Solved

New Domain and Exchange Setup

Posted on 2011-02-23
544 Views
Last Modified: 2012-05-11
Hi Guys,

This is a general implementation question;

We are deploying a new Exchange installation as part of a Windows Server 2008 domain.
We have three servers (Exchange, DC & Firewall).

In terms of the DCs, and servers roles, will it be best to make the Exchange box a member server and to share roles with the DC?

Should the ISA box also manage roles, or only be joined to the domain?
0
Question by:Rupert Eghardt
15 Comments
 
LVL 33

Assisted Solution

by:Busbar
Busbar earned 100 total points
1- Exchange should be separate, on its own box.
2- TMG could be joined to the domain.
0
 
LVL 7

Assisted Solution

by:bcrosby007
bcrosby007 earned 100 total points
By practice, you never want your Exchange server to also be a domain controller. Let the Exchange server just worry about Exchange. Same thing for the ISA box. It's not supported to run AD on it.
It would be smart to have another domain controller though, so that you have multiple copies of your AD database as well as a global catalog for the Exchange server...
0
 
LVL 11

Expert Comment

by:Tasmant
Exchange and ISA should be members of the domain only, with no roles other than what they are for.
DCs should be only DC, DNS, and maybe DHCP.
0
 
LVL 11

Expert Comment

by:sighar
I agree with the others.

I noticed that you posted this to Exchange 2007. Is there any reason you're not installing Exchange 2010? I suggest you go that way rather than 2007.
0
 
LVL 58

Expert Comment

by:tigermatt

If you ONLY have three servers to play with, then my recommendation is to consider virtualisation technology OR installing Exchange on a Domain Controller.

Why?

Any Active Directory environment put into production should be using AT LEAST two Domain Controllers. Active Directory holds the entire configuration for the company and is the critical backbone required for any IT services to function, so having at least two servers as DCs ensures one can be taken out of service for maintenance without adversely affecting the network. If one fails hard, having a redundant box means the network can carry on working while you fix the problems. Having just one DC means EVERYTHING will fail if that box goes down, requiring you to both fix the hardware (or source new hardware), restore AD from a backup and do all that knowing that the company is potentially losing money all the time their IT services are down.

Your Forefront TMG cannot be installed on the same server as a Domain Controller (ref: http://technet.microsoft.com/en-us/library/ee796231.aspx) so there are no two ways about it, that MUST be a member server. If the Forefront TMG is to be a physical server, that only leaves you two physical boxes with which to build the Active Directory domain and Exchange environments.

Your redundant DCs need to be on separate hardware, otherwise you gain little by having two of them. So, in this scenario there are two options:
1. Make both servers Domain Controllers, and then install Exchange on one of them. Although this is not a recommended configuration, it is by all means supported.
2. Install a hypervisor solution, such as Hyper-V or VMware ESX/ESXi, on one of the servers, and build two Server 2008 R2 virtual machines: one a Domain Controller, the other an Exchange Server. This is my preferred configuration, because it means you have two DCs on isolated hardware but you also have the Exchange box installed in its own virtual member server.
Of course, there are other alternatives. You could use Hyper-V and virtualise two Virtual Machines - a DC and a Forefront TMG server - on the same physical box, leaving two physical servers, one to act as a DC and one to run Exchange. There's nothing stopping you doing that, but you need to make sure you properly configure the networking in the virtual environment so that TMG is networked correctly.

Making Exchange a DC is not a preferred configuration because it causes complications should you ever need to recover a failed server from backup. However, given a choice between one DC and one Exchange member server, or two DC but Exchange on a DC, I would opt for the latter every time. Active Directory is the most important role on the network, so you want to ensure redundancy for that role at all costs.

-Matt
0
 

Author Comment

by:Rupert Eghardt
Hi Everyone,

Thanks for the prompt responses, much appreciated.
We are using Exchange 2007, as this is the licensed version.  I've been quite happy with the performance and stability of Exchange 2007 in general.
Sighar, any specific reason why you suggested for 2010 instead?

What I can gather from the above info, I think the best scenario will be to:
Set up a single DC, make ISA and Exchange members of the domain ONLY, and get another entry-level PC to host a copy of the GC and AD.  I personally don't like playing around with PCs in a server environment, but to ONLY "backup" the domain structure - I am sure this could work?
0
 
LVL 33

Expert Comment

by:Busbar
fine by me
0
 
LVL 7

Expert Comment

by:bcrosby007
That would work. 2K10 is the newest version of Exchange, so there is better I/O. Personally, I am sticking with 2007 for a while longer.
0
 
LVL 58

Expert Comment

by:tigermatt

That would certainly work - but my experience of using PCs as servers is less than optimal. You have to remember that the entry-level PC wouldn't just be a backup which was called upon as needed, but would be actively serving clients, Exchange requests, authentications, DNS lookups etc. just like the "main" DC installed on server-grade hardware. If I were doing that, I'd certainly ensure the PC had a RAID configuration if nothing else.

My recommendation - if your server hardware can support it - would still be to configure one server as a virtual host, running two VMs - one DC, one Exchange. If you have the licenses for Server 2008 R2, then you have Hyper-V already, and most server-grade CPUs from the last couple of years support hypervisor technology. If you don't have the licenses, you could use Hyper-V Free Server (www.microsoft.com/hyper-v-server/) which means that you only need one net additional license to build two VMs, maintain isolated DC/Exchange and still have it all on server grade kit.

It really depends on your requirements, the budget etc. We run most of our environment on Hyper-V now though, and my home environment runs on it too; I can vouch that it is incredibly stable and easy to configure!

-Matt
0
 

Author Comment

by:Rupert Eghardt
While we are on the DC subject, is it advised to put an antivirus client on the main DC server?
I was thinking of installing the AV management server on the main DC, but realize that the web management functionality / IIS may cause some issues with the DC.

mmm, I guess I need a server for this as well ... as I would prefer not to put this on the Exchange box.
Perhaps the ISA box would work?
0
 
LVL 58

Expert Comment

by:tigermatt
From a strictly security perspective, no - nothing else should be installed on DCs other than the DC role.

However, money doesn't grow on trees, and so sometimes you have to compromise, particularly when it's a smaller network. :) AV isn't exactly taxing software and IIS on a DC isn't a MAJOR issue when used internally on smaller networks. Just make sure you document what you do for disaster recovery purposes.

As long as the AV product isn't anything Symantec-related, in this case I would probably install it on the DC rather than the Exchange box as you already mentioned. I wouldn't put it on the Forefront TMG because I doubt it's rated for installation on that box, and in any event, that's your firewall, so you don't want a third-party product causing issues with your protection or increasing your attack surface.

-Matt
0
 

Author Comment

by:Rupert Eghardt
What roles would you delegate to the secondary DC, in this case PC box?
0
 
LVL 58

Accepted Solution

by:tigermatt
tigermatt earned 300 total points

If it's a PC box then I'd install just the minimum required: dcpromo it to domain controller, make it a Global Catalog server and install DNS so there is a replica of your DNS zones present. You could possibly install DHCP too, if you want redundancy for that service, but make sure the scopes are split such that each DHCP server hands out a different range of IP addresses.

-Matt
0
 
LVL 7

Expert Comment

by:bcrosby007
I would leave all FSMO roles on your best DC. Just have AD installed and also make it a GC server.
0
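A way to verify the layout the accepted solution and the comment above describe (FSMO roles on the primary DC, the secondary DC as a GC, Exchange as a member server, and non-overlapping split DHCP scopes). This is an added audit script, not code from the thread; it assumes the RSAT ActiveDirectory module (Server 2008 R2 or later) and the hostnames `DC1.corp.example` and `EXCH1.corp.example`, which are placeholders.

```powershell
# Added example: audit the DC/Exchange role split recommended in the thread.
# Assumed names (placeholders, not from the thread):
$PrimaryDc   = 'DC1.corp.example'     # the "best" DC that should own all FSMO roles
$ExchangeSrv = 'EXCH1.corp.example'   # the Exchange server, expected to be a member server
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
# Forest-wide and domain-wide FSMO role holders, as FQDN strings
$fsmo = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# 1. Every FSMO role should sit on the primary DC, not the entry-level secondary
foreach ($role in $fsmo.Keys) {
    $holder = $fsmo[$role]
    $state  = if ($holder -ieq $PrimaryDc) { 'OK' } else { 'WARN: not on primary DC' }
    "{0,-22} {1,-25} {2}" -f $role, $holder, $state
}

# 2. Each DC should be a Global Catalog so Exchange can use whichever one is up
$dcs = Get-ADDomainController -Filter *
foreach ($dc in $dcs) {
    $state = if ($dc.IsGlobalCatalog) { 'GC' } else { 'WARN: not a Global Catalog' }
    "{0,-22} {1}" -f $dc.HostName, $state
}

# 3. Exchange must be a member server: its name must not appear among the DCs
if ($dcs.HostName -icontains $ExchangeSrv) { "WARN: $ExchangeSrv is a Domain Controller" }
else { "$ExchangeSrv is a member server: OK" }

# 4. Split DHCP scopes: the two servers' address ranges must not overlap.
#    Pure range check, so it works before the DHCP role is even installed.
function Test-ScopeOverlap {
    param([string]$Start1, [string]$End1, [string]$Start2, [string]$End2)
    $toInt = {
        param($ip)
        $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
        [Array]::Reverse($b)            # network order -> little-endian for ToUInt32
        [BitConverter]::ToUInt32($b, 0)
    }
    $s1 = & $toInt $Start1; $e1 = & $toInt $End1
    $s2 = & $toInt $Start2; $e2 = & $toInt $End2
    return (($s1 -le $e2) -and ($s2 -le $e1))   # $true means the ranges collide
}
# Constructed sample: an 80/20-style split of 192.168.10.0/24
Test-ScopeOverlap '192.168.10.10' '192.168.10.199' '192.168.10.200' '192.168.10.250'
```

Run it from an elevated PowerShell session on a domain member; a `WARN` line in sections 1-3, or `True` from the scope check, points at a deviation from the layout the thread recommends.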
 

Author Closing Comment

by:Rupert Eghardt
Thanks Everyone!
0
