Solved

Exchange 2003 in a domain.

Posted on 2011-02-20
Last Modified: 2012-09-17
Ok Folks,

I'm afraid I might have a little mess on my hands.  About 3 years ago I configured and installed an Exchange 2003 server for a client.  Everything has been working great.  They have never used the Active Directory on this machine ever.  Their network gets its DHCP from the Cisco router and we just create users on each PC.  Well, the time has come that we need to start using Active Directory since we have people moving around the office constantly.

I have two issues:

1.  When I created the AD on the Exchange server I made it mycompany.com.  This is the domain that the Exchange server is handling mail for.  This is one of our domains that we own, and we have a website on it that is hosted by an outside company.  Everything that I have read indicates that this is the wrong thing to do, as it may cause name resolution problems when people try to go to the website from inside the network.  Is it that big of a deal?

2.  We just installed a new 2008 server that we will be using as a terminal and file server.  The load will be small, as it will be used by probably no more than 10 people at a time.  Can I just install AD on this server with a different domain such as company.priv and let the other domain just be an Exchange server?  I built the server pretty stout to handle AD and TS, so it should be able to handle the load.  Is it asking for trouble to put two domains on one network even though one is never used?

So the question seems to be:  sort of start over with a new and correct domain configuration on the new server and let the old Exchange server just keep doing its Exchange job, OR do I try to use the Exchange server as it is, with the domain being the same as our external website???

Either way I need to start getting AD up and running sometime soon.  Any thoughts or real-world suggestions are much appreciated.  I'm sure I haven't explained this very well, so please be patient and I'll answer as many questions as I need to.

Thanks

vne

Question by:VNE
LVL 14

Expert Comment

by:Kaffiend
ID: 34940745
1.  Yes, unfortunately, as you have recognized, this could be a problem.  

You *could* work around this by making sure that the Exchange server does not perform DNS resolution on the internal network.  (You could use the other new server to do DNS)

2.  Yes, what you say can be done.  But now, you have 2 different sets of usernames/passwords to contend with or keep track of.  You can send out memos till you're blue in the face, but there will be some users who don't bother to read/understand, and these people will be the ones who complain (loudly) that things are "broken" when they can't log on, or they can't get their email.  


If it is not a really big environment, the ideal solution would be to bite the bullet and redo everything once, so that you have a firmer foundation to build on.  It would (sorry to say this) be kind of embarrassing to show this kind of setup to peers or colleagues - you can make it work, yes, but it's not very optimal, and it may make management much more of a headache.  If this company were to grow in size, then it would just be unacceptable.

If you can, do this:
Take brick-level backups of all Exchange mailboxes - export PSTs from Outlook if you have to
Install AD on the new server
Wipe the old Exchange server
Install Win2003 on the old server (can't run Exchange 2003 on a Windows 2008 server)
Install and configure Exchange
Create user accounts and (empty) mailboxes
Import PSTs into "new" Exchange server

Author Comment

by:VNE
ID: 34940806
I've read that changing the domain of a primary domain controller can be a nightmare.  What do you think?  This would solve my problem.

You are correct about wiping the exchange server.  I have thought of this in the past but have been putting it off.


Author Comment

by:VNE
ID: 34940829
Where would the issue of multiple user names and passwords come in?  If the user names and passwords were the same on the new server and the new server did DNS, couldn't I just tell all the Outlook clients where the Exchange server is?  Remember, we're not using the Exchange server for anything but email and calendar.  There's no AD authentication of any kind being done on the Exchange server (except through Outlook).

Actually, in a few years we will be buying a new Exchange server, as ours is already about 3 years old.

vne
LVL 14

Expert Comment

by:Kaffiend
ID: 34940911
Please don't do it.

You *can* change the domain.  But, don't forget the Domain Controller is also an Exchange server.  Exchange will most likely break if you do that.

There is plenty of documentation out there on using the rendom.exe and xdr-fixup tools.  Although it can be time-consuming, it can be done.  

However, Microsoft tells you in its documentation that you can't use these tools successfully if Exchange is installed on a DC.  See:  http://msexchangeteam.com/archive/2004/08/30/222719.aspx

LVL 14

Expert Comment

by:Kaffiend
ID: 34940934
Um yeah, different passwords for logging in, and for email.

Kinda defeats the purpose of Active Directory, which promises single sign-on to access company resources - logons, email, file access, SharePoint, etc.

LVL 14

Expert Comment

by:Kaffiend
ID: 34940982
Oh, you said "ours".

That changes things.

You are internal IT for mycompany.com?  The same company that has the Exchange server?  If so, then you don't really have any worries.  There are many organizations that have their internal and external DNS names the same.  Not a Best Practice, but not a big deal either.  Just maintain your internal DNS zone properly, and you will have no worries.

Author Comment

by:VNE
ID: 34946374
Kaffiend,

Now I'm a little confused.  Why would I be in a situation where the user's email password and their login password would be different?  Right now, in the hosts file of each PC, I've got an entry for our internal Exchange server.  When I set up a user on a new PC I just set the user up to use their email name and password for access to the PC.  Outlook then takes that password when I configure it and accesses the Exchange server with it.

For instance:  John's email address is john@mycompany.com and his email password is john123.  When John logs onto his PC he uses the user name of John and the password of john123.  When John accesses the file server, Windows also uses these credentials because his username and password are the same on the file server.

I was thinking maybe I could configure AD on the new server with a different domain than the Exchange server and join John's PC to the new domain, leaving his Outlook and Exchange configurations alone.

Clear as mud??

vne


Author Comment

by:VNE
ID: 34946431
Kaffiend,

And you are correct about our company configuration.  I am the internal IT guy and we have our own Exchange box.  On that box I created an AD domain that is the same as our external website domain.  When I think about your response, it would seem perfectly doable to handle any traffic destined for the website with our internal DNS.  I mean, that's what DNS is for, right?

I mean, the ONLY issue here is that our internal domain is the same as our website domain.  Can't we just route traffic to the website with DNS entries?
LVL 14

Accepted Solution

by:
Kaffiend earned 500 total points
ID: 34949093
If you were to install AD with a different domain on the new server, then there would (potentially) be 2 separate usernames and passwords for logging in and for email.  I suppose you could keep them both the same, but it's not really necessary to do that.

My suggestion is to keep the present domain.  Even though it may not be considered a best practice, there are many organizations getting along just fine that have their internal and external domain names the same.  If you populate your DNS with the applicable records that point to external IPs, then you are all set.

Not really an issue.

Installing a new Active Directory side-by-side is really not necessary.


Oh, and BTW, re your post at 12:46pm: When a PC is joined to Active Directory, you would want the user to log on to the domain (as opposed to logging on to the local computer), and a new user profile would be created on that PC when a user logs on to the domain.  You need to be ready to import the existing profile into the user's domain profile.
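The accepted answer's fix is a split-brain DNS zone: the internal mycompany.com zone must carry its own copies of the public website records. The script below is an added illustration, not code from the thread; it assumes a DNS server with the DnsServer PowerShell module (Windows Server 2012 or later; on the 2003/2008 servers in this thread the equivalent is dnscmd /RecordAdd), and the zone name, host list, resolver address and DC name are placeholders to adjust.

```powershell
# Added example: keep the internal copy of a split-brain AD zone in sync
# with what the public internet answers for the hosted website names.
# Assumes the DnsServer module (Server 2012+). Names below are placeholders.
$Zone       = 'mycompany.com'       # internal AD zone == public web domain
$PublicDns  = '8.8.8.8'             # any resolver outside the LAN
$InternalDc = 'dc1.mycompany.com'   # hypothetical internal DNS server
# Only named hosts can be mirrored. The zone apex (mycompany.com itself) is
# registered by the domain controllers for LDAP and must NOT be pointed at
# the web host, so http://mycompany.com will resolve to a DC internally.
$Hosts      = @('www')

foreach ($h in $Hosts) {
    $fqdn = "$h.$Zone"

    # Addresses the outside world gets for this name
    $public = Resolve-DnsName -Name $fqdn -Type A -Server $PublicDns -ErrorAction SilentlyContinue |
              Where-Object { $_.QueryType -eq 'A' } |
              Select-Object -ExpandProperty IPAddress
    if (-not $public) { Write-Warning "No public A record for $fqdn; skipping"; continue }

    # Addresses the internal zone currently answers (empty when the record is missing)
    $internal = Get-DnsServerResourceRecord -ZoneName $Zone -Name $h -RRType A `
                    -ComputerName $InternalDc -ErrorAction SilentlyContinue |
                ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString }

    # Add any public address the internal zone does not yet return
    foreach ($ip in $public) {
        if ($internal -notcontains $ip) {
            Add-DnsServerResourceRecordA -ZoneName $Zone -Name $h -IPv4Address $ip `
                -ComputerName $InternalDc
            Write-Output "Added $fqdn -> $ip to internal zone $Zone"
        }
    }

    # Flag internal records the hosting company no longer uses (stale split-brain entry)
    foreach ($ip in $internal) {
        if ($public -notcontains $ip) {
            Write-Warning "$fqdn still has internal record $ip not present in public DNS"
        }
    }
}
```

Run it on a schedule from a domain member with the DNS RSAT tools; stale entries are only reported, not deleted, so a DC-registered record is never removed by accident.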

Author Comment

by:VNE
ID: 34949104
Thanks for your help, Kaffiend.  This is exactly the kind of info I needed.  I felt like it wouldn't be a big deal but needed someone to verify it for me.

Thanks man.

vne