Microsoft Exchange Server 2003 and Active Directory
(70-284)
TRANSCRIPT
Revision no.: PPT/2K403/02
CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Lesson 1: Overview of Active Directory
Active Directory Forests and Domains
Active Directory Sites
Active Directory Schema
Organizational Units
Global Catalogs
Operation Masters
Active Directory Forests and Domains
The forest is the primary security boundary.
A forest contains domain trees, and can contain multiple trees.
The first domain created is the forest root domain.
Domains in Active Directory are represented by DNS names rather than NetBIOS names.
Regardless of the number of domain trees in a forest, there is centralized administration at the forest level with permissions to all domain trees.
Each forest has an Enterprise Admins group as well as a Schema Admins group. Members of these groups have authority over all the domain trees in the forest.
Each domain has a Domain Admins group, and administrators in a parent domain automatically have administrative permissions to all child domains through automatic transitive trust relationships.
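The two slides above describe where forest-wide authority lives. The following script is an added example (it is not part of the CMS Institute deck, and the ActiveDirectory PowerShell module it uses postdates Exchange 2003) that enumerates the forest, lists the recursive membership of Enterprise Admins, Schema Admins and every domain's Domain Admins group, and shows the automatic transitive trusts between the domains. It assumes the RSAT ActiveDirectory module is installed and that it is run from a domain-joined machine by an account that can read group membership in every domain.

```powershell
Import-Module ActiveDirectory   # RSAT ActiveDirectory module (assumed available)

function Get-ForestAuthorityReport {
    # Enumerates the forest, its domains and the groups that carry forest-wide
    # or domain-wide authority. Enterprise Admins and Schema Admins exist only
    # in the forest root domain; Domain Admins exists in every domain.
    $forest = Get-ADForest
    Write-Host "Forest root domain : $($forest.RootDomain)"
    Write-Host "Forest mode        : $($forest.ForestMode)"
    Write-Host "Domains            : $($forest.Domains -join ', ')"

    $report = [System.Collections.Generic.List[object]]::new()
    foreach ($groupName in 'Enterprise Admins', 'Schema Admins') {
        # -Recursive expands nested groups, the usual place hidden admins sit.
        Get-ADGroupMember -Identity $groupName -Server $forest.RootDomain -Recursive |
            ForEach-Object {
                $report.Add([pscustomobject]@{ Domain = $forest.RootDomain; Group = $groupName
                                               Member = $_.SamAccountName;  Type  = $_.objectClass })
            }
    }
    foreach ($domain in $forest.Domains) {
        Get-ADGroupMember -Identity 'Domain Admins' -Server $domain -Recursive |
            ForEach-Object {
                $report.Add([pscustomobject]@{ Domain = $domain; Group = 'Domain Admins'
                                               Member = $_.SamAccountName; Type = $_.objectClass })
            }
    }
    $report
}

function Get-ForestTrustReport {
    # Parent/child trusts inside a forest are created automatically and are
    # transitive, which is why a parent-domain admin reaches every child domain.
    foreach ($domain in (Get-ADForest).Domains) {
        Get-ADTrust -Filter * -Server $domain |
            Select-Object @{ n = 'Domain'; e = { $domain } }, Name, Direction, IntraForest, ForestTransitive
    }
}

Get-ForestAuthorityReport | Sort-Object Domain, Group, Member | Format-Table -AutoSize
Get-ForestTrustReport | Format-Table -AutoSize
```

Because the slide calls the forest the security boundary, the useful review question is not "who is in Domain Admins of my domain" but "who, anywhere in the forest, can reach my domain"; the recursive membership of the two forest-root groups plus the intra-forest trust list answers that.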
Active Directory Sites
It is important for computers and services to have a way of identifying Active Directory resources that are located on the same LAN versus resources that are on a different LAN separated by a WAN connection.
Sites contain Active Directory resources that are all connected by reliable high-speed bandwidth, a minimum of 10 megabytes (MB).
Site membership is used in the logon process, as a computer attempts to locate a domain controller in its own site first; in replication; in accessing global catalogs; and in the Exchange Server 2003 messaging infrastructure.
Active Directory Schema
The schema is a definition of the types of objects that are allowed within a directory and the attributes that are associated with those objects.
These definitions must be consistent across domains in order for the security policies and access rights to function correctly.
There are two types of definitions within the schema: attributes and classes.
Attributes are defined only once, and then can be applied to multiple classes as needed.
The object classes, or metadata, are used to define objects.
A class is simply a generic framework for objects. It is a collection of attributes, such as Logon Name and Home Directory for user accounts or Description and Network Address for computer accounts.
Active Directory comes standard with a predefined set of attributes and classes that fit the needs for many network environments.
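To make the attribute/class distinction concrete, here is an added example (not from the deck; it uses the RSAT ActiveDirectory module, which is assumed to be installed) that reads the schema naming context directly. It pulls the `user` class, shows that it is a collection of attribute names (`mustContain`/`mayContain` plus the system-owned variants), then looks up two of those attributes once, as the slide says attributes are defined once and reused. It finishes with two checks a security reviewer wants from the schema: the current schema version, and which attributes are flagged confidential (searchFlags bit 0x80), since those need more than plain Read access to be returned.

```powershell
Import-Module ActiveDirectory   # RSAT ActiveDirectory module (assumed available)

$schemaNC = (Get-ADRootDSE).schemaNamingContext

function Get-SchemaClassDefinition {
    param([string]$LdapDisplayName)
    # A class is a named collection of attributes. mustContain/mayContain are the
    # ones an admin added; systemMustContain/systemMayContain are fixed by Microsoft.
    $cls = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties lDAPDisplayName, subClassOf, mustContain, mayContain, systemMustContain, systemMayContain
    [pscustomobject]@{
        Class     = $cls.lDAPDisplayName
        Parent    = $cls.subClassOf
        Mandatory = @($cls.mustContain) + @($cls.systemMustContain)
        Optional  = @($cls.mayContain)  + @($cls.systemMayContain)
    }
}

function Get-SchemaAttributeDefinition {
    param([string]$LdapDisplayName)
    # An attribute is defined exactly once; every class that lists it reuses this definition.
    Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties lDAPDisplayName, attributeSyntax, isSingleValued, isMemberOfPartialAttributeSet, searchFlags |
        Select-Object lDAPDisplayName, attributeSyntax, isSingleValued, isMemberOfPartialAttributeSet, searchFlags
}

# The slide's example: the user class, and its logon-name and home-directory attributes.
$user = Get-SchemaClassDefinition -LdapDisplayName 'user'
"user class inherits from : $($user.Parent)"
"user class attributes    : $($user.Mandatory.Count) mandatory, $($user.Optional.Count) optional"
'sAMAccountName', 'homeDirectory' |
    ForEach-Object { Get-SchemaAttributeDefinition -LdapDisplayName $_ } | Format-Table -AutoSize

# Review checks: schema version, and attributes marked confidential (searchFlags 0x80),
# found with the LDAP bitwise-AND matching rule 1.2.840.113556.1.4.803.
"schema objectVersion     : $((Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion)"
Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=128))' `
    -Properties lDAPDisplayName |
    Select-Object -ExpandProperty lDAPDisplayName
```

The `isMemberOfPartialAttributeSet` column ties this slide to the global catalog material later in the deck: only attributes with that flag set are replicated to global catalog servers.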
Organizational Units
OUs provide the ability to organize the network in a logical manner and hide the physical structure of the network from end users.
Active Directory uses a special container known as an OU to organize objects within a domain for the purpose of administration.
OUs can be used to split a domain into administrative divisions that mirror the functional or physical separations within the company.
An OU can contain user accounts, computers, printers, shared folders, applications, and any other object within the domain.
OUs can be used to separate administrative functions within a domain without granting administrative rights to the whole domain.
An OU is the smallest element to which you can assign administrative rights.
OUs can be used to delegate authority and control within a domain.
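The delegation the slide describes, as an added example that is not part of the deck: a helpdesk group is given exactly one extended right (Reset Password) on user objects beneath one OU, instead of Domain Admins membership, and the OU's explicit ACEs are then listed so the delegation can be reviewed. The OU and group names are hypothetical; the two GUIDs are the well-known Active Directory identifiers for the Reset Password control access right and the `user` object class. It assumes the RSAT ActiveDirectory module (which provides the `AD:` drive) and an account that can write the OU's security descriptor.

```powershell
Import-Module ActiveDirectory   # RSAT ActiveDirectory module (assumed available)

# Hypothetical names; replace with your own OU and helpdesk group.
$ouDN     = 'OU=Helpdesk Managed Users,DC=contoso,DC=example'
$delegate = Get-ADGroup -Identity 'Helpdesk Password Reset'
$sid      = [System.Security.Principal.SecurityIdentifier]$delegate.SID

# Well-known Active Directory GUIDs (the same in every forest):
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # 'Reset Password' control access right
$userClassGuid      = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # 'user' object class

function Grant-ResetPasswordOnOu {
    param([string]$OuDN, [System.Security.Principal.SecurityIdentifier]$Sid)
    # One extended right, applied only to user objects beneath the OU. The OU
    # itself, and the groups and computers inside it, are untouched.
    $acl = Get-Acl -Path "AD:\$OuDN"
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $resetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

function Get-OuExplicitDelegations {
    param([string]$OuDN)
    # Explicit (non-inherited) ACEs are the delegations made at this OU; review
    # them periodically so delegated rights do not quietly accumulate.
    (Get-Acl -Path "AD:\$OuDN").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritedObjectType, InheritanceType
}

Grant-ResetPasswordOnOu -OuDN $ouDN -Sid $sid
Get-OuExplicitDelegations -OuDN $ouDN | Format-Table -AutoSize
```

The inheritance type `Descendents` combined with the `user` class GUID is what keeps the grant narrow; a rule with `All` inheritance and no inherited-object GUID would also let the group reset the password of any computer or managed service account placed in that OU later.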
Global Catalogs
Domain controllers keep a complete copy of the Active Directory database for a domain, so that information about each object in the domain is readily available to users and services.
The global catalog stores partial replicas of the directories of other domains.
The catalog is stored on domain controllers that have been designated as global catalog servers.
These servers also maintain the normal database for their domain.
Function Of Global Catalog
The global catalog has two primary functions within Active Directory.
These functions relate to the logon capability and queries within Active Directory.
Within a multi-domain environment that is running in Windows 2000 Native mode or the Windows Server 2003 functional level, a global catalog is required for logging on to the network.
The global catalog provides universal group membership information for the user account that is attempting to log on to the network.
If the global catalog is not available during the logon attempt and the user account is external to the local domain, the user will only be allowed to log on to the local machine.
The global catalog maintains a subset of the directory information available within every domain in the forest.
This allows queries to be handled by the nearest global catalog, saving time and bandwidth.
If more than one domain controller is a global catalog server, the response time for the queries improves.
The disadvantage is that each additional global catalog server increases the amount of replication overhead within the network.
Global Catalog Servers
Active Directory automatically creates a global catalog on the first domain controller within a forest
Each forest requires at least one global catalog. In an environment with multiple sites, it is good practice to designate a domain controller in each site to function as a global catalog server.
While any domain controller can be configured as a global catalog server, a sense of balance is necessary when designating these servers.
As the number of global catalog servers increases, the response time to user inquiries decreases.
However, the replication requirements within the environment increase as the number of global catalog servers increases.
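The site slide earlier says a computer looks for a domain controller in its own site first, and this slide says each site should have a global catalog server. The following added example (not from the deck; it assumes the RSAT ActiveDirectory module and a domain-joined machine) serves both: it reports, per site, how many domain controllers exist and how many of them are global catalogs, flags sites where logons or Exchange lookups would have to cross the WAN, shows which site and GC the locator picks for the machine it runs on, and issues a forest-wide query against the GC port (TCP 3268) to show the partial-replica behaviour the slides describe.

```powershell
Import-Module ActiveDirectory   # RSAT ActiveDirectory module (assumed available)

function Get-SiteGlobalCatalogCoverage {
    # For every site: how many DCs it holds, how many of them are GCs, and a
    # verdict. A site without a GC sends logon and universal-group lookups,
    # and Exchange directory lookups, to another site.
    $forest = Get-ADForest
    $dcs = foreach ($domain in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $domain
    }
    foreach ($site in Get-ADReplicationSite -Filter *) {
        $inSite = @($dcs | Where-Object { $_.Site -eq $site.Name })
        $gcs    = @($inSite | Where-Object { $_.IsGlobalCatalog })
        $status = 'ok'
        if ($inSite.Count -eq 0)  { $status = 'no DC in site' }
        elseif ($gcs.Count -eq 0) { $status = 'DCs but no GC in site' }
        [pscustomobject]@{
            Site        = $site.Name
            DomainCtrls = $inSite.Count
            GlobalCats  = $gcs.Count
            GCHosts     = (@($gcs | ForEach-Object HostName) -join ', ')
            Status      = $status
        }
    }
}

Get-SiteGlobalCatalogCoverage | Format-Table -AutoSize

# Which site this machine resolved itself to (from its IP subnet), and which GC the
# locator picks for it: the locator prefers the machine's own site, as the slides say.
nltest /dsgetsite
$gc = Get-ADDomainController -Discover -Service GlobalCatalog
$gc | Select-Object HostName, Site, IsGlobalCatalog

# A GC answers forest-wide queries on TCP 3268 (3269 for LDAPS). Only attributes in the
# partial attribute set are returned, which is why address-book lookups work against a
# GC even for recipients homed in other domains.
Get-ADUser -Filter 'mail -like "*"' -Server "$($gc.HostName):3268" -Properties mail |
    Select-Object -First 5 DistinguishedName, mail
```

The trade-off the slide states (more GCs, faster queries, more replication) shows up directly in the `GlobalCats` column: the review target is usually one or two per site, not every domain controller.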
Operation Masters
Schema Master
Domain Naming Master
PDC Emulator
RID Master
Infrastructure Master
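The slide lists the five operations master roles without saying where they sit. The following added example (not from the deck; it assumes the RSAT ActiveDirectory module) reports the holder of each role, distinguishing the two forest-wide roles from the three per-domain ones, and then runs the one placement check that matters in a multi-domain forest: the Infrastructure Master must not be a global catalog server unless every domain controller in that domain is one, because otherwise it never notices stale cross-domain references and stops updating them.

```powershell
Import-Module ActiveDirectory   # RSAT ActiveDirectory module (assumed available)

function Get-OperationsMasterReport {
    # Schema Master and Domain Naming Master: one holder per forest.
    # PDC Emulator, RID Master, Infrastructure Master: one holder per domain.
    $forest = Get-ADForest
    [pscustomobject]@{ Scope = 'forest'; Role = 'Schema Master';        Holder = $forest.SchemaMaster }
    [pscustomobject]@{ Scope = 'forest'; Role = 'Domain Naming Master'; Holder = $forest.DomainNamingMaster }
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        [pscustomobject]@{ Scope = $domainName; Role = 'PDC Emulator';          Holder = $domain.PDCEmulator }
        [pscustomobject]@{ Scope = $domainName; Role = 'RID Master';            Holder = $domain.RIDMaster }
        [pscustomobject]@{ Scope = $domainName; Role = 'Infrastructure Master'; Holder = $domain.InfrastructureMaster }
    }
}

function Test-InfrastructureMasterPlacement {
    # Flags domains where the Infrastructure Master is a GC while other DCs are not.
    foreach ($domainName in (Get-ADForest).Domains) {
        $domain  = Get-ADDomain -Identity $domainName
        $dcs     = @(Get-ADDomainController -Filter * -Server $domainName)
        $gcCount = @($dcs | Where-Object { $_.IsGlobalCatalog }).Count
        $im      = Get-ADDomainController -Identity $domain.InfrastructureMaster -Server $domainName
        [pscustomobject]@{
            Domain      = $domainName
            IMHolder    = $im.HostName
            IMIsGC      = $im.IsGlobalCatalog
            AllDCsAreGC = ($gcCount -eq $dcs.Count)
            Ok          = (-not $im.IsGlobalCatalog) -or ($gcCount -eq $dcs.Count)
        }
    }
}

Get-OperationsMasterReport       | Format-Table -AutoSize
Test-InfrastructureMasterPlacement | Format-Table -AutoSize
```

The same holder list is available from the command line as `netdom query fsmo`; the PowerShell form is used here because it produces objects the placement test can reason over.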
Lesson 2: Exchange Server 2003 Integration with Active Directory
Naming Contexts
Global Catalog Integration
Active Directory Group Integration
Naming Contexts
Domain
Configuration
Schema
Domain
The domain naming context is where all the domain objects for Exchange Server 2003 are stored.
Objects include recipient objects such as users, groups, and contacts.
Exchange Server 2003 extends the attributes of these objects.
In Exchange Server 2003, mailboxes and Active Directory user accounts are not separate objects.
Configuration
The configuration naming context stores information about the physical structure of the Exchange organization, such as routing groups and connectors.
Active Directory replicates this data to all domain controllers in the forest; the forest therefore marks the security boundary of an Exchange organization.
Schema
The schema naming context contains information about all of the object classes and their attributes that can be stored in Active Directory.
This data is replicated to all domain controllers in a forest.
During the deployment of Exchange Server 2003, the Active Directory schema is extended to include the classes and attributes specific to Exchange Server 2003.
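The three naming-context slides above (Domain, Configuration, Schema) map directly onto the three partitions a domain controller exposes through its RootDSE. The following added example (not from the deck; it assumes the RSAT ActiveDirectory module and a forest whose schema has been extended by Exchange setup) reads the three partition names and then shows what Exchange keeps in each: mail-enabled recipients in the domain partition, the organization with its routing groups and connectors in the configuration partition, and the Exchange classes and attributes in the schema partition. `msExchOrganizationContainer`, `msExchRoutingGroup`, `msExchRoutingSMTPConnector`, `mailNickname` and `homeMDB` are Exchange schema names; the final ACL review follows from the slide's point that the configuration partition is forest-wide.

```powershell
Import-Module ActiveDirectory   # RSAT ActiveDirectory module (assumed available)

$rootDse  = Get-ADRootDSE
$domainNC = $rootDse.defaultNamingContext          # domain NC: users, groups, contacts
$configNC = $rootDse.configurationNamingContext    # configuration NC: forest-wide; the Exchange org lives here
$schemaNC = $rootDse.schemaNamingContext           # schema NC: forest-wide; extended by Exchange setup

"Domain NC        : $domainNC"
"Configuration NC : $configNC"
"Schema NC        : $schemaNC"

# 1. Domain NC: mail-enabled recipients. A mailbox is not a separate object; it is a
#    user carrying Exchange attributes such as mailNickname (alias) and homeMDB (store).
Get-ADObject -SearchBase $domainNC -LDAPFilter '(&(objectCategory=person)(mailNickname=*))' `
    -Properties mail, mailNickname, homeMDB |
    Select-Object -First 10 Name, mail, mailNickname, homeMDB

# 2. Configuration NC: the Exchange organization, its routing groups and connectors.
$exchServices = "CN=Microsoft Exchange,CN=Services,$configNC"
$org = Get-ADObject -SearchBase $exchServices -LDAPFilter '(objectClass=msExchOrganizationContainer)' `
    -ErrorAction SilentlyContinue
if ($org) {
    "Exchange organization: $($org.Name)"
    Get-ADObject -SearchBase $org.DistinguishedName `
        -LDAPFilter '(|(objectClass=msExchRoutingGroup)(objectClass=msExchRoutingSMTPConnector))' |
        Select-Object Name, ObjectClass

    # Because this partition replicates to every DC in the forest, whoever can write the
    # organization container controls Exchange everywhere: list explicit write-class ACEs.
    (Get-Acl -Path "AD:\$($org.DistinguishedName)").Access |
        Where-Object { -not $_.IsInherited -and $_.ActiveDirectoryRights -match 'Write|GenericAll' } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType | Format-Table -AutoSize
} else {
    "No Exchange organization found under $exchServices"
}

# 3. Schema NC: the classes and attributes Exchange setup added (all prefixed msExch).
$exchClasses = @(Get-ADObject -SearchBase $schemaNC -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=msExch*))')
$exchAttrs   = @(Get-ADObject -SearchBase $schemaNC -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=msExch*))')
"Exchange schema classes: $($exchClasses.Count), attributes: $($exchAttrs.Count)"
```

The `-match 'Write|GenericAll'` filter catches WriteProperty, GenericWrite, WriteDacl and WriteOwner as well as full control; on a healthy organization container the explicit entries should be the Exchange administrative groups and nothing else.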
Global Catalog Integration
Exchange Server 2003 uses two services to access the global catalog:
DSProxy
DSAccess
DSProxy
While Microsoft Outlook 2000 and 2003 clients can access a global catalog directly, other clients cannot.
Exchange Server 2003 provides a proxy service called DSProxy to function as an intermediary between the client and the global catalog.
DSProxy works as a facilitator to allow Outlook clients to access information within Active Directory through the Name Service Provider Interface (NSPI).
The DSProxy service supports older Messaging Application Programming Interface (MAPI) clients by forwarding requests directly from the client to the global catalog server.
DSProxy does not examine the request; instead, it blindly forwards the request and then returns the results.
The process is transparent to the user.
DSAccess
Exchange Server 2003 shares global catalog functionality with other Active Directory services, so it is important to reduce the impact of Exchange Server 2003 queries.
DSAccess implements a directory access cache that stores recently accessed information for a configurable length of time.
This reduces the number of queries made to global catalog servers.
Increasing the cache and timeout period too much can cause problems with out-of-date data, while a cache that is too small and a short timeout period can cause performance problems, as well.
Active Directory Group Integration
The use of security groups and distribution groups is another feature in which Exchange Server 2003 integrates with Active Directory.
Versions of Exchange Server prior to Exchange Server 2000 maintained their own distribution lists, which contained recipients that were members of the Exchange organization.
These distribution lists existed only within Exchange and were unrelated to the Windows user accounts database.
Exchange Server 2003 does not maintain its own distribution lists.
Active Directory security groups and distribution groups are extended to support e-mail addresses.
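Because Exchange 2003 mail-enables ordinary Active Directory groups rather than keeping its own lists, one group object can be both an ACL principal and a mail recipient. The following added example (not from the deck; it assumes the RSAT ActiveDirectory module and an Exchange-extended forest) lists every mail-enabled group, decodes the `groupType` bit field to tell security groups from distribution groups and to recover the scope, and then singles out the mail-enabled security groups, whose membership changes alter data access as well as mail delivery. `msExchRequireAuthToSendTo` is the Exchange attribute behind the "from authenticated users only" delivery restriction.

```powershell
Import-Module ActiveDirectory   # RSAT ActiveDirectory module (assumed available)

# groupType is a bit field: 0x80000000 (ADS_GROUP_TYPE_SECURITY_ENABLED) separates a
# security group from a distribution group; the low bits encode the scope.
$SECURITY_ENABLED = 0x80000000
$SCOPE = @{ 0x2 = 'Global'; 0x4 = 'DomainLocal'; 0x8 = 'Universal' }

function Get-MailEnabledGroupReport {
    Get-ADGroup -LDAPFilter '(mail=*)' -Properties mail, mailNickname, groupType, msExchRequireAuthToSendTo, member |
        ForEach-Object {
            $type      = [int64]$_.groupType
            $kind      = if (($type -band $SECURITY_ENABLED) -ne 0) { 'security' } else { 'distribution' }
            $scopeBits = [int]($type -band 0xE)
            [pscustomobject]@{
                Name            = $_.Name
                Mail            = $_.mail
                Alias           = $_.mailNickname
                Kind            = $kind
                Scope           = $SCOPE[$scopeBits]
                Members         = @($_.member).Count
                AuthOnlySenders = [bool]$_.msExchRequireAuthToSendTo
            }
        }
}

$report = Get-MailEnabledGroupReport
$report | Sort-Object Kind, Name | Format-Table -AutoSize

# Mail-enabled security groups carry both an e-mail identity and ACL rights, so a
# membership change made "to fix mail" also changes who can open protected resources.
"Mail-enabled security groups:"
$report | Where-Object { $_.Kind -eq 'security' } | Select-Object Name, Mail, Scope, Members
```

A distribution group that is not required to be authenticated-senders-only (`AuthOnlySenders` false) accepts mail from the Internet; that is a convenience for external contacts and a spam and phishing amplifier for everyone else, which ties back to the RBL and antivirus features discussed under SMTP in the next lesson.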
Lesson 3: Exchange Server 2003 and Windows Server 2003 Protocols and Services Integration
Exchange Server 2003 and IIS 6
SMTP
NNTP
World Wide Web Service
SMTP
Unlike Exchange Server 5.5 and earlier versions, Exchange Server 2003 does not provide its own SMTP services.
Windows 2000 Server and Windows Server 2003 include a core SMTP service with IIS 5 and 6, respectively, and Exchange Server 2003 relies on this service to provide e-mail services.
Exchange simply extends the built-in SMTP service to provide the necessary additional functionality.
Windows Server 2003 also includes a Post Office Protocol 3 (POP3) service, which is listed in the Windows Components Wizard as Email Services.
Exchange Server 2003 adds native support for Real-Time Blacklists (RBLs) and improved antivirus support.
Fighting spam and viruses is a time-consuming process for administrators, and the enhanced functionality eases the administrative burden.
NNTP
Exchange Server 2003 also relies on the IIS built-in NNTP service.
The NNTP service provides user access to newsgroups either internally or on the Internet.
Access to newsgroups is made available through Exchange Server 2003 public folders, with security configured through the Exchange Server 2003 organization.
The NNTP service is also useful for sharing public folders between organizations.
Exchange Server 2003 does not modify or extend the IIS NNTP service, as it does the SMTP service.
World Wide Web Service
OWA integrates into IIS and doesn't even have to be installed on the same server as Exchange Server 2003.
Because of the integration, services can be installed almost anywhere within Active Directory, providing flexibility and a very scalable messaging solution.
OWA provides client access to an Exchange mailbox through a Web browser.
The HTTP protocol, which is part of the World Wide Web Service, is the transport used for OWA functionality.
A new feature exclusive to Exchange Server 2003 running on Windows Server 2003 is the ability to use Outlook 2003 to connect to Exchange Server 2003 servers using the HTTP protocol.
This is known as RPC over HTTP.
In previous versions of Exchange Server and IIS, if a remote user needed to connect to a corporate Exchange server using the Outlook client rather than OWA, they would have to establish a virtual private network (VPN) connection first.
This was because the communication between the client and server took place only over remote procedure call (RPC).
Another requirement for client computers to use RPC over HTTP is that they must be running Windows XP Professional SP1 or later.
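Lesson 3 makes the point that Exchange 2003 does not ship its own SMTP, NNTP or web stack but rides on the IIS services of the operating system, so the attack surface of an Exchange server is partly the attack surface of those Windows services. The following added example (not from the deck) inventories them from the server's point of view and checks them from a client's. The Windows service names SMTPSVC, NntpSvc, W3SVC and POP3SVC are what the IIS SMTP, IIS NNTP, World Wide Web and Windows Server 2003 POP3 services register as; `Get-Service` with `-ErrorAction SilentlyContinue` tolerates any that are absent. The server name is hypothetical, and the RPC over HTTP probe assumes the standard `/rpc/rpcproxy.dll` endpoint of the RPC proxy.

```powershell
# Windows service names for the IIS-provided protocols Exchange 2003 relies on, plus the
# optional Windows Server 2003 POP3 service (installed as the "Email Services" component).
$services = [ordered]@{
    'SMTPSVC' = 'IIS SMTP service (extended by Exchange)'
    'NntpSvc' = 'IIS NNTP service (needed only for newsgroups / NNTP public-folder sharing)'
    'W3SVC'   = 'World Wide Web service (OWA, RPC over HTTP)'
    'POP3SVC' = 'Windows Server 2003 POP3 service'
}

function Get-MessagingServiceState {
    # Run on the Exchange server itself. An NNTP or POP3 service running where no one
    # uses newsgroups or POP3 is listening surface with no owner.
    foreach ($name in $services.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service   = $name
            Purpose   = $services[$name]
            Installed = [bool]$svc
            Status    = if ($svc) { $svc.Status }    else { 'not installed' }
            StartType = if ($svc) { $svc.StartType } else { '' }
        }
    }
}

Get-MessagingServiceState | Format-Table -AutoSize

# Client-side view: which of the protocol ports answer (hypothetical host name).
$exchangeHost = 'mail.contoso.example'
foreach ($port in 25, 119, 80, 443) {
    $r = Test-NetConnection -ComputerName $exchangeHost -Port $port -WarningAction SilentlyContinue
    '{0}:{1} open={2}' -f $exchangeHost, $port, $r.TcpTestSucceeded
}

# RPC over HTTP: Outlook 2003 reaches /rpc/rpcproxy.dll on the front-end over HTTPS. An
# unauthenticated request should be refused (HTTP 401); that is the healthy state, since
# the proxy must never forward RPC traffic for a caller IIS has not authenticated.
try {
    Invoke-WebRequest -Uri "https://$exchangeHost/rpc/rpcproxy.dll" -Method Head -UseBasicParsing | Out-Null
    'rpcproxy answered without demanding authentication: review the /rpc virtual directory settings'
} catch {
    "rpcproxy response: HTTP $($_.Exception.Response.StatusCode.value__)"
}
```

The port loop deliberately includes 119: the NNTP slide says Exchange neither modifies nor extends that service, so if it answers on a server that shares no public folders over NNTP, nothing in the Exchange organization is protecting it and it can simply be disabled.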
Design & Published by: CMS Institute, Design & Development Centre, CMS House, Plot No. 91, Street No.7,
MIDC, Marol, Andheri (E), Mumbai 400093, Tel: 91-22-28216511, 28329198
Email: [email protected]
www.cmsinstitute.co.in