Re: DMZ server and access to AD / Logon server

From: Glenn L (the.only_at_gmail.com)
Date: 10/20/04


Date: Wed, 20 Oct 2004 04:02:14 -0700

I'm no Exchange guru, but I know you can specify the domain controllers you
want it to talk to on the DSACCESS tab of the server properties page.
Perhaps the old ones are specified, or you could configure the new ones, and
make sure you have host and lmhost entries for them.

I suspect Exchange needs access to DNS to enumerate all the GC records
before it will "discover" their existence.
Maybe you could temporarily open up TCP port 53 and allow that discovery to
take place, then close the hole, unplug the old DCs from the network and see
what happens.

-- 
Glenn L
CCNA, MCSE 2000, MCSE 2003 + Security
"Lasse Taul Bjerre" <LasseTaulBjerre@discussions.microsoft.com> wrote in
message news:46B3547B-1238-40DA-8628-7658E0D6630B@microsoft.com...
> Hi,
>
> We are in the process of moving our system to 2003 from win2K.
> I've moved my 2 Domain Controllers to 2 new 2003 servers, the 2 old win2K
> Domain Controllers are still running, but all the roles are moved to the new
> servers.
>
> The servers on LAN side use the new domain controllers as logon servers - no
> problems.
>
> In a DMZ zone we have an Exchange 2003 FrontEnd. It works, but persists to
> use the old Domain Controllers as logon servers.
> Since the server in the DMZ cannot get the correct IP via DNS we use host
> and lmhost files for that.
>
> I'm now planning to remove the old Win2K Domain Controllers, but can't
> because of the DMZ server.
>
> To make sure there are no conflicting firewall rules, I've for test purposes
> enabled all traffic between the DMZ (Exchange Frontend) and the LAN side
> Exchange and the 2 Win2K3 Domain Controllers.
>
> Any good ideas why the DMZ server won't use the new Win2K3 Domain Controllers?
>
> Lasse

