Tuesday, July 29, 2008

Some Ramblings on Designing Active Directory and Exchange

There are many high-level documents on designing AD and Exchange available from Microsoft as well as on individual blogs. Depending on the administrator's experience, it is possible to read and implement the best practices for stability and business continuity. I wanted to underline some of the basic implementation points for AD and Exchange design.

Active Directory

We start with AD because Active Directory is the base for any application. As an Active Directory Domain Services administrator, we all must understand that a healthy AD requires healthy DNS, and Exchange sits on top of this picture. Therefore, knowing, understanding and implementing the basics and the best practices always leads to stability in many environments.

Separation of roles and responsibilities (the business needs to decide this)

The first step is to define roles such as the following:

  • Domain administrators
  • Enterprise administrators
  • Help desk
  • Network security
  • Exchange administrators

Then define a naming convention that separates admin accounts from regular accounts:

  • YY-oz or zz-oz (admin), or anything else that makes this type of separation visible
  • Oz (regular account), $_Exchange (service account), TE-john (temporary employee)
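As an added example (not from the original post), here is a Python audit of the separation just described, run over a constructed account export. The prefixes zz-, $_ and TE- follow the convention above; the privileged group names and the export format (SamAccountName;MemberOf) are assumptions.

```python
import csv
import io

# Groups that carry admin rights. Assumed names, chosen to match the roles
# listed in the post (Domain/Enterprise/Exchange administrators).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Exchange Administrators"}

# Constructed sample export (assumed format: SamAccountName;MemberOf with the
# groups separated by "|"), standing in for a real AD user export.
SAMPLE_EXPORT = """SamAccountName;MemberOf
oz;Domain Users
zz-oz;Domain Admins|Domain Users
john;Domain Users|Exchange Administrators
TE-john;Domain Users|Domain Admins
$_Exchange;Domain Users
zz-mary;Domain Users
"""


def account_kind(sam):
    """Classify an account name by the convention used in the post."""
    lowered = sam.lower()
    if lowered.startswith("zz-"):
        return "admin"
    if lowered.startswith("$_"):
        return "service"
    if lowered.startswith("te-"):
        return "temp"
    return "regular"


def load_export(text):
    """Parse the export into (sam, set-of-groups) pairs."""
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    return [(row["SamAccountName"], set(filter(None, row["MemberOf"].split("|"))))
            for row in reader]


def audit_separation(accounts):
    """Return findings that violate the admin/regular separation.

    - a regular, temp or service account holding privileged group membership
      (more rights than the account's role needs)
    - an admin-named account holding no privileged membership (either the name
      is wrong or the account is stale and should be reviewed)
    """
    findings = []
    for sam, groups in accounts:
        kind = account_kind(sam)
        privileged = groups & PRIVILEGED_GROUPS
        if kind != "admin" and privileged:
            findings.append((sam, "%s account in %s" % (kind, ", ".join(sorted(privileged)))))
        elif kind == "admin" and not privileged:
            findings.append((sam, "admin-named account without privileged group"))
    return sorted(findings)


if __name__ == "__main__":
    for sam, reason in audit_separation(load_export(SAMPLE_EXPORT)):
        print("%-12s %s" % (sam, reason))
```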

The AD (Active Directory) OU structure needs to be designed (or redesigned) either geographically, by business function, or as a mix of both.

Having two sub OUs under a primary OU allows GPOs to be applied to the PCs, to the user accounts, or to both. For example, an OU called HR (Human Resources):


  • HR (Human Resources)
    • HR computers (sub OU)
    • HR users (sub OU)

HR computers and users are placed in these sub OUs, and the logical naming convention (or any other standard) is applied there as well.
Of course, having a simple naming convention for accounts and other objects (PCs) is very important, especially in a large environment (follow some type of standard).

  • Giving anyone more rights than they need is, to me, the most common mistake organizations make; in my opinion the cause is poor planning and lack of knowledge.
  • Monitoring Active Directory database replication is mission critical for almost any environment.
  • Policies are only good as long as they are enforced; if no one makes sure they are being followed, many things will not get done correctly.
  • SOPs (standard operating procedures) need to be built for the business.
  • The SOPs include installing a server step by step and installing the applications the business uses.
  • The SOPs also clearly define which RAID level is to be used for a given type of installation.
  • For instance, a best-practice domain controller build looks as follows:

Domain controller (64-bit Windows 2003 SP2, 8 GB memory):

  • C drive: OS and logs, RAID 1+0
  • D drive (NTDS): SysVol and the .DIT database, RAID 1+0
  • H drive: CD-ROM


For the Exchange installation, follow the vendor's best practices for the disk configuration when working with a SAN back end. The OS installation should be basic RAID 1+0 for redundancy. If at all possible, install the Exchange binaries on separate disk spindles with the correct RAID configuration. The rule is that whatever RAID configuration provides the fastest reads and writes will give the best results. Understand and implement the basic mechanics behind applications such as Exchange and the type of operations they perform most; this dictates the RAID level when designing Exchange for a given environment.

  • Logs
  • Databases
  • Exchange binaries
  • Develop strategies for the backup
  • Leave a spare mail store (Enterprise edition) if at all possible, so that you never have to run ESEUTIL: move mailboxes around and delete the databases that contain white space. Taking Exchange offline for defragmentation is pointless and involves more effort.


Also, monitoring your investment is very important: large enterprise networks will need to monitor AD, the Exchange databases and the related services. In a small environment the network administrator will include this in their daily tasks.


Oz Ozugurlu

MVP (Exchange)


MCSE 2003, M+, S+, MCDST

Security+, Project +, Server +

Blog: http://www.smtp25.blogspot.com

Sunday, July 20, 2008


As I promised, I am posting basic AD (Active Directory) questions. The questions below are homework for my Saturday MCSE class. Hopefully, when everyone in the class becomes an MCSE 2003, they will all go for the Exchange 2007 class, which will start shortly after the MCSE one (-: (this was a commercial, by the way).

The answers to the questions below should be pretty short. If you find yourself thinking about or trying to explain a concept below for more than a couple of minutes or more than one or two sentences, I would say you need AD steroids, which I think is the webcast "Active Directory Inside Out" by Michael Murphy. After learning AD, I strongly recommend to all my students that they learn about Exchange 2007.


  1. What is Active Directory?
  2. What is a domain?
  3. What is inside the Active Directory database? Describe the content.
  4. A domain is no longer a security boundary as it was in NT 4.0. Why?
  5. What is a domain controller?
  6. What is a standalone server?
  7. What is an object?
  8. What does DNS stand for? What port does DNS use, and what is DNS used for in Active Directory?
  9. What do you understand by Active Directory integrated DNS?
  10. What is an attribute?
  11. What is the schema?
  12. What is an organizational unit (OU)?
  13. What are the three primary functions of OUs?
  14. What is a forest?
  15. What is a GC (Global Catalog server)? Define it.
  16. What is a tree?
  17. If my company's DNS namespace is father.org and I want to have two child domains, what would the DNS namespace be for the names below?




Friday, July 18, 2008

Active Directory 2008

Active Directory is, without question, the most important constituent of Microsoft networking. Most people do not even realize that all the other applications run on top of AD and its .DIT database. Recent AD cleanup work I did for a large client made me start seeing AD from a different perspective. Exchange is only one of the applications that depends heavily on, or will die without, Active Directory. Active Directory in turn needs healthy DNS in order to function properly, or else it will suffer from many diseases, such as not being able to locate the resources clients need, or replication failures. Below is some good information I decided to summarize.

Therefore, the equation goes this way:

  • Exchange = AD = DNS (where "=" means "needs")

For most administrators, interaction with the AD database starts with daily operational tasks such as creating users and groups. The fact of the matter is that every time one of these tasks is performed, the administrator touches or modifies the .DIT database, using ADUC (the Active Directory Users and Computers snap-in).

The .DIT database is a partitioned database; three partitions constitute it:

  • Domain
  • Configuration
  • Schema

The AD DS (Active Directory Domain Services) database is stored by default in:

  • %SystemRoot%\NTDS\NTDS.dit (Directory Information Tree)

The components of the .DIT data store are described below (the ESE is implemented in Esent.dll).

Lightweight Directory Access Protocol (LDAP)

LDAP v3 is the most common interface used by directory clients to locate information in the directory store. LDAP v3 is backward compatible with LDAP v2. Clients can use port 389 (the standard LDAP port), port 636 (LDAP secured by SSL), port 3268 (for global catalog lookups), and port 3269 (Global catalog LDAP secured by SSL) to access the LDAP interface. Clients can also use UDP Port 389 for both LDAP and Netlogon (this interface is used to locate domain controllers).

Messaging API (MAPI)

MAPI is used by messaging clients such as Outlook to access the Microsoft Exchange Server data stored in the data store. Exchange Server 2000 and later use the AD DS data store to store all recipient information, and the MAPI interface enables messaging clients to access the Global Address List (GAL). MAPI uses RPC communication.


Directory System Agent (DSA)

The DSA (which runs as Ntdsai.dll on each domain controller) provides the data store access interfaces. In addition, the DSA enforces directory semantics, maintains the schema, guarantees object identity, and enforces data types on attributes. When clients or other domain controllers need to access the directory store, they use one of the supported interfaces to connect (bind) to the DSA and then search for, read, and write to AD DS objects and their attributes.

Database layer

The database layer resides in Ntdsai.dll. It provides an internal interface between the DSA and the directory database. The DSA cannot connect directly to the database; all access goes through the database layer. The database layer also provides an object view of the directory database, making the data accessible to the DSA as a set of hierarchical containers.

The database layer is also responsible for the creation, retrieval, and deletion of individual records (objects), attributes within records, and values within attributes.

The Extensible Storage Engine (ESE)

The ESE is a Windows component used by AD DS, as well as by several other Windows components, as an interface to the database. It is responsible for indexing the data in the database file and for transferring data in and out of the database. It also maintains the rows and columns that comprise the database. Its purpose is to enable applications to store and retrieve data. The ESE also implements the transactional process for committing changes to the database.

The data store stores directory information in a single database file. In addition, the data store also uses transaction log files, to which it temporarily writes uncommitted changes, as well as committed transactions prior to committing them to the database.


Domain:

  • The domain is the boundary of replication.
  • The domain is the boundary of the DNS namespace.
  • The domain is the boundary of administration.
  • The domain is also the boundary of authentication.

Domain Controller:

  • The authentication server is the domain controller.


DNS (Domain Name Service/System):

  • We use DNS to reference objects and locate the services offered by a domain.
  • In addition, DNS is required to locate computers, services and any other information available in Active Directory.

Global Catalog server

  • The Global Catalog server is a central repository. It holds a partial, read-only replica of all the other domain directory partitions in the forest. All domains in the tree share a common global catalog server. The GC contains references to all objects in Active Directory, regardless of which domain the objects were created in. That is why the global catalog server is very important.
  • Without a global catalog, a search request received by a domain controller for an object in a different domain would result in that domain controller referring the query to a domain controller in the object's domain.
  • Global catalog queries are identical to any other LDAP query against a Windows Server 2008 domain controller. The only difference is that the global catalog query uses TCP port 3268 rather than TCP port 389, which is the standard LDAP port. If a domain controller that is also a global catalog server receives a query on port 389, it will not search the global catalog for objects in other domains.

User Logons

Global catalog servers are also used when processing user logons.

  • Every time a user logs on to a domain, a global catalog server is contacted.
  • This is because nonglobal catalog domain controllers do not contain any information about universal group membership.
  • Universal groups can contain user and group accounts from any domain in a particular forest.
  • Since universal group membership is forest-wide, group membership can only be resolved by a domain controller that has forest-wide directory information.

In order for an accurate security token to be generated for the user seeking authentication, the global catalog must be contacted to determine the user's universal group membership.

Windows Server 2008 supports a feature known as universal group membership caching that makes it possible to log on to a Windows Server 2008 network without contacting a global catalog. Universal group membership can be cached on nonglobal catalog domain controllers after a user has logged on to that domain controller.

After this information is obtained from a global catalog, it is cached on the domain controller for the site indefinitely and is periodically updated (by default every 8 hours). Enabling this feature results in faster logon times for users in remote sites, as the authenticating domain controllers do not have to access a global catalog.


Tree:

A hierarchy of domains forming a contiguous namespace that maps to the DNS infrastructure. What defines a tree is the contiguous namespace:

  • Father.com
  • Son.Father.com
  • Sister.Father.com

There are not many differences between AD 2003 and AD 2008. There are several improvements in AD 2008, but a good solid base in AD 2003 will cover almost 85 percent of the knowledge, in my opinion. The book I am currently reading, "Windows Server 2008 Active Directory Resource Kit" from Microsoft Press, has great information in this regard. If you want an AD 2008 book, this one is highly recommended.


Friday, July 11, 2008

Why an Exchange admin must secure the logs with his life

I am reading a great TechNet article about the architecture of Exchange databases and decided to post some of it as-is on my blog and give the reference link to it.

The key points are as follows.

The information store works hand in hand with the following components:

  • MAPI
  • Information Store
  • Database engine
  • Operating System disk I/O

The database engine

  • The Exchange database engine caches the disk in memory by swapping 4 KB chunks of data in and out.
  • These chunks are called pages, and they move in and out of memory.
  • The engine updates the pages in memory and takes care of writing new or updated pages back to the disk.
  • This makes the system more efficient, because writing to memory is FASTER.

When users make requests (let's say using Outlook):

  • The database engine starts loading the requests into memory and marks the pages as "dirty" (a dirty page is a page in memory that has been written with data).
  • Now we know who is actually corrupting Exchange databases; it is all the users' fault, isn't it (- :
  • These dirty pages are then later written to the information store databases on disk.

The information on disk is never completely up-to-date

  • Although caching data in memory is the fastest and most efficient way to process data, it means that while Exchange is running, the information on disk is never completely up-to-date.
  • Since many changes in memory haven't made it onto disk yet, the database and memory are out of sync.

Take moving a message from "Inbox" to "Important": the message is deleted from one folder and inserted into the other. Because these operations are done in one transaction, Exchange will perform either none or all of them. As a result, it doesn't matter in which order Exchange performs the operations. The message can safely be deleted from "Inbox" first, because the system knows the delete will only be committed if the message is also inserted into "Important". Thanks to transactions, even if the system crashes, it is guaranteed that Exchange will never lose an e-mail message while moving it. What's more, Exchange will never end up with two copies of a message that was moved. The sequence of events when a user sends a message is:

  • The user sends a message.
  • MAPI calls the information store to tell it that the user is sending the message.
  • The information store starts a transaction in the database engine and makes the corresponding changes to the data.
  • The database engine records the transaction in memory by dirtying a new page in memory.
  • At about the same time, the database engine secures the transaction in the transaction log file and creates a log record. When the database engine reaches the end of a transaction log file, it rolls over and creates a new log file in sequence.
  • The database engine writes the dirty page to the database file on disk.
  • The checkpoint file gets updated.
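The log, dirty page, database and checkpoint cycle above as a toy Python model (an added example, not code from the original post or from Exchange/ESE itself): every change is secured in the log before the page cache is touched, and recovery replays log records newer than the checkpoint. The file names priv1.db, E00.log and E00.chk are stand-ins for the real ones.

```python
import json
import os
import tempfile


class ToyMailStore:
    """Toy model of the log -> dirty page -> database -> checkpoint cycle
    described above; folders are the pages, message ids map to subjects."""

    def __init__(self, directory):
        self.db_path = os.path.join(directory, "priv1.db")   # database file
        self.log_path = os.path.join(directory, "E00.log")   # transaction log
        self.chk_path = os.path.join(directory, "E00.chk")   # checkpoint file
        self.pages = {}      # page cache in memory: folder -> {msg_id: subject}
        self.dirty = set()   # folders changed in memory but not yet on disk
        self.lsn = 0         # log sequence number of the last record written
        if os.path.exists(self.db_path):
            with open(self.db_path) as fh:
                self.pages = json.load(fh)

    def _apply(self, op):
        """Apply one operation to the page cache and mark that page dirty."""
        folder = self.pages.setdefault(op["folder"], {})
        if op["kind"] == "insert":
            folder[op["msg_id"]] = op["subject"]
        else:
            folder.pop(op["msg_id"], None)
        self.dirty.add(op["folder"])

    def commit(self, ops):
        """Secure the whole transaction in the log, then dirty the pages."""
        self.lsn += 1
        with open(self.log_path, "a") as fh:
            fh.write(json.dumps({"lsn": self.lsn, "ops": ops}) + "\n")
            fh.flush()
            os.fsync(fh.fileno())  # the log record is on disk before memory changes
        for op in ops:
            self._apply(op)

    def move_message(self, msg_id, src, dst):
        """Delete from src and insert into dst as ONE transaction: all or nothing."""
        subject = self.pages[src][msg_id]
        self.commit([
            {"kind": "delete", "folder": src, "msg_id": msg_id},
            {"kind": "insert", "folder": dst, "msg_id": msg_id, "subject": subject},
        ])

    def flush(self):
        """Write the dirty pages to the database file and advance the checkpoint."""
        with open(self.db_path, "w") as fh:
            json.dump(self.pages, fh)
        with open(self.chk_path, "w") as fh:
            fh.write(str(self.lsn))
        self.dirty.clear()

    def recover(self):
        """Replay log records newer than the checkpoint; return how many."""
        checkpoint = 0
        if os.path.exists(self.chk_path):
            with open(self.chk_path) as fh:
                checkpoint = int(fh.read() or 0)
        self.lsn, replayed, records = max(self.lsn, checkpoint), 0, []
        if os.path.exists(self.log_path):
            with open(self.log_path) as fh:
                records = [json.loads(line) for line in fh]
        for record in records:
            self.lsn = max(self.lsn, record["lsn"])
            if record["lsn"] > checkpoint:   # older records are already in the database
                for op in record["ops"]:
                    self._apply(op)
                replayed += 1
        self.flush()
        return replayed


def crash_and_recover_demo(keep_log=True):
    """Commit a move, lose the page cache before it is flushed, then recover.
    keep_log=False deletes the log first: the committed move is then lost."""
    workdir = tempfile.mkdtemp()
    store = ToyMailStore(workdir)
    store.commit([{"kind": "insert", "folder": "Inbox", "msg_id": "m1", "subject": "Q3 plan"}])
    store.flush()                                   # m1 is now in the database file
    store.move_message("m1", "Inbox", "Important")  # logged and dirty, never flushed
    if not keep_log:
        os.remove(store.log_path)
    recovered = ToyMailStore(workdir)               # "crash": only disk state survives
    return recovered.recover(), recovered.pages
```

With the log intact, recovery lands the move exactly once; with the log gone, the database still holds the pre-move state, which is the point of the title.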




Monday, July 7, 2008


The questions below are very generic and are asked many times by Exchange administrators. I decided to share one of my posts on MSExchange.org with you here.


What does moving mailboxes to a new store do to single instancing of attachments? I feel my store will grow 20% if I do this.
----Yes, breaking the DB into smaller DBs will cause SIS to break, but remember that having one huge 65 GB mail DB is not efficient for the Exchange server, in my opinion. Exchange utilizes what Microsoft terms a single-instance message store. This single-instance message store works on a per-database basis. If you break the 65 GB into 4 databases of 15 GB (the last one 18 GB), it will be much easier for Exchange to deal with these smaller databases than one big database; your performance will increase and your backup will be happier.

---What is this SIS? It is shared message storage, if you like: Exchange stores one copy of a message and creates pointers to it from multiple mailboxes within the same mail store. If a message is sent to one recipient, and the message is copied to 20 other recipients who reside in the same mailbox store, Exchange Server maintains only one copy of the message in its database. Exchange Server then creates pointers.

These pointers link both the original recipient and the 20 additional recipients to the original message. If the original recipient and the 20 additional recipients are moved to another mailbox store, only one copy of the message is maintained in the new mailbox store.

The new mailbox store can be on another server in the same site or in an administrative group. If the server is in another site, single-instance storage is retained only if you use the Move Mailbox Wizard in Microsoft Exchange Server 2003 Service Pack 1 (SP1) or later versions.

The Exchange Server 2003 SP1 Move Mailbox Wizard introduced a new Cross Administrative Group Move feature that lets you move mailboxes across administrative groups.


I have a mailbox store of 65 GB with an STM of 17 GB, so 83 GB total. My 1221 says I can recover 18 GB, although I expect to grow internally with new users and have implemented a 3rd-party archiver called Sunbelt Exchange Archiver, which replaces single instancing at that point.

----A 65 GB database is too big for Exchange to handle (generally speaking). You have the Exchange Enterprise version; you should not let your mail DB grow this big. This tells me there is poor planning in the design of your Exchange environment, assuming you are not maxed out on all the available databases and are not even utilizing them. Why?????

The simple rule is: the smaller the database, the happier Exchange will be (and your backup and performance as well).

I would implement the design below and distribute the mailboxes equally (you want to keep a mail store or two empty, so that you never ever have to use ESEUTIL again: simply move the mailboxes around at night and delete the ones getting polluted with white space).


  • SG1-MB1
  • SG1-MB2
  • SG1-MB3
  • SG1-MB4
  • PF1


  • SG2-MB1
  • SG2-MB2
  • SG2-MB3
  • SG2-MB4
  • SG2-MB5 (empty, use for maintenance)


  • SG3-MB1
  • SG3-MB2
  • SG3-MB3
  • SG3-MB4
  • SG3-MB5 (empty, use for maintenance)


  • SG4-MB1
  • SG4-MB2
  • SG4-MB3
  • SG4-MB4
  • SG4-MB5 (empty, use for maintenance)

The problem with any archiving software is that when you run the third-party utility, it will go to Exchange, index all the mail you specified within the time range, and leave a shortcut in the user's mailbox. The idea is great: the user won't even notice where the mail is; they click on the shortcut icon, and at that time the mail data (most likely sitting on some type of SAN environment) comes back to the Exchange mail store so that the user can see it. When you index 63 GB of mail data, the size of the database won't change; you will end up with WHITE SPACE. Therefore you will have to keep some empty mail stores to move user mailboxes into and delete the ones with white space. Don't even bother with ESEUTIL; it is a waste of time.


So do I create a new storage group (I have Enterprise), or do I just create a new store in the First Storage Group? Like current Mailbox Store to new Mailbox Store, or is it better to create a new storage group, like First Storage Group Mailbox Store to Second Storage Group Mailbox Store?

--I have already answered this question: the design mentioned above is true for Exchange 2003; the new recommended implementation is 1 SG + one DB for Exchange 2007.



Friday, July 4, 2008

Unable to read the header of logfile

If you do have a good information store or brick-level backup, read the section "Restore with good backup" below.


An Exchange 2000 information store is not mounting. All Exchange services seem to be running; however, when attempting to mount the databases, Exchange reports a generic error.


Most of the problems I have seen similar to this one are caused by the human factor. Running Exchange on very old, crappy servers and not performing hardware refreshes results in huge time consumption when it comes to database repair.

The application log on the Exchange server is one of the most important places for an Exchange administrator to go and gather Exchange-related information, because the Exchange-specific events are logged there.

Here is one of the errors on the problem Exchange server:

Event Type: Error

Event Source: ESE

Event Category: Logging/Recovery

Event ID: 412

Date: 7/3/2008

Time: 1:40:37 PM

User: N/A



Information Store (4948) e53f288d-df1b-47ba-9c3b-901e530848a5: Unable to read the header of logfile E:\exchsrvr\mdbdata\E003C9F3.log. Error -530.


The event log and the error description point to corruption in the Exchange database, so we decide to repair the database. Those of you who have experience fixing database problems with Exchange will remember the tool called "ESEUTIL", which can normally be found in the "BIN" folder of the directory where the Exchange binaries are installed.

  • Open CMD.
  • Navigate to this directory (use the Windows GUI to confirm the Exchange installation directory).
  • ESEUTIL /? (if you want to see the available switches)
  • ESEUTIL /P (repairs a corrupt offline database by discarding any pages that cannot be fixed)
  • C:\Program Files\Exchsrvr\BIN>eseutil -p E:\exchsrvr\mdbdata\priv1.stm (this is what I used)
  • Now, depending on your server hardware resources, ESEUTIL will take time to complete.

PS: Do not get frustrated with ESEUTIL; the process will take as much time as it wants to take. There is not much to do but wait patiently, so go get a cup of coffee.

Here are some nice guidelines to keep on the side.

  • You run Eseutil /P first.
  • Then you run Eseutil /D.
  • Then run Isinteg -fix -test alltests.
  • Plan on moving the mailboxes from the repaired database to a newly created database. Never trust a repaired database for long-term use; it will likely cause issues further down the road.

For Isinteg:

  • "Isinteg -s (servername) -fix -test alltests"

If you encounter problems, here are some more things to try:

  • Stop all exchange services.
  • Delete all *.log files
  • Move the "E00.log" and "E00.chk" files to another folder.
  • Mount the Information Stores.

Restore with good backup

If you do have an information store level backup and your log files, go ahead and restore from your backup and save the day. If you only have a brick-level backup (VERITAS or similar products), you are still good.

Go to ESM, find the locations of the Exchange databases, and rename all databases to "old-Priv1.edb", "old-Priv1.stm" and so on. Now mount the databases; Exchange will warn you and say that if you force it to do this, it is going to create brand new mail databases, and everyone will get a brand new mailbox, meaning no previous mail data. That is fine; go ahead and click OK. Now make sure all mailboxes are accessible and Exchange is happy. Then go to your backup software and perform a brick-level restore. This will bring all mail data back to the time of the last good backup.

Why do we want to do this instead of attempting to repair the database? Eseutil /P might consume an enormous amount of time in some situations, especially if the server you will be running Eseutil on is weak on hardware CPU and memory resources (a crappy server). I have witnessed cases where the /P took a day to complete.

Also remember that Microsoft recommends not keeping a repaired database around too long, since it tends to get corrupted again.


Is it possible to defragment a mounted information store?

After running ESEUTIL /P on one of the Exchange servers we maintain, I am quickly realizing this will take a long time to complete, and of course I am hanging out at the "MSExchange.org" Exchange forums. An excellent place to hang out; there is so much to learn there. (- :

Here is a great question asked by one of our members, and I wanted to blog it here to share the point with all my friends.


Is it possible to defragment a mounted information store?
What would be the risk? What are the benefits if any?


This is a good question, and Exchange_Geek provided you with an excellent MS link explaining the difference between offline and online defrag. I most often get asked the same question, and therefore I wanted to make sure that when you read the MS article provided here, you clearly understand the difference between offline and online defrag when it comes to Exchange databases.

"During the offline defragmentation process, Eseutil.exe creates a new database. It copies only the in-use database records to the new database file, which results in a new compact database file. An offline defragmentation is the only method that reduces the physical file size of the databases"

As you can see, the way it works is that Exchange creates a new "EMPTY" database and starts copying the data from the original database into this newly created DB; at the end it deletes the original database, which may contain white space (space that cannot be used by the database), and now you have a brand new DB that contains only mail data.

It is like when your car tires get really dirty and old and you order new ones, but keep your rims with the new tires. You still want to drive the car while the work is being done (-:, but no, you cannot; you need to sit and wait until the new tires are put on the car and the mechanic makes sure it is safe to drive.

Enjoy your coffee until then (this happens when you use "ESEUTIL" with any of the switches).




Wednesday, July 2, 2008

Replication is not working, receiving "Access Denied"

One of the domain controllers in our DMZ stopped replicating, and we started getting an "Access Denied" message on the problem domain controller. After increasing the diagnostic logging on the problem domain controller with the following registry key, we found the problem and the quick fix.

  • CurrentControlSet\Services\NTDS\Diagnostics

We identified that the NTP source was statically defined on the problem domain controller. To see the NTP setting, issue the following command from CMD:

  • net time /querysntp

Kerberos security is essentially dependent upon all computers being in sync: five minutes by default in an Active Directory domain. This is not only true for user authentication but also for the AD replication service. This was the initial problem we had: the problem DC was 7 minutes behind the PDC, and it was configured to sync with an external time source, for unknown reasons (I did not do it, believe me). To see the current setting and change it, we issued the following commands from CMD:

  • net time /querysntp
  • net time /setsntp:server,server,etc

Issuing net time /setsntp with an empty server name reset the problem DC to sync with the PDC again; after rebooting the problem DC, deleting all replication objects and clicking "Check Replication Topology" re-established the connections, and replication started happening.
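An added example (not from the original post) of checking a machine's clock against its time sources and classifying the offset against the default five minute Kerberos tolerance: it is plain Python SNTP rather than net time or w32tm, and the server names in the main block are assumptions.

```python
import socket
import struct
import time

NTP_UNIX_DELTA = 2208988800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)
KERBEROS_MAX_SKEW = 300       # default Kerberos clock tolerance in an AD domain: 5 minutes


def parse_transmit_timestamp(packet):
    """Return the server's Transmit Timestamp (bytes 40-47 of an SNTP reply) as Unix seconds."""
    if len(packet) < 48:
        raise ValueError("SNTP reply shorter than 48 bytes")
    seconds, fraction = struct.unpack("!II", packet[40:48])
    return seconds - NTP_UNIX_DELTA + fraction / 2 ** 32


def clock_offset(packet, local_now):
    """Positive offset means the local clock is behind the time source."""
    return parse_transmit_timestamp(packet) - local_now


def kerberos_skew_status(offset):
    """Classify an offset against the five minute tolerance."""
    if abs(offset) <= KERBEROS_MAX_SKEW:
        return "ok"
    return "behind" if offset > 0 else "ahead"


def query_sntp(server, timeout=3.0):
    """Send a client-mode SNTP request (LI=0, VN=3, Mode=3) and return the raw 48-byte reply."""
    request = b"\x1b" + b"\x00" * 47
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, 123))
        packet, _ = sock.recvfrom(48)
    return packet


def build_reply(unix_seconds):
    """Construct a server-mode SNTP reply whose Transmit Timestamp is unix_seconds
    (test helper standing in for a real reply from query_sntp)."""
    whole = int(unix_seconds) + NTP_UNIX_DELTA
    fraction = int((unix_seconds - int(unix_seconds)) * 2 ** 32)
    return b"\x1c" + b"\x00" * 39 + struct.pack("!II", whole, fraction)


def check_sources(servers, local_now=None, fetch=query_sntp):
    """Compare the local clock against every source: {server: (offset_seconds, status)}.
    fetch is injectable so the check can also run against constructed replies."""
    local_now = time.time() if local_now is None else local_now
    results = {}
    for server in servers:
        try:
            offset = clock_offset(fetch(server), local_now)
            results[server] = (round(offset, 3), kerberos_skew_status(offset))
        except (OSError, ValueError) as exc:
            results[server] = (None, "unreachable: %s" % exc)
    return results


if __name__ == "__main__":
    # Assumed source names: the domain's PDC emulator and an external time server.
    # A DC in tolerance with one source but out of tolerance with the other is
    # exactly the mixed configuration described in the post.
    for name, result in check_sources(["pdc.example.local", "time.windows.com"]).items():
        print(name, result)
```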

Well, I lost a lunch to Paul Yu (Microsoft) for troubleshooting the problem, and to LaRosa, Enrique. I also have to admit that having Jason Weaver around feels like having insurance, since one never knows when a deadly accident will occur.



Tuesday, July 1, 2008

MVP AWARD and making a difference

Today is for sure one of the happiest days of my life. It is July the first, and I received the Exchange MVP award today. I would like to say a million thanks to all my friends and students who helped me achieve one of the biggest goals and dreams of my life.

I would like to pass my special thanks to James Chong (Exchange MVP), the whole MSExchange.org family and members, all my friends, Andy Goran, and Dean T Uemura (Exchange MVP).

My team from work, the Exchange Engineers (Brad, Jeff, Jason, Pushpendu, Rony, Scott, Josh, Gene).

Thanks to all of you for your continuous support and encouragement over time; I could not have done it without you all.

Here is my MVP profile at Microsoft.

"I love Exchange"

All the best,

Oz ozugurlu