RPC over HTTPS for clustered Exchange 2003

I have a clustered Exchange server with a PDC and a BDC in the same domain. I've followed this guide
http://www.amset.info/exchange/rpc-http-server.asp (dual server mode)
to set up RPC over HTTPS, which worked great inside the local network. However, when I move the computer out of the network, Outlook won't connect to Exchange.

1) When using Outlook within the network, outlook /rpcdiag shows that it connects to Exchange and the PDC (for directory service), but the PDC is strictly internal. Does that mean I need to open the PDC to the public, or can I use Exchange for authentication?

2) I also have the BDC as a backup (it's also a GC), but the RPC over HTTP guide mentions only one DC. Could I just put the BDC in the registry as well?


You shouldn't see a domain controller listed in the /rpcdiag status. It should be just the Exchange server listed.
Is this site fully up to date with service packs for Exchange?

Does it show ALL the connections as going over https?
You don't need to expose the domain controllers to the internet - the entire point of the feature is that all traffic can go through a single port.
As you are using a cluster - are you using a frontend / backend scenario?

Finally, you can add additional domain controllers to the list - be careful with the order though; I have had mixed success with additional DCs. Remember to make the registry change on the domain controllers as well.

No such thing as PDC and BDC in an AD domain...

efurbanAuthor Commented:
Thanks for the input Simon.

I can see all the connections going over HTTPS, which is good, but I don't understand why I still see Outlook contacting pdc.domain.local.
pdc.xxxx.com          Directory   .... HTTPS ...
Exchange.xxxxxx.com   Mail        .... HTTPS ...
pdc.xxxx.com          Directory   .... HTTPS ...
Exchange.xxxxxx.com   Mail        .... HTTPS ...

PDC is the primary and BDC is the backup. I know there is no difference between the two.
Anyway, I am not using frontend/backend; the RPC proxy is installed on the Exchange server itself.

I just double-checked the settings in the registry on Exchange and the DC, and they look right.

What is the service pack status on the machines?
The behaviour changed at one point in the cycle, and I cannot remember when.
What I do know is that in a correctly working environment that is patched with the latest service packs of everything, the same single server is listed for all four components, not split.


efurbanAuthor Commented:
OK, this is resolved after I rebooted both the PDC and the BDC. However, what do you mean by "you can add additional domain controllers to the list - be careful with the order though"?
I am going to put something like this:

Does it look alright?
Thank you for the help.
I have seen some funny results with the order of the registry entries. I cannot see any reason for it myself, but during testing, if I knocked over one of the domain controllers, it wasn't using the second one correctly. I played around with the order of the domain controllers listed and it was fine.
A quick check on the site where I did that configuration shows it is identical to the configuration that you have posted above, so it should be fine.
You may want to knock over a domain controller as a test one evening after the users have gone home to see whether it does actually use the second domain controller (or not).
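
The thread never shows the registry value itself, so here is an added example (not from the original thread or the amset.info guide) of building and sanity-checking the RpcProxy ValidPorts value for the dual-server-mode layout discussed above: the Exchange server listed for 6001-6002 and 6004, and each domain controller listed for 6004 in the order it should be tried. Server names are constructed placeholders; the port numbers are the ones Exchange 2003 uses for RPC over HTTP (6001 store, 6002 referral, 6004 DSProxy/NSPI). The matching change on each DC ("NSPI interface protocol sequences" = ncacn_http:6004 under the NTDS Parameters key) is not modeled here, and the script only checks the string, not whether the DCs actually answer.

```python
"""Build and check the RpcProxy ValidPorts value used by Exchange 2003 RPC over
HTTPS in dual server mode (RPC proxy installed on the Exchange server itself).

Added example, not from the original thread. Server names are constructed.
The value lives at HKLM\\Software\\Microsoft\\Rpc\\RpcProxy\\ValidPorts and is a
semicolon-separated list of host:port or host:port-port entries.
"""

from typing import Dict, List, Set, Tuple

STORE_PORTS = {6001, 6002, 6004}   # the Exchange server must accept all three
NSPI_PORT = 6004                    # each listed DC / GC must accept this one


def build_valid_ports(exchange: Tuple[str, str], dcs: List[Tuple[str, str]]) -> str:
    """Compose the ValidPorts string. Each server is (netbios, fqdn); Outlook may
    use either name, so both are listed. DCs are emitted in the order given,
    since the thread reports that the order affected failover in testing."""
    entries = []
    for name in exchange:
        entries.append(f"{name}:6001-6002")
        entries.append(f"{name}:6004")
    for dc in dcs:
        for name in dc:
            entries.append(f"{name}:{NSPI_PORT}")
    return ";".join(entries)


def parse_valid_ports(value: str) -> Dict[str, Set[int]]:
    """Expand host:port / host:port-port entries into {host: set(ports)}.
    Malformed entries raise instead of being skipped: a typo here is exactly
    the kind of thing that makes Outlook fail only from outside the LAN."""
    ports: Dict[str, Set[int]] = {}
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        host, sep, spec = entry.rpartition(":")
        if not sep or not host:
            raise ValueError(f"malformed entry: {entry!r}")
        lo, _, hi = spec.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not (0 < lo_i <= hi_i < 65536):
            raise ValueError(f"bad port range: {entry!r}")
        ports.setdefault(host.lower(), set()).update(range(lo_i, hi_i + 1))
    return ports


def check_valid_ports(value: str, exchange: Tuple[str, str],
                      dcs: List[Tuple[str, str]]) -> List[str]:
    """Return a list of problems; an empty list means every server is covered."""
    ports = parse_valid_ports(value)
    problems = []
    for name in exchange:
        missing = STORE_PORTS - ports.get(name.lower(), set())
        if missing:
            problems.append(f"{name}: missing ports {sorted(missing)}")
    for dc in dcs:
        for name in dc:
            if NSPI_PORT not in ports.get(name.lower(), set()):
                problems.append(f"{name}: missing NSPI port {NSPI_PORT}")
    return problems


def dc_order(value: str, dcs: List[Tuple[str, str]]) -> List[str]:
    """FQDNs of the DCs in the order they first appear in the value."""
    name_to_fqdn = {n.lower(): dc[1] for dc in dcs for n in dc}
    seen: List[str] = []
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        fqdn = name_to_fqdn.get(entry.rpartition(":")[0].lower())
        if fqdn and fqdn not in seen:
            seen.append(fqdn)
    return seen


if __name__ == "__main__":
    EXCHANGE = ("exchange", "exchange.example.com")                  # constructed
    DCS = [("dc1", "dc1.example.com"), ("dc2", "dc2.example.com")]   # constructed
    value = build_valid_ports(EXCHANGE, DCS)
    print(value)
    print("problems:", check_valid_ports(value, EXCHANGE, DCS))
    print("DC order:", dc_order(value, DCS))
    # A value that lists only the first DC: the checker flags the second one.
    partial = build_valid_ports(EXCHANGE, DCS[:1])
    print("problems:", check_valid_ports(partial, EXCHANGE, DCS))
```

Paste the generated string into the ValidPorts value on the RPC proxy host, then do what Simon suggests above: take one DC down after hours and confirm with outlook /rpcdiag that Outlook moves to the next DC in the list.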


efurbanAuthor Commented:
Thank you very much. I definitely need to test it out later when we have a break in the company.  :)

Can I ask one more question?  
I have an ISA server in front of Exchange. If I assign nothing (no authentication) on the listener and configure Exchange to use basic authentication, everything works great. However, if ISA is configured to use basic authentication, then Outlook just keeps asking for the password.

I know I may have to open a new question here.. oh well.
I would ask a new question on that one, as my knowledge of ISA isn't very good.

efurbanAuthor Commented:
The problem was resolved. There is a setting in ISA to forward the Basic authentication credentials.

Thanks anyway.