Failed DCPROMO caused by AD Recycle bin on the first domain controller of a new tree domain
We are attempting to add a new (Server 2016) DC at a new AD site. The procedure is as we have used successfully in the past:
1. Join the head office domain (this works fine) - let's call it "headoffice.company"
2. Promote the machine to be a new DC in a tree domain ("store02.company")
This is where we get the errors as follows. From the Directory Service log, ID 2140:
Event ID 1173:
Event ID 1168:
I have found this article which appears to show the same problem, but there's no solution as yet: Failed DCPROMO - First Domain Controller of a new Child Domain
The Forest Functional Level is Server 2008 R2. We have tried different domain functional levels for the new DC to no avail.
It looks like it's just a problem with the AD Recycle Bin. How can we overcome this error and promote the DC?
1. Join the head office domain (this works fine) - let's call it "headoffice.company"
2. Promote the machine to be a new DC in a tree domain ("store02.company")
This is where we get the errors as follows. From the Directory Service log, ID 2140:
While processing of an Active Directory Domain Services replication request, the Active Directory Domain Services attempted to modify the list of enabled optional features for the forest. The Active Directory Domain Services is currently enabling or disabling one or more optional features. Therefore, modifications to the list of enabled optional features for the forest are not being accepted at this time, so the replication request failed. The Active Directory Domain Services will temporarily discontinue this replication request. The replication request will be attempted again later. Request Details: Object being modified: CN=BootMachine,O=Boot Attribute being modified: msDS-EnabledFeature Value being modified: 766ddcd8-acd0-445e-f3b9-a7f9b6744f2a Optional feature: Recycle Bin Feature
Event ID 1173:
Internal event: Active Directory Domain Services has encountered the following exception and associated parameters.
Exception:
e0010002
Parameter:
20d9
Additional Data
Error value:
8451
Internal ID:
11d0700
Event ID 1168:
Internal error: An Active Directory Domain Services error has occurred.
Additional Data
Error value (decimal):
-1073741823
Error value (hex):
c0000001
Internal ID:
30017ac
I have found this article which appears to show the same problem, but there's no solution as yet: Failed DCPROMO - First Domain Controller of a new Child Domain
The Forest Functional Level is Server 2008 R2. We have tried different domain functional levels for the new DC to no avail.
It looks like it's just a problem with the AD Recycle Bin. How can we overcome this error and promote the DC?
The Forest Functional Level is Server 2008 R2. We have tried different domain functional levels for the new DC to no avail.How did you do that? How did you go down after you tested with different domain function levels?
When you create a new domain you can choose between the different functional levels in the wizard; we never actually successfully created a domain at any of the levels.
The forest functional level of course we can only change upwards (and in fact we can't go above Server 2008 R2 as we have one remaining DC using 2008 R2 in the forest). For the other existing sites the domain functional level can be different though, depending on what OS the DCs are running at each site.
The forest functional level of course we can only change upwards (and in fact we can't go above Server 2008 R2 as we have one remaining DC using 2008 R2 in the forest). For the other existing sites the domain functional level can be different though, depending on what OS the DCs are running at each site.
It will be decommissioned in due course. In fact, there's no reason we couldn't do it now, apart from having to manually update anything with a static IP / DNS setting. We added new DCs for redundancy and haven't removed it yet (there are two others at the head office site, one 2012 and one 2016).
I see what you're saying, but the AD Recycle Bin is supported at the Server 2008 R2 level, and also we've added Server 2016 domains previously with no difficulty.
Correct but 2008 R2 is old and Microsoft is not testing all the various different setups when creating domains.
Hmm, well I have had Microsoft looking at it for an hour already - they didn't see a problem with Server 2008 R2 but then they also haven't fixed it yet!
I have had Microsoft on this for about 5 hours, and they have escalated it so intend to call me back.
In the meantime though I installed a fresh Server 2016 Standard VM with the minimum required, i.e.:
> No Windows updates, default settings for a new VMware VM (E1000 NIC, not vmnet3), US region (not UK - just changed the time zone), static IP
This worked fine first time as expected.
So I suspect it was the lack of updates that fixed it, rather than the other settings - but we'll see. Probably it was just one update (likely a recent one) that caused this.
Normally I wouldn't install updates until after promoting to a DC, but on this occasion I had to wait for a third party company to open the firewall ports and so did the updates first "to save time". I shan't do that again!
So to recap: I believe the problem is caused by Windows updates. Don't install them before promoting your DC.
In the meantime though I installed a fresh Server 2016 Standard VM with the minimum required, i.e.:
> No Windows updates, default settings for a new VMware VM (E1000 NIC, not vmnet3), US region (not UK - just changed the time zone), static IP
This worked fine first time as expected.
So I suspect it was the lack of updates that fixed it, rather than the other settings - but we'll see. Probably it was just one update (likely a recent one) that caused this.
Normally I wouldn't install updates until after promoting to a DC, but on this occasion I had to wait for a third party company to open the firewall ports and so did the updates first "to save time". I shan't do that again!
So to recap: I believe the problem is caused by Windows updates. Don't install them before promoting your DC.
So to recap: I believe the problem is caused by Windows updates. Don't install them before promoting your DC.Like I said. They don't test everything with older OSes. It is highly unlikely that the patch that caused this would have prevented a new domain if the 2008 R2 DC wasn't there.
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION
Gain unlimited access to on-demand training courses with an Experts Exchange subscription.
Get AccessWhy Experts Exchange?
Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.
Jim Murphy
Programmer at Smart IT Solutions
When asked, what has been your best career decision?
Deciding to stick with EE.
Mohamed Asif
Technical Department Head
Being involved with EE helped me to grow personally and professionally.
Carl Webster
CTP, Sr Infrastructure Consultant
Did You Know?
We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE
Ask ANY Question
Connect with Certified Experts to gain insight and support on specific technology challenges including:
- Troubleshooting
- Research
- Professional Opinions
Join our community and discover your potential
Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.
*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.