As I’ve been re-working some of my infrastructure, I wanted to bring my domain controllers up to Windows Server 2012 R2, and also move one of the virtual machines to a different host. Part of that is moving the five FSMO roles, each of which is held by exactly one domain controller:
- PDC emulator – for older systems which can’t handle a multi-master domain model.
- RID Master – provides unique keys for objects, and performs domain moves.
- Infrastructure Master – for inter-domain communication.
- Schema Master – manages the schema for the domain forest.
- Domain Naming Master – manages naming and conflicts for the domain forest.
So, we need to point each of the five roles over to the new, proposed PDC.
Get the new servers in place:
In my case, I wanted to do fresh installs and use my new server naming strategy. So first, I bring up the new domain controllers as regular (NOT read-only) domain controllers. This typically means:
- Install Windows Server
- Add the machine to the domain (on the same screen where you set the computer name)
- From Server Manager, add the “Active Directory Domain Services” role and promote the server to a domain controller for the domain. Typically you’d want to install DNS as well, and I host my DHCP servers on domain controllers too. That way each domain controller can handle all of it (user validation, DHCP, and DNS), so another domain controller can fail without impacting the network too much.
At this point, the new server is a domain controller, but it’s not the primary domain controller, and there can be only one primary. Before we go further, let’s look at an example.
This might make more sense when I describe what I have and what I want to do:
- SHFLPDC01 – old Windows 2012 primary domain controller
- SHFLBDC01 – old Windows 2012 backup domain controller
- SPHWPPDC01 – new Windows 2012 R2 (proposed) primary domain controller (plus, moving to a different host server)
- SPHWPBDC01 – new Windows 2012 R2 backup domain controller
I ultimately want to decommission the SHFL* servers. Bringing up backup domain controllers is easy enough; the tricky part is promoting the replacement to be the NEW primary, which is what is described below.
Another way to look at this is SHFLPDC01 is the primary domain controller, and despite the names, I really have 3 backup domain controllers at the moment. I want to promote one of them to be primary, which will demote SHFLPDC01 to be a backup domain controller. At that point, I can take those old SHFL* servers offline.
After a little research, it turns out you need to change this pointer in three places, all available as snap-ins in mmc.exe:
- Active Directory Domains and Trusts
- Active Directory Users and Computers
- Active Directory Schema
To make #3 possible, there is one preparatory step: the Active Directory Schema snap-in is not available by default. To make it available, run the following command (on the new, proposed primary domain controller, for example):
This pops up a confirmation message. You MUST run it as Administrator or you’ll get an error, so right-click on cmd.exe and choose “Run as Administrator”:
Now, to do all three, launch mmc.exe and add the three snap-ins listed above:
then click OK. In my case, I see something like this:
In brackets, it automatically connected me to the existing PDC (SHFLPDC01). So for each snap-in we need to change the domain controller and then change the “Operations Master”. Let’s do one at a time:
Changing Domains and Trust:
First, I’ll right-click at the “Active Directory Domains and Trusts” level to bring up the context menu, and choose “Change Active Directory Domain Controller”:
which brings up a screen like this:
I switch to the new (what I want to be) primary domain controller, then click OK. Now, you might notice that the description in the tree changes:
This hasn’t changed anything yet; we are just connected to a different domain controller. We need that for the second operation: right-click at the Domains and Trusts level again, but this time choose “Operations Master…”, which brings up this:
Clicking “Change” on this screen makes the new PDC the operations master for this particular part of Active Directory (the Domain Naming Master role).
Click Close and this part is done: 1 down, 4 to go.
Changing Users and Computers:
This next section starts off identically: right-click at the Users and Computers level and choose “Change Domain Controller…”:
Similar to the last step, right-click on the domain and choose “Operations Master…”
Note that this dialog has THREE tabs (RID, PDC, and Infrastructure), so you need to click “Change” on all three:
Click Close and you are done with this part: 4 down, 1 to go.
Lastly, the Schema snap-in is more of the same: right-click on “Active Directory Schema” and change the Active Directory Domain Controller. Then right-click again and choose “Operations Master”:
Just like before, confirm the current vs. proposed holder, and if it’s correct click “Change”:
Click Close and we’re done – 5 out of 5 roles have been switched to point to the new PDC.
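The same five transfers can be done in one step from PowerShell, which also avoids registering the Schema snap-in. This is an added example, not code from the original post; it assumes the post’s server name SPHWPPDC01 as the new holder, the ActiveDirectory module (RSAT-AD-PowerShell) installed, and an elevated session run as a Domain Admin who is also a member of Schema Admins and Enterprise Admins, since the two forest-level roles require that.

```powershell
# Added example (not from the original post): transfer all five FSMO roles to the
# proposed PDC with the ActiveDirectory module instead of the three MMC snap-ins.
# Assumes SPHWPPDC01 (from the post) as the new holder and RSAT-AD-PowerShell installed.
Import-Module ActiveDirectory

$NewHolder = 'SPHWPPDC01'   # proposed primary domain controller

# Read the current holders of all five roles: domain roles from Get-ADDomain,
# forest roles from Get-ADForest. Values come back as FQDNs.
function Get-FsmoSnapshot {
    $d = Get-ADDomain
    $f = Get-ADForest
    [ordered]@{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }
}

"Before:"
$before = Get-FsmoSnapshot
$before.GetEnumerator() | ForEach-Object { "  {0,-22} {1}" -f $_.Key, $_.Value }

# Transfer (not seize) the roles. This is the graceful path: the current holder
# must be online and hands the role over. -Force would seize instead, which is
# only appropriate when the old holder is permanently gone.
Move-ADDirectoryServerOperationMasterRole -Identity $NewHolder `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster `
    -Confirm:$false

"After:"
$after = Get-FsmoSnapshot
foreach ($role in $after.Keys) {
    # Compare on the host name only; Get-ADDomain/Get-ADForest return FQDNs.
    $holder = ($after[$role] -split '\.')[0]
    if ($holder -ieq $NewHolder) {
        "  OK   {0,-22} {1}" -f $role, $after[$role]
    } else {
        Write-Warning "$role is still held by $($after[$role])"
    }
}
```

The comparison at the end is the same check the MMC dialogs show as “current” vs. “proposed”, just done for all five roles at once. If any role still reports the old holder, the transfer for that role was refused (typically because the old holder was unreachable or the account lacks Schema Admins or Enterprise Admins membership), and seizing with `-Force` should be a last resort rather than a retry.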
Above, we changed the operations master of all five FSMO roles from the old PDC to the new PDC. How do we confirm it? Well, first I used PowerShell to see who it thinks the PDC is:
PS> Import-Module ActiveDirectory
PS> Get-ADDomain | Select-Object -Property InfrastructureMaster
and I saw:
That’s correct! Next, let’s take the old PDC offline and try to change a password. That should be something you can only do when the PDC is online. And yes, I can change my password or create a user account and it seems to work.
So, from everything I’ve read, I think this is all that is needed. It looks like my new PDC is online and the old PDC is now powered off. If I’m missing something, please leave a comment below!
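A slightly stronger confirmation than querying one role from one server is to read all five roles as seen by both the new and the old domain controller, so that a transfer that has not replicated yet is visible, and to check the PDC locator record and replication health before the old server goes away. This is an added example, not code from the original post; it assumes the post’s server names (SPHWPPDC01 new, SHFLPDC01 old) and the ActiveDirectory and DnsClient modules available on Server 2012 R2.

```powershell
# Added example (not from the original post): confirm the transfer from more than
# one vantage point before powering off the old PDC. Assumes the post's server
# names (SPHWPPDC01 new, SHFLPDC01 old) and RSAT-AD-PowerShell installed.
Import-Module ActiveDirectory

$NewHolder = 'SPHWPPDC01'
$OldHolder = 'SHFLPDC01'
$Roles = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster', 'SchemaMaster', 'DomainNamingMaster'

# All five role holders as reported by one specific DC (-Server), not whichever
# DC the module happens to pick.
function Get-FsmoHoldersSeenBy {
    param([Parameter(Mandatory)][string]$Server)
    $d = Get-ADDomain -Server $Server
    $f = Get-ADForest -Server $Server
    [pscustomobject]@{
        SeenBy               = $Server
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }
}

# Both DCs should agree. If the old one still names itself, replication has not
# caught up and it is too early to take it offline.
$views = foreach ($dc in $NewHolder, $OldHolder) { Get-FsmoHoldersSeenBy -Server $dc }
$views | Format-Table -AutoSize

foreach ($role in $Roles) {
    # Wrap in @() so a single unique value is still an array, not a string.
    $holders = @($views | ForEach-Object { ($_.$role -split '\.')[0] } | Sort-Object -Unique)
    if ($holders.Count -eq 1 -and $holders[0] -ieq $NewHolder) {
        "OK   $role -> $NewHolder (both DCs agree)"
    } else {
        Write-Warning "$role is not consistently on ${NewHolder}: $($holders -join ', ')"
    }
}

# Clients locate the PDC emulator through this SRV record, so it must point at
# the new holder too; a stale record here is why password changes can fail
# later even though the role moved.
$dnsRoot = (Get-ADDomain).DNSRoot
Resolve-DnsName -Type SRV -Name "_ldap._tcp.pdc._msdcs.$dnsRoot" |
    Where-Object { $_.NameTarget } |
    Select-Object Name, NameTarget

# Outstanding replication failures involving the new holder should be cleared
# before the old DC is removed, otherwise its partners may keep stale data.
Get-ADReplicationFailure -Target $NewHolder |
    Select-Object Server, Partner, FailureCount, LastError
```

One caveat on the final step: rather than only powering SHFLPDC01 off, demote it first (Uninstall-ADDSDomainController on the server itself) so its NTDS settings, DNS records and replication links are removed cleanly. A DC that simply disappears leaves metadata behind that the remaining DCs keep trying to replicate with until it is cleaned up by hand.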