Help! Applying Computer Settings after domain controller demotion

  • Question

  • I have 2 Exchange servers.  I demoted my oldest DC.  Both Exchange servers' DNS was already changed to point to the remaining two active servers.  Both Exchange servers were rebooted and hung at "Applying Computer Settings".  I did some quick research and rebooted into safe mode and found Exchange was hanging the boot of the machines.  I set all Exchange services to manual and the machines booted up just fine.  I see errors that Exchange services can't find the domain, but the server can just fine.

    I went into the Exchange console and set the domain and server for the organization to one of my new DCs, but that didn't help.  Finally on one Exchange server, it's a hub transport/mailbox, I did a registry search and found an entry for "GlobalCatalogServer" hard coded to the old DC.  I changed that to a new DC and then all of the Exchange services fired right up.


    On my other exch server however, which is only a mailbox server, I can't find any hard coded DC settings.  So I can't replicate my success!  Help!

    Friday, May 6, 2011 5:59 PM

All replies

  • I fixed it by adding this server item in AD to the domain admins group.  I don't think that's the best solution but it worked.
    Friday, May 6, 2011 6:13 PM
  • Did you go through DNS and clean out any stale SRV records for the decomm'd DC?
    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    Friday, May 6, 2011 6:33 PM
  • I assumed that running dcpromo and demoting the DC would do all of that for me.  Still, I just went and checked all of DNS and that DC is already gone.  I checked in multiple places.  Also, I DID do a syncall after demoting the DC.  Strange thing though, I still see a computer account in AD for the machine itself, but when I click on it to delete it I get a message that the object does not exist.


    We have a 3rd Exchange server for OWA and it had the same problems.  I used the same solution and it's working.  I think the problem is that the MS Exchange AD Topology service didn't have permissions anymore to talk to the domain until I added the computer account to the domain admins group.  I'm sure that's not the perfect solution.

    This doesn't make sense though.  I demoted 1 DC and this all happened, so there must be some configuration that locked the Exchange environment to that one DC, and on that DC they had permissions to do what they needed.  The DC is blown away now and almost rebuilt as 2008 (in the process of upgrading the domain) so I guess all is good for now.  I would like to take those Exchange servers out of the domain admins group though when I can find the right solution.

    I'm still at a loss.


    Friday, May 6, 2011 6:51 PM
  • Yeah I've seen that issue before where object is there but can't delete saying doesn't exist. I think I ended up deleting the directory object using adsiedit. Maybe you're also running into some AD replication issues which could explain the behavior of the orphaned object and Exchange still thinking the old DC exists.

    Try deleting the object using adsiedit.

    Also run dcdiag on your dc's to see if there are any replication issues going.

    Also on the Exchange server open regedit and do a find for your old DC see if anything comes up.


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    Friday, May 6, 2011 6:56 PM
  • Yeah, I actually did all of those things you mentioned.  Dcdiag shows no problems.  Replication is successful.  I think it's the way my predecessors set up this environment originally.
    Friday, May 6, 2011 6:57 PM
  • The applying computer settings doesn't really have anything to do with Exchange yet. It's an issue way before Exchange even gets involved. The fact that you say it works when you added it to the domain admins makes me believe that you have a GPO that can't be applied due to permission issue, some service\process can't start due to permission.

    Try some of the suggestions here. I would start with disabling all the services at startup using msconfig first and see if you can isolate it to a certain process. If that fails you need to enable userenv logging and compare the log when it fails with the log when it succeeds after you add it back into the domain admins. See if it's failing on a certain GPO.


    Help! I’m stuck at “Applying Computer Settings” …

    http://blogs.technet.com/b/askperf/archive/2008/10/14/help-i-m-stuck-at-applying-computer-settings.aspx


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    Friday, May 6, 2011 7:21 PM
  • Well, I rebooted to safe mode, then set all the Exchange services to manual, then rebooted and it booted fine.  I then tried to manually start them one at a time and I got errors.


    Process MSEXCHANGEADTOPOLOGY (PID=2060). When updating security for a remote procedure call (RPC) access for the Exchange Active Directory Topology service, Exchange could not retrieve the security descriptor for Exchange server object NCSBCS2 - Error code=80040a01.

    The Exchange Active Directory Topology service will continue with limited permissions.


    and


    Unable to initialize the Microsoft Exchange Information Store service. - Error 0x96f.


    When I googled those errors, that's when I found someone who put the Exchange servers in their domain admins group to fix it.


    Friday, May 6, 2011 7:37 PM
  • What version of Exchange are you running? Maybe your Exchange servers are no longer in all the default Exchange servers security groups.

    Exchange 2007 Server

    Exchange install domain servers

    Exchange servers


    Or worse, the default permissions of your Exchange partition got mucked with. Open adsiedit, configuration partition, Services, Microsoft Exchange. Right click Microsoft Exchange, Properties, Security tab, and see if Exchange Servers is listed in there.

    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    Friday, May 6, 2011 8:01 PM
  • It's 2007.  I checked the Exchange Servers and Exchange Install Domain Servers groups, and they are there.  I don't see an Exchange 2007 Server security group.


    I do have these though.

    Exchange view-only administrators

    Exchange Trusted Subsystem

    Exchange Services

    Exchange Recipient Administrators

    Exchange Public Folder Administrators

    Exchange Organization Administrators

    ExchangeLegacyInterop

    Exchange Enterprise Servers


    Interestingly, only 1 of my servers is in the Exchange Domain Servers group.  Same with Interop, same with Enterprise Servers.

    Friday, May 6, 2011 8:49 PM
  • So you don't have an "Exchange Servers" security group? If so, that is a problem and you will have to re-run PrepareAD to recreate those groups and fix the memberships. It will also fix any permissions that have deviated from the default on the Exchange org partition. Don't worry about the Exchange Domain Servers group or Interop; those are legacy groups from 2003.


    How to Prepare Active Directory and Domains
    http://technet.microsoft.com/en-us/library/bb125224(EXCHG.80).aspx


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    Friday, May 6, 2011 9:38 PM
  • "It's 2007.  I checked the Exchange Servers, Exchange Install Domain servers, and they are there."
    Friday, May 6, 2011 11:03 PM
  • Hi Statistic,

    Please run the ExBPA to do a health check.

    And it's worth trying to prepare AD again.

    How to Prepare Active Directory and Domains

    Tuesday, May 10, 2011 3:24 AM
  • Make sure that you have Global Catalog servers available and don't hardcode the server to use specific DCs or GCs.

    lasse at humandata dot se, http://anewmessagehasarrived.blogspot.com
    Tuesday, May 10, 2011 11:27 AM
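    An added PowerShell audit (example code, not from this thread or any of its posters) that checks the three things raised above: static DC/GC settings on each server object, registry values under the Exchange key that still name the old DC, and membership of the "Exchange Servers" group that PrepareAD creates. It assumes the Exchange 2007 Management Shell on a domain-joined server and uses OLDDC01 as a constructed placeholder for the demoted DC's hostname.

```powershell
# Added audit script (not from the thread). Run in the Exchange Management
# Shell on Exchange 2007; needs read access to AD and the local registry.
# $OldDc is a constructed placeholder for the demoted DC's hostname.
$OldDc = 'OLDDC01'

# 1. Static DC/GC entries on each server object. These are written with
#    Set-ExchangeServer -StaticDomainControllers / -StaticGlobalCatalogs /
#    -StaticConfigDomainController and pin the server to named DCs; an empty
#    list means the AD Topology service discovers DCs/GCs dynamically.
Write-Host "== Static DC/GC settings =="
Get-ExchangeServer | Select-Object Name, StaticDomainControllers,
    StaticGlobalCatalogs, StaticConfigDomainController,
    StaticExcludedDomainControllers | Format-List

# 2. Registry values under the Exchange key that still name the old DC
#    (the thread found one called GlobalCatalogServer by searching regedit).
Write-Host "== Registry values referencing $OldDc =="
$root = 'HKLM:\SOFTWARE\Microsoft\Exchange'
$keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
foreach ($key in $keys) {
    foreach ($valueName in $key.GetValueNames()) {
        $data = [string]$key.GetValue($valueName)   # multi-strings are joined
        if ($data -match [regex]::Escape($OldDc)) {
            "{0}\{1} = {2}" -f $key.Name, $valueName, $data
        }
    }
}

# 3. Confirm every Exchange server's computer account is a member of the
#    "Exchange Servers" group created by Setup /PrepareAD; a missing
#    membership matches the limited-permissions symptom discussed above.
Write-Host "== Exchange Servers group membership =="
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = '(&(objectCategory=group)(cn=Exchange Servers))'
$group = $searcher.FindOne()
if ($group -eq $null) {
    Write-Warning "Group 'Exchange Servers' not found; re-run Setup /PrepareAD."
} else {
    $members = @($group.Properties['member'])          # member DNs
    foreach ($server in Get-ExchangeServer) {
        $searcher.Filter = "(&(objectCategory=computer)(cn=$($server.Name)))"
        $computer = $searcher.FindOne()
        $dn = if ($computer) { [string]$computer.Properties['distinguishedname'][0] } else { $null }
        $isMember = $dn -and ($members -contains $dn)
        "{0,-20} member={1}" -f $server.Name, $isMember
    }
}
```

    The script only reads; fixing a hard-coded entry is done with Set-ExchangeServer (clearing the static lists) or by editing the offending registry value, and a missing group is recreated by re-running PrepareAD as the thread suggests.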
  • Which exbpa type would you like me to perform?

    Thursday, May 12, 2011 1:35 AM
  • I ran the full exbpa

    1 Critical warning "Database backup" for one of my servers. We use a service though to do real time backups of all servers every night.

    all 3 servers had warning about nic drivers and storage drivers being old (not really too concerned about that)

    1 warning about a self signed certificate

    2 warnings about page file size not being physical memory plus 10 mb, but it's set to = the physical memory, so not worried there.

    Then about 10 informational ranging from storage quota suggestions to Outlook connection range to checkpoint file replacement.

    I went through the exbpa and fixed all of the higher end problems about 2 months ago.

    Thursday, May 12, 2011 1:44 AM