Configuring the Exchange 2003 Cluster Nodes
To accommodate the policies applied by the Windows and Exchange security GPO templates, you must configure two components on your Exchange cluster nodes:
Services: The Windows and Exchange security GPO templates configure some services to start automatically. You must change some of these services to start manually. In addition, you must enable the Cluster service and the Microsoft Distributed Transaction Coordinator (MSDTC) service.
Network Security: You must download a Windows Server 2003 post-RTM hotfix that allows NTLM version 2 (NTLMv2) session security to operate correctly in a Windows Server cluster. For more information, see Microsoft Knowledge Base article 890761, "You receive an 'Error 0x8007042b' error message when you add or join a node to a cluster if you use NTLM version 2 in Windows Server 2003."
The following table lists the recommended baseline startup settings for cluster nodes running in a hardened environment. Specifically, Table 1 shows the startup mode for each service after you apply the Exchange 2003 Cluster Node Base GPO template above the Exchange 2003 Backend and Windows Enterprise Client Member Server GPO templates. Services that are added or changed by the Exchange 2003 Cluster Node Base GPO template appear in italic.
Note
Many of the services configured by both the Exchange 2003 Backend and Exchange 2003 Cluster Node Base GPO security templates enforce the default service configuration that Exchange 2003 Setup applies. Applying these GPO security templates provides a mechanism to ensure a consistent service configuration across your Exchange organization.
To enable the POP3 or IMAP4 services, which are disabled by both the Exchange 2003 Backend and Exchange 2003 Cluster Node Base GPO templates, you must apply either the Cluster Node POP3 template (Exchange_2003-Cluster_Node_POP3_V1_1.inf) or the Cluster Node IMAP4 template (Exchange_2003-Cluster_Node_IMAP4_V1_1.inf).
Note
For detailed steps about how to enable POP3 or IMAP4 functionality on your Exchange cluster nodes, see How to Configure and Run Exchange Server 2003 Clusters in a Security-Hardened Environment.
Table 1: Service settings configured by applying the Exchange 2003 Cluster Node Base GPO template above the Exchange 2003 Backend GPO security template

Service Name | Startup Mode | Reason
---|---|---
Microsoft Exchange IMAP4 | Disabled | Server not configured for IMAP4
Microsoft Exchange Information Store | Manual | Needed to access mailbox and public folder stores
Microsoft Exchange POP3 | Disabled | Server not configured for POP3
Microsoft Search | Manual | Used by full-text indexing
Microsoft Exchange Event | Disabled | Only needed for backwards compatibility with Exchange 5.5; not supported on Exchange clusters
Microsoft Exchange Site Replication Service | Disabled | Only needed for backwards compatibility with Exchange 5.5; not supported on Exchange clusters
Microsoft Exchange Management | Automatic | Publishes Exchange management information to Windows Management Instrumentation (WMI); required for message tracking to function
Windows Management Instrumentation | Automatic | Used by the Microsoft Exchange Management service to publish a variety of Exchange management information
Microsoft Exchange MTA Stacks | Manual | Needed for backwards compatibility
Microsoft Exchange System Attendant | Manual | Needed for Exchange maintenance and other tasks
Microsoft Exchange Routing Engine | Manual | Needed to coordinate message transfer between Exchange servers
IPSEC Services | Automatic | Needed to implement and use Internet Protocol security (IPSec) policy on the server for communication with clients and servers that support IPSec
Remote Procedure Call (RPC) | Automatic | Provides RPC endpoint and endpoint mapping for communications with Windows servers and workstations; also for communication between Exchange servers and Microsoft Outlook® clients
IIS Admin Service | Automatic | Required by the World Wide Web Publishing Service, the Simple Mail Transfer Protocol (SMTP) service, and the Microsoft Exchange Routing Engine service
NT LM Security Support Provider | Automatic | Provides security for remote procedure calls (RPC)
Simple Mail Transfer Protocol (SMTP) | Manual | Required for Exchange transport
World Wide Web Publishing Service | Automatic | Required for communication with servers running Outlook Web Access, Outlook Mobile Access, Exchange ActiveSync®, and Outlook 2003 clients connecting to Exchange using RPC over HTTP; required for accessing Public Folder stores and content from Exchange System Manager
HTTP SSL | Manual | Implements secure HTTP (HTTPS) for the World Wide Web Publishing Service
Network News Transfer Protocol (NNTP) | Disabled | Only needed for setup and newsgroup functionality; not supported on Exchange clusters
Cluster Service | Automatic | Required to install and run Exchange on a Windows Server cluster
Microsoft Distributed Transaction Coordinator | Manual | Required by Exchange Setup and Exchange service pack Setup when Exchange is installed on a Windows Server cluster
As previously mentioned, the Exchange 2003 Cluster Node Base GPO template only adds or changes services that have been configured by the Exchange 2003 Backend and Windows Member Server GPO security templates. This section describes the services that are added and changed when you apply the Exchange 2003 Cluster Node Base GPO template above the Exchange 2003 Backend and Windows Enterprise Client Member Server GPO security templates.
Because core Exchange services are controlled by the Windows Cluster service, Exchange 2003 cluster nodes require that these core services are set to start manually. The Exchange 2003 Cluster Node Base GPO template sets the following Exchange services to start manually:
Microsoft Exchange Information Store
Microsoft Exchange MTA Stacks
Microsoft Exchange System Attendant
Microsoft Exchange Routing Engine
Simple Mail Transfer Protocol (SMTP)
Furthermore, running Exchange in a Windows cluster requires the following additional services:
Cluster service: This service is the core Windows Clustering service and is set to start automatically. The Exchange 2003 Cluster Node Base GPO template sets auditing on the Cluster service such that any audit failures on the Cluster service (Clussvc.exe). Additionally, the template secures the Cluster service with the following security permissions:
Built-in Administrators: Full Control
Authenticated Users: Read
SYSTEM: Full Control
The SYSTEM and Built-in Administrators permissions are required for the Cluster service to operate in any environment. Granting authenticated users Read access is required for Outlook Web Access. For more information about the permission specific to Outlook Web Access, see Microsoft Knowledge Base article 833001, "Users cannot access Outlook Web Access after you apply security templates from the Security Operations Guide for Windows 2000."
Microsoft Search: This service is set to start manually. This Exchange-related service is not required; however, a Microsoft Search cluster resource is created when an Exchange Virtual Server (EVS) is created. Disabling this service results in a partially online cluster resource.
If you do not use full-text indexing in your organization, you can delete the Microsoft Search cluster resource and then disable this service. In the Exchange 2003 Backend.inf template, which the Exchange Cluster Node OU inherits, this service is set to Disabled. Therefore, to disable the Microsoft Search service, remove the following line from Exchange_2003-Cluster_Node_Base_V1_1.inf file:
"MSSEARCH",3,"D:AR(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
For more information about deleting and re-creating the Microsoft Search service resource on an Exchange 2003 cluster, see Microsoft Knowledge Base article 830189, "Exchange Server 2003 computer cannot bring the Microsoft Search resource online."
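The INF line above is the service entry the template writes for Microsoft Search: the start value (3 = Manual), a DACL granting the same three permissions listed for the Cluster service (Authenticated Users: Read, Built-in Administrators and SYSTEM: Full Control), and a SACL that audits failed access by Everyone. The following Python script, added here and not part of the original guide, decodes such a line so the rights can be reviewed before the template is applied; the mapping of two-letter SDDL rights to service access rights and the well-known SID abbreviations are the standard SDDL ones.

```python
import re

# Constructed input: the MSSEARCH entry as quoted from
# Exchange_2003-Cluster_Node_Base_V1_1.inf in the text above.
INF_LINE = ('"MSSEARCH",3,"D:AR(A;;CCLCSWLOCRRC;;;AU)'
            '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)'
            '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)'
            'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"')

STARTUP = {2: "Automatic", 3: "Manual", 4: "Disabled"}  # SCM start values
WELL_KNOWN = {"AU": "Authenticated Users", "BA": "Built-in Administrators",
              "SY": "SYSTEM", "WD": "Everyone"}
# Two-letter SDDL rights as they apply to service objects.
RIGHTS = {"CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
          "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
          "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE",
          "CR": "USER_DEFINED_CONTROL", "SD": "DELETE", "RC": "READ_CONTROL",
          "WD": "WRITE_DAC", "WO": "WRITE_OWNER"}
# Rights that cannot start, stop, reconfigure or delete the service.
READ_ONLY = {"CC", "LC", "SW", "LO", "CR", "RC"}
AUDIT = {"SA": "success", "FA": "failure"}
ACE_RE = re.compile(r"\((\w+);(\w*);(\w*);(\w*);(\w*);(\w+)\)")

def pairs(s):
    """Split an SDDL rights or flags string into its two-letter tokens."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def label(rights):
    """Collapse a rights string to the label an administrator would see."""
    rs = set(pairs(rights))
    if rs == set(RIGHTS):
        return "Full Control"
    if rs <= READ_ONLY:
        return "Read"
    return "Custom: " + ",".join(RIGHTS.get(r, r) for r in pairs(rights))

def parse_service_line(line):
    """Decode a '"Name",start,"SDDL"' line from a security template INF."""
    name, start, sddl = re.fullmatch(r'"([^"]+)",(\d+),"(.*)"', line).groups()
    dacl_part, _, sacl_part = sddl.partition("S:")
    dacl = [(WELL_KNOWN.get(sid, sid), label(rights))
            for typ, _, rights, _, _, sid in ACE_RE.findall(dacl_part) if typ == "A"]
    sacl = [(WELL_KNOWN.get(sid, sid), "/".join(AUDIT.get(f, f) for f in pairs(flags)))
            for typ, flags, _, _, _, sid in ACE_RE.findall(sacl_part) if typ == "AU"]
    return {"name": name, "startup": STARTUP.get(int(start), start),
            "dacl": dacl, "sacl": sacl}

if __name__ == "__main__":
    for key, value in parse_service_line(INF_LINE).items():
        print(f"{key}: {value}")
```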
Microsoft Distributed Transaction Coordinator (MSDTC): This service is set to start manually. Exchange only uses the MSDTC during Setup. During Exchange Setup, COM+ is used to register the Microsoft CDO Workflow Event Sink (CDOWFEVT.DLL) so that the functions of the DLL can be used. For COM+ to register the event sink, a clustered MSDTC resource must be installed and running in the cluster. If a clustered MSDTC is not installed and running during Exchange Setup or service pack Setup, Setup will fail. For more information about configuring MSDTC, see Microsoft Knowledge Base article 301600, "How to configure Microsoft Distributed Transaction Coordinator on a Windows Server 2003 cluster."
The Windows Member Server GPO security templates (included with the Windows Server 2003 Security Guide) enable minimum session security for NTLM security support provider (SSP)-based servers and clients. Specifically, the Windows Enterprise Client Member Server GPO template configures the following NTLM settings:
Message integrity (encryption)
Message confidentiality
NTLMv2 authentication
128-bit encryption
NTLMv2 authentication does not operate correctly on the RTM version of Windows Server 2003 clusters. Specifically, on a Windows Server 2003 cluster, enabling NTLMv2 authentication for NTLM SSP prevents the Cluster service from starting. However, NTLM version 1 session security with message integrity, message confidentiality, and 128-bit encryption is functional. Therefore, the Windows Enterprise Client Member Server GPO security template causes Exchange cluster nodes to fail because the GPO security templates enforce NTLMv2 authentication.
To enable Exchange 2003 clustering where the Windows Member Server GPO security templates are being enforced, you must install the Windows hotfix described in Microsoft Knowledge Base article 890761, "You receive an 'Error 0x8007042b' error message when you add or join a node to a cluster if you use NTLM version 2 in Windows Server 2003."
Note
To allow NTLMv2 Session Security to operate correctly, it is recommended that you install the hotfix. If NTLMv2 authentication is enabled and this hotfix is not applied, the Windows Clustering service will not start.
Again, it is important to stress that applying the Exchange 2003 Cluster Node Base GPO template in isolation does not harden your Exchange environment. The Exchange 2003 Cluster Node Base GPO template assumes that both the Exchange Backend and the Windows Server 2003 Enterprise Client Member Server Security GPO security templates have been applied and are inherited by the OU where you placed your Exchange cluster nodes.