EEK.... HT.... You are breaking the biggest rule.... IIS and AD on the same box... assuming that this is your domain's AD and it is publicly available.

Go find that crappy old workstation that will only just run Win2k server. Fire it up in a DMZ and have it run IIS. Have it receive SMTP and forward any mail to the Exchange Server on the private network. The only access to the Exchange Server from the public network _might_ be SSL for OWA. Run your web site(s) out there too.

If you need the SQL server to serve data to the IIS server, bring it inside (since it is also your AD) and only allow 1433 from the IIS box to the SQL box from the DMZ. That's a more secure stance than you have right now.

Two of my public machines are old PII/266 laptops - one of which has a broken screen, so it has to be TS'ed to administer it. They only serve secondary DNS, and one serves as a backup SMTP server. They work fine.

If you allow any DNS resolution in to server one, you need to be very careful: since the server is an AD server, you could leak all your private network structure out to the public network. You need to split that DNS if you do allow DNS queries in.