Exchange 2016 Install Issue
-
@G-I-Jones said in Exchange 2016 Install Issue:
@dbeato We may have to, but like I said I'm going to power through this build first, and we'll see how it goes.
Do it side by side. Set up another AD on another server and work through it. I bet the new one will go much faster.
-
@dbeato My plan is to just roll back the snapshot of the AD we have now to when we first built it pre-Exchange. Giving me a blank canvas if it comes to that.
-
@G-I-Jones said in Exchange 2016 Install Issue:
@dbeato My plan is to just roll back the snapshot of the AD we have now to when we first built it pre-Exchange. Giving me a fresh canvas if it comes to that.
This is a horrible idea. Rolling back AD is almost never a good idea.
-
@JaredBusch please elaborate.
-
@JaredBusch said in Exchange 2016 Install Issue:
@G-I-Jones said in Exchange 2016 Install Issue:
@dbeato My plan is to just roll back the snapshot of the AD we have now to when we first built it pre-Exchange. Giving me a fresh canvas if it comes to that.
This is a horrible idea. Rolling back AD is almost never a good idea.
OMG - THIS, one million times this!
-
@G-I-Jones said in Exchange 2016 Install Issue:
@JaredBusch please elaborate.
AD is extremely time sensitive. By default, a domain-joined PC whose time is off by more than 5 mins from the AD server cannot authenticate, because the server will think it's being attacked.
Computers also generate their own passwords for connectivity to AD - and they update these passwords completely autonomously. So any machine that has updated to a new password since your snapshot would no longer work on the domain.
There is a process for restoring an old version of AD into a network - but it is rather complex (and something I've never done or seen done).
-
@Dashrender said in Exchange 2016 Install Issue:
@G-I-Jones said in Exchange 2016 Install Issue:
@JaredBusch please elaborate.
AD is extremely time sensitive. By default, a domain-joined PC whose time is off by more than 5 mins from the AD server cannot authenticate, because the server will think it's being attacked.
Computers also generate their own passwords for connectivity to AD - and they update these passwords completely autonomously. So any machine that has updated to a new password since your snapshot would no longer work on the domain.
There is a process for restoring an old version of AD into a network - but it is rather complex (and something I've never done or seen done).
I literally just rolled back my AD/DC a week ago. The process was very smooth. You just change the time and Boot/re-add every machine to the domain. The latter being the most timely, but it’s really easy.
That’s my experience at least.
-
@G-I-Jones said in Exchange 2016 Install Issue:
@Dashrender said in Exchange 2016 Install Issue:
@G-I-Jones said in Exchange 2016 Install Issue:
@JaredBusch please elaborate.
AD is extremely time sensitive. By default, a domain-joined PC whose time is off by more than 5 mins from the AD server cannot authenticate, because the server will think it's being attacked.
Computers also generate their own passwords for connectivity to AD - and they update these passwords completely autonomously. So any machine that has updated to a new password since your snapshot would no longer work on the domain.
There is a process for restoring an old version of AD into a network - but it is rather complex (and something I've never done or seen done).
I literally just rolled back my AD/DC a week ago. The process was very smooth. You just change the time and Boot/re-add every machine to the domain. The latter being the most timely, but it’s really easy.
That’s my experience at least.
Yeah - you had to re-add every PC to the domain - that's the crazy part...
Curious - why did you roll it back?
And if you have so few machines that you don't mind rejoining them all - then really - just start over. There is zero benefit to sticking with an AD that has any potential to have problems.
As more or less indicated by my earlier question - the number of file shares/printer shares/file permissions and devices joined to the domain kind of tells you how much of a PITA setting up a new domain will be, because you have to rebuild all of those things.
-
@G-I-Jones said in Exchange 2016 Install Issue:
@Dashrender said in Exchange 2016 Install Issue:
@G-I-Jones said in Exchange 2016 Install Issue:
@JaredBusch please elaborate.
AD is extremely time sensitive. By default, a domain-joined PC whose time is off by more than 5 mins from the AD server cannot authenticate, because the server will think it's being attacked.
Computers also generate their own passwords for connectivity to AD - and they update these passwords completely autonomously. So any machine that has updated to a new password since your snapshot would no longer work on the domain.
There is a process for restoring an old version of AD into a network - but it is rather complex (and something I've never done or seen done).
I literally just rolled back my AD/DC a week ago. The process was very smooth. You just change the time and Boot/re-add every machine to the domain. The latter being the most timely, but it’s really easy.
That’s my experience at least.
I have 120 PCs in my environment - I would never want to roll back AD and have to run around like a chicken with my head cut off rejoining those to my domain.
-
Curious - why did you roll it back?
I rolled it back because of the encryption attack.
-
And if you have so few machines that you don't mind rejoining them all - then really - just start over. There is zero benefit to sticking with an AD that has any potential to have problems.
My point is that rolling back the AD to when I first built it (pre-Exchange) would both be starting over and give me the peace of mind that it’s a fresh server with no potential problems.
-
I have 120 PCs in my environment - I would never want to roll back AD and have to run around like a chicken with my head cut off rejoining those to my domain.
I hear you on this, as I’ve got a bit more than that to deal with myself in terms of numbers. Wouldn’t I have to do that anyway if making a new AD? I feel like the process would be the same save a time change.
-
@Dashrender said in Exchange 2016 Install Issue:
@G-I-Jones said in Exchange 2016 Install Issue:
@Dashrender said in Exchange 2016 Install Issue:
@G-I-Jones said in Exchange 2016 Install Issue:
@JaredBusch please elaborate.
AD is extremely time sensitive. By default, a domain-joined PC whose time is off by more than 5 mins from the AD server cannot authenticate, because the server will think it's being attacked.
Computers also generate their own passwords for connectivity to AD - and they update these passwords completely autonomously. So any machine that has updated to a new password since your snapshot would no longer work on the domain.
There is a process for restoring an old version of AD into a network - but it is rather complex (and something I've never done or seen done).
I literally just rolled back my AD/DC a week ago. The process was very smooth. You just change the time and Boot/re-add every machine to the domain. The latter being the most timely, but it’s really easy.
That’s my experience at least.
I have 120 PCs in my environment - I would never want to roll back AD and have to run around like a chicken with my head cut off rejoining those to my domain.
Local admin account, PowerShell, SSH.... five minutes to fix
-
@G-I-Jones said in Exchange 2016 Install Issue:
And if you have so few machines that you don't mind rejoining them all - then really - just start over. There is zero benefit to sticking with an AD that has any potential to have problems.
My point is that rolling back the AD to when I first built it (pre-Exchange) would both be starting over and give me the peace of mind that it’s a fresh server with no potential problems.
Jumping in late, but is that better than starting over from scratch?
-
@G-I-Jones said in Exchange 2016 Install Issue:
I have 120 PCs in my environment - I would never want to roll back AD and have to run around like a chicken with my head cut off rejoining those to my domain.
I hear you on this, as I’ve got a bit more than that to deal with myself in terms of numbers. Wouldn’t I have to do that anyway if making a new AD? I feel like the process would be the same save a time change.
Oh yeah, starting over either way. For sure.
-
@scottalanmiller said in Exchange 2016 Install Issue:
Local admin account, PowerShell, SSH.... five minutes to fix
I need that script
-
@G-I-Jones said in Exchange 2016 Install Issue:
@scottalanmiller said in Exchange 2016 Install Issue:
Local admin account, PowerShell, SSH.... five minutes to fix
I need that script
Do you already have a local admin account on each machine that is working and SSH enabled?
-
Also, something like SaltStack or Ansible would enable this.
-
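Pulling together the two technical points raised above (Kerberos time skew from the "AD is extremely time sensitive" post and the "local admin account, PowerShell" mass fix), here is an added example of how an admin would check and repair each PC's trust relationship after a DC restore; it is not a script any poster in this thread supplied. It assumes WinRM is reachable on each PC (the thread notes remote PowerShell is off by default), the admin workstation's TrustedHosts allows local-account auth to these machines, `hosts.txt` is a constructed host list, and `corp.example.local`-style domain details come from the prompted credentials rather than being hard-coded.

```powershell
# Added example, not a script any poster supplied. Assumes: WinRM reachable on each PC,
# the admin workstation trusts these hosts for local-account auth, and a working local
# admin account on every machine (the "local admin + PowerShell" approach from the thread).
param(
    [string[]]$ComputerName = (Get-Content .\hosts.txt),   # constructed: one hostname per line
    [pscredential]$LocalAdmin = (Get-Credential -Message 'Local admin on each PC'),
    [pscredential]$DomainAdmin = (Get-Credential -Message 'Domain account allowed to reset machine accounts')
)

$results = foreach ($pc in $ComputerName) {
    try {
        Invoke-Command -ComputerName $pc -Credential $LocalAdmin -ErrorAction Stop `
            -ArgumentList $DomainAdmin -ScriptBlock {
            param($DomCred)
            # Kerberos rejects tickets outside the skew window (5 minutes by default), so
            # sync the clock against the domain hierarchy before touching the trust.
            $null = w32tm /resync /nowait
            # $false means the local machine-account password no longer matches the
            # (restored) DC's copy, which is exactly what an AD rollback causes.
            $healthy = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
            if ($healthy) {
                $status = 'ok'
            } else {
                # Reset the machine-account password on both sides in place. This fails if
                # the computer object does not exist in the restored AD at all (joined after
                # the snapshot), in which case a real rejoin is needed.
                $healthy = Test-ComputerSecureChannel -Repair -Credential $DomCred -ErrorAction SilentlyContinue
                $status = if ($healthy) { 'repaired' } else { 'rejoin-needed' }
            }
            [pscustomobject]@{ Computer = $env:COMPUTERNAME; Domain = $env:USERDNSDOMAIN; Status = $status }
        }
    } catch {
        # Unreachable host or bad local credentials land here instead of aborting the loop.
        [pscustomobject]@{ Computer = $pc; Domain = $null; Status = "failed: $($_.Exception.Message)" }
    }
}

$results | Sort-Object Status | Format-Table -AutoSize
# Only machines marked rejoin-needed still need a hands-on Add-Computer afterwards.
$results | Export-Csv -NoTypeInformation .\rejoin-results.csv
```

Drop the `-Repair` line to get a read-only inventory of which machines are broken before changing anything.
-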
@scottalanmiller said in Exchange 2016 Install Issue:
@Dashrender said in Exchange 2016 Install Issue:
@G-I-Jones said in Exchange 2016 Install Issue:
@Dashrender said in Exchange 2016 Install Issue:
@G-I-Jones said in Exchange 2016 Install Issue:
@JaredBusch please elaborate.
AD is extremely time sensitive. By default, a domain-joined PC whose time is off by more than 5 mins from the AD server cannot authenticate, because the server will think it's being attacked.
Computers also generate their own passwords for connectivity to AD - and they update these passwords completely autonomously. So any machine that has updated to a new password since your snapshot would no longer work on the domain.
There is a process for restoring an old version of AD into a network - but it is rather complex (and something I've never done or seen done).
I literally just rolled back my AD/DC a week ago. The process was very smooth. You just change the time and Boot/re-add every machine to the domain. The latter being the most timely, but it’s really easy.
That’s my experience at least.
I have 120 PCs in my environment - I would never want to roll back AD and have to run around like a chicken with my head cut off rejoining those to my domain.
Local admin account, PowerShell, SSH.... five minutes to fix
True enough. Assuming remote PowerShell is enabled - which I'm pretty sure it's not by default.
-
@scottalanmiller said in Exchange 2016 Install Issue:
@G-I-Jones said in Exchange 2016 Install Issue:
And if you have so few machines that you don't mind rejoining them all - then really - just start over. There is zero benefit to sticking with an AD that has any potential to have problems.
My point is that rolling back the AD to when I first built it (pre-Exchange) would both be starting over and give me the peace of mind that it’s a fresh server with no potential problems.
Jumping in late, but is that better than starting over from scratch?
Exactly! What is this pre-Exchange restore point? Frankly, unless that was yesterday, why do you still have that?