Configuring the Active Directory Organizational Unit Hierarchy


When you run Exchange in a Windows Server 2003 cluster, the Exchange Virtual Server (EVS) computer account that is created must be configured such that no security policies are directly applied to it. Because the EVS computer account is a byproduct of the Windows® Cluster configuration, applying security policies to the EVS computer account is unnecessary. In fact, applying security policies to the EVS computer object will likely result in malfunction. Therefore, you must move the EVS computer account such that it does not inherit any of the security Group Policy Objects (GPOs) from either the Windows or the Exchange GPO security policies. In addition, to manage the computer account properties, the Cluster service accounts in your organization must have full control on the EVS computer account. To achieve this, you must perform the following steps:

  1. Create the EVS organizational unit (OU).

  2. Turn off GPO inheritance on the EVS OU.

  3. Grant the Cluster service account full control on the EVS OU.

  4. Either move the EVS computer account into the new OU, or if the EVS computer account does not already exist, create it in the new OU.

Note

For detailed steps about how to create and configure the EVS OU, see How to Configure and Run Exchange Server 2003 Clusters in a Security-Hardened Environment.
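The four steps above, as an added PowerShell example that is not part of this topic or of the Exchange 2003 Cluster Node GPO templates. It assumes the ActiveDirectory and GroupPolicy PowerShell modules are available on the administrative workstation, and the domain, parent OU, EVS network name and Cluster service account name are placeholders.

```powershell
# Added example, not from the original topic. Assumes the ActiveDirectory and
# GroupPolicy modules; every name below is a placeholder for your environment.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN      = 'DC=contoso,DC=com'              # placeholder domain
$parentOuDN    = "OU=Member Servers,$domainDN"     # placeholder parent OU
$evsOuName     = 'Exchange Virtual Servers'
$evsOuDN       = "OU=$evsOuName,$parentOuDN"
$evsComputer   = 'EVS1'                            # placeholder EVS network name
$clusterSvcSam = 'ClusterSvc'                      # placeholder Cluster service account

# 1. Create the EVS OU.
New-ADOrganizationalUnit -Name $evsOuName -Path $parentOuDN `
    -ProtectedFromAccidentalDeletion $true

# 2. Turn off GPO inheritance so neither the Windows nor the Exchange
#    security GPOs linked above this OU reach the EVS computer account.
Set-GPInheritance -Target $evsOuDN -IsBlocked Yes

# 3. Grant the Cluster service account full control on the OU, inherited by
#    the objects inside it, so it can manage the EVS computer account.
$acl = Get-Acl -Path "AD:\$evsOuDN"
$sid = (Get-ADUser -Identity $clusterSvcSam).SID
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$evsOuDN" -AclObject $acl

# 4. Move an existing EVS computer account into the OU, or create it there.
$existing = Get-ADComputer -Filter "Name -eq '$evsComputer'"
if ($existing) {
    Move-ADObject -Identity $existing.DistinguishedName -TargetPath $evsOuDN
} else {
    New-ADComputer -Name $evsComputer -Path $evsOuDN
}

# Verify the result: inheritance is blocked and the account sits in the OU.
(Get-GPInheritance -Target $evsOuDN).GpoInheritanceBlocked
Get-ADComputer -Identity $evsComputer | Select-Object Name, DistinguishedName
```

Blocking inheritance does not stop GPOs linked with the Enforced (No Override) option higher in the tree, so confirm the resulting policy on the EVS account with `gpresult` or the Group Policy Results wizard after the move.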

If you followed the OU structure recommended by the Windows Server 2003 Security Guide and the Exchange Server 2003 Security Hardening Guide, then you can make the changes that are recommended in this topic by applying the Exchange 2003 Cluster Node GPO templates. The Exchange 2003 Cluster Node GPO templates are available with the Exchange Server 2003 Security Hardening Guide download package.

The following figure illustrates how the OU structure is updated when the additional clustering OUs are added.

[Figure: Organizational unit structure after clustering OUs are added (Organizational Unit Hierarchy with Exchange Clusters)]

The following two new OUs are added:

  • Exchange Virtual Servers is the OU that will contain the EVS instances.

  • Exchange Cluster Nodes is the OU that will contain the Exchange cluster nodes.

The Exchange Cluster Nodes OU inherits the GPO security configurations from both the Windows Member Server (included with the Windows Server 2003 Security Guide) and Exchange 2003 Backend security policies. To run Exchange clusters in this environment, you must apply the Exchange 2003 Cluster Node Base GPO template to the Exchange Cluster Nodes OU. For a description of the configuration changes made by the Exchange 2003 Cluster Node Base GPO template, see Configuring the Exchange 2003 Cluster Nodes.

Note

For detailed steps about how to create the Exchange Cluster Nodes OU and Policy GPO (including how to import the Exchange 2003 Cluster Node Base GPO template), see How to Configure and Run Exchange Server 2003 Clusters in a Security-Hardened Environment.

By applying the Exchange 2003 Cluster Node Base GPO template to the Exchange Cluster Nodes OU, you can consistently configure your Exchange clusters to run in the hardened environment.

For more information about creating the Active Directory OU hierarchy to support Exchange server roles, see "Security-Hardening Exchange 2003 Servers" in the Exchange Server 2003 Security Hardening Guide.

Important

If your OU structure does not mirror the recommended hierarchy in the Windows Server 2003 Security Guide and the Exchange Server 2003 Security Hardening Guide, do not manually apply the recommendations in this topic on each computer in your organization. Instead, it is recommended that you harden your Exchange and Windows infrastructure by applying GPOs to the OUs in your environment. This method provides for a consistent configuration across your organization. Use the recommendations in this topic to configure your OU hierarchy by applying the security templates to your corresponding OUs or by creating your own GPO security templates.