Roger! How many years have I seen your name floating around these
(and Dean's) lists? Yours is definitely a trusted voice my friend!
I agree with you, and Squid is a solution I am familiar with. But,
this is a small shop and that particular box does more than just
OWA. I know what you're thinking, but my hands are tied on this
one. Can I simply move the FSMO role off that box (by very quickly
placing it inside), then move it back into the DMZ with no grief?

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 12:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Moving Schema Master 


I'd suggest rearchitecting the network to be a more sane environment.
Putting Exchange in the DMZ is fairly scary.

If your users are so intent on OWA from outside, it's a far better option,
IMO, to put a proxy server (either ISA or Squid-proxy if you're Unix savvy)
in the DMZ and put the OWA box inside. You're putting an awful lot of
collateral into an untrusted section of your domain, and having to allow a
LOT of traffic into the inside network. Permanently moving the Exchange box
inside would make a LOT of sense - even if you end up just passing all OWA
traffic all the way in.

Second - the issue with the schema master is most likely because the
necessary ports aren't open enough from the outside. One alternate, which is
a bit ugly but could work, would be to set up IPSec tunneling between the
two boxes - that way it's 100% open traffic because all of it would get
encapsulated and passed through the pipe.

Personally, I'd permanently move the Exchange box to address both issues at
once.


--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -----Original Message-----
> From: Frank Buechler [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, February 03, 2004 11:08 AM
> To: ActiveDir (E-mail)
> Subject: [ActiveDir] Moving Schema Master 
> 
> 
> Good Morning Folks
> 
> I'm having a bit of a problem and I'm wondering if one of you fine people
> can help me out. First, let me give you an outline of the structure here.
> I have (2) 2000 servers, one in the DMZ (Exchange Server, our clients rely
> heavily on OWA), and the other sitting in trusted. The Operations Master is
> the server sitting on the inside, the Schema Master is the server sitting
> in the DMZ. I have been called here to upgrade everything to 2003 Server.
> Here's where I'm at:
> 
> I have placed a 2003 server (brand new box) on the network. This box is
> currently sitting in trusted, but it will eventually be the new Exchange
> server. I want to run ADPREP /FORESTPREP on the Schema Master to bring the
> 2003 server into the AD. Since I really don't want to take the Exchange
> server off the network to do this, and since that box will be getting
> demoted anyway, I thought I would move the Schema Master role to the server
> currently sitting in trusted, and run ADPREP against it. However, when I
> attempt to do this, I get an error; "The current FSMO holder could not be
> contacted".
> 
> Does the Exchange server (Schema Master) need to come out of the DMZ?
> 
> TIA!
> 
> -Frank
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
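Added example, not part of the thread above and not code from either poster. It shows the two checks a practitioner would want before repeating Frank's transfer: which server holds each FSMO role right now, and whether the would-be new holder can actually reach the DMZ role holder on the ports a transfer depends on, which is the cause Roger suspects for "The current FSMO holder could not be contacted". The transfer itself (a clean transfer, not a seizure) only runs when explicitly requested and nothing is blocked. It assumes the ActiveDirectory and NetTCPIP PowerShell modules on a modern domain-joined Windows Server; the two hostnames are constructed placeholders, and the port list is a common baseline for DC-to-DC traffic rather than anything quoted from the thread.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory and
# NetTCPIP modules (Windows Server 2012 R2 or later). Hostnames are
# constructed placeholders; replace them with your own DCs.
param(
    [string]$DmzDc    = 'DMZ-DC01.example.local',     # assumed: current Schema Master in the DMZ
    [string]$InsideDc = 'INSIDE-DC01.example.local',  # assumed: server that should take the role
    [switch]$DoTransfer                               # off by default: report only
)

Import-Module ActiveDirectory

# 1. Which server holds each FSMO role right now? (Equivalent to "netdom query fsmo".)
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 2. Run this on the server that will take the role: can it reach the DMZ
#    holder? A transfer goes over RPC (endpoint mapper on 135, then a dynamic
#    high port) and LDAP, so a fixed port list proves necessity, not sufficiency.
$ports = @{
    'RPC endpoint mapper' = 135
    'Kerberos'            = 88
    'DNS'                 = 53
    'LDAP'                = 389
    'LDAP over SSL'       = 636
    'Global Catalog'      = 3268
    'SMB'                 = 445
}
$unreachable = foreach ($name in $ports.Keys) {
    $r = Test-NetConnection -ComputerName $DmzDc -Port $ports[$name] -WarningAction SilentlyContinue
    if (-not $r.TcpTestSucceeded) { '{0} (TCP {1})' -f $name, $ports[$name] }
}
if ($unreachable) {
    Write-Warning ('Blocked from here to {0}: {1}' -f $DmzDc, ($unreachable -join ', '))
    Write-Warning 'Expect "The current FSMO holder could not be contacted" until these are opened, tunnelled (e.g. IPsec), or the holder is moved inside.'
} else {
    Write-Host "All listed ports reachable on $DmzDc."
}

# 3. Clean transfer (the current holder must be online; this is not a seizure).
if ($DoTransfer -and -not $unreachable) {
    Move-ADDirectoryServerOperationMasterRole -Identity $InsideDc `
        -OperationMasterRole SchemaMaster -Confirm:$false
    # Verify the new holder before running ADPREP /FORESTPREP against it.
    (Get-ADForest).SchemaMaster
}
```

Run it first with no switches from the inside server to get the role map and the port report; only add -DoTransfer once the report is clean. Because the Schema Master is a forest-wide role, the transfer is a single LDAP write to the old holder, which is exactly why a firewall between the two DCs shows up as the "could not be contacted" error rather than as a partial failure.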
