Understanding AD Functionality Modes and Their Relationship to Exchange Groups


Exchange Server 2003 and Active Directory functionality were designed to break through the constraints that limited Exchange 5.5 implementations. To accomplish this, however, some level of compatibility with downlevel NT domains and Exchange 5.5 organizations was required. These requirements led to the creation of several functional modes for AD and Exchange that limit the application of new functionality. Several of the limitations of the AD functional modes in particular affect Exchange Server 2003 itself, specifically Active Directory group functionality. Consequently, a firm grasp of these concepts is warranted.

Understanding Windows Group Types

Groups in Windows Server 2003 come in two flavors: security and distribution. In addition, groups can be organized into different scopes: machine local, domain local, global, and universal. It might seem complex, but the concept, once defined, is simple.

Defining Security Groups

The type of group that administrators are most familiar with is the security group. This type of group is used to apply permissions to resources en masse, so that large groups of users can be administered more easily. Security groups could be established for each department in an organization. For example, users in the marketing department could be given membership in a marketing security group. This group would then have permissions on specific directories in the environment. This concept should be familiar to anyone who has administered downlevel Windows networks, such as NT or Windows 2000.

Defining Distribution Groups in Exchange Server 2003

The concept of distribution groups in Windows Server 2003 was introduced in Windows 2000 with its implementation of Active Directory. Essentially, a distribution group is a group whose members are able to receive SMTP mail messages that are sent to the group. Any application that has the capability of using Active Directory for address book lookups can use this functionality in Windows Server 2003.

Distribution groups are often confused with mail-enabled groups, a concept in environments with Exchange 2000/2003. In addition, in most cases distribution groups are not used in environments without Exchange 2000/2003, because their functionality is limited to infrastructure that can support them.

NOTE

In environments with Exchange 2000/2003, distribution groups can be used to create email distribution lists that cannot be used to apply security. However, if separation of security and email functionality is not required, you can make security groups mail-enabled.


Mail-Enabled Groups in Exchange Server 2003

Exchange Server 2003 utilizes Active Directory mail-enabled groups to their full extent. These groups are essentially security groups that are referenced by an email address, and can be used to send SMTP messages to the members of the group. This type of functionality becomes possible only with the inclusion of Exchange 2000 or greater. Exchange 2000 actually extends the forest schema to enable Exchange-related information, such as SMTP addresses, to be associated with each group.

Most organizations will find that the concept of mail-enabled security groups satisfies most of the needs, both security and email, in an organization. For example, a single group called Marketing, which contains all users in that department, could also be mail-enabled to allow users in Exchange to send emails to everyone in the department.

Explaining Group Scope

Groups in Active Directory work the way that previous group structures, particularly in Windows NT, have worked, but with a few modifications to their design. As mentioned earlier, group scope in Active Directory is divided into several categories:

  • Machine Local Groups: Machine local groups, also known as local groups, previously existed in Windows NT 4.0 and can theoretically contain members from any trusted location. Users and groups in the local domain, as well as in other trusted domains and forests, can be included in this type of group. However, local groups allow access only to resources on the machine on which they are located, which greatly reduces their usability. Machine local groups are not used by Exchange Server 2003 for security.

  • Domain Local Groups: Domain local groups are essentially the same as local groups in Windows NT, and are used to administer resources located only in their own domain. They can contain users and groups from any other trusted domain and are typically used to grant access to resources for groups in different domains.

  • Global Groups: Global groups are on the opposite side of domain local groups. They can contain only users in the domain in which they exist, but are used to grant access to resources in other trusted domains. These types of groups are best used to supply security membership to user accounts that share a similar function, such as the sales global group.

  • Universal Groups: Universal groups can contain users and groups from any domain in the forest, and can grant access to any resource in the forest. With this added power come a few caveats: First, universal groups are available only in Windows 2000 or 2003 AD Native Mode domains. Second, all members of each universal group are stored in the Global Catalog, increasing the replication load. Universal group membership replication has been noticeably streamlined and optimized in Windows Server 2003, however, because the membership of each group is incrementally replicated.

Universal groups are particularly important for Exchange Server 2003. When migrating from Exchange 5.5 to Exchange 2003, for example, Exchange 5.5 distribution lists are converted into universal groups for the proper application of public folder and calendaring permissions. An AD domain that contains accounts that access Exchange 5.5 mailboxes must be in AD Native Mode before performing the migration. For more information on this concept, see Chapter 15, "Migrating from Exchange 5.5 to Exchange Server 2003."

Functional Levels in Windows Server 2003 Active Directory

Active Directory was designed to be backward compatible with Windows NT domain controllers. Four separate functional levels exist at the domain level in Windows Server 2003, and three separate functional levels exist at the forest level:

  • Windows Server 2003 Mixed: When Windows Server 2003 is installed in a Windows 2000 Active Directory forest that is running in Mixed Mode, Windows Server 2003 domain controllers will be able to communicate with Windows NT and Windows 2000 domain controllers throughout the forest. This is the most limiting of the functional levels, however, because certain functionality, such as universal groups, group nesting, and enhanced security, is absent from the domain. This is typically a temporary level to run in, because it is seen more as a path toward eventual upgrade.

  • Windows Server 2003 Native: Installed into a Windows 2000 Active Directory that is running in Windows 2000 Native Mode, Windows Server 2003 runs itself at a Windows 2000/2003 functional level. Only Windows 2000 and Windows Server 2003 domain controllers can exist in this environment.

  • Windows Server 2003 Interim: Windows Server 2003 interim mode gives Active Directory the capability of interoperating with a domain composed of Windows NT 4.0 domain controllers only. Although a confusing concept at first, the Windows Server 2003 interim functional level does serve a purpose. In environments that seek to upgrade directly from NT 4.0 to Windows Server 2003 Active Directory, interim mode enables Windows Server 2003 to manage large groups more efficiently than if an existing Windows 2000 Active Directory exists. After all NT domain controllers have been removed or upgraded, the functional levels can be raised.

  • Windows Server 2003: The most functional of all the various levels, Windows Server 2003 functionality is the eventual goal of all Windows Server 2003 Active Directory implementations. Functionality on this level opens the environment to features such as schema deactivation, domain rename, domain controller rename, and cross-forest trusts. To get to this level, first all domain controllers must be updated to Windows Server 2003. Only after this can the domains, and then the forest, be updated to Windows Server 2003 functionality.

As previously mentioned, it is preferable to convert AD domains into Windows Server 2003 Native Mode or Windows Server 2003 Functional Mode before migrating Exchange 5.5 servers that use those domains. The universal group capabilities that these modes provide make this necessary.

To change domain or forest functional levels in Active Directory to the highest level for Windows Server 2003, follow these steps:

  1. Open Active Directory Domains and Trusts from Administrative Tools.

  2. In the left scope pane, right-click Active Directory Domains and Trusts and then click Raise Domain Functional Level.

  3. In the box labeled Select an available domain functional level, select Windows Server 2003 and then choose Raise.

  4. Click OK, and then OK again to complete the task.

  5. Repeat the steps for all domains in the forest.

  6. Perform the same steps on the forest root, except this time click Raise Forest Functional Level and follow the prompts.

After the domains and the forest have been upgraded, the Functional Mode will indicate Windows Server 2003, as shown in Figure 8.8.

Figure 8.8. Windows Server 2003 functional forest.

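To check the group scope/type concepts and the functional levels described above against a live directory, here is an added PowerShell example (not from the book). It decodes the well-known groupType bits and reads the msDS-Behavior-Version and ntMixedDomain attributes through ADSI, and assumes the caller has read access to the domain and configuration partitions.

```powershell
# Added example, not from the book: decode groupType into the scope/type discussed above and read
# the domain/forest functional levels. Uses only ADSI (no extra modules), so it works against a
# Windows 2000/2003 forest; assumes read access to the domain and configuration partitions.
# Well-known groupType bits; PowerShell parses 0x80000000 as the negative Int32 that AD stores.
$GT_GLOBAL = 0x00000002; $GT_DOMAIN_LOCAL = 0x00000004; $GT_UNIVERSAL = 0x00000008
$GT_SECURITY = 0x80000000   # bit clear => distribution group

function ConvertFrom-GroupType {
    param([Parameter(Mandatory)][int]$GroupType)
    $scope = if     ($GroupType -band $GT_UNIVERSAL)    { 'Universal' }
             elseif ($GroupType -band $GT_GLOBAL)       { 'Global' }
             elseif ($GroupType -band $GT_DOMAIN_LOCAL) { 'DomainLocal' }
             else                                       { 'Unknown' }
    $type = if ($GroupType -band $GT_SECURITY) { 'Security' } else { 'Distribution' }
    [pscustomobject]@{ Scope = $scope; Type = $type }
}

function Get-GroupScopeReport {
    # Every group in the domain with its scope, type, and whether Exchange has mail-enabled it.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$(([ADSI]'LDAP://RootDSE').defaultNamingContext)"
    $searcher.Filter = '(objectCategory=group)'; $searcher.PageSize = 500
    foreach ($a in 'sAMAccountName', 'groupType', 'mail') { [void]$searcher.PropertiesToLoad.Add($a) }
    foreach ($r in $searcher.FindAll()) {
        $gt = ConvertFrom-GroupType ([int]$r.Properties['grouptype'][0])
        [pscustomobject]@{
            Name        = [string]$r.Properties['samaccountname'][0]
            Scope       = $gt.Scope
            Type        = $gt.Type
            MailEnabled = $r.Properties.Contains('mail')   # 'mail' is set only on mail-enabled groups
        }
    }
}

function Get-FunctionalLevel {
    # msDS-Behavior-Version: 0 = Windows 2000, 1 = Windows Server 2003 Interim, 2 = Windows Server 2003.
    # ntMixedDomain = 1 means Windows 2000 Mixed Mode, where universal security groups are unavailable.
    $names  = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 Interim'; 2 = 'Windows Server 2003' }
    $root   = [ADSI]'LDAP://RootDSE'
    $domain = [ADSI]"LDAP://$($root.defaultNamingContext)"
    $parts  = [ADSI]"LDAP://CN=Partitions,$($root.configurationNamingContext)"
    $dl = [int]$domain.Properties['msDS-Behavior-Version'].Value
    $fl = [int]$parts.Properties['msDS-Behavior-Version'].Value
    [pscustomobject]@{
        DomainLevel = $(if ($names.ContainsKey($dl)) { $names[$dl] } else { "Level $dl" })
        MixedMode   = ([int]$domain.Properties['ntMixedDomain'].Value -eq 1)
        ForestLevel = $(if ($names.ContainsKey($fl)) { $names[$fl] } else { "Level $fl" })
    }
}
Get-FunctionalLevel; Get-GroupScopeReport | Where-Object { $_.Scope -eq 'Universal' -or $_.MailEnabled } | Format-Table -AutoSize
```

Run it before an Exchange 5.5 migration: a MixedMode value of True or a DomainLevel below Windows Server 2003 means the universal groups the migration creates will not be available yet.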

NOTE

Domain rename functionality in a Windows Server 2003 functional forest was originally created to change only the name of forests with a default Windows Server 2003 schema. This precluded the ability to rename domains that had schema extensions for Exchange 2000/2003. Domain rename capability with Exchange Server 2003 forests, however, is slated to be included in Exchange Server 2003 Service Pack 1.


Exchange Server 2003 Functional Modes

Not to be confused with Windows Server 2003 functional modes, Exchange can be run in two operational modes:

  • Mixed Mode: An Exchange Server 2003 organization running in Mixed Mode can support Exchange 5.5 servers as part of the organization. Exchange routing groups and administrative groups cannot be separated when running in this mode, however.

  • Native Mode: Native Mode in Exchange Server 2003 supports both Exchange 2000 and Exchange 2003 servers. In addition, Native Mode Exchange organizations support multiple routing groups within the same administrative group.

NOTE

There is no difference in functionality between Exchange Server 2003 and Exchange 2000 from a functional mode perspective. There is no option to upgrade to an Exchange Server 2003-only mode.


To make the change from Exchange Mixed Mode to Native Mode, click the Change Mode button in the properties of the organization, as illustrated in Figure 8.9.

Figure 8.9. Switching to Exchange Server 2003 Native Mode.



Microsoft Exchange Server 2003 Unleashed (2nd Edition)
ISBN: 0672328070
Year: 2003
Pages: 393
Authors: Rand Morimoto
