Hi William,

Good info, makes sense.

Thanks!
Tom

-----Original Message-----
From: William Lefkovics [mailto:william@xxxxxxxxxxxxxxxxx]
Sent: Tuesday, January 18, 2005 12:04 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Problem with RPC over HTTP Tom's way

http://www.MSExchange.org/

Danny recently compiled why on another list, so I'm going to borrow from his post: here is what Microsoft says about...

Running Exchange 2003 on a Domain Controller
http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3HighAvGuide/6115570d-9f61-47a0-bd73-419a89380fe3.mspx

As a best practice, you should not run Exchange 2003 on servers that also function as Windows domain controllers. Instead, you should configure Exchange servers and Windows domain controllers separately. However, if your organization requires that you run Exchange 2003 on a domain controller, consider the following limitations:

- If you run Exchange 2003 on a domain controller, it uses only that domain controller. As a result, if the domain controller fails, Exchange cannot fail over to another domain controller.
- If your Exchange servers also perform domain controller tasks in addition to serving Exchange client computers, those servers may experience performance degradation during heavy user loads.
- If you run Exchange 2003 on a domain controller, your Active Directory and Exchange administrators may experience an overlap of security and disaster recovery responsibilities.
- Exchange 2003 servers that are also domain controllers cannot be part of a Windows cluster. Specifically, Exchange 2003 does not support clustered Exchange 2003 servers that coexist with Active Directory servers. For example, because Exchange administrators who can log on to the local server have physical console access to the domain controller, they can potentially elevate their permissions in Active Directory.
- If your server is the only domain controller in your messaging system, it must also be a global catalog server.
- If you run Exchange 2003 on a domain controller, avoid using the /3GB switch. If you use this switch, the Exchange cache may monopolize system memory. Additionally, because the number of user connections should be low, the /3GB switch should not be required.
- Because all services run under LocalSystem, there is a greater risk of exposure if there is a security bug. For example, if Exchange 2003 is running on a domain controller, an Active Directory bug that allows an attacker to access Active Directory would also allow access to Exchange.
- A domain controller that is running Exchange 2003 takes a considerable amount of time to restart or shut down (approximately 10 minutes or longer). This is because services related to Active Directory (for example, Lsass.exe) shut down before Exchange services, thereby causing Exchange services to fail repeatedly while searching for Active Directory services. One solution to this problem is to change the time-out for a failed service. A second solution is to manually stop the Exchange services before you shut down the server.

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Monday, January 17, 2005 8:16 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Problem with RPC over HTTP Tom's way

Hi John,

Why shouldn't Exchange be installed on a DC? It's obvious why you should install enterprise groupware on a network firewall, but what's the problem with putting it on a DC, even without the SBS installation?

Thanks!
Tom

-----Original Message-----
From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
Sent: Monday, January 17, 2005 7:13 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Problem with RPC over HTTP Tom's way

It is highly recommended that Exchange, and SQL for that matter and other such services including ISA, not be installed on a DC. The recommendation part is for various reasons.
However, it is possible, otherwise there would be no such thing as SBS.

Tom is Tom Shinder, an ISA guru and creator of the document in question.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -----Original Message-----
> From: Michael B. Smith [mailto:michael@xxxxxxxxxx]
> Sent: Monday, January 17, 2005 4:31 PM
> To: [ExchangeList]
> Subject: [exchangelist] RE: Problem with RPC over HTTP Tom's way
>
> Sorry, I don't know who Tom is and I don't know which article you are
> referring to.
>
> That being said, while installing Exchange on a DC is not optimal, it
> is supported, and it is pretty obvious that these instructions are
> suggesting you do so. I'm guessing that that is part of the "single
> server".
>
> -----Original Message-----
> From: Andrew English [mailto:andrew@xxxxxxxxxxxxxxxxxxxxxx]
> Sent: Monday, January 17, 2005 6:49 PM
> To: [ExchangeList]
> Subject: [exchangelist] RE: Problem with RPC over HTTP Tom's way
>
> Here is what the section in Tom's chapter says:
>
> Because we are using global catalog server as the Exchange back-end
> mailbox, we need to modify the registry setting on the Exchange Server.
> The step is always necessary when using a single Exchange Server
> installation.
>
> 1. On Exchange server, start Registry Editor; click Start, click Run,
> and enter regedit in the Open text box. Click OK.
>
> 2. In the console tree, navigate to the following registry key:
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
>
> 3. Click Edit, click New, and then select Multi String value.
>
> 4. Create a new value with the name NSPI interface protocol sequences
>
> 5. Right-click the NSPI interface protocol sequences multi-string
> value and choose Modify.
>
> 6. In the Value data field, enter ncacn_http:6004. Click OK.
>
> ... Then there key to enter after this point.....
>
> So if you are implying that NTDS service is only a part of AD or the
> DC why would Tom say that you have to modify this under Exchange when
> it's clear that Exchange SHOULD NOT BE INSTALLED ON A DC to begin with?
>
> Andrew
>
> -----Original Message-----
> From: Michael B. Smith [mailto:michael@xxxxxxxxxx]
> Sent: Monday, January 17, 2005 6:30 PM
> To: [ExchangeList]
> Subject: [exchangelist] RE: Problem with RPC over HTTP Tom's way
>
> The NTDS service is A/D on the DC you are using (NT Directory Service
> is what it means).
>
> -----Original Message-----
> From: Andrew English [mailto:andrew@xxxxxxxxxxxxxxxxxxxxxx]
> Sent: Monday, January 17, 2005 5:25 PM
> To: [ExchangeList]
> Subject: [exchangelist] Problem with RPC over HTTP Tom's way
>
> I am following Tom's "Secure RPC over HTTP Publishing - Single Server
> Configuration" guide and I am stuck at the point where he says on page
> 23 to navigate through the registry to:
>
> HLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters on Exchange
> Server 2003.
>
> Anyhow I get to Services and there is no NTDS folder there, so I am
> wondering if he meant NDIS instead?
>
> Can anyone help me?
>
> Andrew
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
> Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
> Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 ISA Server Resource Site: http://www.isaserver.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this MSEXchange.org Discussion List as: michael@xxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
> Report abuse to listadmin@xxxxxxxxxxxxxx
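
The question in this thread turns on where the NTDS\Parameters key exists. As an added example (not from Tom's guide or from any poster), this PowerShell check reports whether the host is a domain controller, whether Exchange is co-located on it, and whether the NSPI value from the quoted steps is set. The -Apply switch and the output property names are assumptions of this example, and the value is written as ncacn_http:6004, the RPC-over-HTTP protocol sequence name.

```powershell
# Added example: audit (and optionally set) the NSPI registry value from the quoted steps.
# Run in an elevated PowerShell session on the server being checked.
param([switch]$Apply)   # hypothetical switch: without it the script only reports

$ntdsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName = 'NSPI interface protocol sequences'
$wanted    = 'ncacn_http:6004'

# ProductType is 'LanmanNT' on a domain controller, 'ServerNT' on a member server.
$productType = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ProductOptions').ProductType
$isDc        = $productType -eq 'LanmanNT'

# The NTDS service key is created when a server is promoted to a DC,
# which is why it is missing on a member server running Exchange.
$hasNtdsKey  = Test-Path $ntdsKey

# Exchange 2003 Information Store service; finding it on a DC is the
# co-location the Microsoft guidance quoted in this thread advises against.
$hasExchange = [bool](Get-Service -Name 'MSExchangeIS' -ErrorAction SilentlyContinue)

$current = @()
if ($hasNtdsKey) {
    $prop = Get-ItemProperty -Path $ntdsKey -Name $valueName -ErrorAction SilentlyContinue
    if ($prop) { $current = @($prop.$valueName) }
}
$configured = $current -contains $wanted

[pscustomobject]@{
    ProductType        = $productType
    IsDomainController = $isDc
    NtdsKeyPresent     = $hasNtdsKey
    ExchangeOnThisHost = $hasExchange
    ExchangeOnDc       = ($isDc -and $hasExchange)
    NspiSequences      = ($current -join ', ')
    NspiHttpConfigured = $configured
}

if (-not $hasNtdsKey) {
    Write-Warning 'No NTDS\Parameters key: this host is not a DC. Make the change on the global catalog server instead.'
}
elseif ($Apply -and -not $configured) {
    # Append rather than overwrite so existing protocol sequences are preserved.
    $new = @($current) + $wanted
    New-ItemProperty -Path $ntdsKey -Name $valueName -PropertyType MultiString -Value $new -Force | Out-Null
    Write-Output "Added $wanted to '$valueName'. Restart the server for the change to take effect."
}
```

Run without arguments, the script changes nothing; ExchangeOnDc = True flags the configuration the quoted Microsoft guidance lists limitations for.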