Solved

Concerns and caveats when extending AD schema for Exchange 2010 SP3

Posted on 2015-01-03
Last Modified: 2015-01-08
People,

I'd like to know if it is possible to run the Exchange Server Service Pack setup.com /PrepareDomain on the domain controllers during business hours without any outage?

My plan is to do the AD preparation steps this week and then deploy the actual SP on the weekend for each server.

Would it be OK to do it like that rather than doing it all in one big hit?

Any comments and suggestions would be greatly appreciated.

Thanks.
0
13 Comments
 
LVL 3

Assisted Solution

by:Sudhir Bidye
Sudhir Bidye earned 400 total points
ID: 40528866
Running the Exchange 2010 SP3 setup will itself prepare Active Directory for Exchange 2010 SP3. It takes around 15 to 25 minutes for the Exchange 2010 SP3 setup to prepare Active Directory.
Once you install Exchange 2010 SP3 on any one of the servers in your environment, it will prepare the AD, and for the next servers the setup will skip the AD preparation step.

Coming back to your original question of preparing AD during business hours (although I won't recommend running it in business hours, as I wouldn't like to deal with any unexpected issues affecting business), preparing AD should not cause harm unless you already have issues in your AD/Exchange environment.

You can check the points below before you prepare the AD.
- Dcdiag is clean and not reporting any critical errors.
- Ensure your AD replication is working fine.
- Run ExBPA for all servers and check if it reports any AD or permissions related issues.

Last but not least, if the setup takes only 15-25 minutes to prepare the AD, why take the risk of running it in business hours? :)
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 400 total points
ID: 40528878
It can be run in business hours, as it doesn't make any changes that require a reboot or operationally modify the platform.
However, I only tend to prep the domain separately in a multiple site/domain environment, so that the change has time to replicate around the network. For single server/site environments I don't bother; I just let setup.exe do the work for me.

Simon.
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40528896
Simon,
Thanks for the reply and clarification. My environment is just a single domain in a forest.

The reason I run PrepareDomain on the Schema Master DC is to repair the missing Microsoft Exchange Security Group that caused my SP3 installation to fail.

Hopefully by running that during the business hours it doesn't affect the email flow.
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40528898
Sudhir,

Thank you for the reply.
So by running setup.com from my Schema Master DC, it can automatically detect and repair the missing default built-in Exchange Server AD security?
0
 
LVL 3

Expert Comment

by:Sudhir Bidye
ID: 40528957
The article below will tell you the list of things PrepareAD will do and the list of items it will create.

http://technet.microsoft.com/en-in/library/bb125224%28v=exchg.141%29.aspx
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40528989
Yes, it seems that it will recreate the AD security group by running the /PrepareDomain switch.

Hopefully it doesn't screw up the current Exchange Server settings :-/
0
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 400 total points
ID: 40529002
Look at using the /PrepareAD switch instead of the /PrepareDomain switch.

This document outlines the actual changes that get made to the schema when installing SP3: http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=5401

With that being said, running /PrepareAD may recreate the missing Exchange security group(s), but if it doesn't you can try the steps in this article: http://careexchange.in/how-to-recreate-corrupted-microsoft-security-groups-in-exchange-2010/

I haven't personally tried the steps in this article myself so, as always, make sure you have proper backups before making any major changes to your environment.
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40529109
Hi VB,

Last weekend when I tried the /PrepareAD command it failed, complaining that the security group exists:

$RoleActiveDirectorySplitPermissions" was run: "Active Directory operation failed on PRODDC01.MyDomain.com. The object 'OU=Microsoft Exchange Security Groups,DC=MyDomain,DC=com' already exists.".
[12/22/2014 22:12:15.0127] [1] [ERROR] Active Directory operation failed on PRODDC01.MyDomain.com. The object 'OU=Microsoft Exchange Security Groups,DC=MyDomain,DC=com' already exists.
[12/22/2014 22:12:15.0127] [1] [ERROR] The object exists.
[12/22/2014 22:12:15.0127] [1] [ERROR-REFERENCE] Id=443949901 Component=

0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40529112
In that case you can try /PrepareDomain but I suspect you'll probably run into the same issue. There shouldn't be any issues running the /PrepareDomain switch during business hours as per Simon's comment above.
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 800 total points
ID: 40529743
As some experts have already stated, running schema extend during production hours should be fine. I personally, as a best practice, would run it off business hours due to the impact if something goes wrong. Although Microsoft has almost made schema updates bulletproof, things can still happen, and I personally would rather do changes like this off hours so that in case something does go wrong you are not impacting the business and you don't have to work under so much pressure to get services back up.

Also, if you are trying to save time by doing this change during production hours, why take the risk? Schema changes only take minutes to complete, so you won't be saving too much time on the weekend before you actually install the service packs.

Some things to consider before doing schema changes:
- test in a lab environment (if possible take a VM of your Exchange/AD environment and test)
- make sure you have a system state backup of your ntds.dit database (make sure that the backup admin is available)

Some might think this is overkill but when you are working with AD you don't want anything to go wrong.

"Ounce of prevention is a pound of cure!"

Will.
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 40529815
Thanks Will,
So yes, I'll take the system state backup from one of my DCs to back up the NTDS.DIT file.
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 800 total points
ID: 40530414
It is best to get the system state backup from the FSMO role holder, for schema master specifically. If you take a system state backup from a secondary DC you cannot restore it to another DC. It has to be restored to the DC that it was taken from. If you try and do an authoritative restore from a backup DC you may run into issues.

As stated this might be overkill but just want to point the details out.

Your change should be fine.

Will.
0
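
The checks recommended in the answers above (clean dcdiag, healthy replication, a system state backup taken on the schema master) can be gathered into one read-only pre-flight run. This is an added example, not part of the thread and not code from any poster or from Microsoft; it assumes a single domain, the ActiveDirectory PowerShell module, dcdiag and repadmin on the PATH, and E: as a placeholder backup volume.

```powershell
# Added example: read-only pre-flight before setup.com /PrepareAD or /PrepareDomain.
# Assumes the ActiveDirectory module (RSAT) and dcdiag/repadmin on PATH.
Import-Module ActiveDirectory

$schemaMaster = (Get-ADForest).SchemaMaster
$domainDN     = (Get-ADDomain).DistinguishedName
$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$problems     = @()

# 1. dcdiag /q prints only errors, so any output means that DC is not clean.
foreach ($dc in (Get-ADDomainController -Filter *)) {
    $out = dcdiag "/s:$($dc.HostName)" /q 2>&1
    if ($out) { $problems += "dcdiag errors on $($dc.HostName)" }
}

# 2. Replication: flag unreachable DCs and any link with a failure count above 0.
$links = repadmin /showrepl * /csv | ConvertFrom-Csv
foreach ($l in $links) {
    if ($l.showrepl_COLUMNS -eq 'showrepl_ERROR') {
        $problems += 'repadmin could not query at least one DC'
    } elseif ([int]$l.'Number of Failures' -gt 0) {
        $problems += "replication failing: $($l.'Source DSA') -> $($l.'Destination DSA')"
    }
}

# 3. Snapshot what the prepare step touches, to compare after the run.
$ver = Get-ADObject -SearchBase $schemaNC -Filter 'Name -eq "ms-Exch-Schema-Version-Pt"' -Properties rangeUpper
$ou  = Get-ADOrganizationalUnit -SearchBase $domainDN -SearchScope OneLevel -Filter 'Name -eq "Microsoft Exchange Security Groups"'
$groups = @()
if ($ou) { $groups = @(Get-ADGroup -SearchBase $ou.DistinguishedName -Filter * | Select-Object -ExpandProperty Name) }

$report = New-Object PSObject -Property @{
    SchemaMaster      = $schemaMaster
    ExchangeSchemaVer = $ver.rangeUpper
    SecurityGroupsOU  = [bool]$ou
    SecurityGroups    = $groups -join ', '
    Problems          = $problems
}
$report | Format-List

# 4. Only when nothing is flagged, back up system state on the schema master itself.
if ($problems.Count -eq 0) {
    "Clean. On $schemaMaster run: wbadmin start systemstatebackup -backupTarget:E:"  # E: is a placeholder volume
} else {
    'Resolve the problems above before extending the schema.'
}
```

Running it again after the prepare step and comparing ExchangeSchemaVer and SecurityGroups shows what the run actually changed.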
 
LVL 8

Author Closing Comment

by:Senior IT System Engineer
ID: 40539377
Thanks
0


Question has a verified solution.
