Promote Windows Server 2016 to domain controller in Server 2008 R2 Active Directory

I have now spent over five hours trying to solve a failure during the process of promoting a freshly installed Windows Server 2016 Standard server to a domain controller in our Server 2008 R2 level network.

Here is the problem: if I try to add the 2016 server as a domain controller and choose to replicate from DC2 (which has all FSMO roles), it prompts the following failure message when I choose DC2:

Error determining whether the target environment require adprep:
Validation error Validation error: Unable to make an LDAP connection to server DC2.company.lan
Exception: The specified server cannot perform the requested operation
Details: Test.VerifyForestUpgradeStatus.ADPrep.Win32Exception.-2147467259

Screenshot Failure Message DC2

If I choose DC1:

Error determining whether the target environment require adprep:
Validation error Validation error: Unable to check forest upgrade status for server DC1.company.lan
Exception: The specified server cannot perform the requested operation
Details: Test.VerifyForestUpgradeStatus.ADPrep.Win32Exception.-2147467259

Screenshot Failure Message DC1

During my research on the web (I have to confess I am an advanced beginner in Windows network administration and may be missing some basic knowledge) I found a similar topic on Server Fault: "Fix error determining whether the target environment requires adprep in windows server 2012, during domain controller promotion". But I have checked that, and DC2 is the schema master.

My second approach was that I was missing admin privileges, because I was only a domain administrator. So I wrote to our main administrator to make my account a schema administrator. He has done that. But I still get these failure messages... they are the same. I even tried a restart, but nothing changed. Unfortunately, our main administrator has no further ideas either...

What ideas do you have? Am I missing something essential like the schema administrator privileges?

By the way, it is confusing that the DC2 failure message is about LDAP, but we don't knowingly use LDAP in our network... or is it part of Active Directory? (I thought it used Kerberos or something like that for authentication...)

FSMO (netdom query fsmo)
Scheme-Master:
DC2.company.lan

Domain-Master:
DC2.company.lan
PDC:
DC2.company.lan
RID-Pool-Manager:
DC2.company.lan
Infrastrukturmaster
DC2.company.lan


Active Directory uses LDAP. You should start by verifying that you can reach the existing domain controllers from the new server and that nothing, including firewalls on the existing DCs, is blocking the ports used by LDAP/AD.
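One way to do that check from the new 2016 server, as an added example that is not part of the answer above. The host names and domain (DC1.company.lan, DC2.company.lan) are assumptions taken from the question; the port list is the standard set a domain controller needs to expose, and the LDAP bind at the end exercises the same kind of connection the "Unable to make an LDAP connection" error is complaining about.

```powershell
# Added example: pre-promotion reachability check, run on the new server.
# $dcs are assumed names from the question; adjust for your environment.
$dcs   = 'DC1.company.lan', 'DC2.company.lan'
$ports = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog LDAP'
    9389 = 'AD Web Services'
}

Add-Type -AssemblyName System.DirectoryServices.Protocols

foreach ($dc in $dcs) {
    # Name resolution first: promotion fails early if the new server's DNS
    # client does not point at a DC that hosts the AD-integrated zone.
    try {
        $addr = (Resolve-DnsName -Name $dc -Type A -ErrorAction Stop).IPAddress -join ','
        Write-Host "$dc resolves to $addr"
    } catch {
        Write-Warning "$dc does not resolve; fix the DNS client settings first"
        continue
    }

    # TCP reachability per port. 'BLOCKED' usually means a host firewall on
    # the DC or a network firewall between the two servers.
    foreach ($p in $ports.Keys) {
        $r = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
        $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
        '{0,-18} {1,5} {2,-26} {3}' -f $dc, $p, $ports[$p], $state
    }

    # An open port is not enough: attempt an authenticated LDAP bind with the
    # current logon (Negotiate = Kerberos where possible), which is what the
    # promotion wizard does when it queries the schema master.
    $ldap = New-Object System.DirectoryServices.Protocols.LdapConnection("${dc}:389")
    $ldap.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    try {
        $ldap.Bind()
        Write-Host "LDAP bind to $dc succeeded as $env:USERDOMAIN\$env:USERNAME"
    } catch {
        Write-Warning "LDAP bind to $dc failed: $($_.Exception.Message)"
    } finally {
        $ldap.Dispose()
    }
}
```

If every port shows open and the bind succeeds for both DCs, the problem is not network reachability and the next thing to check is the account's group membership.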


To do forest related tasks you may be looking for the Enterprise Admins group. That is the group required for adprep /forestprep.

Running the Schema upgrade requires all three admin groups in the domain, per info from the source link.

Make sure that you can log on to the schema master with an account that has sufficient credentials to run adprep /forestprep. You must be a member of the Schema Admins group, the Enterprise Admins group, and the Domain Admins group of the domain that hosts the schema master, which is, by default, the forest root domain.

It is also best practice to remove yourself from this group when you are done with the required tasks. As a Domain Admin, you have rights to add and remove yourself. The same goes for the Schema Admins group.

Source: https://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx

Credit to JBaldridge for catching a couple mistakes.
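To confirm the three memberships the quoted TechNet text requires, here is an added example (not from the answer or from Microsoft) that checks both what the directory says and what the current logon token actually carries; a group added after you logged on is only in the token after a fresh logon, which is the usual reason "he added me to the group" changes nothing. It assumes the RSAT ActiveDirectory and ADDSDeployment modules are present on the new server and takes the domain name company.lan from the question.

```powershell
# Added example: verify adprep-related group membership for the current account.
Import-Module ActiveDirectory

$forest       = Get-ADForest
$rootDomain   = $forest.RootDomain      # Enterprise/Schema Admins live here
$schemaMaster = $forest.SchemaMaster
Write-Host "Forest root: $rootDomain   Schema master: $schemaMaster"

$required = 'Schema Admins', 'Enterprise Admins', 'Domain Admins'

# Membership as stored in AD (direct groups only, resolved in the root domain).
$memberOf = Get-ADPrincipalGroupMembership -Identity $env:USERNAME -Server $rootDomain |
            Select-Object -ExpandProperty Name

foreach ($g in $required) {
    $state = if ($memberOf -contains $g) { 'member' } else { 'MISSING' }
    '{0,-18} {1}' -f $g, $state
}

# Membership in the logon token of this session. whoami reports names as
# DOMAIN\Group, so match on the trailing "\<group>".
$tokenGroups = (whoami /groups /fo csv | ConvertFrom-Csv).'Group Name'
foreach ($g in $required) {
    $inToken = $tokenGroups -match "\\$g$"
    if (($memberOf -contains $g) -and -not $inToken) {
        Write-Warning "$g is in AD but not in the current logon token; log off and on again"
    }
}

# Dry run of the promotion prerequisites against the schema master, without
# installing anything. Domain name is an assumption from the question.
Test-ADDSDomainControllerInstallation `
    -DomainName 'company.lan' `
    -ReplicationSourceDC $schemaMaster `
    -Credential (Get-Credential -Message 'Account to promote with') `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')
```

The dry-run cmdlet prints the same validation messages as the wizard, so it is a quick way to confirm that the group change has taken effect before starting the real promotion.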