?
Solved

Unable to Promote Windows 2012 R2 Domain Controller in 2008 Domain

Posted on 2014-12-11
2
Medium Priority
?
3,712 Views
Last Modified: 2014-12-12
I am trying to promote a Windows Server 2012 R2 to a domain controller in an existing

domain containing two Windows 2008 domain controllers. The current domain functional level is Windows Server 2008. When I run the Wizard on the Win2012r2 server it creates this Powershell script:

#
# Windows PowerShell script for AD DS Deployment
#

Import-Module ADDSDeployment
Install-ADDSDomainController `
-NoGlobalCatalog:$false `
-CreateDnsDelegation:$false `
-CriticalReplicationOnly:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainName "mydomain.local" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SiteName "Default-First-Site-Name" `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true



When the prerequisite check runs it returns the following error:


Windows Server 2012 domain controllers have a default for the security setting named

"Allow cryptography algorithms compatible with Windows NT 4.0" that prevents weaker

cryptography algorithms when establishing security channel sessions.
For more information about this setting, see Knowledge Base article 942564

(http://go.microsoft.com/fwlink/?LinkId=104751).

A delegation for this DNS server cannot be created because the authoritative parent zone

cannot be found or it does not run Windows DNS server. If you are integrating with an

existing DNS infrastructure, you should manually create a delegation to this DNS server

in the parent zone to ensure reliable name resolution from outside the domain

"mydomain.local". Otherwise, no action is required.

Verification of prerequisites for Active Directory preparation failed. Unable to perform

Exchange schema conflict check for domain mydomain.local.
Exception: Server execution failed.
Adprep could not retrieve data from the server PDC.mydomain.local through Windows

Managment Instrumentation (WMI).
[User Action]
Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20141211091657-test

directory for possible cause of failure.

Prerequisites Check Completed

One or more prerequisites failed.  Please fix these issues and click "Rerun

prerequisites check"


The important failure is the "unable to perform Exchange schema conflict check", as it

will not let me continue with the server promotion.

The ADPrep.log:

[2014/12/11:09:16:57.426]
Adprep created the log file 'C:\Windows\debug\adprep\logs\20141211091657-test

\ADPrep.log'
[2014/12/11:09:16:57.426]
Adprep successfully initialized global variables.[Status/Consequence]Adprep is

continuing.
[2014/12/11:09:16:57.435]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to

start the search is CN=Schema,CN=Configuration,DC=mydomain,DC=local.
[2014/12/11:09:16:57.436]
LDAP API ldap_search_s() finished, return code is 0x0
[2014/12/11:09:16:57.436]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to

start the search is CN=PDC,CN=Servers,CN=Default-First-Site-

Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local.
[2014/12/11:09:16:57.436]
LDAP API ldap_search_s() finished, return code is 0x0
[2014/12/11:09:16:57.436]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to

start the search is CN=Schema,CN=Configuration,DC=mydomain,DC=local.
[2014/12/11:09:16:57.437]
LDAP API ldap_search_s() finished, return code is 0x0
[2014/12/11:09:16:57.439]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to

start the search is CN=Infrastructure,DC=mydomain,DC=local.
[2014/12/11:09:16:57.440]
LDAP API ldap_search_s() finished, return code is 0x0
[2014/12/11:09:16:57.440]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to

start the search is CN=PDC,CN=Servers,CN=Default-First-Site-

Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local.
[2014/12/11:09:16:57.441]
LDAP API ldap_search_s() finished, return code is 0x0
[2014/12/11:09:16:57.453]
Adprep discovered the schema FSMO: PDC.mydomain.local.
[2014/12/11:09:16:57.457]
Adprep connected to the schema FSMO: PDC.mydomain.local.
[2014/12/11:09:16:57.457]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to

start the search is (null).
[2014/12/11:09:16:57.457]
LDAP API ldap_search_s() finished, return code is 0x0
[2014/12/11:09:16:57.457]
Adprep successfully retrieved information from the Active Directory Domain Services.
[2014/12/11:09:16:57.457]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to

start the search is DC=mydomain,DC=local.
[2014/12/11:09:16:57.458]
LDAP API ldap_search_s finished, return code is 0x0
[2014/12/11:09:16:57.458]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to

start the search is (null).
[2014/12/11:09:16:57.459]
LDAP API ldap_search_ext_s finished, return code is 0x0
[2014/12/11:09:16:57.459]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to

start the search is (null).
[2014/12/11:09:16:57.459]
LDAP API ldap_search_s finished, return code is 0x0
[2014/12/11:09:16:57.469]
Adprep discovered the Infrastructure FSMO: PDC.mydomain.local.
[2014/12/11:09:16:57.473]
Adprep connected to the Infrastructure FSMO: PDC.mydomain.local.
[2014/12/11:09:16:57.473]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to

start the search is (null).
[2014/12/11:09:16:57.474]
LDAP API ldap_search_s() finished, return code is 0x0
[2014/12/11:09:16:57.474]
Adprep successfully retrieved information from the Active Directory Domain Services.
[2014/12/11:09:16:57.474]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to

start the search is DC=mydomain,DC=local.
[2014/12/11:09:16:57.475]
LDAP API ldap_search_s finished, return code is 0x0
[2014/12/11:09:16:57.475]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to

start the search is (null).
[2014/12/11:09:16:57.475]
LDAP API ldap_search_ext_s finished, return code is 0x0
[2014/12/11:09:16:57.475]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to

start the search is (null).
[2014/12/11:09:16:57.476]
LDAP API ldap_search_s finished, return code is 0x0
[2014/12/11:09:16:57.500]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to

start the search is (null).
[2014/12/11:09:16:57.501]
LDAP API ldap_search_s() finished, return code is 0x0
[2014/12/11:09:16:57.501]
Adprep successfully retrieved information from the Active Directory Domain Services.
[2014/12/11:09:16:57.501]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to

start the search is CN=UID,CN=Schema,CN=Configuration,DC=mydomain,DC=local.
[2014/12/11:09:16:57.512]
LDAP API ldap_search_s() finished, return code is 0x0
[2014/12/11:09:16:57.512]
Adprep successfully determined whether Microsoft Windows Services for UNIX (SFU) is

installed or not. If adprep detected SFU, adprep also verified that Microsoft hotfix

Q293783 for SFU has been applied.
[2014/12/11:09:17:27.623]
Adprep could not retrieve data from the server PDC.mydomain.local through Windows

Managment Instrumentation (WMI).[User Action]Check the log file ADPrep.log in the C:

\Windows\debug\adprep\logs\20141211091657-test directory for possible cause of failure.
[2014/12/11:09:17:27.623]
Adprep encountered an error. Error code: 0x80080005 Error message: Server execution

failed

DSID Info:
DSID: 0x181001a6
HRESULT = 0x80080005
NT BUILD: 9200
NT BUILD: 16384

[2014/12/11:09:17:27.623]
Adprep failed while performing Exchange schema check.[Status/Consequence]The Active

Directory Domain Services schema is not upgraded.[User Action]Check the log file

ADPrep.log in the C:\Windows\debug\adprep\logs\20141211091657-test directory for

possible cause of failure.
[2014/12/11:09:17:27.623]
Adprep encountered an error. Error code: 0x80080005 Error message: Server execution

failed

DSID Info:
DSID: 0x181001a6
HRESULT = 0x80080005
NT BUILD: 9200
NT BUILD: 16384

Windows firewall on the servers is disabled and there is no network firewall between the servers. I am logged in as a Domain Admin/Enterprise Admin/Schema Admin.
0
Comment
Question by:MPLJasper
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 3

Accepted Solution

by:
v_2abhis2 earned 2000 total points
ID: 40495219
Hello,

The answer to your problem lies in the following KB article

http://support.microsoft.com/kb/2737560

"Add the NETWORK SERVICE as part of the SeServiceLogonRight ("Logon as a service") right back to the Default Domain Controllers policy. By default, the service exists there in Windows Server 2003 domains. Make sure that no other policy is removing the service if the service is already present in the Default Domain Controllers policy. By default, the service is set by local security policy on all servers in Windows Server 2008 and later versions and is no longer part of Default Domain Controllers policy"

Thanks
Abhishek
0
 

Author Comment

by:MPLJasper
ID: 40496639
I found this KB article a few days ago and made the change to the Default Domain Controllers Policy. I was still unable to promote my 2012 server to Domain Controller until today when I rebooted my PDC. Works perfectly now!
0

Featured Post

What Is Blockchain Technology?

Blockchain is a technology that underpins the success of Bitcoin and other digital currencies, but it has uses far beyond finance. Learn how blockchain works and why it is proving disruptive to other areas of IT.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here's a look at newsworthy articles and community happenings during the last month.
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question