nmmcfk
Moving an Exchange 2003 server out of the Domain Controller
Hi everybody,
I currently have a Windows 2003 server acting as the Domain Controller with Exchange 2003 Server installed on it. I also use another Windows 2003 Server as a Front End server for OWA. With all my research through Microsoft.com when I installed my servers 1 year ago, I was not aware that installing the Exchange server on the DC was problematic. Now I have to reboot the servers every week because Exchange crashes on me on a weekly basis; I suspect that this is the problem. I will purchase another Server and move my Exchange Server out of my Domain Controller. Basically I was wondering if there are any step-by-step instructions somewhere I can use.
Thank You in advance and Happy New Year
ASKER
Thanks Simon,
What is the recommended scenario for us once we have moved that Exchange 2003 out of the domain controller? Currently I have a Front End Server on the internal network; I want to move that one into the DMZ to secure things. Do I need to purchase an ISA Server or just put the Front End server between 2 firewalls?
Thanks in advance
How do you think that putting Exchange in the DMZ will make the deployment more secure?
It does not. It actually makes things less secure due to the ports that you have to open in the firewall, basically turning the server into Swiss cheese.
Leave all the Exchange servers inside. If you don't want to directly expose the server to the internet, then put an ISA server in the DMZ and publish OWA through that. The ISA server would not be a member of the domain.
Simon.
ASKER
OK, so putting the front end in the DMZ between 2 firewalls would not secure the internal? Right now the front end is inside with a MIP to the outside; I am afraid that if my front end gets compromised, the rest will be as well.
ASKER
I forgot to say, my front end server does not contain any mailboxes; it just relays the info to the Exchange server on the back end server. The Exchange server itself will stay inside.
If you put the frontend in the DMZ and it gets compromised, then you still have a problem - as the number of changes made to the firewall will allow an attacker to walk straight in. Exchange - whether a frontend or a backend - references the domain controllers frequently, so it needs constant communication with them. That is your risk.
For smaller sites I simply allow port 443 and 25 ONLY in to the Exchange servers from the internet.
For larger sites I use ISA.
Simon.
ASKER
So having a DC, one Exchange server acting as the Back End controller and the Front End controller all on the inside is as secure as putting the front end server in the DMZ between 2 firewalls, if I understand what you are saying.
It is more secure than putting a frontend server in the DMZ, because putting a frontend server in the DMZ is not secure at all. You should be prepared to drop any server in the DMZ at a moment's notice. You cannot do that with an Exchange server.
Simon.
ASKER
Ok, Thank you very much for your help.
Scott
ASKER
One other question: if I installed an ISA Server in my DMZ, do I still need a front end server to reach/communicate with my Exchange back end server?
A frontend server provides a single point of entry for multiple backend servers. If you do not have multiple backend servers then all a frontend server does is take off the load of OWA and some other remote functionality from the backend servers.
Simon.
ASKER
So I can install my ISA Server on my Front End server and use only 1 ISA, 1 Back End Exchange server and 1 Domain Controller for my whole setup.
The frontend server wouldn't be a frontend. No Exchange installed. Just a simple Windows 2003 server with all service packs and updates, with ISA installed and then hardened.
Simon.
ASKER
OK, thank you, that will ease my spending since I can use the Front End for my ISA.
Thanks for your help
Scott
ASKER
What ISA version do you recommend for us? Standard or Enterprise?
ASKER
Thank you very much Simon,
I appreciate your help
My guide is here: http://www.amset.info/exchange/migration.asp
It is quite straightforward, particularly as you are on Exchange 2003. Just take your time.
Simon.