Domain – Cannot promote Windows Server 2012 R2 to Domain Controller at a new site. “The wizard cannot gain access to the list of domains in the forest.”

Tags: active-directory, dcpromo, domain, domain-controller, windows-server-2012-r2

I'm opening a new site (physical and logical) in my international Windows domain.

The site is connected to the main office by a VPN over a slow connection (I'm using pfSense as my main router and ClearOS as my VPN manager, which is the same setup I use at all my sites). I can't do anything about improving the connection at the moment.

I've just set up two brand-new physical machines, each running an instance of a brand-new clean install of Windows Server 2012 R2 (with all updates) on top of VMware ESXi 6 (again, this is the same at all my sites, except some are running ESXi 5.5 and some are running 6).

When I try to promote the servers to Domain Controller, I am getting the following error:

The wizard cannot gain access to the list of domains in the forest.

Clicking on Show more gives me the following details:

This condition may be caused by a DNS lookup problem. For information about troubleshooting common DNS lookup problems, please see the following Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=5171

The error is:
The RPC server is unavailable.

Following the recommendations here https://technet.microsoft.com/en-us/library/cc526682.aspx, I have tried issuing the commands ipconfig /registerdns and ipconfig /flushdns and then trying the promotion again, to no effect.

Some additional "symptoms" of my slow connection:

  1. The above error takes about 5 to 10 minutes to appear after attempting the initial step of the promotion process (in another question I posted that the process was hanging, but I simply wasn't waiting long enough).
  2. I successfully joined both servers to the Domain, but one took about 5 minutes to join and the other took about 10 minutes to join.
  3. After joining the Domain, I had to reboot and then I logged in as a Domain Admin user. Logging in took about 10 minutes on one machine and 20 minutes on the other machine.
  4. All that said, I can ping the remote DC in the main office continuously (over the VPN, using the local IP) with no problem. Average ping is around 250 ms. The ping is not the problem; it is the bandwidth over the local DSL connection, which is about 5 Mbit down and 750 kb up, but shared amongst the entire office of about 10 users.

Here are some additional errors from my event viewer:

DFSR Event 1202: (On one machine only)

The DFS Replication service failed to contact a domain controller to access configuration information. The service will try again during the next configuration polling cycle. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.

Group Policy Preprocessing Event 1006: (On both machines)

The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the Details tab for error code and description.

Can anyone give me any troubleshooting clues on how to figure out why I can't successfully promote these servers to DCs? I've used almost this identical setup in a dozen different branches around the world with no problems, so I'm thinking this must be something unique to the local connection…
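The checks below are an added example for this thread, not something the original poster ran. They walk the three things the wizard's error text points at: which resolver the server is actually using, whether the DC-locator SRV records resolve from the branch, and whether the ports a promotion needs (not just ICMP) are reachable across the VPN. The domain name, the remote DC's address and the interface alias are placeholders.

```powershell
# Added example; not from the original post. Placeholders: AD domain name,
# the remote DC's VPN-side address and the NIC alias on the new server.
$Domain   = 'corp.example.com'
$RemoteDc = '10.0.0.10'

# 1. Resolver configuration. A 10-minute domain join and a "DNS lookup
#    problem" warning usually mean the first DNS server on the NIC does not
#    host the AD zone (router or ISP resolver instead of a DC).
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 2. DC locator records. The wizard builds "the list of domains in the
#    forest" by querying these SRV records; if they do not resolve here,
#    it cannot even find a DC to talk to.
$SrvRecords = "_ldap._tcp.dc._msdcs.$Domain",
              "_kerberos._tcp.dc._msdcs.$Domain",
              "_ldap._tcp.gc._msdcs.$Domain"
foreach ($rec in $SrvRecords) {
    try {
        Resolve-DnsName -Name $rec -Type SRV -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            Format-Table Name, NameTarget, Port, Priority -AutoSize
    } catch {
        Write-Warning "SRV lookup failed for ${rec}: $($_.Exception.Message)"
    }
}

# 3. Port reachability over the VPN. A working ping says nothing about RPC.
#    "The RPC server is unavailable" means TCP/135 (endpoint mapper) or the
#    dynamic RPC range (49152-65535 on Server 2008 and later) is not
#    reachable; a VPN/firewall policy that permits ICMP and LDAP but not the
#    dynamic range produces exactly this error during promotion.
$Ports = @(
    @{ Port = 53;   Service = 'DNS' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 135;  Service = 'RPC endpoint mapper' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB (SYSVOL, netlogon)' },
    @{ Port = 464;  Service = 'Kerberos password change' },
    @{ Port = 636;  Service = 'LDAPS' },
    @{ Port = 3268; Service = 'Global Catalog' }
)
foreach ($p in $Ports) {
    $r = Test-NetConnection -ComputerName $RemoteDc -Port $p.Port -WarningAction SilentlyContinue
    '{0,6}  {1,-28} {2}' -f $p.Port, $p.Service, $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED or filtered' })
}

# 4. What the OS's own locator and secure channel think, independent of the wizard.
nltest /dsgetdc:$Domain /force /writable
nltest /sc_verify:$Domain
Test-ComputerSecureChannel -Verbose
```

If step 2 fails, fix the NIC's DNS servers (or the conditional forwarder on the branch resolver) before anything else; if step 3 shows 135 open but promotion still reports RPC unavailable, the dynamic range is the usual culprit, and the fix is a VPN/firewall rule for 49152-65535 to the DC rather than anything on the servers themselves.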

Best Answer

You may have better luck promoting to DC from media, as described in this MS TechNet article. Basically, you will move all necessary data in one go with a packed file, instead of establishing all those connections over your high-latency connection. After promotion there will be a need for regular replication, which will be retried continuously and, hopefully, some will succeed.

On source DC:

ntdsutil
activate instance ntds
ifm
create sysvol full c:\path-to.file

Copy the file to the new server and use it with the Install from Media option in the promotion wizard.