Solved

Setting up a backup domain controller

Posted on 2011-05-04
Last Modified: 2012-08-13
I have a Windows 2003 domain controller that also serves as a DNS and a DHCP server; I also have a Windows 2003 server with Exchange Server running on it, and the other function of the Exchange server is as a secondary DNS server. We have just migrated off the Exchange server to an online hosted Exchange server and they want me to do away with the old Exchange server. The downfall of this is that several of our web sites have the old Exchange server IP address hard coded in the scripts for outbound emails. Both of these servers are VM servers.

Now my company wants me to create a new server with two functions:
• Backup domain controller, so that if the main domain controller goes down at any time the backup would kick in until the main controller is back up
• SMTP relay for our outgoing automated email programs.

Questions
Can I have a Backup domain controller?
Should I create a completely new server, or can I uninstall Exchange and use the old Exchange server?

Thanks
Question by: ahmad1467
20 Comments
 
LVL 8

Expert Comment

by:steinmto
ID: 35691716
You can always have a backup domain controller and yes to do it you can uninstall exchange.
 
LVL 8

Expert Comment

by:steinmto
ID: 35691719
It may be cleaner to rebuild, but you can use the old one.
 
LVL 44

Expert Comment

by:Adam Brown
ID: 35691728
The backup domain controller part is pretty easy. All you have to do is promote a second server to be a Domain Controller. Once that's done failover is mostly automatic. The SMTP relay might be a little trickier, though.

Author Comment

by:ahmad1467
ID: 35691872
If I create a new server, do you see it being a problem with using the IP address of the old Exchange server once I shut it down?

Why do you say the SMTP part might be a little trickier?

 
LVL 44

Expert Comment

by:Adam Brown
ID: 35692104
There shouldn't be any problems re-using the IP address. SMTP relay is tricky because the SMTP functions of Windows Server without Exchange are very very limited. I haven't messed with it much, so I don't know if Relay is possible with just the built in SMTP Server functionality.
 
LVL 29

Expert Comment

by:pwindell
ID: 35692965
I've done it.  It should work with just the Defaults on everything.   Since the mail clients (the scripts on the websites in this case) are going to be coming from internal LAN IP#s (at least I assume they are) it should be fine.

By default the SMTP Service allows relaying from the LAN IP Range and also from any user account that authenticates.  Even if I am mistaken about it being the default setting it is still no big deal just to tell it to do that.  The only other thing you have to tell the SMTP Service is what upstream smart host to use if that is what is desired,...otherwise it will send direct to the destination mail server determined by MX lookups.

BTW - side thing,...this kinda shows why it is a bad idea to hard-code IP#s into scripts.  With this being web services it might be better to have the IP#s in an application variable such as:

Application("mailip") = 192.168.1.1

and then just have all the scripts use Application("mailip") to retrieve the data.  Then when the IP#s change you just change the Application level variables.
Just a thought.
 
LVL 29

Expert Comment

by:pwindell
ID: 35693232
Could also install SMTP on the Web Server itself,...it already has IIS anyway.  Then it can use LocalHost or 127.0.0.1 in the Scripts and you wouldn't have to worry about it anymore.
 

Author Comment

by:ahmad1467
ID: 35699158
Ok, I have created the new server and I have SMTP working.
Now the old Exchange server was also the secondary DNS server, but I am getting rid of it.
I have just changed the IP address of the old Exchange server and gave the old IP to the new SMTP server.
Now I would like to make this new SMTP server the secondary DNS and the backup domain controller.
Can this be done also?
Do I need to do anything to the old Exchange/second DNS server before shutting it down?

Thanks
 
LVL 29

Accepted Solution

by: pwindell (earned 2000 total points)
ID: 35699331
Old one:
Ok,..be careful here.  There are proper processes involved when removing Exchange from a Domain.  Remember Exchange ties into AD and so it has to be properly "untied" from it.  The First Exchange introduced is "special" and several things have to be taken care of when it is removed.  The Last Exchange removed from a Domain is also special and things have to be handled properly there.  If there was only one Exchange then it is both the First and the Last Exchange at the same time so both situations have to be considered.

The high-level view would be:
1. Properly uninstall Exchange.  See the links below to the material,...read and understand both situations before you begin,...a "whoops!" can be very hard to recover from.
2. DC Promo the OS to demote it from being a DC to just a Member Server
3. Uninstall the DNS Service
4. Unjoin the machine to make it a non-member stand-alone server,....do whatever you want with it after that

How to remove the first Exchange Server 2003 computer from the administrative group
http://support.microsoft.com/kb/822931

How to Remove the Last Legacy Exchange Server from an Organization
http://technet.microsoft.com/en-us/library/bb288905%28EXCHG.80%29.aspx
 
LVL 29

Expert Comment

by:pwindell
ID: 35699393
The second DC:
You can have SMTP and a DC on the same machine,...but IMO, not a great idea.  My DCs run DNS, DHCP, and WINS,..that is all and I am very strict about it.

Anyway...
1. The machine needs to be a domain member (probably already is by now)
2. Install the DNS Service, but do not configure it, just leave it sit.
3. Set the DNS in the TCP/IP specs of the Nic to the existing DC
4. Run DCPromo from a command prompt and tell it that you are adding a DC to an existing Domain in an existing Forest.
5. When finished and before rebooting set the DNS in the TCP/IP Specs of the Nic to be the existing DC first,..and itself second,...and 127.0.0.1 thirdly.  The third one is a new recommendation that I have been seeing and consider it optional.  The first two there is always going to be debate over which order they should be in,....so this is my recommendation I am giving you.  Repeat the same idea on the original DC
 
LVL 29

Expert Comment

by:pwindell
ID: 35699524
Don't forget on both DCs to add the DNS Forwarders to the Config within the DNS MMC on each.  Every machine on the LAN must use only the AD/DNSs for their DNS and never anything else.  The only place you should ever see any outside DNS listed would be in the Forwarders List.   Be sure the Firewall allows the DCs to make outbound DNS queries,..it is also a good idea to set the firewall to Deny any DNS queries from anything else to prevent rogue DNS settings on clients on the LAN or to also hamper Malware infections from making independent outbound DNS queries to outside rogue DNS Servers.
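The two DNS-client rules from the last two comments (on a DC: the other DC first, itself second, 127.0.0.1 third; on every LAN machine: only the AD/DNS servers, never an outside one) written as a check over `ipconfig /all` output. This is an added example, not code from the thread; the DC addresses and the ipconfig excerpt are constructed.

```python
import re
# Assumed AD/DNS (domain controller) addresses; constructed for this example.
DC_DNS = {"192.168.15.6", "192.168.15.20"}
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

# Constructed `ipconfig /all` excerpt for the second DC, 192.168.15.20.
SAMPLE_DC_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 192.168.15.20
   Default Gateway . . . . . . . . . : 192.168.15.1
   DNS Servers . . . . . . . . . . . : 192.168.15.6
                                       192.168.15.20
                                       127.0.0.1
"""

def dns_servers(ipconfig_text):
    """DNS servers in configured order: first on the label line, rest on indented lines."""
    lines = ipconfig_text.splitlines()
    servers = []
    for i, line in enumerate(lines):
        m = re.match(r"\s*DNS Servers[ .]*:\s*(" + IPV4 + ")", line)
        if not m:
            continue
        servers.append(m.group(1))
        for cont in lines[i + 1:]:
            c = re.fullmatch(r"\s+(" + IPV4 + r")\s*", cont)
            if not c:
                break
            servers.append(c.group(1))
        break
    return servers

def check_dns_client(servers, own_ip=None):
    """Findings for one host's DNS list ([] = follows the advice); own_ip set when the host is a DC."""
    findings = []
    rogue = [s for s in servers if s not in DC_DNS and s != "127.0.0.1"]
    if rogue:
        findings.append("non-AD DNS servers configured: " + ", ".join(rogue))
    if own_ip is None:                      # ordinary member server or client
        if "127.0.0.1" in servers:
            findings.append("loopback listed on a machine that is not a DC")
        return findings
    if not servers or servers[0] == own_ip or servers[0] not in DC_DNS:
        findings.append("first DNS entry should be the other DC")
    if len(servers) < 2 or servers[1] != own_ip:
        findings.append("second DNS entry should be this DC's own address")
    if len(servers) > 2 and servers[2:] != ["127.0.0.1"]:
        findings.append("only 127.0.0.1 belongs after the two DCs")
    return findings
```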
 

Author Comment

by:ahmad1467
ID: 35700900

After looking at the article at http://support.microsoft.com/kb/822931 it looks like these directions are for if I had another Exchange server in my environment; is this true?
 
LVL 29

Expert Comment

by:pwindell
ID: 35700944
Logically you can not have a First Exchange if you never had a "second" Exchange,...and logically you can not have a Last Exchange if there was not one or more Exchanges before that one.  However, if you only have one Exchange,...then it is both the First and the Last Exchange at the same time,...so elements of both those articles apply and have to be considered.

So you deal with the pieces of each article that fit you,..ignore the parts that don't apply.  Most likely the article for the Last Exchange will be the most applicable to you.  There may be very few if any things from the First Exchange article that apply,...but you need to be mentally aware of all the aspects of it and the reasons for it just the same.
 

Author Comment

by:ahmad1467
ID: 35701119
Ok, before I got your first message I had created a new server and gave it the IP address of the Exchange server and assigned the Exchange server DHCP settings, then I switched it back, but I never changed anything on the domain controller. Could this have done something? Because now if I do a {nslookup IP} I get:

C:\Documents and Settings\user.ALLIED>nslookup 192.168.15.6
*** Can't find server name for address 192.168.15.6: Non-existent domain
*** Can't find server name for address 192.168.15.20 Non-existent domain
*** Default servers are not available
Server:  UnKnown
Address:  192.168.15.6

*** UnKnown can't find 192.168.15.6: Non-existent domain
 
LVL 29

Expert Comment

by:pwindell
ID: 35701440
Exchange should never be involved in DHCP,...it needs static unchanging IP#s.

NSLookup,...well I've been messing with this stuff for over a decade and I think I have maybe used NSLookup,...hmmm,...3 times?  There is just too many simpler ways to deal with things.

All you have to worry about is if you ping the Exchange Server by the Netbios Name and by the FQDN it returns the correct IP# of the Exchange Server.  If not, then shutdown the original Exchange, delete any "rogue" DNS entries created in DNS or WINS by your previous actions, and start the Exchange back up so it will re-register itself with DNS and WINS.  If the new server is up and is using the IP# the Exchange previously had then just give the original Exchange a new static IP,...it really does not matter squat what IP the Exchange has now just as long as it is static and is properly registered in DNS and WINS. Exchange is referred to in AD by the Netbios name or FQDN,..not by IP#.

Anyway,...if the Exchange box is running and is reasonably "healthy" read the articles and decommission it properly and gracefully and you should be fine.
 

Author Comment

by:ahmad1467
ID: 35722556
Now that I have taken my Exchange server out of the domain, is there a way for me to check to see if everything is OK?

Thanks
 
LVL 29

Expert Comment

by:pwindell
ID: 35722880
Run DCDIAG
Run NetDIAG

Watch the event log in the Event Viewer on the DCs.

There are not typically any problems after removing Exchange as long as you followed the correct procedures.  It is usually very dependable.

Me being the simple kinda guy I am,...If everything works, then everything is fine,...if something ain't workin' right then it's broke.
 

Author Comment

by:ahmad1467
ID: 35729591
I did run into a few problems. One of the servers in my domain is having some problems with the services; some of the ones that were using a logon stopped working, then when I tried to use a different user and browse to find the user it sees the user, but when I select apply I get a message that says {The specified domain either does not exist or could not be contacted}.
I did run dcdiag & netdiag and I did see some things that did look like they might be a problem; did you want me to post the report?

Thanks
 
LVL 29

Expert Comment

by:pwindell
ID: 35729695
I just need to know what Service it is and what it is using as a Service User account.  Most Services run off of just the built in "System Account".

In any case that would have nothing to do with removing Exchange.  This would have pre-existed your Exchange removal.

If you post the DCDiag only post the relevant part,...don't bomb the thread with the whole thing,..they are too long to deal with,...at least for me anyway.

Another thing that might be a good idea is to start a new thread to deal specifically with your current DCs and Domain "as it sits" with Exchange no longer being part of the conversation.  This thread is starting to get excessively long.
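To post only the relevant part of a DCDIAG run, as the comment above asks, here is an added example (not from the thread) that pulls the failed tests and their detail lines out of dcdiag output. The output excerpt, server names and warning text are constructed.

```python
import re

# Constructed dcdiag excerpt; the server names and warning text are made up.
SAMPLE_DCDIAG = r"""Doing primary tests

   Testing server: Default-First-Site-Name\DC1
      Starting test: Replications
         ......................... DC1 passed test Replications
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\DC2, when we were trying to reach DC1.
         Server is not responding or is not considered suitable.
         ......................... DC1 failed test Advertising
      Starting test: NetLogons
         ......................... DC1 passed test NetLogons

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
"""

# A verdict line: leading dots, the tested target, passed/failed, the test name.
RESULT = re.compile(r"^\s*\.{3,}\s+(\S+) (passed|failed) test (\S+)\s*$")

def parse_dcdiag(text):
    """Return (passed, failed); each is a list of (target, test, detail_lines)."""
    passed, failed, details = [], [], []
    for line in text.splitlines():
        if re.match(r"^\s*Starting test: ", line):
            details = []          # a new test block begins; drop headers above it
            continue
        m = RESULT.match(line)
        if m:
            target, verdict, test = m.groups()
            entry = (target, test, [d.strip() for d in details])
            (failed if verdict == "failed" else passed).append(entry)
            details = []
        elif line.strip():
            details.append(line)  # warnings/errors printed before the verdict
    return passed, failed

def failure_report(text):
    """Only the lines worth posting: a count plus each failed test and its details."""
    passed, failed = parse_dcdiag(text)
    out = ["%d tests passed, %d failed" % (len(passed), len(failed))]
    for target, test, details in failed:
        out.append("%s failed test %s" % (target, test))
        out.extend("    " + d for d in details)
    return "\n".join(out)
```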
 

Author Comment

by:ahmad1467
ID: 35729805
OK, thanks for all your help. I will create a new thread.