What are the things to do in Exchange Server 2010 SP3 before/after decommissioning an old Domain Controller?

Hi,

I'm about to decommission one of the domain controllers/global catalogs, which is running Win2k3, in the AD site where all my Exchange servers are running. In the Exchange Management Console > Server Configuration > Client Access | System Settings tab, I can see the three DC/GCs as follows: PRODDC01-VM, PRODDC02, PRODDC03-VM.

What are the preferred steps to avoid email delivery issues to the Exchange servers or to clients using the Outlook client and Outlook Anywhere?

Here's the topology of my Infrastructure:

      Single AD Domain forest

      AD Site DataCenter contains:
            Domain Controllers / GC: PRODDC01-VM, PRODDC02, PRODDC03-VM
            Exchange Server 2010 SP3 - CAS&HT: PRODMAIL01-VM and PRODMAIL01-VM (Configured with WNLB as outlook.domain.com)
            Exchange Server 2010 SP3 - Mailbox: PRODMAILBOX01-VM and PRODMAILBOX01-VM (no DAG is set)

      AD Site HQ contains:
            Domain Controllers: HQDC01 and HQDC02
            Workstations using Outlook 2010 and 2013
Senior IT System Engineer (IT Professional) asked:
Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) commented:
Hi,

Make sure that you have proper DNS MX records to avoid any email delivery issues. Check that replication between the domain controllers is in place by running the following commands. Make sure that you set a domain controller for Exchange 2013. When Exchange 2013 installs, it picks a random domain controller. Refer to the link below:

https://technet.microsoft.com/en-us/library/aa998561(v=exchg.150).aspx

Repadmin /replsum
Repadmin /showrepl
Repadmin /bridgeheads
netdom query fsmo
netdom query dc
DCDiag /v

Thanks
Manikandan
0
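The replication and FSMO checks listed above, scripted as a pre-flight check. This is an added example and not code from the thread: it runs in PowerShell 2.0 or later on any member of the domain and uses the .NET System.DirectoryServices.ActiveDirectory classes instead of parsing netdom output. $OldDc is an assumption (the question lists three DC/GCs but does not say which one is being retired); $Site is the AD site holding the Exchange servers, which the question calls DataCenter.

```powershell
# Added example, not from the original thread: pre-flight checks before the DC/GC
# is demoted. Assumptions: $OldDc is the DC being retired (the question does not
# say which of the three it is); $Site is the site holding the Exchange servers.
$OldDc  = "PRODDC01-VM"
$Site   = "DataCenter"
$issues = @()

Add-Type -AssemblyName System.DirectoryServices
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# 1. FSMO roles: all five must have been transferred off $OldDc before dcpromo.
$fsmo = @{
    'Schema master'         = $forest.SchemaRoleOwner.Name
    'Domain naming master'  = $forest.NamingRoleOwner.Name
    'PDC emulator'          = $domain.PdcRoleOwner.Name
    'RID master'            = $domain.RidRoleOwner.Name
    'Infrastructure master' = $domain.InfrastructureRoleOwner.Name
}
foreach ($role in $fsmo.Keys) {
    "{0,-22} {1}" -f $role, $fsmo[$role]
    if ($fsmo[$role] -like "${OldDc}.*") { $issues += "$role is still held by $OldDc; transfer it first" }
}

# 2. Global catalogs that remain in the Exchange site. Exchange 2010 needs a GC in
#    its own site; with only one left there is no redundancy during the change.
$gcInSite  = @($forest.GlobalCatalogs | Where-Object { $_.SiteName -eq $Site })
$remaining = @($gcInSite | Where-Object { $_.Name -notlike "${OldDc}.*" })
"GCs in site ${Site}: $(($gcInSite | ForEach-Object { $_.Name }) -join ', ')"
if ($remaining.Count -lt 2) { $issues += "only $($remaining.Count) GC would remain in $Site" }

# 3. Replication health, taken from repadmin's CSV output instead of read by eye.
#    A failing link means the surviving DCs may not hold a complete, current copy.
$links  = @(repadmin /showrepl * /csv | ConvertFrom-Csv)
$failed = @($links | Where-Object { ($_.'Number of Failures' -as [int]) -gt 0 })
"Replication links: $($links.Count), failing: $($failed.Count)"
$failed | Format-Table 'Source DSA', 'Destination DSA', 'Naming Context', 'Last Failure Status' -AutoSize
if ($failed.Count -gt 0) { $issues += "replication failures present; fix them before demoting" }

# 4. Summary: anything in $issues blocks the demotion.
if ($issues.Count -gt 0) { $issues | ForEach-Object { Write-Warning $_ } }
else { "Pre-flight OK: $OldDc holds no FSMO role, $Site keeps $($remaining.Count) GCs, replication is clean" }
```

The FSMO and GC checks come from the forest and domain objects directly, so they do not depend on the old DC answering; repadmin still contacts every DC, so run it before the old one is taken offline.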
Senior IT System Engineer (IT Professional, Author) commented:
Hi Mani,

I'm running Exchange Server 2010 with SP3 not 2013.
0
Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) commented:
Hi,

All of it applies the same, but don't forget to set a preferred domain controller from the Exchange Management Console. Here is the link:

https://technet.microsoft.com/en-us/library/aa998227(v=exchg.141).aspx

Thanks
Manikandan
0

Senior IT System Engineer (IT Professional, Author) commented:
OK, Mani, as per my understanding from managing Exchange Server 2007 CCR, a domain controller decommission requires a service to be restarted on the Exchange server (the AD Topology service). Is that still the case?

Why do I need to explicitly set the preferred DC/GC when there are already two in the same AD site?
0
Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) commented:
Hi,

This is just a cross-check: if you see that one of the two of them is selected as the domain controller, then you don't need to change it. The reason I ask you to change the DC is to make sure that Exchange is not pointing to the OLD DC. And of course restarting the AD Topology service is still required. Once you have modified the domain controller from the Management Console, you have to restart the AD Topology service for the changes to take effect.

Thanks
Manikandan
0
Senior IT System Engineer (IT Professional, Author) commented:
Mani,

Somehow, from the EMC 2010 (Exchange Management Console > Server Configuration > Client Access | System Settings tab), there is no way to change it?
0
Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) commented:
Hi,

Use the Configuration Domain Controller dialog box to specify a domain controller to use to read and write to Active Directory if you modify any server or organization configuration.
To change the configuration domain controller, click Organization Configuration, and then, in the action pane, click Modify Configuration Domain Controller.

Use a default domain controller
    Click this button to use the default domain controller. The default domain controller is the domain controller to which the computer is currently connected.
Domain
    If you want to specify a domain controller instead of using a default one, click Browse to open the Select Domain dialog box. Use this dialog box to select a domain in your Active Directory forest. You must select a domain before you can select a domain controller.
Configuration domain controller
    This field isn't made available until you've specified a domain.
    Click Browse to open the Select Domain Controller dialog box. Use this dialog box to select the domain controller you want to use when modifying server or organization configuration.

Or you can also use the commands:

Set-ADServerSettings -PreferredServer dc2.exchangeserverpro.local
Get-ADServerSettings | fl

Thanks
Manikandan
0
Senior IT System Engineer (IT Professional, Author) commented:
Thanks Mani,

So in that case there shouldn't be any outage to the email flow once it is "forced" to a certain domain controller?
0
Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) commented:
Hi,

Yes, however make sure that the DNS servers have proper MX records pointed to the Exchange server. If the DNS settings are correct, then there will be no outage in email flow.

Thanks
Manikandan
0
Senior IT System Engineer (IT Professional, Author) commented:
What I'm worried about is that, based on the network monitoring tool's report, in the past 1 day there is still a lot of traffic of the following types to this old DC/GC from all Exchange servers:

tcp/3268 (msft-gc)
tcp/389 (ldap)
tcp/445 (microsoft-ds)
tcp/88 (kerberos)
udp/389 (ldap)
0
Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) commented:
Hi,

That's what I said: you need to modify the domain controller and restart the Microsoft Exchange AD Topology service. The best workaround is, before removing the old DC, to change the domain controllers on the Exchange servers, restart the AD Topology service, and monitor that the new DC is receiving traffic from the Exchange servers. After you confirm that Exchange is working properly, remove the OLD DC.

Thanks
Manikandan
0
tigermatt commented:
If the new server was stood up as a Domain Controller and Global Catalog, Exchange should find it. Look for application event log entries from the AD Topology service listing domain controllers Exchange is aware of, and verify the new server(s) are listed in that log message.

The steps you need to take are mostly identical to any other member server you might have. In particular, updating DNS server addresses, if you use AD-integrated DNS and one of the server entries pointed to the old DC.

While Exchange should gracefully failover, it will only do so if allowed to discover and use a Domain Controller of its choosing. A forced restart of the AD Topology service during the maintenance window, after you demote the old DC, will force a rediscovery of the topology and hence avoids waiting for holddown timers before the disappearance of the old DC is noted and accommodated.

I do not recommend forcefully selecting a Domain Controller as described above. Do VERIFY that no configuration has been made which forces Exchange to use the old DC, but don't force a new DC in the configuration. Remove any hard-coded parameters and let Exchange pick the DCs it wants to deal with; it is more than capable of doing this itself. If traffic is still going to the old DC, that's fine; provided it knows of the existence of the new DCs (see the event log messages) it will use them after the old is demoted.

---

Yes however make sure that the DNS servers are has proper MX records pointed to the exchange server.
DNS MX records internally are irrelevant; unless multiple internal email systems are being operated internally (which the author would know about) they are not required. Moreover any MX records which already exist will:

(a) already point to the Exchange (or other mail system) infrastructure, so taking out a DC will not change the MX record endpoint; and
(b) in any case, internal MX records are present in the DNS, and hence, assuming the author's DNS infrastructure is sound and replicating records correctly, the MX records will be replicated to any new DNS server which the author stands up. No need to re-create them.
0
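The verification described above (event log topology entries, no hard-coded DC, DNS settings) and the traffic question earlier in the thread, as an added example run in the Exchange Management Shell on each Exchange 2010 server. This is not code from the thread. It uses Get-ExchangeServer -Status (the Current* properties show the DCs in use, the Static* ones are where a DC would be hard-coded), the MSExchange ADAccess 2080 event that lists the discovered DCs, netstat, and the NIC DNS settings from WMI. $OldDc is an assumption since the question does not say which of the three DC/GCs is being retired; the other names come from the question.

```powershell
# Added example, not from the original thread. Run on each Exchange 2010 server
# in the Exchange Management Shell. $OldDc is assumed (the question does not
# name the DC being retired); $AllDcs are the DC/GCs listed in the question.
$OldDc  = "PRODDC01-VM"
$AllDcs = "PRODDC01-VM", "PRODDC02", "PRODDC03-VM"
$Me     = $env:COMPUTERNAME

# 1. What Exchange is using now versus what has been hard-coded. -Status fills
#    the Current* properties; a non-empty Static* property is the kind of
#    hard-coded parameter that would keep this server on $OldDc.
$x = Get-ExchangeServer -Identity $Me -Status
$x | Format-List Name, CurrentDomainControllers, CurrentGlobalCatalogs,
    CurrentConfigDomainController, StaticDomainControllers, StaticGlobalCatalogs,
    StaticConfigDomainController, StaticExcludedDomainControllers

$staticValues = @()
foreach ($p in 'StaticDomainControllers', 'StaticGlobalCatalogs', 'StaticConfigDomainController') {
    $staticValues += @($x.$p | ForEach-Object { "$_" })
}
if ($staticValues -like "${OldDc}*") {
    Write-Warning "$Me is statically pinned to $OldDc; clear it with Set-ExchangeServer before demotion"
} elseif ($staticValues) {
    Write-Warning "$Me has static DC settings ($($staticValues -join ', ')); decide whether they should stay"
}

# 2. The most recent MSExchange ADAccess 2080 event: the table of DCs the AD
#    Topology service discovered. A DC missing from it will not be used at all.
$ev = Get-EventLog -LogName Application -Source "MSExchange ADAccess" -Newest 500 |
      Where-Object { $_.EventID -eq 2080 } | Select-Object -First 1
if ($ev) {
    "Last topology discovery: $($ev.TimeGenerated)"
    $rows = $ev.Message -split "`r?`n"
    foreach ($dc in $AllDcs) {
        $row = $rows | Where-Object { $_.Trim() -like "${dc}.*" }   # rows start with the DC FQDN
        if ($row) { "  $($row.Trim())" } else { Write-Warning "  $dc not in the last discovery" }
    }
} else {
    Write-Warning "no MSExchange ADAccess 2080 event among the last 500 Application entries"
}

# 3. Live TCP sessions from this server to $OldDc on the ports the monitoring
#    tool reported (Kerberos, LDAP, SMB, GC). These should move to the other DCs
#    once the AD Topology service has been restarted.
$oldIps = [System.Net.Dns]::GetHostAddresses($OldDc) |
          Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
          ForEach-Object { $_.IPAddressToString }
$ports  = 88, 389, 445, 3268
$conns  = netstat -n -p tcp | Where-Object {
    $_ -match '^\s*TCP\s+\S+\s+(\S+):(\d+)\s+ESTABLISHED' -and
    ($oldIps -contains $matches[1]) -and ($ports -contains [int]$matches[2])
}
"Established sessions to ${OldDc}: $(@($conns).Count)"
$conns

# 4. DNS client settings: a NIC that still lists $OldDc as a DNS server must be
#    changed before demotion, exactly as for any other member server.
$dns = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE" |
       ForEach-Object { $_.DNSServerSearchOrder }
"DNS servers on ${Me}: $($dns -join ', ')"
if ($dns | Where-Object { $oldIps -contains $_ }) {
    Write-Warning "a NIC on $Me still uses $OldDc for DNS; update it before demotion"
}
```

The 2080 event is written by the AD Topology service at each discovery cycle, so a restart of that service produces a fresh one; compare the table before and after the demotion to confirm the old DC has dropped out and the remaining two are still listed.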

Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) commented:
Hi Tiger,

I do accept that Exchange should find the DC automatically, but I have found in various cases that it doesn't, and that's the reason I recommend changing it manually.

Thanks
Manikandan
0
tigermatt commented:
Understood. It's probably fine to make the changes you describe on a temporary basis, and the decision whether to do so or not is purely a matter of style. However, the author should take great care to ensure they are rolled back and Exchange's automated decision making takes place again after the demotion takes place and enough time has elapsed for the old DC to cycle out of the reported AD topology. To not do so would cause difficulties later on, in particular with the fault tolerance of the DCs for Exchange.
0
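One way to do what both of the previous comments describe (keep the old DC out of Exchange's path before demotion, then roll the change back afterwards), as an added example that is not code from the thread. Instead of pinning Exchange to a single DC, it puts the DC being retired on each server's StaticExcludedDomainControllers list with Set-ExchangeServer, so automatic discovery keeps running but skips that DC; restarts the AD Topology service to apply it; checks that no server still reports the old DC in use; and clears the exclusion after the demotion. Note that Restart-Service -Force stops the services that depend on AD Topology (Transport, Information Store and others) and does not start them again, so the restart function records and restarts them, and belongs in a maintenance window. Assumptions: Exchange Management Shell with organization admin rights, the restart function run locally on each Exchange server, $OldDcFqdn and its domain suffix made up because the question does not name the DC being retired, and the server list taken from the question.

```powershell
# Added example, not from the original thread. Assumptions: $OldDcFqdn is the
# DC being retired (not named in the question; the DNS suffix is made up) and
# $ExchangeServers lists the Exchange 2010 servers from the question.
$OldDcFqdn       = "PRODDC01-VM.domain.local"
$ExchangeServers = "PRODMAIL01-VM", "PRODMAILBOX01-VM"   # add the other CAS/HT and mailbox servers

# Step 1 (before demotion, from any EMS): tell every server to ignore the old
# DC while still choosing among the remaining ones itself.
function Set-OldDcExclusion {
    foreach ($s in $ExchangeServers) {
        Set-ExchangeServer -Identity $s -StaticExcludedDomainControllers $OldDcFqdn
    }
}

# Step 4 (after demotion, from any EMS): remove the exclusion so no server
# carries a reference to a DC that no longer exists ($null clears the list).
function Clear-OldDcExclusion {
    foreach ($s in $ExchangeServers) {
        Set-ExchangeServer -Identity $s -StaticExcludedDomainControllers $null
    }
}

# Walk the dependency tree of a service, recursively, so that everything
# Restart-Service -Force stops can be started again afterwards.
function Get-DependentServiceNames([string]$Name) {
    foreach ($d in (Get-Service -Name $Name).DependentServices) {
        $d.Name
        Get-DependentServiceNames $d.Name
    }
}

# Step 2 (locally on each Exchange server, in a maintenance window): restart
# AD Topology and bring back the dependents that were running before.
function Restart-ADTopologyWithDependents {
    $wasRunning = @(Get-DependentServiceNames 'MSExchangeADTopology' | Select-Object -Unique |
                    Where-Object { (Get-Service -Name $_).Status -eq 'Running' })
    Restart-Service -Name MSExchangeADTopology -Force
    foreach ($name in $wasRunning) {
        # Start-Service also starts anything $name depends on, so order is not critical.
        if ((Get-Service -Name $name).Status -ne 'Running') { Start-Service -Name $name }
    }
    if ($wasRunning.Count -gt 0) { Get-Service -Name $wasRunning | Format-Table Name, Status -AutoSize }
}

# Step 3 (from any EMS, after the restarts): no server may still report the
# old DC among the DCs, GCs or configuration DC it is currently using.
function Test-OldDcStillInUse {
    $inUse = @()
    foreach ($s in $ExchangeServers) {
        $x = Get-ExchangeServer -Identity $s -Status
        $current = @($x.CurrentDomainControllers) + @($x.CurrentGlobalCatalogs) +
                   @($x.CurrentConfigDomainController) | ForEach-Object { "$_" }
        if ($current -contains $OldDcFqdn) { $inUse += $s }
    }
    if ($inUse.Count -gt 0) { Write-Warning "still using ${OldDcFqdn}: $($inUse -join ', ')" }
    return ($inUse.Count -eq 0)
}

# Usage, in order:
#   Set-OldDcExclusion                  # from any EMS
#   Restart-ADTopologyWithDependents    # on each Exchange server
#   Test-OldDcStillInUse                # must return True before dcpromo
#   ... demote the old DC ...
#   Clear-OldDcExclusion                # from any EMS
#   Restart-ADTopologyWithDependents    # on each Exchange server, once more
```

Because the exclusion is the only static setting introduced, Clear-OldDcExclusion returns each server to fully automatic DC selection, which is the end state the previous comment asks for.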
Senior IT System Engineer (IT Professional, Author) commented:
"While Exchange should gracefully failover...." --> is it the mailbox server cluster or something else?
What are the side effects or impact on the user when it is failing over?

"A forced restart of the AD Topology service" --> is it going to cause Outlook connection issues or email flow problems?
0
Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) commented:
Hi,

A restart of the AD Topology service is not going to cause Outlook connection or email flow problems. It will force the Exchange servers to detect the topology change in AD and start communicating with the new AD. The failover which Tiger is talking about is the AD failover from the old DC to the new DC.

Thanks
Manikandan
0
tigermatt commented:
Yes, sorry for confusing terminology; I am not referring to mailbox clusters or any high availability function in Exchange. I am referring to the detection and use of another DC when any old DCs go away and are unreachable. This is standard behavior; DCs are expected to go away if they were to fail, and AD integrated software has to be built to cope with that.
0
Senior IT System Engineer (IT Professional, Author) commented:
OK, so in conclusion, after I demote the old DC2k3, I do not need to do anything on any of my Exchange servers, because there are still two surviving AD/Global Catalog servers?

The decommissioning process is pretty much transparent to Exchange Server 2010 SP3 and also to user connectivity using Outlook 2010 to the HT/CAS NLB cluster name.

Is that correct?
0
Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) commented:
Hi,

Yes, it's correct. Since you already have 2 DCs, the uninstall process is very simple and there will not be any impact.

Thanks
Manikandan
0
Senior IT System Engineer (IT Professional, Author) commented:
Thanks guys.

So in this case, I reckon that there will be no rollback plan in case DCPROMO gets into some issue.
0
Senior IT System Engineer (IT Professional, Author) commented:
Thanks!
0