I gotta say I’m having a hard time giving a good title for this post. This article is mostly a small reminder for myself after encountering small problems when I wanted to add a new Windows 2012 Server DC to an existing Active Directory domain infrastructure. I have a domain with 2 Windows Server 2008 acting as the domain controller and my main objective was to add a new DC running on Windows Server 2012 for replacing one of the old Windows 2008 server before it dies.
So I’ve got a new Windows 2012 server installed and ready that I wanted to add as a new DC for an existing AD domain. That domain is running on 2 Windows 2008 Server. As soon that I tried to add the new DC to the domain, I’ve got an warning message that tell me that I need to raise the forest level functionality.
Now here’s the part that gives a lot of confusion. When adding a newer version of Windows Server to an existing domain, we need to raise the domain level and the forest level functionality. These are 2 different operation but have the same purpose, modifying the current AD database structure to be able to use the new functionality of the AD Domain and Forest. So in order to do so, I need to launch the Active Directory Domain and Trusts consoles. I open the console and expand the domain, when I right click on the domain name, I have the option of “Raise Domain Functional Level”, choose it and I can see the current functionality level of the domain which is Windows Server 2008. Ok, no problem here, but like I said, my new server is talking about the forest level functionality and not of the domain itself. So if I want to check the forest level, in the same console, I need to right click on the Active Directory Domain and Trusts entry itself on the left side of the console and there I can see the option for “Raise Forest Functional Level”.
My first small problem start here, because the new Windows 2012 server is not compatible with the current version of the forest level which is currently at the level of Windows 2000 Server. The 2012 version is asking for a forest level functionality version to be at the minimal level of 2003. This forest and domain has been created with an old server running Windows 2003 server that died a long time ago and if I remember correctly the main roles where transferred to one of the 2 Windows 2008 server (let’s name them server01 and server02). In that process, the domain level functionality was raised, but not for the forest. So it should be simple, I just need to raise the forest level functionality.
On one of the 2 Windows 2008 server acting as the DC, I’m trying to raise the forest level functionality from version 2000 to version 2008 and as soon that I click on the option for doing so, I’ve got an error message telling me “there is no such object on the server”. My initial reaction is “WTF is that and can I have more details regarding this error?” A quick search on the Internet give me the explanation that the old Windows 2003 server acting as the first DC of this domain must still live inside the domain. After doing a quick initial search inside the domain through the user and computers, Sites and Services consoles, I can’t find the old Windows 2003 server that used to exist in this domain. A quick reminder that this server was never officially demoted since the motherboard fried and it died on the spot. Having at that time a second DC already running on Windows 2008 Servers, no plan was ever done to restore the server from a backup. We simply transferred the roles to the win2k8 server. But if I remembered correctly I can lookup the 5 mains roles of a DC by using the netdom utility from a command prompt, in order to so so, I simply need to type ; netdom query fsmo. And here’s the result ;
netdom query fsmo
Schema master *** Warning: role owner is a deleted DC: CN=NTDS Settings\0ADEL:eddfdde1-6724-483c-aae0-5bab5d2a0dc7,CN=OLD-SERVER\0ADEL:d9eb345e-2dfa-4944-be91-361886e62795,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
Domain naming master server01.domain.local
PDC server01.domain.local
RID pool manager server01.domain.local
Infrastructure master server01.domain.local
The command completed successfully.
There is the main problem, the role of Schema master is still listed as belonging to the old Windows 2003 Server that is dead. All the other 4 roles are associated with the first win2k8 server, no problem here. I now need to give the role of Schema Master to server01 instead of the old win2k3 server. This procedure is all documented from Microsoft. The important point is that there is 2 different operations for doing this ; we can either transfer the role or seize the role. We have to take the time to think about the definition of these 2 operations. Why? because they are both fundamentally different while the end result is the same. In my case, my problem is the Schema master role that needs to be given to server01. If I try to transfer the role it automatically fail because when you do the transfer operation, you are asking for the permission to the server who currently own the roles to transfer it to a new server. In this case it cannot work because I can’t speak to the old server since it’s dead. So I don’t have the choice, I have to seize the role instead. Seizing the role simply give it to the new server without asking anyone if I can do it with their permission. I don’t care, I just do it. Make sure that you log on to one of your current DC and with an account that is member of the Enterprise Admins and the Schema Admins groups. You need some high level access to be able to change the forest structure. So after running the procedure for seizing the role of Schema master to server01, I run again the netdom command and here’s the result ;
netdom query fsmo
Schema master server01.domain.local
Domain naming master server01.domain.local
PDC server01.domain.local
RID pool manager server01.domain.local
Infrastructure master server01.domain.local
The command completed successfully.
I am now able to raise the forest level functionality without any problem and afterward, add the new Windows 2012 server as a DC to the current domain. And after doing so, I can properly demote the wink28 server who is about to die to make sure that it’s retired properly from the domain without leaving any ghost in it.
Thank you. I am in a similar situation and I was investigating possible gotcha’s before I did the forest level rise. Your post made me MUCH more confident. Most posts say nothing about any issues raising the forest level and I just knew there had to be some and if there were I’d hit them. Seeing the issues in advance makes them much easier to accept.