Configuring the Exchange 2003 Cluster Nodes

Configuring the Exchange 2003 Clust...

Exchange Server 2003

Topic Last Modified: 2006-07-28

To accommodate the policies applied by the Windows and Exchange security GPO templates, you must configure two components on your Exchange cluster nodes:

Services The Windows and Exchange security GPO templates configure some services to start automatically. You must change some of these services to start manually. In addition, you must also enable the Cluster service and the Microsoft Distributed Transaction Coordinator (MSDTC) service.
Network Security You must download a Windows Server 2003 post-RTM hotfix that allows NTLM version 2 (NTLMv2) session security to operate correctly in a Windows Server cluster. For more information, see Microsoft Knowledge Base article 890761, "You receive an "Error 0x8007042b" error message when you add or join a node to a cluster if you use NTLM version 2 in Windows Server 2003."

Services

The following table lists the recommended baseline startup settings for cluster nodes running in a hardened environment. Specifically, Table 1 shows the startup mode for each service after you apply the Exchange 2003 Cluster Node Base GPO template above the Exchange 2003 Backend and Windows Enterprise Client Member Server GPO templates. Services that are added or changed by the Exchange 2003 Cluster Node Base GPO template appear in italic.

Note:
Many of the services configured by both the Exchange 2003 Backend and Exchange 2003 Cluster Node Base GPO security templates enforce the default of service configuration when Exchange 2003 is installed. Applying these GPO security templates provides a mechanism to assure a consistent service configuration across your Exchange organization.

To enable the POP3 or IMAP4 services, which are disabled by both the Exchange 2003 Backend and Exchange 2003 Cluster Node Base GPO templates, you must apply either the Cluster Node POP3 template (Exchange_2003-Cluster_Node_POP3_V1_1.inf) or the Cluster Node IMAP4 template (Exchange_2003-Cluster_Node_IMAP4_V1_1.inf).

Note:
For detailed steps about how to enable POP3 or IMAP4 functionality on your Exchange cluster nodes, see How to Configure and Run Exchange Server 2003 Clusters in a Security-Hardened Environment.

Service settings configured by applying the Exchange 2003 Cluster Node Base GPO template above the Exchange 2003 Backend GPO security template

Service Name	Startup Mode	Reason
Microsoft Exchange IMAP4	Disabled	Server not configured for IMAP4
Microsoft Exchange Information Store	Manual	Needed to access mailbox and public folder stores
Microsoft Exchange POP3	Disabled	Server not configured for POP3
Microsoft Search	Manual	Used by full-text indexing
Microsoft Exchange Event	Disabled	Only needed for backwards compatibility with Exchange 5.5; not supported on Exchange clusters
Microsoft Exchange Site Replication Service	Disabled	Only needed for backwards compatibility with Exchange 5.5; not supported on Exchange clusters
Microsoft Exchange Management	Automatic	Publishes Exchange management information to Windows Management Instrumentation (WMI); required for message tracking to function
Windows Management Instrumentation	Automatic	Used by Microsoft Exchange Management service to publish a variety of Exchange management information
Microsoft Exchange MTA Stacks	Manual	Needed for backwards compatibility
Microsoft Exchange System Attendant	Manual	Needed for Exchange maintenance and other tasks
Microsoft Exchange Routing Engine	Manual	Needed to coordinate message transfer between Exchange servers
IPSEC Services	Automatic	Needed to implement and use Internet Protocol security (IPSec) policy on server for communication with clients and servers that support IPSec
Remote Procedure Call (RPC)	Automatic	Provides RPC endpoint and endpoint mapping for communications with Windows servers and workstations; also for communication between Exchange servers and Microsoft Outlook® clients
IIS Admin Service	Automatic	Required by the World Wide Web Publishing Service, the Simple Mail Transfer Protocol (SMTP) service, and the Microsoft Exchange Routing Engine service
NT LM Security Support Provider	Automatic	Provides security for remote procedure calls (RPC)
Simple Mail Transfer Protocol (SMTP)	Manual	Required for Exchange transport
World Wide Web Publishing Service	Automatic	Required for communication with servers running Outlook Web Access, Outlook Mobile Access, Exchange ActiveSync®, and Outlook 2003 clients connecting to Exchange using RPC over HTTP; required for accessing Public Folder stores and content from Exchange System Manager
HTTP SSL	Manual	Implements secure HTTP (HTTPS) for the World Wide Web Publishing Service
Network News Transfer Protocol (NNTP)	Disabled	Only needed for setup and newsgroup functionality; not supported on Exchange clusters
Cluster Service	Automatic	Required to install and run Exchange on a Windows Server cluster
Microsoft Distributed Transaction Coordinator	Manual	Required by Exchange Setup and Exchange service pack Setup when Exchange is installed on a Windows Server cluster

Services Added and Changed by the Exchange 2003 Cluster Node Base GPO Template

As previously mentioned, the Exchange 2003 Cluster Node Base GPO template only adds or changes services that have been configured by the Exchange 2003 Backend and Windows Member Server GPO security templates. This section describes the services that are added and changed when you apply the Exchange 2003 Cluster Node Base GPO template above the Exchange 2003 Backend and Windows Enterprise Client Member Server GPO security templates.

Because core Exchange services are controlled by the Windows Cluster service, Exchange 2003 cluster nodes require that these core services are set to start manually. The Exchange 2003 Cluster Node Base GPO template sets the following Exchange services to start manually:

Microsoft Exchange Information Store
Microsoft Exchange MTA Stacks
Microsoft Exchange System Attendant
Microsoft Exchange Routing Engine
Simple Mail Transfer Protocol (SMTP)

Furthermore, running Exchange in a Windows cluster requires the following additional services:

Cluster service This service is the core Windows Clustering service and is set to start automatically. The Exchange 2003 Cluster Node Base GPO template sets auditing on the Cluster service such that any audit failures on the Cluster service (Clussvc.exe). Additionally, the template secures the Cluster service with the following security permissions:
- Built-in Administrators: Full Control
- Authenticated Users: Read
- SYSTEM: Full Control
The SYSTEM and Built-in Administrators permissions are required for the Cluster service to operate in any environment. Granting authenticated users Read access is required for Outlook Web Access. For more information about the permission specific to Outlook Web Access, see Microsoft Knowledge Base article 833001, "Users cannot access Outlook Web Access after you apply security templates from the Security Operations Guide for Windows 2000."
Microsoft Search This service is set to start manually. This Exchange-related service is not required; however, a Microsoft Search cluster resource is created when an EVS is created. Disabling this service results in a partially online cluster resource.
If you do not use full-text indexing in your organization, you can delete the Microsoft Search cluster resource and then disable this service. In the Exchange 2003 Backend.inf template, which the Exchange Cluster Node OU inherits, this service is set to Disabled. Therefore, to disable the Microsoft Search service, remove the following line from Exchange_2003-Cluster_Node_Base_V1_1.inf file:
"MSSEARCH",3,"D:AR(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
For more information about deleting and re-creating the Microsoft Search service resource on an Exchange 2003 cluster, see Microsoft Knowledge Base article 830189, "Exchange Server 2003 computer cannot bring the Microsoft Search resource online."
Microsoft Distributed Transaction Coordinator (MSDTC) This service is set to start manually. Exchange only uses the MSDTC during Setup. During Exchange Setup, COM+ is used to register the Microsoft CDO Workflow Event Sink (CDOWFEVT.DLL) so that the functions of the dll can be used. In order for COM+ to register the event sink, a clustered MSDTC resource must be installed and running in the cluster. If a clustered MSDTC is not installed and running during Exchange Setup, or service pack Setup, then Setup will fail. For more information about configuring MSDTC, see Microsoft Knowledge Base article 301600, "How to configure Microsoft Distributed Transaction Coordinator on a Windows Server 2003 cluster."

Network Security

The Windows Member Server GPO security templates (included with the Windows Server 2003 Security Guide) enable minimum session security for NTLM security support provider (SSP)-based servers and clients. Specifically, the Windows Enterprise Client Member Server GPO template configures the following NTLM settings:

Message integrity (encryption)
Message confidentiality
NTLMv2 authentication
128-bit encryption

NTLMv2 authentication does not operate correctly on the RTM version of Windows Server 2003 clusters. Specifically, on a Windows Server 2003 cluster, enabling NTLMv2 authentication for NTLM SSP prevents the Cluster service from starting. However, NTLM version 1 session security with message integrity, message confidentiality, and 128-bit encryption is functional. Therefore, the Windows Enterprise Client Member Server GPO security template causes Exchange cluster nodes to fail because the GPO security templates enforce NTLMv2 authentication.

To enable Exchange 2003 clustering where the Windows Member Server GPO security templates are being enforced, you must install the Windows hotfix described in the Microsoft Knowledge Base article 890761, "You receive an "Error 0x8007042b" error message when you add or join a node to a cluster if you use NTLM version 2 in Windows Server 2003."

Note:
To allow NTLMv2 Session Security to operate correctly, it is recommended that you install the hotfix. If NTLMv2 authentication is enabled and this hotfix is not applied, the Windows Clustering service will not start.

Again, it is important to stress that applying the Exchange 2003 Cluster Node Base GPO template in isolation does not harden your Exchange environment. The Exchange 2003 Cluster Node Base GPO template assumes that both the Exchange Backend and the Windows Server 2003 Enterprise Client Member Server Security GPO security templates have been applied and are inherited by the OU where you placed your Exchange cluster nodes.