The Active Directory (AD) is the backbone of Windows 2000, providing a single repository for resource and service location, account information, and security policy. In the earlier Windows NT environment, security information was stored in the Security Account Manager (SAM) database. Replication of the SAM followed a single-master model: changes were made on the primary domain controller (PDC) and replicated to the backup domain controllers (BDCs). If the PDC became unavailable, an administrator promoted a BDC to take over the role. Each account listed in the SAM was assigned a security identifier (SID), and it was the SID, not the account name, that was compared against access permissions whenever the account attempted to use a secured resource.
In Windows NT, the PDC held the only writable, authoritative copy of the domain's accounts. A domain could have only one PDC, but any number of BDCs could be installed. BDCs received a read-only copy of the PDC's account database and could share the work of authenticating logons.
Windows 2000 replaces the domain SAM database with the Active Directory. Replication of the Active Directory is multimaster: every domain controller holds a writable copy of the directory, and a change made on any one of them is replicated to all the others. In addition to account information and group memberships, the Active Directory stores and maintains computer accounts, published services, and the security properties of each user or other security principal. Information in the Active Directory is protected by the Windows 2000 access control model and by Kerberos authentication, each discussed later in the article.
Windows NT and Exchange 5.5 (and earlier) maintained separate security databases that were administered independently. Although each account in the Exchange directory was mapped to an entry in the Windows NT SAM, the two objects were distinct and permissions were assigned to each separately. Permissions for Exchange administration and for user access were granted from within the Exchange 5.5 Administrator program and stored in the Exchange 5.5 directory database.
In contrast, Windows 2000 and Exchange 2000 share a single security database, the Active Directory. Whereas an Exchange 5.5 mailbox is an independent object that is merely mapped to a Windows NT account in the SAM, an Exchange 2000 mailbox is expressed as a set of Exchange attributes on the Windows 2000 user object itself. Every security setting for Exchange 2000 therefore lives in the Active Directory, which makes AD one of the most critical components of Exchange security.
To provide integration with Exchange, an object in the Active Directory can be in one of three states:
Mailbox-enabled: A mailbox-enabled object is the equivalent of an Exchange 5.5 mailbox recipient. Only user accounts can be mailbox-enabled in Active Directory. When a user is created in an Exchange 2000-enabled domain, an additional wizard page is offered for entering the mailbox-specific information.
Mail-enabled: A mail-enabled object has an e-mail address but no mailbox. Exchange 2000 groups and contacts are examples of mail-enabled objects.
Groups and contacts in Exchange 2000 are the equivalents of distribution lists and custom recipients in Exchange 5.5.
Mail-disabled: A mail-disabled object has no e-mail address at all. Groups that exist only for security purposes, such as Domain Admins or Print Operators, are examples of mail-disabled objects.
When you create a new user in an Exchange 2000-enabled domain, you are prompted to specify the Exchange-specific entries for the object (the mailbox alias, and the server and mailbox store that will hold the mailbox).
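The three states above are not a field in the directory; they have to be inferred from which Exchange attributes are present on an object. The following script is an added example, not code from the original article, that classifies objects from an LDIF export (the format produced by the Windows 2000 ldifde tool) and flags the case the article rules out, a mailbox on something other than a user object. The attribute names it keys on (homeMDB, mail, targetAddress, proxyAddresses, mailNickname) are the Exchange schema extensions as I know them; the article does not name them, so treat them as assumptions. The LDIF below is constructed sample data, not a real export.

```python
"""Classify Active Directory objects by Exchange mail state from an LDIF export.

Added example, not from the original article. Attribute names (homeMDB, mail,
targetAddress, proxyAddresses, mailNickname) are assumed to be the Exchange 2000
schema extensions; the sample LDIF is constructed, not a real directory dump.
A real export would come from e.g.:
  ldifde -f objects.ldf -d "DC=example,DC=test" -r "(|(objectClass=user)(objectClass=group)(objectClass=contact))" -l "objectClass,sAMAccountName,mailNickname,mail,homeMDB,proxyAddresses,targetAddress"
"""
import base64
from collections import defaultdict

# Constructed sample LDIF in the shape ldifde produces (folded line, base64 value).
SAMPLE_LDIF = """\
dn: CN=Alice Adams,OU=Users,DC=example,DC=test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: alice
displayName:: QWxpY2UgQWRhbXM=
mailNickname: alice
mail: alice@example.test
homeMDB: CN=Mailbox Store (MAIL1),CN=First Storage Group,CN=InformationStore,
 CN=MAIL1,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,
 CN=Example,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=test
proxyAddresses: SMTP:alice@example.test
proxyAddresses: X400:c=us;a= ;p=Example;o=Exchange;s=Adams;g=Alice;

dn: CN=Sales,OU=Groups,DC=example,DC=test
objectClass: top
objectClass: group
sAMAccountName: Sales
mailNickname: sales
mail: sales@example.test
proxyAddresses: SMTP:sales@example.test

dn: CN=Bob Partner,OU=Contacts,DC=example,DC=test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: contact
mailNickname: bpartner
mail: bob@partner.test
targetAddress: SMTP:bob@partner.test

dn: CN=Domain Admins,CN=Users,DC=example,DC=test
objectClass: top
objectClass: group
sAMAccountName: Domain Admins

dn: CN=Print Operators,CN=Builtin,DC=example,DC=test
objectClass: top
objectClass: group
sAMAccountName: Print Operators

dn: CN=Oddball,OU=Groups,DC=example,DC=test
objectClass: top
objectClass: group
sAMAccountName: Oddball
mailNickname: oddball
homeMDB: CN=Mailbox Store (MAIL1),CN=First Storage Group,CN=MAIL1,DC=example,DC=test
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts (attribute names lower-cased).

    Handles folded continuation lines (leading space) and base64 values ('attr:: b64').
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:      # continuation of the previous line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    records, current = [], None
    for line in logical + [""]:                  # trailing "" flushes the last record
        if not line.strip():
            if current is not None:
                records.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                # 'attr:: base64value'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = defaultdict(list)
        current[name.strip().lower()].append(value)
    return records


def mail_state(rec):
    """Return 'mailbox-enabled', 'mail-enabled' or 'mail-disabled' for one record.

    homeMDB (the mailbox store DN) marks a mailbox; an address without a store
    is mail-enabled only; no address at all is mail-disabled.
    """
    if rec.get("homemdb"):
        return "mailbox-enabled"
    if rec.get("mail") or rec.get("targetaddress") or rec.get("proxyaddresses"):
        return "mail-enabled"
    return "mail-disabled"


def audit(text):
    """Map each DN to (state, flags). Flags a mailbox on any object that is not a user."""
    result = {}
    for rec in parse_ldif(text):
        state = mail_state(rec)
        classes = {c.lower() for c in rec.get("objectclass", [])}
        flags = []
        if state == "mailbox-enabled" and "user" not in classes:
            flags.append("mailbox on non-user object")
        result[rec["dn"][0]] = (state, flags)
    return result


if __name__ == "__main__":
    for dn, (state, flags) in audit(SAMPLE_LDIF).items():
        print(f"{state:16} {dn}" + (f"  ** {', '.join(flags)}" if flags else ""))
```

The Oddball group is deliberately given a homeMDB value that no supported tool would write, so the audit reports it; in a real directory that condition is worth investigating, since the only things that can set it are direct LDAP writes by someone holding write access to the object.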
Security Options in Active Directory
Installing Exchange 2000 into a Windows 2000 forest (the ForestPrep step of setup) extends the schema with Exchange-specific classes and attributes, and every mail-enabled object can then carry these additional attributes. In the default view of Active Directory Users and Computers, user objects gain an Exchange General tab, an E-mail Addresses tab, and an Exchange Features tab. Choosing View, Advanced Features exposes a further Exchange Advanced tab, which is where the Mailbox Rights button (the mailbox's own access control list) is found. To view or edit the security options of a mailbox-enabled user, open the Active Directory Users and Computers MMC snap-in and use these tabs.
The Exchange tabs appear only on computers where the Exchange System Management Tools (Exchange System Manager) are installed, because they are a snap-in extension rather than part of the directory. The attributes themselves are always present in Active Directory and can be read or changed with any LDAP tool, such as ADSI Edit, by anyone holding write permission on the object.