Contents

Overview 1
Advantages of Integrating Exchange 2000 With Active Directory 2
Storage of Exchange 2000 Data in Active Directory 4
Other Services Provided by Windows 2000 14
Exchange 2000 Directory Access 17
Implementing Groups in Active Directory 25
Lab A: Creating Windows 2000 Users and Groups 35
Review 41

Module 3: Exchange 2000 Integration with Active Directory


Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.


© 2000 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, MS, Windows, Windows NT, Active Directory directory service, ActiveX,
BackOffice, FrontPage, Hotmail, MSN, Outlook, PowerPoint, SQL Server, Visual Studios, and
Win32, are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A.
and/or other countries.

The names of companies, products, people, characters, and/or data mentioned herein are fictitious
and are in no way intended to represent any real individual, company, product, or event, unless
otherwise noted.

Other product and company names mentioned herein may be the trademarks of their respective
owners.

Project Lead:
David Phillips
Instructional Designers:
Lance Morrison (Wasser), Janet Sheperdigian, Steve Thues
Lead Program Manager:
Mark Adcock

Program Manager:
Lyle Curry, Scott Hay, Janice Howd, Steve Schwartz (Implement.Com),
Bill Wade (Wadeware LLC)

Graphic Artist:
Kimberly Jackson, Andrea Heuston (Artitudes Layout and Design)
Editing Manager:
Lynette Skinner
Editor:
Elizabeth Reese (Write Stuff)
Copy Editor:
Ed Casper (S&T Consulting), Carolyn Emory (S&T Consulting), Patricia Neff
(S&T Consulting), Noelle Robertson (S&T Consulting)
Online Program Manager:
Debbi Conger
Online Publications Manager:
Arlo Emerson (Aquent Partners)
Online Support:
Eric Brandt
Multimedia Developer:
Kelly Renner (Entex)
Compact Disc Testing:
Data Dimensions, Inc.
Production Support:
Ed Casper (S&T Consulting)
Manufacturing Manager:
Bo Galford
Manufacturing Support:
Rick Terek
Lead Product Manager, Development Services:


Lead Product Manager:
David Bramble
Group Product Manager:
Robert Stewart


Module 3: Exchange 2000 Integration with Active Directory  i


Instructor Notes

This module describes how Microsoft® Exchange 2000 depends on Active Directory directory service for storage of Exchange 2000 data, such as recipient objects, configuration data, schema attributes, and the global address list.
At the end of this module, students will be able to:
• Explain how Exchange 2000 uses and benefits from integration with Active Directory.
• Identify the Exchange 2000 Server components that rely on Active Directory.
• Compare the directory objects in previous versions of Microsoft Exchange Server with the equivalent objects in Active Directory.
• Compare how various Microsoft Exchange Server clients access Active Directory.
• Explain how computers running Exchange 2000 access Active Directory.
• Describe how groups in Microsoft Windows® 2000 are used as distribution lists and which group types work in different situations.

Materials and Preparation
This section provides you with the required materials and preparation tasks that are needed to teach this module.
Required Materials
To teach this module, you need the following materials:
• Microsoft PowerPoint® file 1569A_03.ppt

Preparation Tasks
To prepare for this module, you should:
• Read all of the materials for this module.
• Complete the lab.

Presentation:
60 Minutes

Lab:
20 Minutes


Module Strategy
Use the following strategy to present this module:

• Advantages of Integrating Exchange 2000 With Active Directory
Explain that Active Directory has replaced the dedicated directory that was used in previous versions of Exchange.
• Storage of Exchange 2000 Data in Active Directory
Describe the way data stored in Active Directory is divided into different partitions and the global catalog. Compare terms and functions from Exchange Server 5.5 with the new terms and functions in Exchange 2000.
• Other Services Provided by Windows 2000
Describe the other Windows 2000 services used by Exchange 2000. Emphasize that Exchange 2000 is more efficient than previous versions of Exchange, in part because of the services provided by Windows 2000.
• Exchange 2000 Directory Access
Describe how current and older mail clients access the directory. Discuss registry entries only if students ask about them; otherwise leave them for the students to read on their own.
• Implementing Groups in Active Directory
Point out that the distribution lists that were an important part of earlier Exchange versions have been replaced by the Active Directory group feature.
• Lab A: Creating Windows 2000 Users and Groups
Students customize their Windows 2000-based servers in this lab. The accounts and groups they create here are used in later labs.



Overview

• Advantages of Integrating Exchange 2000 with Active Directory
• Storage of Exchange 2000 Data in Active Directory
• Other Services Provided by Windows 2000
• Exchange 2000 Directory Access
• Implementing Groups in Active Directory


One of the major differences between Microsoft® Exchange 2000 and earlier versions of Exchange is how thoroughly Exchange 2000 links to the Active Directory directory service. This module describes how Exchange 2000 uses and benefits from integration with Active Directory.
At the end of this module, you will be able to:
• Identify the Exchange 2000 Server components that rely on Active Directory.
• Compare the directory objects in previous versions of Microsoft Exchange Server with the equivalent objects in Active Directory.
• Compare how various Microsoft Exchange Server clients access Active Directory.
• Explain how computers running Exchange 2000 access Active Directory.
• Describe how groups in Microsoft Windows® 2000 are used as distribution lists and which group types work in different situations.


Slide Objective
To provide an overview of the module topics and objectives.
Lead-in
In this module, you will learn about the various new features of Exchange 2000 that are linked to the Active Directory.


Advantages of Integrating Exchange 2000 With Active Directory

[Slide: Functionality (Granular Access Control; Schema Extensibility; Improved LDAP Support). Performance (Removes Unused Directory Services; Smarter Replication Tuning; Reduced Replication Load). Ease of Use (Unified Administrative Framework; Move/Rename Object Flexibility; Unification of Common Windows/Exchange Objects).]


Previous versions of Microsoft Exchange featured a dedicated directory that
provided a single, central location where users and applications could look up
and configure information about objects using Active Directory Service
Interfaces (ADSI) with Lightweight Directory Access Protocol (LDAP). This
directory stored all the information about an Exchange Server organization,
such as addresses, mailboxes, distribution lists, and public folders, in addition
to configuration information about sites and servers.
Benefits of Integration with Active Directory
Unlike previous versions of Exchange Server, Exchange 2000 no longer has a dedicated directory. Instead, Exchange 2000 integrates with the Windows 2000 Active Directory service. Unlike the Microsoft Windows NT® Security Accounts Manager (SAM), which was never designed to hold rich information about directory objects, such as telephone numbers, addresses, and certificates, Active Directory can hold the rich directory information required by Exchange 2000. Integration with Active Directory provides increased system performance and manageability while making directory management easier.
Some of the features of Active Directory include:
• Centralized object management. Unified administration of Exchange 2000 and Windows NT directory objects allows an administrator to manage all user data in one place, with one set of tools.
• Simplified security management. The Exchange 2000 information store uses native Microsoft Windows 2000 SACLs so that changes to a single set of security groups will apply to data stored in both Exchange 2000 and Windows 2000 file shares.
Slide Objective
To explain the implications of using Active Directory instead of the dedicated directory that was used in previous versions of Exchange.
Lead-in
Exchange 2000 uses the Windows 2000 Active Directory service instead of the dedicated directory that was used in previous versions of Exchange.



• Simplified creation of distribution lists. Exchange 2000 automatically uses Windows 2000 security groups as distribution lists, removing the need to create a parallel set of distribution lists for each department or group.
• Easier access to directory information. Using LDAP as a native access protocol for directory information makes access and hierarchy reconfiguration easier than in previous versions of Exchange.
All Exchange 2000 directory information (including mailboxes, information
about servers and sites, and custom recipients) is stored in the Active Directory.
Distribution lists are based on security groups in Active Directory, thus
simplifying list administration. Recognizing that customers will migrate to
Exchange 2000 over time, Microsoft provides the Active Directory Connector,
which you can use to replicate directory information between Exchange 2000
and existing Exchange Server 5.5 sites.


Storage of Exchange 2000 Data in Active Directory

• Data Partitions in Active Directory
• Domain Partition
• Configuration Partition
• Schema Partition
• Global Address List
• Selecting Attributes to Replicate to the Global Catalog


With the advent of Active Directory in Windows 2000, the directory database
that the operating system provides is now used to store Exchange 2000 data,
such as recipient objects, configuration data, schema attributes, and the global
address list. A separate directory for Exchange is no longer necessary;
Exchange 2000 is fully integrated with Active Directory.
Slide Objective
To provide an overview of data storage in Exchange 2000.
Lead-in
Exchange 2000 stores all of its data in Active Directory.


Data Partitions in Active Directory

[Slide: Active Directory partition diagram. Schema Partition: CN=Schema, CN=Configuration, DC=nwtraders, DC=msft. Domain Partition: Users, Computers, Groups. Configuration Partition: Exchange Configuration, Sites, Replication Technology.]


The information stored in Active Directory on every domain controller in the
forest is partitioned into three categories: domain, configuration, and schema
data. These directory partitions are the units of replication in Active Directory.
If the domain controller is also a global catalog server, it also holds a partial set
of the attributes stored in the global catalog.

Note: You can view the domain, configuration, and schema partitions by using ADSI Edit, which is included in the Windows 2000 Support Tools.

Slide Objective
To introduce the idea of data partitions and the three types of partitions.
Lead-in
All data stored in Active Directory is partitioned into three categories: domain, configuration, and schema.
Delivery Tip
This slide is like a sub-diamond inside the larger topic because it introduces the following three slides. Introduce the idea of data partitions but save the details for the following slides.


Domain Partition

[Slide: the same Active Directory partition diagram (Schema, Domain, and Configuration Partitions), focusing on the Domain Partition: Users, Computers, Groups.]


The domain partition contains all of the objects in the directory for a domain. Domain data in each domain is replicated to every domain controller in that domain, but not beyond its domain. Domain objects include recipient objects such as users, contacts, and groups.
Because of the consolidation and redesign of the directory structure, the object
classes and terms have changed between Exchange 2000 and previous versions
of Exchange Server. The following table compares the object classes and terms
between Exchange 2000 and previous versions of Exchange.
| Exchange 5.x Directory Object | Equivalent Object in Active Directory | Comments |
|---|---|---|
| Mailbox | Mailbox-enabled User | Mailbox-enabled users are security principals in Active Directory. These users can send and receive messages and have a Simple Mail Transfer Protocol (SMTP) address. In addition, this type of user account will have more property pages than a standard account and more options on the right-click menu. |
| Custom Recipient | Mail-enabled Contact | Mail-enabled contacts are not security principals in Active Directory. All mail-enabled contacts will have an SMTP address. Users on legacy messaging systems, such as Lotus cc:Mail and Lotus Notes, are also represented as contacts in Active Directory. |
| Distribution List | Mail-enabled Group | Different group classes exist in Active Directory. A group can either be a security or distribution group. In addition, you can set the scope of the group to Domain Local, Global, or Universal. |
| Public Folder | Public Folder | You can only create these object types through the Exchange System Manager and Active Directory Connector (ADC), not through the Active Directory Users and Computers snap-in. |

Slide Objective
To explain the new terms introduced in Active Directory and equate them to similar terms from Exchange Server 5.5.
Lead-in
Most of the object classes used in Exchange Server 5.5 still exist in Exchange 2000, but some of their names have changed.


Note: A user object in Active Directory could be mail-enabled only, and not have an Exchange 2000 mailbox. This is similar to a mail-enabled contact, in that a mail-enabled user would have an e-mail address that is external to the company, except that a user object is a security principal and can be given access to resources.
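A way to sort directory objects into the recipient categories that the table and the note above describe, and to list the ones that are also security principals. This is an added example, not code from the Microsoft course; it assumes that mailNickname is present on every mail-enabled object, that homeMDB is present only on mailbox-enabled users, and that bit 0x80000000 of groupType marks a security group (the module names none of these), and the sample objects are constructed.

```python
# Added example (not from the Microsoft course module): classify directory
# objects into the module's recipient categories and report which of them
# are security principals (objects that can be granted access to resources).
# Assumptions not stated in the module: mailNickname is set on every
# mail-enabled object, homeMDB is set only on mailbox-enabled users, and
# bit 0x80000000 of groupType marks a security group.
from typing import Any, Dict, List, NamedTuple

SECURITY_GROUP_FLAG = 0x80000000  # assumed groupType flag for security groups


class Recipient(NamedTuple):
    name: str
    category: str             # one of the module's recipient categories
    security_principal: bool  # can this object appear in an access control list?


def classify(obj: Dict[str, Any]) -> Recipient:
    """Map one directory object (attribute dictionary) to a recipient category."""
    classes = {c.lower() for c in obj.get("objectClass", [])}
    name = obj.get("cn", "?")
    if not obj.get("mailNickname"):
        # Plain Windows 2000 object: Exchange does not treat it as a recipient.
        return Recipient(name, "not mail-enabled", bool(classes & {"user", "group"}))
    if "contact" in classes:
        # Custom recipient in Exchange 5.x terms: SMTP address, no logon.
        return Recipient(name, "mail-enabled contact", False)
    if "group" in classes:
        # Distribution list in Exchange 5.x terms; only a security group can
        # also be used to grant or deny access to resources.
        is_security = bool(int(obj.get("groupType", 0)) & SECURITY_GROUP_FLAG)
        kind = "security" if is_security else "distribution"
        return Recipient(name, f"mail-enabled {kind} group", is_security)
    if "user" in classes:
        if obj.get("homeMDB"):
            return Recipient(name, "mailbox-enabled user", True)
        # The module's note: mail-enabled only, address external to the company.
        return Recipient(name, "mail-enabled user", True)
    return Recipient(name, "unknown", False)


def mail_enabled_principals(objects: List[Dict[str, Any]]) -> List[str]:
    """Names of objects that both receive mail and can hold permissions."""
    names = []
    for obj in objects:
        r = classify(obj)
        if r.security_principal and r.category != "not mail-enabled":
            names.append(r.name)
    return names


# Constructed sample objects; every value is made up for this example.
SAMPLE_OBJECTS = [
    {"cn": "Alice", "objectClass": ["top", "person", "user"],
     "mailNickname": "alice", "mail": "alice@nwtraders.msft",
     "homeMDB": "CN=Mailbox Store (SERVER1)"},
    {"cn": "Bob", "objectClass": ["top", "person", "user"],
     "mailNickname": "bob", "mail": "bob@partner.example"},
    {"cn": "Carol", "objectClass": ["top", "person", "contact"],
     "mailNickname": "carol", "mail": "carol@notes.example"},
    {"cn": "Sales", "objectClass": ["top", "group"],
     "mailNickname": "sales", "groupType": -2147483646},
    {"cn": "Newsletter", "objectClass": ["top", "group"],
     "mailNickname": "newsletter", "groupType": 2},
    {"cn": "Dave", "objectClass": ["top", "person", "user"]},
]

if __name__ == "__main__":
    for sample in SAMPLE_OBJECTS:
        print(classify(sample))
    print("Mail-enabled security principals:", mail_enabled_principals(SAMPLE_OBJECTS))
```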



Configuration Partition

[Slide: the same Active Directory partition diagram (Schema, Domain, and Configuration Partitions), focusing on the Configuration Partition: Exchange Configuration, Sites, Replication Technology.]



The configuration of the Exchange 2000 organization is stored in the configuration partition of Active Directory. Because Active Directory replicates the configuration partition between all domains in the forest, the configuration of the Exchange 2000 organization is also replicated throughout the forest. The configuration partition defines the topology, connectors, protocols, and service settings of the Exchange 2000 organization.
The Exchange 2000 configuration is stored under the following path in the configuration partition:
CN=Microsoft Exchange, CN=Services, CN=Configuration

Slide Objective
To explain the kinds of information stored in the configuration partition.
Lead-in
The configuration partition defines the topology, connectors, protocols, and service settings of the Exchange 2000 organization.


Schema Partition

[Slide: the same Active Directory partition diagram (Schema, Domain, and Configuration Partitions), focusing on the Schema Partition: CN=Schema, CN=Configuration, DC=nwtraders, DC=msft.]


The schema partition contains all object types (and their attributes) that can be
created in Active Directory. This data is common to all domains in the domain
tree or forest, and is replicated by Active Directory to all domain controllers in
the forest.
During the installation of the first computer running Exchange 2000 in the
forest, the Active Directory schema is extended with new attributes for
Exchange 2000 that start with ms-Exch. The schema is extended using LDAP
Directory Interchange Format (LDIF) files.

Note: You can examine which attributes are added to the Active Directory by viewing the LDIF files on the Exchange 2000 CD-ROM disc.

Slide Objective
To explain the contents of the schema partition.
Lead-in
The schema partition contains all object types that can be created in Active Directory.



The following table lists the common attributes and LDAP names for a
mailbox-enabled user object. This table illustrates how these attributes differ
between a standard installation of Active Directory and Active Directory that is
enabled for Exchange 2000. The index column indicates whether the attribute is
indexed in Active Directory. The In Global Catalog column indicates whether
the attribute has been tagged for global catalog server replication. The
Exchange 2000 installation adds those fields marked N/A in the Standard
Active Directory. The table may be helpful for planning purposes.


| Attribute | LDAP Name | Standard Active Directory: Index | Standard Active Directory: In Global Catalog | After Exchange 2000 Installation: Index | After Exchange 2000 Installation: In Global Catalog |
|---|---|---|---|---|---|
| First Name | GivenName | Yes | No | Yes | Yes |
| Initials | Initials | No | No | No | No |
| Last Name | Sn | Yes | No | Yes | Yes |
| Display Name | DisplayName | Yes | No | Yes | Yes |
| Alias | MailNickname | N/A | N/A | Yes | Yes |
| Mailing Address | StreetAddress | No | No | No | No |
| City | L | Yes | No | Yes | Yes |
| State | St | No | No | No | Yes |
| ZIP Code | PostalCode | No | No | No | No |
| Country | C | No | No | No | Yes |
| Job Title | Title | No | No | No | Yes |
| Company | Company | No | No | No | Yes |
| Department | Department | No | No | No | No |
| Office | PhysicalDeliveryOfficeName | Yes | No | Yes | Yes |
| Telephone | TelephoneNumber | No | No | No | Yes |
| Fax | FacsimileTelephoneNumber | No | No | No | No |
| Home Telephone | HomePhone | No | No | No | No |
| Manager | Manager | No | Yes | No | Yes |
| SMTP Address | Mail | Yes | No | Yes | Yes |
| Custom Attributes (all) | extensionAttributexx | N/A | N/A | No | No |




Global Address List

• The Global Address List Is an Aggregation of All Message Recipients in an Enterprise
• The Global Address List Is Stored on Global Catalog Servers



When Microsoft Outlook® users look up addresses of other users in their company, the information comes from the global address list (GAL). The GAL represents an aggregation of all messaging recipients in the enterprise. Because computers running Exchange 2000 no longer host their own directory service, you retrieve all data from the global catalog servers in Active Directory. A global catalog server can support the Messaging Application Programming Interface (MAPI) protocol in addition to LDAP, so Outlook clients can communicate with Active Directory by using the same protocol that the directory service in Exchange Server 5.5 uses.
Slide Objective
Explain the role of the global address list.
Lead-in
The global address list holds all the addresses in an Exchange organization.


Selecting Attributes to Replicate to the Global Catalog

[Slide: forest nwtraders.msft with domains west.nwtraders.msft and east.nwtraders.msft, each with a Global Catalog that replicates First Name, Last Name, Alias, and Mailing Address for users of both domains. Question on the slide: "What is the mailing address for a user in west.nwtraders.msft?"]


The global catalog holds a partial replica of domain data directory partitions for
all domains in the forest. By default, the partial set of attributes stored in the
global catalog includes those attributes most frequently used in search
operations, because one of the primary functions of the global catalog is to
support clients querying the directory.
Selecting the attributes to replicate to the global catalog requires careful
planning. You need to preserve functionality that users of Outlook already have
if an earlier version of Exchange Server is already deployed, but you have to
take into consideration the ramifications for replication traffic if you tag too
many additional attributes.
Because the global catalog holds a complete replica of its home domain and a partial replica of every other domain in the forest, users see all attributes for other users in the same domain. However, they see only the attributes tagged for replication in the global catalog from other domains.
Where very slow networks are involved, you may want to survey your Outlook
users to find out which directory attributes they rely upon. It is even more
important to establish whether any custom Collaboration Data Objects (CDO)
and/or ADSI applications rely on the presence of certain directory data. For
example, a workflow application may require access to a custom attribute that
holds a manager’s sign-off limit.
Slide Objective
To explain the importance of carefully selecting the attributes that will be replicated to the global catalog.
Lead-in
Choosing the right attributes to replicate requires careful balancing of the user's lookup needs and the replication traffic on the network.


From a technical standpoint, each additional attribute tagged for replication will
incur an additional 100 bytes of replication data per object. Many companies
may need to reduce the number of attributes that are tagged for replication due
to bandwidth constraints; however, the replication traffic caused by an existing
Exchange Server 5.x network will be far greater than the traffic the Active
Directory produces. This is based on the following assumptions:

• Each computer running Exchange Server 5.5 in the organization must hold a full copy of Exchange Directory, whereas Active Directory only replicates to domain controllers and global catalog servers.
• Any change to an Exchange Server 5.5 object will cause the entire object to be re-replicated to the rest of the Exchange organization (roughly 5KB intra-Site and 1KB inter-Site), whereas Active Directory uses per-property replication, so the amount of replication data is much smaller.

Note: You can select attributes in the global catalog to replicate by using the Microsoft Management Console (MMC) Active Directory Schema snap-in.
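The mailbox-enabled user attribute table in the Schema Partition section and the per-attribute replication figures given here, worked as a planning calculation. This is an added example, not code from the Microsoft course: the rows are transcribed from the module's table, the byte costs are the module's own estimates, and 1 KB is taken as 1024 bytes.

```python
# Added example (not from the Microsoft course module): global catalog
# replication planning from the module's attribute table and its planning
# figures (100 bytes per tagged attribute per object; roughly 5 KB intra-site
# and 1 KB inter-site per re-replicated Exchange Server 5.5 object).
# Assumption: 1 KB is taken as 1024 bytes.
from typing import List, NamedTuple


class AttrRow(NamedTuple):
    attribute: str
    ldap_name: str
    std_index: str   # Standard Active Directory: indexed?
    std_gc: str      # Standard Active Directory: in the global catalog?
    exch_index: str  # After Exchange 2000 installation: indexed?
    exch_gc: str     # After Exchange 2000 installation: in the global catalog?


# Transcribed from the module's table. "N/A": the attribute does not exist
# until Exchange 2000 setup extends the schema.
ATTRIBUTE_TABLE: List[AttrRow] = [
    AttrRow("First Name", "GivenName", "Yes", "No", "Yes", "Yes"),
    AttrRow("Initials", "Initials", "No", "No", "No", "No"),
    AttrRow("Last Name", "Sn", "Yes", "No", "Yes", "Yes"),
    AttrRow("Display Name", "DisplayName", "Yes", "No", "Yes", "Yes"),
    AttrRow("Alias", "MailNickname", "N/A", "N/A", "Yes", "Yes"),
    AttrRow("Mailing Address", "StreetAddress", "No", "No", "No", "No"),
    AttrRow("City", "L", "Yes", "No", "Yes", "Yes"),
    AttrRow("State", "St", "No", "No", "No", "Yes"),
    AttrRow("ZIP Code", "PostalCode", "No", "No", "No", "No"),
    AttrRow("Country", "C", "No", "No", "No", "Yes"),
    AttrRow("Job Title", "Title", "No", "No", "No", "Yes"),
    AttrRow("Company", "Company", "No", "No", "No", "Yes"),
    AttrRow("Department", "Department", "No", "No", "No", "No"),
    AttrRow("Office", "PhysicalDeliveryOfficeName", "Yes", "No", "Yes", "Yes"),
    AttrRow("Telephone", "TelephoneNumber", "No", "No", "No", "Yes"),
    AttrRow("Fax", "FacsimileTelephoneNumber", "No", "No", "No", "No"),
    AttrRow("Home Telephone", "HomePhone", "No", "No", "No", "No"),
    AttrRow("Manager", "Manager", "No", "Yes", "No", "Yes"),
    AttrRow("SMTP Address", "Mail", "Yes", "No", "Yes", "Yes"),
    AttrRow("Custom Attributes (all)", "extensionAttributexx", "N/A", "N/A", "No", "No"),
]

BYTES_PER_TAGGED_ATTRIBUTE = 100           # per object, the module's figure
EXCH55_INTRA_SITE_OBJECT_BYTES = 5 * 1024  # "roughly 5KB intra-Site"
EXCH55_INTER_SITE_OBJECT_BYTES = 1 * 1024  # "roughly 1KB inter-Site"


def added_by_exchange_setup(table=ATTRIBUTE_TABLE) -> List[str]:
    """Attributes that only exist after the Exchange 2000 schema extension."""
    return [r.ldap_name for r in table if r.std_gc == "N/A"]


def newly_tagged_for_gc(table=ATTRIBUTE_TABLE) -> List[str]:
    """Attributes that setup adds to the global catalog partial attribute set."""
    return [r.ldap_name for r in table if r.std_gc != "Yes" and r.exch_gc == "Yes"]


def forest_visible_after_setup(table=ATTRIBUTE_TABLE) -> List[str]:
    """Partial attribute set after setup: what users in other domains can read
    through any global catalog, so this is the list to review for personal data."""
    return [r.ldap_name for r in table if r.exch_gc == "Yes"]


def extra_gc_bytes_per_object(table=ATTRIBUTE_TABLE) -> int:
    """Additional replication data per object caused by the setup tagging."""
    return BYTES_PER_TAGGED_ATTRIBUTE * len(newly_tagged_for_gc(table))


def gc_replication_estimate(objects_in_other_domains: int, extra_tagged: int = 0,
                            table=ATTRIBUTE_TABLE) -> int:
    """Bytes a global catalog server takes in for objects homed in other domains:
    the setup tagging plus extra_tagged attributes you tag yourself."""
    per_object = extra_gc_bytes_per_object(table) + BYTES_PER_TAGGED_ATTRIBUTE * extra_tagged
    return per_object * objects_in_other_domains


def exch55_change_cost(intra_site_servers: int, inter_site_servers: int) -> int:
    """Bytes replicated for one attribute change in an Exchange 5.5 organization,
    which re-sends the whole object to every server."""
    return (EXCH55_INTRA_SITE_OBJECT_BYTES * intra_site_servers
            + EXCH55_INTER_SITE_OBJECT_BYTES * inter_site_servers)


def per_property_change_cost(attribute_bytes: int, replicas: int) -> int:
    """Active Directory replicates only the changed attribute to each replica."""
    return attribute_bytes * replicas


if __name__ == "__main__":
    print("Added by setup:", added_by_exchange_setup())
    print("Newly tagged for the global catalog:", newly_tagged_for_gc())
    print("Readable forest-wide after setup:", forest_visible_after_setup())
    print("Extra bytes per object:", extra_gc_bytes_per_object())
    # 20,000 users homed in other domains, plus two custom attributes tagged by hand
    print("Global catalog load:", gc_replication_estimate(20000, extra_tagged=2))
    print("Exchange 5.5, one change, 10 intra/5 inter servers:", exch55_change_cost(10, 5))
    print("Active Directory, one 100-byte change to 15 replicas:", per_property_change_cost(100, 15))
```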


Other Services Provided by Windows 2000

• Simple Mail Transfer Protocol
• Domain Name System
• Network News Transfer Protocol
• Security
  ○ Authentication
  ○ Permissions
• Active Directory Replication



Exchange 2000 depends on Windows 2000 for more than just Active Directory.
Simple Mail Transfer Protocol (SMTP)
The core SMTP services that Exchange 2000 relies upon to transfer messages
are part of Internet Information Services 5 and Windows 2000.
Domain Name System (DNS)
A DNS service must be running in the organization for Exchange 2000 Server
to function. Outlook Web Access and Internet protocols, including SMTP, rely
on DNS for connectivity.
In earlier versions of Windows NT, the preferred location service was Windows
Internet Name Service (WINS) because it provides dynamic publishing and full
name-to-network address mapping. Windows 2000 Active Directory uses the
DNS locator service. The DNS naming scheme is standards-based and provides
maximum interoperability with Internet technologies.
Network News Transfer Protocol (NNTP)
The Network News Transfer Protocol that Exchange uses to access Newsgroups
is part of Internet Information Services 5 and Windows 2000.
Security
Exchange 2000 has two aspects of security: authentication and permissions.
Users log on to Exchange 2000 and after they are authenticated, they have
access to resources based on their permissions.
Slide Objective
To list the other major Windows 2000 services that Exchange 2000 uses.
Lead-in
Active Directory isn't the only Windows 2000 service that Exchange 2000 depends upon.


Authentication
Before users or processes can access Exchange 2000, they must log on to
Windows 2000 Server by supplying a unique user name and password. The
system must validate or authenticate this logon information. When a user logs
on, Windows 2000 Server identifies a security context. The security context
determines the user’s access to system services, including group membership.
A user needs to log on only once to gain access to Exchange 2000. This
contrasts with other security models that require separate passwords for
different resources, such as printers, file servers, or messaging systems.

Note: For more detailed information on Windows 2000 Authentication, please refer to the Windows 2000 documentation.

Permissions
Within an Exchange organization, permissions control access to resources.
Permissions provide specific authorization to perform an action. Permissions
are a key component of Exchange administration, and because they grant and
deny access throughout an entire organization, they should be one of your first
security considerations.
Exchange 2000 now uses security descriptors of the Windows 2000 Active
Directory to administer permissions on Exchange objects. The Exchange
objects are managed with the Exchange System Manager tool. In addition to
these Windows 2000 security descriptors, Exchange 2000 features Exchange-
specific extended permissions, which are permissions specific to Exchange
objects that are added to the standard Active Directory object schema.
Permissions in Exchange 2000 are also inheritable, meaning that when you set permissions at the organization level, all objects within the organization will inherit the same permissions.
In addition, you can set permissions for each property, providing administrators
with much finer control over access to objects. For example, you can set
permissions on user objects so that users can change their telephone numbers
but not their e-mail addresses.

Note: Security descriptors are known as access control lists (ACLs) in Windows NT® version 4.0. For more information on security descriptors, see your Windows 2000 documentation on discretionary access control lists (DACLs) and system access control lists (SACLs).


Active Directory Replication
With earlier versions of Exchange, when attributes of directory objects are
changed, the entire object, not just the changed attribute, is replicated
throughout the organization. This is because earlier versions of Exchange
support only object-level replication, which results in greater network traffic.
With Exchange 2000 Server, directory replication occurs through Active Directory. Active Directory has the capability to replicate each changed or updated attribute rather than the entire object. For example, if a change is made to an attribute, the attribute is replicated to other domain controllers in the domain. If the attribute is global in scope, such as an office location or phone number change to an Exchange 2000 mailbox, the attribute is replicated to the other global catalog servers.
Replicating specific attributes rather than entire objects has a number of
benefits and implications in Exchange 2000. Users, groups, and contacts are
objects in Active Directory. Characteristics such as whether an object is mail-
enabled (does not have an Exchange mailbox), mailbox-enabled (has an
Exchange mailbox), or has the ability to receive mail, are now object attributes.
Describing objects with lists of attributes means that:
„# Changes to an object's description (for example, an office location) can be
made more often.
„# Changes can be targeted to specific items, such as changing a specific
permission (for example, mailbox size).



Exchange 2000 Directory Access

• Client Access to the Directory
• Exchange 2000 Directory Access
• Exchange 2000 Directory Access Cache


Exchange Directory access for servers has changed significantly from Exchange
Server 5.5. Client access has also changed, but only for Outlook 2000 and later
clients; older clients can communicate in the same ways that they always have,
as long as Exchange 2000 is configured to serve them.

Slide Objective
To explain how different clients and components access Active Directory.
Lead-in
This section covers different ways to access Active Directory.


Client Access to the Directory

[Slide: two paths from a Client through an Exchange 2000 Server to a Global Catalog. Proxy: the Exchange 2000 server forwards client directory calls to Windows 2000. Referral: the client talks to the Exchange 2000 server and to the Windows 2000 directory.]

Older clients, such as the Exchange client, Outlook 97, Outlook 98, and
Macintosh, make MAPI Directory Service (MAPI DS) requests to a server
running Exchange. Exchange 2000 clients communicate differently so some
accommodations must be made to enable older clients to work with
Exchange 2000.
Backwards Compatibility
To make Exchange 2000 backwards compatible with the existing MAPI client
base, a computer running Exchange 2000 will proxy any MAPI DS requests
through to a local global catalog server on the network. The directory service
proxy (DSProxy) process on the Exchange 2000 Server is responsible for this
task. Because Microsoft Active Directory supports a number of protocols,
including LDAP and MAPI DS, an Outlook directory request is completely
valid, even if it runs directly against an Active Directory-based server.
After the global catalog server returns the result to the computer running
Exchange 2000, the server proxies the result to the MAPI client. This entire
process is hidden from the user.
Slide Objective
To explain how Exchange 2000 communicates with mail clients, both new and old.
Lead-in
There are several ways for clients to access Active Directory.



Traffic and Load Generated Through the DSProxy Process
The actual communication for looking up the name of one recipient is as
follows:
1. The MAPI client sends one network packet to the computer running
Exchange 2000. The packet contains the name for the lookup in plain text.
2. The computer running Exchange 2000 proxies the request and sends it to a
local global catalog.
3. The local global catalog returns the result to the computer running
Exchange 2000.
4. The computer running Exchange 2000 returns the result to the MAPI client.
5. The MAPI client returns an acknowledgement to the computer running
Exchange 2000.
6. The computer running Exchange 2000 proxies the acknowledgement to the
local global catalog.

The directory lookup process produces six frames on the network. The decrease
in performance on the global catalog server is between one percent and two
percent. If multiple names need to be looked up in the directory, the name
fragments are sent in one request packet.
If the user chooses to browse the global address list, the same process takes
place. Other than sending a few extra frames over the network as the user
scrolls through the address book, the overhead is minimal.


Outlook 2000
The first time an Outlook 2000 client connects to a computer running Exchange
Server, it will look for the Directory Service on the home Exchange server.
Because the version of the Exchange Server being used at the back-end is
determined for the client when emsmdb32.dll loads, Outlook 2000 will go
through the DSProxy process for the very first session. After the client has
contacted the DSProxy service (it will try all available transport protocols), a
referral will be passed back to the client informing it that all future directory
requests should be sent to the global catalog.
Outlook will set the referral in the MAPI profile:
HKEY_CURRENT_USER \ Software \ Microsoft \ Windows NT \ CurrentVersion \
Windows Messaging Subsystem \ Profiles \ profile name \ dca740…2fe182

Value name: 001e6602
Value type: String
Value data: \\DirectoryServer.domain

(Example: \\CHOOSY.catfood.microsoft.com)

The referral mechanism will reduce the load on the computer running
Exchange 2000 and will reduce the latency for address book lookups. If an
explicit server name is entered into the profile, Outlook will need to be restarted
in the event that the Active Directory-based server fails. In this event, the
computer running Exchange 2000 will pass Outlook a new referral for it to use.
In some scenarios, it is desirable to force Outlook clients, even the latest
versions, to always go through the DSProxy process without being referred.
You can do this by configuring the computer running Exchange 2000 not to
give out referrals. Implement this by using the following registry parameter:
HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ Services \ MSExchangeSA \ Parameters

Value name: No RFR Service
Value type: DWORD
Value data: 0x1
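As an added example (not code from this course or from Microsoft), the following Python model walks through the behaviour described in the Backwards Compatibility, Traffic and Load, and Outlook 2000 sections above: older MAPI clients are always proxied through DSProxy at six frames per lookup, Outlook 2000 is proxied for its first session and then stores the referral in profile value 001e6602 and queries the global catalog directly, and "No RFR Service" = 0x1 suppresses the referral. The class names, the host names gc01.example.com and exch01.example.com, and the directory entry are assumptions; parse_referral is an added sanity check on the shape of the value data (\\DirectoryServer.domain).

```python
"""Added model of the DSProxy / referral (RFR) behaviour described above.

Illustration written for this page, not Microsoft code: class and function
names are invented, the directory content is constructed, and the network is
a chain of Python calls.  It follows what the text states:
  * pre-Exchange 2000 MAPI clients always have their MAPI DS requests proxied
    by the Exchange 2000 server to a global catalog (six frames per lookup);
  * an Outlook 2000 client is proxied for its first session, receives a
    referral, stores it in profile value 001e6602 and then queries the
    global catalog directly;
  * with "No RFR Service" = 0x1 on the Exchange server no referral is issued,
    so every client keeps going through DSProxy.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

REFERRAL_VALUE_NAME = "001e6602"   # MAPI profile value that holds the referral
FRAMES_PER_PROXIED_LOOKUP = 6      # request, proxy, GC reply, reply, ack, proxied ack


@dataclass
class GlobalCatalog:
    fqdn: str
    entries: Dict[str, str]        # display name -> SMTP address (constructed sample data)
    queries: int = 0

    def lookup(self, name: str) -> Optional[str]:
        self.queries += 1
        return self.entries.get(name)


@dataclass
class ExchangeServer:
    fqdn: str
    gc: GlobalCatalog              # the local global catalog DSProxy forwards to
    no_rfr_service: int = 0        # the MSExchangeSA\Parameters DWORD; 0x1 disables referrals
    proxied: int = 0
    referrals: int = 0
    frames: int = 0

    def mapi_ds_request(self, name: str, understands_referrals: bool) -> Tuple[Optional[str], Optional[str]]:
        """DSProxy path: forward the lookup to the GC, return (result, referral-or-None)."""
        self.proxied += 1
        self.frames += FRAMES_PER_PROXIED_LOOKUP
        result = self.gc.lookup(name)
        referral = None
        if understands_referrals and self.no_rfr_service != 0x1:
            self.referrals += 1
            referral = "\\\\" + self.gc.fqdn        # same shape as the 001e6602 value data
        return result, referral


def parse_referral(value_data: str) -> Optional[str]:
    """Check that 001e6602 value data has the form \\\\DirectoryServer.domain; return the host."""
    if not value_data.startswith("\\\\"):
        return None
    host = value_data[2:]
    if not host or "\\" in host or " " in host:
        return None
    return host


@dataclass
class MapiClient:
    server: ExchangeServer
    understands_referrals: bool    # True for Outlook 2000; False for Outlook 97/98, Exchange client, Macintosh
    network: Dict[str, GlobalCatalog]   # directory servers the client can currently reach
    profile: Dict[str, str] = field(default_factory=dict)

    def resolve(self, name: str) -> Optional[str]:
        gc_fqdn = parse_referral(self.profile.get(REFERRAL_VALUE_NAME, ""))
        gc = self.network.get(gc_fqdn) if gc_fqdn else None
        if gc is not None:
            return gc.lookup(name)             # referred: talk to the global catalog directly
        # No usable referral (first session, referral disabled, or the referred
        # server is gone): go through DSProxy, which may hand out a new referral.
        result, referral = self.server.mapi_ds_request(name, self.understands_referrals)
        if referral is not None:
            self.profile[REFERRAL_VALUE_NAME] = referral
        return result


def demo(no_rfr_service: int = 0) -> dict:
    """Three lookups from an old client, then three from Outlook 2000 (constructed data)."""
    gc = GlobalCatalog("gc01.example.com", {"Alice Smith": "alice@example.com"})
    exch = ExchangeServer("exch01.example.com", gc, no_rfr_service=no_rfr_service)
    network = {gc.fqdn: gc}
    old_client = MapiClient(exch, understands_referrals=False, network=network)
    outlook2000 = MapiClient(exch, understands_referrals=True, network=network)
    for _ in range(3):
        old_client.resolve("Alice Smith")
    for _ in range(3):
        outlook2000.resolve("Alice Smith")
    return {
        "proxied": exch.proxied,
        "referrals": exch.referrals,
        "frames": exch.frames,
        "gc_queries": gc.queries,
        "outlook2000_referral": outlook2000.profile.get(REFERRAL_VALUE_NAME),
    }


if __name__ == "__main__":
    print("referrals enabled :", demo(0))
    print("No RFR Service=0x1:", demo(1))
```

With referrals enabled, demo(0) shows four proxied lookups and one referral: the old client is proxied three times and Outlook 2000 once, after which its two remaining lookups go straight to the global catalog. With demo(1) all six lookups are proxied and the profile never receives a referral. When reviewing a MAPI profile, the value stored in 001e6602 should name one of the site's global catalog servers, which is the check parse_referral and the network lookup perform here.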


Exchange 2000 Directory Access
[Slide figure: Exchange 2000 components (Store, MTA, IMAP4, etc.) call the DS Access API, which connects to the domain controllers (DC) and global catalog servers (GC) in the Windows 2000 site.]


Depending upon the type of query, a computer running Exchange 2000 may go
to different Active Directory-based servers. A computer running
Exchange 2000 usually establishes a number of LDAP connections to domain
controllers and global catalog servers that are close-by. There are two main
directory activities that a computer running Exchange 2000 has to perform:
address book and configuration data lookups.
Address Book Lookup
When a computer running Exchange 2000 needs to look up address book
information, to resolve a user name in the directory for example, the server may
choose to forward the request to a local domain controller if the resolution can
be handled within the domain. Exchange 2000 uses DNS to find the collection
of domain controllers, and then uses them in a round-robin fashion. If a local
domain controller cannot service the request, it is sent to a global catalog server
where it will be resolved. If there is more than one global catalog server in the
site, Exchange 2000 will also use these on a round-robin basis.
Configuration Data Lookup
When a computer running Exchange 2000 needs to read configuration data,
such as routing information, it can connect to any domain controller within the
local domain to retrieve this information because the configuration naming
context is replicated to every domain controller within the forest.
Through the following registry values, it is possible to hard-code the names of
the directory servers that Exchange 2000 will use to obtain its data. Doing this
communicates a preference to the Exchange server. If the name given does not
exist or cannot communicate, the server will resort to using standard DNS
lookups.
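As an added example (not code from this course or from Microsoft), the Python model below implements the two server-selection rules described under Address Book Lookup and Configuration Data Lookup, plus the preference-with-fallback behaviour of a hard-coded directory server. The class names, the forest contents, the DNS data and the host names (dc01/dc02/gc01/gc02.corp.example.com) are constructed; because this page does not list the registry values, the preferred server is passed in as a plain parameter rather than read from the registry.

```python
"""Added model of DSAccess server selection as described above.

Illustration written for this page, not Microsoft code: names are invented,
the forest contents and DNS records are constructed, and the hard-coded
server is a parameter.  Modelled rules, as stated in the text:
  * address book lookups go to DNS-discovered domain controllers of the local
    domain, round-robin; a name the local DC cannot resolve (an object in
    another domain) is sent to a global catalog, round-robin across the GCs;
  * configuration data is read from any domain controller, because the
    configuration naming context is replicated to every DC in the forest;
  * a hard-coded directory server is only a preference: if it does not exist
    or cannot be reached, the server falls back to the DNS-discovered list.
"""
from itertools import cycle
from typing import Dict, List, Optional, Tuple

# Constructed sample forest: the domain each recipient object lives in.
FOREST_OBJECTS = {
    "Alice Smith": "corp.example.com",
    "Bob Jones": "corp.example.com",
    "Carol White": "emea.example.com",
}
CONFIG_NC = {"routing-group": "First Routing Group"}   # replicated to every DC in the forest

# Constructed stand-in for the DNS records Exchange 2000 uses to find DCs and GCs.
DNS = {
    "dc": ["dc01.corp.example.com", "dc02.corp.example.com"],
    "gc": ["gc01.corp.example.com", "gc02.corp.example.com"],
}


class DirectoryServer:
    def __init__(self, fqdn: str, domain: str, is_gc: bool = False, reachable: bool = True):
        self.fqdn, self.domain, self.is_gc, self.reachable = fqdn, domain, is_gc, reachable
        self.queries = 0

    def resolve(self, name: str) -> Optional[str]:
        """A DC answers only for its own domain; a GC holds a partial replica of every domain."""
        self.queries += 1
        obj_domain = FOREST_OBJECTS.get(name)
        if obj_domain is not None and (self.is_gc or obj_domain == self.domain):
            return obj_domain
        return None

    def read_config(self, key: str) -> Optional[str]:
        self.queries += 1
        return CONFIG_NC.get(key)


class DSAccess:
    def __init__(self, servers: Dict[str, DirectoryServer], dns: Dict[str, List[str]] = DNS,
                 preferred_dc: Optional[str] = None):
        self.servers = servers
        self.dcs = cycle(self._choose(preferred_dc, dns["dc"]))
        self.gcs = cycle([n for n in dns["gc"] if servers[n].reachable])
        self.trace: List[Tuple[str, str]] = []      # (server, kind) for every query sent

    def _choose(self, preferred: Optional[str], discovered: List[str]) -> List[str]:
        srv = self.servers.get(preferred) if preferred else None
        if srv is not None and srv.reachable:
            return [preferred]                        # honour the hard-coded preference
        return [n for n in discovered if self.servers[n].reachable]   # standard DNS lookup

    def address_book_lookup(self, name: str) -> Optional[str]:
        dc = self.servers[next(self.dcs)]
        self.trace.append((dc.fqdn, "address-book"))
        result = dc.resolve(name)
        if result is None:                            # local DC cannot service it: ask a GC
            gc = self.servers[next(self.gcs)]
            self.trace.append((gc.fqdn, "address-book/gc"))
            result = gc.resolve(name)
        return result

    def config_lookup(self, key: str) -> Optional[str]:
        dc = self.servers[next(self.dcs)]             # any DC holds the configuration NC
        self.trace.append((dc.fqdn, "config"))
        return dc.read_config(key)


def build_site(dc02_reachable: bool = True) -> Dict[str, DirectoryServer]:
    return {
        "dc01.corp.example.com": DirectoryServer("dc01.corp.example.com", "corp.example.com"),
        "dc02.corp.example.com": DirectoryServer("dc02.corp.example.com", "corp.example.com",
                                                 reachable=dc02_reachable),
        "gc01.corp.example.com": DirectoryServer("gc01.corp.example.com", "corp.example.com", is_gc=True),
        "gc02.corp.example.com": DirectoryServer("gc02.corp.example.com", "corp.example.com", is_gc=True),
    }


def demo(preferred_dc: Optional[str] = None, dc02_reachable: bool = True):
    """Three address book lookups (one cross-domain) and one configuration read."""
    ds = DSAccess(build_site(dc02_reachable), preferred_dc=preferred_dc)
    results = [ds.address_book_lookup(n) for n in ("Alice Smith", "Bob Jones", "Carol White")]
    results.append(ds.config_lookup("routing-group"))
    return results, [server for server, _ in ds.trace]


if __name__ == "__main__":
    print(demo())
    print(demo(preferred_dc="dc02.corp.example.com"))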
Slide Objective
To explain the two main activities that Exchange 2000 performs with Active Directory-based servers.
Lead-in
There are two main directory activities that a computer running Exchange 2000 has to perform: address book and configuration data lookups.
