
Ungraceful dcpromo /forceremoval, and now Exchange 2010 problems and AD loose ends


I have just used demazter's SBS 2003 to 2008 R2 and Exchange 2010 guide. Most of it was pretty much in line with the guide until the end, when attempting to demote the old SBS 2003 server. It gave me an error saying it could not contact any other domain controllers, even though it was there and I could get a ping response, name resolution, etc. After searching for hours I found a number of processes to use /forceremoval, thinking I could clean up the metadata later. Well, the SBS 2003 server will now no longer log on, even using the local administrator password, so this is a write-off.


- metadata removal process didn't even see the old server
- Exchange Management Shell could not connect
- endless DNS errors
- unable to edit any GPO
- unable to use dcgpofix (it didn't think I was an administrator)

and the list goes on...

However, the question that lurks for a small organization of 30 employees is: "do I redo this whole domain from fresh, or is this a simple few loose ends to clean up?" Anyway, I went down the loose-ends road, got dcgpofix to work, used the BURFLAGS fix to D4, and after a sleepless night ended up getting a clean "dcdiag" response except for "Unable to connect to the netlogon share", which didn't seem to affect any logons or operations...

After configuring the SSL UCC signature and continuing on, I thought I had a reasonably functional DC. That is, until I tried to remove some of the references to my old organization in Exchange.

An overview of my machine

A summary of my situation now:

- Outlook Web Access will no longer work in Exchange 2010 from an external address; it gets to the login page, then hangs when you click Submit
- Exchange Best Practices Analyzer reports the first administrative routing group deleted
- unable to connect to routing master
- Active Directory domain has an unrecognized Exchange signature
- dcdiag reports unable to connect to the netlogon share
- dcdiag reports that the SSL certificate for has been deleted
- Task Get-ExchangeAssistanceConfig throws an unhandled exception
- Exchange Replication service could not find a valid configuration for Exchange database xxx
- could not find a certificate in the personal store for the FQDN, then it points to one of the OLD servers
- (in Event Viewer) Microsoft-Windows-FailoverClustering/Operational: The specified channel could not be found

There are more errors, but I am just trying to paint a picture. I HAVE had OWA working, but I have crashed it. One of the problems I have in researching this is that no one seems to acknowledge that the old server DOES NOT EXIST anymore. I cannot connect it back up and use System Manager to change anything or replicate any AD info.

Where i am now is the following works:

- logons
- folder redirection
- full access to GPO
- Exchange ActiveSync (although VERY slow)
- OWA within organization LAN
- remoteapp on appserver VM using TS web access
- DHCP, DNS, etc..

But the deeper I dig, the more errors I seem to create. OWA does not work, Exchange keeps telling me I have legacy servers and keeps changing its own settings, and yeah. Etc.

My MAIN question is: GUYS, should I start again, or is there a common theme to the above?

If I start again, can I use my mailbox .edb (which did successfully move over to 2010) to connect to the reinstalled Exchange? I cannot get ExMerge to work either; some DLL/OCX error.

Thank you, VERY MUCH, for any assistance. I have this weekend, when we are able to be offline if need be.



1 Solution
Glen Knight commented:
I am sorry you have had so many problems with following my guide.

It sounds to me like there is something much more deep-rooted going wrong here. My advice would be to call in some professional services.

To be fair this looks like about 20 questions in one.
benhefron (Author) commented:
I apologize for the many questions; it feels like one but I suppose contains many. I am new to this board and not 100% sure about what the experts expect as an "ideal question". I was just pretty confident that it would make sense to someone.

It sounds like it will be more hassle to try to band-aid this, so let me just make the 20 questions just one:

Can I take the *.edb file, which is our 33 GB mail database, and mount it in a brand new installation if I were to start fresh? Or would I have to extract it as PST?

Thank you
Glen Knight commented:
You would need to extract the data,  whilst Exchange 2010 does support database portability that is only within the same Exchange Organisation.

Rebuilding is probably a bit extreme, but there does look like a number of different issues here that need to be resolved.

Without knowing exactly what you have done or what state Exchange and/or Active Directory is in it's going to be pretty difficult for any of us to answer this question with certainty.
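Since database portability stops at the organization boundary, the data has to leave the old organization as items, not as a database. The script below is an added example, not code from the thread, from Glen Knight or from demazter's guide: it exports every mailbox in the current Exchange 2010 organization to a PST so the mailboxes can be imported into a rebuilt organization with New-MailboxImportRequest. It assumes Exchange 2010 SP1 or later (New-MailboxExportRequest does not exist in RTM, and the thread does not say which build the poster has), that it runs in the Exchange Management Shell, and that \\FILESERVER\PSTExport is a placeholder UNC share writable by the Exchange Trusted Subsystem group.

```powershell
# Added example, not part of the original thread. Exports every mailbox in the
# current Exchange 2010 organization to a PST file for import into a rebuilt
# organization. Assumptions: Exchange 2010 SP1 or later, run from the Exchange
# Management Shell, and \\FILESERVER\PSTExport is a placeholder share that the
# "Exchange Trusted Subsystem" group can write to.
$share = "\\FILESERVER\PSTExport"

# The Mailbox Import Export role is assigned to nobody by default. Grant it to the
# current account, then the shell must be reopened before the cmdlets appear.
$assigned = Get-ManagementRoleAssignment -Role "Mailbox Import Export" `
                -RoleAssignee $env:USERNAME -ErrorAction SilentlyContinue
if (-not $assigned) {
    New-ManagementRoleAssignment -Role "Mailbox Import Export" -User $env:USERNAME | Out-Null
    Write-Warning "Role assigned. Close and reopen the Exchange Management Shell, then run this script again."
    return
}

# One export request per mailbox. -BadItemLimit lets the export skip a handful of
# corrupt items instead of failing the whole mailbox (values above 50 also need
# -AcceptLargeDataLoss). -Name keeps the requests distinguishable afterwards.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $pst = Join-Path $share ("{0}.pst" -f $_.Alias)
    New-MailboxExportRequest -Mailbox $_.Identity -FilePath $pst `
        -BadItemLimit 10 -Name ("Export-" + $_.Alias)
}

# Requests are processed asynchronously by the Mailbox Replication Service;
# poll until nothing is queued or in progress.
do {
    Start-Sleep -Seconds 60
    $active = @(Get-MailboxExportRequest |
        Where-Object { $_.Status -eq 'Queued' -or $_.Status -eq 'InProgress' })
} while ($active.Count -gt 0)

# Final report: anything not "Completed" needs a look before the old server is wiped.
Get-MailboxExportRequest | Get-MailboxExportRequestStatistics |
    Format-Table Name, Status, PercentComplete, FilePath -AutoSize
```

On the rebuilt side, the matching New-MailboxImportRequest -Mailbox <user> -FilePath <pst> loads each file into the freshly created mailbox; because the transfer is item-level, it does not care that the source and destination are different Exchange organizations, which is exactly the restriction database portability has.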
benhefron (Author) commented:
If the rebuild is done with the same domain name and the same user account aliases/user names and structure, would it be possible to use the same .edb?

Is there any other information that I could give to paint a clearer picture?

The common theme would appear to be a DNS-related discrepancy. Specifically, finding the SRV records for domain authentication and replication, and the host records for Exchange...

Can't find this or that. That's what you are looking at... Bottom line is that DNS is associated in many ways with Group Policy replication, Exchange services, logons, and finding the netlogon shares...

Let's start with a simple dcdiag /test:DNS and make sure your old SBS server is not seen as a DNS server (hence timing out many of the functions as they look for this old server that was demoted).

It appears you may have DNS metadata and FRS metadata that remain on your current servers. Part of the metadata cleanup process is to remove the existence of the old server as a DNS server, and also to remove it as a replication partner from Sites and Services. If it remains as a partner in Sites and Services, you freeze file replication, and therefore you start getting GPO errors. If you don't have the DNS host A records correct, you have a problem contacting the current Exchange server. If you don't have DNS right, folder redirection will not work...

All of this sounds like DNS metadata...

Please follow this link to remove all DNS and FRS metadata. Don't just stop at AD metadata. http://www.petri.co.il/delete_failed_dcs_from_ad.htm
By the way, for fixed IPs, make sure that you configure all NICs to recognize your current DNS servers as the preferred and alternate DNS servers.

For DHCP clients, go into the DHCP scope options by opening the DHCP snap-in, and make sure the only recognized DNS servers are existing DNS servers. That will pass the current DNS servers down to these clients, which means they will not look to your SBS server for DNS.

For your SBS server, make sure it is pointed to an existing DNS server for authentication. It sounds like it demoted gracefully and is currently a member server (POINTING TO ITSELF for authentication) for the authentication server.
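The checks in that answer (the dcdiag DNS test, DNS records, the Sites and Services partner, FRS membership, NIC DNS settings and DHCP scope option 006) can be run as one read-only audit before touching anything. The script below is an added example, not code from the thread, from the answerer or from demazter's guide. It assumes it runs elevated on the surviving Windows Server 2008 R2 DC, which also hosts DNS and DHCP; that the RSAT ActiveDirectory module is installed; and that $OldDc is a placeholder for the dead SBS server's NetBIOS name. It shells out to dnscmd and netsh because the DnsServer and DhcpServer PowerShell modules only exist on Windows Server 2012 and later, so the DHCP parsing is best-effort text matching.

```powershell
<#
  Added example, not part of the original thread or of demazter's guide.
  Audits a Windows Server 2008 R2 domain for leftovers of a DC removed with
  dcpromo /forceremoval: dcdiag DNS test, DNS zone data, Sites and Services
  objects, FRS SYSVOL membership, this server's DNS client settings and DHCP
  option 006. Read-only: it reports, it does not delete.
  Assumptions: run elevated on the surviving DC, which also hosts DNS and DHCP;
  RSAT ActiveDirectory module present; dnscmd and netsh are used because the
  DnsServer/DhcpServer modules only exist on Windows Server 2012+.
  $OldDc is a placeholder for the dead server's NetBIOS name.
#>
param(
    [Parameter(Mandatory = $true)][string]$OldDc   # e.g. "SBS2003" (placeholder)
)

Import-Module ActiveDirectory -ErrorAction Stop

$domain  = Get-ADDomain
$rootDse = Get-ADRootDSE
# IPv4 addresses of the DCs that still exist; any other address handed out as a DNS server is stale
$dcIps   = @(Get-ADDomainController -Filter * | ForEach-Object { $_.IPv4Address })
$script:findings = New-Object System.Collections.ArrayList

function Add-Finding([string]$Area, [string]$Detail) {
    [void]$script:findings.Add((New-Object PSObject -Property @{ Area = $Area; Detail = $Detail }))
}

# 1. dcdiag /test:DNS - any line that still names the old server means DNS metadata remains
dcdiag /test:DNS /v | Select-String -Pattern $OldDc -SimpleMatch |
    ForEach-Object { Add-Finding 'dcdiag DNS' $_.Line.Trim() }

# 2. DNS zones: export the domain zone and _msdcs to text (dnscmd writes into
#    %SystemRoot%\System32\dns and refuses to overwrite), then search for the old name
foreach ($zone in @($domain.DNSRoot, "_msdcs.$($domain.DNSRoot)")) {
    $file = "audit_$zone.txt"
    $path = Join-Path "$env:SystemRoot\System32\dns" $file
    if (Test-Path $path) { Remove-Item $path }
    dnscmd /ZoneExport $zone $file | Out-Null
    if (Test-Path $path) {
        Select-String -Path $path -Pattern $OldDc -SimpleMatch |
            ForEach-Object { Add-Finding "DNS zone $zone" $_.Line.Trim() }
        Remove-Item $path
    }
}

# 3. Sites and Services: the old server object, and NTDS connection objects whose
#    fromServer still points at it (they keep live partners waiting on a dead DC)
$sites = "CN=Sites,$($rootDse.configurationNamingContext)"
Get-ADObject -SearchBase $sites -LDAPFilter "(&(objectClass=server)(cn=$OldDc))" |
    ForEach-Object { Add-Finding 'Sites and Services' "Stale server object: $($_.DistinguishedName)" }
Get-ADObject -SearchBase $sites -LDAPFilter '(objectClass=nTDSConnection)' -Properties fromServer |
    Where-Object { $_.fromServer -like "*CN=$OldDc,*" } |
    ForEach-Object { Add-Finding 'Sites and Services' "Connection from old DC: $($_.DistinguishedName)" }

# 4. FRS: a SYSVOL replica-set member for the old DC stalls SYSVOL (and so GPO) replication
$frs = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$($domain.DistinguishedName)"
Get-ADObject -SearchBase $frs -LDAPFilter "(&(objectClass=nTFRSMember)(cn=$OldDc))" -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'FRS' "Stale SYSVOL member: $($_.DistinguishedName)" }

# 5. This server's own NIC DNS settings: every configured DNS server must be a current DC
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    $nic = $_
    foreach ($dns in @($nic.DNSServerSearchOrder)) {
        if ($dns -and ($dcIps -notcontains $dns)) {
            Add-Finding 'NIC DNS' "$($nic.Description) uses non-DC DNS server $dns"
        }
    }
}

# 6. DHCP option 006 (DNS Servers) per scope, parsed from netsh text output (best effort)
$scopes = netsh dhcp server show scope |
    Select-String -Pattern '^\s*(\d{1,3}(\.\d{1,3}){3})\s+-' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }
foreach ($scope in $scopes) {
    $opts  = (netsh dhcp server scope $scope show optionvalue) -join "`n"
    $block = ($opts -split 'OptionId\s*:\s*' | Where-Object { $_ -match '^6\s' }) -join ''
    foreach ($m in [regex]::Matches($block, '\d{1,3}(\.\d{1,3}){3}')) {
        if ($dcIps -notcontains $m.Value) {
            Add-Finding "DHCP scope $scope" "Option 006 hands out non-DC DNS server $($m.Value)"
        }
    }
}

if ($script:findings.Count -eq 0) { "No references to $OldDc found in the areas checked." }
else { $script:findings | Format-Table Area, Detail -AutoSize -Wrap }
```

Run it as .\Audit-DeadDc.ps1 -OldDc SBS2003 (with your own server name) and work through the findings with the metadata cleanup procedure from the linked article; re-run until it reports nothing, then re-run dcdiag in full. A connection object or FRS member that still names the dead DC is the usual reason SYSVOL and Group Policy stay broken after ntdsutil metadata cleanup alone.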