Instructions for Exchange infrastructure (Front end 2 servers running NLB, back end 2 servers active/passive cluster)

Hi guys

Here is the situation

One forest, one DC, one tree

I would like some help with my plan for implementing the following scenario in a test lab: 2 front-end servers running NLB in the DMZ, back-end active/passive cluster. I need some guidance and a list with the actual steps. Like

1. Run forest prep and domain prep on the DC
2. Set up a 2-node cluster

And so on…

Something that is not very clear to me… the front-end servers will be in the DMZ.. how will they be part of the domain then?

How must the whole thing be configured? What Exchange protocols must I have on the front end and on the back end?

Please advise..
1 Solution
This is way over my head... but read the articles I copied from MS... it is good to know
if you will be playing around with a DMZ. These days a DMZ requires more ports open than
a non-DMZ configuration... so you may want to reconsider... but if it is not your choice
then so be it... I am not an expert in this field so I won't post anymore, but I just wanted
you to know about the two reg hacks I posted... it makes life easier if you decide to go
with a DMZ... also, since you won't have any DNS servers in your DMZ, you will have
all the info in your hosts files... for example, the IP addresses of your DCs and GCs will
be posted in the front end's hosts files, since they won't be anything more than MEMBER SERVERS... take care and good luck...

Hard Coding Active Directory Servers
Exchange 2000 SP2 and later eliminates remote procedure calls (RPCs) in the DSAccess component. Because DSAccess now uses Lightweight Directory Access Protocol (LDAP) to locate available domain controllers and global catalog servers, deployment is improved for perimeter networks.
In earlier versions of Exchange 2000, if DSAccess was deployed in a perimeter network, the list of Active Directory servers had to be manually configured because DSAccess discovery methods depended upon RPCs. The discovery methods have been changed to use non-RPC Microsoft Windows implementation of LDAP (wLDAP) calls exclusively. Therefore, hard coding Active Directory servers is no longer required.
Stopping The NetLogon Check
DSAccess skips the NetLogon check during initial topology discovery, but runs the NetLogon check every 15 minutes during ongoing discovery. The check determines whether the NetLogon service is running.
In a perimeter network where RPC traffic is not allowed, the NetLogon check cannot occur; however, the NetLogon check will continue to issue RPCs until it fails, which can take a long time. Because repeated NetLogon checks decrease performance, you should stop DSAccess from issuing NetLogon checks by creating the following registry key.

Location      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
Name      DisableNetLogonCheck
Type      REG_DWORD
Value      1

For more information, see Microsoft Knowledge Base article Q320228, “XGEN: The ‘DisableNetLogonCheck’ Registry Value and How to Use It” at http://go.microsoft.com/fwlink/?LinkId=3052&ID=320228.
Stopping The Directory Access Ping (LDAP ICMP Keep Alive)
By default, DSAccess uses Internet Control Message Protocol (ICMP) to ping each server that it connects to, in order to determine if the server is available. In a perimeter network, ICMP is typically blocked between the Exchange 2000 server and the domain controllers. This situation causes DSAccess to respond as if every domain controller is unavailable. DSAccess then discards old topologies and frequently performs new topology discoveries, which affects server performance. You can turn off the ICMP ping by creating the following registry key.

Location      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
Name      LdapKeepaliveSecs
Type      REG_DWORD
Value      0

Microsoft only supports conditions in which the LdapKeepaliveSecs registry key is either set to 0 or not present in the registry. For more information about the LdapKeepaliveSecs registry key, see Microsoft Knowledge Base article Q320529, “XADM: Using DSAccess in a Perimeter Network Firewall Scenario Requires a Registry Key Setting” at http://go.microsoft.com/fwlink/?LinkId=3052&ID=320529 .
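
An added example, not part of the answer or the quoted Microsoft text: a small Python check that reads the text of a registry export from a front-end server and classifies the two DSAccess values against the states described above. The sample export, its values and the `Other` subkey are constructed, and the key path is the Location exactly as the post gives it.

```python
import re

# Constructed sample: text of a .reg export from a front-end server (decode the
# exported file before passing it in). KEY is the Location exactly as the post
# gives it; substitute the key you actually exported.
KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services"
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[" + KEY + "]",
    '"DisableNetLogonCheck"=dword:00000001',
    '"LdapKeepaliveSecs"=dword:0000003c',
    "",
    "[" + KEY + r"\Other]",              # constructed subkey, must be ignored
    '"LdapKeepaliveSecs"=dword:00000000',
])

SECTION = re.compile(r"^\[(.+)\]$")
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def dwords_under(reg_text, key):
    """Return {value_name_lower: int} for REG_DWORD values directly under key."""
    values, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            current = m.group(1).lower()
            continue
        m = DWORD.match(line)
        if m and current == key.lower():
            values[m.group(1).lower()] = int(m.group(2), 16)
    return values

def audit_dsaccess(reg_text, key=KEY):
    """Classify both settings against the states the quoted text describes."""
    v = dwords_under(reg_text, key)
    netlogon = "disabled" if v.get("disablenetlogoncheck") == 1 else "still-running"
    keepalive = v.get("ldapkeepalivesecs")
    if keepalive is None:
        ping = "default-ping-active"   # supported state, but ICMP ping is still sent
    elif keepalive == 0:
        ping = "disabled"
    else:
        ping = "unsupported-value"     # only 0 or absent is supported
    return {"netlogon_check": netlogon, "icmp_ping": ping}

if __name__ == "__main__":
    print(audit_dsaccess(SAMPLE_REG))
```
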
geiyer71 (Author) commented:
Thank you very much for this information.. I was looking for a different answer. But this is definitely something to be considered.

I need some help with the actual steps building this scenario..