Document: Module 3: Exchange 2000 Integration with Active Directory (PDF)


Module 3: Exchange 2000 Integration with Active Directory

Contents

• Overview
• Advantages of Integrating Exchange 2000 With Active Directory
• Storage of Exchange 2000 Data in Active Directory
• Other Services Provided by Windows 2000
• Exchange 2000 Directory Access
• Implementing Groups in Active Directory
• Lab A: Creating Windows 2000 Users and Groups
• Review

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2000 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, MS, Windows, Windows NT, Active Directory directory service, ActiveX, BackOffice, FrontPage, Hotmail, MSN, Outlook, PowerPoint, SQL Server, Visual Studios, and Win32, are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

Other product and company names
mentioned herein may be the trademarks of their respective owners.

Project Lead: David Phillips
Instructional Designers: Lance Morrison (Wasser), Janet Sheperdigian, Steve Thues
Lead Program Manager: Mark Adcock
Program Manager: Lyle Curry, Scott Hay, Janice Howd, Steve Schwartz (Implement.Com), Bill Wade (Wadeware LLC)
Graphic Artist: Kimberly Jackson, Andrea Heuston (Artitudes Layout and Design)
Editing Manager: Lynette Skinner
Editor: Elizabeth Reese (Write Stuff)
Copy Editor: Ed Casper (S&T Consulting), Carolyn Emory (S&T Consulting), Patricia Neff (S&T Consulting), Noelle Robertson (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aquent Partners)
Online Support: Eric Brandt
Multimedia Developer: Kelly Renner (Entex)
Compact Disc Testing: Data Dimensions, Inc.
Production Support: Ed Casper (S&T Consulting)
Manufacturing Manager: Bo Galford
Manufacturing Support: Rick Terek
Lead Product Manager, Development Services: Lead Product Manager: David Bramble
Group Product Manager: Robert Stewart

Instructor Notes

Presentation: 60 Minutes
Lab: 20 Minutes

This module describes how Microsoft® Exchange 2000 depends on Active Directory™ directory service for storage of Exchange 2000 data, such as recipient objects, configuration data, schema attributes, and the global address list.

At the end of this module, students will be able to:

• Explain how Exchange 2000 uses and benefits from integration with Active Directory.
• Identify the Exchange 2000 Server components that rely on Active Directory.
• Compare the directory objects in previous versions of Microsoft Exchange Server with the equivalent objects in Active Directory.
• Compare how various Microsoft Exchange Server clients access Active Directory.
• Explain how computers running Exchange 2000 access Active Directory.
• Describe how groups in Microsoft Windows® 2000 are used as distribution lists and
which group types work in different situations.

Materials and Preparation

This section provides you with the required materials and preparation tasks that are needed to teach this module.

Required Materials

To teach this module, you need the following materials:

• Microsoft PowerPoint® file 1569A_03.ppt

Preparation Tasks

To prepare for this module, you should:

• Read all of the materials for this module.
• Complete the lab.

Module Strategy

Use the following strategy to present this module:

• Advantages of Integrating Exchange 2000 With Active Directory. Explain that Active Directory has replaced the dedicated directory that was used in previous versions of Exchange.
• Storage of Exchange 2000 Data in Active Directory. Describe the way data stored in Active Directory is divided into different partitions and the global catalog. Compare terms and functions from Exchange Server 5.5 with the new terms and functions in Exchange 2000.
• Other Services Provided by Windows 2000. Describe the other Windows 2000 services used by Exchange 2000. Emphasize that Exchange 2000 is more efficient than previous versions of Exchange, in part because of the services provided by Windows 2000.
• Exchange 2000 Directory Access. Describe how current and older mail clients access the directory. Discuss registry entries only if students ask about them; otherwise leave them for the students to read on their own.
• Implementing Groups in Active Directory. Point out that the distribution lists that were an important part of earlier Exchange versions have been replaced by the Active Directory group feature.
• Lab A: Creating Windows 2000 Users and Groups. Students customize their Windows 2000-based servers in this lab. The accounts and groups they create here are used in later labs.

Overview

Slide Objective: To provide an overview of the module topics and objectives.
• Advantages of Integrating Exchange 2000 with Active Directory
• Storage of Exchange 2000 Data in Active Directory
• Other Services Provided by Windows 2000
• Exchange 2000 Directory Access
• Implementing Groups in Active Directory

Lead-in: In this module, you will learn about the various new features of Exchange 2000 that are linked to the Active Directory.

One of the major differences between Microsoft® Exchange 2000 and earlier versions of Exchange is how thoroughly Exchange 2000 links to the Active Directory™ directory service. This module describes how Exchange 2000 uses and benefits from integration with Active Directory.

At the end of this module, you will be able to:

• Identify the Exchange 2000 Server components that rely on Active Directory.
• Compare the directory objects in previous versions of Microsoft Exchange Server with the equivalent objects in Active Directory.
• Compare how various Microsoft Exchange Server clients access Active Directory.
• Explain how computers running Exchange 2000 access Active Directory.
• Describe how groups in Microsoft Windows® 2000 are used as distribution lists and which group types work in different situations.

Advantages of Integrating Exchange 2000 With Active Directory

Slide Objective: To explain the implications of using Active Directory instead of the dedicated directory that was used in previous versions of Exchange.

[Slide: three columns headed Functionality, Performance, and Ease of Use. Items shown: Granular Access Control; Reduced Replication Load; Unification of Common Windows/Exchange Objects; Improved LDAP Support; Unified Administrative Framework; Schema Extensibility; Removes Unused Directory Services; Smarter Replication Tuning; Move/Rename Object Flexibility]

Lead-in: Exchange 2000 uses the Windows 2000 Active Directory service instead of the dedicated directory that was used in previous versions of Exchange.

Previous versions of
Microsoft Exchange featured a dedicated directory that provided a single, central location where users and applications could look up and configure information about objects using Active Directory Service Interfaces (ADSI) with Lightweight Directory Access Protocol (LDAP). This directory stored all the information about an Exchange Server organization, such as addresses, mailboxes, distribution lists, and public folders, in addition to configuration information about sites and servers.

Benefits of Integration with Active Directory

Unlike previous versions of Exchange Server, Exchange 2000 no longer has a dedicated directory. Instead, Exchange 2000 integrates with the Windows 2000 Active Directory service. Unlike the Microsoft Windows NT® Security Accounts Manager (SAM), which was never designed to hold rich information about directory objects, such as telephone numbers, addresses, and certificates, Active Directory can hold the rich directory information required by Exchange 2000. Integration with Active Directory provides increased system performance and manageability while making directory management easier. Some of the features of Active Directory include:

• Centralized object management. Unified administration of Exchange 2000 and Windows NT directory objects allows an administrator to manage all user data in one place, with one set of tools.
• Simplified security management. The Exchange 2000 information store uses native Microsoft Windows 2000 SACLs so that changes to a single set of security groups will apply to data stored in both Exchange 2000 and Windows 2000 file shares.
• Simplified creation of distribution lists. Exchange 2000 automatically uses Windows 2000 security groups as distribution lists, removing the need to create a parallel set of distribution lists for each department or group.
• Easier access to directory information. Using LDAP as a native access protocol for directory information
makes access and hierarchy reconfiguration easier than in previous versions of Exchange.

All Exchange 2000 directory information (including mailboxes, information about servers and sites, and custom recipients) is stored in the Active Directory. Distribution lists are based on security groups in Active Directory, thus simplifying list administration. Recognizing that customers will migrate to Exchange 2000 over time, Microsoft provides the Active Directory Connector, which you can use to replicate directory information between Exchange 2000 and existing Exchange Server 5.5 sites.

Storage of Exchange 2000 Data in Active Directory

Slide Objective: To provide an overview of data storage in Exchange 2000.

• Data Partitions in Active Directory
• Domain Partition
• Configuration Partition
• Schema Partition
• Global Address List
• Selecting Attributes to Replicate to the Global Catalog

Lead-in: Exchange 2000 stores all of its data in Active Directory.

With the advent of Active Directory in Windows 2000, the directory database that the operating system provides is now used to store Exchange 2000 data, such as recipient objects, configuration data, schema attributes, and the global address list. A separate directory for Exchange is no longer necessary; Exchange 2000 is fully integrated with Active Directory.

Data Partitions in Active Directory

Slide Objective: To introduce the idea of data partitions and the three types of partitions.

[Slide: Domain Partition, Configuration Partition, Schema Partition. Labels shown: Groups; Users; Computers; Replication Technology; Exchange Configuration; Sites; CN=Schema, CN=Configuration, DC=nwtraders, DC=msft]

Lead-in: All data stored in Active Directory is partitioned into three categories: domain, configuration, and schema.

Delivery Tip: This slide is like a sub-diamond inside the larger topic because it introduces
the following three slides. Introduce the idea of data partitions but save the details for the following slides.

The information stored in Active Directory on every domain controller in the forest is partitioned into three categories: domain, configuration, and schema data. These directory partitions are the units of replication in Active Directory. If the domain controller is also a global catalog server, it also holds a partial set of the attributes stored in the global catalog.

Note: You can view the domain, configuration, and schema partitions by using ADSI Edit, which is included in the Windows 2000 Support Tools.

Domain Partition

Slide Objective: To explain the new terms introduced in Active Directory and equate them to similar terms from Exchange Server 5.5.

[Slide: Domain Partition, Configuration Partition, Schema Partition. Labels shown: Groups; Users; Computers; Replication Technology; Exchange Configuration; Sites; CN=Schema, CN=Configuration, DC=nwtraders, DC=msft]

Lead-in: Most of the object classes used in Exchange Server 5.5 still exist in Exchange 2000, but some of their names have changed.

The domain partition contains all of the objects in the directory for a domain. Domain data in each domain is replicated to every domain controller in that domain, but not beyond its domain. Domain objects include recipient objects such as users, contacts, and groups.

Because of the consolidation and redesign of the directory structure, the object classes and terms have changed between Exchange 2000 and previous versions of Exchange Server. The following table compares the object classes and terms between Exchange 2000 and previous versions of Exchange.

Exchange 5.x Directory Object: Mailbox
Equivalent Object in Active Directory: Mailbox-enabled User
Comments: Mailbox-enabled users are security principals in Active Directory. These users can send and receive messages and have a Simple Mail Transfer Protocol (SMTP) address. In
addition, this type of user account will have more property pages than a standard account and more options on the right-click menu.

The following table summarizes security group membership rules.

Group Scope: Domain local
In Mixed Mode Can Contain: User accounts and global groups from any domain
In Native Mode Can Contain: User accounts, global groups, and universal groups from any domain in the forest, and domain local groups from the same domain
Can be a Member of: Domain local groups in the same domain
Can be Granted Permissions for: The domain in which the domain local group exists

Group Scope: Global
In Mixed Mode Can Contain: User accounts from the same domain
In Native Mode Can Contain: User accounts and global groups from the same domain
Can be a Member of: Universal and domain local groups in any domain and global groups in the same domain
Can be Granted Permissions for: All domains in the forest

Group Scope: Universal
In Mixed Mode Can Contain: Not applicable
In Native Mode Can Contain: User accounts, global groups, and other universal groups from any domain in the forest
Can be a Member of: Domain local and universal groups in any domain
Can be Granted Permissions for: All domains in the forest

Key Points: Limit the use of universal groups to groups that are widely used in your enterprise and are relatively static as far as membership changes.

Selecting a Group Scope

The global catalog maintains a list of universal group memberships. Global and domain local groups are listed in the global catalog, but their membership is not. Each change to the membership of a universal group is replicated to all global catalog servers. By minimizing the use of universal groups, you will reduce the size of the global catalog, thereby reducing the amount of traffic on your network caused by replication of the global catalog.

Limit Membership in Universal Groups to Other Groups

Including only groups, not individual user accounts, in universal groups enables you to adjust the user accounts that are members of the universal group by adjusting the membership of the groups that are part of the universal group. Because this does not directly affect the
membership of the universal group, no replication traffic is generated.

Limit the Use of Universal Groups

This can help you to reduce the size of access tokens when resources are in different domains. If you use global and domain local groups, the access tokens contain the global and domain local groups that are applicable to the domain in which the resource exists. If you use universal groups, the access tokens contain a list of all of the universal groups the user belongs to, even if those universal groups are not used in that domain.
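
An added example, not part of the original courseware: a Python check of a constructed group snapshot against the "Can Contain" rules in the security group membership table, plus the recommendation to put groups rather than user accounts in universal groups. The Principal class, the audit function, the group names and the sales domain are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Principal:
    name: str
    kind: str                 # "user", "global", "domain_local" or "universal"
    domain: str
    members: list = field(default_factory=list)   # used only when kind is a group scope

# "Can Contain" columns of the security group table. For each container scope:
# member kind -> True (any domain) / False (same domain as the container only).
CAN_CONTAIN = {
    "mixed": {
        "domain_local": {"user": True, "global": True},
        "global": {"user": False},
        "universal": {},      # "Not applicable" in mixed mode
    },
    "native": {
        "domain_local": {"user": True, "global": True, "universal": True,
                         "domain_local": False},
        "global": {"user": False, "global": False},
        "universal": {"user": True, "global": True, "universal": True},
    },
}

def audit(groups, mode="native"):
    """Return (group, member, finding) tuples for a list of group Principals."""
    findings = []
    for g in groups:
        allowed = CAN_CONTAIN[mode][g.kind]
        for m in g.members:
            if m.kind not in allowed:
                findings.append((g.name, m.name, "violation: member type not allowed"))
            elif not allowed[m.kind] and m.domain != g.domain:
                findings.append((g.name, m.name, "violation: member must be in same domain"))
            elif g.kind == "universal" and m.kind == "user":
                # Page guidance: put groups, not user accounts, in universal groups
                findings.append((g.name, m.name, "advice: nest a global group instead"))
    return findings

# Constructed sample forest (not from the page): domains nwtraders and sales.
alice = Principal("alice", "user", "nwtraders")
bob = Principal("bob", "user", "sales")
g_mkt = Principal("G-Marketing", "global", "nwtraders", [alice, bob])
u_all = Principal("U-AllStaff", "universal", "nwtraders", [g_mkt, alice])
dl_share = Principal("DL-Share", "domain_local", "sales", [u_all, g_mkt])
SAMPLE = [g_mkt, u_all, dl_share]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Running the same snapshot with mode="mixed" also flags every universal-group membership, since the table lists universal security groups as not applicable in mixed mode.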

Date posted: 17/01/2014, 08:20
