Exchange Server 2010 and Active Directory

As far as Active Directory is concerned, its minimum level needs to be on a Windows Server 2003 level, both for the domain functional level as well as the forest functional level. This might be confusing, since Exchange Server 2010 only runs on Windows Server 2008 or Windows Server 2008 R2, but that's just the actual server which Exchange Server 2010 is running on!

The Schema Master in the forest needs to be Windows Server 2003 SP2 server (Standard or Enterprise Edition) or higher. Likewise, in each Active Directory Site where Exchange Server 2010 will be installed, there must be at least one Standard or Enterprise Windows Server 2003 SP2 (or higher) server configured as a Global Catalog server.

From a performance standpoint, as with Exchange Server 2007, the ratio of 4:1 for Exchange Server processors to Global Catalog server processors still applies to Exchange Server 2010. Using a 64-bit version of Windows Server for Active Directory will naturally also increase the system performance.

NOTE

It is possible to install Exchange Server 2010 on an Active Directory Domain Controller. However, for performance and security reasons it is recommended not to do this, and instead to install Exchange Server 2010 on a member server in a domain.

1 Active Directory partitions

A Windows Server Active Directory consists of one forest, one or more domains and one or more sites. Exchange Server 2010 is bound to a forest, and therefore one Exchange Server 2010 Organization is connected to one Active Directory forest. The actual information in an Active Directory forest is stored in three locations, also called partitions:

• Schema partition – this contains a "blue print" of all objects and properties in Active Directory. In a programming scenario this would be called a class. When an object, like a user, is created, it is instantiated from the user blueprint in Active Directory.

• Configuration partition – this contains information that's used throughout the forest. Regardless of the number of domains that are configured in Active Directory, all domain controllers use the same Configuration Partition in that particular Active Directory forest. As such, it is replicated throughout the Active Directory forest, and all changes to the Configuration Partition have to be replicated to all Domain Controllers. All Exchange Server 2010 information is stored in the Configuration Partition.

• Domain Partition – this contains information regarding the domains installed in Active Directory. Every domain has its own Domain Partition, so if there are 60 domains installed there will be 60 different Domain Partitions. User information, including Mailbox information, is stored in the Domain Partition.

2 Delegation of control

Figure 1. The Configuration partition in Active Directory holds all information regarding Exchange Server 2010 in an Administrative Group.

In Exchange Server 2003 the concept of "Administrative Groups" was used to delegate control between different groups of administrators. A default "First Administrative Group" was created during installation, and subsequent Administrative Groups could be created to install more Exchange 2003 servers and delegate control of these servers to other groups. The Administrative Groups were stored in the Configuration Partition so all domains and thus all domain controllers and Exchange servers could see them.

Exchange Server 2007 used Active Directory Security Groups for delegation of control, and only one Administrative Group is created during installation of Exchange Server 2007, called "Exchange Administrative Group – FYDIBOHF23SPDLT."^[1] All servers in the organization are installed in this Administrative Group. Permissions are assigned to Security Groups and Exchange administrators are member of these Security Groups.

^[1] 1 Just shift all letters in the word FYDIBOHF23SPDLT to the left and you get EXCHANGE12ROCKS.

3 Active Directory Sites

Exchange Server 2010 uses Active Directory Sites for routing messages. But what is an Active Directory site?

When a network is separated into multiple physical locations, connected with "slow" links and separated into multiple IP subnets then, in terms of Active Directory, we're talking about sites. Say, for example, there's a main office located in Amsterdam with an IP subnet of 10.10.0.0/16. There's a branch office located in London, and this location has an IP subnet of 10.11.0.0/16. Both locations have their own Active Directory Domain Controller, handling authentication for clients in their own subnet. Active Directory site links are created to control replication traffic between sites. Clients in each site use DNS to find services like Domain Controllers in their own site, thus preventing using services over the WAN link.

Figure 2. Two subnets in Active Directory, one for the main office and one for the Amsterdam Datacenter.

Exchange Server 2010 uses Active Directory sites for routing messages between sites. Using our current example, if there is an Exchange Server 2010 Hub Transport Server in Amsterdam and an Exchange Server 2010 Hub Transport Server in London, then the IP Site Links in Active Directory are used to route messages from Amsterdam to London. This concept was first introduced in Exchange Server 2007, and nothing has changed in Exchange Server 2010.

Exchange Server 2003 used the concept of Routing Groups, where Active Directory already used Active Directory Sites; Active Directory Sites and Exchange Server Routing Groups are not compatible with each other. To have Exchange Server 2003 and Exchange Server 2010 work together in one Exchange organization, some special connectors have to be created – the so-called Interop Routing Group Connector.