Exchange on a Domain Controller – How to Move Exchange off a DC

Exchange on a Domain Controller – Ramifications and How to Move Exchange off a DC  
Formerly Titled: Exchange on a DC: Moving from Exchange 2000 currently on a Windows 2000 domain controller to a new Exchange 2003 server on a Windows 2003 member server



Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP: Directory Services
  Active Directory, Exchange and Windows Infrastructure Engineer



Edits and updates:
9/16/2009, 8:30 PM EST. Added Errata and blurb on Exchange not recommended to be installed on a DC, with additional links to articles explaining this issue.
10/4/2010, 1:54 AM EST. Retitled Blog and added new links for Exchange 2007
10/9/2010 – Added blurb about write-caching being disabled on a DC by default, how it conflicts with Exchange, and how you can’t change it.
10/28/2011 – Updated syntax and wording.
1/15/2012 – Added additional info in the section about demoting a DC with Exchange on it,


 


Preface


Other than Small Business Server (SBS), which is designed to run Exchange on a DC, installing Exchange on a DC, is not recommended. There are a number of implications:


  • When a machine is promoted to a DC, it disabled the write cache function on the drive controller. This is to protect the AD database (ntds.dit) and its method of transactional logging. However, Exchange needs this function to be enabled for its transactional logging method. Thisresults in a substantial performance loss.
  • Difficult and complex to recover.
  • Internet exposure of a DC when accessing OWA. IIS on a DC is not best security practice.
  • Exchange on a DC will “lock” itself to the local DC for a GC and won’t look elsewhere. Make sure at least it’s a GC.
  • You can’t demote a DC with Exchange. You must uninstall Exchange first.
  • Exchange is not supported in a clustered configuration where the cluster nodes are domain controllers

Complete list can be found here:
Exchange resident on domain controller that is not a global catalog server
http://technet.microsoft.com/en-us/library/aa997060(EXCHG.80).aspx


“You can run Exchange Server 2003 on either a member server or on a domain controller. After you install Exchange Server 2003 on a server, do not change the role of the server. For example, if you install Exchange Server 2003 on a member server, do not use the Dcpromo tool to promote the server to a domain controller. Or, if you install Exchange Server 2003 on a domain controller, do not use the Dcpromo tool to demote the server to a member server. Changing the role of a server after you install Exchange Server 2003 may result in loss of some Exchange functionality and is not supported.”


That was quoted from the following, and applies to all versions of Exchange:
Overview of operating system and Active Directory requirements for Exchange Server 2003
http://support.microsoft.com/kb/822179/en-us


 


Write-Cache is Disabled on a DC


When a server is promoted to a DC, write cache is disabled by default. You can try to enable it, but it will revert back to disabled. This is default and can’t be changed. It’s done to protect the AD database as well as improve AD DC performance. However as mentioned above, this conflicts with Exchange, which requires write-cache to be enabled for performance and the way Exchange’s transactional logging works. More info in the following links on DC write caching being disabled.


Event ID 1539 — Database integrity – Domain controllers attempt to protect this data from accidental loss or by disabling write-caching…
http://technet.microsoft.com/en-us/library/dd941847(WS.10).aspx


Slow Network Performance After You Promote a Windows 2000-Based …If you use the Dcpromo tool to promote a Windows 2000-based server to a domain controller, the write caching functionality (write-back cache is a firmware …
http://support.microsoft.com/kb/321543


Things to consider when you host Active Directory domain …Discusses the issues that affect a domain controller that runs as a guest …
http://support.microsoft.com/kb/888794


Event 13512 Logged on a Domain ControllerThe File Replication Service has detected an enabled disk write cache on the …
http://support.microsoft.com/kb/316504


 


DSAcess – Global Catalog Ramifications


The other implication is the fact Exchange “locks” on to the DC it’s installed on for its GC DSAccess. If it is not a GC, it may cause issues. If AD services on the DC fail, and you have other DCs, Exchange will not failvoer to another DC for DSAccess. This is by design based on to use the closest DC for DSAccess, and since it is installed on a DC, it will not look elsewhere.


Also, if you manage to demote the DC without removing Exchange first, Exchange will not look elsewhere for a DC/GC because it “locks” on to the GC it was installed on. Read more on this in the following articles.


This Exchange server is also a domain controller, which is not a recommended configuration
http://technet.microsoft.com/en-us/library/aa997407.aspx


Exchange resident on domain controller that is not a global catalog server
http://technet.microsoft.com/en-us/library/aa997060(EXCHG.80).aspx


Running Exchange on a Domain Controller
http://robertmoir.com/blogs/someone_else/archive/2006/01/04/2029.aspx


Problems with Exchange 2003 Installed on Domain Controllers
http://www.petri.co.il/problems_with_exchange_2003_installed_on_domain_controllers.htm


 


Recovering a DC/Exchange Server


For the most part, if a DC is lost for any reason, such as a failed drive, etc, you can simply manually remove the orphaned DC out of the AD database, in addition to a few other steps, reinstall a new operating system with the same name and promote it. It’s much faster and simpler than trying to recover the DC. However, with Exchange installed on it, it adds a complexity because you must recover the DC first, then Exchange.


Also, you can’t backup a DC’s System State and an Information Store backup on the same backup job, otherwise the INformation Store backup is useless when trying to restore any Exchange data. They need to be run separately. Albeit, some third party backup processes can overcome this limitation.


More info on recovering a failed DC:


Complete Step by Step to Remove an Orphaned Domain controller
Published by acefekay on Oct 5, 2010 at 12:14 AM
http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx


 


SBS is the Exception!


Of course, the ONLY exception to this rule regarding Exchange on a DC, is SBS. SBS was specifically designed to run Exchange, SQL and other services together on a DC.


 


Removing Exchange from a DC


Keep in mind the following fact:


If the computer is running Exchange 2000 Server, you can demote the server to a member server using DCPromo at the first opportunity.


If the computer is running Exchange Server 2003, Exchange Server 2007, or Exchange Server 2010, you can’t demote it. YOu must uninstall Exchange first, before you can demote it. That will involve installing another Exchange server and move the mailboxes, public folders, system & hidden folders, rehoming public folders, reconfigure connectors, etc, and then uninstall Exchange, then demote it.


Read more on this:


Exchange resident on domain controller that is not a global catalog server
http://technet.microsoft.com/en-us/library/aa997060(EXCHG.80).aspx


 


Documentation where I had to demote a DC that was an Exchange 2003 Server


(This applies to any version of Exchange and Windows)


I previously preformed this procedure for a customer in Feb, 2009, without a hitch. Here are the steps I followed. Keep in mind, as pointed out at the top, if you want to demote a DC to a member server that has Exchange installed, it cannot be done. Exchange must be removed first, then the DC can be demoted.


Therefore, you must install Exchange on another server, whether or not you want to move up to a newer version of Exchange. Of course, with Exchange 2007 or 2010, this would depend on if the company’s budget allows for acquiring the new version taking into account the new licensing rules and beefy 64 bit server requirements. In this case, the customer already had an SA that included Exchange Enterprise 2003, so they wanted to stick with 2003.


You can follow the steps I performed to install a new Windows 2003 DC, then install Exchange 2003 on a member server, moved everything to the new Exchange 2003 server, then remove the original Exchange installation off the DC, then demoted it.


8 Steps…


1. Run the command in the following article to fix the mangled attributes in your current domain. This is because Exchange 2000 creates two incompatible attributes that Windows 2003 cannot use since it was updated in 2003 AD. Follow the steps under “Scenario 2: Exchange 2000 Schema Changes Are Installed Before You Run the Windows Server 2003 adprep /forestprep Command”


Windows Server 2003 adprep /forestprep Command Causes Mangled Attributes in Windows 2000 Forests That Contain Exchange 2000 Servers:
http://support.microsoft.com/kb/314649


2. Then promote the Windows 2003 as a replica DC in the existing domain.


3. Move the FSMO roles and the GC to the new server. Run repadmin /syncall and wait about 30 minutes allowing replication to take place and insure that the new DC has taken on the FSMO roles and it became a GC. Check DNS to insure that it’s now registerd as a GC.


4. Install Exchange as an additional Exchange server in the existing organization. Moving forward, it’s recommended to install it on a member server.


5. In ADUC, highlight all of your mailbox enabled accounts, right-click, choose Exchange Tasks, choose to move all mailboxes to the new Exchange server.


6. Move ALL Public and System (hidden) folders to the new Exchange server. Follow the following articles for specific steps. Look for the section about “Migration of mailboxes and public folders”. This is extremely important because the system folders are only created when a new Exchange organization is created. If you remove the first server without moving the hidden system folder, it’s possible to recreate them, but it’s extremely difficult and quite involved.


822450 – How to Remove the Last Exchange Server 5.5 Computer from an Exchange Server 2003 Administrative Group (Look at “Migration of mailboxes and public folders”):
http://support.microsoft.com/default.aspx?kbid=822450&product=exch2003


822450 – How to Remove the Last Exchange Server 5.5 Computer from an Exchange Server 2003 Administrative Group (Look at Step 4 about how to view the System folders and how to replicate them and remove the original instances):
http://support.microsoft.com/kb/822450


Step-by-Step Migrating Exchange 2000 to Exchange 2003 Using New Hardware:
http://www.msexchange.org/tutorials/Migrating-Exchange2000-Exchange-2003-Hardware.html


7. Once you’ve verified the folders are all moved, mailboxes are working, then run the Exchange setup and remove (uninstall) Exchange off of the original DC.


8. Double check in ADSI Edit, configuration container, Services, Exchange, drill down to the server list, and insure that the original Exchange server reference is gone on the original DC, and all Exchange components are on the new DC.


 


Clustered Exchange on Domain Controllers?


Nope. It’s not recommended, or supported


Exchange is not supported in a clustered configuration where the cluster nodes are domain controllers
http://support.microsoft.com/kb/281662


Domain Controllers as Cluster Nodes – Bad Idea (Microsoft recommends against it)
http://msmvps.com/blogs/clusterhelp/archive/2008/02/12/domain-controllers-as-cluster-nodes-bad-idea.aspx


 


Complete List of Related links including the Aforementioned Links


Exchange Server 2003 and Domain Controllers – A Summary:
http://theessentialexchange.com/blogs/michael/archive/2007/11/13/exchange-server-2003-and-domain-controllers-a-summary.aspx


This Exchange server is also a domain controller, which is not a recommended configuration
http://technet.microsoft.com/en-us/library/aa997407.aspx


Exchange resident on domain controller that is not a global catalog server
http://technet.microsoft.com/en-us/library/aa997060(EXCHG.80).aspx


Exchange Server 2007 and Domain Controllers – A Summary
http://theessentialexchange.com/blogs/michael/archive/2008/03/29/exchange-server-2007-and-domain-controllers-a-summary.aspx 


Exchange Server 2003 and Domain Controllers – A Summary:
http://theessentialexchange.com/blogs/michael/archive/2007/11/13/exchange-server-2003-and-domain-controllers-a-summary.aspx


Running Exchange on a Domain Controller
http://robertmoir.com/blogs/someone_else/archive/2006/01/04/2029.aspx


Problems with Exchange 2003 Installed on Domain Controllers
http://www.petri.co.il/problems_with_exchange_2003_installed_on_domain_controllers.htm


How to remove Exchange Server 2003 from your computer. This how-to article describes the steps to automatically or manually remove Microsoft Exchange Server 2003 from your computer.
http://support.microsoft.com/kb/833396


How to completely remove a Exchange server or the entire Exchange …Oct 19, 2004 … Remove the Exchange 2003 server object from the Exchange 5.5 Admin … How to Remove the First Exchange 2003 Server Computer from the Site …
http://www.msexchange.org/tutorials/Remove-Exchange-server-entire-Exchange-organization.html


Removing The Last Exchange 2003 Server From Exchange 2007 (Part 1)Jun 5, 2008 … The steps required in order to remove the last Exchange 2003 server from an organization that has been migrated to Exchange 2007.
http://www.msexchange.org/articles_tutorials/exchange-server-2007/migration-deployment/removing-last-exchange-2003-server-exchange-2007-part1.html


How to remove the first Exchange Server 2003 computer from the …This article describes the steps to remove the first Microsoft Exchange Server 2003 computer from an administrative group. The first Exchange Server 2003 …
http://support.microsoft.com/kb/822931


CANNOT REMOVE EXCHANGE 2003 SERVER FROM ACTIVE DIRECTORY: Note: this site requires a membership. If you don’t have a membership, no problem. The thread makes mention that after following KB833396, to delete or confirm deletion of the old server object out of the Administrative Group using ADSIEdit, that is if you plan to never install that server by name, which is assuming you are moving it off the DC anyway.
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_22501384.html


 


All comments, suggestions or corrections welcomed!


Ace Fekay
==================================================================

Leave a Reply