Forest functional upgrade not possible
- From: gordonah <gordonah@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 18 Aug 2008 04:52:01 -0700
I’m having trouble upgrading the forest functional level in a test
environment, and am wondering if any light can be shed on the issue.
(Sorry for the length of this initial post, but I thought it best to
include as much as possible.)
When attempting to raise the forest functionality to Windows 2003 (logged in
to holder of all root FSMOs with Enterprise admin account) I receive the
following error;
“The forest functional level could not be raised. This may be due to
replication latency. Please wait about 30 minutes and try again.”
I first got this error two weeks ago, so replication latency can be ruled
out (replication health checked numerous times during this period).
More specifically if I raise the NTDS service logging level to 5 for 9
(Internal Processing), 8 (Directory access) and 16 (LDAP interface events) I
get three events logged when I try to raise forest functional level; 1535,
1175 and 1481.
The details of these events are;

Source: NTDS General
Category: Internal Processing
Event ID: 1481
Description:
Internal error: The operation on the object failed.
Additional data: Error value: 5 00002179: SvcErr: DSID-030F12D4, problem
5003 (WILL_NOT_PERFORM), data 0

Source: NTDS General
Category: Directory Access
Event ID: 1175
Description:
Internal event: A privileged operation (rights required = 0x) on object
CN=Partitions,CN=Configuration,<FOREST ROOT> failed because a non-security
related error occurred.

Source: NTDS LDAP
Category: LDAP Interface
Event ID: 1535
Internal event: The LDAP server returned an error 00002179: SvcErr: DSID,
030F12D4, problem 5003 (WILL_NOT_PERFORM), data 0

Error 2179 is ERROR_DS_NO_BEHAVIOR_VERSION_IN_MIXEDDOMAIN, which indicates
that one or more domains are still in mixed mode. However this is not the
case. The test domain has a placeholder root domain (single DC) and a
production domain (three DCs), both of which are at Windows 2003 level, and
this value (domainFunctionality=2) is consistent across all DCs.
This test environment I’ve been asked to use has unfortunately not been
maintained properly. When I got to it I found that it even had a ‘dead’
domain referenced (another one below the placeholder root). I tidied this up
using NTDSUTIL, including removing the domain and the domainDNSzones
partition, and can no longer find any reference to it in the configuration
container, or as a trust in other domains, but I can’t help feeling that some
residue of this domain is causing the issue.
The following steps have been taken as troubleshooting steps;
• Replication confirmed as healthy. (repadmin /replsum)
• Domain controllers confirmed as healthy (dcdiag /c/v/d,
/test:verifyenterprisereferences)
• Netdiag /v on all DCs
• Only expected partitions in cn=partitions,cn=configuration,<FOREST ROOT>
• No references to failed domain in Configuration partition (dumped using
ldif and scanned)
• All DCs are now at sp2 (were at sp1 before)
• 2 * DomainDNSZones deleted and recreated
• No obsolete computer objects in Sites and Services
• No obsolete _msdcs references, or reference to ‘dead’ domain
• Schema and Enterprise admins are universal groups
• Forest prep logs (for 2K3 update) are still available and don’t report any
error
• No unexpected computers think they’re DCs (userAccountControl 8192)
• Lost and found objects deleted
• CNF objects deleted
• Lingering objects cleared down (there were a lot of these on the root DC
in the child partition)
• FSMO roles are reporting correctly (netdom query fsmo) when checked from
each DC. These are as per appropriate fsmoRoleOwner attributes.
• Enterprise Admins and Enterprise Domain Controllers seem to have
appropriate rights (compared with other environments) to the partitions (at
root of partitions, and in CN=Partitions container), and the Partitions
container in Configuration partition.
• Thirteen attributes are added to the global catalog as part of the forest
functional update. To rule this out I manually added the attributes to the
PAS with the Schema GUI.
• ntmixedDomain value on all DCs=0.
• No obsolete security descriptors on CN=Partitions or its content partitions
• INITSYNC has been set to be skipped (Repl Perform Initial Synchronizations
= 0)
• “Everyone” has Access this computer from the network right
• userAccountcontrol for all DCs is 532480
Two other errors have also been received, but haven’t helped me so far.
Whenever a DC is rebooted the following error is received;
Source: NTDS
Category: Internal Processing
Event ID: 1481
Description:
Internal error: The operation on object failed.
Additional data
Error value
2 000020EF: NameErr: DSID-032500F4, problem 2001 (NO_OBJECT), data -1603,
best match of: “”
20EF = ERROR_DS_UNKNOWN_ERROR
======
I tried using ADMOD to ‘manually’ update the msDS-Behavior-Version value
(recommended in a post elsewhere by Joe Richards), and got the following
error;
DN Count: 1
Using server: <ROOTDC>.<FOREST ROOT>:389
Directory: Windows Server 2003
Modifying specified objects...
DN: CN=Partitions,CN=Configuration,<FOREST ROOT>...
Extended Error: 00000057: LdapErr: DSID-0C090A85, comment: Error in
attribute conversion operation, data 0, vece
ERROR: Too many errors encountered, terminating...
The command did not complete successfully
x57= LDAP_FILTER_ERROR
I couldn’t get any further with these errors.
Thanks in advance for any help.
Regards
Gordon
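
Added example (not part of the original post): a Python parser for the directory-service extended-error strings quoted above, grouping them by error code and DSID so that the 1481 and 1535 events from the raise attempt appear as one error, separate from the reboot-time 1481 and the ADMOD failure. The function names and the field layout in the regular expression are assumptions drawn from the strings in the post; the only code names used are the two the post gives.

```python
import re
from collections import defaultdict

# Code names exactly as given in the post; any other code is left unnamed.
KNOWN_CODES = {
    0x2179: "ERROR_DS_NO_BEHAVIOR_VERSION_IN_MIXEDDOMAIN",
    0x20EF: "ERROR_DS_UNKNOWN_ERROR",
}

# <8 hex digits>: <class>Err: DSID-<8 hex digits>, problem N (NAME) | comment: text, data N
# "DSID, " is also accepted because event 1535 is quoted that way in the post.
EXT_ERR = re.compile(
    r"(?P<code>[0-9A-Fa-f]{8}):\s*(?P<cls>\w+Err):\s*DSID[-,]\s*(?P<dsid>[0-9A-Fa-f]{8}),\s*"
    r"(?:problem\s+(?P<problem>\d+)\s+\((?P<pname>\w+)\)|comment:\s*(?P<comment>[^,]+)),\s*"
    r"data\s+(?P<data>-?\d+)"
)

def parse_ext_error(text):
    """Return the fields of the first extended-error string in text, or None."""
    m = EXT_ERR.search(text)
    if m is None:
        return None
    code = int(m["code"], 16)
    return {
        "code": code,
        "name": KNOWN_CODES.get(code),
        "class": m["cls"],
        "dsid": m["dsid"].upper(),
        "problem": int(m["problem"]) if m["problem"] else None,
        "detail": m["pname"] or m["comment"].strip(),
        "data": int(m["data"]),
    }

def correlate(records):
    """Group record labels by (error code, DSID); records sharing a key report the same error."""
    groups = defaultdict(list)
    for label, text in records:
        err = parse_ext_error(text)
        if err:
            groups[(err["code"], err["dsid"])].append(label)
    return dict(groups)

# Constructed input: the error strings quoted in the post, with wrapped lines rejoined.
SAMPLE = [
    ("1481 raise", "Error value: 5 00002179: SvcErr: DSID-030F12D4, problem 5003 (WILL_NOT_PERFORM), data 0"),
    ("1535 raise", "The LDAP server returned an error 00002179: SvcErr: DSID, 030F12D4, problem 5003 (WILL_NOT_PERFORM), data 0"),
    ("1481 reboot", "2 000020EF: NameErr: DSID-032500F4, problem 2001 (NO_OBJECT), data -1603, best match of: \"\""),
    ("ADMOD", "Extended Error: 00000057: LdapErr: DSID-0C090A85, comment: Error in attribute conversion operation, data 0, vece"),
]
```

Calling correlate(SAMPLE) returns one entry per distinct (code, DSID) pair, each listing the records that carried it.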