Configuring DSAccess for Perimeter Networks
Topic Last Modified: 2005-05-24
The DSAccess component in Exchange 2000 Server SP2 was redesigned to provide better support for perimeter networks in which RPC traffic is not allowed across the internal firewall. However, to prevent performance problems, there are two additional registry keys that you should set on the front-end server to disable NetLogon and the Directory Access ping. Additionally, you can configure DSAccess so that your front-end servers contact specific domain controllers and global catalog servers. The following sections describe how to configure these settings.
This section contains information about editing the registry. Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be resolvable. Before editing the registry, back up any valuable data.
Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Change Keys and Values" Help topic in Registry Editor (regedt32.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Information" Help topics in regedt32.exe. Note that you should back up the registry before you edit it. If you are running Microsoft Windows NT® Server or Windows 2000 Server, you should also update your Emergency Repair Disk (ERD).
DSAccess connects to Active Directory servers to check available disk space, time synchronization, and replication participation by using the NetLogon service with RPC. If you do not allow RPC traffic across the internal firewall, you should stop the NetLogon check by creating the DisableNetlogonCheck registry key on the front-end server.
For detailed instructions on how to disable the NetLogon check, see How to Disable the NetLogon Check on a Front-End Server.
In a perimeter network, you must also create a registry key on the front-end server to prevent Directory Access from pinging domain controllers.
For detailed instructions on how to disable the directory access ping, see How to Disable the Directory Access Ping.
In a perimeter network, you may want to configure DSAccess to use specific domain controllers and global catalog servers, and then use IP filtering to ensure that the front-end servers connect to only those domain controllers and global catalog servers. To specify domain controllers and global catalog servers, use the Directory Access tab in the <server name> Properties dialog box. Specifying servers on the Directory Access tab sets keys in the registry. The Directory Access tab was not available in earlier versions of Exchange; if you have previously set registry keys to specify domain controllers and global catalog servers, these registry keys will still work.
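One way to confirm that the IP filtering described above is doing its job is to audit internal-firewall connection logs for front-end traffic that reaches directory ports on servers outside the configured list, or that crosses the firewall as RPC. The following is an added example, not part of the original topic or any Microsoft tool. The IP addresses, the log layout and the names `FRONT_ENDS`, `ALLOWED_DIRECTORY` and `audit` are assumptions; the ports are the well-known ones for LDAP (389), global catalog LDAP (3268) and the RPC endpoint mapper (135).

```python
import ipaddress

# Assumed values for this example; none of them come from the original topic.
FRONT_ENDS = {"192.0.2.10"}                    # front-end server in the perimeter network
ALLOWED_DIRECTORY = {"10.0.0.5", "10.0.0.6"}   # DCs/GCs chosen on the Directory Access tab
DIRECTORY_PORTS = {389: "LDAP", 3268: "global catalog LDAP"}
RPC_ENDPOINT_MAPPER = 135                      # RPC should not cross the internal firewall

# Constructed sample log, one record per line:
# date time action protocol src-ip dst-ip src-port dst-port
SAMPLE_LOG = """\
2005-05-24 10:00:01 ALLOW TCP 192.0.2.10 10.0.0.5 49152 389
2005-05-24 10:00:02 ALLOW TCP 192.0.2.10 10.0.0.6 49153 3268
2005-05-24 10:00:03 ALLOW TCP 192.0.2.10 10.0.0.9 49154 389
2005-05-24 10:00:04 DROP TCP 192.0.2.10 10.0.0.5 49155 135
2005-05-24 10:00:05 ALLOW TCP 192.0.2.10 10.0.0.5 49156 135
2005-05-24 10:00:06 ALLOW TCP 192.0.2.77 10.0.0.9 49157 389
malformed line
"""

def audit(log_text):
    """Return (line_number, reason) for each allowed connection that breaks the policy."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 8 or parts[0].startswith("#"):
            continue  # skip comments and lines that are not connection records
        _, _, action, proto, src, dst, _, dport = parts
        try:
            src, dst = str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst))
            dport = int(dport)
        except ValueError:
            continue  # unparseable address or port
        # Only traffic the firewall let through from a front-end server matters here.
        if action != "ALLOW" or proto != "TCP" or src not in FRONT_ENDS:
            continue
        if dport == RPC_ENDPOINT_MAPPER:
            findings.append((n, f"RPC endpoint mapper reached {dst} from front-end {src}"))
        elif dport in DIRECTORY_PORTS and dst not in ALLOWED_DIRECTORY:
            findings.append((n, f"{DIRECTORY_PORTS[dport]} to unlisted server {dst}"))
    return findings

if __name__ == "__main__":
    for n, reason in audit(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

A finding for a directory port means the filter or the Directory Access list is incomplete; a finding for port 135 means RPC is still permitted across the internal firewall.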