RPC over https for clustered exchange 2003

Posted on 2006-04-01
Last Modified: 2013-11-15
I have a clustered Exchange server with a PDC and BDC in the same domain. Now I've followed this (dual server mode)
to set up RPC over HTTPS, which worked great inside of the local network. However, when I move the computer out of the network, Outlook won't connect to Exchange.

1) When using Outlook within the network, outlook /rpcdiag shows that it connects to Exchange and the PDC (for directory service), but the PDC is strictly internal, so does that mean I need to open the PDC to the public? Or can I use Exchange for authentication?

2) I also have a BDC as a backup (it's also a GC), but the RPC over HTTP guide mentions only one DC. Could I just put the BDC in the registry as well?

Question by:efurban

    Expert Comment

    You shouldn't see a domain controller listed in the /rpcdiag status. It should be just the Exchange server listed.
    Is this site fully up to date with service packs for Exchange?

    Does it show ALL the connections as going over https?
    You don't need to expose the domain controllers to the internet - the entire point of the feature is that all traffic can go through a single port.
    As you are using a cluster - are you using a frontend / backend scenario?

    Finally, you can add additional domain controllers to the list - be careful with the order though, I have had mixed success with additional DCs. Remember to make the registry change on the domain controllers as well.

    No such thing as PDC and BDC in an AD domain...


    Author Comment

    Thanks for the input Simon.

    I can see all the connections as going over https which is good but I don't understand why I still see outlook contacting pdc.domain.local.
    Activity:
    Directory   .... HTTPS ...
    Mail        .... HTTPS ...
    Directory   .... HTTPS ...
    Mail        .... HTTPS ...

    PDC is the primary and BDC is the backup. I know there is no difference between the two.
    Anyway, I am not using frontend/backend; the RPC proxy is installed on the Exchange server itself.

    I just double checked the setting in registry on exchange and dc, they look right.


    Expert Comment

    What is the service pack status on the machines?
    The behaviour changed at one point in the cycle, and I cannot remember when.
    What I do know is that in a correctly working environment that is patched with the latest service packs of everything, the same single server is listed for all four components - not split.


    Author Comment

    OK, this was resolved after I rebooted both PDC and BDC. However, what do you mean by "you can add additional domain controllers to the list - be careful with the order though"?
    I am going to put something like this:

    Does it look alright?
    Thank you for the help.

    Accepted Solution

    I have seen some funny results with the order of the registry entries. I cannot see any reason for it myself, but during testing, if I knocked over one of the domain controllers, it wasn't using the second one correctly. Played around with the order of the domain controllers listed and it was fine.
    A quick check on the site where I did that configuration shows it is identical to the configuration that you have posted above, so it should be fine.
    You may want to knock over a domain controller as a test one evening after the users have gone home to see whether it does actually use the second domain controller (or not).
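
Added example, not part of the thread or of any poster's configuration: a Python audit of an RPC proxy allow-list after a second domain controller is added. It assumes "the list" is the RPC proxy's `ValidPorts` value in `host:port[-port];...` form, that each server appears under both its short name and FQDN, and the usual Exchange 2003 ports (6001-6002 and 6004 on Exchange, 6004 on each GC); the host names `exch` and `bdc` and the sample strings are constructed.

```python
EXCHANGE_PORTS = {6001, 6002, 6004}  # assumed: store, DS referral, DS proxy
DC_PORTS = {6004}                    # assumed: NSPI over HTTP on a global catalog

def parse_valid_ports(value):
    """Parse 'host:port[-port];...' into an ordered list of (host, ports)."""
    entries = []
    for item in filter(None, (p.strip() for p in value.split(";"))):
        host, sep, ports = item.rpartition(":")
        if not sep or not host:
            raise ValueError(f"malformed entry: {item!r}")
        lo, _, hi = ports.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range in {item!r}")
        entries.append((host.lower(), set(range(lo, hi + 1))))
    return entries

def audit(value, exchange, dcs, dns_suffix):
    """Return findings; an empty list means the allow-list matches the plan."""
    allowed = {}
    for host, ports in parse_valid_ports(value):
        allowed.setdefault(host, set()).update(ports)
    expected = {exchange: EXCHANGE_PORTS, **{dc: DC_PORTS for dc in dcs}}
    findings, known = [], set()
    for short, ports in expected.items():
        for name in (short, f"{short}.{dns_suffix}"):
            known.add(name)
            missing = ports - allowed.get(name, set())
            if missing:
                findings.append(f"{name}: missing {sorted(missing)}")
    # Anything the proxy may reach that is not in the plan widens exposure.
    findings += [f"{h}: unexpected host" for h in allowed if h not in known]
    return findings

# Constructed sample values (not taken from the thread).
GOOD = ("exch:6001-6002;exch.domain.local:6001-6002;exch:6004;"
        "exch.domain.local:6004;pdc:6004;pdc.domain.local:6004;"
        "bdc:6004;bdc.domain.local:6004")
BAD = ("exch:6001-6002;exch.domain.local:6001-6002;exch:6004;"
       "exch.domain.local:6004;pdc:6004;pdc.domain.local:6004;"
       "bdc:6004;web01:80")

if __name__ == "__main__":
    for label, value in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit(value, "exch", ["pdc", "bdc"], "domain.local"))
```

The parsed entries keep their original order, so the same output can be compared before and after reordering the domain controllers for a failover test.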


    Author Comment

    Thank you very much. I definitely need to test it out later when we have a break in the company.  :)

    Can I ask one more question?  
    I have an ISA server in front of the Exchange server. If I assign nothing (no authentication) on the listener and configure Exchange to use basic authentication, everything works great. However, if the ISA is configured to use basic authentication, then Outlook just keeps asking for a password.

    I know I may have to open a new question here.. oh well.

    Expert Comment

    I would ask a new question on that one, as my knowledge with ISA isn't very good.


    Author Comment

    Problem was resolved. There is a setting in ISA to forward the Basic authentication credential.

    Thanks anyway.
