[Exchange] Exchange keeps looking at an old DC
Kinda dealing with a nightmare Exchange/AD setup that I inherited.
I have a problem where a certain domain controller keeps failing, and when this happens, no one can authenticate to Exchange. If I run "Get-DomainController" in Exchange, it shows 3 DCs that shouldn't even exist. How do I remove those? More importantly, what's best practice to ensure Exchange keeps running if a single DC were to fail?
I'll be first to admit that I have nearly no experience with Exchange, however I have been given a real mess to clean.
Grants Pass, OR
You've left out quite a lot of detail here. What version are the DCs and what version is the Exchange server?
With regard to the "3 DCs" that don't exist, that sounds like somebody either didn't do a proper removal or the servers physically imploded.
You can check out this post, found using Google:
There is also this tip, for "supposedly" setting up the DCs and their DNS server setups and network settings as well. These are all good tips even if just for a proper redundant setup of the DCs on your network, irrespective of the current Exchange server issue.
"Do you have two DCs in the SAME domain? Please check that they are two DCs for the same domain.
If it is the case then check the following:
Make sure that each DC has one IP address in use and one NIC card enabled (All other NIC cards should be disabled): Multihoming is not recommended for DCs
Make sure that each public DNS server in use is set as a forwarder and not in IP settings of your DCs
Make sure that each DC is also a DNS and GC server
Make each DC point to the other one as primary DNS server
Make each DC point to its own private IP address as secondary DNS server and 127.0.0.1 as the third one
Once done, run ipconfig /registerdns and restart netlogon on both DCs. After that, please delete any DNS records for your DC which is obsolete and still in your domain DNS zones.
Now, make your Exchange server point to both DCs as DNS servers: one as primary and the other one as secondary. Same thing for client computers."
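The quoted steps, applied to one DC as a script. This is an added example, not part of the thread or the post it quotes, and it uses only tools present on Windows Server 2003 and later (netsh, dnscmd, repadmin, ipconfig, nltest). The addresses, the NIC name and the forwarder IPs are placeholders; run it in an elevated prompt on the DC being configured.

```powershell
# Added example, not from the thread or the quoted post. Applies the quoted DNS layout to one DC.
# Assumptions (placeholders, change them): this DC is DC1 at 10.0.0.1, its partner is DC2 at
# 10.0.0.2, the single enabled NIC is "Local Area Connection", and the prompt is elevated.
$ThisDc     = '10.0.0.1'
$PartnerDc  = '10.0.0.2'
$Nic        = 'Local Area Connection'
$Forwarders = @('203.0.113.53', '203.0.113.54')   # placeholder public resolvers (TEST-NET-3 range)

# Step 1: exactly one NIC in use. List the adapters so any extra ones can be disabled, not multihomed.
netsh interface show interface

# Step 2: public resolvers belong in the DNS *server* forwarder list, never on the NIC.
# dnscmd talks to the DNS Server role on this host ("." = local server).
dnscmd . /ResetForwarders $Forwarders

# Step 3: confirm this DC runs DNS (dnscmd /Info succeeds) and is a GC (IS_GC shows in the options).
dnscmd . /Info
repadmin /options .

# Steps 4-5: partner DC first, own private IP second, loopback third (positional netsh syntax).
netsh interface ip set dns $Nic static $PartnerDc
netsh interface ip add dns $Nic $ThisDc 2
netsh interface ip add dns $Nic 127.0.0.1 3

# Step 6: re-register this DC's A and SRV records, then restart Netlogon so the _msdcs entries are rewritten.
ipconfig /registerdns
net stop netlogon
net start netlogon

# Checks: the resolver order now on the NIC, and that the domain locator answers with a live DC.
netsh interface ip show dns
nltest /dsgetdc:$env:USERDNSDOMAIN /force
```

Run the same script on the partner DC with `$ThisDc` and `$PartnerDc` swapped. On the Exchange server and on clients only the two `netsh interface ip set dns`/`add dns` lines apply, pointing at DC1 first and DC2 second; once both DCs carry DNS and the GC role, either one failing leaves Exchange with a working resolver and a catalog to bind to.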
Thank you very much for the tips. I haven't started digging into this today, but I'm going to start.
A little more information about this network. The previous IT Manager was fairly incompetent and not a good fit for the position. He was fired and I was brought in to fix some of the core networking issues and deploy a new VoIP system. I'm not really a Windows guy, but the owner of the place is a friend and he's pretty much begging me to see if I can work out the AD and Exchange issues they have been having.
More about the network:
This network as of now has 2 functioning DCs. Both are running on Windows Server 2003. There is only one domain and one forest. There is only 1 Exchange server and it's running Exchange 2010. Previously, Exchange was running on Exchange 2003. The previous IT Manager attempted an upgrade to Exchange 2010. From what I heard from the staff, it didn't go very well. Ideally, I'd like to move all the DCs up to 2008 R2, but baby steps. There also seem to be other issues. For example, I'm not able to access and modify the group policies. The GP snap-in reads that it's not able to connect to Active Directory. Without taking the whole network down to start AD from scratch, I'm not really sure what to do.
I'm getting to the point of telling this guy that he needs someone who's an expert in this area to clean up the mess because, from my perspective, it seems better to start the whole AD setup from scratch rather than try to fix this one.
Also, thank you for the link. It's in the right direction.
Get-ADServerSettings | fl command returns a DC that doesn't exist. Looks like a step in the right direction.
Here's another problem though: Test-SystemHealth gives warnings that it's not able to connect to the DC that is stable. It returns the following error:
WARNING: Active Directory server *server-name* is down or unreachable. This error could also be the result of a
network or permissions problem. Error: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
Well, this "Domain" is truly in a mess as you have stated. Without the ability to "see" more detail, I'm not comfortable in trying to provide much in the way of further assistance. It does appear though, that the Exchange server is still "joined" to the non-existent DC and breaking that is problematic at best.
Do you have the Domain Administrators password?
Have you checked both of the current DCs for having the DNS server role?
That would be my first choice of where to start. Then maybe, you can start to correct the rest of the problems.
Sounds like the three "old" DCs weren't properly demoted from the domain and they still have service entries in DNS.
I would make sure the two current DCs hold all 5 FSMO roles then I'd clean up DNS of any entry referring to the "old" DCs.
That should get you started on the way to recovery.
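An audit script for the three things this reply names: which DCs DNS still advertises, who holds the FSMO roles, and which DCs Exchange is actually bound to. This is an added example and not part of the thread. The domain name and the list of live DCs are constructed placeholders; it is meant to run in the Exchange Management Shell on the Exchange 2010 server (PowerShell 2.0 syntax) with Domain Admin rights, and it assumes a dedicated _msdcs.<domain> zone, which a 2003 forest-root DC creates by default.

```powershell
# Added example, not from the thread. Audits stale DC locator records, FSMO ownership, and the DCs
# Exchange is using. Assumptions (constructed): domain corp.example, live DCs dc1/dc2, run in the
# Exchange Management Shell; a separate _msdcs.<domain> zone hosts the locator records.
$Domain    = 'corp.example'
$LiveDcs   = @('dc1.corp.example', 'dc2.corp.example')
$MsdcsZone = "_msdcs.$Domain"

# Turn nslookup's SRV answer text into one object per record (priority/weight/port/target).
function Parse-SrvAnswers([string[]]$Lines) {
    $records = @(); $cur = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*priority\s*=\s*(\d+)') {
            $cur = New-Object PSObject -Property @{ Priority = [int]$matches[1]; Weight = 0; Port = 0; Target = '' }
            $records += $cur
        } elseif ($cur -and $line -match '^\s*weight\s*=\s*(\d+)')        { $cur.Weight = [int]$matches[1] }
          elseif ($cur -and $line -match '^\s*port\s*=\s*(\d+)')          { $cur.Port   = [int]$matches[1] }
          elseif ($cur -and $line -match '^\s*svr hostname\s*=\s*(\S+)')  { $cur.Target = $matches[1].TrimEnd('.').ToLower() }
    }
    return $records
}

# Records whose target is not a DC we know to be alive are leftovers from the undemoted servers.
function Find-StaleSrv($Records, [string[]]$Live) {
    $Records | Where-Object { $Live -notcontains $_.Target }
}

# 1. FSMO holders: all five roles must sit on a live DC before anything else is cleaned up.
netdom query fsmo

# 2. The locator record clients and Exchange use to find a DC; any stale target here explains
#    "Active Directory server X is down or unreachable".
$name  = "_ldap._tcp.dc._msdcs.$Domain"
$stale = Find-StaleSrv (Parse-SrvAnswers (nslookup -type=SRV $name 2>$null)) $LiveDcs
foreach ($r in $stale) {
    Write-Warning "stale locator record -> $($r.Target)"
    # Printed for review, not executed: run on a live DC to delete that one SRV record.
    "dnscmd $($LiveDcs[0]) /RecordDelete $MsdcsZone _ldap._tcp.dc SRV $($r.Priority) $($r.Weight) $($r.Port) $($r.Target). /f"
}

# 3. What Exchange 2010 is bound to right now, and whether someone pinned it to a DC statically.
Get-ExchangeServer -Status | Format-List Name, CurrentDomainControllers, CurrentGlobalCatalogs, StaticDomainControllers, StaticGlobalCatalogs
Get-ADServerSettings | Format-List
```

The same parse-and-compare can be repeated for the `_gc._tcp.$Domain` and `_kerberos._tcp.dc._msdcs.$Domain` names. After the DNS entries are gone, the leftover server objects of the undemoted DCs still need to be removed with `ntdsutil` metadata cleanup (the 2003-era method), otherwise replication and the KCC keep expecting them. If step 3 shows a dead DC in the Static* fields, `Set-ExchangeServer` with `-StaticDomainControllers`, `-StaticGlobalCatalogs` and `-StaticConfigDomainController` can point Exchange 2010 at the two live DCs, or clear the pin so it uses the locator again.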
You've nailed it so far. Thank you!
I think I might have this somewhat cleaned up. Thanks again for the help. I'll update you on the progress.