Become a Columnist Microsoft Exchange Site Microsoft Support SiteMSDN Exchange Site

       How did you like this article? Please vote and let us know.          

Subscribe to OutlookExchange
What's New
Columnist
Anderson Patricio
Ann Mc Donough
Bob Spurzem
Brian Veal
Catherine Creary
Cherry Beado
Colin Janssen
Collins Timothy Mutesaria
Drew Nicholson
Fred Volking
Glen Scales
Goran Husman
Guy Thomas
Henrik Walther
Jason Sherry
Jayme Bowers
John Young
Joyce Tang
Justin Braun
Konstantin Zheludev
Kristina Waters
Kuang Zhang
Mahmoud Magdy
Martin Tuip
Michael Dong
Michele Deo
Mitch Tulloch
Nicolas Blank
Pavel Nagaev
Ragnar Harper
Ricardo Silva
Richard Wakeman
Russ Iuliano
Santhosh Hanumanthappa
Shannal L. Thomas
Steve Bryant
Steve Craig
Todd Walker
Tracey J. Rosenblath
Development
More Resources
Software
Other Links

 

 
 

Q & A -- some of the Questions I get asked by people who have come to see this site, and my answers.

By Drew Nicholson, dnicholson@OutlookExchange.com

This will be another one of those articles that gets constantly updated and added to, when I get questions funneled to me from this site. The first question has to do with the problem that arises when a former administrator leaves your organisation under less than ideal circumstances:

Dear Sir:
I truly appreciate your white paper on your experience with the disaster recovery project with the stolen servers. An excellent source of information. I am presently enrolled as the third Exchange admin at my university. In other words, I have inherited a small monster. The first admin did a sufficient job in bringing up the first server. But he used the administrator account for the domain as the exchange service account. Well, the second admin that came in a year ago after the first one left, brought up a second exchange server using the same account for that box as well. Two months ago he left and I have been appointed the admin. Which I truly love by the way. At any rate, both of these people are gone and the service account is still the same and they both know the password to that account. I have read some info on how to change the service account and it seems that Microsoft doesn't like anyone doing that. At least the article's I have found say that Microsoft doesn't advise this and enter at your own risk. Well my boss wants all of the passwords changed as do I because the last admin was sketchy as to his devotion and maybe a risk to us now. Which brings me to this. The white papers that I have dug out, are they ok? I have found several and they do seem to cover this topic in full. Have you ever done this? Or do you have a resource that would prove helpful to me.

Further, we are looking at Exchange 2000. We have already consulted with Compaq as to the scope of this project. 30,000 users to start. Do you think I should wait until we go to 2000 to change this account? I do appreciate any info that you may afford me. Have a nice day.

My answer:
Ok. First of all, here's the link to info on changing the service account: http://www.simpler-webb.com/resource/exch_faq_appxe.htm. I know the info there is good.

If all you want to do is change the PASSWORD for the service account, all you have to do is this: shut down all the services, change the password for the account on the Domain Controller, then go into each service that uses this account -- theoretically, just your Exchange services, although if you have any AV software (and you should) on the Exchange server, they may also use the same account -- and change the password in each service. Then start the services up again. If any one of them fails to start, you know you typed the password in wrong. Don't forget to have the Domain Controller synch up with the other domain controllers...

This may all be irrelevant if your servers are protected sufficiently. But it's probably a good idea.

As far as any whitepapers you've found, if they're from Microsoft, I'd believe them, however, you may have configurations that they don't cover, in which case you may have problems. Product Support Services is a good resource to use in these cases.

The key to doing ANYTHING in Exchange is getting GOOD BACKUPS. When doing something like this, it's good to get a confirmed ONLINE backup and a good OFFLINE backup -- as in, shut the server down, let all the transactions commit, and backup the files themselves.

Now, about waiting to change the account until you upgrade to Exchange 2000 -- I don't know what kind of time-table you have, but if this possibly malicious guy is out there, I wouldn't wait. There are too many things that can go wrong with a migration to Exchange 2000 (that I've heard of, since I've never done it myself). You do realize that you have to be running a Win2K Active Directory Domain before you can use Ex2K, right? I'm constantly surprised by the number of people who don't know that...

So I'd go ahead and change the password, if not the account itself. Then you can rest easy, knowing that you have a heckuva task before you just in the Ex2K migration itself, but at least you don't have to worry about a hacker who knows your passwords...

That's all for now, but there'll be more later!

Click here to go back to my OutlookExchange homepage.

Disclaimer: Your use of the information contained in these pages is at your sole risk. All information on these pages is provided "as is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Pro Exchange. OutlookExchange.Com and Pro Exchange shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.

© Copyright Pro Exchange, Inc., 2006