Download HKCRScan.exe tool for troubleshooting MS Article ID 823159
Users were getting an "HTTP/1.1 503 Service Unavailable" on both https://<servername>/Exchange and https://<servername>/Public, and on https://<servername>/microsoft-server-activesync they got a login prompt and then an "HTTP 501/HTTP 505".
The tool below should be run from the command prompt. It should identify and remove registry keys over the 259 character limit. It will kick back any errors. If you have null keys (keys that are faulty but unremovable), you can use RootkitRevealer from Sysinternals and get rid of them. I understand that RegDelNull can do something similar, but in this case, it was a corrupt key, not a key with null characters.
In my case, the affected key was relating to the driver for the Intel storage controller (VEN_8086&DEV_24D3&SUBSYS_458015D9&REV_02). Not cool. I could not delete or rename the key and could not set/view permissions on it. Ran RootkitRevealer, which caused a stop error/reboot (crap) but successfully removed the key. IN OTHER WORDS, DO NOT DO THIS IF YOU DO NOT HAVE A TESTED BACKUP.
"To help troubleshoot this issue, run the HKCRScan tool (HKCRScan.exe). The HKCRScan tool enumerates the HKEY_CLASSES_ROOT registry hive to locate subkeys that contain more than 259 characters. Additionally, HKCRScan helps determine if there is an invalid discretionary access control list by returning error code 0x5. This error code means "Access denied" when it enumerates a registry key. The HKCRScan tool is an internal tool developed by Microsoft."
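A read-only PowerShell version of the scan that the quoted description outlines, added here as an example; it is not HKCRScan and not Microsoft's code. It assumes the 259-character limit applies to the subkey path below HKEY_CLASSES_ROOT, the function name `Find-HkcrProblemKeys` is hypothetical, and it only reports findings without deleting anything.

```powershell
# Added example (not HKCRScan): read-only walk of HKEY_CLASSES_ROOT.
# Assumption: "more than 259 characters" is measured on the subkey path below HKCR.
function Find-HkcrProblemKeys {
    param([int]$MaxLength = 259)

    $root  = [Microsoft.Win32.Registry]::ClassesRoot
    # Explicit stack instead of recursion, so very deep trees cannot overflow the call stack.
    $stack = New-Object 'System.Collections.Generic.Stack[string]'
    $stack.Push('')

    while ($stack.Count -gt 0) {
        $path = $stack.Pop()
        $key  = $null
        try {
            # Open read-only ($false = not writable); the hive root is already open.
            $key = if ($path -eq '') { $root } else { $root.OpenSubKey($path, $false) }
            if ($null -eq $key) { continue }   # key disappeared since it was listed

            foreach ($name in $key.GetSubKeyNames()) {
                $child = if ($path -eq '') { $name } else { "$path\$name" }
                if ($child.Length -gt $MaxLength) {
                    [pscustomobject]@{ Issue = 'TooLong'; Length = $child.Length; Path = $child }
                }
                $stack.Push($child)
            }
        }
        catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
            # Corresponds to the "Access denied" (0x5) case in the quoted description.
            [pscustomobject]@{ Issue = 'AccessDenied (0x5)'; Length = $path.Length; Path = $path }
        }
        catch {
            # Anything else (corrupt key, name rejected by .NET) is reported, not hidden.
            [pscustomobject]@{ Issue = "Error: $($_.Exception.Message)"; Length = $path.Length; Path = $path }
        }
        finally {
            if ($key -and $path -ne '') { $key.Close() }
        }
    }
}

# Run from an elevated prompt so permission errors reflect the ACL, not the session.
Find-HkcrProblemKeys | Sort-Object Issue, Path | Format-Table -AutoSize -Wrap
```

Reviewing this output before running any tool that removes keys shows exactly which keys would be affected.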
Weird Problem of the Day: Windows 2008 R2 and Windows 2003 DCs Not Replicating
OK, one of our techs was onsite upgrading a basic single server DC/File Server/App Server. He joined the server to the domain, promoted it and ensured that the files in the sysvol share were replicating. Everything looked fine. He transferred the FSMO roles, again without error. When he ran the dcpromo on the old server to demote it, he got an error saying that
"The directory service was unable to transfer ownership of one or more floating single-master operation roles to other servers"
Weird. So I had him do all the normal steps, moving FSMO back and forth, waiting 15 minutes, restarting netlogon and FRS services. Nothing helped. FRS was running, stuff was replicating, but apparently something was still missing.
Running "repadmin /showreps" yielded a few errors:
"Last attempt @ 2009-11-12 18:45:37 failed, result 1256 (0x4e8): The remote system is not available. For information about network troubleshooting, see Windows Help."
Bottom line, R2 and 2003 servers sometimes have security problems replicating between them. There is a hotfix, probably the worst-titled one in history, to fix it.
Crap huh? No way you would find that if you were searching for a problem with AD replication. There is a tiny note in there that one of the problems you might experience is replication-related. So we requested and ran the hotfix, rebooted and magically dcpromo worked as the maker intended it to. I hope that this makes it into a service pack or critical update at some point soon, because we have a lot of Windows 2003 servers that are eventually going to need to be replaced.