Using DSAccess in a perimeter network firewall scenario requires a registry key setting

This article was previously published under Q320529
This article has been archived. It is offered "as is" and will no longer be updated.
Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
By default, Directory Access (DSAccess) uses Internet Control Message Protocol (ICMP) to ping each server that it connects to. This action is used to determine whether the server is available. In a perimeter network firewall scenario, there is no ICMP connectivity between the server that is running Exchange 2000 and the domain controllers. (A perimeter network is also known as a DMZ, demilitarized zone, and screened subnet.) This situation causes Directory Access to respond as if every domain controller is unavailable. Directory Access then discards old topologies and frequently performs new topology discoveries. This behavior affects server performance. You can turn off the Directory Access ping by creating a registry key for the Microsoft Windows implementation of Lightweight Directory Access Protocol (wLDAP).
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
The following registry key controls the ping protocol:
If the registry key does not exist, Directory Access uses the wLDAP ping protocol. If the registry key already exists, or if you create the key, set the value of REG_DWORD to 0 (zero). Only the value 0 turns off the ping protocol for all LDAP connections in Directory Access. Values other than 0 are not supported for this registry key.

Note You do not have to restart any service for this registry change to become effective.

Caution Do not use a registry editor to modify the registry directly unless you have no alternative. The registry editors bypass the standard safeguards that are provided by administrative tools. These safeguards prevent you from entering conflicting settings, or settings that are likely to decrease performance or damage your system. Editing the registry directly can have serious, unexpected consequences that can prevent the system from starting, and require that you reinstall Exchange 2000. To configure or to customize Exchange 2000, use the programs in Control Panel or Microsoft Management Console (MMC) whenever possible.

Note You can manually configure Directory Access in Exchange System Manager by using the Directory Access tab of the server Properties page. However, you must configure the server while it is not on the perimeter network. After you make the manual configurations, you can put the server back on the perimeter network. However, the registry key setting that is mentioned in this article is still required for Directory Access to function.

For additional information about how to use this registry key in a perimeter network, click the following article number to view the article in the Microsoft Knowledge Base:
320228 The "DisableNetLogonCheck" registry value and how to use it

Article ID: 320529 - Last Review: 10/24/2013 11:15:04 - Revision: 4.2

Microsoft Exchange 2000 Server Standard Edition

  • kbnosurvey kbarchive kbinfo KB320529