Promoting a 2012r2 dc in an existing 2003 domain

zorobabel

Limp Gawd
Joined
Aug 25, 2008
Messages
189
-Existing domain.local with a single 2003 DC
-Trying to replace the above with a new server running 2012r2

I've run into an issue when trying to promote the new DC using the wizard in 2012r2 at the Prerequisites Check section: "Verification of prerequisites for Active Directory preparation failed. The specified user is not a member of the following groups: Enterprise Admins group.".
-I've done this using the default domain administrator account, and a user created just for this purpose, both members of domain, schema and enterprise administrators.
-I've added a maxtokensize dword on the 2003 HKLM/system/currentcontrolset/control/Lsa/Kerberos/parameters.

Any suggestions please?
 

THUMPer

2[H]4U
Joined
May 6, 2008
Messages
3,596
I'll be doing this soon...I may be on the phone to MS or Dell though for support. haha
 

zorobabel

Limp Gawd
Joined
Aug 25, 2008
Messages
189
I ran version 2008 32bit of adprep on the 2003 server and I got the same error: "currently logged user is not a member of enterprise admins group".
 

Demon10000

Supreme [H]ardness
Joined
Aug 20, 2006
Messages
4,502
transfer the FSMO roles using NTDSutil or mmc applets

Where would you transfer them to? Looks like it's a domain with a single DC...




What are your AD and Domain forest levels? You might have to raise them to 2003 if they're not there already.
 

Demon10000

Supreme [H]ardness
Joined
Aug 20, 2006
Messages
4,502
Looks like there are two things that could cause this...

User Not a Member of Required Groups

Adprep detected that the logon user is not a member of the following groups: Enterprise Admins Group, Schema Admins Group and Contoso.local\Domain Admins Group.

[Status/Consequence]

Adprep has stopped without making changes.

[User Action]

Verify the current logged on user is a member of Enterprise Admins group, Schema Admins group and Contoso.local\Domain Admins group.

- Or -

Adprep was unable to check the current User's group membership
 

The Cobra

2[H]4U
Joined
Jun 19, 2003
Messages
2,805
You can't make a 2012R2 server a DC on a 2003 Server Network, only a member server.
 

Demon10000

Supreme [H]ardness
Joined
Aug 20, 2006
Messages
4,502
You can't make a 2012R2 server a DC on a 2003 Server Network, only a member server.

I'm not sure that I can agree with that. If everything is at 2003 functional levels, you should be able to add a 2012 R2 DC.

link




Is this DC being installed to the root domain? If not, you may have to forestprep manually.
 

zorobabel

Limp Gawd
Joined
Aug 25, 2008
Messages
189
Thanks for the replies!
The domain is xxxxxx.local, no subdomains.
The issue is with 2003 since the 2008 adprep gives the same error.
 

Hurin

2[H]4U
Joined
Oct 8, 2003
Messages
2,411
I have a very vague recollection of something like this happening to me a long, long time ago.

Is your account a member of the BUILTIN\Administrators group in the domain?

Note that BUILTIN\Administrators itself contains the Domain Admins and Enterprise Admins groups.

If you're in that group (as well as Schema Admins) and it's still not working, try removing yourself from that (BUILTIN\Administrators) group and explicitly putting yourself in Domain Admins and Enterprise Admins if not there already. And vice-versa.
 

zorobabel

Limp Gawd
Joined
Aug 25, 2008
Messages
189
Thanks Hurin, still no luck:
-member of domain, schema and enterprise admins gives the error: user not a member of enterprise admins group.
-member of builtin administrators and schema admins gives the same error.
 

The Cobra

2[H]4U
Joined
Jun 19, 2003
Messages
2,805
I'm not sure that I can agree with that. If everything is at 2003 functional levels, you should be able to add a 2012 R2 DC.

link




Is this DC being installed to the root domain? If not, you may have to forestprep manually.

Technically, you can add a 2012R2 DC to a domain, but it will not function correctly until you raise the domain function level to 2008R2. 2012R2 will not fully function until you do the stated step I just listed.

You are better off adding a 2008R2 DC, raise the function level, add the 2012R2 DC, transfer the five FSMO roles over to the new 2012R2 DC and then demote the 2003R2 DC to a member server.
 

Hurin

2[H]4U
Joined
Oct 8, 2003
Messages
2,411
Well, I hope it helps to know that this should work and does in a lab environment. I just created a "testy.local" domain on a freshly built Windows Server 2003 SP2 (fully patched) domain controller.

I was then able to add a 2012 R2 Standard (fully patched) server as a domain controller.

The only things I did in between were. . .
1. Raise the Domain Function Level to 2003 from 2000.
2. Raise the Forest Function Level to 2003 from 2000.
3. Made sure both servers were using the 2003 DC as the primary/only DNS server.

I used the builtin administrator account throughout.

How long has this 2003 DC been around? Any shenanigans with it in the past? Knowing that it's supposed to work (and does), let's try to figure out how your domain or DC differs from a "plain vanilla" one like in the lab environment above.

--H
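
Added example, not written by any poster in this thread: a PowerShell pre-check for the 2012 R2 server that reports the functional levels, role holders and DNS servers from the list above, and whether the current logon token actually carries the three groups the adprep message names. It assumes the server is already domain-joined and the session is elevated under the account that will run the promotion; the RIDs 512, 518 and 519 are the well-known ones for Domain Admins, Schema Admins and Enterprise Admins.

```powershell
# Added example: run elevated on the domain-joined 2012 R2 server, logged on
# with the account that will run the promotion wizard.
# Uses the .NET directory classes, so nothing extra is needed on the 2003 DC.
$ErrorActionPreference = 'Stop'

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Functional levels and the role holders the preparation step has to reach.
[pscustomobject]@{
    ForestMode   = $forest.ForestMode
    DomainMode   = $domain.DomainMode
    SchemaMaster = $forest.SchemaRoleOwner.Name
    NamingMaster = $forest.NamingRoleOwner.Name
    PdcEmulator  = $domain.PdcRoleOwner.Name
    InfraMaster  = $domain.InfrastructureRoleOwner.Name
} | Format-List

# DNS servers this machine resolves through (should be the existing DC).
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# Read a domain's SID from its directory object.
function Get-DomainSid($adDomain) {
    $bytes = $adDomain.GetDirectoryEntry().Properties['objectSid'].Value
    (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
}

# Enterprise/Schema Admins live in the forest root domain; Domain Admins in
# the domain being prepared. Build their SIDs from the well-known RIDs.
$rootSid = Get-DomainSid $forest.RootDomain
$domSid  = Get-DomainSid $domain
$required = [ordered]@{
    'Enterprise Admins' = "$rootSid-519"
    'Schema Admins'     = "$rootSid-518"
    'Domain Admins'     = "$domSid-512"
}

# Compare against the groups in the *current token*, not the directory:
# membership added after logon is not in the token until the next logon.
$token     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($token.Groups | ForEach-Object { $_.Value })

foreach ($name in $required.Keys) {
    [pscustomobject]@{
        Group   = $name
        Sid     = $required[$name]
        InToken = $tokenSids -contains $required[$name]
    }
}
```

A group that shows `InToken = False` while the account is listed as a member in Active Directory Users and Computers points at the token or the membership lookup rather than at the membership itself.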
 

zorobabel

Limp Gawd
Joined
Aug 25, 2008
Messages
189
Thanks a lot Hurin!
The 2003 DC is an old install from around 2005. I don't know much history about it except for the fact the hardware crashed a few months ago, and I restored the backup to a VM on ESXi.
The 2012R2 is a fresh install.