Monday, March 18, 2013

Promoting a Windows 2012 Server Into a Server 2003 Domain Function Level Environment

Last week I was tasked with the wonderful job of transitioning a Windows Server 2000 domain to Windows 2012.  Obviously this upgrade path is not supported unless you move to 2003 first.  Once this was completed, which was an adventure unto its own, I thought I'd be in the clear.  Just fire up AD-DS in 2012 and allow it to reach into the 2003 server to automatically perform the ADPREP.  Boy, was I wrong.  During the AD-DS wizard's prerequisite check, it failed with the following error:

Verification of prerequisites for Active Directory preparation failed. Unable to perform Exchange schema conflict check for domain corp.local.
Exception: Access is denied.
Adprep could not retrieve data from the server server2003.corp.local through Windows Managment Instrumentation (WMI).
[User Action]
Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\RandomNumbers directory for possible cause of failure.

The log files provided no additional guidance whatsoever.  So after hunting for a few days, here is what I concocted to resolve the issue:

On the Server 2003 machine, check the permissions of the WMI management interface: open Computer Management (Start, Run, compmgmt.msc), expand Services and Applications, then right-click WMI Control and select Properties.  See whether the WMI Control Properties dialog opens successfully; if not, perform the following:

Execute a system-wide security settings reset from an elevated command prompt:
secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

Reboot the machine and test WMI again.  If the connection fails, perform the following:

Create a batch script from the script below and save it in the following directory: C:\Windows\System32\Wbem. Open an elevated command prompt and cd into the aforementioned directory to run the script.

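@echo off
rem Stop WMI and keep it from restarting while its components are re-registered
sc config winmgmt start= disabled
net stop winmgmt /y
cd /d "%windir%\system32\wbem"
rem Re-register every DLL in the Wbem directory
for /f "delims=" %%s in ('dir /b *.dll') do regsvr32 /s "%%s"
rem Re-register the WMI provider host and the WMI service
wmiprvse /regserver
winmgmt /regserver
rem Restore automatic startup and start WMI again
sc config winmgmt start= auto
net start winmgmt
rem Recompile all MOF and MFL files into the WMI repository
for /f "delims=" %%s in ('dir /s /b *.mof *.mfl') do mofcomp "%%s"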

Reboot the machine and test WMI again.  If the connection fails again, execute the security settings reset once more from an elevated command prompt:

secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

Reboot the machine and test WMI again.  You should now have access to WMI Control.  If so, continue with the DC promotion.  If not, you may have to jump to a Server 2008 domain controller first.
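
The adprep error is about remote WMI access from the 2012 server, so it helps to confirm that path before re-running the AD-DS wizard. The PowerShell check below is an added example, not part of the original post; the function name Test-RemoteWmi is hypothetical, and it assumes that a remote query of root\cimv2 is a reasonable proxy for the WMI access adprep needs.

```powershell
# Added example (not from the original post). Run on the Windows Server 2012 machine
# as the account that will perform the promotion.
# Assumption: a remote root\cimv2 query stands in for the WMI access adprep requires.
function Test-RemoteWmi {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName
    )
    $status = 'OK'
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -Namespace 'root\cimv2' `
                            -ComputerName $ComputerName -ErrorAction Stop
        $detail = "$($os.Caption) SP$($os.ServicePackMajorVersion)"
    }
    catch [System.UnauthorizedAccessException] {
        # Same symptom as the wizard's "Access is denied": WMI/DCOM permissions on the target
        $status = 'AccessDenied'
        $detail = $_.Exception.Message
    }
    catch [System.Runtime.InteropServices.COMException] {
        # Typically RPC/DCOM connectivity (for example, RPC server unavailable)
        $status = 'RpcOrDcomError'
        $detail = '0x{0:X8} {1}' -f $_.Exception.ErrorCode, $_.Exception.Message
    }
    catch {
        # Anything else, e.g. a damaged repository reporting an invalid class or namespace
        $status = 'OtherError'
        $detail = $_.Exception.Message
    }
    New-Object PSObject -Property @{
        Computer = $ComputerName
        Status   = $status
        Detail   = $detail
    }
}

# Host name taken from the error message quoted in the post
Test-RemoteWmi -ComputerName 'server2003.corp.local' | Format-List Computer, Status, Detail
```

A Status of AccessDenied means the prerequisite check is likely to fail the same way; OK means the 2003 server answered a remote WMI query for this account.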