Monday, November 2, 2009

Migration to Exchange 2010

Many of you are still running Exchange 2003 and it is working just fine. Exchange 2007 is the current active release, and Exchange 2010 will be released at the end of 2009, according to Microsoft.

The question for many of you is whether or not you should upgrade to Exchange 2007, or simply wait and upgrade directly to Exchange 2010 skipping Exchange 2007 altogether.

To help you make the decision, here are some deciding factors.

  • What is the age of the hardware currently supporting your Exchange 2003 environment? Can your existing hardware provide good email service until you move to Exchange 2010?
  • What are your budget constraints? Can you afford to purchase Exchange 2007 CALs this year and then purchase new CALs again for Exchange 2010?
  • What are your resource constraints? Can you afford the staff resources to perform the Exchange 2007 migration now and then repeat the process again in 2010?
  • What are your functionality demands? Do you require support for unified communications now, or can you wait until 2010?

Your decision to remain on Exchange 2003 and wait another year for Exchange 2010 will largely be shaped by these cost and resource related concerns. There is no technical requirement to upgrade to Exchange 2007 before you migrate to Exchange 2010.

When you eventually upgrade to Exchange 2010, you will require completely new server hardware, so plan accordingly.

Wednesday, October 7, 2009

I love Windows Server 2008R2…

  • Recycle Bin for Active Directory
  • Offline Domain joining
  • Hyper-V Live Migration
  • Cluster Node Connectivity Fault Tolerance
  • Hyper-V 2.0
  • Virtual Desktop Infrastructure (VDI)
    o Desktop Virtualization is a new feature in Windows Server 2008 R2
    o Windows clients (XP, Vista, Windows 7) run on virtual machines on a centralized server
    o VDI includes the following technologies: Hyper-V, Live Migration, System Center Virtual Machine Manager 2008, Microsoft Application Virtualization version 4.5 in Microsoft Desktop Optimization Pack (MDOP), and Vista Enterprise VECD licensing
  • Graphical PowerShell: GUI for creating and debugging PowerShell scripts


Management tools for Windows Server 2008R2

  • Server Manager now supports remote administration of servers
  • Better integration of management consoles in Server Manager
  • Active Directory Administrative Center and IIS have a task-driven user interface and their administrative capabilities are based on PowerShell cmdlets
  • Hyper-V’s user interface is also based on PowerShell cmdlets, has updated VM performance and management capabilities, and tighter integration with Virtual Machine Manager 
  • Best Practices Analyzer (BPA): Each server role has a BPA to help administrators configure it properly

Wednesday, September 30, 2009

Exchange 2010 email archiving in summary:

  • Tightly integrated with Outlook.
  • PSTs can be dragged and dropped into the archive.
  • Unified search across the live message store and the archive.
  • Search across multiple mailboxes for qualified staff.
  • Simple retention policies, based on the number of days of retention, can be defined. These policies can be defined to apply to a folder, individual messages, or an entire mailbox.
  • Legal holds can be imposed, overriding defined retention policy.
  • There are basic mailbox and configuration logs and auditing.
  • Stubbing is not used.

Archive Mailbox In Exchange 2010

Archive Mailbox is one of the many welcome features in Exchange 2010 Server. This feature solves the issues related to PST files, which are a headache for any Exchange admin.

Let me explain how the archive mailbox feature addresses the existing problems.

  1. There is no company that doesn’t have staff using PST files. Archive mailbox gets rid of PST files by giving the user an additional mailbox.
  2. PST files are local to the user’s machine, get corrupted easily, and are hard to include in backups. The archive mailbox sits in the same mailbox database as the user’s main mailbox and can easily be included in the backup.
  3. The archive mailbox is available in Outlook as well as Outlook Web App (OWA), which is a huge improvement. Users can access their email archive irrespective of where they are.
  4. The archive mailbox is included as part of the Exchange Enterprise CALs and hence incurs no extra cost (for those who have ECALs).
  5. Retention policies can be set for emails/folders in the archive mailbox.
  6. Users have the option to search for emails in the archive only or in both the primary and archive mailbox.
  7. The archive quota can be set separately from the primary mailbox quota.
  8. Emails in existing PSTs can be dragged into the archive mailbox very easily.
  9. Users get Conversation View scoped to the archive mailbox as well.
  10. The archive and primary mailbox share the same user account.
  11. Only one archive mailbox can be configured per user.
  12. The archive mailbox gets created on the same mailbox database as the primary one, which is a drawback. Future service packs might bring the option to create the archive mailbox in a different database.
  13. The default quota warning for the archive mailbox is 10GB, which can be changed.
  14. All in all, it is good news for admins, as they don’t have to worry about issues like a lost laptop with PST files on it, corrupted PSTs, etc.
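As an added example (not part of the original post), the points above translate into a short Exchange Management Shell routine: enable an archive for every user mailbox in an OU that does not yet have one, raise the quotas above the 10GB default warning, and report the result. The OU name and quota values are assumptions for illustration.

```powershell
# Added example, not from the original post. Run in the Exchange 2010 Management Shell.
# Assumptions: the OU distinguished name and the 15GB/20GB quota values.
$ou = "OU=Finance,DC=example,DC=com"

# Mailboxes that have no archive yet: ArchiveDatabase is empty when no archive exists.
$candidates = Get-Mailbox -OrganizationalUnit $ou -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.ArchiveDatabase }

foreach ($mbx in $candidates) {
    # Creates the archive in the same mailbox database as the primary mailbox (point 12).
    Enable-Mailbox -Identity $mbx.Identity -Archive

    # Point 7 and 13: the archive quota is independent of the primary mailbox quota, and the
    # 10GB default warning can be changed. Keep a hard quota above the warning threshold.
    Set-Mailbox -Identity $mbx.Identity -ArchiveWarningQuota 15GB -ArchiveQuota 20GB
}

# Report every archive-enabled mailbox in the OU with its archive database and quotas,
# so you can confirm the change and spot archives that landed on an unexpected database.
Get-Mailbox -OrganizationalUnit $ou -Archive |
    Select-Object Name, ArchiveDatabase, ArchiveWarningQuota, ArchiveQuota |
    Format-Table -AutoSize
```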

Friday, August 21, 2009

An Overview on Backing up and Restoring Active Directory

To ensure the availability of mission critical resources and network objects, and business continuity, you need to perform backups of Active Directory if it is running in your environment. This is because Active Directory normally hosts mission critical data and resources. Backups are typically performed for a number of reasons, including the following:

  • Protect your network environment from the accidental deletion or modification of data, and from hardware failures: Having a readily accessible backup of Active Directory ensures that you can recover any important Active Directory objects that were deleted in error. Backups also prove invaluable when unauthorized users intentionally delete or modify data; the backup enables you to restore the data to its previous state of integrity. Because certain hardware failures, such as corrupted hard disk drives, can cause considerable loss of data, backing up your data ensures that the business can continue to perform its mission critical functions when such an event does occur.

  • Store mission critical data: It is recommended to regularly back up mission critical data so that any previous version of the information can be accessed, if necessary, at some time in the future.

Because Active Directory is dependent on the Registry, you need to back up files within the system directory. These files are called system files. System state data basically contains the main configuration information in Windows 2000 and Windows Server 2003. What information is actually included in system state data is determined by the operating system (OS) configuration.

System state typically includes the following important data, files and components:
  • The Windows Registry
  • The contents of the SYSVOL directory
  • Files which are protected by the Windows File Protection system
  • Boot and system files, such as Ntldr and Bootsect.dat
  • The COM+ Class Registration database
  • The Active Directory database (Ntds.dit), including all log files and checkpoint files
  • Cluster service files
  • Certificate service files
  • The Internet Information Server (IIS) metabase
You can use one of the methods listed below to back up Active Directory.
  • You can back up the system state data only
  • You can back up Active Directory as part of a full system backup
  • You can back up Active Directory as part of a partial system backup
The best option when specifying what data or components should be backed up in the Active Directory backup is to specify a backup of system state data. This ensures that all core system files are backed up. When a full system backup is performed, system state data is automatically included in the backup process. When performing a partial backup, you can specify that system state data should be included. Manually specifying individual files and components for an Active Directory backup can be an extremely complicated process. Apart from having to identify and specify all important system files and components, you also need to be able to specify which other important Active Directory data and components need to be backed up, such as the replication topology and Group Policy information.

You can back up Active Directory by using the Windows Server 2003 Backup utility, or from the command line using the Ntdsutil command-line utility. The Windows Server 2003 Backup utility can use volume shadow copies to back up open files. With previous versions of Windows, a third-party backup tool had to be used to back up open files. The Volume Shadow Copy service creates a read-only copy of any open file, which ensures that these files can continue to be accessed while the backup runs.

In Windows 2000 Active Directory, you could only perform one of the following restore methods:
  • Authoritative Restore
  • Non-Authoritative Restore
When it comes to restoring Windows Server 2003 Active Directory, you can use one of the following restore methods:
  • Normal Restore: In Windows 2000, this was your Non-Authoritative restore method. A Normal restore functions pretty much the same as a Non-Authoritative restore. With a Normal restore, the Backup utility is run on the computer while in Directory Services Restore Mode. After the domain controller is rebooted, normal replication occurs with replication partners.
A normal restore is typically performed when the following conditions exist:
o A domain has multiple domain controllers, and only one domain controller is operational. You can use a Normal restore to restore all other domain controllers in the domain.
o A domain has a single domain controller, and that domain controller has to be restored. You can also choose to alternatively perform a Primary restore of Active Directory.

  • Authoritative Restore: An Authoritative restore of Active Directory has to be performed in cases where a Normal restore would not be able to return Active Directory to the correct state. For instance, if an organizational unit was deleted in error, a Normal restore would only result in the particular OU being deleted once again after replication. This is because the replication partners have a higher version number for the particular OU. An Authoritative restore follows a similar process to a Normal restore, the difference being that after the system state data is restored, you define certain Active Directory objects as authoritative. When Active Directory objects are defined as authoritative, those objects are given the higher version numbers. This results in these objects being replicated to the other domain controllers' copies of the Active Directory database.
  • Primary Restore: The Primary restore method is used when each domain controller within a domain hosting multiple domain controllers needs to be restored. What this means is that the entire domain has to be reconstructed from the Active Directory backup. This method can also be used to restore Active Directory for a domain that has only one domain controller. The Primary restore method is selected in the Windows Server 2003 Backup utility by merely enabling the Primary restore checkbox. This removes the previous complexities associated with performing this type of restore in Windows 2000. The Primary restore process is otherwise very similar to a Normal restore of Active Directory.
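The following added example (not from the original article) scripts the system state backup described above with the NTBackup command line, checks that the backup actually succeeded, applies simple retention, and keeps the Ntdsutil call for the Authoritative restore step in a separate helper that is only run by hand in Directory Services Restore Mode. The backup root, job name, retention count and the OU distinguished name are assumptions for illustration.

```powershell
# Added example, not from the original article. Assumptions: D:\ADBackups as backup root,
# 14 retained sets, and "OU=Sales,DC=example,DC=com" as the OU deleted in error.

function Backup-DcSystemState([string]$backupRoot = "D:\ADBackups", [int]$keep = 14) {
    if (-not (Test-Path $backupRoot)) { New-Item -ItemType Directory -Path $backupRoot | Out-Null }
    $stamp = Get-Date -Format "yyyyMMdd-HHmm"
    $bkf   = Join-Path $backupRoot "SystemState-$stamp.bkf"

    # "systemstate" selects exactly the components listed above (Registry, SYSVOL, COM+ class
    # registration database, boot files, Ntds.dit with its logs and checkpoint, certificate
    # service files, IIS metabase). /v:yes verifies the set after writing, /l:s keeps a
    # summary log, /m normal makes it a full (normal) backup.
    $ntArgs = "backup systemstate /j `"AD system state $stamp`" /f `"$bkf`" /v:yes /l:s /m normal"

    # ntbackup.exe is a GUI-subsystem program, so wait for it explicitly rather than
    # assuming the shell blocks until it finishes.
    $p = [System.Diagnostics.Process]::Start("ntbackup.exe", $ntArgs)
    $p.WaitForExit()

    # A backup you cannot restore from is not a backup: fail loudly, do not log and move on.
    if ($p.ExitCode -ne 0 -or -not (Test-Path $bkf)) {
        throw "System state backup failed (exit code $($p.ExitCode)); $bkf is not usable"
    }

    # Retention: keep the newest $keep sets. Remember that a system state backup older than
    # the forest tombstone lifetime cannot be restored, so retention has an upper bound too.
    $sets = @(Get-ChildItem $backupRoot -Filter "SystemState-*.bkf" | Sort-Object LastWriteTime -Descending)
    if ($sets.Count -gt $keep) { $sets[$keep..($sets.Count - 1)] | Remove-Item }
    return $bkf
}

function Set-AuthoritativeSubtree([string]$dn) {
    # Authoritative restore, second step: run in Directory Services Restore Mode AFTER the
    # Normal restore of system state and BEFORE rebooting. Only the given subtree gets its
    # version numbers raised, so the restored objects win over the replication partners'
    # copies that already reflect the deletion. The Ntdsutil session is passed as arguments
    # so it runs without interactive prompts.
    ntdsutil "authoritative restore" "restore subtree $dn" quit quit
    if ($LASTEXITCODE -ne 0) { throw "Marking $dn authoritative failed (exit code $LASTEXITCODE)" }
}

# Scheduled daily run: only the backup executes. The restore helper is invoked by hand
# during an actual recovery, e.g.  Set-AuthoritativeSubtree "OU=Sales,DC=example,DC=com"
$latest = Backup-DcSystemState
Write-Host "System state written to $latest"
```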

Exchange Server 2003 Data Storage and Management

Understanding Exchange Server 2003 Data Storage

Exchange Server 2003 uses the Extensible Storage Engine (ESE) database structure to store data. Data is stored separately for messages and for transactions.

Messages are stored in .edb and .stm database files. Database files also contain a number of other components, including:

• Rules
• Folders
• Attachments
• Indexes

Transactions are stored in transaction log files.

A newly created message is first written to the log files before it is written to the database files. Transactions are appended in sequence to the current numbered log file, and the data in the log file is written to the database at a later stage. Transaction log files are written to in sequential order, whereas database files are written to and read from in a random manner. Exchange Server 2003 automatically creates a new transaction log file when the current log file reaches 5 megabytes (MB) in size. The transaction log files and database files should be located on disk systems that have the following characteristics:
• The disk systems are optimized for the type of functions to be performed.
• The disk systems do not compete with each other.

The disk setup that you use for transaction log files and database files should provide the following:
• Best cost.

• Best data protection.

• Best performance.

Understanding How Transaction Logs Protect Data
When you store transaction log files separately from database files, the following benefits are achieved:
• Disk performance is improved.

• Data is protected from loss.

The Information Store is arranged into storage groups. A storage group is a group of separate databases that share a common set of transaction log files; each storage group has its own transaction log files. It is these storage groups that contain the mailbox stores, public stores, or both.

From the transaction log file, the information is saved to the database file of the storage group. A checkpoint file indicates which transaction log entries have already been written to the database file. The information is not deleted from the transaction log file at this stage. It is only deleted when a full online backup of all the databases in the storage group is performed.
The concepts of soft recovery and hard recovery are illustrated below:

Soft recovery: When the hard disk containing the storage group databases is lost, the damaged disk can be replaced and the latest database backup used for the restore. When the checkpoint file is deleted, an automatic log file replay of all transactions that took place since the backup transfers the transactions from the log files to the databases. A soft recovery is also referred to as a roll-forward recovery.

Hard recovery: A hard recovery can be performed when you have backed up the transaction log files since the last full backup. With a hard recovery, transaction log files from the backup medium are replayed after the database is restored from an online backup. If Exchange 2003 detects that additional log files are available on the server, a soft recovery is initiated to replay these log files into the database.

If the disk you are using for the transaction log files fails and the disk storing the databases is still online, no storage group data needs to be restored. You cannot, however, replay any transactions that were recorded to the log files but not yet written to the database files on disk.
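The log replay mechanism above can be checked and driven by hand with eseutil.exe, Microsoft's ESE database utility. This added example (not from the original article) reads each database header of a storage group with eseutil /mh to see whether it was shut down cleanly and, if a database is in Dirty Shutdown, runs the soft (roll-forward) recovery that replays the group's logs from the checkpoint onward. The install path, database and log locations, store file names and the E00 log prefix are assumptions for illustration.

```powershell
# Added example, not from the original article. Assumptions: default eseutil path, logs on
# L:, databases on D:, the first storage group (E00 prefix) with priv1.edb and pub1.edb.
# Dismount the stores (or stop the Information Store service) before running a recovery.
$eseutil = "C:\Program Files\Exchsrvr\bin\eseutil.exe"
$logPath = "L:\Exchsrvr\SG1"      # transaction logs and checkpoint (E00.chk) on their own disk
$dbDir   = "D:\Exchsrvr\SG1"      # .edb/.stm files on a separate disk
$dbFiles = @("priv1.edb", "pub1.edb") | ForEach-Object { Join-Path $dbDir $_ }
$logBase = "E00"

function Get-EseState([string]$db) {
    # /mh dumps the database header. Its "State:" line reads "Clean Shutdown" when every
    # logged transaction is already in the database, or "Dirty Shutdown" when log replay
    # is still required before the store can be mounted.
    $header = & $eseutil /mh "$db"
    foreach ($line in $header) {
        if ($line -match "^\s*State:\s*(.+?)\s*$") { return $matches[1] }
    }
    return "Unknown"
}

function Invoke-SoftRecovery {
    # /r <logbase> replays the logs found in /l into the databases in /d, starting at the
    # position recorded in the checkpoint file found in /s. Deleting the checkpoint forces
    # a replay of every log on disk, which is the restore-from-backup case described above.
    & $eseutil /r $logBase "/l$logPath" "/s$logPath" "/d$dbDir"
    if ($LASTEXITCODE -ne 0) { throw "Soft recovery failed with exit code $LASTEXITCODE" }
}

$states = @{}
foreach ($db in $dbFiles) { $states[$db] = Get-EseState $db }
$states.GetEnumerator() | ForEach-Object { Write-Host ("{0,-32} {1}" -f $_.Key, $_.Value) }

if ($states.Values -contains "Dirty Shutdown") {
    Write-Host "Replaying transaction logs from $logPath ..."
    Invoke-SoftRecovery
    # Re-check: after a successful replay every database should report Clean Shutdown.
    foreach ($db in $dbFiles) { Write-Host ("{0,-32} {1}" -f $db, (Get-EseState $db)) }
}
```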

Storage Technologies used with Exchange Server 2003
The different storage technologies that can be used with Exchange Server 2003 are listed below. The storage technology that you choose will be determined by the size of your Exchange Server 2003 organization.

External storage array (ESA): The characteristics and features of an external storage array are listed here:
• An external Small Computer System Interface (SCSI) drive cabinet hosts multiple SCSI disk drives that are typically set up as RAID sets.
• SCSI cables connect the disk drives to an Exchange Server 2003 server.
• External storage has to be managed on a per Exchange Server 2003 server basis.
• External storage provides good performance.
• Limited scalability is provided.
• Recommended for small Exchange organizations.

Network Attached Storage (NAS): The characteristics and features of network attached storage are listed here:
• SCSI or fiber channel connections can be used to connect the storage device to the Ethernet network.
• Network attached storage has its own IP address and is not directly attached to the Exchange Server 2003 server.
• File requests are mapped by the Exchange Server 2003 server to the network attached storage server.
• This is not the recommended storage technology for Exchange Server 2003, simply because Exchange Server 2003 has local data access and bandwidth requirements that are not compatible with network attached storage products.

Storage area network (SAN): The characteristics and features of a storage area network are listed here:

• For medium to large Exchange organizations, using a SAN as the storage technology is the recommended solution.

• A SAN uses fiber channel switching to provide fast and reliable connections between storage and applications.

• SANs optimize the performance and reliability of a server.

• SAN packages are supplied by hardware vendors such as IBM and Intel. The SAN package includes all hardware, software and support functions.

• The main components that make up a SAN are listed here:
  o Fiber channel switching
  o Storage arrays that store and protect data
  o Storage software and SAN management software

• The advantages of using SAN technology in an Exchange Server 2003 organization are listed here:
  o You can connect multiple Exchange Server 2003 servers to multiple storage arrays and share storage between the servers.
  o The high I/O bandwidth needed by Exchange Server 2003 is supported by SAN solutions.
  o The Exchange organization can easily be expanded by adding servers.
  o SANs are highly scalable and disks can easily be added.

Managing Storage and Storage Groups
A few best practices for configuring storage groups and databases are summarized here:

• You should never use circular logging.

• Use only four databases for each storage group.

• When creating additional storage groups, create the databases that are needed before you create the additional storage groups. This prevents overhead on the server for log file management.

• To ensure short maintenance and restore times, you should strive to keep the size of the databases small.

• When you configure your storage group limits, it is recommended that you do not enable the prohibit-send option.

• You should not change the online system maintenance default setting of enabled.

• It is recommended that you perform a full backup each day, if feasible.

• Verify that backups have occurred successfully.

• You should retain deleted mailboxes for a minimum of thirty days.

• You should retain deleted items for a minimum of seven days.

• Ensure that the logs are purged.

Additional Storage groups would need to be created under the following conditions:

• There is a need to utilize separate physical transaction log drives so that performance can be improved.

• There is a requirement that multiple databases need to be backed up simultaneously. If you use multiple storage groups, then each storage group can be backed up at the same time.

• The existing storage group is already using the maximum number of databases supported, and you need another.

Saturday, July 4, 2009

What Information is replicated in Active Directory

In Active Directory, certain actions are considered replication triggers. The activities that trigger or initiate Active Directory replication are summarized below:

  • When an object is created.
  • When an object is deleted.
  • When an object is moved.
  • When an object is changed or modified.

Domain controllers typically contain the following directory partition replicas or naming context replicas:

  • Configuration: The configuration partition or naming context (NC) contains objects that relate to the logical structure of the forest, the structure of the domains, and the replication topology. Each domain controller in the forest contains a read/write copy of the configuration partition. Any objects stored in the configuration partition are replicated to every domain controller in every domain of the forest.
  • Domain: The domain partition or naming context (NC) contains all objects that are stored in a domain. Each domain controller in a domain has a read/write copy of the domain partition. Objects in the domain partition are replicated only to the domain controllers within that domain.
  • Schema: The schema partition or naming context (NC) defines the objects that can be created in the Active Directory directory, and the attributes which these objects can contain. Domain controllers in a forest have a read-only copy of the schema partition. Objects stored in the schema partition are replicated to every domain controller in the forest.
  • Application: The application partition is a new feature introduced in Windows Server 2003. This partition contains application-specific objects. The objects or data that applications and services store here can comprise any object type excluding security principals. Security principals are users, groups, and computers. The application partition typically contains DNS zone objects, and dynamic data from other network services such as Remote Access Service (RAS) and Dynamic Host Configuration Protocol (DHCP).
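As an added example (not part of the original post), the script below lists the partitions actually hosted by the domain controller you are bound to and classifies each as schema, configuration, domain or application partition using the RootDSE attributes every domain controller exposes. Nothing is assumed; all values are read from the live directory, so it can be run as any domain user on a domain member.

```powershell
# Added example, not from the original post. Reads RootDSE of the DC the machine binds to.
$rootDse = [ADSI]"LDAP://RootDSE"

# The well-known partitions are named explicitly by RootDSE; anything else in
# namingContexts is an application partition.
$schemaNc = [string]$rootDse.schemaNamingContext
$configNc = [string]$rootDse.configurationNamingContext
$domainNc = [string]$rootDse.defaultNamingContext
$rootNc   = [string]$rootDse.rootDomainNamingContext

function Get-PartitionKind([string]$nc) {
    if ($nc -eq $schemaNc) { return "Schema: read-only copy, replicated to every DC in the forest" }
    if ($nc -eq $configNc) { return "Configuration: read/write, replicated to every DC in the forest" }
    if ($nc -eq $domainNc) { return "Domain: read/write, replicated only within this domain" }
    # Application partitions hold any object type except security principals; the two
    # created by AD-integrated DNS are the most common ones.
    if ($nc -like "DC=DomainDnsZones,*") { return "Application: AD-integrated DNS zones, domain-wide" }
    if ($nc -like "DC=ForestDnsZones,*") { return "Application: AD-integrated DNS zones, forest-wide" }
    return "Application"
}

foreach ($nc in @($rootDse.namingContexts)) {
    $nc   = [string]$nc
    $kind = Get-PartitionKind $nc
    $tag  = ""
    if ($nc -eq $rootNc) { $tag = " [forest root domain]" }
    Write-Host ("{0,-60} {1}{2}" -f $nc, $kind, $tag)
}
```

Comparing the output of two domain controllers in the same domain is a quick way to confirm they host the same set of application partitions.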

Saturday, June 20, 2009

Message transport in Microsoft Exchange Server 2007

Message transport in Microsoft Exchange Server 2007 involves the interaction of various components such as the Microsoft Exchange Mail Submission service, store driver, submission queue, and categorizer.

The Microsoft Exchange Mail Submission service is a notification service that runs on Mailbox server roles in Exchange Server 2007.

When a message becomes available for retrieval in the Outbox folder of a sender, the Microsoft Exchange Mail Submission service notifies a Hub Transport server in the local Active Directory site.

If there are multiple Hub Transport servers in the site, the Microsoft Exchange Mail Submission service evenly distributes notifications among all the available Hub Transport servers.

When the Microsoft Exchange Transport service starts on each Edge Transport server or Hub Transport server, the categorizer creates the local submission queue. The store driver on the Hub Transport server role retrieves the message, which is in MAPI format, from the sender’s Outbox folder and converts it to the Summary-Transport Neutral Encapsulation Format (S/TNEF). S/TNEF is a type of Transport-Neutral Encapsulation Format (TNEF), which has no plain text part and is in eight-bit binary format.

The store driver then submits the message to the submission queue and moves the message from the Outbox to the Sent Items folder. Messages can also enter the submission queue on a Hub Transport server from an SMTP Receive connector or from the Pickup directory.

The submission queue stores all messages on disk until the categorizer processes them. The categorizer processes the messages one at a time and always selects the oldest message in the submission queue first.

On an Edge Transport server, the categorizer verifies the recipient SMTP address of an inbound message and places it directly in the delivery queue. The message is then routed to a Hub Transport server.

On a Hub Transport server, the categorizer processes all inbound messages based on the information about the intended recipients. The categorizer makes copies of messages that have multiple recipients, determines routing paths, converts content format, and applies organizational message policies. After the categorizer processes the message, the message is removed from the submission queue.

Thursday, May 28, 2009

Features that are in Exchange 2003 but not Exchange 2007

  • Access to public folders via Outlook Web Access, IMAP, or NNTP
  • Active-active clustering
  • Administrative groups
  • CDO 1.2
  • CDO for Workflow
  • Coexistence with Exchange 5.5
  • Connector and migration tools for GroupWise
  • Exchange 5.5 Event Service

Features that are in Exchange 2007 but not in Exchange 2003

  • Archiving/Compliance
  • Mailbox Auto-discover
  • Better backup and restore
  • Unified Messaging
  • Better Anti-Spam and AV
  • CCR and LCR
  • Better calendaring and resource management
  • Transport rules

Sunday, May 24, 2009

Windows Server 2003 trusts

Windows 2003 supports six types of trusts (although the OS doesn't support all types for all forest modes).

Tree-root trust: Windows 2003 automatically creates a transitive, two-way trust when you add a new tree-root domain to an existing forest. Tree-root trusts let every domain in different trees in the same forest implicitly trust one another.

Parent-child trust: Windows 2003 automatically creates a transitive, two-way trust when you add a child domain to an existing domain. This trust lets every domain in a particular tree implicitly trust one another.

Shortcut trust: When domains that authenticate users are logically distant from one another, the process of logging on to the network can take a long time. You can manually add a shortcut trust between two domains in the same forest to speed up authentication. Shortcut trusts are transitive and can be either one way or two way.

External trust: Administrators can manually create an external trust between domains in different forests, or from a Windows 2003 domain to a Windows NT 4.0 or earlier domain controller (DC). External trusts are non-transitive and can be one way or two way.

Forest trust: When two forests are at the Windows 2003 functional level, you can use a forest trust to join the forests at the root. An administrator can manually create a two-way forest trust that lets all domains in both forests transitively trust each other. Forest trusts can also be one way, in which case the domains in only one of the forests trust the domains in the other forest. Multiple forest trusts aren't transitive: if forest A has a forest trust to forest B and forest B has a forest trust to forest C, forest A does not implicitly trust forest C.

Realm trust: An administrator can manually create a realm trust between a Windows 2003 domain and a non-Windows Kerberos 5 realm. Realm trusts can be transitive or non-transitive, and one way or two way.
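To see which of these six kinds actually exist in a domain, you can read the trustedDomain objects under CN=System and decode their trustType, trustDirection and trustAttributes values. This added example (not from the original post) does that and maps each trust back to the definitions above, including whether it is transitive and whether SID filtering or selective authentication is in force; the flag values are the documented TRUST_ATTRIBUTE_* bits and nothing else is assumed, since all data comes from the live directory.

```powershell
# Added example, not from the original post. Run as a domain user on a domain member;
# it reads the current domain's trustedDomain objects.
$domainNc = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=System,$domainNc"   # trustedDomain objects live here
$searcher.Filter     = "(objectClass=trustedDomain)"
foreach ($a in "trustPartner", "trustType", "trustDirection", "trustAttributes") {
    [void]$searcher.PropertiesToLoad.Add($a)
}

# trustAttributes flag bits (TRUST_ATTRIBUTE_* in the AD schema documentation)
$NON_TRANSITIVE    = 0x1
$QUARANTINED       = 0x4    # SID filtering enforced (the default on external trusts)
$FOREST_TRANSITIVE = 0x8
$CROSS_ORG         = 0x10   # selective authentication
$WITHIN_FOREST     = 0x20

function Get-TrustInfo($r) {
    $type = [int]$r.Properties["trusttype"][0]
    $dir  = [int]$r.Properties["trustdirection"][0]
    $attr = [int]$r.Properties["trustattributes"][0]

    $o = "" | Select-Object Partner, Type, Direction, Kind, Transitive, SidFiltering, SelectiveAuth
    $o.Partner   = [string]$r.Properties["trustpartner"][0]
    $o.Type      = switch ($type) { 1 { "Downlevel (NT4)" } 2 { "Uplevel (AD)" } 3 { "MIT Kerberos" } default { "Other ($type)" } }
    $o.Direction = switch ($dir)  { 1 { "Inbound" } 2 { "Outbound" } 3 { "Two-way" } default { "None" } }

    # Map to the kinds defined above. Tree-root, parent-child and shortcut trusts all carry
    # WITHIN_FOREST and cannot be told apart from these attributes alone.
    if ($attr -band $WITHIN_FOREST)         { $o.Kind = "Intra-forest (tree-root / parent-child / shortcut)" }
    elseif ($attr -band $FOREST_TRANSITIVE) { $o.Kind = "Forest trust" }
    elseif ($type -eq 3)                    { $o.Kind = "Realm trust" }
    else                                    { $o.Kind = "External trust" }

    # Intra-forest and forest trusts are transitive, external trusts never are, and realm
    # trusts are transitive unless the NON_TRANSITIVE bit is set.
    $o.Transitive    = (-not ($attr -band $NON_TRANSITIVE)) -and ($o.Kind -ne "External trust")
    $o.SidFiltering  = [bool]($attr -band $QUARANTINED)
    $o.SelectiveAuth = [bool]($attr -band $CROSS_ORG)
    return $o
}

$searcher.FindAll() | ForEach-Object { Get-TrustInfo $_ } | Format-Table -AutoSize
```

An inbound transitive trust without SID filtering or selective authentication is worth a second look in any review, since it extends the trusting domain's authentication surface to everything the partner transitively trusts.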

Windows XP Boot Process

1 : First is the POST, which stands for Power On Self Test. This process tests memory as well as a number of other subsystems, and you can usually monitor it as it runs each test. After that is complete, the system will run the POST for any device that has a BIOS (Basic Input-Output System). An AGP card has its own BIOS, as do some network cards and various other devices.

2 : Once the POST is complete and the BIOS is sure that everything is working properly, the BIOS attempts to read the MBR (Master Boot Record). This is the first sector of the first hard drive (called the Master or HD0). When the MBR takes over, it means that Windows is now in control.

3 : The MBR looks at the boot sector (the first sector of the active partition). That is where NTLDR is located; NTLDR is the boot loader for Windows XP. NTLDR enables memory addressing, initiates the file system, reads boot.ini and loads the boot menu. NTLDR has to be in the root of the active partition, as do NTDETECT.COM, BOOT.INI, BOOTSECT.DOS (for multi-OS booting) and NTBOOTDD.SYS (if you have SCSI adapters).

4 : Once XP is selected from the boot menu, NTLDR runs NTDETECT.COM, BOOT.INI and BOOTSECT.DOS to get the proper OS selected and loaded. The system starts in 16-bit real mode and then moves into 32-bit protected mode.

5 : NTLDR then loads NTOSKRNL.EXE and HAL.DLL. Effectively, these two files are Windows XP. They must be located in %SystemRoot%\System32.
NTLDR reads the registry, chooses a hardware profile and authorizes device drivers, in that exact order.

6 : At this point NTOSKRNL.EXE takes over. It starts WINLOGON.EXE, which in turn starts LSASS.EXE; this is the program that displays the logon screen so that you can log on.

Wednesday, May 13, 2009

Definitions: Exchange 2007

Availability Service

A web service that is responsible for providing free/busy information to the Outlook 2007 client and Outlook Web Access 2007. It is available as a public web service so that third parties can develop tools that integrate with it.

Cluster Continuous Replication (CCR)

An Exchange 2007 clustering technique that leverages MSCS but has no requirement for shared disk. To do this it is built on a Windows failover Majority Node Set (MNS) cluster and "log ships" the transaction logs to the passive node. The passive node then applies these logs to its copy of the database.

Local Continuous Replication (LCR)

An Exchange 2007 high-availability option that replicates a local storage group to another location on the same server. The intent is that this replication would be done to a second locally attached disk subsystem so that if a failure on the primary disk were to happen an administrator could manually mount the second copy of the storage group to restore service.

Cmdlet

The smallest unit of a PowerShell command. Over 360 cmdlets will ship with Exchange 2007. These are usually simple task-based commands such as "move-mailbox" or "new-mailbox".

Exchange 12

Exchange 12 is the internal code name for Exchange 2007. So if you see Exchange 12 referenced, you can assume that the correct name is Exchange Server 2007.

Exchange ActiveSync (EAS)

A technology created to allow for mobile devices to synchronize with an Exchange mailbox. Windows Mobile devices as well as some non-Microsoft devices are able to leverage this technology.

Exchange Management Console ("the console")

This is the Graphical MMC based console for administering Exchange, Mailboxes, contacts and distribution lists.

Exchange Management Shell (EMS, or "the shell")

This is the command line interface that uses the PowerShell technology to administer Exchange, mailboxes, contacts and distribution lists. At RTM, EMS will actually have more abilities than the Exchange console; however, many of the tasks not exposed in the console are not commonly used.

Hub Transport Role (Hub)

This role (formerly referred to as "bridgehead") handles internal transport and routing and is tightly integrated with Active Directory directory services. The Hub Transport role can also apply policies to messages to enforce compliance requirements. Unlike Exchange 2000/2003 the Hub transport does not rely on the IIS SMTP service to function.

Edge Transport Role (Edge)

This role provides antivirus and anti-spam protection for the Exchange organization at the perimeter of the network. The Edge role does not rely on Active Directory; rather, it uses ADAM to provide configuration information.

Mailbox Role

This server role is responsible for hosting mailbox databases. A mailbox database contains users' e-mail, calendar, contact, and task data.

Client Access Server Role (CAS)

This role enables mailbox access through Outlook Web Access, POP3, IMAP4, Outlook Anywhere (formerly known as remote procedure call [RPC] over HTTP), and Exchange Server ActiveSync. This role is similar in function to an Exchange 2000/2003 front-end but not in operation.

Managed Folders

Folders used in the Messaging Records Management (MRM) feature of Exchange Server 2007. MRM allows retention policies to be set on folders in user mailboxes.

One liner

A group of PowerShell commands that pipeline information to each other to accomplish a single task.

Outlook Anywhere (formerly RPC/HTTP)

A technology that encapsulates RPC communications within HTTP calls. This allows for the use of Outlook through the internet without opening all of the required RPC ports.

Outlook Web Access (OWA)

A web interface for accessing an Exchange mailbox. This interface can view email, calendar, voice mail, and faxes. It also provides an interface for managing Windows Mobile devices using Exchange ActiveSync.

Outlook Voice Access (OVA)

A phone interface for an Exchange mailbox. It allows a user to call in and have mailbox items read aloud. These mailbox items include voice mail, email, and calendar appointments.

PowerShell

Formerly known by the codename "Monad", this is the command-line shell used to administer Exchange, and it is the foundation for the new generation of scripting capabilities that can be added to Windows Server 2003, Windows Vista, and Windows XP. Currently available as a free download; future versions of Microsoft operating systems will include PowerShell.

Server Roles

Server roles allow each of the discrete functions of Exchange to be broken out into multiple services and thus multiple servers. A single server can run four of the roles (Mailbox, Client Access, Hub Transport, and UM) at once, though this is only advisable in smaller scenarios. The roles are Hub Transport, Client Access, Edge Transport, Mailbox, and Unified Messaging.

Single Copy Cluster (SCC)

This type of clustering is the traditional Exchange clustering method. It requires an MSCS cluster and shared storage. It supports up to eight nodes with Windows 2003 Enterprise and requires at least one passive node.

Standby Continuous Replication (SCR)

A new continuous replication option available in Exchange Server 2007 Service Pack 1. This allows copies of the database to be kept on other Exchange servers or clusters for recovery. This sort of replication can work between datacenters.

UM

Short for Unified Messaging. Exchange 2007 adds the ability to integrate voice mail and email into a single place. This allows telephone users (OVA), web users (OWA) and MAPI users to access both email and voice mail.

Unified Messaging Role

This server role enables users to receive voice mail, e-mail, fax messages, and calendar information in their Exchange inbox; voice access to the inbox from any phone; and speech-enabled Automated Attendant functionality that allows callers to interact through touch-tone menus or by voice using speech recognition.

WebReady Document Viewing

This is a feature of Outlook Web Access that will render Office 2003 (and previous) and Adobe Acrobat files in HTML for viewing on clients that do not have the appropriate viewers installed. This is an excellent feature for kiosk access to Outlook Web Access.

Monday, May 4, 2009

Domain Functional Level

Domain functionality activates features that affect the whole domain and that domain only. The four domain functional levels, their corresponding features, and supported domain controllers are as follows:

Windows 2000 mixed (Default)
Supported domain controllers: Microsoft Windows NT 4.0, Windows 2000, Windows Server 2003
Activated features: local and global groups, global catalog support

Windows 2000 native
Supported domain controllers: Windows 2000, Windows Server 2003
Activated features: group nesting, universal groups, SidHistory, converting groups between security groups and distribution groups. Raising the forest functional level also raises the functional level of its domains.

Windows Server 2003 interim
Supported domain controllers: Windows NT 4.0, Windows Server 2003
Supported features: There are no domain-wide features activated at this level. All domains in a forest are automatically raised to this level when the forest level increases to interim. This mode is only used when you upgrade domain controllers in Windows NT 4.0 domains to Windows Server 2003 domain controllers.

Windows Server 2003
Supported domain controllers: Windows Server 2003
Supported features: domain controller rename; logon timestamp attribute updated and replicated; user password support on the InetOrgPerson objectClass; constrained delegation; ability to redirect the Users and Computers containers.

Domains that are upgraded from Windows NT 4.0 or created by the promotion of a Windows Server 2003-based computer operate at the Windows 2000 mixed functional level. Windows 2000 domains maintain their current domain functional level when Windows 2000 domain controllers are upgraded to the Windows Server 2003 operating system. You can raise the domain functional level to either Windows 2000 native or Windows Server 2003.
After the domain functional level is raised, domain controllers that are running earlier operating systems cannot be introduced into the domain. For example, if you raise the domain functional level to Windows Server 2003, domain controllers that are running Windows 2000 Server cannot be added to that domain.

The list above describes each domain functional level and the domain-wide features that are activated for that level. Note that with each successive level increase, the feature set of the previous level is included.

Forest Functional Level
Forest functionality activates features across all the domains in your forest. Three forest functional levels, the corresponding features, and their supported domain controllers are listed below.

Windows 2000 (default)
Supported domain controllers: Windows NT 4.0, Windows 2000, Windows Server 2003
New features: partial list includes universal group caching, application partitions, install from media, quotas, rapid global catalog demotion, Single Instance Store (SIS) for System Access Control Lists (SACL) in the Jet database engine, improved topology generation event logging, no global catalog full sync when attributes are added to the PAS, and a Windows Server 2003 domain controller assumes the Intersite Topology Generator (ISTG) role.

Windows Server 2003 interim
Supported domain controllers: Windows NT 4.0, Windows Server 2003.

Activated features: Windows 2000 features plus efficient group member replication using Linked Value Replication, improved replication topology generation, ISTG aliveness no longer replicated, and attributes added to the global catalog: ms-DS-Trust-Forest-Trust-Info, Trust-Direction, Trust-Attributes, Trust-Type, Trust-Partner, Security-Identifier, ms-DS-Entry-Time-To-Die, Message Queuing-Secured-Source, Message Queuing-Multicast-Address, Print-Memory, Print-Rate, Print-Rate-Unit

Windows Server 2003
Supported domain controllers: Windows Server 2003
Activated features: all features in the interim level, defunct schema objects, cross-forest trust, domain rename, dynamic auxiliary classes, InetOrgPerson objectClass change, application groups, 15-second intrasite replication frequency for Windows Server 2003 domain controllers upgraded from Windows 2000

After the forest functional level is raised, domain controllers that are running earlier operating systems cannot be introduced into the forest. For example, if you raise forest functional levels to Windows Server 2003, domain controllers that are running Windows NT 4.0 or Windows 2000 Server cannot be added to the forest.
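Because a raised functional level locks out older domain controllers for good, it is worth inventorying every DC's operating system first. The script below is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT) and a user who can read the directory.

```powershell
# Added example (not from the original post): report the current domain and forest
# functional levels and list every DC's OS, flagging any DC that would block a raise.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT) is available.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

"Domain {0} is at functional level: {1}" -f $domain.DNSRoot, $domain.DomainMode
"Forest {0} is at functional level: {1}" -f $forest.Name, $forest.ForestMode

# Every DC in every domain of the forest, with its operating system.
# A single older DC is enough to prevent raising the level.
$dcs = $forest.Domains | ForEach-Object {
    Get-ADDomainController -Filter * -Server $_
}
$dcs | Sort-Object OperatingSystem |
    Format-Table HostName, Domain, OperatingSystem, IsGlobalCatalog, IsReadOnly -AutoSize

# DCs still on Windows NT 4.0 or Windows 2000 block the Windows Server 2003 level.
$blockers = $dcs | Where-Object { $_.OperatingSystem -match 'NT 4\.0|Windows 2000' }
if ($blockers) {
    $names = ($blockers | ForEach-Object { $_.HostName }) -join ', '
    Write-Warning ("Cannot raise to Windows Server 2003 level while these DCs exist: " + $names)
} else {
    "No Windows NT 4.0 or Windows 2000 domain controllers found."
    # Preview the irreversible change without applying it; drop -WhatIf to commit.
    Set-ADDomainMode -Identity $domain -DomainMode Windows2003Domain -WhatIf
    Set-ADForestMode -Identity $forest -ForestMode Windows2003Forest -WhatIf
}
```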

Saturday, May 2, 2009

Microsoft Windows Operating System Family

We can classify Windows operating systems into three categories:

1 : Desktop Operating System

2 : Client Operating System

3 : Server Operating System

Desktop Operating System          Client Operating System                        Server Operating System
Windows 95/98                     Windows NT Workstation                         Windows NT Server
Windows ME                        Windows 2000 Professional                      Windows 2000 Server Family
Windows XP Home Series            Windows XP Professional                        Windows Server 2003 Family
Windows Vista Home Family         Windows Vista Ultimate, Business               Windows Server 2008 Family
Windows 7 Starter, Home Series    Windows 7 Professional, Enterprise, Ultimate   Windows Server 2008 R2

Friday, May 1, 2009

Difference between Domain and Domain Controller

Domain: In Active Directory, a collection of computer, user, and group objects defined by the administrator. These objects share a common directory database, security policies, and security relationships with other domains. In DNS, any tree or subtree within the DNS namespace. Although the names of DNS domains often correspond to Active Directory domains, DNS domains should not be confused with Active Directory domains.

Domain controller: In an Active Directory forest, a server that holds a writable copy of the Active Directory database, participates in Active Directory replication, and controls access to network resources. Administrators can manage user accounts, network access, shared resources, site topology, and other directory objects from any domain controller in the forest.

Thursday, April 30, 2009

Active Directory Partitions

Schema partition
Configuration partition
Domain partition
Application partition

Each partition is a unit of replication, and each partition has its own replication topology. Replication occurs between replicas of a directory partition. At a minimum, two directory partitions are common to all domain controllers in the same forest: the schema and configuration partitions. All domain controllers in the same domain additionally share a common domain partition.

Schema Partition
Only one schema partition exists per forest. The schema partition is stored on all domain controllers in a forest. The schema partition contains definitions of all objects and attributes that you can create in the directory, and the rules for creating and manipulating them. Schema information is replicated to all domain controllers in the forest.

Configuration Partition
There is only one configuration partition per forest. Stored on all domain controllers in a forest, the configuration partition contains information about the forest-wide Active Directory structure, including which domains and sites exist, which domain controllers exist in each forest, and which services are available. Configuration information is replicated to all domain controllers in a forest.

Domain Partition
Many domain partitions can exist per forest. Domain partitions are stored on each domain controller in a given domain. A domain partition contains information about users, groups, computers and organizational units. The domain partition is replicated to all domain controllers of that domain. All objects in every domain partition in a forest are stored in the global catalog with only a subset of their attribute values.

Application Partition
Application partitions store application-specific information in Active Directory. Each application determines how it stores, categorizes, and uses its information. To prevent unnecessary replication of specific application partitions, you can designate which domain controllers in a forest host them. Unlike a domain partition, an application partition cannot store security principal objects, such as user accounts. In addition, the data in an application partition is not stored in the global catalog.

As an example of application partition, if you use a Domain Name System (DNS) that is integrated with Active Directory you have two application partitions for DNS zones --

ForestDNSZones and DomainDNSZones:
ForestDNSZones is part of a forest. All domain controllers that are DNS servers in the forest receive a replica of this partition. This forest-wide application partition stores the forest zone data.

DomainDNSZones is unique for each domain. All domain controllers that are DNS servers in that domain receive a replica of this partition. The domain DNS zone data is stored in the DomainDNSZones application partition.

Each domain has a DomainDNSZones partition, but there is only one ForestDNSZones partition. No DNS data is replicated to the global catalog Server.

Thursday, April 23, 2009

Windows Server 2008 - New Active Directory Features

New developments for Active Directory in Windows Server 2008 include a Read-only Domain Controller (RODC), fewer domain controller reboots, and separation of the domain administrator from the local machine administrator accounts.

Windows Server 2008 Active Directory Topics
The Five Active Directory Roles
How to Install an Active Directory Role
Read-only Domain Controller (RODC)
Re-startable AD
STS (Security Token Service)
DC (Domain Controller) / Domain Admin Separation

The Five Active Directory Roles
While 'Role' is normally such an insignificant word, in Windows Server 2008 Microsoft have elevated 'Role' to the status of a keyword. The most important association for the word 'Role' is that it invokes the correct installation wizard, which then installs all the necessary sub-components associated with that role.

1) AD DS - Active Directory Domain Services.
This is the main Active Directory database for user and computer objects. AD DS is a descendant of Active Directory in Windows 2000 --> 2003 --> 2008. Remember the two sides of AD DS: the physical data store and the logical structure of forest, domains, OUs and sites.

2) AD CS - Certificate Services (CS) specializes in managing digital certificates (PKI). Security is the key; the idea is to protect data in these scenarios: S/MIME for email, SSL for websites, smartcard logon via VPN and encrypting files (EFS). Naturally, it integrates with AD DS above.

3) AD RMS - Rights Management Services. Can be used to protect documents sent in emails. Users must first have an AD DS account. Services using RMS must also be registered in Active Directory.

4) AD FS - Federation Services
Federation manages trust relationships between different organizations. Also provides single sign on for web based applications, for example, online retailers.

5) AD LDS - Active Directory Lightweight Directory Services
This is like the ADAM (Active Directory Application Mode) service of Windows Server 2003. Only use AD LDS for applications that cannot use the regular AD DS, for example where there are security concerns, or where you just need to test LDAP features. Unlike the other roles, AD LDS is an alternative to the main Active Directory and not an extension of it.

How to Install an Active Directory Role
Firstly, with Active Directory you always need to plan. I am assuming that you have installed a member server. Now is the time to ask smart questions such as 'Is this a brand new forest?' or 'Is this an additional domain controller in an existing domain?'
Secondly, the mechanics are easy. The new method of installing Active Directory in Windows Server 2008 is to use 'Add roles'. For this feature, open Server Manager and then scroll down to 'Add roles'.
The Active Directory wizard will guide you through all the options so that you can make smart choices for your situation. New choices include specifying a DNS server, setting the server as a Global Catalog, and selecting the Read-only Domain Controller option. At this time you may also want to select a site for your DC and, more importantly, set the functional levels for the domain, or even the entire forest.
If you are familiar with the command-line program called dcpromo, then you will be used to the planning tree: new domain / child domain / new forest. Just go to the command line as you did in Windows Server 2003 and type dcpromo.
Be aware that you can still create answer files for dcpromo. This is useful if you are creating multiple domain controllers with similar specifications.

Read only Domain Controller (RODC)
The goal of a Read-only DC (RODC) is to reduce physical security requirements and simplify local operations. At first sight this sounds like a return to the BDC. While this is indeed a read-only copy of the Active Directory database, its rationale is different from the old NT 4 BDC. The RODC philosophy is: don't install features that a small office does not require.

All the features that Microsoft have put into a read-only DC are there to turn their vision of a branch office model into reality. The model requires a local domain controller that can service users' logon requests, but without the need for an administrator out at the branch. A read-only DC, which can authenticate clients from its own site, is much less vulnerable to attack from hackers.
One crucial decision is how to control password caching on the RODC. The benefits of caching are clear: faster second and subsequent logons, and the ability to log on if the WAN link to the normal domain controllers is down. However, there is a security liability in caching the passwords of important accounts, for example the Administrator or your Financial Director. Your biggest security worry with the RODC is what a hacker could do with unlimited time to crack the cached accounts and passwords if the server were stolen.
As usual, Microsoft have thought through the problem and come up with the answer in the form of a Password Replication Policy. In a nutshell, this policy determines which accounts can have their passwords cached.
When you set up the RODC, specify which account passwords to allow or deny from being cached on the RODC. This configuration page appears only if you select the 'Use advanced mode installation' check box.

Re-startable AD (Active Directory)
Windows Server 2008's re-startable AD continues the trend of reducing domain controller reboots. This restart facility is particularly welcome after you apply security updates to domain controllers. Re-startable Active Directory is implemented as a normal Windows service that can be stopped and started as required. Not only does this reduce the need for reboots, it also simplifies offline actions such as defragmenting the AD database.
The secret to restarting Active Directory is to remember that it has a corresponding service, which you can start and stop via the Computer Management snap-in.
You may wish to check which services depend on AD DS to function. The best way to check these dependencies is to right-click Active Directory Domain Services, and then click Properties. Incidentally, all the dependent services stop first; only then does Windows Server 2008 stop AD DS.

STS (Security Token Service)
Windows Server 2008 will add a new service to Active Directory called a Security Token Service (STS), which integrates authentication and authorization in a manner that simplifies access management. The Security Token Service extends the capabilities introduced with ADFS (Active Directory Federation Services) to include support for smart clients, 'InfoCards', and privacy support. In addition, STS will integrate resource discovery and management. For example, using the STS, customers will be able to automatically find application resources and operations, and provide granular access control for these operations.

DC (Domain Controller) / Domain Admin Separation
In Windows Server 2008 there will be a DC (Domain Controller) Admin and a separate Domain Admin. This means the DC Admin will not automatically have all privileges in the domain. You will see a new user group called DC Admin. DC Admins will be able to log on to the domain controllers, but they will not be automatically granted domain administrator privileges.

Other new features of Server 2008 Active Directory
Install a DC on Server Core, and thus minimize the attack surface.

Wednesday, April 22, 2009

Difference Between a Domain and a Workgroup Network

  • Domain: client-server architecture. Workgroup: peer-to-peer architecture.
  • Domain: centralized management and administration. Workgroup: decentralized management and administration.
  • Domain: domain login (centralized). Workgroup: local login (decentralized).
  • Domain: implemented where security is more important. Workgroup: implemented where resource sharing is more important.
  • Domain: a copy of Active Directory is present, i.e. a domain controller is present. Workgroup: Active Directory is not present.

How a network transmits data

To view a Web page, the user opens a Web browser, such as Internet Explorer, and enters a Web address, such as

The computer translates the Web address into an Internet Protocol (IP) address.

TCP/IP adds the hardware address of the default gateway and sends the data to the computer’s network interface card. In this example, the default gateway is an asymmetric digital subscriber line (ADSL) router, but it can also be a cable modem or a dial-up analog modem.

The network interface card sends the data in single or multiple packets over a wired or wireless network. In this example, the ADSL router is connected directly to the Internet through your Internet service provider (ISP).

TCP/IP sends the data, or network packet, to the local computer’s network interface card, which then passes the packet to the ADSL router. The ADSL router retrieves the packet and passes it to TCP/IP.

TCP/IP examines the packet and decides where to send the data next. TCP/IP replaces the hardware address with the hardware address of the next router and passes the data to the network interface card for transmission on the network.

The data may pass through several routers before it reaches the destination host, or Web server. At every router, the packet is examined and TCP/IP decides where to send the data next.

When the packet reaches the Web server, the application retrieves the requested data (in this case, the Web page) and sends it back to the requesting computer.

The network interface card on the computer receives the data and passes the information to TCP/IP. TCP/IP examines the packet and passes the data to Internet Explorer, which then displays the page. In this example, the computer and ADSL router represent a local area network, or LAN, because they are physically close together.

The Internet is an example of a wide area network, or WAN, because the routers on the Internet typically connect different networks that are geographically separated. In an office environment, when a user requests a Web page, the packet may pass through several hubs, switches, or routers on the office LAN before it reaches the Web server on the Internet.

The network initialization process

When Windows Vista starts, the Windows Firewall initializes before the computer connects to the network. This arrangement helps protect the computer from attackers.

During startup, the operating system initializes the network interface card (NIC) and assigns unique IPv4 and IPv6 addresses.

Windows Vista requests a DHCP address lease and obtains the address of a DNS server, if configured on the DHCP server.

Windows Vista then registers this IP address with the computer's name and domain on the network.

The operating system requests the Media Access Control (MAC) address for the DNS server's IP address.

Windows Vista sends a DNS service (SRV) query and a corresponding address (A) query for a domain controller in the computer's domain.

The operating system then sends the domain controller an LDAP request for a suitable network logon point. Typically, the domain controller responds with its own name.

Windows Vista then uses TCP and remote procedure calls (RPCs) to bind to that domain controller.

The client computer uses Network Time Protocol (NTP) to synchronize its clock with the domain controller because Kerberos version 5 authentication requires time synchronization.

The client computer and the domain controller now conduct Kerberos negotiation, falling back to NTLM if unsuccessful. If successful, the server responds with a Kerberos ticket.

Windows Vista then makes a server message block (SMB) connection to the server, trying SMB 2.0 first, and reverting to SMB 1.0, if unsuccessful.

Windows Vista binds to the domain controller's SYSVOL share and applies the computer element of any relevant group policies. These policies can include changes to the firewall settings.

The network initialization process is now complete.

Features OF Read-Only Domain Controller (RODC)

A Read-Only Domain Controller (RODC) is a new type of domain controller in Windows Server 2008. Its main purpose is to improve security in branch offices. In this post, I summarize the functionality of RODC.

In branch offices, it is often not easy to provide sufficient physical security for servers. It is not a big deal to manipulate a Windows system if you can get physical access to it. Since domain controllers store security-sensitive data, they are particularly endangered. RODCs can help with this problem in four ways:

RODC essentials
Read-only feature: An intruder on the RODC can’t manipulate the Active Directory database.
DNS protection: If the RODC server hosts a DNS server, the intruder won’t be able to tamper with the DNS data.

Password protection: A malicious user won’t be able to access passwords using a brute-force-attack. This applies only if password caching is disabled on the RODC.

Administrator Role Separation: You can delegate a local Administrator role to a domain user.

Read-only Domain Controller
An RODC holds all Active Directory objects and attributes.
RODCs only support unidirectional replication of Active Directory changes (i.e., from the forest to the RODC). If an application needs write access to Active Directory objects, the RODC will send an LDAP referral response that redirects the application to a writable domain controller.

DNS Protection
A DNS server running on an RODC doesn’t support dynamic updates.
If a client wants to update its DNS record, the RODC will send a referral to a writable DNS server. The client can then update its record against that DNS server.
This single record will then be replicated from the writable DNS server to the RODC DNS server.
Password Protection
By default, an RODC doesn’t store user or computer credentials. (The only exception is the computer account of the RODC itself and a special krbtgt account.)
However, an RODC can cache passwords. If a password isn't cached, the RODC will forward the authentication request to a writable DC. The Password Replication Policy determines the user groups for which password caching is allowed (more about this in my next post).

Administrator Role Separation:
A domain user having the Administrator role on an RODC doesn’t have to be a domain admin.
A domain user having the Administrator role can do maintenance work on the RODC such as installing software. If an intruder gains access to the credentials of this local administrator account, he will not be able to make changes on other domain controllers.
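Both the RODC installation notes above and this post turn on the same question: which accounts' passwords does each RODC actually hold, and are any of them privileged? The script below is an added example, not part of either original post; it assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT) and rights to read the RODC's revealed-accounts list.

```powershell
# Added example (not from the original posts): audit the Password Replication Policy
# of every RODC in the domain and list the accounts whose credentials are actually
# cached there, i.e. the accounts exposed if that RODC were stolen.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT) is available.
Import-Module ActiveDirectory

$rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true }
if (-not $rodcs) {
    "No read-only domain controllers found in this domain."
    return
}

# Groups whose members should never have credentials cached on a branch RODC.
$privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

foreach ($rodc in $rodcs) {
    "=== {0} (site {1}) ===" -f $rodc.HostName, $rodc.Site

    # The explicit policy: who MAY be cached and who is explicitly denied.
    # An account on both lists is denied; the deny list takes precedence.
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied
    "Allowed list: " + (($allowed | ForEach-Object { $_.Name }) -join ', ')
    "Denied list:  " + (($denied  | ForEach-Object { $_.Name }) -join ', ')

    # Accounts whose secrets this RODC has already pulled from a writable DC.
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
    "Cached credentials: {0}" -f @($revealed).Count
    $revealed | Sort-Object SamAccountName | Format-Table SamAccountName, ObjectClass -AutoSize

    # Flag any cached account that sits in a privileged group: that is the
    # 'stolen RODC' risk the posts describe, and such accounts belong on the deny list.
    foreach ($acct in $revealed) {
        $groups = Get-ADPrincipalGroupMembership -Identity $acct | ForEach-Object { $_.Name }
        $hits = $groups | Where-Object { $privileged -contains $_ }
        if ($hits) {
            Write-Warning ("{0} is cached on {1} and is a member of: {2}" -f `
                $acct.SamAccountName, $rodc.HostName, ($hits -join ', '))
        }
    }
}
```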