Microsoft Exchange Server 2010: Exchange Server and Active Directory

Using Active Directory as a critical component of your Microsoft Exchange Server environment gives you lots of flexibility, options and performance.

Excerpted from “Exchange 2010 - A Practical Approach,” published by Red Gate Books (2009).

Jaap Wesselius

Exchange Server and Active Directory are well-integrated and well-suited for working together. Active Directory needs to be up to at least the Windows Server 2003 level. This is true for both the domain functional level and the forest functional level. This can be confusing, because Exchange Server 2010 runs only on Windows Server 2008 or Windows Server 2008 R2. However, that requirement refers only to the actual server on which Exchange Server 2010 is running, not to the domain controllers.

The forest Schema Master needs to be Windows Server 2003 SP2 (Standard or Enterprise Edition) or higher. Likewise, in each Active Directory site where Exchange Server 2010 will be installed, there must be at least one Standard or Enterprise Windows Server 2003 SP2 (or higher) configured as a Global Catalog server.
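The checks described above, as an added example that is not from the book or from Microsoft: a PowerShell script that reads the forest and domain functional levels, the Schema Master and its operating system, and the Global Catalog servers per site, using only the System.DirectoryServices.ActiveDirectory classes that ship with .NET. It assumes it is run on a domain-joined machine by an account that can read the directory.

```powershell
# Added example, not from the book: checks the Active Directory prerequisites
# listed above (functional levels, schema master, a Global Catalog in every site)
# using only the System.DirectoryServices.ActiveDirectory classes in .NET.
# Run on a domain-joined machine as an account that can read the directory.
Add-Type -AssemblyName System.DirectoryServices

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Functional levels are enum values ordered by release, so -ge is a valid test.
# The Windows Server 2003 "interim" modes sort below Windows2003 and fail, as they should.
$minForest = [System.DirectoryServices.ActiveDirectory.ForestMode]::Windows2003Forest
$minDomain = [System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2003Domain
$forestOk  = $forest.ForestMode -ge $minForest
$domainOk  = $domain.DomainMode -ge $minDomain
"Forest functional level : {0} [{1}]" -f $forest.ForestMode, $(if ($forestOk) { 'OK' } else { 'TOO LOW' })
"Domain functional level : {0} [{1}]" -f $domain.DomainMode, $(if ($domainOk) { 'OK' } else { 'TOO LOW' })

# Schema master: the book requires Windows Server 2003 SP2 or later. OSVersion comes
# from the DC's operatingSystem attribute; confirm the service pack level by hand.
$schemaMaster = $forest.SchemaRoleOwner
"Schema master           : {0} ({1})" -f $schemaMaster.Name, $schemaMaster.OSVersion

# Every site that will host Exchange 2010 needs at least one Global Catalog.
# Site.Servers holds DomainController objects, which expose IsGlobalCatalog().
foreach ($site in $forest.Sites) {
    $gcs = @($site.Servers | Where-Object { $_.IsGlobalCatalog() })
    $status = if ($gcs.Count -gt 0) { 'OK' } else { 'NO GLOBAL CATALOG' }
    "Site {0,-24}: {1} GC(s) [{2}]" -f $site.Name, $gcs.Count, $status
    foreach ($gc in $gcs) { "    {0} ({1})" -f $gc.Name, $gc.OSVersion }
}
```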

From a performance standpoint, the ratio of 4-to-1 for Exchange Server processors to Global Catalog server processors still applies to Exchange Server 2010. (It’s the same ratio for Exchange Server 2007.) Using a 64-bit version of Windows Server for Active Directory will also increase system performance.

You can install Exchange Server 2010 on an Active Directory domain controller. However, for performance and security reasons, you probably shouldn’t do this. Instead, it’s better to install Exchange Server 2010 on a member server in a domain.

Walk Through the Forest

A Windows Server Active Directory consists of one forest, one or more domains, and one or more sites. Exchange Server 2010 is bound to a forest, and therefore one Exchange Server 2010 organization is connected to one Active Directory forest. The actual information in an Active Directory forest is stored in three locations, also called partitions:

  • Schema Partition: This contains a blueprint of all objects and properties in Active Directory. In a programming scenario, this would be called a class. When you create an object such as a user, it’s instantiated from the user blueprint in Active Directory.
  • Configuration Partition: This contains information used throughout the forest. Regardless of the number of domains configured in Active Directory, all DCs use the same Configuration Partition in that particular Active Directory forest. As such, it’s replicated throughout the Active Directory forest. All changes to the Configuration Partition have to be replicated to all DCs. All Exchange Server 2010 information is stored in the Configuration Partition.
  • Domain Partition: This contains information regarding the domains installed in Active Directory. Every domain has its own Domain Partition, so if there are 60 domains installed, there will be 60 different Domain Partitions. User information, including Mailbox information, is stored in the Domain Partition.
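The three partitions above, located from a live directory, as an added example that is not from the book: the script reads the naming contexts from RootDSE, shows the Exchange organization and administrative group(s) in the Configuration Partition, and then reads a user's mailbox attributes from the Domain Partition. It assumes a domain-joined machine; 'jdoe' is a placeholder sAMAccountName for a mailbox-enabled user.

```powershell
# Added example, not from the book: shows where the three partitions live and where
# Exchange 2010 stores its data in them. Assumes a domain-joined machine; 'jdoe' is
# a placeholder sAMAccountName of a mailbox-enabled user, substitute a real one.
$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNC = [string]$rootDse.schemaNamingContext
$configNC = [string]$rootDse.configurationNamingContext
$domainNC = [string]$rootDse.defaultNamingContext
"Schema partition        : $schemaNC"
"Configuration partition : $configNC"
"Domain partition        : $domainNC"

# Schema partition: Exchange setup extends the blueprint (the user class gains mailbox
# attributes). The marker object below records the Exchange schema version.
try {
    $marker = [ADSI]"LDAP://CN=ms-Exch-Schema-Version-Pt,$schemaNC"
    "Exchange schema version : $([string]$marker.rangeUpper)"
} catch {
    "Exchange schema version : not found (schema not extended for Exchange)"
}

# Configuration partition: one Exchange organization per forest, with its
# administrative group(s), replicated to every DC in the forest.
$services = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNC"
foreach ($org in $services.Children) {
    if ($org.SchemaClassName -ne 'msExchOrganizationContainer') { continue }
    "Exchange organization   : $($org.Name)"
    $groups = [ADSI]"LDAP://CN=Administrative Groups,$([string]$org.distinguishedName)"
    foreach ($ag in $groups.Children) { "  administrative group  : $($ag.Name)" }
}

# Domain partition: the user object and its mailbox attributes. homeMDB is a DN that
# points back into the configuration partition (the mailbox database holding the user).
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainNC")
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=jdoe))"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'homeMDB'))
$user = $searcher.FindOne()
if ($user -eq $null) {
    "User jdoe not found in $domainNC"
} else {
    $homeMdb = @($user.Properties['homemdb'])[0]   # $null if the user has no mailbox
    "User object             : $(@($user.Properties['distinguishedname'])[0])"
    "homeMDB (in config part): $homeMdb"
}
```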

Exchange Server 2003 first used the concept of Administrative Groups to delegate control between different groups of administrators. It created a default First Administrative Group during installation. Then you could create additional Administrative Groups when you installed more Exchange 2003 servers, and delegate control of these servers to other groups. Administrative Groups were stored in the Configuration Partition so all domains—and thus all DCs and Exchange Servers—could see them.

Exchange Server 2007 uses Active Directory Security Groups for delegating control. It only creates one Administrative Group during Exchange Server 2007 installation. This group is called Exchange Administrative Group – FYDIBOHF23SPDLT. All servers in the organization are installed within this Administrative Group. Permissions are assigned to Security Groups, and Exchange administrators are members of these Security Groups.

Exchange Server 2010 uses the same type of Administrative Group, but it doesn’t delegate control using Active Directory Security Groups. Microsoft has since introduced the concept of Role-Based Access Control (RBAC).

When you separate a network into multiple physical locations, connected with “slow” links and separated into multiple IP subnets, you create “sites,” in Active Directory terms. For example, you might have a main office located in Amsterdam with an IP subnet of There might be a branch office located in London with an IP subnet of Both locations have their own Active Directory DC, and handle client authentication in their own subnet. Active Directory site links control replication traffic between sites. Clients in each site use DNS to find services such as DCs in their own site, thus preventing the use of services over the WAN link.

Exchange Server 2010 uses Active Directory sites for routing messages between sites. Using the same example of the Exchange Server 2010 Hub Transport Server in Amsterdam and Exchange Server 2010 Hub Transport Server in London, the IP Site Links in Active Directory would route messages from Amsterdam to London. This concept was first introduced in Exchange Server 2007, and nothing has changed in Exchange Server 2010.
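The site topology that both replication and Exchange 2010 routing depend on, dumped with an added example that is not from the book: each site with its subnets and domain controllers, then every site link with the cost used to pick the least-cost path between Hub Transport servers. Sites with no subnet are flagged, because clients in an unmapped subnet cannot be matched to their local site. It assumes a domain-joined machine and uses only the .NET System.DirectoryServices.ActiveDirectory classes.

```powershell
# Added example, not from the book: lists Active Directory sites, subnets, servers
# and site links with their costs. Assumes a domain-joined machine.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

foreach ($site in $forest.Sites) {
    "Site: $($site.Name)"
    if ($site.Subnets.Count -eq 0) {
        "  WARNING: no subnet is associated with this site; clients cannot be matched to it"
    }
    foreach ($subnet in $site.Subnets) { "  subnet : $($subnet.Name)" }
    foreach ($dc in $site.Servers)    { "  server : $($dc.Name)" }
}

# Site links: AD cost, replication interval and the sites they connect. Exchange 2010
# picks the least-cost path from these costs; an Exchange-only cost override exists
# (Set-AdSiteLink -ExchangeCost in the Exchange Management Shell) but is not used here.
$seen = @{}
foreach ($site in $forest.Sites) {
    foreach ($link in $site.SiteLinks) {
        if ($seen.ContainsKey($link.Name)) { continue }   # each link is reachable from every site it joins
        $seen[$link.Name] = $true
        $names = ($link.Sites | ForEach-Object { $_.Name }) -join ', '
        "Link: {0,-25} cost={1,-5} interval={2,4} min  sites={3}" -f $link.Name, $link.Cost, $link.ReplicationInterval.TotalMinutes, $names
    }
}
```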

Exchange Server 2003 used the concept of Routing Groups. Active Directory already used Active Directory sites. Active Directory sites and Exchange Server Routing Groups aren’t compatible with each other. To have Exchange Server 2003 and Exchange Server 2010 work together in one Exchange organization, you have to create a special connector—the so-called Interop Routing Group Connector.

Active Directory Rights Management

Active Directory Rights Management Services (AD RMS) lets you control what users can do with e-mail and other documents sent to them. You can, for example, disable the Forward option to prevent classified messages from being leaked outside the organization.

With Exchange Server 2010, there have been several new features added to AD RMS, such as:

  • Integration with Transport Rules. This is a template for using AD RMS to protect messages over the Internet.
  • AD RMS protection for voicemail messages coming from the Unified Messaging Server Role.

Transport and Routing

With Exchange Server 2010, you can implement cross-premises message routing. In a mixed hosting environment, Exchange Server 2010 can route messages from the datacenter to the on-premises environment with full transparency.

Exchange Server 2010 also provides enhanced disclaimers. You can use this to add HTML content to disclaimers to add images, hyperlinks and so on. You can even use Active Directory attributes (from the user’s private property set) to create a personal disclaimer.
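The two transport-rule features described above (AD RMS protection in the Active Directory Rights Management section, and the personalised HTML disclaimer here), as an added example that is not from the book: two rules created from the Exchange Management Shell. It assumes AD RMS is already configured for Exchange; the parameter names and the %%attribute%% placeholders are given as I recall them for Exchange 2010, so verify them with Get-Help New-TransportRule -Full on your own servers. The logo URL is a placeholder.

```powershell
# Added example, not from the book. Requires the Exchange Management Shell and an
# AD RMS cluster that Exchange 2010 can reach. Parameter names and the %%...%%
# placeholders are as I recall them for Exchange 2010; verify before use.

# Rule 1: internal mail marked "Classified" in the subject gets the built-in AD RMS
# "Do Not Forward" template, so recipients cannot forward, copy or print it.
New-TransportRule -Name "Protect classified internal mail" `
    -FromScope InOrganization -SentToScope InOrganization `
    -SubjectContainsWords "Classified" `
    -ApplyRightsProtectionTemplate "Do Not Forward"

# Rule 2: outbound mail gets an HTML disclaimer whose fields are filled per sender
# from Active Directory attributes (the placeholders are replaced at transport time).
$disclaimer = @"
<div style="font-family:Arial;font-size:10pt">
  <b>%%DisplayName%%</b>, %%Title%%, %%Department%%<br/>
  %%Company%% | %%PhoneNumber%% | <a href="mailto:%%Email%%">%%Email%%</a><br/>
  <img src="https://intranet.example.com/logo.png" alt="Company logo"/>
</div>
"@
New-TransportRule -Name "Personal HTML disclaimer" `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText $disclaimer `
    -ApplyHtmlDisclaimerFallbackAction Wrap   # if the disclaimer cannot be inserted, wrap the original message

# Confirm both rules exist, are enabled, and check their evaluation order.
Get-TransportRule | Format-Table Name, Priority, State -AutoSize
```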

To create a highly available and reliable routing model, the Hub Transport Servers in Exchange Server 2010 now contain Shadow Redundancy. Here’s how that works: A message is normally stored in a database on the Hub Transport Server. In Exchange Server 2007, the message is deleted as soon as it’s sent to the next hop. In Exchange Server 2010, the message is only deleted after the next hop reports successful message delivery. If this report doesn’t arrive, the Hub Transport Server will try to resend the message.

For more high-availability messaging support, the messages stay in the transport dumpster on a Hub Transport Server. They’re only deleted if they’re successfully replicated to all database copies. The database on the Hub Transport Server has also been improved on an Extensible Storage Engine level, resulting in a higher message throughput on the transport level.

Previous versions of Exchange Server relied on control delegation via multiple Administrative Groups (specifically, Exchange Server 2000 and Exchange Server 2003) or Group Membership. Exchange Server 2010 now contains an RBAC model to implement powerful and flexible management.

Messaging Policy and Compliance

As part of a general compliance regulation, Microsoft introduced the concept of Managed Folders in Exchange Server 2007. This lets you create compliance features. This has been enhanced with new interfaces in Exchange Server 2010, such as the option to tag messages, cross-mailbox searches, new transport rules and actions, and new retention policies.

Mailbox Archive

Exchange Server 2010 now contains a personal archive. This is a secondary mailbox connected to a user’s primary mailbox. It’s actually located in the same Mailbox Database as the user’s primary mailbox. Because Exchange Server 2010 now supports a Just a Bunch of Disks, or JBOD, configuration, this isn’t a big deal. The Mailbox Archive really is a great replacement of (locally stored) PST files.

Unified Messaging

The Exchange Server 2010 Unified Messaging Server Role can integrate a telephone system like a private automatic branch exchange, or PABX, with the Exchange Server messaging environment. This lets you offer Outlook Voice Access.

You can interact with the system using your voice, listen to voicemail messages or have messages read to you. Exchange Server 2010 offers some new functionality such as Voicemail Preview, Message Waiting Indicator, integration with text messages (SMS), additional language support and more.

Clearly, integrating Active Directory into your Exchange infrastructure gives you considerable options and flexibility because Active Directory and Exchange work well together.

Jaap Wesselius

Jaap Wesselius is the founder of DM Consultants, a company with a strong focus on messaging and collaboration solutions. After working at Microsoft for eight years, Wesselius decided to commit more of his time to the Exchange community in the Netherlands, resulting in an Exchange Server MVP award in 2007. He is also a regular contributor at the Dutch Unified Communications User Group and a regular author for Simple-Talk.

Learn more about “Exchange 2010 - A Practical Approach” at