Setting up server 2012 R2 standard within an existing 2003 domain

Posted on 2016-08-23
Medium Priority
Last Modified: 2016-08-30
Hi Experts,
I believe you guys might've had a handful of these queries.
The client runs a 2003 domain and requested that I assist them with the setup of a Windows Server 2012 DC. Server 2012 will replace one of their Windows 2003 servers in a different site, and they requested that the new server keep the name.
The FSMO roles are hosted by one 2003 DC, and the following steps were taken:
- The domain functional level was raised from Windows Server 2000 to 2003 via ADUC and AD Domains and Trusts.
- On Server 2012, the AD Domain Services role was added.
The problem comes in when promoting this as a DC.
Error: the forest functional level is Windows 2000.
The client isn't aware that they had an older DC in their domain, so whoever did their upgrade left some binaries behind.
On the 2003 DC, raising the forest functional level gives the following error: A referral was returned from the server.
Within ADUC, in the Domain Controllers OU, an old DC was removed, but I had to do this via ADSI Edit; this didn't resolve the problem.
Within AD Sites and Services, there are DCs the client doesn't know about or doesn't use anymore.
When I force replication to them, they can't be discovered. The event logs (Directory Service) show replication errors to these DCs:
The attempt to establish a replication link to a read-only directory partition with the following parameters failed.
One of the DCs can be pinged but not via RPC, so it cannot be connected to remotely.
When trying to delete these objects from AD Sites and Services, I get the following error:
DC contains objects representing domain controllers and possibly other DCs.

So this DC must first be demoted, but it is not reachable and the client doesn't know about it.
There are orphaned domains that would need to be removed from AD Domains and Trusts too.
I'll continue troubleshooting, but your contribution will be highly appreciated.
Question by:Schoemans
LVL 17

Assisted Solution

FOX earned 1000 total points
ID: 41766827
1. Run the command "netdom query fsmo" to verify where all the FSMO roles are sitting.
2. Any domain controllers that are not physically part of the domain but are still sitting in ADUC need to be cleaned out. Remove them from ADUC, check DNS (forward and reverse lookup zones) and remove them from there as well. Check AD Sites and Services, expand Servers and remove any servers that you know are not physically on the network anymore. Once you have deleted the servers from those areas and given a little time for the changes to replicate, verify in ADSI Edit whether they are still showing up; if so, delete them.
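The audit below is an added example, not code from this answer or the thread. It is read-only: it prints the FSMO holders (the same facts "netdom query fsmo" reports, via the ActiveDirectory module) and then walks every server object under CN=Sites in the configuration partition, checking whether each one still has NTDS Settings, resolves in DNS, and answers on the RPC endpoint mapper and LDAP ports. Objects from a child domain that no longer exists still live in that partition, which is why ADUC alone never shows them. It assumes the RSAT ActiveDirectory module and the Resolve-DnsName/Test-NetConnection cmdlets (Windows 8 / Server 2012 or later).

```powershell
# Added example (not code from the original thread or its answers).
# Read-only audit of FSMO holders and of server objects under CN=Sites,
# flagging DCs that are still registered but no longer answer.
# Nothing here deletes anything.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

'FSMO role holders:'
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

'Forest functional level: ' + $forest.ForestMode
'Domain functional level: ' + $domain.DomainMode

# Every server object in the configuration partition. Objects left behind by
# a child domain that no longer exists are still here.
$configNC = (Get-ADRootDSE).configurationNamingContext
$servers  = Get-ADObject -SearchBase "CN=Sites,$configNC" `
                         -LDAPFilter '(objectClass=server)' `
                         -Properties dNSHostName, serverReference

$report = foreach ($srv in $servers) {
    # A server object is a DC only while it has an NTDS Settings child.
    $ntds = Get-ADObject -SearchBase $srv.DistinguishedName -SearchScope OneLevel `
                         -LDAPFilter '(objectClass=nTDSDSA)' -ErrorAction SilentlyContinue

    # DN shape: CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
    $site = (($srv.DistinguishedName -split ',')[2]) -replace '^CN=', ''
    $fqdn = $srv.dNSHostName

    $resolves = $false; $rpc = $false; $ldap = $false
    if ($fqdn) {
        $resolves = [bool](Resolve-DnsName $fqdn -ErrorAction SilentlyContinue)
        if ($resolves) {
            # RPC endpoint mapper (135) and LDAP (389). A host that answers
            # ping but neither of these matches the thread's
            # "RPC server is unavailable" symptom.
            $rpc  = (Test-NetConnection $fqdn -Port 135 -WarningAction SilentlyContinue).TcpTestSucceeded
            $ldap = (Test-NetConnection $fqdn -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
        }
    }

    [pscustomobject]@{
        Server           = $srv.Name
        Site             = $site
        DnsHostName      = $fqdn
        HasNtdsSettings  = [bool]$ntds
        DnsResolves      = $resolves
        RpcReachable     = $rpc
        LdapReachable    = $ldap
        # Still registered as a DC but not answering: the case metadata
        # cleanup exists for, once the owner confirms the machine is gone.
        CleanupCandidate = ([bool]$ntds) -and -not ($rpc -and $ldap)
    }
}

$report | Sort-Object CleanupCandidate -Descending | Format-Table -AutoSize
```

A server that shows HasNtdsSettings true with RpcReachable and LdapReachable false is the profile of the unknown DCs in the question; one that resolves but is unreachable matches the ping-but-no-RPC case. Confirm with the client that the hardware is really gone before acting on the CleanupCandidate column.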

Accepted Solution

saumik belel earned 1000 total points
ID: 41766887
Seize the FSMO roles & perform a metadata cleanup on Server 2012.

Kindly take a look at the documents below; hope they help.

Seizing FSMO Roles : https://www.petri.com/seizing_fsmo_roles

Delete Failed DCs from Active Directory : https://www.petri.com/delete_failed_dcs_from_ad
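The sequence below is an added example, not code from this answer or from the linked Petri articles. It shows the non-interactive ntdsutil form of metadata cleanup for a DC that will never return, how to list and remove the cross-ref of the orphaned child domain that DC belonged to, and the cmdlet that moves the FSMO roles to the new DC once it has been promoted. OLDDC, SiteName, abc.local and NEW2012DC are placeholders, not the thread's real names; "connect to server ABC" uses the asker's alias for the healthy 2003 DC. It assumes Enterprise Admin rights and ntdsutil from Server 2008 or later, which accepts the server DN directly.

```powershell
# Added example (not code from the thread or the linked Petri articles).
# Metadata cleanup of a dead DC, removal of its orphaned child domain, and
# moving the FSMO roles. All names below are placeholders.
Import-Module ActiveDirectory

# 1. Remove the dead DC's NTDS Settings by the DN of its server object.
#    ntdsutil executes its arguments in order, so this replaces the
#    interactive walk-through in the linked article.
$serverDN = 'CN=OLDDC,CN=Servers,CN=SiteName,CN=Sites,CN=Configuration,DC=abc,DC=local'
ntdsutil "metadata cleanup" "remove selected server $serverDN" quit quit

# 2. See which domain cross-refs the forest still carries. An orphaned child
#    domain stays here (and in AD Domains and Trusts) after its last DC is gone.
$configNC = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase "CN=Partitions,$configNC" -LDAPFilter '(objectClass=crossRef)' `
             -Properties nCName, dnsRoot, systemFlags |
    Where-Object { $_.systemFlags -band 2 } |   # FLAG_CR_NTDS_DOMAIN: domain partitions only
    Select-Object Name, dnsRoot, nCName | Format-Table -AutoSize

# 3. Remove the orphaned domain, but only after every one of its DCs has been
#    cleaned up in step 1. "list domains" prints a numbered list; run it
#    first, then put that number in place of <n> in the commented command.
ntdsutil "metadata cleanup" connections "connect to server ABC" quit `
         "select operation target" "list domains" quit quit quit
# ntdsutil "metadata cleanup" connections "connect to server ABC" quit `
#          "select operation target" "select domain <n>" quit "remove selected domain" quit quit

# 4. Move the five roles to the new DC after it has been promoted. Without
#    -Force this is a transfer, which is what applies while the 2003 holder
#    is still online; -Force seizes, and belongs only to a holder that is
#    permanently gone and has already been metadata-cleaned as in step 1.
Move-ADDirectoryServerOperationMasterRole -Identity 'NEW2012DC' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# Confirm the move and the functional levels afterwards.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster, ForestMode
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster, DomainMode
```

Step 3 must follow step 1 for every DC of the child domain, otherwise ntdsutil refuses the domain removal because server objects still reference it. If a removal is refused with access denied, as the asker later reports, check that the account used is an Enterprise Admin in the forest root and that the connection is to a writable DC of that domain.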

Assisted Solution

saumik belel earned 1000 total points
ID: 41766893
Additionally, remove stale entries from DNS and remove the IP address of the old server if it is configured on the NIC.
Keep the server's own IP address as the preferred DNS server on the NIC.
Check DNS errors on the new server by running dcdiag /test:dns.
Also run dcdiag /q to check for Active Directory errors.
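The script below is an added example, not code from this answer. It finds the DNS records that still reference a decommissioned DC by name or address across the forward zone, the _msdcs zone (a separate zone on 2003-era domains) and every reverse zone on the server, keeps deletion as a dry run until -WhatIf is removed, shows what the NIC's DNS client points at, and finishes with the two dcdiag checks the answer names. It assumes the RSAT DnsServer and DnsClient modules (Server 2012 or later); the zone, host name and addresses are placeholders, with 192.0.2.0/24 being the documentation range.

```powershell
# Added example (not from the thread). Stale DNS records left by a removed DC,
# NIC DNS client settings, and the dcdiag checks. Values are placeholders.
Import-Module DnsServer

$zone  = 'abc.local'
$oldDC = 'olddc'                    # short host name of the removed DC
$oldIP = [ipaddress]'192.0.2.45'    # address it used to own

function Get-StaleDcRecord {
    param([string]$ZoneName, [string]$HostName, [ipaddress]$Address)
    Get-DnsServerResourceRecord -ZoneName $ZoneName -ErrorAction SilentlyContinue |
      ForEach-Object {
        $d = $_.RecordData
        # The field that names a host differs by record type.
        $target = switch ($_.RecordType) {
            'A'     { $d.IPv4Address.ToString() }
            'SRV'   { $d.DomainName }       # _ldap/_kerberos/_gc service targets
            'NS'    { $d.NameServer }
            'CNAME' { $d.HostNameAlias }    # the <dsa-guid>._msdcs alias
            'PTR'   { $d.PtrDomainName }
            default { $null }
        }
        $isStale = ($_.RecordType -eq 'A' -and $target -eq $Address.ToString()) -or
                   ($_.RecordType -ne 'A' -and $target -like "$HostName.*")
        if ($isStale) {
            [pscustomobject]@{
                Zone = $ZoneName; Name = $_.HostName; Type = $_.RecordType
                Target = $target; Record = $_
            }
        }
      }
}

# Forward zone, the _msdcs zone (separate on 2003-era domains) and every
# reverse zone hosted on this server.
$zones = @($zone, "_msdcs.$zone") +
         (Get-DnsServerZone | Where-Object IsReverseLookupZone | Select-Object -ExpandProperty ZoneName)
$stale = foreach ($z in $zones) { Get-StaleDcRecord -ZoneName $z -HostName $oldDC -Address $oldIP }
$stale | Select-Object Zone, Name, Type, Target | Format-Table -AutoSize

# Deletion stays a dry run until -WhatIf is removed. Do this only after the DC
# has been metadata-cleaned; a DC that is merely powered off but still in AD
# will re-register its records through netlogon when it comes back.
foreach ($s in $stale) {
    Remove-DnsServerResourceRecord -ZoneName $s.Zone -InputObject $s.Record -Force -WhatIf
}

# NIC DNS client settings: the answer's advice is the server's own address
# first, another DC second, and no address of the retired server at all.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    Select-Object InterfaceAlias, ServerAddresses
# Example fix for an adapter called "Ethernet" (placeholder addresses):
# Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '192.0.2.10','192.0.2.11'

# The two checks from the answer: the DNS tests, and a quiet run that prints
# only failures (KccEvent, replication latency and the like).
dcdiag /test:dns
dcdiag /q
```

The SRV and CNAME matches matter most: a stale _ldap._tcp or _kerberos._tcp record keeps sending clients to a DC that no longer exists, which is exactly what the "Name resolution is not functional" line in dcdiag /test:dns output reports against an unreachable server.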

Author Comment

ID: 41766950
Thanks for the replies... I'll check the links.

1. I did use this command to locate the FSMO roles, netdom query fsmo, no problem with that.
2. ADUC has been cleaned, but they cannot be removed from AD Sites and Services unless demoted; plus they also exist under AD Domains and Trusts, as domains that have been added.
Sorry for not updating; I saw that these servers are from different domains,
e.g. training.com and development.com, while the client's on ABC.com.
Thanks, I'll check the other areas.

@saumik belel, thanks.

Author Comment

ID: 41774531
dcdiag /test:dns

Summary of test results... note they have more than one DNS server.
DNS on the server with the FSMO roles looks fine; I'll call that DC ABC in this question.

None of the failures below relates to the domains we're trying to remove.
Failure 1: this is with the alternative (secondary) DNS server.
Failure 2: fails to some root servers.

            1. DNS server: xxxx.xxxx.xxxx.xxxx (<name unavailable>)
               2 test failures on this DNS server
               This is not a valid DNS server. PTR record query for the xxxx.xxxx.xxxx.xxxx
7.in-addr.arpa. failed on the DNS server xxxx.xxxx.xxxx.xxxx
               Name resolution is not functional. _ldap._tcp.ABC.local. failed
on the DNS server xxxx.xxxx.xxxx.xxxx

            DNS server: xxxx.xxxx.xxxx.xxxx (d.root-servers.net.)
            DNS server: xxxx.xxxx.xxxx.xxxx (b.root-servers.net.)
            DNS server: xxxx.xxxx.xxxx.xxxx (l.root-servers.net.)
                   Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
            Domain: ABC.local
               ABC                     PASS WARN PASS PASS PASS PASS n/a

         ......................... ABC.local passed test DNS

With dcdiag /q
there are some replication latency warnings. I've confirmed with the client, and they said this server's off; it will be repaired at a later stage.
The last replication to it was in 2013.
DC failed test KccEvent.

Author Comment

ID: 41774572
When trying to connect to these servers, error:
"DsBindW error 0x6ba (The RPC server is unavailable)"

So I can't connect to these DCs.

Under Domains and Trusts
there are two trusted domains:
1. training.abc.local
2. dev_training.abc.local

But none of these exist anymore; the DCs I need to remove are from those domains.

Raising the forest functional level error: "A referral was returned from the server"

DNS records on the main DC look fine, no entries.

I can ping the server in this domain by name or IP, training.abc.local (host name training),
but when one tries to track this via the DHCP console, it's assigned to another machine with the same IP.

ipconfig /flushdns
ipconfig /displaydns

show that the .45 IP belongs to training,
but when you run ping -a on .45, it returns a different device.

I'll continue to troubleshoot

Author Comment

ID: 41774896
I went the other route,
using NTDSutil: connect to the ABC DC, where binding succeeded;
list domains, which shows the list of all the domains within the forest.

Followed all the instructions in the link and managed to remove the development server;
still have problems with the training DC, as I get errors when I try to remove it (access denied).

I've used the following command too:
Type "set creds <domain name> <username> <password>" (without the quotation marks) and press ENTER,
where this account is part of Schema Admins and Enterprise Admins, but I still get access denied.
"DsRemoveDsServerW error 0x5 (Access is denied)"

Is there a way to delete this from ADSI Edit (adsiedit.msc)?
Meanwhile I'll continue troubleshooting.

Author Comment

ID: 41775836
Thanks lads,
I've managed to remove both servers first and then also removed the child domains.
Followed the links and it worked...
