How to Enable a New Security Policy on Exchange Cluster Nodes


This topic explains how to enable a new GPO security policy for the purposes of hardening an Exchange Cluster.

Before You Begin

It is highly recommended that you read Running Exchange Server 2003 Clusters in a Security-Hardened Environment before implementing this procedure.

Procedure

To enable the new security policy on an Exchange Cluster Node

  1. In the Active Directory site where the Exchange clusters reside, verify that all domain controllers are updated with the new GPO policies. Depending on your Active Directory environment, it may take several minutes for the new GPO policies to be replicated to all domain controllers in the site. To force Active Directory replication within the site, you can use the Active Directory Sites and Services MMC snap-in or the Windows Support tool, Repadmin.exe.

    For more information about both methods, see Microsoft Knowledge Base article 232072, "Initiating Replication Between Active Directory Direct Replication Partners."

  2. Using Cluster Administrator, take all Exchange System Attendant cluster resources offline.

  3. Move all cluster groups to the primary node.

    Note

    For the purposes of this procedure, nodes in the cluster are referred to as the primary node or secondary nodes. The primary node is the node to which you move all resources while enabling the policy. The secondary nodes are all other nodes in the cluster.

  4. To update the new policy to the cluster nodes, at the command prompt, type gpupdate /force. GPUpdate.exe is a utility that forces the local system to update its group policy settings. If you do not run GPUpdate.exe, then the cluster nodes may take up to 90 minutes to update the policy.

  5. Shut down all secondary nodes in the cluster.

  6. After the secondary nodes have shut down completely, restart the primary node.

  7. After the primary node restarts, verify that the Cluster service is running and that all cluster resources are running and online.

  8. Start the secondary nodes, and then verify that the Cluster service is running on each of them.

  9. In Cluster Administrator, under Groups, right-click the group on the primary node, and then click Move Group to move the Exchange Virtual Server (EVS) to a secondary node. After verifying that the resources start successfully, move the EVS back to the primary node.

  10. Run the Resultant Set of Policy MMC snap-in (Rsop.msc) to verify that the GPO policies are set. For more information about using the Resultant Set of Policy MMC snap-in, see Microsoft Knowledge Base Article 312321, "How to Use Resultant Set of Policy Logging to Gather Computer Policy Information."
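As an added example (not part of this article or of Microsoft's tooling), the following Windows PowerShell script automates the verification checkpoints of steps 4, 7, 8 and 10 on a cluster node: it optionally forces the policy refresh, confirms the Cluster service is running, lists any cluster resource that is not Online, and checks that the GPO shows up in the computer-scope Group Policy result. It assumes Windows PowerShell, cluster.exe and gpresult.exe are available on the node, and uses the placeholder GPO display name "Exchange Cluster Hardening"; substitute your own.

```powershell
param(
    [string]$GpoName = "Exchange Cluster Hardening",  # placeholder display name (assumption, not from the article)
    [switch]$ForceUpdate                              # step 4: run gpupdate /force before the checks
)

# Steps 7 and 8: is the Cluster service (service name ClusSvc) running on this node?
function Test-ClusterServiceRunning {
    $svc = Get-Service -Name ClusSvc -ErrorAction SilentlyContinue
    return ($svc -ne $null -and $svc.Status -eq 'Running')
}

# Step 7: parse "cluster.exe res" output and return every resource whose status is not Online.
# Resource and group names may contain spaces, so only the trailing Status column is matched;
# the title, column-header and separator lines do not end in a status keyword and are skipped.
function Get-NotOnlineResources {
    $statusPattern = '^(.+?)\s{2,}.*\s(Online Pending|Offline Pending|Online|Offline|Failed|Initializing)\s*$'
    $notOnline = @()
    foreach ($row in (cluster.exe res)) {
        if ($row -match $statusPattern -and $matches[2] -ne 'Online') {
            $notOnline += ("{0} [{1}]" -f $matches[1].Trim(), $matches[2])
        }
    }
    return $notOnline
}

# Step 10, command-line counterpart of Rsop.msc: does the GPO appear in the
# verbose computer-scope result that gpresult reports for this node?
function Test-GpoApplied([string]$Name) {
    $report = gpresult /scope computer /v | Out-String
    return ($report -match [regex]::Escape($Name))
}

if ($ForceUpdate) {
    gpupdate /force | Out-Null   # same refresh as step 4; without it the node may wait up to 90 minutes
}

$pending = Get-NotOnlineResources
"Cluster service running : " + (Test-ClusterServiceRunning)
"All resources online    : " + ($pending.Count -eq 0)
$pending | ForEach-Object { "  not online: $_" }
"GPO '$GpoName' applied  : " + (Test-GpoApplied -Name $GpoName)
```

Run it once on the primary node after step 7 and again on each secondary node after step 8; any resource it reports as not online should be investigated in Cluster Administrator before moving the EVS in step 9.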