efurban
asked on
RPC over https for clustered exchange 2003
HI,
I have a clustered Exchange server with a PDC and a BDC in the same domain. Now I've followed this
http://www.amset.info/exchange/rpc-http-server.asp (dual server mode)
to set up RPC over HTTPS, which worked great inside the local network. However, when I move the computer out of the network, Outlook won't connect to Exchange.
1) When using Outlook within the network, outlook /rpcdiag shows that it connects to Exchange and the PDC (for directory service), but the PDC is strictly internal, so does that mean I need to open the PDC to the public? Or can I use Exchange for authentication?
2) I also have the BDC as a backup (it's also a GC), but the RPC over HTTP guide mentions only one DC. Could I just put the BDC in the registry as well?
Thanks.
ASKER
Thanks for the input Simon.
I can see all the connections going over HTTPS, which is good, but I don't understand why I still see Outlook contacting pdc.domain.local.
Activity:
pdc.xxxx.com Directory .... HTTPS ...
Exchange.xxxxxx.com Mail .... HTTPS ...
pdc.xxxx.com Directory .... HTTPS ...
Exchange.xxxxxx.com Mail .... HTTPS ...
PDC is the primary and BDC is the backup. I know there is no difference between the two.
Anyway, I am not using frontend/backend; the RPC proxy is installed on the Exchange server itself.
I just double-checked the settings in the registry on Exchange and the DC; they look right.
What is the service pack status on the machines?
The behaviour changed at one point in the cycle, and I cannot remember when.
What I do know is that in a correctly working environment that is patched with the latest service packs of everything, the same single server is listed for all four components - not split.
Simon.
ASKER
OK, this is resolved after I rebooted both the PDC and the BDC. However, what do you mean by "you can add additional domain controllers to the list - be careful with the order though"?
I am going to put something like this:
exchange-server:100-5000;
exchange-server:6001-6002;
exchange-server.domain.local:6001-6002;
pdc:6001-6002;
pdc.domain.local:6001-6002;
bdc:6001-6002;
bdc.domain.local:6001-6002;
exchange-server:6004;
exchange-server.domain.local:6004;
pdc:6004;
pdc.domain.local:6004;
bdc:6004;
bdc.domain.local:6004;
mail.external.com:6001-6002;
mail.external.com:6004;
pdc:593;
pdc.domain.local:593;
bdc:593;
bdc.domain.local:593;
exchange-server:593;
exchange-server.domain.local:593;
mail.external.com:593;
Does it look alright?
Thank you for the help.
ASKER CERTIFIED SOLUTION
ASKER
Thank you very much. I definitely need to test it out later when we have a break in the company. :)
Can I ask one more question?
I have an ISA server in front of Exchange. If I assign nothing (no authentication) on the listener and configure Exchange to use basic authentication, everything works great. However, if ISA is configured to use basic authentication, then Outlook just keeps asking for the password.
I know I may have to open a new question here.. oh well.
I would ask a new question on that one, as my knowledge with ISA isn't very good.
Simon.
ASKER
The problem was resolved. There is a setting in ISA to forward the Basic authentication credentials.
Thanks anyway.
:)
Is this site fully up to date with service packs for Exchange?
Does it show ALL the connections as going over https?
You don't need to expose the domain controllers to the internet - the entire point of the feature is that all traffic can go through a single port.
As you are using a cluster - are you using a frontend / backend scenario?
Finally, you can add additional domain controllers to the list - be careful with the order though; I have had mixed success with additional DCs. Remember to make the registry change on the domain controllers as well.
No such thing as PDC and BDC in an AD domain...
Simon.
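The following is an added example, not code from this thread or from the amset.info guide. It takes the ValidPorts list the asker posted (joined into the single REG_SZ string the proxy actually reads) and checks it against the two points made in the thread: every Exchange and global catalog name Outlook will ask for must carry the ports it needs, and, since the proxy itself is the only thing reachable from outside, the list should stay a tight allow-list rather than a wide port range. The registry path HKLM\SOFTWARE\Microsoft\Rpc\RpcProxy\ValidPorts, its "host:port;host:first-last" format and the port meanings (6001 store, 6002 DS referral, 6004 NSPI, 593 endpoint mapper) are standard Exchange 2003 RPC over HTTP values; the host names, the required-ports-per-role table and the 10-port width threshold are assumptions for the example.

```python
"""Added example (not code from the thread or the amset.info guide):
parse and sanity-check an RPC proxy ValidPorts value.

Facts relied on: on the RPC-over-HTTP proxy the REG_SZ value
HKLM\\SOFTWARE\\Microsoft\\Rpc\\RpcProxy\\ValidPorts is an allow-list of
"host:port" or "host:first-last" entries separated by ';', and Exchange 2003
RPC/HTTP uses 6001 (store), 6002 (DS referral), 6004 (NSPI) and 593
(endpoint mapper).  Host names, the per-role port table and the width
threshold below are assumptions modelled on the list posted in the thread.
"""
import re

ENTRY_RE = re.compile(r"^([A-Za-z0-9.-]+):(\d+)(?:-(\d+))?$")

# Ports each role must be reachable on through the proxy (assumed table).
# The mailbox server is listed under short name, FQDN and external name;
# each global catalog under short name and FQDN, internal names only.
REQUIRED = {
    "mailbox": {593, 6001, 6002, 6004},
    "gc": {593, 6004},
}


def parse_validports(value):
    """Return {host: set(ports)}.  Raises ValueError on a malformed entry."""
    ports_by_host = {}
    for raw in value.split(";"):
        entry = raw.strip()
        if not entry:
            continue                      # tolerate a trailing ';'
        m = ENTRY_RE.match(entry)
        if not m:
            raise ValueError(f"malformed entry: {entry!r}")
        host, lo = m.group(1).lower(), int(m.group(2))
        hi = int(m.group(3)) if m.group(3) else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {entry!r}")
        ports_by_host.setdefault(host, set()).update(range(lo, hi + 1))
    return ports_by_host


def check_validports(value, expected, max_span=10):
    """expected: {host: 'mailbox' | 'gc'}.  Returns a list of findings;
    an empty list means every expected host has its ports and nothing
    beyond that is allowed."""
    try:
        table = parse_validports(value)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    wanted = {h.lower(): role for h, role in expected.items()}
    for host, role in wanted.items():
        missing = sorted(REQUIRED[role] - table.get(host, set()))
        if missing:
            findings.append(f"{host}: missing ports {missing}")
    for host in table:
        if host not in wanted:
            findings.append(f"{host}: not an expected target, remove it")
    # ValidPorts is exactly what the proxy will tunnel to; a wide range gives
    # any client that can authenticate to the proxy far more than Outlook needs.
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        m = ENTRY_RE.match(entry)
        if m and m.group(3) and int(m.group(3)) - int(m.group(2)) + 1 > max_span:
            findings.append(f"{entry}: range wider than {max_span} ports, tighten it")
    return findings


# Constructed sample: the asker's list joined into one REG_SZ string.
EXPECTED = {
    "exchange-server": "mailbox", "exchange-server.domain.local": "mailbox",
    "mail.external.com": "mailbox",
    "pdc": "gc", "pdc.domain.local": "gc",
    "bdc": "gc", "bdc.domain.local": "gc",
}
POSTED = (
    "exchange-server:100-5000;exchange-server:6001-6002;"
    "exchange-server.domain.local:6001-6002;pdc:6001-6002;pdc.domain.local:6001-6002;"
    "bdc:6001-6002;bdc.domain.local:6001-6002;exchange-server:6004;"
    "exchange-server.domain.local:6004;pdc:6004;pdc.domain.local:6004;bdc:6004;"
    "bdc.domain.local:6004;mail.external.com:6001-6002;mail.external.com:6004;"
    "pdc:593;pdc.domain.local:593;bdc:593;bdc.domain.local:593;"
    "exchange-server:593;exchange-server.domain.local:593;mail.external.com:593;"
)

if __name__ == "__main__":
    for finding in check_validports(POSTED, EXPECTED) or ["ok"]:
        print(finding)
```

Run against the posted list, the only finding is the exchange-server:100-5000 entry: every name already carries 593, 6001-6002 and 6004, so that range adds nothing Outlook uses and should be dropped. Drop one port from a GC entry (for example bdc:6004) and the checker names the host and the missing port, which is the quickest way to confirm a second DC has been added completely rather than half-way.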