0

I'm upgrading my AD by adding new Windows Server 2022 Domain Controllers and will be demoting the existing Server 2012R2 DCs once the new servers are up and I see that things seem to be working smoothly.

I've already transferred the RIDMaster role to one of the new servers. And I was planning on transferring the other FSMO roles to the new servers as well, when I saw a comment about risks with transferring the PDCEmulator role without prep as there could be issues with the time service - Transferring PDC Emulator and Time Server Roles to New 2008 R2 DC. As far as I can tell this seems to be specific for earlier versions of Windows Server - 2000, 2003 and possibly 2008 (R2). Articles about transferring the FSMO roles from Windows Server 2012 onwards have no mention of this.

So my questions are as follows:

  • Has this been resolved in later versions of Windows Server?
  • If not, what is best practice for transferring the PDC Emulator FSMO role?
  • Are there other gotchas I should be aware of with transferring FSMO roles?
Laage

1 Answer

3

I don't see anything mentioned in the link about any "risks". When you transfer the PDCe role you'll want to reconfigure the Windows Time service on the new PDCe and on the previous PDCe (which is now a member server). The commands below are what I do for both.

PDCe:

net stop w32time
w32tm /unregister
w32tm /register
net start w32time
w32tm.exe /config /manualpeerlist:time.windows.com /syncfromflags:manual /reliable:YES /update
net stop w32time
net start w32time

Domain Members (Including other Domain Controllers):

net stop w32time
w32tm /unregister
w32tm /register
net start w32time
w32tm /config /syncfromflags:DOMHIER /update
net stop w32time
net start w32time
joeqwerty
  • True... The link was more to exemplify the prep needed on the PDCe servers. I believe I first saw something about potential logon problems if the new PDCe had not been prepped accordingly. My point was more that I've mostly seen comments about this with Windows Server 2000/2003/2008. Any articles about Windows Server 2012 and later only mention the transfer and say nothing about the configuration of the Windows Time Service, so I was wondering if something had changed and Server 2012 and later possibly had an external time service configured as default. – Laage Jul 29 '22 at 13:29
  • Also, when you write "Domain Members", do you mean both member servers and clients? That's a big ask in a domain with 4k+ users and primarily mobile clients. – Laage Jul 29 '22 at 13:34
  • To clarify, I don't reconfigure the Windows Time service on all Domain Members, only on the new and the previous PDCe role holder. All Domain Members sync time to the domain hierarchy by default. The reason you need to do it on the new and previous PDCe role holder is to make the new PDCe role holder the authoritative time source for the domain and to return the previous PDCe role holder to the default configuration (sync to the domain hierarchy). – joeqwerty Jul 29 '22 at 16:29
  • Thank you, that clarifies things for me. Just a final question then. Should I reconfigure the time service before or after moving the role? – Laage Aug 01 '22 at 07:27
  • Reconfigure the Windows Time service after transferring the PDCe role. – joeqwerty Aug 01 '22 at 14:46
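
A read-only check for the end state the answer and its comments describe (new PDCe syncing from a manual peer list and flagged reliable, every other DC syncing from the domain hierarchy), as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module and PowerShell remoting to each DC, reads the W32Time registry values rather than changing anything, and treats bit 0x4 of AnnounceFlags as the "always reliable" flag set by /reliable:YES.

```powershell
# Added example: read-only audit of W32Time settings on every DC after a PDCe transfer.
# Assumes the ActiveDirectory module (RSAT) and PowerShell remoting to each DC.
Import-Module ActiveDirectory

$pdce = (Get-ADDomain).PDCEmulator   # FQDN of the current PDCe role holder
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

$report = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        $cfg = Invoke-Command -ComputerName $dc -ErrorAction Stop -ArgumentList $key -ScriptBlock {
            param($key)
            $p = Get-ItemProperty -Path "$key\Parameters"
            $c = Get-ItemProperty -Path "$key\Config"
            [pscustomobject]@{ Type = $p.Type; NtpServer = $p.NtpServer; AnnounceFlags = $c.AnnounceFlags }
        }
    } catch {
        # A DC that cannot be queried is reported, not silently skipped
        [pscustomobject]@{ DC = $dc; IsPDCe = ($dc -eq $pdce); Type = $null; NtpServer = $null
                           Reliable = $null; Findings = "unreachable: $($_.Exception.Message)" }
        continue
    }

    $isPdce   = $dc -eq $pdce
    $reliable = [bool]($cfg.AnnounceFlags -band 0x4)   # 0x4 = always advertise as reliable
    $findings = @()
    if ($isPdce) {
        # Expected after "/syncfromflags:manual /reliable:YES"
        if ($cfg.Type -ne 'NTP') { $findings += "Type is '$($cfg.Type)', expected NTP" }
        if (-not $cfg.NtpServer) { $findings += 'manual peer list is empty' }
        if (-not $reliable)      { $findings += 'not flagged as reliable time source' }
    } else {
        # Expected after "/syncfromflags:DOMHIER" on a freshly re-registered service
        if ($cfg.Type -ne 'NT5DS') { $findings += "Type is '$($cfg.Type)', expected NT5DS" }
        if ($reliable)             { $findings += 'still flagged as reliable time source' }
    }

    [pscustomobject]@{
        DC = $dc; IsPDCe = $isPdce; Type = $cfg.Type; NtpServer = $cfg.NtpServer
        Reliable = $reliable; Findings = if ($findings) { $findings -join '; ' } else { 'ok' }
    }
}

$report | Sort-Object IsPDCe -Descending | Format-Table -AutoSize -Wrap
```

A previous PDCe that still shows Type NTP or Reliable True after the role move is the case the answer's second command set is meant to clear.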