Promote Windows Server 2016 to domain controller in Server 2008 R2 Active Directory
I spent over five hours now to solve a failure during the process of Promoting a freshly installed Windows Server 2016 Standard-Server to a domain controller in our Server 2008 R2 level network.
Here is the problem: If I try to add the 2016 Server as a domain controller and choose to replicate from the DC2 (has all FSMO-Roles) it prompts the following failure message when
I choose the DC2:
Error determining whether the target environment require adprep:
Validation error Validation error: Unable to make an LDAP connection to server DC2.company.lan
Exception: The specified server cannot perform the requested operation
Details: Test.VerifyForestUpgradeStatus.ADPrep.Win32Exception.-2147467259
Screenshot Failure Message DC2
If I choose the DC1:
Error determining whether the target environment require adprep:
Validation error Validation error: Unable to check forest upgrade status for server DC1.company.lan
Exception: The specified server cannot perform the requested operation
Details: Test.VerifyForestUpgradeStatus.ADPrep.Win32Exception.-2147467259
Screenshot Failure Message DC1
During my research on the web - I have to confess I am an advanced beginner in Windows Network Administration and may miss some basic knowledge - I found a similiar topic on serverfault: Fix error determining whether the target environment requires adprep in windows server 2012, during domain controller promotion But I have checked that and DC2 is scheme master.
My second approach was that I have missing admin privileges because I only was a domain administrator. So I wrote our main administrator to set my account to a scheme administrator. He has done that. But I still do get these failure messages... they are the same. I even tried a restart, but nothing changed. Unfortunatley our main administrator even has no further idea...
What ideas do you have? Am I missing something essential like the scheme administration privileges?
By the way it is confusing that the DC2 failure message is about ldap, but we don't knowingly use LDAP in our network... or is it part of the Active Directory? (I thought it has Kerberos or something like that for authentication...)
FSOM (netdom query fsom)
Scheme-Master:
DC2.company.lan
Domain-Master:
DC2.company.lan
PDC:
DC2.company.lan
RID-Pool-Manager:
DC2.company.lan
Infrastrukturmaster
DC2.company.lan
Active Directory uses LDAP. You should start by verifying that you can reach the existing domain controllers from the new server and that nothing, including firewalls on the existing dc's, is blocking the ports used by LDAP/AD.
To do forest related tasks you may be looking for the Enterprise Admins
group. That is the group required for adprep /forestprep
.
Running the Schema upgrade requires all three admin groups in the domain, per info from the source link.
Make sure that you can log on to the schema master with an account that has sufficient credentials to run adprep /forestprep. You must be a member of the Schema Admins group, the Enterprise Admins group, and the Domain Admins group of the domain that hosts the schema master, which is, by default, the forest root domain.
It is also best practices to remove yourself from this group when you are done with the required tasks. As a Domain Admin
, you have rights to add and remove yourself. The same goes for the Schema Admins
group.
Source: https://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx
Credit to JBaldridge for catching a couple mistakes.