March 26th, 2007


Previous Entry Next Entry
jimbojones
11:54 am - It's easy because it's Windows! ...not
The common perception is that Windows is much easier and simpler to use and maintain than Unix-like operating systems. After all, it's got that nice GUI to maneuver, and Microsoft makes it, so it's gotta be simple, right...?

You might think that. At least, you might think that if you'd never needed to muck around with Active Directory and its astonishingly byzantine, godawful Secrets Of The Hidden Masters style of maintenance. If you need to change the configuration of a Unixlike server, you pretty much just have to find a nice, plain, simple human-readable config file and edit it. Unless you've done something odd with it, odds are pretty good that any option you need will already be in the file, even if it's commented out - so it's self-documenting. Just read, make your changes, and restart whatever service you need to play with. Simple.

On the other hand, over on the "easy" side of the road - the Windows server family - check out what you have to do if you want to perform a very simple(!), very common task - add a Windows 2K3 domain controller to a Windows network with a Windows 2000 Server domain controller. Should be a simple upgrade, right? Just start up the appropriate nice, friendly, GUI-driven clicky-clicky and "Next" your way through, right?

... Right?

Well actually, the very first thing you have to know about adding domain controllers to a Windows network is... a command line tool. There's this tool you run from the command line called DCPROMO, which promotes a server to domain controller status in a domain. Well, okay, that's not so hard right? There's just one command line tool you somehow need to know you have to run. Hey, you learn that once, you remember it for the next time. No biggie! ... Right?

Well actually no, because you're going to have to run another command line tool that isn't mentioned anywhere in any friendly little wizards, called ADPREP. Well, okay. And, uh, you're going to have to run it several times on as many different DC's as you already have, to prep several different roles - you need to do an ADPREP /forestprep, and an ADPREP /domainprep at a bare minimum, and you'll probably have to be damn careful about which machine you run the /forestprep on, since you need to make sure you get that on the "FSMO Role Owner". Um. Okay. Well... still not so bad... Right?

OH BUT WAIT THERE'S MORE. Since you've got an Exchange service running somewhere on the domain, you can't prep the forest yet - when you try, it bombs out with an error.

Adprep was unable to extend the schema.
[Status/Consequence]
There is a schema conflict with Exchange 2000. The schema is not upgraded.
[User Action]
The schema conflict must be resolved before running adprep. Resolve the schema conflict, allow the change to replicate between all replication partners, and then run Adprep. For information on resolving the conflict, see Microsoft Knowledge Base article Q325379.


Well, at least it directs you... somewhere... so um, as long as you have live broadband internet access, you can just look up that KB, and it will tell you everything you need to do... Right?

1. Log on to the console of the schema operations master by using an account that is a member of the Schema Admins security group.
2. Click Start, click Run, type notepad.exe in the Open box, and then click OK.
3. Copy the following text including the trailing hyphen after "schemaUpdateNow: 1" to Notepad.
dn: CN=ms-Exch-Assistant-Name,CN=Schema,CN=Configuration,DC=X

changetype: Modify

replace:LDAPDisplayName

LDAPDisplayName: msExchAssistantName

-

dn: CN=ms-Exch-LabeledURI,CN=Schema,CN=Configuration,DC=X

changetype: Modify

replace: LDAPDisplayName

LDAPDisplayName: msExchLabeledURI

-

dn: CN=ms-Exch-House-Identifier,CN=Schema,CN=Configuration,DC=X

changetype: Modify

replace: LDAPDisplayName

LDAPDisplayName: msExchHouseIdentifier

-

dn:

changetype: Modify

add: schemaUpdateNow

schemaUpdateNow: 1

-
4. Confirm that there is no space at the end of each line. [...]


So, okay. We go to the KB article, we faithfully copy all the text to make ourselves an .ldf script file, we save it, and then we run it with - ANOTHER - Cryptic Monks of Shaolin command line tool you've never heard of... ldifde -i -f inetorgpersonprevent.ldf -v -c DC=x "dc=subdomain,dc=domain,dc=TLD. This is getting to be a lot less friendly than we expected. But we're out of the woods now... Right?

Weeellll... turns out if you hit THAT particular copy of the KB article, you're fucked. Because, well, the tool you're gonna have to run to load that script doesn't know how to handle double-spaced lines. So you're going to get "There is a syntax error in the input file. Failed on token starting with 'C' on line 3. 0 entries modified successfully. An error has occurred in the program." response. And you're going to pull your hair out, and you're going to go back and Google, and you're going to find no useful articles referring to syntax error and failed token because, well, that could be anything. But don't worry, EVENTUALLY you'll find the OTHER copy of the KB article on microsoft.com, and this one will have the .ldf script present for copying WITHOUT the double-spacing, and you'll put THAT in instead, and you'll run the arcane command line tool on it, and everything will be hunky-dory! ... Right?

Actually, once you get the CORRECT script saved to Inetorgpersonprevent.ldf, you're still not out of the woods. NOW when you run the Quivering Palm of Death tool on your CORRECTED .ldf script, you get a DIFFERENT error: "Add error on line 1: Referral. The server side error is A referral was returned from the server. 0 entries modified successfully. An error has occurred in the program." Now, I don't know about you, but the first thing I thought when I saw that was "PC Load Letter? What the fuck does THAT mean?!" This one's a REAL joy to google, by the way, because it turns out about a billion different scripts return similar errors to that, very few of which have fuck-all to do with a domain controller preparation. But eventually, because your google-fu is strong (and has gained two levels and +1 attack per round during this exercise alone) you find the answer: you gotta make sure this machine has the FSMO Master role on the domain. Whatever the hell that is. So, you run yet ANOTHER command line tool - ntdsutil - to check for and/or transfer and/or seize the FSMO Master role (incidentally, if the machine that had that role blew up in a fire or was removed from the domain without first transferring the role, that's Bad Juju... so better hope none of your Windows DCs ever die!). So now you're positive you've got the FSMO Master role on your DC, so now you'll be able to get shit imported! ..Right?

Yeah, you're probably used to disappointment now. But plenty of Googling later (haven't seen a nice friendly clicky little wizard to guide you through anything YET, have you noticed?) you'll find out that, first, what you have to do is ENABLE the update of the schema on the DC that... well... is the only one that can update the schema anyway... by going into the MMC tool, then right-clicking the Active Directory Schema applet (once you've added it) and selecting Operations Master, then checking the box that says to allow updating the schema on this DC. Finally, a GUI! Even if you do have to start the MMC from the command line, most likely! NOW IT WILL BE EASY! ... Right?

Well, actually, NO, because there won't BE an Active Directory Schema snap-in available. You will stare at this, and you will maybe whimper a little. Then you will return to the Internet to find out where the fuck the AD Schema snap-in is, and you will discover that you need to - imagine this - perform ANOTHER arcane kung-fu move on the command line to make this snap-in appear on the list of shit you can add to the management console in order to right-click it and find something else and click a box. (Whew.) So... "regsvr32 schmmgmt.dll". And THEN you can find the Active Directory Schema snap-in. And THEN you can right click it, and select Operations Master, and check the box that says to allow schema updates. And THEN you can run the Quivering Palm of Death on the .ldf script file you created (and replaced with a second copy that actually works) from a page on the internet. And THEN you can run adprep /forestprep and it will actually work.

Thanks for making it easy, Microsoft! God forbid I'd have had to read a self-documenting config file and edit it or something!

Tags: , ,

 
Current Mood: frustrated

(11 comments | Leave a comment)

Comments:



 
[User Picture] From: discogravy
Date: March 26th, 2007 - 08:35 pm
  (Link)
honestly your main problem is that you're trying to run AD w/ 2k and 2k3 mixed. 2k3-only environments are much less hassle.

and if you don't want to upgrade every DC you've got all in one go, well...that's your problem, saith MS.


 
[User Picture] From: jimbojones
Date: March 26th, 2007 - 09:50 pm
  (Link)
Gross Conceptual Error there, chief - I actually AM trying to run a 2k3-only environment; problem is in order to do that I need to add my 2K3 server, migrate the roles over to it, THEN I can decommission the old 2K DC and chuck it in the trash can.

Incidentally, AFTER all that, I discovered that - even though it says absolutely nothing about this on either the packaging, the DVD itself, or the marketing material - Exchange 2007 is ONLY available in 64-bit. Which simultaneously makes it the only application that requires a 64-bit Windows environment, and the only application that works in a 64-bit Windows environment.

And, of course, this customer wants the server to fill multiple roles - mainly, they want it to be a print server as well - so even if I were willing to dump everything and start over again, it still wouldn't fit their needs. So I have to put them 4 years behind on the support cycle.

GREAT.

Honestly, if MS isn't careful, they're finally going to start breaking up their own monopoly. The degree to which their fucking up is increasing is just jaw-dropping.


 
From: mostlyfakinit
Date: March 26th, 2007 - 10:11 pm
  (Link)


 
[User Picture] From: jimbojones
Date: March 26th, 2007 - 10:17 pm
  (Link)
St. Augustine is incredibly cheesy. Good god is it ever cheesy. It's like somebody tried to do Disney on a 2-block scale and 0.1% of the budget and brainpower.

We didn't do Ripley's, because the LINE to get in was estimated to us at 55 minutes, and it was crammed like cattle into a tiny little reception area that was giving me the frantic urge to start wildly swinging elbows into people's faces just to get some breathing room the minute we walked into the door.

The Castillo was fucking excellent, though. Very well preserved, tons of good information, really great volunteer-crewed demonstration of volleyed musket fire and of cannon fire, complete with the master at arms calling out the manual of arms in Spanish. VERY nice.

Also, there's a quite nice Cuban restaurant in the tourist district. Which is a good thing, because it's the ONLY actual restaurant in the district, EVERYTHING else is a shitty little burger stand. Sigh. =)

Still, I'm glad we went. It was nice to have a long weekend away from it all together.


 
[User Picture] From: discogravy
Date: March 27th, 2007 - 12:09 am
  (Link)
if you ever come back, make the detour to the dali museum, it's worth it.


 
[User Picture] From: discogravy
Date: March 27th, 2007 - 12:09 am
  (Link)
ripley's....meh. kinda tourist-y.


 
[User Picture] From: discogravy
Date: March 27th, 2007 - 12:10 am
  (Link)
although now that i think about it if you were really drunk, stoned or tripping, i suppose nothing could possibly top it. (or if you were like, 9.)


 
[User Picture] From: jimbojones
Date: March 27th, 2007 - 12:10 am
  (Link)
I visited that with Mademoiselle Reptile a few years ago, actually. Bought a print there, in fact; it's still hanging on my foyer wall.


 
[User Picture] From: xkisses
Date: March 30th, 2007 - 03:22 am
  (Link)
As much as I don't know about that thar computering anymore, I still rather enjoy your MS-related rants. Cheers to your frustration entertaining the masses.


 
[User Picture] From: discogravy
Date: November 6th, 2007 - 05:14 pm
  (Link)
coming back to this due to recent googling, have you used ADSIEdit and would it be useful for this? (it's mainly used to schema updates and it's a GUI tool that should only be in the hands of those with serious Windows-Fu -- czech it out, I think you may find it useful.)


 
[User Picture] From: jimbojones
Date: November 6th, 2007 - 05:16 pm
  (Link)
Haven't ever used it (or heard of it), have no idea if it would be useful for this or not. I'll prolly check it out eventually, thanks. =)


 
[User Picture] From: discogravy
Date: November 6th, 2007 - 09:47 pm
  (Link)
cf: http://technet2.microsoft.com/windowsserver/en/library/ebca3324-5427-471a-bc19-9aa1decd3d401033.mspx?mfr=true

if you have adminpak installed (and you should) then you already have it and just need to find the .msc and run it


> Go to Top
LiveJournal.com