Solved

ungraceful dcpromo /forceremoval and now exchange 2010 problems and AD loose ends

Posted on 2010-11-11
1,411 Views
Last Modified: 2012-05-10
Guys,

I have just used demazter's SBS2003 to 2008R2 and Exchange 2010 guide. Most of it was pretty much in line with the guide until the end, when attempting to demote the old SBS2003 server. It gave me an error saying it could not contact any other domain controllers, even though it was there and I could get a ping response, name resolution etc. Upon searching for hours I found a number of processes to use the /forceremoval, thinking I could clean up metadata later. Well, the SBS2003 server will now no longer log on, even using the local administrator password, so this is a write-off.

Anyway;

- metadata removal process didn't even see the old server
- exchange management shell could not connect
- endless DNS errors
- unable to edit any GPO
- unable to use dcgpofix (it didn't think I was an administrator)

and the list goes on...

However, the question that lurks for a small organization of 30 employees is: "do I re-do this whole domain from fresh, or is this a simple few loose ends to clean up?" Anyway, I went down the loose ends road, got gpofix to work, used the BURFLAGS fix to D4, and after a sleepless night ended up getting a clean "dcdiag" response except for "Unable to connect to the netlogon share", which didn't seem to affect any logons or operations...

After configuring the SSL UCC signature and continuing on, I thought I had a reasonably functional DC. That is, until I tried to remove some of the references to my old organization in Exchange.

An overview of my machine

A summary of my situation now:

- Outlook Web Access will no longer work in Exchange 2010 from an external address; it gets to the login page, then hangs when you click submit
- Exchange Best Practices reports first administrative routing group deleted
- unable to connect to routing master
- active directory domain has an unrecognized exchange signature
- DCDIAG reports unable to connect to netlogon share
- DCDIAG reports that SSL certificate for 0.0.0.0:443 has been deleted
- Task get-exchangeassistanceconfig throw unhandled exception
- exchange replication service could not find a valid configuration for exchange database xxx
- could not find a certificate in the personal store for the FQDN then it points to one of the OLD servers
- (in event viewer) Microsoft-Windows-Failoverclustering/operational - The specified channel could not be found

There are more errors but I am just trying to paint a picture. I HAVE had OWA working, but I have crashed it. One of the problems I have in researching this is no one seems to acknowledge that the old server DOES NOT EXIST anymore. I cannot connect it back up and use System Manager to change anything or replicate any AD info.

Where I am now is the following works:

- logons
- folder redirection
- full access to GPO
- exchange activesync (although VERY slow)
- OWA within organization LAN
- remoteapp on appserver VM using TS web access
- DHCP, DNS, etc..

but the deeper I dig, the more errors I seem to create. OWA does not work, Exchange keeps telling me I have legacy servers, and keeps changing its own settings, and yeah. Etc.

My MAIN question is: GUYS, should I start again or is there a common theme to the above?

If I start again, can I use my mailbox.edb (which did successfully move over to 2010) to connect to the re-installed Exchange? I cannot get ExMerge to work either; some dll/ocx error.

Thank you, VERY MUCH, for any assistance. I have this weekend where we are able to be offline if need be.

Cheers

Ben

Question by:benhefron
6 Comments
 
LVL 74

Expert Comment

by:Glen Knight
ID: 34118659
I am sorry you have had so many problems with following my guide.

It sounds to me like there is something much more deep-rooted going wrong here. My advice would be to call in some professional services.

To be fair this looks like about 20 questions in one.
0
 

Author Comment

by:benhefron
ID: 34119020
I apologize for the many questions; it feels like 1 but I suppose contains many. I am new to this board and not 100% sure about what the experts expect as an "ideal question". I was just pretty confident that it would make sense to someone.

It sounds like it will be more hassle to try to band-aid this, so let me just make the 20 questions just 1.

Can I take the *.edb file, which is our 33GB mail database, and mount it in a brand new installation if I was to start fresh? Or would I have to extract as PST?

Thank you
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 34119048
You would need to extract the data; whilst Exchange 2010 does support database portability, that is only within the same Exchange Organisation.

Rebuilding is probably a bit extreme, but there does look like a number of different issues here that need to be resolved.

Without knowing exactly what you have done or what state Exchange and/or Active Directory is in it's going to be pretty difficult for any of us to answer this question with certainty.
0
 

Author Comment

by:benhefron
ID: 34119087
If the rebuild is done with the same domain name and the same user account aliases/user names and structure, would it be successful to use the same edb?

Is there any other information that I could give to paint a clearer picture?

Thanks
0
 
LVL 39

Accepted Solution

by:
ChiefIT earned 2000 total points
ID: 34119687
The common theme would appear to be a DNS related discrepancy. Specifically, finding the SRV records for domain authentication, replications, and Host records for Exchange...

Can't find this or that. That's what you are looking at.. Bottom line is DNS is associated in many ways with Group policy replication, Exchange services, Logons or finding the netlogon shares...

Let's start with a simple dcdiag /test:DNS and make sure your old SBS server is not seen as a DNS server (hence timing out many of the functions as it looks for this old server that was demoted).

It appears like you may have DNS metadata and FRS metadata that remains on your current servers. Part of the metadata cleanup process is to remove the existence of the old server as a DNS server, and also remove it as a replication partner from Sites and Services. If it remains as a partner in Sites and Services, you freeze file replications, and therefore you start getting GPO errors. If you don't have DNS Host A records correct, you have a problem with contacting the current Exchange server. If you don't have DNS right, folder redirection will not work....

All of this sounds like DNS metadata...

Please follow this link to remove all DNS and FRS metadata. Don't just stop at AD metadata. http://www.petri.co.il/delete_failed_dcs_from_ad.htm
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 34119704
By the way, for fixed IPs, make sure that you configure all NICs to recognize your current DNS servers as the preferred and alternate DNS server.

For DHCP clients, go into DHCP scope options by entering the DHCP snap-in, and make sure the only recognized DNS servers are existing DNS servers. That will pass down the current DNS servers to these clients, and that means they will not look for your SBS server for DNS.

For your SBS server, make sure it is pointed to an existing DNS server for authentication. It sounds like it demoted gracefully and is currently a member server (POINTING TO ITSELF for authentication) for the authentication server.
0
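The two comments above name four places where a force-removed DC tends to linger: the server object under Sites and Services, DNS records (A, NS, SRV, CNAME) in the domain and _msdcs zones, DHCP option 006 (DNS servers) at server and scope level, and the DNS client settings on each NIC. The following read-only audit reports every reference it finds so the cleanup in the linked Petri article can be checked against a list rather than by eye. It is an added example written for this page, not code from the thread or the Petri guide; it assumes the RSAT PowerShell modules (ActiveDirectory, DnsServer, DhcpServer) found on Server 2012 and later, not the 2008 R2 era tools the thread used, and the server name, IP address and zone names are constructed placeholders to replace before running.

```powershell
<#
  Added example: report-only audit for leftovers of a force-removed domain controller.
  Assumes RSAT modules ActiveDirectory, DnsServer and DhcpServer (Server 2012+).
  Run on a current DC that also hosts DNS and DHCP, or point the cmdlets at one
  with -ComputerName. Nothing here modifies AD, DNS or DHCP.
#>
param(
    [string]$OldServer = 'OLDSBS',                                  # placeholder: NetBIOS name of the removed DC
    [string]$OldIP     = '192.0.2.10',                               # placeholder: its former address (TEST-NET-1)
    [string[]]$Zones   = @('corp.example', '_msdcs.corp.example')    # placeholder: forward zone and its _msdcs zone
)
Import-Module ActiveDirectory, DnsServer, DhcpServer -ErrorAction Stop

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Area, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Area = $Area; Detail = $Detail })
}

# 1. Sites and Services: a leftover 'server' object (with its NTDS Settings child)
#    keeps the dead DC as a replication partner, which is what stalls FRS and GPO sync.
$configNC = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=server)' -Properties dNSHostName |
    Where-Object { $_.Name -ieq $OldServer -or $_.dNSHostName -like "$OldServer.*" } |
    ForEach-Object { Add-Finding 'SitesAndServices' $_.DistinguishedName }

# 2. DNS: records that still resolve to the old host or its address. SRV records in
#    _msdcs are the ones clients and Exchange use to locate a DC, so check that zone too.
foreach ($zone in $Zones) {
    Get-DnsServerResourceRecord -ZoneName $zone -ErrorAction SilentlyContinue | ForEach-Object {
        $rec = $_   # inside 'switch' $_ is the tested value, so keep the record in its own variable
        $target = switch ($rec.RecordType) {
            'A'     { $rec.RecordData.IPv4Address.IPAddressToString }
            'NS'    { $rec.RecordData.NameServer }
            'SRV'   { $rec.RecordData.DomainName }
            'CNAME' { $rec.RecordData.HostNameAlias }
            default { $null }
        }
        if ($target -and ($target -eq $OldIP -or $target -like "$OldServer.*")) {
            Add-Finding "DNS $zone" ('{0} {1} -> {2}' -f $rec.RecordType, $rec.HostName, $target)
        }
    }
}

# 3. DHCP option 006: server-level value plus every scope-level override.
$optionSets = @(Get-DhcpServerv4OptionValue -OptionId 6 -ErrorAction SilentlyContinue)
$optionSets += Get-DhcpServerv4Scope | ForEach-Object {
    Get-DhcpServerv4OptionValue -ScopeId $_.ScopeId -OptionId 6 -ErrorAction SilentlyContinue
}
foreach ($opt in $optionSets) {
    if ($opt -and ($opt.Value -contains $OldIP)) {
        Add-Finding 'DHCP option 006' ($opt.Value -join ', ')
    }
}

# 4. This server's own NIC DNS client list (the "pointing to itself" case in the thread
#    is the same check run on the remaining SBS box).
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses -contains $OldIP } |
    ForEach-Object { Add-Finding 'NIC DNS client' ('{0}: {1}' -f $_.InterfaceAlias, ($_.ServerAddresses -join ', ')) }

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    "No references to $OldServer / $OldIP found in Sites and Services, DNS, DHCP or NIC settings."
}
```

Run it before and after the metadata cleanup: an empty result on the second pass, together with a clean `dcdiag /test:DNS`, is the evidence that the old server is gone from every place the thread lists. The script deliberately only reports; removing the objects and records it finds is the manual step the Petri article walks through.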
