VNE

Exchange 2003 in a domain.

Ok Folks,

I'm afraid I might have a little mess on my hands.  About 3 years ago I configured and installed an Exchange 2003 server for a client.  Everything has been working great.  They have never used the Active Directory on this machine ever.  Their network gets its DHCP from the Cisco router and we just create users on each PC.  Well, the time has come that we need to start using Active Directory since we have people moving around the office constantly.

I have two issues:

1.  When I created the AD on the Exchange server I made it mycompany.com.  This is the domain that the Exchange server is handling mail for.  This is one of our domains that we own and we have a website on it that is hosted by an outside company.  Everything that I have read indicates that this is the wrong thing to do as it may cause name resolution problems when people try to go to the website from inside the network.  Is it that big of a deal?

2.  We just installed a new 2008 server that we will be using as a terminal and file server.  The load will be small as it will be used by probably no more than 10 people at a time.  Can I just install AD on this server with a different domain such as company.priv and let the other domain just be an exchange server?  I built the server pretty stout to handle AD and TS so it should be able to handle the load.  Is it asking for trouble to put two domains on one network even though one is never used?

So the question seems to be:  Sort of start over with a new and correct domain configuration on the new server and let the old Exchange server just keep doing its Exchange job OR do I try to use the Exchange server as it is with the domain being the same as our external website?

Either way I need to start getting AD up and running sometime soon.  Any thoughts or real world suggestions are much appreciated.  I'm sure I haven't explained this very well so please be patient and I'll answer as many questions as I need to.

Thanks

vne

Kaffiend

1.  Yes, unfortunately, as you have recognized, this could be a problem.  

You *could* work around this by making sure that the Exchange server does not perform DNS resolution on the internal network.  (You could use the other new server to do DNS)

2.  Yes, what you say can be done.  But now, you have 2 different sets of usernames/passwords to contend with or keep track of.  You can send out memos till you're blue in the face, but there will be some users who don't bother to read/understand, and these people will be the ones who complain (loudly) that things are "broken" when they can't log on, or they can't get their email.  


If it is not a really big environment, the ideal solution would be to bite the bullet, and redo everything once, so that you have a firmer foundation to build on.  It would (sorry to say this) be kind of embarrassing to show this kind of setup to peers or colleagues - you can make it work, yes, but not very optimal, and may make management much more of a headache.  If this company were to grow in size, then it would just be unacceptable.

If you can, do this:
Take brick-level backups of all Exchange mailboxes - export PSTs from Outlook if you have to
Install AD on the new server
Wipe the old Exchange server
Install Win2003 on the old server (can't run Exchange 2003 on a Windows 2008 server)
Install and configure Exchange
Create user accounts and (empty) mailboxes
Import PSTs into "new" Exchange server
VNE

ASKER

I've read that changing the domain of a primary domain controller can be a nightmare.  What do you think?  This would solve my problem.

You are correct about wiping the Exchange server.  I have thought of this in the past but have been putting it off.

VNE

ASKER

Where would the issue of multiple user names and passwords come in?  If the user names and passwords were the same on the new server and the new server did DNS, couldn't I just tell all the Outlook clients where the Exchange server is?  Remember, we're not using the Exchange server for anything but email and calendar.  There's no AD authentication of any kind being done on the Exchange server (except through Outlook).

Actually in a few years we will be buying a new Exchange server as ours is already about 3 years old.

vne
Please don't do it.

You *can* change the domain.  But, don't forget the Domain Controller is also an Exchange server.  Exchange will most likely break if you do that.

There is plenty of documentation out there on using the rendom.exe and xdr-fixup tools.  Although it can be time-consuming, it can be done.  

However, Microsoft tells you in its documentation that you can't use these tools successfully if Exchange is installed on a DC.  See:  http://msexchangeteam.com/archive/2004/08/30/222719.aspx

Um yeah, different passwords for logging in, and for email.

Kinda defeats the purpose of Active Directory, which promises Single-Sign-On, to access company resources - logons, email, file access, sharepoint, etc

Oh, you said "ours".

That changes things.

You are internal IT for mycompany.com?  The same company that has the Exchange server?  If so, then you don't really have any worries.  There are many organizations that have their internal and external DNS names the same.  Not a Best Practice, but not a big deal either.  Just maintain your internal DNS zone properly, and you will have no worries.
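
As an added illustration of what "maintain your internal DNS zone properly" involves here (not part of the original thread; the zone contents, host names and addresses are constructed): once the internal DNS server is authoritative for mycompany.com, any public name missing from its copy of the zone simply fails to resolve for internal clients, so the two record sets have to be compared.

```python
# Added example: audit a same-name (split) DNS setup from two record sets.
# Every record below is constructed sample data, not taken from the thread.
ZONE = "mycompany.com"

PUBLIC = {    # what the outside web/DNS host publishes
    ("@", "A"): {"203.0.113.10"},
    ("www", "A"): {"203.0.113.10"},
    ("mail", "A"): {"203.0.113.25"},
    ("shop", "CNAME"): {"stores.example.net."},
}
INTERNAL = {  # what the AD-integrated zone on the internal DNS server holds
    ("@", "A"): {"10.0.0.5"},       # registered by the domain controller itself
    ("mail", "A"): {"10.0.0.5"},    # Exchange reached on its LAN address
    ("exch01", "A"): {"10.0.0.5"},
}

def fqdn(name):
    return ZONE if name == "@" else f"{name}.{ZONE}"

def audit(public, internal):
    """Return (fqdn, type, status) for every public record, seen from inside."""
    findings = []
    for name, rtype in sorted(public):
        key = (name, rtype)
        if key not in internal:
            status = "missing"          # internal clients get no answer at all
        elif internal[key] == public[key]:
            status = "same"
        elif name == "@":
            status = "apex-differs"     # bare domain lands on the DC, not the site
        else:
            status = "override"         # deliberate internal answer; review it
        findings.append((fqdn(name), rtype, status))
    return findings

def records_to_add(public, internal):
    """Public records that must be copied into the internal zone by hand."""
    return {k: v for k, v in public.items() if k not in internal}

if __name__ == "__main__":
    for row in audit(PUBLIC, INTERNAL):
        print(*row)
    for (name, rtype), values in sorted(records_to_add(PUBLIC, INTERNAL).items()):
        print("add:", fqdn(name), rtype, ", ".join(sorted(values)))
```

The `apex-differs` row is the one a `www` record cannot fix: on an AD domain the bare domain name resolves to the domain controllers, so internal users need the `www` form of the site address.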
VNE

ASKER

Kaffiend,

Now I'm a little confused.  Why would I be in a situation where the users' email password and their logging in password would be different?  Right now in the hosts file of each PC I've got an entry for our internal Exchange server.  When I set up a user on a new PC I just set the user up to use their email name and password for access to the PC.  Outlook then takes that password when I configure it and accesses the Exchange server with it.

For instance:  John's email address is john@mycompany.com and his email password is john123.  When John logs onto his PC he uses the user name of John and the password of john123.  When John accesses the file server Windows also uses these credentials because his username and password are the same on the file server.

I was thinking maybe I could configure AD on the new server with a different domain than the Exchange server and join John's PC to the new domain, leaving his Outlook and Exchange configurations alone.

Clear as mud??

vne

VNE

ASKER

Kaffiend,

And you are correct about our company configuration.  I am the internal IT guy and we have our own Exchange box.  On that box I created an AD domain that is the same as our external website domain.  When I think about your response it would seem perfectly doable to handle any traffic destined for the website with our internal DNS.  I mean, that's what DNS is for, right?

I mean the ONLY issue here is that our internal domain is the same as our website domain.  Can't we just route traffic to the website with DNS entries?
ASKER CERTIFIED SOLUTION
Kaffiend

This solution is only available to members.
VNE

ASKER

Thanks for your help Kaffiend.  This is exactly the kind of info I needed.  I felt like it wouldn't be a big deal but needed someone to verify it for me.

Thanks man.

vne