

Setting up server 2012 R2 standard within an existing 2003 domain

Posted on 2016-08-23
Medium Priority
Last Modified: 2016-08-30
Hi Experts,
I believe you guys might’ve had a handful of these queries.  
The client runs on a 2003 domain and requested that I assist them with the setup of a Windows Server 2012 DC. Server 2012 will replace one of their win2k3 servers in a different site and they requested for the new server to have the name.
The FSMO roles are hosted by one 2003 DC, and the following steps were taken:
- The domain functional level was raised from Windows Server 2000 to 2003 via ADUC and AD Domains and Trusts.
- On Server 2012, the AD Domain Services role was added.
The problem comes in when promoting this as a DC.
Error: the forest functional level is Windows 2000.
The client isn’t aware that they had older DCs in their domain, so whoever did their upgrade left some binaries behind.
On the 2003 DC, raising the forest functional level gives the following error: A referral was returned from the server.
Within ADUC, in the Domain Controllers OU, an old DC was removed, but I had to do this via ADSI Edit; this didn’t resolve the problem.
Within AD Sites and Services, there are DCs the client doesn’t know about or doesn’t use anymore.
When I force replication on them, they can’t be discovered. Event logs (Directory Services) show replication errors to these DCs:
The attempt to establish a replication link to a read-only directory partition with the following parameters failed.
One of the DCs can be pinged but not reached over RPC, so it cannot be connected to remotely.
When trying to delete these objects from AD sites and services, I get the following error:
DC contains objects representing domain controller and possibly other DC.  

So this DC must first be demoted, but it is not reachable and the client doesn’t know about it.
There are orphaned domains that would need to be removed from AD domain and trust too.  
I’ll continue troubleshooting, but your contribution will be highly appreciated
Question by: Schoemans

Assisted Solution

FOX earned 1000 total points
ID: 41766827
1. Run the command netdom query fsmo to verify where all the FSMO roles are sitting.
2. Any domain controllers that are not physically part of the domain but are still sitting in ADUC need to be cleaned out. Remove them from ADUC, check DNS (forward and reverse lookup zones) and remove them from there as well. Check AD Sites and Services, expand Servers and remove any servers that you know are not physically on the network anymore. Once you have deleted the servers from those areas and given a little time for the changes to replicate, verify in ADSI Edit whether they are still showing up; if so, delete them.
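Before deleting anything in those three places, it helps to have one list that says which DC objects are still real. The script below is an added example (mine, not FOX's commands) that audits the Domain Controllers OU and the server objects under AD Sites and Services and tests whether each one still answers RPC. It assumes the RSAT ActiveDirectory module on the 2012 server, an Enterprise Admin session, and the placeholder domain abc.local from the thread; it changes nothing.

```powershell
# Added example (not from the thread): audit every DC object before cleanup.
# Assumes RSAT ActiveDirectory module, Enterprise Admin session, domain abc.local.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$configNC = (Get-ADRootDSE).configurationNamingContext

# Computer objects in this domain's Domain Controllers OU.
$dcComputers = Get-ADComputer -SearchBase $domain.DomainControllersContainer -Filter *

# Server objects under AD Sites and Services. The configuration partition is
# forest-wide, so DCs of child domains (training.abc.local in the thread) show
# up here even though they are not in abc.local's Domain Controllers OU.
$siteServers = Get-ADObject -SearchBase "CN=Sites,$configNC" `
    -LDAPFilter '(objectClass=server)' -Properties dNSHostName, serverReference

$report = foreach ($srv in $siteServers) {
    # The NTDS Settings child is what makes the GUI refuse the delete
    # ("contains objects representing domain controllers").
    $ntds = Get-ADObject -SearchBase $srv.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter '(objectClass=nTDSDSA)' -ErrorAction SilentlyContinue

    # Ping proves nothing (the thread's .45 answered for a different box);
    # repadmin and ntdsutil need the RPC endpoint mapper on TCP/135.
    $rpc = $false
    if ($srv.dNSHostName) {
        $rpc = (Test-NetConnection -ComputerName $srv.dNSHostName -Port 135 `
            -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    [pscustomobject]@{
        Server       = $srv.Name
        Site         = (($srv.DistinguishedName -split ',')[2] -replace '^CN=')
        FQDN         = $srv.dNSHostName
        HasNTDS      = [bool]$ntds
        InThisDomain = ($dcComputers.Name -contains $srv.Name)
        ComputerRef  = $srv.serverReference      # which domain owns the account
        RpcReachable = $rpc
        ServerDN     = $srv.DistinguishedName
    }
}

$report | Sort-Object RpcReachable, Site | Format-Table -AutoSize

# Cleanup candidates: still carry an NTDS Settings object but no longer answer
# RPC. Confirm each with the client before handing the DN to metadata cleanup.
$report | Where-Object { $_.HasNTDS -and -not $_.RpcReachable } |
    Select-Object -ExpandProperty ServerDN
```

The ServerDN column is exactly the value a later ntdsutil "remove selected server" step needs, and the InThisDomain / ComputerRef columns separate abc.local's own stale DCs from the child-domain DCs the poster found later in the thread.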

Accepted Solution

saumik belel earned 1000 total points
ID: 41766887
Seize the FSMO roles & perform a metadata cleanup on Server 2012.

Kindly take a look at the below document, hope it helps.

Seizing FSMO Roles : https://www.petri.com/seizing_fsmo_roles

Delete Failed DCs from Active Directory : https://www.petri.com/delete_failed_dcs_from_ad
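A scripted form of both steps in this answer, added here as an example (these are not the answerer's commands or the petri.com articles' text). It assumes the 2012 server has already been promoted into abc.local under the placeholder name SRV2012, that the live 2003 DC is ABC.abc.local, and that the unreachable DC is TRAINING in the site Default-First-Site-Name; all three names are assumptions. One caveat a practitioner should keep in mind: when the current role holder is online, as the 2003 DC is in this thread, transfer the roles; -Force (seize) is for a holder that will never come back, and a seized holder must then be metadata-cleaned and never reconnected to the domain.

```powershell
# Added example (not from the thread). Placeholders: SRV2012 (new DC),
# ABC.abc.local (live 2003 DC), TRAINING (dead DC) in Default-First-Site-Name.
Import-Module ActiveDirectory

# Where the roles sit now; same information as "netdom query fsmo".
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

$roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

# Transfer: the holder is online and hands the roles over cleanly.
Move-ADDirectoryServerOperationMasterRole -Identity 'SRV2012' -OperationMasterRole $roles -Confirm:$false

# Seize: only when the holder is gone for good; -Force skips the handshake.
# Move-ADDirectoryServerOperationMasterRole -Identity 'SRV2012' -OperationMasterRole $roles -Force -Confirm:$false

# Metadata cleanup of a DC that can no longer be demoted. ntdsutil takes its
# menu commands as arguments, so the whole sequence is one non-interactive call.
$configNC = (Get-ADRootDSE).configurationNamingContext
$staleDN  = "CN=TRAINING,CN=Servers,CN=Default-First-Site-Name,CN=Sites,$configNC"
$liveDC   = 'ABC.abc.local'

# "remove selected server <serverDN> on <liveDC>" removes the NTDS Settings
# object, the DC's computer account and its FRS member object, on that DC.
& ntdsutil.exe 'metadata cleanup' "remove selected server $staleDN on $liveDC" quit quit

# Verify. The (now empty) server object may be left behind; delete it so the
# site lists only real DCs.
$serverObj = Get-ADObject -Identity $staleDN -ErrorAction SilentlyContinue
if ($serverObj) {
    $leftover = Get-ADObject -SearchBase $staleDN -SearchScope OneLevel -LDAPFilter '(objectClass=nTDSDSA)'
    if (-not $leftover) { Remove-ADObject -Identity $staleDN -Confirm:$false }
}

# The dead DC must no longer appear as a replication partner anywhere.
repadmin /showrepl $liveDC
```

Run it from the 2012 server, not the 2003 DC: the 2008-and-later ntdsutil is the one that also removes the computer account and FRS member object as part of "remove selected server".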

Assisted Solution

by:saumik belel
saumik belel earned 1000 total points
ID: 41766893
Additionally, remove stale entries from DNS and remove the IP address of the old server if it is configured on the NIC.
Keep the server's own IP address as the preferred DNS server on the NIC.
Check DNS errors on the new server by running dcdiag /test:dns.
Also run dcdiag /q to check for Active Directory errors.
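The DNS part of this answer is where stale DCs hide longest, because the SRV and GUID CNAME records for a dead server are never re-registered by anyone. The script below is an added example (mine, not the answerer's commands) that finds every record still naming the dead DC across the forest zone, a separately delegated _msdcs zone if one exists, and the reverse zones, removes them, repoints the NIC, and runs the two dcdiag checks. It assumes the DnsServer RSAT module on the 2012 server, zone abc.local hosted on ABC.abc.local, the dead DC "training" at 10.0.0.45 (the thread gives only ".45", the subnet is assumed), and placeholder addresses 10.0.0.10 for ABC and 10.0.0.20 for the 2012 server. On the NIC order, Microsoft's DC DNS-client guidance is a partner DC first and the server itself second; whichever order you choose, the dead server's address must not appear at all.

```powershell
# Added example (not from the thread). Placeholders: zone abc.local on
# ABC.abc.local (10.0.0.10), dead DC "training" at 10.0.0.45, this DC 10.0.0.20.
Import-Module DnsServer

$dnsSrv  = 'ABC.abc.local'
$zone    = 'abc.local'
$stale   = 'training'
$staleIP = '10.0.0.45'

# The forest zone, its _msdcs zone when delegated separately (both layouts
# occur in 2003-era domains), and every manually created reverse zone.
$zones = Get-DnsServerZone -ComputerName $dnsSrv | Where-Object {
    $_.ZoneName -eq $zone -or $_.ZoneName -eq "_msdcs.$zone" -or
    ($_.IsReverseLookupZone -and -not $_.IsAutoCreated)
}

$hits = foreach ($z in $zones) {
    Get-DnsServerResourceRecord -ComputerName $dnsSrv -ZoneName $z.ZoneName | Where-Object {
        $d = $_.RecordData
        ($_.HostName -ieq $stale) -or                                           # A/AAAA named after it
        ($_.RecordType -eq 'A'     -and "$($d.IPv4Address)" -eq $staleIP) -or   # anything else at its IP
        ($_.RecordType -eq 'SRV'   -and $d.DomainName    -like "$stale.*") -or  # _ldap/_kerberos/_gc targets
        ($_.RecordType -eq 'CNAME' -and $d.HostNameAlias -like "$stale.*") -or  # DSA GUID alias in _msdcs
        ($_.RecordType -eq 'NS'    -and $d.NameServer    -like "$stale.*") -or  # zone still lists it as NS
        ($_.RecordType -eq 'PTR'   -and $d.PtrDomainName -like "$stale.*")      # reverse zone
    } | ForEach-Object { [pscustomobject]@{ Zone = $z.ZoneName; Record = $_ } }
}

$hits | Format-Table Zone, @{n='Name'; e={$_.Record.HostName}}, @{n='Type'; e={$_.Record.RecordType}} -AutoSize

# Remove them. Live DCs re-register their own dynamic records; the NS and GUID
# CNAME entries of the dead server never come back by themselves.
foreach ($h in $hits) {
    Remove-DnsServerResourceRecord -ComputerName $dnsSrv -ZoneName $h.Zone -InputObject $h.Record -Force
}

# NIC: partner DC first, this server second, and the old server's address gone.
$nic = Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses '10.0.0.10', '10.0.0.20'
ipconfig /registerdns      # re-register this DC's own A and SRV records

dcdiag /test:dns /v        # every column of the summary should read PASS
dcdiag /q                  # quiet mode prints only failures
```

Review the table before the removal loop runs; an A record at the old address that belongs to a different host, like the .45 collision the poster describes later in the thread, should be corrected in DHCP rather than deleted here.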

Author Comment

ID: 41766950
Thanks for the replies... I'll check the links.

1. I did use this command to locate the FSMO roles, netdom query fsmo; no problem with that.
2. ADUC has been cleaned, but they cannot be removed from AD Sites and Services unless demoted, plus they also exist under AD Domains and Trusts, as domains that have been added.
Sorry for not updating; I saw that these servers are from different domains,
e.g. training.com and development.com, while the client's on ABC.com.
Thanx,  I'll check the other areas

@saumik belel,  thanx

Author Comment

ID: 41774531
dcdiag /test:dns

Summary of test results... note they have more than one DNS server.
DNS on the server with the FSMO roles looks fine; I'll call that DC ABC in this question.

None of the failures below relate to the domains we're trying to remove.
Failure 1: this is with the alternative DNS server (secondary).
Failure 2: fails to some root servers.

            1. DNS server: xxxx.xxxx.xxxx.xxxx (<name unavailable>)
               2 test failures on this DNS server
               This is not a valid DNS server. PTR record query for the xxxx.xxxx.xxxx.xxxx
7.in-addr.arpa. failed on the DNS server xxxx.xxxx.xxxx.xxxx
               Name resolution is not functional. _ldap._tcp.ABC.local. failed
on the DNS server xxxx.xxxx.xxxx.xxxx

            DNS server: xxxx.xxxx.xxxx.xxxx (d.root-servers.net.)
            DNS server: xxxx.xxxx.xxxx.xxxx (b.root-servers.net.)
            DNS server: xxxx.xxxx.xxxx.xxxx (l.root-servers.net.)
                   Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
            Domain: ABC.local
               ABC                     PASS WARN PASS PASS PASS PASS n/a

         ......................... ABC.local passed test DNS

With dcdiag /q:
there are some replication latency warnings. I've confirmed with the client and they said this server's off; it will be repaired at a later stage.
The last replication to it was in 2013.
DC failed test Kccevent

Author Comment

ID: 41774572
When trying to connect to these servers, error:
"DsBindW error 0x6ba (The RPC server is unavailable)"

So I can't connect to these DCs.

Under Domains and Trusts there are two trusted domains:
1. training.abc.local
2. dev_training.abc.local

But none of these exist anymore; the DCs I need to remove are from those domains.

Raising the forest functional level gives the error: "A referral was returned from the server".

dns records on the Main DC looks fine, no entries

I can ping the server in this domain  by name or IP, training.abc.local ( host-name training)
but when one tries to track this via DHCP console,  it's assigned to another machine,  same IP.

ipconfig /flushdns
ipconfig /displaydns

shows that  .45 IP belongs to training
but when you run ping -a to .45,  it returns a different device.

I'll continue to troubleshoot

Author Comment

ID: 41774896
I went the other route:
using ntdsutil, connect to the ABC DC, where binding succeeded;
list domains, which shows the list of all the domains within the forest.

I followed all the instructions on the link and managed to remove the development server,
but I still have problems with the training DC, as I get errors when I try to remove it (access denied).

I've used the following command too:
Type "set creds <domain name> <username> <password>" (without the quotation marks) and press ENTER.
This account is part of Schema Admins and Enterprise Admins, but I still get access denied:
"DsRemoveDsServerW error 0x5 (Access is denied)"

Is there a way to delete this from ADSIedit.msc?
meanwhile I'll continue troubleshooting

Author Comment

ID: 41775836
Thanks, lads.
I've managed to remove both servers first and then also removed the child domains.
I followed the links and it worked...
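The order the poster ended up with (dead DCs first, then the orphaned child domains, then the forest functional level) is the part worth keeping, so here it is scripted as an added example; it is not the poster's commands or the linked article's text. It assumes Enterprise Admin rights, the live DC ABC.abc.local, the orphaned domain names given in the thread, and that the ADSI Edit route the poster asked about (deleting the domain's crossRef object directly) is used in place of ntdsutil's "remove selected domain"; the script refuses to do that while any NTDS Settings object still claims the domain's partition, which is the state in which ntdsutil also fails.

```powershell
# Added example (not from the thread). Placeholders: live DC ABC.abc.local and
# the two orphaned child domains named in the thread.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$domainDN = (Get-ADDomain).DistinguishedName
$liveDC   = 'ABC.abc.local'
$orphans  = 'training.abc.local', 'dev_training.abc.local'

# What the forest still believes exists: every crossRef flagged as a domain
# (systemFlags bit 0x2). This is the list ntdsutil's "list domains" prints.
Get-ADObject -SearchBase "CN=Partitions,$configNC" -Properties nETBIOSName, dnsRoot, nCName `
    -LDAPFilter '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))' |
    Format-Table nETBIOSName, dnsRoot, nCName -AutoSize

foreach ($fqdn in $orphans) {
    $cr = Get-ADObject -SearchBase "CN=Partitions,$configNC" -Properties nCName `
        -LDAPFilter "(&(objectClass=crossRef)(dnsRoot=$fqdn))"
    if (-not $cr) { Write-Warning "no crossRef for $fqdn (already gone)"; continue }

    # Refuse while any DC still claims that partition as writable. Those server
    # objects need "remove selected server" first, which matches the poster's
    # experience that the servers had to go before the domains would.
    $nc  = $cr.nCName
    $dcs = Get-ADObject -SearchBase "CN=Sites,$configNC" `
        -LDAPFilter "(&(objectClass=nTDSDSA)(|(hasMasterNCs=$nc)(msDS-hasMasterNCs=$nc)))"
    if ($dcs) {
        Write-Warning "$fqdn still has NTDS Settings objects: $($dcs.DistinguishedName -join '; ')"
        continue
    }

    # ntdsutil's menu path for the same result: metadata cleanup -> connections ->
    # connect to server ABC.abc.local -> quit -> select operation target ->
    # list domains -> select domain <n> -> quit -> remove selected domain.
    # Deleting the crossRef directly is the ADSI Edit form of that last step.
    Remove-ADObject -Identity $cr.DistinguishedName -Confirm:$false

    # The entry in AD Domains and Trusts is a trustedDomain object in the parent
    # domain's System container; remove it so the dead child stops being listed.
    Get-ADObject -SearchBase "CN=System,$domainDN" `
        -LDAPFilter "(&(objectClass=trustedDomain)(trustPartner=$fqdn))" |
        Remove-ADObject -Confirm:$false
}

# Verify, then raise the forest level. "A referral was returned from the
# server" is what the raise produced in this thread while those crossRefs
# still pointed at domains with no DC left to answer for them.
Get-ADTrust -Filter * | Format-Table Name, Direction, IntraForest -AutoSize
(Get-ADForest).Domains
Set-ADForestMode -Identity (Get-ADForest) -ForestMode Windows2003Forest -Confirm:$false
(Get-ADForest).ForestMode
```

Run it against the 2003 DC that holds the Domain Naming Master role, or let the ActiveDirectory module locate it; crossRef changes are only accepted by that role holder, and removing objects a live DC still references is the fastest way to turn an orphaned domain into a lingering-object problem across the whole forest.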
