Exchange 2007 Latency Issues
I have Exchange 2007 fully patched running on 2003 Enterprise Server 64bit. I have 3 Domain Controllers all running 2003 Server. One of my external users is losing Exchange connectivity from Outlook when he is using RPC over HTTPs and when connected to the VPN. Outlook disconnects and then gives a message saying reconnecting to the Exchange server. I looked in his Microsoft Exchange Connection Status Window and I saw very high Avg Response times from the directory servers, 3000ms to 4000ms. The Exchange server itself only had a 300ms response time (the user was on the VPN during this test). I was also seeing a very high Req/Failure ratio. Approximately 3/2. This user is overseas which would explain the 300ms latency to the Exchange server. I wanted some numbers to compare it to try and narrow it down. On a LAN machine there were no failures for all the requests and the latency was under 10ms for Exchange and directory servers. On my machine at home running RPC over HTTPs I am seeing 100ms response times for Exchange and about 1000ms response times for the directory servers. 45/13 req/fail. The directory latency is the same no matter what DC they are connected to. Any ideas why my external performance to my directory servers would be like this? Is this normal? I can provide more info upon request. Thanks! Dave
December 8th, 2010 3:53pm

Maybe your internet connection plus the user's poor internet connection is causing the dropouts -- not much you can do.
http://mscrmblog.net Microsoft Certified Business Management Solutions Specialist, Microsoft Certified CRM Developer
December 8th, 2010 7:33pm

What type of WAN circuit do you currently have? Any reports from your ISP you can be provided on circuit CRC errors, uptime, load, etc.? Most ISPs will provide this if you have at least a T1 circuit. What latency is the user overseas seeing when not connecting with VPN but just RPC over HTTPs? I would also test by performing a continuous PING from his PC to your firewall to see if there are any drops and what the response times are.
MVP Exchange Server
December 8th, 2010 9:16pm

We have Optimum Lightpath fiber as our host. The test I did from home was over Cablevision business with RPC over HTTPS. My home is about 30 miles away. The average latency to Mail is about 130ms but the average latency to the directory is 1300ms. The overseas user tried both RPC over HTTPS and VPN connection. I noticed the same type of results either way for him. 300ms Exchange average and 3000ms directory average. The pattern seems to be that the directory response time is 10 times higher than the Exchange response time for any external user. Is this normal?
December 9th, 2010 8:38am

Anything over 200ms is considered high. Are you running Outlook in Cached Mode? Any firewalls between your Exchange Server and DC? A quick description of your LAN layout as it relates to DCs and Exchange and Firewall would be helpful. Have you also run ExBPA and Exchange Troubleshooting Assistant?
MVP Exchange Server
December 9th, 2010 8:42pm

We have a WatchGuard Firebox firewall with 7 ports on it. Our Exchange server is connected to the port which is the DMZ network. This network houses all servers that have external users coming into them. The firewall has rules that allow traffic between Exchange server and the domain controllers which reside on our LAN. All of these machines have private IPs through the Firebox's NAT. The Exchange server has very low ping times to the DCs. Do you need more info? I have diagrams but I don't really want to share these on the Internet.
December 10th, 2010 9:27am

Ok, that helps explain your setup. I assume the Exchange Server is a Front End Exchange Server in the DMZ? Can you clarify, please?
MVP Exchange Server
December 10th, 2010 1:30pm

One Exchange 2007 server with all the roles installed on it.
December 13th, 2010 11:20am

Ok, well I will be the first to point out that putting Exchange 2007 with all roles in a DMZ is not good practice. For this, you should install Exchange 2007 Edge Transport Server in the DMZ. If you do not want to do this, then put the Exchange 2007 w/all roles behind your firewall; this is secure and standard practice in this scenario. This is why you are having high latency issues with your Directory Servers: you have to punch so many holes in the firewall it actually makes things worse. You can google the preferred setup with Exchange 2007 and roles, but this is best practice. Link for your review: http://www.msexchange.org/articles_tutorials/exchange-server-2007/planning-architecture/uncovering-exchange-2007-edge-transport-server-part1.html
MVP Exchange Server
December 13th, 2010 7:28pm

How should I migrate from our current config to the best practice config?
December 15th, 2010 9:47am

Put your Exchange Server behind your Firewall (off your DMZ, unplug cable on your firewall from DMZ port to internal LAN port) and create necessary NAT/PAT rules (SMTP, HTTPS) to the internal IP of your Exchange Server. You should also verify TCP/IP settings of your Exchange Server to ensure they are correct; post them if you have questions.
MVP Exchange Server
December 15th, 2010 9:48pm

Oh ok this way it will just migrate the Exchange server to be internal. On the best practices I saw a config that had the edge transport role running in the DMZ and all the other roles running on the internal LAN. Which way do you recommend?
December 16th, 2010 9:10am

This really depends on whether an Edge Transport Server is something you require or wish to have. Exchange 2007 will run just fine without an Edge Transport Server and, in most installations, you will not see one installed. Typically you will see this in larger Exchange environments but it really depends on what features you require in your setup. From your postings, I would think an Edge Transport server is not required so you can move the Ex2007 behind your firewall and you will be good to go and very secure.
MVP Exchange Server
December 16th, 2010 11:33am

How will the Exchange server handle the IP change? It will be going from a 192.168.6.xx to our internal 192.168.1.xx subnet.
December 16th, 2010 1:28pm

It will handle it fine, just make sure you update the DNS Record within your DNS Server. You can run ipconfig /registerdns from cmd prompt to make sure it gets registered properly.
MVP Exchange Server
December 16th, 2010 1:54pm

Ok I'll give it a shot. Thanks for all the help John. I'll let you know how it goes.
December 16th, 2010 3:44pm

This topic is archived. No further replies will be accepted.