Implement AD first, then layer Exchange 2000 on top

WINDOWS 2000 Active Directory (AD) and the Microsoft Exchange Server 5.5 Directory Store share many architectural features. (You can think of the Directory Store as AD 0.9: Many basic AD operational concepts originated in the Directory Store, which was Microsoft's first enterprisewide location for information about configuration and user objects. For a comparison of AD and the Directory Store, see the sidebar "More Alike than You Might Think," page 146.) The knowledge and experience you've gained from working with Exchange Server will be invaluable as we head into the AD era.

But despite the similarities, AD is more complex than the Directory Store. For example, AD's replication model lets any domain controller modify objects, whereas the Directory Store restricts object modification to an object's site rather than the object's domain. (For more information about the benefits of switching to AD, see the sidebar "Why the Switch?" page 150.) If you migrate to Win2K, you need to consider the interoperability changes between the Directory Store and AD. More important, if you plan to migrate to Exchange 2000 Server, you need to keep in mind the changes that Exchange 2000 makes to the AD schema, as well as AD replication's importance to Exchange 2000. (For more information about migrating to Exchange 2000, see "Planning an Exchange 2000 Migration Strategy," July 2000, and Jerry Cochran, "Preparing for Exchange 2000 Server, Part 4," http://www.win2000mag.com/, InstantDoc ID 8538.) The best way to approach these challenges is to first determine your basic Win2K design, then layer your Exchange 2000 organization over AD.

Extending the AD Schema for Exchange 2000
Schemas define a database's structure, including the object classes and attributes for each object. Applications or enterprises can extend the AD schema, letting it hold additional information. For example, you can add a Birthday attribute for user objects, then write an Active Directory Service Interfaces (ADSI)-enabled application that runs when a user logs on, determines whether today is the user's birthday, and generates an appropriate message on the user's birthday. Exchange Server 5.5 and earlier versions provide custom mailbox attributes that you can use for similar purposes, but you can't extend or customize the Directory Store schema.

Exchange 2000 makes more than 1800 changes to the default AD schema. Exchange 2000 extends the AD schema by adding new attributes that you can associate with recipients (i.e., users, contacts, and groups) and by adding Exchange 2000 configuration information, such as administrative and routing groups. For example, Exchange 2000 adds storage attributes to the user object; these attributes let you associate users with the store and server on which their mailboxes reside and with any mailbox quotas. Exchange 2000 also changes index attributes so that they participate in address resolution.

Exchange 2000 extends the AD schema through commands within 10 Lightweight Directory Access Protocol Data Interchange Format (LDIF) files: schema0.ldf through schema9.ldf. These files reside in \setup\i386\exchange. Figure 1, page 150, shows an extract from an example schema update file.

Two sets of schema changes can occur during an Exchange 2000 deployment. The first set can occur when you install the Exchange 2000 Active Directory Connector (ADC), which adds attributes that synchronize AD and the Exchange Server 5.5 Directory Store. (Only deployments that must accommodate legacy Exchange servers require the ADC. For more information about the ADC, see "The Active Directory Connector," January 2000.) The ADC LDIF files (i.e., adcschema0.ldf through adcschema9.ldf) reside in the \adc directory on the Exchange 2000 CD-ROM. This set of changes also extends Global Catalog (GC) replication to meet Exchange 2000 requirements. The second set of changes can occur when you install Exchange 2000, which either performs a complete schema update or applies updates that are a superset of existing ADC updates. The installation process applies changes en masse to ensure that all necessary updates take place.

To give you an idea of the difference in scope between ADC and Exchange 2000 updates, the ADC installation applies 435 changes to the schema, whereas the first Exchange 2000 installation in a forest generates 1959 changes. The schema update proceeds in several phases as the domain controller flushes changes to disk and applies the changes to AD. You must apply the changes in a staged manner to avoid the problems that occur when a schema update references a change that hasn't been applied yet.

When the Exchange 2000 installation procedure begins, it checks the current schema against the ms-Exch-Schema-Version-Pt object, which holds the current schema number in its rangeUpper attribute, then determines whether to update the schema. Figure 2, page 150, shows an example segment of the schema9.ldf file; you can view this file on the Exchange 2000 CD-ROM to determine the schema version that the installation procedure will look for, then use the ADSIEDIT utility to check the current schema value. If the schema value is lower than the value that the schema9.ldf file specifies, Exchange 2000 will apply updates. (The ADC installation procedure checks a similar object named ms-Exch-Schema-Version-ADC.) The value (i.e., 4197) that Figure 2 shows is correct for Exchange 2000 Release Candidate 1 (RC1); this value will be different for the RC2 and release to manufacturing (RTM) kits.

Future Exchange 2000 versions, service packs, and hotfixes might include schema updates. The AD schema administrator might ask you to provide exact details of these updates before the administrator will agree to authorize upgrades. Predicting the exact form of the updates is difficult. Small updates might take the form of an isolated .ldf file, in which case you can easily determine the changes that the update will cause. But what if a schema update takes the form of a complete set of .ldf files, like the original set in the Exchange 2000 kit? You can combine each kit's .ldf files to form one large file for each kit, then use a utility such as Windiff to compare the contents. (You'll probably need to interpret and clean up the output before the changes are absolutely clear and the schema administrator is completely satisfied.)
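The version check that setup performs against ms-Exch-Schema-Version-Pt and the kit-to-kit comparison described above, as an added example that is not code from the Exchange 2000 kit or from the article: a minimal LDIF record parser, the rangeUpper comparison, and a record-by-record diff of two kits' concatenated .ldf contents. The LDIF fragments are constructed samples in the style of schema9.ldf (the attribute names ms-Exch-Sample-Quota and ms-Exch-Sample-Store and the later-kit value 4300 are made up; 4197 is the RC1 value the text quotes).

```python
# Added example, not code from the Exchange 2000 kit: a minimal LDIF parser, the
# rangeUpper version check setup performs, and a per-record diff of two kits.
def parse_ldif(text):
    """Return {dn: {attr: [values]}}; skips '#' comments and '-' separators."""
    records, attrs, dn = {}, {}, None
    for line in text.splitlines() + [""]:      # trailing "" flushes last record
        if line.startswith("#") or line == "-":
            continue
        if line == "":
            if dn is not None:
                records[dn] = attrs
            attrs, dn = {}, None
            continue
        key, _, value = line.partition(":")
        if key == "dn":
            dn = value.strip()
        else:
            attrs.setdefault(key, []).append(value.strip())
    return records

def kit_schema_version(ldf_text):
    """rangeUpper of ms-Exch-Schema-Version-Pt, the value setup compares."""
    for dn, attrs in parse_ldif(ldf_text).items():
        if dn.lower().startswith("cn=ms-exch-schema-version-pt,"):
            return int(attrs["rangeUpper"][0])
    raise ValueError("kit has no ms-Exch-Schema-Version-Pt record")

def needs_schema_update(ad_range_upper, ldf_text):
    """Setup applies the kit's updates only when AD's current value is lower."""
    return ad_range_upper < kit_schema_version(ldf_text)

def diff_kits(old_ldf, new_ldf):
    """Compare two kits record by record: (added, removed, changed) DNs."""
    old, new = parse_ldif(old_ldf), parse_ldif(new_ldf)
    changed = {d for d in set(old) & set(new) if old[d] != new[d]}
    return set(new) - set(old), set(old) - set(new), changed

# Constructed schema9.ldf-style fragments: 4197 is the RC1 value, 4300 is made up.
KIT_RC1 = """\
dn: CN=ms-Exch-Schema-Version-Pt,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: rangeUpper
rangeUpper: 4197
-

dn: CN=ms-Exch-Sample-Quota,CN=Schema,CN=Configuration,DC=X
changetype: add
"""
KIT_LATER = KIT_RC1.replace("4197", "4300") + """
dn: CN=ms-Exch-Sample-Store,CN=Schema,CN=Configuration,DC=X
"""
```

To use this against real kits, concatenate each kit's schema0.ldf through schema9.ldf into one string, as the text suggests, and read AD's current rangeUpper from ADSIEDIT.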

Updating the Schema with an Installation
The easiest way to update the AD schema is to proceed with the first Exchange 2000 installation in a forest. But to update the schema before completing the installation, you can use the OrgPrep options in the Exchange 2000 setup.exe file. OrgPrep prepares AD for Exchange 2000. You must run OrgPrep from an Administrator account with full permission to modify AD. After AD is ready for Exchange 2000, you can perform subsequent Exchange 2000 installations from accounts with local administrative access but without permissions to change forestwide settings (e.g., updating the schema, adding the Exchange 2000 container to the configuration naming context). You can activate the options from the installation GUI or with two command-line switches: setup /forestprep and setup /domainprep.

Setup /forestprep. The /forestprep option runs in the AD forest domain that hosts the schema master (typically the root domain). The option updates the schema, instantiates the Exchange 2000 organization, adds the Exchange 2000 container to the configuration naming context, and creates the Domain EX Admins and All Exchange Servers universal groups. The /forestprep option is useful when you want to replicate schema updates throughout the forest before any server installations begin.

You can't execute this command unless you can log on with Enterprise and Schema Admin privileges. In addition, if you need to join an existing Exchange Server 5.5 organization, you must have Read access (at a minimum) to the Exchange Server 5.5 Directory Store. (This option replaced the /schema only command-line switch that was in the first Exchange 2000 public beta.) If you plan to run a mixed-mode Exchange server organization, you must install the ADC within the organization before you run /forestprep.

Setup /domainprep. The /domainprep option runs in every domain in which an Exchange 2000 server resides. The option performs tasks such as creating the global groups that Exchange administration uses. You must be a domain administrator to run this option.

Replication
When you apply schema updates early, you need to replicate the changes throughout the forest as quickly as possible to ensure that any new domain controllers pick up the updated schema. To force replication, you can use the Microsoft Windows 2000 Resource Kit Repadmin tool, or you can select each NT Directory Service (NTDS) connection object from the schema master and force replication.

The sheer number of changes that Exchange 2000 applies to the schema is a good reason to perform the first Exchange 2000 server installation (or schema update) close to the schema master (at least in network terms) to speed up processing of the schema changes. AD inserts the Exchange 2000 schema changes in the AD configuration container, then replicates the changes to the other controllers throughout the forest. You can use the ADSIEDIT utility to expose the AD configuration container properties. As Figure 3, page 150, shows, AD maintains and replicates to every GC in the forest a substantial number of subcontainers and data.

All AD objects, including containers, have distinguished names (DNs) for identification and to denote the objects' location in the directory hierarchy. The AD container is domain-name\Configuration\Services\Microsoft Exchange, and it holds several other containers that store details of entities such as routing and administrative groups, address lists, and connectors. AD replicates the configuration container around the forest so that every Exchange 2000 server in the organization can access information about other servers. This arrangement is similar to the data that the Exchange Server 5.5 Directory Store maintains in the Site Configuration container. However, unlike Exchange Server 5.5, which replicates on its own, Exchange 2000 depends totally on AD replication to transport configuration data throughout an organization. (For more information about AD replication, see "Exchange 2000 Server and Active Directory," December 1999.) If AD replication is broken or slow, important information, such as available message-routing paths, will be obscured. The potential for this type of simple yet serious problem underscores the necessity to pay close attention to AD replication as you prepare and implement Exchange 2000.

Bound to Succeed
The success of any Exchange 2000 implementation is tightly bound to AD. If AD replication doesn't work, the schema changes that Exchange 2000 implements—and that it needs to work properly—won't be available to all the GCs in a forest. If replication breaks after installation, the servers won't know how to route mail because the connector information will be incomplete. The close integration of Exchange 2000 and Win2K around AD means that AD design and replication must be high-priority items for all Exchange 2000 projects.