Monday, November 7, 2011

Replacing Fiber Adapter (HBA) in IBM AIX 5.2.0 on p595

One of the LPARs running on our p595 servers started reporting errors on one of its two Fiber adapters (fscsi1) in the error report. The errors appeared as Type: TEMP, as shown below.
825849BF   1106105211 T H fcs1           ADAPTER ERROR
B8FBD189   1106105211 T S fscsi1         SOFTWARE PROGRAM ERROR

LABEL:          FSCSI_ERR6
IDENTIFIER:     B8FBD189

Date/Time:       Sun Nov  6 10:52:31 EST
Sequence Number: 872005
Machine Id:      XXXXXX
Node Id:        XXXXXXX
Class:           S
Type:            TEMP
Resource Name:   fscsi1

LABEL:          FCS_ERR2
IDENTIFIER:     825849BF

Date/Time:       Sun Nov  6 10:52:31 EST
Sequence Number: 873473
Machine Id:      XXXXXXXX
Node Id:         XXXXXXX
Class:           H
Type:            TEMP
Resource Name:   fcs1
Resource Class:  adapter
Resource Type:   df1000fa
Location:        U5791.001.992083W-P1-C05-T1
VPD:

Description
SOFTWARE PROGRAM ERROR

Probable Causes
ADAPTER MICROCODE
SOFTWARE PROGRAM
SOFTWARE DEVICE DRIVER

Failure Causes
ADAPTER MICROCODE
SOFTWARE PROGRAM
SOFTWARE DEVICE DRIVER

        Recommended Actions
        IF PROBLEM PERSISTS THEN DO THE FOLLOWING
        CONTACT APPROPRIATE SERVICE REPRESENTATIVE

This server was running DB2, and DB2 crashed around the same time we started getting these alerts. Found that DB2 crashed due to superblock corruption in the filesystem, which left DB2 unable to create files. Unmounted the filesystem and corrected the superblock corruption by copying the secondary superblock.
dd count=1 bs=4k skip=31 seek=1 if=/dev/LVXX of=/dev/LVXX
dd: 1+0 records in.
dd: 1+0 records out.
Contacted the SAN team to look into any SAN issues and they did not find any issues on the SAN.
Found that it works for a while, goes into a degraded state and eventually into the Failed state.
Placed a service call with IBM to replace the adapter, and replacing the adapter fixed the issue. Steps followed to replace the Fiber adapter:

  • datapath query adapter --- To identify the faulty or degraded adapter
Adpt# Name State Mode Select Errors Paths Active
0 fscsi1 FAILED ACTIVE 2059041211 711 20 0
1 fscsi3 NORMAL ACTIVE 231765446 37 20 18

  • datapath remove adapter 0 --- To remove the adapter from SDD
  • rmdev -Rdl fcs1 --- To remove the adapter from the ODM. This will also remove all child devices (hdiskXX). This step is not needed, as the Hot Plug Manager in the following step will do it for you; having the device still there makes it easier to identify
  • diag, choose Task Selection, Hot Plug Task, PCI Hot Plug Manager --- Tasks to replace the adapter
  • lscfg -vl fcs1 --- To identify the new WWN. Have the SAN team assign LUNs to this adapter
  • cfgmgr -vl fscsi1 --- Run cfgmgr to rediscover the deleted paths to the LUNs
    cfgmgr -v
  • addpaths --- Add paths to SDD
  • datapath query device --- Verify all LUNs have the same number of active paths
    datapath query adapter
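
A pre-removal check for the `datapath remove adapter` step, as an added example that is not part of the original post: it parses text in the `datapath query adapter` format shown above and only reports the adapter as removable when it carries no active paths and another adapter is still healthy. The function name `safe_to_remove` and the variable `ADAPTER_SAMPLE` are assumptions; the sample rows are the ones from this post.

```shell
#!/bin/sh
# Added example, not part of the original post.
# safe_to_remove NAME reads `datapath query adapter`-style text on stdin.
# Exit status: 0 = NAME has no active paths and another adapter is NORMAL
#              with active paths, 1 = unsafe to remove, 2 = NAME not listed.
safe_to_remove() {
    awk -v target="$1" '
        # Data rows start with the numeric Adpt# column; headers are skipped.
        $1 ~ /^[0-9]+$/ && NF >= 8 {
            if ($2 == target) {
                found = 1; idx = $1; state = $3; active = $8 + 0
            } else if ($3 == "NORMAL" && $8 + 0 > 0) {
                healthy++
            }
        }
        END {
            if (!found) {
                print target ": not listed"
                exit 2
            }
            if (active > 0) {
                print target ": still has " active " active paths"
                exit 1
            }
            if (healthy == 0) {
                print target ": no other NORMAL adapter with active paths"
                exit 1
            }
            print target ": state " state ", 0 active paths, " \
                  healthy " healthy adapter(s) remain, Adpt# is " idx
        }'
}

# Sample input: the adapter table shown in this post.
ADAPTER_SAMPLE='Adpt# Name State Mode Select Errors Paths Active
0 fscsi1 FAILED ACTIVE 2059041211 711 20 0
1 fscsi3 NORMAL ACTIVE 231765446 37 20 18'

# On the live system the input would be: datapath query adapter | safe_to_remove fscsi1
printf '%s\n' "$ADAPTER_SAMPLE" | safe_to_remove fscsi1
```

The same function run after `addpaths` against the surviving adapter's name shows whether it would now be safe to lose that one, which is a quick way to confirm redundancy is back.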

Saturday, August 6, 2011

AIX Commands

  1. ssa_ela -h 7 -- To get SRN status for SSA. Output:
    ssa0 SRN 45002
    enclosure0 SRN 80221
  2. lscfg -vl pdisk3 -- To get details of pdisk3
  3. lsdev -C -c pdisk -s ssar -H -- To list all pdisks, or use smit Devices -> SSA Disks -> SSA Physical Disks -> List All Defined SSA Physical Disks
  4. lsdev -C -t hdisk -c disk -s ssar -H -- To list SSA logical disks, or use smit Devices -> SSA Disks -> SSA Logical Disks -> List All Defined SSA Logical Disks
  5. smit -> SSA Disks -> SSA Physical Disks -> Show Physical to Logical SSA Disk Relationship, or:
    for i in $(lsdev -CS1 -c pdisk -s ssar -F name); do echo "$i: $(ssaxlate -l $i)"; done
  6. lsdev -P -H -- To list all devices in the Predefined Devices object class with column headers. The system displays a message similar to the following:
    class          type   subclass   description
    logical_volume vgtype vgsubclass Volume group
  7. To remove pdisk3, follow the steps below

    pdisk3, which is hdisk5
    Go into diags
    Task Selection (Diagnostics, Advanced Diagnostics, Service Aids, etc.)
    SSA Service Aids
    Set Service Mode
    <ServerName>:pdisk3
    Do Identify on pdisk3 to find out where it's located

    Once you find it, back out to the service mode menu again and do
    Set or Reset Service Mode on pdisk3

    This is when the drive light should come on solid and can be replaced
    Pull old drive out and put new drive in

    Then
    rmdev -l pdisk3 -d
    rmdev -l hdisk5 -d

    cfgmgr

    lscfg -vl pdisk3

    You should see the new pdisk3

Monday, July 25, 2011

RHEL 4-- NFS Setup

I was trying to set up an NFS share for the folder /NFS_PROJECT/SPECS on one of our servers (hostname: nfsserver) and have it automounted on the client, both running RHEL4 ES.
Checks and setup on the NFS server:

# rpm -qa nfs-utils --- To confirm that the NFS service is installed on the server. In the response shown below I found it installed; if it is not installed, install NFS with: yum install nfs-utils
nfs-utils-1.0.6-93.EL4
# service nfs status --- To confirm that the NFS services are running; they are running, as shown below. If the services are not running, start NFS with the command: /sbin/service nfs start
rpc.mountd (pid 26598) is running...
nfsd (pid 26594 26593 26592 26591 26588 26587 26586 26585) is running...
rpc.rquotad (pid 26581) is running...
Edit the /etc/exports file and include the folder to be shared. The following are the contents of /etc/exports after the change:
/NFS_PROJECT/SPECS      nfsclient1(rw,root_squash) nfsclient2(rw,root_squash)
/usr/sbin/exportfs -ra --- To export the added contents of the /etc/exports file. It re-exports all directories and synchronizes /var/lib/nfs/xtab with /etc/exports: it removes entries in /var/lib/nfs/xtab that have been deleted from /etc/exports, and removes any entries from the kernel export table that are no longer valid.
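
The export line above limits the share to two named clients and keeps root_squash. As an added example (not part of the original post), the following audit checks /etc/exports-style lines for the usual ways that restriction gets lost before `exportfs -ra` is run; the function name `audit_exports` and the `EXPORTS_BAD` variants are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post.
# audit_exports reads /etc/exports-style lines on stdin (one export per line,
# no backslash continuations), prints one finding per line and returns 1 if
# anything was flagged, 0 otherwise.
audit_exports() {
    awk '
        function flag(msg) {
            printf "line %d %s: %s\n", NR, path, msg
            findings++
        }
        NF == 0 || $1 ~ /^#/ { next }     # blank lines and comments
        {
            path = $1
            if (NF == 1)
                flag("no client list, so every host may mount it")
            for (i = 2; i <= NF; i++) {
                host = $i; opts = ""
                p = index($i, "(")
                if (p > 0) {
                    host = substr($i, 1, p - 1)
                    opts = substr($i, p + 1)
                    sub(/\)$/, "", opts)
                }
                opts = "," opts ","
                if (host == "")
                    flag("options " $i " follow a space, so they apply to every host")
                else if (host == "*")
                    flag("wildcard client " $i)
                if (index(opts, ",no_root_squash,"))
                    flag($i " lets remote root act as uid 0")
                if (index(opts, ",insecure,"))
                    flag($i " accepts requests from unprivileged source ports")
            }
        }
        END { exit (findings > 0 ? 1 : 0) }'
}

# The export line from this post: named clients, root_squash kept.
EXPORTS_GOOD='/NFS_PROJECT/SPECS      nfsclient1(rw,root_squash) nfsclient2(rw,root_squash)'

# Constructed variants of the same export that weaken it.
EXPORTS_BAD='/NFS_PROJECT/SPECS      nfsclient1 (rw,root_squash)
/NFS_PROJECT/SPECS      *(rw,no_root_squash)
/NFS_PROJECT/SPECS
/NFS_PROJECT/SPECS      nfsclient1(rw,insecure)'

printf '%s\n' "$EXPORTS_GOOD" | audit_exports && echo "exports line from the post: no findings"
printf '%s\n' "$EXPORTS_BAD" | audit_exports || echo "review the findings above before exportfs -ra"
```

On the server the input would be `audit_exports < /etc/exports`.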

The following actions were taken on the NFS client (hostname: nfsclient2):
Check the automount.master file for the key files; on client2, found that /misc is labelled and found the key file /etc/auto.misc. Edited the automount.misc, and the following is the entry after the edit:
nfstester -fstype=nfs,rsize=8192,wsize=8192,ro,soft nfsserver:/NFS_PROJECT/SPECS

That's it, the configuration is done. Check it out with:
cd misc
cd tester --- The NFS share got mounted as /misc/tester.





Monday, June 13, 2011

Windows Active Directory Migration from Windows 2000 to Windows 2008



Current Hardware: Intel Pentium III Processor, 767.52 MB RAM (.7 GB), 2x16 GB HDD

Current Roles on these Servers:
·         Active Directory
·         DNS for the Domain environment

Tasks:
·         Extend the Schema master (Active Directory) so that Windows 2008 can be a member server
  1. Copy adprep32.exe from the Windows 2008 DVD to the d:\adprep directory on the Windows 2000 DCs
  2. Log in to all domain controllers one at a time and run the following steps. This will prepare the Active Directory schema for Windows 2008 R2
  3. adprep32.exe /forestprep
  4. adprep32.exe /domainprep

Screen Output for adprep
ADPREP WARNING:
Before running adprep, all Windows 2000 Active Directory Domain Controllers in the forest should be upgraded to Windows 2000 Service Pack 4 (SP4) or later.
[User Action]
If ALL your existing Windows 2000 Active Directory Domain Controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.
C
Opened Connection to DCTEST






Note: Schema update from sch17 (Windows 2000) to sch47 for Windows 2008 R2 and sch44 for Windows 2008.
For Windows 2000 we might get error messages.


To resolve the issue, see http://support.microsoft.com/kb/329194
·  Create the Schema Update Allowed DWORD value in the following registry key, and then set the value to 1:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
For additional information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
216060  Registry Modification Required to Allow Write Operations to Schema
·  Create and run the Ipsec_acl_fix.vbs script. To do so:


Option Explicit

'**************************************************
'* ADS_RIGHTS_ENUM
'**************************************************
Const ADS_RIGHT_DS_READ_PROP = &H10&
const ADS_RIGHT_DS_LIST = &H4&
Const ADS_RIGHT_DS_LIST_OBJECT = &H80&
Const READ_CONTROL = &H20000&
Const ADS_RIGHT_DS_WRITE_PROP  = &H20&
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100&
Const ADS_RIGHT_DS_CREATE_CHILD =&H1&
Const ADS_RIGHT_DS_DELETE_CHILD = &H2&
Const WRITE_OWNER = &H80000&
Const WRITE_DAC = &H40000&
Const DELETE = &H10000&
Const ADS_RIGHT_DS_DELETE_TREE = &H40&
Const ADS_RIGHT_DS_SELF = &H8&

'**************************************************
'* ADS_ACETYPE_ENUM
'**************************************************

Const ADS_ACETYPE_ACCESS_ALLOWED = &H0&

'**************************************************
'* ADS_ACEFLAGS_ENUM
'**************************************************

Const CONTAINER_INHERIT_ACE = &H2&
Const OBJECT_INHERIT_ACE = &H1&

Const ADS_ACEFLAG_INHERIT_ACE = &H2&

'**************************************************
'* Check if a "IP Security" container exists and correct the
'* Acls for the container
'* 0 -> container exists, Success
'* 1 -> container doesn't Exist
'* 2 -> other failures
'*
'**************************************************
Function FixupIpsecContainerAcls(InputDomainDN, DomainShortName)

    Dim x, deletedAce, Dacl, hResult, ace1, RemoveFlags, sd, ace

    hResult = 0

    Set x = GetObject( "LDAP://cn=IP Security,cn=system," & InputDomainDN)
    if Err.Number <> 0 Then
        MsgBox "Container cn=IP Security,cn=system," & InputDomainDN & "does not exist"& " Error :" & Err.Number, vbCritical
        hResult = 1
    End If

    Set sd = x.Get("nTSecurityDescriptor")
    if Err.Number <> 0 Then
        MsgBox "Could not get nTSecurityDescriptor for cn=IP Security,cn=system," & InputDomainDN & " Error :" & Err.Number, vbCritical
        hResult = 2
    End If

    deletedAce = FALSE

    Set Dacl = sd.DiscretionaryAcl

    For Each ace In Dacl
        If(ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED) Then
            if (ace.AceFlags = 0) Then
                if(ace.Trustee = "NT AUTHORITY\Authenticated Users") Then
                    RemoveFlags = 0
                    RemoveFlags = ADS_RIGHT_DS_READ_PROP Or ADS_RIGHT_DS_LIST Or ADS_RIGHT_DS_LIST_OBJECT Or READ_CONTROL
                    If (ace.AccessMask AND RemoveFlags) <> 0 Then
                        Dacl.RemoveAce ace
                        deletedAce = TRUE
                    End If
                End If
            End If
        End If
    Next

    if deletedAce = FALSE Then
        MsgBox "ACE to remove rights for Authenticated users was not found or was changed from the default installation", vbExclamation
    End If

    set ace1 = CreateObject("AccessControlEntry")

    ace1.AceType = ADS_ACETYPE_ACCESS_ALLOWED
    ace1.AceFlags = CONTAINER_INHERIT_ACE OR OBJECT_INHERIT_ACE
    ace1.AccessMask = ADS_RIGHT_DS_READ_PROP OR ADS_RIGHT_DS_LIST OR ADS_RIGHT_DS_LIST_OBJECT OR READ_CONTROL
    ace1.Trustee = DomainShortName &"\Domain Computers"

    Dacl.AddAce ace1
    sd.DiscretionaryAcl = Dacl

    x.Put "nTSecurityDescriptor", Array(sd)
    x.SetInfo
    if Err.Number <> 0 Then
        MsgBox "There was an Error Adding ACls for cn=IP Security"& " Error :" & Err.Number, vbCritical
        hResult = 2
    End If

    FixupIpsecContainerAcls = hResult

End Function


'**************************************************
'* Clear the ACLs for all the IPSec objects so that
'* they inherit Acls from their container.
'*
'* 0 -> container exists, Success
'* 1 -> other failures
'*
'**************************************************
Function ClearIpsecObjectAcls(InputDomainDN)

    Dim ZeroAcl, obj(22), i

    set ZeroAcl = CreateObject("AccessControlList")

    obj(0) ="LDAP://cn=ipsecPolicy{72385230-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
    obj(1) ="LDAP://cn=ipsecISAKMPPolicy{72385231-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
    obj(2) ="LDAP://cn=ipsecNFA{72385232-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
    obj(3) ="LDAP://cn=ipsecNFA{59319BE2-5EE3-11D2-ACE8-0060B0ECCA17},cn=IP Security,cn=system," & InputDomainDN
    obj(4) ="LDAP://cn=ipsecNFA{594272E2-071D-11D3-AD22-0060B0ECCA17},cn=IP Security,cn=system," & InputDomainDN
    obj(5) ="LDAP://cn=ipsecNFA{6A1F5C6F-72B7-11D2-ACF0-0060B0ECCA17},cn=IP Security,cn=system," & InputDomainDN
    obj(6) ="LDAP://cn=ipsecPolicy{72385236-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
    obj(7) ="LDAP://cn=ipsecISAKMPPolicy{72385237-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
    obj(8) ="LDAP://cn=ipsecNFA{59319C04-5EE3-11D2-ACE8-0060B0ECCA17},cn=IP Security,cn=system," & InputDomainDN
    obj(9) ="LDAP://cn=ipsecPolicy{7238523C-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
    obj(10) ="LDAP://cn=ipsecISAKMPPolicy{7238523D-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
    obj(11) ="LDAP://cn=ipsecNFA{7238523E-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
    obj(12) ="LDAP://cn=ipsecNFA{59319BF3-5EE3-11D2-ACE8-0060B0ECCA17},cn=IP Security,cn=system," & InputDomainDN
    obj(13) ="LDAP://cn=ipsecNFA{594272FD-071D-11D3-AD22-0060B0ECCA17},cn=IP Security,cn=system," & InputDomainDN
    obj(14) ="LDAP://cn=ipsecNegotiationPolicy{59319BDF-5EE3-11D2-ACE8-0060B0ECCA17},cn=IP Security,cn=system," & InputDomainDN
    obj(15) ="LDAP://cn=ipsecNegotiationPolicy{59319BF0-5EE3-11D2-ACE8-0060B0ECCA17},cn=IP Security,cn=system," & InputDomainDN
    obj(16) ="LDAP://cn=ipsecNegotiationPolicy{59319C01-5EE3-11D2-ACE8-0060B0ECCA17},cn=IP Security,cn=system," & InputDomainDN
    obj(17) ="LDAP://cn=ipsecNegotiationPolicy{72385233-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
    obj(18) ="LDAP://cn=ipsecNegotiationPolicy{7238523F-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
    obj(19) ="LDAP://cn=ipsecNegotiationPolicy{7238523B-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
    obj(20) ="LDAP://cn=ipsecFilter{7238523A-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN
    obj(21) ="LDAP://cn=ipsecFilter{72385235-70FA-11D1-864C-14A300000000},cn=IP Security,cn=system," & InputDomainDN

    for i=0 To 21
        Dim x, hResult, sd, ace

        hResult = 0

        set x = GetObject(obj(i))
        if Err.Number = 0 Then
            Set sd = x.Get("nTSecurityDescriptor")
            if Err.Number <> 0 Then
                MsgBox "nTSecurityDescriptor could not be retrieved from " & obj(i) & " Error :" & Err.Number, vbCritical
                hResult = 1
            End If

            set ZeroAcl = sd.DiscretionaryAcl
            For Each ace In ZeroAcl
                ZeroAcl.RemoveAce ace
            Next
            sd.DiscretionaryAcl = ZeroAcl
            x.Put "nTSecurityDescriptor", Array(sd)
            x.SetInfo
            if Err.Number <> 0 Then
                MsgBox "Error setting Acls for " & obj(i) & " Error :" & Err.Number, vbCritical
                hResult = 1
            End If
        End If
    Next

    ClearIpsecObjectAcls = hResult

End Function

Function FixupSchemaObjectAcls(InputDomainDN)

    Dim ZeroAcl, obj(6), i, container, deletedDAAce, deletedSYAce, RemoveFlags, deletedAUAce, hResult

    hResult = 0

    set ZeroAcl = CreateObject("AccessControlList")

    container = "CN=Schema, CN=Configuration," & InputDomainDN
    obj(0) ="LDAP://cn=Ipsec-Base," & container
    obj(1) ="LDAP://cn=Ipsec-Filter," & container
    obj(2) ="LDAP://cn=Ipsec-ISAKMP-Policy," & container
    obj(3) ="LDAP://cn=Ipsec-Negotiation-Policy," & container
    obj(4) ="LDAP://cn=Ipsec-NFA," & container
    obj(5) ="LDAP://cn=Ipsec-Policy," & container

    for i = 0 To 5

        Dim x, sd

        Set x = GetObject( obj(i) )
        if Err.Number <> 0 Then
            MsgBox obj(i) & "does not exist"& " Error :" & Err.Number, vbCritical
            hResult = 1
        Else
            sd = x.Get("defaultSecurityDescriptor")
            x.Put "defaultSecurityDescriptor", "D:"
            x.SetInfo
            if Err.Number <> 0 Then
                MsgBox "Error setting defaultsecurityDescriptor for " & obj(i) & " Error :" & Err.Number, vbCritical
                hResult = 1
            End If
        End If
    Next

    FixupSchemaObjectAcls = hResult

End Function

Function IsSchemaUpdateAllowed()

    Dim WshShell, bKey

    Set WshShell = WScript.CreateObject("WScript.Shell")
    bKey = WshShell.RegRead("HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Schema Update Allowed")

    IsSchemaUpdateAllowed = bKey

End Function

'**************************************************
'* MAIN
'**************************************************

Dim Info
Dim dnsName, domainDN
Dim regOk, retVal1, retVal2, retVal3

MsgBox "This script attempts to correct the ACLs of IP Security related objects and schema in Active Directory. For this, it needs Schema changes be allowed through a registry Key."& vbcrlf & "Please read Q<KB #> and Q216060 for more details."

regOk = IsSchemaUpdateAllowed()
if regOk <> 1 Then
    MsgBox "The registry key to allow schema updates is not set. Please read Q216060 for more information." & vbcrlf & "The Script will stop processing. The ACL corrections have not been made.", vbExclamation
Else
    Set Info = CreateObject("AdSystemInfo")
    dnsName = Info.DomainDNSName
    domainDN = Replace(dnsName, ".", ",dc=")
    domainDN = "dc=" & domainDN

    retVal1 = FixupIpsecContainerAcls(domainDN, Info.DomainShortName)

    retVal2 = ClearIpsecObjectAcls(domainDN)

    retVal3 = FixupSchemaObjectAcls(domainDN)

    If retVal1 = 0 And retVal2 = 0 And retVal3 = 0 Then
        MsgBox "The ACL corrections for IPSec Objects on domain " & Info.DomainShortName & " Completed successfully." & vbcrlf & "You may now reset/delete the registry key that allows schema updates per Q216060"
    Else
        MsgBox "The ACL corrections for IPSec Objects on domain " & Info.DomainShortName & " Completed with some errors" & vbcrlf & "If you are not going to retry the operation, you may reset/delete the registry key that allows schema updates per Q216060"
    End If
End If

·  On the File menu, click Save, click All Files in the Save as type box, type ipsec_acl_fix.vbs in the File name box, specify a location where you want to save the file, and then click Save.
·  Quit Notepad.
·  Run the Ipsec_acl_fix.vbs script from a command prompt.
·  Delete the Schema Update Allowed registry value that you created in step 1.
Note: You can also use this procedure to modify the permissions of the IPSec policy of a Windows Server 2003 domain that you upgraded from Windows 2000, in the situation where the permissions of policy objects were not modified during the upgrade operation.


After the above script, run adprep /forestprep again; it should complete without any errors.




·         Install the new Windows 2008 server and join it to our production domain controller as a member server
·         Transfer the Active Directory and DNS roles to the new Windows 2008 server and bring the new Windows 2008 server up as one of the new directory servers.
·         Once we have checked and confirmed that the new domain controller is good, we can start on the other server.
·         Back-out plan: if the server doesn't work as we expected, bring down the server. There is no impact/outage to any of the services, as we have two domain controllers and we are migrating only one domain controller at a time.
·         Once the new domain controller is migrated, all the users will be authenticated via Windows 2008