Can't edit group policy, Replication Warning

Hi All, 

I had a Single domain controller Server 2003

I have already installed 2012 Server on another physical server. 

Raised domain functional level to Windows 2003 

Promoted 2012 server to Domain controller. 

Transferred all fsmo roles to 2012 server and verified too. 

Now the issue is that when I try to edit group policy through the 2012 server I get an error: "Failed to open Group Policy Object. You might not have the appropriate rights." In the Details box I got this: "The network name cannot be found"

And in Group Policy Management, when I click on my domain name, it shows a pop-up saying "A processing error occurred collecting data using this base domain controller. Please change the base domain controller and try again."

So I right-clicked the domain name, clicked Change Domain Controller and then selected my old 2003 domain controller. After doing this everything started working fine, meaning I am able to edit the group policy.

Kindly tell me where I went wrong while promoting the new 2012 server to domain controller, even though AD shows my 2012 server is now PDC.

Is there something else which I missed and had to do to completely transfer the Domain controller? 

Please note I have to turn off the older one after some time, so I have to make sure that everything is transferred and the new server can work alone and on its own.

Thanks in Advance 

Raja Mansoor

Here are two Warnings which I found in event logs. 

1. Event Id 2092 source=ActiveDirectory_DomainService Task category=Replication. 

Here is the error

------------------------------------------------

     

This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role. 

Operations which require contacting a FSMO operation master will fail until this condition is corrected. 

FSMO Role: CN=Schema,CN=Configuration,DC=nmc,DC=net,DC=pk 

User Action: 

1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476. 
2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors.  Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication. 
3. In the rare event that all replication partners are expected to be offline (for example, because of maintenance or disaster recovery), you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com. 

The following operations may be impacted: 
Schema: You will no longer be able to modify the schema for this forest. 
Domain Naming: You will no longer be able to add or remove domains from this forest. 
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts. 
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups. 
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

---------------------

2. Error ID =13508 Source=NtFrs Category=None

Here is the error

------------------------

  

The File Replication Service is having trouble enabling replication from SERVER to AD-DNS for c:\windows\sysvol\domain using the DNS name server.nmc.net.pk. FRS will keep retrying. 
 Following are some of the reasons you would see this warning. 

 [1] FRS can not correctly resolve the DNS name server.nmc.net.pk from this computer. 
 [2] FRS is not running on server.nmc.net.pk. 
 [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers. 

 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

--------------------------------------

Thank you every one for reading such a long post 

August 7th, 2015 1:07pm

Did you run ADPREP /gpprep?

https://technet.microsoft.com/en-us/library/cc731728.aspx?f=255&MSPPError=-2147217396

Performs similar updates as domainprep. However, this command also provides updates that are necessary to enable Resultant Set of Policy (RSOP) Planning Mode functionality.

In Active Directory environments that run Microsoft Windows 2000, this command performs updates during off-peak hours. This minimizes replication traffic that is created in those environments by updates to file system permissions and Active Directory permissions on existing Group Policy objects (GPOs). This command is also available on Microsoft Windows Server 2003 with Service Pack 1 (SP1) or later.

Run this command after the forestprep command finishes and after the changes replicate to all domain controllers in the forest. You must run this command on the infrastructure master for the domain. For more information about running this command in Windows 2000 Active Directory environments, see Prepare Your Infrastructure for Upgrade (http://go.microsoft.com/fwlink/?LinkId=94798).

August 7th, 2015 2:36pm

Run the following commands on the role holder, what is the output?

DCDIAG /c /v >c:\dcdiag.txt

Net share

Are the DCs global catalogs?

Are all required AD ports open?

https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

Are the DCs' subnets/IPs associated with the site in AD Sites and Services?

August 7th, 2015 2:40pm

hi,

Can you post the dcpromo logs of Windows 2012 R2? Also provide the output of the following commands:

Repadmin /SHOWREPL

Repadmin /replsum /Errorsonly

dcdiag /v /c /d /e /s:contoso.com >>DCDIAG.log

August 8th, 2015 12:32pm
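
As an added example (not part of any post in this thread): the repadmin /showrepl output requested above can also be produced as CSV and summarised per destination DC, so that the Event 2092 condition (every inbound partner failing) stands out. The sample rows are constructed; only the names AD-DNS, SERVER and the nmc.net.pk partitions come from the thread, and the function name is hypothetical.

```powershell
# Constructed sample of "repadmin /showrepl * /csv" output (not taken from the thread).
# AD-DNS and SERVER are the DC names in event 13508; site, times and status are invented.
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,AD-DNS,"DC=nmc,DC=net,DC=pk",Default-First-Site-Name,SERVER,RPC,14,2015-08-07 12:58:11,0,8524
showrepl_INFO,Default-First-Site-Name,AD-DNS,"CN=Schema,CN=Configuration,DC=nmc,DC=net,DC=pk",Default-First-Site-Name,SERVER,RPC,14,2015-08-07 12:58:11,0,8524
showrepl_INFO,Default-First-Site-Name,SERVER,"DC=nmc,DC=net,DC=pk",Default-First-Site-Name,AD-DNS,RPC,0,0,2015-08-07 12:45:02,0
'@

# Win32 status codes that map directly to the causes listed in events 2092 and 13508.
$known = @{ '8524' = 'DNS lookup failure'; '1722' = 'RPC server unavailable'; '5' = 'Access denied' }

function Get-InboundReplicationSummary {   # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$CsvLine)

    # Keep only the header and data rows, then let ConvertFrom-Csv handle the quoted DNs.
    $rows = $CsvLine | Where-Object { $_ -match '^showrepl_(COLUMNS|INFO),' } | ConvertFrom-Csv

    $rows | Group-Object -Property 'Destination DSA' | ForEach-Object {
        $bad   = @($_.Group | Where-Object { [int]$_.'Number of Failures' -gt 0 })
        $codes = @($bad | ForEach-Object { $_.'Last Failure Status' } | Sort-Object -Unique)
        [pscustomobject]@{
            Destination        = $_.Name
            InboundLinks       = $_.Count
            FailingLinks       = $bad.Count
            # True means no partition is replicating in from any partner,
            # which is the situation event 2092 describes.
            AllPartnersFailing = ($bad.Count -eq $_.Count)
            LastStatus         = ($codes | ForEach-Object {
                if ($known[$_]) { "$_ ($($known[$_]))" } else { $_ }
            }) -join '; '
        }
    }
}

Get-InboundReplicationSummary -CsvLine ($sample -split '\r?\n') | Format-Table -AutoSize

# Against a live domain, feed the real output instead of the sample:
# Get-InboundReplicationSummary -CsvLine (repadmin /showrepl * /csv)
```

With the sample, AD-DNS is reported with 2 of 2 inbound links failing on status 8524 and SERVER with none failing.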

Here are two Warnings which I found in event logs. 

1. Event Id 2092 source=ActiveDirectory_DomainService Task category=Replication. 

Here is the error

------------------------------------------------

This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role. 

Operations which require contacting a FSMO operation master will fail until this condition is corrected. 

FSMO Role: CN=Schema,CN=Configuration,DC=nmc,DC=net,DC=pk 

--------------------

2. Error ID =13508 Source=NtFrs Category=None

Here is the error

------------------------

The File Replication Service is having trouble enabling replication from SERVER to AD-DNS for c:\windows\sysvol\domain using the DNS name server.nmc.net.pk. FRS will keep retrying. 
 Following are some of the reasons you would see this warning. 

It seems to be a replication issue, and the new DC failed to fully take over the FSMO roles you transferred. You might want to seize the missing FSMO roles by using NTDSUTIL.
 
For more details about how to seize the FSMO roles, please refer to: https://support.microsoft.com/en-us/kb/255504
 
Regarding the error ID 13508, it indicates replication failure between the DCs. There could be many reasons why this can happen. For your case, it seems to be due to DNS misconfiguration. Please make sure the DNS setting on the server is pointing to the correct DNS address.
 
Hope this helps.
 

Regards,

Eth

August 10th, 2015 11:03pm

Event ID 2092:

User Action:

1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.
2. This server has one or more replication partners and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors.  Correct the error in question. For example there maybe problems with IP connectivity DNS name resolution or security authentication that are preventing successful replication.
3. In the rare event that all replication partners being down is an expected occurance perhaps because of maintenance or a disaster recovery you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.

Event ID 13508:

To fix the problem, you must designate a domain controller to be authoritative for the Sysvol replica set:
1. Stop the File Replication service on the PDC emulator FSMO role holder.
2. Use the Registry Editor to navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup.

3. Double-click the BurFlags Value Name, a REG_DWORD data type, and set the data value to D4, using the Hex radix.
4. Exit the Registry Editor.
5. Start the File Replication service.

Note: If the BurFlags Value Name is set to D4 (authoritative) on more than one replica, conflicts and collisions will

August 10th, 2015 11:09pm
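
The BurFlags steps above as a guarded script, added here as an example and not written by any poster in this thread. The two pre-checks (this host is the PDC emulator, and its local SYSVOL already holds GPO folders) and the function name are assumptions of the example; the .NET registry API is used because the PowerShell registry provider treats the "/" in "Backup/Restore" as a path separator.

```powershell
#Requires -RunAsAdministrator

function Set-FrsAuthoritative {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # Default matches the SYSVOL path shown in event 13508.
        [string]$PoliciesPath = "$env:SystemRoot\SYSVOL\domain\Policies"
    )

    $subKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

    # Guard 1: the steps name the PDC emulator. Win32_ComputerSystem.DomainRole is 5
    # on the PDC emulator and 4 on every other domain controller.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    if ($role -ne 5) {
        throw "$env:COMPUTERNAME is not the PDC emulator (DomainRole=$role)."
    }

    # Guard 2 (added assumption): D4 makes this copy of SYSVOL the one the other
    # replicas rebuild from, so refuse to proceed if no GPO folders are present.
    $gpos = @(Get-ChildItem -Path $PoliciesPath -Directory -ErrorAction SilentlyContinue |
              Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' })
    if ($gpos.Count -eq 0) {
        throw "No GPO folders under $PoliciesPath; this replica should not be made authoritative."
    }

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Set BurFlags=0xD4 and restart NtFrs')) {
        Stop-Service -Name NtFrs
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $true)
        if ($null -eq $key) { throw "Registry key not found: HKLM\$subKey" }
        try {
            Write-Verbose "Previous BurFlags: $($key.GetValue('BurFlags'))"
            $key.SetValue('BurFlags', 0xD4, [Microsoft.Win32.RegistryValueKind]::DWord)
        }
        finally {
            $key.Close()
        }
        Start-Service -Name NtFrs
    }
}

# Dry run first; nothing is changed with -WhatIf:
# Set-FrsAuthoritative -WhatIf -Verbose
```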
