Can't Raise Forest Functional level from Windows Server 2000 to 2003

Posted on 2014-01-17
Last Modified: 2014-01-17
Hello All and thank you in advance,

My setup consists of one Forest, one domain and 3 domain controllers.

The PDC and FSMO holder is a Windows Server 2003 and the other two are Windows Server 2003 R2.

I have made sure that my admin account is a member of all the appropriate rules.

Replication between the controllers seems to be fine.

There are no other DCs on the network.

I manually added the Schema Update Enable registry entry.

I cannot raise the Forest Functional level from 2000 to 2003 and I get an error saying:
A referral was returned from the server


C:\>netdom query fsmo
Schema owner                CFG01.HQ.DavisCofferLyons.Co.Uk

Domain role owner           CFG01.HQ.DavisCofferLyons.Co.Uk

PDC role                    CFG01.HQ.DavisCofferLyons.Co.Uk

RID pool manager            CFG01.HQ.DavisCofferLyons.Co.Uk

Infrastructure owner        CFG01.HQ.DavisCofferLyons.Co.Uk

The command completed successfully.

Please see below the dcdiag output and the ldap:

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site\CFG01
      Starting test: Connectivity
         ......................... CFG01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site\CFG01
      Starting test: Replications
         ......................... CFG01 passed test Replications
      Starting test: NCSecDesc
         ......................... CFG01 passed test NCSecDesc
      Starting test: NetLogons
         ......................... CFG01 passed test NetLogons
      Starting test: Advertising
         ......................... CFG01 passed test Advertising
      Starting test: KnowsOfRoleHolders
         Warning: CN=NTDS Settings\0ADEL:b3942a9e-5f34-4991-ac50-9d648f236bbf,CN=CFG01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk is the Schema Owner, but is deleted.
         ......................... CFG01 failed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... CFG01 passed test RidManager
      Starting test: MachineAccount
         Warning:  Attribute userAccountControl of CFG01 is: 0x92000 = ( UF_SERVER_TRUST_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_TRUSTED_FOR_DELEGATION )
         Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
         This may be affecting replication?
         ......................... CFG01 passed test MachineAccount
      Starting test: Services
         ......................... CFG01 passed test Services
      Starting test: ObjectsReplicated
         ......................... CFG01 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... CFG01 passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... CFG01 failed test frsevent
      Starting test: kccevent
         An Warning Event occured.  EventID: 0x8000043B
            Time Generated: 01/17/2014   09:36:09
            (Event String could not be retrieved)
         ......................... CFG01 failed test kccevent
      Starting test: systemlog
         ......................... CFG01 passed test systemlog
      Starting test: VerifyReferences
         ......................... CFG01 passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : HQ
      Starting test: CrossRefValidation
         ......................... HQ passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... HQ passed test CheckSDRefDom

   Running enterprise tests on : HQ.DavisCofferLyons.Co.Uk
      Starting test: Intersite
         ......................... HQ.DavisCofferLyons.Co.Uk passed test Intersite
      Starting test: FsmoCheck
         ......................... HQ.DavisCofferLyons.Co.Uk passed test FsmoCheck


LDAP:

Established connection to cfg01.
Retrieving base DSA information...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn:
      1> currentTime: 01/17/2014 09:04:25 GMT Standard Time GMT Daylight Time;
      1> subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk;
      1> dsServiceName: CN=NTDS Settings,CN=CFG01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk;
      5> namingContexts: DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk; CN=Configuration,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk; CN=Schema,CN=Configuration,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk; DC=DomainDnsZones,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk; DC=ForestDnsZones,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk;
      1> defaultNamingContext: DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk;
      1> schemaNamingContext: CN=Schema,CN=Configuration,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk;
      1> configurationNamingContext: CN=Configuration,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk;
      1> rootDomainNamingContext: DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk;
      23> supportedControl: 1.2.840.113556.1.4.319; 1.2.840.113556.1.4.801; 1.2.840.113556.1.4.473; 1.2.840.113556.1.4.528; 1.2.840.113556.1.4.417; 1.2.840.113556.1.4.619; 1.2.840.113556.1.4.841; 1.2.840.113556.1.4.529; 1.2.840.113556.1.4.805; 1.2.840.113556.1.4.521; 1.2.840.113556.1.4.970; 1.2.840.113556.1.4.1338; 1.2.840.113556.1.4.474; 1.2.840.113556.1.4.1339; 1.2.840.113556.1.4.1340; 1.2.840.113556.1.4.1413; 2.16.840.1.113730.3.4.9; 2.16.840.1.113730.3.4.10; 1.2.840.113556.1.4.1504; 1.2.840.113556.1.4.1852; 1.2.840.113556.1.4.802; 1.2.840.113556.1.4.1907; 1.2.840.113556.1.4.1948;
      2> supportedLDAPVersion: 3; 2;
      14> supportedLDAPPolicies: MaxPoolThreads; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize; MaxNotificationPerConn; MaxValRange; ThreadMemoryLimit; SystemMemoryLimitPercent;
      1> highestCommittedUSN: 3655315;
      4> supportedSASLMechanisms: GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;
      1> dnsHostName: CFG01.HQ.DavisCofferLyons.Co.Uk;
      1> ldapServiceName: HQ.DavisCofferLyons.Co.Uk:cfg01$@HQ.DAVISCOFFERLYONS.CO.UK;
      1> serverName: CN=CFG01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk;
      3> supportedCapabilities: 1.2.840.113556.1.4.800; 1.2.840.113556.1.4.1670; 1.2.840.113556.1.4.1791;
      1> isSynchronized: TRUE;
      1> isGlobalCatalogReady: TRUE;
      1> domainFunctionality: 2 = ( DS_BEHAVIOR_WIN2003 );
      1> forestFunctionality: 0 = ( DS_BEHAVIOR_WIN2000 );
      1> domainControllerFunctionality: 2 = ( DS_BEHAVIOR_WIN2003 );
-----------
Question by:jamescarson69
Expert Comment

by:Peter Hutchison
ID: 39788196
Looks like you have an old entry in AD Sites and Services esp for Schema owner:

      Starting test: KnowsOfRoleHolders
         Warning: CN=NTDS Settings\0ADEL:b3942a9e-5f34-4991-ac50-9d648f236bbf,CN=CFG01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk is the Schema Owner, but is deleted.
         ......................... CFG01 failed test KnowsOfRoleHolders

Author Comment

by:jamescarson69
ID: 39788202
Hello,

This is actually the PDC CFG01

Also I tried to move the schema role to another DC and I'm getting an error that CFG01 cannot be contacted.

However, it's up and working.

Expert Comment

by:Will Szymkowski
ID: 39788235
Run the below commands...

- Repadmin /replsum
- Repadmin /showrepl

Based on the DCDIAG log you have failed Sysvol (frsevent) and also hold roles failed as well. What I would do is ensure replication is working correctly with the above commands. Also, check using NTDSUTIL and ensure that the roles are pointing to. This will give you a more accurate result for what Active Directory has listed for the FSMO role holders as it checks with ADSIEdit.

Check FSMO Role using NTDSUTIL

Using "netdom query fsmo" is only checking what the local machine thinks the FSMO roles are. If you run this command on other DC's it will probably show differently as you have got replication issues.

If you find old DC's using NTDSUTIL you need to remove them before you can proceed with the Functional Raise in the forest. You will also want to make sure that your replication is working 100% so that the change applies to all DC's in your environment.

Will.

Author Comment

by:jamescarson69
ID: 39788258
Hello Will and thank you for helping,

Please see below everything seems to be pointing on the CFG01.

C:\>Repadmin /replsum
Replication Summary Start Time: 2014-01-17 12:13:08

Beginning data collection for replication summary, this may take awhile:
  ......


Source DC           largest delta  fails/total  %%  error
 CFG01                     10m:59s    0 /  10    0
 CFG02                     11m:38s    0 /  10    0
 CFGAD1                    11m:14s    0 /  10    0


Destination DC    largest delta    fails/total  %%  error
 CFG01                     07m:46s    0 /  10    0
 CFG02                     11m:14s    0 /  10    0
 CFGAD1                    11m:38s    0 /  10    0



C:\>Repadmin /showrepl

repadmin running command /showrepl against server localhost

Default-First-Site\CFG01
DC Options: IS_GC
Site Options: (none)
DC object GUID: e783f0ac-eed8-4f68-9b89-c977fc4eba7e
DC invocationID: bd7f856e-8b5f-4718-b4ad-20d859ad31c3

==== INBOUND NEIGHBORS ======================================

DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
    Default-First-Site\CFG02 via RPC
        DC object GUID: 6d3769af-c204-4645-a65d-815e5de3ecba
        Last attempt @ 2014-01-17 12:09:03 was successful.
    Default-First-Site\CFGAD1 via RPC
        DC object GUID: c3d3cc0c-4595-419c-a4c5-f437c11d5a3a
        Last attempt @ 2014-01-17 12:11:11 was successful.

CN=Configuration,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
    Default-First-Site\CFG02 via RPC
        DC object GUID: 6d3769af-c204-4645-a65d-815e5de3ecba
        Last attempt @ 2014-01-17 12:11:05 was successful.
    Default-First-Site\CFGAD1 via RPC
        DC object GUID: c3d3cc0c-4595-419c-a4c5-f437c11d5a3a
        Last attempt @ 2014-01-17 12:11:08 was successful.

CN=Schema,CN=Configuration,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
    Default-First-Site\CFG02 via RPC
        DC object GUID: 6d3769af-c204-4645-a65d-815e5de3ecba
        Last attempt @ 2014-01-17 12:05:22 was successful.
    Default-First-Site\CFGAD1 via RPC
        DC object GUID: c3d3cc0c-4595-419c-a4c5-f437c11d5a3a
        Last attempt @ 2014-01-17 12:05:22 was successful.

DC=DomainDnsZones,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
    Default-First-Site\CFG02 via RPC
        DC object GUID: 6d3769af-c204-4645-a65d-815e5de3ecba
        Last attempt @ 2014-01-17 12:05:22 was successful.
    Default-First-Site\CFGAD1 via RPC
        DC object GUID: c3d3cc0c-4595-419c-a4c5-f437c11d5a3a
        Last attempt @ 2014-01-17 12:05:22 was successful.

DC=ForestDnsZones,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
    Default-First-Site\CFG02 via RPC
        DC object GUID: 6d3769af-c204-4645-a65d-815e5de3ecba
        Last attempt @ 2014-01-17 12:05:22 was successful.
    Default-First-Site\CFGAD1 via RPC
        DC object GUID: c3d3cc0c-4595-419c-a4c5-f437c11d5a3a
        Last attempt @ 2014-01-17 12:05:22 was successful.

I ran the netdom query fsmo from CFG02 and I got the same:

C:\>netdom query fsmo
Schema owner                CFG01.HQ.DavisCofferLyons.Co.Uk

Domain role owner           CFG01.HQ.DavisCofferLyons.Co.Uk

PDC role                    CFG01.HQ.DavisCofferLyons.Co.Uk

RID pool manager            CFG01.HQ.DavisCofferLyons.Co.Uk

Infrastructure owner        CFG01.HQ.DavisCofferLyons.Co.Uk

The command completed successfully.

NTDSUTIL:


C:\>ntdsutil
ntdsutil: domain management
domain management: connections
server connections: connect to the server cfg01
Error 80070057 parsing input - illegal syntax?
server connections: connect to server cfg01
Binding to cfg01 ...
Connected to cfg01 using credentials of locally logged on user.
server connections: list roles for connected server
Error 80070057 parsing input - illegal syntax?
server connections: quit
domain management: select operation target
select operation target: list roles for connected server
Server "cfg01" knows about 5 roles
Schema - CN=NTDS Settings\0ADEL:b3942a9e-5f34-4991-ac50-9d648f236bbf,CN=CFG01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
Domain - CN=NTDS Settings,CN=CFG01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
PDC - CN=NTDS Settings,CN=CFG01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
RID - CN=NTDS Settings,CN=CFG01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
Infrastructure - CN=NTDS Settings,CN=CFG01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
select operation target:

Expert Comment

by:Peter Hutchison
ID: 39788435
Try moving the Schema owner from CFG01 to another DC and then back again to see if it updates this entry:

Schema - CN=NTDS Settings\0ADEL:b3942a9e-5f34-4991-ac50-9d648f236bbf,CN=CFG01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk

Accepted Solution

by:Will Szymkowski
ID: 39788540
Use ADSIEdit to see if there are any objects relating to the old DC.

Click Start, click Run, type adsiedit.msc in the Open box, and then click OK.
Expand the Domain Naming Context
Expand DC=domainname, DC=COM
Expand OU=Domain Controllers
See if there is an account from the old DC in there.
If there is > Right-click CN=domain controller name, and then click Delete.

Also check your directory service event logs on your DC's to get more information as you have failed sysvol replication. The logs should be able to provide more detail on why it is happening.

Will.

Author Comment

by:jamescarson69
ID: 39788594
Hello Will,

I was just on the phone with Microsoft and they did what you say.

There was a false entry on the schema so he went to fSMORoleOwner and deleted the value then forced the replication and that did it.

Thank you very much for your help.
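
The stale owner in this thread is visible only as a `\0ADEL:<GUID>` marker inside the fSMORoleOwner DN that ntdsutil and dcdiag print, while netdom query fsmo still reports the server name. As an added example (not part of the original thread), this Python script re-joins console-wrapped ntdsutil "list roles for connected server" output and flags any role whose owner points at a deleted NTDS Settings object; the sample text, server name and GUID are constructed placeholders.

```python
import re

# Constructed sample in the shape of the ntdsutil "list roles for connected
# server" output above (placeholder names and GUID; console wrapping kept).
SAMPLE = r"""
Server "dc01" knows about 5 roles
Schema - CN=NTDS Settings\0ADEL:11111111-2222-3333-4444-555555555555,CN=DC01,CN
=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=t
est
Domain - CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=
Configuration,DC=corp,DC=example,DC=test
PDC - CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Con
figuration,DC=corp,DC=example,DC=test
RID - CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Con
figuration,DC=corp,DC=example,DC=test
Infrastructure - CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site,CN=S
ites,CN=Configuration,DC=corp,DC=example,DC=test
select operation target:
"""

ROLE_LINE = re.compile(r"^(Schema|Domain|PDC|RID|Infrastructure) - (.*)$")
PROMPT = re.compile(r"^[a-z][a-z ]*:")          # e.g. "select operation target:"
# The NTDS Settings RDN, optionally carrying the deleted-object marker that
# the tools display as "\0ADEL:<objectGUID>", followed by the server's CN.
HOLDER = re.compile(
    r"^CN=NTDS Settings(?:\\0ADEL:(?P<guid>[0-9A-Fa-f-]{36}))?,CN=(?P<server>[^,]+),")

def parse_roles(text):
    """Return {role: DN}, re-joining DNs the console wrapped across lines."""
    roles, current = {}, None
    for line in text.splitlines():
        m = ROLE_LINE.match(line)
        if m:
            current = m.group(1)
            roles[current] = m.group(2)
        elif current and line and not PROMPT.match(line):
            roles[current] += line              # continuation of a wrapped DN
        else:
            current = None
    return roles

def stale_role_holders(text):
    """List (role, server, guid) for owners that point at a deleted object."""
    stale = []
    for role, dn in parse_roles(text).items():
        m = HOLDER.match(dn)
        if m and m.group("guid"):
            stale.append((role, m.group("server"), m.group("guid")))
    return stale

if __name__ == "__main__":
    for role, server, guid in stale_role_holders(SAMPLE):
        print(f"{role}: fSMORoleOwner references deleted NTDS Settings "
              f"(objectGUID {guid}) under {server}")
```
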