Microsoft Exchange Server 2003 and Active Directory (70-284)
Revision no.: PPT/2K403/02
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Lesson 1: Overview of Active Directory
• Active Directory Forests and Domains
• Active Directory Sites
• Active Directory Schema
• Organizational Units
• Global Catalogs
• Operation Masters
Active Directory Forests and Domains
• The forest is the primary security boundary.
• A forest contains domain trees.
• A forest can have multiple trees.
• The first domain created is the forest root domain.
• Domains in Active Directory are represented by DNS names
rather than NetBIOS names.
• Regardless of the number of domain trees in a forest, there is
centralized administration at the forest level with permissions
to all domain trees.
Contd…
• Each forest has an Enterprise Admins group as well as a
Schema Admins group. Members of these groups have
authority over all the domain trees in the forest.
• Each domain has a Domain Admins group, and administrators
in a parent domain automatically have administrative
permissions to all child domains through automatic transitive
trust relationships.
Active Directory Sites
• It is important for computers and services to have a way of
identifying Active Directory resources that are located on the
same LAN versus resources that are on a different LAN
separated by a WAN connection.
• Sites contain Active Directory resources that are all connected
by reliable high-speed bandwidth—a minimum of 10
megabytes (MB).
• Site membership is used in the logon process as a computer
attempts to locate a domain controller in its own site first; in
replication; in accessing global catalogs; and in the Exchange
Server 2003 messaging infrastructure.
Active Directory Schema
• The schema is a definition of the types of objects that are
allowed within a directory and the attributes that are
associated with those objects.
• These definitions must be consistent across domains in order
for the security policies and access rights to function
correctly.
• There are two types of definitions within the schema:
– Attributes
– Classes
Contd…
• Attributes are defined only once, and then can be applied to
multiple classes as needed.
• The object classes, or metadata, are used to define objects.
• A class is simply a generic framework for objects. It is a
collection of attributes, such as Logon Name and Home
Directory for user accounts or Description and Network
Address for computer accounts.
• Active Directory comes standard with a predefined set of
attributes and classes that fit the needs for many network
environments.
Organizational Units
• OUs provide the ability to organize the network in a logical
manner and hide the physical structure of the network from the end
users.
• Active Directory uses a special container known as an OU to
organize objects within a domain for the purpose of
administration.
• OUs can be used to split a domain into administrative divisions
that mirror the functional or physical separations within the
company.
Contd…
• An OU can contain user accounts, computers, printers, shared
folders, applications, and any other object within the domain.
• OUs can be used to separate administrative functions within a
domain without granting administrative rights to the whole
domain.
• An OU is the smallest element to which you can assign
administrative rights.
• OUs can be used to delegate authority and control within a
domain.
Global Catalogs
• Domain controllers keep a complete copy of the Active
Directory database for a domain, so that information about
each object in the domain is readily available to users and
services.
• The global catalog stores partial replicas of the directories
of other domains.
• The catalog is stored on domain controllers that have been
designated as global catalog servers.
• These servers also maintain the normal database for their
domain.
Function Of Global Catalog
• The global catalog has two primary functions within Active
Directory.
• These functions relate to the logon capability and queries
within Active Directory.
• Within a multi-domain environment that is running in Windows
2000 Native mode or the Windows Server 2003 functional level,
a global catalog is required for logging on to the network.
• The global catalog provides universal group membership
information for the user account that is attempting to log on to
the network.
• If the global catalog is not available during the logon attempt
and the user account is external to the local domain, the user
will only be allowed to log on to the local machine.
Contd…
• The global catalog maintains a subset of the directory
information available within every domain in the forest.
• This allows queries to be handled by the nearest global
catalog, saving time and bandwidth.
• If more than one domain controller is a global catalog server,
the response time for the queries improves.
• The disadvantage is that each additional global catalog server
increases the amount of replication overhead within the
network.
Global Catalog Servers
• Active Directory automatically creates a global catalog on the
first domain controller within a forest
• Each forest requires at least one global catalog.
• In an environment with multiple sites, it is good practice to
designate a domain controller in each site to function as a
global catalog server.
• While any domain controller can be configured as a global
catalog server, a sense of balance is necessary when
designating these servers.
• As the number of global catalog servers increases, the
response time to user inquiries decreases.
• However, the replication requirements within the environment
increase as the number of global catalog servers increases.
Operation Masters
• Schema Master
• Domain Naming Master
• PDC Emulator
• RID Master
• Infrastructure Master
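The global catalog placement described on the previous slides and the five operations master roles can be checked from any domain-joined machine. The script below is an added example, not part of the CMS courseware; it uses the .NET System.DirectoryServices.ActiveDirectory classes (available since .NET 2.0) and assumes the account running it can read the forest configuration.

```powershell
# Added example (not from the courseware): list operations master role holders
# and the global catalog servers in each site, flagging sites that have none.
[void][System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices")

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Forest-wide roles: exactly one holder of each in the whole forest.
"Forest          : $($forest.Name)"
"Schema Master   : $($forest.SchemaRoleOwner.Name)"
"Domain Naming   : $($forest.NamingRoleOwner.Name)"

# Domain-wide roles: one holder of each per domain.
foreach ($domain in $forest.Domains) {
    "Domain          : $($domain.Name)"
    "  PDC Emulator  : $($domain.PdcRoleOwner.Name)"
    "  RID Master    : $($domain.RidRoleOwner.Name)"
    "  Infrastructure: $($domain.InfrastructureRoleOwner.Name)"
}

# Group the forest's global catalog servers by the site they sit in.
$gcBySite = @{}
foreach ($gc in $forest.GlobalCatalogs) {
    if (-not $gcBySite.ContainsKey($gc.SiteName)) { $gcBySite[$gc.SiteName] = @() }
    $gcBySite[$gc.SiteName] += $gc.Name
}

# A site without a global catalog sends every universal-group lookup across
# the WAN, and logons of accounts from other domains fail there if no GC
# is reachable, which is the failure mode the slides describe.
foreach ($site in $forest.Sites) {
    if ($gcBySite.ContainsKey($site.Name)) {
        "Site $($site.Name): GC = " + [string]::Join(", ", $gcBySite[$site.Name])
    } else {
        "Site $($site.Name): WARNING - no global catalog server in this site"
    }
}
```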
Lesson 2: Exchange Server 2003 Integration
with Active Directory
• Naming Contexts
• Global Catalog Integration
• Active Directory Group Integration
Naming Contexts
• Domain
• Configuration
• Schema
Domain
• The domain naming context is where all the domain objects for
Exchange Server 2003 are stored.
• Objects include recipient objects like users, groups, and
contacts.
• Exchange Server 2003 extends these recipient objects with
additional mail-related attributes.
• In Exchange Server 2003 mailboxes and Active Directory user
accounts are not separate objects.
Configuration
• The configuration naming context stores information about the
physical structure of the Exchange organization, such as
routing groups and connectors.
• Active Directory replicates this data to all domain controllers in
the forest; the forest therefore marks the security boundary of an
Exchange organization.
Schema
• The schema naming context contains information about all of
the object classes and their attributes that can be stored in
Active Directory.
• This data is replicated to all domain controllers in a forest.
• During the deployment of Exchange Server 2003, the Active
Directory schema is extended to include the classes and
attributes specific to Exchange Server 2003.
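The three naming contexts on the preceding slides can be read from RootDSE, and each one can be checked for the Exchange objects it is said to hold. This is an added example, not the courseware's own material; it assumes a domain-joined host, a reader account, and that the Exchange schema version marker object CN=ms-Exch-Schema-Version-Pt exists in the schema partition once ForestPrep has run.

```powershell
# Added example (not from the courseware): show the naming contexts that
# Exchange Server 2003 uses and verify what each one holds.
[void][System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices")

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNC = [string]$rootDse.defaultNamingContext        # recipients: users, groups, contacts
$configNC = [string]$rootDse.configurationNamingContext  # Exchange organization, routing groups
$schemaNC = [string]$rootDse.schemaNamingContext         # class and attribute definitions

"Domain NC        : $domainNC"
"Configuration NC : $configNC"
"Schema NC        : $schemaNC"

# 1. Schema NC: ForestPrep writes a version marker attribute object; its
#    rangeUpper carries the schema version (Exchange Server 2003 RTM stamps 6870).
$verPath = "LDAP://CN=ms-Exch-Schema-Version-Pt," + $schemaNC
if ([System.DirectoryServices.DirectoryEntry]::Exists($verPath)) {
    $ver = ([ADSI]$verPath).psbase.Properties["rangeUpper"].Value
    "Exchange schema extension present, version $ver"
} else {
    "Exchange schema extension NOT present (ForestPrep has not run in this forest)"
}

# 2. Configuration NC: the organization lives under CN=Microsoft Exchange,CN=Services
#    and is replicated to every domain controller in the forest.
$svcPath = "LDAP://CN=Microsoft Exchange,CN=Services," + $configNC
if ([System.DirectoryServices.DirectoryEntry]::Exists($svcPath)) {
    foreach ($child in ([ADSI]$svcPath).psbase.Children) {
        "Exchange container: $($child.psbase.Name)"
    }
}

# 3. Domain NC: a mailbox is not a separate object; it is a user object
#    whose homeMDB attribute points at a mailbox store.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]("LDAP://" + $domainNC)
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(homeMDB=*))"
$searcher.PageSize = 1000                    # page through large domains
[void]$searcher.PropertiesToLoad.Add("sAMAccountName")
"Mailbox-enabled users in this domain: $($searcher.FindAll().Count)"
```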
Global Catalog Integration
• Exchange Server 2003 uses two services to access Global
Catalog
– DSProxy
– DSAccess
DSProxy
• While Microsoft Outlook 2000 and 2003 clients can access a
global catalog directly, other clients cannot.
• Exchange Server 2003 provides a proxy service called
DSProxy to function as an intermediary between the client and
the global catalog.
• DSProxy works as a facilitator to allow Outlook clients to
access information within Active Directory through the Name
Service Provider Interface (NSPI).
• DSProxy service supports older Messaging Application
Programming Interface (MAPI) clients by forwarding requests
directly from the client to the global catalog server.
• DSProxy does not examine the request; instead, it blindly
forwards the request and then returns the results.
• The process is transparent to the user.
DSAccess
• Exchange Server 2003 shares global catalog functionality with
other Active Directory services, so it is important to reduce the
impact of Exchange Server 2003 queries.
• DSAccess implements a directory access cache that stores
recently accessed information for a configurable length of
time.
• This reduces the number of queries made to global catalog
servers.
• Increasing the cache and timeout period too much can cause
problems with out-of-date data, while a cache that is too small
and a short timeout period can cause performance problems,
as well.
Active Directory Group Integration
• The use of security groups and distribution groups is another
feature in which Exchange Server 2003 integrates with Active
Directory.
• Versions of Exchange Server prior to Exchange Server 2000
maintained their own distribution lists, which contained
recipients that were members of the Exchange organization.
• These distribution lists existed only within Exchange and were
unrelated to the Windows user accounts database.
• Exchange Server 2003 does not maintain its own distribution
lists.
• Active Directory security groups and distribution groups are
extended to support e-mail addresses.
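Because both kinds of group are now ordinary Active Directory group objects carrying a mail attribute, an administrator can enumerate every mail-enabled group and see which of them are also security principals. The script is an added example, not part of the courseware; it assumes a domain-joined host with read access to the domain partition.

```powershell
# Added example (not from the courseware): list mail-enabled groups and classify
# each as a security or distribution group from its groupType attribute.
[void][System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices")

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNC = [string]$rootDse.defaultNamingContext

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]("LDAP://" + $domainNC)
$searcher.Filter   = "(&(objectCategory=group)(mail=*))"   # only groups with an address
$searcher.PageSize = 1000                                   # page through large domains
foreach ($attr in "cn", "mail", "groupType", "member") {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

# groupType bit flags: 0x80000000 = security-enabled, low bits give the scope.
$SECURITY_ENABLED = 0x80000000
$scopeNames = @{ 2 = "Global"; 4 = "DomainLocal"; 8 = "Universal" }

$securityGroupsWithMail = 0
foreach ($result in $searcher.FindAll()) {
    $props     = $result.Properties
    $groupType = [int]$props["grouptype"][0]
    if (($groupType -band $SECURITY_ENABLED) -ne 0) {
        $kind = "Security"; $securityGroupsWithMail++
    } else {
        $kind = "Distribution"
    }
    $scope = $scopeNames[[int]($groupType -band 0xE)]
    # Note: LDAP returns at most 1500 member values per query, so very large
    # groups show a truncated count here.
    $members = $props["member"].Count
    "{0,-12} {1,-11} {2,5} members  {3}  <{4}>" -f $kind, $scope, $members,
        $props["cn"][0], $props["mail"][0]
}

# A mail-enabled security group is one object serving two purposes: an ACL
# principal and a recipient. Membership changes affect both, so these are
# the groups whose membership deserves the closest review.
"Mail-enabled security groups: $securityGroupsWithMail"
```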
Lesson 3: Exchange Server 2003 and Windows Server
2003 Protocols and Services Integration
• Exchange Server 2003 and IIS 6
– SMTP
– NNTP
– World Wide Web Service
SMTP
• Unlike Exchange Server 5.5 and earlier versions, Exchange
Server 2003 does not provide its own SMTP services.
• Windows 2000 Server and Windows Server 2003 include a core
SMTP service with IIS 5 and 6, respectively, and Exchange
Server 2003 relies on this service to provide e-mail services.
• Exchange simply extends the built-in SMTP service to provide
the necessary additional functionality.
• Windows Server 2003 also includes a Post Office Protocol 3
(POP3) service, which is listed in the Windows Components
Wizard as Email Services.
• Exchange Server 2003 adds native support for Real-Time
Blacklists (RBLs) and improved antivirus support.
• Fighting spam and viruses is a time-consuming process for
administrators, and the enhanced functionality eases the
administrative burden.
NNTP
• Exchange Server 2003 also relies on the IIS built-in NNTP
service.
• The NNTP service provides user access to newsgroups either
internally or on the Internet.
• Access to newsgroups is made available through Exchange
Server 2003 public folders, with security configured through
the Exchange Server 2003 organization.
• The NNTP service is also useful for sharing public folders
between organizations.
• Exchange Server 2003 does not modify or extend the IIS NNTP
service, as it does the SMTP service.
World Wide Web Service
• OWA integrates into IIS and doesn’t even have to be installed
on the same server as Exchange Server 2003.
• Because of the integration, services can be installed almost
anywhere within Active Directory, providing flexibility and a
very scalable messaging solution.
• OWA provides client access to an Exchange mailbox through a
Web browser.
• The HTTP protocol, which is part of the World Wide Web
Service, is the transport used for OWA functionality.
Contd…
• A new feature exclusive to Exchange Server 2003 running on
Windows Server 2003 is the ability to use Outlook 2003 to
connect to Exchange Server 2003 servers using the HTTP
protocol.
• This is known as “RPC over HTTP.”
• In previous versions of Exchange Server and IIS, if a remote
user needed to connect to a corporate Exchange server using
the Outlook client rather than OWA, they would have to
establish a virtual private network (VPN) connection first.
• This was because the communication between the client and
server took place only over remote procedure call (RPC).
• Another requirement for client computers to use RPC over
HTTP is that they must be running Windows XP Professional
SP1 or later.
Design & Published by:
CMS Institute, Design & Development Centre, CMS House, Plot No. 91, Street No.7,
MIDC, Marol, Andheri (E), Mumbai –400093, Tel: 91-22-28216511, 28329198
Email: courseware.inst@cmail.cms.co.in
www.cmsinstitute.co.in