Can't Raise Domain Functional Level

While trying to raise the domain functional level from 2008 R2 to 2012, I am receiving the following error:

The functional level could not be raised.  The error is: The server is unwilling to process the request.

After doing some research, I found that this can be caused if you have objects in the LostAndFound container in Active Directory.  When looking inside this container, I see Domain System Volume (SYSVOL share), but the Last Known Parent is that of an old Win2k3 domain controller that no longer resides in the environment.

NTFRS Subscriber Object in AD LostAndFound Container

Though the parent is old, it just makes me nervous that it is referring to the SYSVOL share.  I have validated that our SYSVOL and NETLOGON shares are shared out correctly, so I don't know if it's okay to just delete it, or if I should move it somewhere.

After trying to raise the domain functional level, I see the following warning in the event viewer:

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 3/29/2015 8:27:20 AM
Event ID: 2909
Task Category: Directory Access
Level: Warning
Keywords: Classic
User: DOMAIN\DomainAdmin
Computer: dc.domain.int

Description:

Active Directory Domain Services failed to update the functional level of the domain because the following Active Directory Domain Controller is at a lower functional level than the requested new functional level of the domain.

Object:
DC=domain,DC=int
NTDS Settings object of Active Directory Domain Controller:
CN=NTDS Settings,CN=LostAndFoundConfig,CN=Configuration,DC=domain,DC=int

I decided to create an OU called Orphaned Objects and attempted to move the object from the LostAndFound OU into it.  I was then presented with the following error:

Error When Trying To Move LostAndFound Object

I ran the NTDSUTIL per http://support.microsoft.com/en-us/kb/216498, but this doesn't help because the old domain controller was demoted many years ago and is not showing up in the server list.  I did some poking around in ADSIedit.  What I find interesting is if you drill down to OU=Domain Controllers, expand the first domain controller and then click on CN=NTFRS Subscriptions, you see a nTFRSSubscriber class object.  This is the exact same object that is in the LostAndFound folder.  There is just no associated domain controller in the OU=Domain Controllers container.  Does this make sense?  I am not sure if this means I can just delete it.  Again, the object being SYSVOL related worries me a little, even though our SYSVOL and NETLOGON are currently intact.

I can find different online kb resources for receiving this error when moving users around, but nothing about SYSVOL.  In Active Directory, I drilled down to System > File Replication Service > Domain System Volume (SYSVOL share) and I do see all of our current Domain Controllers as well as a bunch of other old domain controllers.  What is the appropriate way to remove all of the old DCs?

--Scott



March 29th, 2015 12:06pm

Can you also please check the below command: dcdiag /v /c /e

And see if it gives any reference issues?

I assume cleanup is the only option which we need to look for.

Regards,

Biju Kurup

March 29th, 2015 9:23pm

I see there are a few deleted posts, so I don't know what was already mentioned, discussed or suggested, so I hope I am not repeating anything already mentioned.

You can right-click on the NTFRS subscription and update the information. After doing so, you will see an Event ID 13520 saying it had updated, and/or possibly "NtFrs also logged event 13553, "The File Replication Service successfully added this computer to the following replica set: "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"" ..."

March 29th, 2015 11:01pm
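
A read-only way to inventory what the original question describes, as an added example that is not part of any post in this thread: it lists the objects sitting in LostAndFound and LostAndFoundConfig with their last known parent, then flags FRS SYSVOL member objects that do not map to a current domain controller. It assumes the ActiveDirectory PowerShell module (RSAT) and the default FRS container path mentioned in the question; the variable names are illustrative.

```powershell
# Added example, read-only: nothing here modifies or deletes directory objects.
# Assumes the ActiveDirectory module (RSAT) and rights to read both partitions.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$configNC = (Get-ADRootDSE).configurationNamingContext

# 1. Orphans in both lost-and-found containers, with the parent they came from.
$containers = @(
    $domain.LostAndFoundContainer,       # CN=LostAndFound,<domain DN>
    "CN=LostAndFoundConfig,$configNC"    # container named in the event 2909 text
)
$orphans = foreach ($base in $containers) {
    Get-ADObject -SearchBase $base -SearchScope Subtree -Filter * `
                 -Properties lastKnownParent, whenChanged |
        Where-Object { $_.DistinguishedName -ne $base } |   # skip the container itself
        Select-Object Name, ObjectClass, lastKnownParent, whenChanged, DistinguishedName
}

# 2. Domain controllers that exist today, used as the reference set.
$liveComputerDNs = (Get-ADDomainController -Filter *).ComputerObjectDN

# 3. FRS members of the SYSVOL replica set; each should reference a live DC.
#    Path assumed from the question: System > File Replication Service >
#    Domain System Volume (SYSVOL share).
$frsBase = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service," +
           "CN=System,$($domain.DistinguishedName)"
$frsMembers = Get-ADObject -SearchBase $frsBase -SearchScope OneLevel `
                  -LDAPFilter '(objectClass=nTFRSMember)' `
                  -Properties frsComputerReference, serverReference |
    Select-Object Name, frsComputerReference, serverReference,
        @{ Name = 'MatchesLiveDC'
           Expression = { $liveComputerDNs -contains $_.frsComputerReference } }

# Report: orphans first, then FRS members with the unmatched ones at the top.
"Objects in LostAndFound / LostAndFoundConfig:"
$orphans | Format-List

"FRS SYSVOL members (MatchesLiveDC = False means no current DC behind it):"
$frsMembers | Sort-Object MatchesLiveDC | Format-Table -AutoSize -Wrap
```

Members reported with MatchesLiveDC set to False, and orphans whose lastKnownParent names a retired server, are the candidates to review before any cleanup.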
