mmurfmis

asked on

Adding a second Exchange 2000 server

We are an educational institution and they now want a second Exchange server for the students. They want the students to be able to see certain people in the administrative address book and vice versa.

What would be suggested as far as the configuration is concerned for the student exchange server?

Should I install it into the same organization as the admin server? Or should I install it into its own org?
mmurfmis

ASKER

Also, the existing admin server is installed in the forest domain, the student accounts in AD are in a child domain.

Example:

admin.edu(administrative Exchange server and Accounts)-----
                                                                                        |
                                                                                        |
                                                                     students.admin.edu(student accounts)
A new org would require a new Active Directory forest, and the 2 servers wouldn't be able to share anything such as address lists or calendaring info, so you should set it up in the same org/admin group.  As for having different Global Address Lists for each group that would have some people be in both, I would suggest you look at the ASP Deployment guide that Microsoft released when Exchange 2000 first came out, it handles situations like this through the use of custom attributes on each mail enabled object and custom GALs that use LDAP queries based on those custom attributes.

http://www.microsoft.com/serviceproviders/whitepapers/exchange_2000_ASP_deploykit.asp
Also we don't want them to be able to receive mail @ourdomain.com we want them to receive mail @students.ourdomain.com. How is this done?

Did you see my comment above? Is this going to be possible with the students being in a child domain of the existing exchange/AD forest?
A recipient policy based on the above mentioned custom attributes that stamps them with @students.ourdomain.com email addresses instead of @ourdomain.com addresses, also covered in the ASP deployment guide I believe.
You have two options after what subsoniq suggested, which is to put the second server in the same Exchange organization. The first option will be to put each Exchange server in a different routing group, connect them to each other with an SMTP connector, and then restrict users on the new server from sending messages to the old server. You can also restrict which public folders, if any, they (students) may have access to.

If your goal is to just split your global address list then you have to go to your Exchange System Manager and delete your default GAL and create two new ones, one for users on the first Exchange server (you can call it admins) and one for students (you can call it students). Beforehand you must create two OUs and one group in each OU (you can call them admins and students). Move admins to the admin OU/group and students to the students OU/group. Now in your Exchange System Manager, in the students GAL security box, delete the Authenticated Users and Everyone groups and add just students and give them List Contents permission. If you want the admin group also to see this GAL then add them as well. Do the same for the admin GAL and make sure not to include students. This is your second option.

As far as students being able to send and receive under @students.domain.com, you must have that name registered and an MX record must point to your public IP address, in addition to a recipient policy.
One thing to remember is that this is not going to be an easy project, I would suggest sending someone to exchange training, or at least buying some good books and reading them cover to cover.  Also set up a lab to test all of this in before trying to do it in production.
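Whichever of the two approaches above is used (custom-attribute LDAP filters as in the ASP guide, or separate GALs), the address list filter is worth previewing before it is created. The following is an added example, not code from this thread or from Microsoft; it assumes students are stamped with extensionAttribute1 = "Student" and that it is run per domain, since the Recipient Update Service evaluates address list filters per domain:

```powershell
# Added example: preview which mail-enabled objects a custom-attribute address
# list filter would match, and flag any whose primary SMTP address is still
# outside the student domain (i.e. the recipient policy has not stamped them).
# Assumptions: the tagging attribute/value and the "students." domain prefix.
param(
    [string]$Attribute  = "extensionAttribute1",
    [string]$Value      = "Student",
    [string]$SearchBase = ""   # e.g. "DC=students,DC=admin,DC=edu"; default: this domain
)

if (-not $SearchBase) {
    $SearchBase = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
}

# Same shape of LDAP filter an Exchange 2000 custom address list uses:
# mail-enabled users, contacts and groups carrying the tag.
$filter = "(&(mailNickname=*)($Attribute=$Value)(|(objectCategory=person)(objectCategory=group)))"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]("LDAP://" + $SearchBase)
$searcher.Filter = $filter
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.AddRange(@("displayName", "proxyAddresses"))

$results = $searcher.FindAll()
Write-Host ("Search base: {0}`nFilter: {1}`nMatches: {2}" -f $SearchBase, $filter, $results.Count)

foreach ($r in $results) {
    $p = $r.Properties
    # proxyAddresses: upper-case "SMTP:" marks the primary address, "smtp:" secondaries
    $primary = @($p["proxyaddresses"] | Where-Object { $_ -cmatch '^SMTP:' }) -replace '^SMTP:', ''
    $note = ""
    if ($primary -and ($primary -notmatch '@students\.')) {
        $note = "  <-- primary address not in students domain"
    }
    "{0,-30} {1}{2}" -f [string]$p["displayname"], [string]$primary, $note
}
```

Run it once against the parent domain and once against the child domain; a match list that pulls in administrative accounts, or a student with a primary address outside @students, means the attribute stamping or recipient policy needs attention before the GAL goes live.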
Vahik,

Very good point, we do not want them to see our Public folders either. I guess I could do that with an ACL. The students already have their own OU in a child domain of the forest. I know how to restrict the GAL because I already do that now with our admin server separating a training mail group on the same server as the admin. I just want to make sure I can do everything I want to do with adding a second server to the org using users in a child domain
You can do that with ACLs, or just don't create instances of your public folders on the second server and do not allow public folder referrals on your SMTP connectors.

Now you must remember that no matter how many domains you may have, you will have one Exchange organization and one public folder tree.

You won't have any problems with this setup and it is very flexible. You can always take out the SMTP connectors and put all the servers in the same routing group if the need arises. Call back if you need more help.
Ok guys, I am having a problem with the install of the second server. As I said this is being installed in a child domain. The existing admin exchange server is in the parent domain so I think I am having a rights issue.

Here is the error I am receiving when it is trying to start the SA

Event ID 9157
Microsoft Exchange System Attendant does not have sufficient rights to read Exchange configuration objects in Active Directory. System attendant will try again in approximately one minute.
Did you run domain prep in your child domain before you ran the Exchange setup?
Yes I ran domain prep and forest prep prior. I guess now thinking about it I didn't need to run forest.

I followed this article and it didn't help.

As per Microsoft: "This behavior can occur if the computer account for the Exchange Server computer has been deleted, lost or does not have Full Control permissions to the Exchange Server computer object in Active Directory". See Q297295 for more details

I checked the schema through ADSI and all the objects are there and seem to be ok. It just hangs on starting the system attendant.

The server I am installing this on is in the child domain, but I logged into the machine as my exchange admin for my admin exchange server and then installed exchange. I don't think that would matter though.

Any thoughts?
I am stuck here, I have tried to add all the proper rights where they should be. It just will not start the services.

Any ideas?
put it in the same domain as the other server, just have the students AD accounts in that child domain.
Does it need to be in the same domain?

I would think that this would be possible.
I don't know off the top of my head, but the ASP I used to work for had all the exchange servers in the same domain, a domain restricted to servers, and users accounts in domains in other forests.  We also had a child domain in that same forest where employee accounts were kept.  We followed the MS ASP Deployment Guide that I mentioned earlier.
I don't think this is possible because of the domain trusts. I can see the Exchange Domain Servers and Enterprise servers in both domains but I can not see Exchange Services in both. And when I try to add the exchange server from the child domain into the services group on the parent domain it doesn't work.
Exchange Domain server group is local to each domain. A new domain would have a new group, and this would be part of the Enterprise group. Now, my feeling on this is that you need to be schema admins to get this installed, although schema has already been done, exchange will not allow this to proceed, I believe this behavior has changed in 2003. The domain account you're using needs to be made part of the enterprise and schema admins group, if only for a little while.

D
Vahik,

Are you referring to the account I am installing this with? Because I logged into the parent domain on the exchange server that is in the child domain and installed exchange. This account is used as the exchange admin for the parent domain and is a part of the schema admin group. So I am not sure what you are referring to?
I meant to say Kidego on that last one, sorry D. I am working on so many things at once I get lost at times.

Kidego, look at the error. I don't have a system attendant account on my child domain.

Event ID 9157
Microsoft Exchange System Attendant does not have sufficient rights to read Exchange configuration objects in Active Directory. System attendant will try again in approximately one minute.

And I have followed this
As per Microsoft: "This behavior can occur if the computer account for the Exchange Server computer has been deleted, lost or does not have Full Control permissions to the Exchange Server computer object in Active Directory". See Q297295 for more details
OK, hold on. The SA error you're getting, new server or existing server? Second, existing server is in child domain, correct? 3rd, the account you're logging in with now to the child domain, it's a member of the enterprise and schema admins group? Make sure that this computer account is a member of the Exchange domain servers group. We aren't offbase here, just a little misunderstanding of terms.

There is no specific SA account, all E2K services start with the local system account. That's why I say that your account doesn't have the perms it should. But just to be sure the computer account is solid, your account in the child domain must have certain rights.
Kidego:

The error is on the new server. Yes the second server is being installed into the child domain. And yes the account I am logging in with is a member of both enterprise admins and schema admins. Each exchange server is a part of its own Exchange Domain server group.

I followed that 236146 doc and I did everything the way it says there. This is strange??
yes, very. Sounds like there is something awry. Run netdiag /v and port it out to a text file, see if there are any errors. Have you tried to reset the computer account on the new server, and rebooting? DON'T do this if this is a DC or GC.

D
That's what I was just thinking because these damn Dells have their own setup and I added the server to the domain through that.

Is resetting the account through AD the same as removing it manually on the server itself and then re-adding it?
I reset the account and then re-added it to the domain and it is still happening. So you are saying with Exchange 2000 there is NO System Attendant mailbox/account? I am just trying to find out why it doesn't have proper rights.
No, didn't say that. There is an SA mailbox, just not a service account as before. All Exchange 2000 services start as local system account. Could be a problem with your child domain and having rights in the parent. I'll revisit this later this eve....

D
Kidego, there are no mailboxes at all in the child domain.
ASKER CERTIFIED SOLUTION
David Wilhoit
Sure should I send this to the email address I know for you?
Thanks for the great work from Kidego, we are up and running. But thanks to all for your help and suggestions.

The problem existed in Active Directory. The Exchange permissions were not propagating throughout the Exchange org. I had to use ADSI edit and give Exchange Domain Servers for the child domain the correct rights and manually propagate them down. For some reason possibly due to replication issues the Exchange Domain Servers group did not have Read and List contents, though it had the rest of the proper rights.
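The resolution above (the child domain's Exchange Domain Servers group lacking Read and List Contents on the Exchange configuration objects) is the kind of thing worth checking read-only before reaching for ADSI Edit. The following is an added example, not code from this thread or from Microsoft; it runs from any management workstation with .NET/PowerShell, assumes the default "Microsoft Exchange" services container and the default group name, and changes nothing:

```powershell
# Added example: audit the ACL on the Exchange organization container in the
# Configuration NC and report, for every "Exchange Domain Servers" group in the
# forest, whether it has Read (ReadProperty) and List Contents (ListChildren),
# and whether the ACE is set to propagate to child objects (admin groups, servers).
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.configurationNamingContext
$services = [ADSI]("LDAP://CN=Microsoft Exchange,CN=Services," + $configNc)

# The org container is the child of CN=Microsoft Exchange of class msExchOrganizationContainer
$org = $services.Children |
    Where-Object { $_.SchemaClassName -eq "msExchOrganizationContainer" } |
    Select-Object -First 1
if (-not $org) { throw "No Exchange organization container found under $configNc" }
Write-Host ("Auditing: " + [string]$org.distinguishedName)

# Pull ACEs by SID so an unresolvable trustee (e.g. a domain that is unreachable) does not abort
$rules = $org.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$required = @{
    "Read"          = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    "List Contents" = [int][System.DirectoryServices.ActiveDirectoryRights]::ListChildren
}

$allow = foreach ($ace in $rules) {
    if ($ace.AccessControlType -ne "Allow") { continue }
    $name = $ace.IdentityReference.Value
    try { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    if ($name -like "*\Exchange Domain Servers") {
        New-Object PSObject -Property @{ Trustee = $name; Rights = [int]$ace.ActiveDirectoryRights;
                                         Inherit = $ace.InheritanceType; Inherited = $ace.IsInherited }
    }
}

foreach ($g in ($allow | Group-Object Trustee)) {
    $combined = 0
    $propagates = $false
    foreach ($a in $g.Group) {
        $combined = $combined -bor $a.Rights
        if ($a.Inherit -ne [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None) { $propagates = $true }
    }
    foreach ($r in $required.Keys) {
        $has = (($combined -band $required[$r]) -eq $required[$r])
        "{0,-45} {1,-14} {2}" -f $g.Name, $r, $(if ($has) { "OK" } else { "MISSING" })
    }
    "{0,-45} {1,-14} {2}" -f $g.Name, "Propagates", $(if ($propagates) { "yes" } else { "NO (container only)" })
}
```

A group that is missing entirely from the output has no Allow ACE on the org container at all, which in this thread's case would also be consistent with the ACL not having replicated yet; compare the output against a DC in each domain before editing anything.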
I guess I can't increase this to more than 500
no, not more than 500. don't worry about it, you may have more questions later this week, use your points then :)

D