Raising functional level

[Mike Kapos]

Hi,

I just upgraded my Windows 2000 domain to 2003 and had no problems until I
try to raise the domain (or forest) functional level to 2003. I have no 2000
DC's left but everytime I try and raise the functional level I get and
error:

"The functional level could not be raised. The error is: The server is
unwilling to process the request."

Does anyone have any ideas? I've run DCDIAG and have gotten no errors...

Thanks in advance for any help,

Mike

[Dean Wells [MVP]]

This usually occurs because of something known as INITSYNC; a
requirement for a FSMO role holder to replicate with at last one partner
before offering FSMO services. Since both Forest and Domain functional
level increases are FSMO bound, I would suggest using active Directory
Sites and Services to force the FSMO in question to replicate and then
retry the operation. Domain functional level increases are handled by
the PDC FSMO whilst Forest functional level increases are the
responsibility of the Schema FSMO.

Use a command prompt to determine the FSMO role holders by typing -

netdom query fsmo

HTH

Dean

--
Dean Wells [MVP / Windows platform]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

[Dean Wells [MVP]]

Dean Wells [MVP] wrote:

> This usually occurs because of something known as INITSYNC; a
> requirement for a FSMO role holder to replicate with at last one

... anyone got an "E" key going spare
..............................^............... :)

[Mike Kapos]

Thanks for info, it seems that I am having replication problems. I started
get this error from DCDIAG:

[Replications Check,VANQL-DNS01] A recent replication attempt failed:
From (unknown) to VANQL-DNS01
Naming Context: DC=VANQALAB,DC=com
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS lookup failure.
The failure occurred at 2003-10-27 16:49.41.
The last success occurred at 2003-10-27 13:49.42.
3 failures have occurred since the last success.

Any ideas?

Thanks

Mike

"Dean Wells [MVP]" <dwe...@mask.msetechnology.com> wrote in message
news:%23eTgU9O...@TK2MSFTNGP09.phx.gbl...

[Dean Wells [MVP]]

Dean Wells [MVP] wrote:
> Dean Wells [MVP] wrote:
>
>> This usually occurs because of something known as INITSYNC; a
>> requirement for a FSMO role holder to replicate with at last one
>
> ... anyone got an "E" key going spare
> ..............................^............... :)
>
> Dean

... and a newsgroup reader that won't wrap lines. I QUIT :)

[Dean Wells [MVP]]

Determine the DNS server being used be your newly upgraded Domain
Controller, on that DNS server set the zone representing the Domain in
question to "Allow both non-secure and secure dynamic updates". Back on
the new DC run a Command Prompt (CMD) and type -

ipconfig /registerdns

... you may need to wait for a period of no less than 15 minutes before
proceeding or you can flush the cache on the designated replication
partner by running a Command Prompt on it and typing -

ipconfig /flushdns

Retry the replication operation ... remember, you should be selecting
the new DC's NTDS Settings object in AD Sites and Services, selecting a
replication partner's connection object (the DC should be within the
same domain), right click it and select "Replicate now" ... assuming
this operation succeeds, attempt the functional level increase again. If
this succeeds, don't forget reset the zone's configuration to allow only
secure updates.

If you receive further failures, please post the responses.

[Mike Kapos]

OK, I get a different error now. When I try to raise the level on the forest
I get and error:

The NTDS-DSA object:
'CN=NTDS Settings,CN=LostAndFoundConfig,CN=Configuration,DC=VANQALAB,DC=com'
is not properly configured and is preventing the forest functional level
from begin raised. It refers to the domain controller
'VANQL-DC01\oADEL:3e5cd8b2-c83d-4872-a242-ca722637854c' If this domain
controller is off-line, then bring it back on line may cause replication
that will repair the configuration. Otherwise delete this object using the
ADSI Edit MMC snapin or a similar tool

When I try to raise the level on the domain I get the same error as
before...

"Dean Wells [MVP]" <dwe...@mask.msetechnology.com> wrote in message

news:%23ld3DUP...@TK2MSFTNGP10.phx.gbl...

[Dean Wells [MVP]]

The DC referenced by this error is likely the cause, is it still live?
To ensure I'm fully aware of your environment, how many DCs do you have?
How many Domains? How many sites? How may DCs are running 2003? Do you
have any NT4 BDCs?

Sorry for the barrage of questions, I'd prefer it if I'm fully aware of
your environment.

[Mike Kapos]

I'm glad to give you all the info I have...

I originally had 2 DC's running windows 2000(VANQL-DC01 and VANQL-DNS01) in
one site, this is our test lab. I ran ADPREP /forestprep and domainprep on
the domain and then added a new 2003 DC called VANRDLABDC01..

I then upgraded both 2000 DC's to 2003.

All this is in one domain called VANQALAB.COM.

Hope this answers all your questions. I'm thinking it might just be easier
to demote the VANQL-DC01 DC (the one that's giving me the headache) and then
repromote it..

Thanks

"Dean Wells [MVP]" <dwe...@mask.msetechnology.com> wrote in message

news:%23$t0E2PnD...@TK2MSFTNGP10.phx.gbl...

[Mike Kapos]

Don't know if this helps but I get this when I run a DCDIAG /C

Starting test: VerifyEnterpriseReferences
The following problems were found while verifying various important
DN
references. Note, that these problems can be reported because of
latency in replication. So follow up to resolve the following
problems, only if the same problem is reported on all DCs for a
given
domain or if the problem persists after replication has had
reasonable time to replicate changes.
[1] Problem: Missing Expected Value
Base Object:
CN=LostAndFoundConfig,CN=Configuration,DC=VANQALAB,DC=com
Base Object Description: "Server Object"
Value Object Attribute: serverReference
Value Object Description: "DC Account Object"
Recommended Action: This could hamper authentication (and thus
replication, etc). Check if this server is deleted, and if so
clean up this DCs Account Object. If the problem persists and
this is not a deleted DC, authoratively restore the DSA object
from
a good copy, for example the DSA on the DSA's home server.

Everything else passes fine...
"Mike Kapos" <mkapos...@hotmail.com> wrote in message
news:%23iIkN9P...@TK2MSFTNGP11.phx.gbl...

[Dean Wells [MVP]]

Mike Kapos wrote:
> I'm glad to give you all the info I have...
>
> I originally had 2 DC's running windows 2000(VANQL-DC01 and
> VANQL-DNS01) in one site, this is our test lab. I ran ADPREP
> /forestprep and domainprep on the domain and then added a new 2003 DC
> called VANRDLABDC01..
>
> I then upgraded both 2000 DC's to 2003.
>
> All this is in one domain called VANQALAB.COM.
>
> Hope this answers all your questions. I'm thinking it might just be
> easier to demote the VANQL-DC01 DC (the one that's giving me the
> headache) and then repromote it..
>
> Thanks
>
>>

>> The DC referenced by this error is likely the cause, is it still
>> live? To ensure I'm fully aware of your environment, how many DCs do
>> you have? How many Domains? How many sites? How may DCs are running
>> 2003? Do you have any NT4 BDCs?
>>
>> Sorry for the barrage of questions, I'd prefer it if I'm fully aware
>> of your environment.
>>
>> Dean
>>
>> --
>> Dean Wells [MVP / Windows platform]
>> MSEtechnology
>> [[ Please respond to the Newsgroup only regarding posts ]]
>> R e m o v e t h e m a s k t o s e n d e m a i l

It would seem that the DC referenced by the error has somewhat of a
problem, the cause of which I could do little but take a guess at. I
would suggest that you remove the offending DC by simply deleting its
metadata from the directory using ADSIEDIT.MSC or NTDSUTIL's metadata
cleanup ... the critical object in order for you to proceed is the NTDS
Settings object (within the config. NC) of the seemingly dead DC. You'll
also want to run DCPROMO /forceremoval on the console of this same 2003
DC. Once the object has been deleted, trigger the KCC on the remaining
DCs and retry the functional level increase.

[Mike Kapos]

Thanks, I figured as much.. ;)

I'll remove it now and try readding it after I raise the level..

I'll let you know how it goes.. thanks for everything.. :)

"Dean Wells [MVP]" <dwe...@mask.msetechnology.com> wrote in message

news:%23kDq6EQ...@TK2MSFTNGP10.phx.gbl...

[Mike Kapos]

OK, I'm a little stuck, I demoted VANQL-DC01 with now problem but I still
get the same error. How do I delete it's metadata?

Thanks

"Mike Kapos" <mkapos...@hotmail.com> wrote in message

news:e0XO9HQn...@TK2MSFTNGP11.phx.gbl...

[Dean Wells [MVP]]

The following article outlines the supported procedure -

http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b216498

HTH

[Mike Kapos]

I found that KB but all the entries were already gone but I still get that
error when trying to raise the level.. I'm starting to think my whole
upgrades is pooched.. :(

"Dean Wells [MVP]" <dwe...@mask.msetechnology.com> wrote in message

news:%23o57HaQ...@TK2MSFTNGP11.phx.gbl...

[Mike Kapos]

I figured it out.. It seemd that I actually had to deleted the
LostAndFoundConfig entry and everything started working fine again...

Thanks for everything.. :)

"Mike Kapos" <mkapos...@hotmail.com> wrote in message

news:u7Or1eQn...@TK2MSFTNGP09.phx.gbl...

[Dean Wells [MVP]]

Great ... good job!

[jrags...@gmail.com]

On Tuesday, October 28, 2003 12:16:43 AM UTC-4, Mike Kapos wrote:
> I figured it out.. It seemd that I actually had to deleted the
> LostAndFoundConfig entry and everything started working fine again...
>
> Thanks for everything.. :)
>

> Did you delete the "CN=Lostandfoundconfig" folder out from the adsi configuration? all signs point to deleting what is in here but there are no objects that I can see.