HOWTO: Minimize Exchange Authentication Traffic over TCP/IP
ID: Q187825
Computers running Microsoft Exchange Server can generate considerable WAN traffic authenticating users. This article indicates possible measures to minimize the traffic.
Users accessing Exchange using a Domain Account must be authenticated. If
the computer running Exchange Server is a backup domain controller (BDC)
for the domain in which the user account resides, no network traffic is
generated authenticating the user. If the computer running Exchange Server
is not a domain controller (DC) or the account is from a trusted domain,
pass-through authentication is used to validate the user.
In a pass-through authentication scenario, the computer running Exchange
Server must find a domain controller for the user desiring access. With
TCP/IP, Exchange will usually query WINS for the <DomainName>[1C] entry of
the user's domain. That returns a list of up to 25 domain controllers that
the computer running Exchange Server attempts to contact. After a DC is
found, a secure channel is set up, and the computer running Exchange Server
validates the user.
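Added example (not part of the original article): Python that decodes the WINS (NBNS) reply to the <DomainName>[1C] query described above, as it would appear in a packet capture, so an administrator can see which domain controllers were returned and in what order. The domain EXAMPLE, the addresses and the sample packet are constructed for the demo; the encoding follows RFC 1001/1002.

```python
import socket
import struct

DC_GROUP_SUFFIX = 0x1C  # <DomainName>[1C]: the domain controller group name

def encode_name(name, suffix):
    """RFC 1001 first-level encoding: pad to 15 chars, append the suffix
    byte, then map every nibble to a letter 'A'..'P'."""
    raw = name.upper().encode("ascii")
    if len(raw) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    raw = raw.ljust(15, b" ") + bytes([suffix])
    return bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))

def decode_name(encoded):
    """Reverse of encode_name: returns (name, suffix byte)."""
    if len(encoded) != 32 or any(not 0x41 <= b <= 0x50 for b in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]

def parse_positive_response(pkt):
    """Parse an NBNS positive name query response (RFC 1002, 4.2.13).
    Returns (name, suffix, addresses in the order the server listed them)."""
    if len(pkt) < 56:
        raise ValueError("packet too short")
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    # Response bit set, RCODE 0, no question section, exactly one answer.
    if not flags & 0x8000 or flags & 0x000F or qd != 0 or an != 1:
        raise ValueError("not a positive name query response")
    if pkt[12] != 0x20 or pkt[45] != 0x00:
        raise ValueError("scoped or compressed names are not handled here")
    name, suffix = decode_name(pkt[13:45])
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[46:56])
    rdata = pkt[56:56 + rdlen]
    if rtype != 0x0020 or rclass != 0x0001 or rdlen % 6 or len(rdata) != rdlen:
        raise ValueError("malformed NB resource record")
    # Each RDATA entry is 2 bytes of NB_FLAGS followed by a 4-byte IPv4 address.
    addrs = [socket.inet_ntoa(rdata[i + 2:i + 6]) for i in range(0, rdlen, 6)]
    return name, suffix, addrs

def build_sample(domain, addrs):
    """Constructed sample response for the demo; not a captured packet."""
    rdata = b"".join(struct.pack("!H", 0x8000) + socket.inet_aton(a) for a in addrs)
    header = struct.pack("!6H", 0x1234, 0x8580, 0, 1, 0, 0)
    rr = b"\x20" + encode_name(domain, DC_GROUP_SUFFIX) + b"\x00"
    return header + rr + struct.pack("!HHIH", 0x0020, 1, 300, len(rdata)) + rdata

if __name__ == "__main__":
    sample = build_sample("EXAMPLE", ["192.0.2.10", "198.51.100.20"])
    print(parse_positive_response(sample))
```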
Depending on the NetBIOS name resolution strategy, the computer running
Exchange Server may set up its secure channel with a non-local or distant
DC. This can send the authentication traffic over the WAN instead of to a
more local DC (if available).
To limit the amount of authentication traffic over the WAN, place a BDC for
every domain in which an Exchange user account is located on the same
network segment as the computer running Exchange Server. Then take the
necessary steps to ensure the Exchange Server computer uses these local DCs for
validation purposes.
To manage the Exchange Server's pass-through authentication partners, please
see the following Microsoft Knowledge Base article:
ARTICLE-ID: Q181171
TITLE : Secure Channel Manipulation with TCP/IP.
Keywords :
Version : WinNT:3.51,4.0
Platform : winnt
Issue type : kbhowto
Last Reviewed: February 11, 1999