Summary
This module examined how to set up Microsoft Exchange Server by using role-based permissions. Exchange Server is dependent on Active Directory because it stores relevant settings. Examples of settings stored in Active Directory rather than Exchange are proxy addresses and SendAs permission. This interconnection requires several considerations in enterprise environments because the job roles of a messaging administrator and an Active Directory administrator differ substantially. A messaging administrator must plan and configure permissions carefully so as not to put their environment or their entire Active Directory at risk.
The module then explored how many organizations deploy multiple Active Directory forests to create security boundaries within their organizations. You learned that using multiple forests helps administrators define security boundaries to better match their requirements. For example, organizations may want to ensure the fewest number of people have access to resources, or they may want to segment divisions within an organization.
You learned that RBAC applies permissions to all Exchange objects within a single forest. The RBAC configuration in each forest is configured independently of all other forests. You also learned that if you have multiple Exchange forests and you want to configure permissions identically within each forest, you must apply the same configuration explicitly in each forest.
To support the varying needs to separate the management of Exchange and Active Directory, Exchange 2013 and later lets you choose whether you want a shared permissions model or a split permissions model. The module analyzed how Exchange offers two types of split permissions models, RBAC and Active Directory, but it defaults to a shared permissions model. This module examined these models and identified the major differences between them.