# Module 3: Exchange 2000 Integration with Active Directory
with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2000 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, MS, Windows, Windows NT, Active Directory directory service, ActiveX, BackOffice, FrontPage, Hotmail, MSN, Outlook, PowerPoint, SQL Server, Visual Studios, and Win32 are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted.

Other product and company names mentioned herein may be the trademarks of their respective owners.
Project Lead: David Phillips
Instructional Designers: Lance Morrison (Wasser), Janet Sheperdigian, Steve Thues
Lead Program Manager: Mark Adcock
Program Manager: Lyle Curry, Scott Hay, Janice Howd, Steve Schwartz (Implement.Com), Bill Wade (Wadeware LLC)
Graphic Artist: Kimberly Jackson, Andrea Heuston (Artitudes Layout and Design)
Editing Manager: Lynette Skinner
Editor: Elizabeth Reese (Write Stuff)
Copy Editor: Ed Casper (S&T Consulting), Carolyn Emory (S&T Consulting), Patricia Neff (S&T Consulting), Noelle Robertson (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aquent Partners)
Online Support: Eric Brandt
Multimedia Developer: Kelly Renner (Entex)
Compact Disc Testing: Data Dimensions, Inc
Production Support: Ed Casper (S&T Consulting)
Manufacturing Manager: Bo Galford
Manufacturing Support: Rick Terek
Lead Product Manager, Development Services:
Lead Product Manager: David Bramble
Group Product Manager: Robert Stewart
Instructor Notes
This module describes how Microsoft® Exchange 2000 depends on Active Directory™ directory service for storage of Exchange 2000 data, such as recipient objects, configuration data, schema attributes, and the global address list.
At the end of this module, students will be able to:
• Explain how Exchange 2000 uses and benefits from integration with Active Directory
• Identify the Exchange 2000 Server components that rely on Active Directory
• Compare the directory objects in previous versions of Microsoft Exchange Server with the equivalent objects in Active Directory
• Compare how various Microsoft Exchange Server clients access Active Directory
• Explain how computers running Exchange 2000 access Active Directory
• Describe how groups in Microsoft Windows® 2000 are used as distribution lists and which group types work in different situations
Materials and Preparation

This section provides you with the required materials and preparation tasks that are needed to teach this module.

Required Materials

To teach this module, you need the following materials:

• Microsoft PowerPoint® file 1569A_03.ppt

Preparation Tasks

To prepare for this module, you should:

• Read all of the materials for this module
• Complete the lab
Use the following strategy to present this module:

• Advantages of Integrating Exchange 2000 With Active Directory. Explain that Active Directory has replaced the dedicated directory that was used in previous versions of Exchange.
• Storage of Exchange 2000 Data in Active Directory. Describe the way data stored in Active Directory is divided into different partitions and the global catalog. Compare terms and functions from Exchange Server 5.5 with the new terms and functions in Exchange 2000.
• Other Services Provided by Windows 2000. Describe the other Windows 2000 services used by Exchange 2000. Emphasize that Exchange 2000 is more efficient than previous versions of Exchange, in part because of the services provided by Windows 2000.
• Exchange 2000 Directory Access. Describe how current and older mail clients access the directory. Discuss registry entries only if students ask about them; otherwise leave them for the students to read on their own.
• Implementing Groups in Active Directory. Point out that the distribution lists that were an important part of earlier Exchange versions have been replaced by the Active Directory group feature.
• Lab A: Creating Windows 2000 Users and Groups. Students customize their Windows 2000-based servers in this lab. The accounts and groups they create here are used in later labs.
At the end of this module, you will be able to:

• Identify the Exchange 2000 Server components that rely on Active Directory
• Compare the directory objects in previous versions of Microsoft Exchange Server with the equivalent objects in Active Directory
• Compare how various Microsoft Exchange Server clients access Active Directory
• Explain how computers running Exchange 2000 access Active Directory
• Describe how groups in Microsoft Windows® 2000 are used as distribution lists and which group types work in different situations
Advantages of Integrating Exchange 2000 With Active Directory

[Slide: advantages grouped under Functionality, Performance, and Ease of Use: Granular Access Control, Schema Extensibility, Improved LDAP Support, Removes Unused Directory Services, Smarter Replication Tuning, Reduced Replication Load, Unified Administrative Framework, Move/Rename Object Flexibility, Unification of Common Windows/Exchange Objects]
Previous versions of Microsoft Exchange featured a dedicated directory that provided a single, central location where users and applications could look up and configure information about objects using Active Directory Service Interfaces (ADSI) with Lightweight Directory Access Protocol (LDAP). This directory stored all the information about an Exchange Server organization, such as addresses, mailboxes, distribution lists, and public folders, in addition to configuration information about sites and servers.
Benefits of Integration with Active Directory

Unlike previous versions of Exchange Server, Exchange 2000 no longer has a dedicated directory. Instead, Exchange 2000 integrates with the Windows 2000 Active Directory service. Unlike the Microsoft Windows NT® Security Accounts Manager (SAM), which was never designed to hold rich information about directory objects, such as telephone numbers, addresses, and certificates, Active Directory can hold the rich directory information required by Exchange 2000. Integration with Active Directory provides increased system performance and manageability while making directory management easier. Some of the features of Active Directory include:

• Centralized object management. Unified administration of Exchange 2000 and Windows NT directory objects allows an administrator to manage all user data in one place, with one set of tools.
• Simplified security management. The Exchange 2000 information store uses native Microsoft Windows 2000 SACLs so that changes to a single set of security groups will apply to data stored in both Exchange 2000 and Windows 2000 file shares.
• Simplified creation of distribution lists. Exchange 2000 automatically uses Windows 2000 security groups as distribution lists, removing the need to create a parallel set of distribution lists for each department or group.
• Easier access to directory information. Using LDAP as a native access protocol for directory information makes access and hierarchy reconfiguration easier than in previous versions of Exchange.

All Exchange 2000 directory information (including mailboxes, information about servers and sites, and custom recipients) is stored in Active Directory. Distribution lists are based on security groups in Active Directory, thus simplifying list administration. Recognizing that customers will migrate to Exchange 2000 over time, Microsoft provides the Active Directory Connector, which you can use to replicate directory information between Exchange 2000 and existing Exchange Server 5.5 sites.
Exchange 2000 is fully integrated with Active Directory.
Data Partitions in Active Directory

[Slide: Active Directory partition diagram with the labels Configuration, Configuration Sites, and Replication Technology]
The information stored in Active Directory on every domain controller in the forest is partitioned into three categories: domain, configuration, and schema data. These directory partitions are the units of replication in Active Directory. If the domain controller is also a global catalog server, it also holds a partial set of the attributes stored in the global catalog.

You can view the domain, configuration, and schema partitions by using ADSI Edit, which is included in the Windows 2000 Support Tools.
[Slide: partition diagram with the labels Exchange Configuration, Sites, Replication Technology, and Configuration Partition]
The domain partition contains all of the objects in the directory for a domain. Domain data in each domain is replicated to every domain controller in that domain, but not beyond its domain. Domain objects include recipient objects such as users, contacts, and groups.

Because of the consolidation and redesign of the directory structure, the object classes and terms have changed between Exchange 2000 and previous versions of Exchange Server. The following table compares the object classes and terms between Exchange 2000 and previous versions of Exchange.
| Exchange 5.x Directory Object | Equivalent Object in Active Directory | Comments |
|---|---|---|
| (not recovered) | (not recovered) | … security principals in Active Directory. These users can send and receive messages and have a Simple Mail Transfer Protocol (SMTP) address. In addition, this type of user account will have more property pages than a standard account and more options on the right-click menu. |
| (not recovered) | (not recovered) | … not security principals in Active Directory. All mail-enabled contacts will have an SMTP address. Users on legacy messaging systems, such as Lotus cc:Mail and Lotus Notes, are also represented as contacts in Active Directory. |
| (not recovered) | (not recovered) | … exist in Active Directory. A group can either be a security or distribution group. In addition, you can set the scope of the group to Domain Local, Global, or Universal. |
| (not recovered) | (not recovered) | … object types through the Exchange System Manager and Active Directory Connector (ADC), not through the Active Directory Users and Computers snap-in. |

Note: A user object in Active Directory could be mail-enabled only, and not have an Exchange 2000 mailbox. This is similar to a mail-enabled contact, in that a mail-enabled user would have an e-mail address that is external to the company, except that a user object is a security principal and can be given access to resources.
Configuration Partition

[Slide: partition diagram with the labels Schema Partition (CN=Schema, CN=Configuration, DC=nwtraders, DC=msft), Exchange Configuration, Sites, Replication Technology, Configuration Partition, and Domain Partition (Users, Computers, Groups)]
The configuration of the Exchange 2000 organization is stored in the configuration partition of Active Directory. Because Active Directory replicates the configuration partition between all domains in the forest, the configuration of the Exchange 2000 organization is also replicated throughout the forest. The configuration partition defines the topology, connectors, protocols, and service settings of the Exchange 2000 organization.

The Exchange 2000 configuration is stored under the following path in the configuration partition:

CN=Microsoft Exchange, CN=Services, CN=Configuration
Schema Partition

[Slide: partition diagram with the labels Domain Partition (Users, Computers, Groups), Schema Partition (CN=Schema, CN=Configuration, DC=nwtraders, DC=msft), Exchange Configuration, Sites, Replication Technology, and Configuration Partition]
The schema partition contains all object types (and their attributes) that can be created in Active Directory. This data is common to all domains in the domain tree or forest, and is replicated by Active Directory to all domain controllers in the forest.

During the installation of the first computer running Exchange 2000 in the forest, the Active Directory schema is extended with new attributes for Exchange 2000 that start with ms-Exch. The schema is extended using LDAP Directory Interchange Format (LDIF) files.

You can examine which attributes are added to the Active Directory by viewing the LDIF files on the Exchange 2000 CD-ROM disc.
The following table lists the common attributes and LDAP names for a mailbox-enabled user object. This table illustrates how these attributes differ between a standard installation of Active Directory and Active Directory that is enabled for Exchange 2000. The Index column indicates whether the attribute is indexed in Active Directory. The In Global Catalog column indicates whether the attribute has been tagged for global catalog server replication. The Exchange 2000 installation adds those fields marked N/A in the Standard Active Directory. The table may be helpful for planning purposes.

| Attribute | LDAP Name |
|---|---|
| Office | PhysicalDeliveryOfficeName |
| Fax | FacsimileTelephoneNumber |
| Custom Attributes (all) | extensionAttribute-xx |

[Table columns not recovered: Standard Active Directory (Index, In Global Catalog) and After Exchange 2000 Installation (Index, In Global Catalog)]
Global Catalog

[Slide: the nwtraders.msft forest with the domains west.nwtraders.msft and east.nwtraders.msft; each domain's global catalog entries list First Name, Last Name, Alias, and Mailing Address; question posed: What is the mailing address for a user in west.nwtraders.msft?]
The global catalog holds a partial replica of domain data directory partitions for all domains in the forest. By default, the partial set of attributes stored in the global catalog includes those attributes most frequently used in search operations, because one of the primary functions of the global catalog is to support clients querying the directory.

Selecting the attributes to replicate to the global catalog requires careful planning. You need to preserve functionality that users of Outlook already have if an earlier version of Exchange Server is already deployed, but you have to take into consideration the ramifications for replication traffic if you tag too many additional attributes.

Because the global catalog holds a complete replica of its home domain and a partial replica of every other domain in the forest, users see all attributes for other users in the same domain. However, they see only the attributes tagged for replication in the global catalog from other domains.

Where very slow networks are involved, you may want to survey your Outlook users to find out which directory attributes they rely upon. It is even more important to establish whether any custom Collaboration Data Objects (CDO) and/or ADSI applications rely on the presence of certain directory data. For example, a workflow application may require access to a custom attribute that holds a manager's sign-off limit.
From a technical standpoint, each additional attribute tagged for replication will incur an additional 100 bytes of replication data per object. Many companies may need to reduce the number of attributes that are tagged for replication due to bandwidth constraints; however, the replication traffic caused by an existing Exchange Server 5.x network will be far greater than the traffic the Active Directory produces. This is based on the following assumptions:

• Each computer running Exchange Server 5.5 in the organization must hold a full copy of Exchange Directory, whereas Active Directory only replicates to domain controllers and global catalog servers.
• Any change to an Exchange Server 5.5 object will cause the entire object to be re-replicated to the rest of the Exchange organization (roughly 5KB intra-Site and 1KB inter-Site), whereas Active Directory uses per-property replication, so the amount of replication data is much smaller.

Note: You can select attributes in the global catalog to replicate by using the Microsoft Management Console (MMC) Active Directory Schema snap-in.
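The following Python script is an added example, not code from the course module or from the Exchange 2000 setup files: it parses a schema-extension LDIF file of the kind described under Schema Partition, reports which new attributes are indexed and which are tagged for global catalog replication, and sizes the extra global catalog replication load with the 100-bytes-per-attribute-per-object planning figure above. It assumes the Active Directory attributeSchema conventions that searchFlags bit 0 marks an indexed attribute and that isMemberOfPartialAttributeSet TRUE tags the attribute for the global catalog; the LDIF content and the ms-Exch-Sample-* names are constructed placeholders, not real Exchange schema entries.

```python
"""Audit a schema-extension LDIF file for index and global catalog flags.
Added example, not from the course module or Exchange 2000 setup. Assumes
searchFlags bit 0 = indexed, isMemberOfPartialAttributeSet TRUE = in GC."""
import base64
# Constructed sample LDIF: the ms-Exch-Sample-* names are placeholders; the
# third entry uses the LDIF base64 form ("::") for its display name.
SAMPLE_LDIF = """\
dn: CN=ms-Exch-Sample-Signoff-Limit,CN=Schema,CN=Configuration,DC=nwtraders,DC=msft
changetype: add
objectClass: attributeSchema
lDAPDisplayName: msExchSampleSignoffLimit
searchFlags: 1
isMemberOfPartialAttributeSet: TRUE

dn: CN=ms-Exch-Sample-Cost-Center,CN=Schema,CN=Configuration,DC=nwtraders,DC=msft
changetype: add
objectClass: attributeSchema
lDAPDisplayName: msExchSampleCostCenter
searchFlags: 0
isMemberOfPartialAttributeSet: FALSE

dn: CN=ms-Exch-Sample-Badge-Id,CN=Schema,CN=Configuration,DC=nwtraders,DC=msft
changetype: add
objectClass: attributeSchema
lDAPDisplayName:: bXNFeGNoU2FtcGxlQmFkZ2VJZA==
searchFlags: 0
isMemberOfPartialAttributeSet: TRUE
"""
FLAG_INDEXED = 0x1  # searchFlags bit 0: attribute is indexed


def parse_ldif(text):
    """Split LDIF into entries (attribute -> values), unfolding continuation
    lines and decoding base64 ("attr:: ...") values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:  # folded continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(name.strip(), []).append(value.strip())
    return entries


def audit_attributes(text):
    """One report row per attributeSchema object the LDIF adds."""
    rows = []
    for entry in parse_ldif(text):
        if "attributeSchema" not in entry.get("objectClass", []):
            continue
        flags = int(entry.get("searchFlags", ["0"])[0])
        in_gc = entry.get("isMemberOfPartialAttributeSet", ["FALSE"])[0].upper()
        rows.append({"ldap_name": entry["lDAPDisplayName"][0],
                     "indexed": bool(flags & FLAG_INDEXED),
                     "in_global_catalog": in_gc == "TRUE"})
    return rows


def extra_gc_replication_bytes(rows, objects, bytes_per_attr=100):
    """Extra global catalog payload: ~100 bytes per tagged attribute per object."""
    tagged = sum(1 for r in rows if r["in_global_catalog"])
    return tagged * objects * bytes_per_attr
```

Run `audit_attributes` over the LDIF files from the Exchange 2000 CD-ROM to list every attribute that setup tags for the global catalog before it reaches production domain controllers.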
A DNS service must be running in the organization for Exchange 2000 Server to function. Outlook Web Access and Internet protocols, including SMTP, rely on DNS for connectivity.

In earlier versions of Windows NT, the preferred location service was Windows Internet Name Service (WINS) because it provides dynamic publishing and full name-to-network address mapping. Windows 2000 Active Directory uses the DNS locator service. The DNS naming scheme is standards-based and provides maximum interoperability with Internet technologies.
Network News Transfer Protocol (NNTP)

The Network News Transfer Protocol that Exchange uses to access Newsgroups is part of Internet Information Services 5 and Windows 2000.
Security

Exchange 2000 has two aspects of security: authentication and permissions. Users log on to Exchange 2000 and after they are authenticated, they have access to resources based on their permissions.
Authentication

Before users or processes can access Exchange 2000, they must log on to Windows 2000 Server by supplying a unique user name and password. The system must validate or authenticate this logon information. When a user logs on, Windows 2000 Server identifies a security context. The security context determines the user's access to system services, including group membership.

A user needs to log on only once to gain access to Exchange 2000. This contrasts with other security models that require separate passwords for different resources, such as printers, file servers, or messaging systems.

For more detailed information on Windows 2000 Authentication, please refer to the Windows 2000 documentation.
Permissions

Within an Exchange organization, permissions control access to resources. Permissions provide specific authorization to perform an action. Permissions are a key component of Exchange administration, and because they grant and deny access throughout an entire organization, they should be one of your first security considerations.

Exchange 2000 now uses security descriptors of the Windows 2000 Active Directory to administer permissions on Exchange objects. The Exchange objects are managed with the Exchange System Manager tool. In addition to these Windows 2000 security descriptors, Exchange 2000 features Exchange-specific extended permissions, which are permissions specific to Exchange objects that are added to the standard Active Directory object schema.

Permissions in Exchange 2000 are also inheritable, meaning that when you set permissions at the organization level, all objects within the organization will inherit the same permissions.

In addition, you can set permissions for each property, providing administrators with much finer control over access to objects. For example, you can set permissions on user objects so that users can change their telephone numbers but not their e-mail addresses.

Note: Security descriptors are known as access control lists (ACLs) in Windows NT® version 4.0. For more information on security descriptors, see your Windows 2000 documentation on discretionary access control lists (DACLs) and system access control lists (SACLs).
With earlier versions of Exchange, when attributes of directory objects are changed, the entire object, not just the changed attribute, is replicated throughout the organization. This is because earlier versions of Exchange support only object-level replication, which results in greater network traffic. With Exchange 2000 Server, directory replication occurs through Active Directory. Active Directory has the capability to replicate each changed or updated attribute rather than the entire object. For example, if a change is made to an attribute, the attribute is replicated to other domain controllers in the domain. If the attribute is global in scope, such as an office location or phone number change to an Exchange 2000 mailbox, the attribute is replicated to the other global catalog servers.

Replicating specific attributes rather than entire objects has a number of benefits and implications in Exchange 2000. Users, groups, and contacts are objects in Active Directory. Characteristics such as whether an object is mail-enabled (does not have an Exchange mailbox), mailbox-enabled (has an Exchange mailbox), or has the ability to receive mail, are now object attributes. Describing objects with lists of attributes means that:

• Changes to an object's description (for example, an office location) can be made more often
• Changes can be targeted to specific items, such as changing a specific permission (for example, mailbox size)
as long as Exchange 2000 is configured to serve them
[Slide: two directory access diagrams. Proxy: Client, Exchange 2000 Server, Global Catalog; the Exchange 2000 server forwards client directory calls to Windows 2000. Referral: Client, Exchange 2000 Server, Global Catalog; the client talks to the Exchange 2000 server and to the Windows 2000 directory.]
Older clients, such as the Exchange client, Outlook 97, Outlook 98, and Macintosh, make MAPI Directory Service (MAPI DS) requests to a server running Exchange. Exchange 2000 clients communicate differently so some accommodations must be made to enable older clients to work with Exchange 2000.
Backwards Compatibility

To make Exchange 2000 backwards compatible with the existing MAPI client base, a computer running Exchange 2000 will proxy any MAPI DS requests through to a local global catalog server on the network. The directory service proxy (DSProxy) process on the Exchange 2000 Server is responsible for this task. Because Microsoft Active Directory supports a number of protocols, including LDAP and MAPI DS, an Outlook directory request is completely valid, even if it runs directly against an Active Directory-based server.

After the global catalog server returns the result to the computer running Exchange 2000, the server proxies the result to the MAPI client. This entire process is hidden from the user.
4. The computer running Exchange 2000 returns the result to the MAPI client.
5. The MAPI client returns an acknowledgement to the computer running Exchange 2000.
6. The computer running Exchange 2000 proxies the acknowledgement to the local global catalog.

The directory lookup process produces six frames on the network. The decrease in performance on the global catalog server is between one percent and two percent. If multiple names need to be looked up in the directory, the name fragments are sent in one request packet.

If the user chooses to browse the global address list, the same process takes place. Other than sending a few extra frames over the network as the user scrolls through the address book, the overhead is minimal.