Re: DMZ server and access to AD / Logon server

From: Lasse Taul Bjerre (LasseTaulBjerre_at_discussions.microsoft.com)
Date: 10/20/04


Date: Wed, 20 Oct 2004 07:01:10 -0700

The old DC is not listed under DSACCESS on the Exchange Frontend. It is not
an “Exchange” issue, but a Windows issue.

If I type “echo %LOGONSERVER%” on the command prompt it shows one of the old
DC Servers.

I’ve tried moving the server out of the DMZ to the LAN, and here it picks up
the correct DC as logon server, but it switches back when it is moved back to
the DMZ.

I’ve already opened for ALL traffic between the involved servers.

Thanks anyway :)

Lasse

"Glenn L" wrote:

> I'm no exchange guru, but I know you can specify the domain controllers you
> want it to talk to on the DSACCESS tab of the server properties page.
> Perhaps the old ones are specified, or you could configure the new ones, and
> make sure you have host and lmhost entries for them.
>
> I suspect Exchange needs access to DNS to enumerate all the GC records
> before it will "discover" their existence.
> Maybe you could temporarily open up TCP port 53 and allow that discovery to
> take place, then close the hole, unplug the old DCs from the network and see
> what happens.
>
> --
> Glenn L
> CCNA, MCSE 2000, MCSE 2003 + Security
>
>
> "Lasse Taul Bjerre" <LasseTaulBjerre@discussions.microsoft.com> wrote in
> message news:46B3547B-1238-40DA-8628-7658E0D6630B@microsoft.com...
> > Hi,
> >
> > We are in the process of moving our system to 2003 from win2K.
> > I've moved my 2 Domain Controllers to 2 new 2003 servers, the 2 old win2K
> > Domain Controllers are still running, but all the roles are moved to the
> > new servers.
> >
> > The servers on LAN side use the new domain controllers as logon servers -
> > no problems.
> >
> > In a DMZ zone we have an Exchange 2003 FrontEnd. It works, but persists in
> > using the old Domain Controllers as logon servers.
> > Since the server in the DMZ cannot get the correct IP via DNS we use host
> > and lmhost files for that.
> >
> > I'm now planning to remove the old Win2K Domain Controllers, but can't
> > because of the DMZ server.
> >
> > To make sure there are no conflicting firewall rules, I've for test
> > purposes enabled all traffic between the DMZ (Exchange Frontend) and the
> > LAN side Exchange and the 2 Win2K3 Domain Controllers.
> >
> > Any good ideas why the DMZ server won't use the new Win2K3 Domain
> > Controllers?
> >
> > Lasse
>
>
>
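The DMZ host in this thread locates domain controllers through hosts and lmhosts files because it cannot use internal DNS, so the #DOM entries in its LMHOSTS file are one place to audit for retired DCs. The script below is an added example and not part of the original thread; it assumes the LMHOSTS syntax of the lmhosts.sam that Windows ships, and the sample file and DC names (OLDDC1, NEWDC1, ...) are constructed.

```python
"""Audit an LMHOSTS file for #DOM entries that point at retired domain controllers.
Added example, not from the original thread. Assumes the syntax of the lmhosts.sam
that Windows ships: <ip> <netbios-name> [#PRE] [#DOM:<domain>], other '#' = comment.
DC names and the sample file are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# '#PRE' and '#DOM:<domain>' are keywords; any other '#' token begins a comment.
_KEYWORD = re.compile(r"^#(PRE|DOM:\S+)$", re.IGNORECASE)

@dataclass
class LmhostsEntry:
    ip: str
    name: str              # NetBIOS name, upper-cased (lookups are case-insensitive)
    preload: bool          # #PRE: entry is loaded into the name cache at startup
    domain: Optional[str]  # #DOM:<domain>: host is a domain controller for <domain>

def parse_lmhosts(text: str) -> List[LmhostsEntry]:
    entries: List[LmhostsEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line, comment, or a directive such as #INCLUDE
        tokens = []
        for tok in line.split():
            if tok.startswith("#") and not _KEYWORD.match(tok):
                break  # trailing comment
            tokens.append(tok)
        if len(tokens) < 2:
            continue  # malformed line: needs at least an address and a name
        flags = [t.upper() for t in tokens[2:]]
        domain = next((f[len("#DOM:"):] for f in flags if f.startswith("#DOM:")), None)
        entries.append(LmhostsEntry(tokens[0], tokens[1].upper(), "#PRE" in flags, domain))
    return entries

def stale_dc_entries(text: str, current_dcs: Set[str]) -> List[str]:
    """Return the names of #DOM entries that are not among the current DCs."""
    wanted = {d.upper() for d in current_dcs}
    return [e.name for e in parse_lmhosts(text) if e.domain and e.name not in wanted]

# Constructed sample for a DMZ host that cannot reach internal DNS and still lists two old DCs.
SAMPLE_LMHOSTS = """\
10.0.0.11  OLDDC1   #PRE  #DOM:CORP   # Win2K DC scheduled for removal
10.0.0.12  OLDDC2   #PRE  #DOM:CORP
10.0.0.21  NEWDC1   #PRE  #DOM:CORP
10.0.0.31  EXCHBE1  #PRE               # back-end Exchange server, not a DC
"""
if __name__ == "__main__":
    print("stale DC entries:", stale_dc_entries(SAMPLE_LMHOSTS, {"NEWDC1", "NEWDC2"}))
```

Run it against the real %SystemRoot%\System32\drivers\etc\lmhosts on the DMZ host, passing the names of the DCs that should remain; any name it reports is an entry still steering the host toward a controller that is being decommissioned.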


