Solved

FSMO role (schema) transfer error

Posted on 2014-03-13
4
2,943 Views
Last Modified: 2014-03-13
I am trying to transfer all roles from our 2003 DC to the new 2008 DC because the 2003 AD seems to lock up once every month and no one can log on to the domain. I got all roles transferred except the Schema master. I keep getting a permission error.

- I am logged in as the administrator built in.
- I am a member of both enterprise admins and schema admin groups.

no one else seems to have any ideas of what is going wrong.

here is the error:

C:\Documents and Settings\Administrator>ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server server2
Binding to server2 ...
Connected to server2 using credentials of locally logged on user.
server connections: q
fsmo maintenance: transfer schema master
ldap_modify_sW error 0x32(50 (Insufficient Rights).
Ldap extended error message is 00002098: SecErr: DSID-0315211E, problem 4003 (IN
SUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x2098(Insufficient access rights to perform the operati
on.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Server "server2" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER1,CN=Servers,CN=Default-First-Site-Na
me,CN=Sites,CN=Configuration,DC=domain,DC=local
Domain - CN=NTDS Settings,CN=SERVER2,CN=Servers,CN=Default-First-Site-Na
me,CN=Sites,CN=Configuration,DC=domain,DC=local
PDC - CN=NTDS Settings,CN=SERVER2,CN=Servers,CN=Default-First-Site-Name,
CN=Sites,CN=Configuration,DC=domain,DC=local
RID - CN=NTDS Settings,CN=SERVER2,CN=Servers,CN=Default-First-Site-Name,
CN=Sites,CN=Configuration,DC=domain,DC=local
Infrastructure - CN=NTDS Settings,CN=SERVER2,CN=Servers,CN=Default-First
-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
fsmo maintenance:
0
Comment
Question by:raffie613
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 5

Accepted Solution

by:
Joe Jenkins earned 500 total points
ID: 39928285
Try this:

From the 2008 DC:

- Run ntdsutil from a command prompt
- Type ROLES and then enter
- Type CO and then enter
- Type CO TO SERVER <your2008dcname> and then enter
- Type Q and then enter
- Type TRANS SC MA and then enter
- On the box asking you whether you want to transfer the schema FSMO to that DC, - click Yes
- Q and then enter
- Q and then enter

You can also do it from the GUI:
This article does a good job of showing you with images how to get this done.  Scroll down to where it says "Schema Master":
http://kpytko.pl/2011/08/26/transferring-fsmo-roles-from-gui/

I used this method recently and all went well.
0
 

Author Comment

by:raffie613
ID: 39928326
I tried both these methods to transfer and got the results i posted initially. I am not aware of any other two methods to transfer the roles. Except i used the full words instead of CO and SC MA. Never got to the point of entering in Q afterwards.
0
 

Author Comment

by:raffie613
ID: 39928328
ok well even after i got those errors, about 10 hours later seems the change went though anyway. strange but now server 2 is showing up as schema master on both DC now.
Thanks
0
 
LVL 5

Expert Comment

by:Joe Jenkins
ID: 39928334
Hmm. I was going to ask if the user you were using the utility as was part of the Schema Admins AD security group. That would yield that error.

Before you decommission that server make sure you run dcdiag and everything looks good. Just to be safe!
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
Here's a look at newsworthy articles and community happenings during the last month.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question