2.2 Understanding the AD Domain Structure
After
the AD DS forest structure has been chosen, the domain structure can be
laid out. As with the forest structure, it is often wise to consider a
single domain model for the Exchange Server 2013 directory. In fact, if
deploying Exchange Server is the only consideration, this is often the
best choice.
There is one major exception
to the single domain model: the placeholder domain model. The
placeholder domain model has an isolated domain serving as the root
domain in the forest. The user domain, which contains all production
user accounts, would be located in a separate domain in the forest, as
illustrated in Figure 2.
Figure 2. The placeholder domain model.
The
placeholder domain structure segregates high-level schema-access
accounts into a completely separate domain from the regular user
domain. Access to the placeholder domain can be audited and restricted
to maintain tighter control on the critical schema. The downside to
this model, however, is the fact that the additional domain requires a
separate set of domain controllers, which increases the infrastructure
costs of the environment. In general, this makes this domain model less
desirable for smaller organizations because the trade-off between
increased cost and less security is too great. This is a model that was
once commonly deployed by organizations before it became apparent that
the domain is not an effective security boundary.
2.3 Reviewing AD DS Infrastructure Components
Several
key components of AD must be installed within an organization to ensure
proper Exchange Server 2013 and AD DS functionality. In smaller
environments, many of these components can be installed on a single
machine, but all need to be located within an environment to ensure
server functionality.
Outlining the Domain Name System (DNS) Impact on Exchange Server 2013 Design
In
addition to being tightly integrated with AD DS, Exchange Server 2013
is joined with the Domain Name System (DNS). DNS serves as the lookup
agent for Exchange Server 2013, AD, and most new Microsoft applications
and services. DNS translates common names into computer-recognizable IP
addresses. For example, the name www.cco.com translates into the IP address of 12.155.166.151. AD DS and Exchange Server 2013 require that at least one DNS server be made available so that name resolution properly occurs.
Given the dependency that both Exchange Server 2013 and AD DS have on DNS, it is an extremely important design element.
Reviewing DNS Namespace Considerations for Exchange Server
Given
Exchange Server 2013’s dependency on DNS, a common DNS namespace must
be chosen for the AD DS structure to reside in. In multiple tree domain
models, this could be composed of several DNS
trees, but in small organization environments, this normally means
choosing a single DNS namespace for the AD DS domain.
There
is a great deal of confusion between the DNS namespace in which AD DS
resides and the email DNS namespace in which mail is delivered.
Although they are often the same, there is no reason that the two
namespaces have to be the same. When Exchange Server is first
installed, the AD domain is chosen as the default SMTP domain, but that
can be changed. For example, CompanyABC’s AD DS structure is composed
of a single domain named abc.internal, and the email domain to which mail is delivered is companyabc.com.
The separate namespace, in this case, was created because someone
believed that it reduced the security vulnerability of maintaining the
same DNS namespace both internally and externally (published to the
Internet).
Likewise, there is no necessary
relationship between the Active Directory user principal name (UPN)
that can be used for user logon and the SMTP email address, but using
the same for both makes it easier for users.
For simplicity, CompanyABC could have chosen companyabc.com
as its AD DS namespace. This choice increases the simplicity of the
environment by making the AD DS logon UPN and the email address the
same. For example, the user Pete Handley is [email protected] for logon and [email protected]
for email. This option is the choice for many organizations because the
need for user simplicity often trumps the higher security.
Optimally Locating Global Catalog Servers
Because
all Exchange Server directory lookups use AD, it is vital that the
essential AD global catalog information is made available to each
Exchange server in the organization. For many small offices with a
single site, this simply means that it is important to have a full
global catalog server available in the main site where there are
Exchange servers.
The global catalog is an
index of the AD DS database that contains a partial copy of its
contents. All objects within the AD DS tree are referenced within the
global catalog, which enables users to search for objects located in
other domains. Not every attribute of each object is replicated to the
global catalogs, only those attributes that are commonly used in search
operations, such as first name and last name. Exchange Server 2013 uses
the global catalog for the email-based lookups of names, email
addresses, and other mail-related attributes.
Note
Exchange Server 2013 cannot make use of
Windows Server 2008 Read-Only Domain Controllers (RODCs) or Read-Only
Global Catalog (ROGC) servers, so be sure to plan for full GCs and
domain controllers (DCs) for Exchange Server.
Because full global
catalog replication adds bandwidth usage to the standard domain
controller replication, it is important to design a site structure to
reflect the available WAN link capacity. If a sufficient amount of
capacity is available, a full global catalog server can be deployed.
If, however, capacity is limited, universal group membership caching
can be enabled to reduce the bandwidth load.
