Solved

Adding a second Exchange 2000 server

Posted on 2003-10-21
Last Modified: 2008-02-01
We are an educational institution and they now want a second Exchange server for the students. They want the students to be able to see certain people in the administrative address book and vice versa.

What would be suggested as far as the configuration is concerned for the student exchange server?

Should I install it into the same organization as the admin server? Or should I install it into its own org?
Question by:mmurfmis
32 Comments
 

Author Comment

by:mmurfmis
Also, the existing admin server is installed in the forest domain, the student accounts in AD are in a child domain.

Example:

admin.edu (administrative Exchange server and accounts)
    |
    |
students.admin.edu (student accounts)
0
 
LVL 4

Expert Comment

by:subsoniq
A new org would require a new Active Directory forest, and the 2 servers wouldn't be able to share anything such as address lists or calendaring info, so you should set it up in the same org/admin group.  As for having different Global Address Lists for each group that would have some people be in both, I would suggest you look at the ASP Deployment guide that Microsoft released when Exchange 2000 first came out, it handles situations like this through the use of custom attributes on each mail enabled object and custom GALs that use LDAP queries based on those custom attributes.

http://www.microsoft.com/serviceproviders/whitepapers/exchange_2000_ASP_deploykit.asp
0
 

Author Comment

by:mmurfmis
Also we don't want them to be able to receive mail @ourdomain.com we want them to receive mail @students.ourdomain.com. How is this done?

Did you see my comment above? Is this going to be possible with the students being in a child domain of the existing exchange/AD forest?
0
 
LVL 4

Expert Comment

by:subsoniq
A recipient policy based on the above mentioned custom attributes that stamps them with @students.ourdomain.com email addresses instead of @ourdomain.com addresses, also covered in the ASP deployment guide I believe.
0
 
LVL 26

Expert Comment

by:Vahik
U have two options after what subsoniq suggested, which is to put the second server in the same Exchange organization. First option will be to put each Exchange in a different routing group and connect each other with an SMTP connector and then restrict users on the new server to send messages to the old server. U can also restrict which public folders, if any, they (students) may have access to.

If ur goal is to just split ur global address list, then u have to go to ur Exchange System Manager and delete ur default GAL and create two new ones: one for users on the first Exchange, which u can call admins, and one for students, which u can call students. Beforehand u must create two OUs and one group in each OU (u can call them admins and students). Move admins to the admin OU\group and students to the students OU\group. Now in ur Exchange System Manager\students GAL security box, delete the authenticated and everyone groups and add just students and give them list content permission. If u want the admin group also to see this GAL, then add them also. Do the same for the admin GAL and make sure not to include students. This is ur second option.

As far as students being able to send and receive under @students.domain.com, u must have that name registered and the MX record must point to ur public IP address, in addition to a recipient policy.
0
 
LVL 4

Expert Comment

by:subsoniq
One thing to remember is that this is not going to be an easy project, I would suggest sending someone to exchange training, or at least buying some good books and reading them cover to cover.  Also set up a lab to test all of this in before trying to do it in production.
0
 

Author Comment

by:mmurfmis
Vahik,

Very good point, we do not want them to see our Public folders either. I guess I could do that with an ACL. The students already have their own OU in a child domain of the forest. I know how to restrict the GAL because I already do that now with our admin server, separating a training mail group on the same server as the admin. I just want to make sure I can do everything I want to do with adding a second server to the org using users in a child domain.
0
 
LVL 26

Expert Comment

by:Vahik
U can do that with an ACL, or just don't create instances of ur public folders on the second server and do not allow public folder referrals on ur SMTP connectors. Now u must remember that no matter how many domains u may have, u will have one Exchange organization and one public folder tree. U won't have any problems with this setup and it is very flexible. U can always take out the SMTP connectors and put all the servers in the same routing group if the need arises. Call back if need more help.
0
 

Author Comment

by:mmurfmis
Ok guys, I am having a problem with the install of the second server. As I said, this is being installed in a child domain. The existing admin Exchange server is in the parent domain, so I think I am having a rights issue.

Here is the error I am receiving when it is trying to start the SA

Event ID 9157
Microsoft Exchange System Attendant does not have sufficient rights to read Exchange configuration objects in Active Directory. System attendant will try again in approximately one minute.
0
 
LVL 26

Expert Comment

by:Vahik
Did u run domain prep in ur child domain before u ran the Exchange setup?
0
 

Author Comment

by:mmurfmis
Yes, I ran domain prep and forest prep prior. I guess now thinking about it I didn't need to run forest.

I followed this article and it didn't help.

As per Microsoft: "This behavior can occur if the computer account for the Exchange Server computer has been deleted, lost or does not have Full Control permissions to the Exchange Server computer object in Active Directory". See Q297295 for more details

I checked the schema through ADSI and all the objects are there and seem to be ok. It just hangs on starting the System Attendant.

The server I am installing this on is in the child domain, but I logged into the machine as my Exchange admin for my admin Exchange server and then installed Exchange. I don't think that would matter though.

Any thoughts?
0
 

Author Comment

by:mmurfmis
I am stuck here, I have tried to add all the proper rights where they should be. It just will not start the services.

Any ideas?
0
 
LVL 4

Expert Comment

by:subsoniq
Put it in the same domain as the other server, just have the students' AD accounts in that child domain.
0
 

Author Comment

by:mmurfmis
Does it need to be in the same domain?

I would think that this would be possible.
0
 
LVL 4

Expert Comment

by:subsoniq
I don't know off the top of my head, but the ASP I used to work for had all the Exchange servers in the same domain, a domain restricted to servers, and user accounts in domains in other forests.  We also had a child domain in that same forest where employee accounts were kept.  We followed the MS ASP Deployment Guide that I mentioned earlier.
0
 

Author Comment

by:mmurfmis
I don't think this is possible because of the domain trusts. I can see the Exchange Domain Servers and Enterprise servers in both domains but I cannot see Exchange Services in both. And when I try to add the Exchange server from the child domain into the services group on the parent domain it doesn't work.
0
 
LVL 24

Expert Comment

by:David Wilhoit
Exchange Domain server group is local to each domain. A new domain would have a new group, and this would be part of the Enterprise group. Now, my feeling on this is that you need to be schema admins to get this installed, although schema has already been done, exchange will not allow this to proceed, I believe this behavior has changed in 2003. The domain account you're using needs to be made part of the enterprise and schema admins group, if only for a little while.

D
0
 

Author Comment

by:mmurfmis
Vahik,

Are you referring to the account I am installing this with? Because I logged into the parent domain on the Exchange server that is in the child domain and installed Exchange. This account is used as the Exchange admin for the parent domain and is a part of the schema admin group. So I am not sure what you are referring to?
0
 

Author Comment

by:mmurfmis
I meant to say Kidego on that last one, sorry D. I am working on so many things at once I get lost at times.

Kidego, look at the error. I don't have a system attendant account on my child domain.

Event ID 9157
Microsoft Exchange System Attendant does not have sufficient rights to read Exchange configuration objects in Active Directory. System attendant will try again in approximately one minute.

And I have followed this
As per Microsoft: "This behavior can occur if the computer account for the Exchange Server computer has been deleted, lost or does not have Full Control permissions to the Exchange Server computer object in Active Directory". See Q297295 for more details
0
 
LVL 24

Expert Comment

by:David Wilhoit
OK, hold on. The SA error you're getting, new server or existing server? Second, existing server is in child domain, correct? 3rd, the account you're logging in with now to the child domain, it's a member of the enterprise and schema admins group? Make sure that this computer account is a member of the Exchange domain servers group. We aren't offbase here, just a little misunderstanding of terms.

There is no specific SA account, all E2K services start with the local system account. That's why I say that your account doesn't have the perms it should. But just to be sure the computer account is solid. Your account in the child domain must have certain rights.
0
 
LVL 24

Expert Comment

by:David Wilhoit
Here, in case you haven't seen this...

http://support.microsoft.com/default.aspx?scid=kb;en-us;236146

D
0
 

Author Comment

by:mmurfmis
Kidego:

The error is on the new server. Yes the second server is being installed into the child domain. And yes the account I am logging in with is a member of both enterprise admins and schema admins. Each exchange server is a part of its own Exchange Domain server group.

I followed that 236146 doc and I did everything the way it says there. This is strange??
0
 
LVL 24

Expert Comment

by:David Wilhoit
Yes, very. Sounds like there is something awry. Run netdiag /v and port it out to a text file, see if there are any errors. Have you tried to reset the computer account on the new server, and rebooting? DON'T do this if this is a DC or GC.

D
0
 

Author Comment

by:mmurfmis
That's what I was just thinking because these damn Dells have their own setup and I added the server to the domain through that.

Is resetting the account through AD the same as removing it manually on the server itself and then re-adding it?
0
 

Author Comment

by:mmurfmis
I reset the account and then re-added it to the domain and it is still happening. So you are saying with Exchange 2000 there is NO System Attendant mailbox/account? I am just trying to find out why it doesn't have proper rights.
0
 
LVL 24

Expert Comment

by:David Wilhoit
No, didn't say that. There is an SA mailbox, just not a service account as before. All Exchange 2000 services start as local system account. Could be a problem with your child domain and having rights in the parent. I'll revisit this later this eve....

D

0
 

Author Comment

by:mmurfmis
Kidego, there are no mailboxes at all in the child domain.
0
 
LVL 24

Accepted Solution

by:
David Wilhoit earned 500 total points
ok, that's fine. I don't really care about the SA mailbox. I'm talking about why the server will not install in the child. tell you what, zip the setup log for Exchange, and send it to me. I'll review it for errors, cool?

D
0
 

Author Comment

by:mmurfmis
Sure, should I send this to the email address I know for you?
0
 

Author Comment

by:mmurfmis
Thanks for the great work from Kidego we are up and running. But thanks to all for your help and suggestions.

The problem existed in Active Directory. The Exchange permissions were not propagating throughout the Exchange org. I had to use ADSI edit and give Exchange Domain Servers for the child domain the correct rights and manually propagate them down. For some reason possibly due to replication issues the Exchange Domain Servers group did not have Read and List contents, though it had the rest of the proper rights.
0
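The root cause reported in the comment above (the child domain's Exchange Domain Servers group lacking Read and List Contents, and rights not propagating down) can be checked offline against an exported security descriptor. This is an added example, not code from the thread's participants: Python that parses an SDDL DACL string and reports which of the two rights a group lacks on the object and on its children. The SIDs, the sample DACL and the mapping of "Read" to the read-property bit are constructed assumptions.

```python
import re

# SDDL two-letter rights -> directory-service access-mask bits.
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000,
          "GR": 0x20094,   # generic read on AD objects = RC|LC|RP|LO
          "GA": 0xF01FF}   # generic all (full control) on AD objects
# Assumption: "Read" is checked as read-property (RP), "List Contents" as LC.
REQUIRED = {"Read": RIGHTS["RP"], "List Contents": RIGHTS["LC"]}

def pairs(s):
    """Split an SDDL flags or rights string into two-letter tokens."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def parse_dacl(sddl):
    """Yield (ace_type, flags, mask, object_guid, trustee) per DACL ACE."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        ace_type, flags, rights, obj_guid, _, trustee = ace.split(";")[:6]
        if rights.lower().startswith("0x"):
            mask = int(rights, 16)
        else:
            mask = 0
            for token in pairs(rights):
                mask |= RIGHTS[token]
        yield ace_type, pairs(flags), mask, obj_guid, trustee

def audit_group(sddl, sid):
    """Report which REQUIRED rights `sid` lacks on the object and on children."""
    on_object = on_children = denied = 0
    for ace_type, flags, mask, obj_guid, trustee in parse_dacl(sddl):
        if trustee != sid or obj_guid:   # other trustee, or object-specific ACE
            continue
        if ace_type == "D":              # simplification: any deny wins
            denied |= mask
        elif ace_type == "A":
            if "IO" not in flags:        # inherit-only does not apply to the object
                on_object |= mask
            if "CI" in flags:            # container-inherit reaches child objects
                on_children |= mask
    lacks = lambda granted: [n for n, b in REQUIRED.items() if not (granted & ~denied & b)]
    return {"missing": lacks(on_object), "not_inherited": lacks(on_children)}

# Constructed SIDs and DACL for illustration; not values from the thread.
PARENT_EDS = "S-1-5-21-1111111111-2222222222-3333333333-1105"
CHILD_EDS = "S-1-5-21-4444444444-5555555555-6666666666-1108"
SAMPLE_SDDL = f"D:AI(A;CI;RPLCLORC;;;{PARENT_EDS})(A;;WPCCDC;;;{CHILD_EDS})"
```

On the sample, `audit_group(SAMPLE_SDDL, CHILD_EDS)` lists both rights as missing and not inherited, while the parent group's ACE satisfies both checks.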
 

Author Comment

by:mmurfmis
I guess I can't increase this to more than 500
0
 
LVL 24

Expert Comment

by:David Wilhoit
no, not more than 500. don't worry about it, you may have more questions later this week, use your points then :)

D
0
