Exchange Server 2007 and the Active Directory, Part 1

I’ve been looking at Microsoft Exchange Server 2007 Beta 2 today and the way it interoperates with the Active Directory. It won’t come as a surprise to see that Microsoft Exchange Server 2007 still relies on the Active Directory as its directory service (like Microsoft Exchange 2000 Server and Microsoft Exchange Server 2003) but there are a lot of differences. I’ll be looking into them.

 

Disclaimer

Although I’m describing my experiences with Microsoft Exchange Server 2007 Beta 2 here, it by no means implies that my findings are relevant to the Release to Manufacturing (RTM) build of Microsoft Exchange Server 2007. I am convinced however that you will find most things to apply to the final product.

 

Active Directory mode

 

Domain Functional level

The Release Notes for Microsoft Exchange Server 2007 Beta 2 tells us that you will be required to use an Active Directory in Windows 2000 Native Mode.

Active Directory Domain Functional Level set to Windows 2000 Native or greater
This domain functional level is required to support the new Exchange Servers universal group.

I installed a new box with Microsoft Windows Server 2003 and ServicePack 1 and promoted it to an Active Directory Domain Controller. I didn’t change any settings for my active directory and tried to install Microsoft Exchange Server 2007 Beta 2. It gave a nice error. While installing Microsoft Exchange Server 2007 Beta 2 it looked like I needed to upgrade my Domain functional level to Windows 2003 Native Mode before setup could continue. The obvious reason for demanding a native Active Directory domain is to enable the use of Universal groups, which are added to the Active Directory in a new Organization Unit (OU) called ‘Microsoft Exchange Security’.
Paranoid as I am (or at least Paul thinks I am [;)] ) I immediately began doubting the possible migration scenario’s for Microsoft Exchange Server 2000 in Microsoft Windows 2000 Active Directory domains with Microsoft Windows 2000 Server Domain Controllers. Surely this doesn’t mean we’ll have to install a new Microsoft Windows Server 2003 Domain Controller, demote all Microsoft Windows 2000 Server Domain Controllers and then install Microsoft Exchange Server 2007 servers and migrate mailboxes? It sure does, just read along…

Schema Master must be Microsoft Windows Server 2003 or Microsoft Windows Server 2003 Service Pack 1
The server that holds the Schema Master Flexible Single Master Operation (FSMO) role needs to have Windows Server 2003 or Windows Server 2003 with Service Pack 1 installed.

 

Forest functional level

Nowhere to be found in the release notes for Microsoft Exchange Server 2007, but certainly responsible for the error I received when I installed Microsoft Exchange server 2007 on my Microsoft Windows Server R2 box is the requirement for the forest functional level to be “Windows Server 2003”. You can find it however in the Planning Checklist in the Microsoft Exchange Server 2007 section of TechNet:

If you have a resource forest, or multiple forests that share an Exchange 2007 organization, then a trust relationship is required. If your topology includes multiple forests that contain Exchange 2007, or if your implementation requires a forest-to-forest trust between forests containing Exchange 2007, the minimum Active Directory forest functional level for each forest must be Windows Server 2003. For more information about raising the Active Directory forest functional level, see Raise the forest functional level

Raising the forest functional level to Microsoft Windows 2003 prohibits you from having or placing Microsoft Windows NT4 or Microsoft Windows 2000 Domain Controllers, but also brings you a couple of advantages that Microsoft Exchange Server 2007 might benefit from.

 

Exchange Organization mode

Your Exchange Organization (which is stored in Active Directory) will have to be native too.

Exchange Organization Operation mode set to Native Mode
The Exchange Operation mode for the organization must be Native Mode.

When I first read it I found it cryptic. The reason for this is when you install a new Microsoft Exchange 2000 Server or Microsoft Exchange Server 2003 it automatically created an Exchange Organization in compatible mode. Apparently when you install Microsoft Exchange Server 2007 Beta 2 it automatically creates a Native Mode Exchange Organization, but I couldn’t find any way of determining the Exchange Organization operation mode from within the new Microsoft Exchange Management Console.

I downloaded the updated Support Tools for Microsoft Windows Server 2003 and fired up adsiedit.msc to look for this within the Active Directory. I found it in the properties of the Exchange Organization.

After reading the Release Notes I didn’t expect anything else.

When upgrading the Microsoft Exchange Organization from mixed mode to native mode an administrator gains a few extras like the ability to create query-based distribution groups and InetOrgPerson objects, but also some routing group and administration group functions and the ability to rename the Exchange organization itself.

Because Microsoft states that Microsoft Exchange 5.5 servers and Microsoft Exchange 2007 do not coexist it is only obvious that the native mode / mixed mode stuff is being dropped, effectively dropping any remaining Microsoft Exchange 5.5 backward compatibility.

 

Active Directory Users and Computers

I’ve always been very relaxed with the way you could administer most Microsoft Exchange settings for users within the Active Directory Users and Computers MMC Snap-in (dsa.msc) but while reading the release notes and enjoying a nice basket of Ben & Jerry’s ice-cream I stumbled upon the next phrase:

Active Directory Users and Computers should not be used to created Exchange 2007 objects
If the Exchange System Manager is installed, Active Directory Users and Computers will allow you create mailboxes on Exchange 2007 servers. However, this action is not supported. Mailboxes created in this way will be treated as “Legacy” (Exchange 2003 or Exchange 2000) mailboxes, even though they are on an Exchange 2007 server. Exchange 2007 has no recipient update service to update user attributes. Users created in Active Directory Users and Computers would not be fully configured unless there was an Exchange Server 2003 server or Exchange 2000 Server server in the organization that had a recipient update service configured to configure the newly created mailbox.

I read this little piece of text twice before I understand what was meant: Microsoft wants us not to use the Active Directory Users and Computers MMC Snap-in (dsa.msc) with Microsoft Exchange Server 2007 Beta 2, and perhaps even in the final build of Microsoft Exchange Server 2007… I wondered how I should make new mailboxes for users, how I could make resource mailboxes and such so I fired up the new Exchange Management Console and behold: there are action panes all over the right side of the console to make all kinds of new Microsoft Exchange objects, like ‘New Address list…’ (under ‘Mailbox’ in ‘Organization Configuration’), ‘New Mailbox…’ (under ‘Mailbox’ in ‘Recipient Configuration’), ‘New Distribution Group’ and ‘New Dynamic Distribution Group…’ (under ‘Distribution Group’ in ‘Recipient Configuration’) and a ‘New Mail contact…’ (under ‘Mail Contact’ in ‘Recipient Configuration’)

When I started the ‘New Mailbox…’ wizard from within ‘Mailbox’ in ‘Recipient Configuration’ I found that from there I could make new mailboxes. In 4 different flavours:

  • User Mailbox
  • Room Mailbox
  • Equipment Mailbox
  • Linked Mailbox

This is more of a choice and a better choice compared to the Active Directory Users and Computers MMC Snap-in (dsa.msc). Before you start to this really cool wizard is the reason Microsoft wants you to leave the Active Directory Users and Computers MMC Snap-in (dsa.msc) I think you’ll have to look at the piece of text from the Release Notes I added earlier. The reason is the new way Microsoft Exchange updates Exchange objects.

When you make a new mailbox you can choose to make a mailbox for an existing Active Directory account or a new Active Directory account. When you choose the latter a new Active Directory user object is created in the ‘Users’ Organizational Unit (OU) within the Active Directory. Perhaps this is where the Windows Server 2003 Native mode kicks in again… it allows us to change the default container where accounts are created by using tools like redirusr.exe and redircomp.exe.

 

Concluding

Microsoft Exchange Server 2007 changes the way you administrator Microsoft Exchange objects within the Active Directory. Get ready by preparing your Active Directory by eliminating Microsoft Windows NT4 Server and Microsoft Windows 2000 Server Domain Controllers and raising your functional levels.

More reading Material

Download the Microsoft Exchange Server 2007 Beta 2 Release Notes here.
Read about the Windows Server 2003 ServicePack 1 Support Tools.
How to raise domain and forest functional levels in Windows Server 2003
Preparing a Mixed Mode Exchange Organization for conversion to Native Mode
Microsoft TechNet on Domain and forest functionality

Disclaimer Beta Software

The information on this webpage applies to software from Microsoft that was in testing phase but utilizable by experienced users by the time the webpage was written. This software has not been released for sale, distribution or usage for the general public. The information on this webpage and the beta software are provided “as is” without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.

Series Navigation

Exchange Server 2007 and the Active Directory, Part 2 >>

4 Responses to Exchange Server 2007 and the Active Directory, Part 1

  1.  

    I’ve updated my post with some links to screenshots which I hadn’t been able to upload before. Thnx Carlos and Paul!

  2.  

    VERY NICE POST, Excellent great reading.

    Keep them coming man!
    no problem about helping you out especially if you post articles like these !!!!

    Carlos

  3.  

    I believe you’ve interpreted one important requirement of AD incorrectly. The Schema Master and Global Catalog need to be on Windows Server 2003, but that does not mean that you have to upgrade all Domain Controllers to 2003.

    You simple have to transfer the Schema Master FSMO role to a newly introduced W2003 DC in your W2000 domain and make this new DC the Global Catalog. Then you can install Exchange 2007 in your domain and transfer the mailboxes.

    Secondly, when you installed E2007 on a clean W2003R2 domain controller you received a message that the Forest Functional level should be 2003. If I remember correctly, i also received this message with Beta 2. I believe this message is presented because E2007 setup notices that there is no W2000 domain or other legacies and therefore no reason not to upgrade to 2003 forest functional level. And lets not forget this was with a beta product.

    But this is a speculation, i rather test this before relying on it 🙂

    Otherwise an excellent post, i’ve referred to it frequently.

  4.  

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.