asked on Can't Raise Domain Functional Level
While trying to raise the domain functional level from 2008 R2 to 2012, I am receiving the following Error:
The functional level could not be raised. The error is: The server is unwilling to process the request.
After doing some research, I found that this can be caused if you have objects in the LostAndFound container in Active Directory. When looking inside this container, I see Domain System Volume (SYSVOL share), but the Last Known Parent is that of an old Win2k3 domain controller that no longer resides in the environment.
![Active Directory Object in AD LostAndFound Container]()
Though the parent is old, it just makes me nervous that it is referring to the SYSVOL share. I have validated that our SYSVOL and NETLOGON shares are shared out correctly, so I don't know if it’s okay to just delete it, or if I should move it somewhere.
After trying to raise the domain functional level, I see the following warning in the event viewer:
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDi
Date: 3/29/2015 8:27:20 AM
Event ID: 2909
Task Category: Directory Access
Level: Warning
Keywords: Classic
User: DOMAIN\DomainAdmin
Computer: dc.domain.int
Description:
Active Directory Domain Services failed to update the functional level of the domain because the following Active Directory Domain Controller is at a lower functional level than the requested new functional level of the domain.
Object:
DC=domain,DC=int
NTDS Settings object of Active Directory Domain Controller:
CN=NTDS Settings,CN=LostAndFoundCo
I decided to create an OU called Orphaned Objects and attempted to move the object from the LostAndFound OU into it. I was then presented with the following error:
![Error When Trying To Move LostAndFound Object]()
I can find different resources for seeing this error when moving users around, but nothing about SYSVOL. In Active Directory, I drilled down to System > File Replication Service > Domain System Volume (SYSVOL share) and I do see all of our current Domain Controllers as well as a bunch of other old domain controllers. What is the appropriate way to remove all of the old DCs?
The functional level could not be raised. The error is: The server is unwilling to process the request.
After doing some research, I found that this can be caused if you have objects in the LostAndFound container in Active Directory. When looking inside this container, I see Domain System Volume (SYSVOL share), but the Last Known Parent is that of an old Win2k3 domain controller that no longer resides in the environment.
Though the parent is old, it just makes me nervous that it is referring to the SYSVOL share. I have validated that our SYSVOL and NETLOGON shares are shared out correctly, so I don't know if it’s okay to just delete it, or if I should move it somewhere.
After trying to raise the domain functional level, I see the following warning in the event viewer:
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDi
Date: 3/29/2015 8:27:20 AM
Event ID: 2909
Task Category: Directory Access
Level: Warning
Keywords: Classic
User: DOMAIN\DomainAdmin
Computer: dc.domain.int
Description:
Active Directory Domain Services failed to update the functional level of the domain because the following Active Directory Domain Controller is at a lower functional level than the requested new functional level of the domain.
Object:
DC=domain,DC=int
NTDS Settings object of Active Directory Domain Controller:
CN=NTDS Settings,CN=LostAndFoundCo
I decided to create an OU called Orphaned Objects and attempted to move the object from the LostAndFound OU into it. I was then presented with the following error:
I can find different resources for seeing this error when moving users around, but nothing about SYSVOL. In Active Directory, I drilled down to System > File Replication Service > Domain System Volume (SYSVOL share) and I do see all of our current Domain Controllers as well as a bunch of other old domain controllers. What is the appropriate way to remove all of the old DCs?
Active DirectoryWindows Server 2012
Last Comment
Scott Robb
ASKER
Thank you for the feedback. That particular DC was demoted many years ago, so I am not sure what this is all about. I will take a look at your ADSIedit cleanup article. I'll let you know how it goes. Thank you very much for pointing me in the right direction.
ASKER
So the problem I am running into is since the old domain controller was demoted many years ago, it is not showing up in the list of servers. I did go into ADSIedit though and do some poking around. What I find interesting is if, in ADSIedit, you drill down to OU=Domain Controllers and then expand the first domain controller and then click on CN=NTFRS Subscriptions for the domain controller, you see a nTFRSSubscriber class object. This is the exact same object that is in the LostAndFound folder. There is just no associated domain controller in the OU=Domain Controllers container. Does this make sense? I am not sure if this means I can just delete it. Again, it being SYSVOL related worries me a little, even though our SYSVOL and NETLOGON are currently intact. Again, I really appreciate the feedback and info partner.
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Everybody's input ultimately helped to the resolution, but the root cause was caused by orphaned objects in ADUC and ADSI Edit. Removing those objects is ultimately what resolved the issue I was experiencing.
http://support.microsoft.com/en-us/kb/216498
if you can not or it is already gone - you will have to play with ADSIedit to perform some cleanup
see step 4 references
http://support.microsoft.com/en-us/kb/216498