
Unable to Raise Domain Functional Level - NTDS-DSA object error


GeorgeTuk

IS-IT--Management
Jan 11, 2009
110
GB
Good evening all,

I need to install Exchange 2007 and have to raise the domain from Windows 2000 mixed to at least Windows 2000 native. Since I inherited this domain there are quite messy things I have found, so this could be one.

Anyway when I try to Raise The Domain Functional Level I immediately get the error below:

"The NTDS-DSA object:
'CN=NTDS Settings, CN=LEWISHAM-SRV, CN=Servers, CN=Lewisham, CN=Sites, CN=Configuration, DC=enara, DC=co, DC=UK' is not properly configured and is preventing the forest functional level from being raised. It refers to the object '<unknown>', if this domain controller is off-line then bringing it back on-line may cause replication that will repair the configuration. Otherwise delete this object using the ADSI Edit MMC Snapin or a similar tool."

So where do I start, is it Lewisham-Srv causing the error or is it that <unknown>? I know there has been a DC server removed from the domain shortly before I started; could it be that causing the issue? If so, how do I sort this?

Thanks again for any help.

George

 
If that was a DC and that server no longer exists, you will need to do a Metadata Cleanup of that server. Also, check to see if it still lingers in your Sites and Services for that site and if so, delete it.

_______________________________________
Great knowledge can be obtained by mastering the Google algorithm.
 
Okay, I am not an Exchange expert, but since when can you add an Exchange 2K7 server into a Win2K domain? You need to be at least at Windows 2003 before you can do so.
 
LOL, I didn't even notice the 2000...I assumed 2K3

Good catch itsp1965


 
The domain needs to be at 2000 native level for Exchange 2007. You do however need the schema master to be running 2003 sp1 and a gc in each that holds an exchange also needs to be 2003 sp1.

Tecymcse2k is right, you need to do a metadata cleanup to get rid of that server

Clean up server metadata


Paul
MCTS: Exchange 2007, Configuration
MCSA:2003
MCSE:2003
MCITP:Enterprise Administrator

If there are no stupid questions, then what kind of questions do stupid people ask? Do they get smart just in time to ask questions?
Scott Adams
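A read-only way to see which domain controller entries are still recorded under Sites before doing the metadata cleanup recommended in this thread. This is an added example, not code from any poster; it assumes PowerShell 2.0 or later on a domain-joined machine and uses only the standard `serverReference` attribute and .NET `System.DirectoryServices` classes.

```powershell
# Added example: read-only inventory of server objects under CN=Sites.
# Nothing is modified; run as a domain user on a domain-joined machine.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = [string]$rootDse.configurationNamingContext

$sites    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=Sites,$configNC")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($sites)
$searcher.Filter   = "(objectClass=server)"
$searcher.PageSize = 500
foreach ($attr in "distinguishedName", "dNSHostName", "serverReference") {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$report = foreach ($result in $searcher.FindAll()) {
    $props    = $result.Properties
    $serverDn = [string]$props["distinguishedname"][0]
    $hostName = ""
    $account  = ""
    if ($props.Contains("dnshostname"))     { $hostName = [string]$props["dnshostname"][0] }
    if ($props.Contains("serverreference")) { $account  = [string]$props["serverreference"][0] }

    # A DC entry has an NTDS Settings child object; serverReference on the
    # server object points at the DC's computer account in the domain.
    $hasNtds    = [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://CN=NTDS Settings,$serverDn")
    $hasAccount = $false
    if ($account) {
        $hasAccount = [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$account")
    }

    if ($hasNtds -and $hasAccount) {
        $status = "DC entry, computer account present"
    } elseif ($hasNtds) {
        $status = "DC entry, NO computer account: review for metadata cleanup"
    } else {
        $status = "no NTDS Settings child"
    }

    New-Object PSObject -Property @{
        Server = $serverDn; DnsHostName = $hostName
        ComputerAccount = $account; Status = $status
    }
}

$report | Sort-Object Status, Server |
    Format-List Server, DnsHostName, ComputerAccount, Status
```

Entries flagged for review are candidates to check by hand against the servers that physically exist, not proof that an entry is safe to delete.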
 
and a dc in each site that has an exchange server also needs to be 2003 sp1

That was what I was supposed to say first time.

Paul
 
aghhhhhhhhhh. I'll try again.

And a DC in each site that has an exchange server also needs to be a gc and be running 2003 sp1.

Paul
 
Well I will only have one Exchange server in a hosted environment and there is a Windows 2003 DC at that level so we should be ok, am I right?

And any ideas on how to start with a metadata cleanup, never had to do that before?!
 
As long as the 2003 DC has at least SP1 on it and that you have the domain functional level at 2000 native then yes you are ok.

Yeah, follow the link I provided.

Or this one;


or this one


or this one


or this screencast on how to do it



Ensure you have a good backup of your server and AD before you do it. If you are unsure on any aspect of the procedure then please ask before attempting it.

Paul
 
Right, there is no other server listed in the metadata server list other than the current domain controller.

However I have other domain controllers and sites in the domain that no longer exist (like I say not my doing!), should I try and find those and clear them out? How would be the best way of doing this?

Also since it mentions specifically <unknown>, is there any way of finding and deleting the object?
 
Do you mean you have other domain controllers listed in AD sites and services that are not physically part of your environment any more? How about domain controllers listed in the domain controllers container in ADUC? Just the one you actually have or are there others in there as well?

Paul
 
There are former DCs in the domain that are no longer connected, one is still physically available and can be demoted the others were apparently formatted and used for something else.

 
So you currently have 1 domain controller that physically exists but others showing up in AD sites and services and in ADUC? Is that right?

If so then first of all check that your existing DC holds all the FSMO roles, from a command prompt
netdom query fsmo

This will list the fsmo roles and what server currently holds them, hopefully your existing DC will hold all the roles but please check.

Ensure you have a backup (I'd actually have 2 backups) and then remove the superfluous DCs from sites and services and ADUC, leaving only the DC that you actually have.

Paul
 
Sorry, misread your question, we have 1 DC in each office but we have domain controllers in AD that no longer exist where the office has been closed and server disposed of.

I guess your points still apply though, capture the FSMO roles and then delete old DCs from ADUC and ADS&S?

Thanks
 
Yep. I'll say again to take a backup first :) and then delete the non existent DCs from ADUC and sites and services. Then I'd leave it a day or so, use dcdiag and netdiag and check any errors then raise your functional level.

Paul
 
When using Replication Monitor from the Windows 2000 Support Tools, a lot of the replication servers in the CN=configuration panel have red crosses against them.

When I try to force it to sync I get the message ERROR_REPLICA_SYNC_FAILED_ACCESS IS DENIED

When I try to get more info, through checking the USN the supplied credentials don't work with the message "....the credentials could not be located"

Also there are 2563 failed attempts to synchronise.

Any ideas where to go next?
 
Seriously, follow pagy's links to "metadata" cleanup your environment.
