Using DSAccess in a perimeter network firewall scenario requires a registry key setting

Article translations Article translations
Article ID: 320529 - View products that this article applies to.
This article was previously published under Q320529
This article has been archived. It is offered "as is" and will no longer be updated.
Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
Expand all | Collapse all


By default, Directory Access (DSAccess) uses Internet Control Message Protocol (ICMP) to ping each server that it connects to. This action is used to determine whether the server is available. In a perimeter network firewall scenario, there is no ICMP connectivity between the server that is running Exchange 2000 and the domain controllers. (A perimeter network is also known as a DMZ, demilitarized zone, and screened subnet.) This situation causes Directory Access to respond as if every domain controller is unavailable. Directory Access then discards old topologies and frequently performs new topology discoveries. This behavior affects server performance. You can turn off the Directory Access ping by creating a registry key for the Microsoft Windows implementation of Lightweight Directory Access Protocol (wLDAP).


Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
The following registry key controls the ping protocol:
If the registry key does not exist, Directory Access uses the wLDAP ping protocol. If the registry key already exists, or if you create the key, set the value of REG_DWORD to 0 (zero). Only the value 0 turns off the ping protocol for all LDAP connections in Directory Access. Values other than 0 are not supported for this registry key.

Note You do not have to restart any service for this registry change to become effective.

Caution Do not use a registry editor to modify the registry directly unless you have no alternative. The registry editors bypass the standard safeguards that are provided by administrative tools. These safeguards prevent you from entering conflicting settings, or settings that are likely to decrease performance or damage your system. Editing the registry directly can have serious, unexpected consequences that can prevent the system from starting, and require that you reinstall Exchange 2000. To configure or to customize Exchange 2000, use the programs in Control Panel or Microsoft Management Console (MMC) whenever possible.

Note You can manually configure Directory Access in Exchange System Manager by using the Directory Access tab of the server Properties page. However, you must configure the server while it is not on the perimeter network. After you make the manual configurations, you can put the server back on the perimeter network. However, the registry key setting that is mentioned in this article is still required for Directory Access to function.

For additional information about how to use this registry key in a perimeter network, click the following article number to view the article in the Microsoft Knowledge Base:
320228 The "DisableNetLogonCheck" registry value and how to use it


Article ID: 320529 - Last Review: October 24, 2013 - Revision: 4.2
  • Microsoft Exchange 2000 Server Standard Edition
kbnosurvey kbarchive kbinfo KB320529

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from