Client-Server Messaging and Groupware
White Paper
Abstract
This White Paper provides an overview of how Microsoft® Exchange will integrate with the Windows NT® 5.0 operating system Active Directory service, as well as the benefits of that integration. Moving to a common directory reduces the total cost of ownership, provides a unified view of all objects, and gives a single point of administration across the enterprise. By providing, among other things, a replication agent between the Exchange Directory Service and the Active Directory to keep all objects in sync, full backward compatibility for all Exchange clients, and a unified administration program, migration to and coexistence with the Active Directory will be greatly simplified.
© 1997 Microsoft Corporation. All rights reserved.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
Microsoft, the BackOffice logo, Outlook, Visual Basic, Windows and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Java is a trademark of Sun Microsystems, Inc.
Other product or company names mentioned herein may be the trademarks of their respective owners.
Microsoft Corporation · One Microsoft Way · Redmond, WA 98052-6399 · USA
0997
Two new Microsoft® software releases in 1998 will significantly enhance the way businesses communicate. Microsoft Windows NT® operating system version 5.0 will be available early in the year, followed by the next major release of Microsoft Exchange Server with directory integration, codenamed “Platinum,” which is due in the second half of the year.
With “Platinum,” servers and clients will use the Windows NT 5.0 Active Directory for universal access to all user and configuration information. This directory integration provides Exchange customers with even greater scalability, enhanced security, and native Internet Lightweight Directory Access Protocol (LDAP) version 3.0 support, as well as a single point of administration.
We know that any upgrade has inherent costs, which is why we made it a fundamental design goal of “Platinum” to provide seamless upgrading and interoperability with previous versions of Exchange servers and Exchange clients. By unifying the underlying object classes and directory tree, “Platinum” will provide administrators of Exchange and Windows NT with a consistent administrative model. Additionally, with rich directory replication between the Active Directory and the Exchange Directory Service, recipient administrative functions for the entire Exchange organization can be performed through the Windows NT 5.0 Microsoft Management Console (MMC).
With these two new releases, we’re taking great strides toward realizing Microsoft’s Zero Administration for Windows® vision. This vision—offering a simplified and single point of administration—is our focus and will be an inherent trait in all future releases.
This white paper discusses the benefits of migrating to the Active Directory, as well as the simplicity with which migration is achieved.
If you’re unfamiliar with the features and benefits of Microsoft Exchange Server and Windows NT Server, this section provides an overview of the Exchange Directory service and a brief outline of the forthcoming Windows NT 5.0 Active Directory.
We introduced the Exchange Directory Service with the first release of Exchange in March 1996. Since its release, Exchange has been deployed in thousands of companies with directory sizes ranging from 10 users to hundreds of thousands of entries. The Exchange Directory Service delivered our first distributed, multimaster (that is, every Exchange server has a full, modifiable copy of the directory), replicated directory for messaging. The Exchange Directory Service provides the following features:
At Microsoft, we’re building the foundation for distributed computing with our next-generation Active Directory Service. This Active Directory Service, part of Windows NT 5.0, combines the best of the Internet’s Domain Name Service (DNS) locator services and the X.500 naming standards. This combination provides enterprises with the interoperability they need to unify and manage the multiple name spaces that now exist across the varied software and hardware environments of corporate networks.
The Active Directory Service incorporates LDAP as its core protocol, so it can work across operating system boundaries, integrating multiple name spaces. This next-generation directory service can be included in and manage application-specific directories, as well as other network operating system–based directories. This broad functionality offers a general purpose directory service that reduces the administrative burdens and costs associated with maintaining multiple name spaces.
The Active Directory Service provides a single point of administration for all published resources, including files, peripheral devices, host connections, databases, Web access, users, other arbitrary objects, and services. This next-generation Directory Service also supports a hierarchical name space allowing objects to be grouped by organizational unit.
Supporting more than 10 million objects per store, with multiple stores, the Active Directory Service offers unparalleled scalability while also providing unsurpassed simplicity for smaller businesses. When combined with the forthcoming Microsoft Distributed File System, part of Windows NT 5.0, the Active Directory Service will bring networks even closer to the goal of having a single global name space.
The Active Directory Service is seamlessly integrated with Windows NT Server—the only operating system that offers traditional file and print, applications, communications, and Internet/intranet support built in. Windows NT Server is the best file and print server for all of your business’s information and resource-sharing needs, outperforming the other operating systems available today. It is also the premium applications server available, offering the best scalability/price ratio in the industry. Additionally, Windows NT Server is an excellent communications platform, offering such features as Remote Access Services (RAS), Telephony Application Programming Interface (TAPI), and Point to Point Tunneling Protocol (PPTP).
The Active Directory Service provides the power of X.500 interoperability, without requiring systems to host the entire X.500 overhead. Our Active Directory Service implements the protocols needed for X.500 communication, including subsets of the 1993 Directory Access Protocol (DAP), Directory System Protocol (DSP), and Directory Information Shadowing Protocol (DISP), and, as already noted, LDAP. The result of this collection of protocols is the high level of interoperability required for administering today’s diverse networks.
The Active Directory includes the following features and benefits:
Microsoft is committed to the Zero Administration for Windows vision. Toward this vision, we have developed a platform to fully integrate with the Windows NT 5.0 Active Directory. By creating “Platinum” with full integration in mind, we’ve been able to make migration to the Active Directory Service extremely simple, while preserving backward compatibility with previous versions of Exchange. This integration benefits both existing and future Microsoft Exchange customers, by providing a consistent directory strategy that provides a number of advantages.
The most significant benefit of directory integration is the lower cost of ownership when maintaining two (or more) directory services and sets of data. This benefit is a result of two features:
The Active Directory Service will be the single universal repository for all user and resource information. “Platinum” will access this repository, providing a consistent data view to the operating system, Exchange, and other applications.
The Active Directory Service provides a flexible architecture enabling users (Mailboxes) to be moved between sites and renamed without adversely affecting Personal Address Books or old mail messages. The Active Directory also comes with a set of tools for renaming, merging, and splitting domains, making the directory even more customizable.
The Windows NT 5.0 Active Directory Service adds several significant new features to extend and enhance the Exchange replication feature set, resulting in a reduction in network traffic and processing time.
The Active Directory will replicate only changed properties. If, for example, the administrator changes a user’s telephone number, only the new telephone number is replicated to other servers, not the entire user object. This property-specific update significantly reduces the amount of replication traffic within and between sites.
The Active Directory Service uses a more efficient replication model for intra-site and inter-site replication. The Active Directory will support any replication topology including, for example, a ring topology. This flexibility allows multiple replication paths to different sites, so the system is not prone to a single point of failure.
The Active Directory replaces the Windows NT security model and adds two important features.
With the Active Directory Service, administrators can set up permissions on any properties on any object, allowing them, for example, to give a group of users the ability to modify their office location and phone number but not their e-mail address.
Active Directory applies all permissions directly to every object. Rather than cycling through a hierarchy to check on a user’s access to a certain piece of data, the object itself will know whether a user has access to its particular piece of information. This feature not only results in greater performance, but also alleviates the need for administrators to consider the wide-reaching hierarchical implications that can result when giving a user permission to access one piece of data.
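The two security features just described, permissions on individual properties and an ACL that is evaluated on the object itself rather than by walking a container hierarchy, can be illustrated with a small evaluator. The following is an added example written for this paper, not code from Microsoft or from Windows NT 5.0; the ACE layout, the `SELF` trustee (meaning the principal whose own user object is being accessed) and the sample attribute names are assumptions for the illustration. It follows the rule that an explicit deny outranks any allow and that anything not granted is denied.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Set


@dataclass(frozen=True)
class ACE:
    """One access-control entry, stored on the object it protects (assumed layout)."""
    trustee: str        # user or group name, or "SELF" for the object's own owner
    attribute: str      # attribute name, or "*" for every attribute of the object
    right: str          # "read" or "write"
    allow: bool = True  # False is an explicit deny, which outranks any allow


@dataclass
class DirectoryObject:
    dn: str
    owner: str                      # principal that "SELF" refers to (assumption)
    attributes: dict
    acl: List[ACE] = field(default_factory=list)


def check_access(obj: DirectoryObject, principal: str, groups: Iterable[str],
                 attribute: str, right: str) -> bool:
    """Decide access from the object's own ACL only; no walk up the hierarchy."""
    trustees: Set[str] = {principal, *groups}
    if principal == obj.owner:
        trustees.add("SELF")
    matching = [ace for ace in obj.acl
                if ace.trustee in trustees and ace.right == right
                and ace.attribute in (attribute, "*")]
    if any(not ace.allow for ace in matching):
        return False                                  # explicit deny wins
    return any(ace.allow for ace in matching)         # nothing granted means denied


def set_attribute(obj: DirectoryObject, principal: str, groups: Iterable[str],
                  attribute: str, value: str) -> None:
    """Write a single property after a per-property permission check."""
    if not check_access(obj, principal, groups, attribute, "write"):
        raise PermissionError(f"{principal} may not write {attribute} on {obj.dn}")
    obj.attributes[attribute] = value


def make_sample_user() -> DirectoryObject:
    """Constructed sample: a user may change their own office and phone number
    but not their e-mail address; Domain Admins may change anything; members of
    Contractors are explicitly denied changing the phone number."""
    return DirectoryObject(
        dn="cn=jdoe,cn=Users,dc=acme,dc=com",
        owner="jdoe",
        attributes={"mail": "jdoe@acme.com",
                    "telephoneNumber": "555-0100",
                    "physicalDeliveryOfficeName": "Los Angeles"},
        acl=[
            ACE("Employees", "*", "read"),
            ACE("SELF", "telephoneNumber", "write"),
            ACE("SELF", "physicalDeliveryOfficeName", "write"),
            ACE("Contractors", "telephoneNumber", "write", allow=False),
            ACE("Domain Admins", "*", "read"),
            ACE("Domain Admins", "*", "write"),
        ])


if __name__ == "__main__":
    user = make_sample_user()
    set_attribute(user, "jdoe", {"Employees"}, "telephoneNumber", "555-0199")
    try:
        set_attribute(user, "jdoe", {"Employees"}, "mail", "other@acme.com")
    except PermissionError as exc:
        print("denied as expected:", exc)
    print(user.attributes)
```

Because the decision depends only on the ACL carried by the object, granting a user the right to edit one property never implicitly widens access to sibling or child objects, which is the administrative point made above.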
The Active Directory Service provides several enhancements to simplify and unify administration.
Data has shown that the Exchange directory can already service more client requests than are, on average, generated by any single Exchange server. With Exchange using the Active Directory, you can minimize the number of computers that need to run the directory service. With fewer computers running the directory service, the amount of replication network traffic and replication latency is also minimized.
With fewer directory servers and the richer replication model, scalability is significantly enhanced—without reducing the efficiency of the network services or increasing the processing power needed on the Exchange servers.
The Active Directory Service itself defines a wide variety of classes such as service, site, machine, and organizational unit. The Active Directory Service is also extensible through the Active Directory API (formerly known as OLE DS), allowing administrators and applications the flexibility to extend the definition of objectClasses, or to create new objectClasses (such as message queues, configuration objects, and monitor objects).
This extensibility allows administrators, for example, to add new attributes for Address Book Views (such as “Current Project”), for company-specific attributes (such as “Employee ID”), or Authorization (such as “Expense Approval”).
The Active Directory can be accessed by a wide range of clients including Exchange, Outlook™, Outlook Express (via the Windows Address Book), as well any generic LDAP client.
LDAP is the industry-standard protocol for accessing a directory service and is the primary protocol for accessing the Active Directory. By using LDAP, any client running on any platform that supports LDAP version 2.0 or 3.0 can search, read, or write to any directory object. This protocol greatly increases the openness of “Platinum.”
The Active Directory Service also supports the Name Service Provider Interface (NSPI) used by Exchange 4.0 and 5.x clients for complete backward compatibility. Combined with the replication agent (discussed later), this feature also ensures that existing personal address book (PAB) entries, off-line address book (OAB) entries, and replies to old e-mail messages will continue to work properly.
Active Directory Service provides a single, common programming interface to facilitate programming needs. You can use Active Directory to query, enumerate, and manage the resources in a directory service no matter which network environment is associated with the resource. Active Directory abstracts the capabilities of directory services from different network providers to present a single set of directory service interfaces for managing network resources. This common programming interface, ADSI, makes it easier to perform common administrative tasks, such as adding new users, managing printers, and locating resources throughout the distributed computing environment. By programming your queries to ADSI, you no longer need to concern yourself with the nuances of a proprietary directory service.
ADSI lets Exchange customers use the scripting language with which they are familiar (such as Visual Basic®, Scripting Edition [VBScript], Java™, and Perl) to read, write, or search through the directory. Scripting in the various languages is supported on the client side with Internet Explorer 3.0 and on the server side with Internet Information Server (IIS) Active server pages. For application developers, ADSI allows C++ full access to the directory through a COM interface.
With the release of “Platinum,” Exchange customers will get all of the great benefits of directory integration—through the Windows NT 5.0 Active Directory—and the security of knowing “Platinum” has been designed to be extremely simple to implement and use, while maintaining backward compatibility. Full integration with the Active Directory moves us closer to the Zero Administration for Windows vision and offers administrators a host of benefits:
These rich features work together to deliver improved functionality and full integration with the Active Directory.
With “Platinum,” all the information currently stored in the Microsoft Exchange Directory service will be represented in the Active Directory. This information can be thought of as two distinct areas:
In the Active Directory, Exchange recipients will be stored as one of the following native Windows NT 5.0 objects in the Domain container:
With Exchange integration into the Active Directory, any object in the Active Directory can easily be mail-enabled. To mail-enable a native Windows NT 5.0 objectClass or third-party objectClass, the schema definition of the object can be modified to include the Exchange-Recipient Auxiliary class and to set the LDAP mail attribute on the object. This modification allows “Platinum” to know where to route mail addressed to this object. For example, the Windows NT Server object could be mail-enabled and the mail attribute could be set to server_admin@company.com. Users could then send messages directly to the server, to request additional disk space, for example, and the messages would be routed to the server administrator.
All configuration information currently stored in the Exchange directory and registry will be stored in the Active Directory. The Active Directory has a special container (Naming Context) “Configuration,” which is replicated to every Active Directory server in the organization, and this is the container in which all the Exchange configuration information will be stored. As the Configuration container is replicated everywhere, it is also modifiable everywhere.
Figure 1. Exchange and Active Directory structures
Within the Configuration container are two sub-containers that are of particular interest for Exchange:
Note that the Active Directory (and Exchange) administration tools will hide much of this complexity to enhance usability.
Under the \Configuration\Services container, Exchange will create a “Microsoft Exchange” container to hold global routing information, directory replication information for replicating between the Active Directory and down-level Exchange servers, and down-level Exchange site information used for migration/coexistence.
Under the \Configuration\Site container is a container for every Active Directory site in your company (for example, “Los Angeles,” “New York,” “Seattle”). By definition, every Exchange server will exist in one of the Active Directory sites. Exchange will create a sub-container “Microsoft Exchange Settings” under the site where it is installed, and under this container are containers for Connectors, Monitors, Protocols, Servers, and Directory Replication (for Microsoft Mail and other systems) — similar to the containers that currently exist in the Exchange directory service under Configuration container.
Figure 2. Unified Directory Information Tree (DIT)
An Exchange site is defined as a group of servers that can communicate over high-bandwidth, permanent, and synchronous connections. The Active Directory builds on this definition by saying that a site is a collection of IP subnets. The difference between the two versions of the definition is that with Active Directory, users, or recipients, are mapped to domains rather than sites.
With the release of “Platinum,” as well as with future versions of BackOffice™ products, there will no longer be Exchange sites or SMS sites, only a single definition of a site. When an administrator installs an Exchange server, the server will automatically be inserted into the site where it is physically located, based on its IP address. The Exchange routing engine will use the site to automatically generate an optimized messaging topology. The Active Directory will use the site topology information for directory replication. The Windows NT Administration programs will provide rich site manipulation, enabling administrators to move servers between sites, split sites, or join sites.
A Windows NT 5.0 domain, similar to a Windows NT 4.0 domain, is an administrative unit of the directory service that can contain computers, user accounts, groups, and contacts. A Windows NT 5.0 site, as mentioned above, is a group of Active Directory servers that can communicate over high-bandwidth, permanent, and synchronous connections that determine how directory information is replicated through the organization. In a real sense, no direct relationship exists between Windows NT 5.0 domains and sites. The following diagrams depict several possible Windows NT 5.0 organizations.
Figure 3. In this first diagram, the Acme Company has three sites in three cities with relatively slow network connections between each of the sites. They currently have a single domain with all administration done in the Los Angeles site.
Figure 4. The company is located in one central location with high-speed connections between all users and servers, so it has a single site. However, for administrative purposes, it has three different domains, one for each of the functional divisions in the company: “Support,” “Sales,” and “Development.”
Figure 5. This international corporation has two “hub” sites: Europe and North America. In each of these hubs are three small satellite sites used for sales offices. Similar to Figure 4, for administrative purposes it has three different domains, one for each functional division in the company.
In a pure “Platinum” and Windows NT 5.0 environment you would see no Exchange sites, you would see only Windows NT 5.0 sites that contain Exchange servers and Windows NT 5.0 domains that contain mail-enabled objects (User, Group, Contacts, and so forth). However, as we move from previous versions of Exchange to “Platinum,” the Exchange recipients have a direct relationship with the objects in the Windows NT 5.0 domain, and most of the Exchange configuration information is directly mapped to the Windows NT 5.0 sites in preparation for the migration to the Active Directory.
It’s interesting to note that, unlike the current versions of Exchange, users are not tied to sites; rather, user objects live in domains. This makes moving users between sites (such as Los Angeles to New York) invisible to the user. The underlying operation would be:
Now all new mail messages are routed to the server in New York, and mail messages that were previously sent by the user from Los Angeles can be replied to and the reply will go to the New York server. This feature allows the previous PAB and OAB entries to remain valid.
Today, much of Microsoft Exchange management is accomplished by modifying entries in the Exchange Directory service. As we move forward to the “Platinum” Server, a similar model will emerge that will be greatly enhanced with improved security, per-property replication, and globally writable replicas. As mentioned earlier, all the configuration information currently stored in the Exchange Directory service will be moved into the Active Directory as well as most of the current Exchange registry settings.
Windows NT 5.0 will deliver the MMC that provides a framework for all Windows NT administrative tools, called “snap-ins.” The Directory Service Administration snap-in will be the primary management tool for all objects located within the domain, including the User, Group, Contact and Computer. This snap-in will provide basic functionality to create, modify, and delete objects and organization units, as well as the ability to move objects between organizational units. After installing the “Platinum” Server, a new set of attributes (such as message size limits and delivery restrictions) and objectClasses (for example, Distribution-List and Public-Folder) will be added to the Active Directory schema. To administer these Exchange-specific items, Exchange will extend the Directory Service Administration snap-in to graphically expose the new attributes and classes so they are both viewable and modifiable.
Additionally, Exchange will provide a snap-in or set of snap-ins to manage all the Exchange-specific configuration information, such as Connectors, Monitors, and Servers.
The “Platinum” Server will support all previous Microsoft Exchange clients and Internet standards-based clients. For Directory access, the Internet clients will access the Active Directory using the LDAP protocol.
Exchange 5.5 clients, as well as Exchange 4.0 or 5.0 clients with the latest Service Pack, will be “redirected” to the Active Directory server. In this scenario, when the Exchange client starts up, the Exchange server notifies the client that the directory server it should talk to has been moved to another server (in this case an Active Directory server), and gives it the name of the new server to contact.
Figure 6. After upgrading, the Exchange client uses MAPI RPC to communicate directly with the Active Directory for all directory lookups and with the Exchange “Platinum” server for, for example, reading and sending mail. Redirecting the existing client to the Active Directory lets you consolidate the number of computers that need to run the directory service, saving hardware costs and the network bandwidth required for replicating directory changes.
Alternatively, the Active Directory, acting as a Global Catalog server, can be run directly on the Exchange server and the client will communicate directly with a single machine for Directory and Messaging.
By clearly defining the relationship between Windows NT 5.0 sites and the new “Platinum” specifications, we’ve been able to develop a migration plan that is both simple and effective. All information currently stored in the Microsoft Exchange Directory will be stored in the Active Directory, including Recipient information (Mailbox, Distribution Lists, and Custom Recipients) and Configuration information (such as Connectors, Monitors, and Protocols). With the release of “Platinum,” there will be only one definition of a site, and the Windows NT Administration programs will provide rich site manipulation, enabling administrators to move servers between sites, split sites, or join sites.
Windows NT 5.0 will deliver the MMC that provides a framework for all Windows NT administrative tools, including Exchange. In addition, the release of “Platinum” will support previous versions of the Exchange client and Internet standards-based clients. With these features, “Platinum” has been designed to work simply, efficiently, and effectively with the new Active Directory server.
This section outlines the role of the Exchange replication agent in migration, the steps required to migrate from the Exchange version that you have now to “Platinum” with Windows NT 5.0 Active Directory server, as well as how your existing Exchange server will inter-operate with “Platinum.”
The Exchange replication agent, which will be available shortly after the release of Windows NT 5.0, plays a critical role in migration to and coexistence with the Active Directory. The replication agent maintains the consistency of the updates between directories, providing a single point of administration for all Exchange recipients in the Active Directory. It’s also flexible enough to run on any machine on the network.
The Exchange replication agent has several features:
The replication agent works on two levels: the initial synchronization and the ongoing incremental synchronization.
During the initial synchronization, the replication agent:
The Unique Synchronization Number (USN) is a monotonically increasing value; after every directory update the current USN is stamped on the modified object (by the directory) and then the USN is incremented. During the ongoing incremental synchronization, the replication agent:
As we will discuss in the following sections, this bidirectional replication between the Exchange Directory and Active Directory provides a critical component to any migration/coexistence path.
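To make the USN mechanism concrete, and to show the property-level replication described earlier under the replication benefits (only the changed telephone number travels, not the whole user object), here is an added simulation written for this paper. It is not Microsoft's replication agent and not the Active Directory's replication code; the two-directory model, the DN mapping function and the sample recipients are constructed for the illustration, and only one replication direction (Exchange Directory to Active Directory) is shown. Each directory stamps a written object with its current USN and then increments the USN, exactly as the paragraph above states; the agent remembers the highest USN it has already applied and, on each incremental pass, sends only objects stamped after that point, and for those only the attributes whose values actually changed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Directory:
    """Toy directory (constructed). A write stamps the object with the current
    USN and then increments the USN; a per-attribute stamp is kept alongside so
    that a replication pass can send only the properties that changed."""
    name: str
    usn: int = 1
    objects: Dict[str, dict] = field(default_factory=dict)          # dn -> attributes
    object_usn: Dict[str, int] = field(default_factory=dict)        # dn -> USN of last write
    attr_usn: Dict[str, Dict[str, int]] = field(default_factory=dict)  # dn -> attr -> USN

    def write(self, dn: str, **attrs) -> int:
        """Create or update an object; returns the USN stamped on it."""
        obj = self.objects.setdefault(dn, {})
        stamps = self.attr_usn.setdefault(dn, {})
        for name, value in attrs.items():
            if obj.get(name) != value:      # an unchanged value keeps its old stamp
                obj[name] = value
                stamps[name] = self.usn
        self.object_usn[dn] = self.usn
        stamped, self.usn = self.usn, self.usn + 1
        return stamped


class ReplicationAgent:
    """One direction of a replication agent: source directory -> target directory."""

    def __init__(self, source: Directory, target: Directory,
                 map_dn: Callable[[str], str]):
        self.source, self.target, self.map_dn = source, target, map_dn
        self.last_usn = 0   # highest source USN already applied to the target

    def initial_sync(self) -> int:
        """Initial synchronization: copy every source object in full."""
        for dn, attrs in self.source.objects.items():
            self.target.write(self.map_dn(dn), **attrs)
        self.last_usn = self.source.usn - 1
        return len(self.source.objects)

    def incremental_sync(self) -> Dict[str, List[str]]:
        """Incremental synchronization: only objects stamped after last_usn, and
        for those only the attributes changed since then. Returns what was sent."""
        sent: Dict[str, List[str]] = {}
        for dn, stamp in self.source.object_usn.items():
            if stamp <= self.last_usn:
                continue                                     # untouched since last pass
            changed = {a: v for a, v in self.source.objects[dn].items()
                       if self.source.attr_usn[dn][a] > self.last_usn}
            if changed:                                      # a no-op write sends nothing
                self.target.write(self.map_dn(dn), **changed)
                sent[dn] = sorted(changed)
        self.last_usn = self.source.usn - 1
        return sent


def exchange_to_ad_dn(exchange_dn: str) -> str:
    """Hypothetical DN mapping: keep the cn RDN, re-parent it under the domain's Users container."""
    rdn = exchange_dn.split(",")[0]
    return f"{rdn},cn=Users,dc=acme,dc=com"


def demo():
    """Constructed scenario: two recipients are synchronized, then one phone number changes."""
    exch = Directory("Exchange Directory")
    jdoe = "cn=jdoe,cn=Recipients,ou=Los Angeles,o=Acme"
    exch.write(jdoe, mail="jdoe@acme.com", telephoneNumber="555-0100", office="Los Angeles")
    exch.write("cn=asmith,cn=Recipients,ou=Los Angeles,o=Acme",
               mail="asmith@acme.com", telephoneNumber="555-0101", office="Los Angeles")
    ad = Directory("Active Directory")
    agent = ReplicationAgent(exch, ad, exchange_to_ad_dn)
    copied = agent.initial_sync()
    # Administrator edits the phone number; office is rewritten with the same value.
    exch.write(jdoe, telephoneNumber="555-0199", office="Los Angeles")
    first_pass = agent.incremental_sync()    # only telephoneNumber travels
    second_pass = agent.incremental_sync()   # nothing left to send
    return copied, first_pass, second_pass, ad.objects[exchange_to_ad_dn(jdoe)]


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the second incremental pass sending nothing at all, and the first pass sending a single attribute for a single object even though the whole object was rewritten: that is the network-traffic saving the paper attributes to property-level replication. A real bidirectional agent must also avoid echoing a change it just applied back to its origin, which this one-way sketch does not need to handle.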
When you upgrade to Windows NT 5.0, your existing Exchange servers will work just as they did with the Windows NT 4.0 servers. The Exchange servers will continue to do User validation through the standard Windows APIs (which Windows NT 5.0 will continue to support). When you upgrade the server on which Exchange is running to Windows NT 5.0, you will immediately notice some of the benefits of Windows NT 5.0, such as better performance, plug and play functionality, and the new set of Windows NT management tools (for Directory Service, Servers, Monitoring, and so forth). However, you will not have a unified directory until you upgrade to “Platinum.”
Before upgrading your Microsoft Exchange server to “Platinum,” it is important to note that the Primary Windows NT User for all Mailboxes and Custom Recipients must be a Windows NT 5.0 User (or Group). This is because all of the Exchange attributes (first name, last name, and so forth) that must be migrated do not exist on a Windows NT 4.0 User.
Upgrading to “Platinum” will be as simple as running the Setup program and answering a few basic questions. During the setup process, these high-level operations will occur:
After a server is upgraded:
The ability of “Platinum” Server to coexist with existing Microsoft Exchange servers and sites is critical to the migration process. We’ve designed most of the migration to be automatic and to be done by the installation process:
The Microsoft Exchange replication agent will be available shortly after the release of Windows NT 5.0. This agent maintains the consistency of updates and ensures a single point of administration. The replication agent works with an initial synchronization, mapping the Exchange Directory to the Active Directory, then with incremental synchronizations—on an administrator-defined interval—routinely updating the information between the directories.
When you upgrade your present Exchange server to “Platinum,” you’ll notice that most of the migration paths have been built directly in to the “Platinum” installation process. This simple, efficient upgrade allows you to take advantage of the breadth of resources available on the Active Directory, with the confidence of knowing that backward compatibility is ensured.
Following are three different scenarios that illustrate the installation and upgrade process for some typical configurations:
For a new installation of “Platinum,” the Windows NT Primary Domain Controller must be running Windows NT 5.0. When run, the setup program automatically does the following:
Once the installation is complete:
When upgrading the first existing server to “Platinum,” the Windows NT Primary Domain Controller must be running Windows NT 5.0. When run, the setup program will automatically do the following:
At this point, similar to above, the “Platinum” services interact with the Active Directory and new clients interact directly with the Active Directory via LDAP. Additionally:
Visually, the results of this migration would look like the following diagram.
Figure 7. After upgrading the first server in the Exchange site, the Replication Agent ensures the objects in both directories are in sync.
At this point, all Exchange servers have been upgraded to “Platinum.”
After all Exchange servers in the site are upgraded to “Platinum,” the replication is no longer needed and is automatically removed.
Upgrading a multidomain, multisite organization is identical to upgrading a single-site, multiserver organization (covered in the previous scenario), with the following caveats:
No, you can upgrade the Exchange server first and then upgrade the clients over time. The Exchange 5.5 client will automatically be redirected to the “nearest” Active Directory; the Exchange 4.0 and 5.0 clients (with the latest Service Pack) will also automatically be redirected to the “nearest” Active Directory. Alternatively, by installing the Active Directory directly onto the “Platinum” server, Exchange 4.0 and 5.0 clients without the Service Pack will continue to work without modification.
Yes. Please see the “Migration and Coexistence” section for more information.
No information will be lost when upgrading to “Platinum.” All the directory entries and attributes will be copied to the Active Directory.
Conceptually, both sites define a collection of servers with high-bandwidth connectivity. Exchange will use the same site definitions as the Active Directory for message routing. During migration, “legacy” Exchange sites will coexist with Active Directory sites and will be used for message routing.
Currently, Exchange routes all mail messages based on the recipient’s Distinguished Name (DN), which is one of the reasons why it is difficult to move users between containers and sites. In “Platinum,” mail will be routed on a new attribute, mail-drop, which indicates the Exchange server (and indirectly the site) from which the recipient receives their mail.
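The difference between the two routing models, and why the Los Angeles to New York move described in the site discussion leaves old address book entries valid, is easiest to see side by side. The following is an added example written for this paper, not Exchange or Active Directory code; the legacy DN format, the `mail-drop` attribute as a plain dictionary key, the server names and the recipients are all constructed for the illustration. In the legacy model the site is parsed out of the DN, so a move re-creates the object under a new DN and any stored copy of the old DN stops resolving; in the unified model the DN stays put and only the `mail-drop` attribute changes.

```python
from typing import Dict, Optional, Tuple


class LegacyDirectory:
    """Constructed model of DN-based routing: the site is embedded in the DN,
    for example /o=Acme/ou=Los Angeles/cn=Recipients/cn=jdoe."""

    def __init__(self) -> None:
        self.by_dn: Dict[str, dict] = {}

    @staticmethod
    def parse(dn: str) -> Dict[str, str]:
        return dict(part.split("=", 1) for part in dn.strip("/").split("/"))

    def add(self, dn: str, mail: str) -> None:
        self.by_dn[dn] = {"mail": mail}

    def route(self, dn: str) -> Optional[str]:
        """Routing target (the site) for a stored DN; None means the entry is stale."""
        if dn not in self.by_dn:
            return None            # the address book's copy of the DN no longer resolves
        return self.parse(dn)["ou"]

    def move(self, dn: str, new_site: str) -> str:
        """Moving a recipient means re-creating it under another site, so the DN changes."""
        obj = self.by_dn.pop(dn)
        parts = self.parse(dn)
        new_dn = f"/o={parts['o']}/ou={new_site}/cn=Recipients/cn={parts['cn']}"
        self.by_dn[new_dn] = obj
        return new_dn


class UnifiedDirectory:
    """Constructed model of mail-drop routing: the user object lives in a domain,
    and a 'mail-drop' attribute names the server that holds the mailbox."""

    def __init__(self) -> None:
        self.by_dn: Dict[str, dict] = {}

    def add(self, dn: str, mail: str, mail_drop: str) -> None:
        self.by_dn[dn] = {"mail": mail, "mail-drop": mail_drop}

    def route(self, dn: str) -> Optional[str]:
        """Routing target (the server) for a stored DN; None means the entry is stale."""
        obj = self.by_dn.get(dn)
        return obj["mail-drop"] if obj else None

    def move(self, dn: str, new_server: str) -> str:
        """Moving a recipient only changes where the mail is dropped; the DN is unchanged."""
        self.by_dn[dn]["mail-drop"] = new_server
        return dn


def demo() -> Tuple[Optional[str], Optional[str], Optional[str], Optional[str], Optional[str]]:
    """jdoe moves from Los Angeles to New York under both models; the address book
    keeps the DN it learned before the move."""
    legacy = LegacyDirectory()
    old_dn = "/o=Acme/ou=Los Angeles/cn=Recipients/cn=jdoe"
    legacy.add(old_dn, "jdoe@acme.com")
    pab_entry = old_dn                       # what a PAB or old message header stored
    legacy_before = legacy.route(pab_entry)
    new_dn = legacy.move(old_dn, "New York")
    legacy_stale = legacy.route(pab_entry)   # stale: the stored DN no longer exists
    legacy_new = legacy.route(new_dn)

    unified = UnifiedDirectory()
    dn = "cn=jdoe,cn=Users,dc=acme,dc=com"
    unified.add(dn, "jdoe@acme.com", mail_drop="LA-MSG-01")
    pab_entry = dn
    unified_before = unified.route(pab_entry)
    unified.move(dn, "NY-MSG-01")
    unified_after = unified.route(pab_entry)  # same stored DN, new server
    return legacy_before, legacy_stale, legacy_new, unified_before, unified_after


if __name__ == "__main__":
    print(demo())
```

The stale-entry branch is the failure mode the question is about: with DN-based routing, every saved reference to a moved recipient (PAB, OAB, Reply-To on old mail) points at an object that no longer exists, whereas a stable DN plus a mutable `mail-drop` attribute keeps those references valid across the move.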
Yes. Access to Public Folders (and Private folders) will be based on the Windows NT 5.0 security access model. For more information on Windows NT 5.0 security, see the Windows NT Security white paper.
Yes.
DAPI will be supported for backward compatibility only. The interface to the directory in “Platinum” is the Active Directory Service Interface (ADSI).
No. All administration of the Active Directory will be through the new Windows NT and Exchange Microsoft Management Console (MMC). Any changes made using the Exchange Administration against an Exchange 4.0 or 5.x server will be propagated to the Active Directory via the Exchange replication agent.
Yes.
With the upcoming releases of Windows NT 5.0 and “Platinum,” all user and configuration information will be accessible from a single, unified directory. Exchange Directory integration with Active Directory brings us closer to realizing the Zero Administration for Windows vision.
“Platinum” has been designed to simply and efficiently migrate to the Active Directory while providing full backward compatibility. This consistent directory strategy offers many benefits, including reduced cost of ownership, improved replication, enhanced security and scalability, unified administration, and extensible schema, as well as client access protocols and a single common programming interface.
As “Platinum” is being designed in tandem with the Active Directory, simple migration to, and coexistence with, the unified directory are inherent features in the upcoming release. The replication agent, available shortly after the release of Windows NT 5.0, ensures consistent updates between the Exchange Directory and the Active Directory, and efficient backward compatibility. And as “Platinum” is designed for migration to the Active Directory, the migration path is built into the installation process, making the transition simple, intuitive, and efficient.
With the release of “Platinum,” administrators can look forward to a simple migration to the Active Directory, resulting in a single, unified directory.
For the latest information on Microsoft Exchange Server, check out our World Wide Web site at http://www.microsoft.com/exchange.