Solved

Exchange 2010, and ADS on internet facing server.

Posted on 2011-09-03
3
872 Views
Last Modified: 2013-11-16
I'm curious to know if there are any major risks involved in having a exchange 2010 server (win2k8r2) on a internet facing server, and running dcpromo on it so that AD objects are replicated on it.  It wouldn't be used as a secondary domain controller, but I do like being able to create a user within the exchange management console, and have the user created automatically on the DC.

In any case, my question and concern is:   Is it safe to run DCpromo on a member server that is facing the internet, but only on ports related to (HTTPS/HTTP/SMTP/secureIMAP/POP3S)?

If there are any good articles, blogs, or sites, please feel free to share. I would appreciate it.
0
Comment
Question by:metazend
  • 2
3 Comments
 
LVL 25

Accepted Solution

by:
Tony Johncock earned 500 total points
ID: 36478156
You wouldn't do that.

You would use an Exchange Edge Transport server.

These are designed to sit in the DMZ and as such are hardened copies of Exchange (it does this during install, when you pick the role).

It has a copy of LDS (Lightweight Directory Services) - what used to be known as ADAM - and this holds a ready only copy of AD objects.

They use this copy for things such as SMTP hygiene - does the email address exist, etc. This is where you'd also normally install antispam and antimalware. Or, in places where this is cost-prohibitive, I have not used Edge servers but have installed a free, downloadable appliance that you can install onto hardware or virtual machine called mailcleaner (www.mailcleaner.org). This sits in the DMZ and handles the SMTP hygiene and comes with antispam, antimalware and antivirus tools. It too can perform LDAP callouts but it looks back in at the domain for the information.

Putting a DC as an internet facing server is just begging for a world of pain. If it became compromised, you'd instantly have compromised your internal AD as well and all the objects and security within it.

0
 
LVL 25

Expert Comment

by:Tony Johncock
ID: 36478159
Oh - one other thing, if this is because you're hardware constrained then stick a free hypervisor on it:

VMware, Citrix and Microsoft all do free versions.

That way you could have a new domain controller, and a mail hygiene solution of Edge Transport or alternative.
0
 

Author Closing Comment

by:metazend
ID: 36478190
Perfect, thank you.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

MS Outlook is a world-class email client application that is mainly used for e-communication globally.  In this article, we will discuss the basic idea about MS Outlook, its advanced features, and types of MS Outlook File formats.
In-place Upgrading Dirsync to Azure AD Connect
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question