Transferring roles from one DC to another DC is a common practice, especially if you may have recently provisioned another domain controller in your environment and are shifting roles around to either provide better performance, or perhaps take down another DC to upgrade to a new server OS. The roles are generally a very easy thing to shift around. There are five Active Directory roles that are held by domain controllers in a Microsoft AD environment.
Forest Wide Roles
- Schema Master
- Domain Naming Master
Domain Wide Roles
- PDC Emulator Master
- RID Pool Master
- Infrastructure Master
Generally to transfer the above roles, you simply login to the destination server which is key. You must be on the target server to transfer the roles. Using the noted tools below, you simply transfer the roles:
- Schema Master – transferred using the Schema Management MMC
- Domain Naming Master – transfering using the Domains and Trusts MMC
- PDC Emulator – transferred using Active Dirctory Users and Computers
- RID Master – transferred using Active Dirctory Users and Computers
- Infrastructure Master – transferred using Active Dirctory Users and Computers
However, I have seen in a couple of cases that when you go to transfer the schema master or the domain naming master from one DC to another, the option is not available to do so. In this case, we can bypass the limitations of the GUI tools provided to manage the roles in favor of the ntdsutil utility which can be a lifesaver in many situations as it gives you the ability to do things that you wouldn’t otherwise be able to do with the GUI MMC consoles.
Transfer roles using ntdsutil
- Make sure to login as a user that is a member of the Enterprise Admins group
- Open a command prompt and type ntdsutil
- type roles and press ENTER
- type connections and press ENTER
- type connect to %yourservernamegoeshere% and press ENTER where the servername is the DC where you want to transfer the role to
- At the server connections prompt then type q and press ENTER
- type transfer role where role is the role that you want to transfer. For a list of the roles type ? at the fsmo maintenance prompt
- type q to exit the prompt and q again to quit NTDSUTIL