From: Richard de Jong (richard.de.jongFRAMFAB.NL)
Date: Tue May 01 2001 - 12:21:04 CDT
We have a master/resource NT domain configuration, meaning that workstations
are in one domain, users are in another. The user-domain is the master
domain. The resource domains "trust" the users from the master domain. Then
there is a second resource domain, in which the Exchange server lives. The
Exchange server is not the PDC or BDC for this domain; these are separate,
low-cost machines. This might be a little overkill for your situation (we
have some 2500 users), since you only have 30 users, but it would be nice to
at least have the Exchange server in a resource domain, with its own PDC
and BDC, then establish a trust, to make the Exchange-domain a trusting
domain of the master domain.
We have the SMTP relay in the DMZ which does Anti-Virus scanning and mail
relaying, nothing more. The Exchange server is in the internal network, so
users connecting to it achieve the best possible speed; besides, it does
nothing more than serving email, no one from the outside connecting to it,
so I think there is no reason to put a firewall between the users and the
Check this document for reinstalling an Exchange server, retaining the same
Public and Private information store:
http://seer.support.veritas.com/docs/192377.htm Remember the part about the
computer name. It may be necessary to fiddle even more with isinteg and
eseutils. Reinstalling is necessary because you don't want the Exchange
server to be a DC. BTW, exporting user mailboxes to .pst and exporting the
config to .csv would be very wise.
I think I've answered all your questions now,
HTH, Grtz, Richard
> -----Original Message-----
> From: Brian Cervenka [mailto:brianBE-BEE.COM]
> Sent: Wednesday, April 25, 2001 23:52
> To: FOCUS-MSSECURITYFOCUS.COM
> Subject: Domain questions
> I have an NT domain with ~30 desktop users and a box running as PDC and also
> running Exchange 5.5.
> In order to facilitate future expansion, I am adding two separate machines
> to become PDC/BDC, and let the Exchange box just do exchange. I would like
> to at the same time, create a new domain from scratch and make new
> accounts/groups for everyone.
> I have the following questions:
> - Will it be possible to have the Exchange box in the old domain 'A' and the
> real network in the new domain 'B'?
> (I realize I would have to go through and change the 'Primary NT Account'
> for each user)
> - Will there need to be some sort of trust relationship between the new PDC
> and the Exchange box?
> - Will all the user mailboxes survive this change? (I don't see why not, but
> maybe I'm missing something...)
> If I want to put a firewall between the users and the exchange box, do I
> just allow udp/137 and udp/138 between the internal net and the exchange
> box? (There would be a DMZ1 with the real net servers, and a *nix box
> forwarding external stuff to the Exchange box which is in a DMZ2). I guess I
> would need to have the exchange box point to an internal WINS box? Will this
> allow the standard NT authentication exchange normally uses?