Examining the Role of Domain Controllers in AD


Exchange has always relied on domain controllers for authentication of user accounts. Mailboxes in Exchange 5.5 were controlled through the application of security from Windows NT 4.0 and, later, Active Directory domain accounts. It should come as no surprise, consequently, that Exchange Server 2003 also relies on Active Directory domain controllers for authentication purposes. Proper placement of DCs is also important.

Examining Domain Controller Authentication in Active Directory

To understand how Exchange manages security, an analysis of Active Directory authentication is required. This information aids in troubleshooting the environment, as well as in gaining a better understanding of Exchange Server 2003 as a whole.

Each object in Exchange, including all mailboxes, can have security directly applied for the purposes of limiting and controlling access to those resources. For example, a particular administrator may be granted access to control a certain set of Exchange Servers, and users can be granted access to mailboxes. What makes Exchange particularly useful is that security rights can be assigned not only at the object level but at the attribute level too. This enables granular administration, by allowing such tasks as a Telecom group being able to modify only the phone number field of a user, for example.

When a user logs in to a domain, the domain controller verifies that the supplied username and password match the credentials stored for that account. If they match, the client is authenticated and granted the rights to access resources, including Exchange Server 2003 mailboxes.

Because the domain controllers provide users with the keys to access the resources, it is important to provide local access to domain controllers for all Exchange servers. If a local domain controller became unavailable, for example, users would be unable to authenticate to their mailboxes in Exchange, effectively locking them out.

Domain Controller Placement with Exchange Server 2003

As previously identified, Exchange relies heavily on the authentication performed by Active Directory domain controllers, so the placement of those domain controllers becomes an important part of Exchange Server 2003 design. In general, at least one Active Directory domain controller must be in close proximity to any Exchange server to provide fast authentication for local users and mailboxes. In some smaller sites, this might mean placing the domain controller role on the physical Exchange server itself. It is important to note, however, that separating the domain controller function from Exchange is preferable, gives the greatest performance boost, and should be considered in all but the smallest sites.

Other sites may deploy more than one Active Directory domain controller for user authentication. This distributes domain controller tasks and also builds redundancy into the design. Because each DC is multimaster, if one goes down, the other is able to take over domain controller responsibilities.

NOTE

Although Active Directory domain controllers are multimaster, downlevel clients (Windows NT 4.0 and lower) still require access to a Windows NT Primary Domain Controller (PDC) equivalent. A single Windows 2000/2003 DC acts as the PDC Emulator for each domain, and is not multimaster for that role. If the AD DC with this role goes down, the downlevel clients are disrupted as if their NT PDC went down. Windows 2000/XP-and-higher clients do not have this problem, however, because they are able to take advantage of the multimaster DC approach.
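The placement and redundancy rules above, together with the single-master PDC Emulator caveat in the note, can be checked from a domain-joined server. The following PowerShell script is an added example, not code from the book: it lists the domain controllers in this server's AD site, tests Kerberos and LDAP reachability for each, and reports the PDC Emulator holder. It assumes Windows PowerShell with the .NET System.DirectoryServices assembly on a domain member; the TCP port probe is a constructed helper.

```powershell
# Added example (not from the book): report whether this domain-joined server
# has local, redundant domain controllers and which DC holds the PDC Emulator role.
# Assumes Windows PowerShell on a domain member; Test-TcpPort is a constructed helper.
Add-Type -AssemblyName System.DirectoryServices

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$site   = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()

# Domain controllers for this domain that sit in the same AD site as this server
$localDCs = @($site.Servers | Where-Object { $_.Domain.Name -eq $domain.Name })
$localNames = @($localDCs | ForEach-Object { $_.Name })

Write-Host "Domain: $($domain.Name)   Site: $($site.Name)"
Write-Host "PDC Emulator (single-master role): $($domain.PdcRoleOwner.Name)"
Write-Host "DC the locator currently selects: $($domain.FindDomainController($site.Name).Name)"

foreach ($dc in $localDCs) {
    # Kerberos (TCP 88) and LDAP (TCP 389) are what clients and Exchange need
    # for authentication and directory lookups against a DC
    $krb  = Test-TcpPort -HostName $dc.Name -Port 88
    $ldap = Test-TcpPort -HostName $dc.Name -Port 389
    Write-Host ("  {0,-40} Kerberos:{1,-6} LDAP:{2}" -f $dc.Name, $krb, $ldap)
}

# Placement checks from the chapter: at least one local DC, ideally two for redundancy
if ($localDCs.Count -eq 0) {
    Write-Warning "No domain controller in site $($site.Name); authentication depends on a remote site."
} elseif ($localDCs.Count -eq 1) {
    Write-Warning "Only one local DC; if it fails, users in this site cannot authenticate."
}
# The PDC Emulator is not multimaster: downlevel clients in this site depend on it wherever it is
if ($localNames -notcontains $domain.PdcRoleOwner.Name) {
    Write-Host "Note: the PDC Emulator is in another site; downlevel clients here depend on that link."
}
```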




Microsoft Exchange Server 2003 Unleashed (2nd Edition)
ISBN: 0672328070
Year: 2003
Pages: 393
Authors: Rand Morimoto
