none
swing migration from a server/exchange 2003 environment to server 2012/exchange 2010 /preparead fails RRS feed

  • Question

  • setup /pl & /ps complete successfully

    ./setup.com /preparead fails with the following

    Welcome to Microsoft Exchange Server 2010 Unattended Setup
    
    Preparing Exchange Setup
    
        Copying Setup Files                           COMPLETED
    
    No server roles will be installed
    
    Performing Microsoft Exchange Server Prerequisite Check
    
        Organization Checks                                                                               COMPLETED
    
    Configuring Microsoft Exchange Server
    
        Organization Preparation                                                                          FAILED
         The following error was generated when "$error.Clear();
              if ($RolePrepareAllDomains)
              {
                  initialize-DomainPermissions -AllDomains:$true -CreateTenantRoot:($RoleIsDatacenter -or $RoleIsPartnerHost
    ed);
              }
              elseif ($RoleDomain -ne $null)
              {
                  initialize-DomainPermissions -Domain $RoleDomain -CreateTenantRoot:($RoleIsDatacenter -or $RoleIsPartnerHo
    sted);
              }
              else
              {
                  initialize-DomainPermissions -CreateTenantRoot:($RoleIsDatacenter -or $RoleIsPartnerHosted);
              }
            " was run: "Active Directory operation failed on SERVERNAM.MYCORRECTDOMAIN.local. The object 'CN=Deleted Objects,DC=MY_CORRECT_DOMAIN,DC=local' does not exist.".
    
    
    The Exchange Server setup operation didn't complete. More details can be found in ExchangeSetup.log located in the
    <SystemDrive>:\ExchangeSetupLogs folder.
    

    log shows

    [05/02/2013 15:25:15.0524] [1] [ERROR] Active Directory operation failed on SERVERNAME.MYCORRECTDOMAIN.local. The object 'CN=Deleted Objects,DC=MYCORRECTDOMAIN,DC=local' does not exist.
    [05/02/2013 15:25:15.0524] [1] [ERROR] The object does not exist.

    I took ownership and gave permissions using DCALS

    PS C:\Windows\system32> dsacls "CN=Deleted Objects,DC=MYCORRECTDOMAIN,DC=local"
    Owner: MYCORRECTDOMAIN\Domain Admins
    Group: NT AUTHORITY\SYSTEM
    
    Access list:
    {This object is protected from inheriting permissions from the parent}
    Allow MYCORRECTDOMAIN\JZiter         SPECIAL ACCESS
                                   LIST CONTENTS
                                   READ PROPERTY
    Allow MYCORRECTDOMAIN\JZiter         FULL CONTROL
    Allow MYCORRECTDOMAIN\Administrator  FULL CONTROL
    Allow BUILTIN\Administrators   SPECIAL ACCESS
                                   LIST CONTENTS
                                   READ PROPERTY
    Allow BUILTIN\Administrators   FULL CONTROL
    Allow NT AUTHORITY\SYSTEM      SPECIAL ACCESS
                                   DELETE
                                   READ PERMISSONS
                                   WRITE PERMISSIONS
                                   CHANGE OWNERSHIP
                                   CREATE CHILD
                                   DELETE CHILD
                                   LIST CONTENTS
                                   WRITE SELF
                                   WRITE PROPERTY
                                   READ PROPERTY
    
    The command completed successfully
    PS C:\Windows\system32> dsacls "CN=Deleted Objects,DC=MYCORRECTDOMAIN,DC=local" /g MYCORRECTDOMAIN\jziter:LCRP
    Owner: MYCORRECTDOMAIN\Domain Admins
    Group: NT AUTHORITY\SYSTEM
    
    Access list:
    {This object is protected from inheriting permissions from the parent}
    Allow MYCORRECTDOMAIN\JZiter         SPECIAL ACCESS
                                   LIST CONTENTS
                                   READ PROPERTY
    Allow MYCORRECTDOMAIN\JZiter         FULL CONTROL
    Allow MYCORRECTDOMAIN\Administrator  FULL CONTROL
    Allow BUILTIN\Administrators   SPECIAL ACCESS
                                   LIST CONTENTS
                                   READ PROPERTY
    Allow BUILTIN\Administrators   FULL CONTROL
    Allow NT AUTHORITY\SYSTEM      SPECIAL ACCESS
                                   DELETE
                                   READ PERMISSONS
                                   WRITE PERMISSIONS
                                   CHANGE OWNERSHIP
                                   CREATE CHILD
                                   DELETE CHILD
                                   LIST CONTENTS
                                   WRITE SELF
                                   WRITE PROPERTY
                                   READ PROPERTY
    
    The command completed successfully
    PS C:\Windows\system32> dsacls "CN=Deleted Objects,DC=MYCORRECTDOMAIN,DC=local" /g hrhousing\Administrator:LCRP
    Owner: MYCORRECTDOMAIN\Domain Admins
    Group: NT AUTHORITY\SYSTEM
    
    Access list:
    {This object is protected from inheriting permissions from the parent}
    Allow MYCORRECTDOMAIN\JZiter         SPECIAL ACCESS
                                   LIST CONTENTS
                                   READ PROPERTY
    Allow MYCORRECTDOMAIN\Administrator  SPECIAL ACCESS
                                   LIST CONTENTS
                                   READ PROPERTY
    Allow MYCORRECTDOMAIN\JZiter         FULL CONTROL
    Allow MYCORRECTDOMAIN\Administrator  FULL CONTROL
    Allow BUILTIN\Administrators   SPECIAL ACCESS
                                   LIST CONTENTS
                                   READ PROPERTY
    Allow BUILTIN\Administrators   FULL CONTROL
    Allow NT AUTHORITY\SYSTEM      SPECIAL ACCESS
                                   DELETE
                                   READ PERMISSONS
                                   WRITE PERMISSIONS
                                   CHANGE OWNERSHIP
                                   CREATE CHILD
                                   DELETE CHILD
                                   LIST CONTENTS
                                   WRITE SELF
                                   WRITE PROPERTY
                                   READ PROPERTY
    

    does anybody have a word from the wise ?

    Thursday, May 2, 2013 6:14 PM

All replies

  • I suppose you've seen this since you seem to be performing the recommended action:

    http://technet.microsoft.com/en-us/library/bb676691(v=exchg.80).aspx

    Have you run this command to verify that the account you are using is a member of the Enterprise Admins group?

    whoami /groups

    ???

    That's what I would try (not knowing for sure if you have already).


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Thursday, May 2, 2013 9:23 PM
  • Yup I have the keys to the kingdom, I am a member of Domain Schema & Enterprise Admin
    Thursday, May 2, 2013 9:31 PM
  • Well... one more thing that has messed me up when running DCDIAG on a Windows 2008 / R2 domain controller: when you opened the command prompt, did you select "Run As Admin" (with right click on icon)? That's the only other thing I can think of off the top of my head.

    I have a working E2K7 SP3 that I just ran those commands on a couple days ago. I cannot access it immediately but I'll see if I can't get a "good" dsacls output for comparison later on. If someone else or yourself solves the problem in the meantime, well, so much the better.


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Thursday, May 2, 2013 9:49 PM
  • I ran as admin, would it be helpful to post the dcdiag / netdiag ? Thanks for your help Le Pivert
    Thursday, May 2, 2013 10:29 PM
  • Hello,

    Is there any AD replication issues? Any child-domains?

    Thanks,


    Simon Wu
    TechNet Community Support

    Monday, May 6, 2013 4:35 PM
    Moderator
  • no child domains , when I run repadmin /showreps everything was successful but interestingly enough while looking through the logs 

    Warning
    NTFRS
    EVENT ID: 13508
    
    The File Replication Service is having trouble enabling replication from UNRELATED_DC to 03EXCHANGESERVER for c:\windows\sysvol\domain using the DNS name UNRELATED_DC.MYCORRECTDOMAIN.local. FRS will keep retrying. 
     Following are some of the reasons you would see this warning. 

    and then promptly after

    Information
    EventID 13516
    
    The File Replication Service is no longer preventing the computer EXCHANGE03SERVER from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.

    OF NOTE - recently did a P2V conversion due to old hardware and I was getting srv 2011 errors changed irpstack value in registry and that seemed to fix file share issues.

    I tired to do the setup /preparead before the P2V conversion with the same results. 

     
    Monday, May 6, 2013 5:13 PM
  • Sure, you can post the DCDIAG and NETDIAG (netdiag if you still have a W2K3 DC in the mix).

    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.


    Tuesday, May 7, 2013 10:15 AM
  • Netcard queries test . . . . . . . : Passed
    
    Per interface results:
    
        Adapter : Local Area Connection
    
            Netcard queries test . . . : Passed
    
            Host Name. . . . . . . . . : 03EXCHANGESERVER.MYCORRECTDOMAIN.local
            IP Address . . . . . . . . : 192.168.34.4
            Subnet Mask. . . . . . . . : 255.255.255.0
            Default Gateway. . . . . . : 192.168.34.1
            Dns Servers. . . . . . . . : 192.168.34.4
                                         192.168.34.3
    
    
            AutoConfiguration results. . . . . . : Passed
    
            Default gateway test . . . : Passed
    
            NetBT name test. . . . . . : Passed
            [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenge
    r Service', <20> 'WINS' names is missing.
    
            WINS service test. . . . . : Skipped
                There are no WINS servers configured for this interface.
    
    
    Global results:
    
    
    Domain membership test . . . . . . : Passed
    
    
    NetBT transports test. . . . . . . : Passed
        List of NetBt transports currently configured:
            NetBT_Tcpip_{31A4CC5A-DC49-47CE-8DBD-156C28FA2DA4}
        1 NetBt transport currently configured.
    
    
    Autonet address test . . . . . . . : Passed
    
    
    IP loopback ping test. . . . . . . : Passed
    
    
    Default gateway test . . . . . . . : Passed
    
    
    NetBT name test. . . . . . . . . . : Passed
        [WARNING] You don't have a single interface with the <00> 'WorkStation Servi
    ce', <03> 'Messenger Service', <20> 'WINS' names defined.
    
    
    Winsock test . . . . . . . . . . . : Passed
    
    
    DNS test . . . . . . . . . . . . . : Passed
        PASS - All the DNS entries for DC are registered on DNS server '192.168.34.4
    ' and other DCs also have some of the names registered.
        PASS - All the DNS entries for DC are registered on DNS server '192.168.34.3
    ' and other DCs also have some of the names registered.
    
    
    Redir and Browser test . . . . . . : Passed
        List of NetBt transports currently bound to the Redir
            NetBT_Tcpip_{31A4CC5A-DC49-47CE-8DBD-156C28FA2DA4}
        The redir is bound to 1 NetBt transport.
    
        List of NetBt transports currently bound to the browser
            NetBT_Tcpip_{31A4CC5A-DC49-47CE-8DBD-156C28FA2DA4}
        The browser is bound to 1 NetBt transport.
    
    
    DC discovery test. . . . . . . . . : Passed
    
    
    DC list test . . . . . . . . . . . : Passed
    
    
    Trust relationship test. . . . . . : Skipped
    
    
    Kerberos test. . . . . . . . . . . : Passed
    
    
    LDAP test. . . . . . . . . . . . . : Passed
    
    
    Bindings test. . . . . . . . . . . : Passed
    
    
    WAN configuration test . . . . . . : Skipped
        No active remote access connections.
    
    
    Modem diagnostics test . . . . . . : Passed
    
    IP Security test . . . . . . . . . : Skipped
    
        Note: run "netsh ipsec dynamic show /?" for more detailed information
    
    
    The command completed successfully

    DCDIAG only noticable thing was

     Starting test: frssysvol
        ......................... HREX passed test frssysvol

    Starting test: frsevent There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.



    • Edited by JKZfixme Wednesday, May 8, 2013 6:19 PM
    Wednesday, May 8, 2013 6:14 PM
  • OK, here is, with some delay, the DSACLS output I said I would post from that one server.

    This is from a practice network - although that should not influence the results:

    *****

    C:\Windows\System32>dsacls "CN=Deleted Objects,DC=mylan,DC=lan"
    Owner: MYLAN\admin
    Group: NT AUTHORITY\SYSTEM

    Access list:
    {This object is protected from inheriting permissions from the parent}
    Allow MYLAN\Exchange Servers  SPECIAL ACCESS
                                  LIST CONTENTS
    Allow BUILTIN\Administrators  SPECIAL ACCESS
                                  LIST CONTENTS
                                  READ PROPERTY
    Allow NT AUTHORITY\SYSTEM     SPECIAL ACCESS
                                  DELETE
                                  READ PERMISSONS
                                  WRITE PERMISSIONS
                                  CHANGE OWNERSHIP
                                  CREATE CHILD
                                  DELETE CHILD
                                  LIST CONTENTS
                                  WRITE SELF
                                  WRITE PROPERTY
                                  READ PROPERTY

    Permissions inherited to subobjects are:
    Inherited to all subobjects
    Allow MYLAN\Exchange Servers  SPECIAL ACCESS
                                  LIST CONTENTS

    ****

    Note: I did not have to take permission of anything and the ensuing E2K10 install succeeded without any other special adjustments.


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Thursday, May 9, 2013 10:57 AM
  • NETDIAG output looks ok and any possible SYSVOL replication problems might affect Group Policy operations but (probably) not Exchange since Exchange data is not stored in SYSVOL folders.

    I cannot imagine even an indirect effect but that could be due to the limits of my imagination :)

    Not sure where to go from here... ???

    Although... comparing my DSACLS outout and yours, just at first glance, I notice that in your output the Exchange servers do not have access to the object in question.


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Thursday, May 9, 2013 11:06 AM
  • Bump ... anybody have any other thoughts ? I have been dealing with microsoft tech support for over a month. An hour or two at a pop 3-4 days a week for the last month. They excel ( lol get it ? ) at doing the same thing over and over again  ..... so far no sucess.

    before even calling them I ...

    transfered FSMO roles to a newly created DC

    added and deleted a user

    created a new user with appropriate permissions and tried via that user account

    does anybody know if there is a higher level of support ? They just keep passing me from the AD team to the Exchange team, do the same things and pass onto the next person on the other team who does the same things.

    Thursday, June 13, 2013 10:11 PM