This answer describes seizing the Schema role. The role can be transferred by registering schmmgmt.dll (regsvr32 schmmgmt.dll) and using the Active Directory Schema console.
First check with the command:
Get-ADForest | fl SchemaMaster
If not:
Move-ADDirectoryServerOperationMasterRole -Identity "DC2" -OperationMasterRole SchemaMaster
It will ask you if you want to move the role.
Here are the logical steps:
1) Query the role holder: Netdom query fsmo
2) If DC2 is the schema master holder, you're done. If another server is the schema role holder, you need to move the role.
3) Try to gracefully move the role (there is more than 1 way to do that); if a graceful move of the role is not possible because the role holder DC is not consistent, then you need to go to the following steps:
4) Back up the role holder DC, turn it off, and detach the network card
5) Log in to DC2 and seize the role (seizing is a forceful action)
6) Remove the DC from AD Users and Computers and perform a metadata cleanup
7) Never bring the old role holder back to life
8) Query all the DCs to ensure they are all aware of the new role holder
Use AD Schema snap-in: https://activedirectorypro.com/transfer-fsmo-roles/#:~:text=To%20transfer%20the%20schema%20master%20role%20follow%20these%20steps.
To ensure that DC2 is the schema master for contoso.com using ntdsutil, you can perform the following steps:
Log on to DC2 or any other domain controller that has the Active Directory Domain Services (AD DS) role installed.
Open a Command Prompt window with administrative privileges.
Type "ntdsutil" and press Enter to open the ntdsutil tool.
Type "roles" and press Enter to switch to the "fsmo maintenance" prompt.
Type "connections" and press Enter to switch to the "server connections" prompt.
Type "connect to server DC2" (replace DC2 with the name of the DC you want to make the schema master) and press Enter to connect to the DC2 server.
Type "q" and press Enter to return to the "fsmo maintenance" prompt.
Type "seize schema master" and press Enter to make DC2 the schema master.
Type "q" and press Enter to exit ntdsutil.
Transferring and seizing are slightly different. Seizing should be done if a transfer is not possible. A transfer is where both DCs understand a change will take place, and a seize is where the one who is holding the role is offline or unavailable "usually".
I think the PowerShell method of Move-AD*Role would be more appropriate for that reason.
Yes for PDC, Infra and RID it would work but not for schema - you have to use ntdsutil so:
1) Log in to DC2 -> Start -> Run and type ntdsutil
2) Type 'roles' and then 'connections'
3) Type: connect to server DC1 (schema master) and then type: 'q'
4) Type: 'seize schema master'
5) Type 'q' twice to exit
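Added example (not part of any post in this thread): a PowerShell sketch of the check, graceful transfer, and "query all the DCs" steps discussed above, which asks each domain controller for its own view of the schema master instead of trusting a single answer. It assumes the ActiveDirectory module is installed and the account is a Schema Admin; DC2 is the target named in the thread, and the function name Get-SchemaMasterView is hypothetical.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

$Target = 'DC2'   # target DC named in the thread

function Get-SchemaMasterView {
    # Hypothetical helper: ask ONE DC who it believes holds the schema master
    # role by reading fSMORoleOwner on the head of its schema naming context.
    param([Parameter(Mandatory)][string]$Server)
    $schemaNC = (Get-ADRootDSE -Server $Server -ErrorAction Stop).schemaNamingContext
    $owner = (Get-ADObject -Identity $schemaNC -Server $Server `
                  -Properties fSMORoleOwner -ErrorAction Stop).fSMORoleOwner
    # fSMORoleOwner is the DN of the holder's NTDS Settings object:
    #   CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
    [pscustomobject]@{
        QueriedDC = $Server
        Holder    = ($owner -split ',')[1] -replace '^CN=', ''
    }
}

# Steps 1-2: who holds the role now (FQDN), and is it already the target?
$current    = (Get-ADForest).SchemaMaster
$targetFqdn = (Get-ADDomainController -Identity $Target).HostName

if ($current -ne $targetFqdn) {
    # Step 3: graceful transfer, both DCs online. The cmdlet prompts for
    # confirmation. No -Force here: seizing stays a deliberate manual action.
    Move-ADDirectoryServerOperationMasterRole -Identity $Target `
        -OperationMasterRole SchemaMaster -ErrorAction Stop
}

# Step 8: every DC in the forest should name the same holder once
# replication has converged. Unreachable DCs are reported, not skipped.
$views = foreach ($domain in (Get-ADForest).Domains) {
    foreach ($dc in (Get-ADDomainController -Filter * -Server $domain)) {
        try   { Get-SchemaMasterView -Server $dc.HostName }
        catch { [pscustomobject]@{ QueriedDC = $dc.HostName
                                   Holder    = "ERROR: $($_.Exception.Message)" } }
    }
}
$views | Format-Table -AutoSize

$disagree = $views | Where-Object { $_.Holder -ne $Target }
if ($disagree) {
    Write-Warning ("DCs not reporting $Target as schema master: " +
                   ($disagree.QueriedDC -join ', '))
}
```

A DC that still names the old holder after replication should be investigated before any schema change is attempted.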