
Microsoft Exchange Server 2003 and Active Directory (70-284)

Revision no.: PPT/2K403/02

Lesson 1: Overview of Active Directory

Active Directory Forests and Domains

Active Directory Sites

Active Directory Schema

Organizational Units

Global Catalogs

Operation Masters

CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute

Active Directory Forests and Domains

The forest is the primary security boundary.

A forest contains domain trees, and a forest can have multiple trees.

The first domain created is the forest root domain.

Domains in Active Directory are represented by DNS names rather than NetBIOS names.

Regardless of the number of domain trees in a forest, there is centralized administration at the forest level with permissions to all domain trees.

Contd.

Each forest has an Enterprise Admins group as well as a Schema Admins group. Members of these groups have authority over all the domain trees in the forest.

Each domain has a Domain Admins group, and administrators in a parent domain automatically have administrative permissions to all child domains through automatic transitive trust relationships.

Active Directory Sites

It is important for computers and services to have a way of identifying Active Directory resources that are located on the same LAN versus resources that are on a different LAN separated by a WAN connection.

Sites contain Active Directory resources that are all connected by reliable, high-speed bandwidth, a minimum of 10 megabytes (MB).

Site membership is used in the logon process, as a computer attempts to locate a domain controller in its own site first; in replication; in accessing global catalogs; and in the Exchange Server 2003 messaging infrastructure.

Active Directory Schema

The schema is a definition of the types of objects that are allowed within a directory and the attributes that are associated with those objects.

These definitions must be consistent across domains in order for the security policies and access rights to function correctly.

There are two types of definitions within the schema:
Attributes
Classes

Contd.

Attributes are defined only once, and can then be applied to multiple classes as needed.

The object classes, or metadata, are used to define objects.

A class is simply a generic framework for objects. It is a collection of attributes, such as Logon Name and Home Directory for user accounts, or Description and Network Address for computer accounts.

Active Directory comes standard with a predefined set of attributes and classes that fit the needs of many network environments.

Organizational Units

OUs provide the ability to organize the network in a logical manner and to hide the physical structure of the network from end users.

Active Directory uses a special container known as an OU to organize objects within a domain for the purpose of administration.

OUs can be used to split a domain into administrative divisions that mirror the functional or physical separations within the company.

Contd.

An OU can contain user accounts, computers, printers, shared folders, applications, and any other object within the domain.

OUs can be used to separate administrative functions within a domain without granting administrative rights to the whole domain.

An OU is the smallest element to which you can assign administrative rights.

OUs can be used to delegate authority and control within a domain.
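To illustrate this delegation model, the following Python sketch is an added example (not part of the CMS courseware): it builds a domain with OUs that mirror company divisions, grants rights on individual OUs, and shows that a right delegated on one OU reaches only the objects below that OU. The domain, OU, group and right names are constructed, and inheritance of rights straight down the OU tree is the simplifying assumption the model makes.

```python
from dataclasses import dataclass, field

# Constructed, simplified model of delegation in an Active Directory domain
# (added example, not CMS courseware): rights granted on an OU are inherited
# by every object beneath it and never reach objects outside that subtree.

@dataclass
class OU:
    name: str
    children: dict = field(default_factory=dict)      # child OU name -> OU
    delegations: dict = field(default_factory=dict)   # group -> set of rights

    def child(self, name):
        """Return the named child OU, creating it if it does not exist yet."""
        return self.children.setdefault(name, OU(name))

def build_domain():
    """Constructed domain whose OUs mirror the company's divisions."""
    domain = OU("DC=example,DC=local")
    sales = domain.child("OU=Sales")
    sales.child("OU=Workstations")
    engineering = domain.child("OU=Engineering")
    engineering.child("OU=Servers")
    # Domain Admins hold full control at the top of the domain.
    domain.delegations["Domain Admins"] = {"full-control"}
    # The Sales helpdesk is delegated only password resets, and only on OU=Sales:
    # authority is granted without administrative rights to the whole domain.
    sales.delegations["Sales Helpdesk"] = {"reset-password"}
    return domain

def effective_rights(domain, path, group):
    """Rights `group` holds on an object stored under domain/path[0]/path[1]/...
    Walks from the domain root down to the object's OU, accumulating the
    rights delegated at each level (downward inheritance is the assumption)."""
    rights = set(domain.delegations.get(group, set()))
    node = domain
    for ou_name in path:
        node = node.children[ou_name]
        rights |= node.delegations.get(group, set())
    return rights

if __name__ == "__main__":
    d = build_domain()
    # Inside the delegated subtree the helpdesk can reset passwords...
    print(effective_rights(d, ["OU=Sales", "OU=Workstations"], "Sales Helpdesk"))
    # ...but on objects in another OU it holds no rights at all.
    print(effective_rights(d, ["OU=Engineering", "OU=Servers"], "Sales Helpdesk"))
```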

Global Catalogs

Domain controllers keep a complete copy of the Active Directory database for a domain, so that information about each object in the domain is readily available to users and services.

The global catalog stores partial replicas of the directories of other domains.

The catalog is stored on domain controllers that have been designated as global catalog servers.

These servers also maintain the normal database for their domain.

Function of the Global Catalog

The global catalog has two primary functions within Active Directory.

These functions relate to the logon capability and to queries within Active Directory.

Within a multi-domain environment that is running in Windows 2000 Native mode or at the Windows Server 2003 functional level, a global catalog is required for logging on to the network.

The global catalog provides universal group membership information for the user account that is attempting to log on to the network.

If the global catalog is not available during the logon attempt and the user account is external to the local domain, the user will only be allowed to log on to the local machine.

Contd.

The global catalog maintains a subset of the directory information available within every domain in the forest.

This allows queries to be handled by the nearest global catalog, saving time and bandwidth.

If more than one domain controller is a global catalog server, the response time for queries improves.

The disadvantage is that each additional global catalog server increases the amount of replication overhead within the network.

Global Catalog Servers

Active Directory automatically creates a global catalog on the first domain controller within a forest.

Each forest requires at least one global catalog.

In an environment with multiple sites, it is good practice to designate a domain controller in each site to function as a global catalog server.

While any domain controller can be configured as a global catalog server, a sense of balance is necessary when designating these servers.

As the number of global catalog servers increases, the response time to user inquiries decreases.

However, the replication requirements within the environment increase as the number of global catalog servers increases.

Operation Masters

Schema Master

Domain Naming Master

PDC Emulator

RID Master

Infrastructure Master

Lesson 2: Exchange Server 2003 Integration with Active Directory

Naming Contexts

Global Catalog Integration

Active Directory Group Integration

Naming Contexts

Domain

Configuration

Schema

Domain

The domain naming context is where all the domain objects for Exchange Server 2003 are stored.

Objects include recipient objects like users, groups, and contacts.

Exchange Server 2003 extends the attributes.

In Exchange Server 2003, mailboxes and Active Directory user accounts are not separate objects.

Configuration

The configuration naming context stores information about the physical structure of the Exchange organization, such as routing groups and connectors.

Active Directory replicates this data to all domain controllers in the forest, which marks the security boundary of an Exchange organization.

Schema

The schema naming context contains information about all of the object classes, and their attributes, that can be stored in Active Directory.

This data is replicated to all domain controllers in a forest.

During the deployment of Exchange Server 2003, the Active Directory schema is extended to include the classes and attributes specific to Exchange Server 2003.

Global Catalog Integration

Exchange Server 2003 uses two services to access the global catalog:
DSProxy
DSAccess

DSProxy

While Microsoft Outlook 2000 and 2003 clients can access a global catalog directly, other clients cannot. Exchange Server 2003 provides a proxy service called DSProxy to function as an intermediary between the client and the global catalog.

DSProxy works as a facilitator to allow Outlook clients to access information within Active Directory through the Name Service Provider Interface (NSPI).

The DSProxy service supports older Messaging Application Programming Interface (MAPI) clients by forwarding requests directly from the client to the global catalog server. DSProxy does not examine the request; instead, it blindly forwards the request and then returns the results. The process is transparent to the user.

DSAccess

Exchange Server 2003 shares global catalog functionality with other Active Directory services, so it is important to reduce the impact of Exchange Server 2003 queries.

DSAccess implements a directory access cache that stores recently accessed information for a configurable length of time.

This reduces the number of queries made to global catalog servers.

Increasing the cache and timeout period too much can cause problems with out-of-date data, while a cache that is too small and a short timeout period can cause performance problems as well.
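To make the timeout trade-off concrete, here is an added Python model (not part of the original courseware and not Exchange's own DSAccess code) of a directory access cache with a configurable timeout. It replays a constructed recipient-lookup workload in which one address changes part-way through, and counts global catalog queries, cache hits and stale answers for a given timeout; the `DirectoryCache` class, the recipients and the workload are all constructed for this illustration.

```python
from dataclasses import dataclass

# Constructed model of a directory access cache (added example, not Exchange
# code): an entry is reused for `ttl` seconds after it was fetched; any lookup
# outside that window goes back to the global catalog (GC).

@dataclass
class CacheStats:
    gc_queries: int = 0   # lookups that had to be answered by the GC
    hits: int = 0         # lookups answered from the cache
    stale: int = 0        # hits whose cached value the directory had already changed

class DirectoryCache:
    def __init__(self, ttl_seconds, directory):
        self.ttl = ttl_seconds
        self.directory = directory    # authoritative GC values (constructed dict)
        self.entries = {}             # key -> (value, time it was cached)
        self.stats = CacheStats()

    def lookup(self, key, now):
        entry = self.entries.get(key)
        if entry is not None and now - entry[1] < self.ttl:
            value = entry[0]
            self.stats.hits += 1
            if value != self.directory[key]:
                self.stats.stale += 1   # served an out-of-date attribute
            return value
        value = self.directory[key]     # miss or expired: query the GC
        self.stats.gc_queries += 1
        self.entries[key] = (value, now)
        return value

def simulate(ttl_seconds):
    """Replay a constructed workload: both recipients are looked up every 10 s
    for 10 minutes, and alice's address is changed in the directory at t=250 s."""
    directory = {"alice": "alice@example.local", "bob": "bob@example.local"}
    cache = DirectoryCache(ttl_seconds, directory)
    for t in range(0, 600, 10):
        if t == 250:
            directory["alice"] = "a.smith@example.local"
        cache.lookup("alice", t)
        cache.lookup("bob", t)
    return cache.stats

if __name__ == "__main__":
    # No cache: every lookup hits the GC. A short timeout cuts GC load sharply
    # while serving only a few stale answers; a very long one nearly eliminates
    # GC traffic but keeps serving the old address for the rest of the run.
    for ttl in (0, 60, 3600):
        print(f"ttl={ttl:>5}s  {simulate(ttl)}")
```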

Active Directory Group Integration

The use of security groups and distribution groups is another feature in which Exchange Server 2003 integrates with Active Directory.

Versions of Exchange Server prior to Exchange 2000 Server maintained their own distribution lists, which contained recipients that were members of the Exchange organization.

These distribution lists existed only within Exchange and were unrelated to the Windows user accounts database.

Exchange Server 2003 does not maintain its own distribution lists.

Active Directory security groups and distribution groups are extended to support e-mail addresses.

Lesson 3: Exchange Server 2003 and Windows Server 2003 Protocols and Services Integration

Exchange Server 2003 and IIS 6:
SMTP
NNTP
World Wide Web Service

SMTP

Unlike Exchange Server 5.5 and earlier versions, Exchange Server 2003 does not provide its own SMTP service. Windows 2000 Server and Windows Server 2003 include a core SMTP service with IIS 5 and IIS 6, respectively, and Exchange Server 2003 relies on this service to provide e-mail services. Exchange simply extends the built-in SMTP service to provide the necessary additional functionality.

Windows Server 2003 also includes a Post Office Protocol 3 (POP3) service, which is listed in the Windows Components Wizard as Email Services.

Exchange Server 2003 also adds native support for Real-Time Blacklists (RBLs) and improved antivirus support. Fighting spam and viruses is a time-consuming process for administrators, and the enhanced functionality eases the administrative burden.

NNTP

Exchange Server 2003 also relies on the built-in IIS NNTP service.

The NNTP service provides user access to newsgroups, either internally or on the Internet.

Access to newsgroups is made available through Exchange Server 2003 public folders, with security configured through the Exchange Server 2003 organization.

The NNTP service is also useful for sharing public folders between organizations.

Exchange Server 2003 does not modify or extend the IIS NNTP service, as it does the SMTP service.

World Wide Web Service

OWA integrates into IIS and doesn't even have to be installed on the same server as Exchange Server 2003.

Because of this integration, services can be installed almost anywhere within Active Directory, providing flexibility and a very scalable messaging solution.

OWA provides client access to an Exchange mailbox through a Web browser.

The HTTP protocol, which is part of the World Wide Web Service, is the transport used for OWA functionality.

Contd.

A new feature exclusive to Exchange Server 2003 running on Windows Server 2003 is the ability to use Outlook 2003 to connect to Exchange Server 2003 servers using the HTTP protocol.

This is known as RPC over HTTP.

In previous versions of Exchange Server and IIS, if a remote user needed to connect to a corporate Exchange server using the Outlook client rather than OWA, they would have to establish a virtual private network (VPN) connection first.

This was because the communication between the client and server took place only over remote procedure call (RPC).

Another requirement for client computers to use RPC over HTTP is that they must be running Windows XP Professional SP1 or later.

Designed & Published by:
CMS Institute, Design & Development Centre, CMS House, Plot No. 91, Street No. 7, MIDC, Marol, Andheri (E), Mumbai 400093, Tel: 91-22-28216511, 28329198
Email: courseware.inst@cmail.cms.co.in
www.cmsinstitute.co.in
