Cannot seize Schema Master - Schema Admins group stuck in old domain

Little Debbie 1 Reputation point
2021-08-25T18:37:45.537+00:00

Good afternoon. I have an issue that I inherited from a previous I.T. administrator. I will do my very best to explain it.

This network currently has one Domain Controller (DC2) and one domain in the forest: domain2.local

However, there are still remnants of an old Domain Controller (DC1) AND an old domain (domain1.local) present throughout the network.

I went to clean up the metadata but ran into an issue.

A query of the FSMO roles tells me that all of them were properly moved to the new domain controller (DC2) except Schema Master.

I am unable to use ntdsutil to seize this role due to permission issues. None of the user accounts I have access to on the domain appear to be Schema Admins, and that particular group appears to be STUCK in the old domain (domain1.local)... perhaps it didn't replicate properly? When I search AD for that group, I find it; however, when I try to modify it to add my account as a Schema Admin, here is the error I get:

The properties for this item are not available.

If I try to MOVE that group to another OU, I get another error with a little more information:

Windows cannot move object Schema Admins because: The server is not operational.

Unfortunately, there are NO backups of this old domain controller and there is NO way to bring it back online for proper decommissioning. So, my question: is there ANYTHING I can do to force-seize the schema master role without having access to the Schema Admins group, or somehow start fresh with that particular role? Right now, I plan on creating an entirely new domain on a brand new Windows Server 2019 machine, but if I can avoid the hassle of moving everyone to a brand new domain and just clean this one up, that would be great!

Thank you kindly for your help and advice!

5 answers
  1. Dave Patrick 426.2K Reputation points MVP
    2021-08-25T18:53:14.53+00:00

    You'll need an account that's a member of the Enterprise Admins group.

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  2. Dave Patrick 426.2K Reputation points MVP
    2021-08-25T19:09:57.557+00:00

If you cannot add to, or find someone that's a member of, the Enterprise Admins group you may be out of luck.

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  3. Dave Patrick 426.2K Reputation points MVP
    2021-08-25T19:17:53.927+00:00

    Yes, via PowerShell.
    https://www.lepide.com/how-to/export-members-of-a-particular-ad-group-using-poweshell.html

    --please don't forget to upvote and Accept as answer if the reply is helpful--
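
Added example, not code from the thread or from Microsoft: a PowerShell script that reports which server holds each FSMO role, queries a Global Catalog (port 3268) for the Enterprise Admins and Schema Admins groups and their direct members, and checks whether the current logon token already carries the well-known RIDs 518 (Schema Admins) or 519 (Enterprise Admins). It assumes the RSAT ActiveDirectory module on a domain-joined host; no server or domain names are hard-coded, and the GC is discovered at run time.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# 1. FSMO role holders. Forest-wide roles come from Get-ADForest, per-domain roles
#    from Get-ADDomain; a domain whose DCs are all gone will throw, so catch it.
$forest = Get-ADForest
"Forest root domain : $($forest.RootDomain)"
"Schema Master      : $($forest.SchemaMaster)"
"Domain Naming      : $($forest.DomainNamingMaster)"
foreach ($d in $forest.Domains) {
    try {
        $dom = Get-ADDomain -Identity $d -ErrorAction Stop
        "$d : PDC=$($dom.PDCEmulator) RID=$($dom.RIDMaster) Infra=$($dom.InfrastructureMaster)"
    } catch {
        "$d : no DC reachable ($($_.Exception.Message))"
    }
}

# 2. Enterprise Admins and Schema Admins live only in the forest root domain. In a
#    native-mode forest they are universal groups, so the Global Catalog on any DC
#    holds a copy of the group and its 'member' attribute even if every root-domain
#    DC is offline. Query the nearest GC on port 3268 instead of the root domain.
$gcHost = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName | Select-Object -First 1
$gc = "${gcHost}:3268"
"Using Global Catalog: $gc"
foreach ($name in 'Enterprise Admins', 'Schema Admins') {
    try {
        $grp = Get-ADObject -Server $gc -ErrorAction Stop `
               -LDAPFilter "(&(objectClass=group)(sAMAccountName=$name))" -Properties member
    } catch {
        "$name : GC query failed ($($_.Exception.Message))"; continue
    }
    if (-not $grp) { "$name : not found in GC"; continue }
    "$name ($($grp.DistinguishedName)):"
    if (-not $grp.member) { "  (no direct members)" }
    foreach ($dn in $grp.member) {
        # Resolve each member DN through the same GC so a dead domain does not block it.
        try {
            $m = Get-ADObject -Server $gc -Identity $dn -Properties sAMAccountName, objectClass -ErrorAction Stop
            "  $($m.objectClass)  $($m.sAMAccountName)  $dn"
        } catch {
            "  (unresolvable)  $dn"
        }
    }
}

# 3. What ntdsutil actually checks is the SIDs in your token, not the group name.
#    RID 518 = Schema Admins, RID 519 = Enterprise Admins, both under the root domain SID.
$token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$privileged = @($token.Groups | Where-Object { $_.Value -match '^S-1-5-21-.*-(518|519)$' })
if ($privileged.Count -gt 0) {
    "Current token ($($token.Name)) holds: $(($privileged | ForEach-Object { $_.Value }) -join ', ')"
} else {
    "Current token ($($token.Name)) carries neither RID 518 nor RID 519"
}
```

If domain1.local was the forest root and its only DC is gone, step 1 will report that domain as unreachable while step 2 may still list the group and its members from DC2's GC copy; step 3 then tells you whether the account you are logged on with is one of them. The seize needs a token carrying RID 518 (and RID 519 is what the answers above point to), so an account that shows up in step 2 but cannot log on gets you no further.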


  4. Dave Patrick 426.2K Reputation points MVP
    2021-08-25T21:55:23.727+00:00

    The focus needs to be on getting an Enterprise or Schema Admin successful logon or possibly restoring a known good backup.

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  5. Limitless Technology 39,416 Reputation points
    2021-08-26T12:55:47.047+00:00

    Hello @Little Debbie

    Unfortunately you must be part of Domain Admins and Schema Admins to seize. In this case, the only solution would be to rebuild, to save even bigger problems in the future from some lack of manageability or previous IT mischief.

    Best regards,