Tag Archives: FSMO

How to Seize FSMO Roles? (PowerShell Guide)

In AD environment, FSMO role seize process only should use in a disaster where you cannot recover the FSMO role holder. It should be using for day to day operations. Some of the FSMO roles (RID, Domain Naming Master, Schema Master) can still afford few hours’ downtime with minimum business impacts. There for do not use the Seize option as the first option if still FSMO role holder can recover or fix. 

Once seize process is completed, the old FSMO role holder should not bring online again. It is recommended to format and remove it from network. In any given time, it is not possible to have same FSMO role appear in two servers in same domain.

In following example, there are two domain controllers in the infrastructure. REBEL-SDC02 is the FSMO role holder and REBEL-PDC-01 is additional domain controller. Due to hardware failure, I cannot bring REBEL-SDC02 online and I need to seize the FSMO roles. 

s1

In order to seize the roles following command can use,

Move-ADDirectoryServerOperationMasterRole -Identity REBEL-PDC-01 -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster -Force

s2

This command will take few minutes to complete as in background it will try to connect to original FSMO role holder. 

The only change in the command from FSMO role transfer is the -Force at the end. Otherwise its exact same command. You also can seize individual role by using Move-ADDirectoryServerOperationMasterRole -Identity REBEL-PDC-01 -OperationMasterRole <FSMO Role> -Force

In their <FSMO Role> can be replaced by the actual FSMO role value.

Once command completed we can test the new FSMO role holder. 

s3

As we can see REBEL-PDC-01 become the new FSMO role holder. 

This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Step-by-Step Migration Guide to Active Directory 2016 (PowerShell Guide)

This is my first blog post in 2018. So, first of all Happy New year to my blog readers!

In many occasions, I have written articles about Active Directory Migrations. But still I get lots of emails from readers to clarify things about AD migrations. So, I thought to revisit it by covering most common questions I gets. Also in this blog post, I will show how to do the AD migration only using PowerShell.

Migration task itself is very straight forward. But there are other things you need to consider before you do an AD migration. In below I listed a checklist you can use in many occasions. 

Active Directory Migration Check List 

Evaluate business requirement for active directory migration 

Perform Audit on Existing Active Directory Infrastructure to verify its health status

Create Plan for implementation Process

Prepare Physical / Virtual resources for Domain Controller

Install Windows server 2016 Standard / Datacenter

Patch Servers with latest Windows Updates

Assign Dedicate IP address to Domain Controller

Install AD DS Role

Migrate Application and Server Roles from the Existing Domain Controllers

Migrate FSMO roles to new Domain Controllers

Add New Domain controller to the Existing DR Solution

Decommission old domain controllers 

Raise the Domain and Forest Functional level

On Going Maintenance 

Tips – During audit process you need to verify if your applications will support new AD schema. it is very rare but I have seen legacy applications which is not support newer schema versions. 
 
Also in some scenarios, it is hard to replace primary dc with a DC running with different IP address. AD is supported for IP changes even after FSMO role changes. There for if need you can swap IP addresses after you migrate FSMO roles. 
 
Topology
 
In my demo environment, I have an existing domain controller running with windows server 2012 R2. I am going to migrate it to a windows server 2016 server.
 
mig1
 
In the demonstration, REBEL-WIN-DC01 is the domain controller with windows server 2012 R2 and REBEL-SDC01 is the domain controller with windows server 2016. 
 
Tip – When you introduce new domain controllers to the existing infrastructure it is recommended to introduce to the forest root level first and then go to the domain tree levels.
 
Add Additional Domain Control 
 
As per plan I need to add a new domain controller with windows server 2016 to existing domain first.
 
1) Log in to the Server (Windows server 2016) as a member of local administrators group. 
2) Add server to the existing domain as member. 
3) Log in to domain controller as enterprise administrator.  
4) Verify the static IP address allocation using ipconfig /all.
5) Launch the PowerShell Console as an Administrator
6) Before the configuration process, we need to install the AD DS Role in the given server. In order to do that we can use Following command. 

Install-WindowsFeature –Name AD-Domain-Services -IncludeManagementTools
 
7) After successful role service Installation, next step is to configure the domain controller. It can be done using following PowerShell command. 
 
Install-ADDSDomainController
-CreateDnsDelegation:$false
-InstallDns:$true
-DomainName "rebeladmin.com"
-SiteName "Default-First-Site-Name"
-ReplicationSourceDC "REBEL-WIN-DC01.rebeladmin.com"
-DatabasePath "C:\Windows\NTDS"
-LogPath "C:\Windows\NTDS"
-SysvolPath "C:\Windows\SYSVOL"
-Force:$true 


Argument

Description

Install-ADDSDomainController

This cmdlet will install the domain controller in active directory infrastructure.

-SiteName

This Parameter can use to define the active directory site name.  the default value is Default-First-Site-Name

-DomainName

This parameter defines the FQDN for the active directory domain.

-ReplicationSourceDC

Using this parameter can define the active directory replication source. By default, it will use any available domain controller. But if need we can be specific.

-InstallDns

Using this can specify whether DNS role need to install with active directory domain controller. For new forest, it is default requirement to set it to $true.

-LogPath

Log path can use to specify the location to save domain log files.

-SysvolPath

This is to define the SYSVOL folder path. Default location for it will be C:\Windows

-Force

This parameter will force command to execute by ignoring the warning. It is typical for the system to pass the warning about best practices and recommendations. 

 
Once execute the command it will ask for SafeModeAdministrator Password. Please use complex password to proceed. This will be used for DSRM.
 
After configuration completed, restart the system and log back in as administrator to check the AD DS status. 

Get-Service adws,kdc,netlogon,dns
 
Move FSMO Roles 
 
Now we have additional domain controller and next step is to migrate FSMO roles to the new server. 
 
We can migrate all five FSMO roles to the New domain controller using following powershell command,
 
Move-ADDirectoryServerOperationMasterRole -Identity REBEL-SDC01 -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
 
In above the REBEL-SDC01 is domain controller running with windows server 2016. Once its completed, we can verify the new FSMO role holder using 
 
Netdom query fsmo
 
mig2

 
Decommission Old Domain Controller 
 
Now we moved FSMO roles over and next step is to decommission old DC which is running with windows server 2012 R2. 
In order to do that, log in to old DC as enterprise administrator and run following powershell command,

Uninstall-ADDSDomainController -DemoteOperationMasterRole -RemoveApplicationPartition
 
After execute the command it will ask to define password for the local administrator account.
 
mig3
 
Once its completed it will be a member server of the rebeladmin.com domain.
 
Raise Domain and Forest Functional level

After you remove your last domain controller running with windows server 2012 r2 (if its 2012 or 2008 r2 same thing apply) we can raise Domain and Forest Functional level to windows server 2016. You need it to have features comes with AD 2016. 
To upgrade domain functional level, you can use following powershell command
 
Set-ADDomainMode –identity rebeladmin.com -DomainMode Windows2016Domain
 
To upgrade forest function level, you can use following command

Set-ADForestMode -Identity rebeladmin.com -ForestMode Windows2016Forest
 
After the migration completes we still need to verify if its completes successfully.
 
Get-ADDomain | fl Name,DomainMode
 
This command will show the current Domain functional level of the domain after the migration. 
 
Get-ADForest | fl Name,ForestMode
 
Above command will show the current forest functional level of the domain. 
Also, you can use
 
Get-EventLog -LogName 'Directory Service' | where {$_.eventID -eq 2039 -or $_.eventID -eq 2040} | Format-List
 
To search event ID 2039 and 2040 in the “Directory Service” log which will show the forest and domain functional level updates.
 
mig4
 
Event ID 1458 will verify the transfer of the FSMO roles. 

Get-EventLog -LogName 'Directory Service' | where {$_.eventID -eq 1458} | Format-List
 
You can use following to verify the list of domain controllers and make sure the old domain controller is gone. 
 
Get-ADDomainController -Filter * | Format-Table Name, IPv4Address
 
Apart from these you also can go through Directory Service and DNS Logs to see if there’s any issues recorded.
 
This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Step-by-Step guide to migrate active directory FSMO roles from windows server 2012 R2 to windows server 2016

Windows server 2016 was released for public (GA) on mid oct 2016. Its exciting time as businesses are already working on migrating their services in to new windows server 2016 infrastructures. In this post, I am going to explain how you can migrate from active directory running on windows server 2012 R2 to windows server 2016 active directory. The same steps are valid for migrating from windows server 2012, windows server 2008 R2 and windows server 2008.

In my demo setup, I have a windows server 2012 R2 domain controller as PDC. I setup windows server 2016 and already added to the existing domain.

updc1

Current domain and forest functional level of the domain is windows server 2012 R2.

updc2

So, let’s start with the migrate process. 

Install Active Directory on windows server 2016
 
1. Log in to windows server 2016 as domain administrator or enterprise administrator
2. Check the IP address details and put the local host IP address as the primary DNS and another AD server as secondary DNS. This is because after AD install, server itself will act as DNS server
3. Run servermanager.exe form PowerShell to open server manager (there is many ways to open it) 
updc3
 
4. Then click on Add Roles and Features
updc4
 
5. It will open up the wizard, click next to continue
updc5
 
6. In next window keep the default and click next
updc6
 
7. Roles will be installed on same server, so leave the default selection and click next to continue
updc7
 
8. Under the server roles tick on Active Directory Domain Services, then it will prompt with the features needs for the role. Click on add features. Then click next to proceed
updc8
updc9
updc10
 
9. On the features windows keep the default and click next
updc11
 
10. In next window, it will give brief description about AD DS, click next to proceed 
updc12
 
11. Then in next window it will give brief description about configuration and click on install to start the role installation process. 
updc13
updc14
 
12. Once installation completed, click on promote this server to a domain controller option
updc15
 
13. It will open up the Active Directory Domain Service configuration wizard, leave the option Add a domain controller to existing domain selected and click next.
updc16
 
14. In next window define a DSRM password and click next
updc17
 
15. In next window click on next to proceed
updc18
 
16. In next windows, it asks from where to replicate domain information. You can select the specific server or leave it default. Once done click next to proceed. 
updc19
 
17. Then it shows the paths for AD DS database, log files and SYSVOL folder. You can change the paths or leave default. In demo, I will keep default and click next to continue
updc20
 
18. In next windows, it will explain about preparation options. Since this is first windows server 2016 AD on the domain it will run forest and domain preparation task as part of the configuration process. Click next to proceed.
updc21
 
19. In next window, it will list down the options we selected. Click next to proceed. 
updc22
 
20. Then it will run prerequisite check, if all good click on install to start the configuration process.
updc23
 
21. Once the installation completes it will restart the server. 
updc24
 
Migrate FSMO Roles to windows server 2016 AD
 
I assume by now you have idea what is FSMO roles. If not search my blog and you will find article explaining those roles. 
There are 2 ways to move the FSMO roles from one AD server to another. One is using GUI and other one is using command line. I had already written articles about GUI method before so I am going to use PowerShell this time to move FSMO roles. If you like to use GUI mode search my blog and you will find articles on it. 
 
1) Log in to windows server 2016 AD as enterprise administrator
2) Open up the Powershell as administrator. Then type netdom query fsmo. This will list down the FSMO roles and its current owner. 
updc25
 
3) In my demo, the windows server 2012 R2 DC server holds all 5 fsmo roles. Now to move fsmo roles over, type Move-ADDirectoryServerOperationMasterRole -Identity REBELTEST-PDC01 -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster and press enter
 
In here REBELTEST-PDC01 is the windows server 2016 DC. If FSMO roles are placed on different servers, you can migrate each and every FSMO roles to different servers. 
updc26
 
4) Once its completed, type netdom query fsmo again and you can see now its windows server 2016 DC is the new FSMO roles owner. 
updc27

 
Uninstall AD role from windows server 2012 R2
 
Now we moved FSMO roles but we still running system on windows 2012 R2 domain and forest functional levels. In order to upgrade it, first we need to decommission AD roles from existing windows server 2012 R2 servers. 
 
1) Log in to windows 2012 R2 domain server as enterprise administrator
2) Open the PowerShell as administrator
3) Then type Uninstall-ADDSDomainController -DemoteOperationMasterRole -RemoveApplicationPartition and press enter. It will ask for local administrator password. provide new password for local administrator and press enter.
updc28
updc29
updc30
 
4) Once its completed it will restart the server.
 
Upgrade the forest and domain functional levels to windows server 2016
 
Now we have the windows server 2012 R2 domain controllers demoted, next step is to upgrade domain and forest functional levels. 
 
1) Log in to windows server 2016 DC as enterprise administrator 
2) Open PowerShell as administrator
3) Then type Set-ADDomainMode –identity rebeladmin.net -DomainMode Windows2016Domain to upgrade domain functional level to windows server 2016.  In here rebeladmin.net is the domain name. 
updc31
 
4) Then type Set-ADForestMode -Identity rebeladmin.net -ForestMode Windows2016Forest to upgrade forest functional level.
updc32
 
5) Once done you can run Get-ADDomain | fl Name,DomainMode and Get-ADForest | fl Name,ForestMode to confirm new domain and functional level 
updc33
 
Hope this post was useful and if you got any questions feel free to contact me on rebeladm@live.com


How to seize operation masters role?

If a proper DR (Disaster Recovery) plan is in place, an engineer will not needs to consider about this option at all. But it’s not a perfect IT world we living on, some business can’t afford to invest on DR. anyway, as we know AD runs with FSMO roles. Depend on the design these roles may be located on different servers and sometime all runs from one DC (which is not recommended). If this role holder servers get crashed we can’t migrate these roles over. If there is no DR plan, the only way to get this work is by seizing the operation master roles.

The utility we will use for this is ntdsutil.exe. This is very handy tool for manage and maintains active directory infrastructure.

1)    Log in to the server as domain administrator or enterprise administrator
2)    Right click on start button and select “command prompt (admin)

seize1

3)    Type ntdsutil and press enter

seize2

4)    Then type roles and press enter

seize3

5)    Type connections and press enter

seize4

6)    Then type connect to server <FQDN of role holder>

seize5

7)    Then type quit and enter

seize6

8)    In my demo I used a server which holds all the roles. To seize the roles execute following one at a time
seize schema master

seize7


seize naming master

seize8


seize RID master

seize9


seize PDC

seize10


seize infrastructure master

seize11

in each command it gives pop up to confirm if you need to do this. Confirm as yes to proceed.

9)    Type quit to exit from ntdsutil.
 
 seize12

This completes the task successfully. If you have any question about this feel free to contact me on rebeladm@live.com

Active Directory Topology

In an infrastructure when you place domain controllers and related services it is important to identify exactly where it should logically locate. It will directly make impact on performances and security.
There are mainly four types of servers and roles when consider about AD topology design.

1)    Forest root domain controller
2)    Regional domain controller
3)    Global catalog server
4)    Operation master role


Forest root domain controller

This is usually used in multi domain network setup. This is the domain controller which will use to create trust paths between domains. In a network some time connections are made from unreliable connections from domain to domain, in such scenario it’s recommended to place forest root domain controller in the location or create shortcut trust.


Regional domain controller

As the name explain these domain controllers are placed in hub locations. This reduce the bandwidth usage between hub locations and main office, improve reliability, reduce support cost etc. writable regional domain controllers can place in hub location only if physical security guarantee. Otherwise it’s recommended to keep them as read only domain controllers (RODC).


Global Catalog Server

Global catalog server holds all the objects in forest. It keeps full copy of the objects in its own domain and read-only copy of objects for all other domains in same forest. The placement of global catalog server is crucial for multi forest environment. In such environment global catalog server should place at following locations,

1)    A location with more the 100 users
2)    A place that hosting applications which required global catalog server.
3)    A place with unreliable connection
4)    A place with Roaming users
5)    A place with slow log on performance

If it’s not one of above you can place domain controller with universal group membership caching.


Operation master role

In an active directory some of the data only can be written by operation master role servers. As we know there is 5 roles (FSMO). 3 of them remain in domain level and those are call as flexible single master operations (FSMO) roles.
1.    Primary Domain Controller (PDC) Emulator – This role responsible for password updates
2.    Relative ID (RID) Operation Master – this role maintains the global RID pool and allocates local RID to other DC
3.    Infrastructure Operation Master – It is responsible for maintain list of security principles from other domains that have membership of local domain


Forest level roles

1.    Schema Operations Master – This is responsible for schema changes
2.    Domain naming operation master – This responsible for changes in directory partition such as adding and removing domains from the forest

When you place operation master roles need to consider following,
•    PDC and RID responsibilities should place in sites with reliable network connectivity
•    Operation master role automatically will assign to first domain controller, but if need we can change it
•    PDC should place nearest the largest number of users.
•    Infrastructure master role should not place in same server as global catalog server. This role is important only in multi-domain forest.

If you have any question about post feel free to contact me on rebeladm@live.com

Step-by-Step Guide for upgrading SYSVOL replication to DFSR (Distributed File System Replication)

SYSVOL is a folder shared by domain controller to hold its logon scripts, group policies and other items related to AD. All the domain controllers in network will replicate the content of SYSVOL folder. The default path for SYSVOL folder is %SystemRoot%\SYSVOL. This folder path can define when you install the active directory.

Windows Server 2003 and 2003 R2 uses File Replication Service (FRS) to replicate SYSVOL folder content to other domain controllers. But Windows server 2008 and later uses Distributed File System (DFS) for the replication.  DFS is more efficient than FRS. Since windows server 2003 is going out of support, most people already done or still looking for migrate in to latest versions. However migrating FSMO roles WILL NOT migrate SYSVOL replication from FRS to DFS. Most of the engineers forget about this step when they migrate from windows 2003 to new versions.

For FRS to DFS migration we uses the Dfsrmig.exe utility. More info about it available on https://technet.microsoft.com/en-au/library/dd641227(v=ws.10).aspx

For the demo I am using windows server 2012 R2 server and I migrated FSMO roles already from a windows server 2003 R2 server.

In order to proceed with the migration forest function level must set to windows server 2008 or later. So if your organization not done this yet first step is to get the forest and domain function level updated.

You can verify if the system uses the FRS using dfsrmig /getglobalstate , To do this

1)    Log in to domain controller as Domain admin or Enterprise Admin
2)    Launch powershell console and type dfsrmig /getglobalstate. Output explains it’s not initiated DFRS migration yet.

dfrs1

Before move in to the configurations we need to look into stages of the migration.

There are four stable states going along with the four migration phases.

1)    State 0 – Start
2)    State 1 – Prepared
3)    State 2 – Redirected
4)    State 3 – Eliminated

State 0 – Start

With initiating this state, FRS will replicate SYSVOL folder among the domain controllers. It is important to have up to date copy of SYSVOL before begins the migration process to avoid any conflicts.

State 1 – Prepared

In this state while FRS continues replicating SYSVOL folder, DFSR will replicate a copy of SYSVOL folder. It will be located in %SystemRoot%\SYSVOL_DFRS by default. But this SYSVOL will not response for any other domain controller service requests.

State 2 – Redirected

In this state the DFSR copy of SYSVOL starts to response for SYSVOL service requests. FRS will continue the replication of its own SYSVOL copy but will not involve with production SYSVOL replication.

State 3 – Eliminated

In this state, DFS Replication will continue its replication and servicing SYSVOL requests. Windows will delete original SYSVOL folder users by FRS replication and stop the FRS replication.

In order to migrate from FRS to DFSR its must to go from State 1 to State 3.

Let’s look in to the migration steps.

Prepared State

1.    Log in to domain controller as Domain admin or Enterprise Admin
2.    Launch powershell console
3.    Type dfsrmig /setglobalstate 1 and press enter

dfrs2

4.    Type dfsrmig /getmigrationstate to confirm all domain controllers have reached prepared state

dfrs3

Redirected State

1.    Log in to domain controller as Domain admin or Enterprise Admin
2.    Launch powershell console
3.    Type dfsrmig /setglobalstate 2 and press enter

dfrs4

4.    Type dfsrmig /getmigrationstate to confirm all domain controllers have reached redirected state

dfrs5

Eliminated State

1.    Log in to domain controller as Domain admin or Enterprise Admin
2.    Launch powershell console
3.    Type dfsrmig /setglobalstate 3 and press enter

dfrs6

4.    Type dfsrmig /getmigrationstate to confirm all domain controllers have reached eliminated state

dfrs7

This completes the migration process and to confirm the SYSVOL share, type net share command and enter.

dfrs8

Also make sure in each domain controller FRS service is stopped and disabled.

dfrs9

If you have any question regarding the post feel free to email me at rebeladm@live.com

Step-by-Step Guide to migrate FSMO roles from windows 2003 server to windows 2012 R2 server

Even its been over decade after windows server 2003 release , It’s no wonder that still organizations using windows server 2003 / windows server 2003 R2 as their domain controllers. Microsoft has announced that windows server 2003 / windows server 2003 R2 supports ends on 2015, July 14th (http://support2.microsoft.com/lifecycle/search/default.aspx?sort=PN&alpha=Microsoft+Windows+Server+2003&Filter=FilterNO). So the day has come to plan out for the upgrades if you still running those versions in infrastructure.

This guide will explain how we can transfer DC FSMO roles from windows server 2003 to windows server 2012 R2 which is latest. In Windows DC environment FSMO roles holds all the information about DC and its necessary to have all this 5 roles working correctly to maintain proper DC environment. The 5 FSMO roles as following,

•    Schema master
•    Domain naming master
•    RID master
•    PDC emulator
•    Infrastructure master

You can find more information about this roles from http://support.microsoft.com/kb/197132

For the demonstration I am using the following setup

Server Name

Operating System

Server Roles

canitpro-dc2k3.canitpro.local

Windows server 2003 SP2 x86

Active Directory FSMO roles, DNS

CANITPRO-DC2K12.canitpro.local

Windows server 2012 R2 x64

Additional Domain Controller, DNS

So in here I already added windows 2012 r2 server to domain and make it additional domain controller. Currently it do not hold any FSMO roles. My plan is to migrate all the FSMO roles in to windows 2012 r2 server.

role1

Note : In before if we adding windows 2008 server to windows 2003 environment, first we need to prepare the forest and domain schema by running adprep \forestprep and adprep \domainprep  from windows 2008 source files \ support \ adprep. But in windows 2012 you do not need to worry about it when adding 2012 as additional domain controller. When you run the dcpromo it will automatically update it in windows 2003 remotely.

Transfer RID master, PDC emulator, Infrastructure master Roles

As the first step let’s look how we can transfer these 3 roles over to new server.

•    Log in to the windows 2012 R2 server as domain administrator
•    Click on Server Manager > Tools > Active Directory Users and Computers

role2

•    In MMC, right click on the domain name > click on “Operation Masters”

role3

•    In next window it will show the 3 FSMO roles. The default is “PDC”. In there it shows the current PDC holder. Then it is asking if need to change it to new windows 2012 r2 server click on change. There for lets go ahead and click on “Change”

role4

•    Then it’s asking for confirmation. Click yes to continue.

role5

•    Once its confirm as operation completed we can see the window shows the current PDC role holder as new windows 2012 r2 server.

role6

•    Please repeat the same steps to transfer the RID master and Infrastructure master Roles

Transfer domain naming master role

•    Log in to the windows 2012 R2 server as domain administrator.
•    Click on Server Manager > Tools > Active Directory Domains and Trusts.

role8

•    In MMC right click on Active Directory Domains and Trusts > click on Operation Master.

role9

•    In here it shows the current domain naming master role holder (canitpro-dc2k3.canitpro.local) and its asking if we need to move it to windows server 2012 R2 (CANITPRO-DC2K12.canitpro.local). Click on change to move the role over.

role10

•    Then it’s asking for confirmation and click yes to continue.

role11

•    Once its confirm about task completion we can see current domain naming master is windows server 2012 R2 (CANITPRO-DC2K12.canitpro.local).

role12

Transfer schema master role

•    Log in to the windows 2012 R2 server as domain administrator.
•    Open “Run” window in server (Windows key + R) and type regsvr32 schmmgmt.dll and press enter.

role13

•    It will give the confirmation message and click on ok to continue.

role14

•    Then again open “Run” window and type mmc and click ok

role15

•    Then in mmc window click on File > Add-Remove snap-in

role16

•    Then from snap in select “Active Directory Schema” and click on “Add” button

role17

•    Then click on Ok button to continue

role18

•    Then right click on “Active Directory Schema” and click on “Change Active Directory Domain Controller”

role19

•    In Next window select the windows server 2012 R2 DC (CANITPRO-DC2K12.canitpro.local) and click ok.

role20

•    It will give information message and click ok to continue. 

role21

•    Then right click on “Active Directory Schema” and click on “Operation Master”

role22

•    In here it shows the current schema master role holder (canitpro-dc2k3.canitpro.local) and its asking if we need to move it to windows server 2012 R2 (CANITPRO-DC2K12.canitpro.local). Click on change to move the role over.

role23

•    Then it’s asking for confirmation and click yes to continue.

role24

•    Once it’s confirm about task completion we can see current schema master is windows server 2012 R2 (CANITPRO-DC2K12.canitpro.local).

role25

Now we successfully move all 5 fsmo roles over to new windows server 2012 R2. To confirm it open command prompt in new server and type command netdom query fsmo and press enter.

role26

Yipeeee!!! Its shows as all fsmo roles moved successfully.

It will take some time to move all the data over. After that it’s safe to demote the DC role from the windows 2003 server.
Once its demote 2003 DC make sure you raise the forest functional level and domain functional level in to windows server 2012 R2 to experience new changes.
If you have any questions regarding the post feel free to contact me on rebeladm@live.com