Tuesday, October 5, 2010

A Little Studying Goes a Long Way

It’s been one of those weeks again, and it’s only Tuesday.  Ooh boy.  One of the interesting patterns I’m seeing is an uptick in people hitting me up for help with various AD things.  I need help also, but I will get to that later.  One question was from a former colleague trying to introduce a new 2008 R2 domain controller into his 2003 AD forest.  I had to help walk him through getting his ingredients in order before putting the pans in the oven.

Here’s a tip on that end: don’t rush it!  When you bump your functional levels to native mode, give it a little time to settle out before bumping more things around.  In this case, he was running in 2000 mode, so he needed to get to 2003 native mode first.  Then run ADPREP /forestprep and then /domainprep and /gpprep, blah blah.  But whatever you do, don’t run ADPREP within a few seconds after having raised the functional forest and domain levels.  Not a good idea.  Thankfully he held off.  But if he hadn’t reached me by phone first, he likely would have.
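
One way to check that the level change has actually settled on every DC before touching ADPREP. This is an added example, not the commands used in the case described above. DC=example,DC=com is a placeholder for the forest root domain, and it assumes a single-domain forest and a machine that has netdom and repadmin available (Support Tools on 2003).

```bat
@echo off
REM Added example: pre-flight checks before running ADPREP.
REM ROOT is a placeholder; set it to your own forest root domain DN.
set ROOT=DC=example,DC=com

REM 1. Find the role holders. /forestprep is run on the schema master,
REM    /domainprep on the infrastructure master.
netdom query fsmo

REM 2. Ask EVERY domain controller what level it thinks the forest and
REM    domain are at. msDS-Behavior-Version 2 = Windows Server 2003,
REM    ntMixedDomain 0 = native mode. If any DC still reports the old
REM    values, the change has not replicated to it yet.
for /f "delims=" %%d in ('dsquery server -o rdn') do (
    echo ==== %%~d ====
    dsquery * "CN=Partitions,CN=Configuration,%ROOT%" -s %%~d -scope base -attr msDS-Behavior-Version
    dsquery * "%ROOT%" -s %%~d -scope base -attr msDS-Behavior-Version ntMixedDomain
)

REM 3. Push pending changes from this DC across all partitions and sites.
repadmin /syncall /AdeP

REM 4. Look for replication failures. Any non-zero "fails" count in the
REM    summary, or a non-zero "Number of Failures" column in the CSV,
REM    means stop and fix replication first.
repadmin /replsummary
repadmin /showrepl * /csv > showrepl.csv

REM 5. Only when steps 2 and 4 come back clean, run these by hand from the
REM    \support\adprep folder of the 2008 R2 media, repeating steps 3 and 4
REM    between them:
REM      adprep /forestprep
REM      adprep /domainprep /gpprep
```

The ADPREP lines are left commented out on purpose so the script only reports and never changes the schema by itself.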

Another issue was helping another acquaintance move FSMO roles around to avoid potential hardware failure impacts on older servers, while paying special care to put them on servers in well-connected sites to avoid replication problems.

Another issue, for yet another former colleague (I try to be careful with “friend” since most people I know are colleagues and acquaintances rather than true “friends”, but that’s not a bad thing) who was running some domain controllers on physical machines and others in virtual machines.  That can be interesting if you don’t read up on what to watch out for.

I suppose the case in point is that Google can be your friend.  Or it can be your biggest frustration.  But regardless of web searches (Bing, Yahoo! or whatever you prefer) having some books around can be a big help.  One of these days I’m buying a Kindle or some other decent (and affordable) book reader.  It’s MUCH easier to search through ebooks than a physical book shelf.

An interesting side note, and one I’ve commented on before, is the unique contrast between how much need there is for Active Directory troubleshooting knowledge, against the almost zero job potential for that skillset.  If you bundle it with Exchange, SharePoint and maybe IIS, it becomes marketable. But all the focused AD knowledge and experience in the world isn’t very marketable in and of itself.  It’s becoming a tier 1 skillset: Something tied more to sys-admins than to system engineers or systems architects, etc.  Even more ironic is that the vast majority of problems I’ve seen with AD environments can be nailed directly onto the foreheads of systems architects and systems engineers.  They often downplay the importance of AD in a logical, topological sense.  Especially as it relates to sites, site links and the modeling of security boundaries for policy-based management.

That’s where books are best suited.  Don’t buy just one.  I’ve never seen a single book cover enough of a given technology subject to really be helpful.  At least two or three on the same subject (by different authors) is what I recommend.  My wife hates that, of course, because my book shelf is a mess.  Hence the desire for a Kindle.  Maybe when I catch up on bills that’ll happen.  Oh wait a minute, I just told a joke?  Catching up on bills?!  Ha ha ha hahha aah oweor wefijoelkfjlfksdlksowierjwo…hrmph..uh.. (cough cough, gasp…)  Ok, I’m back.

Now, for the issue [I] need help with (anyone?):  One of my 2008 R2 domain controllers fails to display Roles and Features in the Server Manager console.  The MMC console opens and it says it’s “collecting data…” and it pauses forever, then says “error” and it can’t display them…


The event log shows the following error information…

Source: ServerManager
EventID: 1601
Level: Error
OpCode: Info
Log Name: Microsoft-Windows-ServerManager/Operational

General:

Could not discover the state of the system. An unexpected exception was found:
System.Runtime.InteropServices.COMException (0x800706BE): The remote procedure call failed. (Exception from HRESULT: 0x800706BE)
   at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
   at Microsoft.Windows.ServerManager.ComponentInstaller.CreateSessionAndPackage(IntPtr& session, IntPtr& package)
   at Microsoft.Windows.ServerManager.ComponentInstaller.InitializeUpdateInfo()
   at Microsoft.Windows.ServerManager.ComponentInstaller.Initialize()
   at Microsoft.Windows.ServerManager.Common.Provider.RefreshDiscovery()
   at Microsoft.Windows.ServerManager.LocalResult.PerformDiscovery()
   at Microsoft.Windows.ServerManager.ServerManagerModel.CreateLocalResult(RefreshType refreshType)
   at Microsoft.Windows.ServerManager.ServerManagerModel.InternalRefreshModelResult(Object state)

Clicking the Event Lookup link (TechNet) shows no help at all.  I’ve tried most of the suggestions I found from web searches, but nothing seems to help.  This one looked like it was close (http://social.technet.microsoft.com/Forums/en-US/winservermanager/thread/ae211676-4858-4b03-9360-280ab3dacd6f) but it didn’t help either.

However, this led me down another rat hole…

To replace in-process service packages you have to run the request in the SYSTEM context.  One of the age-old ways to insert yourself into the SYSTEM context is (or was) to use the AT command (example: at HH:MM /interactive cmd.exe) but this doesn’t work on 2008 R2.  You get this…

C:\Windows\servicing\Packages>at 20:42 /Interactive cmd.exe
Warning: Due to security enhancements, this task will run at the time expected but not interactively.
Use schtasks.exe utility if interactive task is required ('schtasks /?' for details).
Added a new job with job ID = 1

Bummer #1.  So I used SCHTASKS instead and…

schtasks /create /tn "CmdShell" /tr cmd.exe /ru "SYSTEM" /st 20:49 /sc ONCE

Bummer #2 = This will not open interactively on 2008 R2. 

Then came the suggestion to make a new service using the sc.exe command…

sc create cmdshell type= own type= interact binpath= "cmd.exe /k"

It prompts you to “View” the program’s message.  When you click that it opens a secure desktop shell and hides the previous desktop entirely.  You can interact through that, but oh man is that a pain.

Bummer #3

Which, as my blog’s name alludes to, reminded me to ask this question: Why the **** doesn’t Microsoft just stop and take a few weeks to clean up their command syntax structures?  Forget PowerShell.  I’m not running through a bunch of PowerShell to do things that utilities like SCHTASKS do very well as-is.  But note the spaces after the “=” in the SC command.  They matter!  Is this not retarded?!

Where was I?  Oh yeah, my stupid Server Manager console on this one DC refuses to be nice and help with roles and features.  I’m close to nuking the ****ing thing and replacing it.  I’m so frustrated, that I’m ready to just outright NUKE it, use ntdsutil to seize its roles and blow it out of the partition with adsiedit.  Yep.  I’m that pissed.  It’s annoying the crap out of me.  Any suggestions are welcome (besides Xanax and sleep).
