Tuesday, August 2, 2016

Promote Windows Server 2016 to domain controller in Server 2008 R2 Active Directory



I have now spent over five hours trying to solve a failure during the process of promoting a freshly installed Windows Server 2016 Standard server to a domain controller in our Server 2008 R2 level network.



Here is the problem: if I try to add the 2016 server as a domain controller and choose to replicate from DC2 (which holds all FSMO roles), it prompts the following failure message when I choose DC2:





Error determining whether the target environment require adprep:
Validation error Validation error: Unable to make an LDAP connection to server DC2.company.lan
Exception: The specified server cannot perform the requested operation
Details: Test.VerifyForestUpgradeStatus.ADPrep.Win32Exception.-2147467259




[Screenshot: failure message for DC2]




If I choose DC1:




Error determining whether the target environment require adprep:
Validation error Validation error: Unable to check forest upgrade status for server DC1.company.lan
Exception: The specified server cannot perform the requested operation
Details: Test.VerifyForestUpgradeStatus.ADPrep.Win32Exception.-2147467259




[Screenshot: failure message for DC1]




During my research on the web - I have to confess I am an advanced beginner in Windows network administration and may be missing some basic knowledge - I found a similar topic on serverfault:
Fix error determining whether the target environment requires adprep in windows server 2012, during domain controller promotion
But I have checked that, and DC2 is the schema master.



My second approach was that I was missing admin privileges, because I was only a domain administrator. So I wrote to our main administrator asking him to make my account a schema administrator. He has done that. But I still get these failure messages... they are the same. I even tried a restart, but nothing changed. Unfortunately our main administrator has no further idea either...



What ideas do you have? Am I missing something essential like the schema administration privileges?



By the way, it is confusing that the DC2 failure message is about LDAP, but we don't knowingly use LDAP in our network... or is it part of Active Directory? (I thought it used Kerberos or something like that for authentication...)




FSMO (netdom query fsmo)
Schema-Master: DC2.company.lan
Domain-Master: DC2.company.lan
PDC: DC2.company.lan
RID-Pool-Manager: DC2.company.lan
Infrastrukturmaster: DC2.company.lan


Answer



Active Directory uses LDAP. You should start by verifying that you can reach the existing domain controllers from the new server and that nothing, including firewalls on the existing dc's, is blocking the ports used by LDAP/AD.
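One way to carry out the check the answer describes, written here as an added example and not part of the answer or the original post: a PowerShell script run on the new Windows Server 2016 machine that tests the TCP ports a replication partner must expose on each existing DC, then attempts an actual LDAP bind to RootDSE and reads the forest schema version, and finally lists the FSMO role holders for comparison with the netdom output above. The DC names come from the question; the port list is the standard Active Directory set, and the last two commands assume the ActiveDirectory PowerShell module (installed with the AD DS role or RSAT) is present.

```powershell
# Added diagnostic (example code, not from the original post). Run from the
# new Server 2016 machine before retrying the promotion.
$DomainControllers = @('DC1.company.lan', 'DC2.company.lan')   # names from the question

# Service => TCP port. LDAP (389/636) and Global Catalog (3268/3269) are what the
# "Unable to make an LDAP connection" message refers to; the others are needed
# for DC promotion and replication (DNS, Kerberos, RPC endpoint mapper, SMB).
$Ports = [ordered]@{
    'DNS'                = 53
    'Kerberos'           = 88
    'RPC endpoint map'   = 135
    'LDAP'               = 389
    'SMB'                = 445
    'LDAPS'              = 636
    'Global Catalog'     = 3268
    'Global Catalog SSL' = 3269
}

function Test-DcPorts {
    # Returns one row per port: Open = $true means the TCP handshake completed,
    # i.e. no firewall between this host and the DC is dropping that port.
    param([string]$Server)
    foreach ($entry in $Ports.GetEnumerator()) {
        $r = Test-NetConnection -ComputerName $Server -Port $entry.Value -WarningAction SilentlyContinue
        [pscustomobject]@{
            Server  = $Server
            Service = $entry.Key
            Port    = $entry.Value
            Open    = $r.TcpTestSucceeded
        }
    }
}

function Test-LdapBind {
    # A bind against RootDSE succeeds only if 389 is reachable AND the DC answers
    # LDAP for the current account. Reading objectVersion on the schema container
    # shows the forest schema level (47 = Windows Server 2008 R2, 87 = 2016).
    param([string]$Server)
    try {
        $root     = [ADSI]"LDAP://$Server/RootDSE"
        $schemaNc = $root.schemaNamingContext.Value      # property access forces the bind
        $schema   = [ADSI]"LDAP://$Server/$schemaNc"
        [pscustomobject]@{
            Server        = $Server
            LdapBind      = $true
            SchemaVersion = [int]$schema.objectVersion.Value
            Error         = $null
        }
    } catch {
        [pscustomobject]@{
            Server        = $Server
            LdapBind      = $false
            SchemaVersion = $null
            Error         = $_.Exception.Message
        }
    }
}

foreach ($dc in $DomainControllers) {
    Test-DcPorts  -Server $dc | Format-Table -AutoSize
    Test-LdapBind -Server $dc | Format-List
}

# FSMO role holders as Active Directory itself reports them, to compare with
# the "netdom query fsmo" listing in the question. Requires the ActiveDirectory module.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
```

If every port shows Open = True but the LDAP bind still fails, the problem is on the DC side (the LDAP service or the account's rights) rather than the network path; if ports are closed, the Windows Firewall profile on the existing DCs is the first place to look.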

