Selecting an Active Directory Administration Model


Topic Last Modified: 2005-05-13

Based on your administrative requirements, security requirements, and technical capabilities, you can design a centralized administrative model, a distributed administrative model, or a combination of the two. By deciding whether your model will be centralized or distributed, you are essentially determining whether you will create one or more administrative groups.

Administrative groups provide a way to group objects together (such as servers, policies, routing groups, and public folder hierarchies) and define the scope of permissions for the group. For example, if your organization has two sets of administrators that manage two sets of Exchange servers, you can create two administrative groups that contain these two sets of servers. To establish permissions, you can add the appropriate Windows users and groups to the security settings on the two administrative groups. Then, Active Directory propagates these settings to all the configuration objects within the administrative group. To assign Exchange permissions to the administrative groups, you can use the Exchange Administration Delegation Wizard. This wizard simplifies assigning permissions and creating and maintaining access control lists (ACLs).


Administrative Model Details

Centralized

  • One Exchange administrative group

  • Centralized server management

  • Centralized policy management

  • Though limited to one administrative group, you can have many routing groups.

Distributed

  • Allows business units to manage their Exchange infrastructure autonomously.

  • Use at least one administrative group for each autonomous unit.

  • If strict security between business units is needed, use multiple forests instead of multiple administrative groups in the same forest.

  • Support costs can be significant in this model.

Combined

  • Uses elements of both centralized and distributed.

  • Provides a way for organizations to have centralized email policies but local administration.

  • Can be particularly useful in branch office scenarios.

A centralized Exchange administrative model is characterized by a single Exchange administrative group (the default administrative group), centralized server management, and centralized policy management. Recall that in Exchange 2003 the administrative model is completely independent of the physical infrastructure, so your Exchange administrative model can be centralized even if your company consists of several branch offices. Only one administrative group can exist, but there can be many routing groups. If your administrative model is highly centralized and does not require any strict security boundaries between business units, you can follow the single forest model.

If logical business divisions require autonomy in terms of Exchange server administration, you may need a distributed model. In this model, individual business units or regions have complete control over management of the Exchange organization, although a central group can manage standards and guidelines. In a distributed model, you create at least one administrative group for each region or division. This model is similar to the site model in earlier versions of Exchange and is often used by organizations that have branch offices operating independently. You must also consider whether separating business units by using administrative groups is sufficient, or whether you need to create strict security boundaries between them. If the latter is the case, the only way to create strict security boundaries is to place business units in separate forests.

Support costs can be very high for branch offices. For this reason, you should weigh these support costs against the cost of upgrading network connections and centralizing servers.

A combined model can separate the administrative responsibilities for different geographical locations into specialized administrative groups, but can assign a centralized administrative group that defines organization responsibilities. In this example, administrators of a centralized organization policies group are those who control system and recipient policies used across the organization. Regional groups define daily administrative tasks that administrators perform at different geographical locations. Each of these groups contains other objects, such as public folders and servers, which the local groups manage.

If your Exchange organization is mixed, which means it contains Exchange 2000 or Exchange 2003 and Exchange 5.5 servers, Exchange displays one administrative group and one routing group for each Exchange 5.5 site by default.
