Exchange 2010 changing GC from 2003 server to 2008

    Question

  • Currently we're in a 2003 function level with our AD.  I've been transitioning the 2003 servers to 2008 one at a time to avoid down time as much as possible.  Ran into a little situation with our exchange servers not able to find a GC after demoting one of the last two 2003 servers.  I managed to get exchange back up and going after making the final 2003 server a GC.  My question is if I change exchange to use one of the 2008 servers as a GC will it cause me issues?  I'd rather get some feedback before I do this as email is a very vital part of our day to day operation.

    Also would manually changing the exchange server to use another DC/GC and then demoting that last 2003 off the AD and raising the functionality cause any other side effects to exchange?

    Monday, February 20, 2012 7:13 PM

All replies

  • Hi Dusty,

    I think you can use the Set-ADServerSettings cmdlet with the -PreferredGlobalCatalog parameter or better the -SetPreferredDomainControllers parameter.

    "The SetPreferredDomainControllers parameter specifies the list of domain controllers used to read information from Active Directory in this session. You must specify the FQDN of the domain controllers. Separate multiple domain controllers using commas."

    , and then check configuration via the Get-ADServerSettings | fl UserPreferredDomainControllers.


    Andrey Podlesnykh | MCTS: Microsoft Exchange Server 2007/2010 | MCSA

    Monday, February 20, 2012 7:47 PM
  • Actually, you'd want to set using the Set-ExchangeServer to GC/DC to be used/excluded by DSAccess.

    http://technet.microsoft.com/en-us/library/bb123716.aspx

    Using the Set-AdServerSetting is for the shell.

    Raising the functional/domain shouldn't have any effect on Exchange.

    You can exclude the 2003 DC and let Exchange only use 2008, that won't cause an issue; however, I'd install another GC ASAP for HA/FT.

    Once you've changed it, you should see the 2080 show 00000000 for the excluded GC.


    Sukh


    • Edited by Sukh828 Monday, February 20, 2012 8:46 PM
    Monday, February 20, 2012 8:45 PM
  • Changing the GC/AD via exchange gives me all sorts of errors.  Topological services fail stating it cannot find the GC/AD that were specified.  Last event error was id 2103

    Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1392). All Global Catalog Servers in forest DC=DC,DC=local are not responding: 

    Then lists my two GC/ADs.

    Also I get id 2114

    Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1392). Topology discovery failed, error 0x80040a02 (DSC_E_NO_SUITABLE_CDC). Look up the Lightweight Directory Access Protocol (LDAP) error code specified in the event description. To do this, use Microsoft Knowledge Base article 218185, "Microsoft LDAP Error Codes." Use the information in that article to learn more about the cause and resolution to this error. Use the Ping or PathPing command-line tools to test network connectivity to local domain controllers.

    Monday, February 20, 2012 9:49 PM
  • Are you sure that your 2008 server is a GC and is in the same site as Exchange?

    If yes, check the 2080 event in app log and see what Exchange sees.


    Sukh

    Tuesday, February 21, 2012 10:51 AM
  • It can see the 2008 GCs just fine which is what is really baffling me.  
    Tuesday, February 21, 2012 1:35 PM
  • Post the event

    And list the steps you took to exclude the 2003 GC.


    Sukh

    Tuesday, February 21, 2012 1:56 PM
  • Not sure what event you're looking for outside the ones I already listed.  I used Set-ExchangeServer -Identity <server_name> -StaticDomainControllers DC-01.dc.local,DC-02.dc.local and Set-ExchangeServer -Identity <server_name> -StaticGlobalCatalogs DC-01.dc.local,DC-02.dc.local to set a static DC/GC.  Prior to this I had removed a 2003 GC the past week by removing the GC from it and using dcpromo to demote it and caused the topology services to fail giving the same events I listed as well.

    Also when this server fails to see a GC I lose most connectivity with it.  You can ping the server but there is no RDP to it or anything else.  

    Tuesday, February 21, 2012 5:27 PM
  • DC-01.dc.local,DC-02.dc.local and Set-ExchangeServer -Identity <server_name> -StaticGlobalCatalogs DC-01.dc.local,DC-02.dc.local to set a static DC/GC.

    Are these the 2003 servers you're adding?

    If yes, did you remove DC before or after running the above?

    I thought you were trying to use a 2008 server for Exch and remove both of the 2003 GC.


    Sukh


    • Edited by Sukh828 Tuesday, February 21, 2012 5:35 PM
    Tuesday, February 21, 2012 5:35 PM
  • Those aren't the names of my servers but I used those commands with my server names. I have 3 2008 AD servers and 1 2003.  The exchange servers are both 2008 and are separate from my ADs.  I'm trying to remove my last 2003 server but when I do exchange loses all connectivity to the AD.  I have 2 2008 servers that are GCs and I used their names when using the commands I listed.  Once I did that and rebooted the hub transport server lost connectivity and the events I listed a few posts up are what happened.
    Tuesday, February 21, 2012 6:02 PM
  • Use the exclude parameter instead and did you do this on each exchange server?

    How many do you have?


    Sukh

    Tuesday, February 21, 2012 7:46 PM
  • I only tried what I said on the hub transport/client access server.  The 2nd exchange server houses just the mailboxes.  I only did it to the one server as a trial and that's when everything failed.  What is the exclude parameter I should use instead?
    Tuesday, February 21, 2012 9:16 PM


  • Hi

    According to your error, Exchange servers do not have SACL rights on all domain resources

    Exchange Servers group was added to "Manage auditing and security log" policy on all domain controllers.

    http://blogs.technet.com/b/richardroddy/archive/2010/06/16/msexchange-adaccess-dsaccess-errors-and-the-manage-auditing-and-security-right.aspx

    Terence Yu

    TechNet Community Support

    Wednesday, February 22, 2012 12:55 AM
    Moderator
  • Same link as above but use -StaticExcludedDomainControllers

    Also, can you post the 2080 event.


    Sukh

    Wednesday, February 22, 2012 8:25 AM
  • Process EXFBA.EXE (PID=1488). Exchange Active Directory Provider has discovered the following servers with the following characteristics: 
     (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version) 
    In-site:
    DC-01.dc.local CDG 1 7 7 1 0 0 1 7 1
    DC-02.dc.local CDG 1 7 7 1 0 1 1 7 1
    DC-03.dc.local CDG 1 7 7 1 0 0 1 7 1
    DC-04.dc.local CD- 1 6 6 0 0 0 1 6 1
    Out-of-site:


    Wednesday, February 22, 2012 1:50 PM
  • DC-01, DC-03 and DC-04 are missing the SACL right.

    What are each of these DC?

    DC1=win 2003

    DC2= xxx


    Sukh

    Wednesday, February 22, 2012 1:55 PM
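
Added example (not part of the thread and not Microsoft's code): the event 2080 text posted above, parsed in PowerShell to list which domain controllers lack the SACL right and which global catalogs pass every check. `ConvertFrom-Event2080` is a hypothetical helper name; the sample rows are copied from the post and the column order is the one given in the event header.

```powershell
# Constructed input: server rows copied from the event 2080 text posted in this thread.
$sample = @'
In-site:
DC-01.dc.local CDG 1 7 7 1 0 0 1 7 1
DC-02.dc.local CDG 1 7 7 1 0 1 1 7 1
DC-03.dc.local CDG 1 7 7 1 0 0 1 7 1
DC-04.dc.local CD- 1 6 6 0 0 0 1 6 1
Out-of-site:
'@

# Hypothetical helper: turns event 2080 message text into one object per server.
function ConvertFrom-Event2080 {
    param([Parameter(Mandatory)][string]$Message)
    $site = $null
    foreach ($raw in ($Message -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^(In-site|Out-of-site):$') { $site = $Matches[1]; continue }
        # Row layout: name, 3-char role flags (C/D/G), then the nine numeric columns:
        # Enabled, Reachability, Synchronized, GC capable, PDC, SACL right,
        # Critical Data, Netlogon, OS Version.
        if ($line -match '^(\S+)\s+([CDG-]{3})\s+(\d+(?:\s+\d+){8})$') {
            $name, $roles = $Matches[1], $Matches[2]
            $n = [int[]]($Matches[3] -split '\s+')
            [pscustomobject]@{
                Server        = $name
                Site          = $site
                Roles         = $roles
                Reachability  = $n[1]                 # bitmask: 1=GC, 2=DC, 4=config DC
                ReachableAsGC = [bool]($n[1] -band 1)
                GCCapable     = [bool]$n[3]
                SaclRight     = [bool]$n[5]
            }
        }
    }
}

$dcs = @(ConvertFrom-Event2080 -Message $sample)

# Servers on which the SACL right column is 0.
$noSacl = @($dcs | Where-Object { -not $_.SaclRight })
# Global catalogs that are reachable as a GC, GC capable and have the SACL right.
$goodGc = @($dcs | Where-Object { $_.GCCapable -and $_.ReachableAsGC -and $_.SaclRight })

$dcs | Format-Table Server, Roles, ReachableAsGC, GCCapable, SaclRight -AutoSize
"Missing SACL right : $($noSacl.Server -join ', ')"
"GCs passing checks : $($goodGc.Server -join ', ')"
if ($goodGc.Count -lt 2) {
    Write-Warning "Only $($goodGc.Count) GC passes every check; removing it repeats the failure described in this thread."
}
```

On the posted data only DC-02.dc.local passes every check, which matches the outage seen whenever that server stopped being a GC.
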
  • DC2 would be the 2003 server.  The rest are all 2008.  Would you know exactly how to give SACL rights to the servers missing it?
    Wednesday, February 22, 2012 2:11 PM
  • Run Setup.com /preparead
    But in Exchange 2010 SP1, you don't have to run this command as SACLWatcher will take care of it...It will check for the permissions every 15 minutes and if it finds that permission is missing, it will assign the permissions.

    Cheers,


    Gulab Prasad,
    MCITP: Exchange Server 2010 | MCITP: Exchange Server 2007
    MCITP: Lync Server 2010 | MCITP: Windows Server 2008
    My Blog | Z-Hire Employee Provisioning App

    Wednesday, February 22, 2012 3:56 PM
  • I was able to get SACL rights to the other servers.  I also removed the GC from the 2003 server and exchange has not gone down yet.  Last time I did this it went down within minutes.  Next step is to remove that 2003 server from AD and replace it with a 2008 AD.  
    Wednesday, February 22, 2012 6:06 PM
  • So all working then.  Removing DC will be the ultimate test, once you've removed it you will know.

    As long as the SACL is showing 1 it should be OK unless a GPO overrides this.


    Sukh

    Wednesday, February 22, 2012 6:12 PM
  • Removed DC and Exchange is still functional.  Last thing to do is raise the domain function level to 2008 or 2008 R2.  Hopefully that shouldn't affect anything ie workstations from logging on.
    Wednesday, February 22, 2012 7:18 PM