Solved

Removing Exchange 2010 on a Domain Controller

Posted on 2014-11-07
12
459 Views
Last Modified: 2014-11-07
OK let's not get into the why so much as I've spent hours on the phone with Microsoft, and others.  The conclusion is that the Domain Controller that Exchange resides on (not recommended for precisely this reason), is corrupt beyond repair. I can't remove the DC role as exchange still exists.  I'm going on 3 months limping along, and even the Exchange install still has legacy x400 public folders and crap we don't want/need. Even if I could somehow patch it back together I think a fresh start may be the better option here.

So this isn't so much a question, as it is a request for validation of my steps.

1. Dismount the mailboxes, and be sure they go down clean. Back up the EDB files.
2. Uninstall Exchange via add/remove. Since AD replication is not happening I will likely have to manually remove from the other DC using the below steps.

   2. Open ADSIEDIT
   3. Right Click on ADSIEdit and Click Connect to
   4. Connect to "Default Naming Context"
   5. Navigate to the following objects and Delete them.
      DC=Domain,DC=Com -> OU=Microsoft Exchange Security Groups
      DC=Domain,DC=Com -> CN=Microsoft Exchange System Objects
   6. Right Click on ADSIEdit and Click Connect to
   7. Connect to "Configuration"
   8. Navigate to the following objects and Delete them.
      CN=Configuration,DC=Domain,DC=Com -> CN=Services -> CN=Microsoft Exchange
      CN=Configuration,DC=Domain,DC=Com -> CN=Services -> CN=Microsoft Exchange Autodiscover

3. Once I verify that Exchange is truly gone, remove the AD role as well. Again, it probably won't go away cleanly, so I'll follow http://support.microsoft.com/kb/555846 in the event it doesn't.

Once both the DC and Exchange are no longer in the domain, I'll start the rebuild.

1. Install new Exchange server. It is going into a new VM, and I planned to put all the roles on one. We won't be doing a DAG ever, as in the next 6 months I will be moving people to a hosted solution, probably Office365. One question here: is there any reason not to give the new box the same IP and name as the old one, if I've verified by ADSI edit that it is truly gone? This will just save some work on apps that use SMTP to send email either by name or address.

2. Once installed create an empty mailbox for all the users that had one before.

3. Setup OWA, and reissue certs, and set up internal relays for other app servers.

4. Mount EDB's that were backed up during uninstall as Recovery DB and restore.

5. Finally get a full night's sleep.

Does anyone see any glaring issues here?
Question by:bhieb
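The ADSIEdit steps in the question delete four objects by hand on a DC that is not replicating, and point 3 depends on being able to verify that "exchange is truly gone". The following script is an added example, not something from the question or its answers: a read-only check, run from the surviving DC, of exactly those four objects plus the two leftovers a manual cleanup most often misses (Exchange server objects under CN=Services, and the old DC's NTDS Settings object that the linked metadata-cleanup procedure removes), followed by the replication summary. It assumes the RSAT ActiveDirectory module, read access to the Configuration partition, repadmin.exe on the path, and `$OldServerName` is a placeholder for the server being removed. It deletes nothing.

```powershell
<#
  Added example (not part of the original thread). Read-only verification of
  the objects named in the ADSIEdit cleanup steps, plus common leftovers.
  Assumptions: RSAT ActiveDirectory module installed, account can read the
  Configuration partition, repadmin.exe available; $OldServerName is a
  placeholder. Nothing in this script modifies Active Directory.
#>
param([string]$OldServerName = 'OLDEXCH01')   # placeholder, not a name from the thread

Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainNC = $rootDse.defaultNamingContext         # "Default Naming Context" in ADSIEdit
$configNC = $rootDse.configurationNamingContext   # "Configuration" in ADSIEdit

# The four objects the question says to delete, as real DNs for this forest.
$containers = @(
    "OU=Microsoft Exchange Security Groups,$domainNC",
    "CN=Microsoft Exchange System Objects,$domainNC",
    "CN=Microsoft Exchange,CN=Services,$configNC",
    "CN=Microsoft Exchange Autodiscover,CN=Services,$configNC"
)

function Test-AdObjectExists {
    param([string]$DistinguishedName)
    try   { $null = Get-ADObject -Identity $DistinguishedName -ErrorAction Stop; $true }
    catch { $false }
}

"== Containers named in the cleanup steps =="
foreach ($dn in $containers) {
    $state = if (Test-AdObjectExists $dn) { 'STILL PRESENT' } else { 'gone' }
    "{0,-14} {1}" -f $state, $dn
}

# Exchange server objects live under CN=Microsoft Exchange,CN=Services. Anything
# listed here is a server the organization still believes exists.
"`n== Exchange server objects still in the Configuration partition =="
Get-ADObject -LDAPFilter '(objectClass=msExchExchangeServer)' -SearchBase $configNC |
    Select-Object Name, DistinguishedName

# Every DC has an NTDS Settings object under CN=Sites. One left over for the
# old server is what the metadata-cleanup procedure the poster links removes.
"`n== DCs the forest still knows about (NTDS Settings objects) =="
Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase "CN=Sites,$configNC" |
    ForEach-Object {
        $serverDn   = ($_.DistinguishedName -split ',', 2)[1]   # parent = the server object
        $serverName = (Get-ADObject -Identity $serverDn).Name
        [pscustomobject]@{
            Server  = $serverName
            IsOldDC = ($serverName -ieq $OldServerName)
            NtdsDn  = $_.DistinguishedName
        }
    } | Format-Table -AutoSize

# The computer account itself; it is what a later "reset computer object" step touches.
$computer = Get-ADComputer -Filter "Name -eq '$OldServerName'"
if ($computer) { "`nComputer object for $OldServerName still exists: $($computer.DistinguishedName)" }

# Replication health. While the two DCs are not replicating, a deletion made
# through ADSIEdit on one DC must be checked (and repeated) on the other.
"`n== Replication summary =="
repadmin /replsummary
```

Run it once before the ADSIEdit deletions to record what exists, and again on each DC afterwards; a container that reports gone on one DC and STILL PRESENT on the other is the replication problem the poster describes showing up in AD, not a finished cleanup.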
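Steps 2 and 4 of the rebuild plan (an empty mailbox for every former user, then the backed-up EDBs mounted as a recovery database and restored) are the part the poster expects to script for 150 users. The script below is an added example written for this thread, not the poster's or Microsoft's code: it checks that the copied EDB is in Clean Shutdown, creates and mounts a recovery database over it, and for each mailbox found there matches an AD user by display name, creates the new mailbox if the user has none, and queues a restore. It assumes Exchange 2010 SP1 or later (for New-MailboxRestoreRequest), that the EDB copy was taken after a clean dismount, and that every path and database name is a placeholder.

```powershell
<#
  Added example (not part of the original thread). Rebuild steps 2 and 4:
  recreate mailboxes and restore content from a recovery database.
  Assumptions: Exchange Management Shell on the new server, Exchange 2010 SP1+,
  EDB dismounted cleanly before it was copied; all paths/names are placeholders.
#>
param(
    [string]$RecoveryEdb    = 'D:\Recovery\MailboxDatabase.edb',   # placeholder: copied old EDB
    [string]$RecoveryLogs   = 'D:\Recovery\Logs',                   # placeholder
    [string]$TargetDatabase = 'DB01',                               # placeholder: the new live DB
    [switch]$WhatIf                                                 # report per-user actions only
)

# 1. Refuse to continue unless the copied EDB is in Clean Shutdown; a Dirty
#    Shutdown file needs its logs replayed (eseutil /r) before it will mount.
$header = (& eseutil /mh $RecoveryEdb) | Out-String
if ($header -notmatch 'State:\s+Clean Shutdown') {
    throw "$RecoveryEdb is not in Clean Shutdown. Replay its logs before restoring."
}

# 2. A recovery database over the copied file, mounted so its contents can be listed.
$rdb = New-MailboxDatabase -Recovery -Name 'RDB01' -Server $env:COMPUTERNAME `
          -EdbFilePath $RecoveryEdb -LogFolderPath $RecoveryLogs
Mount-Database -Identity $rdb.Identity

# 3. Every user mailbox inside the recovery database (system mailboxes skipped).
$oldMailboxes = Get-MailboxStatistics -Database $rdb.Identity |
    Where-Object { $_.DisplayName -notlike 'SystemMailbox*' }

foreach ($old in $oldMailboxes) {
    $name  = $old.DisplayName -replace "'", "''"          # escape quotes for the OPATH filter
    $users = @(Get-User -Filter "DisplayName -eq '$name'")
    if ($users.Count -ne 1) {
        # Ambiguous or missing user: report it rather than restore into the wrong mailbox.
        Write-Warning "'$($old.DisplayName)': $($users.Count) matching users; restore by hand."
        continue
    }
    $user = $users[0]

    # Step 2 of the plan: an empty mailbox on the new database if the user has none yet.
    if (-not (Get-Mailbox -Identity $user.DistinguishedName -ErrorAction SilentlyContinue)) {
        Enable-Mailbox -Identity $user.DistinguishedName -Database $TargetDatabase -WhatIf:$WhatIf
    }

    # Step 4: queue a restore from the old mailbox into the new one. The new
    # mailbox carries a different LegacyExchangeDN, hence -AllowLegacyDNMismatch.
    New-MailboxRestoreRequest -SourceDatabase $rdb.Identity `
        -SourceStoreMailbox $old.MailboxGuid `
        -TargetMailbox $user.DistinguishedName `
        -AllowLegacyDNMismatch -WhatIf:$WhatIf
}

# Progress: rerun until every request reports Completed, then dismount and remove RDB01.
Get-MailboxRestoreRequest | Get-MailboxRestoreRequestStatistics |
    Select-Object TargetAlias, Status, PercentComplete, Message | Format-Table -AutoSize
```

Run with `-WhatIf` first: the recovery database is still created and mounted, but the per-user Enable-Mailbox and restore requests are only reported, which gives a list of every display name that does not map to exactly one AD user before anything is written.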
12 Comments
 
LVL 32

Expert Comment

by:it_saige
On your point 1 question.  Exchange is so tightly coupled with Active Directory that you may not be able to use the same name as the old server (that is unless, you are 100% absolutely certain that the old entries are all gone).  The IP I don't really believe will matter as you just remove the old DNS entries for the old server name, flush and re-register dns.

Now just to put a little fly on your wall, it may be possible to stand up a new VM with the old server name if you reinstall Exchange in disaster recovery (using setup.exe /M:RecoverServer) mode.  Also you won't have to fuss with modifying the AD database.

A few things to consider before you go jumping for joy.

1.  You won't use your plan with regards to the clean-up of AD.  You will just make your old server unavailable (disconnected from the network, etc.)
2.  The version of Exchange on the new server must match the old version *exactly* (you can't decide to install Exchange 2013, or if you were using Exchange 2007 Standard, move it to Exchange 2007 Enterprise).
3.  The version of the OS must match the old server OS, you guessed it, *exactly*
4.  This only works if there is an Active Directory replica on the domain (another DC that contains, at a minimum, the AD records associated with the old Exchange server).

So if your interest is piqued enough to try it:
http://clintboessen.blogspot.com/2010/09/exchange-setup-mrecoverserver.html
How to recover an exchange server using the RecoverServer switch
https://social.technet.microsoft.com/Forums/exchange/en-US/50880262-dd08-4534-8105-177e8d3e3441/exchange-2010-setup-mrecoverserver-ad-error
http://technet.microsoft.com/en-us/library/dd876880.aspx

Might gain you a few more moments of shut-eye.  ;)

-saige-
0
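Points 2 through 4 above are the preconditions for the RecoverServer route: the replacement must match the old Exchange build and OS exactly, and the old server's configuration must still be present in a replica of AD, because RecoverServer rebuilds the server from its own object in the Configuration partition. The script below is an added example for this thread, not it_saige's or Microsoft's code: it reads that object to report what the replacement VM has to match (Exchange version string, installed roles, operating system and service pack as last recorded on the computer account) and which database files belonged to the server. It assumes the RSAT ActiveDirectory module, read access to the Configuration partition, `$OldServerName` as a placeholder, and that the attribute names used (serialNumber, msExchCurrentServerRoles, msExchEDBFile, msExchOwningServer) are the ones Exchange 2010 writes to its server and database objects.

```powershell
<#
  Added example (not part of the original thread). Preflight for a
  /M:RecoverServer rebuild: what AD still records about the old server.
  Assumptions: RSAT ActiveDirectory module, read access to the Configuration
  partition, $OldServerName is a placeholder, attribute names as on Exchange 2010.
#>
param([string]$OldServerName = 'OLDEXCH01')   # placeholder, not a name from the thread

Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext

# The server's own object under CN=Microsoft Exchange,CN=Services; RecoverServer
# reads its configuration from here, so if it is missing the route is closed.
$server = Get-ADObject -LDAPFilter "(&(objectClass=msExchExchangeServer)(cn=$OldServerName))" `
              -SearchBase $configNC -Properties serialNumber, msExchCurrentServerRoles
if (-not $server) {
    throw "No Exchange server object named $OldServerName in AD; RecoverServer would have nothing to recover."
}

# msExchCurrentServerRoles is a bitmask; these are the Exchange 2007/2010 role values.
$roleBits = @{ 2 = 'Mailbox'; 4 = 'ClientAccess'; 16 = 'UnifiedMessaging'; 32 = 'HubTransport'; 64 = 'Edge' }
$roles = $roleBits.Keys |
    Where-Object  { $server.msExchCurrentServerRoles -band $_ } |
    ForEach-Object { $roleBits[$_] }

# Operating system as last written to the computer account (point 3: must match exactly).
$computer = Get-ADComputer -Identity $OldServerName `
                -Properties operatingSystem, operatingSystemVersion, operatingSystemServicePack

# Mailbox databases owned by this server and the EDB path each expects; the
# recovered server looks for the files at these paths.
$databases = Get-ADObject -LDAPFilter '(objectClass=msExchPrivateMDB)' -SearchBase $configNC `
                 -Properties msExchEDBFile, msExchOwningServer |
             Where-Object { $_.msExchOwningServer -eq $server.DistinguishedName }

[pscustomobject]@{
    Server          = $server.Name
    ExchangeVersion = $server.serialNumber     # version string setup wrote, e.g. "Version 14.x (Build ...)"
    Roles           = ($roles -join ', ')
    OperatingSystem = $computer.operatingSystem
    OSVersion       = $computer.operatingSystemVersion
    ServicePack     = $computer.operatingSystemServicePack
} | Format-List

"Databases and the EDB paths they expect:"
$databases | Select-Object Name, msExchEDBFile | Format-Table -AutoSize
```

Compare the ExchangeVersion and OS lines against the installation media and service pack you intend to use before running setup; the version string has to match at the build level, and the database paths listed are where the copied EDBs must be placed on the new VM before the databases are mounted.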
 

Author Comment

by:bhieb
I had seen this, and considered it. But the same admin that put it on the DC also left some stuff like legacy x400 addresses, free/busy public crap, and god knows what else (this server has never had a perfectly clean event viewer). So if I recover it won't some of those other "legacy stuff" stick around?

I meet all those requirements, I'm just not sure if "polishing a turd" is worth it; my way I get a truly fresh start. There are only 150 users, so scripting out the mailbox creation and recoveries should be minimal work, especially since I have all that data.

I do have a good PDC that has all the roles. Question though, if I choose this, I still have the domain expecting a DC @ the old name. So how do I get that out of the domain? Do I clean it up after Exchange is back up, or do I do it first? I'd assume not first, as then I couldn't do the recovery.
0
 
LVL 32

Expert Comment

by:it_saige
All things considered, performing a reinstall of the original OS, rejoining it to the domain, standing it back up as a DC, reinstalling Exchange in /M:DisasterRecovery, recovering your DB's and then performing an Exchange migration to a new server may seem like "polishing a turd", but may actually provide a cleaner slate to work from than going through the manual process of gutting and cleaning AD.  

I say this because, in the process of promoting the server to a DC, you may get a clean-up of the DC related entries in AD.  Once this is completed and you recover Exchange, yes, everything associated with the old one (e.g. legacy stuff) will still be there, but so will the other things that may not be considered (Transport Rules, Anti-Spam rules, etc.)  It will, also, allow for a cleaner removal of Exchange and the AD roles associated with the server when you stand up your new VM that you migrate to.

Ultimately though, it is a double-edged sword either way you go.  Both scenarios do offer pitfalls and celebratory moments.  It just comes down to which method will be the most time and cost effective for not only the present but also for the future.

-saige-
0
 

Author Comment

by:bhieb
Correct me if I'm wrong but if I do the recovery, I'm standing it back up as a DC too. So I'd have to go through another migration to another VM later in order to finally cleanly remove the server and dc. That definitely seems like the approved way of doing it, but after the restore I'm still not in the state I want to be in.

Hmm. Like you said, both have pluses and minuses. I'll have to sleep on it. Good thing is (I suppose) this has been dragging on long enough that my users aren't going to be upset at the downtime (especially over a weekend), as the flaky up and down nature that we've been living with has softened them up a bit. An (un)fortunate side effect of living in an unstable environment long enough is that the price for stability becomes an easier pill to swallow.
0
 

Author Comment

by:bhieb
I'm still a little perplexed on the DC role. Assuming a recover install.

1. Shut down the old server cleanly, make sure EDBs are dismounted cleanly. Make copies.
2. Reset computer object in AD on PDC.
3. Install new VM, join to the domain with same name.
4. Activate DC role? This is the step confusing me won't it expect it already there, and iirc I can't add it before I join???
5. install exchange prereq.
6. run recovery install
7. put edb's in the same path on new vm
8. mount db's
9. Redo OWA cert I'm sure, double check other settings like internal relays...

At this point I'd assume all the Outlook profiles would need to be rebuilt, or would that pick up fine?
0
 
LVL 32

Expert Comment

by:it_saige
You are correct, you would stand it back up as a DC.  But in your plan you had stated that you ultimately plan to move it to a VM.  So doing the migration seems like a more appropriate (perhaps?) course of action.

If your ultimate goal is to clean out garbage from AD, then removing those entries via the recommended methods (e.g. - removing exchange via setup, removing AD roles via DCPROMO, etc.) seems cleaner and less likely to produce orphaned entries (hey no one is perfect, there will probably still be orphans to consider).

I feel both your pain and apprehension.  I'm not trying to be the voice of dissidence, I'm trying to be the voice of reason.

-saige-
0
 

Author Comment

by:bhieb
To clarify it is a VM now, and will be restored as one as well.
0
 
LVL 32

Accepted Solution

by:it_saige (earned 500 total points)
See if this answers your previous questions:

http://msexchangeguru.com/2011/02/27/move-exchange-to-a-member-server/

-saige-
0
 

Author Comment

by:bhieb
Actually I tried that, but I forget what error it was. Essentially, since the 2 DCs aren't talking correctly, moving it while the DCs aren't replicating causes issues. So I backed off of trying that, as the what-ifs were stacking up beyond safe levels. :)

I think I'm gonna try the recover, but to address my question on #4 above. After I join it to the domain, I put the DC role on it? The "standing it back up as a DC" part is my only concern at this point. Since the primary working DC thinks it is a DC, when I join it without the DC role, is that gonna be an issue to put the DC role on after joining?
0
 

Author Comment

by:bhieb
Oh never mind actually that link looks to be exactly what I want to do. Bring it up on a new member, manually clean out the old DC. Good find.

Thanks for all your insight and help. Good to have someone to bounce ideas off of. If this fails I can always use my nuclear option :)
0
 
LVL 32

Expert Comment

by:it_saige
In the link that I posted above, the author took a crashed DC, cleaned the AD role related metadata and rejoined a new computer with the same name, made it a member of the domain and reinstalled Exchange (without re-adding the DC roles).

-saige-
0
 
LVL 32

Expert Comment

by:it_saige
Scalpel vs Hatchet, eh. ;)

Glad I could be of assistance.

-saige-
0