Can't Raise Domain Functional Level

While trying to raise the domain functional level from 2008 R2 to 2012, I am receiving the following Error:

The functional level could not be raised.  The error is: The server is unwilling to process the request.

After doing some research, I found that this can be caused if you have objects in the LostAndFound container in Active Directory.  When looking inside this container, I see Domain System Volume (SYSVOL share), but the Last Known Parent is that of an old Win2k3 domain controller that no longer resides in the environment.

[Image: Active Directory Object in AD LostAndFound Container]
Though the parent is old, it just makes me nervous that it is referring to the SYSVOL share.  I have validated that our SYSVOL and NETLOGON shares are shared out correctly, so I don't know if it’s okay to just delete it, or if I should move it somewhere.

After trying to raise the domain functional level, I see the following warning in the event viewer:

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 3/29/2015 8:27:20 AM
Event ID: 2909
Task Category: Directory Access
Level: Warning
Keywords: Classic
User: DOMAIN\DomainAdmin


Active Directory Domain Services failed to update the functional level of the domain because the following Active Directory Domain Controller is at a lower functional level than the requested new functional level of the domain.

NTDS Settings object of Active Directory Domain Controller:
CN=NTDS Settings,CN=LostAndFoundConfig,CN=Configuration,DC=domain,DC=int

I decided to create an OU called Orphaned Objects and attempted to move the object from the LostAndFound OU into it.  I was then presented with the following error:

[Image: Error When Trying To Move LostAndFound Object]

I can find different resources for seeing this error when moving users around, but nothing about SYSVOL.  In Active Directory, I drilled down to System > File Replication Service > Domain System Volume (SYSVOL share) and I do see all of our current Domain Controllers as well as a bunch of other old domain controllers.  What is the appropriate way to remove all of the old DCs?
Scott Robb, Sr Systems Administrator, Asked:

DarinTCH, Senior CyberSecurity Engineer, Commented:
the best way to remove a DC is to demote it

if you can not or it is already gone - you will have to play with ADSIedit to perform some cleanup

see step 4 references
Scott Robb, Sr Systems Administrator, Author Commented:
Thank you for the feedback.  That particular DC was demoted many years ago, so I am not sure what this is all about.  I will take a look at your ADSIedit cleanup article.  I'll let you know how it goes.  Thank you very much for pointing me in the right direction.
Scott Robb, Sr Systems Administrator, Author Commented:
So the problem I am running into is since the old domain controller was demoted many years ago, it is not showing up in the list of servers.  I did go into ADSIedit though and do some poking around.  What I find interesting is if, in ADSIedit, you drill down to OU=Domain Controllers and then expand the first domain controller and then click on CN=NTFRS Subscriptions for the domain controller, you see a nTFRSSubscriber class object.  This is the exact same object that is in the LostAndFound folder.  There is just no associated domain controller in the OU=Domain Controllers container.  Does this make sense?  I am not sure if this means I can just delete it.  Again, it being SYSVOL related worries me a little, even though our SYSVOL and NETLOGON are currently intact.  Again, I really appreciate the feedback and info partner.

David Johnson, CD, MVP, Owner, Commented:
1. try repadmin /removelingeringobjects and see if this fixes it
2. if not it is probably safe to delete
DarinTCH, Senior CyberSecurity Engineer, Commented:
in general FRS is for system policy and logon scripts
plus file folders in older systems
so I don't see an issue with removing this from recycle if you have the correct version elsewhere

ps more info on FRS if desired

that being said - of course you should have a full backup before performing any changes right???

and I have had a similar issue where an object was still being referenced - and i could not go forward - and the said object was supposed to have been deleted
in the end i bit the bullet - deleted it again and successfully completed my task

as an additional question has any other DC been promoted.....ideally  to take the 'parent role'?
Scott Robb, Sr Systems Administrator, Author Commented:
So I finally figured out what our issue was and got it resolved last night.  Not only did we have orphaned objects in the ADUC LostAndFound container, we also had to clean out the LostAndFound container in ADSI Edit as well.  We had 9 other objects in ADSI Edit that weren't being shown in ADUC.  Once we got everything cleaned up, it promoted successfully.

As far as the extra domain controllers being referenced in the Domain System Volume container, since the computer accounts no longer resided in AD it was okay to just right-click, delete.

I appreciate everybody's feedback.  Using your recommendations made me a better technician, so thank you.  I hope that this post can help somebody else.

Scott Robb, Sr Systems Administrator, Author Commented:
Everybody's input ultimately helped to the resolution, but the root cause was caused by orphaned objects in ADUC and ADSI Edit.  Removing those objects is ultimately what resolved the issue I was experiencing.
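
The thread's resolution depended on finding orphaned objects that ADUC did not show, plus stale FRS member entries under the SYSVOL replica set. The following read-only PowerShell inventory is an added example, not code posted by any participant. It assumes the RSAT ActiveDirectory module and takes the container names from the event 2909 text and the System > File Replication Service path quoted in the question.

```powershell
# Read-only inventory: nothing here modifies or deletes directory objects.
# Assumption: RSAT ActiveDirectory module, run from a domain-joined session.
Import-Module ActiveDirectory

$root     = Get-ADRootDSE
$domainDN = $root.defaultNamingContext
$configDN = $root.configurationNamingContext

# Each naming context has its own lost-and-found container. ADUC shows only
# the domain one; event 2909 on this page points at LostAndFoundConfig.
$containers = @(
    "CN=LostAndFound,$domainDN",
    "CN=LostAndFoundConfig,$configDN"
)

$orphans = foreach ($base in $containers) {
    Get-ADObject -SearchBase $base -SearchScope Subtree -Filter * `
                 -Properties lastKnownParent, whenChanged |
        Where-Object { $_.DistinguishedName -ne $base } |   # skip the container itself
        Select-Object @{n='Container';e={$base}}, Name, ObjectClass,
                      lastKnownParent, whenChanged, DistinguishedName
}
$orphans | Sort-Object Container, whenChanged | Format-List

# FRS member objects under the SYSVOL replica set whose computer reference
# is empty or points at a computer object that no longer exists.
$frsBase = "CN=Domain System Volume (SYSVOL share)," +
           "CN=File Replication Service,CN=System,$domainDN"

$staleMembers = Get-ADObject -SearchBase $frsBase -SearchScope OneLevel `
                    -LDAPFilter '(objectClass=nTFRSMember)' `
                    -Properties frsComputerReference |
    Where-Object {
        $ref = $_.frsComputerReference
        if (-not $ref) { return $true }          # link cleared when the computer was deleted
        try {
            $null = Get-ADObject -Identity $ref -ErrorAction Stop
            $false                               # computer object still exists
        }
        catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            $true                                # reference is dangling
        }
    }
$staleMembers | Select-Object Name, frsComputerReference, DistinguishedName |
    Format-List
```

Review the output against the current list of domain controllers and take a backup before removing anything, as suggested earlier in the thread.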