Changing Exchange server OU's

If you change the OU membership of your Exchange 2000 servers, you may run into a common issue. This issue might be benign, but the events in the event log certainly are disconcerting.  The article (271335) explains in detail.

After you move Exchange servers into a new OU, you might see the following events:

Event ID: 9186
Source: MSExchangeSA
Type: Warning
Category: General
Description:
Microsoft Exchange System Attendant has detected that the local computer is not a member of group 'cn=Exchange Domain Servers,cn=Users,dc=microsoft,dc=com'. System Attendant is going to add the local computer into the group.
The current members of the group are 'CN=SERVERNAME,OU=NEWOU,DC=microsoft,DC=com; '.

-and-

Event ID: 9187
Source: MSExchangeSA
Type: Error
Category: General
Description:
Microsoft Exchange System Attendant failed to add the local computer as a member of the DS group object 'cn=Exchange Domain Servers,cn=Users,dc=microsoft,dc=com'.
Please stop all the Microsoft Exchange services, add the local computer into the group manually and restart all the services.

The article explains what you should do, depending on what else you are seeing.

This brings up an interesting topic to discuss.  What types of OU's should I setup for my Exchange servers?  Of course, the answer is always, "it depends."  A very common design (picture below) is to break out the servers into different types.  This allows you to set a base company policy at the top level Server OU.  Then each server of various kinds can be locked down differently if needed.  We often see people placing a single policy object to all servers.  Certainly all servers are not the same and a policy setting on an IIS server may not make sense on an Exchange cluster node (and vice-versa).