Why Active Directory?

Exchange Server 2003 relies heavily on the Microsoft Active Directory (AD) directory service for all its directory operations. Active Directory provides mailbox information, address lists information, and other recipient-related information. Active Directory also stores Exchange 2003 configuration information and acts as a security guard, ensuring that only authorized users can access mailboxes and only authorized administrators can modify the Exchange configuration in the organization.

Exchange 2003 also extends Active Directory with a number of Exchange-specific attributes and classes by importing a series of .ldf files into Active Directory during the Exchange setup process. The .ldf files (Schema0.ldf to Schema9.ldf) are in the \Setup\i386\Exchange directory on the Exchange Server CD; Exschema.ldf is located in the \Setup\i386\Exchange\Bin directory. Beyond the schema changes, Active Directory brings certain advantages to Exchange 2003.
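Because a schema extension is forest-wide and cannot be rolled back, it is worth knowing what an .ldf file will create or modify before it is imported. The following reader is an added example for this chapter, not part of the Exchange setup files or of Microsoft's tooling: it parses an LDIF file in the RFC 2849 layout used by AD schema .ldf files (blank-line record separators, `#` comments, folded lines starting with a space, `::` for base64 values) and reports the new attributeSchema and classSchema objects plus any `modify` records that touch existing objects. The embedded sample is constructed to mirror that layout; its attribute and class names are placeholders, not real Exchange schema names.

```python
"""Summarize what an AD schema extension LDIF (.ldf) would add or change.

Added example, not part of the Exchange 2003 setup files. Assumes the
RFC 2849 LDIF layout that AD schema .ldf files use.
"""
import base64

# Constructed sample modeled on the layout of AD schema .ldf files; the
# ms-Exch-Example-* names are placeholders, not real Exchange schema objects.
SAMPLE_LDF = """\
# constructed example, not Schema0.ldf
dn: CN=ms-Exch-Example-Attribute,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
lDAPDisplayName: msExchExampleAttribute
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
adminDescription:: RXhhbXBsZQ==

dn: CN=ms-Exch-Example-Class,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
lDAPDisplayName: msExchExampleClass
subClassOf: top
mayContain: msExchExampleAttribute

dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: auxiliaryClass
auxiliaryClass: msExchExampleClass
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
"""


def parse_ldif(text):
    """Return a list of records, each {attribute_name_lowercased: [values]}."""
    records, current, pending = [], {}, None

    def commit(line):
        # Comments and the '-' that separates modify operations carry no data.
        if line is None or line.startswith("#") or line == "-":
            return
        name, _, value = line.partition(":")
        if value.startswith(":"):          # '::' marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)

    for raw in text.splitlines():
        if raw.startswith(" "):             # folded continuation of the previous line
            pending = (pending or "") + raw[1:]
            continue
        commit(pending)
        pending = None
        if raw.strip() == "":               # a blank line ends the record
            if current:
                records.append(current)
                current = {}
        else:
            pending = raw
    commit(pending)
    if current:
        records.append(current)
    return records


def summarize_schema_change(text):
    """Classify records into new attributes, new classes, and modifications
    of existing objects (the empty-DN RootDSE record is the schema reload)."""
    summary = {"attributes": [], "classes": [], "modified": [], "other": []}
    for rec in parse_ldif(text):
        dn = rec.get("dn", [""])[0]
        change = rec.get("changetype", ["add"])[0].lower()
        classes = {c.lower() for c in rec.get("objectclass", [])}
        display = rec.get("ldapdisplayname", [dn])[0]
        if change == "add" and "attributeschema" in classes:
            summary["attributes"].append(display)
        elif change == "add" and "classschema" in classes:
            summary["classes"].append(display)
        elif change == "modify":
            touched = rec.get("add", []) + rec.get("replace", []) + rec.get("delete", [])
            summary["modified"].append((dn or "RootDSE", touched))
        else:
            summary["other"].append(dn)
    return summary


if __name__ == "__main__":
    for kind, items in summarize_schema_change(SAMPLE_LDF).items():
        print(kind, items)
```

Run against a real Schema*.ldf, the `modified` list is the part to read first: it shows which existing classes (such as User) gain auxiliary classes or new `mayContain` entries, which is exactly the change that replicates to every domain controller in the forest once `schemaUpdateNow` is processed.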

Active Directory Advantages

Improvements in Active Directory deliver many key benefits for medium and large enterprises, enabling greater administrator and user productivity. Windows Server 2003 improves the versatility, manageability, and dependability of the Active Directory found in previous server versions. While benefiting from lower cost and higher productivity, organizations will also benefit from the following:

  • Easier deployment and management

  • Improved performance

  • Greater security

Deployment and management is significantly easier with improved migration and management tools, such as Active Directory Migration Tool (ADMT) 2.0 and the Domain Rename feature, which gives you the capability to rename Active Directory domains. Another tool, the Microsoft Group Policy Management Console (GPMC), provides a single solution for managing all Group Policy-related tasks for multiple domains and sites within a given forest using a simple user interface with drag-and-drop support.

Performance has been significantly improved; administrators now have more control over AD replication and synchronization between domain controllers in the same domain and across domains. The replication process has been improved within Active Directory so that administrators can select only changed information for replication, and entire portions of the directory no longer need to be re-sent over slow WAN links. In addition, the capability to log on with cached credentials without having to contact a global catalog server improves system performance for remote offices over slow or problematic WAN links.

As a result of Microsoft's Trustworthy Computing Initiative, security has also been improved within Active Directory. Cross-forest trust provides an easy way of managing security between two forests and simplifies cross-forest administration and authentication. Not only do administrators benefit, but users benefit from single sign-on (SSO) capability when accessing resources residing outside their own forest. A new addition to Active Directory, the Credential Manager, provides a secure store of user credentials, passwords, and X.509 certificates. Because all this information is contained in a single place, the new Credential Manager provides a consistent SSO experience for users, no matter where they access their network.

Requirements for Exchange Server 2003

Exchange 2003 works with Active Directory in much the same way as Exchange 2000 and benefits from the same preparation and planning as Exchange 2000. Prior to Exchange 2000, Exchange could be installed only in a Windows NT domain. Because of its dependence on Active Directory, Exchange Server 2003 can be deployed only in Windows 2000 and Windows Server 2003 environments.


Although Active Directory is a requirement for Exchange 2003, Exchange 2003 should not be installed on a domain controller because of security and performance issues.

A global catalog server, which holds information about users and mailboxes, is required in addition to Active Directory. The global catalog server must run Windows 2000 SP3 or later, or Windows Server 2003, and must reside in each Active Directory site that contains an Exchange Server 2003 server.

The security boundary of Active Directory is called the forest. A one-to-one relationship exists between Active Directory forests and Exchange organizations; a forest can have only one Exchange organization, and an Exchange organization can span one forest but not multiple forests.

After preliminary Active Directory planning is complete, the directory must be extended to install Exchange. ForestPrep prepares Active Directory and extends the schema with additional object classes; the schema acts as the "governor," which enforces the rules and maintains the structure and content of Active Directory. To run ForestPrep, you must be logged in to the local machine with administrator rights and be a domain administrator; your domain account must also be a member of the Enterprise Admins and Schema Admins groups. After ForestPrep is completed, the domain must be prepped for Exchange 2003.


It can take a considerable amount of time to update the schema via ForestPrep. When the schema update is finished, the new changes are replicated from the computer on which they were made to every other domain controller in the AD forest. Because this can have a negative effect on the network, depending on the number of domain controllers, it is recommended that you run this tool during off hours or when network activity is minimal.

Like ForestPrep, DomainPrep is run during the Exchange installation process (or as a standalone process) and must be run in each domain that supports Exchange users or Exchange 2003 servers. DomainPrep prepares the domain for Exchange 2003 by creating security groups and containers and setting the permissions necessary for Exchange 2003. To run DomainPrep, you must be logged in to the local machine with administrator rights and be logged in to the domain as a member of the Domain Admins group. After DomainPrep is completed, the Exchange 2003 installation process can continue.

