While trying to raise the domain functional level from 2008 R2 to 2012, I am receiving the following error:
The functional level could not be raised. The error is: The server is unwilling to process the request.
After doing some research, I found that this can be caused if you have objects in the LostAndFound container in Active Directory. When looking inside this container, I see Domain System Volume (SYSVOL share), but the Last Known Parent is that of an old Win2k3 domain controller that no longer resides in the environment.
Though the parent is old, it just makes me nervous that it is referring to the SYSVOL share. I have validated that our SYSVOL and NETLOGON shares are shared out correctly, so I don't know if it's okay to just delete it, or if I should move it somewhere.
After trying to raise the domain functional level, I see the following warning in the event viewer:
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 3/29/2015 8:27:20 AM
Event ID: 2909
Task Category: Directory Access
Level: Warning
Keywords: Classic
User: DOMAIN\DomainAdmin
Computer: dc.domain.int
Description:
Active Directory Domain Services failed to update the functional level of the domain because the following Active Directory Domain Controller is at a lower functional level than the requested new functional level of the domain.
Object:
DC=domain,DC=int
NTDS Settings object of Active Directory Domain Controller:
CN=NTDS Settings,CN=LostAndFoundConfig,CN=Configuration,DC=domain,DC=int
I decided to create an OU called Orphaned Objects and attempted to move the object from the LostAndFound OU into it. I was then presented with the following error:
I ran the NTDSUTIL per http://support.microsoft.com/en-us/kb/216498, but this doesn't help because the old domain controller was demoted many years ago and is not showing up in the server list. I did some poking around in ADSIedit. What I find interesting is if you drill down to OU=Domain Controllers, expand the first domain controller and then click on CN=NTFRS Subscriptions, you see a nTFRSSubscriber class object. This is the exact same object that is in the LostAndFound folder. There is just no associated domain controller in the OU=Domain Controllers container. Does this make sense? I am not sure if this means I can just delete it. Again, the object being SYSVOL related worries me a little, even though our SYSVOL and NETLOGON are currently intact.
I can find different online kb resources for receiving this error when moving users around, but nothing about SYSVOL. In Active Directory, I drilled down to System > File Replication Service > Domain System Volume (SYSVOL share) and I do see all of our current Domain Controllers as well as a bunch of other old domain controllers. What is the appropriate way to remove all of the old DCs?
--Scott
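A read-only inventory of the three places the post describes (the domain LostAndFound container, the CN=LostAndFoundConfig container named in event 2909, and the FRS member list for SYSVOL), compared against the domain controllers that exist today. This is an added example, not part of the original post. It assumes the ActiveDirectory PowerShell module is available and that the FRS container sits at the path shown in the post; it changes nothing in the directory.

```powershell
# Added example: read-only inventory of orphaned DC metadata. Nothing is modified.
# Assumes the ActiveDirectory module (RSAT) and read access to both partitions.
Import-Module ActiveDirectory

$root     = Get-ADRootDSE
$domainDN = $root.defaultNamingContext
$configDN = $root.configurationNamingContext

# Reference set: domain controllers that currently exist.
$liveDCs         = Get-ADDomainController -Filter *
$liveComputerDNs = @($liveDCs | ForEach-Object { $_.ComputerObjectDN })

# 1. Objects in the domain LostAndFound container and where they came from.
Write-Host "`n== CN=LostAndFound,$domainDN =="
Get-ADObject -SearchBase "CN=LostAndFound,$domainDN" -SearchScope OneLevel `
    -Filter * -Properties lastKnownParent, whenChanged |
    Select-Object Name, ObjectClass, lastKnownParent, whenChanged |
    Format-Table -AutoSize -Wrap

# 2. NTDS Settings objects stranded in LostAndFoundConfig (the DN in event 2909).
#    msDS-Behavior-Version is the functional level that object advertises.
Write-Host "`n== CN=LostAndFoundConfig,$configDN =="
Get-ADObject -SearchBase "CN=LostAndFoundConfig,$configDN" `
    -Filter 'objectClass -eq "nTDSDSA"' `
    -Properties lastKnownParent, 'msDS-Behavior-Version', whenChanged |
    Select-Object DistinguishedName, 'msDS-Behavior-Version', lastKnownParent, whenChanged |
    Format-List

# 3. FRS members for SYSVOL, flagged when they do not map to a live DC.
#    Container path assumed from the post: System > File Replication Service >
#    Domain System Volume (SYSVOL share).
$frsBase = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainDN"
Write-Host "`n== $frsBase =="
Get-ADObject -SearchBase $frsBase -SearchScope OneLevel `
    -Filter 'objectClass -eq "nTFRSMember"' `
    -Properties frsComputerReference, serverReference |
    ForEach-Object {
        [pscustomobject]@{
            Member            = $_.Name
            ComputerReference = $_.frsComputerReference
            ServerReference   = $_.serverReference
            MatchesLiveDC     = ($liveComputerDNs -contains $_.frsComputerReference)
        }
    } | Sort-Object MatchesLiveDC, Member | Format-Table -AutoSize -Wrap
```

Rows with `MatchesLiveDC` set to `False`, and any NTDS Settings object listed in section 2, are the leftover metadata to review before deciding on cleanup.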