The Scenario:
A small, but dispersed, network (approximately 35 users at 3 locations in the state; T1 connection, Firewall\VPN Router handles DHCP)
Domain has a single (Windows 2000 Advanced Server) Domain Controller.
Exchange 2000 Server is also running on this (same) system.
My boss\partner recently used the Microsoft® Exchange Server Best Practices Analyzer Tool and it reported the following:
"This Exchange server is also a domain controller, which is not a recommended configuration"
A TechNet article linked from, and related to, this error message listed several performance and security-related issues associated with this configuration, most of which we do, indeed, suffer from. The article concludes with this recommendation:
"If the computer is running Exchange 2000 Server, it is recommended that you demote the server to a member server using DCPromo at your earliest opportunity."
I'm cautious, however:
· On a domain that has never had another domain controller to replicate AD to…
· On a domain in which, when Exchange 2000 was installed, the schema may have not been "extended" as most articles\guides claim it must be (is this even possible?...and if it is, is there a way to check if the schema was extended or not?)…
· On a domain that seems properly configured, but might have any number of flaws not yet exposed...
What would be the best way to go about this?
There are two other (member) servers in this network: a File Server and a new server with no designated role (as yet). This "no-designated-role" server was installed by my partner with an intention of:
· installing Exchange on it
· Move existing mailboxes from the old-Exchange-server\domain-controller to it (using Move Mailbox in the Exchange Task Wizard).
· Un-installing Exchange from the domain controller.
When I pointed out that these steps referred specifically to Exchange Server 2003, this plan was (wisely) halted, and we discussed the other referenced option. In theory, it sounds like it could be easy enough:
· DCPromo the new server to Domain Controller
· DCPromo the old domain controller down to a Member Server and just leave Exchange there.
· (Optional, but desirable) Reload\replace an XP workstation (his) with Windows Server 2000 OS and DCPromo it to domain controller (a second DC, for replication and backup...which this domain should have had all along, ideally).
It is the lack of any kind of AD replication, ever, that concerns me, I suppose. My partner seems to think that, with a second DC, replication will just "occur"...that the client workstations will be automatically updated as to the existence of the new domain controllers and everything will all just work out like clockwork. Maybe he's right, but...well, I have doubts.
Most guides, documentation, forums, etc. read like it's understood that the domain will have at least two DC's...that the domain was set up in such-and-such a way (properly?) from the start. That's all well and good, but this makes it difficult to find (extract) detailed procedures that specifically address this one-DC-with-Exchange-installed issue (how to best resolve it\separate the two). Few resources, in other words, address it from the perspective "Ok, so this possibly ALL screwed up and now you need to fix it without bringing the company down. Here's how..."
Though this AD server seems to function well enough, with no glaring problems I can point to...I suspect the domain\Active Directory is not (and likely never was) set up 100% correctly. I have no idea what issues we might encounter with either procedure. Unfortunately, I don't know enough to confirm my suspicions, or even where to start looking.
Any advice or information would be most appreciated.
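Added example, not part of the original post: a read-only PowerShell script that answers the poster's three "am I safe to proceed?" questions before anyone runs DCPromo. It is assumed to run from a domain-joined admin workstation with PowerShell and LDAP reachability to the DC; it deliberately uses System.DirectoryServices (plain LDAP) instead of the ActiveDirectory module, because that module's cmdlets require AD Web Services, which a Windows 2000 DC does not provide. It checks (1) whether the Exchange schema extension (ForestPrep) is present, which settles the schema question, since Exchange 2000 cannot be installed or run without it, so a working Exchange means ForestPrep ran, explicitly or as part of setup; (2) which server holds the five FSMO roles, all of which sit on the single DC and should be transferred deliberately to the new DC before the Exchange box is demoted; and (3) how many DCs exist and which are Global Catalogs, because Exchange needs a GC, so the new DC must be a GC and fully replicated before the old one is demoted.

```powershell
# Added example (not the poster's or Microsoft's code): pre-change checks for a domain whose
# only DC also runs Exchange 2000. Assumes: run from a domain-joined machine with PowerShell
# and LDAP access to the DC. Uses System.DirectoryServices on purpose; the ActiveDirectory
# module needs AD Web Services, which Windows 2000 does not have.

$root     = [ADSI]"LDAP://RootDSE"
$domainNC = $root.Get("defaultNamingContext")
$configNC = $root.Get("configurationNamingContext")
$schemaNC = $root.Get("schemaNamingContext")

function Find-Objects([string]$base, [string]$filter, [string[]]$props) {
    # Paged LDAP search under $base; property names in the results come back lower-cased.
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$base", $filter, $props)
    $s.PageSize = 500
    $s.FindAll()
}

# 1. Was the Exchange schema extension (ForestPrep) applied? Exchange setup adds the schema
#    attribute ms-Exch-Schema-Version-Pt and records its schema version in rangeUpper.
$marker = Find-Objects $schemaNC "(cn=ms-Exch-Schema-Version-Pt)" @("rangeUpper")
if ($marker.Count -eq 0) {
    "Exchange schema extension: NOT present in $schemaNC (ForestPrep never ran)"
} else {
    "Exchange schema extension: present, rangeUpper = " + $marker[0].Properties["rangeupper"][0] +
    "  (compare with Microsoft's published version table for your Exchange build)"
}

# 2. Who holds the five FSMO roles? On a one-DC domain they are all on the Exchange box and
#    should be transferred (ntdsutil, or the AD MMC snap-ins) to the new DC before demotion.
#    The value is the DN of the owning DC's NTDS Settings object.
$fsmo = @{
    "Schema master"         = $schemaNC
    "Domain naming master"  = "CN=Partitions,$configNC"
    "PDC emulator"          = $domainNC
    "RID master"            = "CN=RID Manager`$,CN=System,$domainNC"
    "Infrastructure master" = "CN=Infrastructure,$domainNC"
}
foreach ($role in $fsmo.Keys) {
    $owner = ([ADSI]"LDAP://$($fsmo[$role])").Get("fSMORoleOwner")
    "{0,-22}: {1}" -f $role, $owner
}

# 3. How many DCs exist and which are Global Catalogs? Each DC has one nTDSDSA ("NTDS Settings")
#    object under Sites; bit 1 of its options attribute marks it as a GC. Exchange needs a GC,
#    so the new DC must show up here as [GC] before the old one is demoted.
$dsas = Find-Objects $configNC "(objectClass=nTDSDSA)" @("distinguishedName", "options")
"Domain controllers (NTDS Settings objects): " + $dsas.Count
foreach ($d in $dsas) {
    $opts = 0
    if ($d.Properties["options"].Count -gt 0) { $opts = [int]$d.Properties["options"][0] }
    $gc = if ($opts -band 1) { "GC" } else { "not GC" }
    "  " + $d.Properties["distinguishedname"][0] + "  [" + $gc + "]"
}
```

Run it once before promoting the new server (expect exactly one nTDSDSA object and all five roles on it), again after promotion and GC enablement (expect two objects, both [GC]), and only then move the roles and demote. Replication itself does not need to be "made" to happen, but it does need to be verified: on Windows 2000 the Support Tools' `repadmin /showreps` and `dcdiag` on each DC will show whether the new DC has actually received every naming context, and those should be clean before the old DC is demoted.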