Mar 16 2009 11:27AM GMT
Posted by: Roger Crawford
Windows 2003 Server,
USN Rollback,
Active Directory Restore,
Windows 2003 DC Restore
Well we had a DC die on us Friday in our office and this was also the FSMO Master of the domain plus it had the Enterprise CA on it. The DC was brought up Virtually on our BDR Device but in the whole process the DC went into USN Rollback meaning the version of AD on the DC was different or a older version than the rest of the DC’s in the domain but things seemed to be working but they was not right. Not good here well I got those emails from our Network Admin that something was amiss in the domain and could I look at it.
So as I dug through the problems in the event logs on the DC in question and on the other DC’s I keep finding that the error was that the servers was not replicating. I also found when I run the repadmin /showrep I get the error of IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL and also when you ran the dcdiag command you got the same thing and this had the commands to run to try and correct the problem which I ran. But it was not long and this error was showing up again when running the commands. I also found the netlogon service at a paused state this is another sign on USN Rollback problems. Basically all the DC’s had went into a mode of not allowing the replication to happen because of the old data from the bad DC.
I searched and finally came to the conclusion that we was going to have to demote the server down and bring it back on the domain as a member server. I called Randy and gave the bad news to him and just what he wanted to hear on a Saturday evening at 10 and we came up with a plan. We would use the ntdsutil to clean AD on the DC’s to seize the rolls and then get AD cleaned of the bad DC. I had went changed the main DNS IP on a lot of the servers in the network to the soon to be new FSMO master and then verified DNS was still working.
Randy had restored the server on to a physical machine and had it shutdown. We paused the Virtual DC with issues and then brought up the restored server on the physical machine with it plugged into a switch by itself and did a dcpromo /forceremoval to clean AD off the server. As this was being done I seized the roles onto the new FSMO master server and cleaned AD Sites and Services of the bad DC and also cleaned up any remnants of the bad DC out of DNS. This got AD straightened out and replicating to all sites like they should be and DNS functioning the way it should be.
When restoring a DC either into a Virtual Environment or on a Physical machine there is some steps you need to do before you bring it back online in the domain. Here they are this holds true for a Virtual Server or a Physical Server as we move more towards Virtual Servers this is something that really needs to be watch or you will run into this
Procedure for using the recovery option:
- “Restore” the image
- !!! Boot into DSRM !!! (not connected to the network)
- Note the value of “DSA Previous Restore Count”
(HKLM\System\CurrentControlSet\Services\NTDS\Parameters) (Not visible? –> Assume value of 0)
- Add the entry “Database restored from backup” (DWORD) with a value of 1
(HKLM\System\CurrentControlSet\Services\NTDS\Parameters) (This triggers the actions needed for AD right after a system state restore!)
- Stop the “File Replication Service (NTFRS)” and assign the value “D4” (for auth. or primary restore) or “D2” (for an non-auth. restore) to the entry “BurFlags” in (HKLM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup)
(This triggers the actions needed for the SYSVOL right after a system state restore!) (and other replicated DFS namespaces!)
(also see: Using the BurFlags registry key to reinitialize File Replication Service replica sets - http://support.microsoft.com/?id=290762)
- Boot into normal DC mode (not connected to the network)
- Check the value of “DSA Previous Restore Count”
(HKLM\System\CurrentControlSet\Services\NTDS\Parameters) (New value = old value + 1)
- In the DS event log check for event ID 1109
- In the FRS event log check for event ID 13565 & 13520 if a non-auth. restore was performed for the SYSVOL
- In the FRS event log check for event ID 13566 if an auth. restore was performed for the SYSVOL
- Connect to the network again
- Check the health of the DC (AD & SYSVOL)
- DCDIAG /D /C /V
- NETDIAG /DEBUG /V
- GPOTOOL.EXE /CHECKACL /VERBOSE
- REPADMIN.EXE /SHOWUTDVEC <FQDN DC> <NC>
More on the Enterprise CA next and what we had to do to bring that back.
Til later just Roger
Feb 10 2009 12:19PM GMT
Posted by: Roger Crawford
SBS,
SBS 2003,
OWA,
Exchange 2003
We had another site with OWA having issues and I am wondering if this was a problem with maybe a update that came down or was actually just something that came up. But they was getting the 500 error and Site busy from the outside when OWA was tried to go to. What they ended up doing was running this
We had to sync IUSR and IWAM
Used this piece of flotsam
We used the /inetpub/AdminScripts for this.
The syntax we used:
cscript adsutil.vbs set w3svc/anonymoususerpass “f00″
cscript adsutil.vbs get w3svc/anonymoususerpass (reports correct password)
cscript adsutil.vbs set w3svc/wamuserpass “f00″
cscript adsutil.vbs get w3svc/wamuserpass (reports correct password)
To sync the passwords with IIS we used:
cscript.exe synciwam.vbs -v
2nd time through it worked
Til later just Roger
Jan 31 2009 11:29PM GMT
Posted by: Roger Crawford
SBS 2003,
Exchange 2003,
Exhange 2003 SP2,
Microsoft Windows
One of our techs had a Exchange 2003 SP2 server that the OWA quit working and I suggested that he do a Exchange 2003 reinstall. That usually clears up any of these quirky Exchange 2003 problems if you can’t get it correct and of course when he went to install SP2 got the “there is an earlier version of the exchange intelligent message filter installed” So I had this fix for a SBS 2003 Server which it is still Exchange 2003 and this allowed him to get SP 2 installed. http://support.microsoft.com/kb/935916
He got this all done and the OWA would come up but with a 500 error inside and from the outside I would get a “The requested resource is in use.” Error so I did a quick search and found this and this corrected the problem for him regsvr32 %windir%/system32/vbscript.dll life was good and now he has his weekend back.
Til Later just Roger
Dec 31 2008 8:34AM GMT
Posted by: Roger Crawford
Microsoft Windows,
SBS,
Exchange
Well it was back at the migration this week and I worked on moving the Public Folders and everything related to this and had no real issues. I am to the point of removing the Exchange 2003 from the SBS 2003 Server and so far I would have to say this has went very well. Other than the Palm OS phones there has not been any snags on this process. If you don’t care if your Exchange Server ends up on a DC this is a good way to go. If you want it on a Member Server then you need to account for the time of doing a Exchange 2007 to Exchange 2007 migration which will be one of the next steps I do with this and then the customer has that server back to use as he wants and also he has Exchange 2007 where he wants it to be. But the Exchange 2007 to Exchange 2007 is a snap compared to the Exchange 2003 to Exchange 2007 migration.
Til Later just Roger
Dec 23 2008 9:14PM GMT
Posted by: Roger Crawford
Microsoft Windows,
Exchange,
SBS
Well we continued with working on the Palm OS Phones not syncing with the Exchange 2007 SP1 server and what it boiled down to was the Security Policies for the phones not allowing the phones to sync. After a lot of debate and discussion we finally decided to remove the Default Policy. This cannot be done with the Exchange Management but with the Exchange Power Shell. The command for this was remove-ActivesyncMailboxPolicy -identity “default” and then I restarted the Hub transport and boom the phones started syncing.
They are going to get these users different phones so we can re enable this and have the options of wiping the phones if needed. But this got us up and running. I also had a issue with Outlook Anywhere but that was just a matter of going through and defining the External URL’s on the Client Access Server pieces. Nothing big here just things to add to the todo list when you have a customer with the Palm OS Phones.
Til Later just Roger
Dec 22 2008 3:16AM GMT
Posted by: Roger Crawford
Microsoft Windows,
Exchange,
SBS
What a week I had and I finally got to start the migration of a SBS2003 server to Exchange 2007 SP1 and 2008 Servers. We started the move using the Exchange 2007 Console at 5 PM after doing a couple of different types of backups. One of the complete SBS 2003 Server and one of the Information store. We finally got all the email moved by 4:30 in the morning to the Exchange 2007 Server. Took the box down and moved it to the other office and brought the server up and OWA and ActiveSync and email was working and flowing. We also had the Windows Mobile Phones connect up with no issues and the ones running Blackberries had no problems also after we changed that server to point to the new server. What we have run into is a Palm OS Phone not syncing. More on that this week when we find the fix tomorrow. But the migration was a snap just like you would with a Exchange 2003 to Exchange 2007 transition.
I have yet to move the Public folders and remove the Exchange 2003 off the SBS box but we are getting there. I was impressed with the ease of the bring in the new Exchange 2007 server and connecting to the SBS 2003 Server. But more on this move as we go and the fix for the Palm OS phone.
Til Later just Roger
Dec 13 2008 10:47PM GMT
Posted by: Roger Crawford
Exchange,
SBS
I got called into a call for one of our customers that it had been through a few of the other techs and then I got that call can you look at this please. What the problem was they was trying to setup HTTP over RPC and they thought it was good but something wasn’t right yet. I got the articles they had used and reviewed what they had worked with and then did a basic check of the work as most anyone would coming into a project 3rd or 4th handed. Took me a bit but I found in the registry where you set some keys for ports to use for the connection. I found they had the internal NetBIOS and DNS names correct but they had left off the mail off the .domainname.whatever once I added these and they tested and it worked. Moral to the story is don’t over look the obvious and assume that everything was done correctly. It was a honest mistake that I have done myself and it never hurts to have another set of eyes to look at the work when it isn’t just not right yet.
Simple Enough everyone happy and on to the next adventure.
Til Later just Roger
Dec 6 2008 10:17PM GMT
Posted by: Roger Crawford
Virtualization,
Exchange,
SBS
Well the first thing I did was run the SBS BPA on the SBS 2003 server. This machine has had issues in the past, a past crash and a past crash and restore so I run the SBS BPA on the server and it was actually pretty clean. One thing I did was look at the Event logs and got all the logs cleared up that related to AD and the server. Had some old stale DC info in DNS and got that cleared up and also got the domain and forest raised in functional level to 2003. Brought in the new servers to the domain and DCPromoed the the 2 DC’s. One is a temp DC and the reason of this is Exchange 2007.
I did some research and found anything releated to bringing in the Exchange 2007 to a SBS2003 domain and what I found was if you bring it in on a DC things goes pretty smoothly so we will find out and I will let you know how that works out for me. Once I have the mail moved to the temp server and squared away we will move the mail again to the member server it will reside on. Then I have the SQL 2005 Server to install and a File Server and then we also plan on running a 2008 server running HyperV and TS gateway and probably 3 or 4 servers running Virtual. This is a big project and I should get some good insite on how to split out the SBS 2003 Server. Well more as I go and now I have to go wrap the many presents I purchased for family.
Til Later just Roger
Dec 6 2008 1:52PM GMT
Posted by: Roger Crawford
Virtualization,
Exchange,
SBS
No this is not a SBS 2003 to SBS 2008 migration. This is about taking a SBS2003 domain and migrating to the full blown 2008 Server with Exchange 2007 and breaking out and away from SBS 2003. That does happen as companies grow and this one has grown, they might have been a choice for EBS but they did not want to limit themselves to the 250 user limit also. So we are moving them out and I am going to talk about how I work this out and not by using the Transition pack either.
What I have planned is to join the servers to the existing SBS2003 server domain and make 2 domain controllers out of the 5 servers we will be installing and setting up new. We will be taking the old hardware and making them RO DC’s and sending them to the remote sites. But back to the plan once I have the 2 DC’s in the domain I will be installing Exchange 2007 onto one of them and then will migrate the email off the SBS box to the Exchange 2007 server and then removing Exchange 2003 from the SBS box just like you would if you was doing a SBS 2003 to SBS 2008 migration or just a Exchange 2003 to Exchange 2007 Transition. Move all data and whatever sharepoint data they have and then removing the SBS 2003 Server and I should then have everything broke out. I will post more later time to go do some christmas shopping.
Til later just Roger
