Monday, April 7, 2008

Deleted Exchange Computer Account from Active Directory in a Production Environment



Problem:

The Exchange computer accounts have been deleted from Active Directory. The network administrator deleted the OU (Organizational Unit) that contained all the Exchange computer accounts.

Side effects:

No mail flow and an e-mail outage. The Exchange application logs show the following errors: 9187, 9186.

Solution:

  • Log into the Exchange server locally and take the Exchange servers out of the domain
  • Reboot the Exchange servers
  • Re-join the Exchange servers to the domain

Notes:

  • Each Windows-based computer maintains a machine account password history containing the current and previous passwords used for the account. When two computers attempt to authenticate with each other and a change to the current password is not yet received, Windows then relies on the previous password. If the sequence of password changes exceeds two changes, the computers involved may be unable to communicate, and you may receive error messages (for example, "Access Denied" error messages when Active Directory replication occurs).
  • Resetting a computer account breaks that computer's connection to the domain and requires it to rejoin the domain. In my scenario this was done on an Exchange server. The computer account was reset and there was no way to log into the server except locally on the server itself. Taking the server out of the domain, rebooting it, and adding it back to the domain worked. All Exchange services were up and running after rejoining the domain with the same name. Remember that renaming the Exchange server will break Exchange, and there will be no way to bring it back to life; this is, of course, not supported by Microsoft.
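
The following check is an added example, not part of the original post: after the rejoin it confirms that the computer account exists, that the machine account password is accepted by the domain, and that the server is a member of the group named in events 9186/9187. It assumes PowerShell 2.0 or later with the ActiveDirectory module, run elevated on the Exchange server; the function name is hypothetical.

```powershell
# Added example (not from the original post). Assumptions: PowerShell 2.0+, the
# ActiveDirectory module installed, run elevated on the rejoined Exchange server.
Import-Module ActiveDirectory

# Group DN as quoted in events 9186/9187 in this post.
$GroupDn = 'CN=Exchange Domain Servers,CN=Users,DC=smtp25,DC=org'

function Test-ExchangeDomainState {   # hypothetical helper name
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [Parameter(Mandatory = $true)][string]$GroupDn,
        [int]$LookbackHours = 1
    )

    # 1. Does the computer account exist in Active Directory again?
    $account = $null
    $pwdSet  = $null
    try {
        $account = Get-ADComputer -Identity $ComputerName -Properties MemberOf, PasswordLastSet
        $pwdSet  = $account.PasswordLastSet
    } catch {
        Write-Warning "Computer account lookup failed for ${ComputerName}: $($_.Exception.Message)"
    }

    # 2. Is the local machine account password accepted by the domain?
    $secureChannel = $false
    try { $secureChannel = [bool](Test-ComputerSecureChannel) }
    catch { Write-Warning "Secure channel test failed: $($_.Exception.Message)" }

    # 3. Is the account a direct member of the Exchange Domain Servers group?
    $inGroup = $false
    if ($account) { $inGroup = @($account.MemberOf) -contains $GroupDn }

    # 4. Is System Attendant still logging 9186/9187 since the rejoin?
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $events = @(Get-EventLog -LogName Application -Source MSExchangeSA -After $since -ErrorAction SilentlyContinue |
        Where-Object { 9186, 9187 -contains $_.EventID })

    New-Object PSObject -Property @{
        Computer        = $ComputerName
        AccountExists   = [bool]$account
        PasswordLastSet = $pwdSet
        SecureChannelOk = $secureChannel
        InExchangeGroup = $inGroup
        RecentSaEvents  = $events.Count
    }
}

Test-ExchangeDomainState -GroupDn $GroupDn | Format-List
```

A healthy result has AccountExists, SecureChannelOk and InExchangeGroup all True and RecentSaEvents at 0; a False InExchangeGroup corresponds to the condition reported by event 9186.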


Event Type: Error

Event Source: MSExchangeSA

Event Category: General

Event ID: 9187

Date: 4/7/2008

Time: 2:12:44 PM

User: N/A

Computer: RCOBHSCHI010

Description:

Microsoft Exchange System Attendant failed to add the local computer as a member of the DS group object 'cn=Exchange Domain Servers,cn=Users,dc=smtp25,dc=org'.

Please stop all the Microsoft Exchange services, add the local computer into the group manually and restart all the services.

For more information, click http://www.microsoft.com/contentredirect.asp.


Event Type: Warning

Event Source: MSExchangeSA

Event Category: General

Event ID: 9186

Date: 4/7/2008

Time: 2:27:44 PM

User: N/A

Computer: RCOBHSCHI010

Description:

Microsoft Exchange System Attendant has detected that the local computer is not a member of group 'cn=Exchange Domain Servers,cn=Users,dc=smtp25,dc=org'. System Attendant is going to add the local computer into the group.

The current members of the group are 'CN=CH,OU=Computers,OU=CH Rich VA,DC=smtp25,DC=org; CN=CH,OU=Computers,OU=CH Wilkes PA,DC=smtp25,DC=org; CN=CH,OU=Computers,OU=CH MilfCT,DC=smtp25,DC=org; CN=CH,OU=Computers,OU=CH High NC,DC=smtp25,DC=org; CN=CH,OU=Computers,OU=CH Lee VA,DC=smtp25,DC=org;; CN=CH,OU=Computers,OU=CH Charles SC,DC=smtp25,DC=org; CN=CHNY,OU=Computers,OU=CH White NY,DC=smtp25,DC=org; '.

For more information, click http://www.microsoft.com/contentredirect.asp.


Oz ozugurlu,
Systems Engineer
MCITP (EMA), MCITP (SA),
MCSE 2003 M+ S+ MCDST
Security Project+ Server+
oz@SMTp25.org

http://smtp25.blogspot.com

3 comments:

elikat said...

Hello,

I have a Windows 2003 AD with Exchange Server 2003 in place.
I want to delete a user in the AD, and hence from the Exchange server lists.
Will I be able to recreate the same user?

I have heard people say it's impossible. Anyone who is informed about this, please assist!

Oz Ozugurlu said...

Please make it clear what you are trying to achieve.

Delete the Exchange computer account from AD?
--if yes, why do you want to do this? I am just curious.

Second, how is a user account related to your Exchange server in your scenario? You will need to be a little more clear for me to understand the current problem.

--oz

Ali said...

After joining the Exchange server back to the domain, you need to add the "exchange_server" computer account as a member of the "Exchange Domain Servers" group, and it will start all the Exchange services.