Solved

Exchange and CA Server Rejoin Domain

Posted on 2009-06-29
Last Modified: 2012-05-07
Our email server stopped responding, and upon reboot, would not connect to the domain.  The onsite guy used the reset account command in the active directory gui, rebooted, but still would not connect.

If I understand it correctly, now that he has reset the machine account, the only way to get back on the domain would be to unjoin\rejoin.  I tried netdom without success (I assume because he reset the account).  DNS and connectivity seem fine because I can ping back and forth via address and name.  When logged in locally (it uses the same administrator password as the domain) I can access the system shares of the PDC via UNC.

Is there a procedure to backup the CA database, unjoin\rejoin, and restore the ca information without breaking Exchange?

It's a single Exchange 2003 Enterprise on a 2003 member server.  The PDC is also 2003 server.

Thanks!
Question by:FredCred

Accepted Solution

by: mds-cos earned 500 total points
ID: 24741115
In THEORY, assuming the Exchange Server is not the CA, you should be able to simply unjoin then rejoin the domain without breaking anything.  I think I would turn off the Exchange services first so they don't try to come up while the system is not part of the domain...just me being paranoid.  All of the Exchange specific info stored in AD will still be there, and since you are not messing with the name of the server or anything else all should be happy.  Nothing is changing on the system itself either (other than the machine account for AD), so the certificate that was generated and is loaded on that machine should also (in THEORY) be fine.

If the machine is a CA, which I suspect based on your question, you can back up and restore the database.  This admin guide tells you how:  http://technet.microsoft.com/en-us/library/bb727098.aspx.  Again, in THEORY the issued certificates should continue to be viable once you restore them.

Fortunately, if the certificate gets messed up all you will need to do is generate a new certificate and plug into IIS for OWA and OMA to start working again.  If Exchange gets messed up, you obviously will be doing a restore -- but I can't see any reason it would have problems.


Note that I say in theory several times.  I have never performed this procedure, and hopefully never will (resetting the machine account, as you doubtless know, would be the last resort -- not the first).  The closest I've come is taking AD off an Exchange server that was inappropriately set up as an AD to begin with.


Expert Comment

by:Mestha
ID: 24745870
If you boot the machine up out of the domain with Exchange installed you will break Exchange. While you are moving things around you must disable all of the Exchange and IIS related services.

The same trick might work for the certificate authority, but I haven't done it.

Simon.

Expert Comment

by:mds-cos
ID: 24745917
Hi Mestha (or should I say Sembee ;-)

Do you agree that when he joins back to the domain all will be good with Exchange, or do you have a differing opinion?  I can't think of any reason Exchange won't come right back up after rejoining the domain....but as I said I've never actually done it.

Expert Comment

by:Mestha
ID: 24746608
As long as the machine account is intact then after the machine has been joined to the domain then Exchange should start. I have dropped a machine off the domain then put it back on again in the past with Exchange involved.

Simon.

Expert Comment

by:Paranormastic
ID: 24747198
Actually it sounds more like the CA is on the Exchange box.  Can't say that I would recommend that (as I recommend all CA servers be on a dedicated box or VM), but at least it isn't a DC.

I can't speak much to the Exchange part of dis/rejoining the domain, but for the CA:
1) Full backup including system state.
3) Open up the Certification Authority MMC (certsrv.msc).  Take note of what CAName is (the friendly name of the CA listed under Certification Authority (servername), including capitalization)
4) Expand CAName - right-click Revoked Certificates - All Tasks - Publish.
5) Open %systemroot%\system32\certsrv\certenroll directory and copy CRL file to the CDP locations.
6) Back in CA MMC/Revoked Certs - properties - Check what the CRL Publication Interval is - if it is not at least a month long then write down current setting, increase to be at least a month, and publish another CRL (see #3).  Do not copy this to the CDP locations, but rather to a location like your workstation that isn't getting messed with right now.  You could put it at the CDP locations if you rename it, but keep the regular CRL there for now.  This extended period CRL is your emergency contingency plan for your PKI.
7) Reset CRL timeframe back to original settings so you don't forget later.
8) Right-click CAName - All Tasks - Backup CA... - follow the wizard and select private key and certificate database, do not select incremental, follow rest of wizard.
9) Full backup including system state.
10) Uninstall certificate services from Add or Remove Programs/Windows Components.
11) I don't think you will need to worry about your Exchange server cert, but you can always back it up from Certificates MMC (certmgr.msc) - probably in the Computer Account / Personal Store unless it got installed somewhere else, maybe look under Trusted Roots.  Export including private key to a .pfx file.  Never hurts to have an extra thing backed up.
12) Do whatever you need to for Exchange, if necessary.  Sorry, I'm not your guy for this part.  
13) Disjoin from domain.
14) Reboot server.
15) Rejoin domain.
16) Do what you need to with Exchange first, it's much more sensitive to being offline than a CA.
17) Reinstall Cert Services -  Make sure to enter the CAname exactly as the old one or the private key will not like you.
18) Open up CA MMC - right click CAName - All Tasks - Restore CA... and follow the wizard.
19) Reboot server to make sure everything comes up okay.
20) Open CA MMC - issue a new CRL - this will test access to the database and to the private key.  Copy to CDP locations.
21) Full backup including system state.
22) Sit down, relax, drink beer.
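
An added example, not Paranormastic's own script, that wraps the CA half of the steps above in a batch file built on certutil so that each step aborts on error instead of silently continuing: `backup` covers steps 3 to 9 (CA name and CRL interval recorded, regular and contingency CRLs published, database and private key backed up), `restore` covers steps 18 and 20. The backup root, CDP share, key password, service name certsvc and the original CRL interval written down in step 6 are assumptions to fill in.

```batch
@echo off
rem Added example, not from the thread. Assumed values to change: backup root, CDP share,
rem key password, and the CRL interval you wrote down in step 6 (ORIG_UNITS / ORIG_PERIOD).
setlocal
set SAFE=D:\ca-rescue
set CDP=\\fileserver\pki$
set KEYPWD=change-me
set ORIG_UNITS=1
set ORIG_PERIOD=Weeks
set ENROLL=%SystemRoot%\system32\certsrv\CertEnroll
if /i "%1"=="backup" goto backup
if /i "%1"=="restore" goto restore
echo usage: %~nx0 backup ^| restore
exit /b 2
:backup
mkdir "%SAFE%\crl-extended" 2>nul
rem Record the exact CA name (must match on reinstall) and the current CRL interval.
certutil -cainfo name > "%SAFE%\ca-name.txt" || goto fail
certutil -getreg CA\CRLPeriodUnits > "%SAFE%\crl-period-before.txt"
certutil -getreg CA\CRLPeriod >> "%SAFE%\crl-period-before.txt"
rem Publish a fresh CRL and copy it to the CDP.
certutil -crl || goto fail
copy /y "%ENROLL%\*.crl" "%CDP%\" >nul || goto fail
rem Contingency CRL: one month validity, kept off the CDP. Interval changes need a restart.
certutil -setreg CA\CRLPeriodUnits 1 >nul || goto fail
certutil -setreg CA\CRLPeriod "Months" >nul || goto fail
net stop certsvc >nul & net start certsvc >nul
certutil -crl || goto fail
copy /y "%ENROLL%\*.crl" "%SAFE%\crl-extended\" >nul || goto fail
rem Put the interval back and republish so CertEnroll holds a regular CRL again.
certutil -setreg CA\CRLPeriodUnits %ORIG_UNITS% >nul || goto fail
certutil -setreg CA\CRLPeriod "%ORIG_PERIOD%" >nul || goto fail
net stop certsvc >nul & net start certsvc >nul
certutil -crl || goto fail
rem Full (non-incremental) backup of the database and the private key.
certutil -p "%KEYPWD%" -backup "%SAFE%\ca-backup" || goto fail
echo CA backup done. Take the system state backup, then uninstall Certificate Services.
exit /b 0
:restore
rem Run after Certificate Services is reinstalled with the name from ca-name.txt.
net stop certsvc >nul
certutil -p "%KEYPWD%" -restore "%SAFE%\ca-backup" || goto fail
net start certsvc >nul || goto fail
rem A new CRL proves the database and the private key both came back.
certutil -crl || goto fail
copy /y "%ENROLL%\*.crl" "%CDP%\" >nul || goto fail
exit /b 0
:fail
echo Step failed (errorlevel %errorlevel%). Stop here and investigate before going on.
exit /b 1
```

The contingency CRL in crl-extended is only copied to the CDP by hand if the restore fails and the regular CRL is about to expire.
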
Author Comment

by:FredCred
ID: 24755642
It is now up and working.  Thanks all for your comments and help!!  I'll add details and award points tonight.  Thanks again!!!

Expert Comment

by:Paranormastic
ID: 24841348
Glad to hear everything turned out okay!  Is there anything else you needed or just haven't had time to follow up to close this out yet?
Author Closing Comment

by:FredCred
ID: 31598160
Thanks for the quick response to my question.  Your answer was accurate and complete.  Thanks all!