Monday, March 18, 2013

Promoting a Windows 2012 Server Into a Server 2003 Domain Function Level Environment

Last week I was tasked with the wonderful job of transitioning a Windows Server 2000 domain to Windows 2012.  Obviously this upgrade path is not supported unless you move to 2003 first.  Once this was completed, which was an adventure unto its own, I thought I'd be in the clear.  Just fire up AD-DS in 2012 and allow it to reach into the 2003 server to automatically perform the ADPREP.  Boy was I wrong.  During the AD-DS wizard's prerequisite check, it failed with the following error:

Verification of prerequisites for Active Directory preparation failed. Unable to perform Exchange schema conflict check for domain corp.local.
Exception: Access is denied.
Adprep could not retrieve data from the server server2003.corp.local through Windows Managment Instrumentation (WMI).
[User Action]
Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\RandomNumbers directory for possible cause of failure.


The log files provided no additional guidance whatsoever.  So after hunting for a few days, here is what I concocted to resolve the issue:

On the Server 2003 machine, check the permissions of the WMI Management Interface: open Computer Management (Start, Run, compmgmt.msc), expand Services and Applications, then right-click WMI Control and select Properties.  See if you're able to successfully open the WMI Control Properties.  If not, perform the following:

Execute a system-wide security settings reset from an elevated command prompt:
secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

Reboot the machine and test WMI again.  If the connection fails, perform the following:

Create a batch script from the script below and save it in the following directory: C:\Windows\System32\Wbem. Open an elevated command prompt and cd into the aforementioned directory to run the script.

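@echo off
rem Stop WMI and keep it from restarting while its components are re-registered
sc config winmgmt start= disabled
net stop winmgmt /y
rem Switch to the system drive and the WBEM directory
%systemdrive%
cd %windir%\system32\wbem
rem Re-register every DLL in the WBEM directory
for /f %%s in ('dir /b *.dll') do regsvr32 /s %%s
rem Re-register the WMI provider host and the WMI service
wmiprvse /regserver
winmgmt /regserver
rem Restore automatic startup and start WMI again
sc config winmgmt start= auto
net start winmgmt
rem Recompile all MOF and MFL files into the WMI repository
for /f %%s in ('dir /s /b *.mof *.mfl') do mofcomp %%s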


Reboot the machine and test WMI again.  If the connection fails again, execute the security settings reset once more from an elevated command prompt:

secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

Reboot the machine and test WMI again.  You should now have access to WMI Control; if so, continue with the DC promotion.  If not, you may have to jump to a Server 2008 domain controller first.
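
The WMI test above is done locally on the 2003 server, but the prerequisite check fails on a remote WMI call made from the 2012 server. The following is an added example, not part of the original post: a PowerShell check to run on the Server 2012 machine that separates a permissions failure from a blocked RPC/DCOM path. The function name Test-RemoteWmi is hypothetical, the default server name is the one from the error message, and the Win32_OperatingSystem query is an assumed stand-in for whatever adprep itself requests.

```powershell
# Added example: run on the Server 2012 machine, as the account used for the promotion.
# Default server name is taken from the error message; change it for your domain.
param([string]$Server = 'server2003.corp.local')

function Test-RemoteWmi {
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    try {
        # Get-WmiObject talks DCOM/RPC, the remote WMI transport a Server 2003
        # machine offers out of the box (Get-CimInstance defaults to WS-Man).
        # Assumption: this generic query stands in for adprep's own WMI call.
        $os = Get-WmiObject -Class Win32_OperatingSystem -Namespace 'root\cimv2' `
                            -ComputerName $ComputerName -ErrorAction Stop
        return "OK: $ComputerName answered over WMI ($($os.Caption))"
    }
    catch [System.UnauthorizedAccessException] {
        # HRESULT 0x80070005, the same "Access is denied" adprep reports.
        return "ACCESS DENIED: $ComputerName is reachable but refused the WMI call; " +
               "check WMI Control security on that server and the account in use"
    }
    catch [System.Runtime.InteropServices.COMException] {
        # Typically 0x800706BA (RPC server unavailable): the request never got through.
        $code = '0x{0:X8}' -f $_.Exception.ErrorCode
        return "RPC/DCOM FAILURE ${code}: look for a firewall, antivirus or RPC filter " +
               "between this machine and $ComputerName"
    }
    catch [System.Management.ManagementException] {
        # WMI itself answered with an error (broken repository, missing class or provider).
        return "WMI ERROR $($_.Exception.ErrorCode): the WMI repository or providers on " +
               "$ComputerName need repair"
    }
    catch {
        return "UNEXPECTED: $($_.Exception.GetType().FullName): $($_.Exception.Message)"
    }
}

Test-RemoteWmi -ComputerName $Server
```

An ACCESS DENIED or WMI ERROR result points at the repair steps in this post; an RPC/DCOM FAILURE result points at something filtering traffic between the two servers rather than at WMI itself.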

11 comments:

  1. Which PC are you running the commands on? The 2012 server or the 2003 server? It's not clear.

  2. So, I figured commands needed to be run on the 2003 server. Followed all the steps. No luck. Looks like I'll be setting up a 2008 server to do a 2-step promotion. Thanks for the post.

  3. The script worked great for me. I had to correct the FOR lines so it would register the dlls. You are missing a %S on the first, and the last one I had to change both %S to %%S. Thanks so much!

  4. Thanks it was a help for me too!
    Here's what the corrected script should look like-


    @echo off
    sc config winmgmt start= disabled
    net stop winmgmt /y
    %systemdrive%
    cd %windir%\system32\wbem
    for /f %%s in ('dir /b *.dll') do regsvr32 /s %%s
    wmiprvse /regserver
    winmgmt /regserver
    sc config winmgmt start= auto
    net start winmgmt
    for /f %%s in ('dir /s /b *.mof *.mfl') do mofcomp %%s

  5. Dude, you saved me on this one, thanks bro. I owe you a beer if I ever see you. THANK YOU!!!

  6. Any possibility running these scripts would affect any other applications/services?

  7. Had the same error message. Turned out it was due to Trend Micro Worry Free Business Services being installed on the only DC in the network. Uninstalled it and DCPROMO went fine.

  8. Mine was also caused by AV (ESET). Once uninstalled it worked fine.

  9. Thank you dude. The script worked for me with little difficulty. The first time I was running the script I was faced with error 0x80040155 "interface not registered". After googling the error I found this article: https://www.sophos.com/en-us/support/knowledgebase/23743.aspx. I registered ole32.dll (regsvr32 \windows\system32\ole32.dll). After that I started the script, and it finished successfully.

  10. For me it was the ISA 2004 service on our SBS 2003 server.

    You just need to disable the RPC Filter:

    a. Open Microsoft Internet Security and Acceleration Server 2004

    b. Go to Configuration > Add-in --> RPC Filter on the right side, right-click on it and select Properties, uncheck 'Enable this filter'

    Back to pre-requisites on the 2012 r2 server and it works straight away.
