Solved

Can't Raise Forest Functional level from Windows Server 2000 to 2003

Posted on 2014-01-17
7
2,758 Views
Last Modified: 2014-01-17
Hello All and thank you in advance,

My setup consists of one Forest, one domain and 3 domain controllers.

The PDC and FSMO holder is a Windows Server 2003 and the other two are Windows Server 2003 R2.

I have made sure that my admin account is member of all the appropriate rules.

Replication between the controllers seems to be fine.

There are no other DCs on the network.

I manually added the Schema Update Enable registry entry.

I cannot raise the Forest Functional level from 2000 to 2003 and I get an error saying:
A referral was returned from the server


C:\>netdom query fsmo
Schema owner                CFG01.HQ.DavisCofferLyons.Co.Uk

Domain role owner           CFG01.HQ.DavisCofferLyons.Co.Uk

PDC role                    CFG01.HQ.DavisCofferLyons.Co.Uk

RID pool manager            CFG01.HQ.DavisCofferLyons.Co.Uk

Infrastructure owner        CFG01.HQ.DavisCofferLyons.Co.Uk

The command completed successfully.

Please see below the dcdiag output and the ldap:

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site\CFG01
      Starting test: Connectivity
         ......................... CFG01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site\CFG01
      Starting test: Replications
         ......................... CFG01 passed test Replications
      Starting test: NCSecDesc
         ......................... CFG01 passed test NCSecDesc
      Starting test: NetLogons
         ......................... CFG01 passed test NetLogons
      Starting test: Advertising
         ......................... CFG01 passed test Advertising
      Starting test: KnowsOfRoleHolders
         Warning: CN=NTDS Settings\0ADEL:b3942a9e-5f34-4991-ac50-9d648f236bbf,C
=CFG01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=HQ,DC=Davi
CofferLyons,DC=Co,DC=Uk is the Schema Owner, but is deleted.
         ......................... CFG01 failed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... CFG01 passed test RidManager
      Starting test: MachineAccount
         Warning:  Attribute userAccountControl of CFG01 is: 0x92000 = ( UF_SER
ER_TRUST_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_TRUSTED_FOR_DELEGATION )
         Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_T
USTED_FOR_DELEGATION )
         This may be affecting replication?
         ......................... CFG01 passed test MachineAccount
      Starting test: Services
         ......................... CFG01 passed test Services
      Starting test: ObjectsReplicated
         ......................... CFG01 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... CFG01 passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... CFG01 failed test frsevent
      Starting test: kccevent
         An Warning Event occured.  EventID: 0x8000043B
            Time Generated: 01/17/2014   09:36:09
            (Event String could not be retrieved)
         ......................... CFG01 failed test kccevent
      Starting test: systemlog
         ......................... CFG01 passed test systemlog
      Starting test: VerifyReferences
         ......................... CFG01 passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidatio

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidatio

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : HQ
      Starting test: CrossRefValidation
         ......................... HQ passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... HQ passed test CheckSDRefDom

   Running enterprise tests on : HQ.DavisCofferLyons.Co.Uk
      Starting test: Intersite
         ......................... HQ.DavisCofferLyons.Co.Uk passed test Inters
te
      Starting test: FsmoCheck
         ......................... HQ.DavisCofferLyons.Co.Uk passed test FsmoCh
ck


LDAP:

Established connection to cfg01.
Retrieving base DSA information...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn:
      1> currentTime: 01/17/2014 09:04:25 GMT Standard Time GMT Daylight Time;
      1> subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk;
      1> dsServiceName: CN=NTDS Settings,CN=CFG01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk;
      5> namingContexts: DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk; CN=Configuration,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk; CN=Schema,CN=Configuration,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk; DC=DomainDnsZones,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk; DC=ForestDnsZones,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk;
      1> defaultNamingContext: DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk;
      1> schemaNamingContext: CN=Schema,CN=Configuration,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk;
      1> configurationNamingContext: CN=Configuration,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk;
      1> rootDomainNamingContext: DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk;
      23> supportedControl: 1.2.840.113556.1.4.319; 1.2.840.113556.1.4.801; 1.2.840.113556.1.4.473; 1.2.840.113556.1.4.528; 1.2.840.113556.1.4.417; 1.2.840.113556.1.4.619; 1.2.840.113556.1.4.841; 1.2.840.113556.1.4.529; 1.2.840.113556.1.4.805; 1.2.840.113556.1.4.521; 1.2.840.113556.1.4.970; 1.2.840.113556.1.4.1338; 1.2.840.113556.1.4.474; 1.2.840.113556.1.4.1339; 1.2.840.113556.1.4.1340; 1.2.840.113556.1.4.1413; 2.16.840.1.113730.3.4.9; 2.16.840.1.113730.3.4.10; 1.2.840.113556.1.4.1504; 1.2.840.113556.1.4.1852; 1.2.840.113556.1.4.802; 1.2.840.113556.1.4.1907; 1.2.840.113556.1.4.1948;
      2> supportedLDAPVersion: 3; 2;
      14> supportedLDAPPolicies: MaxPoolThreads; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize; MaxNotificationPerConn; MaxValRange; ThreadMemoryLimit; SystemMemoryLimitPercent;
      1> highestCommittedUSN: 3655315;
      4> supportedSASLMechanisms: GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;
      1> dnsHostName: CFG01.HQ.DavisCofferLyons.Co.Uk;
      1> ldapServiceName: HQ.DavisCofferLyons.Co.Uk:cfg01$@HQ.DAVISCOFFERLYONS.CO.UK;
      1> serverName: CN=CFG01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk;
      3> supportedCapabilities: 1.2.840.113556.1.4.800; 1.2.840.113556.1.4.1670; 1.2.840.113556.1.4.1791;
      1> isSynchronized: TRUE;
      1> isGlobalCatalogReady: TRUE;
      1> domainFunctionality: 2 = ( DS_BEHAVIOR_WIN2003 );
      1> forestFunctionality: 0 = ( DS_BEHAVIOR_WIN2000 );
      1> domainControllerFunctionality: 2 = ( DS_BEHAVIOR_WIN2003 );
-----------
0
Comment
Question by:jamescarson69
  • 3
  • 2
  • 2
7 Comments
 
LVL 18

Expert Comment

by:Peter Hutchison
ID: 39788196
Looks like you have an old entry in AD Sites and Services esp for Schema owner:

      Starting test: KnowsOfRoleHolders
         Warning: CN=NTDS Settings\0ADEL:b3942a9e-5f34-4991-ac50-9d648f236bbf,C
=CFG01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=HQ,DC=Davi
CofferLyons,DC=Co,DC=Uk is the Schema Owner, but is deleted.
         ......................... CFG01 failed test KnowsOfRoleHolders
0
 

Author Comment

by:jamescarson69
ID: 39788202
Hello,

This is actually the PDC CFG01

Also I tried to move the schema role to another DC and i'm getting an error that CFG01 cannot be contacted.

HOw ever it's up and working.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39788235
Run the below commands...

- Repadmin /replsum
- Repadmin /showrepl

Based on the DCDIAG log you have failed Sysvol (frsevent) and also hold roles failed as well. What I would do is ensure replication is working correctly with the above commands. Also, check using NTDSUTIL and ensure that the roles are pointing to. This will give you a more accurate result for what Active Directory has listed for the FSMO role holders as it checks with ADSIEdit.

Check FSMO Role using NTDSUTIL

Using "netdom query fsmo" is only checking what the local machine thinks the FSMO roles are. If you run this command on other DC's it will probbaly show differently as you have got replicaiton issues.

If you find old DC's using NTDSUTIL you need to remove them before you can proceed with the Functional Raise in the forest. You will also want to make sure that your replication is working 100% so that the change applies to all DC's in your environment.

Will.
0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 

Author Comment

by:jamescarson69
ID: 39788258
HEllo Will and thank you for helping,

Please see below everything seems to be pointing on the CFG01.

C:\>Repadmin /replsum
Replication Summary Start Time: 2014-01-17 12:13:08

Beginning data collection for replication summary, this may take awhile:
  ......


Source DC           largest delta  fails/total  %%  error
 CFG01                     10m:59s    0 /  10    0
 CFG02                     11m:38s    0 /  10    0
 CFGAD1                    11m:14s    0 /  10    0


Destination DC    largest delta    fails/total  %%  error
 CFG01                     07m:46s    0 /  10    0
 CFG02                     11m:14s    0 /  10    0
 CFGAD1                    11m:38s    0 /  10    0



C:\>Repadmin /showrepl

repadmin running command /showrepl against server localhost

Default-First-Site\CFG01
DC Options: IS_GC
Site Options: (none)
DC object GUID: e783f0ac-eed8-4f68-9b89-c977fc4eba7e
DC invocationID: bd7f856e-8b5f-4718-b4ad-20d859ad31c3

==== INBOUND NEIGHBORS ======================================

DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
    Default-First-Site\CFG02 via RPC
        DC object GUID: 6d3769af-c204-4645-a65d-815e5de3ecba
        Last attempt @ 2014-01-17 12:09:03 was successful.
    Default-First-Site\CFGAD1 via RPC
        DC object GUID: c3d3cc0c-4595-419c-a4c5-f437c11d5a3a
        Last attempt @ 2014-01-17 12:11:11 was successful.

CN=Configuration,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
    Default-First-Site\CFG02 via RPC
        DC object GUID: 6d3769af-c204-4645-a65d-815e5de3ecba
        Last attempt @ 2014-01-17 12:11:05 was successful.
    Default-First-Site\CFGAD1 via RPC
        DC object GUID: c3d3cc0c-4595-419c-a4c5-f437c11d5a3a
        Last attempt @ 2014-01-17 12:11:08 was successful.

CN=Schema,CN=Configuration,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
    Default-First-Site\CFG02 via RPC
        DC object GUID: 6d3769af-c204-4645-a65d-815e5de3ecba
        Last attempt @ 2014-01-17 12:05:22 was successful.
    Default-First-Site\CFGAD1 via RPC
        DC object GUID: c3d3cc0c-4595-419c-a4c5-f437c11d5a3a
        Last attempt @ 2014-01-17 12:05:22 was successful.

DC=DomainDnsZones,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
    Default-First-Site\CFG02 via RPC
        DC object GUID: 6d3769af-c204-4645-a65d-815e5de3ecba
        Last attempt @ 2014-01-17 12:05:22 was successful.
    Default-First-Site\CFGAD1 via RPC
        DC object GUID: c3d3cc0c-4595-419c-a4c5-f437c11d5a3a
        Last attempt @ 2014-01-17 12:05:22 was successful.

DC=ForestDnsZones,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
    Default-First-Site\CFG02 via RPC
        DC object GUID: 6d3769af-c204-4645-a65d-815e5de3ecba
        Last attempt @ 2014-01-17 12:05:22 was successful.
    Default-First-Site\CFGAD1 via RPC
        DC object GUID: c3d3cc0c-4595-419c-a4c5-f437c11d5a3a
        Last attempt @ 2014-01-17 12:05:22 was successful.

I ran the netdom query fsmo from CFG02 and I got the same:

C:\>netdom query fsmo
Schema owner                CFG01.HQ.DavisCofferLyons.Co.Uk

Domain role owner           CFG01.HQ.DavisCofferLyons.Co.Uk

PDC role                    CFG01.HQ.DavisCofferLyons.Co.Uk

RID pool manager            CFG01.HQ.DavisCofferLyons.Co.Uk

Infrastructure owner        CFG01.HQ.DavisCofferLyons.Co.Uk

The command completed successfully.

NTDSUTIL:


C:\>ntdsutil
ntdsutil: domain management
domain management: connections
server connections: connect to the server cfg01
Error 80070057 parsing input - illegal syntax?
server connections: connect to server cfg01
Binding to cfg01 ...
Connected to cfg01 using credentials of locally logged on user.
server connections: list roles for connected server
Error 80070057 parsing input - illegal syntax?
server connections: quit
domain management: select operation target
select operation target: list roles for connected server
Server "cfg01" knows about 5 roles
Schema - CN=NTDS Settings\0ADEL:b3942a9e-5f34-4991-ac50-9d648f236bbf,CN=CFG01,CN
=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=HQ,DC=DavisCofferLyo
ns,DC=Co,DC=Uk
Domain - CN=NTDS Settings,CN=CFG01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=
Configuration,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
PDC - CN=NTDS Settings,CN=CFG01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Con
figuration,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
RID - CN=NTDS Settings,CN=CFG01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Con
figuration,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
Infrastructure - CN=NTDS Settings,CN=CFG01,CN=Servers,CN=Default-First-Site,CN=S
ites,CN=Configuration,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
select operation target:
0
 
LVL 18

Expert Comment

by:Peter Hutchison
ID: 39788435
Try moving the Schema owner from CGF01 to another DC and then back again to see if it update this entry:

Schema - CN=NTDS Settings\0ADEL:b3942a9e-5f34-4991-ac50-9d648f236bbf,CN=CFG01,CN
=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=HQ,DC=DavisCofferLyo
ns,DC=Co,DC=Uk
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 39788540
Use ADSIEdit to see if there are any objects relating to the old DC.

Click Start, click Run, type adsiedit.msc in the Open box, and then click OK.
Expand the Domain Naming Context
Expand DC=domainname, DC=COM
Expand OU=Domain Controllers
See if there is an account from the old DC in there.
If there is > Right-click CN=domain controller name, and then click Delete.

Also check your directory service event logs on your DC's to get more information as you have failed sysvol replicaiton. The logs should be able to provide more detail on why it is happening.

Will.
0
 

Author Comment

by:jamescarson69
ID: 39788594
Hello Will,

I was just on the phone with Microsoft and they did what you say.

There was a false entry on the schema so he went to fSMORoleOwner and deleted the value then forced the replication and that did it.

Thank you very much for your help.
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Citrix XenApp, Internet Explorer 11 set to Enterprise Mode and using central hosted sites.xml file.
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now