What roles to you already have installed on the server? Typically Active Directory would be the first role you would want to install on a domain controller machine.

It looks like someone has tried to install Active Directory before, but there are lots of errors. I'm going to try and remove it and start again.

That didn't work :( I have File Services, IIS and I installed Active Directory services and then went to the next step of running dcpromo and I get the port 88 error. So I can't work out what's using port 88. There was terminal services installed, but I removed that as its not needed.

Try Nirsoft's Current Ports to see what is using port 88 and tell us: http://www.nirsoft.net/utils/cports.html

If I understand what's been said, you have an instance of kerberos already running, and it may be in a broken state, and unusable according to the dcpromo process.

At this point, I have to ask, what is your goal?  If this server will be promoted for a lab, or as part of a learning experience... then it's a worthy goal, and lets see we can get it to work.  If this will be a domain controller for a production environment that you'll need to support for the next several years... then I'd stop now, and build a clean server for your domain controller.

Assuming the lab/learning environment case:  When you uninstalled the previous installation of the AD role, and rebooted -- did you run netstat -anb (or -ano, and look up the pid)?  Could you see whether port tcp/88 was then clear?

Hi, I'm just back online after being sick for a few days. Yes it seems that kerberos is already running, but unusable according to dcpromo. These machines have come from one of our offices that has just closed. I need to get everything working together so that I can clean a few things up. The machine isn't likely be in use for a long time, but I need to promote it as the current DC seems quite old and I'm concerned that it might crash.

I did remove AD role and restart, but the port was still in use.  I will try using the Nirsoft tool to see if it is actually kerberos using 88.

Even though AD is removed, kerberos is still running and using tcp/88. I used Nirsoft tool and confirmed that kerberos is using the port. I did previously use netstat but it just noted it was in use but it could not ID the process.

I can't close port 88. So I'm not sure what to do.

The machine isn't likely be in use for a long time, but I need to promote it as the current DC seems quite old and I'm concerned that it might crash.

If I'm reading this statement correctly that means you should start again - rebuild this server and then promote it to a DC...like @Razmus has already mentioned...since its not doing anything else at minute I'd say that's the quickest way to get back up and running

Kerberos appears to be included in the lsass.exe process... which should be the active directory domain services process.  Do you have a service running named 'Active Directory Domain Services'?  Or did the nirsoft/cport tell you what the executible was?  (Is there any chance someone might have loaded one of the other kerberos implementations?)

I'd still tend towards the server rebuild solution, if remotely possible.

As a side note, running SIW and clicking on Licenses will let you retrieve the installation keys: http://www.majorgeeks.com/files/details/siw_(system_info).html (which may be helpful.)
But; is there any chance there was another server acting as the PDC at the old site?

Thanks. I don't really want to wipe it unless I have to as it has a lot of stuff on it and it will take a long time to setup again and I'm not sure I have access to all the existing installation files for the software on it.

What I meant is that I need it working now, but it won't be used say past 6 months, so a long term solution isn't needed, just a short term one.

Yes there was another PDC, this is why I'm making this one a DC as the PDC seems to have some hardware problems and I am concerned it will crash and leave us without a DC.

I'm not in that office at the moment, but I'll see what other services are running. thanks

Your right answer then is to fire up the old PDC, demote it (!!!), and then run DCPROMO.  The server you want to use is still tied to the old PDC.

OK thanks for that. I'm a bit confused, if I demote the current PDC, where is the new one going to get all the user accounts for the domain from? There aren't any other DC's on the network. Sorry, I don't do this very often, so I don't know a whole lot.

Assumptions:  (1) You don't have any servers off. (You don't need to start any servers.)
(2) Your domain controller isn't Pre-Windows 2000. (You don't really have a PDC.  You have one server which operates as a PDC-emulator, and that role can be switched to any healthy domain controller in your domain.)
(3) You aren't missing any FSMO roles.  (Running 'netdom query fsmo' from a command prompt on the domain controller will identify all your fsmo roles, and where they currently live.)
(4) You have a domain with a single domain controller in it, and that single domain controller isn't healthy.  (DON'T demote that DC.  As you indicate, if this assumption is valid, that is almost exactly opposite of what you want to accomplish.  Your instinct on this question is sharp.)
(5) Folks other than you have built and maintained the server you are working with, and it isn't a tightly controlled environment.  
(6) The existing domain controller is Windows 2008.  (So, for example, we don't have a Windows 2003 DC, which doesn't have the schema extended to support Windows 2008.  We also don't have a Windows 2008 R2 DC, where the Forest/Domain functional level have already been elevated to Windows 2008 R2.)

Let me know if any of these assumptions are invalid.  Some I think you've already stated (for example, we're dealing with Windows 2008, not NT 4.0 or 3.51...)

I'm increasingly concerned that the server you're trying to promote has the MIT implementation of Kerberos installed.  It would be identified as krb5.  What I don't know is whether the Microsoft implementation of Kerberos would also identify itself as krb5.  :-( )  As you say, you'll be able to look closer when you get into the office.  (I'll be waiting with, as they say, bated breath.)

Thanks for the reply.
1) All servers are turned on and connected
2) The DC is Server 2003
3) I don't appear to have netdom. I see it has service pack1, so I'm getting SP2 now, netdom should be with that download.
4) The setup seems fine, there aren't any errors, but the machine is very old and I think the hardware might fail.
5) Yes, someone else set this all up, its come from an office that closed and they have mess everywhere that I need to clean up :(
6) The DC server 2003 and I want to make a newer machine a DC, it is running server 2008 R2. There is only one DC and its the 2003 box.

I ran netdom query fsmo and got - the security context is invalid

Try removing the Active Directory Service from that server and then check if port 88 is still in use.

Can you post the errors from the Event Log?

Migrating AD to a new server: http://technet.microsoft.com/en-us/library/dd379558(v=ws.10).aspx

> The DC is Server 2003

Okay, that leaves open the possibility that the AD schema won't support a Windows 2008 DC, but I don't believe you'd get an error anything like the kerberos error you've already received.  (There are a couple easy ways to determine what level your schema is running.  If you're running something older than 44, you'll just need to run adprep a couple times before advancing.  (Microsoft rolled this into the process of adding the first Server 2012 DC... it'll do it for you in the background if it hasn't already been done.  Well, it will if you have sufficient permissions to update the schema.)

> I ran netdom query fsmo and got - the security context is invalid

That is worrying, which leads me to wonder if the account you are using has sufficient permissions to run DCPromo.  The account you are using is a member of domain admins, enterprise admins, or the domain built-in administrators group?

> Migrating AD to a new server

I'm assuming Impressionist doesn't wish to migrate AD to a new server, but wishes to have more than one domain controller as per best practices.

Yes, I do want a second domain controller for redundancy. The login I am using is the domain admin, so I'm not sure what is going on. I'll keep working at it.

I don't think my port 88 problem has anything to do with the other DC that is running server 2003 as I can't even initiate the process of making the machine a DC because as soon as I run dcpromo after installing AD domain services I get the error stating that port 88 is in use and I can't continue until I free up port 88. Problem is, I can't seem to free it up :(
I might have to give up :(

You can use the following commands to find out what is holding onto port 88.

Run the following commands in the command prompt:
netstat -ano | find /I ":88"

Make a note of the last number in the results.
This is the PID of the application using port 88

Then run:
tasklist | find /I "PID"
where PID is the number you noted from the previous command.

e.g. using port 135
C:\Users\Leon>netstat -ano | find /I ":135"
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    [::]:135               [::]:0                 LISTENING       876

C:\Users\Leon>tasklist | find /I "876"
svchost.exe                    876 Services                   0      9 664 K

I assume you've rebooted the server at least once since you started having this problem. (?)

> netstat -ano | find /I ":88"

I believe Impressionist has already said that netstat didn't identify the PID in this instance, twice.  Both in the original question question, and in a latter comment.

A little more information.
The kerberos function which gets loaded on a domain controller comes from c:\windows\system32\kdsSvc.dll.  You should be able to confirm whether that file is in use.  Doing a quick spot check, I don't see that file on my member servers.

There is still the low probability that a previous administrator has loaded MIT Kerberos , possibly for another project, which would identify itself as krb5.  Try doing a search for any file that contains 'krb5', or the string 'krb5' in the registry.  (I keep coming back to krb5, because you mention that specifically in the error in the original question, and I'm still not sure why you would see reference to that specifically if it weren't the MIT Kerberos...)

Hi Razmus,
I don't have the kdssvc.dll and there is nothing with reference to krb5 in the registry. At first I didn't find what was holding onto port 88 using netstat, but cports tells me its kerberos. Someone has done something to this machine, but who knows what?! Is there anyway to force a port closed, even if it is temporary? If I could do that, at least dcpromo would continue and I could see if it would complete.
I may have to give up and see if I can acquire all the install files for the software on this machine and then wipe it and start again.
thanks for all your help.

My biggest problem is not having a backup DC and having all this stuff on the server I can't promote that I can't easily reinstall :( I don't have many options. Anyway, I'll live with it for now and clean up what I can. Thanks for all your help.

Very helpful, although I didn't solve my problem, I appreciated the help.