Solved

Unable to Promote Windows 2012 R2 Domain Controller in 2008 Domain

Posted on 2014-12-11
2
2,235 Views
Last Modified: 2014-12-12
I am trying to promote a Windows Server 2012 R2 to a domain controller in an existing

domain containing two Windows 2008 domain controllers. The current domain functional level is Windows Server 2008. When I run the Wizard on the Win2012r2 server it creates this Powershell script:

#
# Windows PowerShell script for AD DS Deployment
#

Import-Module ADDSDeployment
Install-ADDSDomainController `
-NoGlobalCatalog:$false `
-CreateDnsDelegation:$false `
-CriticalReplicationOnly:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainName "mydomain.local" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SiteName "Default-First-Site-Name" `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true



When the prerequisite check runs it returns the following error:


Windows Server 2012 domain controllers have a default for the security setting named

"Allow cryptography algorithms compatible with Windows NT 4.0" that prevents weaker

cryptography algorithms when establishing security channel sessions.
For more information about this setting, see Knowledge Base article 942564

(http://go.microsoft.com/fwlink/?LinkId=104751).

A delegation for this DNS server cannot be created because the authoritative parent zone

cannot be found or it does not run Windows DNS server. If you are integrating with an

existing DNS infrastructure, you should manually create a delegation to this DNS server

in the parent zone to ensure reliable name resolution from outside the domain

"mydomain.local". Otherwise, no action is required.

Verification of prerequisites for Active Directory preparation failed. Unable to perform

Exchange schema conflict check for domain mydomain.local.
Exception: Server execution failed.
Adprep could not retrieve data from the server PDC.mydomain.local through Windows

Managment Instrumentation (WMI).
[User Action]
Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20141211091657-test

directory for possible cause of failure.

Prerequisites Check Completed

One or more prerequisites failed.  Please fix these issues and click "Rerun

prerequisites check"


The important failure is the "unable to perform Exchange schema conflict check", as it

will not let me continue with the server promotion.

The ADPrep.log:

[2014/12/11:09:16:57.426]
Adprep created the log file 'C:\Windows\debug\adprep\logs\20141211091657-test

\ADPrep.log'
[2014/12/11:09:16:57.426]
Adprep successfully initialized global variables.[Status/Consequence]Adprep is

continuing.
[2014/12/11:09:16:57.435]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to

start the search is CN=Schema,CN=Configuration,DC=mydomain,DC=local.
[2014/12/11:09:16:57.436]
LDAP API ldap_search_s() finished, return code is 0x0
[2014/12/11:09:16:57.436]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to

start the search is CN=PDC,CN=Servers,CN=Default-First-Site-

Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local.
[2014/12/11:09:16:57.436]
LDAP API ldap_search_s() finished, return code is 0x0
[2014/12/11:09:16:57.436]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to

start the search is CN=Schema,CN=Configuration,DC=mydomain,DC=local.
[2014/12/11:09:16:57.437]
LDAP API ldap_search_s() finished, return code is 0x0
[2014/12/11:09:16:57.439]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to

start the search is CN=Infrastructure,DC=mydomain,DC=local.
[2014/12/11:09:16:57.440]
LDAP API ldap_search_s() finished, return code is 0x0
[2014/12/11:09:16:57.440]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to

start the search is CN=PDC,CN=Servers,CN=Default-First-Site-

Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local.
[2014/12/11:09:16:57.441]
LDAP API ldap_search_s() finished, return code is 0x0
[2014/12/11:09:16:57.453]
Adprep discovered the schema FSMO: PDC.mydomain.local.
[2014/12/11:09:16:57.457]
Adprep connected to the schema FSMO: PDC.mydomain.local.
[2014/12/11:09:16:57.457]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to

start the search is (null).
[2014/12/11:09:16:57.457]
LDAP API ldap_search_s() finished, return code is 0x0
[2014/12/11:09:16:57.457]
Adprep successfully retrieved information from the Active Directory Domain Services.
[2014/12/11:09:16:57.457]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to

start the search is DC=mydomain,DC=local.
[2014/12/11:09:16:57.458]
LDAP API ldap_search_s finished, return code is 0x0
[2014/12/11:09:16:57.458]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to

start the search is (null).
[2014/12/11:09:16:57.459]
LDAP API ldap_search_ext_s finished, return code is 0x0
[2014/12/11:09:16:57.459]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to

start the search is (null).
[2014/12/11:09:16:57.459]
LDAP API ldap_search_s finished, return code is 0x0
[2014/12/11:09:16:57.469]
Adprep discovered the Infrastructure FSMO: PDC.mydomain.local.
[2014/12/11:09:16:57.473]
Adprep connected to the Infrastructure FSMO: PDC.mydomain.local.
[2014/12/11:09:16:57.473]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to

start the search is (null).
[2014/12/11:09:16:57.474]
LDAP API ldap_search_s() finished, return code is 0x0
[2014/12/11:09:16:57.474]
Adprep successfully retrieved information from the Active Directory Domain Services.
[2014/12/11:09:16:57.474]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to

start the search is DC=mydomain,DC=local.
[2014/12/11:09:16:57.475]
LDAP API ldap_search_s finished, return code is 0x0
[2014/12/11:09:16:57.475]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to

start the search is (null).
[2014/12/11:09:16:57.475]
LDAP API ldap_search_ext_s finished, return code is 0x0
[2014/12/11:09:16:57.475]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to

start the search is (null).
[2014/12/11:09:16:57.476]
LDAP API ldap_search_s finished, return code is 0x0
[2014/12/11:09:16:57.500]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to

start the search is (null).
[2014/12/11:09:16:57.501]
LDAP API ldap_search_s() finished, return code is 0x0
[2014/12/11:09:16:57.501]
Adprep successfully retrieved information from the Active Directory Domain Services.
[2014/12/11:09:16:57.501]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to

start the search is CN=UID,CN=Schema,CN=Configuration,DC=mydomain,DC=local.
[2014/12/11:09:16:57.512]
LDAP API ldap_search_s() finished, return code is 0x0
[2014/12/11:09:16:57.512]
Adprep successfully determined whether Microsoft Windows Services for UNIX (SFU) is

installed or not. If adprep detected SFU, adprep also verified that Microsoft hotfix

Q293783 for SFU has been applied.
[2014/12/11:09:17:27.623]
Adprep could not retrieve data from the server PDC.mydomain.local through Windows

Managment Instrumentation (WMI).[User Action]Check the log file ADPrep.log in the C:

\Windows\debug\adprep\logs\20141211091657-test directory for possible cause of failure.
[2014/12/11:09:17:27.623]
Adprep encountered an error. Error code: 0x80080005 Error message: Server execution

failed

DSID Info:
DSID: 0x181001a6
HRESULT = 0x80080005
NT BUILD: 9200
NT BUILD: 16384

[2014/12/11:09:17:27.623]
Adprep failed while performing Exchange schema check.[Status/Consequence]The Active

Directory Domain Services schema is not upgraded.[User Action]Check the log file

ADPrep.log in the C:\Windows\debug\adprep\logs\20141211091657-test directory for

possible cause of failure.
[2014/12/11:09:17:27.623]
Adprep encountered an error. Error code: 0x80080005 Error message: Server execution

failed

DSID Info:
DSID: 0x181001a6
HRESULT = 0x80080005
NT BUILD: 9200
NT BUILD: 16384

Windows firewall on the servers is disabled and there is no network firewall between the servers. I am logged in as a Domain Admin/Enterprise Admin/Schema Admin.
0
Comment
Question by:MPLJasper
2 Comments
 
LVL 3

Accepted Solution

by:
v_2abhis2 earned 500 total points
ID: 40495219
Hello,

The answer to your problem lies in the following KB article

http://support.microsoft.com/kb/2737560

"Add the NETWORK SERVICE as part of the SeServiceLogonRight ("Logon as a service") right back to the Default Domain Controllers policy. By default, the service exists there in Windows Server 2003 domains. Make sure that no other policy is removing the service if the service is already present in the Default Domain Controllers policy. By default, the service is set by local security policy on all servers in Windows Server 2008 and later versions and is no longer part of Default Domain Controllers policy"

Thanks
Abhishek
0
 

Author Comment

by:MPLJasper
ID: 40496639
I found this KB article a few days ago and made the change to the Default Domain Controllers Policy. I was still unable to promote my 2012 server to Domain Controller until today when I rebooted my PDC. Works perfectly now!
0

Join & Write a Comment

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
Synchronize a new Active Directory domain with an existing Office 365 tenant
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now