I have been very lucky recently to have worked on two very interesting problems in the MSExchange forums. I blogged about the first here; it deals with some of the more interesting features of Recovery Storage Groups and EXMERGE. In this post I wish to go through what happens when ForestPrep does not work.
Firstly I will set the scene: I came across a post in the forums here where a chap called Chris had a Windows 2000 domain with a single domain controller and a member server that he wished to install Exchange Server on.
All seemed OK until he tried to run Exchange setup with the /ForestPrep switch, which would fail with the following entry in the Exchange Setup Log:
[13:56:50] ScRunLDIFScript (f:\titanium\admin\src\libs\exsetup\exmisc.cxx:1309)
Error code 0XC007200E (8206): The directory service is busy.
Followed later on with the next entry:
Prerequisites for Microsoft Exchange Messaging and Collaboration Services failed: The component “Microsoft Exchange Forest Preparation” cannot be assigned the action “ForestPrep” because:
- Either you do not have permission to update the Active Directory schema or Active Directory service is currently too busy.
Chris freely shared this information, and at this point I thought that it was potentially one of two issues:
- Firstly, as we were working with a Windows 2000 domain (and thus a single Windows 2000 domain controller), I asked Chris if he was sure that the Windows 2000 schema had been made writable by creating the DWORD value “Schema Update Allowed” with a value of 1 under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
Chris assured me that this value had been set.
- I then asked Chris what the metrics of his domain were, for example how many users were authenticated to the single Domain Controller. At this point I was acting on the theory that perhaps his Domain Controller WAS actually busy, so I advised him to reboot the DC (out of hours of course) and this time try to run /ForestPrep directly from the Domain Controller.
Chris came back to me and let me know that he had rebooted the DC and tried to run setup directly on the DC – but was still getting the same error message in the logs.
At this point I was beginning to run out of ideas, so I returned to the part of the error message that read “Either you do not have permission…”. Chris had stated that he was using an account to run /ForestPrep that had been copied from his default domain admin account, so I asked him to post the group membership of the admin account that he was using. Chris came back to me with the following:
- Administrator
- Backup Operators
- Domain Admins
- Enterprise Admins
- Group Policy Creator owner
- Schema Admins
I looked at this list and thought perhaps being a member of the group “Backup Operators” might create a problem (perhaps having a Deny set somewhere) so I advised Chris to remove the group and try again – and guess what? – failed again – Bum.
At this point I decided to turn to my trusty friend “Google” (as I was at this point out of ideas) and the only real items that I found of any use were the following:
- http://msexchangeteam.com/archive/2004/02/11/71405.aspx, which explains that errors can occur in ForestPrep if the logged-on user’s TEMP environment variable path contains a space, or if 8.3 name conversion is disabled on the NTFS volumes.
- http://support.microsoft.com/kb/256184, which explains that ForestPrep can fail if the maxReceiveBuffer for the directory service is set below the installation default.
Again Chris reported back that none of the above had helped – big bum….
I went away, scratched my head, and thought about excusing myself from the forum for a little bit in the hope that no one would notice that I was clueless, when it hit me to ask Chris to run DCDIAG (let’s face it, I probably should have done this sooner – but hey ho). This is where things got interesting.
Chris posted back the following data:
Doing primary tests
Testing server: Default-First-Site-Name\<Chris’s DC>
Starting test: Replications
[Replications Check,<Chris’s DC>] A recent replication attempt failed:
From <Chris’s Unknown Machine> to <Chris’s DC>
Naming Context: CN=Schema,CN=Configuration,DC=<Chris’s Domain>
The replication generated an error (1722):
The RPC server is unavailable.
The failure occurred at 2007-08-06 12:01:08.
The last success occurred at 2006-12-29 13:58:00.
5302 failures have occurred since the last success.
[<Chris’s Unknown Machine>] DsBindWithSpnEx() failed with error 1722,
The RPC server is unavailable..
The source remains down. Please check the machine.
[Replications Check,<Chris’s DC>] A recent replication attempt failed:
From <Chris’s Unknown Machine> to <Chris’s DC>
Naming Context: CN=Configuration,DC=<Chris’s Domain>
The replication generated an error (1722):
The RPC server is unavailable.
The failure occurred at 2007-08-06 12:00:45.
The last success occurred at 2006-12-29 14:51:13.
5302 failures have occurred since the last success.
The source remains down. Please check the machine.
[Replications Check,<Chris’s DC>] A recent replication attempt failed:
From <Chris’s Unknown Machine> to <Chris’s DC>
Naming Context: DC=<Chris’s Domain>
The replication generated an error (1722):
The RPC server is unavailable.
The failure occurred at 2007-08-06 12:00:22.
The last success occurred at 2006-12-29 15:03:17.
5301 failures have occurred since the last success.
The source remains down. Please check the machine.
The above told me immediately that Chris had a second DC within his domain that was down and not playing a part in the domain replication process. This set alarm bells ringing in my head, so I asked Chris about it.
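As an added example (not part of the original post), the following Python parses DCDIAG Replications output of the shape shown above and lists source DCs that have been silent for longer than a threshold. The sample text, the names DC01, OLDDC and example.local, and the 60-day default threshold are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the DCDIAG output above (placeholder names).
SAMPLE = """\
[Replications Check,DC01] A recent replication attempt failed:
From OLDDC to DC01
Naming Context: CN=Schema,CN=Configuration,DC=example,DC=local
The replication generated an error (1722):
The RPC server is unavailable.
The failure occurred at 2007-08-06 12:01:08.
The last success occurred at 2006-12-29 13:58:00.
5302 failures have occurred since the last success.
[Replications Check,DC01] A recent replication attempt failed:
From OLDDC to DC01
Naming Context: DC=example,DC=local
The replication generated an error (1722):
The RPC server is unavailable.
The failure occurred at 2007-08-06 12:00:22.
The last success occurred at 2006-12-29 15:03:17.
5301 failures have occurred since the last success.
"""
BLOCK = re.compile(
    r"From (?P<src>\S+) to (?P<dst>\S+)\s+"
    r"Naming Context: (?P<nc>[^\n]+)\s+"
    r"The replication generated an error \((?P<err>\d+)\):.*?"
    r"The failure occurred at (?P<fail>[\d\- :]+)\.\s+"
    r"The last success occurred at (?P<ok>[\d\- :]+)\.\s+"
    r"(?P<count>\d+) failures", re.S)
TS = "%Y-%m-%d %H:%M:%S"

def parse_failures(text):
    """Return one dict per failed inbound replication link."""
    out = []
    for m in BLOCK.finditer(text):
        d = m.groupdict()
        gap = datetime.strptime(d["fail"], TS) - datetime.strptime(d["ok"], TS)
        out.append({"source": d["src"], "nc": d["nc"].strip(),
                    "error": int(d["err"]), "failures": int(d["count"]),
                    "days_stale": gap.days})
    return out

def stale_sources(text, max_days=60):
    """Map each source DC silent for more than max_days (assumed threshold)
    to the naming contexts it has stopped replicating."""
    stale = {}
    for f in parse_failures(text):
        if f["days_stale"] > max_days:
            stale.setdefault(f["source"], []).append(f["nc"])
    return stale
```

A source that appears in the result for every naming context, including CN=Schema, is a DC that is gone rather than briefly unreachable, and is worth checking as a possible FSMO role holder.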
Chris told me that he had recently come to the company and was primarily a Unix expert, but had been handed this domain, which he wasn’t too impressed with as things seemed to be a little strange. I now suspected that, as this was the case, perhaps Chris was unaware of the second DC or its purpose (and I now suspected that the offline DC was the Schema Master), which was causing the issue.
I asked Chris about this and he explained that this was a box that the previous admin had in place, it was a workstation and it was in a corner and turned off (plus he was unsure if it still worked).
At this point I thought that perhaps the best thing to do would be to Seize the Schema master role, so I asked Chris to perform the following on the working domain controller:
- Open a command prompt and type ntdsutil <press enter>
- At the ntdsutil command prompt type in roles <press enter>
- At the roles command prompt type in connections <press enter>
- After pressing <enter> type in connect to server <Chris’s DC> <press enter>
- Type in q <press enter>
- Then type in seize schema master <press enter>
A prompt will appear asking if this is what you want to do – say yes.
Chris reported back with the following information from the above process:
C:\WINNT\system32\ntdsutil.exe: roles
fsmo maintenance: connections
server connections: connect to server <Chris’s DC>
Binding to <Chris’s DC> …
Connected to <Chris’s DC> using credentials of locally logged on user
server connections: q
fsmo maintenance: seize schema master
Attempting safe transfer of schema FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-032101FA, problem 5002 (UNAVAILABLE), data 8438
Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of schema FSMO failed, proceeding with seizure …
Server “<Chris’s DC>” knows about 5 roles
Schema – CN=NTDS Settings,CN=<Chris’s DC>,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=<Chris’s Domain>
Domain – CN=NTDS Settings,CN=<Chris’s DC>,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=<Chris’s Domain>
PDC – CN=NTDS Settings,CN=<Chris’s DC>,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=<Chris’s Domain>
RID – CN=NTDS Settings,CN=<Chris’s DC>,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=<Chris’s Domain>
Infrastructure – CN=NTDS Settings,CN=<Chris’s DC>,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=<Chris’s Domain>
fsmo maintenance:
The above (the part that says “The current FSMO holder could not be contacted”) told me that my theory about the Schema Master was correct, and that the role was now on Chris’s live and working domain controller.
I asked Chris to wait about 20 minutes and then try Exchange setup again, which Chris did, and he posted back saying…… it failed.
For the love of god, how hard can it be to run ForestPrep! But I suspected that we were close to the final solution, so I took five and had a think, then remembered the replication problems that “DCDIAG” had reported. This made me think that perhaps there was a replication entry for the defunct Domain Controller in Active Directory Sites and Services, so I asked Chris to check, and sure enough an entry was present.
I asked Chris to delete the entry, now sensing that we had cracked it and I could have a beer, but when Chris tried to remove the entry he received the following error: “The DSA object cannot be deleted” – for the love of Mary I thought!
Having seen this problem before, I referred Chris to the following KB article (basically it’s a brute force kill of the DC): http://support.microsoft.com/kb/216498
Which he followed.
After a good night’s sleep (for both of us) Chris returned in the morning and ran setup.exe /ForestPrep and it ran without a hitch – yeee-haaa.
Now, there are many reasons why ForestPrep might not run, however I have learned some great lessons from this and they are:
- Use DCDIAG sooner rather than later
- Understand that perhaps it’s not what people are telling you that’s important, but what they are not.
Don’t get me wrong, Chris was fabulous to work with, but perhaps I should have asked more questions like “are you sure”.
Chris and I hope that this helps someone along the way.

Andy,
one word, YOU ARE THE BEST.
Oh, this isn’t one word…
By: Khal on December 9, 2007
at 3:02 am
Andy,
Johnny on the spot! I’ve been fighting this problem for … I can’t remember how long. GREAT WORK!
Now, while I’ve still got some hair left, I think I’ll have that beer!
Cheers,
Andy
By: Andy on March 10, 2008
at 12:33 am
Thanks! This took me a very long time to fix.
By: Geert on March 30, 2009
at 9:43 am