This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 28.999999999999996%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELD%3C/text%3E%3C/svg%3E)
Good afternoon. I have an issue that I inherited from a previous I.T. administrator. I will do my very best to explain it.
This network currently has one Domain Controller (DC2) and one domain in the forest: domain2.local
However, there are still remnants of an old Domain Controller (DC1) AND an old domain (domain1.local) present throughout the network.
I went to clean up the meta data but ran into an issue.
A query of the FSMO roles tells me that all of them were properly moved to the new domain controller (DC2) except Schema Master.
I am unable to use ntdsutil to seize this role due to permission issues. None of the user accounts I have access to on the domain appear to be Schema Admins, and that particular group appears to be STUCK in the old Domain (domain1.local)...perhaps it didn't replicate properly?.... - when I search AD for that group, I find it...however, when I try to modify it to add my account as a Schema Admin, here is the error I get:
The properties for this item are not available.
If I try to MOVE that group to another OU, I get another error with a little more information:
Windows cannot move object Schema Admins because: The server is not operational.
Unfortunately, there are NO backups of this old domain controller and there is NO way to bring it back online for proper decommissioning. So, my question...is there ANYTHING I can do to force seize the schema master role without having access to the Schema Admin group.... or somehow start fresh with that particular role? Right now, I plan on creating an entirely new domain on a brand new Windows Server 2019 machine, but if I can avoid the hassle of moving everyone to a brand new domain and just clean this one up, that would be great!
Thank you kindly for your help and advice!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
You'll need an account that's a member of the Enterprise Admins group.
--please don't forget to upvote and Accept as answer if the reply is helpful--
Unfortunately, I get the same error messages when I try to access that group.
If you cannot add to or find someone that's a member Enterprise Admins group you may be out of luck.
--please don't forget to upvote and Accept as answer if the reply is helpful--
Is there a way to find out the members of that group via command line, perhaps, since I cannot access it in the GUI?
Yes, via PowerShell.
https://www.lepide.com/how-to/export-members-of-a-particular-ad-group-using-poweshell.html
--please don't forget to upvote and Accept as answer if the reply is helpful--
Ok, unfortunately that will not work. It keeps defaulting to the new domain, and I think the Enterprise Admins group is stuck in the old domain, hence why its properties cannot be displayed.
Enterprise Admins group is stuck in the old domain
Not sure what is meant here. There should be only one domain.
Ok, I might be wrong about this actually....
There are remnants of the old domain showing in various areas. For example, Active Directory Users and Computers shows only one domain in the forest...however, if I go to do a directory search, in the dropdown, I can see the old domain listed.
Find: Users, Contacts, and Groups In: (choices are) Entire Directory, Domain1, Domain2
Now, if I search for Enterprise Admins in Domain1...the group is NOT found....if I search for it in Domain 2...same result....if I choose "Entire Directory," I find the group but cannot open it...I get that error message.
The focus needs to be on getting an Enterprise or Schema Admin successful logon or possibly restoring a known good backup.
--please don't forget to upvote and Accept as answer if the reply is helpful--
Just checking if there's any progress or updates?
--please don't forget to upvote and Accept as answer if the reply is helpful--
Hello @Little Debbie
Unfortunately you must be part of Domain Admins and Schema Admins to seize. In this case, the only solution would be to rebuild, to save even bigger problems in the future from some lack of manageability or previous IT mischief.
Best regards,
Additionally,
Do you have any trust relationship between two domains i.e domain1.local and domain2.local?
Also how many users are there in your old domain which you want decommission?
Thanks you.