Planning Active Directory with Exchange Server in Mind


Topic Last Modified: 2005-05-16

Exchange 2003 uses the Active Directory® directory service to store and share directory information with Windows Server. Because the two are tightly integrated, your planning efforts need to include a thorough investigation of the impact that Exchange has on your Active Directory design, and vice versa.

If Active Directory is already deployed, it is important for you to understand the existing Active Directory structure and how Exchange fits into this structure. This topic describes the key considerations.

If you have not yet deployed Active Directory, you are in a better position to design your Active Directory infrastructure with Exchange in mind. For comprehensive Active Directory deployment information, use the following resources:

For more information about recommended ways to integrate Exchange 2003 with Active Directory, see "Planning Your Active Directory and Administrative Model."

The remainder of this topic discusses how to assess your existing Active Directory design as it relates to Exchange in the following areas:

  • Physical site structure

  • Domain and forest partitioning

  • Administration

  • Domain controller and global catalog server placement

Start with an assessment of the locations of Windows Server sites and the connections between them as discussed in "Understanding Your Current Network Environment." Exchange uses your Windows network infrastructure so you do not have to create and maintain a separate infrastructure for Exchange. An important factor to consider is how point-to-point routing is structured. For example, determine whether site A can communicate to site C through site B or whether there are routing restrictions.

Because of the tight integration between Exchange and Active Directory, the Active Directory forest structure directly affects your Exchange planning. There is a one-to-one relationship between an Active Directory forest and an Exchange organization. An Exchange organization can span only a single Active Directory forest. Likewise, an Active Directory forest can host only a single Exchange organization. Understanding your current forest structure and the reasoning behind those design decisions can help you to decide whether to use an existing forest to host Exchange or whether to create a new forest to host Exchange.

Although the recommended design for Active Directory consists of a single Active Directory forest for the entire organization, your organization may contain multiple forests that represent separate business units. One reason this design may be necessary is that your organization needs strict security boundaries between the directories for each business unit.

In a multiple forest scenario, you need to determine which forest is to host Exchange. To reduce the administrative burden, you also need to implement a provisioning method so that changes made in one forest are propagated to the other forests, for example, by using Microsoft Identity Integration Manager (MIIS). Another option is to create a separate forest dedicated to running Exchange. For more information about reducing the administrative burden, see "Planning Your Active Directory and Administrative Model."

It is recommended that you establish a single Active Directory forest for your entire organization. However, if your company requires strict security boundaries between business units, multiple forests may be necessary. In Active Directory, a forest forms a strict security boundary, which means that administrators in the forest are isolated from other forests. Domains, however, are primarily administrative boundaries. For more information about Active Directory design and administration, see Best Practice Active Directory Design for Managing Windows Networks and Design Considerations for Delegation of Administration in Active Directory.

Start by documenting the forests, domains, and Windows sites that make up your organization. Note the servers that make up each domain and the operating system software each server is running. Also, note the groups or individuals who own each forest, domain, and Windows site.

Another key consideration is the administrative model that is in place in the organization. Because Exchange 2003 uses Active Directory, you administer Exchange in conjunction with the operating system. Active Directory provides a way for you to delegate administrative authority to directory objects through organizational units in Active Directory Users and Computers. You can delegate Windows administrative permissions at the organizational unit level in Active Directory. For Exchange server administration, you can group servers into an administrative group and delegate permissions to the administrative group.

When documenting the servers that make up each domain in a forest, also document the groups or individuals to whom Active Directory administrative permissions have been granted. Then, based on your business requirements, you can use this information to determine how the Exchange servers should be administered. For more information about planning your administrative model, see "Planning Your Active Directory and Administrative Model."

When documenting the servers in each domain, identify the domain controllers and global catalog servers. This information is critical for planning an Exchange organization because you need to know how users in various locations log on and how global address list information and Exchange objects will replicate throughout the forest. A domain controller is limited to the domain in which it is installed. The function of a global catalog server in Active Directory is to maintain a partial attribute set for user objects across all domains in the forest. You may need to make changes in the placement of these servers for Exchange. For more information about Active Directory server placement, see "Planning Your Active Directory and Administrative Model."
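The inventory that the preceding paragraphs ask you to build (forests, domains, Windows sites and their site links, domain controllers, and which of them are global catalog servers), as an added PowerShell example that is not part of the original article. It uses the System.DirectoryServices.ActiveDirectory classes that ship with Windows and assumes it runs on a domain-joined machine as a user with read access to the directory.

```powershell
# Added example (not from the original article): inventory the current forest's
# domains, sites, domain controllers and global catalog servers with the
# System.DirectoryServices.ActiveDirectory .NET classes that ship with Windows.
# Assumes a domain-joined machine and a user who can read the directory.
Add-Type -AssemblyName System.DirectoryServices

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
"Forest: $($forest.Name)  (forest functional level: $($forest.ForestMode))"

# One row per domain controller: its domain, Windows site, OS and GC role.
$dcs = foreach ($domain in $forest.Domains) {
    foreach ($dc in $domain.DomainControllers) {
        [pscustomobject]@{
            Domain          = $domain.Name
            DomainLevel     = $domain.DomainMode
            Server          = $dc.Name
            Site            = $dc.SiteName
            OS              = $dc.OSVersion
            IsGlobalCatalog = $dc.IsGlobalCatalog()
        }
    }
}
$dcs | Sort-Object Domain, Site, Server | Format-Table -AutoSize

# Per-site summary. A site that has domain controllers but no global catalog
# server is a candidate for a placement change before Exchange is deployed,
# because logon and global address list lookups depend on a reachable GC.
# The site links show how each site is connected to the rest of the network.
foreach ($site in $forest.Sites) {
    $inSite  = @($dcs | Where-Object { $_.Site -eq $site.Name })
    $gcCount = @($inSite | Where-Object { $_.IsGlobalCatalog }).Count
    $links   = ($site.SiteLinks | ForEach-Object { $_.Name }) -join ', '
    $note    = if ($inSite.Count -gt 0 -and $gcCount -eq 0) { 'REVIEW: no GC in site' }
               elseif ($inSite.Count -eq 0) { 'no domain controllers' }
               else { '' }
    '{0,-24} DCs={1,-3} GCs={2,-3} links=[{3}] {4}' -f `
        $site.Name, $inSite.Count, $gcCount, $links, $note
}
```

Run the script once per forest when you have more than one; the output is the per-forest table of domains, sites and server roles that the rest of the planning work builds on.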

