Answers for Module 1: Overview of

Microsoft Exchange Server 2007 and

the Active Directory Directory Service

Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious, and no association with any
real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or
should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting
the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval
system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights
covering subject matter in this document. Except as expressly provided in any written license agreement from
Microsoft, the furnishing of this document does not give you any license to these patents, trademarks,
copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft
makes no representations and warranties, either expressed, implied, or statutory, regarding these
manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or
product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to
third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the
contents of any linked site or any link contained in a linked site, or any changes or updates to such sites.
Microsoft is not responsible for webcasting or any other form of transmission received from any linked site.
Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply
endorsement of Microsoft of the site or the products contained therein.
2008 Microsoft Corporation. All rights reserved.
Microsoft, Microsoft Press, Active Directory, ActiveSync, BizTalk, Forefront, Internet Explorer, Outlook,
PowerPoint, SharePoint, SQL Server, Visual Studio, Windows, Windows Media, Windows Mobile, Windows NT,
Windows PowerShell, Windows Server and Windows Vista are either registered trademarks or trademarks of
Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.

Version 1.2

Answers for Module 1: Overview of Microsoft Exchange Server 2007 and the Active Directory Directory Service 1

Lesson 1: Review of Active Directory

Discussion: Review of Active Directory Components
Q What is the definition of a domain?
A An Active Directory domain is a collection of computers defined by the administrator
of a Windows network. These computers share a common directory database, security
policies, and security relationships with other domains. An Active Directory domain
provides access to the centralized user accounts and group accounts maintained by the
domain administrator. Computer accounts and user accounts within an Active Directory
domain can be organized into a hierarchy based on organizational units (OUs).

Discussion: Review of Active Directory Components

Q What is the definition of a tree?
A A tree is set of domains that share the same Domain Name System (DNS) namespace
and have automatic trust relationships between them. The trust relationships allow
administrators to grant users in one domain access to resources in another domain.
Q What is the definition of a forest?
A A forest is a set of one or more trees that share common configuration and schema
information. When multiple trees exist in a forest, there is an automatic trust
relationship between the trees, which enables users in one tree to access resources in
another tree. There can be only one Exchange Server organization per forest.
Q Where do user accounts exist?
A User accounts are stored in each domain.
Q What type of information is shared between domains in a forest?
A All domains in a forest share the same Active Directory configuration information,
Active Directory schema information, and a common global catalog.
Q What type of information is shared among forests?
A By default, no information is shared among forests. However, you can configure forest
trusts to share resources among forests. In addition, you can use Microsoft Identity
Integration Server (MIIS), the Identity Integration Feature Pack (IIFP), or the Microsoft
Identity Lifecycle Manager (ILM) 2007 to synchronize information among forests.

Answers for Module 1: Overview of Microsoft Exchange Server 2007 and the Active Directory Directory

Service

Q What tasks does a domain controller perform?

A A domain controller holds a copy of the local domain database (including user accounts
and computer accounts) and is responsible for authenticating users and computers.
Additionally, domain controllers respond to queries for information in Active Directory.
Q What are the differences between a domain controller and a global catalog server?
A A domain controller has directory information only for the domain of which it is a
member. A domain controller does not have information about users in other domains.
A global catalog server is a domain control that also holds a subset of information from
other domains in the forest. For example, a global catalog server has limited
information about all users in a forest.
Q What is the role of DNS in Active Directory?
A DNS is used to find domain controllers and global catalog servers. Service resource
records (SRV) in DNS contain information about the domain controllers and global
catalog servers for the entire forest.

Discussion: Review of Active Directory Components

Q What is Active Directory replication?
A Active Directory replicates information between domain controllers. Domain
information is replicated between domain controllers in the same domain and to global
catalog servers in the forest. Configuration data and the schema are replicated between
all domain controllers in the same forest.
Q What is the definition of an Active Directory site?
A Active Directory sites are defined as one or more Internet Protocol (IP) subnets.
Typically all of the IP subnets in a given physical location are part of the same
site. Sites do not typically encompass more than one physical location. All of the
computers within a single site must have a fast network connection (typically 10 Mbps
or more) between them.
Q How do Active Directory sites affect replication?
A Active Directory sites are defined as one or more Internet Protocol (IP) subnets.
Typically all of the IP subnets in a given physical location are part of the same site.
Sites do not typically encompass more than one physical location because fast network
connections are required between all subnets that are part of the same site.
Q What Active Directory functional level is required to support Exchange Server 2007?
A To support Exchange Server 2007, the domain functional level must be Windows 2000
Server native or above. This enables some Active Directory features that are required
by Exchange Server 2007. Active Directory in Windows Server 2008 also supports a
minimum of Windows Server 2000 native functional level.

Answers for Module 1: Overview of Microsoft Exchange Server 2007 and the Active Directory Directory Service 3

Demonstration: Viewing Active Directory Partitions and

Replication
Q How can you tell when replication is not working?
A On a day-to-day basis, the most common indicator is replication errors that produce
inconsistent results when querying a domain controller or global catalog. For example,
the list of users in the Microsoft Office Outlook address book is different depending
on the global catalog server that the client is using. The Repadmin tool can identify
replication errors and report them to you. Repadmin also will identify the last time that
a replication completed successfully between two replication partners.
Q How do you monitor replication in your organization?
A Many people will not monitor replication in their organizations. However, they can
monitor replication by selecting a consistent time each week to run Replmon and check
for errors. Repadmin, a command-line utility, also can be used to verify replication
within an Active Directory forest.
Q What steps do you take when Active Directory replication is not working?
A Some of the steps you can take to troubleshoot and repair replication problems are:

View error messages in Event Viewer.

Verify network connectivity.

Verify network configuration.

Verify DNS configuration.

Verify correct DNS records.

Attempt to force replication by using Replmon or Repadmin.

Try configuring a direct connection between domain controllers in Active Directory

Sites and Services or by using RepAdmin.

Remove and reinstall Active Directory from the server. (This step should be used as
a last resort and only if a server will not replicate with other domain controllers in
the forest.)

Answers for Module 1: Overview of Microsoft Exchange Server 2007 and the Active Directory Directory

Service

Lesson 2: Introduction to the Integration of Active

Directory and Exchange Server 2007
Demonstration: Active Directory and Exchange Server
Permissions
Q How would you give a user full administrative permissions for both Active Directory
and Exchange Server?
A Most Exchange Server configuration information is stored in Active Directory. Making
users a member of the Domain Admins group will allow them to manage all aspects of
both Active Directory and Exchange Server within a domain. For example, a member
of the Domain Admins group can create mailboxes for users within the domain, as well
as create and delete users. Enterprise Admins can manage Active Directory and
Exchange Server for the entire forest.

Demonstration: Active Directory and Exchange Server

Permissions
Q How would you give a user as few Active Directory rights as possible, but with full
Exchange Server permissions?
A Making users Exchange Server administrators is not dependent on giving them full
rights to Active Directory. You can give users rights to Exchange Server by making
them members of the appropriate Exchange Server administration group. To give users
full Exchange Server rights, place them in the Exchange Organization Administrators
group.

Demonstration: Understanding the Integration of Active Directory

and Exchange Server 2007
Q How will you use ADSI Edit in your workplace?
A ADSI Edit is not used often. It is used only to configure specific Exchange Server
or Active Directory characteristics that cannot be accessed by using a graphical
administration tool. The risk of making an incorrect edit using ADSI is much higher
than when using an administrative tool specifically designed for managing Exchange
Server.

Answers for Module 1: Overview of Microsoft Exchange Server 2007 and the Active Directory Directory Service 5

Demonstration: Understanding the Integration of Active Directory

and Exchange Server 2007
Q Did you see any information in Active Directory that you did not expect to find?
A The configuration partition stores the vast majority of Exchange Server configuration
information to ensure that all computers running Exchange Server can query the
characteristics of other computers running it. Many students might expect that
information to be in the domain partition instead.

Lab: Overview of How Exchange Server 2007 and

Active Directory Work Together
Exercise: Explaining How Exchange Server 2007 and Active
Directory Work Together
Q What are the components that Exchange Server relies on and which need to be in place?
A Exchange Server relies on Active Directory to function properly, such as the required
correct placement of domain controllers and global catalog servers. DNS must also be
properly implemented to allow Exchange servers and clients to query information for
Active Directory.
Q For scenario 1, what Active Directory changes should be made?
A The two existing Active Directory forests should be merged into a single forest. This
enables them to have a single Exchange Server organization with a single global
address list. They may also consider migrating into a single domain with multiple OUs,
but this would not affect the Exchange Server deployment.
Q For scenario 1, what Active Directory sites should be configured?
A A site should be configured for each physical location. Three Active Directory sites
should be created for Miami, Vancouver Tailspin Toys, and Vancouver Adventure
Works. If network links are fast enough, it may be possible to combine both Vancouver
locations into a single site.
Q For scenario 1, where should deployment of domain controllers and global catalog
servers occur?
A Domain controllers and global catalog servers should be implemented at each site with
a computer running Exchange Server. The current configuration has a separate domain
for each site and should have a domain controller and global catalog server for each site.

Answers for Module 1: Overview of Microsoft Exchange Server 2007 and the Active Directory Directory

Service

Q For scenario 2, what Active Directory changes should be made?

A No Active Directory changes are required, although consideration could be given to
migrating to a single domain.
Q For scenario 2, what Active Directory sites should be configured?
A A site should be configured for each physical location. Five Active Directory sites
should be created for Miami and the four other states.

Exercise: Explaining How Exchange Server 2007 and Active

Directory Work Together
Q For scenario 2, where should domain controllers and global catalog servers be
deployed?
A Domain controllers and global catalog servers should be implemented at each site with
a computer running Exchange Server. The current configuration has a separate domain
for each site and should have a domain controller and global catalog server for each site.
Q For scenario 3, what Active Directory changes should be made?
A No Active Directory changes are required.
Q For scenario 3, what Active Directory sites should be configured?
A A: A site should be configured for each physical location. Three Active Directory sites
should be created. The current slow logon problem is indicative of sites not being
configured.
Q For scenario 3, where should domain controllers and global catalog servers be
deployed?
A Domain controllers and global catalog servers should be implemented at each site with
a computer running Exchange Server. The domain controller at each site should also be
configured as a global catalog server.
Q When scaled out, why does routing become critical?
A In a small organization with a single site, routing is relatively unimportant because
communication among all of the servers is fast and reliable. In a larger organization,
with many physical sites, routing is important. When the large organizations physical
sites are poorly implemented, such as when site links are configured with incorrect
costs (causing inefficient routing), unnecessary network traffic is created that
overwhelms network links. In addition, incorrectly configured routing may result in
unreliable message delivery.

Answers for Module 1: Overview of Microsoft Exchange Server 2007 and the Active Directory Directory Service 7

Q Will your organization need to make changes to your Active Directory configuration
before deploying Exchange Server 2007?
A Answers will vary. However, in most cases, students will already have a well defined
Active Directory structure implemented. This structure will likely have been in place
for some time. The most common change would be to refine the sites and site links.