Instructions for Exchange infrastructure (Front end 2 servers running NLB, back end 2 servers active/passive cluster)

Posted on 2005-04-13
Last Modified: 2013-11-15
Hi guys

Here is the situation

One forest, one DC, one tree

I would like some help with my plan implementing the following scenario in a test lab. 2 front end servers running NLB in the DMZ, back end active/passive cluster. I need some guidance and a list with the actual steps. Like

1. Run forest prep and domain prep on the DC
2. Set up a 2-node cluster

And so on….

Something that is not very clear to me … the front end servers will be in the DMZ .. how will they be part of the domain then?

How must the whole thing be configured? What Exchange protocols must I have on the front end and on the back end?

Please advise ..
Question by:geiyer71

    Accepted Solution

    this is way over my head....but the articles I copied from MS are good to know
    if you will be playing around with a DMZ..These days a DMZ requires more ports open than
    a non-DMZ, so you may want to reconsider....but if it is not your choice
    then so be it....I am not an expert in this field so I won't post anymore, but I just wanted
    you to know about the two reg hacks I posted that make life easier if you decide to go
    with a DMZ....also since you won't have any DNS servers in your DMZ you will have
    all the info in your hosts files....for example the IP addresses of your DCs and GCs will
    be posted in the front end's hosts files since they won't be anything more than MEMBER SERVERS......take care and good luck...

    Hard Coding Active Directory Servers
    Exchange 2000 SP2 and later eliminates remote procedure calls (RPCs) in the DSAccess component. Because DSAccess now uses Lightweight Directory Access Protocol (LDAP) to locate available domain controllers and global catalog servers, deployment is improved for perimeter networks.
    In earlier versions of Exchange 2000, if DSAccess was deployed in a perimeter network, the list of Active Directory servers had to be manually configured because DSAccess discovery methods depended upon RPCs. The discovery methods have been changed to use non-RPC Microsoft Windows implementation of LDAP (wLDAP) calls exclusively. Therefore, hard coding Active Directory servers is no longer required.
    Stopping The NetLogon Check
    DSAccess skips the NetLogon check during initial topology discovery, but runs the NetLogon check every 15 minutes during ongoing discovery. The check determines whether the NetLogon service is running.
    In a perimeter network where RPC traffic is not allowed, the NetLogon check cannot occur; however, the NetLogon check will continue to issue RPCs until it fails, which can take a long time. Because repeated NetLogon checks decrease performance, you should stop DSAccess from issuing NetLogon checks by creating the following registry key.

    Location      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
    Name      DisableNetLogonCheck
    Type      REG_DWORD
    Value      1

    For more information, see Microsoft Knowledge Base article Q320228, “XGEN: The ‘DisableNetLogonCheck’ Registry Value and How to Use It” at
    Stopping The Directory Access Ping (LDAP ICMP Keep Alive)
    By default, DSAccess uses Internet Control Message Protocol (ICMP) to ping each server that it connects to, in order to determine if the server is available. In a perimeter network, ICMP is typically blocked between the Exchange 2000 server and the domain controllers. This situation causes DSAccess to respond as if every domain controller is unavailable. DSAccess then discards old topologies and frequently performs new topology discoveries, which affects server performance. You can turn off the ICMP ping by creating the following registry key.

    Location      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
    Name      LdapKeepaliveSecs
    Type      REG_DWORD
    Value      0

    Microsoft only supports conditions in which the LdapKeepaliveSecs registry key is either set to 0 or not present in the registry. For more information about the LdapKeepaliveSecs registry key, see Microsoft Knowledge Base article Q320529, “XADM: Using DSAccess in a Perimeter Network Firewall Scenario Requires a Registry Key Setting” at .
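
Added example (not part of the answer above or of any Microsoft tooling): a PowerShell audit of the two DSAccess registry values quoted in the answer, so a front-end server in the perimeter network can be checked before and after the change. It assumes the values live under an MSExchangeDSAccess subkey of the Services path given above; the subkey name and the optional -Fix switch are this example's own assumptions.

```powershell
# Audit (and optionally set) the DSAccess perimeter-network registry values
# quoted in the answer: DisableNetLogonCheck = 1 and LdapKeepaliveSecs = 0.
# ASSUMPTION: the values sit under the MSExchangeDSAccess subkey; adjust if needed.
param(
    [string]$DsAccessKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeDSAccess',
    [switch]$Fix   # report only by default; write the recommended values when set
)

function Get-RegDword {
    param([string]$Key, [string]$Name)
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value (or whole key) absent
}

function Test-DsAccessPerimeterConfig {
    param([string]$Key)
    $netlogon  = Get-RegDword -Key $Key -Name 'DisableNetLogonCheck'
    $keepalive = Get-RegDword -Key $Key -Name 'LdapKeepaliveSecs'
    [pscustomobject]@{
        Key                   = $Key
        DisableNetLogonCheck  = $netlogon
        # 1 stops the periodic RPC NetLogon check, which can only fail where RPC is blocked
        NetLogonCheckDisabled = ($netlogon -eq 1)
        LdapKeepaliveSecs     = $keepalive
        # 0 turns off the ICMP ping that a firewall between DMZ and DCs would block
        LdapPingDisabled      = ($keepalive -eq 0)
        # only 0 or "not present" is a supported state; anything else is unsupported
        KeepaliveSupported    = ($null -eq $keepalive -or $keepalive -eq 0)
    }
}

$result = Test-DsAccessPerimeterConfig -Key $DsAccessKey
$result | Format-List

if ($Fix) {
    if (-not (Test-Path $DsAccessKey)) { New-Item -Path $DsAccessKey -Force | Out-Null }
    if (-not $result.NetLogonCheckDisabled) {
        New-ItemProperty -Path $DsAccessKey -Name 'DisableNetLogonCheck' `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
    if (-not $result.LdapPingDisabled) {
        New-ItemProperty -Path $DsAccessKey -Name 'LdapKeepaliveSecs' `
            -PropertyType DWord -Value 0 -Force | Out-Null
    }
    Write-Host "Recommended values written under $DsAccessKey"
}
```

Run without -Fix first on each front-end server; a KeepaliveSupported of False flags a value that Microsoft does not support, which is worth correcting before anything else is troubleshot.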

    Author Comment

    Thank you very much for this information .. I was looking for a different answer. But this is definitely something to be considered.

    I need some help with the actual steps building this scenario..
