7 Steps to a Clean Slate
DomainPrep exposed a well-hidden Active Directory mess from a previous, failed Exchange migration. A call to PSS took care of the problem.
- By Bill Boswell
We're having a problem running DomainPrep for Exchange Server 2003. ForestPrep ran perfectly the first time; however, DomainPrep continues to fail with the error "Object doesn't exist". If you can help, I can forward the Exchange Server Setup Progress log so you can see the exact problem.
I know that the previous enterprise administrator made a number of changes to Active Directory, including moving many groups from the Users container and renaming both the Enterprise and Domain Administrator accounts. From what little I've found on the Web concerning this problem, the fact he moved users and groups could very well be causing the error.
We've tried moving the users and groups that we're aware of, back into the Users container, but that doesn't seem to solve the problem.
We're running the DomainPrep on the PDC Emulator with Enterprise Administrator privileges.
Any light you might be able to shed on this problem would be greatly appreciated.
|Get Help from Bill
Got a Windows or Exchange question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to Bill at mailto:[email protected]; the best questions get answered in this column.
When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message but submit the requested information for verification purposes.)
Readers: Just for some quick background, ForestPrep and DomainPrep are two preliminary stages in the deployment of Exchange. They are both part of the main Setup program. Exchange 2003 ForestPrep installs a placeholder organization in the Configuration naming context and populates the organization with objects in preparation for installing the first Exchange 2003 server. DomainPrep creates special system groups in the Domain naming context along with a new container for holding objects that represent mail-enabled public folders and Exchange system accounts.
Mark put his finger on the most likely culprit for the "object not found" error when running DomainPrep. There are three critical Exchange groups that must reside in the Users container and cannot be moved:
- Exchange Enterprise Servers
- Exchange Server domain Enterprise Servers
- Exchange Services
Unfortunately, when Mark moved these objects back where they belonged, that did not resolve the problem. At that point, we did a little more digging.
It turned out that a previous attempt had been made to install Exchange 2000. Although there were no Exchange servers in the organization, there was an Exchange 2000 Active Directory Connector.
We did some browsing in Active Directory. Although the ADC was present in the Sites and Services console, it turned out that many of the objects that you'd expect to find in Active Directory Users and Computers under the Microsoft Exchange System Accounts container were missing. Mark speculated that a previous administrator might have removed these following the failed attempt to install Exchange.
I pointed out KB article 273478, "How to completely remove Exchange 2000 or Exchange 2003 from Active Directory," and suggested that Mark remove the existing ADC and use the advice in the KB article to get back to a clean slate, then try ForestPrep and DomainPrep again.
Mark decided — wisely, as it turned out — to call Product Support Services before doing any more surgery to Active Directory.
They discovered that the previous administrator had actually removed the default Users container and put an Organizational Unit called Users in its place so that he could apply group policies to it.
Even though the container had the same name, DomainPrep failed because the Distinguished Name (DN) was different. The DN for the default Users container is cn=Users,dc=Domain,dc=Root. The typeful name for a Users OU would be ou=Users,dc=Domain,dc=Root.
Mark wrote me about what they had to do to fix the problem:
- Created a new OU and linked the Group Policy Object (GPO) that was linked to the Users OU to the new OU.
- Moved all the objects in the Users OU to the new OU.
- Used ADSIEdit and LDP, with direction from a Microsoft Technician, to modify the Users OU's attributes and rename it to Users2.
- Using ADSIEdit, created a new Users container. (Active Directory Users and Computers does not have the option for creating a plain Container object.)
- Using ADSIEdit and LDP, modified the Users Container to have the correct system attributes.
- Moved the three Exchange groups to the new Users Container.
- Ran DomainPrep. It ran successfully.
Mark also took advantage of a new feature in Windows Server 2003 and used a utility called Redirusr to redirect any new user objects created using the default container as a target into an OU, rather than putting them in the Users container. This ensures that new users get group policies the first time they log on following account creation. This is documented in KB 324949
, "Redirecting the users and computers containers in Windows Server 2003 domains." Another utility, Redircmp, redirects new computer accounts to an OU rather than the default Computers container.
Something like this might never happen to you, but the lesson is clear. If you decide to tidy up your Active Directory, stay away from the default container structure and any objects created by applications until you research thoroughly to determine if there will be repercussions.
Hope this helps!
Feather in His Cap
In last week's column, I talked about a way to populate all the mass storage device drivers in a SysPrep image to avoid a bugcheck when the image is applied to a machine with different hardware. Pat Estes wrote to tell me about a great product that is designed to handle not just mass storage drivers but all sorts of device drivers when running Sysprep:
There is a utility you should know about made by Big Bang LLC for imaging PCs. It is the greatest thing since Ghost itself! The product is called the Universal Imaging Utility and is a way to put drivers for just about every piece of hardware onto a base system before Sysprep is run. The end result is an image file that will detect 99 percent of any hardware. This even works when you take the image from a desktop and deploy to a laptop. Wow! The Holy Grail! They have a Win2K and WinXP version, and I hear they are working on a Tablet edition. The biggest catch seems to be that it does not work with SCSI drives, but since we only have IDE drives on our fleet of PCs, it is not a big deal to me..
In case you were wondering, Pat is not an employee of Big Bang LLC — he's just a satisfied customer. For his efforts and recommendation, Q&A sends Pat an MCPmag.com baseball cap. Oh, and you can find out more about Universal Imaging Utility by clicking here.
Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.