zequestioner
HELP!! Exchange 2010 won't load after transferring remaining DC Roles
HELP!! Exchange 2010 won't load after transferring remaining DC Roles from SBS 2003 to a new Server 2008 R2 DC. Exchange runs on a separate box and is giving the following error.
Exchange2010.jpg
did you amend/transfer all of the DNS too?
ASKER
yes, i changed the soa's and all others that i could find. is there a record for the global catalog server?
to be honest if you haven't already fully configured your exchange installation - re-install it. Looks like exchange doesn't recognize the machine it's installed on and it may just be down to failure to contact AD server via DNS. Just something quick to keep your fingers busy!
ASKER
btw, on step 13, i turned off the global catalog on the sbs, so now there's only 1, which is the new DC. The part where it bombed out was when i was uninstalling active directory, and DID NOT check the box that said it was the last.. then it said it couldn't contact the domain. Which box do I run the final dcpromo from? sbs or the new dc? per the instructions in the link, it's not very clear.
There is but first things first.
Is the 2008 DC a DNS server and does the Exchange server point to it as its DNS?
You would dcpromo on the SBS box to remove the domain controller role. It isn't the last DC so you shouldn't tick that box. it will then become a domain member.
in the Microsoft document the author didn't mention any other references when talking about removing GC reference so we can assume that it's merely a case of removing the role from one server and enabling it for your exchange server:
Active Directory Sites and Services
http://support.microsoft.com/kb/313994
Also try running the following from a command prompt on your exchange server
dcdiag /s:<your dc> and let us know what the outcome is.
ASKER
On that step, GC was already enabled on the new DC, i simply 'unchecked ' the GC for SBS.
since exchange and GC are on different machines it may be worth putting an exception in your exchange firewall for:
"As a general rule of thumb, you should have a global catalog server in any AD site containing an application that requires extensive use of port number 3268 (the global catalog lookup port). Since Exchange Server is such an application, you want a global catalog server in any site that it resides. "
ASKER
dc diag
Directory Server Diagnosis
Performing initial setup:
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\BRAINSTATE8
Starting test: Connectivity
......................... BRAINSTATE8 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\BRAINSTATE8
Starting test: Advertising
Warning: DsGetDcName returned information for
\\brainstate1.brainstate.local, when we were trying to reach
BRAINSTATE8.
SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
......................... BRAINSTATE8 failed test Advertising
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... BRAINSTATE8 passed test FrsEvent
Starting test: DFSREvent
......................... BRAINSTATE8 passed test DFSREvent
Starting test: SysVolCheck
......................... BRAINSTATE8 passed test SysVolCheck
Starting test: KccEvent
A warning event occurred. EventID: 0x80000B46
Time Generated: 04/04/2011 08:49:00
Event String:
The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
A warning event occurred. EventID: 0x80000828
Time Generated: 04/04/2011 08:49:06
Event String:
Active Directory Domain Services could not use DNS to resolve the IP address of the source domain controller listed below. To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory Domain Services successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller.
A warning event occurred. EventID: 0x8000082C
Time Generated: 04/04/2011 08:50:00
Event String:
......................... BRAINSTATE8 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... BRAINSTATE8 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... BRAINSTATE8 passed test MachineAccount
Starting test: NCSecDesc
......................... BRAINSTATE8 passed test NCSecDesc
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\BRAINSTATE8\netlogon)
[BRAINSTATE8] An net use or LsaPolicy operation failed with error 67,
The network name cannot be found..
......................... BRAINSTATE8 failed test NetLogons
Starting test: ObjectsReplicated
......................... BRAINSTATE8 passed test ObjectsReplicated
Starting test: Replications
[Replications Check,BRAINSTATE8] A recent replication attempt failed:
From BRAINSTATE1 to BRAINSTATE8
Naming Context: CN=Schema,CN=Configuration,DC=brainstate,DC=local
The replication generated an error (1908):
Could not find the domain controller for this domain.
The failure occurred at 2011-04-04 08:52:56.
The last success occurred at 2011-04-04 08:26:08.
1 failures have occurred since the last success.
Kerberos Error.
A KDC was not found to authenticate the call.
Check that sufficient domain controllers are available.
[Replications Check,BRAINSTATE8] A recent replication attempt failed:
From BRAINSTATE1 to BRAINSTATE8
Naming Context: CN=Configuration,DC=brainstate,DC=local
The replication generated an error (1908):
Could not find the domain controller for this domain.
The failure occurred at 2011-04-04 08:51:43.
The last success occurred at 2011-04-04 08:26:08.
1 failures have occurred since the last success.
Kerberos Error.
A KDC was not found to authenticate the call.
Check that sufficient domain controllers are available.
......................... BRAINSTATE8 failed test Replications
Starting test: RidManager
......................... BRAINSTATE8 passed test RidManager
Starting test: Services
......................... BRAINSTATE8 passed test Services
Starting test: SystemLog
An error event occurred. EventID: 0x00000457
Time Generated: 04/04/2011 08:23:45
Event String:
Driver Snagit 10 Printer required for printer Snagit 10 is unknown. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 04/04/2011 08:23:45
Event String:
Driver Dell Color Laser 5110cn PCL6 required for printer !!brainstate2!BST5110_106-PCL6 is unknown. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 04/04/2011 08:23:46
Event String:
Driver Dell MFP Laser 3115cn PS required for printer !!brainstate2!FrontDesk106-PCL6 is unknown. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 04/04/2011 08:23:46
Event String:
Driver WebEx Document Loader required for printer WebEx Document Loader is unknown. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 04/04/2011 08:23:47
Event String:
Driver Snagit 9 Printer required for printer Snagit 9 is unknown. Contact the administrator to install the driver before you log in again.
A warning event occurred. EventID: 0x8000001D
Time Generated: 04/04/2011 08:25:30
Event String:
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
An error event occurred. EventID: 0xC2000001
Time Generated: 04/04/2011 08:26:09
Event String: Unexpected failure. Error code: 490@01010004
A warning event occurred. EventID: 0x00000090
Time Generated: 04/04/2011 08:26:24
Event String:
The time service has stopped advertising as a good time source.
An error event occurred. EventID: 0x00000457
Time Generated: 04/04/2011 08:28:12
Event String:
Driver WebEx Document Loader required for printer WebEx Document Loader is unknown. Contact the administrator to install the driver before you log in again.
A warning event occurred. EventID: 0x000727AA
Time Generated: 04/04/2011 08:28:12
Event String:
The WinRM service failed to create the following SPNs: WSMAN/Brainstate8.brainstate.local; WSMAN/Brainstate8.
An error event occurred. EventID: 0x00000457
Time Generated: 04/04/2011 08:28:12
Event String:
Driver Dell Color Laser 5110cn PCL6 required for printer !!brainstate2!BST5110_106-PCL6 is unknown. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 04/04/2011 08:28:13
Event String:
Driver Snagit 9 Printer required for printer Snagit 9 is unknown. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 04/04/2011 08:28:16
Event String:
Driver Snagit 10 Printer required for printer Snagit 10 is unknown. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 04/04/2011 08:28:17
Event String:
Driver Dell MFP Laser 3115cn PS required for printer !!brainstate2!FrontDesk106-PCL6 is unknown. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x0000041E
Time Generated: 04/04/2011 08:32:37
Event String:
The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
An error event occurred. EventID: 0x0000041E
Time Generated: 04/04/2011 08:38:13
Event String:
The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
A warning event occurred. EventID: 0x000003F6
Time Generated: 04/04/2011 08:41:24
Event String:
Name resolution for the name _msdcs.brainstate.local timed out after none of the configured DNS servers responded.
A warning event occurred. EventID: 0x000003F6
Time Generated: 04/04/2011 08:41:37
Event String:
Name resolution for the name dns.msftncsi.com timed out after none of the configured DNS servers responded.
An error event occurred. EventID: 0x00000422
Time Generated: 04/04/2011 08:43:37
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\brainstate.local\SysVol\brainstate.local\Policies\{7CF1D96A-5226-4A83-AC66-B0EC4C90213E}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
A warning event occurred. EventID: 0x8000001D
Time Generated: 04/04/2011 08:48:52
Event String:
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
A warning event occurred. EventID: 0x000003F6
Time Generated: 04/04/2011 08:49:21
Event String:
Name resolution for the name _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.BRAINSTATE.LOCAL timed out after none of the configured DNS servers responded.
An error event occurred. EventID: 0xC00038D6
Time Generated: 04/04/2011 08:49:23
Event String:
The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
A warning event occurred. EventID: 0x000003F6
Time Generated: 04/04/2011 08:49:42
Event String:
Name resolution for the name brainstate.local timed out after none of the configured DNS servers responded.
An error event occurred. EventID: 0xC00038D6
Time Generated: 04/04/2011 08:49:50
Event String:
The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
An error event occurred. EventID: 0xC2000001
Time Generated: 04/04/2011 08:50:10
Event String: Unexpected failure. Error code: 490@01010004
An error event occurred. EventID: 0xC00038D6
Time Generated: 04/04/2011 08:50:17
Event String:
The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
A warning event occurred. EventID: 0x00000086
Time Generated: 04/04/2011 08:50:21
Event String:
NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on ''. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The requested name is valid, but no data of the requested type was found. (0x80072AFC)
An error event occurred. EventID: 0xC00038D6
Time Generated: 04/04/2011 08:50:44
Event String:
The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
An error event occurred. EventID: 0xC00038D6
Time Generated: 04/04/2011 08:51:11
Event String:
The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
An error event occurred. EventID: 0xC00038D6
Time Generated: 04/04/2011 08:51:38
Event String:
The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
An error event occurred. EventID: 0xC00038D6
Time Generated: 04/04/2011 08:52:05
Event String:
The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
A warning event occurred. EventID: 0x000727AA
Time Generated: 04/04/2011 08:52:22
Event String:
The WinRM service failed to create the following SPNs: WSMAN/Brainstate8.brainstate.local; WSMAN/Brainstate8.
An error event occurred. EventID: 0xC00038D6
Time Generated: 04/04/2011 08:52:32
Event String:
The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
An error event occurred. EventID: 0xC00038D6
Time Generated: 04/04/2011 08:52:59
Event String:
The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
An error event occurred. EventID: 0xC00038D6
Time Generated: 04/04/2011 08:53:26
Event String:
The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
An error event occurred. EventID: 0xC00038D6
Time Generated: 04/04/2011 08:53:53
Event String:
The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
A warning event occurred. EventID: 0x00001695
Time Generated: 04/04/2011 08:54:06
Event String:
Dynamic registration or deletion of one or more DNS records associated with DNS domain 'brainstate.local.' failed. These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).
An error event occurred. EventID: 0x0000168E
Time Generated: 04/04/2011 08:56:34
Event String:
The dynamic registration of the DNS record 'gc._msdcs.brainstate.local. 600 IN A 192.168.204.8' failed on the following DNS server:
A warning event occurred. EventID: 0x00001695
Time Generated: 04/04/2011 08:56:34
Event String:
Dynamic registration or deletion of one or more DNS records associated with DNS domain 'brainstate.local.' failed. These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).
A warning event occurred. EventID: 0x00001695
Time Generated: 04/04/2011 08:56:34
Event String:
Dynamic registration or deletion of one or more DNS records associated with DNS domain 'DomainDnsZones.brainstate.local.' failed. These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).
A warning event occurred. EventID: 0x00001695
Time Generated: 04/04/2011 08:56:34
Event String:
Dynamic registration or deletion of one or more DNS records associated with DNS domain 'ForestDnsZones.brainstate.local.' failed. These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).
An error event occurred. EventID: 0x00000457
Time Generated: 04/04/2011 08:58:02
Event String:
Driver WebEx Document Loader required for printer WebEx Document Loader is unknown. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 04/04/2011 08:58:03
Event String:
Driver Dell Color Laser 5110cn PCL6 required for printer !!brainstate2!BST5110_106-PCL6 is unknown. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 04/04/2011 08:58:03
Event String:
Driver Dell MFP Laser 3115cn PS required for printer !!brainstate2!FrontDesk106-PCL6 is unknown. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 04/04/2011 08:58:08
Event String:
Driver Snagit 10 Printer required for printer Snagit 10 is unknown. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 04/04/2011 08:58:08
Event String:
Driver Snagit 9 Printer required for printer Snagit 9 is unknown. Contact the administrator to install the driver before you log in again.
......................... BRAINSTATE8 failed test SystemLog
Starting test: VerifyReferences
......................... BRAINSTATE8 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : brainstate
Starting test: CheckSDRefDom
......................... brainstate passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... brainstate passed test CrossRefValidation
Running enterprise tests on : brainstate.local
Starting test: LocatorCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
......................... brainstate.local failed test LocatorCheck
Starting test: Intersite
......................... brainstate.local passed test Intersite
ASKER
I really need to get this fixed asap as it's business hours now... is there any harm in re-enabling the Global Catalog on the SBS box?
ASKER
To answer the earlier question, yes exchange dns is pointing to the new DC which is also a DNS server.
ok question did you run this on your DC or exchange? Either way you have DNS problems and also if you ran this on DC it doesn't know it has GC role. Either run diag on DC (if this isn't DC) just to verify knows GC role holder - I know you said it was already enabled but check again just to be sure :)
there is no harm short term in having GC on SBS box but the amount of potential traffic could be harmful long term when it comes to replication (I'm paraphrasing here btw)
it looks like the DC isn't running as a DC at the moment as it can't connect to the Netlogon share. is netlogon running on the DC?
As for enabling the GC on the SBS server - if you have DCpromo'd it down - you can't make a non DC a GC.
SHARE-IT good point on demoted server!
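The triage the replies above do by eye on the posted dcdiag output, as an added example that is not part of the original thread: a small Python parser that lists the failed tests and pulls out the DNS and locator errors. The function names and the wording of the findings are assumptions of this example; the sample is a shortened excerpt of the output posted above.

```python
import re

# Excerpt assembled from the first dcdiag output posted in this thread and
# shortened; the wrapped "passed test" line is kept the way it was posted.
SAMPLE = r"""
Testing server: Default-First-Site-Name\BRAINSTATE8
Starting test: Advertising
Warning: DsGetDcName returned information for
\\brainstate1.brainstate.local, when we were trying to reach
BRAINSTATE8.
SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
......................... BRAINSTATE8 failed test Advertising
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\BRAINSTATE8\netlogon)
......................... BRAINSTATE8 failed test NetLogons
Starting test: Replications
The replication generated an error (1908):
Could not find the domain controller for this domain.
......................... BRAINSTATE8 failed test Replications
Starting test: SystemLog
Name resolution for the name _msdcs.brainstate.local timed out after none of the configured DNS servers responded.
Name resolution for the name brainstate.local timed out after none of the configured DNS servers responded.
The dynamic registration of the DNS record 'gc._msdcs.brainstate.local. 600 IN A 192.168.204.8' failed on the following DNS server:
......................... BRAINSTATE8 failed test SystemLog
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running enterprise tests on : brainstate.local
Starting test: LocatorCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
......................... brainstate.local failed test LocatorCheck
"""

RESULT = re.compile(r"^\.{5,}\s+(\S+)\s+(passed|failed)\s+test(?:\s+(\S+))?$")
DNS_TIMEOUT = re.compile(r"Name resolution for the name (\S+) timed out")
DNS_REGISTER = re.compile(r"registration of the DNS record '(\S+)")
LOCATOR = re.compile(r"D[cs]GetDcName\((\w+)\) call failed, error (\d+)")
REPLICATION = re.compile(r"The replication generated an error \((\d+)\)")


def parse_dcdiag(text):
    """Collect per-test results and the DNS/locator errors from dcdiag text."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    report = {"passed": [], "failed": [], "dns_timeouts": [],
              "dns_registration_failures": [], "locator_errors": [],
              "replication_errors": []}

    def add_once(key, value):
        if value not in report[key]:
            report[key].append(value)

    i = 0
    while i < len(lines):
        line = lines[i]
        m = RESULT.match(line)
        if m:
            subject, outcome, test = m.groups()
            # dcdiag wraps long result lines: the test name may sit on the next line.
            if test is None and i + 1 < len(lines) and re.fullmatch(r"\w+", lines[i + 1]):
                i += 1
                test = lines[i]
            report[outcome].append((subject, test or "unknown"))
        m = DNS_TIMEOUT.search(line)
        if m:
            add_once("dns_timeouts", m.group(1).rstrip("."))
        m = DNS_REGISTER.search(line)
        if m:
            add_once("dns_registration_failures", m.group(1).rstrip("."))
        m = LOCATOR.search(line)
        if m:
            add_once("locator_errors", (m.group(1), int(m.group(2))))
        m = REPLICATION.search(line)
        if m:
            add_once("replication_errors", int(m.group(1)))
        i += 1
    return report


def findings(report):
    """Turn the parsed report into short findings (heuristic, example wording)."""
    out = []
    failed_tests = {test for _, test in report["failed"]}
    if any(flag == "GC_SERVER_REQUIRED" for flag, _ in report["locator_errors"]):
        out.append("no global catalog could be located")
    if failed_tests & {"Advertising", "NetLogons"}:
        out.append("DC is not advertising or its NETLOGON share is unreachable")
    names = [n for n in report["dns_timeouts"] if "_msdcs" in n.lower()]
    names += report["dns_registration_failures"]
    if names:
        out.append("DC locator DNS records failing: " + ", ".join(names))
    return out


if __name__ == "__main__":
    parsed = parse_dcdiag(SAMPLE)
    for subject, test in parsed["failed"]:
        print("FAILED", subject, test)
    for item in findings(parsed):
        print("->", item)
```
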
whilst googling this:
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
I found this:
http://support.microsoft.com/kb/839879
might help?
Just checking - is the new DC pointing to itself for DNS resolution?
Basically everything should point to the new DC server for name resolution.
It looks like DNS issues but at this point it could be dozens of things. Are there any relevant events in the eventlog on the DC?
ASKER
above instruction said to run this on the exchange server so that's what i did. I double verified this already.... for now, i have re-enabled GC on the SBS box, rebooted the new DC, then rebooted Exchange, and now we are able to send emails...
What do I need to do to make sure I can disable GC from SBS and not break exchange?
Glad you got it working.
so your SBS server is still a DC?
You need to ensure that DNS is fully functional on the new DC and that all systems are pointing to it for DNS. You also need to double check that it is a GC.
Then switch off your SBS servers and make sure everything still works.
Then do a DCPromo on the SBS server not exchange.
ASKER
We can send.....but my Barracuda Spam filter says it is refusing to accept connections... WTH?
ASKER
Cool. thanks for the help. I will make sure everything is pointing to the new DC, double verify GC, disable GC on SBS, then run DC Promo on SBS.
Any ideas why exchange would be refusing connections now?
still sounds like DNS.
Can you rerun the DCdiag and post again?
What does spam filter point to for DNS?
ASKER
it points to outside dns servers and does not use dns to resolve the mail server.
I get 192.168.x.x - connection refused.
If I use telnet from my desktop and point to the exchange server it does not open a connection.
telnet ExchangeIP 25 ..... times out.
ASKER
No firewall is turned on in the exchange box.
do you have mcafee on your desktop? It closes port 25.
so is your Barracuda a hardware based solution? (not familiar with Barracuda).
Can you try to telnet from your exchange box to the spam filter?
if it accepts the connection, send a mail via telnet from your hub server..
helo
mail from: you:yourdomain.com
rcpt to: you@gmail.com
data
subject: my test
bla blah b;ah
.
quit
sorry...
mail from: you@yourdomain.com
ASKER
For some reason the Microsoft Exchange Transport service had crashed and was 'stopped'. Turned it back on and we are now able to send email, however, there are now messages in the outbound queue stating 'Message EXCHSVR\Unreachable\67xx cannot be routed to 1 recipients.
Unreachable queue on server EXCHSVR has more than one entry.
ASKER
for some reason, the existing send connector that we've had all along just didn't seem to be working. also would not let me change the authentication to 'none' - so I created a new send connector with 'no' authentication and configured the barracuda to allow relay from exchange. All seems to be working now, what a hell of a morning.
where are they sending to? the old exchange server?
oops - didn't refresh before posting. :(
So - now it's all working, just remember that before you demote the original SBS server, be sure to switch it off BEFORE demoting to ensure all is well. if, after a few hours, even a day or 2, it's all good - then demote it.
Go grab a coffee to celebrate! :)
you'll have to switch it back on before you actually run the dcpromo demotion obviously.
ASKER
ok, so you're saying as a test run... simply shutdown the sbs server and see if things work or break. Fix anything that breaks as we should now be able to operate independently of SBS. Then, follow the instructions for removing it. (Unchecking/Disabling Global Catalog on SBS, running dcpromo, shutting it down.) Then relax and have a homebrew.
ASKER
PS, is there a time limit for removing sbs from the network? Is it OK if I wait until the weekend to do these things?
ASKER
CRAP!
So, I've transferred all 5 FSMO roles, etc. but couldn't get the sbs box to allow dcpromo to complete. It kept saying it could not find the other domain. Even though I could ping domain.local and get replies from the new DC. So, i used the dcpromo /force command and now I can't log into any other computers b/c it says it cannot contact the domain controller. All dns records are pointing at the new DC. I am wondering if I need to be patient and allow dns to propagate, etc. but It's a small network. Here's a DC diag from the new DC - I went ahead and turned off the sbs box, since the forced dcpromo removed AD, it is no longer a domain controller or a member of the domain. I can connect to AD on the new box, but i have to specifically tell it to 'connect to a domain controller' before it shows me the site info. Exchange will not connect to AD now either. Any help would be greatly appreciated.
Directory Server Diagnosis
Performing initial setup:
* Identified AD Forest.
Ldap search capabality attribute search failed on server BRAINSTATE1, return
value = 81
Got error while checking if the DC is using FRS or DFSR. Error:
Win32 Error 81The VerifyReferences, FrsEvent and DfsrEvent tests might fail
because of this error.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\BRAINSTATE8
Starting test: Connectivity
......................... BRAINSTATE8 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\BRAINSTATE8
Starting test: Advertising
......................... BRAINSTATE8 passed test Advertising
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... BRAINSTATE8 passed test FrsEvent
Starting test: DFSREvent
......................... BRAINSTATE8 passed test DFSREvent
Starting test: SysVolCheck
......................... BRAINSTATE8 passed test SysVolCheck
Starting test: KccEvent
......................... BRAINSTATE8 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... BRAINSTATE8 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... BRAINSTATE8 passed test MachineAccount
Starting test: NCSecDesc
......................... BRAINSTATE8 passed test NCSecDesc
Starting test: NetLogons
......................... BRAINSTATE8 passed test NetLogons
Starting test: ObjectsReplicated
......................... BRAINSTATE8 passed test ObjectsReplicated
Starting test: Replications
[Replications Check,BRAINSTATE8] A recent replication attempt failed:
From BRAINSTATE1 to BRAINSTATE8
Naming Context: DC=ForestDnsZones,DC=brainstate,DC=local
The replication generated an error (1256):
The remote system is not available. For information about network troubleshooting, see Windows Help.
The failure occurred at 2011-04-10 01:48:51.
The last success occurred at 2011-04-10 00:48:51.
1 failures have occurred since the last success.
[BRAINSTATE1] DsBindWithSpnEx() failed with error 1722,
The RPC server is unavailable..
[Replications Check,BRAINSTATE8] A recent replication attempt failed:
From BRAINSTATE1 to BRAINSTATE8
Naming Context: DC=DomainDnsZones,DC=brainstate,DC=local
The replication generated an error (1256):
The remote system is not available. For information about network troubleshooting, see Windows Help.
The failure occurred at 2011-04-10 01:48:51.
The last success occurred at 2011-04-10 01:02:34.
1 failures have occurred since the last success.
[Replications Check,BRAINSTATE8] A recent replication attempt failed:
From BRAINSTATE1 to BRAINSTATE8
Naming Context: CN=Schema,CN=Configuration,DC=brainstate,DC=local
The replication generated an error (1753):
There are no more endpoints available from the endpoint mapper.
The failure occurred at 2011-04-10 01:48:51.
The last success occurred at 2011-04-10 00:48:51.
1 failures have occurred since the last success.
The directory on BRAINSTATE1 is in the process.
of starting up or shutting down, and is not available.
Verify machine is not hung during boot.
[Replications Check,BRAINSTATE8] A recent replication attempt failed:
From BRAINSTATE1 to BRAINSTATE8
Naming Context: CN=Configuration,DC=brainstate,DC=local
The replication generated an error (1753):
There are no more endpoints available from the endpoint mapper.
The failure occurred at 2011-04-10 01:48:51.
The last success occurred at 2011-04-10 00:48:51.
1 failures have occurred since the last success.
The directory on BRAINSTATE1 is in the process.
of starting up or shutting down, and is not available.
Verify machine is not hung during boot.
[Replications Check,BRAINSTATE8] A recent replication attempt failed:
From BRAINSTATE1 to BRAINSTATE8
Naming Context: DC=brainstate,DC=local
The replication generated an error (1753):
There are no more endpoints available from the endpoint mapper.
The failure occurred at 2011-04-10 01:48:51.
The last success occurred at 2011-04-10 01:16:51.
1 failures have occurred since the last success.
The directory on BRAINSTATE1 is in the process.
of starting up or shutting down, and is not available.
Verify machine is not hung during boot.
......................... BRAINSTATE8 failed test Replications
Starting test: RidManager
......................... BRAINSTATE8 passed test RidManager
Starting test: Services
......................... BRAINSTATE8 passed test Services
Starting test: SystemLog
An error event occurred. EventID: 0x0000041E
Time Generated: 04/10/2011 01:36:10
Event String:
The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
An error event occurred. EventID: 0x0000041E
Time Generated: 04/10/2011 01:41:12
Event String:
The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
An error event occurred. EventID: 0x0000041E
Time Generated: 04/10/2011 01:46:14
Event String:
The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
An error event occurred. EventID: 0x0000041E
Time Generated: 04/10/2011 01:51:16
Event String:
The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
An error event occurred. EventID: 0x0000041E
Time Generated: 04/10/2011 01:56:19
Event String:
The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
An error event occurred. EventID: 0x0000041E
Time Generated: 04/10/2011 02:01:21
Event String:
The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
An error event occurred. EventID: 0x0000041E
Time Generated: 04/10/2011 02:06:22
Event String:
The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
An error event occurred. EventID: 0x00000422
Time Generated: 04/10/2011 02:11:23
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\brainstate.local\SysVol\brainstate.local\Policies\{7CF1D96A-5226-4A83-AC66-B0EC4C90213E}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 04/10/2011 02:16:23
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\brainstate.local\SysVol\brainstate.local\Policies\{7CF1D96A-5226-4A83-AC66-B0EC4C90213E}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 04/10/2011 02:21:24
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\brainstate.local\SysVol\brainstate.local\Policies\{7CF1D96A-5226-4A83-AC66-B0EC4C90213E}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 04/10/2011 02:26:24
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\brainstate.local\SysVol\brainstate.local\Policies\{7CF1D96A-5226-4A83-AC66-B0EC4C90213E}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 04/10/2011 02:31:25
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\brainstate.local\SysVol\brainstate.local\Policies\{7CF1D96A-5226-4A83-AC66-B0EC4C90213E}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
......................... BRAINSTATE8 failed test SystemLog
Starting test: VerifyReferences
......................... BRAINSTATE8 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : brainstate
Starting test: CheckSDRefDom
......................... brainstate passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... brainstate passed test CrossRefValidation
Running enterprise tests on : brainstate.local
Starting test: LocatorCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
But when I look under the main site, and tcp, I see the GC record for the new domain controller. I deleted the one for the old one too.
The diagnostic still shows replication attempts with your now offline SBS box; you need to remove those links.
/administration tools/active directory sites and services/sites/default first site/servers/server name/ntds
Whilst there you can verify the global catalogue role is enabled for "Brainstates".
The diag did not show any problem with the roles, so it may be a case of needing to run metadata cleanup.
I know it has been mentioned before, but under pressure and stress it's easy to miss things, so double check primary DNS on your DC IS itself. For the purpose of testing, turn off all your firewall services on your Exchange box and your DC. You may need to add many exceptions to your DC to allow proper functionality - you can prove this by simply turning off Windows Firewall.
If you need help with creating custom exceptions let me know.
Again, go through DNS and clean up references to your SBS box.
The good news is things generally look healthy.
Things to do...
1. Go into Active Directory Sites & Services and double check that BRAINSTATES8 is definitely a GC. This can be seen by expanding Default-first-site-name and clicking on servers.
2. Check that the GC records in DNS do actually point to the right server names and that those names point to the right ip addresses.
3. Whilst in there, see if BRAINSTATES1 is still in there as a DC/GC
4. Assuming that BRAINSTATES8 is the ONLY DC/DNS server on the network, make sure that all PCs, Servers, etc, point to it for DNS.
5. Disable the firewall on the DC (we can make exceptions later if necessary)
6. Run dcdiag from the exchange server pointing to the dc "DCDIAG /S:BRAINSTATES8" see if all is well.
7. As you had to do a forced dcpromo, there will still be references to that server in the Directory so you will need to do a metadata cleanup. It's simple enough but make sure you read through properly and understand as you can do considerable damage if you do it wrong. Make sure you have a system state backup of the DC. Here's a nice, easy to follow guide to get rid of that old DC once and for all...
http://www.petri.co.il/delete_failed_dcs_from_ad.htm
Let me know how you get on.
ah great minds thinking alike :)
Indeed! :)
Oh and I've been meaning to say, if BRAINSTATES8 is the ONLY DC, make another one ASAP!
ASKER
After an expensive call with Microsoft they discovered that our domain controller had stopped advertising itself as a domain controller. It advertised GC and other roles, but not DC (and was the only DC in the domain). Once this was fixed, everything else followed suit.
Son of a b*tch! I just checked your DC diag post and yes:
Starting test: Advertising
Warning: DsGetDcName returned information for
\\brainstate1.brainstate.local, when we were trying to reach
BRAINSTATE8.
SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
......................... BRAINSTATE8 failed test Advertising
Sorry dude it was right there in the first line it didn't even click :(
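A reader's aid for dcdiag output like the runs posted in this thread, added here as an example and not part of any poster's reply: it pulls out failed tests, replication error codes and locator warnings first, and copes with test names that wrap onto the next line. The sample text is constructed from lines quoted in the thread; `summarize` and the pattern names are hypothetical.

```python
import re

# Constructed sample: lines copied from the dcdiag output quoted in this thread,
# trimmed and joined into one excerpt for the example.
SAMPLE = r"""
Testing server: Default-First-Site-Name\BRAINSTATE8
Starting test: Advertising
Warning: DsGetDcName returned information for
\\brainstate1.brainstate.local, when we were trying to reach
BRAINSTATE8.
SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
......................... BRAINSTATE8 failed test Advertising
Starting test: Replications
[Replications Check,BRAINSTATE8] A recent replication attempt failed:
From BRAINSTATE1 to BRAINSTATE8
Naming Context: DC=brainstate,DC=local
The replication generated an error (1753):
There are no more endpoints available from the endpoint mapper.
......................... BRAINSTATE8 failed test Replications
Starting test: RidManager
......................... BRAINSTATE8 passed test RidManager
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Starting test: LocatorCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
"""

RESULT = re.compile(r"\.{5,}\s*(\S+)\s+(passed|failed)\s+test\s+(\w+)")
REPL = re.compile(r"From (\S+) to (\S+)\s+Naming Context: (\S+)\s+"
                  r"The replication generated an error \((\d+)\)")
WRONG_DC = re.compile(r"DsGetDcName returned information for\s+\\\\([\w.-]+),"
                      r"\s+when we were trying to reach\s+([\w-]+)")
LOCATOR = re.compile(r"DcGetDcName\((\w+)\) call failed, error (\d+)")

def summarize(text):
    """Return the findings worth reading first in a dcdiag run."""
    results = RESULT.findall(text)
    return {
        "failed": [(target, test) for target, status, test in results if status == "failed"],
        "passed_count": sum(1 for _, status, _ in results if status == "passed"),
        "replication": [
            {"source": s, "dest": d, "nc": nc, "error": int(code)}
            for s, d, nc, code in REPL.findall(text)
        ],
        "locator_mismatch": WRONG_DC.findall(text),  # (DC returned, DC targeted)
        "locator_failures": [(flag, int(code)) for flag, code in LOCATOR.findall(text)],
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```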
ASKER
Got a message for being abandoned... tons of great info here, but I'll let EE decide who gets points.
ASKER
https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2881-Migrate-Small-Business-Server-2003-to-Exchange-2010-and-Windows-2008-R2.html
Everything went perfectly until I got to step 13. Will you please confirm that this step should be run on the SBS box or on the new DC?