Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Errors after upgrading AD to 2008 R2

Posted on 2010-11-16
9
Medium Priority
?
1,061 Views
Last Modified: 2012-06-27
Yesterday I upgraded our schema and domain from 2003 to 2008 R2.  Both /forestprep and /domainprep completed without any errors, and everything appears to be working fine. However, I do have some new errors in the System log and Directory service log that I've never seen before that I'd like to resolve.

In the System log, it starts with four error events logged at the exact same time:

Service Control Manger ( Event ID 7022 ):
The Kerberos Key Distribution Center service hung on starting.

Service Control Manger ( Event ID 7001 ):
The HTTP SSL service depends on the IIS Admin Service service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Service Control Manger ( Event ID 7001 ):
The Simple Mail Transfer Protocol (SMTP) service depends on the IIS Admin Service service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Service Control Manger ( Event ID 7001 ):
The World Wide Web Publishing Service service depends on the IIS Admin Service service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Then about two minutes thereafter, the Directory Service logs this error:

NTDS Inter-site Messaging ( Event ID 1832 ):
The SMTP domain administrative namespace is not available at this time. Mail-based replication cannot be configured until this condition is corrected.
 
As a result, intersite replication using the SMTP transport between the local domain controller and all domain controllers in other sites will fail.
 
Replication using SMTP will be tried again later.
 
Additional Data
Error value:
80070422 The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

I believe the errors are related due to timing proximity, but I can't find anything on them (particularly the last one).  We are a small business with only two domain controllers... we are not doing any inter-site replication.

Generally everything seems to be working, but I would like to resolve these errors rather than just ignore them just in case.

Thanks for your insight.

0
Comment
Question by:bllarson
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
9 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34147598
What do you mean timing proximity?  Are the DCs within 5 minutes.  Do the erros appear on both DCs?

Is the IIS service starting

How does dcdiag look?

Thanks

Mike
0
 
LVL 2

Expert Comment

by:cranakis
ID: 34147733
The first four errors seem to be a result of IIS not running. When you installed the OS, what role did you setup the server to perform?  Also what are you using this sever for?
0
 
LVL 2

Expert Comment

by:cranakis
ID: 34147766
Also you might find the following article helpful:
http://technet.microsoft.com/en-us/library/cc431377.aspx
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 

Author Comment

by:bllarson
ID: 34147787
By timing proximity I mean that both times I have seen these errors, the four Service Control Manager errors in the System log occur shortly before the Directory Service error. (Just over 2 minutes and 30 seconds).  
Another important piece of information...  both times these errors occurred was just after the server was rebooted. (Sorry for leaving that out.)

The IIS service is *not* starting.  It is disabled. The server generating these errors is a DC (FSMO master), and a print server.  It has been running for several years in these roles. (Should IIS be enabled?)

The errors *are not* occurring on the other DC.

DCDIAG on both domain controllers results in %100 'passed test'.
0
 
LVL 2

Accepted Solution

by:
cranakis earned 1500 total points
ID: 34147824
No you dont need IIS running on a print server.  Probably during setup Windows got the idea that the box would be doing more than just print serving.  You can just ignore the errors, they wont affect you.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34147903
DCDIAG on both domain controllers results in %100 'passed test'.

...that is very good to hear :)
0
 

Author Comment

by:bllarson
ID: 34147990
Yea... as I said, everything *looks* OK operationally.  I just don't like new errors I've never seen before; particularly after a schema upgrade. I like nice clean logs.

So (just rephrasing to make sure I'm understanding cranakis), you're asserting that if I turned on IIS these errors would go away? And that given I don't need IIS on this sever, I can write these off as idiot-lights?  
0
 
LVL 2

Expert Comment

by:cranakis
ID: 34148125
That is correct.  You do not need IIS for print serving.
0
 

Author Closing Comment

by:bllarson
ID: 34148253
I guess that good enough.

Ideally, I would have liked to make an adjustment so the errors don't occur at all.
0

Featured Post

Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question