Directory Integration


The Exchange Server 2003 information in Active Directory includes information about recipients in the messaging system, as well as configuration information about the messaging organization. Active Directory also provides the security subsystem for Exchange Server 2003. Active Directory security ensures that only authorized users can access mailboxes and that only authorized administrators can modify the Exchange configuration in the organization.

Recipient Objects in the Directory

Recipients in an Exchange Server 2003 organization are represented by recipient objects in Active Directory. The following five types of recipient objects are contained in an Exchange Server 2003 organization:

  • Mailbox-enabled user accounts   A mailbox-enabled user is the most common recipient object in an Exchange Server 2003 organization. A mailbox-enabled user is a Windows user with a mailbox on a server running Exchange Server. A mailbox-enabled user account is an Active Directory object that has a unique security identifier (SID) assigned to it. This identifier enables the user to access resources in the Active Directory domain. When a user account is mailbox-enabled, it has a mailbox on a server running Exchange Server, which enables the user to send and receive e-mail messages using a supported client, such as Microsoft Office Outlook.

  • Mail-enabled user accounts   A mail-enabled user has an e-mail address but does not have a mailbox on a server running Exchange Server. A mail-enabled user account has a SID and can access resources in the Active Directory domain, but the e-mail address that is used to mail-enable the user account refers to a mailbox in a non-Exchange or external messaging system. Mail-enabled user accounts are listed in the global address list.

  • Mail-enabled contacts   A mail-enabled contact is not a security principal: it has no SID and no mailbox in the Exchange organization. A contact therefore cannot log on or access resources in the domain, but it is visible in the global address list. E-mail messages sent to a contact are routed to the external e-mail address associated with the contact object.

  • Mail-enabled groups   A mail-enabled group is a collection of users, groups, and contacts that have e-mail addresses. Both distribution groups and security groups can be mail-enabled, but universal scope is recommended for e-mail purposes, because only the membership of universal groups is replicated to the global catalog and can therefore be expanded from any domain in the forest. A mail-enabled group is often called a distribution list, because it is assigned an e-mail address. When a message is sent to the group, Exchange Server 2003 expands the group membership and delivers the message to each individual recipient. Exchange Server 2003 also supports query-based distribution groups, which are distribution lists whose membership is determined at delivery time by a Lightweight Directory Access Protocol (LDAP) query rather than by a static member list.

  • Mail-enabled Public Folders   A mail-enabled public folder is a public folder to which you can send e-mail messages. A mail-enabled public folder has a unique e-mail address and can be displayed in the global address list.
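The following script, an added example that is not part of the original documentation, shows how the five recipient types are told apart in the directory and how a query-based distribution group is expanded. The attribute names (objectClass, objectSid, mailNickname, homeMDB, targetAddress, groupType, msExchDynamicDLFilter, msExchDynamicDLBaseDN) are the real Active Directory and Exchange schema attributes; the directory entries, DNs and addresses are constructed sample data, and the LDAP filter evaluator is a minimal local stand-in for the query a global catalog server would run.

```python
"""Classify Exchange Server 2003 recipient objects from their Active Directory
attributes and expand a query-based distribution group by evaluating its LDAP
filter locally. Added example; all entries below are constructed sample data."""
import re

# groupType bit flags (scope in the low bits, security flag in the high bit)
GT_GLOBAL, GT_DOMAIN_LOCAL, GT_UNIVERSAL, GT_SECURITY = 0x2, 0x4, 0x8, 0x80000000

# Constructed entries: one of each recipient type plus a non-recipient user.
MDB = ("CN=Mailbox Store (EX01),CN=First Storage Group,CN=InformationStore,CN=EX01,"
       "CN=Servers,CN=First Administrative Group,CN=Administrative Groups,"
       "CN=Contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=corp,DC=example")
DIRECTORY = [
    {"dn": "CN=Alice,OU=Users,DC=corp,DC=example", "objectClass": ["user"],
     "objectSid": "S-1-5-21-1-2-3-1105", "mailNickname": "alice",
     "mail": "alice@corp.example", "homeMDB": MDB, "department": "Finance"},
    {"dn": "CN=Bob,OU=Users,DC=corp,DC=example", "objectClass": ["user"],
     "objectSid": "S-1-5-21-1-2-3-1106", "mailNickname": "bob", "mail": "bob@corp.example",
     "targetAddress": "SMTP:bob@partner.example", "department": "Finance"},
    {"dn": "CN=Carol,CN=Users,DC=corp,DC=example", "objectClass": ["contact"],
     "mailNickname": "carol", "mail": "carol@vendor.example",
     "targetAddress": "SMTP:carol@vendor.example"},
    {"dn": "CN=Finance,OU=Groups,DC=corp,DC=example", "objectClass": ["group"],
     "objectSid": "S-1-5-21-1-2-3-2201", "mailNickname": "finance",
     "mail": "finance@corp.example", "groupType": GT_UNIVERSAL | GT_SECURITY},
    {"dn": "CN=All Finance,OU=Groups,DC=corp,DC=example",
     "objectClass": ["msExchDynamicDistributionList"], "mailNickname": "allfin",
     "mail": "allfinance@corp.example", "msExchDynamicDLBaseDN": "OU=Users,DC=corp,DC=example",
     "msExchDynamicDLFilter": "(&(mailNickname=*)(department=Finance))"},
    {"dn": "CN=Helpdesk,CN=Microsoft Exchange System Objects,DC=corp,DC=example",
     "objectClass": ["publicFolder"], "mailNickname": "helpdesk", "mail": "helpdesk@corp.example"},
    {"dn": "CN=svc-backup,OU=Service,DC=corp,DC=example", "objectClass": ["user"],
     "objectSid": "S-1-5-21-1-2-3-1107"},
]


def classify(entry):
    """Return the recipient type of an entry, or None if it is not a recipient."""
    oc = set(entry["objectClass"])
    if "msExchDynamicDistributionList" in oc:
        return "query-based distribution group"
    if "mailNickname" not in entry:          # neither mail- nor mailbox-enabled
        return None
    if "publicFolder" in oc:
        return "mail-enabled public folder"
    if "group" in oc:
        return "mail-enabled group"
    if "contact" in oc:
        return "mail-enabled contact"
    if "user" in oc:                         # homeMDB points at a store in the config partition
        return "mailbox-enabled user" if "homeMDB" in entry else "mail-enabled user"
    return None


def is_security_principal(entry):
    """Only objects with a SID can be granted access to domain resources."""
    return "objectSid" in entry


def describe_group(entry):
    """Decode groupType into '<scope> <type>', e.g. 'universal security'."""
    gt = entry["groupType"]
    scope = {GT_GLOBAL: "global", GT_DOMAIN_LOCAL: "domain local", GT_UNIVERSAL: "universal"}[gt & 0xE]
    return f"{scope} {'security' if gt & GT_SECURITY else 'distribution'}"


def _parse(f, i):
    """Parse the filter component starting at f[i] == '('; return (node, next index).
    Supports &, |, !, equality and presence/wildcard matching only."""
    i += 1
    if f[i] in "&|!":
        op, i, kids = f[i], i + 1, []
        while f[i] == "(":
            node, i = _parse(f, i)
            kids.append(node)
        return (op, kids), i + 1                 # skip the closing ')'
    end = f.index(")", i)
    attr, _, val = f[i:end].partition("=")
    return ("=", attr, val), end + 1


def _match(node, entry):
    op = node[0]
    if op == "&":
        return all(_match(k, entry) for k in node[1])
    if op == "|":
        return any(_match(k, entry) for k in node[1])
    if op == "!":
        return not _match(node[1][0], entry)
    _, attr, val = node
    if attr not in entry:
        return False
    values = entry[attr] if isinstance(entry[attr], list) else [entry[attr]]
    pattern = ".*".join(re.escape(p) for p in val.split("*"))   # '*' is an LDAP wildcard
    return any(re.fullmatch(pattern, str(v), re.IGNORECASE) for v in values)


def expand_query_based_group(group, directory):
    """Expand a query-based DG the way Exchange does: apply its LDAP filter under its base DN."""
    node, _ = _parse(group["msExchDynamicDLFilter"], 0)
    base = group["msExchDynamicDLBaseDN"]
    return sorted(e["mail"] for e in directory
                  if e["dn"].endswith(base) and "mail" in e and _match(node, e))


if __name__ == "__main__":
    for e in DIRECTORY:
        print(f"{e['dn']:<60} {classify(e)}  SID={is_security_principal(e)}")
    print("All Finance expands to:", expand_query_based_group(DIRECTORY[4], DIRECTORY))
```

The classification order matters: a query-based distribution group has no member attribute, so it is recognised by object class alone, and anything else without mailNickname is not a recipient at all. The same tests, issued as LDAP filters against a global catalog, are `(&(objectClass=user)(homeMDB=*))` for mailbox-enabled users, `(&(objectClass=user)(mailNickname=*)(!(homeMDB=*)))` for mail-enabled users, `(&(objectClass=contact)(mailNickname=*))` for contacts, `(&(objectClass=group)(mailNickname=*))` for groups and `(objectClass=msExchDynamicDistributionList)` for query-based groups.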

Note

Exchange recipient objects are stored in the domain partition in Active Directory (Active Directory partitions are also referred to as directory partitions). The domain partition contains all of the objects in a specific domain and is replicated to every domain controller in that domain, but not beyond that domain. The domain partition is shown in Figure 1.3. For more information about the replication of domain information, see the product documentation in the Windows Server 2003 Technology Centers.

Configuration Information in the Directory

Exchange Server 2003 stores most of the configuration information for the Exchange organization in Active Directory. Active Directory contains detailed information on server objects, containers for administrative and routing groups, and all of the Exchange connectors. This information specifies how each server running Exchange Server is configured, the number of storage groups and stores on each server, and the Internet Information Services (IIS) server configuration.

Exchange configuration information is stored in the configuration directory partition in Active Directory. Some of the information that is stored in the configuration partition is shown in the following figure. Because Active Directory replicates the configuration partition to every domain controller in the forest, the Exchange organization configuration is also replicated throughout the forest. However, the configuration partition is never replicated outside the forest. This means that a single Exchange organization cannot span multiple forests; a multi-forest topology requires a separate Exchange organization in each forest, with directory information synchronized between them. For more information about Exchange multi-forest topologies, see the Exchange Server 2003 Deployment Guide.

Viewing Exchange information in Active Directory by using adsiedit.msc

Exchange Classes and Attributes in Active Directory

In addition to the information stored in domain and configuration partitions, Exchange Server 2003 also stores information in the schema partition. The Active Directory schema defines all of the object classes that can be created in the directory, as well as the attributes that can be assigned to each of the class objects. Before an Exchange Server 2003 server can be installed in a forest, the Active Directory schema must be extended to include Exchange-specific objects and attributes. The Active Directory schema partition and some of the Exchange-specific objects are shown in the figure above.

Directory Access Architecture

The connection between Exchange Server 2003 and Active Directory is critical for reliable server operation. Exchange Server 2003 uses the following two primary components to locate and communicate with Active Directory domain controllers:

  • DSAccess   This component controls how other Exchange components access Active Directory. DSAccess reads the Active Directory topology, detects domain controllers and global catalog servers, and maintains a list of valid directory servers that are suitable for use by Exchange components. In addition, DSAccess contains a memory cache, which reduces the load on Active Directory by reducing the number of LDAP requests that individual components must send to Active Directory servers. For example, in order to route messages, the transport process uses DSAccess to obtain information about the connector arrangement. The SMTP transport engine also uses DSAccess to resolve recipient information. This enables messages to be routed to the servers on which the mailboxes reside.

  • DSProxy   This component provides an address book service for MAPI clients running Outlook 2002 Service Release 1 (SR-1) and earlier versions. Exchange versions 5.5 and earlier implemented a directory service so that clients could view the global address list by querying the server running Exchange Server. In Exchange 2000 Server and Exchange Server 2003, DSProxy emulates this address book service.

    Note

    Directory Service Proxy (DSProxy) refers Microsoft Outlook 2003 directly to a global catalog server. Unlike earlier versions of Outlook, Outlook 2003 does not require a directory proxy component on the server running Exchange Server itself.

For detailed information about DSAccess and DSProxy, see Exchange Server 2003 and Active Directory.