
Installing and Configuring the Basics of Exchange Server 2013 for a Brand-New Environment (part 4)

10/7/2013 1:54:31 AM

10. Planning a Proper Sites and Services Architecture

As stated earlier, Exchange Server 2013, like its predecessors Exchange Server 2007 and Exchange Server 2010, can natively use Active Directory Sites and Services to route mail, rather than requiring an independent routing topology built and maintained with connectors.

Administrators should be aware of the best practices for designing a proper Sites and Services architecture to support Exchange Server 2013. From a high-level perspective, within AD it is necessary for administrators to create sites, allocate subnets to sites, and then create site links between sites for communication to occur.

Active Directory Sites

The basic unit of AD replication is known as the site. Not to be confused with physical sites or Exchange Server sites, the AD site is simply a group of domain controllers connected by high-speed network connections. Each site is established to more effectively replicate directory information across the network. In a nutshell, domain controllers within a single site will, by default, replicate more often than those that exist in other sites. The concept of the site constitutes the centerpiece of replication design in AD.

Associating Subnets with Sites

In most cases, a separate instance of a site in AD physically resides on a separate subnet from other sites. This idea stems from the concept that the site topology most often mimics, or should mimic, the physical network infrastructure of an environment.

In AD, sites are associated with their respective subnets to allow for the intelligent assignment of users to their respective domain controllers. For example, consider the design shown in Figure 2.


Figure 2. Sample Exchange Server and Client site assignment.

In this example, Server-EX01 is a physical member of the 192.168.115.0/24 subnet. Server-EX02 and Client01 are both members of the 192.168.116.0/24 subnet. Based on the subnets, Server-EX01 will automatically be assigned to the domain controller Server01 in SITE01, and Server-EX02 and Client01 will be assigned to the domain controller in SITE02.

Using Site Links

By default, the creation of two sites in AD does not automatically create a connection linking the two sites. This type of functionality must be manually implemented by the creation of a site link.

A site link is essentially a connection that joins together two sites and allows for replication traffic to flow from one site to another. Multiple site links can be set up and should normally follow the wide area network (WAN) lines of your organization. Multiple site links also assure redundancy so that if one link goes down, replication traffic has an alternate path.

Site link replication schedules can be modified to fit the requirements of your organization. If, for example, the WAN link is saturated during the day, a schedule can be established to replicate information at night. This functionality allows you to easily adjust site links to the needs of any WAN design.

Exchange Server 2013 and Site Membership

After the AD site topology has been created, including adding the appropriate subnets to sites and creating site links between sites, an administrator can now take Exchange Server placement into consideration.

Similar to AD domain controllers, Exchange Server 2013 servers will be associated with sites in AD based on their IP address and subnet mask. As stated earlier, there should be at least one domain controller/global catalog server residing in each site in which an Exchange Server 2013 server resides.
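
The subnet-based site assignment from Figure 2, together with the rule that every site holding an Exchange server needs a global catalog, can be checked with a short script. This is an added example, not code from the original article: the host addresses and Server-EX03 are constructed, and the sample global catalog list deliberately leaves SITE02 empty so that the check has something to flag.

```powershell
# Added example. Subnets and site names follow Figure 2; host addresses and
# Server-EX03 are constructed. Live data would come from Get-ADReplicationSubnet,
# Get-ADDomainController and Get-ExchangeServer.
$subnets = @(
    [pscustomobject]@{ Name = '192.168.115.0/24'; Site = 'SITE01' }
    [pscustomobject]@{ Name = '192.168.116.0/24'; Site = 'SITE02' }
)
$globalCatalogs = @(   # constructed: SITE02 is left without a global catalog
    [pscustomobject]@{ Name = 'Server01'; Site = 'SITE01' }
)
$exchangeServers = @(
    [pscustomobject]@{ Name = 'Server-EX01'; Address = '192.168.115.10' }
    [pscustomobject]@{ Name = 'Server-EX02'; Address = '192.168.116.10' }
    [pscustomobject]@{ Name = 'Server-EX03'; Address = '192.168.117.10' }
)

function ConvertTo-IPv4Number([string]$Address) {
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    # Weighted sum instead of bit shifts, so no sign or byte-order surprises.
    return [double]$b[0] * 16777216 + $b[1] * 65536 + $b[2] * 256 + $b[3]
}

function Resolve-AdSite([string]$Address, [object[]]$Subnets) {
    $ip = ConvertTo-IPv4Number $Address
    $best = $null
    $bestPrefix = -1
    foreach ($s in $Subnets) {
        $network, $prefix = $s.Name -split '/'
        $block = [math]::Pow(2, 32 - [int]$prefix)
        $inSubnet = [math]::Floor($ip / $block) -eq [math]::Floor((ConvertTo-IPv4Number $network) / $block)
        # The most specific (longest-prefix) subnet wins.
        if ($inSubnet -and [int]$prefix -gt $bestPrefix) {
            $best = $s.Site
            $bestPrefix = [int]$prefix
        }
    }
    return $best   # $null when no subnet object covers the address
}

foreach ($ex in $exchangeServers) {
    $site = Resolve-AdSite $ex.Address $subnets
    if (-not $site) {
        $status = 'address is not covered by any subnet object'
    } elseif ($globalCatalogs.Site -contains $site) {
        $status = 'site has a global catalog'
    } else {
        $status = 'site has NO global catalog server'
    }
    '{0,-12} {1,-15} {2,-7} {3}' -f $ex.Name, $ex.Address, $site, $status
}
```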


Note

If an AD infrastructure already exists prior to the design of the Exchange Server 2013 environment, there might be a need to make changes to the AD routing topology to support the Exchange routing requirements.


Establishing a Proper Global Catalog Placement Strategy

Another area of importance is the design and placement of global catalog servers within the environment. The importance of the global catalog server cannot be overstated. The global catalog is used for the address list that users see when they are addressing a message and by Exchange servers every time a message is delivered. If a global catalog server is not available, the recipient’s address will not resolve when users address a message, and the message cannot be delivered.

There should be at least one global catalog server in every AD site that contains an Exchange Server 2013 server. The recommendation from Microsoft is as follows:

If Active Directory is running on a 32-bit system, the recommendation is 4:1—for every four processor cores in your Mailbox servers, you should have one processor core in a global catalog server. For example, if you have two Mailbox servers, each with dual quad-core processors, that is 16 processor cores. You should have at least 4 processor cores' worth of global catalog computing, so 1 quad-core server or 2 dual-core servers should do the trick.

If Active Directory is running on a 64-bit system, the recommended ratio is 1:8. However, you must have enough memory installed on the server to cache the entire Active Directory database in memory. To confirm the size of your Active Directory database, look at the size of the %WINDIR%\NTDS\NTDS.DIT file.

For optimization, plan on having a global catalog server close to the clients to provide efficient address list access. Making all domain controller servers global catalog servers is recommended for an organization that has a single AD domain model and a single site. Otherwise, for multidomain models, all domain controllers can be configured as global catalog servers except for the domain controller hosting the Infrastructure Master FSMO role.


Note

It is a best practice to have at least two global catalog servers within an AD infrastructure.


11. Understanding Role Based Access Control

Exchange Server 2013 uses the Role Based Access Control (RBAC) permissions model on the Mailbox and Client Access server roles. As with Exchange Server 2010, Exchange Server 2013 provides predefined roles, role groups, and role assignment policies to facilitate the assignment of permissions to administrators and users.

Using RBAC allows you to easily control what your administrators and users can (and cannot) access. Rather than applying permissions directly to user accounts, the permissions are applied directly to the role. To facilitate assigning multiple roles to administrators, Exchange Server 2013 includes role groups. Role groups can contain Active Directory users, universal security groups, and other role groups. Roles assigned to a role group grant permissions to all members of the role group.

In addition, role assignments can be “scoped” to include only specific resources within the organization. The role (and the permissions associated with it) allows certain tasks to be accomplished, while the role scope determines what resources can be administered.

The RBAC model consists of the following:

Management role—A container for grouping management role entries.

Management role entries—A cmdlet (including parameters) that is added to a management role. This process grants rights to manage or view the objects associated with that cmdlet.

Management role assignment—The assignment of a management role to a particular user or a universal security group. This grants the user (or the members of the security group) the ability to perform the management role entries in the management role that they are assigned to.

Management role scope—Scopes are used to target the specific object or objects that the management role assignment is allowed to control. A management role scope can include servers, organizational units, filters on server or recipient objects, and more.

As described by Microsoft, this process allows complete control of the who (management role assignment), the what (management role and management role entries), and the where (management role scope) in the security model.
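
The way the who, the what, and the where combine can be shown with a small model. This is an added example, not Exchange's own permission engine and not code from the original article: the role, role group, user, and OU names are constructed, and scopes are reduced to a single OU match.

```powershell
# Added example: simplified model of the who/what/where check.
# All role, role group, user and OU names are constructed.
$roles = @{        # what: management role -> role entries (cmdlet + parameters)
    'Branch Quota Admin' = @{
        'Get-Mailbox' = @('Identity')
        'Set-Mailbox' = @('Identity', 'IssueWarningQuota', 'ProhibitSendQuota')
    }
}
$roleGroups  = @{ 'Branch Help Desk' = @('alice') }              # role group -> members
$scopes      = @{ 'Branch OU' = 'OU=Branch,DC=example,DC=com' }  # where
$assignments = @(                                                # who gets what, where
    [pscustomobject]@{ Role = 'Branch Quota Admin'; Assignee = 'Branch Help Desk'; Scope = 'Branch OU' }
)

function Test-RbacAccess {
    param([string]$User, [string]$Cmdlet, [string[]]$Parameters, [string]$TargetDn)
    foreach ($a in $assignments) {
        # who: assigned directly, or through role group membership
        $isAssignee = ($a.Assignee -eq $User) -or ($roleGroups[$a.Assignee] -contains $User)
        if (-not $isAssignee) { continue }
        # what: the cmdlet must be a role entry, and every parameter must be listed in it
        $allowed = $roles[$a.Role][$Cmdlet]
        if (-not $allowed) { continue }
        if ($Parameters | Where-Object { $allowed -notcontains $_ }) { continue }
        # where: the target object must sit under the scope's OU
        $suffix = ',' + $scopes[$a.Scope]
        if ($TargetDn.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$inScope  = 'CN=Bob,OU=Branch,DC=example,DC=com'
$outScope = 'CN=Carol,OU=HQ,DC=example,DC=com'

# Role group member, listed parameters, target inside the scope
Test-RbacAccess 'alice' 'Set-Mailbox' @('Identity', 'ProhibitSendQuota') $inScope
# Same request against a target outside the scope
Test-RbacAccess 'alice' 'Set-Mailbox' @('Identity', 'ProhibitSendQuota') $outScope
# Cmdlet is a role entry, but the parameter is not part of that entry
Test-RbacAccess 'alice' 'Set-Mailbox' @('Identity', 'ForwardingSmtpAddress') $inScope
# User with no assignment, directly or through a role group
Test-RbacAccess 'dave' 'Get-Mailbox' @('Identity') $inScope
```

In a live organization, the corresponding data is read with Get-ManagementRoleEntry, Get-ManagementRoleAssignment, and Get-RoleGroupMember.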

Role Based Access Control is not used on Edge Transport servers, as these servers are designed to sit outside the domain.

Exchange Server 2013 provides several built-in management role groups that cannot be modified, nor can the management role entries be configured on them. However, the scope of the built-in management roles can be modified.

The following built-in management role groups are included by default in Exchange Server 2013:

Organization Management—Administrators assigned to this role group have administrative access to the entire Exchange Server 2013 organization, and can perform almost any task against any Exchange Server 2013 object, with some exceptions, such as the Discovery Management role. Even if a task can only be completed by another role, members of the Organization Management role group have the ability to add themselves to any other role.

As this role group is very powerful, it is recommended that it only be assigned to users who are responsible for organizational-level administration. Changes made by this role can potentially impact the entire Exchange organization.

View-Only Organization Management—Members of this role group can view the properties of any object in the Exchange organization but cannot modify the properties of any object.

This role group is useful for personnel who need to be able to view the configuration of objects within the environment but who do not need the ability to add new or modify existing objects.

Recipient Management—Administrators assigned to this role group have the ability to create or modify Exchange Server 2013 recipients within the organization.

UM Management—Administrators assigned to this role group can manage features in the Exchange Server 2013 organization such as Unified Messaging (UM) server configuration, UM properties on mailboxes, UM prompts, and UM auto attendant configuration.

Help Desk—Members of this role group can view and modify the Microsoft Office Outlook Web App options of any user in the organization, such as the user’s display name, address, and phone number. However, it does not include options that aren’t available in Outlook Web App options, such as modifying the size of mailboxes or configuring the mailbox database.

Hygiene Management—Members of this role group can configure the antivirus and antispam features of Exchange Server 2013.

Records Management—Administrators assigned to this role group have the ability to configure compliance features, including transport rules, message classifications, retention policy tags, and others.

This role group is often assigned to administrators or members of an organization’s Legal Department who need the ability to view and modify compliance features in an organization.

Discovery Management—Administrators assigned to this role group have the ability to perform searches of mailboxes in the Exchange organization for data that meets specific criteria and can also configure legal holds on mailboxes.

Public Folder Management—Members of this role group can manage Exchange Server 2013 public folders.

Server Management—Administrators assigned to this role group can configure Unified Messaging, client access, server-specific configuration of transport, and mailbox features, such as database copies, certificates, transport queues and Send connectors, virtual directories, and client access protocols.

Delegated Setup—Members of this role group have the ability to deploy servers running Exchange Server 2013 that have been provisioned by a member of the Organization Management role group.

Compliance Management—Administrators assigned to this role group have the ability to configure and manage Exchange compliance settings in accordance with their organization’s policy.

If the Exchange Server 2013 built-in role groups don’t match the job functions of the organization’s administrators, role groups can be created and customized.


Note

Membership in the Organization Management role group should be limited to personnel who have advanced knowledge of the Exchange Server operating system and your particular network environment.


Exchange Server 2013 also provides role assignment policies to control the settings that users can configure on their personal mailboxes and distribution groups. The policies can control the users’ ability to change their display name, contact information, membership in distribution groups, or voice mail settings. Mailboxes are assigned a default role assignment policy if an alternative role assignment policy is not specified.

The Exchange Administration Center (EAC) can be used to manage role groups and role assignment policies.
