Solved

Exchange 2010, and ADS on internet facing server.

Posted on 2011-09-03
3
875 Views
Last Modified: 2013-11-16
I'm curious to know if there are any major risks involved in having a exchange 2010 server (win2k8r2) on a internet facing server, and running dcpromo on it so that AD objects are replicated on it.  It wouldn't be used as a secondary domain controller, but I do like being able to create a user within the exchange management console, and have the user created automatically on the DC.

In any case, my question and concern is:   Is it safe to run DCpromo on a member server that is facing the internet, but only on ports related to (HTTPS/HTTP/SMTP/secureIMAP/POP3S)?

If there are any good articles, blogs, or sites, please feel free to share. I would appreciate it.
0
Comment
Question by:metazend
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 26

Accepted Solution

by:
Tony Johncock earned 500 total points
ID: 36478156
You wouldn't do that.

You would use an Exchange Edge Transport server.

These are designed to sit in the DMZ and as such are hardened copies of Exchange (it does this during install, when you pick the role).

It has a copy of LDS (Lightweight Directory Services) - what used to be known as ADAM - and this holds a ready only copy of AD objects.

They use this copy for things such as SMTP hygiene - does the email address exist, etc. This is where you'd also normally install antispam and antimalware. Or, in places where this is cost-prohibitive, I have not used Edge servers but have installed a free, downloadable appliance that you can install onto hardware or virtual machine called mailcleaner (www.mailcleaner.org). This sits in the DMZ and handles the SMTP hygiene and comes with antispam, antimalware and antivirus tools. It too can perform LDAP callouts but it looks back in at the domain for the information.

Putting a DC as an internet facing server is just begging for a world of pain. If it became compromised, you'd instantly have compromised your internal AD as well and all the objects and security within it.

0
 
LVL 26

Expert Comment

by:Tony Johncock
ID: 36478159
Oh - one other thing, if this is because you're hardware constrained then stick a free hypervisor on it:

VMware, Citrix and Microsoft all do free versions.

That way you could have a new domain controller, and a mail hygiene solution of Edge Transport or alternative.
0
 

Author Closing Comment

by:metazend
ID: 36478190
Perfect, thank you.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will help to fix the below errors for MS Exchange Server 2013 I. Certificate error "name on the security certificate is invalid or does not match the name of the site" II. Out of Office not working III. Make Internal URLs and Externa…
This article investigates the question of whether a computer can really be cleaned once it has been infected, and what the best ways of cleaning a computer might be (in this author's opinion).
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question