Solved

Setting up server 2012 R2 standard within an existing 2003 domain

Posted on 2016-08-23
Last Modified: 2016-08-30
Hi Experts,
I believe you guys might've had a handful of these queries.
The client runs on a 2003 domain and requested that I assist them with the setup of a Windows Server 2012 DC. Server 2012 will replace one of their Windows 2003 servers in a different site, and they requested that the new server keep the name.
The FSMO roles are hosted by one 2003 DC, and the following steps were taken:
- The domain functional level was raised from Windows Server 2000 to 2003 via ADUC and AD Domains and Trusts.
- On Server 2012, the AD Domain Services role was added.
The problem comes in when promoting this as a DC:
Error: the forest functional level is Windows 2000
The client isn't aware that they had older DCs in their domain, so whoever did their upgrade left some binaries behind.
On the 2003 DC, raising the forest functional level gives the following error: A referral was returned from the server
Within ADUC, in the Domain Controllers OU, an old DC was removed, but I had to do this via ADSI Edit; this didn't resolve the problem.
Within AD Sites and Services, there are DCs the client doesn't know about or doesn't use anymore.
When I force replication on them, they can't be discovered. Event logs (Directory Services) show replication errors to these DCs:
The attempt to establish a replication link to a read-only directory partition with the following parameters failed.
One of the DCs can be pinged but there is no RPC, so it cannot be connected to remotely.
When trying to delete these objects from AD Sites and Services, I get the following error:
DC contains objects representing domain controller and possibly other DC.

So this DC must first be demoted, but it is not reachable and the client doesn't know about them.
There are orphaned domains that would need to be removed from AD Domains and Trusts too.
I'll continue troubleshooting, but your contribution will be highly appreciated.
Question by: Schoemans
8 Comments
 
LVL 16

Assisted Solution

by:FOX
FOX earned 250 total points
ID: 41766827
1. Run the command netdom query fsmo to verify where all the FSMO roles are sitting.
2. Any domain controllers that are not physically part of the domain but are still sitting in ADUC need to be cleaned out. Remove them from ADUC, check DNS (forward and reverse lookups) and remove them from there as well. Check AD Sites and Services, expand Servers and remove any servers that you know are not physically on the network anymore. Once you have deleted the servers from those areas and given a little time for the changes to replicate, verify in ADSIEdit whether they are still showing up; if so, delete them.
 
LVL 1

Accepted Solution

by:
saumik belel earned 250 total points
ID: 41766887
Seize the FSMO roles & perform a metadata cleanup on Server 2012.

Kindly take a look at the below document, hope it helps.

Seizing FSMO Roles : https://www.petri.com/seizing_fsmo_roles

Delete Failed DCs from Active Directory : https://www.petri.com/delete_failed_dcs_from_ad
 
LVL 1

Assisted Solution

by:saumik belel
saumik belel earned 250 total points
ID: 41766893
Additionally, remove stale entries from the DNS and remove the IP address of the old server if it is configured on the NIC card.
Keep the server's own IP address as Preferred DNS on the NIC card.
Check DNS errors on the new server by running dcdiag /test:dns.
Also run the dcdiag /q command to check Active Directory errors.
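The two answers above amount to one pre-cleanup inventory: find the FSMO holders (netdom query fsmo), list every DC object that AD Sites and Services still knows about, work out which of them are actually reachable, and look for stale DNS entries that still advertise dead DCs. The script below is an added example that does that inventory from the new 2012 DC in PowerShell; it is not code from the thread or from the linked Petri articles. It assumes the RSAT ActiveDirectory module is installed (it is, once the AD DS role is added), that the account running it can read the Configuration partition, and that TCP 135 (RPC endpoint mapper) and 389 (LDAP) are a fair test of "this DC is alive"; a server that answers neither is the kind of object that needs metadata cleanup rather than a normal demotion.

```powershell
# Added example (not from the thread): pre-cleanup inventory of FSMO holders,
# DC objects in Sites and Services, their reachability, and stale DNS SRV records.
# Assumes the RSAT ActiveDirectory module and read access to the Configuration NC.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$domain   = Get-ADDomain
$configNC = (Get-ADRootDSE).configurationNamingContext

Write-Host "Forest functional level : $($forest.ForestMode)"
Write-Host "Domain functional level : $($domain.DomainMode)"

# FSMO role holders: the same information 'netdom query fsmo' prints
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Every NTDS Settings object under CN=Sites is a DC as far as AD is concerned,
# including servers that were switched off years ago and never demoted.
$ntds = Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter "(objectClass=nTDSDSA)"

$report = foreach ($n in $ntds) {
    $serverDn = ($n.DistinguishedName -split ',', 2)[1]        # parent = server object
    $server   = Get-ADObject -Identity $serverDn -Properties dNSHostName
    $site     = (($serverDn -split ',')[2]) -replace '^CN=', ''  # CN=<site>,CN=Sites,...
    $fqdn     = $server.dNSHostName
    $rpc = $ldap = $false
    if ($fqdn) {
        $rpc  = (Test-NetConnection -ComputerName $fqdn -Port 135 -WarningAction SilentlyContinue).TcpTestSucceeded
        $ldap = (Test-NetConnection -ComputerName $fqdn -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    [pscustomobject]@{
        Site             = $site
        Server           = $server.Name
        DnsName          = $fqdn
        RpcOpen          = $rpc
        LdapOpen         = $ldap
        # Unreachable on both ports: cannot be demoted normally, needs metadata cleanup
        CleanupCandidate = (-not $rpc -and -not $ldap)
    }
}
$report | Format-Table -AutoSize

# Stale DNS: SRV records that still advertise a DC which is not reachable over LDAP.
# These are the "stale entries" to remove from DNS after the metadata cleanup.
$live = $report | Where-Object { $_.LdapOpen -and $_.DnsName } |
        ForEach-Object { $_.DnsName.ToLower() }
$srv  = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" -Type SRV -ErrorAction SilentlyContinue
$srv | Where-Object { $_.NameTarget -and ($live -notcontains $_.NameTarget.TrimEnd('.').ToLower()) } |
    Select-Object Name, NameTarget, Port
```

Run it before touching anything and keep the output: the CleanupCandidate column is the list to take into ntdsutil (or ADSI Edit), and the final SRV list is what to prune from the _msdcs zone afterwards. Re-running it after cleanup, together with dcdiag /test:dns and dcdiag /q as suggested above, shows whether the forest now has only live DCs.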
 

Author Comment

by:Schoemans
ID: 41766950
thanx for the replies.... I'll check the links

@Foxluv,
1. I did use this command to locate the FSMO:
   netdom query fsmo, no problem with that
2. ADUC has been cleaned, but they cannot be removed from AD Sites and Services unless demoted; plus they also exist under AD Domains and Trusts, as domains that have been added.
Sorry for not updating; I saw that these servers are from different domains,
e.g. training.com and development.com, while the client's on ABC.com.
Thanx, I'll check the other areas.

@saumik belel, thanx
 

Author Comment

by:Schoemans
ID: 41774531
dcdiag /test:dns

Summary of test results... note they have more than one DNS server.
DNS on the server with the FSMO roles looks fine; I'll call that DC ABC in this question.

None of the failures below relates to the domains we are trying to remove:
failure 1: this is with the alternative DNS server (secondary)
failure 2: fails to some root servers
            1. DNS server: xxxx.xxxx.xxxx.xxxx (<name unavailable>)
               2 test failures on this DNS server
               This is not a valid DNS server. PTR record query for the xxxx.xxxx.xxxx.xxxx
7.in-addr.arpa. failed on the DNS server xxxx.xxxx.xxxx.xxxx
               Name resolution is not functional. _ldap._tcp.ABC.local. failed
on the DNS server xxxx.xxxx.xxxx.xxxx

            DNS server: xxxx.xxxx.xxxx.xxxx (d.root-servers.net.)
            DNS server: xxxx.xxxx.xxxx.xxxx (b.root-servers.net.)
            DNS server: xxxx.xxxx.xxxx.xxxx (l.root-servers.net.)
                   Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: ABC.local
               ABC                     PASS WARN PASS PASS PASS PASS n/a

         ......................... ABC.local passed test DNS

With dcdiag /q
there are some replication latency warnings. I've confirmed with the client and they said this server's off; it will be repaired at a later stage.
The last replication to it was in 2013.
DC failed test Kccevent
 

Author Comment

by:Schoemans
ID: 41774572
ntdsutil:
When trying to connect to these servers, error:
"DeBindW error 0x6ba ( the RPC server is unavailable "

So I can't connect to these DCs.

Under Domains and Trusts
there are two trusted domains:
1. training.abc.local
2. dev_training.abc.local

But none of these exist anymore; the DCs I need to remove are from those domains.

Raising the forest functional level gives the error: " A referral was returned from the server

DNS records on the main DC look fine, no entries.

I can ping the server in this domain by name or IP, training.abc.local (host name training),
but when one tries to track this via the DHCP console, it's assigned to another machine, same IP.

ipconfig /flushdns
ipconfig /displaydns

shows that the .45 IP belongs to training,
but when you run ping -a to .45, it returns a different device.

I'll continue to troubleshoot.
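What the poster is running into here is that the forest still carries domain partitions (training.abc.local, dev_training.abc.local) whose only DCs are gone, so binding to them over RPC fails and the trusts still show up in AD Domains and Trusts. The script below is an added example, not code from the thread or from the Petri articles, that produces the same list ntdsutil gives for "list domains" but from PowerShell, and for each domain partition works out how many DCs claim a writable copy and how many of those still answer LDAP. It assumes the RSAT ActiveDirectory module on the 2012 DC, an account that can read the Configuration partition, and that the forest schema carries the msDS-hasMasterNCs attribute (present from the Windows Server 2003 schema onward). A partition with zero reachable DCs is an orphaned domain: the object to remove with ntdsutil's "remove selected domain" once its DC metadata is gone.

```powershell
# Added example (not from the thread): list every domain partition the forest
# still knows about (what ntdsutil 'list domains' shows) and whether any DC
# holding it is still reachable, then list the trust objects left behind.
# Assumes RSAT ActiveDirectory module; read access to the Configuration NC;
# msDS-hasMasterNCs in the schema (Windows Server 2003 schema or later).
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$FLAG_CR_NTDS_DOMAIN = 2   # systemFlags bit on crossRefs that describe domain (not application) partitions

# crossRef objects in CN=Partitions describe every naming context in the forest
$domainRefs = Get-ADObject -SearchBase "CN=Partitions,$configNC" -LDAPFilter "(objectClass=crossRef)" `
                  -Properties nCName, dnsRoot, systemFlags |
              Where-Object { ($_.systemFlags -band $FLAG_CR_NTDS_DOMAIN) -ne 0 }

# NTDS Settings objects, each with the list of writable NCs that DC holds
$dsas = Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter "(objectClass=nTDSDSA)" `
            -Properties 'msDS-hasMasterNCs'

function Get-DomainPartitionReport {
    foreach ($ref in $domainRefs) {
        # DCs that hold a writable copy of this domain partition
        $holders = $dsas | Where-Object { $_.'msDS-hasMasterNCs' -contains $ref.nCName }
        $names = foreach ($h in $holders) {
            $serverDn = ($h.DistinguishedName -split ',', 2)[1]   # parent server object
            (Get-ADObject -Identity $serverDn -Properties dNSHostName).dNSHostName
        }
        $reachable = @($names | Where-Object {
            $_ -and ((Test-NetConnection -ComputerName $_ -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded)
        })
        [pscustomobject]@{
            DnsRoot      = ($ref.dnsRoot -join ',')
            Partition    = $ref.nCName
            DCsListed    = @($names).Count
            DCsReachable = $reachable.Count
            # No live DC holds this partition: orphaned child domain, to be removed
            # with ntdsutil after its DC metadata has been cleaned up
            Orphaned     = ($reachable.Count -eq 0)
        }
    }
}

Get-DomainPartitionReport | Format-Table -AutoSize

# Trusts defined in the current domain (what AD Domains and Trusts displays).
# A trust whose Target is one of the orphaned DnsRoots above is left over from the dead domain.
Get-ADTrust -Filter * | Select-Object Name, Target, Direction, TrustType
```

The Orphaned column is the decision point: for a domain listed there, no amount of "set creds" will let ntdsutil bind to a DC that no longer exists, and the order that worked in this thread (remove the dead DC objects first, then the child domain partition) is the one to follow. Re-run after each step; the partition should disappear from the list and the matching trust can then be removed from AD Domains and Trusts.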
 

Author Comment

by:Schoemans
ID: 41774896
I went the other route:
using ntdsutil, connect to the ABC DC, where binding succeeded;
list domains: which shows the list of all the domains within the forest.

Followed all the instructions on the link and managed to remove the development server,
but still have problems with the training DC, as I get errors when I try to remove it... (access denied)

I've used the following command too:
 Type "set creds <domain name> <username> <password>" (without the quotation marks) and press ENTER.
This account is part of the Schema Admins and Enterprise Admins, but I still get access denied.
Error:
"DSremoveDeServerW error 0x5 ( Access is denied)"

Is there a way to delete this from ADSIedit.msc?
Meanwhile I'll continue troubleshooting.
 

Author Comment

by:Schoemans
ID: 41775836
thanx lads,
I've managed to remove both servers first and then also removed the child domains.
Followed the links and it worked...