Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2008-03-17
As a business grows in size, its infrastructure typically grows along with it. Such growth often brings with it added complexity and new security challenges. Of the four defined organization models for Microsoft Exchange Server 2007, the large Exchange organization is the largest organization model that can be deployed in a single Active Directory directory service forest environment. The distinguishing characteristics of the large Exchange organization include:
- Five or more routing groups, or five or more Active Directory sites that have at least one Exchange server deployed. Multiple locations and Active Directory sites introduce the multi-site routing protocol and role discovery algorithms, as well as a requirement to use IP site links.
Note: Multiple routing groups will only exist in a large Exchange organization that includes Exchange 2007 and either Exchange Server 2003 or Exchange 2000 Server, or both. In a pure Exchange 2007 environment, all servers belong to a single routing group.
- A single Active Directory forest. The introduction of a second or subsequent forest, or the introduction of directory synchronization tools, such as Microsoft Identity Integration Server, automatically redefines the topology as a complex Exchange organization. For more information about complex Exchange organizations, see Planning for a Complex
- The Service Delivery Location (SDL) and Client Service Location (CSL) reside in multiple physical locations, and there is often greater separation between them.
- Although in this topology the Exchange organization includes multiple points of presence, the external messaging and client protocol-specific namespaces are common across most or all
An Exchange organization with all of the listed characteristics is considered a large Exchange organization.
Single and Multiple Active Directory Domains
The single domain topology includes all scenarios where a single Active Directory domain is deployed for all user and computer objects. In a single domain model, a common domain name suffix is in use by all computer objects, and the domain name suffix matches the domain namespace used by Active Directory.
Large Exchange organizations often include multiple Active Directory domains. Within Active Directory forests, there is considerable variability on the organization of domains. Generally, domain models that are based upon geographic boundaries rather than business unit boundaries tend to have more longevity and flexibility because geographic boundaries change less frequently than business units. Although not a requirement of a multiple-domain environment, we recommend that geographically based domains be deployed where possible.
The most prominent multiple-domain model is the parent/child domain relationship. In this model, the root or parent domain is deployed primarily to provide a namespace for the forest. An equally important function is to prevent the proliferation of domains and expansion of the forest. Adding domains to a forest requires administrative access to the root domain, and typically very few personnel have administrative access to the root domain. After the parent domain is installed, one or more child domains may be added. A child domain refers to a domain that is subordinate to the parent domain. A child domain is typically where user accounts, file servers, and application servers are installed. In a normal Active Directory topology, the domain namespace is contiguous and reflects the hierarchy of the domains deployed. For example, if a root domain is named fabrikam.com, child domain names could include us.fabrikam.com, eu.fabrikam.com, and asia.fabrikam.com.
Beyond first-level child domains, additional layers of hierarchy may also be deployed. These layers are generally referred to as grandchild domains. To simplify Exchange environments, we recommend not using grandchild domains to host Exchange, and that you restrict your Exchange server membership to child domains. This approach does not mean that grandchild domains cannot be used to host mailbox-enabled users. All domains in a forest have transitive trusts between them, and as long as the Domain Name System (DNS) is working correctly for all domains in the forest, this configuration of users and servers should function normally.
Note: The use of grandchild domains may require additional configuration of the DNS suffix search order on each host in the forest to work correctly.
The simplest implementation of multiple parent/child domain relationships is when all domains are deployed at a single location. This topology is uncommon, and it often includes a segregation of administration responsibilities between the domains. A more common deployment scenario of multiple parent/child domain relationships is when the domains are deployed along SDL boundaries.
Dedicated Active Directory Sites
Supporting high concentrations of Exchange servers and clients out of a single SDL can create a significant demand for directory services. Beyond Exchange, the addition of other applications that require directory services, client authentication, or directory replication can cause a significant degradation in the health and performance of Exchange. To alleviate directory service congestion, the creation of a dedicated Active Directory site to host Exchange servers using dedicated domain controllers and global catalog servers is a current best practice. By segmenting an SDL into multiple Active Directory sites, it becomes possible to separate the directory traffic generated by Exchange servers and Microsoft Outlook clients from other directory service traffic.
Note: At this time, Exchange 2007 is undergoing performance and scalability testing and tuning, including testing the performance characteristics of systems with 64-bit directory servers. After this testing is complete, a review of this best practice will occur and supplemental information will be provided.
In the case of a location that hosts a dedicated Exchange Active Directory site, it is acceptable for foreign domain controllers (domain controllers from domains other than the ones whose mailboxes are hosted there) to be located in the Active Directory site that is used for general client authentication rather than in the dedicated Exchange Active Directory site, provided that there is a direct IP site link between the two Active Directory sites and that the segregation of mailbox ownership is maintained across the SDLs.
Examples of Large Exchange Organizations
A large Exchange organization comes in many varieties. However, large Exchange organizations typically have common attributes. For example, there is an increase in the number of physical locations supported by Exchange, even though Exchange is not deployed to all locations. In addition, many large Exchange organizations have multiple points of egress to the Internet, often using multiple Internet service providers (ISPs) while maintaining a single messaging and client protocol namespace.
- Figure 1 illustrates one example of a large Exchange
Planning Considerations for Large Exchange Organizations
During the planning phase of your deployment, and before you deploy any Exchange 2007 servers in a large Exchange organization, we recommend that you consider the following:
- When a multiple-domain model is deployed, place domain controllers so that every domain whose accounts are used as security principals on Exchange objects has excellent connectivity to the locations that host many Exchange resources. This is especially important in Exchange server consolidation scenarios.
- When an organization reaches sufficient size to require a dedicated Active Directory site for Exchange, it is quite common for this configuration to be replicated across major data center locations. This introduces additional replication links that must be accounted for in topology discovery, as well as Active Directory sites which do not have any Exchange
- When domain boundaries are based upon business unit boundaries rather than geographic boundaries, it is common for the distribution of domains and SDLs to overlap significantly. When this occurs, a single Exchange server or group of Exchange servers ends up hosting resources from multiple domains out of a common SDL. This sharing of infrastructure increases the need for directory resources and additional domain controllers for each of the affected domains, because of the additional authentication requirements for each domain, the management of distribution lists from the Outlook client, and client referrals to a global catalog server. A proportionate number of global catalog servers from the appropriate domain must be available for use by clients, because the global catalog server referrals that the Exchange server sends to a client include a global catalog server from the domain in which the mailbox account is hosted. In the case of a dedicated Exchange Active Directory site, this means that domain controllers from each domain for which the Exchange servers host resources must be included in the Exchange Active Directory site.
- When deploying a large Exchange organization, providing high availability deployment options becomes an important consideration. In Exchange 2007, there are multiple solutions that can be used to provide high availability for each server role. For more information about high availability strategies and features for Exchange 2007, see High
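The placement rule in the dedicated-site and multiple-domain considerations above (domain controllers and global catalog servers from every domain whose mailboxes the site's Exchange servers host must be present in the Exchange Active Directory site) can be verified rather than assumed. The following Exchange Management Shell script is an added example, not part of this article or of any Microsoft tool. It enumerates the directory servers in a named site through System.DirectoryServices.ActiveDirectory, counts the mailboxes on the site's Mailbox servers per Active Directory domain, and flags domains that have mailboxes there but no global catalog server of their own in the site. The site name "Exchange-Site" is an assumed value for the demonstration; replace it with your own.

```powershell
# Added example (not from the original article): for a dedicated Exchange
# Active Directory site, report every domain that has mailboxes hosted by the
# site's Mailbox servers but no domain controller or global catalog server of
# its own inside the site. Run in the Exchange 2007 Management Shell on a
# domain-joined host. The default site name is an assumption for the demo.
param(
    [string] $ExchangeSiteName = "Exchange-Site"   # assumed site name
)

# The shell normally has System.DirectoryServices loaded already; load it
# explicitly so the script also works from a plain PowerShell 1.0 session.
[void][System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices")

# Derive the DNS domain name from a distinguished name, for example
# "CN=Jane,OU=Sales,DC=us,DC=fabrikam,DC=com" -> "us.fabrikam.com".
# Assumes no escaped commas inside the DC= components (they never carry any).
function Get-DomainFromDN([string] $dn) {
    $labels = @()
    foreach ($part in $dn.Split(",")) {
        $part = $part.Trim()
        if ($part.ToUpper().StartsWith("DC=")) { $labels += $part.Substring(3) }
    }
    return [string]::Join(".", [string[]] $labels).ToLower()
}

# Count of entries stored under $key, or 0 when the key is absent
# (@($null).Count is 1, so a plain lookup would over-count).
function Get-EntryCount($table, [string] $key) {
    if ($table.ContainsKey($key)) { return @($table[$key]).Count } else { return 0 }
}

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$site = $forest.Sites | Where-Object { $_.Name -eq $ExchangeSiteName }
if ($site -eq $null) { throw "Site '$ExchangeSiteName' not found in forest $($forest.Name)" }

# 1. Inventory the directory servers that are really in the Exchange site,
#    grouped by the domain each one belongs to. Any global catalog can answer
#    forest-wide queries, but the referral Exchange hands to Outlook names a
#    global catalog from the mailbox's own domain, so coverage is per domain.
$dcsByDomain = @{}
$gcsByDomain = @{}
foreach ($dc in $site.Servers) {
    if (-not ($dc -is [System.DirectoryServices.ActiveDirectory.DomainController])) { continue }
    $domain = $dc.Domain.Name.ToLower()
    if (-not $dcsByDomain.ContainsKey($domain)) { $dcsByDomain[$domain] = @() }
    if (-not $gcsByDomain.ContainsKey($domain)) { $gcsByDomain[$domain] = @() }
    $dcsByDomain[$domain] += $dc.Name
    if ($dc.IsGlobalCatalog()) { $gcsByDomain[$domain] += $dc.Name }
}

# 2. Find the Mailbox servers in the site and count their mailboxes per domain.
#    Get-Mailbox -Server walks every mailbox, so this takes a while on a large site.
$mailboxServers = @(Get-ExchangeServer | Where-Object {
    $_.IsMailboxServer -and $_.Site.Name -eq $ExchangeSiteName })
$mailboxesByDomain = @{}
foreach ($server in $mailboxServers) {
    foreach ($mbx in (Get-Mailbox -Server $server.Name -ResultSize Unlimited)) {
        $domain = Get-DomainFromDN $mbx.DistinguishedName
        if (-not $mailboxesByDomain.ContainsKey($domain)) { $mailboxesByDomain[$domain] = 0 }
        $mailboxesByDomain[$domain] += 1
    }
}

# 3. Report. A domain that has mailboxes in the site but no DC or GC of its own
#    there is exactly the placement gap the planning considerations warn about.
$report = @()
foreach ($domain in $mailboxesByDomain.Keys) {
    $row = New-Object PSObject
    $row | Add-Member -MemberType NoteProperty -Name Domain    -Value $domain
    $row | Add-Member -MemberType NoteProperty -Name Mailboxes -Value $mailboxesByDomain[$domain]
    $row | Add-Member -MemberType NoteProperty -Name DCsInSite -Value (Get-EntryCount $dcsByDomain $domain)
    $row | Add-Member -MemberType NoteProperty -Name GCsInSite -Value (Get-EntryCount $gcsByDomain $domain)
    $report += $row
}
$report | Sort-Object Mailboxes -Descending | Format-Table -AutoSize

$missing = @($report | Where-Object { $_.GCsInSite -eq 0 })
if ($missing.Count -gt 0) {
    $names = [string]::Join(", ", [string[]] ($missing | ForEach-Object { $_.Domain }))
    Write-Warning "Site '$ExchangeSiteName' has mailboxes but no global catalog server for: $names"
}

# 4. Cross-check against the directory servers each Mailbox server's
#    DSAccess has actually selected at run time.
foreach ($server in $mailboxServers) {
    Get-ExchangeServer -Identity $server.Name -Status |
        Format-List Name, CurrentDomainControllers, CurrentGlobalCatalogs, CurrentConfigDomainController
}
```

Run it as `.\Test-ExchangeSiteGcCoverage.ps1 -ExchangeSiteName "<your site>"` (the file name is whatever you save it under). A domain listed with DCsInSite or GCsInSite of 0 needs domain controllers of that domain added to the Exchange site; pinning servers with the static domain controller parameters of Set-ExchangeServer only changes which servers DSAccess talks to and does not remove the cross-site dependency for client referrals.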
Transitioning a Large Exchange Organization
If you are transitioning from an existing Exchange Server 2003 or Exchange 2000 Server organization to an Exchange 2007 organization, be aware that you cannot perform an in-place upgrade of your servers. You must add one or more Exchange 2007 servers to your existing organization, move mailboxes and other data to Exchange 2007, and then remove the Exchange 2003 or Exchange 2000 server from the organization.
For more information about deploying and transitioning to a large Exchange 2007 organization, see Deploying a Large Exchange Organization.