When you try to configure the first Windows Server 2012 domain controller in an existing Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 forest, the prerequisites check fails, and you receive the following error message:
Verification of prerequisites for Active Directory preparation failed. Unable to perform Exchange schema conflict check for domain adatum.com. Exception: The RPC server is unavailable. Adprep could not retrieve data from the server 2008r2-01.adatum.com through Windows Management Instrumentation (WMI).
Additionally, the C:\windows\debug\adprep\logs\<date/time>-test\adprep.log file shows the following:
[2012/07/24:09:50:21.734]
Adprep failed while performing Exchange schema check.
[Status/Consequence]
The Active Directory Domain Services schema is not upgraded.
[User Action]
Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20120724094831-test directory for possible cause of failure.
[2012/07/24:09:50:21.734]
Adprep encountered a Win32 error.
Error code: 0x6ba Error message: The RPC server is unavailable.
DSID Info:
DSID: 0x1810012a
HRESULT = 0x800706ba
NT BUILD: 8517
The existing domain controller or controllers are missing the SeServiceLogonRight ("Log on as a service") right for the NETWORK SERVICE account.
The WMI and DCOM protocols are blocked between the computer that is running Windows Server 2012 and the existing domain controller or controllers.
Add the NETWORK SERVICE account back to the SeServiceLogonRight ("Log on as a service") right in the Default Domain Controllers policy. By default, the account is present there in Windows Server 2003 domains. If the account is already present in the Default Domain Controllers policy, make sure that no other policy is removing it. In Windows Server 2008 and later versions, the account is granted this right by local security policy on all servers by default and is no longer part of the Default Domain Controllers policy.
Examine Windows Firewall on the existing domain controllers, and make sure that the following rules are enabled. (By default, these rules are enabled on domain controllers.)
Windows Management Instrumentation (WMI-In)
Windows Management Instrumentation (DCOM-In)
Windows Management Instrumentation (Async-In)
If these rules are not enabled, enable them, and then retest. If domain controller configuration is still failing the prerequisite test, examine any third-party software firewalls or endpoint protection software on the existing domain controllers and firewalls between the existing domain controllers and the domain controllers that are running Windows Server 2012. Make sure that their rules enable the following:
TCP/IP - port 135 - RPC/DCOM/WMI endpoint mapper (RpcSs)
TCP/IP - all ports - Asynchronous callback WMI client (Unsecapp)
TCP/IP - all ports - Windows Management Instrumentation service (Wmimgmt)
If domain controller configuration is still failing, use double-sided network captures between the existing and new domain controllers to determine where the traffic is dropping, and consider contacting Microsoft Customer Support.
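The checks in the resolution above can be scripted before rerunning the prerequisite test. The following PowerShell is an added example, not part of the original article: the function names and the temporary file name are assumptions, and it assumes secedit writes NETWORK SERVICE as its well-known SID S-1-5-20 in the export.

```powershell
# Added example; function names and the temp file name are assumptions.
# Run the first two functions on the Windows Server 2012 computer and the
# third from an elevated prompt on the existing domain controller.

function Test-RpcEndpointMapper {
    param([string]$Server, [int]$TimeoutMs = 3000)
    # TCP port 135 is the RPC/DCOM/WMI endpoint mapper (RpcSs).
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, 135, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-RemoteWmi {
    param([string]$Server)
    # A remote WMI query also needs the dynamic RPC port handed out by the
    # endpoint mapper, so it can fail with 0x800706BA even when 135 answers.
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Server -ErrorAction Stop
        return "OK: $($os.Caption)"
    } catch {
        return "FAILED: $($_.Exception.Message)"
    }
}

function Test-NetworkServiceLogonRight {
    # Export the user rights of this computer and look for NETWORK SERVICE
    # (well-known SID S-1-5-20) in the SeServiceLogonRight entry.
    $cfg = Join-Path $env:TEMP 'adprep-user-rights.inf'
    secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
    try {
        $line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
        return [bool]($line -match '\*S-1-5-20\s*(,|$)')
    } finally { Remove-Item $cfg -ErrorAction SilentlyContinue }
}

# Usage, with the server name from the error message above:
# Test-RpcEndpointMapper -Server '2008r2-01.adatum.com'
# Test-RemoteWmi -Server '2008r2-01.adatum.com'
# Test-NetworkServiceLogonRight
```

If Test-RpcEndpointMapper returns True but Test-RemoteWmi fails, the block is on the dynamic ports rather than port 135, which points at the WMI firewall rules or an intermediate firewall.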
This issue also occurs if you are running Windows Server 2012.
The adprep.exe /forestprep command also runs prerequisite checking.
The missing SeServiceLogonRight right issue can be caused when administrators have previously run the dcpromo /forceremoval command in Windows Server 2003.