Adding server 2012 as DC to server 2003 domain, getting adprep error

    Question

  • The 2012 server joined the domain with no problems.  I added AD role to the 2012 server then when I got to promoting the 2012 server to DC it errored out with: ADPrep execution failed --> System.ComponentModel.Win32Exception (0x80004005): A device attached to the system is not functioning

    I checked the adprep log and found "Error message: Unable to access the computer "server.domain.local". The network path was not found."

    The server name and domain name are correct. I can ping the 2003 server and browse shares on it from the 2012 server.  I am logged into the 2012 server with a domain administrator account - the same one I use on the 2003 server all the time.

    Any thoughts?

    Thursday, February 21, 2013 4:53 PM

Answers

  • Check the Remote Registry service on the 2003 domain controller is configured as follows:

    Startup type: Automatic

    Service Status: Started

    Security context: NT Authority\LocalService    (In Log On tab of remote registry service)

    Then promote the 2012 server again.

    Regards,

    Diana



    Wednesday, February 27, 2013 6:28 AM
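
An added example, not part of the original answer: a PowerShell check, run from the 2012 server, that compares the Remote Registry service on the existing DC with the three settings listed above and then attempts a real remote registry open. The function name is hypothetical and `server.domain.local` is the placeholder name used in the thread; the WMI values `Auto` and `Running` correspond to "Automatic" and "Started" in the Services console.

```powershell
# Added example (not from the thread). Audits the Remote Registry service on an
# existing DC against the settings given in the answer, then tests remote access.
function Test-RemoteRegistryConfig {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$ComputerName   # e.g. the thread's placeholder 'server.domain.local'
    )

    # Query over WMI/DCOM so the check does not depend on WinRM on the 2003 server.
    $svc = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName `
               -Filter "Name='RemoteRegistry'" -ErrorAction Stop
    if (-not $svc) { throw "RemoteRegistry service not found on $ComputerName" }

    # Settings from the answer, expressed as Win32_Service property values.
    $expected = [ordered]@{
        StartMode = 'Auto'                        # Startup type: Automatic
        State     = 'Running'                     # Service status: Started
        StartName = 'NT AUTHORITY\LocalService'   # Log On tab account
    }

    $results = foreach ($name in $expected.Keys) {
        [pscustomobject]@{
            Check    = $name
            Expected = $expected[$name]
            Actual   = $svc.$name
            Ok       = ($svc.$name -eq $expected[$name])   # -eq is case-insensitive
        }
    }

    # Functional test: open HKLM remotely. With the service stopped this fails
    # with "The network path was not found", the same text seen in the adprep log.
    $reachable = $false
    $detail    = ''
    try {
        $key = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                   [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
        $key.Close()
        $reachable = $true
    } catch {
        $detail = $_.Exception.GetBaseException().Message
    }

    $results += [pscustomobject]@{
        Check    = 'RemoteOpen'
        Expected = 'True'
        Actual   = ("$reachable $detail").Trim()
        Ok       = $reachable
    }
    $results
}

# Usage (run as a domain administrator on the 2012 server):
# Test-RemoteRegistryConfig -ComputerName 'server.domain.local' | Format-Table -AutoSize
```
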

All replies

  • Is your Domain Functional Level at least Windows 2003 mode?

    Did you use the right credentials?

    http://technet.microsoft.com/en-us/library/4fff7ac7-b90f-41d0-8c87-9ffe08dc6c01#BKMK_Creds
    http://technet.microsoft.com/en-us/library/hh472161.aspx#BKMK_PrereqCheck


    ***** This posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, February 21, 2013 8:17 PM
  • I think that adprep works on the previous version, not two versions back.  So, you might have to upgrade your 2003 domain to 2008 before trying to bring in a 2012 DC.  Everything I find on TechNet about running the 2012 adprep talks about running it on 2008 or 2008 R2.

    .:|:.:|:. tim

    Thursday, February 21, 2013 9:55 PM
  • Yes, it is in 2003 mode.  And as I said the username I am using is the same domain admin account that I use on the 2003 server.
    Thursday, February 21, 2013 11:22 PM
  • I've seen several posts about doing what I am doing - even a video on youtube showing it in action - https://www.youtube.com/watch?v=OG5K6B7hgRU
    Thursday, February 21, 2013 11:24 PM
  • Could you please check the replication status?

    http://www.microsoft.com/en-us/download/details.aspx?id=30005


    ***** This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, February 22, 2013 2:07 PM
  • adprep is still there. It is done automatically, or you can do it manually.

    http://technet.microsoft.com/en-us/library/hh472161.aspx#BKMK_NewAdprep

    DCPROMO is the one that is not there anymore....


    ***** This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, February 22, 2013 2:16 PM
  • Hello,

    Check if the following conditions = true:

    http://support.microsoft.com/kb/2737935?wa=wsignin1.0

    Also, did you prep the AD Schema to ready it for the inclusion of 2012 before attempting to join the domain as a DC?


    Miguel Fra | Falcon IT Services, Miami, FL
    www.falconitservices.com | www.falconits.com | Blog



    Friday, February 22, 2013 2:23 PM
  • Could you please check the replication status?

    http://www.microsoft.com/en-us/download/details.aspx?id=30005


    ***** This posting is provided "AS IS" with no warranties, and confers no rights.

    It says Errors: 0 so I assume everything is ok.

    Friday, February 22, 2013 2:33 PM
  • Also, I ran DCDIAG on the 2003 server.  Here are the results:

    Domain Controller Diagnosis
    
    Performing initial setup:
       * Verifying that the local machine server, is a DC. 
       * Connecting to directory service on server server.
       * Collecting site info.
       * Identifying all servers.
       * Identifying all NC cross-refs.
       * Found 1 DC(s). Testing 1 of them.
       Done gathering initial info.
    
    Doing initial required tests
       
       Testing server: Default-First-Site-Name\server
          Starting test: Connectivity
             * Active Directory LDAP Services Check
             * Active Directory RPC Services Check
             ......................... server passed test Connectivity
    
    Doing primary tests
       
       Testing server: Default-First-Site-Name\server
          Starting test: Replications
             * Replications Check
             * Replication Latency Check
             ......................... server passed test Replications
          Starting test: Topology
             * Configuration Topology Integrity Check
             * Analyzing the connection topology for DC=ForestDnsZones,DC=DOMAIN,DC=local.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             * Analyzing the connection topology for DC=DomainDnsZones,DC=DOMAIN,DC=local.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             * Analyzing the connection topology for CN=Schema,CN=Configuration,DC=DOMAIN,DC=local.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             * Analyzing the connection topology for CN=Configuration,DC=DOMAIN,DC=local.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             * Analyzing the connection topology for DC=DOMAIN,DC=local.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             ......................... server passed test Topology
          Starting test: CutoffServers
             * Configuration Topology Aliveness Check
             * Analyzing the alive system replication topology for DC=ForestDnsZones,DC=DOMAIN,DC=local.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             * Analyzing the alive system replication topology for DC=DomainDnsZones,DC=DOMAIN,DC=local.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             * Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=DOMAIN,DC=local.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             * Analyzing the alive system replication topology for CN=Configuration,DC=DOMAIN,DC=local.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             * Analyzing the alive system replication topology for DC=DOMAIN,DC=local.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             ......................... server passed test CutoffServers
          Starting test: NCSecDesc
             * Security Permissions check for all NC's on DC server.
             * Security Permissions Check for
               DC=ForestDnsZones,DC=DOMAIN,DC=local
                (NDNC,Version 2)
             * Security Permissions Check for
               DC=DomainDnsZones,DC=DOMAIN,DC=local
                (NDNC,Version 2)
             * Security Permissions Check for
               CN=Schema,CN=Configuration,DC=DOMAIN,DC=local
                (Schema,Version 2)
             * Security Permissions Check for
               CN=Configuration,DC=DOMAIN,DC=local
                (Configuration,Version 2)
             * Security Permissions Check for
               DC=DOMAIN,DC=local
                (Domain,Version 2)
             ......................... server passed test NCSecDesc
          Starting test: NetLogons
             * Network Logons Privileges Check
             Verified share \\server\netlogon
             Verified share \\server\sysvol
             ......................... server passed test NetLogons
          Starting test: Advertising
             The DC server is advertising itself as a DC and having a DS.
             The DC server is advertising as an LDAP server
             The DC server is advertising as having a writeable directory
             The DC server is advertising as a Key Distribution Center
             The DC server is advertising as a time server
             The DS server is advertising as a GC.
             ......................... server passed test Advertising
          Starting test: KnowsOfRoleHolders
             Role Schema Owner = CN=NTDS Settings,CN=server,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=local
             Role Domain Owner = CN=NTDS Settings,CN=server,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=local
             Role PDC Owner = CN=NTDS Settings,CN=server,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=local
             Role Rid Owner = CN=NTDS Settings,CN=server,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=local
             Role Infrastructure Update Owner = CN=NTDS Settings,CN=server,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=local
             ......................... server passed test KnowsOfRoleHolders
          Starting test: RidManager
             * Available RID Pool for the Domain is 1600 to 1073741823
             * server.DOMAIN.local is the RID Master
             * DsBind with RID Master was successful
             * rIDAllocationPool is 1100 to 1599
             * rIDPreviousAllocationPool is 1100 to 1599
             * rIDNextRID: 1142
             ......................... server passed test RidManager
          Starting test: MachineAccount
             Checking machine account for DC server on DC server.
             * SPN found :LDAP/server.DOMAIN.local/DOMAIN.local
             * SPN found :LDAP/server.DOMAIN.local
             * SPN found :LDAP/server
             * SPN found :LDAP/server.DOMAIN.local/DOMAIN
             * SPN found :LDAP/dde872f5-762b-4798-9d2f-9f6262d22c27._msdcs.DOMAIN.local
             * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/dde872f5-762b-4798-9d2f-9f6262d22c27/DOMAIN.local
             * SPN found :HOST/server.DOMAIN.local/DOMAIN.local
             * SPN found :HOST/server.DOMAIN.local
             * SPN found :HOST/server
             * SPN found :HOST/server.DOMAIN.local/DOMAIN
             * SPN found :GC/server.DOMAIN.local/DOMAIN.local
             ......................... server passed test MachineAccount
          Starting test: Services
             * Checking Service: Dnscache
             * Checking Service: NtFrs
             * Checking Service: IsmServ
             * Checking Service: kdc
             * Checking Service: SamSs
             * Checking Service: LanmanServer
             * Checking Service: LanmanWorkstation
             * Checking Service: RpcSs
             * Checking Service: w32time
             * Checking Service: NETLOGON
             ......................... server passed test Services
          Starting test: OutboundSecureChannels
             * The Outbound Secure Channels test
             ** Did not run Outbound Secure Channels test
             because /testdomain: was not entered
             ......................... server passed test OutboundSecureChannels
          Starting test: ObjectsReplicated
             server is in domain DC=DOMAIN,DC=local
             Checking for CN=server,OU=Domain Controllers,DC=DOMAIN,DC=local in domain DC=DOMAIN,DC=local on 1 servers
                Object is up-to-date on all servers.
             Checking for CN=NTDS Settings,CN=server,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=local in domain CN=Configuration,DC=DOMAIN,DC=local on 1 servers
                Object is up-to-date on all servers.
             ......................... server passed test ObjectsReplicated
          Starting test: frssysvol
             * The File Replication Service SYSVOL ready test 
             File Replication Service's SYSVOL is ready 
             ......................... server passed test frssysvol
          Starting test: frsevent
             * The File Replication Service Event log test 
             ......................... server passed test frsevent
          Starting test: kccevent
             * The KCC Event log test
             Found no KCC errors in Directory Service Event log in the last 15 minutes.
             ......................... server passed test kccevent
          Starting test: systemlog
             * The System Event log test
             An Error Event occured.  EventID: 0xC0002715
                Time Generated: 02/18/2013   19:53:29
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0xC0002719
                Time Generated: 02/18/2013   20:34:04
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0xC00010E1
                Time Generated: 02/18/2013   20:46:55
                (Event String could not be retrieved)
             ......................... server failed test systemlog
          Starting test: VerifyReplicas
             ......................... server passed test VerifyReplicas
          Starting test: VerifyReferences
             The system object reference (serverReference)
    
             CN=server,OU=Domain Controllers,DC=DOMAIN,DC=local and
    
             backlink on
    
             CN=server,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=local
    
             are correct. 
             The system object reference (frsComputerReferenceBL)
    
             CN=server,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=DOMAIN,DC=local
    
             and backlink on
    
             CN=server,OU=Domain Controllers,DC=DOMAIN,DC=local are
    
             correct. 
             The system object reference (serverReferenceBL)
    
             CN=server,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=DOMAIN,DC=local
    
             and backlink on
    
             CN=NTDS Settings,CN=server,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=local
    
             are correct. 
             ......................... server passed test VerifyReferences
          Starting test: VerifyEnterpriseReferences
             ......................... server passed test VerifyEnterpriseReferences
          Starting test: CheckSecurityError
             * Dr Auth:  Beginning security errors check!
             Found KDC server for domain DOMAIN.local in site Default-First-Site-Name
             Checking machine account for DC server on DC server.
             * SPN found :LDAP/server.DOMAIN.local/DOMAIN.local
             * SPN found :LDAP/server.DOMAIN.local
             * SPN found :LDAP/server
             * SPN found :LDAP/server.DOMAIN.local/DOMAIN
             * SPN found :LDAP/dde872f5-762b-4798-9d2f-9f6262d22c27._msdcs.DOMAIN.local
             * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/dde872f5-762b-4798-9d2f-9f6262d22c27/DOMAIN.local
             * SPN found :HOST/server.DOMAIN.local/DOMAIN.local
             * SPN found :HOST/server.DOMAIN.local
             * SPN found :HOST/server
             * SPN found :HOST/server.DOMAIN.local/DOMAIN
             * SPN found :GC/server.DOMAIN.local/DOMAIN.local
             [server] No security related replication errors were found on this DC!  To target the connection to a specific source DC use /ReplSource:<DC>.
             ......................... server passed test CheckSecurityError
    
    DNS Tests are running and not hung. Please wait a few minutes...
       
       Running partition tests on : ForestDnsZones
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
       
       Running partition tests on : DomainDnsZones
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
       
       Running partition tests on : Schema
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
       
       Running partition tests on : Configuration
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
       
       Running partition tests on : DOMAIN
          Starting test: CrossRefValidation
             ......................... DOMAIN passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... DOMAIN passed test CheckSDRefDom
       
       Running enterprise tests on : DOMAIN.local
          Starting test: Intersite
             Skipping site Default-First-Site-Name, this site is outside the scope
    
             provided by the command line arguments provided. 
             ......................... DOMAIN.local passed test Intersite
          Starting test: FsmoCheck
             GC Name: \\server.DOMAIN.local
             Locator Flags: 0xe00003fd
             PDC Name: \\server.DOMAIN.local
             Locator Flags: 0xe00003fd
             Time Server Name: \\server.DOMAIN.local
             Locator Flags: 0xe00003fd
             Preferred Time Server Name: \\server.DOMAIN.local
             Locator Flags: 0xe00003fd
             KDC Name: \\server.DOMAIN.local
             Locator Flags: 0xe00003fd
             ......................... DOMAIN.local passed test FsmoCheck
          Starting test: DNS
             Test results for domain controllers:
                
                DC: server.DOMAIN.local
                Domain: DOMAIN.local
    
                      
                   TEST: Authentication (Auth)
                      Authentication test: Successfully completed
                      
                   TEST: Basic (Basc)
                       Microsoft(R) Windows(R) Server 2003, Standard Edition (Service Pack level: 2.0) is supported
                      NETLOGON service is running
                      kdc service is running
                      DNSCACHE service is running
                      DNS service is running
                      DC is a DNS server
                      Network adapters information:
                      Adapter [00000008] Marvell Yukon 88E8056 PCI-E Gigabit Ethernet Controller:
                         MAC address is 00:1F:C6:30:CF:63
                         IP address is static
                         IP address: 192.168.1.99
                         DNS servers:
                            127.0.0.1 (server.DOMAIN.local.) [Valid]
                      The A record for this DC was found
                      The SOA record for the Active Directory zone was found
                      The Active Directory zone on this DC/DNS server was found (primary)
                      Root zone on this DC/DNS server was not found
                      
                   TEST: Forwarders/Root hints (Forw)
                      Recursion is enabled
                      Forwarders Information: 
                         8.8.4.4 (<name unavailable>) [Valid] 
                      
                   TEST: Delegations (Del)
                      Delegation information for the zone: DOMAIN.local.
                         Delegated domain name: _msdcs.DOMAIN.local.
                            DNS server: server.DOMAIN.local. IP:192.168.1.99 [Valid] 
                      
                   TEST: Dynamic update (Dyn)
                      Dynamic update is enabled on the zone DOMAIN.local.
                      Test record _dcdiag_test_record added successfully in zone DOMAIN.local.
                      Test record _dcdiag_test_record deleted successfully in zone DOMAIN.local.
                      
                   TEST: Records registration (RReg)
                      Network Adapter [00000008] Marvell Yukon 88E8056 PCI-E Gigabit Ethernet Controller:
                         Matching A record found at DNS server 192.168.1.99:
                         server.DOMAIN.local
    
                         Matching CNAME record found at DNS server 192.168.1.99:
                         dde872f5-762b-4798-9d2f-9f6262d22c27._msdcs.DOMAIN.local
    
                         Matching DC SRV record found at DNS server 192.168.1.99:
                         _ldap._tcp.dc._msdcs.DOMAIN.local
    
                         Matching GC SRV record found at DNS server 192.168.1.99:
                         _ldap._tcp.gc._msdcs.DOMAIN.local
    
                         Matching PDC SRV record found at DNS server 192.168.1.99:
                         _ldap._tcp.pdc._msdcs.DOMAIN.local
    
             
             Summary of test results for DNS servers used by the above domain controllers:
    
                DNS server: 192.168.1.99 (server.DOMAIN.local.)
                   All tests passed on this DNS server
                   This is a valid DNS server 
                   Name resolution is funtional. _ldap._tcp SRV record for the forest root domain is registered 
                   Delegation to the domain _msdcs.DOMAIN.local. is operational
                   
                DNS server: 8.8.4.4 (<name unavailable>)
                   All tests passed on this DNS server
                   This is a valid DNS server 
                   
             Summary of DNS test results:
             
                                                Auth Basc Forw Del  Dyn  RReg Ext  
                   ________________________________________________________________
                Domain: DOMAIN.local
                   server                   PASS PASS PASS PASS PASS PASS n/a  
             
             ......................... DOMAIN.local passed test DNS
    

    Friday, February 22, 2013 2:51 PM
  • Hello,

    Check if the following conditions = true:

    http://support.microsoft.com/kb/2737935?wa=wsignin1.0

    Also, did you prep the AD Schema to ready it for the inclusion of 2012 before attempting to join the domain as a DC?


    Miguel Fra | Falcon IT Services, Miami, FL
    www.falconitservices.com | www.falconits.com | Blog



    That link says there will be errors in the Directory Services event log on the 2012 server.  There are none.

    I'm not sure what you mean about prep work.  I did, on the 2003 server, promote to 2003 mode.

    Friday, February 22, 2013 2:55 PM
  • Can you check your schema version?

    dsquery * "cn=schema,cn=configuration,dc=domainname,dc=local" -scope base -attr objectVersion

    13 -> Windows 2000 Server
    30 -> Windows Server 2003 RTM, SP1 & SP2
    31 -> Windows Server 2003 R2
    44 -> Windows Server 2008 RTM
    47 -> Windows Server 2008 R2
    56 -> Windows Server 2012 RTM

    Can you ping the 2k3 DC from the 2012 by its long name?


    ***** This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, February 22, 2013 3:02 PM
  • Look at the steps to prep AD for Server 2008, adjust it to Server 2012 by using the 2012 DVD.

    http://technet.microsoft.com/en-us/library/cc753437(v=ws.10).aspx

    I am not 100% sure about this because I have not personally done it and 2012 does not use adprep but the DVD must contain some schema update, if not try as Tim suggested and prep it to 2008R2 if you have a 2008 R2 DVD.

    The post I mentioned does relate to you because if you use 'administrator' instead of 'domain\administrator' it may use the local account on the server 2012 instead of the domain account and you have mismatched SIDs. This may produce an error like yours when joining.

    http://www.petri.co.il/forums/showthread.php?t=61924


    Miguel Fra | Falcon IT Services, Miami, FL
    www.falconitservices.com | www.falconits.com | Blog

    Friday, February 22, 2013 3:16 PM
  • Can you check your schema version?

    dsquery * "cn=schema,cn=configuration,dc=domainname,dc=local" -scope base -attr objectVersion

    13 -> Windows 2000 Server
    30 -> Windows Server 2003 RTM, SP1 & SP2
    31 -> Windows Server 2003 R2
    44 -> Windows Server 2008 RTM
    47 -> Windows Server 2008 R2
    56 -> Windows Server 2012 RTM

    Can you ping the 2k3 DC from the 2012 by its long name?


    ***** This posting is provided "AS IS" with no warranties, and confers no rights.

    It came back with ObjectVersion 56 - that's correct, right?

    I have no trouble pinging or opening shares on the 2k3 server from the 2012 server either by name (\\server) or by IP.

    Friday, February 22, 2013 3:32 PM
  • Look at the steps to prep AD for Server 2008, adjust it to Server 2012 by using the 2012 DVD.

    http://technet.microsoft.com/en-us/library/cc753437(v=ws.10).aspx

    I am not 100% sure about this because I have not personally done it and 2012 does not use adprep but the DVD must contain some schema update, if not try as Tim suggested and prep it to 2008R2 if you have a 2008 R2 DVD.

    The post I mentioned does relate to you because if you use 'administrator' instead of 'domain\administrator' it may use the local account on the server 2012 instead of the domain account and you have mismatched SIDs. This may produce an error like yours when joining.

    http://www.petri.co.il/forums/showthread.php?t=61924


    Miguel Fra | Falcon IT Services, Miami, FL
    www.falconitservices.com | www.falconits.com | Blog

    The files on the 2012 DVD will not run on my 2003 server because they are all 64 bit.  I do not have a 2008 server DVD.

    I did not mean to say that the link you provided was bad - just that the errors it shows are not present so my issue must be at least a little different.  I am logging in with domain\administrator.  A mismatch of SIDs / permissions certainly makes sense, but I don't see where it would be coming from.  Is there any other way to test that I am logging in with an account that matches on both machines?

    Friday, February 22, 2013 3:37 PM
  • Can you check your schema version?

    dsquery * "cn=schema,cn=configuration,dc=domainname,dc=local" -scope base -attr objectVersion

    13 -> Windows 2000 Server
    30 -> Windows Server 2003 RTM, SP1 & SP2
    31 -> Windows Server 2003 R2
    44 -> Windows Server 2008 RTM
    47 -> Windows Server 2008 R2
    56 -> Windows Server 2012 RTM

    Can you ping the 2k3 DC from the 2012 by its long name?


    ***** This posting is provided "AS IS" with no warranties, and confers no rights.

    It came back with ObjectVersion 56 - that's correct, right?

    I have no trouble pinging or opening shares on the 2k3 server from the 2012 server either by name (\\server) or by IP.

    Yes.

    What about the long name server.yourdomain.local? So, the DC role failed to install and the server (2012) is still a member server? And I really do not think you have to be on a 2008 R2 level to bring in that 2012 DC. Per MS documentation you have to be on 2003 level, which you are. Have you tried rebooting the 2003 and 2012 servers and trying again?


    ***** This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, February 22, 2013 3:43 PM
  • The schema appears to be OK. Try following the removal instructions below, then use the recommended guidelines to promote the server:

    This issue occurs for one or more of the following reasons. Were any of these two conditions TRUE when you attempted the first promotion?
    • The server's built-in Administrator account has the same password as the built-in domain Administrator account.
    • The NetBIOS domain prefix or UPN were not provided as credentials for installation. Instead, only the user name "Administrator" was provided.

    .

    .

    To resolve this issue, follow these steps:
    1. Restart the server on which Active Directory could not be installed.
    2. Use Dsa.msc or Dsac.exe on an existing domain controller to delete the failed server's computer account. (The domain controller will not yet be a domain controller object but only a member server.) Then, let Active Directory replication converge.
    3. On the failed server, forcibly remove the server from the domain by using the System Properties Control Panel item or netdom.exe.
    4. On the failed server, remove the Active Directory Domain Services (AD DS) role by using Server Manager or Uninstall-WindowsFeature.
    5. Restart the failed server.
    6. Install the AD DS role, and then try the promotion again. When you do this, make sure that you provide promotion credentials in the form "domain\user" or "user@domain.tld."

    This is a code defect in Windows Server 2012.

    If you set different passwords on the two Administrator accounts but do not provide the domain, you receive a bad password error.

    We do not recommend that you use the built-in Administrator for domain administration. Instead, we recommend that you create a new domain user for each administrator in the environment. Then, the actions of administrators can be audited individually.

    We strongly discourage you from using matching Administrator passwords on member servers and the domain Administrator account. Local passwords are more easily compromised than AD DS accounts, and knowledge of the matching Administrator passwords grants full enterprise administrative access.

    Also, check Tony's suggestion to make sure the FQDN resolves and check the IP address it resolves to as being the correct IP of the PDC.


    Miguel Fra | Falcon IT Services, Miami, FL
    www.falconitservices.com | www.falconits.com | Blog



    Friday, February 22, 2013 3:51 PM
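
An added example, not part of the original post: a guard for step 6 that refuses a bare user name such as "Administrator" and only then runs the promotion prerequisite check with `Test-ADDSDomainControllerInstallation` from the ADDSDeployment module on Windows Server 2012. The function name `Test-PromotionCredentialForm` is hypothetical and `domain.local` is a placeholder for the real domain.

```powershell
# Added example (not from the thread). Enforces the "domain\user" or
# "user@domain.tld" credential form before any promotion attempt.
function Test-PromotionCredentialForm {
    param(
        [Parameter(Mandatory = $true)]
        [string]$UserName
    )
    $downLevel = '^[^\\@\s]+\\[^\\@\s]+$'          # DOMAIN\user
    $upn       = '^[^\\@\s]+@[^\\@\s]+\.[^\\@\s]+$' # user@domain.tld
    return (($UserName -match $downLevel) -or ($UserName -match $upn))
}

# Constructed sample inputs: only the qualified forms are accepted.
foreach ($name in 'Administrator', 'DOMAIN\dcadmin', 'dcadmin@domain.local') {
    '{0,-22} -> {1}' -f $name, (Test-PromotionCredentialForm -UserName $name)
}

function Invoke-PromotionPrecheck {
    param(
        [Parameter(Mandatory = $true)]
        [string]$DomainName     # placeholder: 'domain.local'
    )
    $cred = Get-Credential -Message 'Domain admin as DOMAIN\user or user@domain.tld'
    if (-not (Test-PromotionCredentialForm -UserName $cred.UserName)) {
        throw "Refusing unqualified user name '$($cred.UserName)': it may resolve to the local account."
    }

    Import-Module ADDSDeployment
    $dsrm = Read-Host -AsSecureString -Prompt 'Safe mode (DSRM) password'

    # Runs the prerequisite checks only; it does not promote the server.
    Test-ADDSDomainControllerInstallation -DomainName $DomainName `
        -Credential $cred -SafeModeAdministratorPassword $dsrm
}

# Usage on the 2012 member server after steps 1-5:
# Invoke-PromotionPrecheck -DomainName 'domain.local'
```
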
  • What about the long name server.yourdomain.local? So, the DC role failed to install and the server (2012) is still a member server? And I really do not think you have to be on a 2008 R2 level to bring in that 2012 DC. Per MS documentation you have to be on 2003 level, which you are. Have you tried rebooting the 2003 and 2012 servers and trying again?


    ***** This posting is provided "AS IS" with no warranties, and confers no rights.

    Yes, long name works as well.  Yes, the 2012 server joined the domain with no problem and is still a member of the domain.

    Yes, I have rebooted both machines on several occasions.  Someone else had suggested an IP address change on the 2013 DNS setting (it was at 127.0.0.1 and they suggested changing it to the actual IP of the machine) and I tried that about 30 minutes ago.  It required a reboot.  Same error.

    Friday, February 22, 2013 4:09 PM
  • The schema appears to be OK. Try following the removal instructions below, then use the recommended guidelines to promote the server:

    This issue occurs for one or more of the following reasons. Were any of these two conditions TRUE when you attempted the first promotion?
    • The server's built-in Administrator account has the same password as the built-in domain Administrator account.
    • The NetBIOS domain prefix or UPN were not provided as credentials for installation. Instead, only the user name "Administrator" was provided.

    To resolve this issue, follow these steps:
    1. Restart the server on which Active Directory could not be installed.
    2. Use Dsa.msc or Dsac.exe on an existing domain controller to delete the failed server's computer account. (The domain controller will not yet be a domain controller object but only a member server.) Then, let Active Directory replication converge.
    3. On the failed server, forcibly remove the server from the domain by using the System Properties Control Panel item or netdom.exe.
    4. On the failed server, remove the Active Directory Domain Services (AD DS) role by using Server Manager or Uninstall-WindowsFeature.
    5. Restart the failed server.
    6. Install the AD DS role, and then try the promotion again. When you do this, make sure that you provide promotion credentials in the form "domain\user" or "user@domain.tld."

    This is a code defect in Windows Server 2012.

    If you set different passwords on the two Administrator accounts but do not provide the domain, you receive a bad password error.

    We do not recommend that you use the built-in Administrator for domain administration. Instead, we recommend that you create a new domain user for each administrator in the environment. Then, the actions of administrators can be audited individually.

    We strongly discourage you from using matching Administrator passwords on member servers and the domain Administrator account. Local passwords are more easily compromised than AD DS accounts, and knowledge of the matching Administrator passwords grants full enterprise administrative access.

    Also, check Tony's suggestion to make sure the FQDN resolves and check the IP address it resolves to as being the correct IP of the PDC.


    Miguel Fra | Falcon IT Services, Miami, FL
    www.falconitservices.com | www.falconits.com | Blog



    I won't be able to reboot the 2012 server until tonight as it is being used.

    Yes, the administrator account is the same as the domain administrator account.  I will create a new domain admin account and use it moving forward.

    I realize that using the same admin account on different servers is bad, but in this case the 2012 machine is replacing the 2003 machine so it won't be true for long.

    Friday, February 22, 2013 4:15 PM
  • Add the IP of your active DNS server only, then purge the DNS resolver on the 2012 server and renew the DNS client registration.

    ipconfig /flushdns and ipconfig /registerdns

    Are you logged in as the domain admin? Can you log in with an Enterprise admin account and try that?



    Friday, February 22, 2013 4:16 PM
  • The 2012's DNS settings should have been pointing to the 2003 PDC unless you had installed DNS on the 2012 before running the ADDS and there was a copy of the local zone in the 2012's DNS. It may have found the domain using NetBIOS but was unable to resolve using DNS.

    I would recommend joining the domain using the PDC's DNS server then change the DNS to the loopback IP after the promotion has succeeded.

    At this point, you may have to do metadata cleanup and start over.


    Miguel Fra | Falcon IT Services, Miami, FL
    www.falconitservices.com | www.falconits.com | Blog



    Friday, February 22, 2013 4:17 PM
  • The 2012 server was always pointed to the 2003 server for DNS.  The change I mentioned was on the 2003 server only.
    Friday, February 22, 2013 4:33 PM
  • No luck.  Had no problem following your steps - everything went fine, no errors.  At step 6 I tried to promote, using domain\user for credentials, and got the exact same error as before.
    Saturday, February 23, 2013 2:06 PM
  • The account I've been using is an Enterprise and Domain admin.
    Saturday, February 23, 2013 2:10 PM
  • Any other ideas on things to try?
    Tuesday, February 26, 2013 5:23 PM
  • Check the Remote Registry service on the 2003 domain controller is configured as follows:

    Startup type: Automatic

    Service Status: Started

    Security context: NT Authority\LocalService    (In Log On tab of remote registry service)

    Then promote the 2012 server again.

    Regards,

    Diana



    Wednesday, February 27, 2013 6:28 AM
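
The checks from the answer above (Remote Registry startup type, status and logon account), together with the FQDN resolution check suggested earlier in the thread, as an added PowerShell example that is not part of the original thread. It is meant to be run from the 2012 member server; `server.domain.local` is the placeholder name from the question and `Test-RemoteRegistryPrereq` is a hypothetical helper name.

```powershell
# Added example: pre-promotion checks against the existing 2003 DC.
# 'server.domain.local' is the placeholder name used in the question.
param([string]$DcFqdn = 'server.domain.local')

function Test-RemoteRegistryPrereq {
    param([Parameter(Mandatory)][string]$ComputerName)

    $result = [ordered]@{
        Computer = $ComputerName; Addresses = $null; StartMode = $null
        State = $null; LogOnAs = $null; RemoteOpen = $false; Problems = @()
    }

    # 1. The FQDN must resolve; compare the addresses with the DC's real IP.
    try {
        $result.Addresses = ([System.Net.Dns]::GetHostAddresses($ComputerName) |
            ForEach-Object { $_.IPAddressToString }) -join ', '
    } catch {
        $result.Problems += "DNS: $($_.Exception.Message)"
    }

    # 2. Service settings, read over DCOM/WMI (works against Server 2003).
    try {
        $svc = Get-WmiObject Win32_Service -ComputerName $ComputerName -Filter "Name='RemoteRegistry'" -ErrorAction Stop
        $result.StartMode = $svc.StartMode   # expected: Auto
        $result.State     = $svc.State       # expected: Running
        $result.LogOnAs   = $svc.StartName   # expected: NT AUTHORITY\LocalService
        if ($svc.StartMode -ne 'Auto') { $result.Problems += "Startup type is $($svc.StartMode)" }
        if ($svc.State -ne 'Running')  { $result.Problems += "Service is $($svc.State)" }
        if ($svc.StartName -notmatch '^NT AUTHORITY\\LocalService$') {
            $result.Problems += "Logs on as $($svc.StartName)"
        }
    } catch {
        $result.Problems += "WMI: $($_.Exception.Message)"
    }

    # 3. Open HKLM remotely to confirm the service accepts a connection.
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
        $result.RemoteOpen = $true
        $hklm.Close()
    } catch {
        $result.Problems += "Remote registry: $($_.Exception.Message)"
    }

    [pscustomobject]$result
}

Test-RemoteRegistryPrereq -ComputerName $DcFqdn | Format-List
```

An empty `Problems` list with `RemoteOpen` set to `True` means the three settings match the answer and the remote registry connection succeeded.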
  • It was disabled.  I can't reboot until tonight, but I'll be back to update this.
    Wednesday, February 27, 2013 12:44 PM
  • Had a chance to kick everyone out.

    That was it!

    THANK YOU!

    Wednesday, February 27, 2013 12:51 PM
  • Hello, I am having the same issue. I have tried the above method but am still getting the same result.

    OLAYEMI EFUNTOYE

    Friday, June 28, 2013 3:09 PM
  • Worked for me too, same problem. THANKS!!!!
    Tuesday, July 16, 2013 6:59 PM
  • THANKS DIANA!!!! WORKED FOR ME TOO *-*
    Friday, July 26, 2013 3:24 PM
  • Worked for me.

    The main issue was that my client configuration was not correct (AD, DNS).

    I fixed everything, and later when I tried to get it working I received the error from W2K12.

    I believe that Remote Registry is disabled by default after a Windows update fix.

    Anyway, thanks a lot Diana

    ;)

    Wednesday, August 28, 2013 1:42 AM
  • Thank you Diana Zhang, your post solved my problem.

    Thank you very much!

    Tuesday, September 24, 2013 7:05 PM
  • Hi, I have the same problem and I checked that the Remote Registry service on my 2003 DC is started. I tried to connect to it with "regedit" from another computer, then I got this error:

    Cannot open HKEY_LOCAL_MACHINE

    Cannot open the security token because of some mistake

    detail information: access denied

    I am operating with a domain administrator account. What could be the problem?

    Wednesday, September 25, 2013 2:02 AM
  • Solved according to this article.

    The local service account has no permission to access a registry key.

    Wednesday, September 25, 2013 2:25 AM
  • I had the same issue but the remote registry service was running on the 2003 DC.

    My issue was solved by disabling one of the 2 NIC cards (which was actually a teamed pair of NICs) on the 2012 server before the promotion to DC.

    I may have missed this in earlier posts but thought I'd add it just in case as it's a pretty frustrating problem!

    Thursday, February 06, 2014 11:52 AM
  • Try adprep from a console session!

    Not via RDP!

    Friday, February 07, 2014 1:32 PM
  • Worked for me. Thanks!

    John

    Monday, March 03, 2014 7:41 PM