Solved

Exchange 2010, and ADS on internet facing server.

Posted on 2011-09-03
871 Views
Last Modified: 2013-11-16
I'm curious to know if there are any major risks involved in having an Exchange 2010 server (win2k8r2) on an internet-facing server, and running dcpromo on it so that AD objects are replicated on it. It wouldn't be used as a secondary domain controller, but I do like being able to create a user within the Exchange Management Console, and have the user created automatically on the DC.

In any case, my question and concern is: Is it safe to run DCpromo on a member server that is facing the internet, but only on ports related to (HTTPS/HTTP/SMTP/secureIMAP/POP3S)?

If there are any good articles, blogs, or sites, please feel free to share. I would appreciate it.
Question by: metazend

3 Comments

Accepted Solution

by: Tony Johncock (LVL 25), earned 500 total points
ID: 36478156
You wouldn't do that.

You would use an Exchange Edge Transport server.

These are designed to sit in the DMZ and as such are hardened copies of Exchange (it does this during install, when you pick the role).

It has a copy of LDS (Lightweight Directory Services) - what used to be known as ADAM - and this holds a read-only copy of AD objects.

They use this copy for things such as SMTP hygiene - does the email address exist, etc. This is where you'd also normally install antispam and antimalware. Or, in places where this is cost-prohibitive, I have not used Edge servers but have installed a free, downloadable appliance that you can install onto hardware or a virtual machine called mailcleaner (www.mailcleaner.org). This sits in the DMZ and handles the SMTP hygiene and comes with antispam, antimalware and antivirus tools. It too can perform LDAP callouts, but it looks back in at the domain for the information.

Putting a DC on an internet-facing server is just begging for a world of pain. If it became compromised, you'd instantly have compromised your internal AD as well, and all the objects and security within it.

Expert Comment

by: Tony Johncock (LVL 25)
ID: 36478159
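The accepted answer's point is that a domain controller bound to a routable interface puts the whole directory one compromise away, whereas the mail roles only need a handful of ports published from a non-DC host. The following audit script is an added example, not part of the original thread or of any Microsoft tooling: run in an elevated prompt on the candidate server, it reports the host's domain role and lists every directory-service port (Kerberos, LDAP/LDAPS, SMB, RPC, Global Catalog) that is listening on a non-loopback address, alongside the mail ports the question proposes to expose. It assumes PowerShell 2.0 or later (so it works on Windows Server 2008 R2), an English-language netstat, and that the port-to-service table below, which I constructed, matches your environment.

```powershell
# Added audit script (not from the original thread): does this box combine the
# domain controller role with directory-service listeners on a routable address?
# Assumptions: PowerShell 2.0+, netstat.exe with English output, run elevated.

# Directory-service ports that must never be reachable from the internet
# (table constructed for this example; adjust to your environment).
$adPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB / SYSVOL'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog (SSL)'
}

# The only ports the question proposes to publish (SMTP/HTTP/HTTPS/IMAPS/POP3S).
$mailPorts = @(25, 80, 443, 993, 995)

function Get-DomainRoleName {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $role = (Get-WmiObject Win32_ComputerSystem).DomainRole
    switch ($role) {
        0 { 'Standalone workstation' }
        1 { 'Member workstation' }
        2 { 'Standalone server' }
        3 { 'Member server' }
        4 { 'Backup domain controller' }
        5 { 'Primary domain controller' }
        default { "Unknown ($role)" }
    }
}

function Get-ListeningTcpPorts {
    # Parse 'netstat -ano' instead of Get-NetTCPConnection so this also runs on 2008 R2.
    # Lines look like: "  TCP    0.0.0.0:389    0.0.0.0:0    LISTENING    724"
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            New-Object PSObject -Property @{
                Address   = $matches[1]      # 0.0.0.0 / [::] mean every interface
                Port      = [int]$matches[2]
                ProcessId = [int]$matches[3]
            }
        }
    }
}

function Test-ExposedDirectoryPorts {
    $role = Get-DomainRoleName
    Write-Host "Domain role: $role"

    # Ignore loopback-only listeners; everything else is bound to a routable address.
    $listening = Get-ListeningTcpPorts | Where-Object { $_.Address -notmatch '^(127\.|\[::1\])' }

    $findings = @()
    foreach ($entry in $listening) {
        if ($adPorts.ContainsKey($entry.Port)) {
            $findings += New-Object PSObject -Property @{
                Port      = $entry.Port
                Service   = $adPorts[$entry.Port]
                Address   = $entry.Address
                ProcessId = $entry.ProcessId
            }
        }
    }

    if ($role -like '*domain controller*' -and $findings.Count -gt 0) {
        Write-Warning "This host is a domain controller with $($findings.Count) directory port(s) bound to non-loopback addresses."
        Write-Warning "Only the mail ports ($($mailPorts -join ', ')) belong on an internet-facing interface, and those should be published from a non-DC host such as an Edge Transport server."
    }

    $findings | Sort-Object Port | Format-Table Port, Service, Address, ProcessId -AutoSize
}

Test-ExposedDirectoryPorts
```

A listener on 0.0.0.0 is not the same as reachability from the internet, so treat this as a pre-dcpromo sanity check rather than proof of exposure: the host firewall and the perimeter rules decide what is actually published. The useful outcome is the combination it flags, a domain controller role plus directory ports bound on every interface, which is exactly the configuration the answer warns against and which an Edge Transport server (with its AD LDS read-only copy) avoids by design.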
Oh, one other thing: if this is because you're hardware-constrained, then stick a free hypervisor on it:

VMware, Citrix and Microsoft all do free versions.

That way you could have a new domain controller, and a mail hygiene solution of Edge Transport or alternative.
Author Closing Comment

by: metazend
ID: 36478190
Perfect, thank you.