Setting up server 2012 R2 standard within an existing 2003 domain

Posted on 2016-08-23
Last Modified: 2016-08-30
Hi Experts,
I believe you guys might have had a handful of these queries.
The client runs a 2003 domain and requested that I assist them with the setup of a Windows Server 2012 DC. Server 2012 will replace one of their Windows 2003 servers in a different site, and they requested that the new server have the same name.
The FSMO roles are hosted by one 2003 DC, and the following steps were taken:
-       The domain functional level was raised from Windows Server 2000 to 2003 via ADUC and AD Domains and Trusts.
-       On Server 2012, the AD Domain Services role was added.
The problem comes in when promoting this as a DC.
Error: the forest functional level is Windows 2000.
The client isn't aware that they had older DCs in their domain, so whoever did their upgrade left some binaries behind.
On the 2003 DC, raising the forest functional level gives the following error: "A referral was returned from the server".
Within ADUC, in the Domain Controllers OU, an old DC was removed, but I had to do this via ADSI Edit; this didn't resolve the problem.
Within AD Sites and Services there are DCs the client doesn't know about or doesn't use anymore.
When I force replication to them, they can't be discovered. The event logs (Directory Services) show replication errors to these DCs:
"The attempt to establish a replication link to a read-only directory partition with the following parameters failed."
One of the DCs can be pinged but has no RPC, so it cannot be connected to remotely.
When trying to delete these objects from AD Sites and Services, I get the following error:
"DC contains objects representing domain controller and possibly other DC."

So this DC must first be demoted, but it is not reachable and the client doesn't know about it.
There are orphaned domains that would need to be removed from AD Domains and Trusts too.
I’ll continue troubleshooting, but your contribution will be highly appreciated
Question by: Schoemans
Assisted Solution

FOX earned 1000 total points
ID: 41766827
1. Run the command netdom query fsmo to verify where all the FSMO roles are sitting.
2. Any domain controllers that are not physically part of the domain but are still sitting in ADUC need to be cleaned out. Remove them from ADUC, check DNS (forward and reverse lookup zones) and remove them from there as well. Check AD Sites and Services, expand Servers and remove any servers that you know are no longer physically on the network. Once you have deleted the servers from those areas and given the changes a little time to replicate, verify in ADSI Edit whether they are still showing up; if so, delete them.
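The inventory step in the answer above, as an added example (not code from the thread or from either answerer): it reads the FSMO holders, the domains the forest still knows about, and every DC object under Sites, and probes each DC on LDAP 389 and RPC 135. It deliberately uses System.DirectoryServices over LDAP rather than the ActiveDirectory module, because that module needs ADWS (or the AD Management Gateway Service) on the target DC and a plain Windows Server 2003 DC has neither. The forest name abc.local and all server names are hypothetical; run it as an Enterprise Admin from any domain member.

```powershell
# Added example, not part of the thread. Read-only: it reports, it does not delete.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainNC = [string]$rootDse.defaultNamingContext.Value
$configNC = [string]$rootDse.configurationNamingContext.Value
$schemaNC = [string]$rootDse.schemaNamingContext.Value

# fSMORoleOwner holds the DN of the holder's "NTDS Settings" object; strip that
# RDN to reach the server object and read its dNSHostName.
function Resolve-RoleOwner([string]$NtdsSettingsDn) {
    $serverDn = $NtdsSettingsDn -replace '^CN=NTDS Settings,', ''
    try {
        $server = [ADSI]"LDAP://$serverDn"
        if ($server.dNSHostName.Value) { return [string]$server.dNSHostName.Value }
        return "$serverDn (server object without dNSHostName: stale holder)"
    } catch {
        return "$NtdsSettingsDn (cannot bind: holder object deleted or stale)"
    }
}

# Same information as 'netdom query fsmo', read straight from the naming contexts.
function Get-FsmoOwners {
    $ridDn = "CN=RID Manager`$,CN=System,$domainNC"
    return [ordered]@{
        SchemaMaster         = Resolve-RoleOwner ([ADSI]"LDAP://$schemaNC").fSMORoleOwner.Value
        DomainNamingMaster   = Resolve-RoleOwner ([ADSI]"LDAP://CN=Partitions,$configNC").fSMORoleOwner.Value
        PDCEmulator          = Resolve-RoleOwner ([ADSI]"LDAP://$domainNC").fSMORoleOwner.Value
        RIDMaster            = Resolve-RoleOwner ([ADSI]"LDAP://$ridDn").fSMORoleOwner.Value
        InfrastructureMaster = Resolve-RoleOwner ([ADSI]"LDAP://CN=Infrastructure,$domainNC").fSMORoleOwner.Value
    }
}

# Every domain the Partitions container still lists (what ntdsutil 'list domains'
# shows). The forest level can only be raised once every domain listed here is at
# the required domain level, and a domain with no reachable DC cannot be checked.
function Get-ForestDomains {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://CN=Partitions,$configNC"
    $s.Filter = '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
    [void]$s.PropertiesToLoad.AddRange([string[]]@('nCName', 'dnsRoot'))
    foreach ($r in $s.FindAll()) {
        [pscustomobject]@{
            DnsRoot       = [string]$r.Properties['dnsroot'][0]
            NamingContext = [string]$r.Properties['ncname'][0]
        }
    }
}

# TCP connect with a timeout; a DC that answers ping but not 135/389 looks exactly
# like the "RPC server is unavailable" case in the question.
function Test-TcpPort([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# Server objects under CN=Sites. One that still has an "NTDS Settings" child is a
# replication partner the KCC keeps trying; if its host answers on neither port it
# is a candidate for metadata cleanup, not for demotion.
function Get-DcInventory {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNC"
    $s.Filter   = '(objectClass=server)'
    $s.PageSize = 500
    [void]$s.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'dNSHostName'))
    foreach ($r in $s.FindAll()) {
        $dn   = [string]$r.Properties['distinguishedname'][0]
        $fqdn = if ($r.Properties['dnshostname'].Count) { [string]$r.Properties['dnshostname'][0] } else { $null }
        $hasNtds = [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://CN=NTDS Settings,$dn")
        $ldapUp = $false; $rpcUp = $false
        if ($fqdn) { $ldapUp = Test-TcpPort $fqdn 389; $rpcUp = Test-TcpPort $fqdn 135 }
        $assessment = if (-not $hasNtds) { 'server object only: delete in Sites and Services' }
                      elseif ($ldapUp -and $rpcUp) { 'live DC' }
                      else { 'DC metadata with no reachable host: metadata cleanup' }
        [pscustomobject]@{
            Site = ($dn -split ',')[2] -replace '^CN=', ''; Server = $dn; DnsHostName = $fqdn
            NtdsSettings = $hasNtds; Ldap389 = $ldapUp; Rpc135 = $rpcUp; Assessment = $assessment
        }
    }
}

'FSMO role holders:';                 Get-FsmoOwners   | Format-Table -AutoSize
'Forest functional level (0 = 2000, 2 = 2003): ' + $rootDse.forestFunctionality.Value
'Domains in the Partitions container:'; Get-ForestDomains | Format-Table -AutoSize
'Domain controller objects:';          Get-DcInventory   | Format-Table -AutoSize
```

Anything reported as "DC metadata with no reachable host" is what the later answers handle with ntdsutil; a row whose DnsHostName sits in a domain listed by Get-ForestDomains but missing from the trusts you can actually reach is the orphaned-child-domain case the question describes.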

Accepted Solution

saumik belel earned 1000 total points
ID: 41766887
Seize the FSMO roles & perform a metadata cleanup on Server 2012.

Kindly take a look at the below document, hope it helps.

Seizing FSMO Roles : https://www.petri.com/seizing_fsmo_roles

Delete Failed DCs from Active Directory : https://www.petri.com/delete_failed_dcs_from_ad
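The cleanup recommended in this answer, driven from PowerShell, as an added example (not the answerer's code and not from the linked articles): it wraps ntdsutil's command-line form to remove the NTDS Settings of DCs that can no longer be demoted, then removes the orphaned child domain those DCs belonged to (a domain can only be removed after all its DCs are gone), and finally seizes the FSMO roles only if you tell it to. Every name here is hypothetical: live DC ABC, forest abc.local, dead DC TRAINING in Default-First-Site-Name, child domain training.abc.local. Run it as an Enterprise Admin on a 2008 R2 or newer DC or RSAT host (the DN form of "remove selected server" needs that ntdsutil); each removal is irreversible and ntdsutil pops a Yes/No confirmation for it.

```powershell
# Added example, not part of the thread. Everything below is destructive.
param(
    [string]  $ConnectTo    = 'ABC',   # reachable DC; here it also holds the Domain Naming Master
    [string[]]$DeadServerDn = @('CN=TRAINING,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=abc,DC=local'),
    [string]  $OrphanDomain = 'training.abc.local',
    [string]  $SeizeTo      = ''       # e.g. 'NEWDC2012'; empty = do not seize anything
)

function ConvertTo-DomainDn([string]$Fqdn) {
    # training.abc.local -> DC=training,DC=abc,DC=local
    return 'DC=' + (($Fqdn.TrimEnd('.') -split '\.') -join ',DC=')
}

function Invoke-Ntdsutil([string[]]$MenuCommands) {
    # Each argument is one menu line, exactly as it would be typed interactively.
    $output = & ntdsutil.exe @MenuCommands 2>&1 | Out-String
    Write-Verbose $output
    return $output
}

# 'remove selected server <DN>' deletes the NTDS Settings object and the
# replication links of a DC that cannot be demoted (the DsBindW 0x6ba case).
function Remove-DeadDcMetadata([string]$ServerDn) {
    Invoke-Ntdsutil @(
        'metadata cleanup', 'connections', "connect to server $ConnectTo", 'quit',
        "remove selected server $ServerDn", 'quit', 'quit')
}

# ntdsutil wants the domain's index from 'list domains', so list first, then
# select that index and remove. Run only after every DC of the domain is gone.
function Remove-OrphanDomainMetadata([string]$DomainFqdn) {
    $wantedDn = ConvertTo-DomainDn $DomainFqdn
    $listing  = Invoke-Ntdsutil @(
        'metadata cleanup', 'connections', "connect to server $ConnectTo", 'quit',
        'select operation target', 'list domains', 'quit', 'quit', 'quit')
    $index = $null
    foreach ($line in ($listing -split "`r?`n")) {
        # listing lines look like: 1 - DC=training,DC=abc,DC=local
        if ($line -match '^\s*(\d+)\s+-\s+(DC=.+?)\s*$' -and $Matches[2] -ieq $wantedDn) { $index = [int]$Matches[1] }
    }
    if ($null -eq $index) { throw "$wantedDn is not in the Partitions container; nothing to remove" }
    Invoke-Ntdsutil @(
        'metadata cleanup', 'connections', "connect to server $ConnectTo", 'quit',
        'select operation target', "select domain $index", 'quit',
        'remove selected domain', 'quit', 'quit')
}

# Seizing is for a holder that will never come back. If the holder still answers,
# transfer instead (same cmdlet without -Force). A seized-from DC must never be
# put back on the network. Needs the ActiveDirectory module on this host.
function Invoke-FsmoSeize([string]$TargetDc) {
    Import-Module ActiveDirectory
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -Force -Confirm:$false `
        -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
}

foreach ($dn in $DeadServerDn) { Remove-DeadDcMetadata $dn }
Remove-OrphanDomainMetadata $OrphanDomain
if ($SeizeTo) { Invoke-FsmoSeize $SeizeTo }

# Afterwards no partner should still reference the removed DCs.
& repadmin.exe /showrepl
& dcdiag.exe /q
```

Order matters: servers first, domain second, which is also the order the asker reports working further down. After the run, delete any leftover server container in AD Sites and Services, the computer object in ADUC, the trust entry in AD Domains and Trusts, and the DNS records for the dead hosts; only then retry raising the forest functional level.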

Assisted Solution

saumik belel earned 1000 total points
ID: 41766893
Additionally, remove stale entries from DNS and remove the IP address of the old server if it is configured on the NIC.
Keep the server's own IP address as the Preferred DNS server on the NIC.
Check DNS errors on the new server by running dcdiag /test:dns.
Also run dcdiag /q to check for Active Directory errors.
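The DNS side of this answer as an added example (not the answerer's code): it lists every A, CNAME, NS and SRV record in the chosen zones that still names one of the removed DCs or their addresses, deletes them on request, and points the new DC's NIC at itself for DNS with a partner DC as alternate. It assumes the DnsServer and DnsClient modules (Server 2012 / RSAT) and a 2012-level DNS server; against a 2003 DNS server use dnscmd /recorddelete instead. The zone abc.local, the server ABC, the dead host names and the .45 address are hypothetical.

```powershell
# Added example, not part of the thread. Without -Delete it only reports.
param(
    [string]  $DnsServer  = 'ABC',
    [string[]]$Zones      = @('abc.local', '_msdcs.abc.local'),
    [string[]]$DeadHosts  = @('training.training.abc.local', 'devdc.dev_training.abc.local'),
    [string[]]$DeadIps    = @('10.0.0.45'),
    [string]  $PartnerDns = '',        # e.g. '10.0.0.10'; empty = leave the NIC alone
    [switch]  $Delete
)
Import-Module DnsServer

# The host name or address a record points at, whatever its type.
function Get-RecordTarget($Record) {
    switch ($Record.RecordType) {
        'A'     { return [string]$Record.RecordData.IPv4Address }
        'CNAME' { return [string]$Record.RecordData.HostNameAlias }
        'NS'    { return [string]$Record.RecordData.NameServer }
        'SRV'   { return [string]$Record.RecordData.DomainName }
        default { return $null }
    }
}

# A record is stale if it is owned by a dead host (its A record) or points at one
# (NS and SRV records under _msdcs are the ones that keep DC locator finding it).
function Find-StaleDnsRecords {
    foreach ($zone in $Zones) {
        foreach ($rec in Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone) {
            $owner  = if ($rec.HostName -eq '@') { $zone } else { "$($rec.HostName).$zone" }
            $target = Get-RecordTarget $rec
            $stale  = ($DeadHosts -contains $owner) -or
                      ($target -and ($DeadHosts -contains $target.TrimEnd('.'))) -or
                      ($target -and ($DeadIps -contains $target))
            if ($stale) {
                [pscustomobject]@{ Zone = $zone; Name = $rec.HostName; Type = $rec.RecordType; Target = $target; Record = $rec }
            }
        }
    }
}

# Preferred DNS = this DC's own address, alternate = a partner DC, on every
# connected adapter; then re-register the DC's own records.
function Set-DcDnsClient([string]$Partner) {
    $self = (Get-NetIPAddress -AddressFamily IPv4 |
             Where-Object { $_.IPAddress -ne '127.0.0.1' -and $_.IPAddress -notlike '169.254.*' } |
             Select-Object -First 1).IPAddress
    foreach ($nic in Get-NetAdapter | Where-Object Status -eq 'Up') {
        Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses @($self, $Partner)
    }
    ipconfig /flushdns    | Out-Null
    ipconfig /registerdns | Out-Null
}

$stale = @(Find-StaleDnsRecords)
$stale | Select-Object Zone, Name, Type, Target | Format-Table -AutoSize
if ($Delete) {
    foreach ($s in $stale) {
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $s.Zone -InputObject $s.Record -Force
    }
}
if ($PartnerDns) { Set-DcDnsClient $PartnerDns }

& dcdiag.exe /test:dns /q
```

If the dead child domain's own zones (training.abc.local and its _msdcs) are still hosted on this server, remove them whole with Remove-DnsServerZone once the domain metadata is gone; also remove the dead DC from the name server list of the parent zone's delegation, which is what the NS match above catches.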

Author Comment

ID: 41766950
Thanks for the replies. I'll check the links.

1. I did use this command to locate the FSMO roles:
   netdom query fsmo, no problem with that.
2. ADUC has been cleaned, but they cannot be removed from AD Sites and Services unless demoted; plus they also exist under AD Domains and Trusts as domains that have been added.
Sorry for not updating; I saw that these servers are from different domains,
e.g. training.com and development.com, while the client's on ABC.com.
Thanks, I'll check the other areas.

@saumik belel, thanks.

Author Comment

ID: 41774531
dcdiag /test:dns

Summary of test results... note they have more than one DNS server.
DNS on the server with the FSMO roles looks fine. I'll call this DC ABC in this question.

None of the failures below relate to the domains we're trying to remove.
Failure 1: this is with the alternative (secondary) DNS server.
Failure 2: fails to some root servers.

            1. DNS server: xxxx.xxxx.xxxx.xxxx (<name unavailable>)
               2 test failures on this DNS server
               This is not a valid DNS server. PTR record query for the xxxx.xxxx.xxxx.xxxx
7.in-addr.arpa. failed on the DNS server xxxx.xxxx.xxxx.xxxx
               Name resolution is not functional. _ldap._tcp.ABC.local. failed
on the DNS server xxxx.xxxx.xxxx.xxxx

            DNS server: xxxx.xxxx.xxxx.xxxx (d.root-servers.net.)
            DNS server: xxxx.xxxx.xxxx.xxxx (b.root-servers.net.)
            DNS server: xxxx.xxxx.xxxx.xxxx (l.root-servers.net.)
                   Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
            Domain: ABC.local
               ABC                     PASS WARN PASS PASS PASS PASS n/a

         ......................... ABC.local passed test DNS

With dcdiag /q
there are some replication latency warnings; I've confirmed with the client and they said this server's off, it will be repaired at a later stage.
The last replication to it was in 2013.
DC failed test KccEvent

Author Comment

ID: 41774572
When trying to connect to these servers, error:
"DsBindW error 0x6ba (The RPC server is unavailable)"

so I can't connect to these DCs.

Under Domains and Trusts
there are two trusted domains:
1. training.abc.local
2. dev_training.abc.local

but none of these exist anymore; the DCs I need to remove are from those domains.

Raising the forest functional level error: "A referral was returned from the server"

DNS records on the main DC look fine, no entries.

I can ping the server in this domain by name or IP, training.abc.local (host name training),
but when one tries to track this via the DHCP console, it's assigned to another machine with the same IP.

ipconfig /flushdns
ipconfig /displaydns

show that the .45 IP belongs to training,
but when you run ping -a to .45, it returns a different device.

I'll continue to troubleshoot

Author Comment

ID: 41774896
I went the other route:
using NTDSutil, I connected to the ABC DC, where binding succeeded;
list domains: which shows the list of all the domains within the forest.

Followed all the instructions in the link and managed to remove the development server;
still have problems with the training DC, as I get errors when I try to remove it (access denied).

I've used the following command too:
Type "set creds <domain name> <username> <password>" (without the quotation marks) and press ENTER.
This account is part of Schema Admins and Enterprise Admins, but I still get access denied:
"DsRemoveDsServerW error 0x5 (Access is denied)"

Is there a way to delete this from ADSI Edit (adsiedit.msc)?
Meanwhile I'll continue troubleshooting.

Author Comment

ID: 41775836
Thanks lads,
I've managed to remove both servers first and then also removed the child domains.
Followed the links and it worked.
