[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Exchange 2010, and ADS on internet facing server.

Posted on 2011-09-03
3
Medium Priority
?
888 Views
Last Modified: 2013-11-16
I'm curious to know if there are any major risks involved in having a exchange 2010 server (win2k8r2) on a internet facing server, and running dcpromo on it so that AD objects are replicated on it.  It wouldn't be used as a secondary domain controller, but I do like being able to create a user within the exchange management console, and have the user created automatically on the DC.

In any case, my question and concern is:   Is it safe to run DCpromo on a member server that is facing the internet, but only on ports related to (HTTPS/HTTP/SMTP/secureIMAP/POP3S)?

If there are any good articles, blogs, or sites, please feel free to share. I would appreciate it.
0
Comment
Question by:metazend
  • 2
3 Comments
 
LVL 26

Accepted Solution

by:
Tony J earned 2000 total points
ID: 36478156
You wouldn't do that.

You would use an Exchange Edge Transport server.

These are designed to sit in the DMZ and as such are hardened copies of Exchange (it does this during install, when you pick the role).

It has a copy of LDS (Lightweight Directory Services) - what used to be known as ADAM - and this holds a ready only copy of AD objects.

They use this copy for things such as SMTP hygiene - does the email address exist, etc. This is where you'd also normally install antispam and antimalware. Or, in places where this is cost-prohibitive, I have not used Edge servers but have installed a free, downloadable appliance that you can install onto hardware or virtual machine called mailcleaner (www.mailcleaner.org). This sits in the DMZ and handles the SMTP hygiene and comes with antispam, antimalware and antivirus tools. It too can perform LDAP callouts but it looks back in at the domain for the information.

Putting a DC as an internet facing server is just begging for a world of pain. If it became compromised, you'd instantly have compromised your internal AD as well and all the objects and security within it.

0
 
LVL 26

Expert Comment

by:Tony J
ID: 36478159
Oh - one other thing, if this is because you're hardware constrained then stick a free hypervisor on it:

VMware, Citrix and Microsoft all do free versions.

That way you could have a new domain controller, and a mail hygiene solution of Edge Transport or alternative.
0
 

Author Closing Comment

by:metazend
ID: 36478190
Perfect, thank you.
0

Featured Post

Cyber Threats to Small Businesses (Part 1)

This past May, Webroot surveyed more than 600 IT decision-makers at medium-sized companies to see how these small businesses perceived new threats facing their organizations.  Read what Webroot CISO, Gary Hayslip, has to say about the survey in part 1 of this 2-part blog series.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Steps to fix “Unable to mount database. (hr=0x80004005, ec=1108)”.
This article will help to fix the below errors for MS Exchange Server 2016 I. Certificate error "name on the security certificate is invalid or does not match the name of the site" II. Out of Office not working III. Make Internal URLs and Externa…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question