DC Promotion Fails ‘FRS is Deprecated’

FRS is Deprecated KB ID 0001579

Problem

Error seen when attempting to add a new domain controller to an existing domain;

Verification of replica failed. The specified domain {Domain-Name} is still using the File Replication Service (FRS) to replicate the SYSVOL share. FRS is deprecated.

The server being promoted does not support FRS and cannot be promoted as a replica into the specified domain.

You MUST migrate the specified domain to use DFS Replication using the DFSRMIG command before continuing.

Solution: FRS is Deprecated

 

Before proceeding you MUST ensure all your existing domain controllers are running AT LEAST Windows Server 2008, and that your domain and forest functional levels are AT LEAST Windows Server 2008 (DFS Replication of SYSVOL needs the Windows Server 2008 domain functional level). It would also be a good move to make sure all your DCs are replicating cleanly before you start (repadmin /replsummary will tell you), and to take a system state backup of a DC: states 1 and 2 of the migration can be rolled back, but state 3 cannot.

You need to go to one of your legacy (existing) domain controllers, ideally the one holding the PDC emulator role, and carry out the following procedure from an elevated command prompt or PowerShell session (dfsrmig is a command-line tool, so either works).

First, make sure that no one has messed about with this before: issue the following command and check that the global state is reported as ‘Start’, meaning the migration process has not been previously started;

[box]

dfsrmig /getglobalstate

[/box]

Start the process.

[box]

dfsrmig /setglobalstate 1

[/box]

It can take a while (even if you only have one domain controller!), because the new global state has to replicate through Active Directory and each DC’s DFS Replication service then has to act on it. Keep checking the status with ‘dfsrmig /getmigrationstate’ until it says all the domain controllers have migrated to global state ‘Prepared’.

Change the process to state 2 (Redirected).

[box]

dfsrmig /setglobalstate 2

[/box]

This typically completes a bit faster than the first state. Keep checking the status with ‘dfsrmig /getmigrationstate’ until it says all the domain controllers have migrated to global state ‘Redirected’. At this point the SYSVOL share is being served from the DFS-R copy (SYSVOL_DFSR), so this is the moment to confirm that Group Policy still applies to a client (gpupdate /force) while you can still roll back.

Change the process to state 3 (Eliminated). This step is irreversible: once set, FRS replication of SYSVOL is removed and you cannot go back to state 1 or 2.

[box]

dfsrmig /setglobalstate 3

[/box]

As before, keep checking the status with ‘dfsrmig /getmigrationstate’ until it says all the domain controllers have migrated to global state ‘Eliminated’ and the command finishes with ‘Succeeded’.

Reaching ‘Eliminated’ should already have stopped and disabled the NTFRS service on each DC. Check it on the ‘old’ domain controllers, and if it is still running, disable and stop it yourself.

[box]

Set-Service ntfrs -StartupType Disabled
Stop-Service ntfrs

[/box]

Now attempt to promote your new domain controller again.
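The procedure above, scripted, as an added example that is not part of the original article: it reads the current global state, walks through the remaining states one at a time, polls ‘dfsrmig /getmigrationstate’ until every DC has caught up, and finally checks NTFRS on every DC. Assumptions: it runs elevated on a writable DC (ideally the PDC emulator) as a Domain Admin, dfsrmig prints English text (the phrases matched below are assumed from its output), the ActiveDirectory module is installed, and WinRM is open to the other DCs.

```powershell
# Added example (not the article's own code). Assumptions: elevated session on a
# writable DC, Domain Admin rights, English dfsrmig output, AD module present, WinRM.

$stateNumbers = @{ Start = 0; Prepared = 1; Redirected = 2; Eliminated = 3 }
$stateNames   = @{ 0 = 'Start'; 1 = 'Prepared'; 2 = 'Redirected'; 3 = 'Eliminated' }

function Get-DfsrGlobalState {
    # Assumption: dfsrmig /getglobalstate prints the state name in single quotes,
    # e.g. "Current DFSR global state: 'Start'"
    $text = (& dfsrmig.exe /getglobalstate 2>&1 | Out-String)
    if ($text -match "'(Start|Prepared|Redirected|Eliminated)'") { return $stateNumbers[$Matches[1]] }
    throw "Could not parse dfsrmig /getglobalstate output:`n$text"
}

function Wait-DfsrGlobalState {
    param([int]$State, [int]$TimeoutMinutes = 120, [int]$PollSeconds = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        $text = (& dfsrmig.exe /getmigrationstate 2>&1 | Out-String)
        # Assumption: this phrase appears once all DCs report the new global state
        if ($text -match 'Migration has reached a consistent state') {
            Write-Host ("All DCs are now at global state '{0}'." -f $stateNames[$State])
            return $true
        }
        # While DCs lag, dfsrmig lists them with their local state; show that rather than a bare "waiting"
        Write-Host ("[{0:HH:mm:ss}] Not consistent yet:`n{1}" -f (Get-Date), $text.Trim())
        Start-Sleep -Seconds $PollSeconds
    }
    throw ("Timed out waiting for global state {0}. Check AD replication (repadmin /replsummary) " +
           "and the DFS Replication event log on the DCs that are still behind.") -f $State
}

function Invoke-SysvolDfsrMigration {
    # TargetState 2 stops at Redirected so Group Policy can be tested while rollback is still
    # possible; calling again with 3 (Eliminated) then finishes the job. Eliminated cannot be undone.
    param([ValidateRange(1, 3)][int]$TargetState = 3)

    $current = Get-DfsrGlobalState
    if ($current -ge $TargetState) {
        Write-Host "Already at state $current ($($stateNames[$current])); nothing to do."
        return
    }
    foreach ($s in ($current + 1)..$TargetState) {
        Write-Host ("Setting global state {0} ({1})..." -f $s, $stateNames[$s])
        & dfsrmig.exe /setglobalstate $s | Out-Null
        Wait-DfsrGlobalState -State $s | Out-Null
    }
    if ($TargetState -lt 3) { return }

    # Reaching Eliminated should already have stopped FRS; confirm on every DC and pin it to Disabled
    Import-Module ActiveDirectory
    $dcs = @(Get-ADDomainController -Filter * | ForEach-Object { $_.HostName })
    Invoke-Command -ComputerName $dcs -ScriptBlock {
        $svc = Get-Service -Name ntfrs -ErrorAction SilentlyContinue
        if ($null -eq $svc) { return "$($env:COMPUTERNAME): ntfrs not present" }
        Set-Service -Name ntfrs -StartupType Disabled
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name ntfrs -Force }
        "$($env:COMPUTERNAME): ntfrs disabled and stopped"
    }
}

# Typical use: pause at Redirected, test Group Policy on a client, then finish.
# Invoke-SysvolDfsrMigration -TargetState 2
# Invoke-SysvolDfsrMigration -TargetState 3
```

The two-call pattern is deliberate: ‘Redirected’ is the last state you can back out of, so the script refuses to assume you want ‘Eliminated’ in one go, and it parses the current state rather than blindly issuing state 1 so it is safe to re-run after an interruption.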

Related Articles, References, Credits, or External Links

NA

Adding a Windows Server 2019/2016 Domain Controller

KB ID 0001262

Problem

Once upon a time, adding a domain controller running a newer version of Windows Server involved opening a command line and running adprep to prep the schema, the forest, the domain and Group Policy. Now all this happens in the background when adding a 2019 domain controller, and the wizard does the heavy lifting for you (it still runs adprep under the hood, so for the first DC of a new version the account you use needs to be a member of Schema Admins and Enterprise Admins as well as Domain Admins).

Solution

2008 to 2019 Domain Controller

2008 to 2016 Domain Controller

Obviously the server needs to be a domain member first!

  • For Server 2019 the forest and domain functional levels need to be at least ‘Windows Server 2008’ (the documentation says 2008 R2, but Server 2008 also works flawlessly), and SYSVOL must already be replicated by DFS-R rather than FRS (see the ‘FRS is Deprecated’ article above).
  • For Server 2016 the forest and domain functional levels need to be at least ‘Windows Server 2003’.

Before You Start!

Remember, if your ‘retiring’ domain controller is also a DNS/DHCP server you will also need to address that, and make sure you don’t have a service or device that queries the old domain controller directly by name or IP address (RADIUS devices, firewalls, RSA appliances, proxy filters, security door software, etc.).
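A readiness check you can run before promoting a Server 2016 or 2019 DC, as an added example that is not part of the original article (it also covers the prerequisites listed in the ‘FRS is Deprecated’ article). Assumptions: the RSAT ActiveDirectory module is installed, the minimum functional levels are the ones stated in the list above (2003 for Server 2016, 2008 for Server 2019), and the msDFSR-Flags values for the SYSVOL migration states are 0 Start, 16 Prepared, 32 Redirected and 48 Eliminated, as documented in the SYSVOL migration guide; confirm those against Microsoft’s documentation for your build.

```powershell
# Added example (not the article's own code). Assumptions: RSAT AD module present,
# minimum levels as in the article, msDFSR-Flags mapping as documented for DFSRMIG.
Import-Module ActiveDirectory

# msDS-Behavior-Version numbers: 2 = 2003, 3 = 2008, 4 = 2008 R2, 5 = 2012, 6 = 2012 R2, 7 = 2016
$minLevel = @{ '2016' = 2; '2019' = 3 }

function Get-SchemaVersion {
    # 87 = Server 2016, 88 = Server 2019 (see the note at the end of the article)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    [int](Get-ADObject -Identity $schemaNc -Properties objectVersion).objectVersion
}

function Get-SysvolReplicationMethod {
    # A domain that never started a migration has no DFSR-GlobalSettings object (or no flags): treat as FRS
    $dn = "CN=DFSR-GlobalSettings,CN=System,$((Get-ADDomain).DistinguishedName)"
    try   { $flags = [int](Get-ADObject -Identity $dn -Properties 'msDFSR-Flags').'msDFSR-Flags' }
    catch { $flags = 0 }
    switch ($flags) { 48 { 'DFSR (Eliminated)' } 32 { 'DFSR (Redirected)' } 16 { 'FRS (Prepared)' } default { 'FRS' } }
}

function Test-DcPromotionReadiness {
    param([ValidateSet('2016', '2019')][string]$TargetOS = '2019')

    $domain   = Get-ADDomain
    $forest   = Get-ADForest
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $domainLevel = [int](Get-ADObject -Identity $domain.DistinguishedName -Properties 'msDS-Behavior-Version').'msDS-Behavior-Version'
    $forestLevel = [int](Get-ADObject -Identity "CN=Partitions,$configNc" -Properties 'msDS-Behavior-Version').'msDS-Behavior-Version'
    $dcs    = Get-ADDomainController -Filter * | Select-Object HostName, OperatingSystem, IsGlobalCatalog, Site
    $sysvol = Get-SysvolReplicationMethod

    $findings = @()
    if ($domainLevel -lt $minLevel[$TargetOS]) { $findings += "Domain functional level $($domain.DomainMode) is below the minimum for Server $TargetOS" }
    if ($forestLevel -lt $minLevel[$TargetOS]) { $findings += "Forest functional level $($forest.ForestMode) is below the minimum for Server $TargetOS" }
    # Server 2019 refuses to join an FRS-replicated SYSVOL; Server 2016 still tolerates it
    if ($TargetOS -eq '2019' -and $sysvol -notlike 'DFSR*') { $findings += "SYSVOL is still replicated by FRS ($sysvol); run the DFSRMIG migration first" }
    $old = @($dcs | Where-Object { $_.OperatingSystem -match '2000|2003' })
    if ($old.Count -gt 0) { $findings += "Pre-2008 DCs still present: $(($old | ForEach-Object { $_.HostName }) -join ', ')" }
    # Unreplicated changes surface as failures during promotion, so look at replication health too
    $replFailures = @(Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain -ErrorAction SilentlyContinue)
    if ($replFailures.Count -gt 0) { $findings += "$($replFailures.Count) AD replication failure(s) reported; fix these first" }

    [pscustomobject]@{
        TargetOS          = $TargetOS
        SchemaVersion     = Get-SchemaVersion
        DomainLevel       = "$($domain.DomainMode)"
        ForestLevel       = "$($forest.ForestMode)"
        Sysvol            = $sysvol
        DomainControllers = $dcs
        Ready             = ($findings.Count -eq 0)
        Findings          = $findings
    }
}

Test-DcPromotionReadiness -TargetOS '2019' | Format-List
```

Run it from any domain-joined machine with RSAT; ‘Ready’ is only true when every finding is empty, and the same Get-SchemaVersion function is what you run after the promotion to confirm the schema has moved to 87 or 88.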

Procedure: Deploy a 2019 Domain Controller

With a vanilla install, Server Manager will open every time you boot (unless you’ve disabled it). To open it manually, run ‘servermanager.exe’ > Manage > Add Roles and Features.

I usually tick the ‘Skip this page by default’ option > Next.

Role Based… > Next.

Ensure the local server is selected, (if you are managing another server, you can of course do the role install from here as well, but let’s keep things simple) > Next.

Select Active Directory Domain Services > Next.

Next.

Next.

Ensure ‘Restart’ is selected > Next.

Next.

Promote Windows Server To Domain Controller

Back in Server Manager > In the ‘Notifications’ section, click the warning triangle > ‘Promote This Server To Domain Controller’.

Assuming you already have a domain, and this is not a greenfield Install > Add a domain controller to an existing domain > Next.

Type and confirm a Directory Services Restore Mode (DSRM) password. Make it something you will remember in a crisis, or store it securely somewhere; it is the local administrator password used when the DC is booted into DSRM, so treat it like any other privileged credential > Next.

This is fine. You see this warning because the wizard is trying to create a delegation for this DNS zone in the parent zone, and there isn’t a Windows DNS server above you in the DNS hierarchy that you can write to. For example, if your domain name is petelnetlive.co.uk, I do not have access to create a delegation in the co.uk zone. (So you can safely ignore it) > Next

If you have a backup of AD you can ‘Install From Media’. This used to be handy on remote sites that had awful bandwidth, as it saved you having to replicate a large Active Directory over a ‘pants’ connection > I’ve not had to do that in a long time > Next.

Unless you want to change the default AD install locations > Next.

Next.

Read any warnings  > Install

Go have a coffee, we ticked ‘reboot’ earlier so it will complete, then reboot the server, which will come back up as a domain controller.

You will notice, (if you’re interested,) that your schema version is now 88 (Server 2019), or 87 (Server 2016).

 

Find out your Domain Schema Version

Related Articles, References, Credits, or External Links

NA

PowerShell: Creating Domains and Domain Controllers

KB ID 0001400

Problem

I needed to spin up some Windows 2016 Servers, and a domain to do some testing. I have promoted hundreds maybe thousands of domain controllers, so I wondered if this time I could do it with PowerShell. It’s actually easier than using the GUI!

Solution

If you were doing this in Server Manager, you would have to add the role first, and PowerShell is no different;

[box]Install-WindowsFeature AD-Domain-Services -IncludeManagementTools[/box]

Then promote the server to a new DC in a new forest;

[box]Install-ADDSForest[/box]

Supply the new domain name and the DSRM (recovery) password when prompted. Select ‘Y’ to reboot, go and have a coffee, and when it finishes you will have a new DC in a new domain, ready to log into.
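The same two steps in fully scripted, non-interactive form, as an added example that is not part of the original article, together with the matching dry-run cmdlets (the same checks the GUI shows on its prerequisites page). Assumed values: the domain corp.example.com with NetBIOS name CORP, the site Default-First-Site-Name, a DSRM password typed by the operator at run time (never hard-code it), and that the Test-ADDS* cmdlets return an object whose Status and Message properties summarise the checks. Call one function or the other on a given server; a box cannot be both a new forest root and an extra DC.

```powershell
# Added example (not the article's own code). Assumed names: corp.example.com / CORP,
# site Default-First-Site-Name; DSRM password and credential are prompted for.

function New-LabForest {
    param(
        [string]$DomainName  = 'corp.example.com',
        [string]$NetbiosName = 'CORP',
        [System.Security.SecureString]$DsrmPassword = (Read-Host -AsSecureString 'DSRM password')
    )
    # Role first, exactly as in the interactive version
    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null

    $p = @{
        DomainName                    = $DomainName
        DomainNetbiosName             = $NetbiosName
        ForestMode                    = 'WinThreshold'   # Windows Server 2016 functional level
        DomainMode                    = 'WinThreshold'
        InstallDns                    = $true
        CreateDnsDelegation           = $false           # no writable parent zone in a lab, so don't even try
        SafeModeAdministratorPassword = $DsrmPassword
        Force                         = $true            # no "are you sure" prompt
    }
    # Dry run first: reports problems without changing anything
    $check = Test-ADDSForestInstallation @p
    if ($check.Status -ne 'Success') { throw "Prerequisite check failed: $($check.Message)" }
    Install-ADDSForest @p   # reboots when finished unless -NoRebootOnCompletion is added
}

function Add-LabDomainController {
    param(
        [string]$DomainName = 'corp.example.com',
        [string]$SiteName   = 'Default-First-Site-Name',
        [System.Security.SecureString]$DsrmPassword = (Read-Host -AsSecureString 'DSRM password'),
        [pscredential]$Credential = (Get-Credential -Message 'Domain Admin account for the promotion')
    )
    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null

    $p = @{
        DomainName                    = $DomainName
        Credential                    = $Credential
        SiteName                      = $SiteName
        InstallDns                    = $true            # global catalog is the default, no switch needed
        SafeModeAdministratorPassword = $DsrmPassword
        Force                         = $true
    }
    $check = Test-ADDSDomainControllerInstallation @p
    if ($check.Status -ne 'Success') { throw "Prerequisite check failed: $($check.Message)" }
    Install-ADDSDomainController @p
}

# On the first server:   New-LabForest
# On each extra server:  Add-LabDomainController -DomainName 'corp.example.com'
```

Splatting one hashtable into both the Test-* and Install-* cmdlets guarantees the dry run checks exactly the parameters the real promotion will use, and CreateDnsDelegation is set to false explicitly so the lab build does not stall on the delegation warning described in the next article.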

Related Articles, References, Credits, or External Links

NA

Windows – A Delegation For This DNS Server Cannot Be Created

KB ID 0001287

Problem

When promoting a server to be a domain controller, you might see the following error,

“A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain “{zone-name}”. Otherwise, no action is required”.

Or if you are on older domain controllers;

I’ve clicked past this error many thousands of times, because I know its safe to do so, but what does it mean? And why (in most cases), can you simply ignore it?

Solution

Quick Answer:

If you’re here because you have just Googled the error and don’t really care, because you have work to do, then in 99% of cases this error can be ignored. The only time it matters is when you need assets within your internal domain DNS to be addressable (resolvable by name) from the public internet.

But I’m creating a child domain? If you are creating a child domain, then the machine you are promoting to be a domain controller in the new child domain should be a member of the root domain first. Also, you need to be logged on with a member of the Enterprise Admins group. When creating a child domain you should NEVER see this error, because a DNS delegation is created for you automatically in the root domain. The only error you may see is;

Could not log into the domain with the specified credentials. Supply a valid credential and try again.

Make sure you are a member of the root domains enterprise admin group and that the root domain is contactable.

The Long Answer:

It’s complaining because it can’t make a ‘delegation’ in the zone that’s directly above you. What does that mean? A delegation is (as the name implies) a method of delegating authority for a DNS zone somewhere else, to another DNS server to be precise: the parent zone holds NS records (and glue A/AAAA records) that say ‘for anything under this name, ask these servers’. So for the following;

AD domain domain.com looks to the servers responsible for com for a delegation to itself; if one does not exist it tries to create one, and fails (you don’t control the com zone).

AD domain subdomain.domain.com (new domain in a new forest) looks to the servers responsible for domain.com for a delegation to itself; if one does not exist it tries to create one, and fails unless domain.com is a Windows DNS zone you have rights to. NOTE: this domain might look like a subdomain/child domain, but if you selected ‘new domain in a new forest’ it isn’t (this can be confusing, which is why I’m mentioning it).

AD child domain subdomain.domain.com looks to the DNS servers responsible for domain.com (the root domain in your forest) and creates a delegation for you. For this to work you will have selected “Add a new domain to an existing forest”.

Providing you are an enterprise administrator the delegation will be created for you in the domain ‘above’ you.

If you open the delegation, you will see that the name server entry for your child domain has been created;

The domain ‘Above’ me isn’t a Windows domain, or it’s a public domain?

Then, if you need to have your domain assets addressed by their DNS name from the internet, you need to do the following.

  1. Allow DNS access to your internal DNS server(s) from the internet (UDP and TCP port 53).
  2. Create an A (or AAAA) record for each of your DNS servers, with a public name, i.e. ns1.yourdomain.com etc.
  3. Create an NS (name server) record for your domain in the parent zone that points to each of those A (or AAAA) records (the A/AAAA records are the ‘glue’).

Before you do that, think about what it gives away: an AD-integrated zone contains every internal hostname plus the _msdcs SRV records that map out your domain controllers, and a zone cannot be published selectively. The usual approach is split-brain DNS instead, with a separate external zone that holds only the public records, and the internal AD zone left unreachable from the internet.
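The manual fix the message asks for, as an added example that is not part of the original article: it creates the delegation with the DnsServer module on the Windows server that hosts the parent zone, then checks that the parent actually answers with it. Assumed names: parent zone example.com on ns-parent.example.com, and a child AD domain corp.example.com whose first DC is dc1.corp.example.com at 10.10.0.10; run it as an account that can edit the parent zone.

```powershell
# Added example (not the article's own code). Assumed names: example.com on
# ns-parent.example.com as the parent, corp.example.com / dc1 (10.10.0.10) as the child.
Import-Module DnsServer

$parentServer = 'ns-parent.example.com'
$parentZone   = 'example.com'
$childLabel   = 'corp'                   # ChildZoneName is the label under the parent, not the FQDN
$childDc      = 'dc1.corp.example.com'
$childDcIp    = '10.10.0.10'

function New-ChildZoneDelegation {
    # Creates the NS record for corp.example.com inside example.com plus the glue A record for the DC
    Add-DnsServerZoneDelegation -ComputerName $parentServer -Name $parentZone `
        -ChildZoneName $childLabel -NameServer $childDc -IPAddress $childDcIp
    Get-DnsServerZoneDelegation -ComputerName $parentServer -Name $parentZone -ChildZoneName $childLabel
}

function Test-ChildZoneDelegation {
    param(
        [string]$ChildZone  = "$childLabel.$parentZone",
        [string]$Server     = $parentServer,
        [string]$ExpectedNs = $childDc
    )
    # Ask the parent's server directly: a delegation only helps if the parent hands out the NS + glue
    $answer = Resolve-DnsName -Name $ChildZone -Type NS -Server $Server -DnsOnly -ErrorAction SilentlyContinue
    $ns = @($answer | Where-Object { $_.Type -eq 'NS' } | ForEach-Object { $_.NameHost.TrimEnd('.') })
    return ($ns -contains $ExpectedNs.TrimEnd('.'))
}

New-ChildZoneDelegation
if (-not (Test-ChildZoneDelegation)) {
    Write-Warning "Parent does not yet return $childDc as NS for $childLabel.$parentZone"
}

# If the parent zone lives on a non-Windows server (BIND, a registrar's DNS, ...) the same two
# records are what you add there, in zone-file form:
#   corp        IN NS  dc1.corp.example.com.
#   dc1.corp    IN A   10.10.0.10
```

The verification deliberately queries the parent’s server with -DnsOnly rather than whatever resolver the workstation uses, because a cached or forwarded answer can make a missing delegation look present.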

 

Related Articles, References, Credits, or External Links

NA

Add a 2012 Domain Controller to a 2008 Domain

KB ID 0000680 

Problem

This is considerably less painful than adding a 2008/2008 R2 domain controller to a 2003 domain was. You don’t have to manually prep the schema on the schema master, or run forestprep and domainprep: the wizard does everything for you (it still runs adprep under the hood, so you need to be a member of Schema Admins and Enterprise Admins as well as Domain Admins).

Solution

1. Launch server manager from the taskbar > Select Local Server > Manage > Add Roles and Features.

2. Role Based… > Next.

3. Select local server > Next.

4. Tick ‘Active Directory Domain Service’ > Next.

5. Accept the defaults > Next.

6. Next.

7. Install.

8. Installation may take a while.

9. When finished nothing appears to change, but it does say “Succeeded” > Close.

10. Now the role is on the server you just need to promote it, you can do this by selecting AD DS in the left hand menu > and click ‘More’.

11. ‘Promote the server to a domain controller’

12. By default it will fill in the domain you are already a member of > Next

13. Enter your Directory Services Restore Mode password (DON’T ever lose this password!) > Next.

14. I don’t want anyone outside my domain browsing my domain, so I don’t care about the delegation error > Next.

15. If you want to reboot as soon as it’s finished tick the box, and (optionally) select a DC to replicate from > Next.

16. Accept or change the paths as required > Next.

17. Here’s a nice touch: now it preps the forest, schema, and domain for you > Next.

18. Next.

19. Install (I’d suggest a reboot when it’s done).

Related Articles, References, Credits, or External Links

NA

Server 2012 – ‘The Active Directory Services Installation Wizard is relocated in Server Manager’

KB ID 0000714 

Problem

I’ve already written about promoting or adding a Windows Server 2012 Domain Controller;

Add a Server 2012 Domain Controller to a 2008 Domain

But if you attempt to run ‘dcpromo’ from the command line, you will see this error, and a link to a TechNet article. (Perhaps a clickable link to a picture showing where dcpromo now lives would be better!)

Solution

Note: I’m assuming you have already added the Active Directory Domain Services Role? If not do that first.

1. From Server Manager (ServerManager.exe) > AD DS > There should be a warning triangle at the top of the window > Select it > ‘Promote this server to a domain controller’

Related Articles, References, Credits, or External Links

NA

Deploying a Windows Server 2008 Domain Controller in a Windows 2003 Domain

KB ID 0000239

Problem

Before you can add a Windows Server 2008 domain controller to a Windows Server 2003 domain you need to carry out some preparation. This can be done during working hours, as the process only has a slight performance hit and no one will notice there is work going on. Bear in mind that forestprep is a schema change and cannot be undone, so take a system state backup of the schema master before you start.

Solution

Before you start, have a good look round your existing domain controllers and get the latest service packs and updates installed. Have a good look through the event logs on the domain controllers, and make sure your domain is happy and replicating, before introducing 2008.

1. First locate the server that holds the FSMO role “schema master”

Locate your FSMO Servers

netdom query /domain:YOURDOMAINNAME fsmo

Note: this is a test network, so all my roles are on the same server – yours will probably be spread out more efficiently.

Prepare the Forest for 2008

2. Go to the schema master server, logged on with an account that is a member of Schema Admins, Enterprise Admins and Domain Admins, and put in the Server 2008 install DVD (if it does not have a DVD drive, share the DVD from another machine or copy the contents of the “support” folder to the schema master).

3. Change to the directory that contains adprep and issue an “adprep /forestprep” command (or “adprep32 /forestprep” on a 32-bit server, see below).

4. Read the warning! Make sure your domain controllers comply. Press C {enter} to continue.

Adprep32 /forestprep

5. It will run for a few minutes (Coffee!). When it’s finished it should say that it was successful.

Prepare the Domain for 2008

1. You need to locate the FSMO server that’s holding your Infrastructure Master role (use the netdom command above).

2. Go to the Infrastructure Master server and put in the Server 2008 install DVD (if it does not have a DVD drive, share the DVD from another machine or copy the contents of the “support” folder to the infrastructure master).

3. Change to the directory that contains adprep and issue an “adprep /domainprep” command (or “adprep32 /domainprep” on a 32-bit server, see below).

Adprep32 /domainprep

Note: This will fail if the domain is not in “Native Mode” (domainprep needs the Windows 2000 native domain functional level or higher).

Note: You may also want to run “adprep /domainprep /gpprep” when the above has completed successfully. It adds inheritable ACEs to every GPO in SYSVOL, which makes FRS replicate every GPO again, so on a domain with a lot of GPOs save it for out of hours.

Prepare the environment for a 2008 RODC (Read Only Domain Controller)

1. Only really a problem if you want to deploy an RODC. You need to locate the FSMO server that’s holding your Infrastructure Master role (use the netdom command above).

2. Go to the Infrastructure Master server and put in the Server 2008 install DVD (if it does not have a DVD drive, share the DVD from another machine or copy the contents of the “support” folder to the infrastructure master).

3. Change to the directory that contains adprep and issue an “adprep /rodcprep” command (or “adprep32 /rodcprep” on a 32-bit server).

4. Then carry on with ‘Install the New Windows Server 2008 Domain Controller’ below.

If you DONT Prepare for Server 2008 you will see the following errors

Seen when adding a 2008 domain controller to a domain with an earlier schema/domain version.

Error 1: To install a domain controller into this Active Directory forest you must first prepare the forest using “adprep /forestprep”. The Adprep utility is available on the Windows Server 2008 R2 installation media in the support\adprep folder.

Error 2: To install a domain controller into this Active Directory domain, you must first prepare the domain using “adprep /domainprep”. The Adprep utility is available on the Windows Server 2008 R2 installation media in the support\adprep folder.

Error 3: You will not be able to install a read-only domain controller in this domain because the “adprep /rodcprep” was not yet run.
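A way to confirm that the three adprep passes above actually took effect, as an added example that is not part of the original article: it reads the markers adprep leaves in Active Directory using plain ADSI, so it runs with PowerShell 2.0 on the 2003/2008 domain controllers themselves with no ActiveDirectory module. The expected values are an assumption taken from Microsoft’s adprep verification guidance for 2008 and 2008 R2 media (schema objectVersion 44 / 47, forest update revision 2 / 5, domain update revision 3 / 5, RODC update revision 2); confirm them against the documentation for the media you actually used.

```powershell
# Added example (not the article's own code). Assumed expected values per Microsoft's
# adprep verification guidance for 2008 / 2008 R2 media; verify against your media's docs.

function Get-AdPrepMarkers {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNc = $rootDse.Get('schemaNamingContext')
    $configNc = $rootDse.Get('configurationNamingContext')
    $domainNc = $rootDse.Get('defaultNamingContext')

    # Reads one integer attribute; $null means the object (or attribute) is not there yet,
    # which is exactly what you see before the corresponding adprep pass has run
    $read = {
        param($dn, $attribute)
        try { [int]([ADSI]"LDAP://$dn").Get($attribute) } catch { $null }
    }

    New-Object PSObject -Property @{
        SchemaVersion = & $read $schemaNc 'objectVersion'
        ForestPrepRev = & $read "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNc" 'revision'
        DomainPrepRev = & $read "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNc" 'revision'
        RodcPrepRev   = & $read "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$configNc" 'revision'
    }
}

function Test-AdPrep {
    param([ValidateSet('2008', '2008R2')][string]$Media = '2008R2')
    $table = @{
        '2008'   = @{ SchemaVersion = 44; ForestPrepRev = 2; DomainPrepRev = 3; RodcPrepRev = 2 }
        '2008R2' = @{ SchemaVersion = 47; ForestPrepRev = 5; DomainPrepRev = 5; RodcPrepRev = 2 }
    }
    $expected = $table[$Media]
    $actual   = Get-AdPrepMarkers
    foreach ($name in 'SchemaVersion', 'ForestPrepRev', 'DomainPrepRev', 'RodcPrepRev') {
        $have = $actual.$name
        # A higher value than expected is fine (a later adprep has run); missing or lower is not
        $ok = ($have -ne $null) -and ($have -ge $expected[$name])
        New-Object PSObject -Property @{
            Check = $name; Expected = $expected[$name]; Actual = $have; Passed = $ok
        }
    }
}

Test-AdPrep -Media '2008R2' | Format-Table Check, Expected, Actual, Passed -AutoSize
```

A ‘Passed’ of False on DomainPrepRev with ForestPrepRev fine is the usual picture when forestprep was run on the schema master but domainprep has not yet replicated to, or been run for, the domain you are querying; give replication time before re-running the check.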

Install the New Windows Server 2008 Domain Controller

I’m assuming you have a new server built with Windows Server 2008 / 2008 R2 installed on it, and that you have applied all the necessary service packs and updates to it. It should also be joined to the domain (as a member server) and preferably have a static IP address.

1. Whilst logged on with administrative access > Start > In the Search/Run > type dcpromo {enter}

2. Next.

3. Read the warnings > Next.

4. We are adding a new DC in an existing domain > Next.

5. Confirm the domain name is correct > Next.

6. Check again > Next.

7. If your domain has multiple sites > Then select the site that this DC will be deployed into > Next.

8. The first 2008 Domain controller, should be a global catalog server, and the promotion will install and configure DNS as well > Next.

9. If you have a flat single domain with AD integrated DNS zones, this warning about the DNS delegation is OK to ignore > Simply click Yes > Next.

10. Accept the defaults, (unless you want to host these in a different location) > Next.

11. Enter a recovery mode password. NEVER FORGET or lose this password: you will need it if you ever have to restore Active Directory by booting into Directory Services Restore Mode.

12. Review the settings > Next.

13. Active Directory will install; you can tick the box to reboot when finished if that’s OK (it will need a reboot anyway).

14. When completed simply click finish.

15. If you did not select reboot above then you will be asked to do so now.

 

Related Articles, References, Credits, or External Links

NA