Solved

ungraceful dcpromo /forceremoval and now exchange 2010 problems and AD loose ends

Posted on 2010-11-11
1,402 Views
Last Modified: 2012-05-10
Guys,

I have just used demazter's SBS2003 to 2008R2 and Exchange 2010 guide. Most of it was pretty much in line with the guide until the end, when attempting to demote the old SBS2003 server. It gave me an error saying it could not contact any other domain controllers, even though it was there, and I could get a ping response, name resolution, etc. Upon searching for hours I found a number of processes to use the /forceremoval, thinking I could clean up metadata later. Well, the SBS2003 server will now no longer log on, even using the local administrator password, so this is a write-off.

Anyway;

- metadata removal process didn't even see the old server
- exchange management shell could not connect
- endless DNS errors
- unable to edit any GPO
- unable to use dcgpofix (didn't think I was an administrator)

and the list goes on...

However, the question that lurks for a small organization of 30 employees is: "do I redo this whole domain from fresh, or is this a simple few loose ends to clean up?" Anyway, I went down the loose ends road, got gpofix to work, used the BURFLAGS fix to D4, and after a sleepless night ended up getting a clean "dcdiag" response except for "Unable to connect to the netlogon share", which didn't seem to affect any logons or operations...

After configuring the SSL UCC signature and continuing on, I thought I had a reasonably functional DC. That is, until I tried to remove some of the references to my old organization in Exchange.

An overview of my machine

A summary of my situation now:

- Outlook Web Access will no longer work in Exchange 2010 from an external address; it gets to the login page, then hangs when you click submit
- Exchange Best Practices reports first administrative routing group deleted
- unable to connect to routing master
- active directory domain has an unrecognized exchange signature
- DCDIAG reports unable to connect to netlogon share
- DCDIAG reports that SSL certificate for 0.0.0.0:443 has been deleted
- Task get-exchangeassistanceconfig throw unhandled exception
- exchange replication service could not find a valid configuration for exchange database xxx
- could not find a certificate in the personal store for the FQDN then it points to one of the OLD servers
- (in event viewer) Microsoft-Windows-Failoverclustering/operational - The specified channel could not be found

There are more errors, but I am just trying to paint a picture. I HAVE had OWA working, but I have crashed it. One of the problems I have in researching this is no one seems to acknowledge that the old server DOES NOT EXIST anymore. I cannot connect it back up and use System Manager to change anything or replicate any AD info.

Where i am now is the following works:

- logons
- folder redirection
- full access to GPO
- exchange activesync (although VERY slow)
- OWA within organization LAN
- remoteapp on appserver VM using TS web access
- DHCP, DNS, etc..

but the deeper I dig, the more errors I seem to create. OWA does not work, Exchange keeps telling me I have legacy servers, and keeps changing its own settings, and yeah. Etc.

My MAIN question is: GUYS, should I start again, or is there a common theme to the above?

If I start again, can I use my mailbox.edb (which did successfully move over to 2010) to connect to the re-installed Exchange? I cannot get ExMerge to work either. Some DLL/OCX error.

Thank you, VERY MUCH, for any assistance.  I have this weekend where we are able to be offline if need be.

Cheers

Ben

Question by:benhefron

6 Comments

Expert Comment

by:Glen Knight
I am sorry you have had so many problems with following my guide.

It sounds to me like there is something much more deep-rooted going wrong here. My advice would be to call in some professional services.

To be fair this looks like about 20 questions in one.
Author Comment

by:benhefron
I apologize for the many questions, it feels like 1 but I suppose contains many.  I am new to this board and not 100% sure about what the experts expect as an "ideal question".  I was just pretty confident that it would make sense to someone.



It sounds like it will be more hassle to try to band-aid this, so let me just make the 20 questions just 1:

Can I take the *.edb file, which is our 33GB mail database, and mount it in a brand new installation if I was to start fresh? Or would I have to extract as PST?

Thank you
Expert Comment

by:Glen Knight
You would need to extract the data,  whilst Exchange 2010 does support database portability that is only within the same Exchange Organisation.

Rebuilding is probably a bit extreme, but there do look to be a number of different issues here that need to be resolved.

Without knowing exactly what you have done or what state Exchange and/or Active Directory is in it's going to be pretty difficult for any of us to answer this question with certainty.
Author Comment

by:benhefron
If the rebuild is done with the same domain name and the same user account aliases/user names and structure, would it be successful to use the same edb?

Is there any other information that I could give to paint a clearer picture?

Thanks
Accepted Solution

by:ChiefIT (earned 500 total points)
The common theme would appear to be a DNS related discrepancy. Specifically, finding the SRV records for domain authentication, replications, and Host records for Exchange...

Can't find this or that. That's what you are looking at. Bottom line is DNS is associated in many ways with Group Policy replication, Exchange services, logons, or finding the netlogon shares...

Let's start with a simple DCdiag /test:DNS and make sure your old SBS server is not seen as a DNS server, (hence timing out many of the functions as it looks for this old server that was demoted).

It appears that you may have DNS metadata and FRS metadata that remains on your current servers. Part of the metadata cleanup process is to remove the existence of the old server as a DNS server, and also to remove it as a replication partner from Sites and Services. If it remains as a partner in Sites and Services, you freeze file replications, and therefore you start getting GPO errors. If you don't have DNS Host A records correct, you have a problem with contacting the current Exchange server. If you don't have DNS right, folder redirection will not work....

All of this sounds like DNS metadata...

Please follow this link to remove all DNS and FRS metadata. Don't just stop at AD metadata. http://www.petri.co.il/delete_failed_dcs_from_ad.htm
Expert Comment

by:ChiefIT
By the way, for fixed IPs, make sure that you configure all NICs to recognize your current DNS servers as the preferred and alternate DNS server.

For DHCP clients, go into DHCP scope options by entering the DHCP snapin, and make sure the only recognized DNS servers are existing DNS servers. That will pass down the current DNS servers to these clients, and that means they will not look for your SBS server for DNS.

For your SBS server, make sure it is pointed to an existing DNS server for authentication. It sounds like it demoted gracefully and is currently a member server (POINTING TO ITSELF for authentication) for the authentication server.
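The checks ChiefIT lists in the two comments above (stale DNS records and the old server still advertised as a DC, leftover Sites and Services / FRS objects, NIC DNS settings, DHCP option 006, dcdiag /test:dns) can be run as a single read-only audit before touching ntdsutil or ADSI Edit. The script below is an added example and is not from the thread or from ChiefIT; the domain name corp.example.com, the old server name OLDSBS, its former IP 192.168.1.2 and the surviving DC name DC01 are assumptions, and it assumes it is run in an elevated PowerShell on the surviving DC, which also hosts DNS and DHCP. It only uses tools present on Windows Server 2008 R2 (nltest, dcdiag, dnscmd, netsh, WMI and ADSI) and changes nothing.

```powershell
# Added example, not from the thread. Read-only audit for leftover references to
# a force-removed DC. Run in an elevated PowerShell on the surviving DC, which is
# assumed to also be the DNS and DHCP server. All names below are assumptions.
param(
    [string]$Domain    = 'corp.example.com',  # assumed AD DNS domain name
    [string]$OldDc     = 'OLDSBS',            # assumed name of the force-removed SBS 2003 server
    [string]$OldDcIp   = '192.168.1.2',       # assumed former IP address of that server
    [string]$DnsServer = 'DC01'               # assumed surviving 2008 R2 DC / DNS server
)

$findings = New-Object System.Collections.ArrayList
function Add-Finding([string]$Area, [string]$Detail) {
    [void]$findings.Add(('{0,-20} {1}' -f $Area, $Detail))
}

# 1. Is the old server still advertised as a DC by the AD locator?
$dcList = nltest /dclist:$Domain 2>&1
if ($dcList -match $OldDc) { Add-Finding 'DC locator' "nltest /dclist still lists $OldDc" }

# 2. Stale DNS data: any A/NS/SRV record in the domain zone or the _msdcs zone
#    that still names the old server or its IP. These are what dcdiag chases
#    when it reports that it cannot contact another DC.
foreach ($zone in @($Domain, "_msdcs.$Domain")) {
    $zoneText = dnscmd $DnsServer /zoneprint $zone 2>&1
    $zoneText | Where-Object { $_ -match $OldDc -or $_ -match [regex]::Escape($OldDcIp) } |
        ForEach-Object { Add-Finding "DNS zone $zone" $_.Trim() }
}

# 3. AD metadata: the server object under Sites and Services, replication
#    connections that still pull from it, and the FRS member object for SYSVOL.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext
$domainNc = [string]$rootDse.defaultNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher

$searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNc"
$searcher.Filter = "(&(objectClass=server)(cn=$OldDc))"
foreach ($r in $searcher.FindAll()) { Add-Finding 'Sites & Services' "server object remains: $($r.Path)" }

$searcher.Filter = '(objectClass=nTDSConnection)'
foreach ($r in $searcher.FindAll()) {
    $from = [string]$r.Properties['fromserver'][0]
    if ($from -match "CN=$OldDc,") { Add-Finding 'Replication link' "connection pulls from $OldDc : $($r.Path)" }
}

$searcher.SearchRoot = [ADSI]"LDAP://CN=File Replication Service,CN=System,$domainNc"
$searcher.Filter = "(&(objectClass=nTFRSMember)(cn=$OldDc))"
foreach ($r in $searcher.FindAll()) { Add-Finding 'FRS metadata' "SYSVOL member object remains: $($r.Path)" }

# 4. This server's own NIC DNS settings: the old DC's IP must not be listed.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    if (@($_.DNSServerSearchOrder) -contains $OldDcIp) {
        Add-Finding 'NIC DNS' "$($_.Description) still uses $OldDcIp as a DNS server"
    }
}

# 5. DHCP option 006 (DNS servers) at server level and in every scope.
$scopeIds = netsh dhcp server show scope 2>&1 |
    ForEach-Object { if ($_ -match '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+-') { $Matches[1] } }
$optionOutputs = @{ 'server' = (netsh dhcp server show optionvalue 2>&1) }
foreach ($s in $scopeIds) { $optionOutputs["scope $s"] = (netsh dhcp server scope $s show optionvalue 2>&1) }
foreach ($k in @($optionOutputs.Keys)) {
    if (($optionOutputs[$k] -join "`n") -match [regex]::Escape($OldDcIp)) {
        Add-Finding 'DHCP option 006' "$k hands out $OldDcIp as a DNS server"
    }
}

# 6. dcdiag's own DNS test, reduced to its warning/failure lines.
dcdiag /test:dns /s:$DnsServer 2>&1 |
    Where-Object { $_ -match 'warning|fail|error' } |
    ForEach-Object { Add-Finding 'dcdiag /test:dns' $_.Trim() }

if ($findings.Count -eq 0) { 'No references to {0} ({1}) found.' -f $OldDc, $OldDcIp }
else { $findings | Sort-Object | Get-Unique }
```

Every line it prints is a place the old server is still referenced and, per the linked Petri article, needs to be removed (ntdsutil metadata cleanup for the NTDS objects, ADSI Edit for the leftover server and FRS member objects, the DNS console or dnscmd for records, the DHCP snap-in for option 006). Take a system state backup of the surviving DC before any of those deletions, and rerun the audit afterwards until it reports nothing.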