Configuring Exchange 2000, ISA 2000 on W2K Advanced Server


Wil Biscardi
We are currently running W2K Advanced Server. We have two
(2) W2K ISA 2000 servers with the external ISA acting as
the PDC and running IIS. We also have a W2K Exchange 2000
cluster running on 2 servers. Things have not been
working very well and we are working with consultants to
help us reconfigure this arrangement to a more
"industry-standard", "best-practices" setup....

One consultant suggests moving the PDC functionality from
the ISA server to the Exchange Cluster. One of the ISA
servers would then act as our external firewall while the
second ISA server would act as an internal firewall
creating a DMZ in the process. There are other details,
but this is the basic concept.

Another vendor is recommending a similar arrangement, but
they suggest obtaining a NEW server to act as the PDC.
The ISA servers and the Exchange servers would act as
member servers on the network.

Any comments, recommendations, advice would be
appreciated. We are sure that there are probably many
acceptable ways to set up a network that is secure,
redundant, etc., so there is more than likely not ONE
answer that says "this is THE way to do it." But we are
looking for suggestions from experts and those of you with
the technical experience to help shed some light on the
matter for us. Please advise. Thank you!


Rob Elder, MVP
I would side with the second vendor. I would never recommend running ISA on
a domain controller. That's just plain foolish.



Wil Biscardi
Hi, Rob!

Thanks for your quick reply! I don't think I was clear in
my explanation....
We CURRENTLY have the Domain Controller running on the ISA
server, and we realize, as you noted, that this is a poor
design. Both consultants agree with your assessment. The
difference is that the FIRST consultant would move the PDC
functionality to the Exchange cluster servers. The SECOND
consultant recommends a SEPARATE server to act as the PDC,
and the Exchange and ISA boxes would be member servers.
Are you still leaning towards the second consultant's
recommendation? Thanks again for your time!

Regards,
Wil



Rob Elder, MVP
Also agree with a separate dc.



Wil Biscardi
Thanks for the follow-up, Rob!
Regards,
Wil
