Troubleshooting Active Directory issues

[CYaBro]

We feel your pain. A helluva responsibility on a live system.

Hopefully, something will go your way.

Yea agree here, can you get a full backup image to take away and mount in a VM or something to play with and see if you can get it fixed?

[chiefnz]

They have no spare infrastructure, it's an overseas government department with very little funding. Took me 5 weeks to convince them to buy 3 more servers.

I may just blow the second DC away I just built and install Hyper-V on there and try to get a backup copy of the current DC restored to a VM.

Whilst doing everything from scratch will be a lot of effort at least I know it will be done properly, to be honest anything would be better than the bowl of noodle soup they have now.

I will continue to troubleshoot on the VM once I have the backup restored.

Cheers,

[chiefnz]

I have found that the Exchange server is a member of the "Domain Controllers" group?

Not sure if this is meant to be here as the Exchange server doesn't have the AD role installed. Is this normal?

I tried to remove it from the "Domain Controllers" group but this returned a message saying that this is the server's "Primary Group" and that I have to select a new Primary Group before I can remove it.

We are running Exchange 2013.

Can any AD or Exchange gurus provide some advice on this?

Thanks,

[Alex B]

Before you go any further make sure you have good backups, use Windows Backup to backup AD system state at least.

Consider opening a support case with MS. I think the cost is about $500, but that can work out cheap with AD issues like you're looking at, they are rarely straightforward to resolve.

I would raise the domain/forest functional level to at least 2008 R2. There hasn't been any improvements since that level, so no real point going past it that I'm aware of.

You may also want to upgrade from FRS to DFSR Replication: https://blogs.technet.microsoft.com/...-sysvol/#quick

As for the Exchange Box being in Domain Controllers. IIRC if a DC is properly demoted, it is automatically removed from the Domain Controllers OU.

How are the logs looking in event viewer? Especially around AD and DNS. AD is very dependent on DNS being healthy.

When you changed to a new DC, did you update DHCP to point the endpoints to the new DC for DNS?

[chiefnz]

Sorry for the delay.

I've been through the logs and here is what I've found... which isn't much really as you will see from the log entry types:

For the DNS, Directory Services and DHCP Server logs:

They all have entries similar to this; they only vary in number, most of them occur in the Directory services log and i'm pretty sure that's because there is only one domain controller, from what I can tell there are many errors relating to AD replication etc. which is to be expected.

The description for Event ID xxxx from source xxxx cannot be found. Either the component that raises this event is not installed
on your local computer or the installation.

The System log is flooded with the following error:

No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the
system default credentials from accepting SSL.

I've had to stop working on the client's system for now as they have run out of funding.

I do have copies of the log files so could potentially answer a few queries if any arise from this post.

Cheers,