Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!
Failed DCPROMO caused by AD Recycle bin on the first domain controller of a new tree domain
We are attempting to add a new (Server 2016) DC at a new AD site. The procedure is as we have used successfully in the past:
1. Join the head office domain (this works fine) - let's call it "headoffice.company"
2. Promote the machine to be a new DC in a tree domain ("store02.company")
This is where we get the errors as follows. From the Directory Service log, ID 2140:
Event ID 1173:
Event ID 1168:
I have found this article which appears to show the same problem, but there's no solution as yet: Failed DCPROMO - First Domain Controller of a new Child Domain
The Forest Functional Level is Server 2008 R2. We have tried different domain functional levels for the new DC to no avail.
It looks like it's just a problem with the AD Recycle Bin. How can we overcome this error and promote the DC?
1. Join the head office domain (this works fine) - let's call it "headoffice.company"
2. Promote the machine to be a new DC in a tree domain ("store02.company")
This is where we get the errors as follows. From the Directory Service log, ID 2140:
While processing of an Active Directory Domain Services replication request, the Active Directory Domain Services attempted to modify the list of enabled optional features for the forest. The Active Directory Domain Services is currently enabling or disabling one or more optional features. Therefore, modifications to the list of enabled optional features for the forest are not being accepted at this time, so the replication request failed. The Active Directory Domain Services will temporarily discontinue this replication request. The replication request will be attempted again later. Request Details: Object being modified: CN=BootMachine,O=Boot Attribute being modified: msDS-EnabledFeature Value being modified: 766ddcd8-acd0-445e-f3b9-a7f9b6744f2a Optional feature: Recycle Bin Feature
Event ID 1173:
Internal event: Active Directory Domain Services has encountered the following exception and associated parameters.
Exception:
e0010002
Parameter:
20d9
Additional Data
Error value:
8451
Internal ID:
11d0700
Event ID 1168:
Internal error: An Active Directory Domain Services error has occurred.
Additional Data
Error value (decimal):
-1073741823
Error value (hex):
c0000001
Internal ID:
30017ac
I have found this article which appears to show the same problem, but there's no solution as yet: Failed DCPROMO - First Domain Controller of a new Child Domain
The Forest Functional Level is Server 2008 R2. We have tried different domain functional levels for the new DC to no avail.
It looks like it's just a problem with the AD Recycle Bin. How can we overcome this error and promote the DC?
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
LVL 51
How did you do that? How did you go down after you tested with different domain function levels?
When you create a new domain you can choose between the different functional levels in the wizard; we never actually successfully created a domain at any of the levels.
The forest functional level of course we can only change upwards (and in fact we can't go above Server 2008 R2 as we have one remaining DC using 2008 R2 in the forest). For the other existing sites the domain functional level can be different though, depending on what OS the DCs are running at each site.
The forest functional level of course we can only change upwards (and in fact we can't go above Server 2008 R2 as we have one remaining DC using 2008 R2 in the forest). For the other existing sites the domain functional level can be different though, depending on what OS the DCs are running at each site.
It will be decommissioned in due course. In fact, there's no reason we couldn't do it now, apart from having to manually update anything with a static IP / DNS setting. We added new DCs for redundancy and haven't removed it yet (there are two others at the head office site, one 2012 and one 2016).
I see what you're saying, but the AD Recycle Bin is supported at the Server 2008 R2 level, and also we've added Server 2016 domains previously with no difficulty.
Correct but 2008 R2 is old and Microsoft is not testing all the various different setups when creating domains.
Hmm, well I have had Microsoft looking at it for an hour already - they didn't see a problem with Server 2008 R2 but then they also haven't fixed it yet!
I have had Microsoft on this for about 5 hours, and they have escalated it so intend to call me back.
In the meantime though I installed a fresh Server 2016 Standard VM with the minimum required, i.e.:
> No Windows updates, default settings for a new VMware VM (E1000 NIC, not vmnet3), US region (not UK - just changed the time zone), static IP
This worked fine first time as expected.
So I suspect it was the lack of updates that fixed it, rather than the other settings - but we'll see. Probably it was just one update (likely a recent one) that caused this.
Normally I wouldn't install updates until after promoting to a DC, but on this occasion I had to wait for a third party company to open the firewall ports and so did the updates first "to save time". I shan't do that again!
So to recap: I believe the problem is caused by Windows updates. Don't install them before promoting your DC.
In the meantime though I installed a fresh Server 2016 Standard VM with the minimum required, i.e.:
> No Windows updates, default settings for a new VMware VM (E1000 NIC, not vmnet3), US region (not UK - just changed the time zone), static IP
This worked fine first time as expected.
So I suspect it was the lack of updates that fixed it, rather than the other settings - but we'll see. Probably it was just one update (likely a recent one) that caused this.
Normally I wouldn't install updates until after promoting to a DC, but on this occasion I had to wait for a third party company to open the firewall ports and so did the updates first "to save time". I shan't do that again!
So to recap: I believe the problem is caused by Windows updates. Don't install them before promoting your DC.
So to recap: I believe the problem is caused by Windows updates. Don't install them before promoting your DC.Like I said. They don't test everything with older OSes. It is highly unlikely that the patch that caused this would have prevented a new domain if the 2008 R2 DC wasn't there.
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trialIt's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory
From novice to tech pro — start learning today.
-
IT AdministrationCertification: ISCAP Information Systems Certification and Accreditati… 16 lessons
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.