Find out which user is logged in to which computer

 

While I was doing a cross-forest migration in a customer's environment, I had to find out which users were logged in to some of the computers before starting the migration process, because of the customer's policy on how computer hostnames are used.

There were about 500 computers, and most of them are not named after their users but after the company, followed by a number, e.g. PC5123.

 

Luckily, Mark Russinovich has provided the great PsTools suite, which lets administrators work remotely and find out everything about users' computers in the domain without having to go there physically or interact with the users.

So I downloaded the tools from this link and used the following command to get the logged-in user.

 

wmic /node:"smart0498" ComputerSystem GET UserName
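The same lookup run over a list of computers, as an added example that is not part of the original post. It assumes Windows PowerShell 3.0 or later; the host names other than smart0498 and the CSV file name are placeholders.

```powershell
# Added example (not from the original post): read Win32_ComputerSystem.UserName,
# the same WMI property the wmic command returns, from a list of computers.
# Host names other than smart0498 are constructed placeholders.
$computers = 'smart0498', 'PC5123', 'PC5124'

$results = foreach ($name in $computers) {
    $row = [ordered]@{ Computer = $name; UserName = ''; Status = '' }

    if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
        # Powered-off or firewalled machines would otherwise stall the run.
        $row.Status = 'Unreachable'
    }
    else {
        try {
            $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $name -ErrorAction Stop
            if ($cs.UserName) {
                $row.UserName = $cs.UserName      # DOMAIN\user
                $row.Status   = 'LoggedOn'
            }
            else {
                # UserName only reports the console session; it is empty when
                # nobody is logged on locally or the user is connected over RDP.
                $row.Status = 'NoConsoleUser'
            }
        }
        catch {
            # Typically "Access is denied" or "The RPC server is unavailable".
            $row.Status = 'Error: ' + $_.Exception.Message
        }
    }
    [pscustomobject]$row
}

$results | Export-Csv -Path .\logged-on-users.csv -NoTypeInformation
$results | Format-Table -AutoSize
```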


 

Hope you find this useful

Install Frontend Skype for Business 2015

Install prerequisites

Frontend/Standard edition as well

Add-WindowsFeature RSAT-ADDS, Web-Server, Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Asp-Net, Web-Net-Ext, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering, Web-Stat-Compression, Web-Dyn-Compression, NET-WCF-HTTP-Activation45, Web-Asp-Net45, Web-Mgmt-Tools, Web-Scripting-Tools, Web-Mgmt-Compat, Desktop-Experience, Telnet-Client, Windows-Identity-Foundation

From <https://technet.microsoft.com/en-us/library/dn951388.aspx>

Installing Director Prerequisites

Add-WindowsFeature RSAT-ADDS, Web-Server, Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Asp-Net, Web-Net-Ext, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering, Web-Stat-Compression, NET-WCF-HTTP-Activation45, Web-Asp-Net45, Web-Scripting-Tools, Web-Mgmt-Compat, Desktop-Experience, Telnet-Client

From <https://technet.microsoft.com/en-us/library/dn951388.aspx>

Check Powershell version

$psversiontable


Install prerequisites


Restart is required


Prepare Active Directory


Install Administrative tools


Prepare First standard edition server


I will create a shared folder


It’s time to publish the topology


Publishing failed with an error that states the following

So I will double-check that I am a member of the required groups.

It seems not, so I will add CSAdministrator and RTCUniversalServerAdmins.

Solution:

I still got the same error every time I tried to publish the topology. The way I solved this was by creating a new topology in which the Standard Edition pool name matches the server's hostname; otherwise the topology won't be able to access the SQL Express instance that's installed by Lync setup.

So in this case I am going to re-create my topology as follows.

Moh10ly.com is my public domain, and it is going to be my SIP domain in this case, not my local one (Lab.com).


Next I will put my server’s FQDN in the pool name, my FQDN Is


Now it’s time to publish the topology once again


It seems we get past the permission issue as soon as the Standard Edition FE server name matches the FQDN of the server.

We'll look at the open to-do list now.

The to-do list seems a bit different from Lync 2013, as it includes the part about the certificate.

I will run the local setup for the server, since I only have one server now.

Before we run the local setup, we need to make sure that our account has the required privileges, which are shown under the Install local CS step. Since I have already configured the account's privileges, I will continue with my setup.

There's nothing new about the local store installation in S4B, except that it checks for and downloads updates during this process, as the report shows.

Detailed steps for the local store installation can be found in the sub page.

Now it’s time to move to the next step and check for the prerequisites


S4B says that a prerequisite is not met. Checking the link posted in the error information, it seems that a hotfix needs to be installed on the server:

http://go.microsoft.com/fwlink/?LinkId=519376

I am attaching the hotfix, after requesting it and installing it as requested.

<<478232_intl_x64_zip.rar>>

After finishing, we'll double-check whether the prerequisites are met.

Running the setup again, it seems that the prerequisite has been satisfied.

The setup, and in particular the next step, could take about 5-10 minutes depending on the resources you have assigned to the Skype for Business server.

I will navigate to the MSI file location and try to install it without using the wizard.

The file path, as shown previously, is:

C:\Programdata\Microsoft\Skype for Business Server\Deployment\cache\6.0.9319.0

So the problem is that Windows Identity Foundation is not installed. I copied the prerequisite cmdlet from the official Microsoft TechNet article for Skype for Business, but it seems they missed this feature there, so I will adjust the PowerShell cmdlet to include it, which means you won't face this issue.
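A pre-flight check for this failure, as an added example that is not part of the original post: it compares the front-end feature list given earlier on this page, including Windows-Identity-Foundation, against what is installed on the server. The `$install` variable is a hypothetical switch introduced for the example.

```powershell
# Added example (not from the original post). Feature names are the ones in the
# front-end Add-WindowsFeature command on this page.
Import-Module ServerManager

$required = @(
    'RSAT-ADDS', 'Web-Server', 'Web-Static-Content', 'Web-Default-Doc',
    'Web-Http-Errors', 'Web-Asp-Net', 'Web-Net-Ext', 'Web-ISAPI-Ext',
    'Web-ISAPI-Filter', 'Web-Http-Logging', 'Web-Log-Libraries',
    'Web-Request-Monitor', 'Web-Http-Tracing', 'Web-Basic-Auth',
    'Web-Windows-Auth', 'Web-Client-Auth', 'Web-Filtering',
    'Web-Stat-Compression', 'Web-Dyn-Compression', 'NET-WCF-HTTP-Activation45',
    'Web-Asp-Net45', 'Web-Mgmt-Tools', 'Web-Scripting-Tools', 'Web-Mgmt-Compat',
    'Desktop-Experience', 'Telnet-Client', 'Windows-Identity-Foundation'
)
$install = $false   # hypothetical switch: set to $true to install what is missing

# Get-WindowsFeature returns nothing for a name the OS does not know, so names
# that do not come back are reported separately from "known but not installed".
$found   = @(Get-WindowsFeature -Name $required)
$unknown = @($required | Where-Object { $found.Name -notcontains $_ })
$missing = @($found | Where-Object { -not $_.Installed })

if ($unknown) {
    Write-Warning ('Not available on this OS version: ' + ($unknown -join ', '))
}

if (-not $missing) {
    Write-Output 'All required features are installed.'
}
else {
    $missing | Select-Object Name, DisplayName, InstallState | Format-Table -AutoSize
    if ($install) {
        $result = Add-WindowsFeature -Name $missing.Name
        if ($result.RestartNeeded -ne 'No') {
            Write-Warning 'Restart the server before running Skype for Business setup.'
        }
    }
}
```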


Now I'll re-run the setup.

We have passed the error and are now in the process of assigning accounts to SQL services.

The setup might take approximately 30-60 minutes to install all the required components.

In order to continue to the next step, we must deploy a CA (Certification Authority) to issue a certificate for the Skype for Business front-end web services.

I already have a CA deployed, so I will just go ahead and click Run on step 3.

This process is easy, as it's automated if you have configured your CA properly. First click on Request.

The S4B certificate request wizard now provides a new user interface that's easier and faster to fill in. I will fill it in and go ahead with issuing the certificate.

And it's done.

I will do the same steps for the OAuthTokenIssuer


Now it's time to start the services and check Event Viewer.

Trying to start the services from the wizard fails with event ID 20002, so I am going to try the Lync Management Shell instead.

Using the Management Shell with the cmdlet Start-CsWindowsService seems to work.

All the services are running now.

 

Stay tuned for the next article, on deploying the Edge server.

Free Multi SAN Certificate for your Exchange for two years

 

I am sure there are a lot of people out there who have been looking for a free certificate, but a Google search always gives you the same list of CA providers, and the only free SSL certificate provider among them is StartCom, which provides a single-SAN certificate for one year.

But the provider WoSign (which also uses the StartCom CA) provides a two-year multi-SAN certificate for free. I tried 2 SANs and 6 SANs, and in both cases it worked perfectly for me. I don't use these certificates in production environments, but they are very important for lab and test environments, e.g. Exchange Hybrid integration or migration, and Lync integration with Lync Online for EV integration.

Link to the free certificate: click Here

I am going to write the steps to get the certificate below. The longest I have waited for the certificate was 12 hours, but I eventually got it.

The multi-SAN certificate is limited to a maximum of two years, but it serves the purpose.

Step 1:

Fill in the subdomains that you want to use the SSL certificate for. Each should be entered on a new line.

Note:

Then select 2 years and the type of algorithm (mostly SHA2, as it's more secure).

Step 2: Verify your domain ownership.

To do so, click on Validate Now and then select the email address that is listed in your domain's Whois record, or the default admin or Administrator@domain.com users.

I usually create an admin user, or have access to the administrator user's email on Exchange or Google Apps.

Note: the validation process must be finished within 60 seconds, and the validation email will reach you in 35 seconds, so you only have 25 seconds to copy the validation

 

Step 3:

Generate a CSR and paste it in the CSR box. Once you have pasted it, click anywhere outside the box so that the SANs appear in the small box on the right.

Once the SANs appear, click on Generate certificate.

I am already using Hybrid integration between Exchange 2013 and Exchange Online, and the certificate works very well for me.

 

Hope you find this useful

Exchange 2010 to 2013 Migration fails with “You cannot have ArchiveDomain set when archive is not enabled for this user”

 

I had previously set up a Hybrid integration between Office 365 and my Exchange 2010 server, and enabled online archiving when I migrated my user to Exchange Online. When I finished my demo, I decided to bring the user back on-premises. Now I have deployed Exchange 2013 and wanted to migrate the same user from Exchange 2010 to Exchange 2013, but the migration request fails with the following message.

 

6/7/2015 1:23:24 PM [EXCH2K13] ” created move request.

6/7/2015 1:23:57 PM [EXCH2K13] The Microsoft Exchange Mailbox Replication service ‘EXCH2K13.demotesas.local’ (15.0.1076.6 caps:1FFF) is examining the request.

6/7/2015 1:23:59 PM [EXCH2K13] Connected to target mailbox ‘b6ee5dd7-beab-45a0-9933-8e926a694de3 (Primary)’, database ‘Mailbox Database 0439787427’, Mailbox server ‘EXCH2K13.demotesas.local’ Version 15.0 (Build 1076.0).

6/7/2015 1:23:59 PM [EXCH2K13] Connected to source mailbox ‘b6ee5dd7-beab-45a0-9933-8e926a694de3 (Primary)’, database ‘Database1’, Mailbox server ‘EXCH01.demotesas.local’ Version 14.3 (Build 174.0).

6/7/2015 1:23:59 PM [EXCH2K13] Request processing started.

6/7/2015 1:23:59 PM [EXCH2K13] Source mailbox information:

Regular Items: 104, 5.549 MB (5,818,789 bytes)

Regular Deleted Items: 0, 0 B (0 bytes)

FAI Items: 50, 0 B (0 bytes)

FAI Deleted Items: 0, 0 B (0 bytes)

6/7/2015 1:23:59 PM [EXCH2K13] Cleared sync state for request b6ee5dd7-beab-45a0-9933-8e926a694de3 due to ‘CleanupOrphanedMailbox’.

6/7/2015 1:23:59 PM [EXCH2K13] Mailbox signature will not be preserved for mailbox ‘b6ee5dd7-beab-45a0-9933-8e926a694de3 (Primary)’. Outlook clients will need to restart to access the moved mailbox.

6/7/2015 1:24:04 PM [EXCH2K13] Stage: CreatingFolderHierarchy. Percent complete: 10.

6/7/2015 1:24:05 PM [EXCH2K13] Initializing folder hierarchy from mailbox ‘b6ee5dd7-beab-45a0-9933-8e926a694de3 (Primary)’: 76 folders total.

6/7/2015 1:24:05 PM [EXCH2K13] Folder creation progress: 0 folders created in mailbox ‘b6ee5dd7-beab-45a0-9933-8e926a694de3 (Primary)’.

6/7/2015 1:24:10 PM [EXCH2K13] Folder hierarchy initialized for mailbox ‘b6ee5dd7-beab-45a0-9933-8e926a694de3 (Primary)’: 75 folders created.

6/7/2015 1:24:10 PM [EXCH2K13] Stage: CreatingInitialSyncCheckpoint. Percent complete: 15.

6/7/2015 1:24:10 PM [EXCH2K13] Initial sync checkpoint progress: 0/76 folders processed. Currently processing mailbox ‘b6ee5dd7-beab-45a0-9933-8e926a694de3 (Primary)’.

6/7/2015 1:24:12 PM [EXCH2K13] Initial sync checkpoint completed: 66 folders processed.

6/7/2015 1:24:12 PM [EXCH2K13] Stage: LoadingMessages. Percent complete: 20.

6/7/2015 1:24:14 PM [EXCH2K13] Messages have been enumerated successfully. 154 items loaded. Total size: 5.55 MB (5,819,724 bytes).

6/7/2015 1:24:14 PM [EXCH2K13] Stage: CopyingMessages. Percent complete: 25.

6/7/2015 1:24:14 PM [EXCH2K13] Copy progress: 0/154 messages, 0 B (0 bytes)/5.55 MB (5,819,724 bytes), 55/76 folders completed.

6/7/2015 1:24:58 PM [EXCH2K13] Copying messages is complete. Copying rules and security descriptors.

6/7/2015 1:25:04 PM [EXCH2K13] Initial seeding completed, 154 items copied, total size 5.55 MB (5,819,724 bytes).

6/7/2015 1:25:04 PM [EXCH2K13] Stage: IncrementalSync. Percent complete: 95.

6/7/2015 1:25:05 PM [EXCH2K13] Folder hierarchy changes reported in source ‘b6ee5dd7-beab-45a0-9933-8e926a694de3 (Primary)’: 2 changed folders, 0 deleted folders.

6/7/2015 1:25:05 PM [EXCH2K13] Content changes reported for mailbox ‘b6ee5dd7-beab-45a0-9933-8e926a694de3 (Primary)’: Batch 1, New 3, Changed 1, Deleted 0, Read 0, Unread 0, Total 4.

6/7/2015 1:25:05 PM [EXCH2K13] Total content changes applied to mailbox ‘b6ee5dd7-beab-45a0-9933-8e926a694de3 (Primary)’: New 3, Changed 1, Deleted 0, Read 0, Unread 0, Skipped 0, Total 4.

6/7/2015 1:25:05 PM [EXCH2K13] Incremental Sync ‘b6ee5dd7-beab-45a0-9933-8e926a694de3 (Primary)’ completed: 2 hierarchy updates, 4 content changes.

6/7/2015 1:25:05 PM [EXCH2K13] Stage: IncrementalSync. Percent complete: 95.

6/7/2015 1:25:07 PM [EXCH2K13] Final sync has started.

6/7/2015 1:25:07 PM [EXCH2K13] Folder hierarchy changes reported in source ‘b6ee5dd7-beab-45a0-9933-8e926a694de3 (Primary)’: 0 changed folders, 1 deleted folders.

6/7/2015 1:25:07 PM [EXCH2K13] Incremental Sync ‘b6ee5dd7-beab-45a0-9933-8e926a694de3 (Primary)’ completed: 1 hierarchy updates, 0 content changes.

6/7/2015 1:25:07 PM [EXCH2K13] Source mailbox information:

Regular Items: 108, 5.562 MB (5,832,087 bytes)

Regular Deleted Items: 0, 0 B (0 bytes)

FAI Items: 50, 0 B (0 bytes)

FAI Deleted Items: 0, 0 B (0 bytes)

6/7/2015 1:25:07 PM [EXCH2K13] Stage: FinalIncrementalSync. Percent complete: 95.

6/7/2015 1:25:09 PM [EXCH2K13] Mailbox store finalization is complete.

6/7/2015 1:25:09 PM [EXCH2K13] SessionStatistics updated.

6/7/2015 1:25:09 PM [EXCH2K13] Verifying mailbox contents…

6/7/2015 1:25:10 PM [EXCH2K13] Mailbox contents verification complete: 66 folders, 157 items, 5.562 MB (5,831,953 bytes).

6/7/2015 1:25:10 PM [EXCH2K13] Mailbox ‘Mohammed JA. Hamada’ was loaded from domain controller ‘ad.demotesas.local’.

6/7/2015 1:25:18 PM [EXCH2K13] Fatal error UpdateMovedMailboxPermanentException has occurred.

 

On Exchange 2010, I launched the Exchange Management Shell and ran the following cmdlet, which shows every attribute of the user Mohammed that has arch in its name:

Get-Mailbox User | fl arch*

Since there's no archive mailbox, the archive domain is invalid, and I don't even own it anymore as it expired a while ago.

 

Resolution:

I will try to remove the archive domain value from the user's properties using the following cmdlet:

Set-Mailbox mailboxname -ArchiveDomain $null

Using the above cmdlet seems to fail because this property is administered by Exchange Server, so it has to be removed manually.

I will open the user's attributes, delete the value, and try the migration again.

I'll click on Edit, then Clear, and OK.

Migration finished successfully.

 

Hope this helps

Replication after tombstone life expired

 

As I was preparing for an Exchange migration from 2010 to 2013, I had two DCs. One of them had been off for about 8 months and had already passed the default tombstone lifetime, so it was not authorized for replication in the forest.

Whenever I try to replicate the server, I get the following error:

“The following error occurred during the attempt to syncronize naming context CN=Configuration,DC=Domain,DC=Local from Domain Controller AD to Domain Controller AD2; The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime. This operation will not continue.”

 

My FSMO role holder and PDC is in the demotesas.local domain, so on this DC I will run the following command:

W32tm /config /manualpeerlist:time.windows.com,0x1 /syncfromflags:manual /reliable:yes /update

And this:

net stop w32time & net start w32time & W32tm /resync /rediscover

 

On the additional DC:

w32tm /config /syncfromflags:domhier /update

net stop w32time & net start w32time & W32tm /resync /rediscover

 

If the above doesn't work, then I will go ahead and force replication with the tombstoned DC by using the following command:

repadmin /regkey * +allowDivergent

Now we'll replicate and see what happens.

Problem solved.
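A check that shows how close each replication link is to this error, as an added example that is not part of the original post. It assumes the ActiveDirectory PowerShell module and repadmin are available where it runs; the AtRisk threshold of half the tombstone lifetime is an arbitrary choice made for the example.

```powershell
# Added example (not from the original post): compare the age of the last
# successful replication on every link with the forest's tombstone lifetime.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$dirSvcDn = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$dirSvc   = Get-ADObject -Identity $dirSvcDn -Properties tombstoneLifetime

# If the attribute has no value, Active Directory falls back to 60 days.
$tslDays = if ($dirSvc.tombstoneLifetime) { [int]$dirSvc.tombstoneLifetime } else { 60 }

# repadmin emits one CSV row per inbound replication link of every DC;
# rows for DCs it could not contact are marked showrepl_ERROR instead.
$rows   = repadmin /showrepl * /csv | ConvertFrom-Csv
$links  = $rows | Where-Object { $_.showrepl_COLUMNS -eq 'showrepl_INFO' }
$errors = $rows | Where-Object { $_.showrepl_COLUMNS -eq 'showrepl_ERROR' }

$now = Get-Date
$report = foreach ($link in $links) {
    $lastSuccess = [datetime]::MinValue
    $hasSuccess  = [datetime]::TryParse($link.'Last Success Time', [ref]$lastSuccess)
    $ageDays     = $null
    if ($hasSuccess) { $ageDays = [math]::Floor(($now - $lastSuccess).TotalDays) }

    $state = 'OK'
    if (-not $hasSuccess)                { $state = 'NeverReplicated' }
    elseif ($ageDays -ge $tslDays)       { $state = 'TombstoneLifetimeExceeded' }
    elseif ($ageDays -ge ($tslDays / 2)) { $state = 'AtRisk' }   # arbitrary early warning

    [pscustomobject]@{
        Destination   = $link.'Destination DSA'
        Source        = $link.'Source DSA'
        NamingContext = $link.'Naming Context'
        Failures      = $link.'Number of Failures'
        AgeDays       = $ageDays
        State         = $state
    }
}

Write-Output "Tombstone lifetime: $tslDays days"
$report | Sort-Object AgeDays -Descending | Format-Table -AutoSize
if ($errors) { Write-Warning "$(@($errors).Count) DC(s) could not be queried at all." }
```

Once replication is healthy again, `repadmin /regkey * -allowDivergent` switches the override set above back off.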

 

 

REF:

http://www.techieshelp.com/active-directory-replication-issues-after-timesync-problems/

https://social.technet.microsoft.com/Forums/windowsserver/en-US/893b09d8-636e-4f87-8260-11613a2a4e43/unable-to-replicate-between-2-dcs-error-message-exceeded-the-tombstone-lifetime?forum=winserverDS

Prepare Schema for Exchange 2013 Migration while having Hybrid Integration with Exchange 2010

 

In a very interesting situation that I came across, I had an environment with two DCs and Exchange 2010 that I had previously set up for Hybrid integration with Office 365, for a demonstration with a trial subscription. I did not remove the integration after I finished my test, the trial expired, and the tenant was deleted.

Next I intended to upgrade my existing Exchange 2010 to Exchange 2013 and set up coexistence between them. However, I stumbled at the step of preparing the AD schema for Exchange 2013. While trying to prepare the schema, I got the following error:

Setup /PrepareSchema /IAcceptExchangeServerLicenseTerms

Welcome to Microsoft Exchange Server 2013 Cumulative Update 8 Unattended Setup

Copying Files…

File copy complete. Setup will now collect additional information needed for installation.

Performing Microsoft Exchange Server Prerequisite Check

Prerequisite Analysis FAILED

A hybrid deployment with Office 365 has been detected. Please ensure that you are running setup with the /TenantOrganizationConfig switch. To use the TenantOrganizationConfig switch you must first connect to your Exchange Online tenant via PowerShell and execute the following command: “Get-OrganizationConfig | Export-Clixml -Path MyTenantOrganizationConfig.XML”. Once the XML file has been generated, run setup with the TenantOrganizationConfig switch as follows “/TenantOrganizationConfig MyTenantOrganizationConfig.XML”.

If you continue to see this this message then it indicates that either the XML file specified is corrupt, or you are attempting to upgrade your on-premises Exchange installation to a build that isn’t compatible with the Exchange version of your Office 365 tenant. Your Office 365 tenant must be upgraded to a compatible version of Exchange before upgrading your on-premises Exchange installation. For more information, see: http://go.microsoft.com/fwlink/?LinkId=262888

For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.DidTenantSettingCreatedAnException.aspx

The Exchange Server setup operation didn’t complete. More details can be found in ExchangeSetup.log located in the <SystemDrive>:\ExchangeSetupLogs folder.

 

The Office 365 Hybrid setup was still there in my Exchange Console, and since I couldn't follow Microsoft's recommended steps to connect to the O365 tenant and get the XML file, I had to do things manually.

First I connected to the EMC and removed all the objects that were created by the Exchange Hybrid Configuration wizard:

1- Organization Relationships

2- Federation Trust

3- Remote Domains

4- Accepted Domains

5- Send and Receive Connectors

 

Lastly, the Hybrid Configuration object…

Since the Remove-HybridConfiguration cmdlet is not supported for removing the hybrid configuration object from AD, we have no choice but to use the ADSIEdit tool to do so.

I will navigate to Configuration > Services > Microsoft Exchange > First Organization and delete “CN=Hybrid Configuration”.

Restart MSExchangeServiceHost.

 

Now I will try again to prepare the AD schema for Exchange 2013, but I get a different error:

Extending Active Directory schema FAILED

The following error was generated when “$error.Clear(); install-ExchangeSchema -LdapFileName ($roleInstallPath + “Setup\Data\”+$RoleSchemaPrefix + “schema0.ldf”)” was run: “Microsoft.Exchange.Configuration.Tasks.TaskException: There was an error while running ‘ldifde.exe’ to import the schema file ‘C:\Windows\Temp\ExchangeSetup\Setup\Data\PostExchange2003_schema0.ldf’. The error code is: 8224. More details can be found in the error file: ‘C:\Users\Administrator.DEMOTESAS\AppData\Local\Temp\2\ldif.err’ at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl) at Microsoft.Exchange.Management.Deployment.InstallExchangeSchema.ImportSchemaFile(String schemaMasterServer, String schemaFilePath, String macroName, String macroValue, WriteVerboseDelegate writeVerbose) at Microsoft.Exchange.Management.Deployment.InstallExchangeSchema.InternalProcessRecord() at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b() at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)”.

The Exchange Server setup operation didn’t complete. More details can be found in ExchangeSetup.log located in the <SystemDrive>:\ExchangeSetupLogs folder.

 

Checking the ldif.err file mentioned in the error above, it seems that Exchange is complaining because the AD schema changes are not being replicated to the other AD partners, which is true since I have an additional DC that's turned off.

After turning on the other DC, we'll see what happens.

The other DC had another issue: I had turned it off for a long time, and it was not syncing because the tombstone lifetime had expired, so I had to fix this issue as well, and I have published it in a different article.

Please click here to see how the replication issue was fixed.

Issue has been fixed.

 

Hope someone finds this useful

Exchange 2007/2010 Doesn’t show new DC (2012) servers after adding them as additional DCs

 

Symptoms

In an environment with one existing DC, after adding Windows 2012 R2 servers as additional DCs, Exchange 2007 doesn't show the new servers, although they also hold the GC role.

 

Research:

To locate the problem, search for event ID 2080, which shows the discovered DCs and the permissions allowed on Exchange servers.

In my case, the SACL right was not provided to the new DCs due to a GPO problem.
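A parser for the DC table in event 2080 that lists the domain controllers missing the SACL right, as an added example that is not part of the original post. The sample message and its example.local host names are constructed, and the `MSExchange ADAccess` provider name in the comment is an assumption about the event source on the Exchange server.

```powershell
# Added example (not from the original post): parse the DC table in an event
# 2080 message and list the DCs on which Exchange lacks the SACL right.
function ConvertFrom-Event2080 {
    param([Parameter(Mandatory = $true)][string]$Message)

    $scope = $null
    foreach ($line in ($Message -split "`r?`n")) {
        $text = $line.Trim()
        if ($text -match '^(In-site|Out-of-site):') { $scope = $Matches[1]; continue }

        # <server> <roles>, then the nine numeric columns named in the header.
        if ($scope -and $text -match '^(\S+)\s+([CDG-]{3})((?:\s+\d+){9})$') {
            $n = -split $Matches[3]
            [pscustomobject]@{
                Scope        = $scope
                Server       = $Matches[1]
                Roles        = $Matches[2]
                Enabled      = [int]$n[0]
                Reachability = [int]$n[1]
                Synchronized = [int]$n[2]
                GCCapable    = [int]$n[3]
                PDC          = [int]$n[4]
                SaclRight    = [int]$n[5]
                CriticalData = [int]$n[6]
                Netlogon     = [int]$n[7]
                OSVersion    = [int]$n[8]
            }
        }
    }
}

# Constructed sample: one old DC with the SACL right, two new DCs without it.
$sample = @'
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1234). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
 (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
dc2003.example.local    CDG 1 7 7 1 1 1 1 7 1
dc2012a.example.local   CDG 1 7 7 1 0 0 1 7 1
dc2012b.example.local   CDG 1 7 7 1 0 0 1 7 1
Out-of-site:
'@

# On an Exchange server the message can be read from the Application log, e.g.
# (assumed provider name):
# $sample = (Get-WinEvent -FilterHashtable @{ LogName = 'Application';
#     ProviderName = 'MSExchange ADAccess'; Id = 2080 } -MaxEvents 1).Message

$dcs = ConvertFrom-Event2080 -Message $sample
$dcs | Where-Object { $_.SaclRight -eq 0 } |
    Select-Object Scope, Server, Roles, SaclRight |
    Format-Table -AutoSize
```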

 


 

After checking sites and replication, all is healthy and there is no issue with them.

3 servers (two 2012 servers and one 2003 DC).

Exchange 2010 SP3 servers.

Reason:

The Default Domain Controllers Policy was not linked to the Domain Controllers OU.


 

Resolution:

After linking the Default Domain Controllers Policy to the Domain Controllers OU, the SACL permission was provided without any issue.

Now Exchange is reporting healthy and can read the new DCs, which allows us to demote the old DCs.

After removing the old DC

 

 

Hope you find this useful

ref:

http://blogs.technet.com/b/richardroddy/archive/2010/06/16/msexchange-adaccess-dsaccess-errors-and-the-manage-auditing-and-security-right.aspx