[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

FSMO role (schema) transfer error

Posted on 2014-03-13
4
Medium Priority
?
3,353 Views
Last Modified: 2014-03-13
I am trying to transfer all roles from our 2003 DC to the new 2008 DC because the 2003 AD seems to lock up once every month and no one can log on to the domain. I got all roles transferred except the Schema master. I keep getting a permission error.

- I am logged in as the administrator built in.
- I am a member of both enterprise admins and schema admin groups.

no one else seems to have any ideas of what is going wrong.

here is the error:

C:\Documents and Settings\Administrator>ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server server2
Binding to server2 ...
Connected to server2 using credentials of locally logged on user.
server connections: q
fsmo maintenance: transfer schema master
ldap_modify_sW error 0x32(50 (Insufficient Rights).
Ldap extended error message is 00002098: SecErr: DSID-0315211E, problem 4003 (IN
SUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x2098(Insufficient access rights to perform the operati
on.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Server "server2" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER1,CN=Servers,CN=Default-First-Site-Na
me,CN=Sites,CN=Configuration,DC=domain,DC=local
Domain - CN=NTDS Settings,CN=SERVER2,CN=Servers,CN=Default-First-Site-Na
me,CN=Sites,CN=Configuration,DC=domain,DC=local
PDC - CN=NTDS Settings,CN=SERVER2,CN=Servers,CN=Default-First-Site-Name,
CN=Sites,CN=Configuration,DC=domain,DC=local
RID - CN=NTDS Settings,CN=SERVER2,CN=Servers,CN=Default-First-Site-Name,
CN=Sites,CN=Configuration,DC=domain,DC=local
Infrastructure - CN=NTDS Settings,CN=SERVER2,CN=Servers,CN=Default-First
-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
fsmo maintenance:
0
Comment
Question by:raffie613
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 5

Accepted Solution

by:
Joe Jenkins earned 2000 total points
ID: 39928285
Try this:

From the 2008 DC:

- Run ntdsutil from a command prompt
- Type ROLES and then enter
- Type CO and then enter
- Type CO TO SERVER <your2008dcname> and then enter
- Type Q and then enter
- Type TRANS SC MA and then enter
- On the box asking you whether you want to transfer the schema FSMO to that DC, - click Yes
- Q and then enter
- Q and then enter

You can also do it from the GUI:
This article does a good job of showing you with images how to get this done.  Scroll down to where it says "Schema Master":
http://kpytko.pl/2011/08/26/transferring-fsmo-roles-from-gui/

I used this method recently and all went well.
0
 

Author Comment

by:raffie613
ID: 39928326
I tried both these methods to transfer and got the results i posted initially. I am not aware of any other two methods to transfer the roles. Except i used the full words instead of CO and SC MA. Never got to the point of entering in Q afterwards.
0
 

Author Comment

by:raffie613
ID: 39928328
ok well even after i got those errors, about 10 hours later seems the change went though anyway. strange but now server 2 is showing up as schema master on both DC now.
Thanks
0
 
LVL 5

Expert Comment

by:Joe Jenkins
ID: 39928334
Hmm. I was going to ask if the user you were using the utility as was part of the Schema Admins AD security group. That would yield that error.

Before you decommission that server make sure you run dcdiag and everything looks good. Just to be safe!
0

Featured Post

Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
Here's a look at newsworthy articles and community happenings during the last month.
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question