  1. #1

    2003r2 -> 2012 DC promotion problem

    Trying to promote a 2012 member server to a DC in a 2003 domain

    Verified domain is at 2003 functional levels

    Prerequisite checks when promoting the 2012 machine fail with the following:

    Verification of prerequisites for Active Directory preparation failed. Unable to perform Exchange schema conflict check for domain corp.local.
    Exception: Access is denied.
    Adprep could not retrieve data from the server server01.corp.local through Windows Managment Instrumentation (WMI).
    [User Action]
    Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20130117131610-test directory for possible cause of failure.

    (log says same info as in message)

    Googling found the following Msft article:

    http://technet.microsoft.com/en-us/l.../jj592690.aspx

    Issue
    Prerequisite adprep check fails with error "Unable to perform Exchange schema conflict check"

    Symptoms
    When attempting to promote a Windows Server 2012 domain controller into an existing Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 forest, prerequisite check fails with error:
    Verification of prerequisites for AD prep failed. Unable to perform Exchange schema conflict check for domain <domain name> (Exception: the RPC server is unavailable)
    The adprep.log shows error:
    Adprep could not retrieve data from the server <domain controller> through Windows Management Instrumentation (WMI).

    Resolution and Notes
    The new domain controller cannot access WMI through DCOM/RPC protocols against the existing domain controllers. To date, there have been three causes for this:
      • A firewall rule blocks access to the existing domain controllers
      • The NETWORK SERVICE account is missing from the "Logon as a service" (SeServiceLogonRight) privilege on the existing domain controllers
      • NTLM is disabled on domain controllers, using security policies described in Introducing the Restriction of NTLM Authentication


    I have verified that there are no firewall rules blocking traffic; the NETWORK SERVICE account is listed in the "Logon as a service" on the 2003 box Default Domain Controller Security Settings; and NTLM is not disabled.

    Other Googling shows people with the same issue, which was resolved by putting a 2008 server on the domain, promoting it, and then the 2012 box will promote from there. I am hoping to avoid this scenario.

    Any help much appreciated.

  3. #2
    I would test whether you can run WMI queries on the DC from a workstation and then from the new server. It may just be a credentials problem connecting to the DC.

    cheers, Paul

  4. #3
    Paul, I like to think I know what I'm doing most of the time but can you lend a brother a hand and give me a little more detail on running a WMI query, as you suggest? My googling the same only confused me more.

    At this point I'm ready to build up a 2008 box and do a two-step promo.

    Thanks,
    --jjb

  5. #4
    You can run queries directly from the Command Prompt. Type: WMIC
    This site has a good list of examples.
    You need to specify a user with domain admin credentials to test the DC - the "/user" switch as shown here.

    cheers, Paul
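
The remote WMI test suggested in the posts above, as an added example that is not part of the original thread. It uses PowerShell's Get-WmiObject (which also goes over DCOM/RPC) instead of WMIC, run from the server being promoted; server01.corp.local is the DC named in the error in post #1, and the parameter names are assumptions of this sketch.

```powershell
# Added example: separates a network block from an authentication/authorization
# failure when querying WMI on the existing DC.
param(
    # DC name taken from the adprep error in post #1; change as needed.
    [string]$DomainController = 'server01.corp.local',
    # Prompt for a domain admin account (the equivalent of WMIC's /user switch).
    [System.Management.Automation.PSCredential]$Credential = (Get-Credential)
)

# Step 1: DCOM starts at the RPC endpoint mapper, TCP 135.
# If this fails, look at firewall rules before anything else.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($DomainController, 135)
    Write-Output "TCP 135 on $DomainController is reachable"
} catch {
    Write-Output "TCP 135 not reachable: $($_.Exception.Message)"
    return
} finally {
    $tcp.Close()
}

# Step 2: a simple WMI query with explicit credentials.
# -ErrorAction Stop turns failures into exceptions so they can be told apart.
try {
    $os = Get-WmiObject -Class Win32_OperatingSystem `
        -ComputerName $DomainController -Credential $Credential -ErrorAction Stop
    Write-Output "WMI OK: $($os.Caption) (version $($os.Version))"
} catch [System.UnauthorizedAccessException] {
    # 0x80070005: the "Access is denied" variant reported in post #1.
    # The DC was reached but rejected the caller, so this is not a firewall problem.
    Write-Output "Access is denied: the DC rejected the call (authentication or authorization)"
} catch [System.Runtime.InteropServices.COMException] {
    # 0x800706BA is "The RPC server is unavailable", the variant in the quoted article.
    Write-Output ("COM/RPC failure 0x{0:X8}: {1}" -f $_.Exception.ErrorCode, $_.Exception.Message)
} catch {
    Write-Output "Other failure: $($_.Exception.GetType().FullName): $($_.Exception.Message)"
}
```

Running the same script from a workstation and from the new server shows whether the failure is specific to the new server.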

  6. #5
    Just to close this out, I was NOT able to get the 2012 box promoed into the 2003 domain.

    Ended up building a 2008r2 box on an old 760 Optiplex workstation, DCPROMO-ed that box and transferred FSMO roles to the same 2008 box.

    From there I was able to promote the 2012 server and transfer the FSMO roles to it.

    The 2008r2 box was DCPROMO-ed out of the domain and then removed.

    This was a two-step process that I was hoping to avoid but it worked. Building the box, promoting it in and out of the domain, etc., took a shorter amount of time than the hours of troubleshooting I performed (including posting here). Hope this helps someone else out there.

  7. #6
    Sad that you can't do a direct upgrade from 2003 to 2012!

    cheers, Paul

  8. #7
    I created a solution to this precise problem. http://mscheidler.blogspot.com/2013/...r-into_18.html

  9. #8
    Somewhere not too long ago I read something to this effect, that you can't directly promote 2012 in a 2003 domain.

    @mscheidler, nice write-up, but I might suggest rather than upgrade a 2000 domain to 2003, go right to 2008R2. The upgrade process from 2000 to 2008R2 is surprisingly smooth and should then eliminate any issues when promoting a 2012 server.
    Chuck

  10. #9
    @Chuck, I believe the issue here specifically is caused by some sort of WMI corruption/misconfiguration. I watched a YouTube video of someone going from 2003 to 2012 with no issues. Also, when this simply refused to work, something snapped in my brain and it became an imperative task to defeat that bastard server (without "punting").
