Solved

Unable to Promote Windows 2012 R2 Domain Controller in 2008 Domain

Posted on 2014-12-11
Last Modified: 2014-12-12
I am trying to promote a Windows Server 2012 R2 to a domain controller in an existing domain containing two Windows 2008 domain controllers. The current domain functional level is Windows Server 2008. When I run the Wizard on the Win2012r2 server it creates this PowerShell script:

#
# Windows PowerShell script for AD DS Deployment
#

Import-Module ADDSDeployment
Install-ADDSDomainController `
-NoGlobalCatalog:$false `
-CreateDnsDelegation:$false `
-CriticalReplicationOnly:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainName "mydomain.local" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SiteName "Default-First-Site-Name" `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true



When the prerequisite check runs it returns the following error:


Windows Server 2012 domain controllers have a default for the security setting named "Allow cryptography algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security channel sessions.
For more information about this setting, see Knowledge Base article 942564 (http://go.microsoft.com/fwlink/?LinkId=104751).

A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain "mydomain.local". Otherwise, no action is required.

Verification of prerequisites for Active Directory preparation failed. Unable to perform Exchange schema conflict check for domain mydomain.local.
Exception: Server execution failed.
Adprep could not retrieve data from the server PDC.mydomain.local through Windows Managment Instrumentation (WMI).
[User Action]
Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20141211091657-test directory for possible cause of failure.

Prerequisites Check Completed

One or more prerequisites failed.  Please fix these issues and click "Rerun prerequisites check"


The important failure is the "unable to perform Exchange schema conflict check", as it will not let me continue with the server promotion.

The ADPrep.log:

[2014/12/11:09:16:57.426]
Adprep created the log file 'C:\Windows\debug\adprep\logs\20141211091657-test\ADPrep.log'
[2014/12/11:09:16:57.426]
Adprep successfully initialized global variables.[Status/Consequence]Adprep is continuing.
[2014/12/11:09:16:57.435]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Schema,CN=Configuration,DC=mydomain,DC=local.
[2014/12/11:09:16:57.436]
LDAP API ldap_search_s() finished, return code is 0x0
[2014/12/11:09:16:57.436]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local.
[2014/12/11:09:16:57.436]
LDAP API ldap_search_s() finished, return code is 0x0
[2014/12/11:09:16:57.436]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Schema,CN=Configuration,DC=mydomain,DC=local.
[2014/12/11:09:16:57.437]
LDAP API ldap_search_s() finished, return code is 0x0
[2014/12/11:09:16:57.439]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Infrastructure,DC=mydomain,DC=local.
[2014/12/11:09:16:57.440]
LDAP API ldap_search_s() finished, return code is 0x0
[2014/12/11:09:16:57.440]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=local.
[2014/12/11:09:16:57.441]
LDAP API ldap_search_s() finished, return code is 0x0
[2014/12/11:09:16:57.453]
Adprep discovered the schema FSMO: PDC.mydomain.local.
[2014/12/11:09:16:57.457]
Adprep connected to the schema FSMO: PDC.mydomain.local.
[2014/12/11:09:16:57.457]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2014/12/11:09:16:57.457]
LDAP API ldap_search_s() finished, return code is 0x0
[2014/12/11:09:16:57.457]
Adprep successfully retrieved information from the Active Directory Domain Services.
[2014/12/11:09:16:57.457]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=mydomain,DC=local.
[2014/12/11:09:16:57.458]
LDAP API ldap_search_s finished, return code is 0x0
[2014/12/11:09:16:57.458]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2014/12/11:09:16:57.459]
LDAP API ldap_search_ext_s finished, return code is 0x0
[2014/12/11:09:16:57.459]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2014/12/11:09:16:57.459]
LDAP API ldap_search_s finished, return code is 0x0
[2014/12/11:09:16:57.469]
Adprep discovered the Infrastructure FSMO: PDC.mydomain.local.
[2014/12/11:09:16:57.473]
Adprep connected to the Infrastructure FSMO: PDC.mydomain.local.
[2014/12/11:09:16:57.473]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2014/12/11:09:16:57.474]
LDAP API ldap_search_s() finished, return code is 0x0
[2014/12/11:09:16:57.474]
Adprep successfully retrieved information from the Active Directory Domain Services.
[2014/12/11:09:16:57.474]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=mydomain,DC=local.
[2014/12/11:09:16:57.475]
LDAP API ldap_search_s finished, return code is 0x0
[2014/12/11:09:16:57.475]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2014/12/11:09:16:57.475]
LDAP API ldap_search_ext_s finished, return code is 0x0
[2014/12/11:09:16:57.475]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2014/12/11:09:16:57.476]
LDAP API ldap_search_s finished, return code is 0x0
[2014/12/11:09:16:57.500]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2014/12/11:09:16:57.501]
LDAP API ldap_search_s() finished, return code is 0x0
[2014/12/11:09:16:57.501]
Adprep successfully retrieved information from the Active Directory Domain Services.
[2014/12/11:09:16:57.501]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=UID,CN=Schema,CN=Configuration,DC=mydomain,DC=local.
[2014/12/11:09:16:57.512]
LDAP API ldap_search_s() finished, return code is 0x0
[2014/12/11:09:16:57.512]
Adprep successfully determined whether Microsoft Windows Services for UNIX (SFU) is installed or not. If adprep detected SFU, adprep also verified that Microsoft hotfix Q293783 for SFU has been applied.
[2014/12/11:09:17:27.623]
Adprep could not retrieve data from the server PDC.mydomain.local through Windows Managment Instrumentation (WMI).[User Action]Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20141211091657-test directory for possible cause of failure.
[2014/12/11:09:17:27.623]
Adprep encountered an error. Error code: 0x80080005 Error message: Server execution failed

DSID Info:
DSID: 0x181001a6
HRESULT = 0x80080005
NT BUILD: 9200
NT BUILD: 16384

[2014/12/11:09:17:27.623]
Adprep failed while performing Exchange schema check.[Status/Consequence]The Active Directory Domain Services schema is not upgraded.[User Action]Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20141211091657-test directory for possible cause of failure.
[2014/12/11:09:17:27.623]
Adprep encountered an error. Error code: 0x80080005 Error message: Server execution failed

DSID Info:
DSID: 0x181001a6
HRESULT = 0x80080005
NT BUILD: 9200
NT BUILD: 16384

Windows firewall on the servers is disabled and there is no network firewall between the servers. I am logged in as a Domain Admin/Enterprise Admin/Schema Admin.
Question by:MPLJasper
Accepted Solution

by: v_2abhis2
Hello,

The answer to your problem lies in the following KB article

http://support.microsoft.com/kb/2737560

"Add the NETWORK SERVICE as part of the SeServiceLogonRight ("Logon as a service") right back to the Default Domain Controllers policy. By default, the service exists there in Windows Server 2003 domains. Make sure that no other policy is removing the service if the service is already present in the Default Domain Controllers policy. By default, the service is set by local security policy on all servers in Windows Server 2008 and later versions and is no longer part of Default Domain Controllers policy"

Thanks
Abhishek

Author Comment

by:MPLJasper
I found this KB article a few days ago and made the change to the Default Domain Controllers Policy. I was still unable to promote my 2012 server to Domain Controller until today when I rebooted my PDC. Works perfectly now!
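
A check for the condition quoted from the KB article in the accepted answer, as an added example that is not part of the original thread or of the KB: it reads the [Privilege Rights] section of a security template and reports whether SeServiceLogonRight is left undefined, includes NETWORK SERVICE (well-known SID S-1-5-20), or is defined without it. The function name Get-ServiceLogonRightState and the sample template lines are assumptions made for illustration.

```powershell
# Added example (not from the thread): classify how a security template
# treats SeServiceLogonRight for NETWORK SERVICE (well-known SID S-1-5-20).
# Get-ServiceLogonRightState is a hypothetical helper name.
function Get-ServiceLogonRightState {
    param([string[]] $InfLines)   # lines of a secedit-style .inf file
    $inSection = $false
    foreach ($line in $InfLines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            # Only entries under [Privilege Rights] are user rights
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection -or $text -notmatch '^SeServiceLogonRight\s*=\s*(.*)$') { continue }
        # Comma-separated entries; SIDs carry a leading '*', account names do not
        $members = @($Matches[1].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $hasNetSvc = [bool]($members | Where-Object {
            $_ -eq '*S-1-5-20' -or $_ -match '^(NT AUTHORITY\\)?NETWORK SERVICE$'
        })
        $state = if ($hasNetSvc) { 'Present' } else { 'Missing' }
        return [pscustomobject]@{ State = $state; Members = $members }
    }
    # Right not defined here: a GPO in this state leaves it to local policy
    [pscustomobject]@{ State = 'NotDefined'; Members = @() }
}

# Constructed sample: a GPO template that defines the right without S-1-5-20,
# so it overrides the local default. The domain SID is made up.
$overriding = @(
    '[Unicode]',
    'Unicode=yes',
    '[Privilege Rights]',
    'SeServiceLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105',
    'SeBackupPrivilege = *S-1-5-32-544'
)
# Constructed sample: the same template after NETWORK SERVICE is added back
$fixed = $overriding -replace '^(SeServiceLogonRight = )', '$1*S-1-5-20,'

'Overriding GPO : ' + (Get-ServiceLogonRightState -InfLines $overriding).State
'After the fix  : ' + (Get-ServiceLogonRightState -InfLines $fixed).State
'Right not set  : ' + (Get-ServiceLogonRightState -InfLines '[Privilege Rights]').State

# Real input, run elevated on the domain controller:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   Get-ServiceLogonRightState -InfLines (Get-Content "$env:TEMP\rights.inf")
# A GPO's own template is GptTmpl.inf under MACHINE\Microsoft\Windows NT\SecEdit
# in that policy's SYSVOL folder.
```

When the input is a secedit export of the effective settings rather than a GPO template, NotDefined means no account holds the right at all, so on a domain controller only Present is a healthy result there.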