Preparing to Decommission a DC, Exchange 2010 Shows it is Exclusively Using it as DC and GC
-
A couple months ago during maintenance on this DC, I noticed the mail stopped flowing through my Exchange server when the DC was rebooted during the update process. I found that my Exchange server was using it, exclusively, as a DC and GC. I decided that since I was already in a maintenance window, I would statically assign the more current DC and GC servers to Exchange using the Set-ADServerSettings commandlet in EMS. This caused the server to hang at applying settings during a reboot. A couple hours after the customary pants soiling and mad Googling, I found a post in the comments section of a random blog that explained I needed to add the Exchange server to the domain admins group. Didn't make sense to me either, but it worked. Once I got the server to boot, I went in and removed the static DC entries.
All that to say, I want to make sure that the Exchange server will pickup the correct DCs before I demote the other one and decommission it. Running Get-ADServerSettings | fl in EMS, shows me that the only DC and GC Exchange is using is the old one! In EMC>Modify Configuration Domain Controller it is set to "use a default domain controller"; although I am not sure where it gets that info, as the NIC doesn't have the older DC listed in any properties. I had also transferred the FSMO roles from the old DC to the newer ones over a year ago and verified that both my would be remaining DCs are GC servers.
I don't want to set it statically and have the same problem again and not be able to get up and running because it wants to use a server that no longer exists. Does anyone know how I can get Exchange to pickup the correct servers automatically?
-
Do you have AD Sites and Services setup properly?
-
I think I do. This is the only strange issue I see but this domain has been around since Windows 2000 and has been migrated a few times to newer versions. How would I check to see if it is setup properly?
-
I only have one site and the servers listed are all 3 of my DCs, including the one I will be demoting. Each server has the other two listed in the as connections in the NTDS Settings. If I check AD Replication Status Tool, I have 0 errors.
-
-
What machine is Exchange using for DNS? Is the primary DNS still pointed to the old server?
I've seen issues where machines won't flip over to the secondary DNS server for extended times - I wonder if that was your issue?
-
@Dashrender The DNS servers specified in the Windows NIC properties are the two newer DCs. I don't have the old one that Exchange is currently pointing to referenced in those settings, anywhere.
-
Do you see a setting that shows Exchange pointing to a DC? It really shouldn't work that way - unless the person who set it up specifically setup a specific AD server to answer Exchange quires (bad design).
-
This thread has several trouble shooting tips
https://social.technet.microsoft.com/Forums/exchange/en-US/62269213-6034-4c60-9b69-37eb302f5e5b/how-to-set-new-default-domain-controller-for-exchange?forum=exchange2010 -
This is the Exchange management console window you get when you click "Modify Configuration Domain Controller"
This is the output when running the Get-ADServerSettings | fl command in EMS to see the servers Exchange is using
-
Assuming you can afford a little downtime,
What happens when you unplug the old AD from the network?
Also, do the new DC's only point to each other for DNS? or do either of them point to the old AD box for DNS?
-
@Dashrender Currently, they point to each of the others. FP01 is the server that will be decommissioned.
On DC03:
Preferred- FP0 1
Alternate- DC03
Tertiary- DC01On DC01:
Preferred- DC03
Alternate- DC01
Tertiary- FP01On FP01 (to be decommissioned):
Preferred- DC03
Alternate- FP01
Tertiary- DC01 -
I'd start by removing FP01 from all DNS entries everywhere.
Again, double check DNS entries on the Exchange server itself - make sure it's not looking to FP01.Then open a command prompt, type NSLOOKUP and see what it uses as a server - should be whatever your primary DNS is, close the window.
Now unplug the FP01 server from the network and see What exchange does - if it works as desired, you're done. Plug the server back in, DCPromo it down.
I just ran the
Get-ADServerSettings | flcommand and it showed me two different AD servers for the different roles listed. Also, I have retired an AD since I installed Exchange and it never skipped a beat.
-
@Dashrender said:
I'd start by removing FP01 from all DNS entries everywhere.
Again, double check DNS entries on the Exchange server itself - make sure it's not looking to FP01.Then open a command prompt, type NSLOOKUP and see what it uses as a server - should be whatever your primary DNS is, close the window.
Now unplug the FP01 server from the network and see What exchange does - if it works as desired, you're done. Plug the server back in, DCPromo it down.
I just ran the
Get-ADServerSettings | flcommand and it showed me two different AD servers for the different roles listed. Also, I have retired an AD since I installed Exchange and it never skipped a beat.
The exchange server doesn't have FP01 specified in the NIC properties but, as indicated, it is the only server showing up when running the Get-ADServerSettings | fl command.
I have also checked the event log for event ID 2080 and found that Exchange sees all 3 of the DCs. I did find that the SACL Right was not set correctly on DC01 and DC03. A result of them having been added after the Exchange server. I modified the default domain controllers GPO to apply the correct permissions by adding the Exchange servers group to the "Manage auditing and security log" setting. Now the 2080 shows the SACL right as 1 for all DCs.
I don't know whether or not that has any bearing on the reason I posted because I have run the Get-ADServerSettings | fl command since the changes and it still only shows the FP01 server as the default.
-
As long as FP01 is online, why would you ever expect the response to Get-ADServerSettings to change?
For example, when you login from your workstation, the logon server is who your computer goes to for AD stuff until it's unavailable. I wouldn't expect anything different in Exchange.
-
@Dashrender said:
As long as FP01 is online, why would you ever expect the response to Get-ADServerSettings to change?
For example, when you login from your workstation, the logon server is who your computer goes to for AD stuff until it's unavailable. I wouldn't expect anything different in Exchange.
This is what I would do first.
Shut down DC and Exchange. The leaving the old DC off, turn Exchange back on.
Then see what you get.
-
@Dashrender said:
As long as FP01 is online, why would you ever expect the response to Get-ADServerSettings to change?
For example, when you login from your workstation, the logon server is who your computer goes to for AD stuff until it's unavailable. I wouldn't expect anything different in Exchange.
I was thinking that the following window would show all available DCs, not just one. Is that a thing?
-
@JaredBusch said:
@Dashrender said:
As long as FP01 is online, why would you ever expect the response to Get-ADServerSettings to change?
For example, when you login from your workstation, the logon server is who your computer goes to for AD stuff until it's unavailable. I wouldn't expect anything different in Exchange.
This is what I would do first.
Shut down DC and Exchange. The leaving the old DC of, turn Exchange back on.
Then see what you get.
Definitely an idea - do you think the reboot of Exchange will or should make a difference?
-
@wrx7m said:
@Dashrender said:
As long as FP01 is online, why would you ever expect the response to Get-ADServerSettings to change?
For example, when you login from your workstation, the logon server is who your computer goes to for AD stuff until it's unavailable. I wouldn't expect anything different in Exchange.
I was thinking that the following window would show all available DCs, not just one. Is that a thing?
Let me see if I can get to mine and look
-
@Dashrender said:
@JaredBusch said:
@Dashrender said:
As long as FP01 is online, why would you ever expect the response to Get-ADServerSettings to change?
For example, when you login from your workstation, the logon server is who your computer goes to for AD stuff until it's unavailable. I wouldn't expect anything different in Exchange.
This is what I would do first.
Shut down DC and Exchange. The leaving the old DC of, turn Exchange back on.
Then see what you get.
Definitely an idea - do you think the reboot of Exchange will or should make a difference?
Well, it will force it to auth to a different DC. He stated before that he had no mail while the old DC was down.
