RE: Problem with RPC over HTTP Tom's way

  • From: "William Lefkovics" <william@xxxxxxxxxxxxxxxxx>
  • To: "'[ExchangeList]'" <exchangelist@xxxxxxxxxxxxx>
  • Date: Mon, 17 Jan 2005 22:04:18 -0800

Danny recently compiled why on another list, so I'm going to borrow from his
post:

here is what Microsoft says about...
Running Exchange 2003 on a Domain Controller

http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3HighAvGuide/6115570d-9f61-47a0-bd73-419a89380fe3.mspx

As a best practice, you should not run Exchange 2003 on servers that also
function as Windows domain controllers. Instead, you should configure
Exchange servers and Windows domain controllers separately.

However, if your organization requires that you run Exchange 2003 on a
domain controller, consider the following limitations:

- If you run Exchange 2003 on a domain controller, it uses only that domain
controller. As a result, if the domain controller fails, Exchange cannot
fail over to another domain controller.

- If your Exchange servers also perform domain controller tasks in addition
to serving Exchange client computers, those servers may experience
performance degradation during heavy user loads.

- If you run Exchange 2003 on a domain controller, your Active Directory and
Exchange administrators may experience an overlap of security and disaster
recovery responsibilities.

- Exchange 2003 servers that are also domain controllers cannot be part of a
Windows cluster. Specifically, Exchange 2003 does not support clustered
Exchange 2003 servers that coexist with Active Directory servers. For
example, because Exchange administrators who can log on to the local server
have physical console access to the domain controller, they can potentially
elevate their permissions in Active Directory.

- If your server is the only domain controller in your messaging system, it
must also be a global catalog server.

- If you run Exchange 2003 on a domain controller, avoid using the /3GB
switch. If you use this switch, the Exchange cache may monopolize system
memory. Additionally, because the number of user connections should be low,
the /3GB switch should not be required.

- Because all services run under LocalSystem, there is a greater risk of
exposure if there is a security bug. For example, if Exchange 2003 is
running on a domain controller, an Active Directory bug that allows an
attacker to access Active Directory would also allow access to Exchange.

- A domain controller that is running Exchange 2003 takes a considerable
amount of time to restart or shut down (approximately 10 minutes or
longer). This is because services related to Active Directory (for example,
Lsass.exe) shut down before Exchange services, thereby causing Exchange
services to fail repeatedly while searching for Active Directory services.
One solution to this problem is to change the time-out for a failed service.
A second solution is to manually stop the Exchange services before you shut
down the server.

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Monday, January 17, 2005 8:16 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Problem with RPC over HTTP Tom's way

http://www.MSExchange.org/

Hi John,

Why shouldn't Exchange be installed on a DC? It's obvious why you should
install enterprise groupware on a network firewall, but what's the problem
with putting it on a DC, even without the SBS installation?

Thanks!
Tom 

-----Original Message-----
From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
Sent: Monday, January 17, 2005 7:13 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Problem with RPC over HTTP Tom's way

http://www.MSExchange.org/

It is highly recommended that Exchange, and SQL for that matter and other
such services including ISA, not be installed on a DC.

The recommendation part is for various reasons.

However, it is possible; otherwise there would be no such thing as SBS.

Tom is Tom Shinder, an ISA guru and creator of the document in question.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


> -----Original Message-----
> From: Michael B. Smith [mailto:michael@xxxxxxxxxx]
> Sent: Monday, January 17, 2005 4:31 PM
> To: [ExchangeList]
> Subject: [exchangelist] RE: Problem with RPC over HTTP Tom's way
> 
> http://www.MSExchange.org/
> 
> Sorry, I don't know who Tom is and I don't know which article you are 
> referring to.
> 
> That being said, while installing Exchange on a DC is not optimal, it 
> is supported, and it is pretty obvious that these instructions are 
> suggesting you do so. I'm guessing that that is part of the "single 
> server".
> 
> -----Original Message-----
> From: Andrew English [mailto:andrew@xxxxxxxxxxxxxxxxxxxxxx]
> Sent: Monday, January 17, 2005 6:49 PM
> To: [ExchangeList]
> Subject: [exchangelist] RE: Problem with RPC over HTTP Tom's way
> 
> http://www.MSExchange.org/
> 
> Here is what the section on in Tom's chapter says:
> 
> Because we are using a global catalog server as the Exchange back-end
> mailbox, we need to modify the registry setting on the Exchange Server.
> The step is always necessary when using a single Exchange Server
> installation.
> 
> 1. On Exchange server, start Registry Editor; click Start, click Run, 
> and enter regedit in the Open text box. Click OK.
> 
> 2. In the console tree, navigate to the following registry key:
> 
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
> 
> 3. Click Edit, click New, and then select Multi String value.
> 
> 4. Create a new value with the name NSPI interface protocol sequences
> 
> 5. Right-click the NSPI interface protocol sequences multi-string 
> value and choose Modify.
> 
> 6. In the Value data field, enter ncan_http:6004. Click OK.
> 
> ... Then there key to enter after this point.....
> 
> So if you are implying that the NTDS service is only a part of AD or the
> DC, why would Tom say that you have to modify this under Exchange when
> it's clear that Exchange SHOULD NOT BE INSTALLED ON A DC to begin with?
> 
> Andrew
> 
> 
> -----Original Message-----
> From: Michael B. Smith [mailto:michael@xxxxxxxxxx]
> Sent: Monday, January 17, 2005 6:30 PM
> To: [ExchangeList]
> Subject: [exchangelist] RE: Problem with RPC over HTTP Tom's way
> 
> http://www.MSExchange.org/
> 
> The NTDS service is A/D on the DC you are using (NT Directory Service 
> is what it means).
> 
> -----Original Message-----
> From: Andrew English [mailto:andrew@xxxxxxxxxxxxxxxxxxxxxx]
> Sent: Monday, January 17, 2005 5:25 PM
> To: [ExchangeList]
> Subject: [exchangelist] Problem with RPC over HTTP Tom's way
> 
> http://www.MSExchange.org/
> 
> 
> I am following Tom's "Secure RPC over HTTP Publishing - Single Server
> Configuration" guide and I am stuck at the point where he says on page
> 23 to navigate through the registry to:
> 
> HLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters on Exchange 
> Server 2003.
> 
> Anyhow I get to Services and there is no NTDS folder there, so I am 
> wondering if he meant NDIS instead?
> 
> Can anyone help me?
> 
> Andrew
> 
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
> Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
> Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 ISA Server Resource Site: http://www.isaserver.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this MSEXchange.org Discussion List as:
> michael@xxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
> Report abuse to listadmin@xxxxxxxxxxxxxx
> 
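The registry step quoted above (Tom's chapter, steps 2 to 6) is the kind of thing worth auditing before and after a change rather than typing by hand. The script below is an added example, not code from the thread or from Tom Shinder's chapter: it reports whether the NSPI value is present on the box (the NTDS key only exists on a domain controller, which is why the original poster could not find it) and, with -Fix, creates or extends the REG_MULTI_SZ value. The key path and value name come from the thread; the protocol sequence is spelled ncacn_http (the quoted step 6 has a typo), and running it as a local administrator on the Exchange 2003 / global catalog server is an assumption.

```powershell
# Added example, not code from the thread or from Tom Shinder's chapter.
# Audits (and with -Fix, creates) the REG_MULTI_SZ value that the quoted
# steps describe, on an Exchange 2003 server that is also a global catalog.
# Key path and value name are taken from the thread; the RPC protocol
# sequence is spelled ncacn_http (the quoted step 6 contains a typo).
# Assumes it is run as a local administrator on that server.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters',
    [string]$ValueName = 'NSPI interface protocol sequences',
    [string]$Expected  = 'ncacn_http:6004',
    [switch]$Fix
)

function Get-NspiStatus {
    # 'NotDomainController': the NTDS key only exists on a DC, which is exactly
    # why the original poster could not find it on a member server.
    if (-not (Test-Path -Path $KeyPath)) { return 'NotDomainController' }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Missing' }
    if (@($item.$ValueName) -contains $Expected) { return 'Present' }
    return 'Incomplete'   # value exists but lacks the ncacn_http:6004 entry
}

$status = Get-NspiStatus
Write-Host "$ValueName : $status"

# Nothing to do unless -Fix was given and the value is missing or incomplete.
if ((-not $Fix) -or ($status -in 'NotDomainController', 'Present')) { return }

if ($status -eq 'Missing') {
    # -WhatIf / -Confirm are honoured via ShouldProcess before touching the registry.
    if ($PSCmdlet.ShouldProcess($KeyPath, "Create $ValueName = $Expected")) {
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType MultiString `
            -Value @($Expected) | Out-Null
    }
} else {
    # Keep any entries an administrator already added; only append the missing one.
    $current = @((Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName)
    if ($PSCmdlet.ShouldProcess($KeyPath, "Append $Expected to $ValueName")) {
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Type MultiString `
            -Value ($current + $Expected)
    }
}
```

Run it without -Fix first to record the current state, then with -Fix -WhatIf to see what it would change before applying.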







