Good afternoon. I have an issue that I inherited from a previous I.T. administrator. I will do my very best to explain it.
This network currently has one Domain Controller (DC2) and one domain in the forest: domain2.local
However, there are still remnants of an old Domain Controller (DC1) AND an old domain (domain1.local) present throughout the network.
I went to clean up the metadata but ran into an issue.
A query of the FSMO roles tells me that all of them were properly moved to the new domain controller (DC2) except Schema Master.
I am unable to use ntdsutil to seize this role due to permission issues. None of the user accounts I have access to on the domain appear to be Schema Admins, and that particular group appears to be STUCK in the old domain (domain1.local). Perhaps it didn't replicate properly? When I search AD for that group, I find it; however, when I try to modify it to add my account as a Schema Admin, here is the error I get:
The properties for this item are not available.
If I try to MOVE that group to another OU, I get another error with a little more information:
Windows cannot move object Schema Admins because: The server is not operational.
Unfortunately, there are NO backups of this old domain controller and there is NO way to bring it back online for proper decommissioning. So, my question: is there ANYTHING I can do to force-seize the Schema Master role without having access to the Schema Admins group, or somehow start fresh with that particular role? Right now, I plan on creating an entirely new domain on a brand new Windows Server 2019 machine, but if I can avoid the hassle of moving everyone to a brand new domain and just clean this one up, that would be great!
Thank you kindly for your help and advice!
You'll need an account that's a member of the Enterprise Admins group.
--please don't forget to upvote and Accept as answer if the reply is helpful--
If you cannot add to, or find someone that's a member of, the Enterprise Admins group, you may be out of luck.
--please don't forget to upvote and Accept as answer if the reply is helpful--
Yes, via PowerShell.
https://www.lepide.com/how-to/export-members-of-a-particular-ad-group-using-poweshell.html
--please don't forget to upvote and Accept as answer if the reply is helpful--
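Two things in this thread are worth checking with a script before deciding whether to rebuild: the FSMO query the question describes (which role holder is still pointing at a DC that no longer exists) and the group-membership export the reply above refers to (who, if anyone, is actually in Enterprise Admins or Schema Admins). The following is an added example written for this page; it is not code from the thread or from Microsoft. It assumes the RSAT ActiveDirectory module is installed and that you are running it as a domain user with ordinary read access; the function names `Get-FsmoAudit` and `Get-PrivilegedGroupAudit` are hypothetical.

```powershell
# Added example (not from the thread): audit FSMO role holders and the
# membership of the two groups the replies say a seize requires.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-FsmoAudit {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    # Domain controllers the directory currently knows about
    $liveDcs = (Get-ADDomainController -Filter *).HostName

    # Forest-wide roles come from Get-ADForest, domain roles from Get-ADDomain
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }

    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        # A holder that is not a known DC is the orphaned case from the question
        $status = if ($liveDcs -contains $holder) { 'OK' } else { 'ORPHANED' }
        [pscustomobject]@{ Role = $role; Holder = $holder; Status = $status }
    }
}

function Get-PrivilegedGroupAudit {
    # Enterprise Admins and Schema Admins exist only in the forest root domain
    $root = (Get-ADForest).RootDomain
    foreach ($name in 'Enterprise Admins', 'Schema Admins') {
        try {
            # -Recursive expands nested groups so indirect members are reported too
            $members = Get-ADGroupMember -Identity $name -Server $root -Recursive -ErrorAction Stop
            [pscustomobject]@{
                Group    = $name
                Readable = $true
                Members  = ($members.SamAccountName -join ', ')
            }
        }
        catch {
            # "The server is not operational" lands here when the group object
            # is still bound to a DC that no longer exists, as in the question
            [pscustomobject]@{
                Group    = $name
                Readable = $false
                Members  = $_.Exception.Message
            }
        }
    }
}

Get-FsmoAudit | Format-Table -AutoSize
Get-PrivilegedGroupAudit | Format-List
```

A `Readable = False` row for Schema Admins with an ORPHANED Schema Master is exactly the state described in the question; a non-empty member list for Enterprise Admins is the account the first reply says you need, and `whoami /groups` run as that account confirms the membership is actually in the logon token before any seize is attempted.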
The focus needs to be on getting an Enterprise or Schema Admin successful logon or possibly restoring a known good backup.
--please don't forget to upvote and Accept as answer if the reply is helpful--
Hello @Little Debbie
Unfortunately, you must be part of Domain Admins and Schema Admins to seize. In this case, the only solution would be to rebuild, to save even bigger problems in the future from some lack of manageability or previous IT mischief.
Best regards,