Prepare Active Directory for Exchange 2007

To prepare Active Directory for Exchange 2007, perform the following actions:

On the Schema master, using an account with appropriate privileges, navigate to the root of the installation media and run the following from the command prompt:

setup /pl

The command above prepares the legacy permissions. Next run:

setup /ps

This prepares the AD Schema. Next run the following command, where ORGANIZATION_NAME is the name of your Exchange Organization:

setup /PrepareAD /organizationName:ORGANIZATION_NAME

This creates the necessary OUs and security groups for Exchange. Then run:

setup /pd

This prepares the local domain for Exchange.

References:

http://technet.microsoft.com/en-us/library/bb125224(v=exchg.80).aspx

NtFrs Event ID 13555 and 13552 The file replication Service is in an error state

I discovered an issue at a client site the other day where event IDs 13555 and 13552 with a source of NtFrs were present in the event log of a Windows Server 2003 Domain Controller. The relevant error messages were as follows:

‘The File Replication Service is in an error state. Files will not replicate to or from one or all of the replica sets on this computer until the following recovery steps are performed’

The File Replication Service is unable to add this computer to the following replica set:

“DOMAIN SYSTEM VOLUME (SYSVOL SHARE)”

In this case the network had a single DC. It appeared from the errors that the SYSVOL share was in an inconsistent state. This error had obviously first occurred some time before and as a result there were no system state backups from when the SYSVOL share was in a consistent state.

To fix the error I had to set the Burflags option to D4 under the following registry key to force the DC into thinking an authoritative restore had been performed:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\GUID_OF_YOUR_REPLICA_SET\Burflags

After setting this and restarting the server, the errors disappeared.

In a multi Domain Controller network, much more care needs to be taken. On the plus side, in this case you will normally have a good copy of SYSVOL on a different DC. Detailed information on how to recover from this error in a multi Domain Controller network can be found in the references below, but the basic premise is this:

  • Stop NtFrs on all servers
  • Set Burflags to D4 in the registry of a Domain Controller with a known good copy of SYSVOL and start NtFrs
  • Set Burflags to D2 on the remaining Domain Controllers and start NtFrs

Exercise extreme caution if using the advice above. It is not a substitute for restoring from a good system state backup if you have one, and more of a last resort. In any event refer to the Microsoft documentation for much more detailed instructions.
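
The per-server part of the steps above as a command prompt script (an added example, not from the original post or from Microsoft's documentation). The script name and its two arguments are assumptions made for this example; Burflags is written as a REG_DWORD with hex value D2 or D4 under the key given earlier.

```bat
@echo off
rem Added example: sets Burflags for one replica set on THIS Domain Controller.
rem Usage: set-burflags.cmd D2^|D4 REPLICA_SET_GUID
rem The script name and argument layout are assumptions, not from the post.
setlocal

set "MODE=%~1"
set "GUID=%~2"
if /i not "%MODE%"=="D2" if /i not "%MODE%"=="D4" goto usage
if "%GUID%"=="" goto usage

set "KEY=HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\%GUID%"
set "BACKUP=%TEMP%\ntfrs-replica-set-%RANDOM%.reg"

rem Refuse to continue if the replica set key is not present on this DC.
reg query "%KEY%" >nul 2>&1
if errorlevel 1 (
    echo Replica set key not found: %KEY%
    exit /b 1
)

rem Keep a copy of the key as it was before the change.
reg export "%KEY%" "%BACKUP%"
if errorlevel 1 (
    echo Could not export the key, nothing was changed.
    exit /b 1
)

rem The steps above stop NtFrs before Burflags is set.
rem An error here only means the service was already stopped.
net stop ntfrs

reg add "%KEY%" /v Burflags /t REG_DWORD /d 0x%MODE% /f
if errorlevel 1 (
    echo Failed to set Burflags. NtFrs is left stopped so you can investigate.
    exit /b 1
)

rem In a multi DC domain, run this with D4 on the known good DC first,
rem and only then with D2 on each remaining DC.
net start ntfrs
reg query "%KEY%" /v Burflags
exit /b 0

:usage
echo Usage: %~nx0 D2^|D4 REPLICA_SET_GUID
exit /b 2
```

The exported .reg file in %TEMP% holds the key as it was before the change.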

References:

How to rebuild the SYSVOL tree and its content in a domain

Burflags Query

Using DNSlint to verify the integrity of DNS records used for Active Directory Replication

DNSlint is a Microsoft Support tool that can be used to inspect the integrity of your domain’s DNS records. This can be useful if you are having problems with Active Directory replication, or if you want to check the integrity of your DNS records after removing a failed Domain Controller, for example.

To check the DNS records used for AD replication in your domain, install DNSlint and run the following command:

dnslint /ad /s IP_ADDRESS

Where IP_ADDRESS is the IP address of one of the DNS servers in your domain.

References:

DNSlint Utility