SOLVED Upgrade Active Directory from 2008 to 2012 R2

Thang Nguyen Quoc

Please help me.
When upgrading an additional Active Directory from 2008 to 2012 R2, I cannot add a user to a group.
 

Is this a production environment connected to the internet? I ask because the results of a DCDIAG would be of help but don't post it if this is connected-prod.

Have you updated the schema of the domain?
 
Results of DC for Server 2012 R2


Performing initial setup:
Trying to find home server...
Home Server = hclv-au01-2k12
* Identified AD Forest.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\HCLV-AU01-2K12
Starting test: Connectivity
......................... HCLV-AU01-2K12 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\HCLV-AU01-2K12
Starting test: Advertising
......................... HCLV-AU01-2K12 passed test Advertising
Starting test: FrsEvent
......................... HCLV-AU01-2K12 passed test FrsEvent
Starting test: DFSREvent
......................... HCLV-AU01-2K12 passed test DFSREvent
Starting test: SysVolCheck
......................... HCLV-AU01-2K12 passed test SysVolCheck
Starting test: KccEvent
......................... HCLV-AU01-2K12 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... HCLV-AU01-2K12 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... HCLV-AU01-2K12 passed test MachineAccount
Starting test: NCSecDesc
......................... HCLV-AU01-2K12 passed test NCSecDesc
Starting test: NetLogons
......................... HCLV-AU01-2K12 passed test NetLogons
Starting test: ObjectsReplicated
......................... HCLV-AU01-2K12 passed test ObjectsReplicated
Starting test: Replications
......................... HCLV-AU01-2K12 passed test Replications
Starting test: RidManager
......................... HCLV-AU01-2K12 passed test RidManager
Starting test: Services
......................... HCLV-AU01-2K12 passed test Services
Starting test: SystemLog
......................... HCLV-AU01-2K12 passed test SystemLog
Starting test: VerifyReferences
......................... HCLV-AU01-2K12 passed test VerifyReferences


Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation

Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation

Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation

Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation

Running partition tests on : abc
Starting test: CheckSDRefDom
......................... abc passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... abc passed test CrossRefValidation

Running enterprise tests on : abc
Starting test: LocatorCheck
......................... abc.com passed test LocatorCheck
Starting test: Intersite
......................... abc.com passed test Intersite
PS C:\Users\younetcompany>
 
No errors... So I take it the 2008DC is still on the domain and the schema's at that level?
If so which DC were you connected to and were unable to add a user to a group? Does it hold the FSMO roles?
 
Windows 2012 R2 is connecting to the primary 2008 sp2 child holding 5 roles

DCDIAG for windows 2008 sp (primary domain controller)

Doing initial required tests

Testing server: Default-First-Site-Name\WS2K8
Starting test: Connectivity
......................... WS2K8 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\WS2K8
Starting test: Advertising
......................... WS2K8 passed test Advertising
Starting test: FrsEvent
......................... WS2K8 passed test FrsEvent
Starting test: DFSREvent
......................... WS2K8 passed test DFSREvent
Starting test: SysVolCheck
......................... WS2K8 passed test SysVolCheck
Starting test: KccEvent
An Warning Event occurred. EventID: 0x800004B3
Time Generated: 10/01/2019 10:30:03
Event String:
The directory service could not replicate the following object from the source directory service at the following network address because
of an Active Directory Domain Services schema mismatch.
An Warning Event occurred. EventID: 0x80000785
Time Generated: 10/01/2019 10:30:03
Event String: The attempt to establish a replication link for the following writable directory partition failed.
An Warning Event occurred. EventID: 0x800004B3
Time Generated: 10/01/2019 10:30:04
Event String:
The directory service could not replicate the following object from the source directory service at the following network address because
of an Active Directory Domain Services schema mismatch.
An Warning Event occurred. EventID: 0x80000785
Time Generated: 10/01/2019 10:30:04
Event String: The attempt to establish a replication link for the following writable directory partition failed.
An Warning Event occurred. EventID: 0x800004B3
Time Generated: 10/01/2019 10:30:04
Event String:
The directory service could not replicate the following object from the source directory service at the following network address because
of an Active Directory Domain Services schema mismatch.
An Warning Event occurred. EventID: 0x80000785
Time Generated: 10/01/2019 10:30:04
Event String: The attempt to establish a replication link for the following writable directory partition failed.
......................... WS2K8 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... WS2K8 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... WS2K8 passed test MachineAccount
Starting test: NCSecDesc
......................... WS2K8 passed test NCSecDesc
Starting test: NetLogons
......................... WS2K8 passed test NetLogons
Starting test: ObjectsReplicated
......................... WS2K8 passed test ObjectsReplicated
Starting test: Replications
......................... WS2K8 passed test Replications
Starting test: RidManager
......................... WS2K8 passed test RidManager
Starting test: Services
Invalid service type: NETLOGON on WS2K8, current value WIN32_SHARE_PROCESS, expected value WIN32_SHARE_PROCESS
......................... WS2K8 failed test Services
Starting test: SystemLog
An Error Event occurred. EventID: 0xC0001B77
Time Generated: 10/01/2019 09:49:09
Event String:
The Terminal Services ActiveX Client service terminated unexpectedly. It has done this 141 time(s). The following corrective action will
be taken in 1000 milliseconds: Restart the service.
An Warning Event occurred. EventID: 0x000003FC
Time Generated: 10/01/2019 10:17:22
Event String: Scope, 192.168.20.0, is 81 percent full with only 46 IP addresses remaining.
......................... WS2K8 failed test SystemLog
Starting test: VerifyReferences
......................... WS2K8 passed test VerifyReferences


Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation

Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation

Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation

Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
 
Well there's your problem. I'm hoping you stripped out information from that report and it wasn't missing. It should identify "the following object" by distinguished name.

You might need to disable inheritance, reset the security, and enable inheritance on those objects. The thing is saving the original ACLs just in case that doesn't help or makes something worse. I'd suggest doing it in PowerShell so you can capture the current ACLs and store them in a variable you can reference to revert them.

Have you looked through the dcpromo logs on the 2012 just to see if there was anything in there of interest regarding this?
%systemroot%\debug\dcpromo.log
 
Looks clean.
But based on the 2008's dcdiag you have replication issues which can cause all sorts of problems in AD.
Check replication on both:
Repadmin /replsummary
Repadmin /Showrepl
 
Repadmin /replsummary
Replication Summary Start Time: 2019-10-01 12:01:58

Beginning data collection for replication summary, this may take awhile:
......


Source DSA largest delta fails/total %% error
LC 04m:58s 0 / 10 0
WS2K8 09m:06s 0 / 10 0


Destination DSA largest delta fails/total %% error
HCLV-AU01-2K12 04m:58s 0 / 10 0
LC 09m:06s 0 / 5 0
WS2K8 02m:47s 0 / 5 0



Repadmin /Showrepl

Repadmin: running command /Showrepl against full DC localhost
Default-First-Site-Name\WS2K8
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 29828689-a748-4c17-b974-608895a8e6df
DSA invocationID: b5c94809-7a57-465b-9890-10793248992c

==== INBOUND NEIGHBORS ======================================

DC=younetco,DC=com
Default-First-Site-Name\LC via RPC
DSA object GUID: 27cda3e2-f619-4d74-82eb-ebbd38eeaac7
Last attempt @ 2019-10-01 12:02:13 was successful.

CN=Configuration,DC=abc,DC=com
Default-First-Site-Name\LC via RPC
DSA object GUID: 27cda3e2-f619-4d74-82eb-ebbd38eeaac7
Last attempt @ 2019-10-01 11:59:11 was successful.

CN=Schema,CN=Configuration,DC=abc,DC=com
Default-First-Site-Name\LC via RPC
DSA object GUID: 27cda3e2-f619-4d74-82eb-ebbd38eeaac7
Last attempt @ 2019-10-01 11:59:11 was successful.

DC=DomainDnsZones,DC=abc,DC=com
Default-First-Site-Name\LC via RPC
DSA object GUID: 27cda3e2-f619-4d74-82eb-ebbd38eeaac7
Last attempt @ 2019-10-01 11:59:11 was successful.

DC=ForestDnsZones,DC=abc,DC=com
Default-First-Site-Name\LC via RPC
DSA object GUID: 27cda3e2-f619-4d74-82eb-ebbd38eeaac7
Last attempt @ 2019-10-01 11:59:11 was successful.

Source: Default-First-Site-Name\HCLV-AU01-2K12
******* 3 CONSECUTIVE FAILURES since 2019-10-01 11:19:11
Last error: 8418 (0x20e2):
The replication operation failed because of a schema mismatch between the servers involved.

Naming Context: CN=Configuration,DC=abc,DC=com
Source: Default-First-Site-Name\HCLV-AU01-2K12
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: DC=abc,DC=com
Source: Default-First-Site-Name\HCLV-AU01-2K12
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: CN=Schema,CN=Configuration,DC=abc,DC=com
Source: Default-First-Site-Name\HCLV-AU01-2K12
******* WARNING: KCC could not add this REPLICA LINK due to error.
 
On the 2012R2 any log here?
%windir%\Debug\Adprep\Logs

Starting with 2012 ADPREP should run automatically when you DCPROMO and the prep should have taken care of this. You need to get replication up.
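
A way to check whether each DC actually holds the prepared schema, given the 8418 schema-mismatch error above (added example, not part of the original posts). It assumes the ActiveDirectory PowerShell module is installed and uses the DC names from the dcdiag output in this thread.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# DC names as they appear in the dcdiag/repadmin output in this thread.
$dcs = 'WS2K8', 'HCLV-AU01-2K12'

# Schema objectVersion reference: 44 = 2008, 47 = 2008 R2, 56 = 2012, 69 = 2012 R2
$report = foreach ($dc in $dcs) {
    try {
        $root     = Get-ADRootDSE -Server $dc
        $schemaNc = $root.schemaNamingContext
        $configNc = $root.configurationNamingContext
        $domainNc = $root.defaultNamingContext

        # Each adprep stage (schema, forestprep, domainprep) records its own marker.
        $schema = Get-ADObject -Identity $schemaNc -Server $dc -Properties objectVersion
        $forest = Get-ADObject -Identity "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNc" `
                               -Server $dc -Properties revision
        $domain = Get-ADObject -Identity "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNc" `
                               -Server $dc -Properties revision

        [pscustomobject]@{
            DC             = $dc
            SchemaVersion  = $schema.objectVersion
            ForestRevision = $forest.revision
            DomainRevision = $domain.revision
            Error          = $null
        }
    } catch {
        # Record the failure instead of stopping, so one unreachable DC does not hide the other.
        [pscustomobject]@{
            DC = $dc; SchemaVersion = $null; ForestRevision = $null
            DomainRevision = $null; Error = $_.Exception.Message
        }
    }
}
$report | Format-Table -AutoSize

# Different schema versions on different DCs mean the schema partition has not converged.
$versions = @($report.SchemaVersion | Where-Object { $_ } | Sort-Object -Unique)
if ($versions.Count -gt 1) {
    Write-Warning "Schema versions differ between DCs: $($versions -join ', ')"
}
```

Each DC is queried directly with `-Server`, so the values show what that DC's own copy of the directory contains rather than what a single DC believes.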
 
Logs
[2019/09/24:17:12:31.517]
Adprep created the log file 'C:\Windows\debug\adprep\logs\20190924171231\ADPrep.log'
[2019/09/24:17:12:31.517]
Adprep successfully initialized global variables.

[Status/Consequence]

Adprep is continuing.
[2019/09/24:17:12:31.533]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Schema,CN=Configuration,DC=abc,DC=com.
[2019/09/24:17:12:31.533]
LDAP API ldap_search_s() finished, return code is 0x0
[2019/09/24:17:12:31.533]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=WS2K8,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=abc,DC=com.
[2019/09/24:17:12:31.534]
LDAP API ldap_search_s() finished, return code is 0x0
[2019/09/24:17:12:31.534]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Schema,CN=Configuration,DC=abc,DC=com.
[2019/09/24:17:12:31.534]
LDAP API ldap_search_s() finished, return code is 0x0
[2019/09/24:17:12:31.549]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Infrastructure,DC=abc,DC=com.
[2019/09/24:17:12:31.549]
LDAP API ldap_search_s() finished, return code is 0x0
[2019/09/24:17:12:31.549]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=WS2K8,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=abc,DC=com.
[2019/09/24:17:12:31.550]
LDAP API ldap_search_s() finished, return code is 0x0
 
Going to have to identify what's not replicating and why. Until replication is good your domain is going to have issues.
 
Replication issue has not been fixed; I am looking for a solution.

Active directory 2012 R2 replication Active directory 2008 - > OK
Active directory 2008 not replication Active directory 2012 R2
 

When looking into this I saw guidance regarding fixing the replication that suggests breaking the inheritance on the objects that won't replicate, resetting their security permissions, and then re-enabling inheritance. If I were to try that I'd save their current ACLs first so I could revert them if it either didn't help or actually hurt.
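
The ACL backup suggested in the replies above, as an added example that is not part of the original posts. It assumes the ActiveDirectory PowerShell module (for the `AD:` drive); the object DN and the backup path are placeholders, since the thread never names the objects that fail to replicate, and `Restore-AdObjectAcl` is a hypothetical helper name.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT),
# which provides the AD: drive used by Get-Acl / Set-Acl.
Import-Module ActiveDirectory

# Placeholder DN: replace with the objects named in the replication events.
$objectDns = @(
    'CN=PLACEHOLDER-OBJECT,OU=PLACEHOLDER,DC=abc,DC=com'
)
$backupFile = 'C:\Temp\ad-acl-backup.xml'   # hypothetical path

# 1. Capture each object's security descriptor as SDDL before changing anything.
$backup = foreach ($dn in $objectDns) {
    $acl = Get-Acl -Path "AD:\$dn"
    [pscustomobject]@{
        DistinguishedName  = $dn
        Sddl               = $acl.Sddl
        InheritanceBlocked = $acl.AreAccessRulesProtected
        CapturedAt         = (Get-Date).ToString('o')
    }
}
# Persist to disk so the backup survives the PowerShell session.
$backup | Export-Clixml -Path $backupFile

# 2. Revert: put the saved DACL back on every object in the backup file.
function Restore-AdObjectAcl {
    param([Parameter(Mandatory)][string]$Path)

    foreach ($entry in Import-Clixml -Path $Path) {
        $adPath = "AD:\$($entry.DistinguishedName)"
        $acl = Get-Acl -Path $adPath
        # Restore only the access rules (DACL); owner and audit rules are left as they are.
        $acl.SetSecurityDescriptorSddlForm(
            $entry.Sddl,
            [System.Security.AccessControl.AccessControlSections]::Access)
        Set-Acl -Path $adPath -AclObject $acl
        Write-Output "Restored ACL on $($entry.DistinguishedName)"
    }
}

# To revert later: Restore-AdObjectAcl -Path $backupFile
```

The saved SDDL also carries the inheritance-protection flag, so the `InheritanceBlocked` column is there only to make the pre-change state readable at a glance.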
 
