    Exchange 2016 Install Issue

    • DashrenderD
      Dashrender @JaredBusch

      @JaredBusch said in Exchange 2016 Install Issue:

      @G-I-Jones said in Exchange 2016 Install Issue:

      @dbeato My plan is to just roll back the snapshot of the AD we have now to when we first built it pre-Exchange. Giving me a fresh canvas if it comes to that.

      This is a horrible idea. Rolling back AD is almost never a good idea.

      OMG - THIS, one million times this!

      • DashrenderD
        Dashrender @G I Jones

        @G-I-Jones said in Exchange 2016 Install Issue:

        @JaredBusch please elaborate.

        AD is extremely time sensitive. By default, a domain-joined PC whose time is off more than 5 mins from the AD server cannot authenticate because the server will think it's being attacked.

        Computers also generate their own passwords for connectivity to AD - and they update these passwords completely autonomously. So any machine that has updated to a new password since your snapshot, would no longer work on the domain.

        There is a process for restoring an old version of AD into a network - but it is rather complex (and something I've never done or seen done).

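Dashrender's point about machine account passwords can be measured before a snapshot is reverted. The PowerShell below is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module and a known snapshot timestamp, and the function name `Get-RollbackImpact` and its state labels are hypothetical.

```powershell
# Added example: run BEFORE reverting, against the live directory.
# Lists computer accounts that changed after the snapshot was taken, i.e. the
# machines most likely to lose their trust relationship once the DC is reverted.
param(
    [Parameter(Mandatory)]
    [datetime] $SnapshotTime   # assumption: you know when the snapshot was taken
)

Import-Module ActiveDirectory

function Get-RollbackImpact {
    param([Parameter(Mandatory)] [datetime] $Since)

    Get-ADComputer -Filter 'Enabled -eq $true' -Properties PasswordLastSet, whenCreated |
        ForEach-Object {
            # Joined after the snapshot: the account will not exist after the revert.
            # Password rotated after the snapshot: the DC will hold an older secret
            # than the one the machine now uses.
            $state = if ($_.whenCreated -gt $Since) { 'JoinedAfterSnapshot' }
                     elseif ($_.PasswordLastSet -gt $Since) { 'PasswordRotatedAfterSnapshot' }
                     else { 'Unchanged' }

            [pscustomobject]@{
                Name            = $_.Name
                Created         = $_.whenCreated
                PasswordLastSet = $_.PasswordLastSet
                State           = $state
            }
        }
}

$impact = Get-RollbackImpact -Since $SnapshotTime

# Machines that will need attention after the revert.
$impact |
    Where-Object State -ne 'Unchanged' |
    Sort-Object State, Name |
    Format-Table -AutoSize

# Totals per state, to size the rejoin effort discussed in the thread.
$impact | Group-Object State | Select-Object Name, Count
```

After a revert, running `Test-ComputerSecureChannel` locally on a flagged machine reports whether its trust with the domain is still intact.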
        • G I JonesG
          G I Jones @Dashrender

          @Dashrender said in Exchange 2016 Install Issue:

          @G-I-Jones said in Exchange 2016 Install Issue:

          @JaredBusch please elaborate.

          AD is extremely time sensitive. By default, a domain-joined PC whose time is off more than 5 mins from the AD server cannot authenticate because the server will think it's being attacked.

          Computers also generate their own passwords for connectivity to AD - and they update these passwords completely autonomously. So any machine that has updated to a new password since your snapshot, would no longer work on the domain.

          There is a process for restoring an old version of AD into a network - but it is rather complex (and something I've never done or seen done).

          I literally just rolled back my AD/DC a week ago. The process was very smooth. You just change the time and Boot/re-add every machine to the domain. The latter being the most timely, but it’s really easy.

          That’s my experience at least.

          • DashrenderD
            Dashrender @G I Jones

            @G-I-Jones said in Exchange 2016 Install Issue:

            @Dashrender said in Exchange 2016 Install Issue:

            @G-I-Jones said in Exchange 2016 Install Issue:

            @JaredBusch please elaborate.

            AD is extremely time sensitive. By default, a domain-joined PC whose time is off more than 5 mins from the AD server cannot authenticate because the server will think it's being attacked.

            Computers also generate their own passwords for connectivity to AD - and they update these passwords completely autonomously. So any machine that has updated to a new password since your snapshot, would no longer work on the domain.

            There is a process for restoring an old version of AD into a network - but it is rather complex (and something I've never done or seen done).

            I literally just rolled back my AD/DC a week ago. The process was very smooth. You just change the time and Boot/re-add every machine to the domain. The latter being the most timely, but it’s really easy.

            That’s my experience at least.

            Yeah - you had to re-add every PC to the domain - that's the crazy part...

            Curious - why did you roll it back?

            And if you have so few machines that you don't mind rejoining them all - then really - Just start over. There is Zero benefit to sticking with an AD that has any potential to have problems.

            As more or less indicated by my earlier question - the amount of file shares/printer shares/file permissions and devices joined to the domain kinda tell you how much of a PITA setting up a new domain will be, because you have to rebuild all of those things.

            • DashrenderD
              Dashrender @G I Jones

              @G-I-Jones said in Exchange 2016 Install Issue:

              @Dashrender said in Exchange 2016 Install Issue:

              @G-I-Jones said in Exchange 2016 Install Issue:

              @JaredBusch please elaborate.

              AD is extremely time sensitive. By default, a domain-joined PC whose time is off more than 5 mins from the AD server cannot authenticate because the server will think it's being attacked.

              Computers also generate their own passwords for connectivity to AD - and they update these passwords completely autonomously. So any machine that has updated to a new password since your snapshot, would no longer work on the domain.

              There is a process for restoring an old version of AD into a network - but it is rather complex (and something I've never done or seen done).

              I literally just rolled back my AD/DC a week ago. The process was very smooth. You just change the time and Boot/re-add every machine to the domain. The latter being the most timely, but it’s really easy.

              That’s my experience at least.

              I have 120 PCs in my environment - I would never want to roll back AD and have to run around like a chicken with my head cut off rejoining those to my domain.

              • G I JonesG
                G I Jones @Dashrender

                Curious - why did you roll it back?

                I rolled it back because of the encryption attack.

                • G I JonesG
                  G I Jones @Dashrender

                  And if you have so few machines that you don't mind rejoining them all - then really - Just start over. There is Zero benefit to sticking with an AD that has any potential to have problems.

                  My point is that rolling back the AD to when I first built it, (pre Exchange) would both be starting over and give me the peace of mind that it’s a fresh server with no potential problems.

                  • G I JonesG
                    G I Jones @Dashrender

                    I have 120 PCs in my environment - I would never want to roll back AD and have to run around like a chicken with my head cut off rejoining those to my domain.

                    I hear you on this, as I’ve got a bit more than that to deal with myself in terms of numbers. Wouldn’t I have to do that anyways if making a new AD? I feel like the process would be the same save a time change.

                    • scottalanmillerS
                      scottalanmiller @Dashrender

                      @Dashrender said in Exchange 2016 Install Issue:

                      @G-I-Jones said in Exchange 2016 Install Issue:

                      @Dashrender said in Exchange 2016 Install Issue:

                      @G-I-Jones said in Exchange 2016 Install Issue:

                      @JaredBusch please elaborate.

                      AD is extremely time sensitive. By default, a domain-joined PC whose time is off more than 5 mins from the AD server cannot authenticate because the server will think it's being attacked.

                      Computers also generate their own passwords for connectivity to AD - and they update these passwords completely autonomously. So any machine that has updated to a new password since your snapshot, would no longer work on the domain.

                      There is a process for restoring an old version of AD into a network - but it is rather complex (and something I've never done or seen done).

                      I literally just rolled back my AD/DC a week ago. The process was very smooth. You just change the time and Boot/re-add every machine to the domain. The latter being the most timely, but it’s really easy.

                      That’s my experience at least.

                      I have 120 PCs in my environment - I would never want to roll back AD and have to run around like a chicken with my head cut off rejoining those to my domain.

                      Local admin account, PowerShell, SSH.... five minutes to fix 😉

                      • scottalanmillerS
                        scottalanmiller @G I Jones

                        @G-I-Jones said in Exchange 2016 Install Issue:

                        And if you have so few machines that you don't mind rejoining them all - then really - Just start over. There is Zero benefit to sticking with an AD that has any potential to have problems.

                        My point is that rolling back the AD to when I first built it, (pre Exchange) would both be starting over and give me the peace of mind that it’s a fresh server with no potential problems.

                        Jumping in late, but is that better than starting over from scratch?

                        • scottalanmillerS
                          scottalanmiller @G I Jones

                          @G-I-Jones said in Exchange 2016 Install Issue:

                          I have 120 PCs in my environment - I would never want to roll back AD and have to run around like a chicken with my head cut off rejoining those to my domain.

                          I hear you on this, as I’ve got a bit more than that to deal with myself in terms of numbers. Wouldn’t I have to do that anyways if making a new AD? I feel like the process would be the same save a time change.

                          Oh yeah, starting over either way. For sure.

                          • G I JonesG
                            G I Jones @scottalanmiller

                            @scottalanmiller said in [Exchange

                            Local admin account, PowerShell, SSH.... five minutes to fix 😉

                            I need that script

                            • scottalanmillerS
                              scottalanmiller @G I Jones

                              @G-I-Jones said in Exchange 2016 Install Issue:

                              @scottalanmiller said in [Exchange

                              Local admin account, PowerShell, SSH.... five minutes to fix 😉

                              I need that script

                              Do you already have a local admin account on each machine that is working and SSH enabled?

                              • scottalanmillerS
                                scottalanmiller

                                Also, something like SaltStack or Ansible would enable this.

                                • DashrenderD
                                  Dashrender @scottalanmiller

                                  @scottalanmiller said in Exchange 2016 Install Issue:

                                  @Dashrender said in Exchange 2016 Install Issue:

                                  @G-I-Jones said in Exchange 2016 Install Issue:

                                  @Dashrender said in Exchange 2016 Install Issue:

                                  @G-I-Jones said in Exchange 2016 Install Issue:

                                  @JaredBusch please elaborate.

                                  AD is extremely time sensitive. By default, a domain-joined PC whose time is off more than 5 mins from the AD server cannot authenticate because the server will think it's being attacked.

                                  Computers also generate their own passwords for connectivity to AD - and they update these passwords completely autonomously. So any machine that has updated to a new password since your snapshot, would no longer work on the domain.

                                  There is a process for restoring an old version of AD into a network - but it is rather complex (and something I've never done or seen done).

                                  I literally just rolled back my AD/DC a week ago. The process was very smooth. You just change the time and Boot/re-add every machine to the domain. The latter being the most timely, but it’s really easy.

                                  That’s my experience at least.

                                  I have 120 PCs in my environment - I would never want to roll back AD and have to run around like a chicken with my head cut off rejoining those to my domain.

                                  Local admin account, PowerShell, SSH.... five minutes to fix 😉

                                  True enough. Assuming remote PowerShell is enabled - which I'm pretty sure it's not by default.

                                  • DashrenderD
                                    Dashrender @scottalanmiller

                                    @scottalanmiller said in Exchange 2016 Install Issue:

                                    @G-I-Jones said in Exchange 2016 Install Issue:

                                    And if you have so few machines that you don't mind rejoining them all - then really - Just start over. There is Zero benefit to sticking with an AD that has any potential to have problems.

                                    My point is that rolling back the AD to when I first built it, (pre Exchange) would both be starting over and give me the peace of mind that it’s a fresh server with no potential problems.

                                    Jumping in late, but is that better than starting over from scratch?

                                    Exactly! What is this pre-Exchange restore point? Frankly, unless that was yesterday, why do you still have that?

                                    • G I JonesG
                                      G I Jones @scottalanmiller

                                      My point is that rolling back the AD to when I first built it, (pre Exchange) would both be starting over and give me the peace of mind that it’s a fresh server with no potential problems.

                                      Jumping in late, but is that better than starting over from scratch?

                                      For argument’s sake I would say they’re the same. But I’m gonna want to upgrade it to 2016 realistically (currently 2012).

                                      Still having same issues as before the swap from H330 to H730P. So I’m currently unable to build anything VM-wise that’s worth a damn. I’m sure it’s user error. Going to keep reading.

                                      • DashrenderD
                                        Dashrender @G I Jones

                                        @G-I-Jones said in Exchange 2016 Install Issue:

                                        My point is that rolling back the AD to when I first built it, (pre Exchange) would both be starting over and give me the peace of mind that it’s a fresh server with no potential problems.

                                        Jumping in late, but is that better than starting over from scratch?

                                        For argument’s sake I would say they’re the same. But I’m gonna want to upgrade it to 2016 realistically (currently 2012).

                                        Still having same issues as before the swap from H330 to H730P. So I’m currently unable to build anything VM-wise that’s worth a damn. I’m sure it’s user error. Going to keep reading.

                                        What's the issue? Performance?

                                        • DashrenderD
                                          Dashrender

                                          Going home, I'll look at this more there. 🙂

                                          • G I JonesG
                                            G I Jones @scottalanmiller

                                            @scottalanmiller said in Exchange 2016 Install Issue:

                                            @G-I-Jones said in Exchange 2016 Install Issue:

                                            @scottalanmiller said in [Exchange

                                            Local admin account, PowerShell, SSH.... five minutes to fix 😉

                                            I need that script

                                            Do you already have a local admin account on each machine that is working and SSH enabled?

                                            I’d have to look into the SSH part, but yea.
