Exchange and the Active Directory (MSG 300)
Eileen Brown, IT Pro Evangelist, Microsoft UK
eileenb@microsoft.com
http://blogs.technet.com/eileen_brown

Agenda
• Internals of Exchange AD management
• Active Directory 101
• Storing Exchange data in AD
• Creating, managing and maintaining Exchange information in AD
• Permissions needed to run Exchange
• Reading information from AD
  • DSAccess
  • DSProxy
• Three common problems

Active Directory 101: The Storage
• Active Directory is a database
• Easy to locate, access, and read information
• Common set of objects
• Hierarchy and permission model for accessing and managing objects
• Integrated with Windows security

Active Directory 101: Naming Contexts
• Schema NC: schema object definitions; available on all AD controllers (DCs and GCs) in the forest
• Configuration NC: replication topology, domains, servers; available on all DCs in the forest
• Domain NC: users, groups, contacts; available on all DCs in the same domain
• Application NC: application data; available only on the specific DCs in the forest that host it
Active Directory 101: Makeup of a forest
(Diagram: a forest of two domains, dom1.contoso.com and dom2.contoso.com; every DC in both domains holds a replica of the Configuration NC, and some of the DCs are also GCs.)

Active Directory 101: Windows sites
(Diagram: two sites joined by a site link, labelled "Site Connector" on the slide.)
• Group of servers with good connectivity
• One site can span multiple domains
• One domain can have multiple sites

Active Directory 101: What's New in Windows 2003?
• Schema deactivation
  • Deactivation of core Exchange attributes is not supported
  • Available at Windows Server 2003 forest and domain functional level (level 2)
• Group membership replication improvements (linked-value replication)
• Inter-Site Replication Topology Generator improvements
• Domain rename
• Application naming context
Where Exchange data is stored in AD
• Domain NC for recipients
  • Mailboxes, DLs, and contacts
  • Most Exchange recipient attributes are part of the partial attribute set, so they are replicated to every GC in the forest
• Configuration NC for everything else
  • Exchange system objects (stores, connectors, etc.)
  • Active Directory Connector (ADC) settings
  • The Configuration container is replicated to every DC in the forest

Storing Exchange data in the AD
• Exchange extends the AD schema to store its information
  • Extends existing classes: user, inetOrgPerson, ...
  • Creates new classes: connectors, administrative groups, ...
• Extension is done during ForestPrep, Exchange Setup, and ADC setup

Storing Exchange data in the AD: a mailbox-enabled user as shown by ldp
  >> Dn: CN=Eileen Brown,CN=Users,DC=Eileen,DC=Contoso,DC=com
  1> displayName: Eileen Brown;
  …
  1> mail: eileen@contoso.com;
  Core Exchange attributes:
  1> homeMDB: (Dn of home store);
  1> homeMTA: (Dn of MTA on home server);
  1> legacyExchangeDN: /o=contoso/ou=MAIN-SITE/cn=Recipients/cn=eileen;
  1> mailNickname: eileen;
  4> proxyAddresses: SMTP:eileen@contoso.com; (primary address, then secondary addresses)
  Additional Exchange attributes:
  3> showInAddressBook: (Link to address books);
  1> msExchHomeServerName: (Dn of home server);
  1> msExchMailboxGuid: <ldp: Binary blob>;
  1> msExchMailboxSecurityDescriptor: <ldp: Binary blob>;
  1> msExchPoliciesIncluded: (Link to recipient policies);
  1> msExchUserAccountControl: 0;
Creating, Managing, and Maintaining Exchange information in AD

How is Exchange data populated?
• From existing systems
  • Active Directory Connector (ADC) for Exchange 5.5
    • Imports information from Exchange 5.5 into AD
    • Provides ongoing two-way synchronisation between Exchange 5.5 directory objects and Active Directory objects
    • ADC inter-org mode creates contacts from external Exchange organisations
  • Foreign connectors (Notes, cc:Mail, GroupWise) for other systems
  • MIIS: the GALSync tool enables cross-forest scenarios

How is Exchange data populated? (2)
• By Exchange Setup: initial configuration
• By administrators
  • Recipient provisioning (mailboxes, DLs, contacts) when creating objects in AD: use Active Directory Users and Computers
  • Exchange configuration: use Exchange System Manager
  • Using scripts: CDOEXM exposes both recipient and configuration data

Object Management: The Recipient Update Service (RUS)
• Monitors and updates recipient information
  • Enforces recipient policies
  • Sets proxy addresses
  • Ensures the core attributes exist (homeMTA, homeMDB, etc.)
• Monitors and updates address lists
• Monitors server membership
• Manages and maintains membership of the Exchange special groups
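The ldp dump above shows the attributes Exchange stores on a recipient, and the RUS slide lists the rules it enforces on them. The following is an added example, not code from the deck or from Exchange: it parses an ldp-style dump into a dictionary and applies the same consistency rules an administrator would check by hand (core attributes present, exactly one primary address, where the upper-case `SMTP:` prefix marks the primary and lower-case `smtp:` the secondaries, primary matching `mail`, no case-variant duplicate addresses, and a well-formed legacyExchangeDN). Both dumps are constructed samples with shortened DNs; the function and constant names are the example's own.

```python
"""Check that a mailbox-enabled user carries the attributes Exchange expects.

Added illustration: parses ldp-style output like the slide's and applies the
core-attribute and proxy-address rules the Recipient Update Service relies on.
"""
import re

# Constructed sample modelled on the slide's ldp dump (shortened DNs).
SAMPLE_DUMP = """\
>> Dn: CN=Eileen Brown,CN=Users,DC=contoso,DC=com
1> displayName: Eileen Brown;
...
1> mail: eileen@contoso.com;
1> homeMDB: CN=Mailbox Store (EX1),CN=Configuration,DC=contoso,DC=com;
1> homeMTA: CN=Microsoft MTA,CN=EX1,CN=Configuration,DC=contoso,DC=com;
1> legacyExchangeDN: /o=contoso/ou=MAIN-SITE/cn=Recipients/cn=eileen;
1> mailNickname: eileen;
3> proxyAddresses: SMTP:eileen@contoso.com; smtp:eileen.brown@contoso.com; smtp:ebrown@contoso.com;
1> msExchHomeServerName: /o=contoso/ou=MAIN-SITE/cn=Configuration/cn=Servers/cn=EX1;
1> msExchMailboxGuid: <ldp: Binary blob>;
1> msExchUserAccountControl: 0;
"""

# Constructed object with deliberate defects: no homeMTA, two primary
# SMTP: addresses, and a case-variant duplicate proxy address.
BAD_DUMP = """\
>> Dn: CN=Test User,CN=Users,DC=contoso,DC=com
1> mail: test@contoso.com;
1> homeMDB: CN=Mailbox Store (EX1),CN=Configuration,DC=contoso,DC=com;
1> legacyExchangeDN: /o=contoso/ou=MAIN-SITE/cn=Recipients/cn=test;
1> mailNickname: test;
3> proxyAddresses: SMTP:test@contoso.com; SMTP:test.user@contoso.com; smtp:Test@contoso.com;
1> msExchHomeServerName: /o=contoso/ou=MAIN-SITE/cn=Configuration/cn=Servers/cn=EX1;
"""

LINE_RE = re.compile(r"^(\d+)> (\w+): (.*);$")
LEGACY_DN_RE = re.compile(r"^/o=[^/]+/ou=[^/]+/cn=Recipients/cn=[^/]+$", re.IGNORECASE)
CORE_ATTRIBUTES = ("mail", "homeMDB", "homeMTA", "legacyExchangeDN",
                   "mailNickname", "proxyAddresses", "msExchHomeServerName")


def parse_ldp(dump):
    """Parse ldp-style output ('N> attr: v1; v2;') into (dn, {attr: [values]})."""
    dn, attrs = None, {}
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith(">> Dn: "):
            dn = line[len(">> Dn: "):]
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # ldp prints ellipses and blank lines; ignore them
        declared, attr, body = int(m.group(1)), m.group(2), m.group(3)
        values = [v for v in body.split("; ") if v]
        if len(values) != declared:  # the N> prefix is ldp's own value count
            raise ValueError(f"{attr}: ldp declared {declared} values, parsed {len(values)}")
        attrs[attr] = values
    return dn, attrs


def check_recipient(attrs):
    """Return a list of findings; an empty list means the object looks consistent."""
    findings = []
    for attr in CORE_ATTRIBUTES:
        if attr not in attrs:
            findings.append(f"missing core attribute {attr}")
    proxies = attrs.get("proxyAddresses", [])
    # Upper-case SMTP: marks the primary address; lower-case smtp: a secondary.
    primaries = [p[len("SMTP:"):] for p in proxies if p.startswith("SMTP:")]
    if len(primaries) != 1:
        findings.append(f"expected exactly one primary SMTP: address, found {len(primaries)}")
    mail = attrs.get("mail", [""])[0]
    if primaries and mail.lower() != primaries[0].lower():
        findings.append(f"mail ({mail}) does not match primary SMTP address ({primaries[0]})")
    seen = set()
    for p in proxies:  # addresses are compared case-insensitively for routing
        if p.lower() in seen:
            findings.append(f"duplicate proxy address {p}")
        seen.add(p.lower())
    legacy = attrs.get("legacyExchangeDN", [""])[0]
    if legacy and not LEGACY_DN_RE.match(legacy):
        findings.append(f"legacyExchangeDN has unexpected shape: {legacy}")
    return findings


def main():
    for dump in (SAMPLE_DUMP, BAD_DUMP):
        dn, attrs = parse_ldp(dump)
        print(dn, check_recipient(attrs) or "OK")


if __name__ == "__main__":
    main()
```

A real run would feed the output of an LDAP search for `(&(objectClass=user)(homeMDB=*))` through `parse_ldp`; objects with findings are the ones the RUS has not yet stamped, or that someone edited by hand.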
Permissions needed
• To complete setup
  • ForestPrep, first time in the forest (updates the schema): member of the Enterprise Admins and Schema Admins groups
  • ForestPrep thereafter: Exchange Full Administrator at the organisation level
  • DomainPrep: Domain Admins
• Server setup
  • Install the first server in a domain: Exchange Full Administrator at the organisation level
  • Install additional servers in the domain: Exchange Full Administrator at the administrative group level
• To manage recipients: permission to read and write the Exchange attributes (Account Operators)
• To manage configuration: permission to read and write objects in the Exchange container (Exchange Administrator)

Permissions needed: Granting admins permissions
• The Exchange Administration Delegation Wizard
  • Sets the appropriate permissions within the Exchange configuration container
  • Three levels: Exchange Full Administrator, Exchange Administrator, Exchange View Only Administrator
• Active Directory Users and Computers
  • Grants admins the permissions to manage accounts

Permissions needed by servers
• To access and manage recipients: read and write the Exchange attributes, to route mail and update account information
• To access configuration: read and write objects in the Configuration NC, for lookup and reporting

Permissions needed: Granting server permissions
• Two groups are used together to provide forest-wide access
• Exchange Domain Servers (EDS)
  • Global group in each domain
  • Contains the Exchange servers in that domain
  • Has permissions on the Exchange container
• Exchange Enterprise Servers (EES)
  • Domain local group in each domain
  • Contains the Exchange Domain Servers group from every domain
  • Has permissions on the recipient objects of that domain
• Net effect: every Exchange server's computer account can write recipient attributes in every domain of the forest, so Exchange server administrators effectively hold rights over AD user objects
Issue: is this permission overlap between AD and Exchange administrators acceptable?

Split AD and Exchange admin: the resource forest option
• Account forest for managing user accounts
  • AD admins in charge of managing user accounts
  • No schema extension
• Exchange resource forest for managing Exchange
  • Exchange recipient information
  • Exchange configuration data
• Setting up a mailbox
  • Use the Exchange task "Associate External Account" to link the mailbox to the account-forest user
(Diagram: User A lives in the account forest; a trust connects it to the Exchange resource forest, which holds a disabled placeholder account for User A that owns the mailbox.)
Reading information from AD: Information needed in AD
• Exchange needs to deliver messages and access configuration
  • Domain Controllers (DCs): system/server configuration
  • Global Catalogs (GCs): mailbox/recipient information
• Messaging clients need an address book
  • Outlook (MAPI) clients talk directly to a Global Catalog for address book information
  • Other clients use LDAP to search Active Directory

Reading information from AD: DSAccess overview
• Shared API for accessing Active Directory
• Provides access to both configuration and recipient data
• Provides a shared memory cache
  • Reduces load on Active Directory
  • Increases performance for messaging operations
• Automatic topology discovery

Reading information from the AD: Building topologies, DSAccess roles
• Working DCs list
  • Domain Controllers that can accept Domain NC queries for the local domain
  • Selection criteria: DomainPrepped domain; local AD site preferred over remote sites
• Configuration DC
  • The single Domain Controller used for reading and writing configuration
  • Re-evaluated every 8 hours
• Working GCs list
  • Global Catalog servers for forest-wide look-ups
  • The detected servers are used by DSAccess, DSProxy and the categorizer
  • Re-evaluated every 15 minutes

Reading information from the AD: Roles example
(Diagram: six directory servers across two sites and two domains, DOM1 and DOM2. A, D and F are GC/DCs; B, C and E are DCs only. The lists below imply that A, B, C and D sit in Site A and belong to DOM2, while E and F are in Site B.)
• If the Exchange server is in Site A and in DOM2:
  • Configuration DC: A, B, C, or D
  • Working DCs: C, D, A, and B
  • Working GCs: D and A

Reading information from AD: Failing out of site
(Diagram: the Exchange server's own site, with its GCs marked as failed, is connected to three other sites: one by an IP site link of cost 15, one by an IP site link of cost 5, and one by an SMTP site link of cost 5.)
• When no GC in the local site is available, DSAccess follows the IP site link costs to the nearest site that has GCs (the cost-5 IP link here; SMTP site links are not used for this)
• Uses all GCs from that out-of-site group and load-balances across them
• Topology is re-evaluated every 5 minutes to see if fail-back to the local site can occur
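To make the two preceding slides concrete, here is an added example (not Exchange code, and not from the deck) that models how DSAccess builds its three lists from a server inventory: working DCs come from the local, DomainPrepped domain with the local site preferred, the Configuration DC is chosen among the in-site DCs, and the working GCs are all GCs of the local site or, if none is up, all GCs of the site reachable by the cheapest IP site link, SMTP links being ignored. The server and site-link data are constructed; the placement of servers E and F in Site B and DOM1 is an assumption consistent with the lists on the roles slide, and allowing multi-hop site link paths (rather than only direct links) is the example's own generalisation.

```python
"""How DSAccess picks its Configuration DC, working DCs and working GCs.

Added illustration, not Exchange code: it applies the rules on the slides
(local site first, DomainPrepped local domain for DCs, fail-out along IP site
link costs, all GCs of the chosen site used together).
"""
import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectoryServer:
    name: str
    site: str
    domain: str
    is_gc: bool = False
    is_up: bool = True


@dataclass(frozen=True)
class SiteLink:
    site_a: str
    site_b: str
    cost: int
    transport: str = "IP"  # only IP site links count; SMTP links are ignored


def site_costs(links, origin):
    """Cheapest accumulated IP site link cost from origin to each site (Dijkstra).

    Assumption: multi-hop paths are allowed; the slide only shows direct links.
    """
    graph = {}
    for link in links:
        if link.transport != "IP":
            continue
        graph.setdefault(link.site_a, []).append((link.site_b, link.cost))
        graph.setdefault(link.site_b, []).append((link.site_a, link.cost))
    dist = {origin: 0}
    heap = [(0, origin)]
    while heap:
        d, site = heapq.heappop(heap)
        if d > dist[site]:
            continue
        for nxt, cost in graph.get(site, []):
            if d + cost < dist.get(nxt, float("inf")):
                dist[nxt] = d + cost
                heapq.heappush(heap, (d + cost, nxt))
    return dist


def build_topology(servers, links, local_site, local_domain):
    """Return the three DSAccess lists for an Exchange server in local_site/local_domain."""
    up = [s for s in servers if s.is_up]
    in_site = [s for s in up if s.site == local_site]
    # Working DCs: DCs of the local (DomainPrepped) domain, local site preferred.
    working_dcs = [s.name for s in in_site if s.domain == local_domain]
    if not working_dcs:  # assumption: fall back to any reachable DC of the domain
        working_dcs = [s.name for s in up if s.domain == local_domain]
    # Configuration DC: any in-site DC; the Configuration NC is on all of them.
    config_dc_candidates = [s.name for s in in_site]
    # Working GCs: every GC in the local site, else fail out to the cheapest IP-linked site.
    gc_site, working_gcs = local_site, [s.name for s in in_site if s.is_gc]
    if not working_gcs:
        costs = site_costs(links, local_site)
        reachable = {s.site for s in up if s.is_gc and s.site in costs and s.site != local_site}
        if reachable:
            gc_site = min(reachable, key=lambda site: (costs[site], site))
            working_gcs = [s.name for s in up if s.is_gc and s.site == gc_site]
    return {
        "config_dc_candidates": sorted(config_dc_candidates),
        "working_dcs": sorted(working_dcs),
        "working_gcs": sorted(working_gcs),
        "gc_site": gc_site,
    }


# Constructed inventory for the roles slide (E and F placed in Site B / DOM1 by assumption).
ROLES_SERVERS = [
    DirectoryServer("A", "SiteA", "DOM2", is_gc=True),
    DirectoryServer("B", "SiteA", "DOM2"),
    DirectoryServer("C", "SiteA", "DOM2"),
    DirectoryServer("D", "SiteA", "DOM2", is_gc=True),
    DirectoryServer("E", "SiteB", "DOM1"),
    DirectoryServer("F", "SiteB", "DOM1", is_gc=True),
]
ROLES_LINKS = [SiteLink("SiteA", "SiteB", 10)]

# Constructed inventory for the fail-out slide: both local GCs down, three remote sites.
FAILOUT_SERVERS = [
    DirectoryServer("GC-L1", "Local", "DOM1", is_gc=True, is_up=False),
    DirectoryServer("GC-L2", "Local", "DOM1", is_gc=True, is_up=False),
    DirectoryServer("GC-Far", "Far", "DOM1", is_gc=True),
    DirectoryServer("GC-Near1", "Near", "DOM1", is_gc=True),
    DirectoryServer("GC-Near2", "Near", "DOM1", is_gc=True),
    DirectoryServer("GC-Mail", "MailOnly", "DOM1", is_gc=True),
]
FAILOUT_LINKS = [SiteLink("Local", "Far", 15), SiteLink("Local", "Near", 5),
                 SiteLink("Local", "MailOnly", 5, transport="SMTP")]

if __name__ == "__main__":
    print(build_topology(ROLES_SERVERS, ROLES_LINKS, "SiteA", "DOM2"))
    print(build_topology(FAILOUT_SERVERS, FAILOUT_LINKS, "Local", "DOM1"))
```

Running it reproduces the roles slide (working GCs A and D, working DCs and Configuration DC candidates A to D) and, for the fail-out slide, lands on both GCs of the cost-5 IP-linked site while the cost-15 site and the SMTP-linked site are never used.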
Reading information from the AD: DSProxy overview
• Helps clients find Active Directory (RFR interface): Outlook 98 SR2 and later
• Provides directory data on the client's behalf (NSPI proxy): Outlook 98 SR1 and older clients
• Obtains the list of servers to use from DSAccess

MAPI Clients: Proxy Service (Outlook 98 SR1 and earlier)
(Diagram: the client sends its address book query or logon to the Exchange 2003 server; the server forwards it to a Global Catalog and passes the results back to the client.)
• Outlook 98 (SR1 and before), Outlook 97, Exchange 4.0 and 5.0 clients
• The server forwards the client's address book RPC packets to a Windows 2000 GC in the same domain as the server
• Transparent to the client

MAPI Clients: Referral Service (Outlook 98 SR2, 2000 and XP)
(Diagram: at logon or profile creation the client asks the Exchange 2003 server for a GC referral; the server returns a GC name; the client then sends its address book queries directly to that Global Catalog.)
• The client requests the name of the GC to use from an Exchange server
• That GC is used for all address book queries
• Outlook 98 SR2 and Outlook 2000 request a GC only at profile creation time or after a restart (GC failure)
• Outlook 2000 SR2 and Outlook XP request a GC at each logon

AD load breakdown
• Slice by Active Directory server role: roughly 80/20 GC to DC loading
• Slice by process
  • DSAccess: 60% of the load (30% to the Configuration DC, 5% to working DCs, 65% to working GCs)
  • Categorizer: 30% (100% to working GCs)
  • DSProxy: 10% (100% to working GCs)
• Combining the slices gives 0.6 × 0.65 + 0.3 + 0.1 = 79% of Exchange's directory load on GCs and the remaining 21% on DCs, which is where the 80/20 figure comes from
Three common problems (1): Basic GC/DC misplacement
• Examples
  • Customer leaves all GCs/DCs in the Windows default site
  • Customer places Exchange in a remote location with no GC/DC
• Possible symptoms
  • Service failures, slow message handling/routing, large message queues, poor performance, etc.
• Solution
  • Education: understand GC placement so that GCs are close to the clients and servers that use them

Three common problems (2): Incorrect GC/DC failover
• Examples
  • Exchange in a site with a single GC and no connected sites
  • Site links not set appropriately
• Possible symptoms
  • Overload of a single GC, overload of network bandwidth, failure to find a GC causing service failures, slow lookups, message queues, etc.
• Solution
  • Understand the effect of site link costs and set them accordingly
  • Plan for GC redundancy

Three common problems (3): DNS to AD mismatches
• Example
  • Customer creates 2 GCs in a site, but DNS only has an SRV entry for one of them
• Symptoms
  • Overload of the other GC; failover to an out-of-site GC/DC even when a GC/DC in the site is available
• Solution
  • NetDiag can help determine what is broken and re-register the missing DNS records (netdiag /fix)
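The three problems above can be caught before Exchange suffers from them by comparing what AD says about site membership with what DNS advertises. The following is an added example, not part of the deck and not a Microsoft tool: it parses the site-specific `_gc._tcp.<site>._sites.<forest>` SRV records from a zone excerpt and then lints a site/GC inventory for an Exchange site with no GC (problem 1), an Exchange site with a single GC and no IP site link to a site that has one (problem 2), and a GC that AD places in a site but DNS does not advertise there (problem 3). The inventory, site links and zone lines are constructed samples; the site names and hostnames are invented.

```python
"""Lint an AD site layout for the three common Exchange problems (added example)."""

# Constructed inventory: GCs per site as recorded in AD Sites and Services.
GCS_BY_SITE = {
    "London": {"gc1.contoso.com", "gc2.contoso.com"},
    "Reading": {"gc3.contoso.com"},
    "Default-First-Site-Name": {"gc4.contoso.com"},
}
# Constructed IP site links as (site, site) pairs; Reading has no link at all.
IP_SITE_LINKS = [("London", "Glasgow")]
# Sites that contain Exchange servers (Glasgow has servers but no GC).
EXCHANGE_SITES = ["London", "Reading", "Glasgow"]
# Constructed excerpt of the forest root zone: gc2 never registered its London record.
ZONE_LINES = """\
; SRV records from the forest root zone contoso.com (constructed)
_gc._tcp.contoso.com. 600 IN SRV 0 100 3268 gc1.contoso.com.
_gc._tcp.contoso.com. 600 IN SRV 0 100 3268 gc2.contoso.com.
_gc._tcp.London._sites.contoso.com. 600 IN SRV 0 100 3268 gc1.contoso.com.
_gc._tcp.Reading._sites.contoso.com. 600 IN SRV 0 100 3268 gc3.contoso.com.
_gc._tcp.Default-First-Site-Name._sites.contoso.com. 600 IN SRV 0 100 3268 gc4.contoso.com.
""".splitlines()


def parse_gc_srv(zone_lines):
    """Return {site: {gc host}} from _gc._tcp.<site>._sites.<forest> SRV records."""
    by_site = {}
    for raw in zone_lines:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()  # owner ttl class type priority weight port target
        if len(fields) < 8 or fields[3] != "SRV":
            continue
        labels = fields[0].rstrip(".").split(".")
        # Forest-wide _gc._tcp.<forest> records carry no site; skip those.
        if len(labels) < 5 or labels[:2] != ["_gc", "_tcp"] or labels[3] != "_sites":
            continue
        by_site.setdefault(labels[2], set()).add(fields[7].rstrip(".").lower())
    return by_site


def lint_topology(gcs_by_site, ip_site_links, exchange_sites, dns_gcs_by_site):
    """Return (site, message) findings for the three common problems."""
    findings = []
    neighbours = {}
    for a, b in ip_site_links:
        neighbours.setdefault(a, set()).add(b)
        neighbours.setdefault(b, set()).add(a)
    for site in exchange_sites:
        gcs = gcs_by_site.get(site, set())
        if not gcs:  # problem 1: Exchange placed where there is no GC/DC
            findings.append((site, "no GC in the Exchange server's site; every lookup leaves the site"))
            continue
        linked_gc_sites = [n for n in neighbours.get(site, ()) if gcs_by_site.get(n)]
        if len(gcs) == 1 and not linked_gc_sites:  # problem 2: no failover path
            findings.append((site, "single GC and no IP site link to a site with a GC; no failover possible"))
        advertised = dns_gcs_by_site.get(site, set())
        for gc in sorted(gcs - advertised):  # problem 3: DNS does not match AD
            findings.append((site, f"GC {gc} has no _gc._tcp.{site}._sites SRV record; DSAccess will not use it"))
    return findings


if __name__ == "__main__":
    for site, message in lint_topology(GCS_BY_SITE, IP_SITE_LINKS, EXCHANGE_SITES,
                                       parse_gc_srv(ZONE_LINES)):
        print(f"{site}: {message}")
```

On a live forest the zone excerpt would come from a zone transfer or an `nslookup -type=SRV` query per site, and the inventory from AD Sites and Services; the findings map one to one onto the three slides above.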
In summary
• Internals of Exchange AD management
• Active Directory 101
• Storing Exchange data in AD
• Creating, managing and maintaining Exchange information in AD
• Permissions needed to run Exchange
• Reading information from AD
  • DSAccess
  • DSProxy
• Three common problems

Community Resources
• http://www.microsoft.com/communities/default.mspx
• Most Valuable Professional (MVP): http://www.microsoft.com/communities/mvp
• Newsgroups: converse online with Microsoft Newsgroups, including worldwide: http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx
• User Groups: meet and learn with your peers: http://www.microsoft.com/communities/usergroupsdefault.mspx

Knowledge Needed. Knowledge Applied. Microsoft Products and Services for Lifelong Learning
• Assess your skills
• Take an eLearning course
• Subscribe to Microsoft TechNet
• Get the latest information on IT Pro and Developer books to purchase online or at your local bookstore
• Find the course right for you and a Microsoft Certified Partner for Learning Solutions in your area
• Learn about the Microsoft certifications that can enable and advance your career: www.microsoft.com/learning (Learn more. Go further.)
© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only.MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.