Setting up server 2012 R2 standard within an existing 2003 domain

Hi Experts,
I believe you guys might’ve had a handful of these queries.  
The client runs on a 2003 domain and requested that I assist them with the setup of win2k2012 DC. Server 2012 will replace one of their win2k3 servers in a different site and they requested for the new server to have the name.  
The FSMO roles are hosted by one 2003 DC, and the following steps were taken,
- The domain functional level was raised from Windows Server 2000 to 2003 via ADUC and AD domain and trust
- On Server 2012, the AD Domain service role was added.
The problem comes in when promoting this as a DC,  
Error:  the forest functional level is Windows 2000
The client isn’t aware that they had older DC in their domain, so whoever did their upgrade, left some binaries behind.
On the 2003 DC, raising the forest functional level gives the following error: A referral was returned from the server
Within ADUC, the Domain controller OU, an old DC was removed but I had to do this via ADSI.edit, this didn’t resolve the problem.  
Within AD Sites and Services, there are DC’s the client doesn’t know about or doesn’t use anymore,
When I force replication on them, they can’t be discovered. Event logs (Directory Services) show replication errors to these DCs:
The attempt to establish a replication link to a read-only directory partition with the following parameters failed.
One of the DCs can be pinged but there is no RPC, so it cannot be remotely connected.
When trying to delete these objects from AD sites and services, I get the following error:
DC contains objects representing domain controller and possibly other DC.  

So this DC must first be demoted, which is not reachable and the client doesn’t know about them.
There are orphaned domains that would need to be removed from AD domain and trust too.  
I’ll continue troubleshooting, but your contribution will be highly appreciated

saumik belel Commented:
Seize the FSMO roles & perform a metadata cleanup on Server 2012.

Kindly take a look at the below document, hope it helps.

Seizing FSMO Roles :

Delete Failed DCs from Active Directory :
FOX (Active Directory/Exchange Engineer) Commented:
1. Run the command netdom query fsmo to verify where all the FSMO roles are sitting.
2. Any domain controllers that are not physically part of the domain but are still sitting in ADUC need to be cleaned out. Remove them from ADUC, check DNS (forward and reverse lookups) and remove them from there as well. Check AD Sites and Services, expand Servers and remove any servers that you know are not physically on the network anymore. Once you have deleted the servers from those areas and given a little time for the changes to replicate, verify in ADSIEdit whether they are still showing up; if so, delete them.
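
A read-only inventory to run before the cleanup described above (an added example, not part of FOX's answer or the original thread): it lists every server object registered under Sites and Services and tests TCP 135 and 389 instead of ping, since a ping reply only shows that some machine holds the address. It assumes a domain-joined machine with PowerShell 3.0 or later; Test-TcpPort and the report column names are made up for this example.

```powershell
# Added example (read-only): list every server object under CN=Sites in the
# Configuration partition and check whether it still behaves like a live DC.
# Uses ADSI over LDAP, so it does not depend on the ActiveDirectory module.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext

function Test-TcpPort {   # hypothetical helper: TCP connect with a timeout
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)   # throws if the connection was refused
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNc"
$searcher.Filter     = '(objectClass=server)'
$searcher.PageSize   = 500

$report = foreach ($entry in $searcher.FindAll()) {
    $dn   = [string]($entry.Properties['distinguishedname'] | Select-Object -First 1)
    $fqdn = [string]($entry.Properties['dnshostname'] | Select-Object -First 1)

    # A server object with no NTDS Settings child is leftover metadata.
    $hasNtds = $false
    try { $hasNtds = [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://CN=NTDS Settings,$dn") } catch { }

    $ip = $null; $rpc = $false; $ldap = $false
    if ($fqdn) {
        try { $ip = ([System.Net.Dns]::GetHostAddresses($fqdn) | Select-Object -First 1).IPAddressToString } catch { }
        $rpc  = Test-TcpPort -HostName $fqdn -Port 135   # RPC endpoint mapper
        $ldap = Test-TcpPort -HostName $fqdn -Port 389   # LDAP
    }
    [pscustomobject]@{
        Server          = [string]($entry.Properties['name'] | Select-Object -First 1)
        DnsHostName     = $fqdn
        ResolvedIP      = $ip      # compare with the DHCP lease for this address
        HasNtdsSettings = $hasNtds
        Rpc135          = $rpc
        Ldap389         = $ldap
    }
}
$report | Sort-Object Server | Format-Table -AutoSize
```

Rows with both ports closed, or with an address that DHCP shows leased to another machine, are the candidates to confirm with the site owner before any metadata cleanup.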
saumik belel Commented:
Additionally remove stale entries from the DNS & remove IP address of old server if configured in NIC Card.
Keep Server's own IP address in Preferred DNS on NIC Card.
Check DNS errors on the new server by running dcdiag /test:dns.
Also run Dcdiag /q command to check active directory errors.
Schoemans (Author) Commented:
Thanks for the replies... I'll check the links.

1. I did use this command to locate the FSMO,
   netdom query fsmo, no problem with that
2. ADUC has been cleaned but they cannot be removed from AD sites and services unless demoted, plus they also exist under AD domain and trust, as domains that have been added.
Sorry for not updating, I saw that these servers are from different domains,
e.g. training.com and development.com, while the client's on
Thanks, I'll check the other areas

@saumik belel, thanks
Schoemans (Author) Commented:
dcdiag /test:dns

Summary of test results... note they have more than one DNS server.
DNS on the server with the FSMO roles looks fine. I'll call the DC ABC in this question.

None of the failures below relate to the domains we're trying to remove.
Failure 1: this is with the alternative DNS server (secondary)
Failure 2: fails to some root servers

            1. DNS server: xxxx.xxxx.xxxx.xxxx (<name unavailable>)
               2 test failures on this DNS server
               This is not a valid DNS server. PTR record query for the xxxx.xxxx.xxxx.xxxx failed on the DNS server xxxx.xxxx.xxxx.xxxx
               Name resolution is not functional. _ldap._tcp.ABC.local. failed on the DNS server xxxx.xxxx.xxxx.xxxx

            DNS server: xxxx.xxxx.xxxx.xxxx (
            DNS server: xxxx.xxxx.xxxx.xxxx (
            DNS server: xxxx.xxxx.xxxx.xxxx (
                   Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
            Domain: ABC.local
               ABC                     PASS WARN PASS PASS PASS PASS n/a

         ......................... ABC.local passed test DNS

With dcdiag /q
there are some replication latency warnings. I've confirmed with the client and they said this server's off; it will be repaired at a later stage.
The last replication to it was in 2013.
DC failed test Kccevent
Schoemans (Author) Commented:
When trying to connect to these servers: Error:
"DsBindW error 0x6ba (The RPC server is unavailable)"

so I can't connect to these DCs

under Domain and trust
there are two trusted domains

but none of these exist anymore; the DCs I need to remove are from those domains

Raising the forest functional level error: "A referral was returned from the server"

DNS records on the main DC look fine, no entries

I can ping the server in this domain by name or IP (host-name training),
but when one tries to track this via the DHCP console, it's assigned to another machine, same IP.

ipconfig /flushdns
ipconfig /displaydns

shows that the .45 IP belongs to training,
but when you run ping -a to .45, it returns a different device.

I'll continue to troubleshoot
Schoemans (Author) Commented:
I went the other route,
using NTDSutil, connected to the ABC DC, where binding succeeded
list domain: which shows the list of all the domains within the forest

Followed all the instructions on the link and managed to remove the development server,
still have problems with the training DC, as I get errors when I try to remove it... (access denied)

I've used the following command too:
Type "set creds <domain name> <username> <password>" (without the quotation marks) and press ENTER.
This account is part of the Schema Admins and Enterprise Admins, but I still get access denied.
"DsRemoveDsServerW error 0x5 (Access is denied)"

Is there a way to delete this from ADSIedit.msc?
Meanwhile I'll continue troubleshooting.
Schoemans (Author) Commented:
Thanks lads,
I've managed to remove both servers first and then also removed the child domains.
Followed the links and it worked...
Question has a verified solution.
