Solved

Concerns and caveats when extending AD schema for Exchange 2010 SP3

Posted on 2015-01-03
Last Modified: 2015-01-08
People,

I'd like to know if it is possible to run the Exchange Server Service Pack setup.com /PrepareDomain on the domain controllers during business hours without any outage?

My plan is to do the AD preparation steps this week and then deploy the actual SP on the weekend for each server.

Would it be OK to do it like that rather than doing it all in one big hit?

Any comments and suggestions would be greatly appreciated.

Thanks.
13 Comments
 
LVL 3

Assisted Solution

by:Sudhir Bidye
Sudhir Bidye earned 100 total points
ID: 40528866
Running Exchange 2010 SP3 setup will itself prepare Active Directory for Exchange 2010 SP3. It takes around 15 to 25 mins for the Exchange 2010 SP3 setup to prepare Active Directory.
Once you install Exchange 2010 SP3 on any one of the servers in your environment it will prepare the AD, and then for the next servers the setup will skip the AD preparation step.

Coming back to your original question of preparing AD during business hours (although I won't recommend running it in business hours, as I won't like to deal with any unexpected issues affecting business), preparing AD should not cause harm unless you already have issues in your AD/Exchange environment.

You can check the points below before you prepare the AD.
- Dcdiag is clean and not reporting any critical errors.
- Ensure you have your AD replication working fine.
- Run ExBPA for all servers and check if it reports any AD or permissions related issues.

Last but not least, if the setup takes only 15-25 mins to prepare the AD, why take the risk of running it in business hours :)
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 100 total points
ID: 40528878
It can be run in business hours, as it doesn't make any changes that require a reboot or operationally modify the platform.
However I only tend to prep the domain separately in a multiple site/domain environment, so that the change has time to replicate around the network. For single server/site environments I don't bother, just let setup.exe do the work for me.

Simon.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40528896
Simon,
Thanks for the reply and clarification. My environment is just single domain in a forest.

The reason I run PrepareDomain on the Schema Master DC is to repair the missing Microsoft Exchange Security Group that caused my SP3 installation to fail.

Hopefully by running that during the business hours it doesn't affect the email flow.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40528898
Sudhir,

Thank you for the reply.
So by running setup.com from my Schema Master DC, it can automatically detect and repair the missing default built-in Exchange Server AD security?
0
 
LVL 3

Expert Comment

by:Sudhir Bidye
ID: 40528957
The article below will tell you the list of things PrepareAD will do and the list of items it will create.

http://technet.microsoft.com/en-in/library/bb125224%28v=exchg.141%29.aspx
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40528989
Yes, it seems that it will recreate the AD security group by running the /PrepareDomain switch.

Hopefully it doesn't screw up the current Exchange server settings :-/
0
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 100 total points
ID: 40529002
Look at using the /PrepareAD switch instead of the /PrepareDomain switch.

This document outlines the actual changes that get made to the schema when installing SP3: http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=5401

With that being said, running /PrepareAD may recreate the missing Exchange security group(s), but if it doesn't you can try the steps in this article: http://careexchange.in/how-to-recreate-corrupted-microsoft-security-groups-in-exchange-2010/

I haven't personally tried the steps in this article myself so, as always, make sure you have proper backups before making any major changes to your environment.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40529109
Hi VB,

Last weekend when I tried the /PrepareAD command it failed, complaining that the security group exists:

$RoleActiveDirectorySplitPermissions" was run: "Active Directory operation failed on PRODDC01.MyDomain.com. The object 'OU=Microsoft Exchange Security Groups,DC=MyDomain,DC=com' already exists.".
[12/22/2014 22:12:15.0127] [1] [ERROR] Active Directory operation failed on PRODDC01.MyDomain.com. The object 'OU=Microsoft Exchange Security Groups,DC=MyDomain,DC=com' already exists.
[12/22/2014 22:12:15.0127] [1] [ERROR] The object exists.
[12/22/2014 22:12:15.0127] [1] [ERROR-REFERENCE] Id=443949901 Component=

0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40529112
In that case you can try /PrepareDomain but I suspect you'll probably run into the same issue. There shouldn't be any issues running the /PrepareDomain switch during business hours as per Simon's comment above.
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 200 total points
ID: 40529743
As some experts have already stated, running the schema extension during production hours should be fine. I personally, as a best practice, would run it off business hours due to the impact if something goes wrong. Although Microsoft has almost made schema updates bulletproof, things can still happen, and I personally would rather do changes like this off hours so that in case something does go wrong you are not impacting the business and you don't have to work under so much pressure to get services back up.

Also, if you are trying to save time by doing this change during production hours, why take the risk? Schema changes only take minutes to complete, so you won't be saving too much time on the weekend before you actually install the service packs.

Some things to consider before doing schema changes:
- test in a lab environment (if possible take a VM of your Exchange/AD environment and test)
- make sure you have a system state backup of your ntds.dit database (make sure that the backup admin is available)

Some might think this is overkill but when you are working with AD you don't want anything to go wrong.

"Ounce of prevention is a pound of cure!"

Will.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 40529815
Thanks Will,
So yes, I'll take the system state backup from one of my DCs to back up the NTDS.DIT file.
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 200 total points
ID: 40530414
It is best to get the system state backup from the FSMO role holder, for schema master specifically. If you take a system state backup from a secondary DC you cannot restore it to another DC. It has to be restored to the DC that it was taken from. If you try and do an authoritative restore from a backup DC you may run into issues.

As stated this might be overkill but just want to point the details out.

Your change should be fine.

Will.
0
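
The pre-checks suggested earlier in this thread (clean dcdiag, working replication) and the accepted answer's advice to back up the schema master, combined into one read-only pre-flight script. This is an added example, not code from any poster; the function name Test-PrepareADReadiness is hypothetical, and it assumes dcdiag.exe, repadmin.exe and the ActiveDirectory module are installed where it runs.

```powershell
# Added example: read-only checks to run before setup.com /PrepareAD or /PrepareDomain.
# Assumes dcdiag.exe, repadmin.exe and the ActiveDirectory module are installed.
# Test-PrepareADReadiness is a hypothetical name, not an Exchange or AD cmdlet.
Import-Module ActiveDirectory

function Test-PrepareADReadiness {
    $findings = @()

    # dcdiag /q prints only failed tests, so any output is a finding.
    $dcdiag = & dcdiag.exe /q 2>&1
    if ($dcdiag) { $findings += "dcdiag: " + (($dcdiag | Out-String).Trim()) }

    # Replication: flag DCs repadmin could not query and links with failures.
    $links = & repadmin.exe /showrepl * /csv | ConvertFrom-Csv
    foreach ($l in $links) {
        if ($l.showrepl_COLUMNS -eq 'showrepl_ERROR') {
            $findings += "repadmin error row: " + ($l | ConvertTo-Csv -NoTypeInformation)[1]
        } elseif ([int]$l.'Number of Failures' -gt 0) {
            $findings += "Replication failing: $($l.'Source DSA') -> $($l.'Destination DSA') [$($l.'Naming Context')]"
        }
    }

    # The accepted answer says to take the system state backup on the schema master.
    $schemaMaster = (Get-ADForest).SchemaMaster

    # List what currently sits in the OU named in the setup error quoted in this thread.
    $ouDn = "OU=Microsoft Exchange Security Groups," + (Get-ADDomain).DistinguishedName
    $groups = @()
    try {
        $groups = @(Get-ADGroup -Filter * -SearchBase $ouDn -SearchScope OneLevel -ErrorAction Stop)
        if ($groups.Count -eq 0) { $findings += "No groups found in $ouDn" }
    } catch {
        $findings += "Cannot read ${ouDn}: $($_.Exception.Message)"
    }

    New-Object PSObject -Property @{
        SchemaMaster   = $schemaMaster
        ExchangeGroups = ($groups | ForEach-Object { $_.Name })
        Findings       = $findings
        Ready          = ($findings.Count -eq 0)
    }
}

$result = Test-PrepareADReadiness
$result | Format-List
if (-not $result.Ready) { Write-Warning "Resolve the findings before running setup.com /PrepareAD." }
```

The ExchangeGroups list can be compared against the TechNet article linked earlier in the thread to see which groups are missing.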
 
LVL 7

Author Closing Comment

by:Senior IT System Engineer
ID: 40539377
Thanks
0
