I’ve written before about how to promote a domain controller. This covered the peaceful transition of power from one machine being the Primary Domain Controller (PDC) of an Active Directory (AD) to one of the backups.
However, I ran across a new issue. One of my virtual machines is down with a hardware issue, and I’m not sure if/when/how I will fix it. The only thing of significance on there was the PDC for my Active Directory domain. That means that the other BDCs are handling domain functions, but there are several domain-level things I cannot do until the PDC is back online. The BDCs become read-only and cache some changes. What I really need to do, though, is promote one of these BDCs to be the new PDC. But how do you do that?
As it turns out, from this page: https://support.microsoft.com/en-us/help/255504/using-ntdsutil-exe-to-transfer-or-seize-fsmo-roles-to-a-domain-control you have to use the NTDSUtil.exe command-line tool – which is already available on a domain controller. Here’s a quick look:
So you basically call these “seize” commands, one by one. The tool first tries to transfer the role peacefully, but if the current holder is not available, it seizes the role instead. As with a regular change of PDC, you do need to move ALL of the roles to the PDC-elect.
Specifically, here are the commands I ran from an Administrator command-prompt:
and then from that prompt, these commands:
connect to server localhost
seize naming master
seize schema master
seize infrastructure master
seize RID master
After each command, it gives you a little summary of which domain controllers are serving which roles.
How can you be sure all of this worked? Well, I did two things. First, I used the techniques from my original blog post, using mmc.exe to verify which domain controller was serving which role. In my case, I also REMOVED the old/dead PDC from the Active Directory. When I tried to do that, it told me that the old PDC still held one role, which I had overlooked (schema master). Once I switched over that role, I was allowed to delete the old PDC without error messages. Now the domain operates normally, the old/offline PDC is removed from the domain, and one of the BDCs is serving as the primary domain controller.
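The schema-master slip above is easy to repeat, so here is a scripted version of the “did every role actually move?” check. This is an added example, not code from the original post: it assumes the RSAT ActiveDirectory PowerShell module on a domain-joined machine, a domain admin account, and placeholder hostnames (DC02 for the PDC-elect, DC01 for the dead PDC) that you would replace with your own.

```powershell
# Added example (not from the original post): confirm that none of the five
# FSMO roles still points at the dead PDC after the ntdsutil seizures.
# Assumes the RSAT ActiveDirectory module and a domain admin session.
Import-Module ActiveDirectory

function Test-FsmoRoleHolders {
    param(
        # Hostname of the DC that should now hold every role (placeholder).
        [Parameter(Mandatory)] [string] $ExpectedHolder,
        # Hostname of the dead DC; a role still here means a seize was missed.
        [Parameter(Mandatory)] [string] $DeadDc
    )
    $forest = Get-ADForest
    $domain = Get-ADDomain
    # Two roles are forest-wide, three are per-domain.
    $roles = [ordered]@{
        'Schema master'         = $forest.SchemaMaster
        'Domain naming master'  = $forest.DomainNamingMaster
        'PDC emulator'          = $domain.PDCEmulator
        'RID master'            = $domain.RIDMaster
        'Infrastructure master' = $domain.InfrastructureMaster
    }
    $problems = @()
    foreach ($r in $roles.GetEnumerator()) {
        # Role holders come back as FQDNs; compare on the short hostname.
        $holder = ($r.Value -split '\.')[0]
        $status = if ($holder -ieq $ExpectedHolder) { 'OK' }
                  elseif ($holder -ieq $DeadDc)     { 'STILL ON DEAD DC' }
                  else                               { 'UNEXPECTED HOLDER' }
        Write-Host ('{0,-22} {1,-35} {2}' -f $r.Key, $r.Value, $status)
        if ($status -ne 'OK') { $problems += $r.Key }
    }
    return $problems   # empty when every role sits on the expected holder
}

# Usage with placeholder hostnames: warn about any role that was not seized.
$missed = Test-FsmoRoleHolders -ExpectedHolder 'DC02' -DeadDc 'DC01'
if ($missed) { Write-Warning "Roles not yet seized: $($missed -join ', ')" }
```

Run it before deleting the old DC object; an empty result is the condition under which the removal in the post succeeded without the “still holds a role” error.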