Unable to dcpromo new 2008 Server in 2000 domain

Tags: active-directory, domain-controller, windows-server-2000, windows-server-2008

I'm trying to replace an old Windows 2000 domain controller with a new Windows 2008 Server. I have the Active Directory Domain Services role installed on the new server and joined it to the domain. The next step is to promote the new server to be a domain controller in the existing domain. After that is done I can then take the old server offline.

I've already run the adprep tool with /forestprep and /domainprep. When I run dcpromo it looks like it replicates everything, creates the users, groups, and computer objects, but then I get this error:

The operation failed because:

Active Directory Domain Services is missing critical information after installation and cannot continue. If this is a replica Active Directory Domain Controller, rejoin this server to the domain.

"Directory object not found."

I have tried re-joining the computer to the domain and there's nothing helpful in the event logs. I'm at a loss for how to get past this. Any help appreciated.


My own searches found this MS Knowledge Base article:
http://support.microsoft.com/kb/248079

But it's not really helpful. As far as I can tell, all four items it's looking for are present, re-creating the domain isn't a good option, and the 2000 SP1 slipstreaming advice doesn't apply to my Windows 2008 box.


Checking into each of the objects from the KB article, I noticed the SID for my Administrator account is: S-1-5-21-2025429265-492894223-1708537768-1124. Note that it does not end with "500", and therefore is somehow likely wrong. The built-in Administrator account is nowhere to be found. This is the account referenced by the 2nd bullet point item under the "Causes" heading in the linked knowledge base article. Any ideas how to fix this? I'm going to make this specific part a separate question as well, but I'll be sure to keep both up to date.


Update on what might have happened. It won't help solve the problem, but in case anyone's curious I found some old notes that help explain the problem. Apparently, once upon a time this server ran an FTP service that has since been replaced with better alternatives. At the time the service was running, the then-administrator noticed that script kiddies were trying to brute-force the administrator password via that service. Now it seems that in Windows 2000 you can't disable FTP access for the Administrator account short of shutting down the service. He tried renaming the account, but they somehow followed the rename. And so after "a nasty hack" he instead "removed" the account. I think I may have to re-create the domain somehow 🙁
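The SID check the question walks through (does the Administrator object carry the well-known RID 500 under the domain SID?) can be done mechanically over a list of SIDs exported from the directory. The script below is an added example, not code from the question or from KB 248079; the sample SIDs are constructed except the one quoted in the question.

```python
# Added example (not from the question or KB 248079): parse Windows domain
# account SIDs and report which well-known accounts, above all the built-in
# Administrator (RID 500), are absent from a set of SIDs taken from the domain.

# Relative identifiers every domain is expected to contain.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users",
                   516: "Domain Controllers"}


def parse_sid(text):
    """Split 'S-1-5-21-a-b-c-rid' into (domain_sid, rid); reject other shapes."""
    parts = text.strip().split("-")
    if len(parts) != 8 or parts[0].upper() != "S":
        raise ValueError("not a domain account SID: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # Domain SIDs use revision 1, the NT authority (5) and sub-authority 21,
    # followed by three machine-generated values and then the account's RID.
    if revision != 1 or authority != 5 or subs[0] != 21:
        raise ValueError("not an NT domain SID: %r" % text)
    return "-".join(parts[:7]), subs[4]


def describe(text):
    """Name the well-known account a SID denotes, or flag it as user-created."""
    _, rid = parse_sid(text)
    return WELL_KNOWN_RIDS.get(rid, "user-created account (RID %d)" % rid)


def missing_well_known(sids):
    """Return {rid: name} for expected accounts missing from the given SIDs.

    All SIDs must belong to one domain, so an object from a trusted domain
    cannot mask a missing local account."""
    parsed = [parse_sid(s) for s in sids]
    domains = {d for d, _ in parsed}
    if len(domains) != 1:
        raise ValueError("SIDs come from several domains: %s" % sorted(domains))
    present = {rid for _, rid in parsed}
    return {rid: name for rid, name in WELL_KNOWN_RIDS.items() if rid not in present}


if __name__ == "__main__":
    domain = "S-1-5-21-2025429265-492894223-1708537768"  # domain SID from the question
    found = [domain + "-1124",  # the 'Administrator' SID the question quotes
             domain + "-501", domain + "-502", domain + "-512",
             domain + "-513", domain + "-516"]  # constructed sample objects
    print(describe(found[0]))          # user-created account (RID 1124)
    print(missing_well_known(found))   # {500: 'Administrator'}
```

Feed it the objectSid values of the accounts the KB article lists and an empty result means all the well-known RIDs are present; any account renamed or recreated by hand will show up under its real RID (1000 or higher) instead.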

Best Answer

This is going to sound crazy but only because I did this to myself once. Check and be sure there are no firewalls or network issues. I had one network once where I accidentally had the Windows firewall turned on, on one of the DCs (there were 4), so because this DC wasn't replicating properly I couldn't do any AD upgrades. Though the rest of the network was working fine so there were no symptoms until I tried to update the schema in my case.

Simple test: make sure each DC can ping every other DC and that all DNS is resolving properly. Also ensure the AD is in the highest that Windows 2000 can go, I'm not sure how backwards compatible 2008 is as a DC.