Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

adding a 2k12 dc to sbs 2k3

Posted on 2013-06-18
7
Medium Priority
?
708 Views
Last Modified: 2013-07-01
Hello,

I'm trying to put a 2k12 std server into an sbs 2k3 domain. the forest lvl is set to 2k3. when I run adprep32.exe on the sbs server just to make sure im not missing something (since the gui can be wrong) it fails. attached is the log for the adprep32 run I did. I will also outline step-by-step what ive done when adding the new server to the sbs domain:

1. sbs domain is live and running for millennia as 2k3 forest lvl (I checked b4 the next steps)
2. connected 2k12 srv to domain X
3. "welcome to domain x"
4. rebooted 2k12
5. went to 2k12 dcpromo wizard
6. tried contacting a dc on domain x (the only one is the sbs server)
7. 2k12 returns "verification of replica failed. the forest level is windows 2000. to install a windows 2012 dc...."

any help is appreciated!
ADPrep.log
0
Comment
Question by:CMx-Eng
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 26

Expert Comment

by:Tony J
ID: 39258923
Ok first off I am unsure whether this would or wouldn't be supported but assuming you have taken care to appreciate a couple of things:

SBS can have additional domain controllers but these additional DC's must not host any FSMO roles. If you do this, it'll cause SBS to shut down.

Next, from http://technet.microsoft.com/en-us/library/hh994618.aspx#BKMK_UpgradePaths :

Functional level features and requirements

--------------------------------------------------------------------------------

Windows Server 2012 requires a Windows Server 2003 forest functional level. That is, before you can add a domain controller that runs Windows Server 2012 to an existing Active Directory forest, the forest functional level must be Windows Server 2003 or higher. This means that domain controllers that run Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 can operate in the same forest, but domain controllers that run Windows 2000 Server are not supported and will block installation of a domain controller that runs Windows Server 2012. If the forest contains domain controllers running Windows Server 2003 or later but the forest functional level is still Windows 2000, the installation is also blocked.

Windows 2000 domain controllers must be removed prior to adding Windows Server 2012 domain controllers to your forest. In this case, consider the following workflow:

1.Install domain controllers that run Windows Server 2003 or later. These domain controllers can be deployed on an evaluation version of Windows Server. This step also requires running adprep.exe for that operating system release as a prerequisite.


2.Remove the Windows 2000 domain controllers. Specifically, gracefully demote or forcibly remove Windows Server 2000 domain controllers from the domain and used Active Directory Users and Computers to remove the domain controller accounts for all removed domain controllers.


3.Raise the forest functional level to Windows Server 2003 or higher.


4.Install domain controllers that run Windows Serer 2012.


5.Remove domain controllers that run earlier versions of Windows Server.

Now this is where I am uncertain - see in step 1 where it says run ADPREP.EXE ? ( http://technet.microsoft.com/en-us/library/dd464018(WS.10).aspx ) this writes changes to the AD schema to, among other things, add support for newer versions.

So the step would be something along the lines of, elevate the domain to 2003 functional level (after taking note of how this may impact your current systems), and then run ADPrep from the 2012 media on the SBS DC.

Personally I wouldn't want to do this on a live system.
0
 
LVL 37

Expert Comment

by:Jian An Lim
ID: 39259009
do you have schema admin and domain admin?

also verify this folder security access to confirm why you don't have access to update this folder (use ADSIedit.msc)


[Status/Consequence]

The operation has not run or is not currently running. It will be run next.
[2013/06/18:17:04:55.984]
ADPREP was unable to modify the default security descriptor on object CN=ms-DS-Managed-Service-Account,CN=Schema,CN=Configuration,DC=CENTER,DC=local.

[Status/Consequence]

Adprep attempts to merge the existing default security descriptors with the new access control entry (ACE).
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 39259549
The real question that needs answering is why?  What is your goal by adding Win2K12 server as a DC?

As already pointed out the Forest and Domain Levels of the SBS server to Server 2003
You can find the instructions to perform those tasks here
http://technet.microsoft.com/en-us/library/cc780862(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc776703(v=ws.10).aspx

With Server 2012, you no longer have to run ADPREP on the SBS 2003 server..the "wizard" in Server 2012 will do it for you
CAUTION HERE:   BE SURE YOU HAVE A GOOD, VERIFIABLE BACKUP
The follow the instructions in this great article by one of Microsoft's Premier Field Engineers
http://blogs.technet.com/b/askpfeplat/archive/2012/09/03/introducing-the-first-windows-server-2012-domain-controller.aspx
0
Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

 

Author Comment

by:CMx-Eng
ID: 39262453
@cris we have clients in distant locations on the current domain. adding the new server as a dc and moving everything "in house" is easier from an administrative pov than creating a new domain that would require travel or coordination between points to configure the distant client workstations....

@limjianan the account im using has schema and enterprise rights, yes. I also verified security control for the groups in the adsiedit properties of CN=Schema,CN=Configuration,DC=CENTER,DC=local
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 39263945
just be aware that your SBS 2003 CALs do not cover access to a Server 2012 servers, so you'll need to 2012 CALs as well
0
 

Accepted Solution

by:
CMx-Eng earned 0 total points
ID: 39279798
I had to change a value in CN=Schema,CN=Configuration,DC=CENTER,DC=local to reflect the win 2003 forest lvl and the 2012 DC took. All setup and on the domain now.
0
 

Author Closing Comment

by:CMx-Eng
ID: 39289444
overlooked a value in the config, should have seen it earlier. good thing I double checked...
0

Featured Post

Create the perfect environment for any meeting

You might have a modern environment with all sorts of high-tech equipment, but what makes it worthwhile is how you seamlessly bring together the presentation with audio, video and lighting. The ATEN Control System provides integrated control and system automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

INTRODUCTION The purpose of this document is to demonstrate the Installation and configuration of the Data Protection Manager product. Note that this demonstration was prepared on the basis of Windows OS is 2008 R2 and DPM 2010. DATA PROTECTI…
Are you one of those front-line IT Service Desk staff fielding calls, replying to emails, all-the-while working to resolve end-user technological nightmares? I am! That's why I have put together this brief overview of tools and techniques I use in o…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

662 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question