ADS Ex Server 0307 QandA VasRao 02jul09

ACTIVE DIRECTORY / EXCHANGE SERVER 2003
QUESTIONS AND ANSWERS COMPILED AND PREPARED BY
VASUDEVAN RAO ALIAS VAS RAO
References: Various books, internet and research

ADS_Exserver03-07_Qanda_Vasrao_02Jul09 Page 1 of 46
1. What is the Exchange Server 2007 server role? Exchange Server 2007 introduces five roles to the Exchange Organization. a) Edge Transport b) Hub Transport c) Client Access d) Mailbox e) Unified Messaging 2. How is Exchange Server 2007 integrated with Microsoft Office Outlook 2007? 1) Share information with other outlook clients 2) Scheduled meetings, Calendar and e-mail 3) Appointments and contacts like subscription 4) Outlook anywhere, Outlook web access and Outlook voice access 5) Simplify and integrate communications 6) Gain increased messages security and compliance 7) Share information and schedule meetings 8) Instant search scans attachments for key words or other criteria 9) Unified messaging capability can receive voicemail, faxes and e-mail 10) Location of meeting changes updates calendar reducing clutter and confusion 3. What are Exchange Server 2007 options? 1. Storage options 2. Replication options 3. Performance 4. Scalability 5. Backup 6. Disaster Recovery/Business Continuity 7. Archiving 8. Managed shared transport database configuration options 4. How 64 bit process planning has been set-up? File system redirection is on a per-thread basis. Therefore, isolate operations that require disabling redirection in a separate thread. Reenable redirection as soon as possible after performing the task. Be aware of interoperability when you install a 64-bit process alongside its 32-bit version. When using interprocess communication methods such as sockets, pipes, remote procedure call (RPC), and COM, test for bit-awareness in the way that you handle data. Avoid accessing 64-bit processes from 32-bit processes WOW64 has the following limitations: The address space is limited to 2 GB by default, and 4 GB if /LARGEADDRESSAWARE is used. For more information, see Memory Limits for Windows Releases on MSDN. A 32-bit process cannot load a 64-bit DLL (except for certain system DLLs). Running 16-bit processes is not supported. For information on 16-bit installer programs, see Running 32-bit Applications on MSDN. The Virtual DOS Machine (VDM) API is disabled.
ADS_Exserver03-07_Qanda_Vasrao_02Jul09
Page 2 of 46
Page-size dependent APIs such as Address Windowing Extension (AWE), scatter/gather I/O, and write tracking are not available on the Intel Itanium processor family (IPF). For more information, see Running 32-bit Applications on MSDN. The physical address extension (PAE) API is not available on IPF. Microsoft DirectX hardware acceleration APIs are not supported on IPF.
5. Exchange Server core on Active Directory Domain Controller

Exchange Server 2003 communicates a lot with Active Directory. Nearly all communication information is stored in the configuration partition of Active Directory. And the information on the store of the users mailbox is saved as user property. That means that if a message has to be routed; Exchange Server determines whether the mailbox is on the local server by taking a look at the entries of the global address list (GAL). The GAL is created using the recipient update service (RUS) which has a look at the directory information and creates an entry for all objects that are email enabled. This process runs every minute. The RUS communicates with the global catalog server via GC-LDAP (Port 3268). If the recipient is not on the local server and the message needs to be routed to another server Exchange recognizes this via the GAL entry. Exchange server then has a look in the configuration partition and determines the way that server connections via connectors are available. This is done via GC-LDAP, too. If the server recognizes that the recipients SMTP domain is not one it is responsible for, it tries to look for a way of sending the message outbound. This is generally done using the configured SMTP connector. The configuration of the SMTP connector is saved in Active Directory, too. If incoming messages are for an email enabled group, Exchange connects to the globalcatalog server to determine the recipients of the message. These are the most common connections between Exchange and Active Directory. That means it is very important to design an Exchange environment that has good connectivity to a domain controller or better, a global catalog server. This server should be placed near the Exchange server, in the best way directly in its local subnet to make sure a high-speed connection is available.
6.
Global catalog for Exchange Server 2007
As you can see above, Exchange communicates a lot with Active Directory, especially with global catalog servers. That means within your Exchange Server Design you have to take care of where you place your Active Directory Domain Controllers with global catalog. In addition to this you need to determine the number of Exchange users that can be supported by a global catalog server. Microsoft recommends a number of about 4000 users a global catalog server can support. That means if you have more than this amount of users you must place more than one server with global catalog role on it in your subnet. But generally for high availability reasons a second GC is recommended. That means your environment theoretically can support up to 8000 users at a time. But be careful, if one of your GCs goes down you only have support for up to 4000 users. ADS_Exserver03-07_Qanda_Vasrao_02Jul09 Page 3 of 46
What does that mean for your design? Well, define what high availability means to you and your company, define how many users access one Exchange server at a time and then calculate the number of GCs you have to use. But do not forget to place your GCs near your Exchange server ideally within the same subnet. Global catalog server ratio and global catalog server placement The ratio of servers to global catalog servers in your Exchange organization depends on all the following:

The performance capabilities of the servers in your organization. The number of users in your organization. The message volume that you experience in your organization. The available network bandwidth in your organization. The other factors that affect computer processor load.
A general guideline is to deploy one global catalog server for every four Exchange computer processors. Therefore, by using this general guideline, you might deploy your global catalog servers as follows. Note This general guideline assumes that all the computer processors are of the same and of the same speed. type
One single-processor global catalog server to support one four-processor Exchange 2000
Server computer or Exchange Server 2003 computer.

Two single-processor global catalog servers to support one eight-processor Exchange 2000
Server computer or Exchange Server 2003 computer.

Four quadruple-processor global catalog servers to support eight eight-processor Exchange
2000 Server computers or Exchange Server 2003 computers. You can adjust these guidelines to meet the specific requirements of your Exchange
organization.
If your AD forest consists of a single domain, all domain controllers should be configured to
act as global catalog servers. Since the domain controllers have full knowledge of the domain anyway, designating them to act as global catalog servers does not require a significant amount of additional server resources. But if your Exchange Server organization contains multiple mailbox servers, you should plan on having one global catalog server for ever four mailbox servers. A site does not require a global catalog server if it does not contain an Exchange server, contains fewer than 100 users, and is connected to another network segment that has its own global catalog server via a reliable network link. Organizations using Windows 2003 domain controllers with fewer than 100 users are often discouraged from deploying global catalog servers. Microsoft recommends enabling Universal Group Membership Caching as an alternative. But if you're using Exchange Server, that is not an option -- you must use a true global catalog server.
http://www.microsoft.com/en/us/default.aspx http://emailsolutions.searchexchange.com/kw;Global+Catalog+Server/exchange-content.htm ADS_Exserver03-07_Qanda_Vasrao_02Jul09 Page 4 of 46
http://techrepublic.com.com/5208-6230-0.html?forumID=101&threadID=218116&start=0 http://searchexchange.techtarget.com/tip/0,289483,sid43_gci1198919,00.html http://www.bing.com/search?q=adfs+on+windows+server+2000&form=STOHSS http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/5e399525-3968-4081-b46a82ce06946391 http://www.techarchive.net/Archive/Windows/microsoft.public.windows.server.active_directory/200703/msg01543.html http://technet.microsoft.com/en-us/library/bb727159.aspx http://searchwindowsserver.techtarget.com/tip/0,289483,sid68_gci1131154,00.html http://en.wikipedia.org/w/index.php?title=Special:Search&search=ADAM+on+Windows+2000+and+200 3&ns0=1&redirs=0
7. Exchange updates from 2003 to 2007 General Preparation Tasks before the Transition
Before we start the Transition, you should review the event logs on all your Domain Controllers to make sure that no errors or warnings are in there. If you find any, you should correct them first before you go on. Additionally, you should make sure all Windows Updates are installed. DCDIAG.EXE from Windows Support Tools may help you during this task. Afterwards you should back up the system state of all your Domain Controllers to make sure you are able to restore Active Directory in the event of a failure during the setup process.
Domain and Forest Preparation for Exchange Server 2007

In order to prepare the Active Directory Environment you will have to import some new schema entries. This means you will have to log on locally to your Domain Controller on which the schema role resides. Since this means a re-indexing of your Active Directory Database, I recommend doing this during nonwork hours and if possible when running Active Directory Native Server 2003 forest mode. This would mean that we only have delta replications and no full replications like running on Windows Server 2000 mode. So you will have less replication traffic on your WAN links. If you have trouble during the schema enhancement for Exchange Server 2007, your only chance to go back to Exchange Server 2003 is to completely restore System State on your Schema Master Domain Controller and hopefully it would not have replicated some entries during this phase, because this
would mean restoring System State on all your Domain Controllers in your network environment. But dont be angry, a restore of Active Directory is quite easy if you follow the following procedures:
Start your Domain Controller in Active Directory Restore Mode. Log on with your Active Directory Restore Mode Logon Credentials. Restore System State from backup. Configure Authoritative Restore using NTDSUTIL.EXE. Restart your Domain Controller. Follow the steps above for all your Domain Controllers.
Troubleshooting the Implementation of Hub Transport Servers The first Exchange Server 2007 box you might implement is the one on which the Hub Transport Role will reside. This box is quite easy to implement, you should move forward after having a good system state backup ready in the event of a failure. If something unplanned happens during the move of the general configuration settings to Exchange Server 2007, your disaster recovery plan is to restore Active Directory from backup. Troubleshooting the Implementation of Mailbox Servers After having set up the mailbox or database role servers, which could be a single or multiple server deployment, perhaps in addition with one of the high availability features of Exchange Server 2007 (Local Continuous Replication, Standby Continuous Replication, Cluster Continuous Replication, or Single Copy Cluster), we have to move the mailboxes from the old environment to the new one. This mailbox move is quite easy, too. In general there should be no problems unless the user whose mailbox is currently being migrated is logged off. In general no problems should occur on the client systems, too: they should discover that their mailbox has moved to another server while they were offline. To insure this Exchange Server 2007 has a new functionality for automatic creation of MAPI profiles, if you have Outlook 2007 deployed. So make sure to have Outlook 2007 deployed before starting with the deployment of Exchange Server 2007 mailbox servers. Troubleshooting the Implementation of Client Access Servers The Client Access Server role provides functionalities like Outlook Web Access, Outlook Mobile Access (Exchange Push), etc. When migrating from other Exchange Server releases this is the first box you should implement (in general this will be your front end server machine), since this will allow Outlook Web Access to work on mailboxes that reside on older versions of Exchange and on Exchange Server 2007. If anything failed during the implementation of this server, you just have to reinstall this machine and try again.
Troubleshooting the Implementation of Unified Messaging Servers

When implementing the Unified Messaging role, your disaster recovery plan during your deployment of Exchange Server 2007 is quite easy, because this is a new feature set that was not part of earlier releases of the product. In the event of an unexpected error, you just have to take a second chance and reinstall the server again. Troubleshooting the Implementation of Edge Servers The Exchange Server 2007 Edge Server Role is a solution that is placed in your DMZ to relay your emails into your Exchange Organization or outside it, so it is responsible for incoming and outgoing emails and is completely independent from your Active Directory, because it works with ADAM (Active Directory in Application Mode). If you run into problems during its implementation, you will have to start over again. If it is already running, you can run the ExportEdgeConfig.ps1 Powershell script to save the configuration in a XML file and use this for import purposes on the new server.
Conclusion
As you have seen in the sections above the transition from Exchange Server 2003 to Exchange Server 2007 is not a big risk if you plan the project and each project phase should include a plan to revert if something unplanned happens and there is no way to go on. These risk management procedures will insure that you minimize unavailability times in case of an error and that your email environment will work properly and be available most of the time. Exchange Server 2007 with Service Pack 1 is a very stable and reliable solution. In my opinion, it is the best release Microsoft has come out with yet. So I think there is no reason for you to wait to migrate. Just create a project plan and your email server environment will survive the transition to Exchange Server 2007.
8. Design consideration of systems

Active Directory structure Domain Controllers / Roles / Forests / Domains / Trust Types /Organizational Units DNS / DHCP / Wins / Sites / Replication / RRAS / Radius Analyzing the existing infrastructure / Physical Layout / Infrastructure Devices Addressing Schemes / Operating Systems / Hardware / Performance Domain Structure / NT vs. W2K3 Server / Functional Levels DNS / Zones / Server Roles /DNS Structure /Internal DNS vs. Public DNS IP Addressing / Sub nets / Router Replacement / DMZ / DHCP Security Infrastructure / Designing Internet Access / Designing a Remote Access Strategy Designing Sites / Case study of the Existing Infrastructure
9. Map Exchange Server 2007 routing group to current Active Directory sites
One of the biggest changes between earlier versions of Exchange Server and Exchange 2007 is the move to a routing topology that is based on Active Directory directory service sites and IP site links ADS_Exserver03-07_Qanda_Vasrao_02Jul09 Page 7 of 46
instead of on routing groups and routing group connectors. Some Exchange administrators may feel a loss of control over their routing topology, but there's no need to worry. And there are plenty of reasons to celebrate. Exchange 2007 gives you the tools that you need to tweak the Active Directory routing behaviour when it doesn't conform to the way that you want Exchange mail to flow. Plus you benefit from the improved network utilization of Active Directory site-based routing and no longer having to maintain a routing topology.
10. Should I dedicate current AD to Exchange Server 2007?

Exchange 2003 servers can benefit from an Active Directory design that utilizes site architecture to isolate Exchange. This is best achieved through creating a dedicated Active Directory site which contains both Exchange 2003 servers and Global Catalog servers that are dedicated to the Exchange DSAccess process. The potential benefits of this architecture are as follows: Reduction of Global Catalog overload potential through isolating Exchange messaging traffic and processes from the remainder of the environment by using dedicated Global Catalogs. Increased performance for Exchange LDAP queries through Global Catalogs that are dedicated to the Exchange DSAccess process. NB: This assumes that you have the right number of GC processors to Exchange processors and a well connected network. Easier Management and monitoring of the Exchange environment due to segregating out of nonExchange processes. NB: However, this segregation will increase the number total number of domain controllers in your environment Increased performance for non-Exchange LDAP and directory services processes due to Exchange process segregation. NB: This assumes that you have enough GCs to service non-Exchange traffic Excessive LDAP Read and Search Times can have a negative impact of the ability to service messaging requests. This could include: Impact to mail routing (for mail bound internally and externally) Impact to Client Ambiguous Name Resolution requests (i.e. address lookups DL expansions etc) Impact other functional processes, login authentication for resources (i.e. calendar and PFs) DL access Group Membership
11. What is Auto Discovery Service?

The Auto discovery service in Exchange Server 2007 uses users' e-mail address or a domain user account to automatically configure a users Outlook 2007 profile. The Autodiscovery service provides the following information to the Outlook client:

Users Display name Separate connection settings for internal and external connectivity The location of users Exchange Server 2007 with the Mailbox server role installed The Uniform Resource Locator (URL) for several Outlook 2007 features (Outlook availability services) such as Outlook Free/busy or Offline address book (OAB) information Configuration for Outlook Anywhere
Page 8 of 46
A web service integrated with Microsoft Exchange server 2007 that facilitates clients accessing their mailboxes. It is used to automatically set up accounts in Outlook profiles. It is also used to determine which Client Access Server a remote client should use based on where their mailbox server is located for optimal performance.
12. Domain Controller on AD

A domain controller is a server that is running a version of the Microsoft Windows Server 2003 or Windows 2000 Server operating system and has the Active Directory service installed. A domain controller is a server that is running a version of the Microsoft Windows Server 2003 or Windows 2000 Server operating system and has the Active Directory service installed.
Note
Implementations of the Microsoft Windows NT 3.51 and Microsoft Windows NT 4.0 operating systems also have domain controllers, but they do not support Active Directory.
When you install Windows Server 2003 or Windows 2000 Server on a computer, you can choose to configure a specific server role for that computer. When you want to create a new forest, a new domain, or an additional domain controller in an existing domain, you configure the server with the role of domain controller by installing Active Directory. By default, a domain controller stores one domain directory partition consisting of information about the domain in which it is located, plus the schema and configuration directory partitions for the entire forest. A Windows Server 2003 domain controller can also store one or more application directory partitions. There are also specialized domain controller roles that perform specific functions in an Active Directory environment. These specialized roles include global catalog servers and operations masters.
Global Catalog Servers
Every domain controller stores the objects for the domain in which it is installed. However, a domain controller designated as a global catalog server stores the objects from all domains in the forest. For each object that is not in the domain for which the global catalog server is authoritative as a domain controller, a limited set of attributes is stored in a partial replica of the domain. Therefore, a global catalog server stores itsown full, writable domain replica (all objects and all attributes) plus a partial, read-only replica of every other domain in the forest. The global catalog is built and updated automatically by the Active Directory replication system. The object attributes that are replicated to global catalog servers are the attributes that are most likely to be used to search for the object in Active Directory. The attributes that are replicated to the global catalog are identified in the schema as the partial attribute set (PAS) and are defined by Microsoft. However, to optimize searching, you can edit the schema by adding or removing attributes that are stored in the global catalog. The global catalog makes it possible for clients to search Active Directory without having to be referred from server to server until a domain controller that has the domain directory partition storing the requested object is found. By default, Active Directory searches are directed to global catalog servers. ADS_Exserver03-07_Qanda_Vasrao_02Jul09 Page 9 of 46
The first domain controller in a forest is automatically created as a global catalog server. Thereafter, you can designate other domain controllers to be global catalog servers if they are needed. Operations Masters Domain controllers that hold operations master roles are designated to perform specific tasks to ensure consistency and to eliminate the potential for conflicting entries in the Active Directory database. Active Directory defines five operations master roles: the schema master, domain naming master, relative identifier (RID) master, primary domain controller (PDC) emulator, and infrastructure master. The following operations masters perform operations that must occur on only one domain controller in the forest:

Schema master Domain naming master
The following operations masters perform operations that must occur on only one domain controller in the domain:

Primary Domain Controller (PDC) emulator Infrastructure master Relative ID (RID) master
13. Purpose of Multiple Domains

Some reasons to create more than one domain are: Different password requirements between departments or divisions Massive numbers of objects Decentralized network administration More control of replication
14. Active Directory Disaster Recovery

1. Non-Authoritative restore and Authoritative restore 2. Require to know the exact path to an object to restore it authoritatively 3. Backups 4. Recovering deleted objects in Windows Server 5. SID/GUID/DN (Some changes cant be undone) 6. Restoring user does not necessarily restore group membership 7. SYSVOL requires special restoration procedures 8. No need to backup every domain controller 9. Forest-level recovery is time-consuming and error-prone 10. Domain controller offline can allow you to recover deleted objects
Page 10 of 46
15. DC Promo
dcpromo is command u have to write it in Run to create a new domain controller and create active directory
16. AD Tools
1. 2. 3. 4. 5. 6. 7. Active Directory Users and Computers Active Directory Domains and Trusts Active Directory Sites and Services DCPromo LDIFDE CSVDE Active Directory Connector (ADC)
Active Directory Tools in Windows Server 2003: 1. adprep.exe /dsadd.exe/dsget.exe/dsmod.exe/dsmove.exe/dsrm.exe/dsquery.exe 2. gpmc.msc / rsop.msc /dcgprofix.exe / gpupdate.exe / rediruser.exe / rediruser.exe 3. redircmp.exe / random.exe
17. What is ADAM?

Active Directory Application Mode provides a location for the application data and satisfies the dedicated store requirements of the application. Active Directory Application Mode to modify local or targeted ADAM instances without making changes to your organizations directory infrastructure. ADS_Exserver03-07_Qanda_Vasrao_02Jul09 Page 11 of 46
You can use Active Directory Application Mode effectively in the following scenarios:
Application-specific directory scenarios Application developer scenarios Extranet access management (EAM) scenarios Migration scenarios
18. ADFS on 2000 and 2003

Active Directory Federation Services (ADFS) deployment can collaborate successfully; you must first make sure that your corporate network infrastructure is configured to support ADFS requirements for accounts, name resolution, and certificates. ADFS has the following types of requirements: * Hardware/Software/Browser/Network/Account store/Authentication requirements * Windows Server 2003 R2 features Active Directory Federation Service (ADFS) which extends Single Sign-On to trusted resources on the Internet. Using ADFS, Organisations can extend their existing Active Directory Infrastructure to provide access to trusted Internet resources, which can include third parties as well as geographically separated units in the same organizations. After you configure federated servers, users at the organization can sign on once to the organizations network and are then automatically logged on to trusted Web applications hosted by partners on the Internet Federated Web Single Sign-On uses Federated Authorization for seamless access. In addition to user identity and account information, security tokens in Federated Authorization include authorization claims that detail user authorization and specific application entitlement.
19. What is SAN?

A SAN (Storage Area Network) is a network specifically dedicated to the task of transporting data for storage and retrieval. SAN architectures are alternatives to storing data on disks directly attached to servers or storing data on Network Attached Storage (NAS) devices which are connected through general purpose networks. Storage Area Networks traditionally connected over Fibre Channel networks. Storage Area Networks have also been built using SCSI (Small Computer System Interface)technology. An Ethernet network which was dedicated solely to storage purposes would also quality as a SAN. Internet Small Computer systems Interface (iSCSI) is a SCSI variant which encapsulates SCSI data in TCP packets and transits them over IP networks. Fibre channel over TCP/IP (FCIP) tunnels Fibre Channel over IP-based networks. The Internet Fibre Channel Protocol (iFCP) transports Fibre Channel Layer 4 FCP on IP networks.
20. RAID Volume

A logical representation of one or more physical disks configured to provide redundant and/or large storage space for the system. RAID stands for Redundant Array of Independent Disks and it basically involves combining two or more drives together to improve the performance and the fault tolerance. Combining two or more drives ADS_Exserver03-07_Qanda_Vasrao_02Jul09 Page 12 of 46
together also offers improved reliability and larger data volume sizes. A RAID distributes the data across several disks and the operating system considers this array as a single disk.
RAID Levels
RAID 0 RAID 1 RAID 2 RAID 3 RAID 4 RAID 5 : : : : : : Stripping Mirroring Stripping small stripes Parity stripes Block level stripping Block level stripping No fault tolerance Fault tolerance Multiple Parity disks Fault tolerance Error correction Boost performance
The above standard RAID levels can be combined together in different ways to create Nested RAID Levels which offer improved performance. Some of the known Nested RAID Levels are RAID 0+1 RAID 1+0 RAID 3+0 RAID 0+3 RAID 10+0 RAID 5+0 RAID 6+0
21. DNS Proxy on AD

The primary reason for the proxy is access control of DNS queries. The proxy's main purpose to block DNS requests for, say, www.xxx.com. Or perhaps more appropriately, it allows me to block DNS requests for doubleclick.net, etc - ie. advertising web sites and other sources of web page spam. Controlling Access to DNS Servers Outside the Organization: Restricting access to zone information allows you to specify which internal and external servers can access the primary server. For external servers, this controls which servers can get in from the outside world. You can also control which DNS servers within your organization can access servers outside it. To do this, you need to set up DNS forwarding within the domain. Within DNS forwarding, you configure DNS servers within the domain as: Nonforwarders: Servers that must pass DNS queries they cant resolve on to designated forwarding servers. These servers essentially act like DNS clients to their forwarding servers. Forwarding only: Servers that can only cache responses and pass requests on to forwarders. This is also known as a caching-only DNS server. Forwarders: Servers that receive requests from nonforwarders and forwarding-only servers. Forwarders use normal DNS communication methods to resolve queries and to send responses back to other DNS servers.
Page 13 of 46
Conditional forwarders:
Servers that forward requests based on the DNS domain. Conditional forwarding is useful if your organization has multiple internal domains.
22. Capacity planning on Active Directory Service

Overview of Planning Domain Controller Capacity Collecting Site Topology Design Information Determining the Number of Domain Controllers Assessing Disk Space and Memory Requirements Monitoring Domain Controller Performance Additional Resources
The Windows Server System Reference Architecture (WSSRA) addresses the followings: Availability Security Scalability Manageability Reliability Supportability Repeatability Standardization - Process, People and Technology Integration .NET ready The Enterprise Model: Centralized Data Center Department Branch Office Extranet Internet Data Center Employees Partners Employees Partners Customers
The services are a mixture of IT services and the end-user services they support.
IT services Directory services (Active Directory) Certificate services Remote Access services Internet Protocol (IP) services (WINS, DNS, and DHCP) Firewall services File services Print services Messaging services
End-user services
Page 14 of 46
23. How many Global Catalog Servers per ADS

Global Catalog Server Placement: All sites in the Contoso environment have at least 100 users. To facilitate user logon requests and forest-wide searches, Contoso follows the general Windows Server 2003 deployment recommendation for placing a global catalog server in any site where there are at least 100 users. Two global catalog servers are placed in Chicago to accommodate the large number of users in that site. For more information about global catalog server placement, see "Designing the Site Topology" in Designing and Deploying Directory and Security Services of the Windows Server 2003 Deployment Kit (or see "Designing the Site Topology" on the Web at http://go.microsoft.com/fwlink/?LinkId=4724). Global Catalog Processes and Interactions In addition to its activities as a domain controller, the global catalog server supports special activities in the forest:
the
following
User logon: In a multidomain forest, domain controllers must contact a global catalog server to retrieve any SIDs of universal groups that the user is a member of. Additionally, if the user specifies a logon name in the form of a UPN, the domain controller contacts a global catalog server to retrieve the domain of the user. Universal and global group caching and updates: In sites where Universal Group Membership Caching is enabled, domain controllers that are running Windows Server 2003 cache group memberships and keep the cache updated by contacting a global catalog server. Global catalog searches: Clients can search the global catalog by specifying port 3268 or by using search applications that use this port. Search activities include: o Validation of references to non-local directory objects. When a domain controller holds a directory object with an attribute that references an object in another domain, this reference is validated by contacting a global catalog server. o Exchange Address Book lookups: Exchange 2000 Server and Exchange Server 2003 use Active Directory as the address book store. Outlook clients query the global catalog to locate Address Book information. Global catalo server creation and advertisement: Global catalog servers register global-catalogspecific service (SRV) resource records in DNS so that clients can locate them according to site. If no global catalog server is available in the site of the user, a global catalog server is located in the next closest site, according to the cost matrix that is generated by the KCC from site link cost settings. Global catalog replication: Global catalog servers must either have replication partners for all domains or be able to replicate with another global catalog server. When changes to the PAS occur on, and are replicated between, domain controllers that are running Windows Server 2003, only the updated attributes are replicated. Changes to the PAS that occur on domain controllers that are running Windows 2000 Server prompt a full synchronization of the entire global catalog (all attributes in the PAS are replicated anew to all global catalog servers). For more information about PAS replication, see Global Catalog Replication later in this subject.
24. Active Directory Service Database location

The actual database file, is %SystemRoot%\ntds\NTDS.DIT. The ntds.dit file is the heart of Active Directory including user accounts. Active Directory's database engine is the Extensible Storage Engine ( ESE ) which is based on the Jet database used by Exchange 5.5 and WINS. The ESE has the capability to grow to 16 terabytes which would be large enough for 10 million objects. Back to the real world. Only the Jet database can maniuplate information within the AD datastore. The Active Directory ESE database, NTDS.DIT, consists of the following tables:
Schema table the types of objects that can be created in the Active Directory, relationships between them, and the optional and mandatory attributes on each type of object. This table is fairly static and much smaller than the data table. Link table contains linked attributes, which contain values referring to other objects in the Active Directory. Take the MemberOf attribute on a user object. That attribute contains values that reference groups to which the user belongs. This is also far smaller than the data table. Data table users, groups, application-specific data, and any other data stored in the Active Directory. The data table can be thought of as having rows where each row represents an instance of an object such as a user, and columns where each column represents an attribute in the schema such as GivenName.
Active Directory is a transacted database system that uses log files to support rollback semantics to ensure that transactions are committed to the database. The files associated with Active Directory are:

Ntds.dit the database. Edbxxxxx.log transaction logs. Edb.chk checkpoint file. Res1.log & Res2.log reserved log files.
Ntds.dit grows as the database fills up. However, the logs are of fixed size (10 MB). Any change made to the database is also appended to the current log file, and its disk image is always kept up to date. Edb.log is the current log file. When a change is made to the database, it is written to the Edb.log file. When the Edb.log file is full of transactions, it is renamed to Edbxxxxx.log. (It starts at 00001 and continues to increment using hexadecimal notation.) Since Active Directory uses circular logging, old log files are constantly deleted, once they have been written to the database. At any point in time, you will find the edb.log file, and maybe one or more Edbxxxxx.log files. Res1.log and Res2.log are "placeholders" designed to reserve (in this case) the last 20 MB of disk space on this drive. This is designed to give the log files sufficient room for a graceful shutdown if all other disk space is consumed. The Edb.chk file, stores the database checkpoint, which identifies the point where the database engine needs to replay the logs, generally at the time of recovery or initialization. For performance reasons, the log files should be located on a different disk than the database to reduce disk contention. ADS_Exserver03-07_Qanda_Vasrao_02Jul09 Page 16 of 46
At the time of taking a backup, a new log file may be created. This log file would be deleted (like regular old log files) due to circular logging, as stated above.
25. Active Directory Performance

Realtime alerting - proactive response for conditions impacting Active Directory service quality Performance monitoring and reporting - degradation detection and resource capacity planning SLA creation, monitoring and reporting - managing Active Directory QoS in line with business
requirements
Web-based Active Directory Enterprise Console - intuitive display and event navigation Event log parsing for Active Directory "error" messages with prioritized alarm generation Flexible alarm notification options, i.e. pager, SMS, email, cell and more Active Directory alarm escalation for alerts that have not been handled within a designated time Active Directory process monitoring with automated stop/restart options Active Directory service core (CPU, Disk, Memory) resource utilization monitoring Active Directory service edge (LDAP, DNS, DHCP) response time monitoring File Replication Service Monitoring Active Directory Performance Counter monitoring Active Directory SLA 'rate-until-violation' calculation Web-based Performance, QoS and SLA Reporting
26. What are Universal groups and Global Group?

Universal Groups:
Groups that are used primarily to define sets of users or computers that should have wide permissions throughout a domain or forest. Members of universal groups include accounts, global groups, and other universal groups from any domain in the domain tree or forest. Best Practices: Universal groups are very useful in large enterprises where you have multiple domains. If you plan properly, you can use universal groups to simplify system administration. Members of universal groups shouldnt change frequently. Each time you change the members of universal group, you need to replicate these changes to all the global catalogs in the domain tree or forest. To cut down on changes, assign other groups to the universal group rather than user accounts.
Global Group: Groups that are used primarily to define sets of users or computers in the same domain that share a similar role, function, or job. Members of global groups can include only accounts and groups from the domain in which theyre defined. 27. Replication of GP / SYSVOL
As Group Policy becomes more important for managing desktops and servers in Active Directory, it makes sense that the details around Group Policy need to be understood more completely. There are many moving parts to Group Policy, including client side extensions, ADM/ADMX files, GPC, GPT, and much more. When a change occurs to a Group Policy object (GPO), that change only occurs on one domain controller. Thus, the change to the GPO must be replicated to all of ADS_Exserver03-07_Qanda_Vasrao_02Jul09 Page 17 of 46
the other domain controllers. This replication affects multiple replication mechanisms and can cause odd effects if not completed properly. This article will discuss the replication of Group Policy and what you can do to verify that all replication has occurred.
Triggering Replication Replication is triggered when a setting in a GPO is changed. This can be any of the settings in the GPO and with over 5000 in Windows Server 2008, there are plenty of opportunities to make changes now. A change can occur on either the Computer Configuration side or User Configuration side of the GPO. Either one will trigger replication to occur. The system tracks this triggering by both the Computer and User changes for the GPO. If you look at the details of a GPO in the Group Policy Management Console (GPMC), you will see that there is a listing of both Computer and User version, as seen in Figure 1.
Figure 1: Details of a GPO in the GPMC show the version of both Computer and User portions of a GPO. When a change occurs to either portion of the GPO, the version number for that portion is updated, as can be seen in Figure 2.
Page 18 of 46
Figure 2: Changes to settings in a GPO increment the version number
When a GPO is edited in the Group Policy Management Editor (GPME), the domain controller running the PDC Emulator role is used by default. Therefore, all replication will stem from this domain controller. If a different domain controller is selected, as can be done from the GPMC (see Figure 3), the replication will stem from that domain controller.
Replication of the Group Policy Template

The portion of the GPO that stores the settings into one or more files is the Group Policy Template (GPT). This portion of the GPO and the related files are stored on domain controllers under the Sysvol. The default path for these files is c:\Windows\Sysvol\Sysvol\<domainname>\Policies, as shown in Figure 3.
%systemroot%\SYSVOL is the folder which resides in every domain controllers to store the elements of Group policies object defined in Active Directory and scripts, such as logon scripts. Change made in SYSVOL in one domain controller is replicated to the entire domain controller by File replication service (FRS) Every domain controller has a shared folder in its local file system that is the file system component of Active Directory. This shared folder, named SYSVOL, contains files and folders that must be available and synchronized between domain controllers in a domain, including:
Page 19 of 46
The NETLOGON shared folder, which includes system policies and user-based logon and logoff scripts for non-Windows Server 2003 and non-Windows 2000 network clients, such as clients running Windows 95, Windows 98, and Windows NT 4.0.
Figure 3: All GPOs store settings in files under the Sysvol on domain controllers. The Sysvol on domain controllers is used to deliver Group Policy settings and logon scripts to clients at logon. Since Sysvol is used for authentication of users and computers, it must be up to date on all domain controllers. When any information is changed under the Sysvol on one domain controller, it triggers replication of the Sysvol to all other domain controllers. The Sysvol is replicated using the File Replication System (FRS). FRS does not have a schedule associated with it. FRS uses state-based replication instead. This means that as soon as there is a change to any file under the Sysvol folder structure, replication is triggered. This creates a very efficient and fast replication model for the GPT. As a side note, FRS replication does not adhere to any site boundaries. Thus, replication will converge to all of the domain controllers within only a few minutes, even to those domain controllers in remote locations. Note: Windows Server 2008 can use FRS or DFS-R to replicate the contents of the Sysvol. Replication of the Group Policy Container The Group Policy Container (GPC) potion of the GPO is stored in Active Directory. I refer to the GPC as the glue of the GPO. There are no settings stored in the GPC, rather all of the settings that you make in a GPO are stored in the GPT. The GPC contains all of the referential information for the GPO. This includes the path to the GPT, including the GUID of the GPO, as well as all of the Active Directory path information for the GPC.
Page 20 of 46
You can view the GPC and its properties by accessing the Active Directory Users and Computers (ADUC). When you open up the ADUC, you will most likely need to make a quick configuration change to see the GPC data. To do this, click on the View from the toolbar, then select the Advanced Features menu option, as seen in Figure 4. This will display many different details in the ADUC.
Figure 4: The Advanced Features option will display the GPC in the ADUC. Now that you have configured the ADUC to show the GPC, expand the following nodes to see them: <domainname>\System\Policies, as shown in Figure 5.
Page 21 of 46
Figure 5: The list of GPCs can be seen under the System\Policies node. Here you will see the full list of GUIDs that correspond to the GPCs of each GPO in the domain. The replication of the GPC is also triggered by a change to any setting in a GPO, just like the GPT. However, the replication of the GPC is not state-based and not based on FRS. Instead, like all other Active Directory objects, all of the GPCs are driven by Active Directory replication. Active Directory replication has two different replication schedules by default. There is the replication between domain controllers that are in the same site and replication between domain controllers in different sites. The first replication schedule occurs every 15 seconds for domain controllers in the same site. This interval should not be changed and is controlled by the Knowledge Consistency Checker (KCC). The second replication schedule occurs every 3 hours be default and is controlled by the Intersite Topology Generator (ISTG). This interval change, and in most instances, should be reduced to accommodate a schedule that will optimize changes to domain controllers. To change this interval, you will need to modify the site link and configure the schedule. This is done in the Active Directory Sites and Services tool, As shown in Figure 6.
Page 22 of 46
Figure 6: Intersite replication can be managed and reduced from the default 3 hours. Verifying GPO Replication The easiest tool to use to verify that both the GPC and GPT have replicated is GPOTool. This tool is free and very easy to use. It comes with the operating system and can be run from a command prompt. Just type gpotool <dcname> /verbose from the command prompt, like you see in Figure 7.
Page 23 of 46
Figure 7: GPOTool provides information on the convergence of both parts of the GPO. The results of running this command will display the GPT and GPC version numbers for each GPO on the listed domain controller. If a portion of the GPO has not replicated to the domain controller that you are authenticating to, there is a chance that the new settings in the GPO will not apply. Thus, if you know a GPO has been changed, yet the settings are not being delivered, it is a good idea to verify that the GPO has replicated to the domain controller that you are authenticating too. Summary Group Policy replication is controlled by two different replication mechanisms: FRS and Active Directory replication. In order for the GPO content to be up to date on all domain controllers, replication must converge for both parts of the GPO, GPT and GPC, in order for Group Policy to function properly. By using a tool like GPOTool, you can verify that all GPO data has replicated to each domain controller.
28. What is the difference between Windows Server 2000 and Windows Server 2003? Note: Windows Server 2003 was released as an upgrade to Windows 2000 Server. Additional features in Windows Server 2003 include. windows 2003 server support remote desktop feature but in 2000 remote desktop feature was not supported. Window 2003 server includes IIS server in it. That is the biggest advantage on top of better file system management. One can change the domain name at any time with help of ntdsutil command, without rebuilding the domain that is not possible in 2000.
1: Windows 2000 server give only 90 days trial version of Terminal server. but windows server 2003 give 120 days trial version. 2: Windows server 2003 shared folder at a time only 65767 user access.
ID.No . 001 Windows Server 2000 When installing terminal services for win2000 ur prompted to select application server functions or administrative functions sets can be installed sequently on one server but it performs only one function at one time. In Win 2000 server we can apply 620 group policies Windows Server 2003 But in 2003 still distinguishes between application and administrative services but installation and management are now consolidated.
002
We can apply nearly 720 so Win2003 server is more secure than win 2000 server.
003 004
Cannot rename domain Supports of 8 processors and 64 GB RAM (In 2000 Advance Server)
Rename domain Supports up to 64 processors and max of 512GB RAM. 2003 supports IIS 6.0 2003 supports Microsoft .NET 2.0 2003 has Standard, Enterprise, Datacenter and Web server Editions.
005 006
2000 supports IIS 5.0 2000 does not support Dot net
007
2000 has Server and Advance Server editions
008
2000 Does not have any 64 bit server operating system
2003 has 64 bit server operating systems (Windows Server 2003 X64 Std and Enterprise Edition)
009
2000 has basic concept of DFS (Distributed File systems) with defined roots
whereas 2003 has Enhanced DFS support with multiple roots. whereas 2003 is easy administration in all & Complex networks. In 2003 we can create 1 billion users In 2003 we have concept of Volume shadow copy service which is used to create hard disk snap shot which
010
In 2000 there is complexality in administering Complex networks
011
In 2000 we can create 1 million users In 2000 does not offer Volume Shadow copy service
012
Page 25 of 46
is used in Disaster recovery In 2000 we dont have end user policy management In 2003 we have a End user policy management which is done in GPMC (Group policy management console).
013
014 015
In 2000 we have cross domain trust relation ship 4 Node clustering Not such High HCL support has found in 2003 server
and 2003 we have Cross forest trust relationship. 8 Node clustering 2003 has High Compatibility HCL Support (Hardware
016
List) issued by Microsoft. Code name of Windows 2000 is Windows NT 5.0 ADFS found in Windows 2000 not robust
017 018
Code name of Windows 2003 is Windows NT 5.1 2003 has service called ADFS (Active Directory Federation Services) which is used to communicate between branches with safe authentication. In 2003 their is improved storage management using service File Server Resource Manager (FSRM).
019
File Server Resource Manager not robust
020
No Share point service found in Windows Server 2000
2003 has service called Windows Share point Services (It is an integrated portfolio of collaboration and communication services designed to connect people, information, processes, and systems both within and beyond the organizational firewall). 2003 has Improved Print management compared to 2000 server.
021
Print Management not robust
022 023
No telnet sessions available 2000 supports IPV4
2003 has telnet sessions available. 2003 supports IPV4 and IPV6
29. Default policy of Windows Server 2003
Page 26 of 46
The default domain policy GPO (Group Policy Objects) is not complete without the inclusions of the following vital policies that are defined and practised as a standard under Windows Server 2003 policies:
They are: Passsword Policy
: Password policies that include a) Password history b) Minimum password length c) Complexities of password characters being used
http://www.microsoft.com/protect/yourself/password/checker.mspx?WT.mc_id=Ba nner_Password_Checker Account Lockout Policy: 1) Determines default account lockout policies for DC 2) Duration of lockout 3) Account lockout threshold Kerberos Policy: 1) Determines default Kerberos polices for DC 2) Maximum tolerance for Kerberos 3) Computer clock synchronization
30. What is Universal Group caching

Windows Server 2003 includes a new feature called universal group membership caching (UGMC) to locally cache a user's membership in universal groups on the domain controller authenticating the user. This can be useful in branch office scenarios where you don't want to deploy a global catalog (GC) because of the extra WAN traffic that the GC needs to replicate with other domain controllers in the domain. The cached membership for UGMC is then refreshed every 8 hours to keep it up to date. UGMC is enabled on a per-site basis in AD as follows: Open Active Directory Sites and Services, expand the Sites node and select the site where you want to enable UGMC, right-click NTDS Site Settings, select Properties, and select the Enable Universal Group Membership Caching check box. Then under Refresh cache from click a different site from which the selected site will refresh its UG membership cache. If UGMC can speed logons at remote sites then it sounds like a good idea. But when is it better to simply deploy a GC at the remote office instead? 1. When you have lots of WAN bandwidth available 2. When the membership of universal groups frequently changes 3. When you have Exchange Server deployed at the remote site 4. When the branch office and headquarters both belong to the same AD site. If any of these is true, it's best if you simply make one of the domain controllers at your remote office a global catalog server. ADS_Exserver03-07_Qanda_Vasrao_02Jul09 Page 27 of 46
31. What is Group Policy order

Local GPO Site (GPO linked) Domain (GPO linked) Organizational Units (OUs)
32. Domain trust and forest trust

Trust Scenarios Technologies Related to Trusts
Most organizations that have more than one domain have a legitimate need for users to access shared resources located in a different domain. Controlling this access requires that users in one domain can also be authenticated and authorized to use resources in another domain. To provide authentication and authorization capabilities between clients and servers in different domains, there must be a trust between the two domains. Trusts are the underlying technology by which secured Active Directory communications occur, and are an integral security component of the Windows Server 2003 network architecture. When a trust exists between two domains, the authentication mechanisms for each domain trust the authentications coming from the other domain. Trusts help provide for controlled access to shared resources in a resource domain (the trusting domain) by verifying that incoming authentication requests come from a trusted authority (the trusted domain). In this way, trusts act as bridges that allow only validated authentication requests to travel between domains. How a specific trust passes authentication requests depends on how it is configured; trust relationships can be one-way, providing access from the trusted domain to resources in the trusting domain, or two way, providing access from each domain to resources in the other domain. Trusts are also either nontransitive, in which case trust exists only between the two trust partner domains, or transitive, in which case trust automatically extends to any other domains that either of the partners trusts. In some cases, trust relationships are automatically established when domains are created; in other cases, administrators must choose a type of trust and explicitly establish the appropriate relationships. The specific types of trusts used and the structure of the resulting trust relationships in a given trust implementation depend on such factors as how the Active Directory directory service is organized, and whether different versions of Windows coexist on the network. Trust Scenarios It is possible to create a number of different domain and forest trust configurations, depending on the Active Directory structure of the organization. Windows Server 2003 domains and forests can trust other Windows Server 2003 domains and forests, as well as Windows 2000 and Windows NT 4.0 domains. For example, trust configurations vary in nature and complexity in each of the following scenarios: Trusts within a single Windows 2000 Server or Windows Server 2003 forest By default, all domain trusts within a single Active Directory forest are two-way, transitive trusts. There are three types of transitive trusts that are used within a single Windows 2000 Server or Windows ADS_Exserver03-07_Qanda_Vasrao_02Jul09 Page 28 of 46
Server 2003 forest. The first is the tree-root trust, which is created by default when you create a new domain tree by using the Active Directory Installation Wizard. The two-way transitive nature of intraforest trusts such as the tree-root trust allows all domains in one tree to trust all domains in any other tree within the same forest. The second type of trust is a parent-child trust. It is created automatically when you create a new domain in an existing domain tree by using the Active Directory Installation Wizard. When a new child domain is created, a parent-child trust is established between the new domain and the domain that immediately precedes it in the namespace hierarchy. The last type of trust that can be used between trees is a shortcut trust, and is used to speed up access times to resources in a domain that is deep within the tree hierarchy of another domain. Trusts between two Windows Server 2003 forests It is possible to extend the transitivity of domain trusts within a single Windows Server 2003 forest to another Windows Server 2003 forest by manually creating a one-way or two-way forest trust. A forest trust is a transitive trust between a forest root domain and a second forest root domain. A one-way forest trust allows all users in one forest to trust all domains in the other forest; a two-way forest trust forms a transitive trust relationship between every domain in both forests. The transitivity of forest trusts is limited to the two forest partners; the forest trust does not extend to additional forests trusted by either of the partners. Trusts across Windows Server 2003 and Windows 2000 forests Windows Server 2003 forest trusts cannot be created between a Windows Server 2003 forest and a Windows 2000 forest. You can, however, manually create a trust relationship between any domain in a Windows Server 2003 forest and any domain in a Windows 2000 forest by using one-way or two-way external trusts. External trusts are nontransitive and provide for access to resources in another domain outside the forest that is not already joined by a forest trust. Trusts between Windows Server 2003 or Windows 2000 domains and Windows NT 4.0 domains You can manually create a one-way or two-way external trust between Windows Server 2003 or Windows 2000 domains and Windows NT 4.0 domains so that users from either domain can be authenticated to access resources in the other domain. Trusts between Windows 2000 or Windows Server 2003 domains and non-Windows Kerberos realms Windows 2000 or Windows Server 2003 domains can be configured to trust non-Windows-brand operating system Kerberos realms, and non-Windows Kerberos realms can be configured to trust Windows Server 2003 domains by manually creating one-way or two-way realm trusts. Realm trusts can also be configured to be either nontransitive or transitive, depending on the level of interoperability you require with UNIX or Massachusetts Institute of Technology implementations of the Kerberos version 5 protocol. When the direction of a one-way trust is from a non-Windows Kerberos realm to a Windows Server 2003 domain, the user in the Windows Server 2003 domain can access resources in the nonWindows Kerberos realm. When the direction of trust is from a Windows Server 2003 domain to a nonADS_Exserver03-07_Qanda_Vasrao_02Jul09 Page 29 of 46
Windows Kerberos realm, users in the non-Windows Kerberos realm can access the resources in the Windows Server 2003 domain. Technologies Related to Trusts Trusts depend on the NTLM and Kerberos authentication protocols and on Windows-based authorization and access control mechanisms to help provide a secured communications infrastructure across Active Directory domains and forests. The following diagram illustrates how authentication and authorization technologies relate to trusts and other components of the Windows distributed security model. Trusts and the Windows Distributed Security Model
Applications and Net Logon Both applications and the Net Logon service are components of the Windows distributed security channel model. Applications integrated with Windows Server 2003 and Active Directory use authentication protocols to communicate with the Net Logon service so that a secured path can be established over which authentication can occur. Authentication Protocols Active Directory domain controllers authenticate users and applications by using one of two protocols: either the Kerberos version 5 authentication protocol or the NTLM authentication protocol. When two Active Directory domains or forests are connected by a trust, authentication requests made using these protocols can be routed to provide access to resources in both forests. NTLM The NTLM protocol is the default protocol used for network authentication in the Windows NT 4.0 operating system. For compatibility reasons, it is used by Active Directory domains to process network authentication requests that come from earlier Windows-based clients and servers. Computers running Windows 2000, Windows XP or Windows Server 2003 use NTLM only when authenticating to servers running Windows NT 4.0 and when accessing resources in Windows NT 4.0 domains. When the NTLM protocol is used between a client and a server, the server must contact a domain authentication service on a domain controller to verify the client credentials. The server authenticates the client by forwarding the client credentials to a domain controller in the client account domain. The authentication protocol of choice for Active Directory authentication requests, when there is a choice, is Kerberos version 5. When the Kerberos protocol is used, the server does not have to contact the ADS_Exserver03-07_Qanda_Vasrao_02Jul09 Page 30 of 46
domain controller. Instead, the client gets a ticket for a server by requesting one from a domain controller in the server account domain; the server validates the ticket without consulting any other authority. Kerberos Version 5 Protocol The Kerberos version 5 protocol is the default authentication protocol used by computers running Windows 2000, Windows XP Professional, or Windows Server 2003. This protocol is specified in RFC 1510 and is fully integrated with Active Directory, server message block (SMB), HTTP, and remote procedure call (RPC), as well as the client and server applications that use these protocols. In Active Directory domains, the Kerberos protocol is used to authenticate logons when any of the following conditions is true:

The user who is logging on uses a security account in an Active Directory domain. The computer that is being logged on to is a Windows 2000, Windows XP or Windows Server 2003based computer. The computer that is being logged on to is joined to an Active Directory domain. The computer account and the user account are in the same forest. The computer from which the user is trying to access resources is located in a non-Windows Kerberos realm.
If any computer involved in a transaction does not support the Kerberos version 5 protocol, the NTLM protocol is used. Authorization and Access Control Authorization and trust technologies work together to help provide a secured communications infrastructure across Active Directory domains or forests. Authorization determines what level of access a user has to resources in a domain. Trusts facilitate cross-domain authorization of users by providing a path for authenticating users in other domains so their requests to shared resources in those domains can be authorized. Once an authentication request made to a resource in a trusting domain is validated by the trusted domain, it is passed to the targeted resource computer, which determines, based on its access control configuration, whether to authorize the specific request made by the user, service, or computer in the trusted domain. In this way, trusts provide the mechanism by which validated authentication requests are passed to a trusting domain, while access control mechanisms on the resource computer determine the final level of access granted to the requestor in the trusted domain. Note
Access to resources in any discussion of trust relationships always assumes the limitations of access control.
33. How do you force GPUpdate on Windows 2003 and Windows 2000?
Forcing Group Policy The flipside of blocking Group Policy is to ensure that a GPO is not blocked at a lower level, also known as forcing Group Policy. The idea here is that a domain-level administrator may need to ensure that ADS_Exserver03-07_Qanda_Vasrao_02Jul09 Page 31 of 46
certain corporate requirements are always met and cannot be modified by an administrator at the OUlevel. An example of this is the installation of antivirus software on all computers in the company or the requirement that all computers have common desktop wallpaper. To do this, an administrator at a higher level in Active Directory would create a GPO and configure it with the No Override option to ensure its settings are never modified by lower-level GPOs. In essence, this means that if the same setting is configured in a GPO at a lower-level OU, the OU setting is ignored and the higher-level setting always wins.
Forcing Group Policy 1. From the Administrative Tools program group, start Active Directory Users And Computers for your domain. 2. In Active Directory Users And Computers, right-click the domain name, and select Properties. 3. On the domain Properties page, click the Group Policy tab. 4. Click a GPO whose settings you want to always apply (Default Domain Policy, for example), and then click Options. 5. In the GPO Options dialog box, check the No Override check box, and then click OK. 6. Click Apply, and then OK to save your settings. 7. Close Active Directory Users And Computers.
When deciding whether to force a GPO to lower levels, always make sure this is the best way of accomplishing your goals. When a GPO is forced, its settings override all lower-level settings whether or not they have been changed at the lower-level container. There could be unexpected results if users or computers within an OU need to have some settings vary from the corporate standard for valid reasons. Always ask yourself two questions: Do all containers below this level have to have these settings? and Should lower-level administrators be able to change these settings? If the answer to the first question is Yes, then you might want to consider forcing the GPO. If the answer to the second question is Yes, then you might want to reconsider forcing the GPO. An answer of Yes to the first question and of No to the second will mean that forcing the GPO is the best route at that particular point in time.
34. What are Exchange Server 2007 licence

Exchange Server 2007 Licensing Licensing Modes Exchange Server is licensed in the Server / Client Access License (CAL) model. Under this model, an Exchange Server license is required for each operating system environment running Exchange Server. A CAL is required for each user or device accessing Exchange Server. Server and Client Access License Editions Exchange Server 2007 is offered in two server editions: Standard Edition Enterprise Edition Exchange Server 2007 is also offered in two CAL editions: Standard CAL Enterprise CAL Either version of the CAL may be run against either version of the server. To learn more about the server and CAL editions, see Exchange Server 2007 Editions and Client Access Licenses. The Exchange Server Standard and Exchange Server Enterprise CAL licenses are also included in the Enterprise CAL Suite. 35. What are different versions of Exchange Server 2007 Exchange Server 2007 Editions Exchange Server 2007 is offered in two server editions: Standard Edition and Enterprise Edition. Exchange Server 2007 Standard Edition is designed to meet the messaging and collaboration needs of small and medium corporations; it may also be appropriate for specific server roles or branch offices. Exchange Server 2007 Enterprise Edition, designed for large enterprise corporations, enables creation of multiple storage groups and databases. 36. Hub Transport Server and Edge Transport Server
The Hub Transport Server Role The Hub Transport server role is a part of Exchange Server 2007s internal messaging topology, responsible for transferring mail and applying policies to messages on route to their destination. Direct comparisons with Exchange Server 2000/2003s Bridgehead Server role are inevitable and not completely out of place. However, the HT performs a number of additional functions besides simply transferring messages.
Page 33 of 46
Before going any further, its essential that you clearly understand one important behaviour of mail flow in Exchange Server 2007: Every e-mail message encounters at least one Hub Transport server in its lifetime. Heres a simplified recap of Exchange Server 2007 message routing functionality: Messages between different Active Directory (AD) sites are sent from the source mailbox server to a Hub Transport server in the same site. The HT server routes the message to an HT server in the destination site, which delivers the message to the destination mailbox server. Messages to recipients in the same AD site are sent from the source mailbox server to an HT server in the same site, which routes messages to the destination mailbox server. In other words, two mailbox servers do not talk to each other directly, unlike in previous versions of Exchange. If a message is sent to a mailbox residing on the same mailbox server as the sender, the message still hops through an HT server before making its way back to the mailbox server. (This is an important part of our message routing recap.) The Edge Transport Server Role The Edge Transport server role is a new member of the Exchange messaging topology. It routes messages between the Exchange organization and external mail systems. As such, it is meant to be a mail gateway, in many ways similar to non-Exchange Message Transfer Agents (MTAs) MTAs such as Sendmail and Postfix, or appliances from vendors such as IronPort and Barracuda that serve as mail gateways in many organizations. Unlike other Exchange server roles that are designed to be domainjoined members of the Exchange organization, the Edge is designed to be a standalone server. Additionally, it is designed to be located in perimeter networks, also known as DMZs (demilitarized zones), a term used for network segments located between an external or Internet-facing firewall and the internal firewall. This allays some of the fears of security departments about exposing Windows domain servers to the Internet and locating member servers in perimeter networks. Nevertheless, the Edge server role can be installed on member servers and located behind firewalls on the internal network, if required. Unlike its internal counterpart (the Hub Transport server role), the ET is not a required server role. An organization can expose its internal Hub Transport servers to the Internet, allowing these to directly receive and send external/Internet e-mail. Alternatively, it can continue to use non-Exchange MTAs, such as those mentioned earlier, as its mail gateways for inbound mail and deliver the mail to Hub Transport servers. Whether an ET server becomes a part of your messaging topology will be determined by a number of factors. Unlike the HT role, Exchange does not make it mandatory that you have an Edge Transport server deployed. Comparing the Hub and Edge Transport Server Roles Conversations about Hub Transport and Edge Transport server roles often end up in a discussion about the differences between the two roles. Although the general design decisions made by the Exchange product team have been communicated often on the Microsoft website and the Exchange team blog (msexchangeteam.com), a brief feature-by-feature comparison of each is in order so that you can clearly understand what one gains by deploying the Edge Transport server roleor as is often a topic of
such discussions, what features are unavailable when one does not deploy the Edge Transport server role.
Transport rules on the Hub and Edge Transport servers: Besides the general design considerations, one of the more important differences that do not get as much airplay is the difference in the transport rules functionality. Whereas both the Edge Transport and the Hub Transport can apply transport rules ADS_Exserver03-07_Qanda_Vasrao_02Jul09 Page 34 of 46
to messages in transit, the Edge Transport server does not have access to Active Directory domain controllers (DCs)/Global Catalog servers that the Hub Transport servers benefit from. This restricts its ability to apply the kind of transport rules that can require Active Directory access, such as rules based on an Exchange recipient or its membership in distribution lists. Instead, the Edge Transport can only use SMTP e-mail addresses. Overall, the transport rules available to the Edge Transport server are for the most part a subset of those available to its domain-joined counterpartthe Hub Transport server. Additionally, the Edge Transport server can use transport rules to deliver messages to the spam quarantine mailbox and to drop SMTP connections. Transport agents: The Hub and Edge Transport servers also have a small number of distinct transport agents exclusive to them. The Hub Transport sports the Journaling agent and AD Rights Management Services Pre-licensing agent. The Edge Transport has the Attachment Filtering agent and Address Rewriting (Inbound and Outbound) agents. Transport rules are applied by the Transport Rule agent on the Hub Transport and by the Edge Rule agent on the Edge Transport server. Feature Required server role Coexists with other Exchange Server 2007 server roles Designed to work in perimeter networks (a.k.a. DMZs) Designed to work as a standalone (not a domain-joined) server Requires Active Directory Application Mode (ADAM) Can send/receive Internet mail Anti-spam agents Safelist Aggregation Attachment Filtering agent Address Rewriting (Inbound and Outbound) agents Journaling agent AD RMS Pre-licensing agent Number of transport rule conditions (a.k.a. predicates) Transport rules based on Active Directory objects such as recipients and distribution groups Transport rules to apply message classification Transport rules to apply disclaimers Transport rules to deliver messages to the spam quarantine mailbox Transport rules to drop a connection Sharing of SMTP address spaces (internal relay domains) Hub Transport Yes Yes No No No Yes Yes Yes No No Yes Yes 26 Yes Yes Yes No No Yes Edge Transport No No Yes Yes Yes Yes Yes Yes Yes Yes No No 13 No No No Yes Yes No
1. The Hub Transport server coexists with the Client Access Server (CAS), Unified Messaging, and Mailbox Server roles, with the exception of the Clustered Mailbox Server (CMS). 2. The Edge Transport server is designed to work in perimeter networks (DMZs), but can be deployed on internal networks as well. 3. The Edge Transport server role is designed to be deployed on standalone servers that are not part of an Active Directory domain, but can be deployed on member servers. 4. The Hub Transport server role does not have anti-spam agents installed by default. These can be installed using the install-AntispamAgents.ps1 script in the Exchange Server\Scripts folder.
Page 35 of 46
5. Note: Sharing SMTP address spaces is not a feature as such, but the capability to share address spaces requires a Hub Transport server. Its something the Edge Transport server cannot do because it requires access to Active Directory to look up recipients. TABLE 7-1 A Comparison of the Features of the Hub Transport and Edge Transport Server Roles (Continued
37. Enterprise Exchange CAL and Standard Exchange CAL Exchange Server 2007 Client Access Licenses Exchange Server 2007 is offered in two client access license (CAL) editions: Standard CAL and Enterprise CAL. The Exchange Server Standard CAL provides access to e-mail, shared calendaring and Outlook Web Access (OWA). In addition you will get advancements that reduce the cost and complexity of the messaging system by giving IT Administrators the messaging protection their company demands, the anywhere access their end users want and the reliability they need. The Exchange Server Enterprise CAL is an additive CAL and requires that a Standard CAL is also purchased for each user or device. The Exchange Server Enterprise CAL provides access to Unified Messaging and advanced compliance, as well as Forefront Security for Exchange Server and Exchange Hosted Filtering for onsite and hosted antivirus and anti-spam protection. A CAL is required for each user or device (depending on the license) accessing the server. Either version of the CAL may be run against either version of the server. 38. Why routing group not used in Exchange Server 2007?
No more routing groups (except for legacy purposes) No more routing group connectors (except for legacy purposes) Uses AD sites and site links instead Uses least cost routing with no more rerouting over an alternate path (rely on network layer's OSPF capabilities to do that for us; more diagnosable due to being deterministic) Queue closest to point of failure (back-off) Improved bifurcation algorithm Exchange Management Shell to set an Exchange cost on an Active Directory directory service IP site link in Microsoft Exchange Server 2007. By default, Microsoft Exchange uses the cost assigned to an IP site link for Active Directory replication purposes to compute a routing topology. The existing IP site link costs should work well for Exchange 2007 message routing because Active Directory IP site link costs are based on relative network speed compared to all network connections in the WAN and are designed to produce a reliable and efficient replication topology,. However, if after you document the existing Active Directory site and IP site link topology, you determine that the Active Directory site link costs and network traffic flow patterns are not optimal for Exchange 2007, you can make adjustments to the costs that are used by Exchange routing. An Exchange administrator cannot and should not use Active Directory tools to modify the cost that is assigned to the IP site link. Instead, use the SetADS_Exserver03-07_Qanda_Vasrao_02Jul09 Page 36 of 46
ADSiteLink cmdlet in the Exchange Management Shell to assign an Exchange-specific cost to the IP site link. When an Exchange-specific cost is assigned to an IP site link, the Exchange cost effectively overrides the Active Directory cost for message routing only, and routing only considers the Exchange cost when it evaluates the least cost routing path. To force relay of all message delivery through a hub site, you may find adjusting IP site link costs useful.
39. What will you do if Client Access Server not available on the internet?
Check out these http://technet.microsoft.com/en-us/library/bb310763.aspx http://msexchangeteam.com/archive/2007/09/04/446918.aspx http://msexchangeteam.com/archive/2007/09/10/446957.aspx http://msexchangeteam.com/archive/2007/10/12/447266.aspx articles:
40. What steps do you take to upgrade Exchange Server 2000 to Exchange Server 2003 Step-by-Step: Migrating Exchange 2000 to Exchange 2003 Using New Hardware Migrate your mail system from Exchange 2000 Server running on a Windows 2000 Server system to a new server running Exchange Server 2003 on Windows Server 2003. This scenario will take you through all Exchange-related issues from adding your first Windows Server 2003 system to unplugging your old Exchange 2000 system when finished. If you simply want to do an in-place upgrade of Exchange 2000 to Exchange 2003 using the same server, youve got it made Microsoft has explained the process of upgrading and made it pretty simple. Even if youre still using Exchange v5.5, Microsoft has you covered with a wealth of documentation to peruse. But what if youre an Exchange 2000 organization that wants to bring in a new Exchange 2003 system alongside your existing machine, move all your content over to it, and decommission the original box? Then youre left scratching your head. At the time of this writing, there is no guide Ive been able to find that explains the process with any detail. This document will explain the process, combining information from numerous sources as well as my own experience. Its very easy to bring Exchange Server 2003 into your Exchange 2000 organization, with minimal disruption to your existing server or your users. This document assumes you have an Exchange 2000 organization running in native mode. Henceforth, the Exchange 2000 system will be referred to as the old server, and the Exchange 2003 system will be referred to as the new server. Prepare your Network for Windows Server 2003 Regardless of how you intend to get to Exchange 2003, there are some basic steps that must be done.
Page 37 of 46
1. Begin by reviewing Microsofts 314649 Windows Server 2003 adprep /forestprep Command Causes Mangled Attributes in Windows 2000 Forests That Contain Exchange 2000 Servers This article explains that if you have Exchange 2000 installed in your organization, and you proceed with installing your first Windows Server 2003 system (and its accompanying schema modifications), you may end up with some mangled attributes in AD. Preventing this from happening is simple enough: a script called Inetorgpersonfix.ldf will do the trick. 2. Run adprep /forestprep from Windows Server 2003 CD on your Windows 2000 server that holds the Schema master FSMO role. (Of course youll need to be a member of Schema Admins). Be sure to replicate the changes throughout the forest before proceeding. 3. Run adprep /domainprep from Windows Server 2003 CD on your Windows 2000 server. I ran it on the system holding the PDC Emulator FSMO role. 4. Before bringing a new Windows Server 2003 system online, its a good idea to review your third-party server utilities and upgrade them to the latest versions to ensure compatibility. In my installation, this included the latest versions of BackupExec, Symantec Antivirus Corp. Edition, and Diskeeper. 5. Run setup /forestprep from the Exchange Server 2003 CD on the Windows 2000 server that holds the Schema master FSMO role. Replicate the changes throughout the forest. 6. Run setup /domainprep from the Exchange Server 2003 CD on a Windows 2000 Again, I ran it on the system holding the PDC Emulator role. II. Install Windows Server 2003 1. Install Windows Server 2003 on the new server, join it to the domain, then apply all hotfixes to the server to bring it up to date. 2. In AD, move the server object to the desired OU. 3. If youre paranoid like me, you may be tempted to install antivirus (AV) software on your new server at the earliest opportunity. Hold off on that for now. 4. Review Microsofts 815372 How to optimize memory usage in Exchange Server 2003 which explains a number of settings required for Exchange Server 2003. Specifically, you may need to add the /3GB and /userva=3030 switches to boot.ini, or you will have event 9665 in the event log. I also had to change the HeapDeCommitFreeBlockThreshold value in the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\ to 0x00040000 as directed in the article. 5.Review Microsofts 831464 FIX: IIS 6.0 compression corruption causes access violations. I obtained the fix from Microsoft, and you should do the same, as it fixes some nasties that may interfere with OWA.
server.
III. Install Exchange Server 2003 1. If you have installed any AV software on the new server, stop all AV-related services now, or you may experience a failed Exchange installation as I did. 2. Download the latest copy of the Exchange Server 2003 Deployment Tools, version 06.05.7226 as of this writing. 3. To begin the Exchange Server 2003 install on your new server, run Exdeploy.hta after extracting the tools. 4. Choose Deploy the First Exchange 2003 Server 5. Youll want to choose the item for your current environment, which in the context of this article is You are running Exchange 2000 in native mode and you want to upgrade a server or install the first new Exchange 2003 server. Choose Upgrade from Exchange 2000 Native Mode. 6. Run through the entire checklist and perform all the steps and tests. When you get to Step 9 in Exdeploy, youll need to specify the path to the Exchange Server 2003 CD since youre running Exdeploy from a location other than the CD. 7. Install all the Exchange components unless you have a compelling need to do otherwise. 8. When the install is completed, install Exchange Server 2003 Service Pack 1. 9. When SP1 is completed, run the Exchange System Manager from the Windows Server 2003 system, and you will see your new server listed in the Exchange organization, as well as your old server. 10. The POP3 and IMAP4 services arent set to start automatically, so configure them for Automatic startup if desired. 11. If you want to install or enable antivirus software, its now safe to do so.
IV. Get Familiar with Exchange Server 2003 1. At this point, you now have an Exchange 2003 system running in your existing Exchange organization. Microsoft has done a good job of allowing the two versions to coexist. 2. Before proceeding with your migration, there are a number of important tasks to consider at this stage. For openers, communicate with your users about the migration if you havent already, brief them on the new OWA interface, and by all means ask them to go through their mailboxes and delete old, unneeded items. Youll appreciate this later! ADS_Exserver03-07_Qanda_Vasrao_02Jul09 Page 39 of 46
3. This is a good opportunity to spend some time reviewing your new Exchange server. Even if you spent time learning the new product in a lab environment (as you should have), exploring the system now before proceeding makes sense. Check out the new ESM, move a test mailbox to the new server, and try OWA. Go through your old server and take note of any settings you want to configure on the new system such as size limits on SMTP connectors or incoming/outgoing messages, etc. Youll find that Exchange Server 2003 is configured to block mail relaying by default. 4. This is a good time to uninstall the Exchange 2000 version of the ESM remote management tools (using the Exchange 2000 Server CD, run Setup, choose Remove) on any management workstations and install the new Exchange 2003 ESM, which can be used to manage both versions of Exchange server. 5. As you test message routing, you will find that any email coming into your organization from the outside will be automatically routed to the appropriate Exchange server where the mailbox resides. My test mailbox on the new server could send and receive mail, no problem. I could also access the mailbox with Outlook or OWA from within the organization, no problem. However, I was unable to access mailboxes on the new server from outside the organization. 6. In my configuration, an ISA Server 2000 system acts as the firewall, where web and server publishing rules exist to redirect incoming traffic to the old mail server. There was no simple way I could find to allow simultaneous access to both the old and the new servers. All incoming mailrelated traffic was directed to the old server. This limitation affected the rest of the migration as you will see. Note: There is a way to have multiple Exchange servers, both 2000 and 2003, behind a firewall, whereby mail is automatically directed to the appropriate server. This scenario involves installing Exchange Server 2003 on a server and configuring it as a front end server, which allows it to act as a proxy. Unfortunately, the front end server cannot hold any mailboxes on its own, so this isnt an option in the migration scenario in this article.
Note: For a front end server to make any sense, a minimum of three servers would be needed: the front end server itself, and at least two Exchange servers, to which the front end server would route messages, based on the mailboxes homed on each. In our migration scenario, one could have a front end server ADS_Exserver03-07_Qanda_Vasrao_02Jul09 Page 40 of 46
routing mail to the old Exchange 2000 server and the new Exchange 2003 server. As mailboxes are moved from the old to the new server, the front end server would route messages to the correct place. This is a nice option for those with the hardware and the desire to do a gradual transition.
V. Configure Exchange Server 2003 to Host Public folders and Other Roles
As you begin moving folders and roles to the new server, one thing I learned the hard way is that you should use the ESM running on the new server. I used the ESM on a Windows XP remote management workstation, and found that things reported on the workstationss ESM werent always the same as the Exchange servers ESM. 1. Review Microsofts 307917 XADM: How to Remove the First Exchange 2000 Server Computer from the Site. This document contains most of what is needed to finish this migration, and explains in detail how to setup replication of Public folders. 2. Using the instructions in 307917 as a guide, setup replication for all public folders that were created by your organization on your old server. Do not setup replication for any folders you didnt create, as several of these will not be brought over to the new server. When the folders you replicated are in sync, remove the old server from the replication tab. These folders now exist solely on the new server. They are accessible to those within your WAN, but are inaccessible outside your firewall. 3. You should find that the Public folders called default and ExchangeV1 are already replicated to the new server. Using Step 2 and 3 in 307917, setup replication to the new server for the folders Offline Address Book, OAB Version 2, and Schedule+ Free Busy Information. If you have a folder called Internet Newsgroups, you should replicate that also. This folder is created by the Exchange system, though your organization may not use it. 4. If you check the Properties, Replication tab on your administtrative groups Folders node, you will see the replication interval for the public folders. Unless you specifically changed the interval on any individual public folders, they should follow this schedule. Always run means replication will run every 15 minutes. There is no replicate now option.
Page 41 of 46
5. Using Step 4 & 5 in 307917, rehome RUS and designate the new server as the routing group master. 6. Step 6 and 7 in 307917 didnt apply in my configuration; proceed with those as needed. 7. Using Microsofts 265293 How to Configure the SMTP Connector in Exchange, add the new server to the SMTP connector, remove the old server, then cycle the MS Exchange Routing Engine service and the SMTP service for these changes to take effect. Send a test message to verify the new server is sending the mail now. 8. There are a number of public folders on the Exchange 2000 server that do not need to be replicated and moved to the new server, including several that are part of the Exchange 2000 version of OWA. On my system these included:

Controls Event Config_<old server name> Events Root Exchweb Img Microsoft Offline Address Book First Administrative Group Schema-root Views
Just leave these folders on the old server. At this point, with the exception that your public folders are no longer accessible outside your firewall, there shouldnt be any noticeable difference to your users. You can accomplish all of the above during normal working hours without much fuss. However, the next step isnt as transparent.
VI. Move the Mailboxes to Exchange Server 2003

This is the moment weve all been waiting for, and its pretty straightforward. In order for this process to go as smoothly as possible, you should make sure that no users inside your organization are accessing the email system. You should also block all external access to your mail servers. 1. You can read a detailed description of moving mailboxes, see Henrik Walthers Moving Mailboxes with the Exchange 2003 Move Mailbox Wizard article for specifics. 2. Prevent outside access to your mail servers. In my case, this involved disabling the web and server publishing rules for IMAP4, POP3, and SMTP in my ISA Server 2000 system. 3. Make sure no internal users are accessing the mail server. 4. Turn off AV on both the old and the new server. Moving mailboxes is a time-consuming, resourceintensive process. AV scanning will slow this process down, and in some cases can cause problems when large scale data is being moved. 5. The Move Mailbox Wizard will allow you to select many mailboxes at a time, but it will only process four at a time. I chose the Create a failure report option, which wont move the mailbox if there are errors. I moved 75 mailboxes, 1.7GB of data, in 70 minutes, without a single error. 6. The key determining factor in the speed of the mailbox move process isnt so much size as it is the number of items in a mailbox. If your users deleted a lot of items per your request, the process will go a lot quicker now. 7. If you want to test your new system before moving all the mailboxes, you can move a handful of them, then turn on outside access (I would turn on AV as well). Keep in mind, youll need to ADS_Exserver03-07_Qanda_Vasrao_02Jul09 Page 42 of 46
configure your firewall to point to the new mail server. You should be able to access the new mailboxes with OWA and POP3 mail applications like Outlook. You can also test access to Public folders in OWA if desired. Be sure to disable external access and AV before proceeding. 8. Move all the mailboxes, except SystemMailbox, System Attendant, and SMTP-ServerName, as these should already exist on the new server. 9. When the process is finished, configure your firewall to point to the new mail server, turn on AV, and enable external access. You are now running an Exchange Server 2003 mail system.
VII. Final Cleanup 1. Go through the public folders on the new server and remove the old server from the replication tab for any public folders that are still replicating to it. On my system this included default and ExchangeV1. 2. Have your clients logon to their email clients. Outlook will attempt to connect to the old mail server, but as long as the Exchange services are still running on it, it will automatically redirect Outlook to the new server. 3. Stop all the Exchange services on the old server. Stop IISAdmin, which should stop FTP, NNTP, SMTP, and WWW. 4. Your old server will still appear in the Exchange organization in the ESM, but thats OK for now. You may also see an entry in the Queues node on the new server, destined for the old server. You can ignore this also. 5. Allow your new server for run for a few days if desired, keeping the old system in its present state for the time being. You may even want to turn it off. 6. When youre satisfied that the migration is a success and the old server is no longer needed, insert the Exchange 2000 Server CD into the old server, run setup, and remove/uninstall Exchange 2000. Make sure the server is still connected to the network when you do this, as this process will remove the old server from the ESM. Congratulations! Because you began with an Exchange 2000 organization in native mode, your Exchange Server 2003 system is in native mode. Your migration is finished.
41. What steps do you take to upgrade Exchange Server 2003 to Exchange Server 2007?
General Preparation Tasks before the Transition

Before we start the Transition, you should review the event logs on all your Domain Controllers to make sure that no errors or warnings are in there. If you find any, you should correct them first before you go on. Additionally, you should make sure all Windows Updates are installed. DCDIAG.EXE from Windows Support Tools may help you during this task. Afterwards you should back up the system state of all your Domain Controllers to make sure you are able to restore Active Directory in the event of a failure during the setup process.
Domain and Forest Preparation for Exchange Server 2007

In order to prepare the Active Directory Environment you will have to import some new schema entries. This means you will have to log on locally to your Domain Controller on which the schema role resides. Since this means a re-indexing of your Active Directory Database, I recommend doing this during nonADS_Exserver03-07_Qanda_Vasrao_02Jul09 Page 43 of 46
work hours and if possible when running Active Directory Native Server 2003 forest mode. This would mean that we only have delta replications and no full replications like running on Windows Server 2000 mode. So you will have less replication traffic on your WAN links. If you have trouble during the schema enhancement for Exchange Server 2007, your only chance to go back to Exchange Server 2003 is to completely restore System State on your Schema Master Domain Controller and hopefully it would not have replicated some entries during this phase, because this would mean restoring System State on all your Domain Controllers in your network environment. But dont be angry, a restore of Active Directory is quite easy if you follow the following procedures:

Start your Domain Controller in Active Directory Restore Mode. Log on with your Active Directory Restore Mode Logon Credentials. Restore System State from backup. Configure Authoritative Restore using NTDSUTIL.EXE. Restart your Domain Controller. Follow the steps above for all your Domain Controllers.
Troubleshooting the Implementation of Hub Transport Servers

The first Exchange Server 2007 box you might implement is the one on which the Hub Transport Role will reside. This box is quite easy to implement, you should move forward after having a good system state backup ready in the event of a failure. If something unplanned happens during the move of the general configuration settings to Exchange Server 2007, your disaster recovery plan is to restore Active Directory from backup.
Troubleshooting the Implementation of Mailbox Servers

After having set up the mailbox or database role servers, which could be a single or multiple server deployment, perhaps in addition with one of the high availability features of Exchange Server 2007 (Local Continuous Replication, Standby Continuous Replication, Cluster Continuous Replication, or Single Copy Cluster), we have to move the mailboxes from the old environment to the new one. This mailbox move is quite easy, too. In general there should be no problems unless the user whose mailbox is currently being migrated is logged off. In general no problems should occur on the client systems, too: they should discover that their mailbox has moved to another server while they were offline. To insure this Exchange Server 2007 has a new functionality for automatic creation of MAPI profiles, if you have Outlook 2007 deployed. So make sure to have Outlook 2007 deployed before starting with the deployment of Exchange Server 2007 mailbox servers.
Troubleshooting the Implementation of Client Access Servers

The Client Access Server role provides functionalities like Outlook Web Access, Outlook Mobile Access (Exchange Push), etc. When migrating from other Exchange Server releases this is the first box you should implement (in general this will be your front end server machine), since this will allow Outlook Web Access to work on mailboxes that reside on older versions of Exchange and on Exchange Server 2007. If anything failed during the implementation of this server, you just have to reinstall this machine and try again.
Troubleshooting the Implementation of Unified Messaging Servers

When implementing the Unified Messaging role, your disaster recovery plan during your deployment of Exchange Server 2007 is quite easy, because this is a new feature set that was not part of earlier releases of the product. In the event of an unexpected error, you just have to take a second chance and reinstall the server again.
Troubleshooting the Implementation of Edge Servers

The Exchange Server 2007 Edge Server Role is a solution that is placed in your DMZ to relay your emails into your Exchange Organization or outside it, so it is responsible for incoming and outgoing emails and is completely independent from your Active Directory, because it works with ADAM (Active Directory in Application Mode). If you run into problems during its implementation, you will have to start over again. If it is already running, you can run the ExportEdgeConfig.ps1 Powershell script to save the configuration in a XML file and use this for import purposes on the new server.
Conclusion
As you have seen in the sections above the transition from Exchange Server 2003 to Exchange Server 2007 is not a big risk if you plan the project and each project phase should include a plan to revert if something unplanned happens and there is no way to go on. These risk management procedures will insure that you minimize unavailability times in case of an error and that your email environment will work properly and be available most of the time. Exchange Server 2007 with Service Pack 1 is a very stable and reliable solution. In my opinion, it is the best release Microsoft has come out with yet. So I think there is no reason for you to wait to migrate. Just create a project plan and your email server environment will survive the transition to Exchange Server 2007. If you still have any questions, please do not hesitate to contact me.
42. What are the AD switch available on Exchange Server 2007 MMC (Microsoft Management Console) v 3.0 Windows PowerShell Refer further tools from The Complete Reference Exchange Server 2007 McGraw Hill Publisher 43. Can Windows Server 2003 be installed in the same physical hardware with Exchange Server 2007? 64 bit version of Windows Server 2003 / Windows Server 2003 R2 is required to deploy Exchange Server 2007. Previously held volume licensing customers can request for 64 bit version Windows Server 2003 through media kits by exchanging 32 bit version of Windows Server 2003. 44. Exchange Server Role Definition
Server Roles Exchange Server 2000 was evolutionary in its architecture in many ways. It was the first native SMTP messaging system from Microsoft. It was also the first version of Exchange Server to depend on Active Directory Services and Internet Information Services (IIS) for both transport and client protocol support. The separation of the storage engine from the Internet client services was the foundation for the frontend/back-end architecture that defined Exchange Server 2000 and 2003.
Page 45 of 46
Exchange Server 2007 does not change the messaging transport, but it does replace the front-end/backend architecture with a set of predefined server roles that administrators can deploy into a variety of supported topologies (see Table 1-2). Server roles give administrators Server Role Description Server Role Mailbox Server
Client Access Server Hub Transport Server Unified Messaging Server Edge Transport Server
Description
Used for hosting users mailbox and public folder stores, as well as providing MAPI access for thick-client access Provides users with mailbox access through IMAP, POP, Outlook Web Access, and ActiveSync protocols Handles mail routing and controls mail flow by utilizing Active Directory site information Enables user mailbox access through a telephone, as well as enables telephony services such as voicemail, fax, and VoIP capabilities Provides increased security by placing SMTP services, mail quarantine, and smarthost capabilities on a perimeter network
Page 46 of 46

ADS Ex Server 0307 QandA VasRao 02jul09

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ADS Ex Server 0307 QandA VasRao 02jul09

Uploaded by

Copyright:

Available Formats

ACTIVE DIRECTORY / EXCHANGE SERVER 2003

QUESTIONS AND ANSWERS COMPILED AND PREPARED BY

VASUDEVAN RAO ALIAS VAS RAO

References: Various books, internet and research

5. Exchange Server core on Active Directory Domain Controller

Global catalog for Exchange Server 2007

Server computer or Exchange Server 2003 computer.

Server computer or Exchange Server 2003 computer.

http://www.microsoft.com/en/us/default.aspx http://emailsolutions.searchexchange.com/kw;Global+Catalog+Server/exchange-content.htm ADS_Exserver03-07_Qanda_Vasrao_02Jul09 Page 4 of 46

Domain and Forest Preparation for Exchange Server 2007

Troubleshooting the Implementation of Unified Messaging Servers

8. Design consideration of systems

10. Should I dedicate current AD to Exchange Server 2007?

11. What is Auto Discovery Service?

12. Domain Controller on AD

Schema master Domain naming master

13. Purpose of Multiple Domains

14. Active Directory Disaster Recovery

17. What is ADAM?

18. ADFS on 2000 and 2003

19. What is SAN?

20. RAID Volume

21. DNS Proxy on AD

22. Capacity planning on Active Directory Service

23. How many Global Catalog Servers per ADS

24. Active Directory Service Database location

25. Active Directory Performance

26. What are Universal groups and Global Group?

Figure 2: Changes to settings in a GPO increment the version number

Replication of the Group Policy Template

2000 has Server and Advance Server editions

2000 Does not have any 64 bit server operating system

In 2000 there is complexality in administering Complex networks

File Server Resource Manager not robust

No Share point service found in Windows Server 2000

Print Management not robust

No telnet sessions available 2000 supports IPV4

29. Default policy of Windows Server 2003

They are: Passsword Policy

30. What is Universal Group caching

31. What is Group Policy order

32. Domain trust and forest trust

Trust Scenarios Technologies Related to Trusts

34. What are Exchange Server 2007 licence

VI. Move the Mailboxes to Exchange Server 2003

General Preparation Tasks before the Transition

Domain and Forest Preparation for Exchange Server 2007

Troubleshooting the Implementation of Hub Transport Servers

Troubleshooting the Implementation of Mailbox Servers

Troubleshooting the Implementation of Client Access Servers

Troubleshooting the Implementation of Unified Messaging Servers

Troubleshooting the Implementation of Edge Servers

You might also like