I'm trying to replace an old Windows 2000 domain controller with a new Windows 2008 Server. I have the Active Directory Domain Services role installed on the new server and joined it to the domain. The next step is to promote the new server to be a domain controller in the existing domain. After that is done I can the take old server offline.
I've already run the adprep tool with /forestprep and /domainprep. When I run dcpromo
it looks like it replicates everything, creates the users, groups, and computer objects, but then I get this error:
The operation failed because:
Active Directory Domain Services is missing critical information after installation and cannot continue. If this is a replica Active Directory Domain Controller, rejoin this server to the domain.
"Directory object not found."
I have tried re-joining the computer to the domain and there's nothing helpful in the event logs. I'm at a loss for how to get past this. Any help appreciated.
My own searches found this MS Knowledge Base article:
http://support.microsoft.com/kb/248079
But it's not really helpful. As far as I can tell, all four items it's looking for are present, re-creating the domain isn't a good option, and the 2000sp1 slipstreaming advice doesn't apply to my windows 2008 box.
Checking into each of the objects from the KB article, I noticed the SID for my the Administrator account is: S-1-5-21-2025429265-492894223-1708537768-1124
. Note that is does not end with "500", and therefore is somehow likely wrong. The built-in Administrator account is nowhere to be found. This is the account referenced by the 2nd bullet point item under the "Causes" heading in the linked knowledge base article. Any ideas how to fix this? I'm going to make this specific part a separate question as well, but I'll be sure to keep both up to date.
Update on what might have happened. It won't help solve the problem, but in case anyone's curious I found some old notes that help explain the problem. Apparently, once upon a time this server ran an FTP service that has since been replaced with better alternatives. At the time the service was running, the then-administrator noticed that script kiddies where trying to brute-force the administrator password via that service. Now it seems that in windows 2000 you can't disable FTP access for the Administrator account short of shutting down the service. He tried re-naming the account, but they somehow followed the rename. And so after "a nasty hack" he instead "removed" the account. I think I may have to re-create the domain somehow :(
This is going to sound crazy but only because I did this to myself once. Check and be sure there are no firewalls or network issues. I had one network once where I accidently had the windows firewall turned on, on one of the DC's (there were 4), so because this DC wasn't replicating properly I couldn't do any AD upgrades. Though the rest of the network was working fine so there were no symptions until I tried to update the schema in my case.
Simple test, make sure each DC can ping every other DC and that all DNS is resolving properly. Also ensure the AD is in the highest that Windows 2000 can go, I'm not sure how backwards compatiable 2008 is as a DC.
You need to update the AD schema to the 2008 format. Between each version of AD (2000, 2003, 2003R2 and 2008) there have been schema changes. There's a tool called adprep on the 2008 DVD. I think first you will run adprep /domainprep and then adprep /forestprep. There is potentially a third one that's new to 2008. running adprep /? should help you.
Your account's SID is NOT wrong. The only account which ends in that 500 is the built-in Administrator account which is created when the domain is built. Likewise that applies to the built-in administrator account in the local SAM of a workstation/server/* NT box.
As for your dcpromo problem, post the dcpromo.log from %SystemRoot%\Debug.
Thanks, Brian Desmond Active Directory MVP
Make sure that the domain is upgraded from mixed mode. The initial 2000 install (like the others) has a limited functionality version. You can bounce it up to full 2000 only domain. Once that is done, try the upgrade again.
If you get no joy with that, get a copy of 2003 ( your 2008 licence also downgrading ) and do the upgrade to a 2003 domain. Once again, upgrade the domain functionality level afterwards. Then try step up to the 2008 domain.
Also, leave some time after each step if/when it completes so things can replicate in the background.