1

Last year I created a new dc and performed dcpromo on it so that I had a backup dc. The original dc is dead so I have started making another.

When I came to dcpromo it I got a prepare the forest with adprep /forestprep. Ive had a lookup on this, but always prefer to come here for such things.

What does the adprep do?

Why wasnt it needed last year when I did a promo?

Will all the useres need to be off?

cheers

5 Spice ups
2

you only need to adprep if you are uplifiting the host OS that will be a domain controller. - eg 2003->2008 or 2008->2008R2

3

Adprep is used the first time you go to promote a Windows Server that is running a later OS than that of the current domain controllers. For example if your current domain controllers are 2003 and this is your first 2008r2 domain controller then Adprep needs to be ran. If you install a domain controller of the same OS as the other domain controllers then you do not need to run Adprep. Adprep perfroms the following tasks to get your domain/forest ready for the Server 2008R2 domain controller. It updates the Active Directory schema,updates security descriptors modifies access control lists (ACLs) on Active Directory objects and on files in the SYSVOL shared folder, creates new objects as needed and creates new containers as needed. This should not affect the users in any way.

more information can be found here:

1 Spice up
4

you will likely also have to do a forestprep,

The 2 commands basicly preps the current version of your AD to accept the new features and play nice with the new version AD server you are trying to add to the mix

here is a posting talking about doing what you will need to do

1 Spice up
5

Thanks for the posts guys, thats all made sense. Ive just done the forest prep and im getting the schema master did not complete a replication cycle, check it on the forest error. Im guessing my schema master was the one that died. How do I make the remaining one the master?

Sorry for the newby questions, but ive been lucky so far in my career everywere Ive been everything has been up and running its only in the last year or so Ive been in a place long eneough for dc servers to start to die, and Ive had to get my hands dirty. Its never been a subject that floated my boat either so I havent read up on it.

6

I saved this off a website years ago, don’t remember the site but it has saved me a few times

see attached pdf

How_to_remove_data_in_Active_Directory_after_an_unsuccessful_domain_controller_demotion.pdf (126 KB)

7

You will also want to make sure that all of your FSMO roles have been moved off of your DC that died.

http://support.microsoft.com/kb/324801

8

leif2251 wrote:

Thanks for the posts guys, thats all made sense. Ive just done the forest prep and im getting the schema master did not complete a replication cycle, check it on the forest error. Im guessing my schema master was the one that died. How do I make the remaining one the master?

Sorry for the newby questions, but ive been lucky so far in my career everywere Ive been everything has been up and running its only in the last year or so Ive been in a place long eneough for dc servers to start to die, and Ive had to get my hands dirty. Its never been a subject that floated my boat either so I havent read up on it.

You will need to seize all FSMO roles.

http://support.microsoft.com/kb/255690

1 Spice up
9

How many DCs do you have ? If the DC that failed is your only one, then you are in a completely different world than just siezing the FSMO roles.

10

I believe I have seized all the roles. I followed Daniels link. I got an error message about failing to transfer, it then said that it had 5 roles available and that it would sieze them… is the correct? Is there a command to see who holds the roles?

Anyway did the forest prep worked fine, went back to the new server, ran dcpromo again and got the same error saying that I need to run the adprep?

11

leif2251 wrote:

I believe I have seized all the roles. I followed Daniels link. I got an error message about failing to transfer, it then said that it had 5 roles available and that it would sieze them… is the correct? Is there a command to see who holds the roles?

Anyway did the forest prep worked fine, went back to the new server, ran dcpromo again and got the same error saying that I need to run the adprep?

Use DCDIAG

you can use the specific test KnowsOfRoleHolders.

12

The knowsofroleholders passed, does this mean that it has seized the roles?

Im noticing that the kcc is giving errors, not a clue what this is though.

13

How to view and transfer FSMO roles - http://support.microsoft.com/kb/324801

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller - Transfer or seize Operation Master roles - Windows Server | Microsoft Learn

The missing DC may still be triggering the KCC errors.

14

also…

To view the current operations master role holders

  1. Open Ntdsutil as an administrator: Click Start, and then, in Start Search, type ntdsutil. At the top of the Start menu, right-click ntdsutil, and then click Run as administrator. In the User Account Control dialog box, provide Domain Admins credentials, and then click OK.

  2. At the ntdsutil: prompt, type roles, and then press ENTER.

  3. At the fsmo maintenance: prompt, type connections, and then press ENTER.

  4. At the server connections: prompt, type connect to server <servername>, where <servername> is the name of the domain controller that belongs to the domain that contains the operations masters.

  5. After you receive confirmation of the connection, type quit, and then press ENTER to exit this menu.

  6. At the fsmo maintenance: prompt, type select operation target, and then press ENTER.

  7. At the select operations target: prompt, type list roles for connected server, and then press ENTER.

    The system responds with a list of the current roles and the Lightweight Directory Access Protocol (LDAP) name of the domain controllers that are currently assigned to host each role.

  8. Type quit, and then press ENTER to exit each prompt in Ntdsutil.exe. At the ntdsutil: prompt, type quit, and then press ENTER to close the window.

15

it says it knows 5 roles

schema

naming master

pdc

rid

infrastructure

should these all sat master?

Should I try to seize them again?

Thanks for all you help so far…

16

Yes - use the command line instructions from the Technet links.

17

Right Ive been through them twice, the server has all 5 fsmo roles stated in the article, the forestprep completed without error.

But when I try to dcpromo my new server I still get forest prep the domain. Is there something else im missing

18

leif2251 wrote:

Right Ive been through them twice, the server has all 5 fsmo roles stated in the article, the forestprep completed without error.

But when I try to dcpromo my new server I still get forest prep the domain. Is there something else im missing

Just run the /forestprep. Users will see no interruption .

19

Hi Steve,

as I said in my last post “Right Ive been through them twice, the server has all 5 fsmo roles stated in the article, the forestprep completed without error.”

I have run the forest prep which said it completed without error but I still get the error with dc promo

20

try forcing replication between your domain controllers, all DC have to fully replicate the changes before you will be able to do a promo successfully