Planning for Access to Active Directory
Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-08-13
Microsoft Exchange Server 2007 stores all configuration and recipient information in the Active Directory directory service database. When a computer that is running Exchange 2007 requires information about recipients and information about the configuration of the Exchange organization, it must query Active Directory to access the information. Active Directory servers must be available for Exchange 2007 to function correctly. This topic explains how Exchange 2007 stores and retrieves information in Active Directory so that you can plan access to Active Directory.
The Active Directory database stores information in three types of logical partitions that are described in the following sections:
The schema partition
The configuration partition
The domain partition
The schema partition stores two types of information: schema classes and schema attributes. Schema classes define all the types of objects that can be created and stored in Active Directory. Schema attributes define all the properties that can be used to describe the objects that are stored in Active Directory.
When you install the first Exchange 2007 server role in the forest or run the Active Directory preparation process, the Active Directory preparation process adds many classes and attributes to the Active Directory schema. The classes that are added to the schema are used to create Exchange-specific objects, such as agents and connectors. The attributes that are added to the schema are used to configure the Exchange-specific objects and the mail-enabled users and groups. These attributes include properties, such as Microsoft Office Outlook Web Access settings and Microsoft Exchange Unified Messaging (UM) settings. Every domain controller and global catalog server in the forest contains a complete replica of the schema partition.
For more information about schema modifications in Exchange 2007, see Active Directory Schema Changes.
The configuration partition stores information about the forest-wide configuration. This configuration information includes the configuration of Active Directory sites, Exchange global settings, transport settings, mailbox policies, and UM dial plans. Each type of configuration information is stored in a container in the configuration partition. Exchange configuration information is stored in a subfolder under the configuration partition's Services container. The information that is stored in this container includes the following:
Address and display templates
Client access settings
Messaging records management, mobile, and UM mailbox policies
E-mail address policies
Every domain controller and global catalog server in the forest contains a complete replica of the configuration partition.
The domain partition stores information in default containers and in organizational units that are created by the Active Directory administrator. These containers hold the domain-specific objects. This data includes Exchange system objects and information about the computers, users, and groups in that domain. When Exchange 2007 is installed, Exchange updates the objects in this partition to support Exchange functionality. This functionality affects how recipient information is stored and accessed. Each domain controller contains a complete replica of the domain partition for the domain for which it is authoritative. Every global catalog server in the forest contains a subset of the information in every domain partition in the forest.
Exchange 2007 uses an Active Directory API to access information that is stored in Active Directory. The Active Directory Topology service runs on all Exchange 2007 server roles. This service reads information from all Active Directory partitions. The data that is retrieved is cached and is used by Exchange 2007 servers to discover the Active Directory site location of all Exchange services in the organization. For more information about topology and service discovery, see Planning to Use Active Directory Sites for Routing Mail.
Exchange 2007 is an Active Directory site-aware application that prefers to communicate with the directory servers that are located in the same site as the Exchange server to optimize network traffic. Each Exchange 2007 organizational server role must communicate with Active Directory to retrieve information about recipients and information about the other Exchange 2007 server roles. The data that each server role obtains is described in the following sections.
By default, whenever an Exchange 2007 server starts it binds to a randomly selected domain controller and global catalog server in its own site. You can view the selected directory servers by viewing the properties of the Exchange 2007 server in the Exchange Management Console or by using the Get-ExchangeServer cmdlet in the Exchange Management Shell. You can also use the Set-ExchangeServer cmdlet to configure a static list of domain controllers to which an Exchange 2007 server should bind or a list of domain controllers that should be excluded.
|A Windows Server 2008 domain controller can be configured as a read-only directory server. This configuration is useful when you want to deploy a domain controller or global catalog server in a remote site for authentication and authorization purposes but do not want to allow administrators in that site to write changes to Active Directory. However, you cannot deploy an Exchange 2007 server in any site that contains only read-only directory servers.|
The Hub Transport server role contacts Active Directory when it performs message categorization. The categorizer must query Active Directory to perform recipient lookup and routing resolution. The information that the categorizer retrieves during recipient lookup includes the location of the recipient's mailbox and any restrictions or permissions that may apply to the recipient. The categorizer must also query Active Directory to expand the membership of distribution lists and to perform the Lightweight Directory Access Protocol (LDAP) query processing that is required when mail is sent to a dynamic distribution list.
During routing resolution, the categorizer uses the topology information that is cached by the Active Directory Topology service to discover the routing path for a message. The Hub Transport server uses Active Directory site configuration information to determine the location of other servers and connectors in the topology. When the Hub Transport server has resolved the location of the recipient's mailbox, it uses Active Directory site information to locate the mailbox store. If the mailbox store is in the same Active Directory site as the Hub Transport server, the Hub Transport server delivers the message directly to the user's mailbox. If the mailbox store is in a different Active Directory site than the Hub Transport server, the Hub Transport server delivers the message to a Hub Transport server in the remote Active Directory site.
The Hub Transport server stores all configuration information in Active Directory and accesses Active Directory to retrieve this information. The configuration information includes the details of any transport rules, journal rules, and connectors.
The Client Access server role receives connections from the Internet for users who access their mailbox by using Outlook Web Access, Post Office Protocol version 3 (POP3), Internet Message Access Protocol Version 4rev1 (IMAP4), or Microsoft Exchange ActiveSync. When a user connection is received, the Client Access server contacts Active Directory to authenticate the user and to determine the location of the user's mailbox server. If the user's mailbox is in the same Active Directory site as the Client Access server, the user is connected directly to their mailbox. If the user's mailbox is in a different Active Directory site than the Client Access server that received the initial connection, the connection is redirected to a Client Access server in the remote Active Directory site.
The Unified Messaging server role accesses Active Directory to retrieve global configuration information, such as dial plans, IP gateways, and hunt groups. When a message is received by the Unified Messaging server, it searches for Active Directory recipients to match the telephone number to a recipient address. When it has resolved this information, the Unified Messaging server can determine the location of the recipient's mailbox store and then submit the message to a Hub Transport server for routing to the mailbox.
The Mailbox server role stores configuration information about mailbox users and stores in Active Directory. Additionally, the configuration for agents, address lists, and policies is stored in Active Directory. The Mailbox server retrieves this information to enforce mailbox policies and global settings.
The Edge Transport server role is deployed in the perimeter network and is not a domain member. The Edge Transport server does not have access to Active Directory and uses Active Directory Application Mode (ADAM) to store schema and configuration information. You can create an Edge Subscription to subscribe the Edge Transport server to an Active Directory site. The Hub Transport servers in that Active Directory site use the Microsoft Exchange EdgeSync service to synchronize Active Directory data to ADAM. We recommend that you create an Edge Subscription for each Edge Transport server. This process will automatically provision the Send connectors that are required for end-to-end mail flow. You must create an Edge Subscription if you will be using the recipient lookup or safe list aggregation anti-spam features.
|Exchange 2007 Service Pack 1 (SP1) supports deployment of server roles on a Windows Server 2008 computer. If the Edge Transport server is installed on Windows Server 2008, ADAM is replaced by Active Directory Lightweight Directory Services (AD LDS). Windows Server 2008 includes several features that have been enhanced or renamed. For information about the feature changes between Windows Server 2003 and Windows Server 2008, see Terminology Changes.|