
Using rootDSE mods to transfer role ownership

A while back I had a conversation with Richard Siddaway about a blog entry he made HERE.

The basic gist is that there seems to be a bug in the TransferRoleOwnership method of the .NET DomainController class. There is clearly a problem, but I say "seems" because, strictly speaking, the DomainController class does not include Windows 2008.

Thus we fall back on our old trusty rootDSE mods, and for those of you who have never heard of rootDSE mods (you may have heard them referred to as Operational Attributes), I definitely recommend reading up on them HERE.

Effectively what we do is get the rootDSE for the DC we want to transfer the role to and set one of the following mods to 1:

  • becomeInfrastructureMaster
  • becomePDC
  • becomeRidMaster
  • becomeSchemaMaster
  • becomeDomainMaster

You, of course, need to have the valid rights to perform the operation.

    Here is the script I use:

    Param($Server = "127.0.0.1", $Role)
    if (!$Role) { return "Please enter a valid Role: IM,PDC,RID,Schema,DM" }
    # Bind to the rootDSE of the DC that should RECEIVE the role
    $rootDSE = [ADSI]"LDAP://$Server/rootDSE"
    Write-Host
    Write-Host " Moving FSMO Role"
    Write-Host " - Using Server: [$Server]"
    Write-Host " - Using Role:   [$Role]"
    # Map the short role name to its rootDSE operational attribute
    switch -exact ($Role)
    {
        "IM"        { $myRole = 'becomeInfrastructureMaster' }
        "PDC"       { $myRole = 'becomePDC' }
        "RID"       { $myRole = 'becomeRidMaster' }
        "Schema"    { $myRole = 'becomeSchemaMaster' }
        "DM"        { $myRole = 'becomeDomainMaster' }
        Default     { return "Please provide Valid Role: IM,PDC,RID,Schema,DM" }
    }
    Write-Host " - Performing $myRole on $Server"
    # Writing 1 to the operational attribute and committing it asks this DC to take the role
    $rootDSE.Put($myRole, 1)
    $rootDSE.SetInfo()
    Write-Host
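    To confirm where each role actually lives before and after running the script above, here is an added example (my own check, not part of the original post) that reads the fSMORoleOwner attribute of the well-known objects located via the rootDSE naming contexts; $Server is assumed to be any reachable DC, and the role names match the script's short names.

```powershell
# Added example: list the current FSMO role holders by reading fSMORoleOwner.
# Assumes $Server is any reachable DC; "127.0.0.1" mirrors the transfer script.
Param($Server = "127.0.0.1")

$rootDSE  = [ADSI]"LDAP://$Server/rootDSE"
$domainNC = $rootDSE.defaultNamingContext.Value
$configNC = $rootDSE.configurationNamingContext.Value
$schemaNC = $rootDSE.schemaNamingContext.Value

# Each role owner is recorded in the fSMORoleOwner attribute of one well-known object.
$roleObjects = @{
    "PDC"    = $domainNC                                  # domain naming context head
    "RID"    = "CN=RID Manager$,CN=System,$domainNC"      # RID master
    "IM"     = "CN=Infrastructure,$domainNC"              # infrastructure master
    "Schema" = $schemaNC                                  # schema naming context head
    "DM"     = "CN=Partitions,$configNC"                  # domain naming master
}

foreach ($role in "PDC", "RID", "IM", "Schema", "DM") {
    $obj = [ADSI]"LDAP://$Server/$($roleObjects[$role])"
    # fSMORoleOwner is the DN of the owner's NTDS Settings object;
    # the second RDN is the server (DC) object name.
    $owner  = [string]$obj.fSMORoleOwner
    $dcName = (($owner -split ",")[1]) -replace "^CN=", ""
    Write-Host (" {0,-6} held by {1}" -f $role, $dcName)
}
```

    Run it against the old and the new holder after the transfer; if the two DCs disagree for a while, that is replication latency of the fSMORoleOwner change, not a failed transfer.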
