Using DSAccess in a perimeter network firewall scenario requires a registry key setting (320529)
The information in this article applies to:
- Microsoft Exchange 2000 Server
This article was previously published under Q320529

Important: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SUMMARY

By default, Directory Access (DSAccess) uses Internet Control Message Protocol (ICMP) to ping each server that it connects to. This action is used to determine whether the server is available. In a perimeter network firewall scenario, there is no ICMP connectivity between the server that is running Exchange 2000 and the domain controllers. (A perimeter network is also known as a DMZ, demilitarized zone, and screened subnet.) This situation causes Directory Access to respond as if every domain controller is unavailable. Directory Access then discards old topologies and frequently performs new topology discoveries. This behavior affects server performance.

You can turn off the Directory Access ping by creating a registry key for the Microsoft Windows implementation of Lightweight Directory Access Protocol (wLDAP).
MORE INFORMATION

Warning: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

The following registry key controls the ping protocol:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeDSAccess\LdapKeepAliveSecs

If the registry key does not exist, Directory Access uses the wLDAP ping protocol. If the registry key already exists, or if you create the key, set the value of REG_DWORD to 0 (zero). Only the value 0 turns off the ping protocol for all LDAP connections in Directory Access. Values other than 0 are not supported for this registry key.

Note: You do not have to restart any service for this registry change to become effective.

Caution: Do not use a registry editor to modify the registry directly unless you have no alternative. The registry editors bypass the standard safeguards that are provided by administrative tools. These safeguards prevent you from entering conflicting settings, or settings that are likely to decrease performance or damage your system. Editing the registry directly can have serious, unexpected consequences that can prevent the system from starting, and require that you reinstall Exchange 2000. To configure or to customize Exchange 2000, use the programs in Control Panel or Microsoft Management Console (MMC) whenever possible.

Note: You can manually configure Directory Access in Exchange System Manager by using the Directory Access tab of the server Properties page. However, you must configure the server while it is not on the perimeter network. After you make the manual configurations, you can put the server back on the perimeter network. However, the registry key setting that is mentioned in this article is still required for Directory Access to function.
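The following is an added example, not part of the original article: a Python check that reads a Registry Editor export of the key above and classifies the LdapKeepAliveSecs setting by the rules this article states (absent, 0, any other value), also flagging an entry that is not a REG_DWORD. The function name, status labels, host names, the subkey in the last sample and the sample exports are constructed for illustration, and the export is assumed to be already decoded to text.

```python
import re

# Key path and value name exactly as given in the article.
KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeDSAccess"
VALUE = "LdapKeepAliveSecs"

def audit_export(reg_text):
    """Classify a regedit export (already decoded to str) by the article's rules."""
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Section header: only values directly under KEY count.
            in_key = line[1:-1].lower() == KEY.lower()
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not in_key or not m or m.group(1).lower() != VALUE.lower():
            continue
        dword = re.fullmatch(r"dword:([0-9a-fA-F]{8})", m.group(2))
        if not dword:
            return "wrong-type", "%s is not a REG_DWORD: %s" % (VALUE, m.group(2))
        number = int(dword.group(1), 16)
        if number == 0:
            return "ping-disabled", "DSAccess ping is turned off"
        return "unsupported", "value %d set; only 0 is supported" % number
    return "ping-enabled", "%s absent; DSAccess uses the ping protocol" % VALUE

# Constructed sample exports (host names and contents are illustrative).
HEADER = "Windows Registry Editor Version 5.00\r\n\r\n"
SAMPLES = {
    "fe01": HEADER + '[%s]\r\n"LdapKeepAliveSecs"=dword:00000000\r\n' % KEY,
    "fe02": HEADER + '[%s]\r\n"LdapKeepAliveSecs"=dword:0000003c\r\n' % KEY,
    "fe03": HEADER + '[%s]\r\n"LdapKeepAliveSecs"="0"\r\n' % KEY,
    # Same value name under a constructed subkey: must not count.
    "fe04": HEADER + '[%s\\ConstructedSubkey]\r\n"LdapKeepAliveSecs"=dword:00000000\r\n' % KEY,
}

if __name__ == "__main__":
    for host, text in sorted(SAMPLES.items()):
        print(host, *audit_export(text))
```
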
For additional information about how to use this registry key in a perimeter network, click the following article number to view the article in the Microsoft Knowledge Base:

320228 The "DisableNetLogonCheck" registry value and how to use it

- Modification Type: Minor
- Last Reviewed: 4/25/2005
- Keywords: kbinfo KB320529 kbAudITPRO