

ungraceful dcpromo /forceremoval and now exchange 2010 problems and AD loose ends

Posted on 2010-11-11
Medium Priority
Last Modified: 2012-05-10

I have just used demazter's SBS2003 to 2008R2 and Exchange 2010 guide; most of it was pretty much in line with the guide until the end, when attempting to demote the old SBS2003 server. It gave me an error saying it could not contact any other domain controllers, even though it was there, and I could get a ping response, name resolution, etc. Upon searching for hours I found a number of processes to use the /forceremoval, thinking I could clean up the metadata later. Well, the SBS2003 server will now no longer log on, even using the local administrator password, so this is a write-off.


- metadata removal process didn't even see the old server
- Exchange Management Shell could not connect
- endless DNS errors
- unable to edit any GPO
- unable to use dcgpofix (didn't think I was an administrator)

and the list goes on...

However, the question that lurks for a small organization of 30 employees is: "do I re-do this whole domain from fresh, or is this a simple few loose ends to clean up?" Anyway, I went down the loose ends road, got gpofix to work, used the BURFLAGS fix to D4, and after a sleepless night ended up getting a clean "dcdiag" response except for "Unable to connect to the netlogon share", which didn't seem to affect any logons or operations...

After configuring the SSL UCC signature and continuing on, I thought I had a reasonably functional DC. That is, until I tried to remove some of the references to my old organization in Exchange.

An overview of my machine

A summary of my situation now:

- Outlook Web Access will no longer work in Exchange 2010 from an external address; it gets to the login page, then hangs when you click submit
- Exchange Best Practices Analyzer reports the first administrative routing group deleted
- unable to connect to routing master
- Active Directory domain has an unrecognized Exchange signature
- DCDIAG reports unable to connect to netlogon share
- DCDIAG reports that SSL certificate for has been deleted
- Task get-exchangeassistanceconfig throws unhandled exception
- Exchange replication service could not find a valid configuration for Exchange database xxx
- could not find a certificate in the personal store for the FQDN; then it points to one of the OLD servers
- (in Event Viewer) Microsoft-Windows-FailoverClustering/Operational - The specified channel could not be found

There are more errors, but I am just trying to paint a picture. I HAVE had OWA working, but I have crashed it. One of the problems I have in researching this is that no one seems to acknowledge that the old server DOES NOT EXIST anymore. I cannot connect it back up and use System Manager to change anything or replicate any AD info.

Where I am now is that the following works:

- logons
- folder redirection
- full access to GPO
- Exchange ActiveSync (although VERY slow)
- OWA within organization LAN
- remoteapp on appserver VM using TS web access
- DHCP, DNS, etc..

but the deeper I dig, the more errors I seem to create. OWA does not work, Exchange keeps telling me I have legacy servers and keeps changing its own settings, and yeah. Etc.

My MAIN question is: GUYS, should I start again, or is there a common theme to the above?

If I start again, can I use my mailbox.edb (which did successfully move over to 2010) to connect to the re-installed Exchange? I cannot get ExMerge to work either; some dll/ocx error.

Thank you, VERY MUCH, for any assistance.  I have this weekend where we are able to be offline if need be.



Question by:benhefron
LVL 74

Expert Comment

by:Glen Knight
ID: 34118659
I am sorry you have had so many problems with following my guide.

It sounds to me like there is something much more deep-rooted going wrong here. My advice would be to call in some professional services.

To be fair this looks like about 20 questions in one.

Author Comment

ID: 34119020
I apologize for the many questions; it feels like 1 but I suppose contains many. I am new to this board and not 100% sure about what the experts expect as an "ideal question". I was just pretty confident that it would make sense to someone.

It sounds like it will be more hassle to try to band-aid this, so let me just make the 20 questions just 1:

Can I take the *.edb file, which is our 33GB mail database, and mount it in a brand new installation if I was to start fresh? Or would I have to extract as PST?

Thank you
LVL 74

Expert Comment

by:Glen Knight
ID: 34119048
You would need to extract the data; whilst Exchange 2010 does support database portability, that is only within the same Exchange Organisation.

Rebuilding is probably a bit extreme, but there does look like a number of different issues here that need to be resolved.

Without knowing exactly what you have done or what state Exchange and/or Active Directory is in it's going to be pretty difficult for any of us to answer this question with certainty.

Author Comment

ID: 34119087
If the rebuild is done with the same domain name and the same user account aliases/user names and structure, would it be successful to use the same edb?

Is there any other information that I could give to paint a clearer picture?

LVL 39

Accepted Solution

ChiefIT earned 2000 total points
ID: 34119687
The common theme would appear to be a DNS-related discrepancy. Specifically, finding the SRV records for domain authentication and replication, and the Host records for Exchange...

Can't find this or that; that's what you are looking at. Bottom line: DNS is associated in many ways with Group Policy replication, Exchange services, logons, and finding the netlogon shares...

Let's start with a simple dcdiag /test:DNS and make sure your old SBS server is not seen as a DNS server (hence timing out many of the functions as it looks for this old server that was demoted).

It appears that you may have DNS metadata and FRS metadata that remain on your current servers. Part of the metadata cleanup process is to remove the existence of the old server as a DNS server, and also to remove it as a replication partner from Sites and Services. If it remains as a partner in Sites and Services, you freeze file replication, and therefore you start getting GPO errors. If you don't have the DNS Host A records correct, you have a problem contacting the current Exchange server. If you don't have DNS right, folder redirection will not work....

All of this sounds like DNS metadata...

Please follow this link to remove all DNS and FRS metadata. Don't just stop at AD metadata. http://www.petri.co.il/delete_failed_dcs_from_ad.htm
LVL 39

Expert Comment

ID: 34119704
By the way, for fixed IPs, make sure that you configure all NICs to recognize your current DNS servers as the preferred and alternate DNS server.

For DHCP clients, go into the DHCP scope options by entering the DHCP snap-in, and make sure the only recognized DNS servers are existing DNS servers. That will pass down the current DNS servers to these clients, and that means they will not look to your SBS server for DNS.

For your SBS server, make sure it is pointed to an existing DNS server for authentication. It sounds like it demoted gracefully and is currently a member server (POINTING TO ITSELF for authentication) for the authentication server.
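The two comments above list the places where a force-removed DC tends to linger: DNS (NS, SRV, A and CNAME records), DHCP option 006, the NIC DNS settings of surviving servers, and the replication partner objects under Sites and Services, plus the netlogon share that dcdiag complained about. The script below is an added example written for this thread, not ChiefIT's or the guide's own code: it audits each of those places for references to the old server and prints a finding per hit, without changing anything. It assumes the DnsServer, DhcpServer and ActiveDirectory RSAT modules are available (on a 2008 R2-era server the equivalent checks are dnscmd /enumrecords and the DHCP console), and the old server name, its old IP and the server names to query are placeholders you replace.

```powershell
#Requires -Modules DnsServer, DhcpServer, ActiveDirectory
# Added audit script (not from the thread). Read-only: it reports stale references
# to a force-removed DC; the cleanup itself is the metadata procedure linked above.
param(
    [string]$OldDc      = 'OLDSBS',       # placeholder: NetBIOS name of the dead DC
    [string]$OldDcIp    = '192.0.2.10',   # placeholder: its former IP (TEST-NET range)
    [string]$DnsServer  = 'localhost',    # a surviving DNS server to query
    [string]$DhcpServer = 'localhost'     # a surviving DHCP server to query
)

$findings = New-Object System.Collections.Generic.List[string]
function Add-Finding([string]$Area, [string]$Detail) { $findings.Add("[$Area] $Detail") }

# 1. DNS: any NS/SRV/CNAME target or A record that still names the old DC makes
#    clients and dcdiag keep looking for it (the timeouts ChiefIT describes).
$zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -ne 'Forwarder' }
foreach ($zone in $zones) {
    foreach ($r in Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName) {
        $target = switch ($r.RecordType) {
            'NS'    { $r.RecordData.NameServer }
            'SRV'   { $r.RecordData.DomainName }
            'CNAME' { $r.RecordData.HostNameAlias }
            'A'     { $r.RecordData.IPv4Address.IPAddressToString }
            default { $null }
        }
        $namesOld = ($r.HostName -match "^$OldDc(\.|$)") -or
                    ($target -and (($target -match "^$OldDc\.") -or ($target -eq $OldDcIp)))
        if ($namesOld) {
            Add-Finding 'DNS' "$($zone.ZoneName): $($r.RecordType) $($r.HostName) -> $target"
        }
    }
}

# 2. DHCP: option 006 (DNS servers) at server level and per scope must not hand
#    out the old DC's address, or clients will keep asking it for DNS.
$serverOpt = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -OptionId 6 -ErrorAction SilentlyContinue
if ($serverOpt -and ($serverOpt.Value -contains $OldDcIp)) {
    Add-Finding 'DHCP' "server-level option 006 still lists $OldDcIp"
}
foreach ($scope in Get-DhcpServerv4Scope -ComputerName $DhcpServer) {
    $opt = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $scope.ScopeId -OptionId 6 -ErrorAction SilentlyContinue
    if ($opt -and ($opt.Value -contains $OldDcIp)) {
        Add-Finding 'DHCP' "scope $($scope.ScopeId) option 006 still lists $OldDcIp"
    }
}

# 3. NICs on this server: preferred/alternate DNS must point at surviving DCs only.
foreach ($nic in Get-DnsClientServerAddress -AddressFamily IPv4) {
    if ($nic.ServerAddresses -contains $OldDcIp) {
        Add-Finding 'NIC' "$($nic.InterfaceAlias) still uses $OldDcIp for DNS"
    }
}

# 4. Sites and Services: a leftover server object, or an nTDSConnection whose
#    fromServer points at the old DC's NTDS Settings, freezes FRS/SYSVOL replication.
$sitesNc = 'CN=Sites,' + (Get-ADRootDSE).configurationNamingContext
$staleServer = Get-ADObject -SearchBase $sitesNc -LDAPFilter "(&(objectClass=server)(cn=$OldDc))"
if ($staleServer) { Add-Finding 'Sites' "server object still present: $($staleServer.DistinguishedName)" }
$conns = Get-ADObject -SearchBase $sitesNc -LDAPFilter '(objectClass=nTDSConnection)' -Properties fromServer
foreach ($c in $conns) {
    if ($c.fromServer -like "*CN=$OldDc,CN=Servers,*") {
        Add-Finding 'Sites' "connection $($c.DistinguishedName) still replicates from $OldDc"
    }
}

# 5. NETLOGON/SYSVOL shares on every surviving DC (the dcdiag warning in the question).
foreach ($dc in Get-ADDomainController -Filter *) {
    foreach ($share in 'NETLOGON', 'SYSVOL') {
        if (-not (Test-Path "\\$($dc.HostName)\$share")) {
            Add-Finding 'Shares' "\\$($dc.HostName)\$share is not reachable"
        }
    }
}

if ($findings.Count -eq 0) {
    "No references to $OldDc found in DNS, DHCP, NIC settings or Sites and Services; all DC shares reachable."
} else {
    $findings
}
```

Run it on a surviving DC as a domain admin before and after the metadata cleanup; an empty result is the state the accepted answer is driving at. Each finding names the exact record, scope or object to fix, which is more useful than the generic "can't find this or that" that dcdiag and the Exchange event log report.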
