
Saturday, January 4, 2020

SFB Error: "Domain Not Ready" When Publishing Topology

Our Skype For Business environment has been running great for years and recently we went to add a SIP Trunk and the Topology Builder threw a bunch of errors about the domain not being ready.
This was very odd, since prepping the domain is the first step when installing SFB, and as I said, was done years ago.

From the looks of it, someone (another admin with too much power and little SFB knowledge) deleted a bunch of permissions...most likely the permissions for the various RTC and CS groups that are required on several AD OUs.

To check the full errors, click view logs in the topology builder results, or navigate to C:\Users\"yourusername"\AppData\Local\Temp\2\TopologyBuilder\"date-of-last-publish"

Drill down to the "Get Domain State" section and you'll get the following warnings:

Warning: Access control entry (ACE) Exchangeitup\RTCUniversalServerReadOnlyGroup; Allow; GenericRead; None; None
Warning: The access control entries (ACEs) on the object "users container" are not ready.
Warning: The access control entries (ACEs) on the domain "exchangeitup.com" are not ready.
Result: The domain is not ready.

Next, check the domain state in the SFB Management Shell, by running:

Get-CsAdDomain -Domain domain.com -Verbose

**Note** Change "domain.com" to your domain name.

You'll get the same errors, that the domain isn't ready:

Get-CsAdDomain -Domain exchangeitup.com -Verbose
VERBOSE: Creating new log file
"C:\Users\admin\AppData\Local\Temp\Get-CsAdDomain-10608f49-a1ea-477d-9f01-99fb610a450a.xml".
WARNING: Access control entry (ACE) Exchangeitup\RTCUniversalServerReadOnlyGroup; Allow; GenericRead; None; None
WARNING: The access control entries (ACEs) on the object "users container" are not ready.
WARNING: The access control entries (ACEs) on the domain "exchangeitup.com" are not ready.
WARNING: The domain is not ready.
LC_DOMAINSETTINGS_STATE_DISCOVERED, LC_DOMAINSETTINGS_STATE_ACCOUNTS_READY, LC_DOMAINSETTINGS_STATE_DOMAIN_ROOT_ACES_READY
VERBOSE: Creating new log file
"C:\Users\admin\AppData\Local\Temp\Get-CsAdDomain-10608f49-a1ea-477d-9f01-99fb610a450a.html".
WARNING: "Get-CsAdDomain" processing has completed with warnings. "4" warnings were recorded during this run.
WARNING: Detailed results can be found at
"C:\Users\admin\AppData\Local\Temp\Get-CsAdDomain-10608f49-a1ea-477d-9f01-99fb610a450a.html".
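
The warning text above can be parsed into records, so a scheduled check can report exactly which ACE is missing on which object before the next publish fails. This is an added example, not code from the original post: the function name ConvertFrom-CsAdDomainWarning is hypothetical, the sample input is constructed from the output shown above, and it assumes ACE lines are listed before the object they belong to and that the cmdlet writes them to the standard warning stream.

```powershell
# Added example (not from the original post). Turns Get-CsAdDomain warning
# text into objects so missing ACEs can be reported or alerted on.
function ConvertFrom-CsAdDomainWarning {
    param([Parameter(Mandatory)][AllowEmptyCollection()][string[]]$Message)

    $pending = @()   # ACE lines seen since the last "object ... not ready" line
    foreach ($line in $Message) {
        if ($line -match '^Access control entry \(ACE\)\s+(?<id>[^;]+);\s*(?<type>[^;]+);\s*(?<rights>[^;]+)(?:;\s*(?<rest>.*))?$') {
            $pending += [pscustomobject]@{
                Identity = $Matches.id.Trim()
                Type     = $Matches.type.Trim()
                Rights   = $Matches.rights.Trim()
                Other    = "$($Matches.rest)".Trim()   # trailing fields kept verbatim
                Object   = $null
            }
        }
        elseif ($line -match 'on the object "(?<obj>[^"]+)" are not ready') {
            # Assumption: ACE lines precede the object they belong to,
            # as in the output shown in the post.
            foreach ($ace in $pending) { $ace.Object = $Matches.obj; $ace }
            $pending = @()
        }
    }
    $pending   # ACE lines that were not followed by an object line
}

# Constructed sample: the warning messages from the Get-CsAdDomain run above.
$sample = @(
    'Access control entry (ACE) Exchangeitup\RTCUniversalServerReadOnlyGroup; Allow; GenericRead; None; None'
    'The access control entries (ACEs) on the object "users container" are not ready.'
    'The access control entries (ACEs) on the domain "exchangeitup.com" are not ready.'
    'The domain is not ready.'
)
ConvertFrom-CsAdDomainWarning -Message $sample | Format-Table -AutoSize

# Live use in the SFB Management Shell (warnings captured with -WarningVariable):
# Get-CsAdDomain -Domain domain.com -WarningVariable w | Out-Null
# ConvertFrom-CsAdDomainWarning -Message @($w | ForEach-Object { $_.Message })
```

An empty result from the live call means no ACE warnings were raised; any returned row names the group, the right, and the object to review.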

You'll also notice that, if you run the Deployment Wizard, it will show "Partial" for the domain readiness state:

Deployment Wizard Domain Partial


To fix it, we need to run "Enable-CsAdDomain -Domain domain.com"

**Note** Your admin account must be a member of Schema Admins in order to run the Enable-CsAdDomain cmdlet.

After it finishes (which takes all of 5 seconds), verify by running the Get-CsAdDomain cmdlet again...you should be error free and able to publish the topology now.

Get-CsAdDomain -Domain exchangeitup.com -Verbose
VERBOSE: Creating new log file
"C:\Users\admin\AppData\Local\Temp\Get-CsAdDomain-57c6af1d-610c-46cf-b1fe-3159c28f1429.xml".
LC_DOMAINSETTINGS_STATE_READY
VERBOSE: Creating new log file
"C:\Users\admin\AppData\Local\Temp\Get-CsAdDomain-57c6af1d-610c-46cf-b1fe-3159c28f1429.html".
VERBOSE: "Get-CsAdDomain" processing has completed successfully.
VERBOSE: Detailed results can be found at
"C:\Users\admin\AppData\Local\Temp\Get-CsAdDomain-57c6af1d-610c-46cf-b1fe-3159c28f1429.html".

**Note** Running Domain Prep seems to scare a lot of admins (we had to submit a change request and wait a week for it to be approved), because of the "extend schema" part. 
If you have previously run domain prep, running it again will not do anything to the schema, as it's already been extended. To see it in action, you can check the Enable-CsAdDomain logs in C:\Users\"youruser"\AppData\Local\Temp\Get-CsAdDomain-10608f49-a1ea-477d-9f01-99fb610a450a.html and you'll see that all it does is set the required permissions.

Domain Prep Results

Now, publish your topology in the Topology Builder (you can publish it with no changes to test) and it will come up clean with no errors, and run the Deployment Wizard and it will show the domain is ready:

Deployment Wizard Domain Ready

The last step is: tell whoever deleted the permissions to READ THE DESCRIPTION IN AD BEFORE DELETING THINGS! Yes, I'm yelling.
