Promote Windows Server 2016 to domain controller in Server 2008 R2 Active Directory


Solution 1

Active Directory uses LDAP. You should start by verifying that you can reach the existing domain controllers from the new server and that nothing, including firewalls on the existing DCs, is blocking the ports used by LDAP/AD.
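An added example (not part of the original answer) of that check, run from the new 2016 server: it resolves each existing DC, tests the TCP ports promotion depends on, and then performs a real LDAP bind to the schema master rather than only a TCP handshake. The host names are the placeholders from the question; substitute your own.

```powershell
# Added example, not from the original post. Run on the server being promoted.
$DCs   = @('DC1.company.lan', 'DC2.company.lan')   # placeholders from the question
$Ports = @(
    @{ Port = 53;   Service = 'DNS' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 135;  Service = 'RPC endpoint mapper' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB' },
    @{ Port = 464;  Service = 'Kerberos password change' },
    @{ Port = 636;  Service = 'LDAPS' },
    @{ Port = 3268; Service = 'Global Catalog' },
    @{ Port = 3269; Service = 'Global Catalog SSL' }
)

foreach ($dc in $DCs) {
    # Resolve first: a missing or stale DNS record looks exactly like a blocked port.
    try {
        $ip = (Resolve-DnsName -Name $dc -Type A -ErrorAction Stop)[0].IPAddress
    } catch {
        Write-Warning "$dc does not resolve in DNS: $($_.Exception.Message)"
        continue
    }
    foreach ($p in $Ports) {
        $r = Test-NetConnection -ComputerName $dc -Port $p.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            DC      = $dc
            IP      = $ip
            Port    = $p.Port
            Service = $p.Service
            Open    = $r.TcpTestSucceeded
        }
    }
}

# Replication also uses dynamic RPC ports (49152-65535 by default), which a single
# port probe cannot cover; a firewall that passes 135 but drops the dynamic range
# still breaks promotion.

# A real LDAP bind to the schema master with the logged-on account. Reading RootDSE
# is anonymous-friendly and needs no schema rights, so a failure here is connectivity,
# not permissions.
$rootDse = New-Object System.DirectoryServices.DirectoryEntry('LDAP://DC2.company.lan/RootDSE')
$rootDse.Properties['schemaNamingContext'].Value
```

If every port shows Open = True but the RootDSE read fails, the filtering is happening above the TCP handshake (for example an application-layer inspection device) rather than at the port level.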

Solution 2

To do forest-related tasks you may be looking for the Enterprise Admins group. That is the group required for adprep /forestprep.

Running the Schema upgrade requires all three admin groups in the domain, per info from the source link.

Make sure that you can log on to the schema master with an account that has sufficient credentials to run adprep /forestprep. You must be a member of the Schema Admins group, the Enterprise Admins group, and the Domain Admins group of the domain that hosts the schema master, which is, by default, the forest root domain.

It is also best practice to remove yourself from this group when you are done with the required tasks. As a Domain Admin, you have rights to add and remove yourself. The same goes for the Schema Admins group.

Source: https://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx

Credit to JBaldridge for catching a couple of mistakes.
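An added example (not part of the original answer) that verifies the three memberships on the schema master before running adprep /forestprep. It matches groups by well-known RID rather than by name, so localized group names (the German ones in the question) do not matter, and it compares directory membership against the logon token, because a group added after you signed in is not in your token until you sign in again. Assumes the ActiveDirectory module (RSAT) is present and you are logged on with the account you intend to use.

```powershell
# Added example, not from the original post. Run on the schema master as the adprep account.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$rootSid  = (Get-ADDomain -Identity $forest.RootDomain).DomainSID.Value
$localSid = (Get-ADDomain).DomainSID.Value   # domain hosting the schema master (root by default)

# Well-known RIDs: 512 Domain Admins, 518 Schema Admins, 519 Enterprise Admins.
# Schema Admins and Enterprise Admins exist only in the forest root domain.
$required = [ordered]@{
    'Domain Admins'     = "$localSid-512"
    'Schema Admins'     = "$rootSid-518"
    'Enterprise Admins' = "$rootSid-519"
}

# Confirm this host actually holds the schema master role before running adprep here.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$onSchemaMaster = $forest.SchemaMaster -ieq $fqdn
"Schema master: $($forest.SchemaMaster)  This host: $fqdn  Match: $onSchemaMaster"

# Group SIDs in the current logon token (what adprep's access checks will see).
$tokenSids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
    ForEach-Object { $_.Value }

foreach ($name in $required.Keys) {
    $sid = $required[$name]
    # Recursive directory membership, so nesting through another group counts.
    $inDirectory = [bool](Get-ADGroupMember -Identity $sid -Recursive |
        Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -ieq $env:USERNAME })
    $inToken = $tokenSids -contains $sid
    [pscustomobject]@{
        Group        = $name
        SID          = $sid
        InDirectory  = $inDirectory
        InLogonToken = $inToken
    }
}
```

A row with InDirectory = True and InLogonToken = False is the "I am in Schema Admins but adprep says I am not" situation: sign out and back in (or open a fresh elevated session) so the token picks up the new membership.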


Author: frankhammer

Updated on September 18, 2022

Comments

  • frankhammer
    frankhammer almost 2 years

    I have spent over five hours now trying to solve a failure during the process of promoting a freshly installed Windows Server 2016 Standard server to a domain controller in our Server 2008 R2 level network.

    Here is the problem: if I try to add the 2016 server as a domain controller and choose to replicate from DC2 (which has all FSMO roles), it prompts the following failure message when I choose DC2:

    Error determining whether the target environment require adprep:
    Validation error Validation error: Unable to make an LDAP connection to server DC2.company.lan
    Exception: The specified server cannot perform the requested operation
    Details: Test.VerifyForestUpgradeStatus.ADPrep.Win32Exception.-2147467259

    Screenshot Failure Message DC2

    If I choose the DC1:

    Error determining whether the target environment require adprep:
    Validation error Validation error: Unable to check forest upgrade status for server DC1.company.lan
    Exception: The specified server cannot perform the requested operation
    Details: Test.VerifyForestUpgradeStatus.ADPrep.Win32Exception.-2147467259

    Screenshot Failure Message DC1

    During my research on the web - I have to confess I am an advanced beginner in Windows network administration and may miss some basic knowledge - I found a similar topic on serverfault: Fix error determining whether the target environment requires adprep in windows server 2012, during domain controller promotion. But I have checked that, and DC2 is the schema master.

    My second approach was that I was missing admin privileges because I was only a domain administrator. So I wrote to our main administrator to make my account a schema administrator. He has done that. But I still get these failure messages... they are the same. I even tried a restart, but nothing changed. Unfortunately our main administrator has no further idea either...

    What ideas do you have? Am I missing something essential like the schema administration privileges?

    By the way, it is confusing that the DC2 failure message is about LDAP, but we don't knowingly use LDAP in our network... or is it part of Active Directory? (I thought it used Kerberos or something like that for authentication...)

    FSMO (netdom query fsmo):
    Schema Master: DC2.company.lan
    Domain Master: DC2.company.lan
    PDC: DC2.company.lan
    RID Pool Manager: DC2.company.lan
    Infrastructure Master: DC2.company.lan

  • frankhammer
    frankhammer about 7 years
    I am a member of the groups "Domain Administrators", "Schema Administrators" and another one which in German is "Organisations Administrator". Is this the equivalent of "Enterprise Administrator"?
  • Cory Knutson
    Cory Knutson about 7 years
    Enterprise Administrators is explicitly required for several forest-related actions. The other groups do not grant access to a few actions, like adprep.
  • frankhammer
    frankhammer about 7 years
    My colleague temporarily disabled the firewall; still getting the errors described above. :-/ Which tools/software can I use to check whether packets on those ports reach DC2?
  • Matt Southward
    Matt Southward about 7 years
    Check this. Any number of tools could be used. For example, nmap would work or portqry from MS.
  • JBaldridge
    JBaldridge about 7 years
    We don't really know all that much about your environment. How many domains do you have in your forest? Are you working in the root forest domain or a child domain? The error specifically calls out ADPrep. You need to run adprep /forestprep on the schema operations master for the forest so that you can see the output and deal with any errors from there. Make sure to log in as an admin that is already a member of Enterprise Admins. This should solve the issue (or at least get you much closer).
  • frankhammer
    frankhammer about 7 years
    Thank you, JBaldridge. So I have to copy adprep from the installation medium (in my case an ISO image -> support/adprep) to the schema operations master? I will do that. :-)
  • frankhammer
    frankhammer about 7 years
    I have done this and executed the command "adprep /forestprep". The error message (translated from German to English) is that my user is not part of the group "Schema Admins". But that is not true... if I look at my account I have the group membership of "Schema Admins"... might a restart of the server or of a running service help?
  • frankhammer
    frankhammer about 7 years
    That was the final problem. Ports were blocked to DC2, especially LDAP. Seems like a hardware firewall had been the problem.