NWHS
asked on
Unable to run "setup /forestprep" during Exchange 2003 install. Permissions error encountered.
I'm bringing up a brand new network for one of my clients. I built a brand new server, installed Windows 2003 and then promoted it to a DC. Everything went fine until I tried to install Exchange.
(I'm aware of the pitfalls associated with installing Exchange on a DC. Unfortunately, they are a necessary evil in this situation.)
setup /forestprep returns the following error:
The component "Microsoft Exchange Forest Preparation" cannot be assigned
the action "ForestPrep" because:
- Either you do not have permission to update the Active
Directory schema or Active Directory service is currently too busy.
I'm aware of the Knowledge Base article KB274196 which identifies the "remote registry service" as the culprit. My server has this service running correctly and my Exchange setup log does not contain the same errors listed in that KB article.
Here is a copy of my Exchange install log: http://pastebin.ca/730149
Here is a copy of netdiag's output: http://pastebin.ca/730151
Here is a copy of dcdiag's output: http://pastebin.ca/730152
Any assistance would be appreciated.
Cheers,
-Zander
Make sure that the account you are using is a member of the schema administrators group.
ASKER
I am doing this as the Domain Administrator who is a schema administrator by default. I double checked just in case the permission had been removed. Everything is fine.
ASKER
Sorry, I think that was a little vague. I mean to say that there were no problems with the domain administrator's permissions. The overall problem persists.
-Zander
It wasn't that vague.
Anyway, there are a few things here. First, I would reboot, then try setup again - I know, I know, amazingly scientific.
Second, assuming that does no good, I would make the Domain admin account you are using, a member of the local administrators group (it is a long shot, I know, and it shouldn't matter as it is already in there with domain admins, but humour me - then reboot and try again).
Third, how many servers? Is this Exchange server the first DC? If not, find out which one is, find out if it is the Schema Master FSMO role holder, and then run forestprep on that one.
Finally, you could also have a look at this, but it is another long shot -> http://support.microsoft.com/kb/326262
-red
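The checks suggested in the thread up to this point (Schema Admins membership, locating the Schema Master, the Remote Registry service from KB274196), collected into one batch file as an added example that is not part of the original posts. It assumes the built-in Windows Server 2003 tools `whoami`, `dsquery`, `sc` and `findstr`; the Enterprise Admins check is an addition the thread does not mention.

```batch
@echo off
rem Added example (not from the thread): pre-flight checks before "setup /forestprep".
rem Assumes Windows Server 2003 built-ins: whoami, dsquery, sc, findstr.
rem Run it as the account that will run setup, on the server where setup will run.
setlocal
set FAIL=0

echo [1] Groups in the current logon token
call :group "Schema Admins"
rem Assumption: Enterprise Admins is checked too; the thread only names Schema Admins.
call :group "Enterprise Admins"

echo [2] Schema Master FSMO role holder
rem Prints the DN of the DC that holds the role; compare it with this server.
dsquery server -hasfsmo schema

echo [3] Remote Registry service (the KB274196 cause)
sc query RemoteRegistry | findstr /i /c:"RUNNING" >nul
if errorlevel 1 (echo     NOT RUNNING& set FAIL=1) else (echo     ok: running)

if %FAIL%==0 (echo Result: all checks passed) else (echo Result: at least one check failed)
endlocal & exit /b %FAIL%

:group
rem %1 arrives quoted, so findstr treats the group name as one literal string.
whoami /groups | findstr /i /c:%1 >nul
if errorlevel 1 (echo     MISSING: %~1& set FAIL=1) else (echo     ok: %~1)
goto :eof
```

`whoami /groups` reads the current logon token rather than the directory, so a group added in Active Directory after logon only shows up after logging off and on again.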
ASKER
Hey Red,
I've already tried the reboot trick twice. I love the magic of rebooting. Unfortunately, no dice this time.
So far as I'm aware, a system that has been promoted to a DC no longer has a "local administrators" group. I hunted around for one just in case but there's nothing like that in AD, and the "users and groups" item has been removed from the computer management tree.
This is the only server in the domain (the only computer at all for that matter) so it is the Schema master.
I had already gone through that article. I even made that change to the registry, even though those errors do not appear in my setup log. No dice there either.
-Zander
Why is netdiag showing up as Windows 2000? And why have you not updated the server at all (you only have 2 listed hotfixes)?
ASKER
This seems unrelated but it might be important information.
This is a rebuild of their previous server which crashed with no backup. I was able to pull a copy of the ntds.dit file off of the crashed server and attempted to recover it after rebuilding the server with identical settings.
Since I didn't have a system state backup I attempted my recovery using ntdsutil in ds recovery mode. I simply set the db path to a different directory containing the old ntds.dit file. Unfortunately this did not work because no one knew the original dsrm password, so I returned the settings to the original path. I ran "integrity" which succeeded and then booted the server with no further problems.
ASKER
I don't have a clue why netdiag is showing the server as Windows 2000. I thought that was pretty strange too. I am actually running the SP2 update as I type this. I'm headed home after that but I'll report back in the morning.
Thanks for all the help so far. I really appreciate the friendly respect that you capably communicate in your messages.
-Alex
Why are you trying to recover anything on what sounds like a clean network install? What is stopping you from formatting it and starting again?
ASKER
Several answers:
There was a pre-existing network here before I came along. They hired me to re-create their network after a total server failure. When I walked in the door they had a non-functional DC with two of the 3 RAID5 drives in failure mode. I forced the array back online and was able to copy the ntds.dit file (that's the Active Directory database) from the degraded array.
I then started from scratch and built them a fresh server. The first thing I tried to do was recover their pre-existing AD database so as to not have to rebuild all their accounts from scratch. I used the ntdsutil method that I mentioned above. That was unsuccessful because no one remembered the old dsrm password. So, I proceeded with the fresh AD database.
At this point I've recreated all their accounts and group permissions for file shares. All their workstations have been joined to the domain (my assistant did that last night) and all their old profiles have been transferred into new ones. That is why I don't want to format and reinstall.
At this point I think our best lead is probably the weird "Windows 2000" message in netdiag. I ran a fixboot to see if it was something with the kernel but that didn't seem to do much. (To be honest, I don't know what fixboot really fixes.)
-Zander
How many users are we talking about here?
Anyway, rebuilds aside (FWIW, I NEVER use a server that gives me problems when configuring it - if something goes wrong, it gets formatted til it plays nice - it might take 4 or 5 installs, but it is worth it), how did the service pack and updates go for Windows?
Where did you get netdiag? Download the latest version in the support tools.
-red
ASKER
Ok,
So here's the solution. If you're reading this thread hoping for an elegant answer, I'm sorry but I'm not going to be able to provide one.
I ran out of time to wait for assistance and went with the hit-it-with-a-hammer method. I took a system-state backup of the server and formatted it. After rebuilding it exactly as it had been before, I recovered the system state. All of this was done using the built-in backup software (formerly known as ntbackup). Once I had recovered the system-state I no longer had the forestprep error. I'm still in the dark as to why it was happening in the first place.
All I learned about the problem is that it isn't related to netdiag reporting the wrong OS (it still does that) and whatever was causing the trouble isn't stored in the system state.
-Zander