
Should I transfer the FSMO role with DCPROMO or MMC?

I have a "test" domain controller on which I first installed Active Directory. I have a better server, "server2," that I want to replace the role of the test domain controller (be the FSMO), so I can completely take the "test" domain controller out of the domain. I have already run dcpromo.exe on "server2" and joined the domain as a DC, but now I want to rid the domain of the "test" DC. I need to transfer the FSMO role from the "test" DC to "server2". Is the best way to do this to demote the "test" DC with DCPROMO or transfer the FSMO roles with MMC?

I am receiving the error: "The transfer of the current operations master role cannot be performed for the following reason. The requested FSMO operation failed. The current FSMO holder could not be contacted." This happens when I try to transfer the FSMO operations manager with MMC.

The best way would be to use the MMC. If you try with DCPROMO it should work, but failure can leave the system in an odd state occasionally. I prefer to perform such sensitive actions in smaller steps so that I can review the results.

If the MMC fails, you can also try the NTDSUTIL.exe from the Support Tools. You will need to understand that this tool is primarily used to 'seize' the FSMO roles. This is done when the previous FSMO owner is no longer available. If you do this, the old FSMO machine can NEVER be on the network again. You will need to format the old FSMO machine and reinstall it -- perhaps a little extreme, but better safe than sorry.

Now that you have the methods, let's address your specific issue. You have two servers that are DCs in the same domain. You want to demote server1 so that it does not participate as an FSMO server or DC. However, you are getting the error you mentioned. First, you should look in the event logs -- especially the SYSTEM, DNS, File Replication and Directory Services Event logs. The synchronization of the domains is probably incomplete for some reason. Often this is due to connectivity problems with the network, or more often (especially in test environments) an incorrect DNS configuration, which is why you should examine the DNS event logs. Checking the File Replication log will give you an idea if the Active Directory setup on server2 is actually complete. Until it is complete, the FRS and Directory Services logs will indicate issues with the completion of SYSVOL and synchronization activities. Correct these issues first and then try to use the MMC to transfer the roles.
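
The checks described in the answer, followed by a graceful transfer, as an added PowerShell example that is not part of the original answer. It assumes the DC names `test` and `server2` from the question, a management host with the ActiveDirectory module (RSAT) plus `repadmin` and `dcdiag`, and the classic event log names (a domain that replicates SYSVOL with DFSR uses "DFS Replication" instead of "File Replication Service").

```powershell
# Added example: pre-transfer health checks, then a graceful FSMO transfer.
# Assumptions: run as a domain admin with the ActiveDirectory module (RSAT);
# 'test' and 'server2' are the DC names used in the question.
Import-Module ActiveDirectory

$oldDc = 'test'      # current role holder
$newDc = 'server2'   # intended role holder

# 1. Record who holds each of the five roles before changing anything.
$domain = Get-ADDomain
$forest = Get-ADForest
[pscustomobject]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
} | Format-List | Out-Host

# 2. Errors (2) and warnings (3) from the last day in the logs the answer names.
$logs  = 'System', 'DNS Server', 'File Replication Service', 'Directory Service'
$since = (Get-Date).AddDays(-1)
foreach ($dc in $oldDc, $newDc) {
    foreach ($log in $logs) {
        Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = $log; Level = 2, 3; StartTime = $since
        } | Select-Object MachineName, LogName, TimeCreated, Id | Format-Table | Out-Host
    }
}

# 3. The new DC's promotion is complete only once it shares SYSVOL and NETLOGON.
$sysvolReady = (Test-Path "\\$newDc\SYSVOL") -and (Test-Path "\\$newDc\NETLOGON")

# 4. Replication and DNS health; read the output before going further.
repadmin /showrepl $newDc
dcdiag /s:$newDc /test:DNS

# 5. Transfer (not seize): without -Force the cmdlet must contact the current
#    holder, so the old DC stays usable and can be demoted afterwards.
$roles = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster', 'SchemaMaster', 'DomainNamingMaster'
if ($sysvolReady) {
    Move-ADDirectoryServerOperationMasterRole -Identity $newDc -OperationMasterRole $roles -Confirm
} else {
    Write-Warning "$newDc does not share SYSVOL/NETLOGON yet; fix replication before transferring."
}
```

Remote event log queries need the Remote Event Log Management firewall rules enabled on both DCs; if they are blocked, run step 2 locally on each server.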
