David Haycox (United Kingdom) asked:
Failed DCPROMO caused by AD Recycle bin on the first domain controller of a new tree domain

We are attempting to add a new (Server 2016) DC at a new AD site.  The procedure is as we have used successfully in the past:

1. Join the head office domain (this works fine) - let's call it "headoffice.company"
2. Promote the machine to be a new DC in a tree domain ("store02.company")

This is where we get the errors as follows. From the Directory Service log, ID 2140:
While processing of an Active Directory Domain Services replication request, the Active Directory Domain Services attempted to modify the list of enabled optional features for the forest.  The Active Directory Domain Services is currently enabling or disabling one or more optional features.  Therefore, modifications to the list of enabled optional features for the forest are not being accepted at this time, so the replication request failed.  The Active Directory Domain Services will temporarily discontinue this replication request.  The replication request will be attempted again later. Request Details: Object being modified: CN=BootMachine,O=Boot Attribute being modified: msDS-EnabledFeature Value being modified: 766ddcd8-acd0-445e-f3b9-a7f9b6744f2a Optional feature: Recycle Bin Feature

Event ID 1173:
Internal event: Active Directory Domain Services has encountered the following exception and associated parameters.
 
Exception:
e0010002
Parameter:
20d9
 
Additional Data
Error value:
8451
Internal ID:
11d0700

Event ID 1168:
Internal error: An Active Directory Domain Services error has occurred.
 
Additional Data
Error value (decimal):
-1073741823
Error value (hex):
c0000001
Internal ID:
30017ac

I have found this article which appears to show the same problem, but there's no solution as yet: Failed DCPROMO - First Domain Controller of a new Child Domain

The Forest Functional Level is Server 2008 R2.  We have tried different domain functional levels for the new DC to no avail.

It looks like it's just a problem with the AD Recycle Bin.  How can we overcome this error and promote the DC?
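A pre-promotion state check plus the tree-domain promotion step itself, written here as an added PowerShell example that is not part of the original thread. It assumes the names from the question (headoffice.company as the forest root, store02.company as the new tree domain); the Enterprise Admin account name and the site name are placeholders, and the member server is assumed to have the AD DS role binaries and RSAT installed.

```powershell
# Added example, not the poster's own script. Run on the member server that has
# already joined headoffice.company, before attempting the tree-domain promotion.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null
Import-Module ActiveDirectory

$forestRoot = 'headoffice.company'   # existing forest root, from the question
$newTree    = 'store02.company'      # new tree domain, from the question

# 1. Forest functional level and the forest-wide optional features. Event 2140 in the
#    question stalls on msDS-EnabledFeature, so record which features are enabled and at
#    what scope before promoting (Recycle Bin Feature is the one named in the event).
$forest = Get-ADForest -Identity $forestRoot
"Forest mode: {0}" -f $forest.ForestMode
Get-ADOptionalFeature -Filter * -Server $forestRoot |
    Select-Object Name, FeatureGUID, RequiredForestMode, EnabledScopes

# 2. Every DC in every domain of the forest with its OS. This confirms whether a
#    2008 R2 DC is still present, which caps the forest functional level.
foreach ($d in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $d |
        Select-Object HostName, Domain, Site, OperatingSystem, IsGlobalCatalog
}

# 3. Promote as the first DC of a new tree domain (the question's step 2).
#    The new domain's functional level must be at least the forest functional level;
#    it may be higher, which is why per-site domain levels can differ.
Install-ADDSDomain `
    -Credential (Get-Credential "$forestRoot\EnterpriseAdminUser") `   # placeholder account
    -NewDomainName $newTree -ParentDomainName $forestRoot -DomainType TreeDomain `
    -DomainMode Win2012R2 -InstallDns -SiteName 'Store02-Site' `        # placeholder site
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -NoRebootOnCompletion

# 4. After the attempt, pull the three event IDs quoted in the question from the
#    Directory Service log so a failed run can be compared against the thread.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2140, 1173, 1168 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Step 4 returns nothing on a clean promotion; the three IDs only appear when the replication of the optional-feature list fails as described in the question.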
Shaun Vermaak (Australia) replied:

> The Forest Functional Level is Server 2008 R2.  We have tried different domain functional levels for the new DC to no avail.

How did you do that? How did you go down after you tested with different domain functional levels?
David Haycox (asker):
When you create a new domain you can choose between the different functional levels in the wizard; we never actually successfully created a domain at any of the levels.
The forest functional level of course we can only change upwards (and in fact we can't go above Server 2008 R2 as we have one remaining DC using 2008 R2 in the forest).  For the other existing sites the domain functional level can be different though, depending on what OS the DCs are running at each site.
Shaun Vermaak: What's the plan with this remaining 2008 R2 DC?
David Haycox: It will be decommissioned in due course.  In fact, there's no reason we couldn't do it now, apart from having to manually update anything with a static IP / DNS setting.  We added new DCs for redundancy and haven't removed it yet (there are two others at the head office site, one 2012 and one 2016).
Shaun Vermaak: My gut tells me to first decommission, raise the FFL and then retry the new domain.
David Haycox: I see what you're saying, but the AD Recycle Bin is supported at the Server 2008 R2 level, and also we've added Server 2016 domains previously with no difficulty.
Shaun Vermaak: Correct, but 2008 R2 is old and Microsoft is not testing all the various different setups when creating domains.
David Haycox: Hmm, well I have had Microsoft looking at it for an hour already - they didn't see a problem with Server 2008 R2 but then they also haven't fixed it yet!
Shaun Vermaak: Let me know what they find. It would be interesting to know.
David Haycox: I have had Microsoft on this for about 5 hours, and they have escalated it, so they intend to call me back.

In the meantime though I installed a fresh Server 2016 Standard VM with the minimum required, i.e.:

> No Windows updates, default settings for a new VMware VM (E1000 NIC, not VMXNET3), US region (not UK - just changed the time zone), static IP

This worked fine first time as expected.

So I suspect it was the lack of updates that fixed it, rather than the other settings - but we'll see.  Probably it was just one update (likely a recent one) that caused this.

Normally I wouldn't install updates until after promoting to a DC, but on this occasion I had to wait for a third party company to open the firewall ports and so did the updates first "to save time".  I shan't do that again!

So to recap: I believe the problem is caused by Windows updates.  Don't install them before promoting your DC.
Shaun Vermaak: Like I said, they don't test everything with older OSes. It is highly unlikely that the patch that caused this would have prevented a new domain if the 2008 R2 DC wasn't there.
David Haycox: That's possible, but we can't say that for certain without actually carrying it out.
ASKER CERTIFIED SOLUTION: David Haycox