Tuesday, July 29, 2008

Some Rumblings on Designing Active Directory and Exchange

There are many high-level documents on designing AD and Exchange available from Microsoft as well as on individual blogs. Depending on the administrator's experience, it is possible to read and implement the best practices for stability and business continuity. I wanted to underline some of the basics of AD and Exchange design and implementation.

Active Directory

We start with AD because Active Directory is the base for every other application. As Active Directory Domain Services administrators, we all must understand that a healthy AD requires healthy DNS, and Exchange sits on top of this picture. Therefore, knowing, understanding, and implementing the basics and the best practices always leads to stability in many environments.

Separation of roles and responsibilities (the business needs to decide this)

The first step is to define the roles, such as the ones below:

  • Domain administrators
  • Enterprise administrators
  • Help desk
  • Network security
  • Exchange administrators

Then define a naming convention that separates admin accounts from regular accounts, for example:

  • YY-oz or zz-oz (admin account); any prefix that makes this type of separation visible will do
  • Oz (regular account), $_Exchange (service account), TE-john (temporary employee)

The AD (Active Directory) OU structure needs to be designed, or redesigned, using either a geographically dispersed design, a function-based design, or a mix of both.

Having two sub-OUs under a primary OU allows GPOs to be applied to either the PCs, the user accounts, or both; for example, an OU called HR (Human Resources).


Sub-OUs

HR computers and users will be placed in the sub-OUs below. The logical naming convention (or any other standard) will be implemented there as well.

[Diagram: HR (Human Resources) OU with its sub-OUs]
Of course, having a simple naming convention for accounts and other objects (PCs) is very important, especially in a large environment (follow some type of standard).
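As an added example (not from the post), the check below encodes the naming convention above and flags accounts whose group membership does not match their account type, which is one way to enforce the policy rather than just write it down. The prefix patterns and the privileged group names are assumptions drawn from the post's samples, and the account records are constructed.

```python
import re

# Naming convention from the post, expressed as regular expressions.
# The exact prefixes are an assumption based on the post's samples
# (YY-oz / zz-oz admin, Oz regular, $_Exchange service, TE-john temp).
ACCOUNT_PATTERNS = {
    "admin":   re.compile(r"^(yy|zz)-[a-z]+$", re.IGNORECASE),
    "service": re.compile(r"^\$_[a-z0-9]+$", re.IGNORECASE),
    "temp":    re.compile(r"^te-[a-z]+$", re.IGNORECASE),
    "regular": re.compile(r"^[a-z]+$", re.IGNORECASE),
}

# Groups whose members must be dedicated admin accounts.
# Role names follow the post; the exact AD group names are assumed.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Exchange Administrators"}


def classify(sam_account_name):
    """Return the account type implied by the naming convention, or 'unknown'."""
    for kind, pattern in ACCOUNT_PATTERNS.items():
        if pattern.match(sam_account_name):
            return kind
    return "unknown"


def audit(accounts):
    """accounts: list of (sAMAccountName, set of group names) -> list of (name, finding)."""
    findings = []
    for name, groups in accounts:
        kind = classify(name)
        privileged = groups & PRIVILEGED_GROUPS
        if kind == "unknown":
            findings.append((name, "does not follow the naming convention"))
        if privileged and kind != "admin":
            # Only accounts named as admin accounts may hold privileged roles.
            findings.append((name, f"{kind} account holds {', '.join(sorted(privileged))}"))
    return findings


# Constructed sample of accounts and their group memberships.
SAMPLE_ACCOUNTS = [
    ("zz-oz", {"Domain Admins"}),                  # admin account in an admin group: fine
    ("Oz", {"Domain Users"}),                      # regular account: fine
    ("john", {"Domain Users", "Domain Admins"}),   # regular account with admin rights: finding
    ("$_Exchange", {"Exchange Administrators"}),   # service account holding an admin role: finding
    ("TE-john", {"Domain Users"}),                 # temporary employee: fine
    ("oz.admin", {"Enterprise Admins"}),           # off-convention name and privileged: two findings
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_ACCOUNTS):
        print(f"{name}: {finding}")
```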

  • Giving anyone more rights than they need is, to me, the most common mistake organizations make; in my opinion the cause is poor planning and lack of knowledge.
  • Monitoring Active Directory database replication is mission critical for almost any environment.
  • Policies are only good as long as they are enforced; if no one makes sure they are being followed, many things will not get done correctly.
  • SOPs (standard operating procedures) need to be built for the business.
  • The SOP includes installing a server step by step and installing the applications for the business.
  • The SOP also clearly defines what RAID level needs to be used for a given type of installation.
  • For instance, the best practices for installing domain controllers are as follows:

  C drive: OS & logs (64-bit Windows 2003 SP2, 8 GB memory), RAID 1+0
  D drive (NTDS): SYSVOL & .DIT database, RAID 1+0
  H drive: CD-ROM


For the Exchange installation, follow the vendor's best practices for the disk configuration when working with a SAN back end. The OS installation should be basic RAID 1+0 for redundancy. If at all possible, install the Exchange binaries on separate disk spindles with the correct RAID configuration. The rule is that whatever RAID configuration provides the fastest reads and writes will give the best results. Do understand and implement the basic mechanics behind applications such as Exchange and what type of operations they perform the most. This will dictate the RAID configuration when designing Exchange for a given environment.

  • Logs
  • Databases
  • Exchange binaries
  • Develop a backup strategy
  • Leave a spare mail store (Enterprise edition) if at all possible so that you never have to run ESEUTIL. Move mailboxes around and delete the databases that contain white space. Taking Exchange offline for defragmentation is pointless and involves more effort.


Also, monitoring your investment is very important; large enterprise networks will need to monitor AD, the Exchange databases, and related services. In a small environment the network administrator will include this in their daily tasks.


Oz Ozugurlu

MVP (Exchange)
MCSE 2003, M+, S+, MCDST

Security+, Project +, Server +

Blog: http://www.smtp25.blogspot.com
