Solved

Remove Active directory from Exchange 2010

Posted on 2015-01-19
Last Modified: 2015-01-20
Please watch carefully; Active directory was installed together with Exchange 2010 on 1 Windows 2012 server.

We already have a separate active directory 2012 server in the domain. This exchange server WITH active directory is now giving huge problems (syncing, no users in active directory etc.).

Now I want to remove active directory from the Exchange 2010 SERVER, so that we have just 1 domain controller.

I do NOT want to remove exchange from active directory.

I need to keep the whole exchange 2010 configuration and mailboxes.
Question by:thisis_it
34 Comments
 
LVL 24

Expert Comment

by:VB ITS
Comment Utility
To demote your 2012 server with Exchange installed on it from being a Domain Controller, follow the steps in this article: http://technet.microsoft.com/en-au/library/jj574104.aspx

I would remove all the AD DS related roles and features as well:
- Active Directory Module for Windows PowerShell feature
- AD DS and AD LDS Tools feature
- Active Directory Administrative Center feature
- AD DS Snap-ins and Command-line Tools feature
- DNS Server
- Group Policy Management Console

Microsoft does not support having Exchange installed on a 2012 DC so it's a good thing you're doing this now, however it still may not fix your Exchange issues. See how you go after you demote the DC.
0
 
LVL 37

Assisted Solution

by:Neil Russell
Neil Russell earned 200 total points
Comment Utility
You should NOT demote a DC that has exchange on it.  I have not tried on 2012 but previous versions of AD have either stopped you doing it or BROKEN your exchange environment.
0
 

Author Comment

by:thisis_it
Comment Utility
VB ITS; thanks for your information; are you sure this can be done as non-destructive for my exchange environment on that same server ?
0
 
LVL 37

Expert Comment

by:Neil Russell
Comment Utility
NO IT CAN NOT. It is not supported by MS
0
 

Author Comment

by:thisis_it
Comment Utility
VB ITS: Exchange 2010 with minimal sp3 is supported on Windows 2012 ?
0
 
LVL 24

Expert Comment

by:VB ITS
Comment Utility
"VB ITS; thanks for your information; are you sure this can be done as non-destructive for my exchange environment on that same server ?"
Honestly I can't tell you as I've never seen Exchange installed on a 2012 DC before, simply because it's not supported by Microsoft.

Take a backup of the server and your other DC before making any changes to AD.

"VB ITS: Exchange 2010 with minimal sp1 is supported on Windows 2012 ?"
Nope, only Exchange 2010 SP3 is supported on Server 2012.
0
 

Author Comment

by:thisis_it
Comment Utility
VB ITS: see this article from Microsoft:

http://blogs.technet.com/b/exchange/archive/2012/09/25/announcing-exchange-2010-service-pack-3.aspx

"Support for Windows Server 2012: With Service Pack 3, you will have the ability to install and deploy Exchange Server 2010 on machines running Windows Server 2012."
0
 
LVL 37

Expert Comment

by:Neil Russell
Comment Utility
Answering a question on Experts exchange and then when questioned saying "Honestly I can't tell you as I've never seen Exchange installed on a 2012 DC before, simply because it's not supported by Microsoft."  Is not REALLY an expert comment.
0
 
LVL 24

Assisted Solution

by:-MAS
-MAS earned 300 total points
Comment Utility
FYI
Running DCPROMO on an Exchange Server is not supported.
You need to install a new Exchange and move mailboxes to it. Once everything is moved (mailboxes and messaging functionality), you can uninstall Exchange from the DC. And this is the recommended way.
Please check this
https://social.technet.microsoft.com/Forums/exchange/en-US/3108804e-a4ad-4995-b19a-2c71f0bc6540/remove-dc-role-from-exchange-server?forum=exchange2010#58548a76-1ec7-4440-8f08-35a6633b4cd1
0
 

Author Comment

by:thisis_it
Comment Utility
VB ITS:

Now I understand; my response before was too fast;

1) Exchange 2010 sp3 is supported to install on a windows 2012 server but

2) Active directory is NOT supported to install on Exchange 2010 server
0
 
LVL 24

Expert Comment

by:VB ITS
Comment Utility
You originally asked about Exchange 2010 SP1 :)

I'll assume it was a typo. Yes, as stated in my previous reply Exchange 2010 SP3 is fully supported on Server 2012.

You can also see the Supported operating system platforms matrix in this link for verification: http://technet.microsoft.com/library/ff728623(v=exchg.150).aspx
0
 
LVL 24

Expert Comment

by:VB ITS
Comment Utility
"VB ITS:

Now I understand; my response before was too fast;

1) Exchange 2010 sp3 is supported to install on a windows 2012 server but

2) Active directory is NOT supported to install on Exchange 2010 server"
Correct.

@MAS I'm not sure how successful that will be given that his current Exchange environment appears to be having issues talking to AD.
0
 

Author Comment

by:thisis_it
Comment Utility
VB ITS: it was my mistake (wrong servicepack). Confusion fixed ;)

OK; experts: so what we need to do:

1) Backup exchange server with AD and backup other Domain controller (create image)
2) remove active directory from exchange server
3) remove exchange from server
4) install "fresh" exchange server on same server


My questions:

1) What tools do you use to backup the mailboxes and rules created (signatures, automatic replies etc.)
2) When I remove Exchange everything is lost and I need to create new mailboxes per user and import the pst backup to it. Other things to keep in mind ?

Thanks
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
Just sticking my $0.02 in to the mix.

Neilsr is totally correct - you will break Exchange if you Demote or Promote a server with Exchange already installed in it.

Following MAS's advice would be the best way forward for you.

VB_ITS - your advice (if followed here) would have resulted in Exchange being massively broken.  Please stick to answering questions where you have the knowledge to answer them rather than using a search engine to try and answer them for you.

Alan
0
 
LVL 24

Accepted Solution

by:
-MAS earned 300 total points
Comment Utility
If there is problem with AD you will have to fix it first.
or install ADC and point your Exchange to the ADC by command
Set-ADServerSettings -PreferredServer dc2.exchangeserver.local


Then work on next process.
0
 
LVL 24

Expert Comment

by:VB ITS
Comment Utility
Try the steps in MAS's comment first.

If you can move the mailboxes over to the new Exchange server then great, no need to worry about the above.
0
 

Author Comment

by:thisis_it
Comment Utility
MAS: problem is  when I reboot the first server with AD on it and afterwards the second server with exchange and active directory everything is ok for 2 days. But some strange things happen ;

1) The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server (domaincontroller). The target name used was domain\domaincontroller. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (domainname) is different from the client domain (domainname), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

2) The average of the most recent heartbeat intervals [482] for request [Ping] used by clients is less than or equal to [540].
Make sure that your firewall configuration is set to work correctly with Exchange ActiveSync and direct push technology. Specifically, make sure that your firewall is configured so that requests to Exchange ActiveSync do not expire before they have the opportunity to be processed

3) This happened when there was a time difference of 4 hours between the Active Directory Server and Exchange server with also AD on it.

4) We also do not have mappings anymore at the client site; only ip addresses pointing to the server are possible instead of domainname\foldername

5) When I create a new dns name; after the errors it disappears in AD.

So it looks like huge AD problems.
0
 

Author Comment

by:thisis_it
Comment Utility
Any suggestions at the above mentioned errors ?
0
 
LVL 37

Expert Comment

by:Neil Russell
Comment Utility
"3) This happened when there was a time difference of 4 hours between the Active Directory Server and Exchange server with also AD on it."

There should never be a time difference between computers in an Active Directory environment.  Always use Windows Time Sync between all servers/workstations and the PDC Emulator.

AD/Kerberos will break if there is more than around 5 mins of time differential.
0
 
LVL 37

Expert Comment

by:Neil Russell
Comment Utility
You need ALL machines to have the same exact date/time on them.
0
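
Added example, not part of the thread or of any participant's post: a PowerShell sketch of the clock-skew check discussed in the comments above, parsing `w32tm /stripchart ... /dataonly` output and flagging hosts whose offset exceeds the default 5-minute Kerberos tolerance. The function name `Get-ClockSkew`, the hostnames and the sample output lines are hypothetical and constructed for illustration.

```powershell
# Added example: flag hosts whose clock offset exceeds the Kerberos tolerance.
# 300 s is the default "Maximum tolerance for computer clock synchronization".
$MaxSkewSeconds = 300

function Get-ClockSkew {
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,
        [Parameter(Mandatory)] [string[]] $StripchartOutput,
        [int] $ThresholdSeconds = $MaxSkewSeconds
    )
    # Data lines look like "10:00:01, +14400.5312345s";
    # failed samples look like "10:00:01, error: 0x800705B4" and are skipped.
    $offsets = @(foreach ($line in $StripchartOutput) {
        if ($line -match '^\d{1,2}:\d{2}:\d{2},\s*([+-]\d+\.\d+)s\s*$') {
            [double]::Parse($Matches[1], [Globalization.CultureInfo]::InvariantCulture)
        }
    })
    if ($offsets.Count -eq 0) {
        return [pscustomobject]@{ Computer = $ComputerName; OffsetSeconds = $null; Status = 'NoData' }
    }
    # Judge the host by its worst (largest absolute) sample.
    $worst = $offsets | Sort-Object { [math]::Abs($_) } -Descending | Select-Object -First 1
    $status = if ([math]::Abs($worst) -gt $ThresholdSeconds) { 'ExceedsKerberosTolerance' } else { 'OK' }
    [pscustomobject]@{ Computer = $ComputerName; OffsetSeconds = [math]::Round($worst, 3); Status = $status }
}

# Constructed sample output (hostnames and offsets are made up, not from the thread).
$samples = [ordered]@{
    'dc1.example.local'   = @('Tracking dc1.example.local [192.0.2.10:123].',
                              'Collecting 2 samples.',
                              '10:00:01, +00.0123456s',
                              '10:00:03, -00.0098765s')
    'exch1.example.local' = @('Tracking exch1.example.local [192.0.2.20:123].',
                              '10:00:05, +14400.5312345s')   # about 4 hours off
    'ws1.example.local'   = @('10:00:09, error: 0x800705B4')   # no usable sample
}

$samples.GetEnumerator() |
    ForEach-Object { Get-ClockSkew -ComputerName $_.Key -StripchartOutput $_.Value } |
    Format-Table -AutoSize

# Live use from a domain-joined machine (left commented so the example runs offline):
# $out = w32tm /stripchart /computer:dc1.example.local /samples:3 /dataonly
# Get-ClockSkew -ComputerName 'dc1.example.local' -StripchartOutput $out
```

A host reported as `NoData` could not be sampled at all and should be checked by hand rather than treated as in sync.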
 
LVL 37

Expert Comment

by:Neil Russell
Comment Utility
@this_is_is
The question that you asked was answered with my first post.  You can not do it.

What you are asking now is issues with server connectivity and probably replication and should be asked in a separate question.
0
 
LVL 24

Assisted Solution

by:-MAS
-MAS earned 300 total points
Comment Utility
Agree with Neilsr.

You better install an ADC(as mentioned above), check the health of the AD, check replication and try to fix that issue in a separate question. Then continue with the troubleshooting of Exchange.
0
 
LVL 37

Expert Comment

by:Neil Russell
Comment Utility
The assignment of points here is totally wrong.  The Answer was provided by myself right at the beginning.  YOU CAN NOT UNINSTALL AD On an exchange server.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
Neilsr - I agree with you.  As you have already raised an RFA - it should get handled in there.

Mods - IMHO comment http:#40557615 should be awarded the lion's share of the points.
0
 

Author Comment

by:thisis_it
Comment Utility
Neilsr; part of the question is: if it is possible or not. Your first answer is also an answer (not possible) but I was looking for a possible solution to fix this problem.

MAS has offered 3 different solutions to get the work done, so he gets my points.
0
 
LVL 24

Expert Comment

by:-MAS
Comment Utility
Apart from that rating is good not excellent. Please let us know if you are not clear on our comments so it will help you in future.
Please request admin to open the question (by clicking "Request Attention") for you and reassign the points and rating.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
@thisis_it - I would have at least awarded some points to Neilsr then - awarding him nothing is a slap in the face for providing you with an answer that is correct.  If you had followed other expert's advice e.g., demoting the server, you would be in a really bad way right now.

Alan
0
 

Author Comment

by:thisis_it
Comment Utility
Alan; you are right; how can I reopen this one and change my points ?
0
 
LVL 24

Expert Comment

by:-MAS
Comment Utility
Agree with Alan and Neilsr.  Neilsr deserves points.
Click on "Request Attention" and request admin to open the question for you.
0
 

Author Comment

by:thisis_it
Comment Utility
Neilsr: sorry; you also earn points. I have asked to reopen this question.
0
 

Author Comment

by:thisis_it
Comment Utility
Ok; thanks for assisting.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
My pleasure.
0
