does exchange 2010 work with a restored 2012 domain controller

  • Question

  • Hello all

    I have 2 Microsoft 2012 R2 domain controllers which are infected with a botnet. The firewall detects and drops the connection between them and the main botnet destination, but I was wondering: if I back up one domain controller and restore it on a newly installed Windows Server 2012 R2, does Exchange 2010 work with it?

    If the answer is positive, could you please tell me what to back up and with what app?

    Any answer or advice would be highly appreciated.

    Sunday, October 23, 2016 2:03 PM

Answers

  • Hello!

    1) Yes, you can force a replication to occur once you've transferred your FSMO roles. I would wait a few hours before decommissioning the old ones, to have all your SYSVOL replicated.

    2) Exchange: I would go in Exchange Management shell and do the following:

         Get-ADServerSettings | FL

        If your DefaultGlobalCatalog setting is not pointing to the right GCs, please do the following:

         Set-ADServerSettings -PreferredServer yourserverFQDN1,yourserverFQDN2

         Set-ADServerSettings -PreferredGlobalCatalog yourserverFQDN1,yourserverFQDN2

         Set-ADServerSettings -ConfigurationDomainController yourserverFQDN1

        After, please restart the AD Topology Service and check if the settings are good by repeating the Get-ADServerSettings | FL

    This Technet Article explains the Set-AdServerSettings for Exchange 2010: https://technet.microsoft.com/en-us/library/dd298063(EXCHG.140).aspx

    Regards,


    Gilles Tremblay
    MCSE Server | Desktop | Messaging | Collaboration | Productivity | Mobility | Cloud Platform and Infrastructure

    Don't forget to mark as Answered if you found this post helpful.

    DISCLAIMER: This post is provided "AS IS" with no warranties of any kind, either expressed or implied, and confers no rights. Always test before!





    • Edited by Gilles Tremblay Monday, October 31, 2016 11:04 AM Added more CMDLets
    • Proposed as answer by Allen_WangJF Thursday, November 3, 2016 2:52 PM
    • Marked as answer by Allen_WangJF Monday, November 7, 2016 1:28 PM
    Monday, October 31, 2016 10:45 AM

All replies

  • Hello,

    What do you have in terms of backup so far?

    Regards,


    Gilles Tremblay

    Sunday, October 23, 2016 3:26 PM
  • I mean, do you have a backup from before the virus?


    Gilles Tremblay

    Sunday, October 23, 2016 3:27 PM
  • Hello Gilles

    Thank you for your message.

    Yes, I have backups, but the problem is I am not sure how long this botnet thing had been residing on my servers before the firewall gave me warnings about it. If I back up the system state, does it include Active Directory Users and Computers?

    Thank you in advance.

    Monday, October 24, 2016 5:48 AM
  • If you did a backup of your DC including its system state, yes, it will contain all the Active Directory objects.

    Here's the link for that: http://www.msserverpro.com/backup-ad-ds-database-windows-server-2012-r2/

    Instead of restoring your DCs, did you consider adding 2 DCs, transferring all the roles to these two, and decommissioning your 2 infected DCs?

    Keep in mind that restoring your 2 DCs from a backup is the last resort, because you don't know if they were infected or not when you took the backup.

    Before restoring anything, I would suggest backing up your DCs again (with the System State) to have the latest backup of your AD if something goes bad.

    Regards,


    Gilles Tremblay

    Monday, October 24, 2016 1:12 PM
  • I forgot. If you are moving the FSMO roles to other DCs, you have to tell your Exchange 2010 where the new GCs are.

    Regards,


    Gilles Tremblay



    Monday, October 24, 2016 1:22 PM
  • Hi,

    Please note that it's not recommended to install Exchange Server on a domain controller; for your reference (it's similar for Exchange 2010):
    https://technet.microsoft.com/en-us/library/ms.exch.setupreadiness.warninginstallexchangerolesondomaincontroller(v=exchg.150).aspx

    Besides, it's not supported to install Exchange 2010 on Windows Server 2012 R2. Please refer to Supported operating system platforms section.


    Allen Wang
    TechNet Community Support


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Allen_WangJF Monday, November 7, 2016 1:27 PM
    Monday, October 24, 2016 2:19 PM
  • Sorry, but there is no mention that Exchange 2010 was installed on a Domain Controller, or installed on Windows 2012-R2.

    Regards,


    Gilles Tremblay

    Monday, October 24, 2016 2:40 PM
  • Gilles,

    Thank you for your guidelines and time. I think the best solution is the one you have mentioned: just add 2 new domain controllers, move the FSMO roles to one of them and mark it as the primary. Just one question: I need to manually replicate between the main domain controller (which will be off after the role movements) and the new one, and then move the FSMO roles, right?

    Also, if after all of this I turn off the infected one and give its IP address to the new one, do I still need to tell my Exchange server where the GC is, or does it look to the Exchange server like nothing has changed?

    Thank you

    Regards

    Monday, October 31, 2016 10:27 AM
  • The domain controller is a separate Windows Server 2012 Standard R2. (Both DCs)

    Exchange server is installed on Windows 2012 R2. It works fine.

    Monday, October 31, 2016 10:31 AM
  • Hello Allen,

    Thank you for your references and reply. Actually, I have my Exchange 2010 on Server 2012. It is true that it is not recommended, but the servers were handed to me, so I did not have any chance to change the infrastructure.

    It is working until now.

    Thank you

    Regards

    Monday, October 31, 2016 10:36 AM
  • Hello again Gilles,

    I need your help again. I did transfer the FSMO roles to the new domain controller, and everything looks fine except I cannot change the GC and domain controller for Exchange 2010.

    I did change the domain controller to the new one through the GUI (Organization Configuration in the Exchange Management Console, under modify organization domain controller), but Exchange still points to the old domain controller.

    When I try to enter Set-ADServerSettings -PreferredServer "Server FQDN" I get an error message that says:

    Active directory error 0x51 occurred, the LDAP server is unavailable.

    If I shut down the old server, my Exchange Management Console won't come up (the error is Kerberos authentication failed, WRM cannot process the request, there are currently no login server available to service the logon request) and there are also 16 services that cannot be started. Could you please let me know what I should do?

    I really appreciate.

    Regards

    Tuesday, November 29, 2016 8:16 AM
  • Hello,

    Sorry, it has been quite busy in the office since last week...

    Ok.

    So, your Exchange is having trouble finding the new DCs; that's why you are having trouble starting all your Exchange services when the OLD DCs are offline.

    1. Did you change the IP configuration of your Exchange Server to use the new DNS servers?
    2. Did you move all FSMO roles from the old DCs to the new ones, including GC?

    Regards,


    Gilles Tremblay



    • Edited by Gilles Tremblay Wednesday, November 30, 2016 1:07 AM
    • Proposed as answer by ashim_4398 Wednesday, November 30, 2016 11:40 AM
    Wednesday, November 30, 2016 1:07 AM
  • Yes, remember that new domain controllers are not global catalog servers by default - you have to make them global catalog servers. Once you make them global catalogs (and maybe you have - we just aren't sure) global catalog replication will transfer AD data from the old domain controllers / global catalogs to the new.

    (And hopefully whatever has infected your former domain controllers cannot pass over to the new ones, but it looks like that's a risk you have to take in this scenario, since the backups of the infected DCs may be infected also. There's only one 100% sure method to be sure you are clean (wipe and rebuild) but that may not be acceptable - or feasible - for your organization.)

    Otherwise, I'd bet that the old domain controllers are still designated in the Exchange server's TCP/IP DNS settings.


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Wednesday, November 30, 2016 1:47 AM
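
The checks raised in the replies above (Exchange server DNS settings, global catalog status of the new DCs, FSMO role placement) can be run together before the old domain controllers are powered off. This is an added example, not part of the original thread; it assumes the RSAT ActiveDirectory module is installed on the Exchange server, and the host names and IP addresses are constructed placeholders.

```powershell
# Added example: run on the Exchange server before powering off the old DCs.
# Assumes the RSAT ActiveDirectory module; names and IPs below are constructed.
Import-Module ActiveDirectory

$RetiredNames = 'olddc1.example.local', 'olddc2.example.local'   # placeholders
$RetiredIps   = '192.0.2.10', '192.0.2.11'                       # placeholders
$findings     = @()

# 1. The server's DNS client settings must not point at the retired DCs.
foreach ($nic in Get-DnsClientServerAddress -AddressFamily IPv4) {
    foreach ($ip in $nic.ServerAddresses) {
        if ($RetiredIps -contains $ip) {
            $findings += "DNS: adapter '$($nic.InterfaceAlias)' still uses $ip"
        }
    }
}

# 2. New DCs are not global catalogs by default; FSMO roles must have moved.
foreach ($dc in Get-ADDomainController -Filter *) {
    $isRetired = $RetiredNames -contains $dc.HostName
    if (-not $isRetired -and -not $dc.IsGlobalCatalog) {
        $findings += "GC: $($dc.HostName) is not a global catalog"
    }
    if ($isRetired -and $dc.OperationMasterRoles.Count -gt 0) {
        $findings += "FSMO: $($dc.HostName) still holds $($dc.OperationMasterRoles -join ', ')"
    }
}

# 3. GC locator records in DNS that still name a retired DC.
$forest = (Get-ADForest).Name
$srv = Resolve-DnsName -Name "_gc._tcp.$forest" -Type SRV -ErrorAction SilentlyContinue
foreach ($rec in $srv) {
    if ($rec.NameTarget -and $RetiredNames -contains $rec.NameTarget) {
        $findings += "SRV: _gc._tcp.$forest still lists $($rec.NameTarget)"
    }
}

if ($findings.Count -eq 0) {
    'No references to the retired domain controllers were found.'
} else {
    $findings
}
```

The SRV finding is expected while an old DC is still a global catalog and clears once it is demoted; the Exchange-side view is the Get-ADServerSettings | FL output from the answer above.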
  • Hello Gilles,

    Thank you for all of your guidelines and time. It looks like Exchange is working fine now after decommissioning the old DCs from the domain.

    Thanks again, I really appreciate.

    Regards,

    Wednesday, December 7, 2016 2:13 PM
  • Hello David,

    Thank you, it looks like the new domain controllers are fine so far. I hope the infection did not pass to the new ones. Hopefully.

    After decommissioning the old domain controllers, the problem is solved. Thank you for your message.

    Regards,

    Wednesday, December 7, 2016 2:17 PM