Asked by David Haycox (United Kingdom)

Failed DCPROMO caused by AD Recycle bin on the first domain controller of a new tree domain

We are attempting to add a new (Server 2016) DC at a new AD site.  The procedure is as we have used successfully in the past:

1. Join the head office domain (this works fine) - let's call it "headoffice.company"
2. Promote the machine to be a new DC in a tree domain ("store02.company")

This is where we get the errors as follows. From the Directory Service log, ID 2140:
While processing of an Active Directory Domain Services replication request, the Active Directory Domain Services attempted to modify the list of enabled optional features for the forest.  The Active Directory Domain Services is currently enabling or disabling one or more optional features.  Therefore, modifications to the list of enabled optional features for the forest are not being accepted at this time, so the replication request failed.  The Active Directory Domain Services will temporarily discontinue this replication request.  The replication request will be attempted again later.
Request Details:
Object being modified: CN=BootMachine,O=Boot
Attribute being modified: msDS-EnabledFeature
Value being modified: 766ddcd8-acd0-445e-f3b9-a7f9b6744f2a
Optional feature: Recycle Bin Feature

Event ID 1173:
Internal event: Active Directory Domain Services has encountered the following exception and associated parameters.
 
Exception:
e0010002
Parameter:
20d9
 
Additional Data
Error value:
8451
Internal ID:
11d0700

Event ID 1168:
Internal error: An Active Directory Domain Services error has occurred.
 
Additional Data
Error value (decimal):
-1073741823
Error value (hex):
c0000001
Internal ID:
30017ac

I have found this article which appears to show the same problem, but there's no solution as yet: Failed DCPROMO - First Domain Controller of a new Child Domain

The Forest Functional Level is Server 2008 R2.  We have tried different domain functional levels for the new DC to no avail.

It looks like it's just a problem with the AD Recycle Bin.  How can we overcome this error and promote the DC?
Topic: Active Directory

Last comment: David Haycox, 8/22/2022 - Mon
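The question quotes event 2140 refusing a modification of msDS-EnabledFeature for the Recycle Bin feature (GUID 766ddcd8-acd0-445e-f3b9-a7f9b6744f2a). Before opening a vendor case it is worth recording how the forest itself reports that feature from three angles (the Get-ADOptionalFeature view, the msDS-EnabledFeature attribute on the Partitions container that the event refers to, and the feature object's back-link) and collecting the three event IDs from the thread on the server where the promotion failed. The script below is an added diagnostic example, not code from the original question or from Microsoft; the DC name dc01.headoffice.company is a placeholder, and the Directory Service log only exists on the candidate server once a promotion has been attempted.

```powershell
# Added diagnostic example; not part of the original question. Run from an elevated
# PowerShell session on a machine with the ActiveDirectory RSAT module, as an account
# that can read the configuration partition. $ForestRoot is a placeholder for an
# existing DC in the head-office domain; the GUID is the one quoted in event 2140.
Import-Module ActiveDirectory

$ForestRoot     = 'dc01.headoffice.company'              # placeholder name, not from the post
$RecycleBinGuid = '766ddcd8-acd0-445e-f3b9-a7f9b6744f2a'

# 1. What the forest says is enabled, and at which scope (for a forest-wide feature
#    the scope is the DN of the Partitions container).
Get-ADOptionalFeature -Filter * -Server $ForestRoot |
    Select-Object Name, FeatureGUID,
        @{ Name = 'EnabledScopes'; Expression = { $_.EnabledScopes -join '; ' } } |
    Format-Table -AutoSize

# 2. The same information as stored on the Partitions container itself
#    (msDS-EnabledFeature). Event 2140 reports a refused modification of this attribute.
$rootDse    = Get-ADRootDSE -Server $ForestRoot
$partitions = Get-ADObject -Identity "CN=Partitions,$($rootDse.configurationNamingContext)" `
                           -Properties 'msDS-EnabledFeature' -Server $ForestRoot
"Feature DNs listed on CN=Partitions:"
$partitions.'msDS-EnabledFeature'

# 3. The feature object's back-link (msDS-EnabledFeatureBL) should point back at the
#    Partitions container, and its GUID should match the one in the event text.
#    Any disagreement between steps 1, 2 and 3 is the first thing to hand to support.
$recycleBin = Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $ForestRoot
if ($recycleBin.FeatureGUID.ToString() -ne $RecycleBinGuid) {
    Write-Warning "Forest reports Recycle Bin GUID $($recycleBin.FeatureGUID); event quoted $RecycleBinGuid"
}
"Back-link on the Recycle Bin feature object:"
(Get-ADObject -Identity $recycleBin.DistinguishedName `
              -Properties 'msDS-EnabledFeatureBL' -Server $ForestRoot).'msDS-EnabledFeatureBL'

# 4. On the server where the promotion failed, gather the three event IDs from the
#    thread in one table (first line of each message only, for readability).
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2140, 1173, 1168 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ Name = 'Message'; Expression = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

Steps 1 to 3 run against an existing, healthy DC and need only read access to the configuration partition; step 4 runs on the failed candidate. If the feature is reported as enabled at forest scope everywhere but the promotion still fails with 2140, the problem is on the joining side, which is consistent with the asker's later finding that a freshly built server promoted cleanly.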
Shaun Vermaak

The Forest Functional Level is Server 2008 R2.  We have tried different domain functional levels for the new DC to no avail.
How did you do that? How did you go down after you tested with different domain functional levels?
David Haycox

ASKER
When you create a new domain you can choose between the different functional levels in the wizard; we never actually successfully created a domain at any of the levels.
The forest functional level of course we can only change upwards (and in fact we can't go above Server 2008 R2 as we have one remaining DC using 2008 R2 in the forest).  For the other existing sites the domain functional level can be different though, depending on what OS the DCs are running at each site.
Shaun Vermaak

What's the plan with this remaining 2008 R2 DC?
David Haycox

ASKER
It will be decommissioned in due course.  In fact, there's no reason we couldn't do it now, apart from having to manually update anything with a static IP / DNS setting.  We added new DCs for redundancy and haven't removed it yet (there are two others at the head office site, one 2012 and one 2016).
Shaun Vermaak

My gut tells me to first decommission, raise the FFL and then retry the new domain.
David Haycox

ASKER
I see what you're saying, but the AD Recycle Bin is supported at the Server 2008 R2 level, and also we've added Server 2016 domains previously with no difficulty.
Shaun Vermaak

Correct, but 2008 R2 is old and Microsoft is not testing all the various different setups when creating domains.
David Haycox

ASKER
Hmm, well I have had Microsoft looking at it for an hour already - they didn't see a problem with Server 2008 R2 but then they also haven't fixed it yet!
Shaun Vermaak

Let me know what they find. Would be interesting to know
David Haycox

ASKER
I have had Microsoft on this for about 5 hours, and they have escalated it so intend to call me back.

In the meantime though I installed a fresh Server 2016 Standard VM with the minimum required, i.e.:

> No Windows updates, default settings for a new VMware VM (E1000 NIC, not vmxnet3), US region (not UK - just changed the time zone), static IP

This worked fine first time as expected.

So I suspect it was the lack of updates that fixed it, rather than the other settings - but we'll see.  Probably it was just one update (likely a recent one) that caused this.

Normally I wouldn't install updates until after promoting to a DC, but on this occasion I had to wait for a third party company to open the firewall ports and so did the updates first "to save time".  I shan't do that again!

So to recap: I believe the problem is caused by Windows updates.  Don't install them before promoting your DC.
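The asker's workaround is procedural: build the server without updates, promote it, patch afterwards. Two things make that repeatable rather than a one-off: recording exactly which updates were present on a build (so a working and a failing server can be diffed later, since the thread never identifies the update), and running the AD DS prerequisite checks for the tree domain before committing to the promotion. The script below is an added example, not code from the original post; it uses the domain names from the question, assumes the AD DS role binaries are installed, and takes the new domain's functional level (Win2008R2, matching the forest level stated in the thread) and the NetBIOS name STORE02 as placeholders.

```powershell
# Added example; not from the original post. Run elevated on the candidate server
# after it has joined headoffice.company and before Install-ADDSDomain.
# Placeholders: NetBIOS name, DomainMode and the account prompted for below.

# Role binaries are needed for the ADDSDeployment module (no promotion happens here).
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null
Import-Module ADDSDeployment

# 1. Snapshot the installed updates so a failing build can later be compared with
#    one that promoted cleanly (the thread suspects an update but names none).
$hotfixLog = Join-Path $env:TEMP 'hotfixes-before-dcpromo.txt'
$hotfixes  = Get-HotFix | Sort-Object InstalledOn
$hotfixes | Select-Object HotFixID, Description, InstalledOn |
    Format-Table -AutoSize | Out-File -FilePath $hotfixLog
"$($hotfixes.Count) installed updates recorded in $hotfixLog"

# 2. Dry-run the tree-domain promotion. Test-ADDSDomainInstallation performs the same
#    prerequisite checks as Install-ADDSDomain and returns a result object instead of
#    changing the server.
$cred = Get-Credential -Message 'Enterprise Admins account in headoffice.company'
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM (SafeMode) password for the new domain'

$result = Test-ADDSDomainInstallation `
    -NewDomainName 'store02.company' `
    -NewDomainNetbiosName 'STORE02' `
    -ParentDomainName 'headoffice.company' `
    -DomainType TreeDomain `
    -DomainMode Win2008R2 `
    -InstallDns `
    -CreateDnsDelegation:$false `
    -Credential $cred `
    -SafeModeAdministratorPassword $dsrm

$result | Format-List Status, Message, Context, RebootRequired
if ($result.Status -ne 'Success') {
    Write-Warning "Prerequisite check did not pass; fix the reported item before running Install-ADDSDomain."
}
```

The prerequisite test will not reproduce the 2140/1173/1168 failure, which only surfaces during the actual promotion, but it catches the ordinary causes (name resolution to the forest root, credentials, functional-level mismatch) and leaves a record of the patch level so that the "updates before promotion" hypothesis can be tested properly on the next build.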
Shaun Vermaak

So to recap: I believe the problem is caused by Windows updates.  Don't install them before promoting your DC.
Like I said. They don't test everything with older OSes. It is highly unlikely that the patch that caused this would have prevented a new domain if the 2008 R2 DC wasn't there.
David Haycox

ASKER
That's possible, but we can't say that for certain without actually carrying it out.
ASKER CERTIFIED SOLUTION
David Haycox
