01 Microsoft Exchange Server 2003 and Active Directory

Upload: gautam-thombre

Post on 16-Oct-2015


TRANSCRIPT

  • Revision no.: PPT/2K403/02

    Microsoft Exchange Server 2003 and Active Directory

    (70-284)

    CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute

    Lesson 1: Overview of Active Directory

    Active Directory Forests and Domains

    Active Directory Sites

    Active Directory Schema

    Organizational Units

    Global Catalogs

    Operation Masters

    Active Directory Forests and Domains

    The forest is the primary security boundary.

    A forest contains domain trees, and a forest can have multiple trees.

    The first domain created is the forest root domain.

    Domains in Active Directory are represented by DNS names rather than NetBIOS names.

    Regardless of the number of domain trees in a forest, there is centralized administration at the forest level with permissions to all domain trees.

    Active Directory Forests and Domains (continued)

    Each forest has an Enterprise Admins group as well as a Schema Admins group. Members of these groups have authority over all the domain trees in the forest.

    Each domain has a Domain Admins group, and administrators in a parent domain automatically have administrative permissions to all child domains through automatic transitive trust relationships.

    Active Directory Sites

    It is important for computers and services to have a way of identifying Active Directory resources that are located on the same LAN versus resources that are on a different LAN separated by a WAN connection.

    Sites contain Active Directory resources that are all connected by reliable high-speed bandwidth, a minimum of 10 megabytes (MB).

    Site membership is used in the logon process, as a computer attempts to locate a domain controller in its own site first; in replication; in accessing global catalogs; and in the Exchange Server 2003 messaging infrastructure.

    Active Directory Schema

    The schema is a definition of the types of objects that are allowed within a directory and the attributes that are associated with those objects.

    These definitions must be consistent across domains in order for the security policies and access rights to function correctly.

    There are two types of definitions within the schema:

    Attributes

    Classes

    Active Directory Schema (continued)

    Attributes are defined only once, and can then be applied to multiple classes as needed.

    The object classes, or metadata, are used to define objects.

    A class is simply a generic framework for objects. It is a collection of attributes, such as Logon Name and Home Directory for user accounts or Description and Network Address for computer accounts.

    Active Directory comes standard with a predefined set of attributes and classes that fit the needs of many network environments.

    Organizational Units

    OUs provide the ability to organize the network in a logical manner and hide the physical structure of the network from end users.

    Active Directory uses a special container known as an OU to organize objects within a domain for the purpose of administration.

    OUs can be used to split a domain into administrative divisions that mirror the functional or physical separations within the company.

    Organizational Units (continued)

    An OU can contain user accounts, computers, printers, shared folders, applications, and any other object within the domain.

    OUs can be used to separate administrative functions within a domain without granting administrative rights to the whole domain.

    An OU is the smallest element to which you can assign administrative rights.

    OUs can be used to delegate authority and control within a domain.

    Global Catalogs

    Domain controllers keep a complete copy of the Active Directory database for a domain, so that information about each object in the domain is readily available to users and services.

    The global catalog stores partial replicas of the directories of other domains.

    The catalog is stored on domain controllers that have been designated as global catalog servers.

    These servers also maintain the normal database for their domain.

    Functions of the Global Catalog

    The global catalog has two primary functions within Active Directory.

    These functions relate to the logon capability and queries within Active Directory.

    Within a multi-domain environment that is running in Windows 2000 Native mode or at the Windows Server 2003 functional level, a global catalog is required for logging on to the network.

    The global catalog provides universal group membership information for the user account that is attempting to log on to the network.

    If the global catalog is not available during the logon attempt and the user account is external to the local domain, the user will only be allowed to log on to the local machine.

    Functions of the Global Catalog (continued)

    The global catalog maintains a subset of the directory information available within every domain in the forest.

    This allows queries to be handled by the nearest global catalog, saving time and bandwidth.

    If more than one domain controller is a global catalog server, the response time for queries improves.

    The disadvantage is that each additional global catalog server increases the amount of replication overhead within the network.

    Global Catalog Servers

    Active Directory automatically creates a global catalog on the first domain controller within a forest.

    Each forest requires at least one global catalog. In an environment with multiple sites, it is good practice to designate a domain controller in each site to function as a global catalog server.

    While any domain controller can be configured as a global catalog server, a sense of balance is necessary when designating these servers.

    As the number of global catalog servers increases, the response time to user queries decreases.

    However, the replication requirements within the environment increase as the number of global catalog servers increases.

    Operation Masters

    Schema Master

    Domain Naming Master

    PDC Emulator

    RID Master

    Infrastructure Master

    Lesson 2: Exchange Server 2003 Integration with Active Directory

    Naming Contexts

    Global Catalog Integration

    Active Directory Group Integration

    Naming Contexts

    Domain

    Configuration

    Schema

    Domain

    The domain naming context is where all the domain objects for Exchange Server 2003 are stored.

    Objects include recipient objects such as users, groups, and contacts.

    Exchange Server 2003 extends the attributes of these objects.

    In Exchange Server 2003, mailboxes and Active Directory user accounts are not separate objects.

    Configuration

    The configuration naming context stores information about the physical structure of the Exchange organization, such as routing groups and connectors.

    Active Directory replicates this data to all domain controllers in the forest, which marks the security boundary of an Exchange organization.

    Schema

    The schema naming context contains information about all of the object classes and their attributes that can be stored in Active Directory.

    This data is replicated to all domain controllers in a forest.

    During the deployment of Exchange Server 2003, the Active Directory schema is extended to include the classes and attributes specific to Exchange Server 2003.

    Global Catalog Integration

    Exchange Server 2003 uses two services to access the global catalog:

    DSProxy

    DSAccess

    DSProxy

    While Microsoft Outlook 2000 and 2003 clients can access a global catalog directly, other clients cannot.

    Exchange Server 2003 provides a proxy service called DSProxy to function as an intermediary between the client and the global catalog.

    DSProxy works as a facilitator to allow Outlook clients to access information within Active Directory through the Name Service Provider Interface (NSPI).

    The DSProxy service supports older Messaging Application Programming Interface (MAPI) clients by forwarding requests directly from the client to the global catalog server.

    DSProxy does not examine the request; instead, it blindly forwards the request and then returns the results.

    The process is transparent to the user.

    DSAccess

    Exchange Server 2003 shares global catalog functionality with other Active Directory services, so it is important to reduce the impact of Exchange Server 2003 queries.

    DSAccess implements a directory access cache that stores recently accessed information for a configurable length of time.

    This reduces the number of queries made to global catalog servers.

    Increasing the cache and timeout period too much can cause problems with out-of-date data, while a cache that is too small and a short timeout period can cause performance problems as well.
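To make the cache/timeout trade-off on this slide concrete, here is a small Python model of a DSAccess-style directory access cache; it is an added example, not code from the course or from Exchange, and the recipient DN, the mail values and the time of the directory change are constructed.

```python
import time
from typing import Any, Callable, Dict, Tuple


class DirectoryAccessCache:
    """Model of a DSAccess-style cache in front of a global catalog.

    A value fetched from the GC is reused for `ttl` seconds. Within that
    window no GC query is made, so a change in the directory stays
    invisible to callers until the cached entry expires.
    """

    def __init__(self, gc_lookup: Callable[[str], Any], ttl: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.gc_lookup = gc_lookup      # the "real" global catalog query
        self.ttl = ttl                  # configurable cache timeout (seconds)
        self.clock = clock              # injectable clock for simulation
        self.entries: Dict[str, Tuple[float, Any]] = {}
        self.gc_queries = 0             # how often the GC is actually queried

    def get(self, dn: str) -> Any:
        now = self.clock()
        hit = self.entries.get(dn)
        if hit is not None and now - hit[0] < self.ttl:
            return hit[1]               # served from cache, possibly stale
        self.gc_queries += 1
        value = self.gc_lookup(dn)
        self.entries[dn] = (now, value)
        return value


def simulate(ttl: float, change_at: float = 5.0, reads: int = 10) -> Tuple[int, int]:
    """Read one recipient's mail attribute once per second for `reads` seconds.

    The constructed directory changes the attribute at t = change_at.
    Returns (gc_queries, stale_reads): GC load versus out-of-date answers.
    """
    now = [0.0]                         # simulated clock, advanced by the loop
    dn = "CN=Alice,CN=Users,DC=example,DC=com"   # constructed recipient DN

    def directory_lookup(_dn: str) -> str:
        return "alice@example.com" if now[0] < change_at else "alice.smith@example.com"

    cache = DirectoryAccessCache(directory_lookup, ttl, clock=lambda: now[0])
    stale = 0
    for t in range(reads):
        now[0] = float(t)
        if cache.get(dn) != directory_lookup(dn):
            stale += 1                  # cache answered with the old address
    return cache.gc_queries, stale


if __name__ == "__main__":
    for ttl in (0.0, 3.0, 10.0):
        queries, stale = simulate(ttl)
        print(f"ttl={ttl:>4}: {queries} GC queries, {stale} stale reads")
```

A timeout of 0 queries the GC on every read and is never stale, a timeout longer than the run queries once but returns the old address for every read after the change, and an intermediate timeout lands in between on both counts.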

    Active Directory Group Integration

    The use of security groups and distribution groups is another feature in which Exchange Server 2003 integrates with Active Directory.

    Versions of Exchange Server prior to Exchange Server 2000 maintained their own distribution lists, which contained recipients that were members of the Exchange organization.

    These distribution lists existed only within Exchange and were unrelated to the Windows user accounts database.

    Exchange Server 2003 does not maintain its own distribution lists.

    Active Directory security groups and distribution groups are extended to support e-mail addresses.

    Lesson 3: Exchange Server 2003 and Windows Server 2003 Protocols and Services Integration

    Exchange Server 2003 and IIS 6

    SMTP

    NNTP

    World Wide Web Service

    SMTP

    Unlike Exchange Server 5.5 and earlier versions, Exchange Server 2003 does not provide its own SMTP services.

    Windows 2000 Server and Windows Server 2003 include a core SMTP service with IIS 5 and 6, respectively, and Exchange Server 2003 relies on this service to provide e-mail services.

    Exchange simply extends the built-in SMTP service to provide the necessary additional functionality.

    Windows Server 2003 also includes a Post Office Protocol 3 (POP3) service, which is listed in the Windows Components Wizard as Email Services.

    Exchange Server 2003 adds native support for Real-Time Blacklists (RBLs) and improved antivirus support.

    Fighting spam and viruses is a time-consuming process for administrators, and the enhanced functionality eases the administrative burden.

    NNTP

    Exchange Server 2003 also relies on the IIS built-in NNTP service.

    The NNTP service provides user access to newsgroups either internally or on the Internet.

    Access to newsgroups is made available through Exchange Server 2003 public folders, with security configured through the Exchange Server 2003 organization.

    The NNTP service is also useful for sharing public folders between organizations.

    Exchange Server 2003 does not modify or extend the IIS NNTP service, as it does the SMTP service.

    World Wide Web Service

    OWA integrates into IIS and doesn't even have to be installed on the same server as Exchange Server 2003.

    Because of this integration, services can be installed almost anywhere within Active Directory, providing flexibility and a very scalable messaging solution.

    OWA provides client access to an Exchange mailbox through a Web browser.

    The HTTP protocol, which is part of the World Wide Web Service, is the transport used for OWA functionality.

    World Wide Web Service (continued)

    A new feature exclusive to Exchange Server 2003 running on Windows Server 2003 is the ability to use Outlook 2003 to connect to Exchange Server 2003 servers using the HTTP protocol.

    This is known as RPC over HTTP. In previous versions of Exchange Server and IIS, if a remote user needed to connect to a corporate Exchange server using the Outlook client rather than OWA, they would have to establish a virtual private network (VPN) connection first.

    This was because the communication between the client and server took place only over remote procedure call (RPC).

    Another requirement for client computers to use RPC over HTTP is that they must be running Windows XP Professional SP1 or later.

    Design & Published by: CMS Institute, Design & Development Centre, CMS House, Plot No. 91, Street No.7, MIDC, Marol, Andheri (E), Mumbai 400093, Tel: 91-22-28216511, 28329198

    Email: [email protected]

    www.cmsinstitute.co.in