When working with Active Directory, one of the common tasks is moving FSMO roles between servers. Well, maybe not that common, but from time to time you have to move all or just some of the FSMO roles. For that purpose there is a single PowerShell command, Move-ADDirectoryServerOperationMasterRole. Sure, you can do this via the GUI, but if there's one command available to do it all, why bother? To make the move one has to be a Domain Admin, Enterprise Admin and Schema Admin. Everything was going smoothly for some roles but wasn't working for others.
    PS C:\Windows\system32> Move-ADDirectoryServerOperationMasterRole -OperationMasterRole SchemaMaster

    cmdlet Move-ADDirectoryServerOperationMasterRole at command pipeline position 1
    Supply values for the following parameters:
    Identity: XXXXXXX

    Move Operation Master Role
    Do you want to move role 'SchemaMaster' to server 'XXXXXXX.domain.pl' ?
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
    Move-ADDirectoryServerOperationMasterRole : Access is denied
    At line:1 char:1
    + Move-ADDirectoryServerOperationMasterRole -OperationMasterRole Schema ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (XXXXXXX:ADDirectoryServer) [Move-ADDirector...ationMasterRole], ADExcept
       ion
        + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.MoveADDirectorySer
       verOperationMasterRole
So what could be wrong? Nothing that looks wrong at first sight. The trick is (for whatever reason) to change your Primary group to Schema Admins.
By default, it should be Domain Users, but if you're having problems with the FSMO move, just set your Primary group to Schema Admins and you're good to go. Remember that you need to log out for the group change to take effect. After you log back in, you should be able to move the FSMO role without a problem.
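The same procedure as a script, added here as an example and not taken from the original post: it checks the three group memberships, records the current role holders, applies the primary-group workaround, and performs the move after the re-login. It assumes the ActiveDirectory module is installed and that the account lives in the forest root domain; `XXXXXXX` is the placeholder server name from the output above.

```powershell
# Added example, not the post author's code. Requires the ActiveDirectory (RSAT) module.
# Assumption: the account running this is in the forest root domain, where Schema Admins lives.
Import-Module ActiveDirectory

$target = 'XXXXXXX'   # placeholder from the post: the DC that should receive the role
$me     = Get-ADUser -Identity $env:USERNAME -Properties PrimaryGroup

# 1. Confirm the three memberships the post lists as required.
$required = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
$memberOf = Get-ADPrincipalGroupMembership -Identity $me | Select-Object -ExpandProperty Name
$missing  = $required | Where-Object { $_ -notin $memberOf }
if ($missing) { throw "Missing group membership: $($missing -join ', ')" }

# 2. Record the current role holders so the result can be compared afterwards.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# 3. Apply the workaround: make Schema Admins the primary group if it is not already.
$schemaAdmins = Get-ADGroup -Identity 'Schema Admins'
if ($me.PrimaryGroup -ne $schemaAdmins.DistinguishedName) {
    # primaryGroupID holds the RID, i.e. the last component of the group's SID.
    $rid = [int](($schemaAdmins.SID.Value -split '-')[-1])
    Set-ADUser -Identity $me -Replace @{ primaryGroupID = $rid }
    Write-Warning 'Primary group changed. Log out, log back in, then run this script again.'
    return
}

# 4. Primary group is already Schema Admins (second run, after re-login): move the role.
Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole SchemaMaster

# 5. Verify the new holder.
(Get-ADForest).SchemaMaster

# Optional, not part of the post: restore the default primary group (Domain Users) once done.
# $du = Get-ADGroup -Identity 'Domain Users'
# Set-ADUser -Identity $me -Replace @{ primaryGroupID = [int](($du.SID.Value -split '-')[-1]) }
```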