Contents
Overview 1
Examining How Exchange 2000 Uses
Lab C: Modifying the Default Recipient
to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2001 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, BackOffice, FrontPage, NetMeeting, Outlook, PowerPoint, SQL Server, Visio, Visual Studio, Win32, Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.
Instructor Notes
This module provides students with the knowledge required to analyze the Microsoft® Windows® 2000 Active Directory™ directory service environment for factors that influence the Microsoft Exchange 2000 organization.
After completing this module, students will be able to:
• Explain how Active Directory works.
• Evaluate how Exchange 2000 uses Active Directory.
• Explain how Exchange 2000 works with DSAccess.
• Design Active Directory groups for an Exchange 2000 organization.
Materials and Preparation
This section provides the materials and preparation tasks that you need to teach this module.
Required Materials
To teach this module, you need:
• The Microsoft PowerPoint® file 1573A_02.ppt
• The Active Directory Groups job aid
• The Northwind Traders Case Study
• The Fourth Coffee Case Study
Preparation Tasks
To prepare for this module, you should:
• Read all of the materials for this module.
• Complete the labs.
• Review the Northwind Traders Case Study.
• Read the Fourth Coffee Case Study.
• Review the Active Directory Groups job aid.
• Review the scenarios associated with the class discussions and prepare questions to supplement the questions provided.
The job aids are in the Exchange 2000 Design Tool located at C:\MOC\1573A\LabFiles\Exchange_2000_Design_Tool, and on the student compact disc. The case studies are in the Appendices and on the student compact disc.
Module Strategy
Use the following strategy to present this module:
• Reviewing Active Directory Basics. This topic provides a review of fundamental concepts in Active Directory. Begin by discussing the role of Active Directory in an enterprise environment. Continue by discussing the Active Directory schema, domains, the global catalog, and the site topology of Active Directory.
• Examining How Exchange 2000 Uses Active Directory. This topic outlines the components in Active Directory that affect Exchange 2000. Begin by discussing the Active Directory forest environment; explain the design issues associated with a multiple forest structure. Emphasize the importance of preparing the forest by using the /forestprep switch. Next, explain how domain controllers affect Exchange 2000. Emphasize the importance of preparing the domain by using the /domainprep switch. Next, describe each type of partition in which Active Directory stores Exchange 2000 data, explain how Exchange 2000 data affects the Active Directory database, and then complete this topic by explaining user principal names.
• Examining How Exchange 2000 Works with DSAccess. This topic outlines how Exchange 2000 works with DSAccess. Begin by defining DSAccess, and then explain how Exchange 2000 uses DSAccess to gain access to Active Directory domain controllers and global catalogs. Continue by discussing how Exchange 2000 detects and defines domain controllers and global catalogs. Finally, explain the DSProxy process and the client referral process.
• Designing Active Directory Groups for an Exchange 2000 Organization. This topic outlines the design considerations associated with each type of Active Directory group. Begin by reviewing the three scopes of groups available, as well as the two types. Make sure students understand the differences between universal groups, global groups, and domain local groups. Discuss universal groups, including when to use them and the design implications associated with using them. Emphasize that universal groups are the preferred group type for an Exchange 2000 organization. Continue by discussing domain local groups and global groups, including when to use them, and the associated design issues. Next, discuss how to use Active Directory groups with Exchange 2000. Finally, facilitate a classroom discussion focusing on the three scenarios provided at the end of the module.
Customization Information
This section identifies the lab setup requirements for a module and the configuration changes that occur on the student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.
Lab Setup
The following list describes the setup requirements for the labs in this module.
• For each student, a Microsoft Management Console (MMC) custom console must be created. This custom console must include both the Active Directory Users and Computers snap-in and the Exchange System snap-in, and must be named your_firstname Console.
• For each student, a personalized user account must be created in the appropriate domain. This user account must be added to the Domain Admins group, and assigned a mailbox on the server running Exchange 2000 that the student is using.
• For each student, a user profile must be created on the student's computer that enables the student to access their mailbox by using Microsoft Outlook® 2000.
• The personalized user account for each student is modified so that their UPN suffix matches the suffix that was created during this lab.
• For each student, a new account is created to verify that the new UPN suffix appears.
• The default recipient policy for the Exchange 2000 organization is modified by the creation of an additional Simple Mail Transfer Protocol (SMTP) address. The new SMTP address is given the format of %g.%i.%s@nwtraders.msft. The new SMTP address is set as the primary address.
• A universal security group called Helpdesk is created for each domain. This group is named your_domain Helpdesk. This group is mail-enabled.
• A universal security group called IT Group is created for each domain. This group is named your_domain IT Group. This group is mail-enabled.
• A universal security group called HR is created for each domain. This group is named your_domain HR Personnel. This group is mail-enabled.
• For each student, a universal security group is created for the executive mailboxes located on each server. This group is named your_servername Executives. Each student adds their personal account to their local executives group. This group is mail-enabled.
• For each student, the your_servername Executives group is added to the All Executives group.
Overview
• Reviewing Active Directory Basics
• Examining How Exchange 2000 Uses Active Directory
• Examining How Exchange 2000 Works with DSAccess
• Designing Active Directory Groups for an Exchange 2000 Organization
Microsoft® Exchange 2000 depends on the Microsoft Active Directory™ directory service. Directory services provide three functions: they store information about network resources; they make these resources available to users and applications; and they provide a consistent way to name, describe, locate, access, manage, and secure resources.
Evaluating how Exchange 2000 uses Active Directory enables you to design your Exchange 2000 organization more effectively. Exchange 2000 uses Active Directory forests and domains to store and replicate data throughout the Exchange 2000 organization. In addition, portions of Exchange data reside on various Active Directory partitions.
Architects who are designing an Exchange 2000 organization for the enterprise must understand both how Exchange 2000 uses Active Directory and the effects of the Active Directory design on the Exchange 2000 environment. Architects also need to understand how Exchange 2000 uses DSAccess and how to use Active Directory groups most effectively in an Exchange 2000 organization. After completing this module, you will be able to:
• Explain how Active Directory works.
• Explain how Exchange 2000 uses Active Directory.
• Explain how Exchange 2000 works with DSAccess.
• Design Active Directory groups for an Exchange 2000 organization.
In this module, you will learn about the Active Directory components that Exchange 2000 depends on for directory services, and how these components can affect the design plan for an Exchange 2000 organization.
Reviewing Active Directory Basics
• Role of Active Directory in an Enterprise
• Active Directory Schema
Topic Objective
To outline the topics covered in this review of Active Directory.
Lead-in
Understanding how Active Directory works requires understanding both its architectural elements and its role in an enterprise.
For Your Information
This section provides a review of Active Directory fundamentals. If your student group has met the prerequisites for this course, it may not be necessary to cover this section.
Role of Active Directory in an Enterprise
• Domains and OUs Form Hierarchical Structures
• Multiple Domains Can Form
In Windows 2000, Active Directory is a network directory service. Administrators use Active Directory to define, arrange, and manage objects so that those objects are available to users and applications throughout the company. In Active Directory, objects are logically organized into a hierarchical structure. The objects that create the overall structural hierarchy in Active Directory are:
• Domains. This is the core unit of Active Directory. A domain is a container of objects that share security requirements, replication processes, and administration. Active Directory uses a multi-master replication model in which all domain controllers are equal.
• Organizational units (OUs). An OU is a container object that is used to organize the objects within a domain into groups for administrative purposes. Within a domain, OUs form a hierarchical structure based on the organization's administrative model.
Multiple domains within a single Active Directory can create additional structures in the form of:
• Trees. A tree is a hierarchical arrangement of one or more domains that share a common root domain name. Domains within a tree share information through automatic trust relationships.
• Forests. A forest is a collection of one or more trees. Multiple trees within a forest do not share a common root domain name, but they do share information through automatic trust relationships. Multiple forests can share information only through explicit trust relationships.
Administrators use Active Directory to define, arrange, and manage objects so that those objects are available to users and applications throughout the company.
Active Directory Schema
[Slide: object class examples (Printers, Computers, Users); attributes of Users might contain accountExpires, department, distinguishedName, middleName; attribute examples from the list of attributes: accountExpires, department, distinguishedName, directReports, dNSHostName, operatingSystem, repsFrom, repsTo, middleName, … The Active Directory schema is dynamically available, dynamically updateable, and protected by DACLs.]
The Active Directory schema contains the definitions of all objects—such as computers, users, and printers—that are stored in Active Directory. In Windows 2000, there is only one schema for an entire forest, which means that all objects created in Active Directory must conform to the same set of rules.
Object Classes and Attributes
The two types of definitions in the schema are object classes and attributes. Object classes describe the possible directory objects that can be created. Each object class is a collection of attributes. Attributes are defined separately from object classes. Each attribute is defined only once and can be used in multiple object classes. For example, the Description attribute is used in many object classes, but to ensure consistency, it is defined only once in the schema.
Storing the Schema
The Active Directory database stores the schema. This means that the schema:
• Is dynamically available to user applications. User applications can read the schema to discover which objects and properties are available for use.
• Is dynamically updateable, which enables an application to extend the schema with new attributes and object classes, and then to use these schema extensions immediately.
• Can use discretionary access control lists (DACLs) to protect all object classes and attributes. The use of DACLs prevents unauthorized users from making schema changes.
Topic Objective
To describe the Active Directory schema.
Lead-in
The Active Directory schema contains the definitions of all objects that are stored in Active Directory.
Domains
• A Domain Is a Security Boundary
  - A domain administrator can administer only within the domain, unless explicitly granted administration rights in other domains
• A Domain Is a Unit of Replication
  - Domain controllers in a domain participate in replication and contain a complete copy of the directory information for their domain
[Slide diagram: a Windows 2000 domain containing User1 and User2, with replication between its domain controllers.]
The core unit of the logical structure in Active Directory is the domain. A domain is a collection of computers defined by an administrator which share a common directory database. Each domain has a unique name and provides access to the centralized user accounts and group accounts maintained by the domain administrator.
Security Boundary
In a Windows 2000 network, the domain serves as a security boundary. The purpose of a security boundary is to ensure that an administrator of a domain has the necessary permissions and rights to perform administration only within that domain, unless the administrator is explicitly granted these rights in another domain too. Every domain has its own security policies and security relationships with other domains.
Unit of Replication
Domains are also units of replication. In each domain, computers called domain controllers contain a replica of the Active Directory data for that domain. All of the domain controllers in each domain can receive changes to information in Active Directory, and they can replicate these changes to all of the other domain controllers in that domain.
Topic Objective
To describe Active Directory domains.
Lead-in
The core unit of the logical structure in Active Directory is the domain.
Global Catalog
[Slide diagram: a global catalog server holding a subset of the attributes of all objects from several domains; it answers queries and supplies group membership when a user logs on.]
The global catalog is a repository of information that contains a subset of the attributes of all objects in Active Directory. By default, the attributes that are stored in the global catalog are those that are most frequently used in queries, such as a user's first name, last name, and logon name. The global catalog contains the information that is necessary to determine the location of any object in the directory.
The global catalog enables users to:
• Find Active Directory information at any location in the forest, regardless of the location of the data.
• Use universal group membership information to log on to the network.
A global catalog server is a domain controller that stores a copy of the global catalog and processes queries to the global catalog. The first domain controller that you create in Active Directory automatically becomes the global catalog server. To balance the traffic from logon authentication and queries, you can configure additional global catalog servers.
The global catalog makes the directory structure within a forest transparent to users who perform a search. For example, if you search for all of the printers in a forest, a global catalog server processes the query in the global catalog and then returns the results. Without a global catalog server, this query would require a search of every domain in the forest.
The global catalog also contains the access permissions for each object and attribute that is stored in the global catalog. If you are searching for an object and you do not have the appropriate permissions to view that object, you will not see the object in the list of search results. This ensures that users are able to find only the objects to which they have been assigned access.
Topic Objective
To describe the Active Directory global catalog.
Lead-in
The global catalog stores information that contains a subset of the attributes of all objects in Active Directory.
Site Topology
Sites:
  - Optimize replication traffic
  - Enable users to log on to a domain controller by using a reliable, high-speed connection
[Slide diagram: two sites, Chicago and New York.]
Active Directory uses sites to define the physical structure of the network. A site, based on Internet Protocol (IP) subnets, is a collection of reliably connected machines. Collectively, all of the sites in an Active Directory forest form a site topology. Because sites represent only the physical structure of your network, they do not need to map to the logical structure of the Active Directory.
The frequent exchange of large amounts of data and directory information between remote locations can result in excessive network traffic. An effective site topology optimizes the transfer of data and directory information, which reduces network overhead.
Topic Objective
To review the site topology of Active Directory.
Lead-in
Active Directory uses sites to define the physical structure of the network.
Examining How Exchange 2000 Uses Active Directory
• Active Directory Forests
• Preparing the Forest by Using /forestprep
• Active Directory Domains
• Preparing the Domain by Using /domainprep
• Storing Exchange 2000 Data
• Sizing the Active Directory Database
• User Principal Names
Understanding how Exchange 2000 uses Active Directory enables you to design your Exchange 2000 organization more effectively. In addition to understanding how Exchange 2000 uses Active Directory forests and domains, you must also understand the importance of preparing the forest and domain for Exchange 2000, as well as how and where Active Directory stores Exchange 2000 data, how Exchange 2000 affects the size of the Active Directory database, and how to design user principal names for use with Exchange 2000.
Because of the integration of Exchange 2000 with Active Directory, it is very important that the architect who is designing the Exchange 2000 organization communicates with the architect who is responsible for Active Directory design.
Topic Objective
To introduce the Active Directory components that architects must consider.
Active Directory Forests
[Slide diagram: one Exchange 2000 organization spanning the Northwind Traders forest (nwtraders.msft, samerica.nwtraders.msft, namerica.nwtraders.msft) and a separate Exchange 2000 organization in the contoso.msft forest.]
The Active Directory forest determines the boundaries of the Exchange 2000 organization. It is not possible to have more than one Exchange 2000 organization running within the same Active Directory forest.
Implementing Exchange 2000 with Active Directory
There are two ways to implement Exchange 2000 by using Active Directory:
• In a single forest, configured with transitive trust relationships between all domains. A single forest is the preferred environment for an Exchange 2000 organization. A single forest includes only one schema, one configuration, and one global catalog.
• In a multiple forest structure, establishing coexistence between multiple Active Directory forests and Exchange 2000 organizations.
Exchange 2000 uses the Active Directory forest structure to store all Exchange 2000 system information.
Key Points
The Active Directory forest determines the boundaries of the Exchange 2000 organization. It is not possible to have more than one Exchange 2000 organization running within the same Active Directory forest.
Multiple Forest Design Considerations
When you are designing an Exchange 2000 organization for an environment in which a multiple forest structure exists:
• You must create an Exchange 2000 organization for each forest because:
  - There is no automatic Active Directory replication between multiple forests. As a result of each forest having its own separate global address list, both the servers running Exchange 2000 and the users in one forest are not aware of the servers running Exchange 2000 and the users in any other forest unless you configure coexistence.
  - It is not possible to configure routing group connectors between Exchange 2000 organizations. Each Exchange 2000 organization functions as a separate messaging entity, which means you must use Simple Mail Transfer Protocol (SMTP) or X.400 connectors instead. This means that no link state information can be transferred between separate Exchange 2000 organizations, because routing group connectors cannot connect separate Exchange 2000 organizations. As a result, if a server in one Exchange 2000 organization is not working, the notification that the server is not working will not be propagated across organizations, and messages sent between these organizations may be transferred back and forth between Exchange 2000 organizations without ever being delivered.
• It is not possible to include all servers running Exchange 2000 in the same administrative group or in the same routing group.
• You must synchronize the address lists that belong to each forest. Although it is possible to synchronize multiple forests, users in each forest will only be able to see the users in the other forests as mail-enabled contacts.
• It is not possible to replicate calendar information between forests. This means that if a user in one forest is attempting to schedule a meeting with a user in another forest, the first user will not be able to view calendar information for the second user.
Key Points
There is no automatic Active Directory replication between multiple forests.
It is not possible to configure routing group connectors between separate Exchange 2000 organizations, which means that no link state information can be transferred between separate Exchange 2000 organizations.
Key Points
You must synchronize the address lists belonging to each forest. Although you can synchronize multiple forests, the users in each forest will only be able to see the users in the other forests as mail-enabled contacts.
Preparing the Forest by Using /forestprep
[Slide diagram for /forestprep; surviving labels: Modify, Modify.]
During the installation process, you must extend the Active Directory schema by using the /forestprep switch. Extending the schema enables Active Directory to accommodate all of the classes and attributes that are specific to Exchange 2000.
How /forestprep Works
The command-line setup switch /forestprep prepares the Active Directory forest for Exchange 2000 by making several modifications to the Active Directory schema and configuration without installing Exchange 2000. The /forestprep switch enables you to select the first Exchange 2000 administrator (user or group), and then grants that user or group permissions for the Exchange 2000 organization. You must run Setup with the /forestprep switch in the domain where the Active Directory schema master is located. The schema master is, by default, located in the root domain of the Active Directory forest.
Topic Objective
To discuss how to prepare the forest by using the /forestprep switch.
Lead-in
During the installation process, you must extend the Active Directory schema by using the /forestprep switch.
Key Points
Exchange 2000 extends the Active Directory schema to accommodate the attributes and objects that are specific to Exchange 2000.
The /forestprep switch offers two main advantages for administrators who are implementing Active Directory and Exchange 2000:
• By running Exchange 2000 Setup with /forestprep early in Active Directory deployment, the changes made by /forestprep can be deployed along with Active Directory.
• Changes made to the Active Directory schema and configuration partition must be made by an administrator who is a member of the Enterprise Admins and Schema Admins groups. This is usually a very small number of administrators in the Windows 2000 organization, and usually does not include any Exchange 2000 implementers. Using the /forestprep switch enables an Active Directory administrator to prepare the Active Directory forest without installing Exchange 2000.
Design Considerations
Consider the following design issues associated with preparing the forest:
• After you decide to install Exchange 2000, work with the Active Directory team to run /forestprep. You will only need to prepare the forest once. It is recommended that you run Exchange 2000 Setup on the Active Directory schema master so that schema updates can be made locally.
• Instead of assigning Exchange 2000 administrator permissions to one person, consider creating a dedicated group and assigning permissions to this group. This solution reduces management overhead, because you only have to assign this role once, and because you can add and remove users from this group whenever you need to.
• Ensure that everyone on the planning team has agreed to the name of your Exchange 2000 organization. After you run /forestprep, you will not be able to change the name of the Exchange 2000 organization.
Active Directory Domains
[Slide: ways in which the design of the Active Directory domain influences how you design your Exchange 2000 organization: user management and migration, universal security groups, global catalog services, Active Directory group memberships, physical topology.]
In Active Directory, the domain boundaries define the namespace. Each domain must have one or more domain controllers.
The design of the Active Directory domain influences how you design your Exchange 2000 organization in the following ways:
• User management and migration. The process of moving users from one domain to another domain is not as transparent to the user as the process of moving users from one server to another server within the same domain.
• Universal security groups. Running domains in native mode not only provides the operating system with additional scalability, it also simplifies Exchange 2000 administration by making it possible to create and use universal security groups. Universal security groups can span multiple domains.
• Global catalog services. You must make sure that you have adequate global catalog services available to Active Directory sites that contain servers running Exchange 2000. Plan to place a global catalog server in each Windows 2000 site that contains servers running Exchange 2000 or Windows 2000 users or both.
• Active Directory group membership. Group membership affects logon performance for the users. When a user attempts to log on to the Active Directory, the authenticating domain controller retrieves the group membership information (for the user that is logging on) from a global catalog server.
• Physical topology. The location of the global catalog servers in the Active Directory topology influences how efficiently Exchange 2000 can perform directory lookups.
Topic Objective
To explain how Active Directory domains influence the design of an Exchange 2000 organization.
Lead-in
There are several ways in which Active Directory domains influence how you design your Exchange 2000 organization.
Preparing the Domain by Using /domainprep
[Slide diagram; surviving labels: Setup /forestprep, Windows 2000 Domain Controller, Install, Create, Group, User, Config, Schema, Forest, Exchange 2000.]
You can prepare the Active Directory domain for Exchange 2000 by using the /domainprep command-line setup switch. The /domainprep switch makes several changes to the domain in order to prepare the domain for Exchange 2000, but it does not install Exchange 2000. The user who runs Setup with the /domainprep switch must be a member of the Domain Admins group for that domain.
How /domainprep Works
The /domainprep switch:
• Creates an Exchange Domain Servers global group that will contain all computers running Exchange 2000 in the domain.
• Creates an Exchange Enterprise Servers domain local group that will contain all computers running Exchange 2000 in the company.
• Grants these two groups appropriate permissions to various containers in the domain.
• Creates a user account named EUSER_EXSTOREEVENT to be used with the script event host. This user account has minimal permissions, fewer than the guest account, so it cannot access anything in the store, the file system, or the directory.
Important
Do not move the Exchange Enterprise Servers group or the Exchange Domain Servers group to a different Exchange 2000 organization. Doing so will cause the server running Exchange 2000 in the local domain to fail.
Topic Objective
To discuss how to prepare the domain by using the /domainprep switch.
Lead-in
The /domainprep switch makes several changes to the domain in order to prepare the domain for Exchange 2000 installation.
Planning Considerations
When preparing the domain for an Exchange 2000 organization, plan to:
• Run /domainprep in any domain that will host a server running Exchange 2000.
• Run /domainprep in any domain that will host users that have Exchange mailboxes.
Key Points
Run /domainprep in any domain that will host a server running Exchange 2000. Run /domainprep in any domain that will host users that have Exchange 2000 mailboxes.
Trang 22Storing Exchange 2000 Data
Groups
Domain Partition
Configuration
Replication Topology
Schema Partition
CN=Schema, CN=Configuration, DC=nwtraders, DC=msft
Active Directory stores data for Exchange 2000 in partitions, which are also referred to as naming contexts Active Directory uses naming contexts to define the boundaries for information that is stored within the database The
information that is stored in Active Directory on every domain controller in the forest is partitioned into three categories: domain, configuration, and schema All Active Directory partitions are stored on domain controllers You will be able to design your Exchange 2000 organization more effectively if you understand where Active Directory stores each type of information
Domain Partition
The Active Directory domain partition contains all of the objects (such as users,
groups, contacts, and computers) in the directory for the domain
Exchange recipients are Active Directory objects that have been included in the Exchange 2000 organization Active Directory users, groups, and contacts can all be Exchange 2000 recipients
Windows 2000 replicates domain configuration data in each domain to every domain controller in that domain, but not beyond that domain
Configuration Partition
The Active Directory configuration partition contains the Exchange 2000 organization configuration The configuration partition defines the topology, connectors, protocols, and service settings of the Exchange 2000 organization Because Active Directory replicates the configuration partition across all domains in the forest, the configuration of the Exchange 2000 organization is replicated throughout the forest
Topic Objective: To identify the Active Directory partitions where Exchange 2000 data is stored.
Lead-in: Active Directory stores data for Exchange 2000 on three types of partitions.
Schema Partition
The Active Directory schema partition contains all object types that can be created in Active Directory, as well as all attributes of such objects. This data is common to all domains in the forest, and is replicated by Active Directory to all domain controllers throughout the forest.
During the installation in the Active Directory forest of the first computer running Exchange 2000, the Active Directory schema is extended with new attributes for Exchange 2000, attributes whose names start with ms-Exch. The schema is extended by using LDAP Directory Interchange Format (LDIF) files. You can examine which attributes have been added to Active Directory by viewing the LDIF files on the Exchange 2000 compact disc.
Note: Installing the first computer running Exchange 2000 only extends the Active Directory schema if you have not already run /forestprep. You can view the Active Directory partitions by using Active Directory Service Interface (ADSI) Edit, which is included in the Windows 2000 support tools.
Delivery Tip: Use ADSI Edit to show the students the various Active Directory partitions.
Sizing the Active Directory Database

[Slide: Active Directory database size at each stage]
- Install Windows 2000: 13 MB
- Install Exchange 2000: 27 MB
- Add 10,000 Mail-Enabled Users: 110 MB
- Add 50,000 Non Mail-Enabled Users: 345 MB
- Mail-Enable 50,000 Users: 425 MB
The Active Directory database stores the schema, which holds the definitions of all objects that are stored in Active Directory. Exchange 2000 adds further data to the Active Directory database, initially within the configuration and schema partitions, and dynamically in the domain and global catalog partitions. When you design your Exchange 2000 organization, it is important to plan sufficient space for database expansion on the domain controllers.
The size of an Active Directory database depends on several factors, including how many user attributes are populated, and the number, type, and size of groups that are present. Consider the following metrics:
- A new Active Directory installation is about 13 megabytes (MB) in size. If you install Exchange 2000, the Active Directory database will grow by about 14 MB, to a total volume of 27 MB.
- If you add 10,000 mail-enabled users to this new Active Directory database, the database will grow to approximately 110 MB.
- If you add 50,000 non-mail-enabled users to this new Active Directory database, the database will grow to approximately 345 MB, or about 6 KB per user.
- If you mail-enable those 50,000 users, the Active Directory database will grow to approximately 425 MB, or about 7 KB per user.
Topic Objective: To outline how the Active Directory database grows when Exchange 2000 users are added, so that you can plan sufficient space for database expansion on the domain controllers.
User Principal Names

[Slide: forest tree nwtraders.msft with child domains namerica.nwtraders.msft and samerica.nwtraders.msft; example accounts UPN=Joeb@nwtraders.msft with SMTP=Joeb@nwtraders.msft, and UPN=Jamesw@nwtraders.msft]
When designing an Exchange 2000 organization, you can design user principal names (UPNs) to alleviate any confusion that might be generated by differences between the domain namespace and the e-mail namespace. Typically, administrators use a single user principal name suffix for each forest.
Designing a Single User Principal Name Suffix
Consider creating and assigning a single user principal name suffix as the default for all users. For example, as shown in the illustration on this page, you can create and assign a user principal name suffix of @nwtraders.msft as the default for all users. Making the user principal name the same as the SMTP address provides users with a single namespace that they can use for logging on to the network and for gaining access to e-mail.
Separating User Principal Names From the Mail Namespace
An organization might want to separate user principal names from the namespace that is used for e-mail. Separating user principal names from Internet e-mail addresses increases security by not affiliating user names with publicly known e-mail addresses.
Note: UPNs must be unique across the entire forest.
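The two UPN designs above (one suffix shared with the SMTP namespace, or a logon namespace kept separate from it) and the forest-wide uniqueness rule can be checked before accounts are created. The following is an added example, not part of the course or of any Microsoft tool: the accounts, the suffix list and the `policy` switch are constructed here to illustrate the rules the text states.

```python
"""Check of a proposed user principal name (UPN) design for a forest.
Added example, not part of the course: the accounts and the suffix list below
are constructed, and the checks encode the rules stated in the text (one
default suffix, forest-wide uniqueness, UPN equal to or separate from SMTP)."""

# Constructed accounts: (domain, sAMAccountName, proposed UPN, primary SMTP address)
ACCOUNTS = [
    ("nwtraders.msft", "joeb", "Joeb@nwtraders.msft", "Joeb@nwtraders.msft"),
    ("namerica.nwtraders.msft", "jamesw", "Jamesw@nwtraders.msft", "jamesw@nwtraders.msft"),
    ("samerica.nwtraders.msft", "joeb", "joeb@nwtraders.msft", "jbrown@nwtraders.msft"),
    ("samerica.nwtraders.msft", "anam", "anam@samerica.nwtraders.msft", "anam@nwtraders.msft"),
]

FOREST_UPN_SUFFIXES = {"nwtraders.msft"}   # the single default suffix the text recommends


def check_upn_design(accounts, allowed_suffixes, policy="single"):
    """Return a list of findings for the proposed UPNs.

    policy="single": the UPN should equal the SMTP address (one namespace for
    logon and mail). policy="separate": the UPN must differ from the public
    SMTP address so that logon names cannot be read off e-mail addresses.
    Comparisons are case-insensitive because the logon name is not case sensitive.
    """
    findings = []
    seen = {}                                   # lower-cased UPN -> first owner
    for domain, sam, upn, smtp in accounts:
        owner = f"{domain}\\{sam}"
        key = upn.lower()
        if key in seen:
            findings.append(f"{owner}: UPN {upn} duplicates {seen[key]} (UPNs must be unique across the forest)")
        else:
            seen[key] = owner
        suffix = upn.rsplit("@", 1)[1] if "@" in upn else ""
        if suffix.lower() not in allowed_suffixes:
            findings.append(f"{owner}: suffix '{suffix}' is not a registered forest UPN suffix")
        same_as_mail = key == smtp.lower()
        if policy == "single" and not same_as_mail:
            findings.append(f"{owner}: UPN {upn} differs from SMTP address {smtp}; single-namespace design expects them to match")
        elif policy == "separate" and same_as_mail:
            findings.append(f"{owner}: UPN {upn} equals the public SMTP address; separate-namespace design expects them to differ")
    return findings


if __name__ == "__main__":
    for line in check_upn_design(ACCOUNTS, FOREST_UPN_SUFFIXES, policy="single"):
        print(line)
```

Run with `policy="single"` when the forest follows the single-suffix design, and with `policy="separate"` when logon names are deliberately kept apart from e-mail addresses; in both cases the duplicate and unregistered-suffix findings apply, because those rules do not depend on the design chosen.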
Topic Objective: To show how Exchange utilizes user principal names.
Lead-in: When designing your Exchange 2000 organization, remember that you can utilize user principal names to reduce any confusion between the e-mail namespace and the domain namespace.
# Examining How Exchange 2000 Works with DSAccess
- Exchange 2000 Access to Active Directory
- Detecting and Defining Directory Service Servers
- The Client Referral Process
All Exchange 2000 services that require Active Directory access, either for reading configuration information or for writing new entries to the directory, use the DSAccess API (Directory Service Access application programming interface), also referred to simply as DSAccess. Understanding how DSAccess functions enables you to determine the number of domain controllers and global catalog servers that your Exchange 2000 organization requires, and where to place each of them.
In addition to understanding how Exchange 2000 gains access to Active Directory, you should also understand the DSProxy process, the client referral process, and how Exchange 2000 detects and defines servers running Active Directory.
Lead-in: All Exchange 2000 services that require Active Directory access use DSAccess for this purpose.
Exchange 2000 Access to Active Directory

[Slide: a server running Exchange 2000 contacting domain controllers and global catalog servers in its own Windows 2000 site and in Windows 2000 Site 2]
Global Catalog Access
For access to the global catalog, DSAccess first queries the Windows 2000 site to which the server running Exchange 2000 belongs. If all global catalog servers in that site are unavailable, DSAccess queries other sites.
Domain Controller Access
For access to a domain controller, DSAccess first queries domain controllers within the same site and domain as the server running Exchange 2000. If no such domain controller is available, DSAccess queries domain controllers outside the site but still within the same domain. If more than one domain controller is available, DSAccess selects one by using the round-robin method.
If the desired information is not stored on one of the domain controllers, DSAccess makes a Domain Name System (DNS) query for the nearest global catalog server and then requests the information again.
Topic Objective: To explain how Exchange 2000 uses the DSAccess process to gain access to Active Directory.
Lead-in: DSAccess uses one common set of commands to access Active Directory. Exchange 2000 queries Active Directory for both user and configuration information.
Detecting and Defining Directory Service Servers

[Slide: DSAccess on the server running Exchange 2000 queries DNS and builds a cache list of up to ten domain controllers (Domain Controller 1 through 10), then uses LDAP to a domain controller]
During initialization, DSAccess dynamically detects available directory service servers within the domain, unless you manually configure static entries. There are two kinds of detection algorithms, one for domain controllers and one for global catalog servers.
Detecting Domain Controllers
DSAccess uses DNS to obtain a list of all of the domain controllers in the local domain and the local Active Directory site. DSAccess saves up to ten domain controller names in its cache and load balances its use of these domain controllers in a round-robin fashion.
Detecting Global Catalog Servers
Global catalog server detection is different from traditional service detection. To detect global catalog servers, DSAccess uses the Lightweight Directory Access Protocol (LDAP) connection to the domain controller to which DSAccess is currently bound. On that domain controller, DSAccess reads the Options attribute of the Microsoft Windows NT® Directory Service Settings object for each directory service server, if any, in the site that contains the server running Exchange 2000. In this way DSAccess detects which of the listed domain controllers are also global catalog servers. The global catalog servers are added to the DSAccess profile, and load balancing takes place.
If DSAccess does not find any global catalog servers in the local domain and site, a remote global catalog server is selected. Using a global catalog server in a remote site is not an optimal solution, however, because the global catalog servers in other Active Directory sites may be located across slow links and may not be load balanced.
DSAccess performs a full network redetection whenever either the Kerberos version 5 authentication protocol ticket times out (the default period is 10 hours) or a configuration change is made, such as the addition of a new domain controller or global catalog server.
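The selection order described in "Exchange 2000 Access to Active Directory" and the detection steps described on this page can be modelled as a small simulation, which is useful when deciding how many domain controllers and global catalog servers a site needs before an outage shows you. The block below is an added example and is not Exchange code: the forest is made up, the dictionary reads stand in for the DNS SRV query and the LDAP read of each domain controller's NTDS Settings object, and the `NTDSDSA_OPT_IS_GC` bit value (0x1 in the Options attribute) comes from the Active Directory schema documentation rather than from this page.

```python
"""Model of the DSAccess server-selection order described in the two passages
above. Added example, not Exchange code: the forest below is made up, and the
dictionary reads stand in for the DNS SRV query and the LDAP read of each DC's
NTDS Settings object."""
from itertools import cycle

# Bit 0x1 of the NTDS Settings "options" attribute marks a domain controller as
# a global catalog (NTDSDSA_OPT_IS_GC); the bit value comes from the Active
# Directory schema documentation, not from the course text.
NTDSDSA_OPT_IS_GC = 0x1
MAX_CACHED_DCS = 10      # DSAccess keeps at most ten domain controller names

# Constructed forest: two domains, two sites, one entry per domain controller.
DCS = [
    {"name": "dc1.nwtraders.msft", "domain": "nwtraders.msft", "site": "Site1", "options": 0x1},
    {"name": "dc2.nwtraders.msft", "domain": "nwtraders.msft", "site": "Site1", "options": 0x0},
    {"name": "dc3.nwtraders.msft", "domain": "nwtraders.msft", "site": "Site2", "options": 0x1},
    {"name": "dc1.namerica.nwtraders.msft", "domain": "namerica.nwtraders.msft", "site": "Site1", "options": 0x1},
]


def detect_domain_controllers(dcs, domain, site, available):
    """Same site and same domain first; only if none respond, other sites in
    the same domain. The cache is capped at MAX_CACHED_DCS names."""
    candidates = [d for d in dcs if d["domain"] == domain and d["name"] in available]
    local = [d["name"] for d in candidates if d["site"] == site]
    remote = [d["name"] for d in candidates if d["site"] != site]
    return (local or remote)[:MAX_CACHED_DCS]


def detect_global_catalogs(dcs, site, available):
    """Read each DC's NTDS Settings options in the local site and keep those
    with the GC bit set; fall back to GCs in other sites. The second return
    value is True when the fallback was needed (remote-site GCs may sit across
    slow links and are not load balanced)."""
    gcs = [d for d in dcs if d["options"] & NTDSDSA_OPT_IS_GC and d["name"] in available]
    local = [d["name"] for d in gcs if d["site"] == site]
    if local:
        return local, False
    return [d["name"] for d in gcs if d["site"] != site], True


def round_robin(servers):
    """Cycle through the cached servers; an empty cache means every lookup fails."""
    if not servers:
        raise RuntimeError("no directory servers available")
    return cycle(servers)


def directory_lookup(object_domain, exchange_domain, dc_cycle, gc_cycle):
    """Objects in the Exchange server's own domain are read from a domain
    controller; anything else is not on those DCs, so the request is repeated
    against a global catalog."""
    if object_domain == exchange_domain:
        return "DC", next(dc_cycle)
    return "GC", next(gc_cycle)


if __name__ == "__main__":
    up = {d["name"] for d in DCS}
    dc_cache = detect_domain_controllers(DCS, "nwtraders.msft", "Site1", up)
    gc_cache, remote = detect_global_catalogs(DCS, "Site1", up)
    print("DC cache:", dc_cache, "GC cache:", gc_cache, "remote GC:", remote)
    dcs, gcs = round_robin(dc_cache), round_robin(gc_cache)
    print(directory_lookup("nwtraders.msft", "nwtraders.msft", dcs, gcs))
    print(directory_lookup("namerica.nwtraders.msft", "nwtraders.msft", dcs, gcs))
```

Taking servers out of the `available` set reproduces the fallbacks the text describes: with both Site1 global catalogs down the model returns the Site2 global catalog and flags it as remote, and with every same-domain domain controller down `round_robin` raises, which is the "no directory lookups" condition.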
Topic Objective: To explain how DSAccess automatically detects domain controllers and global catalog servers, and to explain how to define domain controllers and global catalog servers.
Lead-in: During initialization, unless you manually configure static entries, DSAccess dynamically detects available directory service servers within the domain.
Defining Domain Controllers and Servers
The DSAccess process communicates with Active Directory servers to look up information in the address book and to read configuration data. You can configure DSAccess to send directory queries to specific Active Directory domain controllers and global catalog servers.
DSAccess contacts an Active Directory server by making a DNS query. You can require a server running Exchange 2000 to always use the same Active Directory server by changing the registry settings.
If you manually configure global catalog servers, but do not specify domain controllers in the registry, DSAccess dynamically detects and uses any available domain controller. Similarly, if you manually configure domain controllers but do not specify any global catalog servers in the registry, DSAccess dynamically detects and uses any available global catalog servers. The following registry keys are required to statically configure domain controller and global catalog servers for use by DSAccess. Multiple domain controllers and global catalog servers can be specified for load balancing, but only one Configuration-Context Domain Controller can be configured.
User-Context Domain Controller
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeDSAccess\Profiles\Default\UserDC1 (UserDC2, and so on)
IsGC = REG_DWORD 0x0
HostName = REG_SZ DC_ComputerName.DomainName.com
PortNumber = REG_DWORD (0x185 by default or 0x27C for SSL)
User-Context Global Catalog Server
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeDSAccess\Profiles\Default\UserGC1 (UserGC2, and so on)
IsGC = REG_DWORD 0x1
HostName = REG_SZ GC_ComputerName.DomainName.com
PortNumber = REG_DWORD (0xCC4 by default or 0xCC5 for SSL)
Configuration-Context Domain Controller
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeDSAccess\Instance0
ConfigDCHostName = REG_SZ configDC_ComputerName.DomainName.com
ConfigDCPortNumber = REG_DWORD (0x185 by default or 0x27C for SSL)
Important: If these registry entries are configured so that a server running Exchange 2000 only queries specific domain controllers and global catalog servers, that server will no longer dynamically detect domain controllers and global catalogs. This means that if none of the servers in the static list are working, Exchange 2000 will be unable to perform any directory lookups.
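A static DSAccess profile is easy to get subtly wrong (a UserGC entry with IsGC left at 0, a domain controller port on a global catalog entry, or a single server that becomes the only path to the directory), and the registry editor will not complain. The following added example, which is not a Microsoft tool, parses a constructed REGEDIT export of the keys listed above and reports such inconsistencies; the port sets and key layout are taken from the listing, and the sample export is made up with two deliberate mistakes.

```python
"""Consistency check for a static DSAccess profile exported from the registry.
Added example, not Microsoft tooling: the .reg text is constructed and the
checks encode the key layout and port values listed above."""
import re

DSACCESS = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeDSAccess"
LDAP_PORTS = {0x185, 0x27C}   # 389 LDAP, 636 LDAP over SSL (domain controller)
GC_PORTS = {0xCC4, 0xCC5}     # 3268, 3269 (global catalog)

# Constructed export with two deliberate mistakes: UserGC1 has IsGC = 0, and
# the profile lists only one server of each kind.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeDSAccess\Profiles\Default\UserDC1]
"IsGC"=dword:00000000
"HostName"="dc1.nwtraders.msft"
"PortNumber"=dword:00000185

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeDSAccess\Profiles\Default\UserGC1]
"IsGC"=dword:00000000
"HostName"="gc1.nwtraders.msft"
"PortNumber"=dword:00000cc4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeDSAccess\Instance0]
"ConfigDCHostName"="dc1.nwtraders.msft"
"ConfigDCPortNumber"=dword:00000185
"""


def parse_reg(text):
    """Minimal parser for the REGEDIT export format: [key] headers followed by
    "name"=dword:XXXXXXXX or "name"="string" lines."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"^\[(.+)\]$", line)
        if head:
            current = head.group(1)
            keys[current] = {}
            continue
        val = re.match(r'^"([^"]+)"=(?:dword:([0-9A-Fa-f]{8})|"(.*)")$', line)
        if val and current is not None:
            name, dword, string = val.groups()
            keys[current][name] = int(dword, 16) if dword is not None else string
    return keys


def check_dsaccess_profile(reg_text):
    """Return a list of findings for the UserDCn, UserGCn and Instance0 keys."""
    keys = parse_reg(reg_text)
    findings, counts = [], {"UserDC": 0, "UserGC": 0}
    for path, values in keys.items():
        if not path.startswith(DSACCESS + "\\"):
            continue
        leaf = path.rsplit("\\", 1)[-1]
        entry = re.match(r"^(UserDC|UserGC)(\d+)$", leaf)
        if entry:
            kind = entry.group(1)
            counts[kind] += 1
            want_gc = 1 if kind == "UserGC" else 0
            ports = GC_PORTS if kind == "UserGC" else LDAP_PORTS
            label = "global catalog" if kind == "UserGC" else "LDAP"
            if values.get("IsGC") != want_gc:
                findings.append(f"{leaf}: IsGC is {values.get('IsGC')}, expected {want_gc}")
            if values.get("PortNumber") not in ports:
                findings.append(f"{leaf}: PortNumber {values.get('PortNumber')} is not a {label} port")
            if "." not in str(values.get("HostName", "")):
                findings.append(f"{leaf}: HostName should be a fully qualified name")
        elif leaf == "Instance0" and "ConfigDCHostName" in values:
            if values.get("ConfigDCPortNumber") not in LDAP_PORTS:
                findings.append("Instance0: ConfigDCPortNumber is not an LDAP port")
    for kind, n in counts.items():
        if n == 1:
            findings.append(f"only one {kind} entry: if that server is down, directory lookups fail")
    return findings


if __name__ == "__main__":
    for line in check_dsaccess_profile(SAMPLE_REG):
        print(line)
```

The single-entry finding reflects the Important note above: once the list is static, the servers in it are the only ones Exchange 2000 will ever ask, so each kind should list at least two.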
DSProxy

[Slide: Exchange 2000 forwards client directory calls to Windows 2000; the client's request goes to the server running Exchange 2000, which proxies it to a global catalog]
To make Exchange 2000 backward compatible with the existing MAPI client base, a server running Exchange 2000 will proxy any MAPI directory service (DS) requests to a local global catalog server on the network. DSProxy on the server running Exchange 2000 performs this task. When the Exchange System Attendant starts, it locates a global catalog server by using DNS and passes the name of the global catalog server to DSProxy. After the global catalog server returns a result, the server passes the result to the MAPI client.
If the user chooses to browse the global address list, the same process takes place. Aside from the extra frames sent over the network as the user scrolls through the address book, the overhead is minimal.
POP3 and IMAP4 Clients
Post Office Protocol version 3 (POP3) and Internet Message Access Protocol version 4 (IMAP4) clients both retrieve directory information, such as addresses, by using the Lightweight Directory Access Protocol (LDAP). During setup, a POP3 or IMAP4 user specifies which directory service they want to use by machine name or by TCP/IP address, and then contacts the specified service through the standard LDAP port 389.
A server running either Windows 2000 Active Directory or Exchange 2000 can accept these LDAP requests. If the client computer is configured with the name or address of a server running Exchange 2000, and if this server is installed as a member server, then that server running Exchange 2000 uses DSProxy to proxy the LDAP requests.
Outlook Web Access Clients
Outlook Web Access clients make directory requests by using Hypertext Transfer Protocol (HTTP). Because the server running Windows 2000 Active Directory cannot accept these HTTP requests directly, the server running Exchange 2000 acts as a translator. The DSProxy service intercepts the HTTP requests and translates them into LDAP queries. When the results are returned from the server running Active Directory, they are again translated and passed back to the browser client by using HTTP.
The Client Referral Process

[Slide: the client contacts Exchange 2000 and the Windows 2000 directory; the server running Exchange 2000 returns a referral to the global catalog]
DSProxy service, a referral will be passed back to the client, informing it that all future directory requests should be sent directly to the global catalog.
Setting Referrals
Outlook will set the referral in the MAPI profile:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\profile name\dca740…2fe182
Value name: 001e6602
Value type: String
Value data: \\DirectoryServer.domain
Topic Objective: To explain the client referral process.
Lead-in: Outlook 2000 clients also gain access to information in Active Directory by using a client referral process.
Denying Referrals
In some circumstances, it is desirable to force Outlook clients to always use the DSProxy process without being referred. You can configure the computer running Exchange 2000 not to give out referrals by using the following registry parameter:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters
Value name: No RFR Service
Value type: DWORD
Value data: 0x1
# Designing Active Directory Groups for an Exchange 2000 Organization
- Review of Groups in Active Directory
- Designing Universal Groups
- When to Use Universal Groups
- Designing Domain Local Groups
- When to Use Domain Local Groups
- Designing Global Groups
- When to Use Global Groups
- Using Active Directory Groups with Exchange 2000
Exchange 2000 uses Active Directory groups to organize user accounts. The type and scope of the groups that you use in your Exchange 2000 organization depend on your business requirements and user requirements.
Active Directory provides support for different scopes of groups, and also provides options for defining each group's scope with a specific type, which defines the way in which each group is used in multiple domains.
Topic Objective: To outline the topics related to designing Active Directory groups for an Exchange 2000 organization.
Lead-in: Exchange 2000 uses Active Directory groups to organize user accounts.
Review of Groups in Active Directory

[Slide: groups can be nested inside other groups; users can be members of multiple groups; groups simplify assigning permission to resources]
Active Directory supports three scopes of groups (universal, global, and domain local) and two types (security and distribution). Groups simplify the process of assigning permissions to resources and enable more effective administration by allowing administrators to include each user in more than one group. Groups can also be nested inside other groups.
Assigning Permissions
Groups in Active Directory simplify the management of access to domain resources by allowing you to assign permissions just once to a specified group, rather than multiple times to individual users.
There are two group types in Active Directory: security and distribution. A group of either type has one of the three group scopes: domain local, global, and universal. The group type and group scope that you can choose depend, in each case, on the domain mode.
Using Multiple Groups
Each user can be included in more than one group. Use security groups to assign permissions to groups of users and computers so that they can gain access to resources. You cannot use distribution groups to assign permissions. Each security group and distribution group has a scope attribute. The scope of each group determines who can be a member of that group, and where you can use that group in the network.
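The two rules this review states, that scope decides who may be a member and that type decides whether a group can carry permissions, can be applied mechanically to a proposed group design before it is built. The block below is an added example and not course material: the forest objects are constructed, and the membership table is the documented Windows 2000 mixed-mode and native-mode nesting rule set (a detail this page only alludes to with "depends on the domain mode"), so it goes a step beyond the text.

```python
"""Checker for a proposed Active Directory group design under the Windows 2000
domain modes. Added example, not course material: the groups are made up, and
the membership rules are the documented Windows 2000 mixed-mode and native-mode
rules, which this page only alludes to ("depends on the domain mode")."""

# Allowed member kinds per container scope: (member kind, must be same domain).
# Mixed mode has no universal security groups, and global groups hold only users.
ALLOWED_MEMBERS = {
    "mixed": {
        "global": {("user", True)},
        "domain local": {("user", False), ("global", False)},
        "universal": {("user", False), ("global", False), ("universal", False)},
    },
    "native": {
        "global": {("user", True), ("global", True)},
        "domain local": {("user", False), ("global", False), ("universal", False), ("domain local", True)},
        "universal": {("user", False), ("global", False), ("universal", False)},
    },
}

# Constructed forest objects. "kind" is "user" or a group scope; groups also
# carry a type and the list of member names. holds_permissions marks a group
# that appears in an ACL somewhere.
FOREST = {
    "joeb": {"kind": "user", "domain": "nwtraders.msft"},
    "jamesw": {"kind": "user", "domain": "namerica.nwtraders.msft"},
    "G-Sales-NA": {"kind": "global", "type": "security", "domain": "namerica.nwtraders.msft", "members": ["jamesw"]},
    "U-AllSales": {"kind": "universal", "type": "security", "domain": "nwtraders.msft", "members": ["G-Sales-NA", "joeb"]},
    "DL-SalesShare": {"kind": "domain local", "type": "security", "domain": "nwtraders.msft", "members": ["U-AllSales"], "holds_permissions": True},
    "DL-SalesAnnounce": {"kind": "universal", "type": "distribution", "domain": "nwtraders.msft", "members": ["G-Sales-NA"], "holds_permissions": True},
}


def check_group_design(objects, mode):
    """Return the design violations for the given domain mode ("mixed" or "native")."""
    rules = ALLOWED_MEMBERS[mode]
    findings = []
    for name, obj in objects.items():
        if obj["kind"] == "user":
            continue
        if mode == "mixed" and obj["kind"] == "universal" and obj["type"] == "security":
            findings.append(f"{name}: universal security groups require native mode")
        if obj["type"] == "distribution" and obj.get("holds_permissions"):
            findings.append(f"{name}: distribution groups cannot be used to assign permissions")
        for member_name in obj.get("members", []):
            member = objects[member_name]
            same_domain = member["domain"] == obj["domain"]
            allowed = any(kind == member["kind"] and (same_domain or not need_same)
                          for kind, need_same in rules[obj["kind"]])
            if not allowed:
                findings.append(f"{name}: a {obj['kind']} group cannot contain {member['kind']} "
                                f"{member_name} from {member['domain']} in {mode} mode")
    return findings


if __name__ == "__main__":
    for mode in ("native", "mixed"):
        print(mode, check_group_design(FOREST, mode))
```

Running the same design under both modes shows why the mode matters for an Exchange 2000 rollout: the universal security group and the nesting of it in a domain local group are only valid in native mode, while the distribution group in an ACL is wrong in either mode.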
Topic Objective: To review the roles of various types of groups in Active Directory.
Lead-in: Active Directory supports universal, global, and domain local groups.