Solved

Promoting 2012 to domain controller in 2003 environment

Posted on 2014-12-21
Last Modified: 2014-12-28
Hi,
I'm in the process of promoting a Windows 2012 R2 Standard server within a 2003 domain, and during promotion to a domain controller, when it was running adprep, it got an error referencing WMI.  This is the first 2012 server introduced into the domain, which is running 2 2003 domain controllers and 2 2008 member servers, so there are no 2008 domain controllers, only the 2003 ones, which I want to remove eventually if I can get the new 2012 to extend the schema.  I am attaching the log file from c:\windows\debug\adprep\logs.  The good thing is the server recognizes the other servers on the network.  Thanks.
Question by:dankyle67
17 Comments
 
LVL 32

Expert Comment

by:it_saige
Log file is not attached.  Also are you getting the error on the Windows 2012 server or on a Windows 2003 server?

-saige-
0
 
LVL 15

Expert Comment

by:Ivan
Hi,

What is the Forest functional level? It should be at least Windows 2003 as I recall. When you want to promote 2012r2 to a DC, you first need to prepare the schema on the Windows 2003 DC with /adprep, and then you should be able to promote Windows 2012r2 to an additional DC.

Regards,
0
 

Author Comment

by:dankyle67
Sorry, forgot to attach the log file.  I was told that running adprep from the 2003 domain controller would work, but I was later advised to run the promo of the 2012 server and this would run the adprep all in the same sequence, saving the step of the 2003 route.  I have a concern that if this had errors then it would have a similar error running from the 2003 domain controller.  As I mentioned, the 2012 server is able to recognize the other servers and in addition, it has the users and domain option there along with the other active directory components, so it looks like it is part of active directory, which is nice.  Is this because I had run the active directory domain portion of setup on the 2012 server already?
ADPrep.log
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
Are you running it as an Enterprise administrator?
Error code: 0x5 Error message: Access is denied.
0
 

Author Comment

by:dankyle67
I believe as domain admin, but how would I confirm if I was enterprise admin?  I simply joined it to our domain, which is a single domain.  It did mention access denied on the WMI.
0
 

Author Comment

by:dankyle67
Also, I could not remote desktop into the server from internally, and it gave an error about network level access.  I enabled remote desktop, and it lists administrator as allowed access.  I installed LogMeIn for now so I can at least get in remotely.
0
 

Expert Comment

by:vltsg
You cannot go directly from 2003 server to 2012 server. You MUST have a 2008 domain controller that hosts all the FSMO roles during your migration from 2003 to 2012. Once you have a 2008 (or R2) machine in place, transfer your FSMO roles to that 2008 server. Then bring your 2012 server into the domain and it will work just fine. Once the 2012 is a DC, you move the FSMO roles to that server and can remove the 2008 server (all in one day).
0
 
LVL 32

Accepted Solution

by:
it_saige earned 500 total points
@vltsg you are incorrect, and the article you sourced does not mention anything about your stipulation that a Windows 2008 Server DC must be a member of a 2003 domain in order to add a 2012 DC.

First and foremost, Microsoft states that the Forest and Domain Functional levels must be, at a minimum, Windows Server 2003 in order to support a Windows Server 2012 DC.

Understanding Active Directory Domain Services (AD DS) Functional Levels
Functional levels determine the available Active Directory Domain Services (AD DS) domain or forest capabilities. They also determine which Windows Server operating systems you can run on domain controllers in the domain or forest. However, functional levels do not affect which operating systems you can run on workstations and member servers that are joined to the domain or forest.
Which, in a nutshell, means that you can run a pure 2003 domain and add a 2012 DC to it without the need to introduce an intermediary (as you stipulate).

-saige-
0
 
LVL 32

Expert Comment

by:it_saige
The way that you can verify membership is by checking the Enterprise Admins group in Active Directory Users and Computers to ensure that you, directly, or a group that you are a member of is enrolled in this group.  However, I don't think that Enterprise Admin membership applies here, but Schema Admins membership definitely does.  Actually, after reading over the ADPREP requirements, I find:
Make sure that you can log on to the schema master with an account that has sufficient credentials to run adprep /forestprep. You must be a member of the Schema Admins group, the Enterprise Admins group, and the Domain Admins group of the domain that hosts the schema master, which is, by default, the forest root domain.
Source

Another EE PAQ discusses this, and yes the original author did add an intermediary to solve the problem, however, another poster mentioned that they were able to resolve the error by modifying the Component Services on the 2003 DC.
I was able to fix by going into Component Services on 2003 server, right click 'my computer', properties, on 'default properties' tab 'enable distributed COM on this computer' was unchecked.  I checked it and reboot both servers, I was then able to promote the 2012 server to DC, adprep went thru with no issues.
EE PAQ 28168026

Another poster also mentions this article: http://www.kickassnetwork.net/?p=431

-saige-
0
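A pre-flight check for the two conditions raised in the reply above (membership of the three groups in the quoted ADPREP requirements, and the "Enable Distributed COM" setting on the 2003 DC), as an added example that is not part of any poster's reply. It assumes a single-domain forest, that it is run from an elevated session on the 2012 server, that the Remote Registry service is running on the 2003 DC, and `DC2003-PLACEHOLDER` stands in for that server's name.

```powershell
# Added example (not from the thread). Run elevated: a UAC-filtered token
# may not list privileged groups. $SchemaMaster is a placeholder host name.
param([string]$SchemaMaster = 'DC2003-PLACEHOLDER')

# Well-known relative IDs (RIDs) of the groups named in the ADPREP requirements.
# Assumption: single-domain forest, so all three live in the same domain.
$required = @{ 512 = 'Domain Admins'; 518 = 'Schema Admins'; 519 = 'Enterprise Admins' }

# Collect the RIDs of domain groups present in the current logon token.
# Group changes only show up after logging off and back on.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenRids = @()
foreach ($sid in $identity.Groups) {
    # Domain SIDs have the form S-1-5-21-<a>-<b>-<c>-<RID>
    if ($sid.Value -match '^S-1-5-21-\d+-\d+-\d+-(\d+)$') {
        $tokenRids += [int]$Matches[1]
    }
}

foreach ($rid in $required.Keys) {
    if ($tokenRids -contains $rid) {
        Write-Output ("OK       {0}" -f $required[$rid])
    } else {
        Write-Output ("MISSING  {0}" -f $required[$rid])
    }
}

# The Component Services checkbox "Enable Distributed COM on this computer"
# is stored as EnableDCOM (REG_SZ, 'Y' or 'N') under HKLM\SOFTWARE\Microsoft\Ole.
try {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $SchemaMaster)
    $ole  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Ole')
    $dcom = $ole.GetValue('EnableDCOM')
    $hklm.Close()
    Write-Output ("EnableDCOM on {0}: {1}" -f $SchemaMaster, $dcom)
    if ($dcom -ne 'Y') {
        Write-Output 'DCOM is disabled; enable it in Component Services and reboot before retrying.'
    }
} catch {
    Write-Output ("Could not read registry on {0}: {1}" -f $SchemaMaster, $_.Exception.Message)
}
```

Schema Admins and Enterprise Admins membership is only needed for the schema extension itself, so remove the account from both groups once the promotion has succeeded.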
 

Author Comment

by:dankyle67
I agree with what you are saying so will try correcting the schema and enterprise admin issue first and will reattempt from the 2012 server again and if it doesn't work I will run the adprep from the 2003 domain controller holding the fsmo roles. If it does work eventually, after transferring the fsmo roles from the 2003 server to the promoted 2012 domain controller, if I demote the remaining 3 2003 domain controllers, then could I raise the forest functional level to a higher level than the current 2003 level?
0
 
LVL 32

Expert Comment

by:it_saige
Once you have removed all 2003 DC's you can raise the forest/domain functional levels to the highest supported by your DC's.  In other words, if you have all 2012 DC's then you can raise the levels to Server 2012.  If, however, you have a 2008 DC, then your levels can only go as high as Server 2008.

Don't forget to check out the links with regards to Component Services and WMI.

-saige-
0
 

Author Comment

by:dankyle67
OK, sounds good, will give the whole process a try again tonight and hope it gets through.  Any idea why I wouldn't be able to remote desktop to the 2012 server even though I had enabled it and am using admin to log in?
0
 
LVL 32

Expert Comment

by:it_saige
Could be a variety of reasons.  RDP settings on the 2012 server, firewall settings on the 2012 server, network access rules on the domain, firewall settings on the local network, etc.

-saige-
0
 

Author Comment

by:dankyle67
OK, I'm here at the office, and so I had to copy the contents of the 2012 server DVD onto the hard drive of the 2003 server/domain controller, where I attempted to run adprep from the support folder, and it looks like adprep32 and adprep both don't work.  I was told that adprep will not run on 2003 server and must be run remotely from the 2012 server.  Is this correct?  If so, then I will have to correct that WMI error after all.
0
 
LVL 32

Expert Comment

by:it_saige
ADPREP can be run on the 2003 Server, but you are probably running the wrong one.  ADPREP is the 64-bit version and since your Windows 2003 Server is most likely the 32-bit version, you need to run ADPREP32.

Remember though, that ADPREP is exposing the WMI error.

-saige-
0
 

Author Comment

by:dankyle67
Hi again, OK, I was able to complete the domain controller role on the 2012 server using the roles wizard, and initially got an error about the schema master not completing a replication cycle after reboot, which I had done after checking the box on the 2003 server for components under computer management as you cited in your excerpt, so that cured the WMI issue without too much pain.  I then ran replication in Sites and Services on the 2003 server, and after that the prerequisites check ran without errors, and the message that the 2012 server was successfully promoted to a domain controller came up at the end, which was great.  Everything seems OK except that I cannot replicate the new 2012 server yet under Sites and Services, although it does show up as a domain controller.  I checked DNS and all the entries look the same as the ones on the 2003 server.  I will wait a week to make sure things are OK DNS-wise before making the 2012 server the primary DNS.  I think I probably have to wait a few more minutes or more before the 2012 will be able to replicate.  Aside from that, I think I'm almost home with this project thanks to all your help, including when you helped me in my previous question as well.
0
 

Author Comment

by:dankyle67
Just checked the new 2012 domain controller and now it was able to replicate with all the other domain controllers so all good.  Thanks again for all the help.
0
