
New Domain and Exchange Setup

Hi Guys,

This is a general implementation question:

We are deploying a new Exchange installation as part of a Windows Server 2008 domain.
We have three servers (Exchange, DC & Firewall).

In terms of the DCs, and servers roles, will it be best to make the Exchange box a member server and to share roles with the DC?

Should the ISA box also manage roles, or only be joined to the domain?
Asked by Rupert Eghardt
 
Busbar (Solutions Architect) commented:
1- Exchange should be separated on its box.
2- TMG could be joined to the domain.
 
bcrosby007 commented:
As a matter of practice, you never want your Exchange server to also be a domain controller. Let the Exchange server just worry about Exchange. Same thing for the ISA box. It's not supported to run AD on it.
It would be smart to have another domain controller though, so that you have multiple copies of your AD database as well as a global catalog for the Exchange server...
 
Tasmant commented:
Exchange and ISA should be members of the domain only, with no other roles than what they are for.
DCs should be only DC, DNS, and maybe DHCP.
 
Sigurdur Haraldsson (System Administrator) commented:
I agree with the others.

I noticed that you posted this to Exchange 2007. Is there any reason you're not installing Exchange 2010? I suggest you go that way rather than the 2007.
 
tigermatt commented:

If you ONLY have three servers to play with, then my recommendation is to consider virtualisation technology OR installing Exchange on a Domain Controller.

Why?

Any Active Directory environment put into production should be using AT LEAST two Domain Controllers. Active Directory holds the entire configuration for the company and is the critical backbone required for any IT services to function, so having at least two servers as DCs ensures one can be taken out of service for maintenance without adversely affecting the network. If one fails hard, having a redundant box means the network can carry on working while you fix the problems. Having just one DC means EVERYTHING will fail if that box goes down, requiring you to both fix the hardware (or source new hardware), restore AD from a backup and do all that knowing that the company is potentially losing money all the time their IT services are down.

Your Forefront TMG cannot be installed on the same server as a Domain Controller (ref: http://technet.microsoft.com/en-us/library/ee796231.aspx) so there are no two ways about it, that MUST be a member server. If the Forefront TMG is to be a physical server, that only leaves you two physical boxes with which to build the Active Directory domain and Exchange environments.

Your redundant DCs need to be on separate hardware, otherwise you gain little by having two of them. So, in this scenario there are two options:
1. Make both servers Domain Controllers, and then install Exchange on one of them. Although this is not a recommended configuration, it is by all means supported.
2. Install a hypervisor solution, such as Hyper-V or VMware ESX/ESXi, on one of the servers, and build two Server 2008 R2 virtual machines: one a Domain Controller, the other an Exchange Server. This is my preferred configuration, because it means you have two DCs on isolated hardware but you also have the Exchange box installed in its own virtual member server.
Of course, there are other alternatives. You could use Hyper-V and virtualise two Virtual Machines - a DC and a Forefront TMG server - on the same physical box, leaving two physical servers, one to act as a DC and one to run Exchange. There's nothing stopping you doing that, but you need to make sure you properly configure the networking in the virtual environment so that TMG is networked correctly.

Making Exchange a DC is not a preferred configuration because it causes complications should you ever need to recover a failed server from backup. However, given a choice between one DC and one Exchange member server, or two DC but Exchange on a DC, I would opt for the latter every time. Active Directory is the most important role on the network, so you want to ensure redundancy for that role at all costs.

-Matt
 
Rupert Eghardt (Programmer, Author) commented:
Hi Everyone,

Thanks for the prompt responses, much appreciated.
We are using Exchange 2007, as this is the licensed version. I've been quite happy with the performance and stability of Exchange 2007 in general.
Sighar, any specific reason why you suggested 2010 instead?

What I can gather from the above info, I think the best scenario will be to:
Set up a single DC, make ISA and Exchange members of the domain ONLY, and get another entry-level PC to host a copy of the GC and AD. I personally don't like playing around with PCs in a server environment, but to ONLY "backup" the domain structure - I am sure this could work?
 
Busbar (Solutions Architect) commented:
fine by me
 
bcrosby007 commented:
That would work. 2K10 is the newest version of Exchange, so there is better I/O. Personally, I am sticking with 2007 for a while longer.
 
tigermatt commented:

That would certainly work - but my experience of using PCs as servers is less than optimal. You have to remember that the entry-level PC wouldn't just be a backup which was called upon as needed, but would be actively serving clients, Exchange requests, authentications, DNS lookups etc., just like the "main" DC installed on server-grade hardware. If I were doing that, I'd certainly ensure the PC had a RAID configuration if nothing else.

My recommendation - if your server hardware can support it - would still be to configure one server as a virtual host, running two VMs - one DC, one Exchange. If you have the licenses for Server 2008 R2, then you have Hyper-V already, and most server-grade CPUs from the last couple of years support hypervisor technology. If you don't have the licenses, you could use Hyper-V Free Server (www.microsoft.com/hyper-v-server/) which means that you only need one net additional license to build two VMs, maintain isolated DC/Exchange and still have it all on server grade kit.

It really depends on your requirements, the budget etc. We run most of our environment on Hyper-V now though, and my home environment runs on it too; I can vouch that it is incredibly stable and easy to configure!

-Matt
 
Rupert Eghardt (Programmer, Author) commented:
While we are on the DC subject, is it advised to put an antivirus client on the main DC server?
I was thinking of installing the AV management server on the main DC, but realize that the web management functionality / IIS may cause some issues with the DC.

mmm, I guess I need a server for this as well ... as I would prefer not to put this on the Exchange box.
Perhaps the ISA box would work?
 
tigermatt commented:
From a strictly security perspective, no - nothing else should be installed on DCs other than the DC role.

However, money doesn't grow on trees, and so sometimes you have to compromise, particularly when it's a smaller network. :) AV isn't exactly taxing software and IIS on a DC isn't a MAJOR issue when used internally on smaller networks. Just make sure you document what you do for disaster recovery purposes.

As long as the AV product isn't anything Symantec-related, in this case I would probably install it on the DC rather than the Exchange box as you already mentioned. I wouldn't put it on the Forefront TMG because I doubt it's rated for installation on that box, and in any event, that's your firewall, so you don't want a third-party product causing issues with your protection or increasing your attack surface.

-Matt
 
Rupert Eghardt (Programmer, Author) commented:
What roles would you delegate to the secondary DC, in this case PC box?
 
tigermatt commented:

If it's a PC box then I'd install just the minimum required: dcpromo it to a domain controller, make it a Global Catalog server and install DNS so there is a replica of your DNS zones present. You could possibly install DHCP too, if you want redundancy for that service, but make sure the scopes are split such that each DHCP server hands out a different range of IP addresses.

-Matt
 
bcrosby007 commented:
I would leave all FSMO roles on your best DC. Just have AD installed and also make it a GC server.
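The following is an added worked example in PowerShell of what tigermatt and bcrosby007 describe above; it is not code from this thread or from any of the posters. It promotes the second box as a replica DC with DNS and Global Catalog through a dcpromo unattend file, then checks after the reboot that the new box advertises as a GC and that all five FSMO roles stayed on the primary DC, and finally sets up a split DHCP scope so the two servers never lease the same addresses. The domain name corp.example.com, the host names DC1 and DC2, and the 10.0.0.0/24 subnet are assumed placeholders. The Get-ADDomainController step assumes the ActiveDirectory module (Server 2008 R2 or RSAT); the netdom, dsquery, dcdiag, repadmin and netsh commands are the legacy tools present on Server 2008 as well.

```powershell
# Added example, not from the original thread. Assumed placeholders:
# domain corp.example.com, existing DC "DC1" (keeps all FSMO roles),
# new DC "DC2" (the entry-level box), LAN 10.0.0.0/24. Run as a Domain Admin.
$DomainFqdn = 'corp.example.com'
$PrimaryDc  = 'DC1'
$NewDc      = 'DC2'

# ---- 1. Promote DC2 as a replica DC with DNS and Global Catalog ------------
# dcpromo unattend answer file (Server 2008 / 2008 R2 [DCInstall] syntax).
# Password=* makes dcpromo prompt for the account password instead of
# storing it; replace the DSRM password and delete the file after promotion.
$unattend = @"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=$DomainFqdn
SiteName=Default-First-Site-Name
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=$DomainFqdn
UserName=Administrator
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=REPLACE-WITH-DSRM-PASSWORD
RebootOnCompletion=Yes
"@
$answerFile = 'C:\dcpromo-replica.txt'
Set-Content -Path $answerFile -Value $unattend -Encoding ASCII

# Run this on the future DC2; the box reboots when promotion finishes.
# Left commented out so the script does not promote a box by accident.
# dcpromo /unattend:$answerFile

# ---- 2. After the reboot: is DC2 a GC, and did the FSMO roles stay on DC1? --
# Version-independent checks (work on Server 2008 without the AD module):
netdom query fsmo                 # all five roles should list DC1
dsquery server -isgc              # DC2 must appear once it advertises as GC
dcdiag /s:$NewDc /test:Advertising /test:DNS
repadmin /replsummary             # no replication failures between DC1 and DC2

# Same checks via the ActiveDirectory module (Server 2008 R2 / RSAT):
Import-Module ActiveDirectory
$dcs = Get-ADDomainController -Filter * |
       Select-Object Name, IPv4Address, IsGlobalCatalog, OperationMasterRoles
$dcs | Format-Table -AutoSize

$new = $dcs | Where-Object { $_.Name -eq $NewDc }
if (-not $new.IsGlobalCatalog) {
    Write-Warning "$NewDc is not (yet) a Global Catalog; check dcdiag /test:Advertising"
}
if ($new.OperationMasterRoles.Count -gt 0) {
    Write-Warning "$NewDc holds FSMO roles: $($new.OperationMasterRoles -join ', ')"
}

# ---- 3. Optional DHCP redundancy with a split scope -------------------------
# Both DCs define the same scope and lease range; each one excludes the
# part the other hands out (80/20 split), so no two servers offer one IP.
$scope = '10.0.0.0'
$mask  = '255.255.255.0'
foreach ($srv in $PrimaryDc, $NewDc) {
    netsh dhcp server \\$srv add scope $scope $mask "LAN" "Split scope"
    netsh dhcp server \\$srv scope $scope add iprange 10.0.0.100 10.0.0.199
    netsh dhcp server \\$srv scope $scope set state 1
}
# DC1 serves .100-.179, DC2 serves .180-.199
netsh dhcp server \\$PrimaryDc scope $scope add excluderange 10.0.0.180 10.0.0.199
netsh dhcp server \\$NewDc     scope $scope add excluderange 10.0.0.100 10.0.0.179
```

Two practitioner notes on this. The dcpromo line is deliberately commented out so that running the script does not promote a machine by accident; copy the answer file to the box and run it there. And once the entry-level PC is a DC it holds a complete copy of ntds.dit (every password hash in the domain), so it needs the same physical and access controls as the main DC, not the looser handling a "backup box" tends to get.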
 
Rupert Eghardt (Programmer, Author) commented:
Thanks Everyone!