
ACTIVE DIRECTORY / EXCHANGE SERVER 2003

QUESTIONS AND ANSWERS

COMPILED AND PREPARED BY

VASUDEVAN RAO ALIAS VAS RAO

References:
Various books, internet and research

ADS_Exserver03-07_Qanda_Vasrao_02Jul09 Page 1 of 46
1. What is the Exchange Server 2007 server role?
Exchange Server 2007 introduces five roles to the Exchange Organization.
a) Edge Transport
b) Hub Transport
c) Client Access
d) Mailbox
e) Unified Messaging
2. How is Exchange Server 2007 integrated with Microsoft Office Outlook 2007?
1) Shares information with other Outlook clients
2) Scheduling of meetings, calendar and e-mail
3) Appointments and contacts, including calendar and contact subscriptions
4) Outlook Anywhere, Outlook Web Access and Outlook Voice Access
5) Simplified, integrated communications
6) Increased message security and compliance
7) Sharing of information and scheduling of meetings
8) Instant Search scans message bodies and attachments for keywords or other criteria
9) Unified Messaging delivers voicemail, faxes and e-mail to the one mailbox
10) A change to a meeting location updates the calendar entry, reducing clutter and confusion
3. What are Exchange Server 2007 options?
1. Storage options
2. Replication options
3. Performance
4. Scalability
5. Backup
6. Disaster Recovery/Business Continuity
7. Archiving
8. Managed shared transport database configuration options
4. How should 64-bit processes (and 32-bit processes under WOW64) be planned for?

File system redirection is on a per-thread basis. Therefore, isolate operations that require disabling
redirection in a separate thread, and re-enable redirection as soon as possible after performing the task.
Be aware of interoperability when you install a 64-bit process alongside its 32-bit version.
When using interprocess communication methods such as sockets, pipes, remote procedure call (RPC)
and COM, test for bit-awareness in the way that you handle data: pointer and handle sizes differ between
the two sides.

Avoid accessing 64-bit processes from 32-bit processes

WOW64 has the following limitations:


 The address space is limited to 2 GB by default, and 4 GB if /LARGEADDRESSAWARE is used. For
more information, see “Memory Limits for Windows Releases” on MSDN®.
 A 32-bit process cannot load a 64-bit DLL (except for certain system DLLs).
 Running 16-bit processes is not supported. For information on 16-bit installer programs, see
“Running 32-bit Applications” on MSDN.
 The Virtual DOS Machine (VDM) API is disabled.

 Page-size dependent APIs such as Address Windowing Extension (AWE), scatter/gather I/O, and
write tracking are not available on the Intel Itanium processor family (IPF). For more information,
see “Running 32-bit Applications” on MSDN.
 The physical address extension (PAE) API is not available on IPF.
 Microsoft DirectX® hardware acceleration APIs are not supported on IPF.

5. Exchange Server core on Active Directory Domain Controller

Exchange Server 2003 communicates heavily with Active Directory. Nearly all Exchange configuration
is stored in the configuration partition of Active Directory, and the mailbox store that holds a
user's mailbox is recorded as an attribute (homeMDB) of the user object.

That means that when a message has to be routed, Exchange Server determines whether the mailbox is
on the local server by looking at the entries of the global address list (GAL). The GAL is built by the
Recipient Update Service (RUS), which examines the directory and stamps address attributes on every
mail-enabled object. By default this process polls about every minute. Exchange's directory lookups
go to a global catalog server via GC-LDAP (port 3268).

If the recipient is not on the local server and the message needs to be routed to another server,
Exchange recognizes this from the GAL entry. Exchange Server then looks in the configuration
partition to determine which server connections via connectors are available. This is also done
via GC-LDAP.

If the server recognizes that the recipient's SMTP domain is not one it is responsible for, it looks
for a way of sending the message outbound. This is generally done using the configured SMTP
connector. The configuration of the SMTP connector is also stored in Active Directory.

If an incoming message is addressed to a mail-enabled group, Exchange connects to the global catalog
server to expand the group and determine the recipients of the message.

These are the most common connections between Exchange and Active Directory. It is therefore
very important to design an Exchange environment that has good connectivity to a domain
controller or, better, a global catalog server. This server should be placed near the Exchange server,
ideally in its local subnet, so that a high-speed connection is available.
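The routing decision described above, written out as an added example in Python. This is not Exchange's own code; the server names, accepted domains, GAL entries and connector address spaces in it are constructed for illustration:

```python
"""Exchange Server 2003 routing decision, modelled in Python.

Added example, not Exchange's own code. It follows the lookups the text
describes: the GAL (stamped by the RUS on mail-enabled objects and read from
the global catalog) says whether a mailbox is local or on another server, a
mail-enabled group is expanded via the GC, and SMTP domains the organization
is not responsible for go to the SMTP connector whose address space matches.
Server names, domains, GAL entries and connectors below are constructed.
"""

LOCAL_SERVER = "EXCH01"
ACCEPTED_DOMAINS = {"contoso.com", "contoso.local"}   # domains from the recipient policy

# Constructed GAL entries as the RUS would stamp them: SMTP address -> record.
GAL = {
    "alice@contoso.com": {"type": "mailbox", "server": "EXCH01"},
    "bob@contoso.com": {"type": "mailbox", "server": "EXCH02"},
    "sales@contoso.com": {
        "type": "group",
        "members": ["alice@contoso.com", "bob@contoso.com", "partner@fabrikam.com"],
    },
}

# Constructed SMTP connectors: address space -> connector name ("*" is the
# catch-all Internet connector).
SMTP_CONNECTORS = {"*": "Internet", "fabrikam.com": "Partner"}


def expand_group(address, seen=None):
    """Expand a mail-enabled group (recursively) into its member addresses.

    `seen` guards against nested groups that contain each other."""
    seen = set() if seen is None else seen
    if address in seen:
        return []
    seen.add(address)
    entry = GAL.get(address)
    if entry is not None and entry["type"] == "group":
        members = []
        for member in entry["members"]:
            members.extend(expand_group(member, seen))
        return members
    return [address]


def pick_connector(domain):
    """Choose the SMTP connector with the most specific matching address space."""
    labels = domain.split(".")
    for i in range(len(labels)):
        space = ".".join(labels[i:])
        if space in SMTP_CONNECTORS:
            return SMTP_CONNECTORS[space]
    return SMTP_CONNECTORS.get("*")


def route(recipient):
    """Return (decision, target) for one SMTP recipient address."""
    recipient = recipient.lower()
    domain = recipient.split("@", 1)[1]
    if domain not in ACCEPTED_DOMAINS:
        # Not one of our domains: hand it to a connector from the config partition.
        return ("smtp-connector", pick_connector(domain))
    entry = GAL.get(recipient)
    if entry is None:
        return ("ndr", "recipient not in GAL")        # unknown local recipient
    if entry["type"] == "group":
        return ("expand", expand_group(recipient))    # DL expansion via the GC
    if entry["server"] == LOCAL_SERVER:
        return ("local-delivery", LOCAL_SERVER)
    return ("internal-route", entry["server"])        # another server in the org
```

Every branch in route() corresponds to one of the GC or configuration-partition lookups above, which is why the latency of that GC matters: a slow lookup delays every message, not just the ones that leave the organization.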

6. Global catalog for Exchange Server 2007

As you can see above, Exchange communicates a lot with Active Directory, especially with global catalog
servers. That means within your Exchange Server Design you have to take care of where you place your
Active Directory Domain Controllers with global catalog.

In addition you need to determine the number of Exchange users that a global catalog server can
support. Microsoft recommends a figure of about 4000 users per global catalog server. If you have more
users than this you must place more than one server with the global catalog role in your subnet. For
high availability reasons a second GC is recommended in any case. Two GCs can then theoretically
support up to 8000 users at a time, but be careful: if one of your GCs goes down you are back to
supporting only 4000 users.

What does that mean for your design? Define what high availability means to you and your company,
define how many users access one Exchange server at a time, and then calculate the number of GCs you
need. Do not forget to place your GCs near your Exchange server, ideally within the same subnet.

Global catalog server ratio and global catalog server placement

The ratio of servers to global catalog servers in your Exchange organization depends on all the following:

 The performance capabilities of the servers in your organization.


 The number of users in your organization.
 The message volume that you experience in your organization.
 The available network bandwidth in your organization.
 The other factors that affect computer processor load.

A general guideline is to deploy one global catalog server for every four Exchange
computer processors. Therefore, by using this general guideline, you might deploy your
global catalog servers as follows.

Note This general guideline assumes that all the computer processors are of the same type
and of the same speed.

 One single-processor global catalog server to support one four-processor Exchange 2000
Server computer or Exchange Server 2003 computer.
 Two single-processor global catalog servers to support one eight-processor Exchange 2000
Server computer or Exchange Server 2003 computer.
 Four quadruple-processor global catalog servers to support eight eight-processor Exchange
2000 Server computers or Exchange Server 2003 computers.
 You can adjust these guidelines to meet the specific requirements of your Exchange
organization.
 If your AD forest consists of a single domain, all domain controllers should be configured to
act as global catalog servers. Since the domain controllers have full knowledge of the domain
anyway, designating them as global catalog servers does not require a significant amount of
additional server resources.
 If your Exchange organization contains multiple mailbox servers, plan on having one global
catalog server for every four mailbox servers.
 A site does not require a global catalog server if it does not contain an Exchange server,
contains fewer than 100 users, and is connected via a reliable network link to another network
segment that has its own global catalog server.
 Organizations with Windows Server 2003 domain controllers in sites of fewer than 100 users are
often discouraged from deploying global catalog servers there; Microsoft recommends enabling
Universal Group Membership Caching instead. If the site contains an Exchange server that is not an
option: Exchange (DSAccess) requires a true global catalog server.
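The sizing rules from this section as an added example (not part of the original Q&A). The constants (one GC processor per four Exchange processors, about 4000 users per GC, a second GC for availability, the 100-user small-site rule) are taken from the text; the site list and its figures are assumed for illustration:

```python
"""Global catalog placement planner (added example, not from the original page).

It encodes the rules of thumb from this section: one GC processor for every
four Exchange processors, roughly 4000 Exchange users per GC, a second GC for
availability, no GC in a site of fewer than 100 users that has no Exchange
server and a reliable link to a GC elsewhere, and no Universal Group Membership
Caching substitute where Exchange is present. Site figures used are constructed.
"""
import math
from dataclasses import dataclass

USERS_PER_GC = 4000          # users one GC is assumed to support
EXCH_PROCS_PER_GC_PROC = 4   # one GC processor per four Exchange processors
SMALL_SITE_USERS = 100       # below this, a site without Exchange may skip a GC


@dataclass
class Site:
    name: str
    users: int
    exchange_processors: int      # total processors across Exchange servers, 0 if none
    gc_processors: int = 1        # processors in each GC you would deploy
    reliable_link_to_gc: bool = True


def gcs_needed(site, high_availability=True):
    """Number of global catalog servers to place in `site`."""
    has_exchange = site.exchange_processors > 0
    if (not has_exchange and site.users < SMALL_SITE_USERS
            and site.reliable_link_to_gc):
        return 0            # use a GC in another site (or UGMC); Exchange rules this out
    by_procs = 0
    if has_exchange:
        gc_procs = math.ceil(site.exchange_processors / EXCH_PROCS_PER_GC_PROC)
        by_procs = math.ceil(gc_procs / site.gc_processors)
    by_users = math.ceil(site.users / USERS_PER_GC)
    needed = max(1, by_procs, by_users)
    if high_availability:
        needed += 1         # N+1: losing one GC must leave the site fully served
    return needed


def users_after_one_failure(gc_count):
    """Users still supported if one of `gc_count` GCs goes down."""
    return max(0, gc_count - 1) * USERS_PER_GC


def plan(sites, high_availability=True):
    """Map each site name to the number of GCs to deploy there."""
    return {site.name: gcs_needed(site, high_availability) for site in sites}


if __name__ == "__main__":
    # Constructed sites: a large hub with four quad-processor Exchange servers,
    # a mid-size site, and a small branch without Exchange.
    sites = [
        Site("Chicago", users=6000, exchange_processors=16, gc_processors=1),
        Site("Dallas", users=3000, exchange_processors=8, gc_processors=4),
        Site("Branch", users=50, exchange_processors=0),
    ]
    for name, count in plan(sites).items():
        print(f"{name}: {count} GC(s), {users_after_one_failure(count)} users if one fails")
```

The N+1 step is the part people skip: two GCs sized for 8000 users is a 4000-user design once one of them is down, which is exactly the warning given above.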

http://www.microsoft.com/en/us/default.aspx

http://emailsolutions.searchexchange.com/kw;Global+Catalog+Server/exchange-content.htm
http://techrepublic.com.com/5208-6230-0.html?forumID=101&threadID=218116&start=0

http://searchexchange.techtarget.com/tip/0,289483,sid43_gci1198919,00.html

http://www.bing.com/search?q=adfs+on+windows+server+2000&form=STOHSS

http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/5e399525-3968-4081-b46a-82ce06946391

http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.server.active_directory/2007-03/msg01543.html

http://technet.microsoft.com/en-us/library/bb727159.aspx

http://searchwindowsserver.techtarget.com/tip/0,289483,sid68_gci1131154,00.html

http://en.wikipedia.org/w/index.php?title=Special:Search&search=ADAM+on+Windows+2000+and+2003&ns0=1&redirs=0

7. Exchange updates from 2003 to 2007

General Preparation Tasks before the Transition

Before we start the Transition, you should review the event logs on all your Domain Controllers to make
sure that no errors or warnings are in there. If you find any, you should correct them first before you go
on. Additionally, you should make sure all Windows Updates are installed. DCDIAG.EXE from Windows
Support Tools may help you during this task.

Afterwards you should back up the system state of all your Domain Controllers to make sure you are
able to restore Active Directory in the event of a failure during the setup process.
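A small parser for the DCDIAG.EXE output mentioned above, as an added example that is not from the original page. The sample output is constructed (abbreviated to the lines the tool prints for each test), and the gate function refuses to proceed while any test has failed:

```python
"""Parse DCDIAG.EXE output and gate the schema update on a clean run.

Added example, not from the original page. The sample below is a constructed,
abbreviated imitation of the Windows Server 2003 Support Tools dcdiag layout:
each test opens with "Starting test:" and closes with a dotted line that says
"<dc> passed test <name>" or "<dc> failed test <name>".
"""
import re

SAMPLE_DCDIAG = """\
Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\\DC01
      Starting test: Connectivity
         ......................... DC01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\\DC01
      Starting test: Replications
         [Replications Check,DC01] A recent replication attempt failed:
            From DC02 to DC01
            Naming Context: CN=Schema,CN=Configuration,DC=contoso,DC=com
            The replication generated an error (1256):
            The remote system is not available.
         ......................... DC01 failed test Replications
      Starting test: Advertising
         ......................... DC01 passed test Advertising
      Starting test: FsmoCheck
         ......................... DC01 passed test FsmoCheck
"""

RESULT_RE = re.compile(
    r"^\s*\.{5,}\s+(?P<dc>\S+)\s+(?P<verdict>passed|failed)\s+test\s+(?P<test>\S+)\s*$")
START_RE = re.compile(r"^\s*Starting test:\s+(?P<test>\S+)\s*$")


def parse_dcdiag(text):
    """Return {(dc, test): {"passed": bool, "detail": [lines]}} in output order.

    Lines printed between "Starting test:" and the verdict line are kept as
    the detail for that test, which is where dcdiag explains a failure."""
    results = {}
    current_test, detail = None, []
    for line in text.splitlines():
        m = START_RE.match(line)
        if m:
            current_test, detail = m.group("test"), []
            continue
        m = RESULT_RE.match(line)
        if m:
            results[(m.group("dc"), m.group("test"))] = {
                "passed": m.group("verdict") == "passed",
                "detail": detail,
            }
            current_test, detail = None, []
            continue
        if current_test is not None and line.strip():
            detail.append(line.strip())
    return results


def failed_tests(results):
    """Keys of every (dc, test) that did not pass."""
    return [key for key, r in results.items() if not r["passed"]]


def ready_for_schema_update(text):
    """True only when every dcdiag test passed. A failing Replications test is
    the one that matters most here: a schema extension pushed into a forest
    that is not replicating cleanly leaves DCs with inconsistent schema."""
    return not failed_tests(parse_dcdiag(text))


if __name__ == "__main__":
    for (dc, test), r in parse_dcdiag(SAMPLE_DCDIAG).items():
        print(f"{dc} {test}: {'ok' if r['passed'] else 'FAILED'}")
        for line in r["detail"]:
            print("    " + line)
    print("ready:", ready_for_schema_update(SAMPLE_DCDIAG))
```

Run this against the saved output of every domain controller, not just the schema master, because the schema change will be replicated to all of them.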

Domain and Forest Preparation for Exchange Server 2007

In order to prepare the Active Directory environment you will have to import new schema entries
(Exchange 2007 Setup /PrepareSchema). This means logging on to the domain controller that holds the
schema master role. Since the schema extension causes re-indexing of the Active Directory database, do
this during non-working hours and, if possible, with the forest at the Windows Server 2003 forest
functional level. At that level, adding attributes to the partial attribute set replicates only the
changed attributes to the global catalogs, whereas at the Windows 2000 level it triggers a full
synchronization of every global catalog. So you will have less replication traffic on your WAN links.

If you have trouble during the schema extension for Exchange Server 2007, the only way back to an
Exchange Server 2003-only schema is to restore System State on your schema master domain controller
before the change has replicated; if it has already replicated, every domain controller in the forest
must be restored or rebuilt (a forest recovery). A restore of Active Directory is not difficult if you
follow this procedure:

 Restart the domain controller in Directory Services Restore Mode (DSRM).
 Log on with the DSRM administrator credentials that were set when the domain controller was promoted.
 Restore System State from backup.
 If individual objects must be recovered, mark them authoritative with NTDSUTIL.EXE. The schema
partition cannot be marked authoritative, so a schema rollback relies on restoring before the extension
has replicated.
 Restart the domain controller.
 Repeat these steps on every domain controller to which the change has replicated.

Troubleshooting the Implementation of Hub Transport Servers

After the Client Access role, the next Exchange Server 2007 box you implement is usually the one on
which the Hub Transport role will reside. This box is quite easy to implement; you should move forward
after having a good System State backup ready in the event of a failure. If something unplanned
happens during the move of the general configuration settings to Exchange Server 2007, your
disaster recovery plan is to restore Active Directory from backup.

Troubleshooting the Implementation of Mailbox Servers

After having set up the mailbox servers, which could be a single or multiple server deployment,
perhaps with one of the high availability features of Exchange Server 2007 (Local Continuous
Replication, Standby Continuous Replication, Cluster Continuous Replication or Single Copy Cluster),
we have to move the mailboxes from the old environment to the new one. This mailbox move
(Move-Mailbox) is quite easy, too.

In general there should be no problems as long as the user whose mailbox is currently being moved
is logged off, since the move is an offline operation. No problems should occur on the client systems
either: they should discover that their mailbox has moved to another server while they were offline.
To ensure this, Exchange Server 2007 has a new Autodiscover service that creates and updates MAPI
profiles automatically if you have Outlook 2007 deployed. So make sure Outlook 2007 is deployed
before starting with the deployment of Exchange Server 2007 mailbox servers.

Troubleshooting the Implementation of Client Access Servers

The Client Access Server role provides Outlook Web Access, Exchange ActiveSync (direct push),
Outlook Anywhere and the Autodiscover and Availability web services. When migrating from earlier
Exchange Server releases this is the first box you should implement (in general it replaces your
front-end server), since this allows Outlook Web Access to work on mailboxes that reside on older
versions of Exchange as well as on Exchange Server 2007.

If anything fails during the implementation of this server, you just have to reinstall the
machine and try again.

Troubleshooting the Implementation of Unified Messaging Servers


When implementing the Unified Messaging role, your disaster recovery plan during the deployment of
Exchange Server 2007 is simple, because this is a new feature set that was not part of earlier
releases of the product. In the event of an unexpected error, you just reinstall the server.

Troubleshooting the Implementation of Edge Servers

The Exchange Server 2007 Edge Transport role is placed in your DMZ to relay e-mail into your Exchange
organization and out of it, so it is responsible for incoming and outgoing e-mail. It is not a member of
your Active Directory domain: it keeps its configuration and recipient data in a local ADAM (Active
Directory Application Mode) instance, which is populated from Active Directory by EdgeSync. If you run
into problems during its implementation, you will have to start over again. If it is already running, you
can run the ExportEdgeConfig.ps1 PowerShell script to save the configuration to an XML file and use
ImportEdgeConfig.ps1 to load it on the new server.

Conclusion

As you have seen in the sections above, the transition from Exchange Server 2003 to Exchange Server
2007 is not a big risk if you plan the project, and each project phase should include a plan to revert if
something unplanned happens and there is no way to go on. These risk management procedures will
ensure that you minimize downtime in case of an error and that your e-mail environment will
work properly and be available most of the time.

Exchange Server 2007 with Service Pack 1 is a very stable and reliable solution. In my opinion, it is the
best release Microsoft has come out with yet. So I think there is no reason for you to wait to migrate.
Just create a project plan and your email server environment will survive the transition to Exchange
Server 2007.

8. Design consideration of systems

Active Directory structure

Domain Controllers / Roles / Forests / Domains / Trust Types / Organizational Units
DNS / DHCP / WINS / Sites / Replication / RRAS / RADIUS

Analyzing the existing infrastructure / Physical Layout / Infrastructure Devices

Addressing Schemes / Operating Systems / Hardware / Performance
Domain Structure / NT vs. W2K3 Server / Functional Levels

DNS / Zones / Server Roles / DNS Structure / Internal DNS vs. Public DNS

IP Addressing / Subnets / Router Replacement / DMZ / DHCP

Security Infrastructure / Designing Internet Access / Designing a Remote Access Strategy

Designing Sites / Case study of the Existing Infrastructure

9. Map Exchange Server 2007 routing group to current Active Directory sites

One of the biggest changes between earlier versions of Exchange Server and Exchange 2007 is the
move to a routing topology that is based on Active Directory directory service sites and IP site links
instead of on routing groups and routing group connectors. Some Exchange administrators may feel
a loss of control over their routing topology, but there's no need to worry. And there are plenty
of reasons to celebrate. Exchange 2007 gives you the tools that you need to tweak the
Active Directory routing behaviour when it doesn't conform to the way that you want Exchange
mail to flow. Plus you benefit from the improved network utilization of Active Directory site-based
routing and no longer having to maintain a routing topology.

10. Should I dedicate current AD to Exchange Server 2007?

Exchange 2003 servers can benefit from an Active Directory design that uses the site architecture to
isolate Exchange. This is best achieved by creating a dedicated Active Directory site that contains
both the Exchange 2003 servers and global catalog servers dedicated to the Exchange DSAccess
process. The potential benefits of this architecture are as follows:

 Reduced risk of global catalog overload, by isolating Exchange messaging traffic and processes
from the remainder of the environment on dedicated global catalogs.
 Increased performance for Exchange LDAP queries through global catalogs that are dedicated to
the Exchange DSAccess process.
NB: This assumes that you have the right ratio of GC processors to Exchange processors and a
well-connected network.
 Easier management and monitoring of the Exchange environment, because non-Exchange
processes are segregated out.
NB: However, this segregation increases the total number of domain controllers in your
environment.
 Increased performance for non-Exchange LDAP and directory service processes due to the
segregation of Exchange processes.
NB: This assumes that you have enough GCs to service non-Exchange traffic.
 Excessive LDAP read and search times have a negative impact on the ability to service
messaging requests. This includes:
 Impact on mail routing (for mail bound internally and externally)
 Impact on client Ambiguous Name Resolution requests (address lookups, DL expansion, etc.)
 Impact on other functional processes: authentication for resources (calendars, public folders),
DL access and group membership

11. What is Auto Discovery Service?

The Autodiscover service in Exchange Server 2007 uses the user's e-mail address or domain user account
to automatically configure the user's Outlook 2007 profile. The Autodiscover service provides the
following information to the Outlook client:

 The user's display name
 Separate connection settings for internal and external connectivity
 The location of the user's Exchange Server 2007 Mailbox server
 The Uniform Resource Locator (URL) for several Outlook 2007 features, such as the Availability
service (free/busy) and the Offline Address Book (OAB)
 Configuration for Outlook Anywhere

It is a web service integrated with Microsoft Exchange Server 2007 that helps clients reach their
mailboxes. It is used to set up accounts in Outlook profiles automatically, and to determine which
Client Access Server a remote client should use, based on where the mailbox server is located, for
optimal performance.
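The Autodiscover exchange as an added example in Python, not code from the original page or from Exchange. It builds the request Outlook 2007 posts, lists the URLs the client tries, and parses a constructed response (host names, URLs and the user record are assumptions) into the settings listed above:

```python
"""Autodiscover exchange for Outlook 2007 (added example, not from the page).

Builds the POX request Outlook sends, lists the HTTPS endpoints it tries in
order, and parses a constructed Autodiscover response into the settings the
text lists. Host names, URLs and the user record are assumptions.
"""
import xml.etree.ElementTree as ET

REQUEST_NS = "http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006"
RESPONSE_NS = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"


def candidate_urls(email):
    """Endpoints Outlook 2007 tries, in order, before the _autodiscover._tcp SRV
    lookup. Only HTTPS endpoints are listed: the response tells the client where
    to send its credentials, so it must come from an authenticated server."""
    domain = email.split("@", 1)[1].lower()
    return [
        f"https://{domain}/autodiscover/autodiscover.xml",
        f"https://autodiscover.{domain}/autodiscover/autodiscover.xml",
    ]


def build_request(email):
    """POX request body posted to the Autodiscover URL."""
    root = ET.Element("Autodiscover", xmlns=REQUEST_NS)
    request = ET.SubElement(root, "Request")
    ET.SubElement(request, "EMailAddress").text = email
    ET.SubElement(request, "AcceptableResponseSchema").text = RESPONSE_NS
    return ET.tostring(root, encoding="unicode")


# Constructed response in the shape a Client Access Server returns.
SAMPLE_RESPONSE = """\
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User>
      <DisplayName>Alice Example</DisplayName>
    </User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXCH</Type>
        <Server>MBX01.contoso.local</Server>
        <ASUrl>https://cas01.contoso.local/EWS/Exchange.asmx</ASUrl>
        <OABUrl>https://cas01.contoso.local/OAB/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>mail.contoso.com</Server>
        <SSL>On</SSL>
        <AuthPackage>Ntlm</AuthPackage>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
"""


def parse_response(xml_text):
    """Pull out display name, Mailbox server, service URLs and Outlook Anywhere
    settings. EXCH carries the internal (MAPI) settings, EXPR the external
    Outlook Anywhere (RPC over HTTPS) settings."""
    ns = {"a": RESPONSE_NS}
    root = ET.fromstring(xml_text)
    settings = {
        "display_name": root.findtext("a:Response/a:User/a:DisplayName", namespaces=ns),
    }
    for proto in root.findall("a:Response/a:Account/a:Protocol", ns):
        ptype = proto.findtext("a:Type", namespaces=ns)
        if ptype == "EXCH":
            settings["mailbox_server"] = proto.findtext("a:Server", namespaces=ns)
            settings["availability_url"] = proto.findtext("a:ASUrl", namespaces=ns)
            settings["oab_url"] = proto.findtext("a:OABUrl", namespaces=ns)
        elif ptype == "EXPR":
            settings["outlook_anywhere"] = {
                "proxy": proto.findtext("a:Server", namespaces=ns),
                "ssl": proto.findtext("a:SSL", namespaces=ns) == "On",
                "auth": proto.findtext("a:AuthPackage", namespaces=ns),
            }
    return settings
```

Because the response dictates the Outlook Anywhere proxy and authentication package, whoever controls the name autodiscover.<domain> (or the SRV record) controls where the client's credentials go; that is why the endpoint must be reachable only over HTTPS with a certificate the client trusts.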

12. Domain Controller on AD

A domain controller is a server that is running a version of the Microsoft Windows Server 2003 or
Windows 2000 Server operating system and has the Active Directory service installed.

Note

 Implementations of the Microsoft Windows NT 3.51 and Microsoft Windows NT 4.0 operating
systems also have domain controllers, but they do not support Active Directory.

When you install Windows Server 2003 or Windows 2000 Server on a computer, you can choose to
configure a specific server role for that computer. When you want to create a new forest, a new
domain, or an additional domain controller in an existing domain, you configure the server with the role
of domain controller by installing Active Directory.

By default, a domain controller stores one domain directory partition consisting of information about
the domain in which it is located, plus the schema and configuration directory partitions for the entire
forest. A Windows Server 2003 domain controller can also store one or more application directory
partitions. There are also specialized domain controller roles that perform specific functions in an Active
Directory environment. These specialized roles include global catalog servers and operations masters.

Global Catalog Servers

Every domain controller stores the objects for the domain in which it is installed. However, a domain
controller designated as a global catalog server stores the objects from all domains in the forest. For
each object that is not in the domain for which the global catalog server is authoritative as a domain
controller, a limited set of attributes is stored in a partial replica of the domain. Therefore, a global
catalog server stores its own full, writable domain replica (all objects and all attributes) plus a partial,
read-only replica of every other domain in the forest. The global catalog is built and updated
automatically by the Active Directory replication system. The object attributes that are replicated to
global catalog servers are the attributes that are most likely to be used to search for the object in Active
Directory. The attributes that are replicated to the global catalog are identified in the schema as the
partial attribute set (PAS) and are defined by Microsoft. However, to optimize searching, you can edit
the schema by adding or removing attributes that are stored in the global catalog.

The global catalog makes it possible for clients to search Active Directory without having to be referred
from server to server until a domain controller that has the domain directory partition storing the
requested object is found. By default, Active Directory searches are directed to global catalog servers.

The first domain controller in a forest is automatically created as a global catalog server. Thereafter, you
can designate other domain controllers to be global catalog servers if they are needed.

Operations Masters

Domain controllers that hold operations master roles are designated to perform specific tasks to ensure
consistency and to eliminate the potential for conflicting entries in the Active Directory database. Active
Directory defines five operations master roles: the schema master, domain naming master, relative
identifier (RID) master, primary domain controller (PDC) emulator, and infrastructure master.

The following operations masters perform operations that must occur on only one domain controller in
the forest:

 Schema master
 Domain naming master

The following operations masters perform operations that must occur on only one domain controller in
the domain:

 Primary Domain Controller (PDC) emulator


 Infrastructure master
 Relative ID (RID) master

13. Purpose of Multiple Domains

Some reasons to create more than one domain are:


 Different password requirements between departments or divisions
 Massive numbers of objects
 Decentralized network administration
 More control of replication

14. Active Directory Disaster Recovery


1. Non-authoritative restore versus authoritative restore
2. You must know the exact distinguished name (path) of an object to restore it authoritatively
3. Backups (System State, taken regularly and no older than the tombstone lifetime)
4. Recovering deleted objects in Windows Server 2003 (tombstone reanimation)
5. SID / GUID / DN (some changes cannot be undone)
6. Restoring a user does not necessarily restore its group memberships
7. SYSVOL requires special restoration procedures
8. There is no need to back up every domain controller
9. Forest-level recovery is time-consuming and error-prone
10. A domain controller that is offline when a deletion occurs can allow you to recover the deleted objects

15. DC Promo

dcpromo is the command you run (from Start > Run or a command prompt) to promote a server to a
domain controller: it installs Active Directory and creates a new forest or domain, or adds a domain
controller to an existing domain. Running it on an existing domain controller demotes it.

16. AD Tools

1. Active Directory Users and Computers


2. Active Directory Domains and Trusts
3. Active Directory Sites and Services
4. DCPromo
5. LDIFDE
6. CSVDE
7. Active Directory Connector (ADC)

Active Directory Tools in Windows Server 2003:


1. adprep.exe / dsadd.exe / dsget.exe / dsmod.exe / dsmove.exe / dsrm.exe / dsquery.exe
2. gpmc.msc / rsop.msc / dcgpofix.exe / gpupdate.exe / redirusr.exe
3. redircmp.exe / random.exe

17. What is ADAM?

Active Directory Application Mode (ADAM) is a lightweight LDAP directory that provides a location for
application data and satisfies the dedicated-store requirements of an application.

You can use ADAM to modify local or targeted ADAM instances without making changes to your
organization's directory infrastructure: an ADAM instance has its own schema and does not require a
domain.

You can use Active Directory Application Mode effectively in the following scenarios:

 Application-specific directory scenarios


 Application developer scenarios
 Extranet access management (EAM) scenarios
 Migration scenarios

18. ADFS on 2000 and 2003

Before an Active Directory Federation Services (ADFS) deployment can work, you must first make sure
that your corporate network infrastructure is configured to support the ADFS requirements for
accounts, name resolution, and certificates. ADFS has the following types of requirements:

* Hardware / software / browser / network / account store / authentication requirements

* ADFS ships with Windows Server 2003 R2 (it is not available on Windows 2000 or on Windows Server
2003 without R2) and extends single sign-on to trusted resources on the Internet. Using ADFS,
organizations can extend their existing Active Directory infrastructure to provide access to trusted
Internet resources, which can include third parties as well as geographically separated units of the
same organization.

After you configure the federation servers, users at the organization sign on once to the organization's
network and are then automatically logged on to trusted web applications hosted by partners on the
Internet. Federated web single sign-on uses federated authorization for seamless access.

In addition to user identity and account information, the security tokens used in federated
authorization carry authorization claims that detail the user's authorization and specific application
entitlements.

19. What is SAN?

A SAN (Storage Area Network) is a network dedicated to transporting data for storage and retrieval.
SAN architectures are an alternative to storing data on disks directly attached to servers or on
Network Attached Storage (NAS) devices that are connected through general-purpose networks.

Storage Area Networks have traditionally been connected over Fibre Channel networks, and have also
been built using SCSI (Small Computer System Interface) technology. An Ethernet network dedicated
solely to storage would also qualify as a SAN. Internet Small Computer Systems Interface (iSCSI) is a
SCSI variant that encapsulates SCSI commands in TCP packets and transmits them over IP networks.
Fibre Channel over TCP/IP (FCIP) tunnels Fibre Channel over IP-based networks. The Internet Fibre
Channel Protocol (iFCP) transports the Fibre Channel layer 4 protocol (FCP) on IP networks.

20. RAID Volume

A logical representation of one or more physical disks configured to provide redundant and/or larger
storage space for the system.
RAID stands for Redundant Array of Independent Disks and involves combining two or more
drives to improve performance and/or fault tolerance. Combining two or more drives
together also offers improved reliability and larger data volume sizes. A RAID distributes the data
across several disks, and the operating system sees the array as a single disk.
RAID Levels

RAID 0 : Striping (block level) - no fault tolerance; any single disk failure loses the array
RAID 1 : Mirroring - fault tolerant; survives the loss of all but one disk
RAID 2 : Bit-level striping with Hamming-code ECC on multiple dedicated disks - rarely used
RAID 3 : Byte-level striping with a dedicated parity disk - survives one disk failure
RAID 4 : Block-level striping with a dedicated parity disk - survives one disk failure
RAID 5 : Block-level striping with distributed parity - survives one disk failure, good read performance
RAID 6 : Block-level striping with double distributed parity - survives two disk failures

The standard RAID levels can be combined in different ways to create nested RAID levels that offer
improved performance and/or fault tolerance. Some of the known nested RAID levels are:
RAID 0+1 (mirror of stripe sets)
RAID 1+0 (stripe of mirrored pairs, usually written RAID 10)
RAID 3+0
RAID 0+3
RAID 100 (RAID 10+0)
RAID 5+0
RAID 6+0
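RAID arithmetic for the levels listed above, as an added example that is not part of the original page. It gives usable capacity and guaranteed fault tolerance for N equal disks and, for the nested levels, shows which failures RAID 1+0 and RAID 0+1 survive (the disk layout described in the comments is assumed):

```python
"""RAID level arithmetic (added example, not from the original page).

Usable capacity and guaranteed fault tolerance for N equal disks at each
standard level listed above, plus a check the list does not make: which disk
failures a RAID 1+0 (stripe of mirrors) survives versus a RAID 0+1 (mirror of
stripes). Disk numbering follows the assumed layout given in the comments.
"""

# level -> (minimum disks, usable disks for n, guaranteed failures tolerated for n)
LEVELS = {
    0: (2, lambda n: n, lambda n: 0),          # striping only, no redundancy
    1: (2, lambda n: 1, lambda n: n - 1),      # n-way mirror
    3: (3, lambda n: n - 1, lambda n: 1),      # byte striping, dedicated parity disk
    4: (3, lambda n: n - 1, lambda n: 1),      # block striping, dedicated parity disk
    5: (3, lambda n: n - 1, lambda n: 1),      # block striping, distributed parity
    6: (4, lambda n: n - 2, lambda n: 2),      # block striping, double parity
}


def _check(level, n):
    if level not in LEVELS:
        raise ValueError(f"RAID {level} is not modelled here")
    if n < LEVELS[level][0]:
        raise ValueError(f"RAID {level} needs at least {LEVELS[level][0]} disks")


def usable_capacity(level, n, disk_gb):
    """Usable capacity in GB of `n` disks of `disk_gb` GB each at `level`."""
    _check(level, n)
    return LEVELS[level][1](n) * disk_gb


def fault_tolerance(level, n):
    """Disk failures the array is guaranteed to survive, whichever disks fail."""
    _check(level, n)
    return LEVELS[level][2](n)


def raid10_survives(n, failed):
    """RAID 1+0: disks (0,1), (2,3), ... are mirror pairs striped together.
    Data is lost only when both disks of the same pair have failed."""
    pairs = [(i, i + 1) for i in range(0, n, 2)]
    return not any(a in failed and b in failed for a, b in pairs)


def raid01_survives(n, failed):
    """RAID 0+1: disks 0..n/2-1 form one stripe set, the rest its mirror.
    One failure takes out a whole stripe set, so a failure in each set is fatal."""
    half = n // 2
    lost_a = any(d < half for d in failed)
    lost_b = any(d >= half for d in failed)
    return not (lost_a and lost_b)


if __name__ == "__main__":
    print("RAID 5, 4 x 500 GB:", usable_capacity(5, 4, 500), "GB usable")
    for failed in ({0, 5}, {2, 3}, {0, 2, 4, 6}):
        print(f"failed {sorted(failed)}: RAID 10 {raid10_survives(8, failed)},"
              f" RAID 0+1 {raid01_survives(8, failed)}")
```

Both nested levels are guaranteed to survive only one failure, but after that first failure RAID 0+1 is one disk (any of the other half) away from total loss, while RAID 1+0 only loses data if the partner of an already-failed disk goes; that is why RAID 10 is the usual choice for database volumes such as Exchange stores.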

21. DNS Proxy on AD

The primary reason for a DNS proxy is access control of DNS queries. Its main purpose is to block
DNS requests for specific names, say www.xxx.com, or perhaps more usefully to block DNS
requests for doubleclick.net and similar advertising and web-spam domains.

Controlling Access to DNS Servers Outside the Organization:


Restricting access to zone information allows you to specify which internal and external servers can
access the primary server. For external servers, this controls which servers can get in from the outside
world. You can also control which DNS servers within your organization can access servers outside it.
To do this, you need to set up DNS forwarding within the domain.

Within DNS forwarding, you configure DNS servers within the domain as:
Nonforwarders: Servers that must pass DNS queries they can’t resolve on to designated forwarding
servers. These servers essentially act like DNS clients to their forwarding servers.

Forwarding only: Servers that can only cache responses and pass requests on to forwarders. This is also
known as a caching-only DNS server.

Forwarders: Servers that receive requests from nonforwarders and forwarding-only servers.
Forwarders use normal DNS communication methods to resolve queries and to send
responses back to other DNS servers.

Conditional forwarders: Servers that forward requests based on the DNS domain. Conditional forwarding
is useful if your organization has multiple internal domains.
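The forwarding roles from the table above as an added example in Python (not from the original page). It models one internal server that answers its own zones, blocks a domain list as the DNS proxy described at the start of this question would, uses conditional forwarders by longest domain suffix, and otherwise forwards or, if it is forward-only with no forwarder configured, fails. Zone data and forwarder addresses are constructed:

```python
"""DNS forwarding decision logic (added example, not from the original page).

A small in-memory model of an internal DNS server that behaves as the table
above describes: it answers from its own zones, refuses names on a block list
(the "DNS proxy" use), sends matching domains to a conditional forwarder, and
passes everything else to the default forwarder. With forward_only set it
never recurses to the root hints itself. Zone data and addresses are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class DnsServer:
    zones: dict = field(default_factory=dict)                   # fqdn -> A record
    conditional_forwarders: dict = field(default_factory=dict)  # domain -> forwarder IP
    default_forwarders: list = field(default_factory=list)
    blocked_domains: set = field(default_factory=set)
    forward_only: bool = True

    @staticmethod
    def _longest_suffix(name, domains):
        """Most specific domain in `domains` that `name` falls under, or None."""
        labels = name.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in domains:
                return candidate
        return None

    def resolve(self, name):
        """Return (action, target) describing how this server handles `name`."""
        name = name.rstrip(".").lower()
        if name in self.zones:
            return ("authoritative", self.zones[name])
        if self._longest_suffix(name, self.blocked_domains) is not None:
            return ("refused", None)                   # access control on outbound queries
        domain = self._longest_suffix(name, self.conditional_forwarders)
        if domain is not None:
            return ("conditional-forward", self.conditional_forwarders[domain])
        if self.default_forwarders:
            return ("forward", self.default_forwarders[0])
        if self.forward_only:
            return ("servfail", None)                  # nowhere to forward, no recursion
        return ("recurse", "root-hints")


def build_sample_server():
    """Constructed configuration for an internal DNS server."""
    return DnsServer(
        zones={"dc01.contoso.local": "10.0.0.10", "mail.contoso.local": "10.0.0.20"},
        conditional_forwarders={"fabrikam.local": "10.1.0.53",
                                "corp.contoso.local": "10.0.5.53"},
        default_forwarders=["192.0.2.53"],
        blocked_domains={"doubleclick.net"},
    )


if __name__ == "__main__":
    server = build_sample_server()
    for q in ("dc01.contoso.local.", "ad.doubleclick.net", "fs.corp.contoso.local", "www.example.com"):
        print(q, "->", server.resolve(q))
```

The order of the checks is the policy: a name in a local zone is answered even if a parent domain is blocked, blocked names are refused before any forwarder sees them, and the internal servers never talk to the Internet directly when forward_only is set, which is the property the firewall rules should match.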

22. Capacity planning on Active Directory Service


 Overview of Planning Domain Controller Capacity
 Collecting Site Topology Design Information
 Determining the Number of Domain Controllers
 Assessing Disk Space and Memory Requirements
 Monitoring Domain Controller Performance
 Additional Resources

The Windows Server System Reference Architecture (WSSRA) addresses the followings:

 Availability
 Security
 Scalability
 Manageability
 Reliability
 Supportability
 Repeatability
 Standardization - Process, People and Technology
 Integration
 .NET ready

The Enterprise Model:

 Centralized Data Center - Employees


 Department - Partners
 Branch Office - Employees
 Extranet - Partners
 Internet Data Center - Customers

The services are a mixture of IT services and the end-user services they support.

 IT services
 Directory services (Active Directory)
 Certificate services
 Remote Access services
 Internet Protocol (IP) services (WINS, DNS, and DHCP)
 Firewall services
 End-user services
 File services
 Print services
 Messaging services

23. How many Global Catalog Servers per ADS

Global Catalog Server Placement:

All sites in the Contoso environment have at least 100 users. To facilitate user logon requests and
forest-wide searches, Contoso follows the general Windows Server 2003 deployment
recommendation for placing a global catalog server in any site where there are at least 100 users. Two
global catalog servers are placed in Chicago to accommodate the large number of users in that site.

For more information about global catalog server placement, see "Designing the Site Topology" in
Designing and Deploying Directory and Security Services of the Windows Server 2003 Deployment Kit
(or see "Designing the Site Topology" on the Web at http://go.microsoft.com/fwlink/?LinkId=4724).

Global Catalog Processes and Interactions

In addition to its activities as a domain controller, the global catalog server supports the following
special activities in the forest:

- User logon: In a multidomain forest, domain controllers must contact a global catalog server to
retrieve any SIDs of universal groups that the user is a member of. Additionally, if the user
specifies a logon name in the form of a UPN, the domain controller contacts a global catalog
server to retrieve the domain of the user.
- Universal and global group caching and updates: In sites where Universal Group Membership
Caching is enabled, domain controllers that are running Windows Server 2003 cache group
memberships and keep the cache updated by contacting a global catalog server.
- Global catalog searches: Clients can search the global catalog by specifying port 3268 or by
using search applications that use this port. Search activities include:
  o Validation of references to non-local directory objects. When a domain controller holds
a directory object with an attribute that references an object in another domain, this
reference is validated by contacting a global catalog server.
  o Exchange Address Book lookups: Exchange 2000 Server and Exchange Server 2003 use
Active Directory as the address book store. Outlook clients query the global catalog to
locate Address Book information.
- Global catalog server creation and advertisement: Global catalog servers register global-catalog-
specific service (SRV) resource records in DNS so that clients can locate them according to site. If
no global catalog server is available in the site of the user, a global catalog server is located in
the next closest site, according to the cost matrix that is generated by the KCC from site link cost
settings.
- Global catalog replication: Global catalog servers must either have replication partners for all
domains or be able to replicate with another global catalog server. When changes to the PAS
occur on, and are replicated between, domain controllers that are running Windows
Server 2003, only the updated attributes are replicated. Changes to the PAS that occur on
domain controllers that are running Windows 2000 Server prompt a full synchronization of the
entire global catalog (all attributes in the PAS are replicated anew to all global catalog servers).
For more information about PAS replication, see "Global Catalog Replication" later in this
subject.

24. Active Directory Service Database location

The actual database file is %SystemRoot%\ntds\NTDS.DIT. The ntds.dit file is the heart of Active
Directory, including user accounts. Active Directory's database engine is the Extensible Storage Engine
(ESE), which is based on the Jet database used by Exchange 5.5 and WINS. The ESE has the capability to
grow to 16 terabytes, which would be large enough for 10 million objects. Back to the real world: only
the Jet database engine can manipulate information within the AD data store.

The Active Directory ESE database, NTDS.DIT, consists of the following tables:

- Schema table: the types of objects that can be created in the Active Directory, relationships
between them, and the optional and mandatory attributes on each type of object. This table is
fairly static and much smaller than the data table.
- Link table: contains linked attributes, which contain values referring to other objects in the
Active Directory. Take the MemberOf attribute on a user object. That attribute contains values
that reference groups to which the user belongs. This is also far smaller than the data table.
- Data table: users, groups, application-specific data, and any other data stored in the Active
Directory. The data table can be thought of as having rows where each row represents an
instance of an object such as a user, and columns where each column represents an attribute in
the schema such as GivenName.

Active Directory is a transacted database system that uses log files to support rollback semantics to
ensure that transactions are committed to the database. The files associated with Active Directory are:

- Ntds.dit – the database.
- Edbxxxxx.log – transaction logs.
- Edb.chk – checkpoint file.
- Res1.log & Res2.log – reserved log files.

Ntds.dit grows as the database fills up. However, the logs are of fixed size (10 MB). Any change made to
the database is also appended to the current log file, and its disk image is always kept up to date.

Edb.log is the current log file. When a change is made to the database, it is written to the Edb.log file.
When the Edb.log file is full of transactions, it is renamed to Edbxxxxx.log. (It starts at 00001 and
continues to increment using hexadecimal notation.) Since Active Directory uses circular logging, old log
files are constantly deleted, once they have been written to the database. At any point in time, you will
find the edb.log file, and maybe one or more Edbxxxxx.log files.

Res1.log and Res2.log are "placeholders" — designed to reserve (in this case) the last 20 MB of disk
space on this drive. This is designed to give the log files sufficient room for a graceful shutdown if all
other disk space is consumed.

The Edb.chk file stores the database checkpoint, which identifies the point from which the database
engine needs to replay the logs, generally at the time of recovery or initialization.

For performance reasons, the log files should be located on a different disk than the database to reduce
disk contention.

At the time of taking a backup, a new log file may be created. This log file would be deleted (like regular
old log files) due to circular logging, as stated above.
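As an added example (not part of the original compilation), the following Python sorts a directory listing of the NTDS folder into the roles described above and checks that the closed Edbxxxxx.log files form an unbroken hexadecimal sequence, which is what circular logging should leave behind. The listing is constructed; the temp.edb entry is there only to show how an unrecognised file is reported.

```python
import re

# Closed transaction logs are named Edbxxxxx.log, where xxxxx is a hexadecimal
# generation number that starts at 00001 and increments.
CLOSED_LOG_RE = re.compile(r"^edb([0-9a-f]{5})\.log$", re.IGNORECASE)


def classify_ntds_files(names):
    """Sort the files found in the NTDS folder into the roles described above."""
    roles = {
        "database": [],     # ntds.dit
        "checkpoint": [],   # edb.chk
        "current_log": [],  # edb.log, the log currently being written
        "closed_logs": [],  # Edbxxxxx.log, full logs not yet removed by circular logging
        "reserved": [],     # res1.log / res2.log, placeholders reserving disk space
        "other": [],        # anything else (reported, not classified)
    }
    for name in names:
        low = name.lower()
        if low == "ntds.dit":
            roles["database"].append(name)
        elif low == "edb.chk":
            roles["checkpoint"].append(name)
        elif low == "edb.log":
            roles["current_log"].append(name)
        elif low in ("res1.log", "res2.log"):
            roles["reserved"].append(name)
        elif CLOSED_LOG_RE.match(name):
            roles["closed_logs"].append(name)
        else:
            roles["other"].append(name)
    return roles


def closed_log_generations(names):
    """Generation numbers of the closed logs, sorted numerically. The suffix is
    hexadecimal, so edb0000a.log comes after edb00009.log, not after edb00001.log."""
    gens = []
    for name in names:
        match = CLOSED_LOG_RE.match(name)
        if match:
            gens.append(int(match.group(1), 16))
    return sorted(gens)


def find_log_gaps(names):
    """Circular logging deletes the oldest closed logs first, so the closed logs
    still on disk should be one contiguous range of generations. Returns the
    generations missing inside that range; an empty list means the sequence is intact."""
    gens = closed_log_generations(names)
    if not gens:
        return []
    present = set(gens)
    return [g for g in range(gens[0], gens[-1] + 1) if g not in present]


def next_closed_log_name(names):
    """Name edb.log will receive when it fills up: one past the highest closed
    generation (00001 if none exists), padded to five hex digits."""
    gens = closed_log_generations(names)
    nxt = gens[-1] + 1 if gens else 1
    return "edb%05x.log" % nxt


# Constructed directory listing of an NTDS folder (not taken from a real server).
SAMPLE_LISTING = [
    "ntds.dit", "edb.chk", "edb.log",
    "edb0000a.log", "edb0000b.log", "edb0000d.log",  # generation 0xc is missing
    "res1.log", "res2.log", "temp.edb",
]

if __name__ == "__main__":
    for role, files in classify_ntds_files(SAMPLE_LISTING).items():
        print(f"{role:12s} {files}")
    print("missing generations:", find_log_gaps(SAMPLE_LISTING))
    print("next closed log name:", next_closed_log_name(SAMPLE_LISTING))
```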

25. Active Directory Performance

- Real-time alerting - proactive response to conditions impacting Active Directory service quality
- Performance monitoring and reporting - degradation detection and resource capacity planning
- SLA creation, monitoring and reporting - managing Active Directory QoS in line with business
requirements
- Web-based Active Directory Enterprise Console - intuitive display and event navigation
- Event log parsing for Active Directory "error" messages with prioritized alarm generation
- Flexible alarm notification options, e.g. pager, SMS, email, cell and more
- Active Directory alarm escalation for alerts that have not been handled within a designated time
- Active Directory process monitoring with automated stop/restart options
- Active Directory service core (CPU, Disk, Memory) resource utilization monitoring
- Active Directory service edge (LDAP, DNS, DHCP) response time monitoring
- File Replication Service monitoring
- Active Directory Performance Counter monitoring
- Active Directory SLA 'rate-until-violation' calculation
- Web-based Performance, QoS and SLA Reporting

26. What are Universal Groups and Global Groups?


Universal Groups:
Groups that are used primarily to define sets of users or computers that should have wide
permissions throughout a domain or forest. Members of universal groups include accounts,
global groups, and other universal groups from any domain in the domain tree or forest.
Best Practices:
Universal groups are very useful in large enterprises where you have multiple domains. If
you plan properly, you can use universal groups to simplify system administration.
Members of universal groups shouldn't change frequently. Each time you change the
members of a universal group, you need to replicate these changes to all the global catalogs
in the domain tree or forest. To cut down on changes, assign other groups to the universal
group rather than user accounts.

Global Group:
Groups that are used primarily to define sets of users or computers in the same domain
that share a similar role, function, or job. Members of global groups can include only
accounts and groups from the domain in which they’re defined.

27. Replication of GP / SYSVOL


As Group Policy becomes more important for managing desktops and servers in Active Directory,
it makes sense that the details around Group Policy need to be understood more completely.
There are many moving parts to Group Policy, including client side extensions, ADM/ADMX files,
GPC, GPT, and much more. When a change occurs to a Group Policy object (GPO), that change
only occurs on one domain controller. Thus, the change to the GPO must be replicated to all of
the other domain controllers. This replication affects multiple replication mechanisms and can
cause odd effects if not completed properly. This article will discuss the replication of Group
Policy and what you can do to verify that all replication has occurred.

Triggering Replication

Replication is triggered when a setting in a GPO is changed. This can be any of the settings in the GPO
and with over 5000 in Windows Server 2008, there are plenty of opportunities to make changes now. A
change can occur on either the Computer Configuration side or User Configuration side of the GPO.
Either one will trigger replication to occur.

The system tracks this triggering by both the Computer and User changes for the GPO. If you look at the
details of a GPO in the Group Policy Management Console (GPMC), you will see that there is a listing of
both Computer and User version, as seen in Figure 1.

Figure 1: Details of a GPO in the GPMC show the version of both Computer and User portions of a GPO.

When a change occurs to either portion of the GPO, the version number for that portion is updated, as
can be seen in Figure 2.

Figure 2: Changes to settings in a GPO increment the version number

When a GPO is edited in the Group Policy Management Editor (GPME), the domain controller
running the PDC Emulator role is used by default. Therefore, all replication will stem from this
domain controller. If a different domain controller is selected, as can be done from the GPMC
(see Figure 3), the replication will stem from that domain controller.

Replication of the Group Policy Template

The portion of the GPO that stores the settings into one or more files is the Group Policy
Template (GPT). This portion of the GPO and the related files are stored on domain controllers
under the Sysvol. The default path for these files is
c:\Windows\Sysvol\Sysvol\<domainname>\Policies, as shown in Figure 3.

%systemroot%\SYSVOL is the folder that resides on every domain controller to store the elements of
Group Policy objects defined in Active Directory, as well as scripts such as logon scripts. A change made
to SYSVOL on one domain controller is replicated to every other domain controller by the File
Replication Service (FRS).

Every domain controller has a shared folder in its local file system that is the file system component of
Active Directory. This shared folder, named SYSVOL, contains files and folders that must be available
and synchronized between domain controllers in a domain, including:

The NETLOGON shared folder, which includes system policies and user-based logon and logoff scripts
for non-Windows Server 2003 and non-Windows 2000 network clients, such as clients running Windows
95, Windows 98, and Windows NT 4.0.

Figure 3: All GPOs store settings in files under the Sysvol on domain controllers.

The Sysvol on domain controllers is used to deliver Group Policy settings and logon scripts to clients at
logon. Since Sysvol is used for authentication of users and computers, it must be up to date on all
domain controllers. When any information is changed under the Sysvol on one domain controller, it
triggers replication of the Sysvol to all other domain controllers.

The Sysvol is replicated using the File Replication Service (FRS). FRS does not have a schedule associated
with it. FRS uses state-based replication instead. This means that as soon as there is a change to any file
under the Sysvol folder structure, replication is triggered. This creates a very efficient and fast
replication model for the GPT.

As a side note, FRS replication does not adhere to any site boundaries. Thus, replication will converge to
all of the domain controllers within only a few minutes, even to those domain controllers in remote
locations.

Note: Windows Server 2008 can use FRS or DFS-R to replicate the contents of the Sysvol.

Replication of the Group Policy Container

The Group Policy Container (GPC) portion of the GPO is stored in Active Directory. I refer to the GPC as
the glue of the GPO. There are no settings stored in the GPC, rather all of the settings that you make in a
GPO are stored in the GPT. The GPC contains all of the referential information for the GPO. This includes
the path to the GPT, including the GUID of the GPO, as well as all of the Active Directory path
information for the GPC.

You can view the GPC and its properties by accessing the Active Directory Users and Computers (ADUC).
When you open up the ADUC, you will most likely need to make a quick configuration change to see the
GPC data. To do this, click on the View from the toolbar, then select the Advanced Features menu
option, as seen in Figure 4. This will display many different details in the ADUC.

Figure 4: The Advanced Features option will display the GPC in the ADUC.

Now that you have configured the ADUC to show the GPC, expand the following nodes to see
them: <domainname>\System\Policies, as shown in Figure 5.

Figure 5: The list of GPCs can be seen under the System\Policies node.

Here you will see the full list of GUIDs that correspond to the GPCs of each GPO in the domain.

The replication of the GPC is also triggered by a change to any setting in a GPO, just like the GPT.
However, the replication of the GPC is not state-based and not based on FRS. Instead, like all other
Active Directory objects, all of the GPCs are driven by Active Directory replication.

Active Directory replication has two different replication schedules by default. There is the replication
between domain controllers that are in the same site and replication between domain controllers in
different sites.

The first replication schedule occurs every 15 seconds for domain controllers in the same site. This
interval should not be changed and is controlled by the Knowledge Consistency Checker (KCC).

The second replication schedule occurs every 3 hours by default and is controlled by the Intersite
Topology Generator (ISTG). This interval can be changed and, in most instances, should be reduced to
accommodate a schedule that gets changes to domain controllers in a timely manner. To change this
interval, you will need to modify the site link and configure the schedule. This is done in the Active
Directory Sites and Services tool, as shown in Figure 6.

Figure 6: Intersite replication can be managed and reduced from the default 3 hours.

Verifying GPO Replication

The easiest tool to use to verify that both the GPC and GPT have replicated is GPOTool. This tool is free
and very easy to use. It comes with the operating system and can be run from a command prompt. Just
type gpotool <dcname> /verbose from the command prompt, like you see in Figure 7.

Figure 7: GPOTool provides information on the convergence of both parts of the GPO.

The results of running this command will display the GPT and GPC version numbers for each GPO on the
listed domain controller.

If a portion of the GPO has not replicated to the domain controller that you are authenticating to, there
is a chance that the new settings in the GPO will not apply. Thus, if you know a GPO has been changed,
yet the settings are not being delivered, it is a good idea to verify that the GPO has replicated to the
domain controller that you are authenticating to.

Summary

Group Policy replication is controlled by two different replication mechanisms: FRS and Active Directory
replication. For Group Policy to function properly, replication must converge for both parts of the GPO,
the GPT and the GPC, so that the GPO content is up to date on all domain controllers. By using a tool
like GPOTool, you can verify that all GPO data has replicated to each domain controller.
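Added example, not from the original article and not GPOTool's own code: a Python check that does by program what GPOTool's output lets you do by eye. It decodes the combined GPO version number (high 16 bits = User Configuration, low 16 bits = Computer Configuration) from the GPC's versionNumber attribute and from the GPT's gpt.ini, then flags any domain controller where the two parts disagree or whose version lags the other DCs. The DC names, version values and gpt.ini contents are constructed.

```python
import re


def split_gpo_version(version):
    """Split the combined 32-bit GPO version into (user_version, computer_version).
    The GPC stores it in the versionNumber attribute, the GPT in gpt.ini."""
    return (version >> 16) & 0xFFFF, version & 0xFFFF


def parse_gpt_ini(text):
    """Read the Version= value from the contents of a gpt.ini file ([General] section)."""
    match = re.search(r"^\s*Version\s*=\s*(\d+)\s*$", text, re.MULTILINE | re.IGNORECASE)
    if match is None:
        raise ValueError("gpt.ini has no Version= line")
    return int(match.group(1))


def check_gpo_convergence(gpc_versions, gpt_inis):
    """Compare the GPC (Active Directory) and GPT (Sysvol) versions of one GPO as
    seen on each domain controller.

    gpc_versions: {dc_name: versionNumber read from the GPC on that DC}
    gpt_inis:     {dc_name: contents of gpt.ini read from that DC's Sysvol}
    Returns (converged, problems). converged is True only when every DC has both
    parts, both parts agree on every DC, and all DCs report the same versions."""
    problems = []
    seen = {}
    for dc in sorted(set(gpc_versions) | set(gpt_inis)):
        if dc not in gpc_versions:
            problems.append(f"{dc}: GPC not present (Active Directory replication pending)")
            continue
        if dc not in gpt_inis:
            problems.append(f"{dc}: GPT not present (Sysvol/FRS replication pending)")
            continue
        gpc = gpc_versions[dc]
        gpt = parse_gpt_ini(gpt_inis[dc])
        seen[dc] = (gpc, gpt)
        if gpc != gpt:
            # One part replicated before the other: the GPO may not apply on this DC.
            problems.append(
                f"{dc}: GPC (user, computer) = {split_gpo_version(gpc)} "
                f"but GPT (user, computer) = {split_gpo_version(gpt)}"
            )
    # Even if each DC is self-consistent, all DCs must agree with each other.
    if len({gpc for gpc, _ in seen.values()}) > 1:
        problems.append("GPC version differs between domain controllers")
    if len({gpt for _, gpt in seen.values()}) > 1:
        problems.append("GPT version differs between domain controllers")
    return (not problems), problems


# Constructed sample: DC1 is current, DC2's Sysvol lags, DC3's AD copy lags.
# 65539 = 0x00010003 -> user version 1, computer version 3.
SAMPLE_GPC = {"DC1": 65539, "DC2": 65539, "DC3": 65538}
SAMPLE_GPT = {
    "DC1": "[General]\nVersion=65539\n",
    "DC2": "[General]\nVersion=65538\n",
    "DC3": "[General]\nVersion=65538\n",
}

if __name__ == "__main__":
    converged, problems = check_gpo_convergence(SAMPLE_GPC, SAMPLE_GPT)
    print("converged:", converged)
    for line in problems:
        print(" -", line)
```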

28. What is the difference between Windows Server 2000 and Windows Server 2003?
Note: Windows Server 2003 was released as an upgrade to Windows 2000 Server. Additional
features in Windows Server 2003 include the following. Windows Server 2003 supports the
Remote Desktop feature, whereas in 2000 the Remote Desktop feature was not supported.
Windows Server 2003 includes an IIS server. That is the biggest advantage, on top of better file
system management.

One can change the domain name at any time with the help of the ntdsutil command, without
rebuilding the domain; that is not possible in 2000.

1: Windows 2000 Server gives only a 90-day trial version of Terminal Server, but Windows
Server 2003 gives a 120-day trial version.

2: A Windows Server 2003 shared folder can be accessed by only 65767 users at a time.

ID   Windows Server 2000 vs. Windows Server 2003

001  Windows Server 2000: When installing Terminal Services on Windows 2000 you are prompted to
     select either application server functions or administrative functions; both sets can be installed
     subsequently on one server, but it performs only one function at a time.
     Windows Server 2003: 2003 still distinguishes between application and administrative services,
     but installation and management are now consolidated.

002  Windows Server 2000: In Windows 2000 Server we can apply 620 group policies.
     Windows Server 2003: We can apply nearly 720, so Windows Server 2003 is more secure than
     Windows 2000 Server.

003  Windows Server 2000: Cannot rename a domain.
     Windows Server 2003: Can rename a domain.

004  Windows Server 2000: Supports 8 processors and 64 GB RAM (in 2000 Advanced Server).
     Windows Server 2003: Supports up to 64 processors and a maximum of 512 GB RAM.

005  Windows Server 2000: Supports IIS 5.0.
     Windows Server 2003: Supports IIS 6.0.

006  Windows Server 2000: Does not support .NET.
     Windows Server 2003: Supports Microsoft .NET 2.0.

007  Windows Server 2000: Has Server and Advanced Server editions.
     Windows Server 2003: Has Standard, Enterprise, Datacenter and Web Server editions.

008  Windows Server 2000: Does not have any 64-bit server operating system.
     Windows Server 2003: Has 64-bit server operating systems (Windows Server 2003 x64 Standard
     and Enterprise Edition).

009  Windows Server 2000: Has the basic concept of DFS (Distributed File System) with defined roots.
     Windows Server 2003: Has enhanced DFS support with multiple roots.

010  Windows Server 2000: Administering complex networks is complicated.
     Windows Server 2003: Administration is easy in all complex networks.

011  Windows Server 2000: We can create 1 million users.
     Windows Server 2003: We can create 1 billion users.

012  Windows Server 2000: Does not offer the Volume Shadow Copy service.
     Windows Server 2003: Has the Volume Shadow Copy service, which is used to create hard disk
     snapshots that are used in disaster recovery.

013  Windows Server 2000: No end-user policy management.
     Windows Server 2003: End-user policy management, done in the GPMC (Group Policy
     Management Console).

014  Windows Server 2000: Cross-domain trust relationships.
     Windows Server 2003: Cross-forest trust relationships.

015  Windows Server 2000: 4-node clustering.
     Windows Server 2003: 8-node clustering.

016  Windows Server 2000: No such high HCL support found.
     Windows Server 2003: High HCL support (Hardware Compatibility List) issued by Microsoft.

017  Windows Server 2000: Code name of Windows 2000 is Windows NT 5.0.
     Windows Server 2003: Code name of Windows 2003 is Windows NT 5.1.

018  Windows Server 2000: ADFS found in Windows 2000 is not robust.
     Windows Server 2003: Has a service called ADFS (Active Directory Federation Services), which
     is used to communicate between branches with safe authentication.

019  Windows Server 2000: File Server Resource Manager not robust.
     Windows Server 2003: Improved storage management using the File Server Resource Manager
     (FSRM) service.

020  Windows Server 2000: No SharePoint service found in Windows Server 2000.
     Windows Server 2003: Has a service called Windows SharePoint Services (an integrated portfolio
     of collaboration and communication services designed to connect people, information,
     processes, and systems both within and beyond the organizational firewall).

021  Windows Server 2000: Print management not robust.
     Windows Server 2003: Improved print management compared to 2000 Server.

022  Windows Server 2000: No telnet sessions available.
     Windows Server 2003: Telnet sessions available.

023  Windows Server 2000: Supports IPv4.
     Windows Server 2003: Supports IPv4 and IPv6.

29. Default policy of Windows Server 2003

The default domain policy GPO (Group Policy Object) is not complete without the
inclusion of the following vital policies, which are defined and practised as a standard under
Windows Server 2003 policies:

They are:
Password Policy: password policies that include
a) Password history
b) Minimum password length
c) Complexity of the password characters being used

http://www.microsoft.com/protect/yourself/password/checker.mspx?WT.mc_id=Banner_Password_Checker

Account Lockout Policy:
1) Determines default account lockout policies for DCs
2) Duration of lockout
3) Account lockout threshold

Kerberos Policy:
1) Determines default Kerberos policies for DCs
2) Maximum tolerance for Kerberos
3) Computer clock synchronization

30. What is Universal Group caching

Windows Server 2003 includes a new feature called universal group membership caching (UGMC) to
locally cache a user's membership in universal groups on the domain controller authenticating the user.
This can be useful in branch office scenarios where you don't want to deploy a global catalog (GC)
because of the extra WAN traffic that the GC needs to replicate with other domain controllers in the
domain. The cached membership for UGMC is then refreshed every 8 hours to keep it up to date.

UGMC is enabled on a per-site basis in AD as follows: Open Active Directory Sites and Services, expand
the Sites node and select the site where you want to enable UGMC, right-click NTDS Site Settings, select
Properties, and select the Enable Universal Group Membership Caching check box. Then under Refresh
cache from click a different site from which the selected site will refresh its UG membership cache.

If UGMC can speed logons at remote sites then it sounds like a good idea. But when is it better to simply
deploy a GC at the remote office instead?

1. When you have lots of WAN bandwidth available
2. When the membership of universal groups frequently changes
3. When you have Exchange Server deployed at the remote site
4. When the branch office and headquarters both belong to the same AD site.

If any of these is true, it's best if you simply make one of the domain controllers at your remote office a
global catalog server.
31. What is the Group Policy processing order?
Local GPO
Site (GPO linked)
Domain (GPO linked)
Organizational Units (OUs)

32. Domain trust and forest trust

- Trust Scenarios
- Technologies Related to Trusts

Most organizations that have more than one domain have a legitimate need for users to access shared
resources located in a different domain. Controlling this access requires that users in one domain can
also be authenticated and authorized to use resources in another domain. To provide authentication
and authorization capabilities between clients and servers in different domains, there must be a trust
between the two domains. Trusts are the underlying technology by which secured Active Directory
communications occur, and are an integral security component of the Windows Server 2003 network
architecture.

When a trust exists between two domains, the authentication mechanisms for each domain trust the
authentications coming from the other domain. Trusts help provide for controlled access to shared
resources in a resource domain (the trusting domain) by verifying that incoming authentication requests
come from a trusted authority (the trusted domain). In this way, trusts act as bridges that allow only
validated authentication requests to travel between domains.

How a specific trust passes authentication requests depends on how it is configured; trust relationships
can be one-way, providing access from the trusted domain to resources in the trusting domain, or
two-way, providing access from each domain to resources in the other domain. Trusts are also either
nontransitive, in which case trust exists only between the two trust partner domains, or transitive, in
which case trust automatically extends to any other domains that either of the partners trusts.

In some cases, trust relationships are automatically established when domains are created; in other
cases, administrators must choose a type of trust and explicitly establish the appropriate relationships.
The specific types of trusts used and the structure of the resulting trust relationships in a given trust
implementation depend on such factors as how the Active Directory directory service is organized, and
whether different versions of Windows coexist on the network.

Trust Scenarios

It is possible to create a number of different domain and forest trust configurations, depending on the
Active Directory structure of the organization. Windows Server 2003 domains and forests can trust
other Windows Server 2003 domains and forests, as well as Windows 2000 and Windows NT 4.0
domains. For example, trust configurations vary in nature and complexity in each of the following
scenarios:

Trusts within a single Windows 2000 Server or Windows Server 2003 forest

By default, all domain trusts within a single Active Directory forest are two-way, transitive trusts. There
are three types of transitive trusts that are used within a single Windows 2000 Server or Windows
Server 2003 forest. The first is the tree-root trust, which is created by default when you create a new
domain tree by using the Active Directory Installation Wizard. The two-way transitive nature of
intra-forest trusts such as the tree-root trust allows all domains in one tree to trust all domains in any
other tree within the same forest.

The second type of trust is a parent-child trust. It is created automatically when you create a new
domain in an existing domain tree by using the Active Directory Installation Wizard. When a new child
domain is created, a parent-child trust is established between the new domain and the domain that
immediately precedes it in the namespace hierarchy.

The last type of trust that can be used between trees is a shortcut trust, and is used to speed up access
times to resources in a domain that is deep within the tree hierarchy of another domain.

Trusts between two Windows Server 2003 forests

It is possible to extend the transitivity of domain trusts within a single Windows Server 2003 forest to
another Windows Server 2003 forest by manually creating a one-way or two-way forest trust. A forest
trust is a transitive trust between a forest root domain and a second forest root domain. A one-way
forest trust allows all users in one forest to trust all domains in the other forest; a two-way forest trust
forms a transitive trust relationship between every domain in both forests. The transitivity of forest
trusts is limited to the two forest partners; the forest trust does not extend to additional forests trusted
by either of the partners.

Trusts across Windows Server 2003 and Windows 2000 forests

Windows Server 2003 forest trusts cannot be created between a Windows Server 2003 forest and a
Windows 2000 forest. You can, however, manually create a trust relationship between any domain in a
Windows Server 2003 forest and any domain in a Windows 2000 forest by using one-way or two-way
external trusts. External trusts are nontransitive and provide for access to resources in another domain
outside the forest that is not already joined by a forest trust.

Trusts between Windows Server 2003 or Windows 2000 domains and Windows NT 4.0 domains

You can manually create a one-way or two-way external trust between Windows Server 2003 or
Windows 2000 domains and Windows NT 4.0 domains so that users from either domain can be
authenticated to access resources in the other domain.

Trusts between Windows 2000 or Windows Server 2003 domains and non-Windows Kerberos realms

Windows 2000 or Windows Server 2003 domains can be configured to trust non-Windows-brand
operating system Kerberos realms, and non-Windows Kerberos realms can be configured to trust
Windows Server 2003 domains by manually creating one-way or two-way realm trusts. Realm trusts can
also be configured to be either nontransitive or transitive, depending on the level of interoperability you
require with UNIX or Massachusetts Institute of Technology implementations of the Kerberos version 5
protocol.

When the direction of a one-way trust is from a non-Windows Kerberos realm to a Windows
Server 2003 domain, the user in the Windows Server 2003 domain can access resources in the
non-Windows Kerberos realm. When the direction of trust is from a Windows Server 2003 domain to a
non-Windows Kerberos realm, users in the non-Windows Kerberos realm can access the resources in the
Windows Server 2003 domain.
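Added example (not from the original material): a small Python model of the trust rules in this section that decides whether a user whose account is in one domain can be authenticated to a resource in another. Each trust is one direction (the trusting domain accepts authentication requests from the trusted domain); a direct trust of any type is enough, otherwise only transitive trusts chain, and a path may contain at most one forest trust because a forest trust does not extend to further forests trusted by either partner. The domain names and topology are constructed.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    """One direction of a trust: the trusting (resource) domain accepts
    authentication requests that come from the trusted (account) domain."""
    trusting: str
    trusted: str
    kind: str         # "parent-child", "tree-root", "shortcut", "forest", "external", "realm"
    transitive: bool  # external trusts are nontransitive; realm trusts may be either


def two_way(a, b, kind, transitive=True):
    """A two-way trust is simply a pair of one-way trusts."""
    return [Trust(a, b, kind, transitive), Trust(b, a, kind, transitive)]


def can_authenticate(trusts, account_domain, resource_domain):
    """True if a user from account_domain can be authenticated to a resource in
    resource_domain, following the trust rules described in this section."""
    if account_domain == resource_domain:
        return True
    outgoing = {}
    for t in trusts:
        outgoing.setdefault(t.trusting, []).append(t)

    # A direct trust of any kind (even a nontransitive external trust) is enough.
    if any(t.trusted == account_domain for t in outgoing.get(resource_domain, [])):
        return True

    # Otherwise walk outward from the resource domain over transitive trusts only,
    # tracking how many forest trusts the path has crossed (at most one allowed).
    start = (resource_domain, 0)
    seen = {start}
    queue = deque([start])
    while queue:
        domain, forest_hops = queue.popleft()
        for t in outgoing.get(domain, []):
            if not t.transitive:
                continue
            hops = forest_hops + (1 if t.kind == "forest" else 0)
            if hops > 1:
                continue
            if t.trusted == account_domain:
                return True
            state = (t.trusted, hops)
            if state not in seen:
                seen.add(state)
                queue.append(state)
    return False


# Constructed topology (illustrative names, not a real deployment):
SAMPLE_TRUSTS = (
    # Forest 1: contoso.com root, child sales.contoso.com, second tree fabrikam.net
    two_way("contoso.com", "sales.contoso.com", "parent-child")
    + two_way("contoso.com", "fabrikam.net", "tree-root")
    # Forest 2: adatum.com root with child eu.adatum.com
    + two_way("adatum.com", "eu.adatum.com", "parent-child")
    # One-way forest trust: contoso.com's forest trusts adatum.com's forest
    + [Trust("contoso.com", "adatum.com", "forest", True)]
    # Forest 3 (northwind.com) is trusted by adatum.com via a second forest trust
    + [Trust("adatum.com", "northwind.com", "forest", True)]
    # Nontransitive external trust from sales.contoso.com to an NT 4.0 domain
    + [Trust("sales.contoso.com", "LEGACY", "external", False)]
)

if __name__ == "__main__":
    checks = [
        ("sales.contoso.com", "fabrikam.net"),   # tree-root + parent-child chain
        ("eu.adatum.com", "sales.contoso.com"),  # crosses the one forest trust
        ("sales.contoso.com", "adatum.com"),     # wrong direction for one-way trust
        ("LEGACY", "sales.contoso.com"),         # direct external trust
        ("LEGACY", "contoso.com"),               # external trust is nontransitive
        ("northwind.com", "contoso.com"),        # would need two forest trusts
    ]
    for account, resource in checks:
        print(f"{account:18s} -> {resource:18s}: {can_authenticate(SAMPLE_TRUSTS, account, resource)}")
```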

Technologies Related to Trusts

Trusts depend on the NTLM and Kerberos authentication protocols and on Windows-based
authorization and access control mechanisms to help provide a secured communications infrastructure
across Active Directory domains and forests. The following diagram illustrates how authentication and
authorization technologies relate to trusts and other components of the Windows distributed security
model.

Trusts and the Windows Distributed Security Model

Applications and Net Logon

Both applications and the Net Logon service are components of the Windows distributed security
channel model. Applications integrated with Windows Server 2003 and Active Directory use
authentication protocols to communicate with the Net Logon service so that a secured path can be
established over which authentication can occur.

Authentication Protocols

Active Directory domain controllers authenticate users and applications by using one of two protocols:
either the Kerberos version 5 authentication protocol or the NTLM authentication protocol. When two
Active Directory domains or forests are connected by a trust, authentication requests made using these
protocols can be routed to provide access to resources in both forests.

NTLM

The NTLM protocol is the default protocol used for network authentication in the Windows NT 4.0
operating system. For compatibility reasons, it is used by Active Directory domains to process network
authentication requests that come from earlier Windows-based clients and servers. Computers running
Windows 2000, Windows XP or Windows Server 2003 use NTLM only when authenticating to servers
running Windows NT 4.0 and when accessing resources in Windows NT 4.0 domains.

When the NTLM protocol is used between a client and a server, the server must contact a domain
authentication service on a domain controller to verify the client credentials. The server authenticates
the client by forwarding the client credentials to a domain controller in the client account domain. The
authentication protocol of choice for Active Directory authentication requests, when there is a choice, is
Kerberos version 5. When the Kerberos protocol is used, the server does not have to contact the
domain controller. Instead, the client gets a ticket for a server by requesting one from a domain
controller in the server account domain; the server validates the ticket without consulting any other
authority.

Kerberos Version 5 Protocol

The Kerberos version 5 protocol is the default authentication protocol used by computers running
Windows 2000, Windows XP Professional, or Windows Server 2003. This protocol is specified in RFC
1510 and is fully integrated with Active Directory, server message block (SMB), HTTP, and remote
procedure call (RPC), as well as the client and server applications that use these protocols. In Active
Directory domains, the Kerberos protocol is used to authenticate logons when any of the following
conditions is true:

• The user who is logging on uses a security account in an Active Directory domain.
• The computer that is being logged on to is a Windows 2000, Windows XP or Windows
Server 2003–based computer.
• The computer that is being logged on to is joined to an Active Directory domain.
• The computer account and the user account are in the same forest.
• The computer from which the user is trying to access resources is located in a non-Windows
Kerberos realm.

If any computer involved in a transaction does not support the Kerberos version 5 protocol, the NTLM
protocol is used.
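One way to see which of the two protocols is actually being used on a domain controller is to read the Security log. The script below is an added example, not part of the original document: it tallies successful logons by authentication package and lists the workstations that still negotiated NTLM, which is how a defender finds the down-level clients and servers the text describes. It assumes the Windows Server 2003 Security log format, in which a successful logon is event 528 (interactive) or 540 (network) and the event text carries "Authentication Package:" and "Workstation Name:" fields.

```powershell
# Added example, not from the original document: count which authentication
# package handled recent successful logons on a Windows Server 2003 domain
# controller, so that clients still negotiating NTLM can be found and upgraded.
# Assumes the Windows Server 2003 Security log format (events 528 and 540).

function Get-AuthPackageSummary {
    param([int]$Newest = 5000)   # how many of the most recent Security events to read

    $byPackage = @{}             # package name -> logon count
    $ntlmSources = @{}           # workstation names that still used NTLM

    Get-EventLog -LogName Security -Newest $Newest |
        Where-Object { $_.EventID -eq 528 -or $_.EventID -eq 540 } |
        ForEach-Object {
            if ($_.Message -match 'Authentication Package:\s*(\S+)') {
                $pkg = $matches[1]
                if (-not $byPackage.ContainsKey($pkg)) { $byPackage[$pkg] = 0 }
                $byPackage[$pkg]++

                # Record where NTLM logons came from; these are the legacy
                # clients or servers that Kerberos could not be used with.
                if ($pkg -eq 'NTLM' -and $_.Message -match 'Workstation Name:\s*(\S+)') {
                    $ntlmSources[$matches[1]] = $true
                }
            }
        }

    @{
        Packages    = $byPackage
        NtlmSources = @($ntlmSources.Keys | Sort-Object)
    }
}

# Usage (run as an administrator on the domain controller):
#   $r = Get-AuthPackageSummary
#   $r.Packages      # e.g. Kerberos vs NTLM counts
#   $r.NtlmSources   # workstations to investigate
```

Run it on each domain controller, since every DC keeps its own Security log; a workstation that appears under NtlmSources while running Windows 2000 or later usually means it is authenticating by IP address or to a Windows NT 4.0 resource rather than by a name the KDC can issue a ticket for.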

Authorization and Access Control

Authorization and trust technologies work together to help provide a secured communications
infrastructure across Active Directory domains or forests. Authorization determines what level of access
a user has to resources in a domain. Trusts facilitate cross-domain authorization of users by providing a
path for authenticating users in other domains so their requests to shared resources in those domains
can be authorized.

Once an authentication request made to a resource in a trusting domain is validated by the trusted
domain, it is passed to the targeted resource computer, which determines, based on its access control
configuration, whether to authorize the specific request made by the user, service, or computer in the
trusted domain. In this way, trusts provide the mechanism by which validated authentication requests
are passed to a trusting domain, while access control mechanisms on the resource computer determine
the final level of access granted to the requestor in the trusted domain.

Note

• “Access to resources” in any discussion of trust relationships always assumes the limitations of
access control.

33. How do you force GPUpdate on Windows 2003 and Windows 2000?

Forcing Group Policy


The flipside of blocking Group Policy is to ensure that a GPO is not blocked at a lower level, also known
as forcing Group Policy. The idea here is that a domain-level administrator may need to ensure that
certain corporate requirements are always met and cannot be modified by an administrator at the
OU level. An example of this is the installation of antivirus software on all computers in the company or
the requirement that all computers have common desktop wallpaper. To do this, an administrator at a
higher level in Active Directory would create a GPO and configure it with the No Override option to
ensure its settings are never modified by lower-level GPOs. In essence, this means that if the same
setting is configured in a GPO at a lower-level OU, the OU setting is ignored and the higher-level setting
always wins.

Forcing Group Policy


1. From the Administrative Tools program group, start Active Directory Users And
Computers for your domain.
2. In Active Directory Users And Computers, right-click the domain name, and
select Properties.
3. On the domain Properties page, click the Group Policy tab.
4. Click a GPO whose settings you want to always apply (Default Domain Policy,
for example), and then click Options.
5. In the GPO Options dialog box, check the No Override check box, and then
click OK.
6. Click Apply, and then OK to save your settings.
7. Close Active Directory Users And Computers.

When deciding whether to force a GPO to lower levels, always make sure this is the best way of
accomplishing your goals. When a GPO is forced, its settings override all lower-level settings whether or
not they have been changed at the lower-level container.

There could be unexpected results if users or computers within an OU need to have some settings vary
from the corporate standard for valid reasons. Always ask yourself two questions: “Do all containers
below this level have to have these settings?” and “Should lower-level administrators be able to change
these settings?” If the answer to the first question is “Yes,” then you might want to consider forcing the
GPO. If the answer to the second question is “Yes,” then you might want to reconsider forcing the GPO.
An answer of “Yes” to the first question and of “No” to the second will mean that forcing the GPO is the
best route at that particular point in time.
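The procedure above is performed in the console; the question itself asks how the refreshed policy is forced onto a machine. The following is an added example, not part of the original document: it refreshes computer policy on a Windows Server 2003 or Windows XP member and checks whether a given GPO appears in the applied set, using the built-in gpupdate and gpresult tools. The GPO name 'Corp Baseline' is hypothetical. Windows 2000 has no gpupdate; there the equivalent refresh is secedit /refreshpolicy machine_policy /enforce.

```powershell
# Added example, not from the original document: force a Group Policy refresh
# and confirm that a domain-level GPO (marked No Override) was applied to this
# computer. Requires Windows XP / Windows Server 2003 (gpupdate, gpresult).
# The GPO name below is a hypothetical placeholder.

function Test-GpoApplied {
    param([string]$GpoName = 'Corp Baseline')

    # /force reapplies every setting, not only those changed since the last refresh.
    & gpupdate.exe /target:computer /force | Out-Null

    # /scope computer /v prints the Resultant Set of Policy for the computer,
    # including the "Applied Group Policy Objects" section.
    $rsop = & gpresult.exe /scope computer /v

    # True when the GPO name occurs anywhere in the applied-policy listing.
    $hit = $rsop | Select-String -Pattern ([regex]::Escape($GpoName)) -SimpleMatch:$false
    [bool]$hit
}

# Usage: Test-GpoApplied -GpoName 'Corp Baseline'
```

If the function returns False after a No Override GPO was set at the domain level, the usual causes are replication not having reached the domain controller the client used, or a security-filtering entry on the GPO that excludes the computer; neither is affected by blocking at the OU level, which No Override defeats.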

34. What are the Exchange Server 2007 licences?

Exchange Server 2007 Licensing
Licensing Modes
Exchange Server is licensed in the Server / Client Access License (CAL) model. Under this
model, an Exchange Server license is required for each operating system environment
running Exchange Server. A CAL is required for each user or device accessing Exchange
Server.

Server and Client Access License Editions

Exchange Server 2007 is offered in two server editions:

• Standard Edition
• Enterprise Edition

Exchange Server 2007 is also offered in two CAL editions:

• Standard CAL
• Enterprise CAL

Either version of the CAL may be run against either version of the server.
To learn more about the server and CAL editions, see Exchange Server 2007 Editions and
Client Access Licenses.
The Exchange Server Standard and Exchange Server Enterprise CAL licenses are also
included in the Enterprise CAL Suite.

35. What are the different versions of Exchange Server 2007?


Exchange Server 2007 Editions

Exchange Server 2007 is offered in two server editions: Standard Edition and Enterprise
Edition.

Exchange Server 2007 Standard Edition is designed to meet the messaging and
collaboration needs of small and medium corporations; it may also be appropriate for
specific server roles or branch offices.

Exchange Server 2007 Enterprise Edition, designed for large enterprise corporations,
enables creation of multiple storage groups and databases.

36. Hub Transport Server and Edge Transport Server

The Hub Transport Server Role


The Hub Transport server role is a part of Exchange Server 2007’s internal messaging topology,
responsible for transferring mail and applying policies to messages en route to their destination.
Direct comparisons with Exchange Server 2000/2003’s Bridgehead Server role are inevitable and
not completely out of place. However, the HT performs a number of additional functions besides
simply transferring messages.

Before going any further, it’s essential that you clearly understand one important behaviour of
mail flow in Exchange Server 2007: Every e-mail message encounters at least one Hub Transport
server in its lifetime. Here’s a simplified recap of Exchange Server 2007 message routing
functionality:

• Messages between different Active Directory (AD) sites are sent from the source mailbox server
to a Hub Transport server in the same site. The HT server routes the message to an HT server in
the destination site, which delivers the message to the destination mailbox server.

• Messages to recipients in the same AD site are sent from the source mailbox server to an HT server
in the same site, which routes messages to the destination mailbox server. In other words, two
mailbox servers do not talk to each other directly, unlike in previous versions of Exchange.

• If a message is sent to a mailbox residing on the same mailbox server as the sender, the message
still hops through an HT server before making its way back to the mailbox server. (This is an
important part of our message routing recap.)

The Edge Transport Server Role


The Edge Transport server role is a new member of the Exchange messaging topology. It routes
messages between the Exchange organization and external mail systems. As such, it is meant to be a
mail gateway, in many ways similar to non-Exchange Message Transfer Agents (MTAs) such as
Sendmail and Postfix, or appliances from vendors such as IronPort and Barracuda that serve as mail
gateways in many organizations. Unlike other Exchange server roles that are designed to be domain-
joined members of the Exchange organization, the Edge is designed to be a standalone server.
Additionally, it is designed to be located in perimeter networks, also known as DMZs (demilitarized
zones), a term used for network segments located between an external or Internet-facing firewall and
the internal firewall. This allays some of the fears of security departments about exposing Windows
domain servers to the Internet and locating member servers in perimeter networks. Nevertheless, the
Edge server role can be installed on member servers and located behind firewalls on the internal
network, if required.

Unlike its internal counterpart (the Hub Transport server role), the ET is not a required server role. An
organization can expose its internal Hub Transport servers to the Internet, allowing these to directly
receive and send external/Internet e-mail. Alternatively, it can continue to use non-Exchange MTAs,
such as those mentioned earlier, as its mail gateways for inbound mail and deliver the mail to Hub
Transport servers. Whether an ET server becomes a part of your messaging topology will be
determined by a number of factors. Unlike the HT role, Exchange does not make it mandatory that you
have an Edge Transport server deployed.

Comparing the Hub and Edge Transport Server Roles


Conversations about Hub Transport and Edge Transport server roles often end up in a discussion about
the differences between the two roles. Although the general design decisions made by the Exchange
product team have been communicated often on the Microsoft website and the Exchange team blog
(msexchangeteam.com), a brief feature-by-feature comparison of each is in order so that you can
clearly understand what one gains by deploying the Edge Transport server role—or as is often a topic of
such discussions, what features are unavailable when one does not deploy the Edge Transport server role.

• Transport rules on the Hub and Edge Transport servers: Besides the general design considerations,
one of the more important differences that do not get as much airplay is the difference in the transport
rules functionality. Whereas both the Edge Transport and the Hub Transport can apply transport rules
to messages in transit, the Edge Transport server does not have access to Active Directory domain
controllers (DCs)/Global Catalog servers that the Hub Transport servers benefit from. This restricts its
ability to apply the kind of transport rules that can require Active Directory access, such as rules based
on an Exchange recipient or its membership in distribution lists. Instead, the Edge Transport can only
use SMTP e-mail addresses. Overall, the transport rules available to the Edge Transport server are for
the most part a subset of those available to its domain-joined counterpart—the Hub Transport server.
Additionally, the Edge Transport server can use transport rules to deliver messages to the spam
quarantine mailbox and to drop SMTP connections.

• Transport agents: The Hub and Edge Transport servers also have a small number of distinct transport
agents exclusive to them. The Hub Transport sports the Journaling agent and AD Rights Management
Services Pre-licensing agent. The Edge Transport has the Attachment Filtering agent and Address
Rewriting (Inbound and Outbound) agents. Transport rules are applied by the Transport Rule agent on
the Hub Transport and by the Edge Rule agent on the Edge Transport server.

Feature                                                            Hub Transport   Edge Transport
-----------------------------------------------------------------  -------------   --------------
Required server role                                               Yes             No
Coexists with other Exchange Server 2007 server roles (1)          Yes             No
Designed to work in perimeter networks (a.k.a. “DMZs”) (2)         No              Yes
Designed to work as a standalone (not a domain-joined) server (3)  No              Yes
Requires Active Directory Application Mode (ADAM)                  No              Yes
Can send/receive Internet mail                                     Yes             Yes
Anti-spam agents (4)                                               Yes             Yes
Safelist Aggregation                                               Yes             Yes
Attachment Filtering agent                                         No              Yes
Address Rewriting (Inbound and Outbound) agents                    No              Yes
Journaling agent                                                   Yes             No
AD RMS Pre-licensing agent                                         Yes             No
Number of transport rule conditions (a.k.a. “predicates”)          26              13
Transport rules based on Active Directory objects such as          Yes             No
  recipients and distribution groups
Transport rules to apply message classification                    Yes             No
Transport rules to apply disclaimers                               Yes             No
Transport rules to deliver messages to the spam quarantine         No              Yes
  mailbox
Transport rules to drop a connection                               No              Yes
Sharing of SMTP address spaces (internal relay domains) (5)        Yes             No

1. The Hub Transport server coexists with the Client Access Server (CAS), Unified Messaging, and Mailbox Server
roles, with the exception of the Clustered Mailbox Server (CMS).
2. The Edge Transport server is designed to work in perimeter networks (DMZs), but can be deployed on internal
networks as well.
3. The Edge Transport server role is designed to be deployed on standalone servers that are not part of an Active
Directory domain, but can be deployed on member servers.
4. The Hub Transport server role does not have anti-spam agents installed by default. These can be installed using
the install-AntispamAgents.ps1 script in the “Exchange Server\Scripts” folder.

5. Note: Sharing SMTP address spaces is not a feature as such, but the capability to share address spaces requires
a Hub Transport server. It’s something the Edge Transport server cannot do because it requires access to Active
Directory to look up recipients.
TABLE 7-1 A Comparison of the Features of the Hub Transport and Edge Transport Server Roles (Continued)
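The differences in the table can be verified on a live server rather than taken on trust. The script below is an added example, not part of the original document or of Exchange itself: run in the Exchange Management Shell on a Hub Transport and again on an Edge Transport, it lists the registered transport agents, counts the transport rule predicates, and reports whether the anti-spam agents are present, and it shows the install-AntispamAgents.ps1 step from footnote 4. The Scripts folder path is the default Exchange 2007 install location and is an assumption.

```powershell
# Added example, not from the original document: inventory what the local
# transport server can do, using Exchange 2007 Management Shell cmdlets, so the
# Hub/Edge differences in the table above can be checked on a real server.
# Assumes the default Exchange 2007 install path for the Scripts folder.

function Get-TransportRoleInventory {
    # Agents registered on this server: the Journaling agent appears only on a
    # Hub Transport, the Attachment Filtering agent only on an Edge Transport.
    $agents = @(Get-TransportAgent)

    # Transport rule conditions ("predicates") offered on this role:
    # 26 on a Hub Transport, 13 on an Edge Transport (see the table).
    $predicates = @(Get-TransportRulePredicate)

    # Anti-spam agents exist on an Edge by default and on a Hub only after
    # install-AntispamAgents.ps1 has been run (table footnote 4).
    $antispam = @($agents | Where-Object { $_.Identity -eq 'Content Filter Agent' })

    @{
        Server            = $env:COMPUTERNAME
        AgentNames        = @($agents | ForEach-Object { $_.Identity })
        PredicateCount    = $predicates.Count
        AntispamInstalled = ($antispam.Count -gt 0)
    }
}

function Install-HubAntispamAgents {
    param([string]$ScriptsPath = 'C:\Program Files\Microsoft\Exchange Server\Scripts')

    # Registers the anti-spam agents on a Hub Transport server; the transport
    # service must be restarted before the new agents are loaded.
    & (Join-Path $ScriptsPath 'install-AntispamAgents.ps1')
    Restart-Service MSExchangeTransport
}

# Usage: $inv = Get-TransportRoleInventory; $inv.AgentNames; $inv.PredicateCount
```

Comparing AgentNames from both roles side by side reproduces the agent rows of the table; PredicateCount is the quickest way to confirm which rule set (Transport Rule agent or Edge Rule agent) the server is running, since the Edge exposes only the subset that needs no Active Directory lookup.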

37. Enterprise Exchange CAL and Standard Exchange CAL


Exchange Server 2007 Client Access Licenses

Exchange Server 2007 is offered in two client access license (CAL) editions: Standard CAL
and Enterprise CAL.

The Exchange Server Standard CAL provides access to e-mail, shared calendaring and
Outlook Web Access (OWA). In addition you will get advancements that reduce the cost and
complexity of the messaging system by giving IT Administrators the messaging protection
their company demands, the anywhere access their end users want and the reliability they
need.

The Exchange Server Enterprise CAL is an additive CAL and requires that a Standard CAL is
also purchased for each user or device. The Exchange Server Enterprise CAL provides access
to Unified Messaging and advanced compliance, as well as Forefront Security for Exchange
Server and Exchange Hosted Filtering for onsite and hosted antivirus and anti-spam
protection.

A CAL is required for each user or device (depending on the license) accessing the server.
Either version of the CAL may be run against either version of the server.

38. Why are routing groups not used in Exchange Server 2007?


• No more routing groups (except for legacy purposes)
• No more routing group connectors (except for legacy purposes)
• Uses AD sites and site links instead
• Uses least cost routing with no more rerouting over an alternate path (rely on network layer's OSPF
capabilities to do that for us; more diagnosable due to being deterministic)
• Queue closest to point of failure (back-off)
• Improved bifurcation algorithm

Use the Exchange Management Shell to set an Exchange cost on an Active Directory directory service IP
site link in Microsoft Exchange Server 2007. By default, Microsoft Exchange uses the cost assigned to an
IP site link for Active Directory replication purposes to compute a routing topology. The existing IP site
link costs should work well for Exchange 2007 message routing because Active Directory IP site link costs
are based on relative network speed compared to all network connections in the WAN and are designed to
produce a reliable and efficient replication topology. However, if after you document the existing
Active Directory site and IP site link topology, you determine that the Active Directory site link costs and
network traffic flow patterns are not optimal for Exchange 2007, you can make adjustments to the costs
that are used by Exchange routing. An Exchange administrator cannot and should not use
Active Directory tools to modify the cost that is assigned to the IP site link. Instead, use the
Set-ADSiteLink cmdlet in the Exchange Management Shell to assign an Exchange-specific cost to the IP site
link.

When an Exchange-specific cost is assigned to an IP site link, the Exchange cost effectively overrides the
Active Directory cost for message routing only, and routing only considers the Exchange cost when it
evaluates the least cost routing path.

To force relay of all message delivery through a hub site, you may find adjusting IP site link costs useful.
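The two adjustments described above, as an added example that is not part of the original document: record the site link's Active Directory cost, assign an Exchange-specific cost with Set-AdSiteLink, and mark a site as a hub site with Set-AdSite so that mail crossing the link relays through it. The site link name 'DEFAULTIPSITELINK' and the site name 'HQ-Site' are hypothetical placeholders; the cmdlets and the -ExchangeCost and -HubSiteEnabled parameters are the Exchange 2007 ones.

```powershell
# Added example, not from the original document: give an IP site link an
# Exchange-specific routing cost and make a site a hub site, using Exchange 2007
# Management Shell cmdlets. Site link and site names are hypothetical.

function Set-ExchangeRoutingCosts {
    param(
        [string]$SiteLink     = 'DEFAULTIPSITELINK',   # hypothetical link name
        [int]$ExchangeCost    = 50,
        [string]$HubSite      = 'HQ-Site'              # hypothetical hub site
    )

    # 1. Capture the current state so the change is documented and reversible.
    #    Cost is the AD replication cost; ExchangeCost is the routing override.
    $before = Get-AdSiteLink -Identity $SiteLink | Select-Object Name, Cost, ExchangeCost

    # 2. Set the Exchange cost. The AD cost is left untouched, so replication
    #    topology is unaffected; routing now considers only ExchangeCost.
    Set-AdSiteLink -Identity $SiteLink -ExchangeCost $ExchangeCost

    # 3. Force messages whose least-cost path crosses this site to be
    #    relayed through a Hub Transport server in the hub site.
    Set-AdSite -Identity $HubSite -HubSiteEnabled $true

    # 4. Return before/after for the change record.
    @{
        Before = $before
        After  = (Get-AdSiteLink -Identity $SiteLink | Select-Object Name, Cost, ExchangeCost)
    }
}

# Usage: Set-ExchangeRoutingCosts -SiteLink 'DEFAULTIPSITELINK' -ExchangeCost 50 -HubSite 'HQ-Site'
# To remove the override again: Set-AdSiteLink -Identity 'DEFAULTIPSITELINK' -ExchangeCost $null
```

A hub site is only honoured when it already lies on the least-cost path between source and destination, which is why the two settings are usually adjusted together: the Exchange cost shapes the least-cost path, and the hub site flag makes the Hub Transport servers in that site the relay point along it.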

39. What will you do if the Client Access Server is not available on the Internet?
Check out these articles:
http://technet.microsoft.com/en-us/library/bb310763.aspx
http://msexchangeteam.com/archive/2007/09/04/446918.aspx
http://msexchangeteam.com/archive/2007/09/10/446957.aspx
http://msexchangeteam.com/archive/2007/10/12/447266.aspx

40. What steps do you take to upgrade Exchange Server 2000 to Exchange Server 2003?

Step-by-Step: Migrating Exchange 2000 to Exchange 2003 Using New Hardware

Migrate
your mail system from Exchange 2000 Server running on a Windows 2000 Server system to
a new server running Exchange Server 2003 on Windows Server 2003. This scenario will
take you through all Exchange-related issues from adding your first Windows Server 2003
system to unplugging your old Exchange 2000 system when finished.

If you simply want to do an in-place upgrade of Exchange 2000 to Exchange 2003 using the
same server, you’ve got it made – Microsoft has explained the process of upgrading and made
it pretty simple. Even if you’re still using Exchange v5.5, Microsoft has you covered with a
wealth of documentation to peruse. But what if you’re an Exchange 2000 organization that
wants to bring in a new Exchange 2003 system alongside your existing machine, move all your
content over to it, and decommission the original box? Then you’re left scratching your head.
At the time of this writing, there is no guide I’ve been able to find that explains the process
with any detail.

This document will explain the process, combining information from numerous sources as well
as my own experience. It’s very easy to bring Exchange Server 2003 into your Exchange 2000
organization, with minimal disruption to your existing server or your users. This document
assumes you have an Exchange 2000 organization running in native mode.

Henceforth, the Exchange 2000 system will be referred to as the “old” server, and the Exchange
2003 system will be referred to as the “new” server.

I. Prepare your Network for Windows Server 2003

Regardless of how you intend to get to Exchange 2003, there are some basic steps that must be
done.

1. Begin by reviewing Microsoft’s 314649 – “Windows Server 2003 adprep /forestprep
Command Causes Mangled Attributes in Windows 2000 Forests That Contain Exchange 2000
Servers” This article explains that if you have Exchange 2000 installed in your organization,
and you proceed with installing your first Windows Server 2003 system (and its
accompanying schema modifications), you may end up with some mangled attributes in AD.
Preventing this from happening is simple enough: a script called Inetorgpersonfix.ldf will do
the trick.

2. Run adprep /forestprep from Windows Server 2003 CD on your Windows 2000 server that
holds the Schema master FSMO role. (Of course you’ll need to be a member of Schema
Admins). Be sure to replicate the changes throughout the forest before proceeding.

3. Run adprep /domainprep from Windows Server 2003 CD on your Windows 2000 server. I
ran it on the system holding the PDC Emulator FSMO role.

4. Before bringing a new Windows Server 2003 system online, it’s a good idea to review your
third-party server utilities and upgrade them to the latest versions to ensure compatibility.
In my installation, this included the latest versions of BackupExec, Symantec Antivirus Corp.
Edition, and Diskeeper.

5. Run setup /forestprep from the Exchange Server 2003 CD on the Windows 2000 server that
holds the Schema master FSMO role. Replicate the changes throughout the forest.

6. Run setup /domainprep from the Exchange Server 2003 CD on a Windows 2000 server.
Again, I ran it on the system holding the PDC Emulator role.

II. Install Windows Server 2003

1. Install Windows Server 2003 on the new server, join it to the domain, then apply all
hotfixes to the server to bring it up to date.

2. In AD, move the server object to the desired OU.

3. If you’re paranoid like me, you may be tempted to install antivirus (AV) software on your
new server at the earliest opportunity. Hold off on that for now.

4. Review Microsoft’s 815372 – “How to optimize memory usage in Exchange Server 2003”
which explains a number of settings required for Exchange Server 2003. Specifically, you
may need to add the /3GB and /userva=3030 switches to boot.ini, or you will have event
9665 in the event log. I also had to change the HeapDeCommitFreeBlockThreshold value in
the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
Manager\ to 0x00040000 as directed in the article.

5. Review Microsoft’s 831464 – “FIX: IIS 6.0 compression corruption causes access violations”.
I obtained the fix from Microsoft, and you should do the same, as it fixes some nasties that
may interfere with OWA.
III. Install Exchange Server 2003

1. If you have installed any AV software on the new server, stop all AV-related services
now, or you may experience a failed Exchange installation as I did.

2. Download the latest copy of the Exchange Server 2003 Deployment Tools, version
06.05.7226 as of this writing.

3. To begin the Exchange Server 2003 install on your new server, run Exdeploy.hta after
extracting the tools.

4. Choose “Deploy the First Exchange 2003 Server”

5. You’ll want to choose the item for your current environment, which in the context of
this article is “You are running Exchange 2000 in native mode and you want to
upgrade a server or install the first new Exchange 2003 server.” Choose “Upgrade
from Exchange 2000 Native Mode”.

6. Run through the entire checklist and perform all the steps and tests. When you get to
Step 9 in Exdeploy, you’ll need to specify the path to the Exchange Server 2003 CD
since you’re running Exdeploy from a location other than the CD.

7. Install all the Exchange components unless you have a compelling need to do
otherwise.

8. When the install is completed, install Exchange Server 2003 Service Pack 1.

9. When SP1 is completed, run the Exchange System Manager from the Windows Server
2003 system, and you will see your new server listed in the Exchange organization, as well
as your old server.

10. The POP3 and IMAP4 services aren’t set to start automatically, so configure them for
Automatic startup if desired.

11. If you want to install or enable antivirus software, it’s now safe to do so.

IV. Get Familiar with Exchange Server 2003

1. At this point, you now have an Exchange 2003 system running in your existing Exchange
organization. Microsoft has done a good job of allowing the two versions to coexist.
2. Before proceeding with your migration, there are a number of important tasks to consider at this
stage. For openers, communicate with your users about the migration if you haven’t already, brief
them on the new OWA interface, and by all means ask them to go through their mailboxes and
delete old, unneeded items. You’ll appreciate this later!

3. This is a good opportunity to spend some time reviewing your new Exchange server. Even if you
spent time learning the new product in a lab environment (as you should have), exploring the
system now before proceeding makes sense. Check out the new ESM, move a test mailbox to the
new server, and try OWA. Go through your old server and take note of any settings you want to
configure on the new system such as size limits on SMTP connectors or incoming/outgoing
messages, etc. You’ll find that Exchange Server 2003 is configured to block mail relaying by
default.
4. This is a good time to uninstall the Exchange 2000 version of the ESM remote management tools
(using the Exchange 2000 Server CD, run Setup, choose Remove) on any management
workstations and install the new Exchange 2003 ESM, which can be used to manage both
versions of Exchange server.
5. As you test message routing, you will find that any email coming into your organization from the
outside will be automatically routed to the appropriate Exchange server where the mailbox
resides. My test mailbox on the new server could send and receive mail, no problem. I could also
access the mailbox with Outlook or OWA from within the organization, no problem. However, I
was unable to access mailboxes on the new server from outside the organization.
6. In my configuration, an ISA Server 2000 system acts as the firewall, where web and server
publishing rules exist to redirect incoming traffic to the old mail server. There was no simple way
I could find to allow simultaneous access to both the old and the new servers. All incoming mail-
related traffic was directed to the old server. This limitation affected the rest of the migration as
you will see.

Note:
There is a way to have multiple Exchange servers, both 2000 and 2003, behind a firewall,
whereby mail is automatically directed to the appropriate server. This scenario involves installing
Exchange Server 2003 on a server and configuring it as a “front end” server, which allows it to act
as a proxy. Unfortunately, the front end server cannot hold any mailboxes on its own, so this isn’t
an option in the migration scenario in this article.

Note:
For a front end server to make any sense, a minimum of three servers would be needed: the front end
server itself, and at least two Exchange servers, to which the front end server would route messages,
based on the mailboxes homed on each. In our migration scenario, one could have a front end server
routing mail to the old Exchange 2000 server and the new Exchange 2003 server. As mailboxes are
moved from the old to the new server, the front end server would route messages to the correct
place. This is a nice option for those with the hardware and the desire to do a gradual transition.

V. Configure Exchange Server 2003 to Host Public folders and Other Roles

As you begin moving folders and roles to the new server, one thing I learned the hard way is that you
should use the ESM running on the new server. I used the ESM on a Windows XP remote management
workstation, and found that things reported on the workstation’s ESM weren’t always the same as the
Exchange server’s ESM.

1. Review Microsoft’s 307917 – “XADM: How to Remove the First Exchange 2000 Server Computer
from the Site”. This document contains most of what is needed to finish this migration, and
explains in detail how to setup replication of Public folders.
2. Using the instructions in 307917 as a guide, setup replication for all public folders that were
created by your organization on your old server. Do not setup replication for any folders you didn’t
create, as several of these will not be brought over to the new server. When the folders you
replicated are in sync, remove the old server from the replication tab. These folders now exist
solely on the new server. They are accessible to those within your WAN, but are inaccessible
outside your firewall.
3. You should find that the Public folders called default and ExchangeV1 are already replicated to the
new server. Using Step 2 and 3 in 307917, setup replication to the new server for the folders
Offline Address Book, OAB Version 2, and Schedule+ Free Busy Information. If you have a folder
called Internet Newsgroups, you should replicate that also. This folder is created by the Exchange
system, though your organization may not use it.
4. If you check the Properties, Replication tab on your administrative group’s Folders node, you will
see the replication interval for the public folders. Unless you specifically changed the interval on
any individual public folders, they should follow this schedule. “Always run” means replication will
run every 15 minutes. There is no “replicate now” option.

5. Using Step 4 & 5 in 307917, rehome RUS and designate the new server as the routing group
master.
6. Step 6 and 7 in 307917 didn’t apply in my configuration; proceed with those as needed.
7. Using Microsoft’s 265293 – “How to Configure the SMTP Connector in Exchange”, add the new
server to the SMTP connector, remove the old server, then cycle the MS Exchange Routing
Engine service and the SMTP service for these changes to take effect. Send a test message to
verify the new server is sending the mail now.
8. There are a number of public folders on the Exchange 2000 server that do not need to be
replicated and moved to the new server, including several that are part of the Exchange 2000
version of OWA. On my system these included:

• Controls
• Event Config_<old server name>
• Events Root
• Exchweb
• Img
• Microsoft
• Offline Address Book – First Administrative Group
• Schema-root
• Views

Just leave these folders on the old server.

At this point, with the exception that your public folders are no longer accessible outside your firewall,
there shouldn’t be any noticeable difference to your users. You can accomplish all of the above during
normal working hours without much fuss. However, the next step isn’t as transparent.

VI. Move the Mailboxes to Exchange Server 2003

This is the moment we’ve all been waiting for, and it’s pretty straightforward. In order for this process
to go as smoothly as possible, you should make sure that no users inside your organization are accessing
the email system. You should also block all external access to your mail servers.

1. For a detailed description of moving mailboxes, see Henrik Walther’s “Moving Mailboxes
with the Exchange 2003 Move Mailbox Wizard” article for specifics.
2. Prevent outside access to your mail servers. In my case, this involved disabling the web and server
publishing rules for IMAP4, POP3, and SMTP in my ISA Server 2000 system.
3. Make sure no internal users are accessing the mail server.
4. Turn off AV on both the old and the new server. Moving mailboxes is a time-consuming, resource-
intensive process. AV scanning will slow this process down, and in some cases can cause problems
when large scale data is being moved.
5. The Move Mailbox Wizard will allow you to select many mailboxes at a time, but it will only process
four at a time. I chose the “Create a failure report” option, which won’t move the mailbox if there
are errors. I moved 75 mailboxes, 1.7GB of data, in 70 minutes, without a single error.
6. The key determining factor in the speed of the mailbox move process isn’t so much size as it is the
number of items in a mailbox. If your users deleted a lot of items per your request, the process will
go a lot quicker now.
7. If you want to test your new system before moving all the mailboxes, you can move a handful of
them, then turn on outside access (I would turn on AV as well). Keep in mind, you’ll need to
configure your firewall to point to the new mail server. You should be able to access the new
mailboxes with OWA and POP3 mail applications like Outlook. You can also test access to Public
folders in OWA if desired. Be sure to disable external access and AV before proceeding.
8. Move all the mailboxes, except SystemMailbox, System Attendant, and SMTP-ServerName, as
these should already exist on the new server.
9. When the process is finished, configure your firewall to point to the new mail server, turn on
AV, and enable external access. You are now running an Exchange Server 2003 mail system.

VII. Final Cleanup

1. Go through the public folders on the new server and remove the old server from the replication tab
for any public folders that are still replicating to it. On my system this included default and
ExchangeV1.
2. Have your users log on with their email clients. Outlook will attempt to connect to the old mail server,
but as long as the Exchange services are still running on it, it will automatically redirect Outlook to
the new server.
3. Stop all the Exchange services on the old server. Stop IISAdmin, which should stop FTP, NNTP, SMTP,
and WWW.
4. Your old server will still appear in the Exchange organization in the ESM, but that’s OK for now. You
may also see an entry in the Queues node on the new server, destined for the old server. You can
ignore this also.
5. Allow your new server to run for a few days if desired, keeping the old system in its present state
for the time being. You may even want to turn the old server off.
6. When you’re satisfied that the migration is a success and the old server is no longer needed, insert
the Exchange 2000 Server CD into the old server, run setup, and remove/uninstall Exchange
2000. Make sure the server is still connected to the network when you do this, as this process will
remove the old server from the ESM.

Congratulations! Because you began with an Exchange 2000 organization in native mode, your Exchange
Server 2003 system is in native mode. Your migration is finished.

41. What steps do you take to upgrade Exchange Server 2003 to Exchange Server 2007?

General Preparation Tasks before the Transition


Before you start the transition, review the event logs on all your Domain Controllers to make sure
that no errors or warnings are in there. If you find any, correct them before you go on. Additionally,
make sure all Windows Updates are installed. DCDIAG.EXE from the Windows Support Tools may help
you with this task.

Afterwards you should back up the system state of all your Domain Controllers to make sure you are
able to restore Active Directory in the event of a failure during the setup process.
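The preparation steps above (event-log review, DCDIAG, system state backup) gathered into one script, as an added example that is not part of the original compilation. It assumes the Windows Support Tools (dcdiag.exe, repadmin.exe) are installed, that PowerShell 2.0 is available on the machine it runs from (Get-EventLog -ComputerName needs it), and that $BackupPath is a location you set; the NTBackup command at the end has to be run locally on each Domain Controller.

```powershell
# Added example: pre-transition health check of every domain controller.
# Assumptions: Windows Support Tools installed (dcdiag.exe, repadmin.exe),
# PowerShell 2.0 for Get-EventLog -ComputerName, and $BackupPath set by you.
$BackupPath = "D:\ADBackups"   # placeholder, change before use
$Since      = (Get-Date).AddDays(-7)

# Enumerate DCs through .NET; the Active Directory PowerShell module only
# ships with Windows Server 2008 R2 and later.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcs    = $domain.DomainControllers | ForEach-Object { $_.Name }

foreach ($dc in $dcs) {
    Write-Host "==== $dc ===="

    # 1. Errors and warnings from the logs that matter for a schema update.
    foreach ($log in "System", "Directory Service", "DNS Server") {
        $bad = @(Get-EventLog -ComputerName $dc -LogName $log `
                    -EntryType Error, Warning -After $Since -ErrorAction SilentlyContinue)
        if ($bad.Count -gt 0) {
            Write-Host ("{0}: {1} error/warning events since {2}" -f $log, $bad.Count, $Since)
            # Most frequent Source/EventID pairs first, so the noisy ones stand out
            $bad | Group-Object Source, EventID | Sort-Object Count -Descending |
                Select-Object Count, Name -First 10 | Format-Table -AutoSize
        }
    }

    # 2. dcdiag in quiet mode prints only failing tests, so any output is a problem.
    $diag = & dcdiag.exe /s:$dc /q
    if ($diag) {
        Write-Warning "dcdiag reported failures on ${dc}; fix these before the schema update:"
        $diag | ForEach-Object { Write-Host "  $_" }
    }
}

# 3. Replication health across the forest; look for non-zero fail counts and
#    large "largest delta" values before touching the schema.
& repadmin.exe /replsummary

# 4. System State backup of the DC this runs on (NTBackup, Windows Server 2003).
#    Run this part on every DC, the schema master first.
$stamp = Get-Date -Format "yyyyMMdd-HHmm"
& ntbackup.exe backup systemstate /J "PreExchange2007-$stamp" `
    /F "$BackupPath\$env:COMPUTERNAME-$stamp.bkf"
```

Keep the .bkf files off the Domain Controllers themselves; a system state backup contains the directory database and is the only way back if the schema update goes wrong, so it should be protected like the DC it came from.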

Domain and Forest Preparation for Exchange Server 2007


In order to prepare the Active Directory environment you will have to import some new schema entries.
This means you will have to log on locally to the Domain Controller on which the schema master role
resides. Since this means a re-indexing of your Active Directory database, I recommend doing this during
non-work hours and, if possible, with the forest running in Windows Server 2003 native forest mode. In
that mode only delta replications occur, rather than the full replications that a forest running in
Windows Server 2000 mode performs, so you will have less replication traffic on your WAN links.

If you have trouble during the schema enhancement for Exchange Server 2007, your only way back to
Exchange Server 2003 is to completely restore System State on your Schema Master Domain Controller,
and to hope that the new entries have not yet replicated to other Domain Controllers, because then you
would have to restore System State on every Domain Controller in your network. But don’t despair: a
restore of Active Directory is quite easy if you follow this procedure:

- Start your Domain Controller in Active Directory Restore Mode.
- Log on with your Active Directory Restore Mode logon credentials.
- Restore System State from backup.
- Configure Authoritative Restore using NTDSUTIL.EXE.
- Restart your Domain Controller.
- Follow the steps above for all your Domain Controllers.

Troubleshooting the Implementation of Hub Transport Servers


The first Exchange Server 2007 box you might implement is the one on which the Hub Transport role
will reside. This box is quite easy to implement; you should only move forward once you have a good
system state backup ready in the event of a failure. If something unplanned happens while the general
configuration settings are moved to Exchange Server 2007, your disaster recovery plan is to restore
Active Directory from backup.

Troubleshooting the Implementation of Mailbox Servers

After having set up the Mailbox role servers, which could be a single or multiple server deployment,
perhaps combined with one of the high availability features of Exchange Server 2007 (Local Continuous
Replication, Standby Continuous Replication, Cluster Continuous Replication, or Single Copy Cluster),
we have to move the mailboxes from the old environment to the new one. This mailbox move is quite
easy, too.

In general there should be no problems as long as the user whose mailbox is currently being migrated is
logged off. Nor should problems occur on the client systems: they should discover that their mailbox has
moved to another server while they were offline. To ensure this, Exchange Server 2007 has new
functionality for automatic creation of MAPI profiles, provided you have Outlook 2007 deployed. So make
sure Outlook 2007 is deployed before starting the deployment of Exchange Server 2007 mailbox servers.
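The mailbox move from the old environment to the new one, written out as an added example for the Exchange Management Shell (it is not from the original compilation). Server and database names are placeholders, and the cmdlet parameters are the Exchange Server 2007 Move-Mailbox ones as I know them; confirm them with Get-Help Move-Mailbox on your build. The validate-only pass and the zero bad-item limit are the checks that keep a move from silently dropping data.

```powershell
# Added example: validate, then move, all user mailboxes from a legacy
# Exchange 2003 server into an Exchange 2007 mailbox database.
# Placeholders: $OldServer, $TargetDB and the report path.
$OldServer = "EX2003"                                          # legacy mailbox server
$TargetDB  = "EX2007\First Storage Group\Mailbox Database"     # Server\StorageGroup\Database
$Report    = "C:\MoveMailbox-$(Get-Date -Format yyyyMMdd-HHmm).xml"

# Regular user mailboxes only. System mailboxes already exist on the new
# server and must not be moved; Get-Mailbox normally does not return them,
# the filter is belt and braces.
$mailboxes = Get-Mailbox -Server $OldServer -ResultSize Unlimited |
    Where-Object { $_.Alias -notlike "SystemMailbox*" }

# Dry run: checks that each mailbox can be moved without moving any data.
$mailboxes | Move-Mailbox -TargetDatabase $TargetDB -ValidateOnly -Confirm:$false

# Real move, four mailboxes at a time (the default), refusing any mailbox
# that contains even one corrupt item, so nothing is lost without an error;
# the XML report records the per-mailbox outcome for the change record.
$mailboxes | Move-Mailbox -TargetDatabase $TargetDB -MaxThreads 4 `
    -BadItemLimit 0 -ReportFile $Report -Confirm:$false
```

Mailboxes that fail the move with a bad-item error are left untouched on the old server, which is the same behaviour as the “Create a failure report” option of the 2003 wizard described earlier; inspect the report, decide per mailbox whether a non-zero limit is acceptable, and rerun only those.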

Troubleshooting the Implementation of Client Access Servers


The Client Access Server role provides functions such as Outlook Web Access, Outlook Mobile Access
(Exchange Push), etc. When migrating from other Exchange Server releases this is the first box you
should implement (in general this will be your front-end server machine), since this allows Outlook
Web Access to work on mailboxes that reside on older versions of Exchange as well as on Exchange
Server 2007.

If anything failed during the implementation of this server, you just have to reinstall this machine and
try again.

Troubleshooting the Implementation of Unified Messaging Servers


When implementing the Unified Messaging role, your disaster recovery plan during the deployment of
Exchange Server 2007 is quite easy, because this is a new feature set that was not part of earlier
releases of the product. In the event of an unexpected error, you just reinstall the server and try
again.

Troubleshooting the Implementation of Edge Servers
The Exchange Server 2007 Edge Server role is a solution that is placed in your DMZ to relay your emails
into your Exchange organization or out of it, so it is responsible for incoming and outgoing emails. It
is completely independent of your Active Directory, because it works with ADAM (Active Directory
Application Mode). If you run into problems during its implementation, you will have to start over
again. If it is already running, you can run the ExportEdgeConfig.ps1 PowerShell script to save the
configuration in an XML file and use this to import it on the new server.

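The export and re-import of an Edge server configuration just mentioned, as an added example that is not from the original compilation. ExportEdgeConfig.ps1 and ImportEdgeConfig.ps1 ship in the Exchange Server 2007 Scripts folder; the paths are placeholders and the parameter names are as I recall them, so check them with Get-Help before relying on the script.

```powershell
# Added example: clone an Edge Transport server's configuration so that a
# rebuilt Edge box can be brought back without reconfiguring it by hand.
# Placeholders: $Scripts (install path), $Config and $Answer (XML files).
$Scripts = "C:\Program Files\Microsoft\Exchange Server\Scripts"
$Config  = "C:\EdgeClone\CloneConfigData.xml"
$Answer  = "C:\EdgeClone\CloneConfigAnswer.xml"

# On the running (source) Edge server: dump the configuration to XML.
# The file describes your perimeter mail setup, so store and copy it as
# carefully as any other configuration backup.
& "$Scripts\ExportEdgeConfig.ps1" -CloneConfigData:$Config

# Copy $Config to the rebuilt Edge server, then on that server:
# 1. Validate only. This writes an answer file holding the server-specific
#    settings (addresses, paths) that you review and edit before importing.
& "$Scripts\ImportEdgeConfig.ps1" -CloneConfigData:$Config -IsImport $false -CloneConfigAnswer:$Answer

# 2. Import for real, using the reviewed answer file.
& "$Scripts\ImportEdgeConfig.ps1" -CloneConfigData:$Config -IsImport $true -CloneConfigAnswer:$Answer
```

After the import, the Edge Subscription to the Hub Transport site has to be created again, since the subscription binds to the specific server that was rebuilt.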
Conclusion
As you have seen in the sections above, the transition from Exchange Server 2003 to Exchange Server
2007 is not a big risk if you plan the project, and each project phase should include a plan to revert if
something unplanned happens and there is no way to go on. These risk management procedures will
ensure that you minimize downtime in case of an error and that your email environment will work
properly and be available most of the time.

Exchange Server 2007 with Service Pack 1 is a very stable and reliable solution. In my opinion, it is the
best release Microsoft has come out with yet. So I think there is no reason for you to wait to migrate.
Just create a project plan and your email server environment will survive the transition to Exchange
Server 2007.

If you still have any questions, please do not hesitate to contact me.

42. What AD switches are available on Exchange Server 2007?

MMC (Microsoft Management Console) v3.0
Windows PowerShell
For further tools, refer to The Complete Reference Exchange Server 2007 (McGraw-Hill).
43. Can Windows Server 2003 be installed on the same physical hardware as Exchange
Server 2007?
The 64-bit version of Windows Server 2003 / Windows Server 2003 R2 is required to deploy
Exchange Server 2007. Existing volume licensing customers can request the 64-bit version of
Windows Server 2003 as a media kit in exchange for their 32-bit version of Windows
Server 2003.

44. Exchange Server Role Definition


Server Roles
Exchange Server 2000 was evolutionary in its architecture in many ways. It was the first native SMTP
messaging system from Microsoft. It was also the first version of Exchange Server to depend on Active
Directory Services and Internet Information Services (IIS) for both transport and client protocol support.
The separation of the storage engine from the Internet client services was the foundation for the front-
end/back-end architecture that defined Exchange Server 2000 and 2003.

Exchange Server 2007 does not change the messaging transport, but it does replace the front-end/back-
end architecture with a set of predefined server roles that administrators can deploy into a variety of
supported topologies (see Table 1-2). Server roles give administrators

Server Role               Description
------------------------  ------------------------------------------------------------------
Mailbox Server            Used for hosting users’ mailbox and public folder stores, as well
                          as providing MAPI access for thick-client access
Client Access Server      Provides users with mailbox access through IMAP, POP, Outlook
                          Web Access, and ActiveSync protocols
Hub Transport Server      Handles mail routing and controls mail flow by utilizing Active
                          Directory site information
Unified Messaging Server  Enables user mailbox access through a telephone, as well as
                          enabling telephony services such as voicemail, fax, and VoIP
                          capabilities
Edge Transport Server     Provides increased security by placing SMTP services, mail
                          quarantine, and smarthost capabilities on a perimeter network
