Blank Forest Functional Level - Unable to fix

akeiii · Guest

Set Forest Functional Level Manually Fails

I have a domain which had 2 domain controllers, both Windows Server 2003
fully patched.
The domain functional level was Windows Server 2003.
The forest functional level was Windows Server 2003.
The PDC failed catastrophically.
I had to use FSMO to transfer all operations to the remaining domain
controller.
I acquired a new server with Windows Server 2003 R2. When I tried to
promote it to be a domain controller the promotion failed, incompatible
forest, because the new server interprets not set as mixed mode. Checking
the new PDC I discovered that the domain functional level is still Windows
Server 2003 however the forest functional level is blank. Ldp.exe and
Adsiedit.msc both show that the attribute msDS-Behavior-Version on the
CN=Partitions, CN=Configuration, DC=ForestRootDom, DC=tld object is NOT SET.
If I try to raise the forest functional level on the domain controller using
the MMC the console gets an error and closes. If I try to manually set the
forest functional level using either Ldp.exe or Adsiedit.msc I receive the
following error "Illegal modify operation. Some aspect of the modification is
not permitted.". The Microsoft troubleshooting document says "Click OK to
continue." however this does not work. The full Microsoft document follows.
"
View and Set Functional Levels Manually
LDAP tools such as Ldp.exe and Adsiedit.msc can be used to view and modify
the current domain and forest functional level settings. When you modify the
attributes manually,
it is best to target the FSMO authoritative for the increase as the change
is actually written to the authoritative FSMO then replicated.

Forest Level Setting
The attribute is msDS-Behavior-Version on the CN=Partitions,
CN=Configuration, DC=ForestRootDom, DC=tld object.
• Value of 0 or not set=mixed level forest
• Value of 1=Windows Server 2003 interim forest level
• Value of 2=Windows Server 2003 forest level

Note When you increase the msDS-Behavior-Version attribute from 0 to 1 with
ADSIEdit, you receive the following error message:
Illegal modify operation. Some aspect of the modification is not permitted.
Click OK to continue. The attribute on the partitions container and the
domain head are correctly increased. The error message is not reported by the
Ldp.exe file.
You can safely ignore the error message. To verify the level increase was
successful, refresh the attribute list and check the current setting.
This error message may also occur if you have already performed the level
increase on the authoritative FSMO, but has not replicated to the local
domain controller.
"

Suggestions?

akeiii · Guest

Attempting to raise the forest fuctional level on the PDC results in the
following error:

Active Directory Domains and trusts: mmc.exe
The instruction at 0x77bd8efa referenced memory at 0x00000028". The memory
could not be "read".
Ok to terminate, CANCEL to debug.

"akeiii" wrote:

Joe Richards [MVP] · Guest

I find it odd that you were at FFL2 and the other DCs didn't know it, if that
were the case, your forest wasn't replicating properly. It would be easier to
believe you actually weren't at FFL2.

Anyway, not being in FFL2 won't prevent you from adding an R2 DC. Your thoughts
that it interprets not set as mixed mode is true because not set IS mixed mode.
You need to do a forest prep to prepare the schema for R2 prior to adding an R2
Domain Controller. Up until this afternoon I had one R2 forest that was entirely
all R2 DCs in Windows 2000 mixed mode. It was a fresh forest I had just built
for testing purposes and was never at any point anything but R2.

Anyway, you could be running into something odd when raising the forest
functional level and even though it isn't required for R2, I will offer a
command line mechanism to do it that will kick out an error message that can be
used to work out the issue. LDP should have kicked out the error message as
well, I expect you just didn't post the entire error.

Anyway here is the command (all one line)

admod -b CN=Partitions,CN=Configuration,DC=domain,DC=com
msDS-Behavior-Version::2 -exterr

Run the command and post the ENTIRE error message.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net

---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

akeiii wrote:

akeiii · Guest

Prior to the PDC failure replication worked perfectly and both DCs showed
FFL2 and DFL2. It was only after the PDC failed and I had to force make the
other DC the operations master (PDC) that the FFL disappeared. The complete
LDP.EXE error was "Illegal modify operation. Some aspect of the modification
is not permitted." as was the error from ADSIEDIT.MSC.

"Joe Richards [MVP]" wrote:

Joe Richards [MVP] · Guest

That isn't the whole error that AD is sending back. Use the command that I
specified.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net

---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

akeiii wrote:

akeiii · Guest

AdMod V01.06.00cpp Joe Richards (...) June 2005

Error 0xa (10) - Referral
Extended Error: 0000202B: RefErr: DSID-031006E0, data 0, 1 access points
ref 1: 'domain.com'

ERROR: Too many errors encountered, terminating...

The command did not complete successfully

"Joe Richards [MVP]" wrote:

akeiii · Guest

I still can not fix the FFL however I am closer to promoting the new server
to a domain controller. I promoted a Windows Server 2003 SP1 server to a
domain controller. I then transferred the three master roles (including
operations and infrastructure) to the new system and back. Now I could
promote the new server with Windows Server 2003x64 R2 to a domain controller
if I could run ADPREP. My CATCH22 is:

1.) ADPREP.EXE from CD2 of Windows Server 2003x64 R2 must be run to prep
the forest.
2.) ADPREP.EXE must be run on the operations master.
3.) The operations master is Windows Server 2003 SP1 (32 bit).
4.) The ADPREP.EXE from the Windows Server 2003x64 R2 will not run on the
current operations master!

I can not find a download for the version of ADPREP I need.

"akeiii" wrote:

akeiii · Guest

I spoke too soon. Adprep (I found a R2 32 bit CD2) returns the following
error: Error code: 0x20 Server extended error code : 0x208d, Server error
message: 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0,
best match of:
'CN=XXXXXXXXXXXX\0ADEL:429f1675-1fbd-466a-ad02-0d9b950d1b96,CN=Servers,CN=Defaut-First-Site-Name,CN=Sties,CN=Configuration,DC=<domain
name>,DC=com' where XXXXXXXXXXX is the name of the old PDC!

I would bet that if I could remove that bad entry the other problems would
go away.

"akeiii" wrote:

Joe Richards [MVP] · Guest

That is a referral, the error says that plus I verified the AD source code via
the specified DSID. It generally means that the object being modified is not on
the DC that you are trying to modify it on.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net

---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

akeiii wrote:

Joe Richards [MVP] · Guest

I would start looking very closely at all DCs to verify that the same DC is set
for the PDC master. I would also look at DNS and make sure the DNS PDC entry is
correct. I would even make sure that he 1B record in WINS is correct. Something
appears to be pointing at the old PDC.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net

---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

akeiii wrote:

akeiii · Guest

The final solution was to fix the corrupt AD by executing the following steps:

1.) Use NTDSUTIL on the new PDC
2.) Connect to the current server
3.) Seize PDC
4.) Seize infrastructure master
5.) Seize schema master

Even thought Sites and Services, ADSIEDIT and LDP all indicated that the
current server had all of these roles there was still an orphan record in the
AD that referenced the old PDC. There was no record of the old system or its
IP in any name server. The bad record could not be found using any of those
tools so it could not be deleted however the above procedure worked to remove
it. The only role FSMO failed to transfer and had to actually seize was the
schema master.

"Joe Richards [MVP]" wrote:

Joe Richards [MVP] · Guest

Sorry to break it to you but NTDSUTIL doesn't do anything magical, this is from
someone who has spent hours looking at its source code... If it could fix it, so
could have ADSIEDIT and LDP (whose source code I have also spent considerable
time with).

Don't mistake not being able to find the info as it not existing. Certainly, if
this is all it took, you didn't have a corrupt AD. NTDSUTIL simply presented it
in a better way to you that you could work with.

I am glad you got it all worked out now.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net

---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

akeiii wrote: