Friday, June 29, 2007

Turning OOF messages on the Exchange server is a bad idea for several reasons

OOF messages reply to spam. Most OOF messages also contain the e-mail address of a coworker or other personal information that a spammer can exploit for social engineering. This increases spam, which costs employees time dealing with junk mail. Many listservs and mailing lists will automatically unsubscribe you from their newsletters and lists when they receive an OOF message. When Out of Office is enabled, only one reply is sent to each sender, even if you receive multiple messages from that person (Microsoft KB 157961).

The Out of Office Assistant sends an automatic reply to notify users who send you messages that you are away from the office. Your reply is sent only once to each message sender. This is reset when you toggle Out of Office in the client. In other words, Microsoft Exchange clears the internal "sent to" list when you disable the Out of Office that is currently enabled.

If you would like to have a reply sent for every message, use Inbox Rules instead of Out of Office.

Risks involved if a mail loop occurs

Mail looping incidents involve huge numbers of messages flooding user mailboxes and could conceivably fill all available disks on the Exchange server. In a larger enterprise environment the damage can be significant: the disks fill up and the server shuts down. The Out of Office Assistant can be exploited for a denial of service if automatic replies go out to the Internet. If a spammer runs a dictionary attack (randomly generated e-mail names) against an organization, an out-of-office reply is proof that a given address is valid, and the spammer can add it to a list of known-valid addresses for future spam runs. This lets spam into the corporate network, and the impact can be severe if a valid DL (distribution list) is exposed to spammers.

Generally, a properly managed e-mail system should not have message-looping issues, since Microsoft Outlook Out of Office is set to fire only once per sender. However, your Exchange server's interactions with other e-mail systems, such as some fax clients, can cause mail loops. This is a rare occurrence, but it has been known to happen.


Oz Ozugurlu

Thursday, June 28, 2007

/3GB /USERVA=3030 parameters on the boot.ini

Let's understand why we need to perform some tuning on Exchange servers. Microsoft recommends editing the boot.ini file on Exchange servers that have more than 1 GB of memory installed. Why do we need to do this? To optimize the virtual memory usage of the Information Store service. Here is the official Microsoft explanation: under typical circumstances, for each process, 2 GB of virtual address space is allotted to the user-mode process and another 2 GB of virtual address space is allotted to the operating system. When you use the /3GB switch in Windows Server 2003, 3 GB of virtual address space is allotted to the user-mode process and only 1 GB of virtual address space is allotted to the operating system. This reallocation of the extra 1 GB of address space helps to resolve the problem of memory fragmentation in the Store.exe virtual address space. With the larger address space allocated to Store.exe, memory can be more easily joined before all large memory blocks are used.

[Boot loader]

[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Enterprise" /noexecute=optout /fastdetect /redirect /3GB /USERVA=3030

So all you need to do is add this extra switch to boot.ini and save it (make sure boot.ini is NOT read-only):

/3GB /USERVA=3030

Note: Make sure that the Store.exe process does not run out of virtual address space. If this happens, memory allocations fail (even if there is plenty of physical RAM remaining), and you must restart the Microsoft Exchange Information Store service.

For example, a server with 2 GB of physical RAM that does not have the /3GB switch in the Boot.ini file will run out of memory when the Store.exe virtual address space reaches 2 GB. Windows Task Manager shows that only about 1.5 GB is actually being used in this scenario, but the server will still be out of memory.

The /USERVA switch is new to Windows Server 2003 and provides better granularity for splitting memory allocations between user mode and kernel mode. This behavior lets you scale the server to a greater number of users without the risk of exhausting system resources. By using /USERVA=3030, an additional 42 megabytes (MB) of memory is allocated to the kernel for page table entries (PTEs). However, this value may need more tuning. You can monitor PTE consumption by using Performance Monitor. The counter to monitor is Free System Page Table Entries. If values less than 7000 are observed, the value of 3030 must be reduced because the system is unstable. If the value is less than 20,000, reduce the value in 64-MB steps until values greater than 20,000 are observed.

Note: Microsoft Product Support Services strongly recommends using a value within the range of 2800 to 3030 for the /USERVA switch. This range is wide enough to provide a large enough pool of system PTEs for all currently observed issues. Typically, a setting of /userva=2800 provides close to the maximum available number of system PTEs that are possible. Currently, Microsoft Product Support Services has not seen an Exchange Server computer that requires values less than 2900.

You may also monitor the virtual address consumption by using Performance Monitor. Add the Virtual Bytes counter for the Store.exe process to make sure of an accurate reading of the virtual space. The Store.exe process is the only Exchange 2003 process that you must monitor. Other Exchange 2003 processes will not grow sufficiently large to cause any problems.

Because Exchange Server uses the /3GB switch as it scales up, the Exchange Server computer cannot efficiently use more than 4 GB of RAM. Exchange Server does not support instancing, Physical Address Extension (PAE), or Address Windowing Extensions (AWE). Therefore, 4 GB of RAM is the maximum amount of memory that an Exchange Server computer can efficiently use.
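As an added example (not from the original post), here is a PowerShell check that reads the /3GB and /USERVA switches out of boot.ini, tests the /USERVA value against the 2800 to 3030 range quoted above, and samples the Free System Page Table Entries counter against the 7,000 and 20,000 thresholds. It assumes PowerShell 2.0 or later (for Get-Counter), that boot.ini is at C:\boot.ini, and that the counter lives under the Memory object.

```powershell
# Added example (not from the original post): check the /USERVA setting in boot.ini
# against the 2800-3030 range the post quotes, then sample the Free System Page Table
# Entries counter and report it against the 7,000 and 20,000 thresholds.
# Assumes PowerShell 2.0 or later (Get-Counter) on a 32-bit Windows Server 2003 host.

function Get-UserVaSetting {
    param([string]$BootIniPath = 'C:\boot.ini')   # path assumed; boot.ini lives on the system drive

    $content = Get-Content -Path $BootIniPath
    # Only the entries under [operating systems] carry the boot switches.
    $osLines = $content | Where-Object { $_ -match '^\s*multi\(' }
    foreach ($line in $osLines) {
        $has3GB = $line -match '/3GB'
        $userva = $null
        if ($line -match '/USERVA=(\d+)') { $userva = [int]$Matches[1] }
        New-Object PSObject -Property @{
            Entry   = $line
            Has3GB  = $has3GB
            UserVa  = $userva
            # Microsoft PSS range quoted in the post: 2800 to 3030, and only meaningful with /3GB.
            InRange = ($has3GB -and ($null -ne $userva) -and $userva -ge 2800 -and $userva -le 3030)
        }
    }
}

function Test-FreeSystemPtes {
    param([int]$Samples = 5, [int]$IntervalSeconds = 5)

    # Counter path is an assumption of this example; the post names only the counter.
    $path   = '\Memory\Free System Page Table Entries'
    $raw    = Get-Counter -Counter $path -SampleInterval $IntervalSeconds -MaxSamples $Samples
    $values = $raw | ForEach-Object { $_.CounterSamples[0].CookedValue }
    $min    = ($values | Measure-Object -Minimum).Minimum

    # Thresholds from the post: below 7,000 the system is unstable and /USERVA must drop;
    # below 20,000, reduce /USERVA in 64-MB steps until the counter stays above 20,000.
    $verdict = if ($min -lt 7000) { 'CRITICAL: reduce /USERVA now (system unstable)' }
               elseif ($min -lt 20000) { 'WARNING: reduce /USERVA in 64-MB steps' }
               else { 'OK' }
    New-Object PSObject -Property @{ MinimumFreePtes = $min; Verdict = $verdict }
}

Get-UserVaSetting | Format-List Entry, Has3GB, UserVa, InRange
Test-FreeSystemPtes | Format-List MinimumFreePtes, Verdict
```

Run it after each /USERVA change and let it collect samples under normal load; a single idle reading says little about PTE pressure.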


Oz ozugurlu

Information Store fails with MSExchangeIS 9564

Problem: Information store won't come online, and event log has MSExchangeIS 9564

Cause: Antivirus software is causing the problem, in this case

Solution: Disable the AV from the registry and restart the Information Store service

The information store won't mount, and the event log will have the following error, Event ID 9564.

After performing several tests and disabling most of the services, I figured out the AV software was causing the issue. Disabling the AV from the registry did the trick.

Set Enabled to 0 to disable the AV.

Event Type: Error
Event Source: MSExchangeIS
Event Category: General
Event ID: 9564
Date: 6/28/2007
Time: 9:12:34 AM
User: N/A
Computer: CHTNCHAAP1

Error 0xffffffff starting the Microsoft Exchange Information Store.
Failed to init VSERVER.


Oz Ozugurlu

Monday, June 25, 2007

WebSense testlogserver -onlyip

We will investigate why Websense is blocking a URL even though the URL is not on any of the denied lists in Websense.

Problem: Websense is blocking the URL in question, which is not supposed to be blocked, and we are asked to figure out why.

Troubleshooting steps:

Log in to the Websense server and open Websense Enterprise Manager. Click Server, Settings, then Logging/Events.

Point the Log Server to the server itself, if it is not already. We are doing this to perform a test and find out why Websense is blocking this URL.

Now let's take a look at the services on the Websense server.

Websense Filtering Service

Filters and logs Internet and protocol traffic.

C:\Program Files\Websense\bin\EIMServer.exe -scm

Now drill down to this directory on your Websense server from a DOS command prompt:

C:\Program Files\Websense\bin>

In the bin directory we will execute an exe program called "testlogserver" with the switch -onlyip, as below:

C:\Program Files\Websense\bin>testlogserver -onlyip

The IP address passed to -onlyip in this example belongs to the workstation where I will open the internet browser and hit the URL in question.

I am basically telling Websense: if you see any traffic being generated from this IP, capture it.

As soon as I hit the website, I capture the data below on the DOS screen:

Using version 3
time=Fri Jun 22 17:33:49 2007 version=3
server= source= dest=
protocol= "http"
url= ""
port= "80"
category= 14 (GAMES)
disposition= 1025 (CATEGORY BLOCKED)
app type= ""
keyword= ""
user= "LDAP:// OU=Mail Test,OU=Service Accounts,OU=NHQ Region
bytes sent=0 bytes received=0 duration=0

As you can see, Websense is making a mistake and categorizing this URL as a game. If you are asking why (I asked Websense support), they said they make mistakes from time to time, which is why there is a recategorize option in the Websense application server: use it to recategorize this URL correctly (adding it into an allowed category).
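As an added example (not from the original post), this PowerShell parser reads the key=value records that testlogserver -onlyip prints, groups them by the time= line that starts each record, and reports the requests whose disposition is a block together with the category Websense applied. The capture below is constructed for the example; its IP addresses, URLs and user DN are placeholders, not values from the post. It assumes PowerShell 2.0 or later.

```powershell
# Added example (not from the original post): parse the key=value records that
# "testlogserver -onlyip" prints and report which requests Websense blocked and why.
# The sample capture below is constructed for this example; the URLs, IP addresses
# and user DN are placeholders, not values from the post. Assumes PowerShell 2.0+.

$sampleCapture = @'
Using version 3
time=Fri Jun 22 17:33:49 2007 version=3
server=10.0.0.5 source=10.0.0.50 dest=192.0.2.10
protocol= "http"
url= "http://www.example.invalid/"
port= "80"
category= 14 (GAMES)
disposition= 1025 (CATEGORY BLOCKED)
app type= ""
keyword= ""
user= "LDAP://CN=testuser,OU=Mail Test,OU=Service Accounts,DC=example,DC=invalid"
bytes sent=0 bytes received=0 duration=0
time=Fri Jun 22 17:35:02 2007 version=3
server=10.0.0.5 source=10.0.0.50 dest=192.0.2.11
protocol= "http"
url= "http://intranet.example.invalid/"
port= "80"
category= 0 (NONE)
disposition= 1024 (CATEGORY PERMITTED)
app type= ""
keyword= ""
user= "LDAP://CN=testuser,OU=Mail Test,OU=Service Accounts,DC=example,DC=invalid"
bytes sent=312 bytes received=5120 duration=1
'@

function ConvertFrom-TestLogServer {
    param([string[]]$Lines)

    $records = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^time=(.+?) version=(\d+)') {
            # A "time=" line starts a new record; flush the previous one.
            if ($null -ne $current) { $records += $current }
            $current = @{ Time = $Matches[1]; Version = [int]$Matches[2] }
            continue
        }
        if ($null -eq $current) { continue }   # skip the "Using version" header

        if ($line -match '^(category|disposition)=\s*(\d+)\s*\((.+)\)') {
            # e.g. category= 14 (GAMES)  /  disposition= 1025 (CATEGORY BLOCKED)
            $current[$Matches[1] + 'Code'] = [int]$Matches[2]
            $current[$Matches[1] + 'Name'] = $Matches[3]
        }
        elseif ($line -match '^(url|user|protocol|port)=\s*"(.*)"') {
            # e.g. url= "http://..."  /  user= "LDAP://..."
            $current[$Matches[1]] = $Matches[2]
        }
        elseif ($line -match '^server=(\S*) source=(\S*) dest=(\S*)') {
            # e.g. server=x source=y dest=z (values may be empty in a real capture)
            $current['Server'] = $Matches[1]
            $current['Source'] = $Matches[2]
            $current['Dest']   = $Matches[3]
        }
    }
    if ($null -ne $current) { $records += $current }
    $records | ForEach-Object { New-Object PSObject -Property $_ }
}

$parsed = ConvertFrom-TestLogServer -Lines ($sampleCapture -split "`r?`n")

# A BLOCKED disposition paired with a category is the miscategorization case the post
# recategorizes; list those with the category Websense used so the fix is targeted.
$parsed | Where-Object { $_.dispositionName -like '*BLOCKED*' } |
    Select-Object Time, Source, url, categoryName, dispositionName | Format-Table -AutoSize
```

To use it on a live capture, redirect the testlogserver output to a file and pass Get-Content of that file to ConvertFrom-TestLogServer.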


Oz ozugurlu

Sunday, June 24, 2007

How to forward mail using the "TargetAddress" attribute by creating a simple contact in Exchange

You can forward any mail you wish without having a mailbox; all you need is to create a contact. You will save CALs if you do it this way. You can also accept mail and forward it automatically to a vendor. Let's say your mail server is authoritative for your SMTP domain, and you want all e-mail sent to one address in that domain forwarded to an outside e-mail address. You do not want to create an account, due to security concerns, or you want to save your CALs.

Simply create a contact and add the internal SMTP address as a second SMTP address on the same contact. When mail is sent to that SMTP address, your Exchange server accepts the mail, since the SMTP address is valid and owned by a contact object; then your server sees that the TargetAddress attribute holds an outside SMTP address and forwards the mail out to the internet for delivery to that address.

If you never knew about the attribute called "TargetAddress", you would think this could only be achieved by enabling the forward option on a mailbox and pointing it to a contact.

It is simple and clean.
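As an added example (not from the original post), here is the same contact-based forwarding done from the Exchange 2007 Management Shell rather than by hand, with a verification step at the end. The addresses, contact name and OU are placeholders; ExternalEmailAddress is the parameter that populates targetAddress.

```powershell
# Added example (not from the original post): contact-based forwarding from the
# Exchange 2007 Management Shell. Domains, names and the OU are placeholders.
# -ExternalEmailAddress is what populates the targetAddress attribute.

$internalAddress = 'vendor-support@example.invalid'   # address your server is authoritative for
$externalAddress = 'helpdesk@vendor.invalid'          # where the mail should be forwarded
$contactOu       = 'example.invalid/Contacts'         # OU assumed to exist already

# 1. Create the contact; targetAddress is set to the outside SMTP address.
New-MailContact -Name 'Vendor Support' -Alias 'vendorsupport' `
    -ExternalEmailAddress "SMTP:$externalAddress" -OrganizationalUnit $contactOu | Out-Null

# 2. Add the internal SMTP address as a secondary proxy address so your server accepts
#    mail for it. Disable the e-mail address policy first, or the policy can rewrite the list.
Set-MailContact -Identity 'vendorsupport' -EmailAddressPolicyEnabled $false
$contact = Get-MailContact -Identity 'vendorsupport'
$contact.EmailAddresses += "smtp:$internalAddress"   # lowercase smtp: keeps the external one primary
Set-MailContact -Identity 'vendorsupport' -EmailAddresses $contact.EmailAddresses

# 3. Verify: the internal address must be accepted and targetAddress must point outside.
$check    = Get-MailContact -Identity 'vendorsupport'
$accepted = $check.EmailAddresses | Where-Object { $_.ToString() -ieq "smtp:$internalAddress" }
if ($accepted -and $check.ExternalEmailAddress.ToString() -ieq "SMTP:$externalAddress") {
    Write-Host "OK: mail to $internalAddress is accepted and relayed to $externalAddress"
} else {
    Write-Warning 'Contact is not set up as expected; inspect EmailAddresses and ExternalEmailAddress'
}
```

Because the forwarded mail leaves your organization, review what the forwarded address will receive; the contact relays everything the internal address accepts.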



Wednesday, June 20, 2007

Create Bulk Users from TXT File Exchange 2007

In this example we will create a bunch of test users from the EMS (Exchange Management Shell). I think getting the hang of the shell takes some time and is a challenge, but when we see the power of the new EMS, I am sure we will all like it a lot. There are a lot of samples on the web showing how to get this accomplished; I am putting in some extra effort so that someone who has never touched EMS can follow this article and create 50 users in 10 seconds. Let's go step by step through how to get this done in Exchange 2007.

  • Open EMS (Exchange Management Shell).
  • Now change your directory to the root directory (optional) by typing cd / at the Desktop> prompt.
  • Press Enter. Now you are in the root directory. Go ahead and type

    md BulkUsers

    and hit Enter (md is make directory; essentially you are creating a folder from EMS instead of the GUI).

    Type cd Bulk* (change directory to this folder).

All we have done so far is create a folder called BulkUsers and change our directory into this folder. Now type notepad in the EMS (Exchange Management Shell) and copy and paste the list below into it.

Save the file into the folder you have created and name it "IT.txt"

Now you are on EMS, copy and paste the following string into the EMS,

$Password=Read-Host "Enter Password" -AsSecureString

Note: if you neglect the - (dash) in front of AsSecureString, or do not type it at all, you will see the password while you are typing it in the Exchange Management Shell, which might cause security issues. Also make sure the password meets your complex password requirements; otherwise the script will fail with a corresponding error.

Enter your complex password (the password is going to be the same for all the accounts).

Now we are almost ready.

Import-CSV IT.txt | foreach {new-mailbox -alias $_.alias -name $ -userPrincipalName $_.UPN -database "SG1-MB1" -org IT -Password $Password}

Now, a couple of things above need to be changed:

  • -database "SG1-MB1"
  • -org IT

SG1-MB1 is, in my environment, Storage Group one, mailbox store one; this is the naming convention I came up with. In order to figure out what yours is, do this in the EMS (Exchange Management Shell):


[PS] C:\BulkUsers>Get-MailboxDatabase

As you can see in the table below, I could use any of these in the script above; once you have figured out yours, substitute it into the script.

Name     Server  StorageGroup  Recovery
----     ------  ------------  --------
SG1-MB1  EXC07   SG1           False
SG2-MB1  EXC07   SG2           False
SG3-MB1  EXC07   SG3           False


The second one is where we will be placing all these users. I have created an OU called IT, as below, and I am going to place all the users in this OU, so either create an OU with the same name in your AD or create something else, but don't forget to come back and modify the script.

Now we are ready to copy the script into the EMS and hit Enter. If we go back to ADUC and look in the IT OU we will see all the users listed there. Don't forget, if you need to create more users, just open the Notepad file and use CTRL + H (find and replace) as below. Enjoy creating users in Exchange 07. As you see, it is easy to create bulk users, and it is really powerful.


Oz ozugurlu

Tuesday, June 19, 2007

BlackBerry 4.0 handheld is not getting any mail

Most of the time I have seen problems such as this, where Outlook gets the message instance whereas the message never makes it to the handheld. We see our clients asking most of the time: is something wrong with the BES servers? I have not been getting mail on my BlackBerry for several hours.

Make sure the BES server is up and running. After you log in on the BlackBerry Manager, right-click and go to Properties; make sure SRP is connected and in the running state. You can go to the directory below on the BES server:

C:\Program Files\Research In Motion\BlackBerry Enterprise Server\Utility>

And type the name of the utility. I have copied all these EXE files to the %windir%\system32 directory so that I can execute them from DOS at any time.

  • -host <hostname> -port <port>
  • Allows administrators to back up and restore BlackBerry Server information, including configuration and user information, into a password-protected file.
  • HandheldCleanup -U: Perform handheld mailbox check and update.




Tip: if you type the EXE file name followed by a forward slash and a question mark, you get the usage of the utility, such as C:\>FixMapiSvc.exe /?

Now find the user who is complaining about not getting mail on his or her BlackBerry, and from BlackBerry Manager right-click the user and look at the user statistics.

  • Check the time the last message was received.
  • Check the time the last message was received by the handheld, and the last handheld contact.
  • Verify the latency. Now click Close.

Now right-click and send a Test E-mail to the client to verify whether it reaches the handheld or not.

Next, make sure the handheld is getting a fair signal. If you still have problems (mail is getting to the user's inbox but not to the handheld), take the battery out for a couple of minutes, put it back into the device, and perform the e-mail test one more time.

If you still have a problem, the device might have been bounced from a strong tower to the weakest one and be in a hung state. Check the routing table on the device: go to

  • Options,
  • Advanced options,
  • Host routing table

On the top routing entry, click and select Register Now. Go back and perform a test mail one more time.


Best Regards

Oz Ozugurlu

Monday, June 18, 2007

HTTP/1.1 401 Unauthorized


Here is the problem. The support team builds a new Exchange 2000 server into an existing environment and moves all the users from the working Exchange server to the new one. After the move is complete, the support team notices that no one can get to OWA, although Outlook works fine. The support team opens a case with the upper tier for resolution of this problem.

General information about the environment:

This organization is fairly large. Mail from outside passes through clustered ISA servers in the DMZ. The ISA servers host the host name for the URL, accept the traffic and pass it to the inside network through a second PIX. The request then comes to a Content Switch (CSS). The CSS has two load-balanced OWA servers. Each server has two NICs built in, one of which is dedicated to OWA traffic only, for traceability reasons. Each time an Exchange server is added to the SMTP domain, the IP address of the Exchange server needs to be added on the dedicated NIC as a persistent route. Simple batch files have been built for this purpose and are used for convenience:

route add MASK -p

If a route needs to be deleted, there is another batch file available:

route delete

After the content switch passes the traffic to the OWA server, the logon window appears. Note that this company is not using forms-based authentication for OWA. The user inputs a valid user name and password along with the correct DOMAIN name followed by a backslash; the window pops right back, the user repeats this process two more times, and then sees the following message in the browser:

"HTTP/1.1 401 Unauthorized"

Troubleshooting:

The upper tier logs on to the OWA servers and opens the browser. The first thing they do is type the host name of the internal mail server into the browser, followed by /Exchange.

They use a valid user name and password and verify that the user is not able to log in. The support team logs in to the mailbox server and checks all the IIS and Exchange-related virtual directories and permissions, finds several permission problems, and corrects them one by one. After they make sure all permissions look good, they go back and try to log in one more time, and successfully get to the user's mailbox sitting on this mailbox server by using the internal server host name followed by /Exchange. Now the support team goes back to one of the OWA servers, logs in to the FE (OWA) server, and tries to log in as the same user into OWA. The FE server should be able to locate the user's mailbox server as well as the authentication server (DC). The user name and password are then validated against the Active Directory NTDS.DIT database, and if the credentials are fine the user sees the mailbox.

While this test is being performed, the support team opens a DOS command prompt and types the following string:

netstat -n 1 | find ""

Those of you who know UNIX will know this command; the rest will find it very exciting and useful. netstat -n displays addresses and port numbers in numerical form. The number 1 tells it to refresh the window every one second. The pipe connects the following command, find "X.X.X.X", which filters for that IP address and shows whether any port connection to it is open. These are the ports we expect to see connections on: 389 and 3268 (DSAccess). After issuing the command (netstat -n 1 | find ""), the support team attempts to log in as the user, and no authentication happens on the OWA servers. Obviously the OWA servers don't even bother to talk to the domain controller for the mailbox server. The support team opens another CMD window and telnets into the domain controller that the local Exchange server is configured to talk to. Soon enough, the netstat -n window starts showing connections on both ports 389 and 3268.

The support team goes back to the first Exchange server and looks up its DNS IP addresses, and finds that the server's primary DNS address is configured for the ISP's DNS servers (surprise (-: ). They remove the ISP DNS server from the DNS list and add only the internal DC/GC IP address. They go back and make the same corrections on the new Exchange server. They use the following commands:

ipconfig /flushdns

ipconfig /registerdns

nbtstat -RR

Restart the Netlogon service on both servers (DC and the Exchange server).

After replication completes, users are able to log in through the corporate OWA link.

Best Regards

Oz Ozugurlu
Thursday, June 14, 2007

Create Bulk users with TXT File Exchange 2007 PART#1

I am getting used to the new Exchange Management Shell (EMS), and I enjoy it more the more discoveries I make that make my life easier. This tip is for total beginners. I quickly realized, and enjoy, that with the new MMC 3.0 the new EMS shows you a brief summary at the end of each task execution. This summary can be copied to Notepad or Word. First we will create a user using the GUI and look through the code to pick up some learning points. If you would like to read more about the Management Shell, read here. Honestly, the new shell is challenging the very first time for those who are not script people (I am one of them). The point I am trying to make is that creating a mailbox used to take some hundreds of lines of code; now it can be done with two lines. Also, each time we perform a task (creating users, groups, etc.), at the very end we get a summary of what code the shell has executed, and we can copy it, make some changes and reuse it. I think this is a great learning chance for us, for the first time in Microsoft history: we are able to see what is happening in the background, and we can generate the same operation in bulk using the code itself.

We click on New User and now we have to fill out a bunch of empty fields, as shown below.

What we are interested in is the Exchange Management Shell command, which is the same as what we have done with the GUI, ESM.

Summary: 1 item(s). 1 succeeded, 0 failed.
Elapsed time: 00:00:01

Exchange Management Shell command completed:

New-Mailbox -Name 'Exchange01' -Alias 'Exchange01' -OrganizationalUnit '' -UserPrincipalName '' -SamAccountName 'Exchange01' -FirstName 'Exchange01' -Initials '' -LastName 'Msexchange' -Password 'System.Security.SecureString' -ResetPasswordOnNextLogon $false -Database 'CN=SG3-MB1,CN=SG3,CN=InformationStore,CN=EXC07,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=smtp25,DC=org'

Elapsed Time: 00:00:01


So I am going to copy and paste the command here one more time:


New-Mailbox -Name 'Exchange01' -Alias 'Exchange01' -OrganizationalUnit '' `
    -UserPrincipalName '' -SamAccountName 'Exchange01' -FirstName 'Exchange01' `
    -Initials '' -LastName 'Msexchange' -Password 'System.Security.SecureString' `
    -ResetPasswordOnNextLogon $false `
    -Database 'CN=SG3-MB1,CN=SG3,CN=InformationStore,CN=EXC07,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=smtp25,DC=org'





If you look at the pattern in the table below, each line (parameter) starts with a - (dash) followed by the parameter name. After each parameter there is an apostrophe, the 'value or data', and a closing apostrophe. All other lines follow the same pattern. This is what we need to keep in mind to make our lives less painful while learning cmdlets.

  • New-Mailbox -Name 'Exchange01'
  • -Alias 'Exchange01'
  • -OrganizationalUnit ''
  • -UserPrincipalName ''
  • -SamAccountName 'Exchange01'
  • -FirstName 'Exchange01'
  • -Initials '' (no data)
  • -LastName 'Msexchange'
  • -Password 'System.Security.SecureString'
  • -ResetPasswordOnNextLogon $false
  • -Database 'CN=SG3-MB1,CN=SG3,CN=InformationStore,CN=EXC07,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=smtp25,DC=org'


Let's take a look at some of the parameters which are required to complete the creating a mailbox task. Some of these are optional.

To run the New-Mailbox cmdlet, the account you use must be delegated the following:

  • Exchange Recipient Administrator role
  • Account Operator role for the applicable Active Directory containers 

Here is the example from TechNet

The first example shows how to create a user Chris Ashton in Active Directory and create a mailbox for the user. The mailbox is located on Storage Group 1, in Mailbox Database 1. The password must be reset at the next logon. To set the initial value of the password, this example creates a variable, $password, prompts you to enter a password, and assigns that password to the variable as a SecureString object.


The second example shows how to create a user in Active Directory and a resource mailbox for a conference room. The resource mailbox is located on Storage Group 1, in Mailbox Database 1. The password must be reset at the next logon. The Exchange Management Shell will prompt for the value of the initial password, because it is not specified.


$password = Read-Host "Enter password" -AsSecureString

New-Mailbox -UserPrincipalName -alias chris -database "Storage Group 1\Mailbox Database 1" -Name ChrisAshton -OrganizationalUnit Users -password $password -FirstName Chris -LastName Ashton -DisplayName "Chris Ashton" -ResetPasswordOnNextLogon $true

New-Mailbox -UserPrincipalName -alias confmbx -name ConfRoomMailbox -database "Storage Group 1\Mailbox Database 1" -OrganizationalUnit Users -Room -ResetPasswordOnNextLogon $true


In Part 2 we will create bulk mailboxes from TXT files.
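As an added example (not from either post), here is the complete bulk-create run from the June 20 post written out with the New-Mailbox parameters this post walks through, plus per-row error reporting and a verification pass. The CSV rows are constructed sample data; the database name, OU and UPN suffix are placeholders that you replace with values from your own Get-MailboxDatabase output and your AD. It uses only parameters shown in the two posts and runs in the Exchange 2007 Management Shell.

```powershell
# Added example (not from the original posts): bulk mailbox creation from a CSV.
# Sample rows are constructed; database, OU and UPN suffix are placeholders.

$bulkDir   = 'C:\BulkUsers'
$csvPath   = Join-Path $bulkDir 'IT.txt'
$database  = 'SG1-MB1'      # pick one Name from Get-MailboxDatabase
$ou        = 'IT'           # OU must already exist in AD
$upnSuffix = 'smtp25.org'   # UPN suffix assumed for this example

if (-not (Test-Path $bulkDir)) { New-Item -ItemType Directory -Path $bulkDir | Out-Null }

# Constructed sample input; the header names are the ones the pipeline below relies on.
$csvContent = @'
Alias,Name,FirstName,LastName
ituser01,IT User01,IT,User01
ituser02,IT User02,IT,User02
ituser03,IT User03,IT,User03
'@
$csvContent | Set-Content -Path $csvPath

# -AsSecureString keeps the password off the screen; it is used for every account.
$password = Read-Host 'Enter password for all new accounts' -AsSecureString

$results = Import-Csv -Path $csvPath | ForEach-Object {
    $row = $_
    $upn = '{0}@{1}' -f $row.Alias, $upnSuffix
    $err = $null
    New-Mailbox -Name $row.Name -Alias $row.Alias -UserPrincipalName $upn `
        -SamAccountName $row.Alias -FirstName $row.FirstName -LastName $row.LastName `
        -OrganizationalUnit $ou -Database $database -Password $password `
        -ResetPasswordOnNextLogon $true -ErrorAction SilentlyContinue -ErrorVariable err | Out-Null
    # A password that fails the domain complexity policy shows up here, per row,
    # instead of aborting the whole run.
    $status = if ($err) { 'failed: ' + $err[0].Exception.Message } else { 'created' }
    $row | Select-Object Alias, @{Name = 'Status'; Expression = { $status }}
}
$results | Format-Table -AutoSize

# Verify: every alias from the file should now exist as a mailbox in the target OU.
$created = Get-Mailbox -OrganizationalUnit $ou | ForEach-Object { $_.Alias }
Import-Csv -Path $csvPath | Where-Object { $created -notcontains $_.Alias } |
    ForEach-Object { Write-Warning "Mailbox for $($_.Alias) was not created" }
```

Setting -ResetPasswordOnNextLogon $true, as the TechNet example does, means the shared initial password is only ever used once per account.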







Tuesday, June 12, 2007

550 5.7.1 Unable to relay

The question has been asked one more time about open relay and how we make sense of what is actually going on. I am not going to talk about how a mail server becomes an open relay, but I will try to help you understand how a simple Telnet test can be performed and how to read the output of this little test. A Telnet test involves establishing a Telnet session from a computer that is not located on the local network to the external (public) IP address of the Exchange server. You need to carry out the test from a machine at home, or from another office. Doing the test from a machine on your own network will produce useless results.

Start a command prompt.

Click Start, Run and type CMD.

Type telnet 25, inserting your own external IP address between telnet and 25.

You should get a response back similar to the following:

220 mail.server.domain Microsoft ESMTP MAIL Service, Version: 6.0.2790.0 Ready at

Type the following command in to the telnet windows:

helo (note: the name after helo can be anything except your real domain, the one your Exchange server is responsible for)

250 Hello []


250 2.1.0 OK


550 5.7.1 Unable to relay for


Let's try to understand what happened in the lines above. We telnet into the recipient mail server on port 25 by typing

telnet 25

We got a 220 from the mail server with its SMTP banner.

We said hello the SMTP way by typing the helo line on the command line and hitting Enter.

We got 250 back from the recipient mail server (250 means everything is okay so far).

We said we will send you a mail and the mail is coming from a sender address (this is a totally made-up SMTP address; you could write anything, without the @ part, or even an empty <>).

We got 250 one more time (the recipient mail server says: sure, now tell me who you are sending this mail to), which we do by typing the rcpt line.

rcpt to (here is the catch: the recipient mail server is authoritative for its own SMTP namespace. I am talking to this mail server pretending to be someone I am not, and I am telling it to accept mail for a user in a domain it does not own. The server will, or should, think this way: why is this person asking me to accept mail for an SMTP domain on behalf of a user, when I am not authoritative for that domain? So it refuses to accept mail for this SMTP domain and issues the following message:

550 5.7.1 Unable to relay for the recipient. If you get 250 instead, it means your server is an OPEN relay, meaning the server accepts mail for SMTP domains it is not authoritative for.
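As an added example (not from the original post), here is the same dialogue automated in PowerShell so that you can repeat it against your own server's public address from outside the network. It sends only HELO, MAIL FROM and RCPT TO for a domain your server is not authoritative for, then RSET and QUIT, so no message is ever delivered. The host names and addresses are placeholders; it assumes PowerShell 2.0 or later and a plain (non-TLS) port 25 listener.

```powershell
# Added example (not from the original post): the telnet relay test, automated.
# It stops after RCPT TO and never sends DATA, so nothing is delivered.
# Hostnames and addresses are placeholders. Assumes PowerShell 2.0+ and plain SMTP on port 25.

function Test-SmtpRelay {
    param(
        [string]$Server,                                      # your external MX / Exchange address
        [int]$Port = 25,
        [string]$HeloName = 'relaytest.invalid',              # anything except your own domain
        [string]$MailFrom = 'nobody@relaytest.invalid',       # made-up sender, as in the post
        [string]$RcptTo   = 'someone@third-party.invalid'     # domain your server is NOT authoritative for
    )

    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"    # SMTP lines end with CRLF
    $writer.AutoFlush = $true

    # Reads one SMTP reply; continuation lines are "250-...", the last line is "250 ...".
    function Read-Reply {
        do { $line = $reader.ReadLine() } while ($line -match '^\d{3}-')
        $line
    }

    $log = @()
    $log += Read-Reply                                        # 220 banner
    foreach ($cmd in "HELO $HeloName", "MAIL FROM:<$MailFrom>", "RCPT TO:<$RcptTo>") {
        $writer.WriteLine($cmd)
        $log += Read-Reply
    }
    $rcptReply = $log[-1]
    $writer.WriteLine('RSET'); $log += Read-Reply            # abandon the envelope, no DATA
    $writer.WriteLine('QUIT'); $log += Read-Reply
    $client.Close()

    # Only the RCPT TO reply decides the verdict, exactly as the post explains.
    $code = $rcptReply.Substring(0, 3)
    $verdict = switch -regex ($code) {
        '^250'     { 'OPEN RELAY: server accepted RCPT TO for a domain it is not authoritative for' }
        '^55[0-4]' { 'Relay denied (expected)' }
        default    { "Unexpected reply $code; inspect the transcript" }
    }
    New-Object PSObject -Property @{
        Server = $Server; RcptReply = $rcptReply; Verdict = $verdict; Transcript = $log
    }
}

# Placeholder target: replace with your own server's public address.
Test-SmtpRelay -Server 'mail.example.invalid' | Format-List Server, RcptReply, Verdict
```

A greylisting or rate-limiting server may answer RCPT TO with a 4xx code; that lands in the default branch and should be retried later rather than read as a verdict.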


Oz Ozugurlu

Friday, June 8, 2007

Why transaction logs are 1 MB in Exchange 2007

The transaction log size in Exchange 2007 is set to 1 MB, unlike Exchange 2003 where it is 5 MB. What is the reason behind this reduction in size?

The answer ties into one of Exchange 2007's newest features, log shipping: where are we going to transport live Exchange logs in Exchange 2007?

The answer is a couple of new features offered by Exchange 07, local continuous replication (LCR) and cluster continuous replication (CCR).

Log shipping is tied to the features below:

  • local continuous replication
  • cluster continuous replication

When these features are enabled, SG transaction logs get copied from the running production SG to the copy SG. The logs on the copy SG are replayed into the database to keep it up to date. The catch is that a transaction log can't be sent to the copy SG until the log is closed on the production SG. To let the logs close quickly, their size was reduced to 1 MB from 5 MB. Smaller transaction logs also carry less risk of losing a large amount of data. Honestly speaking, if you lose data you are losing data, but since the mechanism is fast and the risk is minimized, the loss should be smaller and recovery time much faster.


Oz ozugurlu

Thursday, June 7, 2007

Which Exchange topology is best for you?

Below is taken straight from Microsoft articles and best practices explaining the basic topologies and giving a clear picture of their implementations. The golden rule is always to keep it simple and not make it complicated. The more complicated any type of design gets, the more potential problems you are looking at, so if you don't need it, don't try to deploy a resource forest; stick to a single forest, take advantage of the simple design, and lay down your Active Directory with more granular control over a multiple-OU structure. Exchange is an application integrated with AD as if cast in stone. Most Exchange administrators deal with Active Directory and other applications relying on mail capabilities. Therefore, if you do not have a security reason for going into a resource forest implementation, stick with the simple design and save yourself a headache.

Single Forest

If your organization has a single Active Directory forest, you can implement Exchange in that forest. The single forest Exchange design is recommended because it offers the richest set of mail system features and has the most streamlined administrative model. Because all resources are contained in a single forest, a single global address list (GAL) contains all users across the entire forest. The following figure illustrates this scenario

The single forest option offers the following advantages:

  • Provides the richest set of mail system features
  • Allows for a streamlined administrative model
  • Leverages an existing Active Directory structure
  • Uses existing domain controllers and global catalog servers
  • Does not require provisioning or synchronization

The main disadvantage associated with this option is that administrators need to determine how to share or divide responsibilities for managing

Using a Dedicated Exchange Forest (Resource Forest)

There are some cases in which you may need to set up a separate Active Directory forest that is dedicated to running Exchange. For instance, you may have a Windows NT forest that you want to retain. Or, you may need to separate administration of Active Directory objects and Exchange objects; therefore, you may want to set up a separate Active Directory forest dedicated to running Exchange. Companies that require security (forest) boundaries between Active Directory administration and Exchange administration may choose this option.

The Exchange forest (also known as the resource forest) is dedicated to running Exchange and hosting mailboxes. User accounts are contained in one or more forests, referred to as the account forests, which are separate from the resource forest. For more information about deploying Exchange in a multiple forest environment, see Planning to Deploy Exchange in a Multiple Forest Environment.

The enabled user from the account forest is associated with a mailbox attached to a disabled user in the resource forest. This configuration allows users to access mailboxes that reside in different forests. In this scenario, you configure a trust between the resource forest and the account forest. You may also need to set up a provisioning process so that each time an administrator creates a user in Active Directory, a disabled user with a mailbox is created in Exchange.

Using Multiple Forests with Exchange

Although a single-forest topology is recommended because it provides the richest set of messaging features, there are various reasons for implementing multiple forests. Some of these reasons include:

  • You have multiple business units that require data and service isolation.
  • You have multiple business units that have separate schema requirements.
  • You are confronted with a merger, acquisition, or divestiture.

Whatever the case may be, the only way to establish strict boundaries between business units is to create a separate Active Directory forest for each business unit. If this is your Active Directory configuration, the preferred way to implement Exchange is to create an Exchange resource forest. For more information about this, see "Using a Dedicated Exchange Forest." For additional information on how mergers and acquisitions can impact your Active Directory topology, see "Active Directory Implications of Mergers and Acquisitions."

However, if the resource forest option is not feasible (for example, with mergers or acquisitions, or because multiple forests are already running their own instances of Exchange), you can implement Exchange across multiple forests, as illustrated in the following figure.

Exchange deployed in multiple forests, with synchronization between forests (classic multiple forest configuration)

Oz Ozugurlu

Active Directory NTDS.DIT Database

The Active Directory database is called NTDS.DIT (DIT stands for Directory Information Tree). By default it is installed in the following directory:

C:\windows\NTDS\NTDS.DIT

It is essential for Exchange administrators to know and understand the structure of the .DIT database, since Exchange-related information is stored in the Domain, Configuration and Schema partitions of Active Directory. DNS zone data, of course, contains the records (host records) that every host in the Active Directory environment uses.


.DIT Database in Active Directory 2000

Domain partition (RDO, resident directory objects): DNS data is stored here (.DIT, Windows 2000 AD)
Configuration partition: contains information about other domains; Exchange organization information is held here, as well as in the Domain and Schema partitions
Schema partition: definition of objects


Domain Partition

(Resident directory object)

This partition stores the following objects: users, groups and computer accounts. All of these are resident directory objects that live in this partition. With Windows 2000 Active Directory, DNS data is also stored here.


Schema Partition

The definition of an object is called the schema. All domain controllers must agree on the definition of an object, and this definition is replicated to all other domain controllers in the Active Directory FOREST, so that every domain controller agrees about the schema.


Configuration partition

It contains information about all other domain controllers; it lets every domain controller know of the existence of the other domain controllers, where they are, what their names are, and so on.


.DIT Database in Active Directory 2003

Domain partition (RDO, resident directory objects)
Configuration partition: contains information about other domains; Exchange organization information is held here, as well as in the Domain and Schema partitions
Schema partition: definition of objects
Application partition: application-specific data, such as DNS zone data (DNS data is stored here)


Microsoft realized the problem with the partitioned .DIT database in Windows 2000: the DNS zone data was being kept in the Domain partition of the database, so when replication occurred, this data was replicated to domain controllers that were not DNS servers. The problem was fixed in the partitioned .DIT database of the Windows 2003 architecture by adding an additional partition, called the application partition, where DNS zone data is stored, which avoids the unnecessary replication.

Where is Exchange recipient-related information kept in the .DIT database?
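As an added example (not code from the original post or from Microsoft), the script below reads RootDSE to map the partitions described above and then queries each one for the Exchange data it holds: the organization container in the Configuration partition, the msExch* attribute definitions in the Schema partition, and the recipients (including the disabled, linked mailbox users of a resource forest) in the Domain partition. It assumes a domain-joined Windows host with read access to Active Directory and that Exchange ForestPrep has already extended the schema.

```powershell
# Added example (not from the original post). Assumes a domain-joined Windows
# host with read access to AD and that Exchange ForestPrep has been run.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNC = $rootDse.defaultNamingContext.Value
$configNC = $rootDse.configurationNamingContext.Value
$schemaNC = $rootDse.schemaNamingContext.Value
"Domain partition        : $domainNC"
"Configuration partition : $configNC"
"Schema partition        : $schemaNC"
# Every other naming context is an application partition (on Windows Server
# 2003 the DomainDnsZones/ForestDnsZones partitions hold the DNS zone data).
$standard = @($domainNC, $configNC, $schemaNC)
foreach ($nc in $rootDse.namingContexts) {
    if ($standard -notcontains $nc) { "Application partition   : $nc" }
}

function Search-Partition {
    param([string]$Base, [string]$Filter, [string[]]$Props)
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://$Base"
    $s.Filter     = $Filter
    $s.PageSize   = 500   # paged search, so counts are not capped at 1000
    foreach ($p in $Props) { [void]$s.PropertiesToLoad.Add($p) }
    $s.FindAll()
}

# Configuration partition: the Exchange organization container.
Search-Partition -Base "CN=Microsoft Exchange,CN=Services,$configNC" `
    -Filter "(objectClass=msExchOrganizationContainer)" -Props @("name") |
    ForEach-Object { "Exchange org (config NC): $($_.Properties['name'][0])" }

# Schema partition: the msExch* attribute definitions added by ForestPrep.
$exchAttrs = Search-Partition -Base $schemaNC `
    -Filter "(&(objectClass=attributeSchema)(lDAPDisplayName=msExch*))" `
    -Props @("lDAPDisplayName")
"msExch* attributes in schema NC: $($exchAttrs.Count)"

# Domain partition: the recipient data. A mailbox user that carries
# msExchMasterAccountSid is a linked (resource-forest) mailbox.
Search-Partition -Base $domainNC -Props @("mail", "homeMDB", "msExchMasterAccountSid") `
    -Filter "(&(objectCategory=person)(objectClass=user)(homeMDB=*))" |
    Select-Object -First 10 | ForEach-Object {
        $p = $_.Properties
        $kind = if ($p['msExchMasterAccountSid'].Count -gt 0) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($p['msExchMasterAccountSid'][0], 0)
            "linked to account-forest SID $sid"
        } else { "regular mailbox user" }
        "Recipient (domain NC): $($p['mail'][0]) -> $($p['homeMDB'][0]) [$kind]"
    }
```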


Best Regards