Monday, March 18, 2013

Promoting a Windows 2012 Server Into a Server 2003 Domain Function Level Environment

Last week I was tasked with the wonderful job of transitioning a Windows Server 2000 domain to Windows 2012.  Obviously this upgrade path is not supported unless you move to 2003 first.  Once this was completed, which was an adventure unto its own, I thought I'd be in the clear.  Just fire up AD-DS in 2012 and allow it to reach into the 2003 server to automatically perform the ADPREP.  Boy was I wrong.  During the AD-DS wizard's prerequisite check, it failed with the following error:

Verification of prerequisites for Active Directory preparation failed. Unable to perform Exchange schema conflict check for domain corp.local.
Exception: Access is denied.
Adprep could not retrieve data from the server server2003.corp.local through Windows Managment Instrumentation (WMI).
[User Action]
Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\RandomNumbers directory for possible cause of failure.


The log files provided no additional guidance whatsoever.  So after hunting for a few days, here is what I concocted to resolve the issue:

On the Server 2003 machine, check the permissions of the WMI management interface: open Computer Management (Start, Run, compmgmt.msc), expand Services and Applications, then right-click WMI Control and select Properties.  If the WMI Control Properties dialog does not open successfully, perform the following:

Execute a system-wide security settings reset from an elevated command prompt:
secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

Reboot the machine and test WMI again.  If the connection still fails, perform the following:

Create a batch script from the script below and save it in the following directory: C:\Windows\System32\Wbem. Open an elevated command prompt and cd into the aforementioned directory to run the script.

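@echo off
rem Stop WMI and keep it from restarting while its components are re-registered
sc config winmgmt start= disabled
net stop winmgmt /y
%systemdrive%
cd %windir%\system32\wbem
rem Re-register every WMI DLL in the wbem directory
for /f %%s in ('dir /b *.dll') do regsvr32 /s %%s
rem Re-register the WMI provider host and the WMI service
wmiprvse /regserver
winmgmt /regserver
rem Re-enable and start the WMI service
sc config winmgmt start= auto
net start winmgmt
rem Recompile all MOF and MFL files into the WMI repository
for /f %%s in ('dir /s /b *.mof *.mfl') do mofcomp %%s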


Reboot the machine and test WMI again.  If the connection fails again, execute the security settings reset once more from an elevated command prompt:

secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

Reboot the machine and test WMI again.  You should now have access to WMI Control.  If so, continue with the DC promotion.  If not, you may have to jump to a Server 2008 domain controller first.
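
Before re-running the AD-DS wizard, remote WMI access can also be checked from the Server 2012 side. The following is an added example, not part of the original post: the function name Test-RemoteWmi is hypothetical, the host name is the one from the error message above, and the root\cimv2 / Win32_OperatingSystem query is only an assumed generic probe, since the post does not show the exact query adprep issues.

```powershell
# Added example, not from the original post. Run on the Server 2012 machine
# with the account that will perform the promotion.
# Assumption: Win32_OperatingSystem in root\cimv2 is used only as a generic
# remote WMI probe; the query adprep itself runs is not shown in the post.
function Test-RemoteWmi {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [System.Management.Automation.PSCredential]$Credential
    )

    $query = @{
        ComputerName = $ComputerName
        Namespace    = 'root\cimv2'
        Class        = 'Win32_OperatingSystem'
        ErrorAction  = 'Stop'   # turn failures into catchable exceptions
    }
    if ($Credential) { $query.Credential = $Credential }

    try {
        $os = Get-WmiObject @query
        [pscustomobject]@{
            Computer = $ComputerName
            Status   = 'OK'
            Detail   = "$($os.Caption) SP$($os.ServicePackMajorVersion)"
        }
    }
    catch [System.UnauthorizedAccessException] {
        # Same condition the wizard reported: "Access is denied."
        # Points at WMI/DCOM permissions on the remote server.
        [pscustomobject]@{ Computer = $ComputerName; Status = 'AccessDenied'
                           Detail = $_.Exception.Message }
    }
    catch [System.Runtime.InteropServices.COMException] {
        # Usually a connectivity failure such as "The RPC server is
        # unavailable" rather than a permissions problem.
        [pscustomobject]@{ Computer = $ComputerName; Status = 'Unreachable'
                           Detail = $_.Exception.Message }
    }
    catch {
        [pscustomobject]@{ Computer = $ComputerName; Status = 'Error'
                           Detail = $_.Exception.Message }
    }
}

Test-RemoteWmi -ComputerName 'server2003.corp.local'
```

A Status of AccessDenied matches the failure the prerequisite check reported; OK means this remote WMI probe succeeds from the 2012 server.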

5 comments:

  1. Which PC are you running the commands on? The 2012 server or the 2003 server? It's not clear.

  2. So, I figured commands needed to be run on the 2003 server. Followed all the steps. No luck. Looks like I'll be setting up a 2008 server to do a 2-step promotion. Thanks for the post.

  3. The script worked great for me. I had to correct the FOR lines so it would register the dlls. You are missing a %S on the first, and the last one I had to change both %S to %%S. Thanks so much!

  4. Thanks it was a help for me too!
    Here's what the corrected script should look like-


    @echo off
    sc config winmgmt start= disabled
    net stop winmgmt /y
    %systemdrive%
    cd %windir%\system32\wbem
    for /f %%s in ('dir /b *.dll') do regsvr32 /s %%s
    wmiprvse /regserver
    winmgmt /regserver
    sc config winmgmt start= auto
    net start winmgmt
    for /f %%s in ('dir /s /b *.mof *.mfl') do mofcomp %%s
