Adding a child domain process hangs at Replicating the Schema Directory Partition

    Question

  • Hello everyone,

    For practice purposes and exam preparation I have my own virtual private network set up on a PowerEdge R905 machine (which is a beast). I have two networks and Windows Server 2008 R2 in a DMZ zone set up as a router to route traffic between my two networks. My two networks are 192.168.10.0 and 192.168.20.0. The 10 network has its own Active Directory setup; now on my 20 network I am trying to deploy a child domain. During the process everything goes just fine, BUT the process of promoting the domain gets stuck on Replicating The Schema Directory Partition. Can anyone tell me what the issue might be? I tried everything that I could think of, such as:

    Made sure the 20 network server is pointed to the DNS on the 10 network server.

    You can ping the IP address and the FQDN of the 10 network from the 20 network.

    I made sure all firewalls are disabled on both networks.

    On my 10 network I have created sites and assigned the right subnets for each site.

    So please, any hint and explanation is greatly appreciated.

    Thursday, December 12, 2013 3:35 PM

Answers

All replies

  • If firewalls are disabled between the 2 subnets then make sure that all of the ports below are open:

    Client Port(s)               Server Port          Service
    49152-65535/UDP              123/UDP              W32Time
    49152-65535/TCP              135/TCP              RPC Endpoint Mapper
    49152-65535/TCP              464/TCP/UDP          Kerberos password change
    49152-65535/TCP              49152-65535/TCP      RPC for LSA, SAM, Netlogon (*)
    49152-65535/TCP/UDP          389/TCP/UDP          LDAP
    49152-65535/TCP              636/TCP              LDAP SSL
    49152-65535/TCP              3268/TCP             LDAP GC
    49152-65535/TCP              3269/TCP             LDAP GC SSL
    53, 49152-65535/TCP/UDP      53/TCP/UDP           DNS
    49152-65535/TCP              49152-65535/TCP      FRS RPC (*)
    49152-65535/TCP/UDP          88/TCP/UDP           Kerberos
    49152-65535/TCP/UDP          445/TCP              SMB
    49152-65535/TCP              49152-65535/TCP      DFSR RPC (*)

    Then make sure that the other subnet is across route not across NAT to avoid a lot of additional configurations.

    Regards,

    Housam Smadi

    Thursday, December 12, 2013 4:31 PM
  • The next server is across route. As I mentioned, I have Windows Server 2008 R2 set up as a router by installing the Network Policy and Access Services role and configured RIP as the routing protocol. You can ping just fine across both networks.

    How can I make sure the above ports you mentioned are open?

    Thursday, December 12, 2013 5:10 PM
  • Use telnet ip port to check the open ports.

    Regards,

    Thursday, December 12, 2013 5:20 PM
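The port table and the "telnet ip port" advice above can be scripted from the prospective child DC. This is an added example, not code from the thread; like telnet it probes TCP only (the UDP ports for Kerberos, NTP, DNS and LDAP cannot be checked this way), and $ParentDc and $ParentDomain are assumed placeholders. It uses .NET sockets rather than Test-NetConnection so it also runs on the 2008 R2 PowerShell 2.0 in the question.

```powershell
# Added example: check the fixed TCP ports a new DC needs on the parent DC,
# then confirm the DC locator SRV record resolves. Placeholders are assumptions.
param(
    [string]$ParentDc     = "192.168.10.10",   # assumed: IP or FQDN of parent DC
    [string]$ParentDomain = "corp.example",    # assumed: parent domain DNS name
    [int]$TimeoutMs       = 2000
)

# Fixed server-side TCP ports from the table above. The dynamic RPC range
# (49152-65535) has no fixed endpoint to probe; see the note after the block.
$ports = @(
    @{ Port = 135;  Service = "RPC Endpoint Mapper" },
    @{ Port = 389;  Service = "LDAP" },
    @{ Port = 636;  Service = "LDAP SSL" },
    @{ Port = 3268; Service = "LDAP GC" },
    @{ Port = 3269; Service = "LDAP GC SSL" },
    @{ Port = 88;   Service = "Kerberos" },
    @{ Port = 464;  Service = "Kerberos password change" },
    @{ Port = 445;  Service = "SMB" },
    @{ Port = 53;   Service = "DNS" }
)

# Attempt a TCP connect with a timeout; refused or filtered both count as closed.
function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($p in $ports) {
    $ok = Test-TcpPort -Computer $ParentDc -Port $p.Port -TimeoutMs $TimeoutMs
    $state = if ($ok) { "open" } else { "BLOCKED/closed" }
    "{0,-26} {1,5}/TCP  {2}" -f $p.Service, $p.Port, $state
}

# DC locator check: dcpromo finds the parent's DCs through this SRV record,
# so the query is sent to the parent DC's DNS that the new server points at.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$ParentDomain" $ParentDc
```

For the dynamic RPC range, Microsoft's PortQry tool can list the live endpoints the mapper hands out (portqry -n <parent DC> -e 135) so one of them can be probed the same way.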
  • Checked everything and still no luck
    Thursday, December 12, 2013 8:04 PM
  • Silly question, but these servers aren't clones of one another are they?  If you're using a Virtual Machine template and you don't sysprep generalize it, you'll have all kinds of strange problems.
    Thursday, December 12, 2013 8:27 PM
  • No, they are not clones. They are virtual machines, but they are built from scratch.
    Thursday, December 12, 2013 8:38 PM
  • Hi Riaz Ansary,

    Thanks for your posting.

    For further troubleshooting, I recommend you check %windir%\debug\dcpromo.log for any errors.

    In addition, there are some similar threads that have been solved which may be helpful for you:

    Windows server 2012 “replicating the Schema directory partition” for 12 hours +, whats going on?

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/c3cb3b90-9fca-45d7-a99a-9f3815ca28af/windows-server-2012-replicating-the-schema-directory-partition-for-12-hours-whats-going-on?forum=winserverDS

    Active directory domain services could not replicate the directory partition cn schema cn configuration:

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/4d05d697-5021-472f-81bc-83fde9231a9b/active-directory-domain-services-could-not-replicate-the-directory-partition-cn-schema-cn?forum=winserverDS

    I hope this helps.



    Monday, December 16, 2013 3:20 AM
    Moderator
  • Try to make sure you join the parent domain before promoting the server as a child domain controller. But just in case you are already mid way...
    1. Cancel DCpromo
    2. Bring back the server as WGrp.
    3. Remove the AD DS role
    4. Verify that the server is not registered in AD Sites in parent DC.
    5. Restart the box(s)
    6. Join to the parent domain
    7. Install AD & then run dcpromo to promote the server as child DC

    yup

    • Proposed as answer by CasperAUS Thursday, August 04, 2016 8:58 AM
    Friday, December 12, 2014 7:41 AM
  • I just had these exact symptoms in a 2012 R2 test lab, adding a new child domain and DC on a separate VLAN/subnet. I didn't want to join it to the domain first because that seems unnecessary; in fact, if you do join it, one of the first things the dcpromo process does is remove it from the domain. That did solve my problem, however.

    Wiresharking it, there were no real obvious clues (ports blocked or anything), but I finally followed up on the repeated broadcast queries for a workgroup with the NetBIOS name of my primary domain (JOE). There was no machine on the new VLAN/subnet that was using that NetBIOS name yet, so no Computer Browser service responded to it.

    My resolution was to install WINS on the primary DC, have it register with itself, add that IP as a WINS server on the new child DC, confirm that they both added records for their computer names and workgroup/domain NetBIOS names to the WINS database, and the dcpromo was immediately successful.

    I probably could have moved the new DC temporarily over to the same VLAN/subnet as my other DCs, or found some other way for the Computer Browser service to resolve the primary domain NetBIOS name. I did make a stab at it with LMHOSTS but was unsuccessful.

    This NETBIOS domain name resolution requirement should be added to the dcpromo process and prerequisites check.

    Saturday, September 10, 2016 10:30 PM
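The reply above resolved the cross-subnet NetBIOS lookup with WINS and reports that an LMHOSTS attempt did not work out. As an added example (not from the thread), this is the documented LMHOSTS entry form for pointing a machine on another subnet at a domain controller, followed by the nbtstat commands that show whether the domain name is actually in the NetBIOS cache. 192.168.10.10 and DC1 are assumed placeholders for the parent DC; JOE is the NetBIOS domain name from the reply.

```powershell
# Added example: preload the parent domain's NetBIOS name on the new DC via
# LMHOSTS and verify the cache. Run in an elevated PowerShell on the new server.
# 192.168.10.10 / DC1 are assumed placeholders for the parent DC's IP and name.
$lmhosts = Join-Path $env:SystemRoot "System32\drivers\etc\lmhosts"

# #PRE loads the entry into the NetBIOS name cache at startup / on reload;
# #DOM:JOE marks the host as a domain controller for JOE, which is what a
# domain (<1C>) lookup needs when no browser on the subnet can answer it.
# Fields are tab separated, and the #DOM tag must use the NetBIOS domain name.
$entry = "192.168.10.10`tDC1`t#PRE`t#DOM:JOE"
Add-Content -Path $lmhosts -Value $entry -Encoding Ascii

nbtstat -R   # purge the cache and reload the #PRE entries from LMHOSTS
nbtstat -c   # DC1 and JOE <1C> should now be listed as preloaded entries
```

"Enable LMHOSTS lookup" on the adapter's WINS tab must be on (it is by default) for the file to be consulted at all.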