
Lesson 2: Exchange Server 2003 Integration with Active Directory
Exchange Server 2003 is tightly integrated with Active Directory, in that Exchange
Server 2003 uses Active Directory as the storage mechanism for its data (although
Exchange Server 2003 still uses its own databases for storing the content of messages
and transaction logs). This is different from Exchange Server 5.5 (and earlier versions),
which maintained its own directory and databases independent of the operating system
and even maintained its own replication infrastructure. In order to deploy
Exchange Server 2003 effectively in an Active Directory environment, you must first
understand how Exchange Server 2003 stores data in Active Directory.
After this lesson, you will be able to
■ Understand how Active Directory is partitioned into naming contexts
■ Understand how Exchange Server 2003 uses global catalog servers
■ Understand how Exchange Server 2003 leverages Active Directory groups
Estimated lesson time: 15 minutes
Naming Contexts
Active Directory is partitioned into naming contexts. The three naming contexts are
■ Domain
■ Configuration
■ Schema
These naming contexts provide boundaries for and structure to the Active Directory
database and can have their own replication and permissions configuration.
Domain Naming Context
The domain naming context is where all the domain objects for Exchange Server 2003
are stored. These objects include recipient objects like users, groups, and contacts.
Exchange Server 2003 extends the attributes Active Directory includes for these types
of objects, meaning that, in contrast to Exchange Server 5.5, Exchange Server 2003
mailboxes and Active Directory user accounts are not separate objects. For example,
with Exchange Server 2003, you mailbox-enable a user account rather than create a
mailbox object in Exchange Server and associate a user account with the mailbox.
Configuration Naming Context
The configuration naming context stores information about the physical structure of
the Exchange organization, such as routing groups and connectors. Active Directory
replicates this data to all domain controllers in the forest; the forest is therefore the
security boundary of an Exchange organization.
Schema Naming Context
The schema naming context contains information about all of the object classes and
their attributes that can be stored in Active Directory. This data is replicated to all
domain controllers in a forest. During the deployment of Exchange Server 2003, the
Active Directory schema is extended to include the classes and attributes specific to
Exchange Server 2003. A visible example of the schema extensions is in the Exchange-specific
options that are available in a user account in the Active Directory Users And
Computers console after the installation of Exchange Server 2003.
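The following is an added example (not code from the original lesson) of how a client sorts directory objects into the three naming contexts from what a domain controller's RootDSE publishes. The schema naming context sits beneath the configuration naming context, so a naive "ends with the configuration NC" test would misfile schema objects; longest-suffix matching avoids that. The RootDSE values and sample DNs are constructed for a contoso.com forest, and the schema attribute name is a placeholder.

```python
"""Classify an Active Directory DN into the domain, configuration or schema naming context.

Added example, not from the original page. The RootDSE values and sample DNs below are
constructed for a contoso.com forest; the schema attribute name is a placeholder.
"""
import re
from typing import Optional

# Constructed RootDSE attributes as a domain controller for contoso.com would publish them.
ROOTDSE = {
    "defaultNamingContext": "DC=contoso,DC=com",
    "configurationNamingContext": "CN=Configuration,DC=contoso,DC=com",
    "schemaNamingContext": "CN=Schema,CN=Configuration,DC=contoso,DC=com",
}

# From the lesson: configuration and schema data replicate to every DC in the forest,
# domain data only within the domain; the forest bounds an Exchange organization.
REPLICATION_SCOPE = {"domain": "domain", "configuration": "forest", "schema": "forest"}

_UNESCAPED_COMMA = re.compile(r"(?<!\\),")  # RDN separator; '\,' inside a value is not one


def rdns(dn: str) -> list:
    """Split a DN into RDNs, trimmed and case-folded (LDAP DNs compare case-insensitively)."""
    return [part.strip().casefold() for part in _UNESCAPED_COMMA.split(dn) if part.strip()]


def naming_context(dn: str, rootdse: dict = ROOTDSE) -> Optional[str]:
    """Return 'domain', 'configuration' or 'schema' for dn, or None if this DC hosts no such NC.

    Limitation: a DN from a child domain (DC=child,DC=contoso,DC=com) also ends in the forest
    root's DC components; a complete check would consult the DC's namingContexts list.
    """
    target = rdns(dn)
    best, best_len = None, 0
    for name, attr in (("domain", "defaultNamingContext"),
                       ("configuration", "configurationNamingContext"),
                       ("schema", "schemaNamingContext")):
        head = rdns(rootdse[attr])
        n = len(head)
        # Longest matching NC head wins: CN=Schema,... beats CN=Configuration,... beats DC=...
        if 0 < n <= len(target) and target[-n:] == head and n > best_len:
            best, best_len = name, n
    return best


def classify(dns, rootdse: dict = ROOTDSE) -> dict:
    """Map each DN to (naming context, replication scope) to review where the data lives."""
    out = {}
    for dn in dns:
        nc = naming_context(dn, rootdse)
        out[dn] = (nc, REPLICATION_SCOPE.get(nc))
    return out


# Constructed sample DNs: a user, the Exchange organization container under Services,
# a placeholder schema attribute, a DN with an escaped comma, and a DN from another forest.
SAMPLE_DNS = [
    "CN=Alice,OU=Users,DC=contoso,DC=com",
    "CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com",
    "CN=example-exchange-attribute,CN=Schema,CN=Configuration,DC=contoso,DC=com",
    "CN=Smith\\, John,OU=Users,DC=contoso,DC=com",
    "CN=Bob,DC=fabrikam,DC=com",
]

if __name__ == "__main__":
    for dn, (nc, scope) in classify(SAMPLE_DNS).items():
        print(f"{nc or 'not hosted here':>16} ({scope or '-'}): {dn}")
```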
Global Catalog Integration
Exchange Server 2003 uses two services—DSProxy and DSAccess—to access the
global catalog.
DSProxy
While Microsoft Outlook 2000 and 2003 clients can access a global catalog directly,
other clients cannot. So Exchange Server 2003 provides a proxy service called DSProxy
to function as an intermediary between the client and the global catalog. DSProxy
works as a facilitator to allow Outlook clients to access information within Active
Directory through the Name Service Provider Interface (NSPI). In addition, the
DSProxy service supports older Messaging Application Programming Interface (MAPI)
clients by forwarding requests directly from the client to the global catalog server.
DSProxy does not examine the request; instead, it blindly forwards the request and
then returns the results. The process is transparent to the user.
DSAccess
Exchange Server 2003 shares global catalog functionality with other Active Directory
services, so it is important to reduce the impact of Exchange Server 2003 queries.
DSAccess implements a directory access cache that stores recently accessed information
for a configurable length of time. This reduces the number of queries made to
global catalog servers. Increasing the cache size and timeout period too much can cause
problems with out-of-date data, while a cache that is too small and a timeout period that
is too short can cause performance problems instead.
Active Directory Group Integration
The use of security groups and distribution groups is another feature in which
Exchange Server 2003 integrates with Active Directory. Versions of Exchange Server
prior to Exchange Server 2000 maintained their own distribution lists, which contained
recipients that were members of the Exchange organization (mailboxes, custom recipients,
and other distribution lists). These distribution lists existed only within Exchange
and were unrelated to the Windows user accounts database. Exchange Server 2003
does not maintain its own distribution lists. Instead, Active Directory security groups
and distribution groups are extended to support e-mail addresses. In this way, the
group can be used as a mail recipient, with the message being distributed to each
member of the group.
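As an added example (not code from the original lesson), the function below expands a mail-enabled Active Directory group into the mailboxes a message actually reaches: it follows nested groups, delivers to each mailbox once, and does not loop on circular membership. The directory is a constructed in-memory stand-in for contoso.com objects, and the rule that only mail-enabled nested groups are expanded is an assumption the lesson does not state.

```python
"""Expand a mail-enabled Active Directory group into the mailboxes that receive a message.

Added example, not from the original page. The directory below is a constructed in-memory
stand-in for AD user and group objects in contoso.com.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DirObject:
    kind: str                       # "user" or "group"
    mail: Optional[str] = None      # None: user has no mailbox / group is not mail-enabled
    members: List[str] = field(default_factory=list)  # member DNs; groups only


# Constructed directory: two mail-enabled groups that contain each other, one security
# group that is not mail-enabled, and a user without a mailbox.
DIRECTORY = {
    "CN=Alice,OU=Users,DC=contoso,DC=com": DirObject("user", "alice@contoso.com"),
    "CN=Bob,OU=Users,DC=contoso,DC=com": DirObject("user", "bob@contoso.com"),
    "CN=Carol,OU=Users,DC=contoso,DC=com": DirObject("user", "carol@contoso.com"),
    "CN=Svc Account,OU=Users,DC=contoso,DC=com": DirObject("user"),  # no mailbox
    "CN=Sales,OU=Groups,DC=contoso,DC=com": DirObject("group", "sales@contoso.com", [
        "CN=Alice,OU=Users,DC=contoso,DC=com",
        "CN=Bob,OU=Users,DC=contoso,DC=com",
        "CN=All Staff,OU=Groups,DC=contoso,DC=com",   # membership loop back to All Staff
    ]),
    "CN=IT,OU=Groups,DC=contoso,DC=com": DirObject("group", None, [   # security group, no address
        "CN=Svc Account,OU=Users,DC=contoso,DC=com",
        "CN=Carol,OU=Users,DC=contoso,DC=com",
    ]),
    "CN=All Staff,OU=Groups,DC=contoso,DC=com": DirObject("group", "staff@contoso.com", [
        "CN=Sales,OU=Groups,DC=contoso,DC=com",
        "CN=IT,OU=Groups,DC=contoso,DC=com",
        "CN=Bob,OU=Users,DC=contoso,DC=com",            # also reached through Sales
    ]),
}


def expand_group(group_dn: str, directory: dict = DIRECTORY) -> List[str]:
    """Return the sorted, de-duplicated addresses a message sent to group_dn reaches.

    Returns [] when group_dn is missing or has no e-mail address, because only a mail-enabled
    group is a valid recipient. Assumption (not stated in the lesson): a nested group is only
    expanded when it is itself mail-enabled, so a plain security group contributes nothing.
    """
    root = directory.get(group_dn)
    if root is None or root.kind != "group" or not root.mail:
        return []
    expanded, recipients, pending = set(), set(), [group_dn]
    while pending:
        dn = pending.pop()
        if dn in expanded:          # breaks the Sales <-> All Staff cycle
            continue
        expanded.add(dn)
        for member_dn in directory[dn].members:
            obj = directory.get(member_dn)
            if obj is None:
                continue            # dangling member reference
            if obj.kind == "group" and obj.mail:
                pending.append(member_dn)
            elif obj.kind == "user" and obj.mail:
                recipients.add(obj.mail)
    return sorted(recipients)


if __name__ == "__main__":
    for group in ("CN=All Staff,OU=Groups,DC=contoso,DC=com", "CN=IT,OU=Groups,DC=contoso,DC=com"):
        print(group, "->", expand_group(group))
```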
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and then try
the question again. You can find answers to the questions in the “Questions and
Answers” section at the end of this chapter.
1. You are an Exchange Server 2003 consultant who has been contacted by Contoso,
Ltd., to help analyze their network environment and make recommendations as
they prepare to migrate from Windows NT Server 4 and Exchange Server 5.5 to
Windows Server 2003 Active Directory and Exchange Server 2003. They are concerned
about total cost of ownership (TCO), especially as it concerns having to
duplicate user information between Windows and Exchange. What advice can you
give them about this concern?
2. Which Active Directory naming context is responsible for the storage of Exchange
Server 2003 recipient objects?
a. The domain naming context
b. The schema naming context
c. The configuration naming context
3. What is the primary function of the DSAccess service?
a. To provide access to Active Directory information for Microsoft Outlook and
MAPI clients.
b. To store information about all Active Directory objects and their attributes.
c. To store information about routing groups and connectors used to access
other sites in the Exchange organization.
d. To implement a directory cache to reduce the number of global catalog queries.
Lesson Summary
■ The domain naming context stores information about Exchange Server 2003 recipient
objects.
■ The configuration naming context stores information about Exchange Server 2003
routing groups and connectors.
■ The schema naming context stores information about all Active Directory objects
and their attributes.
■ Exchange Server 2003 uses Active Directory security groups and distribution
groups rather than maintaining its own distribution lists.
Lesson 3: Exchange Server 2003 and Windows Server 2003 Protocols and Services Integration
In addition to being designed to integrate with Active Directory, Exchange Server 2003
is designed to integrate with services provided by the Windows server operating systems.
Exchange Server 2003 can be installed on computers running Windows 2000
Server, but to take advantage of all of the new functionality, you must use Windows
Server 2003. Because Windows 2000 Server and Windows Server 2003 include messaging
transport capabilities such as Simple Mail Transport Protocol (SMTP), Network
News Transfer Protocol (NNTP), and Hypertext Transfer Protocol (HTTP), Exchange
Server 2003 uses these Windows services rather than duplicating the services with its
own. This is in contrast to Exchange Server 5.5 (and earlier versions), which used Internet
Information Services (IIS) for Outlook Web Access (OWA) and newsgroup access,
but not for much else.
After this lesson, you will be able to
■ Understand how Exchange Server 2003 uses the features of IIS 6
Estimated lesson time: 15 minutes
Exchange Server 2003 and IIS 6
IIS is included with Windows operating systems for servers and provides some core
services for Exchange Server 2003. Windows Server 2003 includes Internet Information
Services (IIS) 6. This new version of IIS introduces Worker Process Isolation Mode,
which offers greater reliability and security to Web servers. Worker Process Isolation
Mode ensures that all of the authentication, authorization, Web application processes,
and Internet Server Application Programming Interface (ISAPI) extensions that are
associated with a particular application are isolated from all other applications. When
you install Exchange Server 2003 on a computer running Windows Server 2003, the
Exchange Server 2003 Setup program automatically sets IIS 6 to Worker Process Isolation
Mode. Setup also enables certain ISAPI extensions. By default, during Windows
Server 2003 installation, ISAPI extensions are not allowed to load. This is different from
previous versions of Windows and IIS, which were less secure in their default configurations.
Exchange Server 2003 requires certain ISAPI extensions, however, for features
such as OWA, WebDAV, and Exchange Web Forms. Exchange Server 2003 Setup
enables and configures the required ISAPI extensions, with no intervention required.
The integration of Exchange Server 2003 with IIS services includes the following:
■ SMTP
■ NNTP
■ World Wide Web Service
Lesson 3 Exchange Server 2003 and Windows Server 2003 Protocols and Services Integration 1-13
The SMTP Service
Unlike Exchange Server 5.5 and earlier versions, Exchange Server 2003 does not provide
its own SMTP services. Windows 2000 Server and Windows Server 2003 include a
core SMTP service with IIS 5 and 6, respectively, and Exchange Server 2003 relies on
this service to provide e-mail services. Exchange simply extends the built-in SMTP service
to provide the necessary additional functionality.
Windows Server 2003 also includes a Post Office Protocol 3 (POP3) service, which is
listed in the Windows Components Wizard as Email Services. This service is not used
by Exchange Server 2003 and should not be installed if you are deploying Exchange
Server 2003, which includes more robust POP3 support as well as Internet Message
Access Protocol 4 (IMAP4) support.
There are a number of new enhancements in the Exchange Server 2003 SMTP service,
with the most exciting for network administrators being native support for Real-Time
Blacklists (RBLs) and improved antivirus support. Fighting spam and viruses is a time-consuming
process for administrators, and the enhanced functionality eases the
administrative burden.
The NNTP Service
Exchange Server 2003 also relies on the IIS built-in NNTP service. The NNTP service
provides user access to newsgroups either internally or on the Internet. Access to
newsgroups is made available through Exchange Server 2003 public folders, with security
configured through the Exchange Server 2003 organization. The NNTP service is
also useful for sharing public folders between organizations. Exchange Server 2003
does not modify or extend the IIS NNTP service, as it does the SMTP service.
The World Wide Web Service
OWA integrates into IIS and doesn’t even have to be installed on the same server as
Exchange Server 2003. Because of the integration, services can be installed almost anywhere
within Active Directory, providing flexibility and a very scalable messaging
solution. OWA provides client access to an Exchange mailbox through a Web browser.
The HTTP protocol, which is part of the World Wide Web Service, is the transport used
for OWA functionality.
Users running Microsoft Internet Explorer 5 or later can take advantage of a number of
new enhancements to OWA. A common complaint with previous versions of OWA was
regarding the lack of basic Outlook features, such as spell checker, support for mail
rules, support for digital signatures, marking messages as read/unread, and public
folder support. These features have been included with the Exchange Server 2003 version
of OWA. Some features, such as digital signatures, specifically require Internet
Explorer 6 SP1 or greater, but most features work with Internet Explorer 5, as well.
There is still a basic version of OWA that can be used by other Web browsers.
A new feature exclusive to Exchange Server 2003 running on Windows Server 2003 is
the ability to use Outlook 2003 to connect to Exchange Server 2003 servers using the
HTTP protocol. This is known as “RPC over HTTP.” In previous versions of Exchange
Server and IIS, if a remote user needed to connect to a corporate Exchange server
using the Outlook client rather than OWA, they would have to establish a virtual private
network (VPN) connection first. This was because the communication between
the client and server took place only over remote procedure call (RPC). Another
requirement for client computers to use RPC over HTTP is that they must be running
Windows XP Professional SP1 or later.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and then try
the question again. You can find answers to the questions in the “Questions and
Answers” section at the end of this chapter.
1. You are the Exchange administrator for Contoso, Ltd. You are planning the
deployment of Exchange Server 2003 into your Windows Server 2003 Active
Directory domain. The IT director questions you about the effect that Exchange
Server 2003 will have on IIS security, concerned that installing Exchange Server
2003 will cause IIS to be less secure. How do you address his concerns?
2. Which of the following Windows Server 2003 services is not used by Exchange
Server 2003 to support the messaging infrastructure?
a. SMTP
b. POP3
c. World Wide Web Service
d. NNTP
Lesson Summary
■ Exchange Server 2003 leverages several Windows Server 2003 protocols and services
rather than duplicating them.
■ The new Worker Process Isolation Mode feature of IIS 6 provides better security and
reliability by isolating an application’s authentication, processes, and extensions.
Chapter 1 Microsoft Exchange Server 2003 and Active Directory 1-15
■ Outlook Web Access (OWA) has been greatly enhanced when used with Internet
Explorer 6 SP1 or later, providing much of the functionality previously found only
in the Outlook client.
Case Scenario Exercise
Wide World Importers is a company that operates under different names in different
countries. In addition to the wideworldimporters.com domain name, they also operate
under contoso.com, fabrikam.com, adatum.com, and litwareinc.com.
The consortium of companies has been operating in a Windows NT 4 domain environment
running Exchange Server 5.5 SP4. Each company has its own domain, with all
domains trusting the wideworldimporters.com domain for the parent company. The
present arrangement has led to a lot of duplication of administrative effort, and the
support costs of maintaining five distinct Windows NT domains and Exchange organizations
have increased to unacceptable levels. As a result, the decision has been made
to migrate to Windows Server 2003 and Active Directory, and to migrate from
Exchange Server 5.5 to Exchange Server 2003. You have been hired as a consultant in
order to facilitate the entire project.
■ Requirement 1 Management has determined that by reducing the duplication
of resources and administrative effort, it will reduce the support costs for the
organization. One of your key responsibilities is to ensure that the network administrators
for wideworldimporters.com can administer all of the domains effectively
without a network of complex trust relationships in place. Furthermore, they want
all the companies to share a common global address list rather than having five
separate lists.
■ Requirement 2 Some of the companies that comprise Wide World Importers
are located in countries where there are toll charges for accessing the Internet. So,
even though there are VPN connections between company locations, it is important
to minimize the usage of the WAN connections for non-user-generated
network traffic during business hours, when toll charges are the highest.
Requirement 1
The first requirement involves planning the Active Directory infrastructure to support
the company’s needs.
1. Describe the forest and domain infrastructure you would recommend that would
result in the most efficient level of administration.
2. Explain how the number of Active Directory forests would affect the deployment
of Exchange Server 2003.
Requirement 2
The second requirement involves minimizing the usage of toll-based WAN connections
during business hours.
1. Describe a feature of Active Directory that you can use to organize resources in a
way that will allow you to minimize usage of WAN bandwidth for non-user-generated
network traffic during business hours.
2. How would the use of sites in this situation affect the placement of global catalog
servers?
Chapter Summary
■ Active Directory is a hierarchical database that provides directory services to users
and client computers within the directory.
■ The Active Directory schema defines the types of objects allowed in Active Directory,
as well as their attributes.
■ Active Directory logically groups resources into a forest, which can contain multiple
domain trees.
■ Sites are used to define resources that are connected by high-speed LAN bandwidth
versus resources connected by lower-speed WAN bandwidth.
■ Global catalog servers provide an efficient means of querying for resources across
domains within a forest.
■ Active Directory is partitioned into three naming contexts: schema, domain, and
configuration.
■ DSProxy and DSAccess function as intermediaries between a global catalog server
and an Exchange Server 2003 client.
■ Exchange Server 2003 integrates with the SMTP, NNTP, and World Wide Web services
of Windows Server 2003 and IIS.
Exam Highlights
Before taking the exam, review the key points and terms that are presented in this
chapter. You need to know this information.
Key Points
■ RPC over HTTP works only when the client computer is running Windows XP Professional
SP1 or later and Outlook 2003, and the Exchange Server 2003 server is
running on Windows Server 2003.
■ You can have only a single Exchange Server 2003 organization in an Active Directory
forest, and an organization cannot span forests.
Key Terms
naming context Active Directory is partitioned into three naming contexts: the
schema naming context, the domain naming context, and the configuration naming
context. Each naming context is responsible for storing different types of
Active Directory data.
operations master Active Directory functions mostly in a multimaster manner,
where each domain controller is a peer. However, some functions cannot be reliably
performed in a multimaster manner, so Active Directory implements them as
single-master roles. The Schema Master role and the Domain Naming Master role
exist only once in a forest. The Infrastructure Master role, the RID Master role, and
the PDC Emulator role exist on a domain controller in each domain in the forest.
Questions and Answers
Lesson 1 Review
1. You are developing a deployment plan for Exchange Server 2003. You have been
asked to ensure that the contoso.com and fabrikam.com domain trees that are part
of the same forest can be included in the same Exchange Server 2003 organization.
Is this possible with the existing Active Directory structure, or will you need to
change the Active Directory structure first?
The security boundary for an Exchange Server 2003 organization is the forest rather than the
domain, so you will be able to include the two domain trees in the same Exchange Server 2003
organization. If the domain trees were in separate forests, you would have to first migrate one
domain into the other forest in order to be able to place them both in the same organization.
2. You are an Exchange Server 2003 administrator. You regularly create new user
accounts for contractors, but periodically you receive an error that the object cannot
be created. Usually you are able to cancel the process and try again later or to
create the new account from another server. Since the process works most of the
time, you know it isn’t a configuration problem or permissions problem. What else
might be causing the problem?
a. The PDC Emulator is unavailable
b. The RID Master is unavailable
c. The Schema Master is unavailable
d. The Infrastructure Master is unavailable
The correct answer is b.
3. The CIO for your company returns from a Windows Server 2003 seminar and is
anxious to share his new knowledge. He says you should make all of the servers
in your Active Directory forest global catalog servers because it will improve the
response time to user queries, especially with Exchange Server 2003. He feels that
this will help significantly since your organization has four domain trees with multiple
child domains in each. Do you agree with him? Why or why not?
While more global catalog servers would theoretically improve the response time to user queries,
replication traffic on the network would increase. Depending on the network, this
additional traffic could have a detrimental effect that outweighs the benefits of using additional
global catalog servers. There is a balance between too few and too many global catalog
servers.
Lesson 2 Review
1. You are an Exchange Server 2003 consultant who has been contacted by Contoso,
Ltd., to help analyze their network environment and make recommendations as
they prepare to migrate from Windows NT Server 4 and Exchange Server 5.5 to
Windows Server 2003 Active Directory and Exchange Server 2003. They are concerned
about total cost of ownership (TCO), especially as it concerns having to
duplicate user information between Windows and Exchange. What advice can you
give them about this concern?
In contrast to Exchange Server 5.5, which maintained its own directory, Exchange Server 2003
integrates with Active Directory. As a result, there is no need to maintain separate user databases.
Exchange Server 2003 extends the Active Directory schema so that user objects can be
configured with Exchange-specific information, such as e-mail addresses, mailboxes, and so
on. The end result is a single point of user management with no duplication of effort between
the Windows environment and the Exchange environment.
2. Which Active Directory naming context is responsible for the storage of Exchange
Server 2003 recipient objects?
a. The domain naming context
b. The schema naming context
c. The configuration naming context
The correct answer is a.
3. What is the primary function of the DSAccess service?
a. To provide access to Active Directory information for Microsoft Outlook and
MAPI clients.
b. To store information about all Active Directory objects and their attributes.
c. To store information about routing groups and connectors used to access
other sites in the Exchange organization.
d. To implement a directory cache to reduce the number of global catalog queries.
The correct answer is d.