
									The Expert's Guide for Exchange 2003
Preparing for, Moving to, and Supporting Exchange Server 2003
by Steve Bryant


Contents

Chapter 1: Exchange 2003 and Active Directory
  Sidebar: The Flood of Electronic Communications and You
  Exchange Server 2003: New Features
    Single Sign-on
    Sidebar: Exchange Licensing
    Collaboration
    Mobile and Remote Access
    Microsoft Outlook Client
    Sidebar: Outlook 2003 License for Free
    Other Exchange 2003 Improvements
  The Importance of Windows 2003
  Exchange 2003 and AD
    AD Domains
    Sidebar: ADSI Edit and the Support Tools
    Global Catalog
    Sidebar: Manually changing the Directory Access List
    Enabling GC Services on a DC
  Next: Preparing for Exchange 2003


Chapter 1: Exchange 2003 and Active Directory
Welcome to my world, a thriving terrain of technological wizardry where, for the past 6 years, I’ve engaged the synergies of Microsoft Exchange Server and Active Directory (AD) as a swash-buckling infrastructure architect. At least, that’s how I like to imagine it. It’s a world with which you’re probably familiar, given that you’re reading The Expert’s Guide for Exchange 2003. Or perhaps it’s a world you want to know better because you’re making the move from another messaging platform. Or perhaps you’re totally new to Exchange and want to begin learning about it. Whatever your reasons for reading this book, I believe I can offer some useful information and examples in the pages that follow. Each chapter will offer a short introduction to its main topics. After brief background information, I’ll move into more detailed discussions until you and I are swimming in VBScripts, useful charts, and other forms of techno-bliss. Finally, each chapter will offer references and links to other materials for your further research.

The Expert’s Guide for Exchange 2003: Preparing for, Moving to, and Supporting Exchange Server 2003 educates email administrators and systems managers about the best methods for migrating to and managing an Exchange 2003 environment. Core concerns include configuration management, accounting, and monitoring performance with an eye toward migration, consolidation, security, and management. The brief chapter notations that follow provide an overview of some of each chapter’s topics.
Chapter 1: Exchange 2003 and Active Directory
  New features drive migration projects
    - Single sign-on (SSO), collaboration, mobile and remote access
    - New features in the Outlook client
    - Free with Exchange 2003 Client Access License (CAL)
    - Better performance over slow links
  Features introduced with Exchange 2000
  Features new with Exchange 2003
  The importance of Windows Server 2003 (Windows 2003)
  Exchange 2003 and AD

Chapter 2: Preparing Your Domain Services
  Prerequisites you know
  Requirements you might not know
  AD planning
  Domain cleanup and consolidation options
  Why a cleaner AD gives you more options

Brought to you by Aelita and Windows & .NET Magazine eBooks



Chapter 3: Consolidating Your Exchange Services
  Why so many Exchange 5.5 sites exist
  Site consolidation
    - Site consolidation before Exchange 2003 migration
    - Site consolidation after Exchange 2003 migration
    - Strategies for and impact of each option
  Server placement strategies – remote and small offices
    - Outlook performance over slow links
    - Remote users
  Server sizing
  Cluster and fault-tolerance options

Chapter 4: Database Strategies and Server Sizing
  Stores – Why you should have more
    - Strategies for stores
  Archives
    - Strategies and options
  Load balancing options
  Disaster recovery options
    - Volume Shadow Copy
    - Recovery Storage Group
    - Brick-Level Backup – Benefits and Issues
    - ExMerge, Offline Recovery and other Backup and Recovery options
    - IIS Metabase recovery options
    - Backup and Restore Performance
    - Best Practices

Chapter 5: Multiple Directories
  Why you might need multiple directories
    - Need for high security
    - Merger, de-merger
  Microsoft Identity Integration Server 2003
    - Interorg replication
    - Collaboration using Internet standards
  Co-existence and migration from other messaging environments
    - Lotus Notes
    - GroupWise

Chapter 6: The Exchange Client
  Outlook Deployment
  Performance over slow links
  Installation scripting and profile management
  Mobile Implementation
  Collaborative integration with other applications



Chapter 7: Administration Best Practices
  Server maintenance
  Database maintenance
  Redundancy on various levels
  Antivirus and spam fighting tools and techniques
  Securing SMTP, POP, IMAP, LDAP
    - Securing Outlook client sessions
  Tracking tools and benefits of message tracking
  Monitoring and tracing SMTP messages
  Monitoring queues and verifying message routing

Chapter 8: Security, Auditing, and Logging
  Allowing access while maintaining security
    - Securing the message stream
    - Securing account identity
    - Securing the message
  Monitoring the server for suspicious behavior
  Logging options and alerts

Unlike many available Exchange 2003 books, The Expert’s Guide for Exchange 2003 is new, written from scratch, not “upgraded” from a previous Exchange book. The subject matter is fresh – you’ll find no “leftovers.” You already know that Microsoft has made improvements to the Exchange Server product. I want to get to the particulars, because I know the differences are incredible. My priority is to sway the remaining Exchange 5.5 shops toward Exchange 2003. In fact, if you are one of those considering the move, I feel compelled to offer you a little pep rally. You’ll find it in “The Flood of Electronic Communications and You.”




The Flood of Electronic Communications and You
With our first foray into numbers, I hope you will indulge me a few comments about why your job is so vital. In September 2000, IDC predicted in report 23011 that by 2005 we would see nearly 35 billion email messages per day. The report compared the deluge of messages to “heavy rain.” In September 2003, researchers estimated that 31 billion messages were sent daily. This unexpected surge in volume growth occurred for a number of reasons: Most businesses quickly accepted email as a primary communication method; people soon began to send an unprecedented number of unsolicited messages; and, unfortunately, virus outbreaks swelled the number of messages. The idea that I can email my kid’s teachers and communicate with local government officials through email no longer feels strange. And it’s going to get even better (or worse, depending on how you look at it). A newer report from IDC indicates that we might see 60 billion email messages daily by 2006. From that number, only 31 billion are predicted to be person-to-person, while the balance will be from virus outbreaks, unsolicited mail and alerts. The IDC Doc #27975 (at also describes how email is used – and points out that browser-based access will continue to grow in popularity. The newer report likened the flow of messages to “water flowing out of a hose” and suggested that communications such as the Internet Mail Service (IMS), wireless, and alerts, will be used more often to help sort through the “growing currents of content.”

Exchange Server 2003: New Features
The single most important driving force behind migration is the set of new features that Exchange Server 2003 offers. They include single sign-on (SSO), collaboration, mobile and remote access, and the Outlook client.

Single Sign-On
One of the most important advantages you get with Exchange Server 2003 is the capability of single sign-on (SSO). Exchange Server 2003 doesn’t provide logon accounts or a security database; each Exchange Server 2003 mailbox is associated with a unique AD user object. Users who authenticate to AD for logon scripts and access to files, printers, and the network need not log on again for email. Exchange mailboxes are stored in a database; access to that database and to its folders is controlled by access control lists (ACLs) that reference AD accounts. In simple terms: 1 Exchange mailbox = 1 AD user account. Microsoft has changed Exchange licensing over time, with the price of the Enterprise edition increasing. Microsoft has also restructured client licensing. “Exchange Licensing” gives you an overview of current licensing policies.




Exchange Licensing
Exchange licensing has changed over the years. The price of the Standard edition continues to decrease while the price of the Enterprise edition increases. At the time of this writing, the cost of a Standard Exchange 2003 Server license is $699 and the cost of an Enterprise license is $3999. Both versions offer an “unlimited” number of mailboxes, Outlook Web Access (OWA), front-end server functionality, support for mobile devices and connectors for SMTP, GroupWise, and Lotus Notes. The Enterprise edition supports multiple message stores with limits above 16GB. Moreover, it provides support for clustering and X.400. Client licensing has also been restructured. An AD Client Access License (CAL) is still required for each mailbox (because Exchange requires an AD account), but you have a new alternative to User CALs for Exchange. In the past you had to have an AD CAL and an Exchange 2000 User CAL for each mailbox. This model is still the best approach if you expect your users to connect to the Exchange Server from their desktops or from mobile devices. If, however, your company or solution requires that people access their email from kiosks or centrally located terminals, you might be better off with the new Device CAL. The Device CAL retails for the same $67 as the User CAL, but you need to buy only one for each device. For example, suppose you run a company that has only 50 computers but 200 people. Everyone shares machines and OWA is your standard desktop. In this scenario, you could use one AD account for all 200 people and 50 Device CALs. In some cases, this approach could save quite a bit of money ($10,050, in this example.)

As you consider Exchange 2003, you’ll need to choose between the Standard and Enterprise editions. Table 1.1 compares the features of the two editions.
Table 1.1 Exchange Server 2003 versions

Feature                                     Exchange 2003 Standard   Exchange 2003 Enterprise
Up to 20 databases                                                   ✓
Clustering support                                                   ✓
X.400 connector                                                      ✓
Database Storage Limit                      16GB                     16TB
Database snapshot                           ✓                        ✓
Front-end server capability                 ✓                        ✓
Outlook Mobile Access (OMA) and ActiveSync  ✓                        ✓
RPC compression                             ✓                        ✓
Recovery Storage Group                      ✓                        ✓
Exchange Management Pack (MOM)              ✓                        ✓




Collaboration
Collaboration is one of the most broadly applied, if not abused, terms in our industry. I’d like to set a clear context for what I have to say. First, I think most of you will agree that Microsoft products generally work well with each other. Microsoft Office products interact well with Exchange Server. You can easily apply form letters in Microsoft Word to email messages and merge the results with entries from the contact list in Outlook. Nearly every Office product can “Send to Mail Recipient.” However, the real power of Microsoft collaboration comes in other, more advanced tools, such as SharePoint Portal Server 2003 (SPS), Project Central, Business Contact Manager, and integration with Information Rights Management. Microsoft Project takes collaboration a step further with the ability to email updates to project teams. By implementing Microsoft Project Server 2003 with Exchange and Outlook, project team members can use the Outlook client to check tasks and report their time. SharePoint Portal Server 2003 supports Exchange with webparts. Therefore, you can build SharePoint sites with access to your inbox, calendar, and tasks applications. Even better is the option to use SPS as the file repository for email attachments. Outlook 2003 has built-in support for sending attachments through SPS. Files stored by SPS are then indexed, categorized, and secured outside the Exchange environment, allowing faster backup and restoration of the Exchange environment and better management of your business intelligence. Integration with CRM applications and Information Rights Management will be detailed later in the book with specific examples and a feature list. I will also provide a sample installation diagram and discuss both the integration and configuration.

Mobile and Remote Access
One of the interesting projections emerging from email trending statistics is that browsers will become the predominant method of access. Microsoft designed the Exchange 2003 (and Exchange 2000) store for access directly through WWW Distributed Authoring and Versioning (WebDAV) – to provide secured access to information without translation processes or message reformatting. Outlook Web Access (OWA) 2003 provides the same look and feel as Outlook 2003 through a faithful implementation of a long list of familiar Outlook features. Examples include a spell-checker; calendar, tasks, and contacts access; access to junk email controls; right-click functionality; the ability to drag and drop email messages; message signature creation and editing; encryption; and even visual and audio alerts for messages and alarms. The most recent version of Exchange, with all its tools for mobile access, shows that Microsoft apparently listens to industry analysts’ predictions and customers’ requests. I’ll discuss mobile access for Exchange in detail for those interested in Smartphone and browser access from phones and PDAs. Microsoft’s Mobile Information Services have been incorporated into Exchange 2003 Standard and Enterprise editions. If your mobile device can get an IP address from a wireless network, chances are good that the device will be able to communicate with your Exchange 2003 server. There are two methods of mobile access: Outlook Mobile Access (OMA) provides a browser-based display of your mailbox that is specially formatted for mobile devices, and Exchange ActiveSync (EAS) synchronizes your Inbox, Calendar, and Contacts folders over a wireless network. Each of these configurations has its own requirements, which we will cover in detail in this book.




Microsoft Outlook Client
Not surprisingly, the Outlook client is typically the primary decision factor in moving to Exchange Server. In fact, many Exchange features, such as offline availability and PDA synchronization, are available only with the Outlook client. Outlook’s biggest improvements over past versions include new network optimization methods for communicating with Exchange 2003. Remote procedure call (RPC) over HTTP, Cached Exchange Mode, and the ability to leverage two-way message and attachment compression provide Outlook with more options for slow links. Later in this book, I use detailed network traffic analysis and statistics to demonstrate the benefits of the new client. This information, which represents many hours of simulation in the lab, also provides insights as to the number of remote Outlook sessions you can support over various links. The results of these tests should arm you with the knowledge necessary to design your Exchange environment and specify server locations. You should also be aware that you won’t pay an additional fee for Outlook 2003 if you’re licensed for Exchange 2003. Read “Outlook 2003 License for Free” for details.

Outlook 2003 License for Free
One of the Web pages you’ll discover if you follow the Microsoft Exchange site pricing and licensing links clearly indicates that you pay no additional fee to run Outlook 2003 – as long as you’re licensed for Exchange 2003. According to the page, which you’ll find at, “Each Exchange 2003 CAL also includes Microsoft Office Outlook® 2003 or Microsoft Entourage® X for Mac and permits access from Microsoft Office Outlook Web Access, Outlook Mobile Access, Exchange Server ActiveSync®, or any standard Internet-messaging client.”

Other Exchange 2003 Improvements
In addition to the improvements I’ve discussed, Microsoft has made changes in other areas of Exchange. For example, Microsoft has removed the rarely used conferencing services and Instant Messaging components from Exchange in favor of new native support for mobile devices. This support is exciting for anyone who has a wireless phone that uses the Wireless Application Protocol (WAP) and for companies that contemplate deploying BlackBerry messaging PDAs or Smartphones. (HTML navigation has been virtually impossible with WAP phones accessing typical HTML pages.) Exchange 2003 supports Wireless Markup Language (WML), XHTML, and Compact HTML (cHTML), which in turn support presenting Web site text components on phones and PDAs. Even better is the new support for Exchange ActiveSync (EAS), which supports synchronization over wireless networks. The Exchange ActiveSync session is secured with Secure Sockets Layer (SSL) and can synchronize your Smartphone or Windows-based PDA device from anywhere, provided that your device has an IP address and can communicate with the Exchange 2003 server running EAS.

The Importance of Windows 2003
As business demands continue to increase, the quality, stability, and security of Windows Server increase as well. Windows Server has always provided the core services for Exchange. Windows Server 2003 (Windows 2003) packs greater scalability and functionality while supporting Microsoft’s Secure Connected Infrastructure initiative. Microsoft has worked to promote robust application development on its systems. The Win32 API, available since the mid-1990s, permits programmatic access to Windows clients and servers – just as Collaboration Data Objects (CDO) is well documented and available for Outlook programming. Only in recent years has the zeal for outside development led to serious compromises in security: more access equals less security. The possibility of compromise is why Outlook XP, Outlook 2003, and Windows 2003 install with many of their advanced programmatic features disabled. For example, Windows 2003, by default, doesn’t install Microsoft Internet Information Services (IIS). Should you decide to install IIS, many of the more powerful scripting functions remain disabled until you deem them necessary. The catch-phrase for this approach is “Secure by Default.” Installing Exchange 2003 on Windows 2003 offers distinct advantages. Some background information about the Windows 2003 editions will help set the context for this discussion. Windows 2003 has four versions, but because Windows 2003 Web Edition doesn’t support Exchange 2003, Table 1.2 presents the differences among the Standard, Enterprise, and Datacenter editions only.
Table 1.2 Windows 2003 Standard, Enterprise, and Datacenter editions feature comparison

Feature                                 Standard Edition   Enterprise Edition   Datacenter Edition
64-bit support                                             ✓                    ✓
Hot Add Memory                                             ✓                    ✓
Maximum RAM                             4GB                32GB                 64GB
4-Way SMP                               ✓                  ✓                    ✓
8-Way SMP                                                  ✓                    ✓
64-Way SMP                                                 ✓                    ✓
Internet Connection Firewall (ICF)      ✓                  ✓                    ✓
Network Load Balancing (NLB)            ✓                  ✓                    ✓
Cluster Service                                            ✓                    ✓
VPN Support                             ✓                  ✓                    ✓
Internet Authentication Service (IAS)   ✓                  ✓                    ✓
Network Bridge                          ✓                  ✓                    ✓
IPv6                                    ✓                  ✓                    ✓
Distributed File System (Dfs)           ✓                  ✓                    ✓
Encrypted File System (EFS)             ✓                  ✓                    ✓
Fax Service                             ✓                  ✓                    ✓
.NET Framework                          ✓                  ✓                    ✓
IIS 6.0                                 ✓                  ✓                    ✓
ASP .NET                                ✓                  ✓                    ✓
Enterprise UDDI                                            ✓                    ✓




Two new modes of AD operation accompany these different versions of Windows 2003. Windows 2000 Mixed mode lets Windows NT 4.0 Backup Domain Controllers (BDCs) participate in the directory, but with limitations in functionality. Win2K Native mode provides added functionality but doesn’t offer the full benefits of Windows 2003’s modes. By upgrading all of your domain controllers (DCs) to Windows 2003, you can take advantage of the newest improvements in AD – including improved replication and the ability to rename DCs and domains. (Keep in mind that each raised level of functionality reduces the compatibility with legacy directory services.) Table 1.3 presents the features available in Win2K Mixed and Native modes and in Windows 2003.
Table 1.3 Windows 2003 AD modes and features

Feature                                        Win2K Mixed mode   Win2K Native mode   Windows 2003
SID history                                                       ✓                   ✓
Converting Groups                                                 ✓                   ✓
Universal Security Groups                                         ✓                   ✓
Group Nesting                                                     ✓                   ✓
User password on InetOrgPerson object                                                 ✓
Update logon timestamp                                                                ✓
DC rename                                                                             ✓
InetOrgPerson objectClass change                                                      ✓
Dynamic auxiliary classes                                                             ✓
Improved AD replication                                                               ✓
Linked value replication                                                              ✓
Defunct schema objects                                                                ✓
Global Catalog (GC) replication improvements                                          ✓

From a design perspective, the advantages of installing Exchange 2003 on a Windows 2003 server are clear. However, other circumstances, such as licensing restraints and hardware or software compatibility, might render this approach impractical for you. Table 1.4 presents the Exchange support available for the three Windows server platforms in use today.
Table 1.4 Windows server Exchange support

Exchange version                     NT 4.0   Win2K   Windows 2003
Exchange 5.5                         ✓        ✓
Exchange 2000 Service Pack 2 (SP2)            ✓
Exchange 2000 SP3                             ✓
Exchange 2003                                 ✓       ✓





For more information about Exchange support, see “You Cannot Install Exchange 2000 on a Computer That Is Running Windows Server 2003,” Microsoft Knowledge Base article 321648.

Exchange 2003 and AD
I’ll save many Exchange 2003 features for later discussion. The most important thing to understand is that to install Exchange 2003 (or Exchange 2000), you must have access to AD. (Microsoft’s competitors have tried to use this point to convince Exchange 5.5 shops to change platforms.) At the same time, IBM has acknowledged the importance of AD by making Notes/Domino 6.0 more compatible with AD. In fact, IBM now makes synchronization tools, such as the Active Directory Synchronization (Ad Sync) tool, to help Notes and Domino administrators manage users and groups. You don’t need synchronization tools with Exchange Server, because it uses the AD to store its information. The following background will clarify the importance of AD.

AD Domains
An AD domain is a collection of security objects that share a common directory database. AD stores, manages, and secures these objects. When you configure an AD DC, you must create a new AD forest or install your domain in an existing AD forest. Domains in the same forest have a fundamental relationship that permits the automatic replication of specific information – such as Exchange Server settings and mail routing tables. The general rule is that you have one AD forest for each Exchange organization. I’ll discuss other options later, but understanding this simple rule is critical to your Exchange design planning. Within AD domains, you can place objects into logical containers known as organizational units (OUs). This logical separation of objects helps to establish an administrative boundary within the domain. You can delegate OUs and their objects to others for administrative and management purposes. Whereas OUs serve as administrative boundaries, AD domains represent replication boundaries and, to a limited extent, security boundaries for AD objects. An AD forest represents an organizational and security boundary for domains. AD is in essence a database of information. It’s divided into partitions or naming contexts (NCs): Domain, Configuration, Schema, and RootDSE, which Figure 1.1 shows. Most AD administration occurs within the Domain NC because it contains the user objects. The Domain NC is replicated to all DCs within an AD domain. The other NCs are shared with other domains in your organization.




Figure 1.1

If you understand how replication works, you can see why AD can function so well over slow links. For example, assume that you have a company with five large locations, each on a different continent. The user objects for your employees in Antarctica probably don’t need to be replicated to Europe. Moreover, the administration for employees in Antarctica will probably be localized. In other words, Antarctica should probably have its own AD domain. If you place AD domains in the same forest, however, users on each continent can have access to servers in other parts of the world. You can use a single Exchange organization to provide calendar sharing, meeting invitations, and delegation throughout the company. In this scenario just discussed, suppose that the company’s locations in North America and South America have a centralized administrative model and fast network connections. In their case, it makes sense to use a single domain to permit easier object moves and central administration. Another advantage is the fact that each DC in this domain serves as a peer or backup for the others in the same domain. If the server in Mexico fails, the server in the United States can authenticate users and provide access to the Global Address List (GAL) – assuming network connectivity is still available. The primary reason to create multiple domains in your organization is to provide replication boundaries because DCs in the same domain replicate information to each other more often and require RPC connectivity to replicate logon scripts and directory information. Replication between domains in the same forest involves far less information and can take place over SMTP.




As I’ve discussed, the most common AD item you deal with is an object. User accounts, computer accounts, and printers are all examples of objects. Every object in the AD, including user objects, is categorized. The AD schema provides the class and object descriptions and is stored in the Schema NC that’s replicated throughout the forest. In this example, the user object Steve Bryant belongs to the ObjectCategory named Person, which the schema defines, as Figure 1.2 shows.

Figure 1.2
AD ObjectCategory
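The two preceding passages describe AD as a set of naming contexts and every object as a member of a schema-defined category. The following script is an added example, not code from the book or from Microsoft: it reads the kind of LDIF text a DC returns (a RootDSE answer and one user object, both constructed here for the fictional forest corp.example), lists the Domain, Configuration, and Schema NCs, tells whether the answering DC is a Global Catalog, and pulls the class name out of objectCategory while checking that the category really points into this forest’s Schema NC. The attribute names used (namingContexts, defaultNamingContext, configurationNamingContext, schemaNamingContext, isGlobalCatalogReady, objectCategory) are standard RootDSE and user attributes; the host and account names are invented.

```python
"""Added example: naming contexts, GC status and objectCategory from LDIF.

All LDIF below is constructed for this example. A real RootDSE read would be
something like `ldifde -f rootdse.ldf -s <dc> -d "" -p base` on a DC; this
script works offline on the embedded text only.
"""
from collections import defaultdict

# Constructed RootDSE answer from a DC in the fictional forest corp.example.
ROOTDSE_LDIF = """\
dn:
namingContexts: DC=corp,DC=example
namingContexts: CN=Configuration,DC=corp,DC=example
namingContexts: CN=Schema,CN=Configuration,DC=corp,DC=example
defaultNamingContext: DC=corp,DC=example
configurationNamingContext: CN=Configuration,DC=corp,DC=example
schemaNamingContext: CN=Schema,CN=Configuration,DC=corp,DC=example
rootDomainNamingContext: DC=corp,DC=example
dnsHostName: dc1.corp.example
isGlobalCatalogReady: TRUE
"""

# Constructed user object from the Domain NC of the same forest.
USER_LDIF = """\
dn: CN=Steve Bryant,OU=Users,DC=corp,DC=example
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=example
sAMAccountName: sbryant
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.

    Handles the subset used here: 'attr: value' lines, multi-valued
    attributes, folded continuation lines (leading space) and '#' comments.
    """
    attrs = defaultdict(list)
    last_attr = None
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_attr is not None:
            attrs[last_attr][-1] += raw[1:]  # LDIF folds long values
            continue
        name, _, value = raw.partition(":")
        name = name.strip()
        attrs[name].append(value.strip())
        last_attr = name
    return dict(attrs)


def naming_contexts(rootdse):
    """The three replicated partitions, keyed as the chapter names them."""
    return {
        "Domain": rootdse["defaultNamingContext"][0],
        "Configuration": rootdse["configurationNamingContext"][0],
        "Schema": rootdse["schemaNamingContext"][0],
    }


def is_global_catalog(rootdse):
    """A DC that hosts the GC advertises isGlobalCatalogReady: TRUE."""
    return rootdse.get("isGlobalCatalogReady", ["FALSE"])[0].upper() == "TRUE"


def object_category_name(entry, rootdse):
    """Return the schema class name from objectCategory (e.g. 'Person').

    objectCategory is a DN into the Schema NC; an entry whose category points
    anywhere else is malformed, so that case is rejected rather than guessed.
    """
    category_dn = entry["objectCategory"][0]
    schema_nc = rootdse["schemaNamingContext"][0]
    if not category_dn.lower().endswith("," + schema_nc.lower()):
        raise ValueError("objectCategory does not reference the Schema NC: " + category_dn)
    first_rdn = category_dn.split(",", 1)[0]  # 'CN=Person'
    return first_rdn.split("=", 1)[1]


if __name__ == "__main__":
    root = parse_ldif_entry(ROOTDSE_LDIF)
    user = parse_ldif_entry(USER_LDIF)
    for name, dn in naming_contexts(root).items():
        print(f"{name:14s} {dn}")
    print("Global Catalog:", is_global_catalog(root))
    print("objectCategory:", object_category_name(user, root))
```

The Schema NC check in object_category_name is the kind of consistency test worth running before a script trusts directory data: the category DN of every object in the forest must resolve into the one Schema NC that all domains share.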

The importance of these distinctions becomes clear when you begin working with scripts and custom applications. For now, I want to provide some context for the AD structure as it relates to Exchange and basic AD design concepts. Before I proceed to discuss AD in general, however, I want to introduce you to a key tool – ADSI Edit – to which I’ll refer often throughout this book. For a brief introduction to ADSI Edit, read “ADSI Edit and the Support Tools.”




ADSI Edit and the Support Tools
It’s a good idea to include the Windows Support Tools on every server you install because the tools are excellent troubleshooting resources. You can find them in the \support\ directory on the Win2K and Windows 2003 CD-ROMs. Be sure to install the appropriate version for the OS you run. In this book, I frequently use one of these tools – the Active Directory Services Interface (ADSI) Edit tool – to illustrate the specific characteristics and relationships of objects within the AD. ADSI Edit is a low-level administration tool that lets you access the core components of the AD. Access to core components means a high level of exposure for AD. At the same time ADSI Edit provides extensive power, it requires commensurate care and responsibility. An accidental deletion or a modification to the wrong object could cripple your domain.

Global Catalog
As its name implies, the Global Catalog (GC) contains information about every object in the AD forest. An AD forest could contain hundreds of domains, and searching those domains would be very difficult because objects in the Domain NC aren’t fully replicated to other domains. Instead, portions of the objects are copied to a read-only index, the GC. It’s against this GC that AD searches are performed. The GC is particularly important to Exchange and Outlook because it provides the GAL. Although all DCs support the Lightweight Directory Access Protocol (LDAP) for access, only the Global Catalog Server supports the Name Service Provider Interface (NSPI), which Outlook 2000 and later clients use for the GAL. Outlook 95 and 98 clients expect their Exchange Server to provide the GAL and don’t “understand” NSPI. In these instances, Exchange 2003 and Exchange 2000 use a service called DSProxy (one of the several services that fall under the overall category of Directory Service) to query the GC on behalf of the client. The results are then proxied back to the client. Outlook 2000 and later clients use the DSProxy service on the Exchange Server on their first directory query to locate a GC. After the service locates the GC, the Fully Qualified Domain Name (FQDN) of the GC is made persistent on the client. Clients with persistent referrals won’t use DSProxy unless the GC they’re targeting is no longer available and they need a different GC.

Note
In some cases, you might prefer to manually set the GC that an Outlook client uses. For more information about this approach (which requires a registry change), see “How to Specify the Closest or Specific Global Catalog Server,” Microsoft Knowledge Base article 319206. In other cases, you might choose to prevent your Outlook clients from persisting their connections to the GC. Doing so forces the DSProxy service to perform the directory lookups on behalf of the client, but it can help alleviate problems associated with unstable GCs or a changing network topology. For more information about this setting, see “How Outlook 2000 Accesses Active Directory,” Microsoft Knowledge Base article 302914.



As you can imagine, it’s important that the Exchange 2003 server “understand” the health and topology of the GC servers in the environment, so it can make good referrals to clients. Exchange 2003 and Exchange 2000 servers have an internal process – called DSAccess – that collects information about the AD and stores it for referrals, as well as for the Categorizer and System Attendant services. By default, an Exchange 2003 server dynamically detects the DCs, GC servers, and configuration DC in its topology. The server establishes LDAP sessions to each server in an effort to grade the connections as up, slow, or down. By default, the DSAccess process detects and adds GCs in the local AD site to the Directory Access List. In the event that DSAccess doesn’t find any local GCs, the process will look for GCs elsewhere in the network by enumerating the NTDS settings for the site, as Figure 1.3 shows.

Figure 1.3
NTDS settings

Servers placed in the Directory Access List are then used as referrals to DSProxy clients in a round-robin fashion to provide a level of load-balancing among the GCs. This list is dynamically updated when DCs are added or removed from the network, or when Kerberos tickets expire (by default, every 10 hours).



Manually changing the Directory Access List
At times, you might need to manually set the Directory Access List to force either the use or exclusion of a particular GC for your Outlook users. You can select these settings on the clients, as indicated previously, or on the Exchange servers themselves. After you access the Exchange System Manager Microsoft Management Console (MMC), right-click on a server and choose Properties. On the Directory Access tab, you should see a list of DCs that the DSAccess service found, which Figure A shows. You can’t change the default list of DCs, but you can change the drop-down list to add or remove specific types of DCs. You can change the detection settings from automatic to static and ultimately remove or add specific servers to and from the list.

Figure A
Exchange Server Properties Directory Access tab

You can also assign DCs and GCs through the Exchange 2003 server’s registry. To do so, add the following registry subkeys and values:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeDSAccess\Profiles\Default\UserDC1
    IsGC = REG_DWORD 0x0
    HostName = REG_SZ

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeDSAccess\Profiles\Default\UserGC1
    IsGC = REG_DWORD 0x1
    HostName = REG_SZ

The usual warnings apply. Back up the registry key before you make changes and test the changes on a nonproduction server.
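The following PowerShell script is an added example, not code from the book, that creates one of the static DSAccess entries shown above (UserDC1 or UserGC1) after backing up the key, and refuses to register a host that does not answer on the LDAP port its role requires (389 for a DC, 3268 for a GC). The host name and backup path are placeholders; run it on the Exchange server as an administrator.

```powershell
# Added example, not from the book: create a static DSAccess entry
# (UserDC<n> / UserGC<n>) with a registry backup and a reachability check.
param(
    [Parameter(Mandatory)][string]$HostName,          # e.g. gc01.corp.example (hypothetical)
    [ValidateSet('DC', 'GC')][string]$Role = 'GC',
    [int]$Index = 1,                                  # UserDC1 / UserGC1, UserGC2 ...
    [string]$BackupPath = "$env:TEMP\MSExchangeDSAccess.reg"
)

$svcKey     = 'HKLM\System\CurrentControlSet\Services\MSExchangeDSAccess'
$profileKey = 'HKLM:\System\CurrentControlSet\Services\MSExchangeDSAccess\Profiles\Default'

# 1. Back up the whole MSExchangeDSAccess key before touching it.
& reg.exe export $svcKey $BackupPath /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupPath failed; no changes made." }

# 2. A GC answers LDAP on 3268, a plain DC on 389. Do not point DSAccess
#    at a host that does not answer on the port its role requires.
$port = if ($Role -eq 'GC') { 3268 } else { 389 }
$tcp  = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($HostName, $port) }
catch   { throw "$HostName does not answer on TCP $port; not usable as a $Role." }
finally { $tcp.Close() }

# 3. Create User<Role><Index> with IsGC (REG_DWORD) and HostName (REG_SZ),
#    exactly the values the sidebar lists.
$subKey = Join-Path $profileKey ('User{0}{1}' -f $Role, $Index)
if (-not (Test-Path $subKey)) { New-Item -Path $subKey -Force | Out-Null }
$isGc = if ($Role -eq 'GC') { 1 } else { 0 }
New-ItemProperty -Path $subKey -Name IsGC     -Value $isGc     -PropertyType DWord  -Force | Out-Null
New-ItemProperty -Path $subKey -Name HostName -Value $HostName -PropertyType String -Force | Out-Null

# 4. Read the entry back so the change is visible in the session transcript.
Get-ItemProperty -Path $subKey | Select-Object @{n='Key'; e={$subKey}}, IsGC, HostName
```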


Use the System Manager to force these changes only if you have no other alternative.



The DSAccess dynamic processes are quite clever and should work well in most installations. For more information about DSAccess, read “Directory Service Server Detection and DSAccess Usage,” at;[LN];250570.

Ultimately, the GC is critical to Exchange clients. In addition, Outlook clients access the GC quite regularly. Therefore, the placement of GCs within your network is especially important. A general rule is that at least one GC should be located near every Exchange 2003 and Exchange 2000 server in your organization.


Locate at least one GC near every Exchange 2003 and Exchange 2000 server.

Moreover, a common recommendation is one GC for every four Exchange Server processors. For example, if you had two quad-processor Exchange Servers, you would need two GCs in that location.

Enabling GC Services on a DC
Fortunately, enabling GC services on a DC is simple. In the Active Directory Sites and Services console, right-click the NTDS Settings object under the DC you want to change and select Properties. On the General tab, select the Global Catalog check box to enable GC services on that DC. You should reboot the DC after you change this setting; be aware that the GC will be replicated to this server immediately following the reboot.

Many other aspects of the Global Catalog Server fall outside the scope of this book. For example, in Windows 2003 AD, you can control the replication of GC information. You can view the specific object attributes available and even add more attributes as needed. If you wanted to write an application to query user objects for Social Security Numbers or birthdays, you could add those attributes to the schema, then instruct the GC to include those values. Your application could then query any GC for those fields. In the next chapter, I’ll explore AD further with respect to planning, design, and deployment.
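As an added example (not the book’s own procedure), the script below reports how many GCs each site has, applies the one-GC-per-four-Exchange-processors rule of thumb from the previous section, and can enable GC services on a DC by setting the IS_GC bit (0x1) of the NTDS Settings object’s options attribute, which is the change the Global Catalog check box makes. It assumes the RSAT ActiveDirectory module, which postdates Windows 2003; the DC name is a placeholder.

```powershell
# Added example, not from the book: report GCs per site and optionally set the
# IS_GC bit (0x1) in the NTDS Settings 'options' attribute of one DC.
param(
    [string]$DcToPromote,                 # e.g. 'DC2' (hypothetical); omit to report only
    [int]$ExchangeProcessorsInSite = 0    # for the 1 GC per 4 processors rule of thumb
)
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * |
       Select-Object Name, HostName, Site, IsGlobalCatalog, NTDSSettingsObjectDN

# Report: DCs and GCs per AD site, so GC placement near Exchange servers can be checked.
$dcs | Group-Object Site | ForEach-Object {
    $gcCount = @($_.Group | Where-Object IsGlobalCatalog).Count
    '{0,-24} DCs={1}  GCs={2}' -f $_.Name, $_.Count, $gcCount
}

if ($ExchangeProcessorsInSite -gt 0) {
    $needed = [math]::Ceiling($ExchangeProcessorsInSite / 4)
    "Rule of thumb: $needed GC(s) for $ExchangeProcessorsInSite Exchange processors in this site."
}

if ($DcToPromote) {
    $dc = $dcs | Where-Object Name -eq $DcToPromote
    if (-not $dc) { throw "DC '$DcToPromote' not found." }
    if ($dc.IsGlobalCatalog) { "$DcToPromote is already a GC."; return }

    # options bit 0x1 on the NTDS Settings object marks the DSA as a GC.
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $opts = [int]($ntds.options)
    Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = ($opts -bor 1) }
    "IS_GC bit set on $DcToPromote. Reboot the DC; GC replication begins after the reboot."
}
```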

Next: Preparing for Exchange 2003
The demand for faster access and better “business intelligence” has spurred technology advances. Exchange 5.5 is a great product that has lasted since the late 1990s. However, evolution in security threats and the need for greater access, global systems, and better administration and management tools have necessitated change. In upcoming chapters, you’ll find in-depth discussions about AD that include the topics of multiple forests, design, administration, and management.
