AD Design for Exchange Server (Single Server, no Edge Server Role) and LAN!!
Hi all,

I have a confusing AD deployment plan, since I have no experience with it. Right now my company's internal LAN is workgroup based, and we want to change to domain based for central management of the AD with a DFS server using ... but we also want an Exchange Server 2007 (a single server only, with no Edge Server role, but serving over five domains; that is, the server must be able to use one AD and host over five other domains that need to send and receive e-mail) on a SonicWALL TZ190's public DMZ (we plan not to use private IPs, since using Layer 2 looks easy to deploy: just give the server a public IP).

I am wondering whether I can make the internal LAN independent of the Exchange AD; for example, treat the domain-based LAN the same as a workgroup, and make the mail server in the DMZ a standalone AD, like a 3rd-party hosted Exchange server would be. Does this work? If yes, how do I design such an AD for the LAN and for the Exchange server? If not, how do I build the LAN AD and Exchange from zero in the above case using a public-IP-based DMZ? Or must the DMZ use private IPs?

And for the LAN's domain, is it better to use the same name as the public domain or a different one? For example:

If the same as the public domain, use xxxxcorp.com on the LAN AD (using xxxxcorp.com on Exchange in the DMZ with a public IP),
or, if not the same as the public domain, use xxxxcorp.local on the LAN AD (using xxxxcorp.com on Exchange in the DMZ with a public IP),
or use another unroutable (not registered) domain like mydomain.com on the LAN AD (using xxxxcorp.com on Exchange in the DMZ with a public IP).

P.S. We have a 3rd-party DNS server outside our company hosting the service for the mail server and web server. We already have the following registered public domains ...

1. xxxxcorp.com (for the Exchange Server AD)
2. x1.com
3. x2.com
4. x3.com
5. x4.com

Thank you to anyone who can teach this newbie; AD easily leaves a newcomer confused about the design. (I have experience deploying non-AD Internet applications with IIS, Apache, hMailServer/MDomain Server and public DNS (not AD DNS, using public IPs) etc.)
February 16th, 2008 5:39am

Whatever you do, do not put your Exchange 2007 Server roles Hub Transport, Client Access, Mailbox or Unified Messaging in the DMZ. The only role suited for DMZ placement is the Edge Transport role.

Internet (No Roles) | DMZ (Edge Transport) | LAN (Hub Transport, Client Access, Mailbox, Unified Messaging)

You can deploy Exchange 2007 without the Edge Transport, but this does not alter the recommended placement of the roles. If you are building a corporate network from scratch (it seems that way, since all your computers are in a Workgroup and not a Domain) then I'd recommend you really have a look at ISA 2006 as your Firewall/Reverse Proxy in your infrastructure.

In regards to Active Directory design, you should be fine with one Forest and one Domain. The name you choose for your internal domain name is really up to one's own taste. Some like intra.xxxxcorp.com, some like xxxxcorp.com and some xxxxcorp.local. All work just fine.

Take a look at enabling Hub Transport for Internet connectivity here: How to Enable Anti-Spam Functionality on a Hub Transport Server

I'd guess that one solution would be to point all 5 domain names' MX records to your external firewall and port forward this to the internal IP address of your Hub Transport.

Don't forget to take a look at the Hosted Services at Microsoft. There might be some extra value to your company there: Microsoft Exchange Hosted Services
February 16th, 2008 11:25am

Jesper Bernle, thank you. But there is one thing: my LAN has a domain already, it is abc.local .... I just said to think of it as a Workgroup because I want the Exchange Server to work like a standalone server, not integrated with abc.local ... So I am feeling confused about the AD design. I have experience deploying mail servers like hMailServer standalone etc. that do not need AD ...

Plus, the Edge Server role is impossible for my company now, since there is no money, and we will not use ISA Server, since we chose the SonicWALL firewall ..., so if I still use Exchange Server 2007, does it mean I can use multiple DNS namespaces that are not integrated together into one forest? I don't want the Internet to be able to access abc.local, I just want to deploy a standalone mail server ... I can accept managing two ADs, like the LAN's private abc.local having its own user accounts, and the Exchange Server using other AD user accounts etc. Not integrated into one forest; will this work? The xxxcorp.com used by the Exchange Server would be a standalone new AD forest .... so the LAN people are just like users of a 3rd-party mail server that is not hosted in the company; does this way work?

If so, where should the Exchange Server be placed (a private IP DMZ (like 10.0.1.x) OR still following your suggestion, give it the same IP range as the LAN like 192.168.1.x and place it in the LAN?)

Thank you very much,
February 17th, 2008 5:12pm

I ask about the DMZ IP or LAN IP address because I am thinking of security reasons .. Our SonicWALL TZ190 can make the DMZ use private IPs, like 10.0.1.x etc., and now our LAN is using 192.168.1.x etc. IPs. If I place the standalone Exchange Server using the same LAN IP range like 192.168.1.x, and the server gets attacked by a hacker, then, being in the same LAN zone, it can access our LAN's non-password shares (yes, we have a private AD here like abc.local ...... but we also have some other non-mission servers for not too important shares that need no password, on some old XP Home machines), right? That is why I plan to place the Exchange Server in the DMZ (no Edge Server role) as in the post that started this thread ...

If I change from a public-IP-based to a private-IP-based DMZ, what is the difference? Now I am considering your suggestion to place it in the LAN, just worrying about what will happen if it gets broken into while it is in the same LAN IP zone.

Sorry for so many questions and my poor knowledge. 10000x thank you again.
February 17th, 2008 5:28pm

It is of course perfectly OK to deploy a second Forest and install Exchange into that Forest/Domain. It's not optimal in any way, but technically it can be done if one wishes such a deployment. Read more here: Deploying an Exchange Resource Forest (Part 1), Deploying an Exchange Resource Forest (Part 2)

Of course security is a big concern to all of us, but the normal way (or most usual, I should say) is to deploy the Exchange Organisation within your internal Windows Forest/Domain. What issues do you see that make you feel uncomfortable with this type of deployment scenario?

One big difference between private IPs and public IPs is that private IPs are not routable on the Internet, making them less hackable (if you defend yourself correctly against Source Routing, that is).
February 17th, 2008 9:09pm

Jesper Bernle, thank you.

"What issues do you see that make you feel uncomfortable with this type of deployment scenario?"

It is because I am new to AD, and on the LAN side there are just two servers; they will mainly be used as a File Server with Domain-Based DFS and SQL Server ... The File Server has important data on it, so for security reasons I don't want the Exchange Server integrated with the LAN's AD. That is why I am thinking of doing two independent ADs, one for the LAN only, and one for the mail server, like Split DNS ... So if my LAN AD's two servers go down or something goes wrong, it will not affect the mail server's AD ... and if the mail server gets hacked, they also cannot use that AD account to log in to the internal LAN AD File Server ...

One question: if the internal AD uses an unregistered domain, like xxx.com, will it still work in this case with no problems (LAN AD and mail AD independent)?

Thank you very much for your time.
February 18th, 2008 6:26am

And the other thing is about the IP. Many suggest not deploying Exchange (Hub, Mail, UM roles etc.) in the DMZ, only deploying the Edge Server role in the DMZ. But for an SME in Hong Kong like my company, buying two tower servers for the LAN is expensive, and we need to buy one more to be the mail server ... So this mail server will be only one server, with no Edge Server role.

If, as in the general network design, I place it in the internal LAN (our LAN uses IPs 192.168.1.X), then that means also using 192.168.1.X on the mail server if it is not moved to the DMZ (public IP or 10.0.0.X). If someone can bypass the firewall (SonicWALL) or NAT and hack the Exchange Server, then on the same LAN IP range they can use the same internal AD user account or IP to log in to my network's File Server or workstations that host some non-password shares on XP Home machines etc. ...

That is why, while starting, I kept thinking and thinking and then got confused about the AD, since it is integrated with DNS ... not like a Linux-based standalone network or a non-domain one ..

Thx
February 18th, 2008 6:32am

Okay, so here is my recommendation for your company: If I understand you correctly you already have an internal domain based on Active Directory, right?

Buy 1 new 64-bit compatible server and configure it with RAID 5 for your Exchange databases (the most balanced solution in regards to financial cost and performance) and 2 sets of RAID 1 for the System Partition & Transaction Logs. If you can take the cost, I also suggest you take a look at LCR to minimize recovery times in the case of a Disaster Recovery scenario. This also minimizes backup performance hits on the production database, since 3rd-party backup applications can take backups of your LCR copy instead of your live production database.

On your server install CAS, HUB & Mailbox and configure it following: Configuring Exchange 2007 Hub Transport role to receive Internet mail

For minimized cost you should deploy your Exchange Servers into your existing domain (Forest). There is no real security win in deploying Exchange in an extra (Resource) Forest. And also: never ever put any Exchange Server in the DMZ unless it's the Edge Transport role.
February 18th, 2008 12:43pm

Jesper Bernle, 1000x thank you. You made it clear to me how to do the deployment step by step.

But if in the future my company has the money to buy one more server, make it an Edge Server role and place it in the DMZ, then what IP is generally used in this DMZ? A public IP or a private IP like 10.0.0.X? Plus, can entry-level hardware be an Edge Server role?

My company does not have enough money to deploy the RAID-5 with 2 sets of RAID-1; before this I just planned to buy an HP ML350 G5 rack version with a quad-core entry-level 1.6GHz Xeon plus 3GB RAM in one box with TWO 250GB HDDs running RAID-1 ... The mail server just needs to serve about 20 - 40 people, and each day just needs to process about 200 - 500 e-mails ... For an SME in Hong Kong, deploying a mail server based on the Microsoft platform like Exchange for 20 - 30 people will cost over HKD 40,000; it is not a small price for an SME.

And one more question. Your suggestion is RAID-5 (needs at least 3 HDDs) for the database, plus 2 sets of RAID-1 (2 HDDs); do the 2 sets of RAID-1 mean using 4 HDDs in total, making it RAID-1 (OS) + RAID-1 (mail log)? If yes, then it needs 2 + 2 + 3 HDDs in total, which is very expensive ... since I just helped the company buy two HP ML350 G5s for the internal AD with DFS and SQL usage... A 250GB SATA hot-swap HDD from HP costs HKD 1,000. For Exchange, are two HDDs running RAID-1 (with one more HDD added as hot spare) with the OS and Exchange not a good choice?

Thank you for your time and kind answer.
February 18th, 2008 6:42pm

With the limited traffic that you will have, an entry-level server with Edge Transport will probably do fine. I'd recommend you to have NAT IPs in your DMZ.

When talking disk setup, the basic thing to know is that databases love read performance and transaction logs want write performance. That's the logic behind choosing what RAID level to use. Optimal is to have everything on RAID-10, but that is generally too expensive for most customers since that involves a lot of disks. RAID-5 is a typical low-budget version often seen in Small Business Servers. The general recommendation from Microsoft is RAID-1 for everything (System, Application (Exchange binaries), Transaction Logs) and RAID-10 for databases. But as we all know, we will have to make do with the resources (budget) at hand.
February 18th, 2008 7:14pm

Jesper Bernle, thank you very much. From now on I am thinking of putting all the mail server roles on one box and placing it in the LAN zone, using the same LAN IP range. Plus, using xxxx.com for the internal and external AD domain for integration, as you suggest, is the simple way to go. The storage will use RAID-1 with a hot spare (3 HDDs); it is the maximum my company can afford at the price of now.

Sorry, one more question. Is the NAT IP the same as the DMZ using a private IP like 192.168.3.X? So that giving the NIC of the Edge Server role that we deploy in the future a NAT IP is OK.

1000x thank you again.
February 18th, 2008 8:03pm

First read this: Deployment Options for Edge Transport Servers then this: http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=2855360&SiteID=17 Hope things clear up for you.
February 18th, 2008 11:21pm

Jesper Bernle, thank you.

Can you help me check the network diagram below that I drew, and see whether the total design is correct? (Please see the attached image; if not, go here to view it: http://www.hkpcd.org/NetworkDiagram.jpg)

The key point in this is the external DNS (for example GoDaddy.com). It has the A & MX records pointing to the external side of the firewall; in this diagram, it is the external IP. Then on the firewall, make a NAT forward to the internal LAN's Exchange Server; in this diagram, it is 192.168.1.191. Then everything will work safely and simply, right?

One more question: in this design, does it mean all users just need to use mycorp.com to access the File Server (DFS) and the mail? If so, then very strong passwords are needed, otherwise others from outside can access the File Server?

And in this case design, the LAN's workstations will be using IP 192.168.1.191 (mail.mycorp.com), not the external IP; will this cause problems? Since the LAN's ad01.mycorp.com is also a DNS server on the LAN, each workstation uses it to resolve DNS names. So externally, clients will see the external IP address, but in my case, all LAN clients will see the mail server as 192.168.1.191, not 125.215.149.37 ...

1000x thank you.
February 19th, 2008 7:11pm
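The split-DNS arrangement described in the post above (public DNS points the MX records of every hosted domain at the firewall's external IP, while LAN clients resolve mail.mycorp.com to the NAT'd internal address) can be sanity-checked offline. The Python below is an added example, not part of the thread; the zone data is constructed from the names and addresses the poster mentions, and the address of ad01.mycorp.com is assumed.

```python
import ipaddress

# Constructed zone views for the design in the thread (not real zone files).
# Keys are (owner name, record type); values are the record targets.
INTERNAL_VIEW = {                       # what LAN clients get from ad01.mycorp.com
    ("mail.mycorp.com", "A"): ["192.168.1.191"],
    ("ad01.mycorp.com", "A"): ["192.168.1.10"],   # assumed DC address
}
EXTERNAL_VIEW = {                       # what the public DNS host publishes
    ("mail.mycorp.com", "A"): ["125.215.149.37"],
    ("mycorp.com", "MX"): ["mail.mycorp.com"],
    ("x1.com", "MX"): ["mail.mycorp.com"],
    ("x2.com", "MX"): ["mail.mycorp.com"],
    ("x3.com", "MX"): ["mail.mycorp.com"],
    ("x4.com", "MX"): ["mail.mycorp.com"],
}
HOSTED_DOMAINS = ["mycorp.com", "x1.com", "x2.com", "x3.com", "x4.com"]


def resolve_mx_targets(view, domain):
    """Return the A records of every MX host of `domain` in the given view."""
    addrs = []
    for mx_host in view.get((domain, "MX"), []):
        addrs.extend(view.get((mx_host, "A"), []))
    return addrs


def check_split_dns(internal, external, hosted, mail_host):
    """Return a list of findings; an empty list means the two views are consistent."""
    findings = []
    # 1. The public view must never leak an RFC 1918 address.
    for (name, rrtype), targets in external.items():
        for t in targets:
            if rrtype == "A" and ipaddress.ip_address(t).is_private:
                findings.append(f"private address {t} published for {name}")
    # 2. Every hosted domain needs an MX that resolves in the public view,
    #    otherwise Internet senders cannot reach the firewall's external IP.
    for domain in hosted:
        if not resolve_mx_targets(external, domain):
            findings.append(f"no resolvable MX for {domain} in external view")
    # 3. LAN clients must be handed the LAN address, not the NAT'd public one,
    #    or their traffic would have to hairpin through the firewall.
    for t in internal.get((mail_host, "A"), []):
        if not ipaddress.ip_address(t).is_private:
            findings.append(f"internal view gives public {t} for {mail_host}")
    return findings


if __name__ == "__main__":
    print(check_split_dns(INTERNAL_VIEW, EXTERNAL_VIEW, HOSTED_DOMAINS, "mail.mycorp.com") or "OK")
```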

And in this case, the Exchange Server is joined to the mycorp.com domain while installing, right? No need to make it a DC while installing? Since the LAN already has two DCs, ad01.mycorp.com and ad02.mycorp.com, making the Exchange Server a DC looks unnecessary, so I make it join the domain....
February 19th, 2008 8:08pm

It looks like a normal design and should work great for you. Just don't forget about AntiVirus and AntiSpam :-)
February 22nd, 2008 5:34pm

You're right. Since you already have redundant DCs you really shouldn't make the Exchange Server a DC. Leave it as a member server.
February 22nd, 2008 5:36pm

Jesper, thank you very much for your kind help and detailed URL links and information; it helped this newbie a lot. X1000 thank you.
February 25th, 2008 6:57pm

Happy to be able to assist you.
February 25th, 2008 7:12pm
