Installing SP3 on Exchange 2010 LDP error

I have a 2010 Exchange server on a 2008 R2 domain controller (DBXDC02.dbx.local). I have recently introduced a 2012 domain controller (DBXDC03.dbx.local) with the intention of migrating Exchange from 2010 to 2013 on the new DC. The prerequisite before migrating is to have Exchange 2010 at SP3 level. As mine is not, I have tried to upgrade but came across the following error when running the installer:

Setup encountered a problem while validating the state of Active Directory: An active Directory error 0x51 occurred when trying to check the suitability of server 'DBXDC03.dbx.local.' Error: 'Active directory response: The LDAP server is unavailable.'

This error appears when checking the prerequisites and is seen under the "Organization Prerequisites", the "Hub Transport Role Prerequisites", the "Client Access Role Prerequisites" and the "Mailbox Role Prerequisites".
DATABAXAsked:

Ahmed786Commented:
You may check this link as this type of error was discussed in this forum.
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_28089243.html
0
DATABAXAuthor Commented:
Thanks Ahmed, I have followed the instructions here but can't telnet on 3268. I have opened the port on the firewall on both DCs but no joy. Port 389 works fine. Any ideas?
0
Sushil SonawaneCommented:
Demote your 2012 AD server, then try to install Exchange Server SP3. After installing SP3, promote the Windows Server 2012 machine as a domain controller again.
0
DATABAXAuthor Commented:
That seems a bit harsh, surely there's an easier way than that.
0
Ahmed786Commented:
Start the local Windows Firewall service, go to the firewall configuration and add exceptions for the GC ports.

Then run netstat -a and PortQry UI on the DC and check whether 3268 is listening or not.

You may want to check if you are locally filtering out that port or if any third-party service is blocking it. Running msconfig and stopping all third-party services may help.

You may also try this: get out a network sniffer to locate the network problem, then try to connect to 3268 and look to see what is returned.

You may check this article:

http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx

What do you get with the commands below?

Open cmd and type dcdiag /s:DCName >>DC.txt and then run netdiag /v >>net.txt. Is everything showing as normal there?
0
DATABAXAuthor Commented:
Hi Ahmed, we can clearly see 3268 is not listening from the netstat -a command:

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:88             DBXDC03:0              LISTENING
  TCP    0.0.0.0:135            DBXDC03:0              LISTENING
  TCP    0.0.0.0:389            DBXDC03:0              LISTENING
  TCP    0.0.0.0:445            DBXDC03:0              LISTENING
  TCP    0.0.0.0:464            DBXDC03:0              LISTENING
  TCP    0.0.0.0:593            DBXDC03:0              LISTENING
  TCP    0.0.0.0:636            DBXDC03:0              LISTENING
  TCP    0.0.0.0:3389           DBXDC03:0              LISTENING
  TCP    0.0.0.0:5985           DBXDC03:0              LISTENING
  TCP    0.0.0.0:9389           DBXDC03:0              LISTENING
  TCP    0.0.0.0:47001          DBXDC03:0              LISTENING
  TCP    0.0.0.0:49152          DBXDC03:0              LISTENING
  TCP    0.0.0.0:49153          DBXDC03:0              LISTENING
  TCP    0.0.0.0:49154          DBXDC03:0              LISTENING
  TCP    0.0.0.0:49155          DBXDC03:0              LISTENING
  TCP    0.0.0.0:49166          DBXDC03:0              LISTENING
  TCP    0.0.0.0:49167          DBXDC03:0              LISTENING
  TCP    0.0.0.0:52486          DBXDC03:0              LISTENING
  TCP    0.0.0.0:54692          DBXDC03:0              LISTENING

I proceeded to disable all third party services and rebooted. No difference, so I may need to go down the sniffer route. I'll let you know how I get on.
0
DATABAXAuthor Commented:
Here is the output from dcdiag /s:DCName >>DC.txt
It seems very misleading as the DNS server clearly states the server name with its associated IP address. I can even ping the DC by name from the 2008 machine.


Directory Server Diagnosis


Performing initial setup:

   Ldap search capability attribute search failed on server DCName, return

   value = 81
   The host DCName could not be resolved to an IP address. Check the DNS

   server, DHCP, server name, etc.
0
Ahmed786Commented:
It is because of the error you got in dcdiag, and that's why you are also having a problem when you telnet to port 3268.

Check this command:

nltest /dsgetdc:DCName /force /gc

Also Check this

• Open Exchange Management Console
• Right click on Organization Configuration
• Click Modify Configuration Domain Controller
• Check Use Default Domain Controller
0
DATABAXAuthor Commented:
Hi Ahmed, the output from that command is:

C:\Users\Administrator>nltest /dsgetdc:DCName /force /gc
Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

I then changed the exchange configuration to use the default domain controller (it was set to use DBXDC03) and ran the command again with the same result.

I then tried to run the SP3 installer again and received the same LDAP error but in addition received the following error:

Error:
Setup cannot continue with the upgrade because the resource property contains invalid data: Failed to connect to Active Directory server DBXDC03.dbx.local. Make sure the server is available, and that you have used the correct credentials.
0
Ahmed786Commented:
Check that your Exchange server's DNS settings point to your domain DNS servers. If they do, run nslookup queries for domain.local, dc.domain.local, gc.domain.local, dc and gc, and make sure you get authoritative responses for them. If not, then the problem is with your DNS.



How many DCs do you have? Are all of them GCs? After assigning GC to a DC you need to reboot it.


Also, you can try this to delete stale credentials in the key manager:
1. Click Start, click Run, type “control keymgr.dll”, and then click OK.
2. Delete any entry that matches the names of the Exchange servers or domain controllers in your organization.
0
Ahmed786Commented:
This is to check the trust relationship as well as connectivity.

Ask him to try this as well: nltest /dsgetdc:DCName ----> Hit Enter (this is to verify you can locate your DC)

Then try this: nltest /dsgetdc:DCName /force --> Hit Enter


If there is an issue with the above then I am 100% sure that the problem is with DNS registrations and network connectivity.


Try this as well:

nltest /SC_QUERY:Domain Name  --> Enter

Also check this TechNet article about the error you are getting from nltest.

http://support.microsoft.com/kb/253096
0
DATABAXAuthor Commented:
I currently have 2 GC domain controllers, dbxdc02 and dbxdc03 on a domain called dbx.

The output of the above commands is as follows:

C:\Users\Administrator\Downloads\Exchange 2010 SP3>nslookup dbx.local
Server:  UnKnown
Address:  192.168.16.2

Name:    dbx.local
Addresses:  192.168.16.2
          192.168.16.88


C:\Users\Administrator\Downloads\Exchange 2010 SP3>nslookup dbxdc02.dbx.local
Server:  UnKnown
Address:  192.168.16.2

Name:    dbxdc02.dbx.local
Address:  192.168.16.2


C:\Users\Administrator\Downloads\Exchange 2010 SP3>nslookup dbxdc03.dbx.local
Server:  UnKnown
Address:  192.168.16.2

Name:    dbxdc03.dbx.local
Address:  192.168.16.88

See the attached file for the output of control keymgr.dll
win.JPG
0
DATABAXAuthor Commented:
Here is the output for the first test (I take it I am running these commands on dbxdc02, which is the 2008 R2 DC which also has Exchange 2010 on it):

C:\Users\Administrator\Downloads\Exchange 2010 SP3>nltest /dsgetdc:dbxdc02
Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

C:\Users\Administrator\Downloads\Exchange 2010 SP3>nltest /dsgetdc:dbxdc03
Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN


Here are the results for test 2:

C:\Users\Administrator\Downloads\Exchange 2010 SP3>nltest /dsgetdc:dbxdc02 /force
Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

C:\Users\Administrator\Downloads\Exchange 2010 SP3>nltest /dsgetdc:dbxdc03 /force
Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN


Here are the results for test 3:

C:\Users\Administrator\Downloads\Exchange 2010 SP3>nltest /SC_QUERY:dbx
Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\DBXDC03.dbx.local
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
0
DATABAXAuthor Commented:
Reading the article you provided and running the test based on their recommendation produces the following output. This is interesting as it thinks the IP address is a 169, very strange, and there is no mention of dbxdc03 either.

C:\Users\Administrator\Downloads\Exchange 2010 SP3>nltest /dsgetdc:dbx.local /gc

           DC: \\DBXDC02.dbx.local
      Address: \\169.254.135.23
     Dom Guid: fbfff193-c63b-4c07-83ce-8c4e0e8def87
     Dom Name: dbx.local
  Forest Name: dbx.local
 Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
        Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLO
SE_SITE FULL_SECRET WS
The command completed successfully
0
Ahmed786Commented:
So now try nltest /dsgetdc:dbxdc02.dbx.local /force


and nltest /dsgetdc:dbxdc03.dbx.local /force, and see the output.

---------

So it means that as per your result nslookup dbxdc02.dbx.local
Server:  UnKnown
Address:  192.168.16.2

Name:    dbxdc02.dbx.local
Address:  192.168.16.2

In every nslookup you can see that the server name is Unknown, which means it is not picking up the DC name here. As the Exchange server is also acting as a DC, its name should be shown here instead of Unknown.

So please check the DNS settings and also check the host entries on the Exchange server.



NOTE: When NSLOOKUP starts, before anything else, it checks the computer's network configuration to determine the IP address of the DNS server that the computer uses.
Then it does a reverse DNS lookup on that IP address to determine the name of the DNS server.

If reverse DNS for that IP address is not set up correctly, then NSLOOKUP cannot determine the name associated with the IP address.

So in short you have to set up your reverse zone for the IP address of the DNS server.


Have you checked by executing the nslookup command on another DC to see what result it gives? It may give the same result, Server: UNKNOWN.
0
DATABAXAuthor Commented:
When running nltest /dsgetdc:dbxdc02.dbx.local /force on both dbxdc02 and dbxdc03 I get the following:

C:\Users\Administrator\Downloads\Exchange 2010 SP3>nltest /dsgetdc:dbxdc02.dbx.l
ocal /force
Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

C:\Users\Administrator\Downloads\Exchange 2010 SP3>nltest /dsgetdc:dbxdc03.dbx.l
ocal /force
Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN


DNS settings seem to be fine, the reverse Zone is set for the IP address of the DNS Server.

Where do I check host entries on exchange server?


When running the nslookup dbxdc02.dbx.local on dbxdc03 I get the following:

C:\Users\administrator.DBX>nslookup dbxdc02.dbx.local
Server:  dbxdc02.dbx.local
Address:  192.168.16.2

Name:    dbxdc02.dbx.local
Address:  192.168.16.2


C:\Users\administrator.DBX>nslookup dbxdc03.dbx.local
Server:  dbxdc02.dbx.local
Address:  192.168.16.2

Name:    dbxdc03.dbx.local
Address:  192.168.16.88
0
Ahmed786Commented:
Can you restart your Exchange server and paste your dcdiag and netdiag results again in a txt file?

Is the DC on which Exchange Server is installed a GC?

-------------------------------------

Also try some final steps once more.

Use the port query tool and verify that both 3268 and 3269 are open on the firewall or in the LISTENING state (because LDAP GC 3268 and LDAP GC SSL 3269 are important and should be open).

If the ports are open, use a network sniffer tool to locate the network problem.

Port Query UI : http://www.microsoft.com/download/en/details.aspx?id=24009
Network Sniffer: http://www.colasoft.com/resources/network-sniffer.php


--------------------------------------------------------------------------------

If the required ports are not open, refer to the link below; it may also be due to DNS misconfiguration on the DC.

Active Directory Firewall Ports - Let's Try To Make This Simple
http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx

Also ensure that the correct DNS settings are configured on the server as below.
1. Each DC / DNS server points to its private IP address as primary DNS server and other remote/local DNS servers as secondary in TCP/IP properties.
2. Each DC has just one IP address and a single network adapter is enabled.
3. Contact your ISP and get valid DNS IPs from them and add them to the forwarders. Do not set a public DNS server in the TCP/IP settings of the DC.
4. Once you are done, run "ipconfig /flushdns & ipconfig /registerdns", and restart the DNS and NETLOGON services on each DC.
Do not put private DNS IP addresses in the forwarder list.
5. Assign a static IP address to the DC if its IP address is assigned by a DHCP server; that is strongly not recommended.

Also, disable the local Windows Firewall service; by default it is enabled in Vista/Windows 2008 and above. Check the network connectivity and latency.
Disable Windows Firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

It can also be caused by antivirus software, with many of them sporting a new feature called "network traffic protection," which can effectively block necessary AD traffic.

Check the health of the DC as well: run dcdiag /q and repadmin /replsum, and if there are any errors post them. Check the event log as well.
0
DATABAXAuthor Commented:
All the FSMO roles have been moved from dbxdc02 to dbxdc03. This was the first step we did prior to attempting the Exchange migration. Ultimately dbxdc02 will be decommissioned once I have Exchange migrated over to dbxdc03.

I just ran the port scanner on dbxdc02 and told it to scan the ports on dbxdc03 (192.168.16.88) and got the following result:

 Starting portqry.exe -n 192.168.16.88 -e 3268,2369 -p TCP ...


Querying target system called:

 192.168.16.88

Attempting to resolve IP address to a name...


IP address resolved to DBXDC03

querying...

TCP port 3268 (msft-gc service): FILTERED

TCP port 2369 (unknown service): FILTERED
portqry.exe -n 192.168.16.88 -e 3268,2369 -p TCP exits with return code 0x00000002.

The word "FILTERED" indicates it's not listening and this is potentially where the problem lies. Not quite sure how to use the network sniffer!
0
Ahmed786Commented:
If you have a firewall between the two, you need to ensure you have the proper firewall ports open.


Try this to open port in windows firewall

How to manually open Port 3268/tcp in Windows Firewall?

Windows Firewall may block port 3268/tcp by default. If you want to allow a program to communicate using Port 3268/tcp through the firewall, you can usually do that by selecting the required program on the Exceptions tab in Windows Firewall. However, sometimes the program is not listed in the Exceptions tab. In this case you need to open the port manually.


1. Open Windows Firewall by clicking Start, Control Panel, Security, and then Windows Firewall.

2. Click 'Allow a program through Windows Firewall'.

3. Click 'Add port'.

4. In the 'Name' field, type a friendly name for the port like 'Port-3268/tcp'.

5. In the 'Port number' field, enter the port number '3268/tcp'.

6. Select TCP or UDP, depending on the protocol required for port 3268/tcp.

------------------

Try this to check replication:

repadmin /showreps

Can you execute this, please?

DCDIAG /V /C /D /E /s:yourdcname>c:\dcdiag.log
0
Ahmed786Commented:
For sniffing network, you may use many third party tools one of such is Wireshark, Network Sniffer etc...
0
Ahmed786Commented:
Is GC enabled on your DC where exchange 2010 is installed ?

Because if you telnet as below on your exchange server in which GC is not enabled then you will get error.

C:\>telnet localhost 3268
Connecting To localhost...Could not open connection to the host, on port 3268: C
onnect failed
0
DATABAXAuthor Commented:
How do I check which server is GC?

I ran telnet localhost 3268 on the exchange server and it does connect, but when running telnet dbxdc03 3268 or telnet 192.168.16.88 3268 it doesn't connect.

The firewall port is open as I previously followed the steps you suggested.

I ran the DCDIAG /V /C /D /E /s:yourdcname>c:\dcdiag.log command on dbxdc02 (Exchange server) and attached the results. Was this right or should it have been run on dbxdc03?

When running the repadmin /showreps command, here is the output:

C:\Users\Administrator>repadmin /showreps
Default-First-Site-Name\DBXDC02
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 79ba937d-02d7-4b9a-a99c-761783c0058e
DSA invocationID: 79ba937d-02d7-4b9a-a99c-761783c0058e

==== INBOUND NEIGHBORS ======================================

DC=dbx,DC=local
    Default-First-Site-Name\DBXDC03 via RPC
        DSA object GUID: 073b2042-39d5-4449-8a86-a2483f9d6a0c
        Last attempt @ 2013-09-20 09:50:20 was successful.

CN=Configuration,DC=dbx,DC=local
    Default-First-Site-Name\DBXDC03 via RPC
        DSA object GUID: 073b2042-39d5-4449-8a86-a2483f9d6a0c
        Last attempt @ 2013-09-20 09:50:20 was successful.

CN=Schema,CN=Configuration,DC=dbx,DC=local
    Default-First-Site-Name\DBXDC03 via RPC
        DSA object GUID: 073b2042-39d5-4449-8a86-a2483f9d6a0c
        Last attempt @ 2013-09-20 09:50:20 was successful.

DC=DomainDnsZones,DC=dbx,DC=local
    Default-First-Site-Name\DBXDC03 via RPC
        DSA object GUID: 073b2042-39d5-4449-8a86-a2483f9d6a0c
        Last attempt @ 2013-09-20 09:50:20 was successful.

DC=ForestDnsZones,DC=dbx,DC=local
    Default-First-Site-Name\DBXDC03 via RPC
        DSA object GUID: 073b2042-39d5-4449-8a86-a2483f9d6a0c
        Last attempt @ 2013-09-20 09:50:20 was successful.

Source: Default-First-Site-Name\DATABAX-MONITOR
******* 11 CONSECUTIVE FAILURES since 2013-09-20 08:10:20
Last error: 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failu
re.

Naming Context: DC=monitoring,DC=dbx,DC=local
Source: Default-First-Site-Name\DATABAX-MONITOR
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: CN=Schema,CN=Configuration,DC=dbx,DC=local
Source: Default-First-Site-Name\DATABAX-MONITOR
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: CN=Configuration,DC=dbx,DC=local
Source: Default-First-Site-Name\DATABAX-MONITOR
******* WARNING: KCC could not add this REPLICA LINK due to error.

C:\Users\Administrator>
dcdiag.log
0
Ahmed786Commented:
Is GC enabled on your DC where exchange 2010 is installed ?

Because if you telnet as below on your exchange server in which GC is not enabled then you will get error.

C:\>telnet localhost 3268
Connecting To localhost...Could not open connection to the host, on port 3268: Connect failed

I hope that when you run the LDP tool you type your DC name as DBXDC03 and not as DBXDC02.

So you have DBXDC02 :- WINDOWS 2008 act as a DC but no GC ( so its not a  Member Server).

and you have DBXDC03 :- windows 2012 act as a DC + GC with all FSMO roles assigned to it.


So have you checked telnet localhost 3268 on DBXDC03 to see if it listens there? If not, then something is blocking that port, maybe the firewall, so refer to the steps I gave you earlier, or try stopping the firewall and check telnet again.


If it is properly listening on port 3268 then there might be something between your DBXDC02 and DBXDC03 which is preventing contact with that DC on port 3268 (so you need to find that out).
0
DATABAXAuthor Commented:
I tried the following:

C:\>telnet localhost 3268 on dbxdc02 - it connects.
C:\>telnet localhost 3268 on dbxdc03 - it does not connect.

C:\>telnet dbxdc03 3268 on dbxdc02 - it does not connect
C:\>telnet dbxdc02 3268 on dbxdc03 - it connects.

So it clearly looks like dbxdc03 is blocking 3268.

If I turn the firewall off on dbxdc03 I get the following:

C:\>telnet localhost 3268 on dbxdc03 - it does not connect.
C:\>telnet dbxdc03 3268 on dbxdc02 - it does not connect




In terms of the setup, your statement below is correct, but I'm not 100% sure if dbxdc02 is a GC. How would I determine this?

DBXDC02 :- WINDOWS 2008 act as a DC but no GC ( so its not a  Member Server).
DBXDC03 :- windows 2012 act as a DC + GC with all FSMO roles assigned to it.
0
Ahmed786Commented:
To check whether your 2008 server is a GC or not, just follow the steps below.

1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue.

2. In the console tree, expand the Sites container, expand the site of the domain controller that you want to check, expand the Servers container, and then expand the Server object.

3. Right-click the NTDS Settings object, and then click Properties.

4. On the General tab, if the Global Catalog box is selected, the domain controller is designated as a global catalog server.

------------------------------

So if you are able to telnet to localhost, i.e. DBXDC02, on port 3268, it means GC is enabled on DBXDC02.

Meanwhile I am checking your logs.
0
DATABAXAuthor Commented:
I have just checked and yes both servers are GC servers.
0
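A scripted version of the GC checks discussed in the comments above, as an added example that is not part of the original thread. It compares the Global Catalog checkbox (bit 1 of the NTDS Settings "options" attribute, shown by repadmin as IS_GC) with the rootDSE attribute isGlobalCatalogReady, and probes the LDAP and GC ports; the server names are the two DCs named in the thread and the function names are hypothetical.

```powershell
# Added example, not from the thread. Read-only checks, written to run on PowerShell 2.0.
# Server names are the two DCs from the thread; change them for your environment.
$DomainControllers = 'DBXDC02.dbx.local', 'DBXDC03.dbx.local'
$Ports = 389, 636, 3268, 3269   # LDAP, LDAPS, GC, GC over SSL

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'NO REPLY'      # nothing came back; portqry calls this FILTERED
        }
        $client.EndConnect($async)
        return 'LISTENING'
    }
    catch {
        $inner = $_.Exception.GetBaseException()
        if ($inner -is [System.Net.Sockets.SocketException] -and
            $inner.SocketErrorCode -eq [System.Net.Sockets.SocketError]::ConnectionRefused) {
            return 'REFUSED'       # host answered but nothing is bound to the port
        }
        return "ERROR: $($inner.Message)"
    }
    finally { $client.Close() }
}

function Get-GcState {
    param([string]$ComputerName)
    try {
        # rootDSE is read over port 389, so this works even when 3268 is closed.
        $rootDse = [ADSI]"LDAP://$ComputerName/RootDSE"
        $ready   = [string]$rootDse.psbase.Properties['isGlobalCatalogReady'].Value
        $ntdsDn  = [string]$rootDse.psbase.Properties['dsServiceName'].Value

        # dsServiceName is the DN of this DC's NTDS Settings object.
        $ntds    = [ADSI]"LDAP://$ComputerName/$ntdsDn"
        $options = [int]$ntds.psbase.Properties['options'].Value   # empty attribute -> 0

        New-Object PSObject -Property @{
            GcFlagSet = (($options -band 1) -ne 0)   # the Global Catalog checkbox
            GcReady   = $ready                       # TRUE once GC promotion has finished
        }
    }
    catch {
        New-Object PSObject -Property @{ GcFlagSet = 'unknown'; GcReady = 'unknown' }
    }
}

foreach ($dc in $DomainControllers) {
    $gc = Get-GcState -ComputerName $dc
    foreach ($port in $Ports) {
        New-Object PSObject -Property @{
            Server    = $dc
            Port      = $port
            State     = (Test-TcpPort $dc $port)
            GcFlagSet = $gc.GcFlagSet
            GcReady   = $gc.GcReady
        } | Select-Object Server, Port, State, GcFlagSet, GcReady
    }
}
```

A DC only starts answering on 3268 and 3269 once it has finished global catalog promotion, so a row with GcFlagSet True and GcReady not TRUE is a different condition from a firewall block. Pipe the output to Format-Table -AutoSize for a compact view.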
Ahmed786Commented:
There are many errors in the dcdiag output; you really have to work hard on this.

Your group policy will not work, and many other things will not work.

Some of the things you have to correct are as follows; there are still others, but for now correct the issues below.

1> First of all, we have found another DC named DATABAX-MONITOR. You might have decommissioned it, but it has not been completely removed, so you have to remove it so that its entries are not present anywhere. (For this you have to refer to the documentation if you are not sure; there are different documents for 2003 and 2008, and I don't know which it was. Maybe it was 2003, if I am not wrong.)

Maybe try this TechNet article: http://social.technet.microsoft.com/Forums/windowsserver/en-US/37c96adc-c4d6-40b1-b3f3-760c7eccbeb3/how-do-i-remove-a-dead-domain-controller-in-ad



2> Second, I have seen that DC DBXDC03 has lots of issues such as LDAP and RPC connectivity errors, which point to firewall settings on that server.

3> Third, there is a clock difference between DBXDC02 and DBXDC03, so check it on DBXDC03 and correct it, then resynchronize the time between these servers.


Meanwhile check this and try to resolve as many errors as you can based on dcdiag. Then run the dcdiag command with /s again and paste the output here, and later run dcdiag with all the other options I gave you earlier, so we have both logs. Please also run the netdiag test as well.
0
Ahmed786Commented:
Any good news .......


Hello, meanwhile you can open LDP from the Run command, connect to your DC 1, bind with your password, then copy the output with the mouse and send us the log. Do the same for DC 2 and send us that log too, just to check.

Do this for both ports, 389 and 3268.
0
DATABAXAuthor Commented:
sorry I have just seen these replies, I will work on them and advise.
0
Ahmed786Commented:
any update
0
DATABAXAuthor Commented:
I am struggling to delete the Databax-monitor server. The server is no longer connected to the network but when I try to delete it in AD Sites and Services I get an error, see attachment. I have searched for a solution to this and tried various things to delete this orphaned DC but it just keeps erroring. Have you come across this one before?
error2.JPG
0
Ahmed786Commented:
Go through the Microsoft articles below. It always happens that we forget to delete it completely and then we have to face problems in the future.

http://support.microsoft.com/kb/216498

http://support.microsoft.com/kb/230306
0
DATABAXAuthor Commented:
Tried these two articles already - it seems that it is looking for the server on the network but as it is no longer there it is not finding it and therefore not allowing us to run the full metadata cleanup.

After running the 'connect to server' command, it does not find the server (the error message returned is 'Not connected to a server - use 'connections').
0
Ahmed786Commented:
Listen dear, you are not running the metadata cleanup properly.

First check which DC has the Domain Naming Master FSMO role.

You may be aware that we have 5 roles: Schema, Domain, PDC, RID and Infrastructure, so first check which DC has the Domain Naming role.

On your DC just type the commands below, and at "connect to server" type the name of the DC which has the Domain role.

Don't type the name of the DC which is already decommissioned.


C:\>ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: connections
server connections: connect to server DC NAME WHICH HAS DOMAIN ROLE
Binding to DOMAIN CONTROLLER ...
Connected to DOMAIN CONTROLLER using credentials of locally logged on user.
server connections: quit
metadata cleanup: select operation target
select operation target: list domains
Found 1 domain(s)
0 - DC=xxx,DC=XYZ,DC=ZZZ,DC=CCC
select operation target:
0
DATABAXAuthor Commented:
We have managed to remove the databax-monitor server and re-ran the SP3 Upgrade Wizard but now we have a different error being:

"Setup encountered a problem while validating the state of Active Directory: Setup has determined that the schema master domain controller DBXDC03.dbx.local is not available or cannot be contacted."

Any ideas on how to fix this error?
0
Ahmed786Commented:
So I think your DBXDC02 is at one site and DBXDC03 is at a different site, so you have to transfer the Schema Master role to the 02 server in order to accomplish this task, because it is trying to contact your schema master, which is on the 03 server at a different site, and hence it is not able to contact it.

So you can transfer the schema role to 02, and then after all is fine you can transfer the schema role back to 03.
0
DATABAXAuthor Commented:
Hi,

After transferring the schema role to dbxdc02, we get the following error message (see attached file).
Error-1.docx
0
Ahmed786Commented:
Please try to reboot the machine on which SP3 is being installed, because it is giving the same schema master error and you have already transferred the schema role to 02, so this error should go away automatically.

If you still get the same error then you can do the procedure below.


• Open Exchange Management Console
• Right click on Organization Configuration
• Click Modify Configuration Domain Controller
• You have already set this to Use Default Domain Controller, so now point it to your 02 DC.

After this is done and SP3 is installed you can again point it back to use it as Default DC.

---------------------------

Try running the Exchange Best Practice Analyzer Tool on the 02 server and check the results.

Also check by running the netdom FSMO query command, following the steps below on 2008.

Open a command prompt with Run as Administrator on your 02 server.
C:\Windows\system32>netdom query /domain:dbx fsmo  --> Hit Enter

Check whether the schema master is properly showing as the 02 server or not; if possible transfer the Domain Naming Master to the 02 server as well.

Then force replication manually from the GUI as shown below and try the SP3 installation again.

To force replication over a connection
--------------------------------------------------------------------------------

1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.

2. In the console tree, expand Sites, and then expand the site to which you want to force replication from the updated server.

3. Expand the Servers container to display the list of servers that are currently configured for that site.

4. Expand the server objects and click their NTDS Settings objects to display their connection objects in the details pane. Find a server that has a connection object from the server on which you made the updates.

5. Click NTDS Settings below the server object. In the details pane, right-click the connection object whose From Server is the domain controller that has the updates that you want to replicate, and then click Replicate Now.

6. When the Replicate Now message box appears, review the information, and then click OK.
0
Ahmed786Commented:
Any Update on this ?
0
Ahmed786Commented:
Still fighting with issues ?
0
Ahmed786Commented:
Any update on this ?
0
DATABAXAuthor Commented:
Sorry for not getting back to you, we have just seen this comment and will reboot the DC shortly and give you the results.
0
DATABAXAuthor Commented:
After rebooting the server and running the upgrade procedure again they all passed - so rebooting the server rectified this last problem. However, after hitting the 'upgrade' button and it takes us to a new list of checks, it fails on this first one. (See attached screenshot). Any ideas of what is going wrong here? It is still referring to the dbx.monitoring DC even though it should be fully deleted now?
Error2.docx
0
Ahmed786Commented:
Go and check in Sites and Services whether such a name still exists...


Also run this once again: open cmd and type dcdiag /s:DCName >>DC.txt and then run netdiag /v >>net.txt. Is everything showing as normal there?

Paste the latest results here.
0
DATABAXAuthor Commented:
There is no reference to databax-monitor in sites and services.

When I do the above commands, I get the following results:



Directory Server Diagnosis


Performing initial setup:

   Ldap search capabality attribute search failed on server databax-monitor,

   return value = 81
0
Ahmed786Commented:
Apologies for the delay as I was busy with the Eid festivals...


Listen, please go through Petri's article below, written by Daniel. It is properly explained, so just follow that and try to remove the culprit wherever it is hidden.

http://www.petri.co.il/delete_failed_dcs_from_ad.htm

----------------------------------

I have simply written the same below, but the above link is good to refer to as you have to check other things as well.


Clean up metadata, remove the failed server object from the site, and remove the computer object from the domain controllers container.

1> Run the command below once again and check that the Databax-Monitor DC is not showing in the domain list.

Run the command below from the DC, which you have already done before.

C:\>ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: connections
server connections: connect to server "DC NAME WHICH HAS DOMAIN ROLE"
Binding to DOMAIN CONTROLLER ...
Connected to DOMAIN CONTROLLER using credentials of locally logged on user.
server connections: quit
metadata cleanup: select operation target
select operation target: list domains
Found 1 domain(s)
0 - DC=xxx,DC=XYZ,DC=ZZZ,DC=CCC
select operation target: Select Domain "0 or 1 whatever number Databax-Monitor has"


then do below

select operation target: list sites  (press Enter)


then do below

Type select site <number>, where <number> refers to the number of the site in which the domain controller was a member. Press Enter.


select operation target: Select site "0 or 1" (Press Enter)

then do below

Type list servers in site and press Enter. This will list all servers in that site with a corresponding number.

select operation target: List servers in site (Press Enter)

then do below

Type select server <number> and press Enter, where <number> refers to the domain controller to be removed.

select operation target: Select server "0 or 1" (Press Enter)


then do below

Type quit and press Enter. The Metadata cleanup menu is displayed.

select operation target: q
metadata cleanup:


then do below

Type remove selected server and press Enter. (You will receive a warning message. Read it, and if you agree, press Yes.)

metadata cleanup: Remove selected server  (Press Enter)

(At this point, Active Directory confirms that the domain controller was removed successfully. If you receive an error that the object could not be found, Active Directory might have already been removed from the domain controller.)


then do below

Type quit, and press Enter until you return to the command prompt.
0
DATABAXAuthor Commented:
Hi Ahmed,

Thank you for your reply. I have run this command and found that it does somewhere still recognise the domain name of the monitoring.dbx.local server but the server itself is not listed.

I then did a search on how to delete the child domain name and I have pasted the results in the attached document.

It's as if the PC knows the domain name is there but doesn't find anything to delete from it.
MetaData-Cleanup-Error.docx
0
Ahmed786Commented:
So have you tried deleting it using ADSIEdit.msc (run this command from Start --> Run)?

You can also try ADSIEdit to delete the trustDomain object for the child

Click Start, click Run, type adsiedit.msc in the Open box, and then click OK

a.Expand the Domain NC container.
b.Expand DC=Your Domain, DC=COM, PRI, LOCAL, NET.
c.Expand CN=System.
d.Right-click the Trust Domain object, and then click Delete.
0
Ahmed786Commented:
any update ?
0
DATABAXAuthor Commented:
I have followed your instructions and deleted the Trust Domain Object, as it was displaying the DBX Monitoring domain name, and then re-ran the upgrade procedure and still get the same error.

Is there anywhere else that this name could be recognised?
0
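A read-only way to answer "where else could this name be recognised" after the ntdsutil metadata cleanup and the ADSIEdit trust deletion described above. This is an added example, not something posted in the thread; the `$Stale` value is a constructed placeholder, and the script assumes it is run on a domain controller with the ActiveDirectory PowerShell module installed.

```powershell
# Added example: read-only audit, makes no changes to the directory.
Import-Module ActiveDirectory

$Stale = 'monitor'   # constructed placeholder: fragment of the removed server/domain name
$root  = Get-ADRootDSE
$cfg   = $root.configurationNamingContext
$dom   = $root.defaultNamingContext

function Test-Port($hostName, $port) {
    # Plain TCP connect with a 2-second timeout (works on PowerShell 2.0).
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($hostName, $port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne(2000, $false)) { return $false }
        $client.EndConnect($ar)
        return $client.Connected
    } catch { return $false } finally { $client.Close() }
}

# 1. Server objects under CN=Sites. A live DC has an "NTDS Settings" (nTDSDSA)
#    child; a server object without one is left over from an incomplete removal.
#    Port 3268 answers only on global catalogs, so False there on a non-GC is expected.
Get-ADObject -SearchBase "CN=Sites,$cfg" -LDAPFilter '(objectClass=server)' -Properties dNSHostName |
    ForEach-Object {
        $ntds = Get-ADObject -SearchBase $_.DistinguishedName -SearchScope OneLevel `
                    -LDAPFilter '(objectClass=nTDSDSA)'
        $fqdn = $_.dNSHostName   # empty on some stale objects; Test-Port then returns False
        New-Object PSObject -Property @{
            Server  = $_.Name
            HasNTDS = [bool]$ntds
            LDAP389 = (Test-Port $fqdn 389)
            GC3268  = (Test-Port $fqdn 3268)
        }
    } | Format-Table Server, HasNTDS, LDAP389, GC3268 -AutoSize

# 2. Other containers where the old name can persist: crossRef objects in
#    CN=Partitions, trustedDomain objects in CN=System, and computer accounts
#    in OU=Domain Controllers.
$checks = @(
    @{ Base = "CN=Partitions,$cfg";         Filter = '(objectClass=crossRef)' },
    @{ Base = "CN=System,$dom";             Filter = '(objectClass=trustedDomain)' },
    @{ Base = "OU=Domain Controllers,$dom"; Filter = '(objectClass=computer)' }
)
foreach ($chk in $checks) {
    Get-ADObject -SearchBase $chk.Base -LDAPFilter $chk.Filter -Properties dnsRoot, nCName |
        Where-Object { "$($_.DistinguishedName) $($_.dnsRoot) $($_.nCName)" -match [regex]::Escape($Stale) } |
        Format-List ObjectClass, DistinguishedName
}
```

Any row with HasNTDS = False, or any object listed by the second part, is a remaining reference to review before rerunning Exchange setup.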
Ahmed786Commented:
Just reboot the server once again and try the upgrade again. If you get the same error again, then once again open cmd and type dcdiag /s:DCName >>DC.txt and then run netdiag /v >>net.txt. Is everything showing normal over here?

Please paste me entire content because everything is in that only.

Attach both the txt files here for me.
0
DATABAXAuthor Commented:
I still get the same responses as last time:
net.txt
DC.txt
0
Ahmed786Commented:
Can you please once again execute the NTDSUTIL command for metadata, as done previously?

Please check once again if it's showing there.

Please try to reboot both the DCs after that and then try again with upgrade.

Sure something wrong is going on in your step.
0
Ahmed786Commented:
Have you executed the NTDS command and checked once again for the existence of your deleted domain server?

And I hope all your FSMO roles are on the server which has Exchange.
0

Ahmed786Commented:
any update pls ?
0
DATABAXAuthor Commented:
Hi, yes we tried this yesterday and with a bit of a hiccup with the services not functioning properly, the upgrade to SP3 finally went through!

Thank you so much for your patience and time with this case, you have been a great help!
0