Solved

add 2012 DC to Server 2003 domain

Posted on 2014-01-07
Last Modified: 2014-01-19
I have a single server running Server 2003 Std. SP2. I added a Server 2012 Std server to the domain as a member server. I am now trying to promote the 2012 server to a DC. The 2003 forest and domain are at the 2003 functional level. I am getting the error described here: http://support.microsoft.com/kb/2737560 when the prerequisites check runs (last step before installation). I followed resolution one by adding the logon permissions to the built-in administrator account. Instead of following step two I turned off all firewalls and AV programs, but I'm still getting the same error. There is no Exchange Server.
Question by:rettif9
14 Comments
 
LVL 21

Expert Comment

by:yo_bee
ID: 39764075
Did you shut the firewall service off, or did you just go into Control Panel and turn off the firewall feature for your domain network connection on your 2012 server?

If you shut the service off, you need to have it turned on and just disable the feature from within Control Panel.

Not sure if this will work, but I know if you disable the service you will not be able to RDP into an OS running W7, 2008, W8 or 2012. This might be the case if you did disable the service on that 2012 box.
0
 
LVL 7

Author Comment

by:rettif9
ID: 39764115
Server 2012 firewall is on in services, off in Control Panel. Server 2003 firewall is off in services.
0
 
LVL 21

Expert Comment

by:yo_bee
ID: 39764132
So that idea is out the window.
0
 
LVL 21

Expert Comment

by:yo_bee
ID: 39764134
Did you run adprep on the 2003 box?
0
 
LVL 7

Author Comment

by:rettif9
ID: 39764172
Supposedly not necessary in 2012; it runs automatically during promotion. http://technet.microsoft.com/en-us/library/dd464018(WS.10).aspx
0
 
LVL 7

Author Comment

by:rettif9
ID: 39764204
Getting late here; will continue tomorrow.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39764546
Try the below:

Reboot the Windows 2003 PDC server and the server hosting the Schema master and Domain naming master once.

Then make sure you have logged on to the 2012 server with an account having Enterprise Admins, Domain Admins and Schema Admins group membership prior to starting the below operations.

Check if the AD DS tools were already installed on the 2012 member server when you tried to run DC promotion from the GUI; if not, just add them through Server Manager.
Then insert the 2012 DVD \ ISO, browse to the \Support\Adprep folder on the DVD, and from an elevated command prompt run the below commands on the 2012 member server:

Adprep /Forestprep
Adprep /domainprep
Adprep /domainprep /gpprep
adprep /rodcprep -- This is required only if you want to run an RODC in the Windows 2003 forest. However, you may run this command if you want to without any issues.
http://technet.microsoft.com/library/cc731728.aspx

Side Note:
You must run adprep /domainprep and adprep /domainprep /gpprep in all domains in the given forest.
The same applies to the adprep /rodcprep command as well.

Once all the commands have completed successfully, just reboot the 2012 server once and try to run the DCPromo wizard on the 2012 member server; it will work, hopefully.

Mahesh
0
 
LVL 7

Author Comment

by:rettif9
ID: 39765262
I now have several tools in Administrative Tools on the 2012 server that are normally only found on DCs, like AD Domains and Trusts, AD Users and Computers, etc.

I ran DCDiag from the 2012 server.

I have replaced some names with [generic equivalent]

i.e. localDomain.local = [LOCALDOMAIN]
new server = [2012Server]
existing server = [2003Server]

There seem to be a few causes for concern; please advise.

Microsoft Windows [Version 6.2.9200]
(c) 2012 Microsoft Corporation. All rights reserved.

C:\Users\administrator.[LOCALDOMAIN]>dcdiag /c

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   ***Error: [2012Server] is not a Directory Server.  Must specify /s:<Directory
   Server> or  /n:<Naming Context> or nothing to use the local machine.
   ERROR: Could not find home server.

C:\Users\administrator.[LOCALDOMAIN]>dcdiag /c /s:[2003Server]

Directory Server Diagnosis

Performing initial setup:
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site\[2003SERVER]
      Starting test: Connectivity
         ......................... [2003SERVER] passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site\[2003SERVER]
      Starting test: Advertising
         ......................... [2003SERVER] passed test Advertising
      Starting test: CheckSecurityError
         [[2003SERVER]] No security related replication errors were found on this DC!
         To target the connection to a specific source DC use /ReplSource:<DC>.
         ......................... [2003SERVER] passed test CheckSecurityError
      Starting test: CutoffServers
         ......................... [2003SERVER] passed test CutoffServers
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... [2003SERVER] failed test FrsEvent
      Starting test: DFSREvent
         ......................... [2003SERVER] passed test DFSREvent
      Starting test: SysVolCheck
         ......................... [2003SERVER] passed test SysVolCheck
      Starting test: FrsSysVol
         ......................... [2003SERVER] passed test FrsSysVol
      Starting test: KccEvent
         ......................... [2003SERVER] passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... [2003SERVER] passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... [2003SERVER] passed test MachineAccount
      Starting test: NCSecDesc
         ......................... [2003SERVER] passed test NCSecDesc
      Starting test: NetLogons
         ......................... [2003SERVER] passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... [2003SERVER] passed test ObjectsReplicated
      Starting test: OutboundSecureChannels
         ** Did not run Outbound Secure Channels test because /testdomain: was
         not entered
         ......................... [2003SERVER] passed test OutboundSecureChannels
      Starting test: Replications
         ......................... [2003SERVER] passed test Replications
      Starting test: RidManager
         ......................... [2003SERVER] passed test RidManager
      Starting test: Services
            Invalid service type: RpcSs on [2003SERVER], current value
            WIN32_OWN_PROCESS, expected value WIN32_SHARE_PROCESS
         ......................... [2003SERVER] failed test Services
      Starting test: SystemLog
         ......................... [2003SERVER] passed test SystemLog
      Starting test: Topology
         ......................... [2003SERVER] passed test Topology
      Starting test: VerifyEnterpriseReferences
         ......................... [2003SERVER] passed test VerifyEnterpriseReferences
      Starting test: VerifyReferences
         ......................... [2003SERVER] passed test VerifyReferences
      Starting test: VerifyReplicas
         ......................... [2003SERVER] passed test VerifyReplicas

      Starting test: DNS

         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... [2003SERVER] failed test DNS

   Running partition tests on : TAPI3Directory
      Starting test: CheckSDRefDom
         ......................... TAPI3Directory passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... TAPI3Directory passed test
         CrossRefValidation

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : [LOCALDOMAIN]
      Starting test: CheckSDRefDom
         ......................... [LOCALDOMAIN] passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... [LOCALDOMAIN] passed test CrossRefValidation

   Running enterprise tests on : [LOCALDOMAIN].local
      Starting test: DNS
         Test results for domain controllers:

            DC: [2003Server].[LOCALDOMAIN].local
            Domain: [LOCALDOMAIN].local


               TEST: Basic (Basc)
                  Error: No WMI connectivity
                  No host records (A or AAAA) were found for this DC

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: [LOCALDOMAIN].local
               [2003Server]                        PASS FAIL n/a  n/a  n/a  n/a  n/a

         ......................... [LOCALDOMAIN].local failed test DNS
      Starting test: LocatorCheck
         ......................... [LOCALDOMAIN].local passed test LocatorCheck
      Starting test: FsmoCheck
         ......................... [LOCALDOMAIN].local passed test FsmoCheck
      Starting test: Intersite
         ......................... [LOCALDOMAIN].local passed test Intersite

C:\Users\administrator.[LOCALDOMAIN]>
0
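Added example, not part of the original thread: a small parser that pulls the failed tests and their detail lines out of `dcdiag` output like the run posted above, including the case where the test name wraps onto the next line. The function names and the sample text (host `DC01`) are constructed for illustration.

```python
import re

# Constructed sample in dcdiag's layout (DC01 is a placeholder host name).
SAMPLE = """\
   Testing server: Default-First-Site\\DC01
      Starting test: Advertising
         ......................... DC01 passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.
         ......................... DC01 failed test FrsEvent
      Starting test: Services
            Invalid service type: RpcSs on DC01, current value
            WIN32_OWN_PROCESS, expected value WIN32_SHARE_PROCESS
         ......................... DC01 failed test Services
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test
         CrossRefValidation
"""

START = re.compile(r"^\s*Starting test:\s*(\S+)")
# Verdict line: a run of dots, the target name, then "passed test" or "failed test".
VERDICT = re.compile(r"^\s*\.{5,}\s*(\S+)\s+(passed|failed)\s+test\b")

def parse_dcdiag(text):
    """Return one dict per test: test, target, result, details (list of lines)."""
    results, current = [], None
    for line in text.splitlines():
        m = START.match(line)
        if m:
            current = {"test": m.group(1), "target": None,
                       "result": None, "details": []}
            results.append(current)
            continue
        if current is None:
            continue  # headers, or a test name wrapped below its verdict line
        v = VERDICT.match(line)
        if v:
            current["target"], current["result"] = v.group(1), v.group(2)
            current = None  # verdict closes the test block
        elif line.strip():
            current["details"].append(line.strip())
    return results

def failed_tests(text):
    """Only the tests whose verdict line says 'failed'."""
    return [r for r in parse_dcdiag(text) if r["result"] == "failed"]

if __name__ == "__main__":
    for r in failed_tests(SAMPLE):
        print(f'{r["target"]}: {r["test"]} -> {" ".join(r["details"])}')
```
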
 
LVL 35

Expert Comment

by:Mahesh
ID: 39766063
Basically the output states that the 2012 server is not promoted to a DC yet and the 2003 server is a functional DC.
The AD tools were installed on it when you tried to promote it as a domain controller in the first place.
Simply go to a command prompt and enter net share on the 2012 member server; it will not show you the netlogon and Sysvol shares.
Also, in the Domain Controllers OU on the 2003 DC, you will not find 2012 as a DC; it will be found as a 2012 member server in ADUC.
Also, if you try to connect ADUC to a different server, it will not show you the 2012 server as it is not promoted to a DC yet.

Also check if the 2003 DC is functioning properly:
Run net share in a command prompt; it should show the netlogon and Sysvol shares
Check directory events for event ID 1394
Check File Replication events for 13516
Check that all AD services are running properly:
Netlogon
File replication services
DNS Server
DNS Client
Intersite messaging
Security accounts Manager
Kerberos Key distribution centre
Remote registry

In a command prompt run nslookup
This should resolve to its own IP address and FQDN
In DNS, under the _msdcs.domain.com zone, check that the 2003 server DC GUID is listed, and under NS records also.
Ensure that the DC is pointing to itself in its TCP/IP properties
Go to Run and enter %logonserver% and it should resolve to its own NetBIOS name
In a command prompt run netdom query fsmo and verify that all FSMO roles are listed

Then you could probably go ahead and follow my first comment to deploy the 2012 ADC
Ensure that the 2012 DC is pointing to the 2003 DC in its TCP/IP network card properties for DNS name resolution

Mahesh
0
 
LVL 7

Author Comment

by:rettif9
ID: 39768302
@Mahesh,

I had an Exchange server go down so this got moved to back burner. Hoping to get time to work on it today.
0
 
LVL 7

Author Comment

by:rettif9
ID: 39770209
The Adprep /Forestprep log file has two errors:
Adprep could not retrieve data from the server [2003 server.domain].local through Windows Managment Instrumentation (WMI).

[User Action]

Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20140109220221 directory for possible cause of failure.
[2014/01/09:22:03:18.989]
Adprep encountered a Win32 error.

Error code: 0x6ba Error message: The RPC server is unavailable.

Tried this fix under known issues but it didn't help: http://technet.microsoft.com/en-us/library/hh472161.aspx
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39771814
I hope the 2012 server is a member server; if not, please make it one.

Run the below command on the 2012 DC in an elevated command prompt to turn off the firewall for all 3 profiles:

netsh advfirewall set allprofiles state off
Also ensure that you remove the IPv6 checkbox from the TCP/IP properties on the 2012 server, and the server must point to the 2003 DC in the preferred DNS entry in its TCP/IP settings.

Then try to run the schema upgrade.

If it still fails, try the below workaround:
Introduce a 2008 R2 member server in the existing 2003 domain and install the AD RSAT tools from Windows features, then insert the 2012 DVD in the 2008 R2 member server and from there try to upgrade the schema.

If all the above actions fail, then try the workaround mentioned in the below article:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/d6dd1256-4561-4981-a24e-da075b5d79f3/adding-new-server-2012-dc-in-existing-2003-forest?forum=winserverDS

Mahesh
0
 
LVL 7

Author Comment

by:rettif9
ID: 39787089
@Mahesh
I've got limited opportunities to work on this, but plan to try again Friday evening. I tried the netsh command which completed successfully but then Adprep /forestprep failed again anyway. I plan to try this again. If that fails I'll get a 2008 R2 server joined to the network and try that.
0
 
LVL 7

Author Closing Comment

by:rettif9
ID: 39793115
After rebooting both servers and getting both firewalls stopped, the DC promotion completed successfully. Replication looks like it will be the next challenge. Thanks, Mahesh.
0
