Module 2: Analyzing Active Directory for Exchange 2000

Contents
Overview 1
Reviewing Active Directory Basics 2
Examining How Exchange 2000 Uses Active Directory 8
Examining How Exchange 2000 Works with DSAccess 20
Designing Active Directory Groups for an Exchange 2000 Organization 28
Discussion: Planning Group Types and Scopes 40
Lab A: Active Directory Design Considerations 43
Lab B: Creating a UPN Suffix 50
Lab C: Modifying the Default Recipient Policy 55
Lab D: Creating Groups for Northwind Traders 58
Lab Discussion 62

Module 2: Analyzing Active Directory for Exchange 2000

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2001 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, BackOffice, FrontPage, NetMeeting, Outlook, PowerPoint, SQL Server, Visio, Visual Studio, Win32, Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective owners.


Module 2: Analyzing Active Directory for Exchange 2000 iii

Instructor Notes
This module provides students with the knowledge required to analyze the Microsoft® Windows® 2000 Active Directory directory service environment for factors that influence the Microsoft Exchange 2000 organization.
After completing this module, students will be able to:
- Explain how Active Directory works.
- Evaluate how Exchange 2000 uses Active Directory.
- Explain how Exchange 2000 works with DSAccess.
- Design Active Directory groups for an Exchange 2000 organization.

Materials and Preparation
This section provides the materials and preparation tasks that you need to teach this module.
Presentation: 90 Minutes
Lab: 75 Minutes
Required Materials
To teach this module, you need:
- The Microsoft PowerPoint® file 1573A_02.ppt.
- The Active Directory Groups job aid.
- The Northwind Traders Case Study.
- The Fourth Coffee Case Study.
Preparation Tasks
To prepare for this module, you should:
- Read all of the materials for this module.
- Complete the labs.
- Review the Northwind Traders Case Study.
- Read the Fourth Coffee Case Study.
- Review the Active Directory Groups job aid.
- Review the scenarios associated with the class discussions and prepare questions to supplement the questions provided.
Note: The job aids are in the Exchange 2000 Design Tool located at C:\MOC\1573A\LabFiles\Exchange_2000_Design_Tool, and on the student compact disc. The case studies are in the Appendices and on the student compact disc.

Module Strategy
Use the following strategy to present this module:
- Reviewing Active Directory Basics
  This topic provides a review of fundamental concepts in Active Directory. Begin by discussing the role of Active Directory in an enterprise environment. Continue by discussing the Active Directory schema, domains, the global catalog, and the site topology of Active Directory.
- Examining How Exchange 2000 Uses Active Directory
  This topic outlines the components in Active Directory that affect Exchange 2000. Begin by discussing the Active Directory forest environment; explain the design issues associated with a multiple forest structure. Emphasize the importance of preparing the forest by using the /forestprep switch. Next, explain how domain controllers affect Exchange 2000. Emphasize the importance of preparing the domain by using the /domainprep switch. Next, describe each type of partition in which Active Directory stores Exchange 2000 data, explain how Exchange 2000 data affects the Active Directory database, and then complete this topic by explaining user principal names.
- Examining How Exchange 2000 Works with DSAccess
  This topic outlines how Exchange 2000 works with DSAccess. Begin by defining DSAccess, and then explain how Exchange 2000 uses DSAccess to gain access to Active Directory domain controllers and global catalogs. Continue by discussing how Exchange 2000 detects and defines domain controllers and global catalogs. Finally, explain the DSProxy process and the client referral process.
- Designing Active Directory Groups for an Exchange 2000 Organization
  This topic outlines the design considerations associated with each type of Active Directory group. Begin by reviewing the three scopes of groups available, as well as the two types. Make sure students understand the differences between universal groups, global groups, and domain local groups. Discuss universal groups, including when to use them and the design implications associated with using them. Emphasize that universal groups are the preferred group type for an Exchange 2000 organization. Continue by discussing domain local groups and global groups, including when to use them, and the associated design issues. Next, discuss how to use Active Directory groups with Exchange 2000. Finally, facilitate a classroom discussion focusing on the three scenarios provided at the end of the module.


Customization Information
This section identifies the lab setup requirements for a module and the configuration changes that occur on the student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.
Lab Setup
The following list describes the setup requirements for the labs in this module.
- For each student, a Microsoft Management Console (MMC) custom console must be created. This custom console must include both the Active Directory Users and Computers snap-in and the Exchange System snap-in, and must be named your_firstname Console.
- For each student, a personalized user account must be created in the appropriate domain. This user account must be added to the Domain Admins group, and assigned a mailbox on the server running Exchange 2000 that the student is using.
- For each student, a user profile must be created on the student’s computer that enables the student to access their mailbox by using Microsoft Outlook® 2000.
Lab Results
Performing the labs in this module introduces the following configuration changes:
- One additional user principal name (UPN) suffix is created for the entire Windows 2000 forest. The UPN suffix that is used will vary as the students determine the suffix they want to use.
- The personalized user account for each student is modified so that their UPN suffix matches the suffix that was created during this lab.
- For each student, a new account is created to verify that the new UPN suffix appears.
- The default recipient policy for the Exchange 2000 organization is modified by the creation of an additional Simple Mail Transfer Protocol (SMTP) address. The new SMTP address is given the format of %g.%i.% The new SMTP address is set as the primary address.
- A universal security group called Helpdesk is created for each domain. This group is named your_domain Helpdesk. This group is mail-enabled.
- A universal security group called IT Group is created for each domain. This group is named your_domain IT Group. This group is mail-enabled.
- A universal security group called HR is created for each domain. This group is named your_domain HR Personnel. This group is mail-enabled.
- For each student, a universal security group is created for the executive mailboxes located on each server. This group is named your_servername Executives. Each student adds their personal account to their local executives group. This group is mail-enabled.
- For each student, the your_servername Executives group is added to the All Executives group.


Overview
Topic Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about the Active Directory components that Exchange 2000 depends on for directory services, and how these components can affect the design plan for an Exchange 2000 organization.
[Slide: Reviewing Active Directory Basics; Examining How Exchange 2000 Uses Active Directory; Examining How Exchange 2000 Works with DSAccess; Designing Active Directory Groups for an Exchange 2000 Organization]
Microsoft® Exchange 2000 depends on the Microsoft Active Directory directory service. Directory services provide three functions: they store information about network resources; they make these resources available to users and applications; and they provide a consistent way to name, describe, locate, access, manage, and secure resources.
Evaluating how Exchange 2000 uses Active Directory enables you to design your Exchange 2000 organization more effectively. Exchange 2000 uses Active Directory forests and domains to store and replicate data throughout the Exchange 2000 organization. In addition, portions of Exchange data reside on various Active Directory partitions.
Architects who are designing an Exchange 2000 organization for the enterprise must understand both how Exchange 2000 uses Active Directory and the effects of the Active Directory design on the Exchange 2000 environment. Architects also need to understand how Exchange 2000 uses DSAccess and how to use Active Directory groups most effectively in an Exchange 2000 organization.
After completing this module, you will be able to:
- Explain how Active Directory works.
- Explain how Exchange 2000 uses Active Directory.
- Explain how Exchange 2000 works with DSAccess.
- Design Active Directory groups for an Exchange 2000 organization.

Reviewing Active Directory Basics
Topic Objective: To outline the topics covered in this review of Active Directory.
Lead-in: Understanding how Active Directory works requires understanding both its architectural elements and its role in an enterprise.
For Your Information: This section provides a review of Active Directory fundamentals. If your student group has met the prerequisites for this course, it may not be necessary to cover this section.
[Slide: Role of Active Directory in an Enterprise; Active Directory Schema; Domains; Global Catalog; Site Topology]
Understanding how Active Directory works requires understanding both its architectural elements and its role in an enterprise. Key architectural elements include the schema, domains, the global catalog, and Active Directory sites.

Role of Active Directory in an Enterprise
Topic Objective: To explain the role of Active Directory in an enterprise environment.
Lead-in: Administrators use Active Directory to define, arrange, and manage objects so that those objects are available to users and applications throughout the company.
[Slide: Domains and OUs form hierarchical structures; multiple domains can form trees and forests. Diagram: a forest containing trees of domains, each domain containing OUs and objects.]
In Windows 2000, Active Directory is a network directory service. Administrators use Active Directory to define, arrange, and manage objects so that those objects are available to users and applications throughout the company. In Active Directory, objects are logically organized into a hierarchical structure. The objects that create the overall structural hierarchy in Active Directory are:
- Domains. This is the core unit of Active Directory. A domain is a container of objects that share security requirements, replication processes, and administration. Active Directory uses a multi-master replication model in which all domain controllers are equal.
- Organizational units (OUs). An OU is a container object that is used to organize the objects within a domain into groups for administrative purposes. Within a domain, OUs form a hierarchical structure based on the organization's administrative model.
Multiple domains within a single Active Directory can create additional structures in the form of:
- Trees. A tree is a hierarchical arrangement of one or more domains that share a common root domain name. Domains within a tree share information through automatic trust relationships.
- Forests. A forest is a collection of one or more trees. Multiple trees within a forest do not share a common root domain name, but they do share information through automatic trust relationships. Multiple forests can share information only through explicit trust relationships.

Active Directory Schema
Topic Objective: To describe the Active Directory schema.
Lead-in: The Active Directory schema contains the definitions of all objects that are stored in Active Directory.
[Slide: Object class examples: Printers, Computers, Users. Attributes of Users might contain: accountExpires, department, distinguishedName, middleName. Attribute examples (list of attributes): accountExpires, department, distinguishedName, directReports, dNSHostName, operatingSystem, repsFrom, repsTo, middleName. The Active Directory schema is dynamically available, dynamically updateable, and protected by DACLs.]
The Active Directory schema contains the definitions of all objects—such as computers, users, and printers—that are stored in Active Directory. In Windows 2000, there is only one schema for an entire forest, which means that all objects created in Active Directory must conform to the same set of rules.
Object Classes and Attributes
The two types of definitions in the schema are object classes and attributes. Object classes describe the possible directory objects that can be created. Each object class is a collection of attributes. Attributes are defined separately from object classes. Each attribute is defined only once and can be used in multiple object classes. For example, the Description attribute is used in many object classes, but to ensure consistency, it is defined only once in the schema.
Storing the Schema
The Active Directory database stores the schema. This means that the schema:
- Is dynamically available to user applications. User applications can read the schema to discover which objects and properties are available for use.
- Is dynamically updateable, which enables an application to extend the schema with new attributes and object classes, and then to use these schema extensions immediately.
- Can use discretionary access control lists (DACLs) to protect all object classes and attributes. The use of DACLs prevents unauthorized users from making schema changes.

Domains
Topic Objective: To describe Active Directory domains.
Lead-in: The core unit of the logical structure in Active Directory is the domain.
[Slide: A domain is a security boundary: a domain administrator can administer only within the domain, unless explicitly granted administration rights in other domains. A domain is a unit of replication: domain controllers in a domain participate in replication and contain a complete copy of the directory information for their domain. Diagram: two Windows 2000 domains, each containing User1 and User2, with replication between domain controllers.]
The core unit of the logical structure in Active Directory is the domain. A domain is a collection of computers, defined by an administrator, that share a common directory database. Each domain has a unique name and provides access to the centralized user accounts and group accounts maintained by the domain administrator.
Security Boundary
In a Windows 2000 network, the domain serves as a security boundary. The purpose of a security boundary is to ensure that an administrator of a domain has the necessary permissions and rights to perform administration only within that domain, unless the administrator is explicitly granted these rights in another domain too. Every domain has its own security policies and security relationships with other domains.
Unit of Replication
Domains are also units of replication. In each domain, computers called domain controllers contain a replica of the Active Directory data for that domain. All of the domain controllers in each domain can receive changes to information in Active Directory, and they can replicate these changes to all of the other domain controllers in that domain.

Global Catalog
Topic Objective: To describe the Active Directory global catalog.
Lead-in: The global catalog stores information that contains a subset of the attributes of all objects in Active Directory.
[Slide: A global catalog server holds a subset of the attributes of all objects from every domain; it answers queries and supplies group membership when a user logs on.]
The global catalog is a repository of information that contains a subset of the attributes of all objects in Active Directory. By default, the attributes that are stored in the global catalog are those that are most frequently used in queries, such as a user’s first name, last name, and logon name. The global catalog contains the information that is necessary to determine the location of any object in the directory.
The global catalog enables users to:
- Find Active Directory information at any location in the forest, regardless of the location of the data.
- Use universal group membership information to log on to the network.
A global catalog server is a domain controller that stores copies of all queries and processes the queries to the global catalog. The first domain controller that you create in Active Directory automatically becomes the global catalog server. To balance the traffic from logon authentication and queries, you can configure additional global catalog servers.
The global catalog makes the directory structure within a forest transparent to users who perform a search. For example, if you search for all of the printers in a forest, a global catalog server processes the query in the global catalog and then returns the results. Without a global catalog server, this query would require a search of every domain in the forest.
The global catalog also contains the access permissions for each object and attribute that is stored in the global catalog. If you are searching for an object and you do not have the appropriate permissions to view that object, you will not see the object in the list of search results. This ensures that users are able to find only the objects to which they have been assigned access.

Site Topology
Topic Objective: To review the site topology of Active Directory.
Lead-in: Active Directory uses sites to define the physical structure of the network.
[Slide: Sites optimize replication traffic and enable users to log on to a domain controller by using a reliable, high-speed connection. Diagram: sites in Los Angeles, Seattle, Chicago, and New York, each defined by IP subnets.]
Active Directory uses sites to define the physical structure of the network. A site, based on Internet Protocol (IP) subnets, is a collection of reliably connected machines. Collectively, all of the sites in an Active Directory forest form a site topology. Because sites represent only the physical structure of your network, they do not need to map to the logical structure of Active Directory.
The frequent exchange of large amounts of data and directory information between remote locations can result in excessive network traffic. An effective site topology optimizes the transfer of data and directory information, which reduces network overhead.

Examining How Exchange 2000 Uses Active Directory
Topic Objective: To introduce the Active Directory components that architects must consider when designing an Exchange 2000 organization.
Lead-in: Various portions of Exchange 2000 reside on various Active Directory partitions.
Key Points: Because of the integration of Exchange 2000 with Active Directory, it is very important that the architect who is designing the Exchange 2000 organization communicates with the architect who is responsible for Active Directory design.
[Slide: Active Directory Forests; Preparing the Forest by Using /forestprep; Active Directory Domains; Preparing the Domain by Using /domainprep; Storing Exchange 2000 Data; Sizing the Active Directory Database; User Principal Names]
Understanding how Exchange 2000 uses Active Directory enables you to design your Exchange 2000 organization more effectively. In addition to understanding how Exchange 2000 uses Active Directory forests and domains, you must also understand the importance of preparing the forest and domain for Exchange 2000, as well as how and where Active Directory stores Exchange 2000 data, how Exchange 2000 affects the size of the Active Directory database, and how to design user principal names for use with Exchange 2000.
Because of the integration of Exchange 2000 with Active Directory, it is very important that the architect who is designing the Exchange 2000 organization communicates with the architect who is responsible for Active Directory design.

Active Directory Forests
Topic Objective: To discuss the design considerations introduced by the Active Directory forest structure.
Lead-in: Exchange 2000 uses the Active Directory forest structure to store all Exchange 2000 system information.
Key Points: The Active Directory forest determines the boundaries of the Exchange 2000 organization. It is not possible to have more than one Exchange 2000 organization running within the same Active Directory forest.
[Slide: One forest (nwtraders.msft with the child domains namerica.nwtraders.msft and samerica.nwtraders.msft) hosts a single Exchange 2000 organization, Northwind Traders. Multiple forests (contoso.msft and nwtraders.msft) each host their own Exchange 2000 organization.]
Exchange 2000 uses the Active Directory forest structure to store all Exchange 2000 system information. Each Exchange 2000 object is represented in the Active Directory global catalog and, as a result, is replicated throughout the forest when the global catalog changes. The Active Directory forest determines the boundaries of the Exchange 2000 organization. It is not possible to have more than one Exchange 2000 organization running within the same Active Directory forest.
Implementing Exchange 2000 with Active Directory
There are two ways to implement Exchange 2000 by using Active Directory:
- In a single forest, configured with transitive trust relationships between all domains. A single forest is the preferred environment for an Exchange 2000 organization. A single forest includes only one schema, one configuration, and one global catalog.
- In a multiple forest structure, establishing coexistence between multiple Active Directory forests and Exchange 2000 organizations.

Multiple Forest Design Considerations
Key Points: There is no automatic Active Directory replication between multiple forests. It is not possible to configure routing group connectors between separate Exchange 2000 organizations, which means that no link state information can be transferred between separate Exchange 2000 organizations.
Key Points: You must synchronize the address lists belonging to each forest. Although you can synchronize multiple forests, the users in each forest will only be able to see the users in the other forests as mail-enabled contacts. You cannot replicate calendar information between forests.
When you are designing an Exchange 2000 organization for an environment in which a multiple forest structure exists:
- You must create an Exchange 2000 organization for each forest because:
  - There is no automatic Active Directory replication between multiple forests. Because each forest has its own separate global address list, neither the servers running Exchange 2000 nor the users in one forest are aware of the servers running Exchange 2000 and the users in any other forest unless you configure coexistence.
  - It is not possible to configure routing group connectors between Exchange 2000 organizations. Each Exchange 2000 organization functions as a separate messaging entity, which means you must use Simple Mail Transfer Protocol (SMTP) or X.400 connectors instead. This means that no link state information can be transferred between separate Exchange 2000 organizations, because routing group connectors cannot connect separate Exchange 2000 organizations. As a result, if a server in one Exchange 2000 organization is not working, the notification that the server is not working will not be propagated across organizations, and messages sent between these organizations may be transferred back and forth between Exchange 2000 organizations without ever being delivered.
- It is not possible to include all servers running Exchange 2000 in the same administrative group or in the same routing group.
- You must synchronize the address lists that belong to each forest. Although it is possible to synchronize multiple forests, users in each forest will only be able to see the users in the other forests as mail-enabled contacts.
- It is not possible to replicate calendar information between forests. This means that if a user in one forest is attempting to schedule a meeting with a user in another forest, the first user will not be able to view calendar information for the second user.

Preparing the Forest by Using /forestprep
Topic Objective: To discuss how to prepare the forest by using the /forestprep switch.
Lead-in: During the installation process, you must extend the Active Directory schema by using the /forestprep switch.
Key Points: Exchange 2000 extends the Active Directory schema to accommodate the attributes and objects that are specific to Exchange 2000.
[Slide diagram: Setup /forestprep modifies the Windows 2000 schema and configuration partitions of the forest; the first server in the forest is installed afterwards.]
Active Directory contains both a schema partition and a configuration partition. These two partitions exist on every domain controller running Windows 2000 in the forest.
The Exchange 2000 directory requires more classes and attributes than Active Directory provides. Therefore, administrators installing Exchange 2000 must extend the Active Directory schema during the installation process by using the /forestprep switch. Extending the schema enables Active Directory to accommodate all of the classes and attributes that are specific to Exchange 2000.
How /forestprep Works
The command-line setup switch /forestprep prepares the Active Directory forest for Exchange 2000 by making several modifications to the Active Directory schema and configuration without installing Exchange 2000. The /forestprep switch enables you to select the first Exchange 2000 administrator (user or group), and then grants that user or group permissions for the Exchange 2000 organization. You must run Setup with the /forestprep switch in the domain where the Active Directory schema master is located. The schema master is, by default, located in the root domain of the Active Directory forest.

The /forestprep switch offers two main advantages for administrators who are implementing Active Directory and Exchange 2000:
- By running Exchange 2000 Setup with /forestprep early in Active Directory deployment, the changes made by /forestprep can be deployed along with Active Directory.
- Changes made to the Active Directory schema and configuration partition must be made by an administrator who is a member of the Enterprise Admins and Schema Admins groups. This is usually a very small number of administrators in the Windows 2000 organization, and usually does not include any Exchange 2000 implementers. Using the /forestprep switch enables an Active Directory administrator to prepare the Active Directory forest without installing Exchange 2000.
Design Considerations
Consider the following design issues associated with preparing the forest:
- After you decide to install Exchange 2000, work with the Active Directory team to run /forestprep. You will only need to prepare the forest once. It is recommended that you run Exchange 2000 Setup on the Active Directory schema master so that schema updates can be made locally.
- Instead of assigning Exchange 2000 administrator permissions to one person, consider creating a dedicated group and assigning permissions to this group. This solution reduces management overhead, because you only have to assign this role once, and because you can add and remove users from this group whenever you need to.
- Ensure that everyone on the planning team has agreed to the name of your Exchange 2000 organization. After you run /forestprep, you will not be able to change the name of the Exchange 2000 organization.
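As an added example (not from the courseware and not part of Microsoft's Setup), the following PowerShell pre-flight check tests the /forestprep prerequisites described above before anyone runs Setup: membership in Enterprise Admins and Schema Admins, running in the domain that holds the schema master (ideally on the schema master itself), and preparing the forest only once. It assumes the RSAT ActiveDirectory module on a domain-joined machine and uses the Exchange schema marker object ms-Exch-Schema-Version-Pt, which this page does not mention, to detect a forest that has already been prepared.

```powershell
# Added example, not part of the courseware: pre-flight check for "Setup /forestprep".
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

function Test-ForestPrepReadiness {
    $forest       = Get-ADForest
    $rootDomain   = $forest.RootDomain
    $schemaMaster = $forest.SchemaMaster                       # FQDN of the schema master DC
    $masterDomain = (Get-ADDomainController -Identity $schemaMaster).Domain
    $localDomain  = (Get-ADDomain).DNSRoot                     # domain of this session

    # 1. Group membership. Enterprise Admins (RID 519) and Schema Admins (RID 518)
    #    live in the forest root domain, so build their SIDs from the root domain
    #    SID and compare against the SIDs in the current logon token. The token
    #    reflects group membership at logon time; re-log on after being added.
    $rootSid   = (Get-ADDomain -Identity $rootDomain).DomainSID.Value
    $tokenSids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
                 ForEach-Object { $_.Value }
    $isEnterpriseAdmin = $tokenSids -contains "${rootSid}-519"
    $isSchemaAdmin     = $tokenSids -contains "${rootSid}-518"

    # 2. Setup /forestprep must be run in the domain that holds the schema master;
    #    running it on the schema master itself keeps the schema writes local.
    $inSchemaMasterDomain = ($localDomain -eq $masterDomain)
    $onSchemaMaster       = ($schemaMaster -like "$env:COMPUTERNAME.*")

    # 3. The forest only needs to be prepared once. The marker object
    #    ms-Exch-Schema-Version-Pt (assumption: not mentioned on this page) is
    #    present only after the Exchange schema extensions have been applied.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $marker   = Get-ADObject -Filter "name -eq 'ms-Exch-Schema-Version-Pt'" `
                             -SearchBase $schemaNC -Properties rangeUpper
    $alreadyPrepared = [bool]$marker
    $schemaVersion   = $(if ($marker) { $marker.rangeUpper } else { $null })

    $ready = $isEnterpriseAdmin -and $isSchemaAdmin -and
             $inSchemaMasterDomain -and (-not $alreadyPrepared)

    [pscustomobject]@{
        RootDomain            = $rootDomain
        SchemaMaster          = $schemaMaster
        CurrentDomain         = $localDomain
        IsEnterpriseAdmin     = $isEnterpriseAdmin
        IsSchemaAdmin         = $isSchemaAdmin
        InSchemaMasterDomain  = $inSchemaMasterDomain
        OnSchemaMaster        = $onSchemaMaster
        AlreadyPrepared       = $alreadyPrepared
        ExchangeSchemaVersion = $schemaVersion
        ReadyToRun            = $ready
    }
}

$result = Test-ForestPrepReadiness
$result | Format-List
if (-not $result.ReadyToRun) {
    Write-Warning "Resolve the failed checks above before running Setup /forestprep."
}
```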


Active Directory Domains
User management and migration
Universal security groups
Global catalog services
Active Directory group memberships
Physical topology
Ways in which the design of the Active Directory
domain influences how you design your
Exchange 2000 organization
Ways in which the design of the Active Directory
Ways in which the design of the Active Directory
domain influences how you design your
domain influences how you design your
Exchange 2000 organization
Exchange 2000 organization


In Active Directory, the domain boundaries define the namespace. Each domain
must have one or more domain controllers.
The design of the Active Directory domain influences how you design your
Exchange 2000 organization in the following ways:
- User management and migration. The process of moving users from one
domain to another domain is not as transparent to the user as the process of
moving users from one server to another server within the same domain.
- Universal security groups. Running domains in native mode not only
provides the operating system with additional scalability, it also simplifies
Exchange 2000 administration by making it possible to create and use
universal security groups. Universal security groups can span multiple
domains.
- Global catalog services. You must make sure that you have adequate global
catalog services available to Active Directory sites that contain servers
running Exchange 2000. Plan to place a global catalog server in each
Windows 2000 site that contains servers running Exchange 2000, Windows 2000
users, or both.
- Active Directory group membership. Group membership affects logon
performance for users. When a user attempts to log on to Active Directory,
the authenticating domain controller retrieves the group membership
information for the user that is logging on from a global catalog server.
- Physical topology. The location of the global catalog servers in the Active
Directory topology influences how efficiently Exchange 2000 can perform
directory lookups.

Topic Objective: To explain how Active Directory domains influence the design
of an Exchange 2000 organization.
Lead-in: There are several ways in which Active Directory domains influence how
you design your Exchange 2000 organization.

Preparing the Domain by Using /domainprep

[Slide diagram. Labels: Setup /forestprep, Windows 2000 Domain Controller,
Install, Create, Forest, Schema, Config, Group, User, Exchange 2000.]
You can prepare the Active Directory domain for Exchange 2000 by using the
/domainprep command-line setup switch. The /domainprep switch makes
several changes to the domain in order to prepare the domain for
Exchange 2000, but it does not install Exchange 2000. The user who runs Setup
with the /domainprep switch must be a member of the Domain Admins group
for that domain.
How /domainprep Works
The /domainprep switch:
- Creates an Exchange Domain Servers global group that will contain all
computers running Exchange 2000 in the domain.
- Creates an Exchange Enterprise Servers domain local group that will
contain all computers running Exchange 2000 in the company.
- Grants these two groups appropriate permissions to various containers in the
domain.
- Creates a user account named EUSER_EXSTOREEVENT to be used with
the script event host. This user account has minimal permissions, fewer than
the Guest account, so it cannot access anything in the store, the file system,
or the directory.


Important: Do not move the Exchange Enterprise Servers group or the
Exchange Domain Servers group to a different Exchange 2000 organization.
Doing so will cause the server running Exchange 2000 in the local domain to
fail.
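As a check after running Setup /domainprep, the following Python script, an added example that is not part of this course or of Exchange 2000, reads a constructed LDIF-style export of the domain (the kind of listing ldifde or ADSI Edit can produce) and confirms that the two groups and the EUSER_EXSTOREEVENT account exist with the expected object class and, for the groups, the expected scope decoded from the Active Directory groupType bitmask. The CN=Users container in the sample is an assumption; the module does not say where the objects are created.

```python
"""Verify the objects that Setup /domainprep creates in a domain.

Added example for this module; it is not part of the course material or of
Exchange 2000. The export below is constructed; the CN=Users location is an
assumption, not something the module states.
"""

# groupType flag bits used by Active Directory.
GT_GLOBAL = 0x00000002
GT_DOMAIN_LOCAL = 0x00000004
GT_UNIVERSAL = 0x00000008
GT_SECURITY = 0x80000000

# Constructed export. ADSI Edit and ldifde show groupType as a signed 32-bit
# integer, so a global security group appears as -2147483646 (0x80000002)
# and a domain local security group as -2147483644 (0x80000004).
SAMPLE_EXPORT = """\
dn: CN=Exchange Domain Servers,CN=Users,DC=nwtraders,DC=msft
objectClass: group
sAMAccountName: Exchange Domain Servers
groupType: -2147483646

dn: CN=Exchange Enterprise Servers,CN=Users,DC=nwtraders,DC=msft
objectClass: group
sAMAccountName: Exchange Enterprise Servers
groupType: -2147483644

dn: CN=EUSER_EXSTOREEVENT,CN=Users,DC=nwtraders,DC=msft
objectClass: user
sAMAccountName: EUSER_EXSTOREEVENT
"""


def parse_ldif(text):
    """Parse a minimal LDIF export into a list of {attribute: value} dicts.
    Handles single-valued, unencoded attributes only, which is all this
    check needs; attribute names are lower-cased for lookup."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(':')
        current[attr.strip().lower()] = value.strip()
    if current:
        entries.append(current)
    return entries


def group_scope(group_type):
    """Decode a groupType value into (scope, security_enabled).
    Accepts the signed form that the AD tools display."""
    bits = int(group_type) & 0xFFFFFFFF
    if bits & GT_GLOBAL:
        scope = 'global'
    elif bits & GT_DOMAIN_LOCAL:
        scope = 'domain local'
    elif bits & GT_UNIVERSAL:
        scope = 'universal'
    else:
        raise ValueError('unknown groupType %r' % group_type)
    return scope, bool(bits & GT_SECURITY)


# What /domainprep is expected to leave behind, per the module text.
EXPECTED = {
    'exchange domain servers': ('group', 'global'),
    'exchange enterprise servers': ('group', 'domain local'),
    'euser_exstoreevent': ('user', None),
}


def check_domainprep(ldif_text):
    """Return {name: 'ok' or a problem description} for each expected object."""
    found = {e['samaccountname'].lower(): e for e in parse_ldif(ldif_text)
             if 'samaccountname' in e}
    results = {}
    for name, (cls, scope) in EXPECTED.items():
        entry = found.get(name)
        if entry is None:
            results[name] = 'missing'
            continue
        if entry.get('objectclass', '').lower() != cls:
            results[name] = 'wrong objectClass %s' % entry.get('objectclass')
            continue
        if scope is not None:
            actual, secure = group_scope(entry['grouptype'])
            if actual != scope or not secure:
                results[name] = 'expected %s security group, found %s%s' % (
                    scope, actual, '' if secure else ' (distribution)')
                continue
        results[name] = 'ok'
    return results


if __name__ == '__main__':
    for name, status in check_domainprep(SAMPLE_EXPORT).items():
        print('%-28s %s' % (name, status))
```

Run it against a real export by replacing SAMPLE_EXPORT with the text of a dump taken in the prepared domain; a group reported as "distribution" or with the wrong scope means the permissions /domainprep grants to that group will not apply as intended.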


Topic Objective: To discuss how to prepare the domain by using the
/domainprep switch.
Lead-in: The /domainprep switch makes several changes to the domain in order to
prepare the domain for Exchange 2000 installation.

Planning Considerations
When preparing the domain for an Exchange 2000 organization, plan to:
- Run /domainprep in any domain that will host a server running
Exchange 2000.
- Run /domainprep in any domain that will host users that have Exchange
mailboxes.


Storing Exchange 2000 Data

[Slide diagram. Domain Partition: Users, Groups, Computers. Configuration
Partition: Exchange Configuration, Sites, Replication Topology. Schema
Partition: CN=Schema, CN=Configuration, DC=nwtraders, DC=msft.]


Active Directory stores data for Exchange 2000 in partitions, which are also
referred to as naming contexts. Active Directory uses naming contexts to define
the boundaries for information that is stored within the database. The
information that is stored in Active Directory on every domain controller in the
forest is partitioned into three categories: domain, configuration, and schema.
All Active Directory partitions are stored on domain controllers. You will be
able to design your Exchange 2000 organization more effectively if you
understand where Active Directory stores each type of information.
Domain Partition
The Active Directory domain partition contains all of the objects (such as users,
groups, contacts, and computers) in the directory for the domain.
Exchange recipients are Active Directory objects that have been included in the
Exchange 2000 organization. Active Directory users, groups, and contacts can
all be Exchange 2000 recipients.
Windows 2000 replicates domain configuration data in each domain to every
domain controller in that domain, but not beyond that domain.
Configuration Partition
The Active Directory configuration partition contains the Exchange 2000
organization configuration. The configuration partition defines the topology,
connectors, protocols, and service settings of the Exchange 2000 organization.
Because Active Directory replicates the configuration partition across all
domains in the forest, the configuration of the Exchange 2000 organization is
replicated throughout the forest.
Topic Objective: To identify the Active Directory partitions where
Exchange 2000 data is stored.
Lead-in: Active Directory stores data for Exchange 2000 on three types of
partitions.

Schema Partition
The Active Directory schema partition contains all object types that can be
created in Active Directory, as well as all attributes of such objects. This data is
common to all domains in the forest, and is replicated by Active Directory to all
domain controllers throughout the forest.
During the installation of the first computer running Exchange 2000 in the
Active Directory forest, the Active Directory schema is extended with new
attributes for Exchange 2000, whose names start with ms-Exch. The schema is
extended by using LDAP Directory Interchange Format (LDIF) files. You can
examine which attributes have been added to Active Directory by viewing the
LDIF files on the Exchange 2000 compact disc.

Note: Installing the first computer running Exchange 2000 only extends the
Active Directory schema if you have not already run /forestprep. You can view
the Active Directory partitions by using Active Directory Service Interface
(ADSI) Edit, which is included in the Windows 2000 Support Tools.
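The three partitions described above determine how far an Exchange 2000 change travels: a schema or configuration change reaches every domain controller in the forest, while a recipient change stays within its own domain. The following Python script, an added example that is not part of this course or of Exchange 2000, parses a distinguished name the way ADSI Edit displays it and reports which partition the object lives in and therefore how widely it replicates. The sample DNs are constructed for the module's nwtraders.msft forest; CN=ms-Exch-Sample-Attribute is a made-up attribute name, and the OU named Configuration is included to show that only the CN=Configuration container directly under the forest root is the configuration partition.

```python
"""Classify Active Directory distinguished names by partition (naming context).

Added example for this module; it is not part of the course material or of
Exchange 2000. It assumes the three Windows 2000 partitions the module
describes (domain, configuration, schema). The sample DNs are constructed.
"""
import re

# Split a DN on commas that are not escaped with a backslash.
_RDN_SPLIT = re.compile(r'(?<!\\),')


def parse_dn(dn):
    """Return the DN as a list of (attribute, value) pairs, leaf first."""
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, sep, value = rdn.strip().partition('=')
        if not sep or not attr.strip():
            raise ValueError('malformed RDN %r in %r' % (rdn, dn))
        rdns.append((attr.strip().lower(), value.replace('\\,', ',')))
    return rdns


def classify(dn):
    """Return (partition, replication scope) for an object's DN.

    Rules follow the module text:
      schema         CN=Schema,CN=Configuration,<forest root>  every DC in the forest
      configuration  CN=Configuration,<forest root>            every DC in the forest
      domain         any other object under a DC=... root      DCs of that domain only
    """
    rdns = parse_dn(dn)
    dcs = [v for a, v in rdns if a == 'dc']
    if not dcs:
        raise ValueError('DN has no DC components: %r' % dn)
    # Container chain from the naming-context root downward, DC parts removed.
    chain = [(a, v.lower()) for a, v in reversed(rdns) if a != 'dc']
    if chain[:2] == [('cn', 'configuration'), ('cn', 'schema')]:
        return ('schema', 'forest')
    if chain[:1] == [('cn', 'configuration')]:
        return ('configuration', 'forest')
    return ('domain', '.'.join(dcs))


def replication_report(dns):
    """Group DNs by partition so you can see which changes leave the domain."""
    report = {'schema': [], 'configuration': [], 'domain': []}
    for dn in dns:
        partition, _ = classify(dn)
        report[partition].append(dn)
    return report


# Constructed sample DNs for the nwtraders.msft forest.
SAMPLE_DNS = [
    'CN=Schema,CN=Configuration,DC=nwtraders,DC=msft',
    'CN=ms-Exch-Sample-Attribute,CN=Schema,CN=Configuration,DC=nwtraders,DC=msft',
    'CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=nwtraders,DC=msft',
    'CN=Doe\\, Jane,OU=Sales,DC=namerica,DC=nwtraders,DC=msft',
    'OU=Configuration,DC=samerica,DC=nwtraders,DC=msft',  # an OU, not the config NC
]

if __name__ == '__main__':
    for dn in SAMPLE_DNS:
        print('%-14s %-25s %s' % (classify(dn) + (dn,)))
```

The escaped comma in "Doe\, Jane" is the case that trips up naive split-on-comma scripts; the parser keeps it inside the RDN value, which matters when you feed DNs copied from ADSI Edit into a script.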


Delivery Tip: Use ADSI Edit to show the students the various Active Directory
partitions.

Sizing the Active Directory Database

Scenario                                Active Directory database size
Install Windows 2000                    13 MB
Install Exchange 2000                   27 MB
Add 10,000 mail-enabled users           110 MB
Add 50,000 non-mail-enabled users       345 MB
Mail-enable 50,000 users                425 MB


The Active Directory database stores the schema, which stores the definitions
of all objects that are stored in Active Directory. Exchange 2000 adds further
data to the Active Directory database, initially within the configuration and
schema partitions, and dynamically in the domain and global catalog partitions.
When you design your Exchange 2000 organization, it is important to plan
sufficient space for database expansion on the domain controllers.
The size of an Active Directory database depends on several factors, including
how many user attributes are populated, and the number, type, and size of
groups that are present. Consider the following metrics:
- A new Active Directory installation is about 13 megabytes (MB) in size. If
you install Exchange 2000, the Active Directory database will grow by
about 14 MB, to a total volume of 27 MB.
- If you add 10,000 mail-enabled users to this new Active Directory database,
the database will grow to approximately 110 MB.
- If you add 50,000 non-mail-enabled users to this new Active Directory
database, the database will grow to approximately 345 MB, or 6K per user.
- If you mail-enable those 50,000 users, the Active Directory database will
grow to approximately 425 MB, or 7K per user.

Topic Objective: To outline how the Active Directory database grows when
Exchange 2000 users are added.
Lead-in: When you design your Exchange 2000 organization, it is important to
plan sufficient space for database expansion on the domain controllers.

User Principal Names

[Slide diagram: forest tree nwtraders.msft with the domains
namerica.nwtraders.msft and samerica.nwtraders.msft; each domain shows a
UPN= and an SMTP= label, values not recoverable.]


When designing an Exchange 2000 organization, you can design user principal
names (UPNs) to alleviate any confusion that might be generated by differences
between the domain namespace and the e-mail namespace. Typically,
administrators use a single user principal name suffix for each forest.

Designing a Single User Principal Name Suffix
Consider creating and assigning a single user principal name suffix as the
default for all users. For example, as shown in the illustration on this page, you
can create and assign a user principal name suffix of @nwtraders.msft as the
default for all users. Making the user principal name the same as the SMTP
address provides users with a single namespace that they can use for logging on
to the network and for gaining access to e-mail.
Separating User Principal Names from the Mail Namespace
An organization might want to separate user principal names from the
namespace that is used for e-mail. Separating user principal names from
Internet e-mail addresses increases security by not affiliating user names with
publicly known e-mail addresses.

Note: UPNs must be unique across the entire forest.
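To see the single-suffix design and the forest-wide uniqueness rule together, the following Python script, an added example that is not part of this course or of Exchange 2000, assigns one default UPN suffix to a set of constructed accounts from the nwtraders.msft forest, reports whether each UPN matches the account's SMTP address (one namespace for logon and e-mail) or differs from it (separated namespaces), and finds UPNs that collide across domains. The account names and SMTP addresses are fictitious, and the fallback rule used to resolve a collision is my own choice, not a recommendation from the module.

```python
"""Plan user principal names (UPNs) for a forest and check them for collisions.

Added example for this module; it is not part of the course material or of
Exchange 2000. The user records are constructed for the nwtraders.msft
forest from the module's illustration, and the names are fictitious.
"""

# Constructed sample: (sAMAccountName, account domain, primary SMTP address).
# Two accounts deliberately share the logon name jdoe in different domains.
SAMPLE_USERS = [
    ('jdoe', 'namerica.nwtraders.msft', 'jdoe@nwtraders.msft'),
    ('jdoe', 'samerica.nwtraders.msft', 'juan.doe@nwtraders.msft'),
    ('asmith', 'nwtraders.msft', 'asmith@nwtraders.msft'),
    ('bchan', 'samerica.nwtraders.msft', 'bchan@nwtraders.msft'),
]


def build_upn(sam_account_name, suffix):
    """Join a logon name and a UPN suffix; the suffix may be given with or
    without the leading '@'."""
    return '%s@%s' % (sam_account_name, suffix.lstrip('@'))


def plan_upns(users, default_suffix):
    """Give every account the single default suffix and record whether the
    resulting UPN equals the account's SMTP address."""
    plan = []
    for sam, domain, smtp in users:
        upn = build_upn(sam, default_suffix)
        plan.append({'sam': sam, 'domain': domain, 'smtp': smtp, 'upn': upn,
                     'matches_smtp': upn.lower() == smtp.lower()})
    return plan


def find_upn_collisions(plan):
    """Return {upn: [domains]} for every UPN claimed by more than one account.

    UPNs must be unique across the whole forest, not just within a domain,
    and Active Directory compares them case-insensitively."""
    claims = {}
    for entry in plan:
        claims.setdefault(entry['upn'].lower(), []).append(entry['domain'])
    return {upn: domains for upn, domains in claims.items() if len(domains) > 1}


def resolve_collisions(plan):
    """Keep the first claimant of each UPN and give later claimants their own
    domain's DNS name as the suffix instead of the forest-wide default.

    Assumes sAMAccountName is unique within a domain (which Active Directory
    enforces). If the fallback is itself taken, for example because the
    account is in the forest root domain whose name is the default suffix,
    the conflict is reported for manual resolution."""
    taken = set()
    for entry in plan:
        key = entry['upn'].lower()
        if key in taken:
            entry['upn'] = build_upn(entry['sam'], entry['domain'])
            entry['matches_smtp'] = entry['upn'].lower() == entry['smtp'].lower()
            key = entry['upn'].lower()
            if key in taken:
                raise ValueError('cannot resolve UPN collision for %s in %s'
                                 % (entry['sam'], entry['domain']))
        taken.add(key)
    return plan


if __name__ == '__main__':
    plan = plan_upns(SAMPLE_USERS, '@nwtraders.msft')
    print('collisions before:', find_upn_collisions(plan))
    for entry in resolve_collisions(plan):
        print('%-30s %-25s matches SMTP: %s'
              % (entry['upn'], entry['domain'], entry['matches_smtp']))
```

Running the script shows the trade-off the module describes: the two jdoe accounts collide under a single forest-wide suffix, and after resolution the second one no longer matches its SMTP address, so that user has a separated logon and e-mail namespace whether or not that was the design intent.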


Topic Objective: To show how Exchange utilizes user principal names.
Lead-in: When designing your Exchange 2000 organization, remember that you can
utilize user principal names to reduce any confusion between the e-mail
namespace and the domain namespace.
