Dedicated Active Directory Sites for Exchange

Published Aug 28 2006 03:57 PM 3,237 Views

Exchange 2003 servers can benefit from an Active Directory design that utilizes site architecture to isolate Exchange.  This is best achieved through creating a dedicated Active Directory site which contains both Exchange 2003 servers and Global Catalog servers that are dedicated to the Exchange DSAccess process.  The potential benefits of this architecture are as follows:

- Reduction of Global Catalog overload potential through isolating Exchange messaging traffic and processes from the remainder of the environment by using dedicated Global Catalogs.

- Increased performance for Exchange LDAP queries through Global Catalogs that are dedicated to the Exchange DSAccess process.
NB: This assumes that you have the right number of GC processors to Exchange processors and a well connected network.

- Easier Management and monitoring of the Exchange environment due to segregating out of non-Exchange processes.
NB: However, this segregation will increase the number total number of domain controllers in your environment

- Increased performance for non-Exchange LDAP and directory services processes due to Exchange process segregation.
NB: This assumes that you have enough GC’s to service non-Exchange traffic

Excessive LDAP Read and Search Times can have a negative impact of the ability to service messaging requests. This could include:

- Impact to mail routing (for mail bound internally and externally)

- Impact to Client Ambiguous Name Resolution requests (i.e. address lookups DL expansions etc)

- Impact other functional processes, login authentication for resources (i.e. calendar and PFs) DL access Group Membership

As far as the Active Directory is concerned, Exchange is just an application. While it may be convenient for applications like Exchange to have dedicated sites, it adds complexity to AD. This may be the best approach from the application's perspective, particularly if AD isn't managed correctly or isn't being actively monitored for performance and scaled accordingly. From the AD service owner's perspective, it has dozens if not hundreds of applications to service. AD will strive to provide acceptable levels of service to all clients/apps without extra sites (Extra sites are defined as app-specific ones instead of those based on network topology). What level of performance is deemed acceptable for the AD and the Application (In this case Exchange)? It's entirely up to the application. The service owners need to understand this, monitor their systems closely, and ensure they have the right number of DCs available to meet application requirements.

There is also a risk angle. Even if AD can provide acceptable performance to applications during normal conditions, what happens when an applications starts to perform erratically? If steps are not in place to immediately isolate and repair this behavior, one bad application will begin to impact the others. Dividing AD into separate app-specific sites can help somewhat, but it's not a magic bullet. If another application decides to write millions of objects to the directory in a short period of time, the replication load would span sites and impact the "dedicated" Exchange DCs.

Application owners will generally prefer dedicated domain controllers over shared ones because it reduces the number of external influences on their application. This is not necessarily the best approach for the directory system as a whole because the added complexity is expensive and more difficult to manage. If an organization isn't comfortable with the risk of directory-enabled applications affecting each other, implementing dedicated sites is one way to reduce their risk. Exchange is a very important directory-enabled app and often warrants this kind of protection. That being said, the organization should evaluate their applications and rate each one on criticality, predictability, and supportability. There's nothing wrong with using those same Exchange DCs for other critical, predictable, supportable applications instead of building yet another set of sites.

If you consider Exchange and Outlook as a service (Email), then the change in the DSProxy algorithm introduced in Exchange Server 2003 Service Pack 2 (SP2) adds some additional concerns. If you have a multi domain forest, which has Exchange (and maybe some users) in one domain and users in another, then you may need to add GCs from the users domain into the Active Directory Site where the Exchange servers reside. Of course, this also increases the number of servers required for a dedicated Exchange Site.

Additional Reading Material

XADM: Exchange 2000 May Experience Performance Problems When PDC Emulator Is Used for DSAccess
http://support.microsoft.com/?id=298879

Exchange Server 2003 and Active Directory
http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3TechRef/efc39d47-89dc-45de-b5b4-f1e...

Exchange 2000 Server and Active Directory http://www.microsoft.com/technet/prodtechnol/exchange/2000/plan/exchange.mspx#XSLTsection12512112012...

XADM: Exchange 2000 May Experience Performance Problems When PDC Emulator Is Used for DSAccess
http://support.microsoft.com/?id=298879

XGEN: Optimizing Windows 2000 Active Directory Servers with Six or Eight Processors to Run with Exchange 2000
http://support.microsoft.com/default.aspx/kb/271088

Within few days, I will talk more about measuring the AD performance.

- Paul Flaherty

8 Comments
%3CLINGO-SUB%20id%3D%22lingo-sub-603870%22%20slang%3D%22en-US%22%3EDedicated%20Active%20Directory%20Sites%20for%20Exchange%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-603870%22%20slang%3D%22en-US%22%3E%3CP%3E%3C%2FP%3E%3CP%3E%3C%2FP%3E%20%3CP%3EExchange%202003%20servers%20can%20benefit%20from%20an%20Active%20Directory%20design%20that%20utilizes%20site%20architecture%20to%20isolate%20Exchange.%26nbsp%3B%20This%20is%20best%20achieved%20through%20creating%20a%20dedicated%20Active%20Directory%20site%20which%20contains%20both%20Exchange%202003%20servers%20and%20Global%20Catalog%20servers%20that%20are%20dedicated%20to%20the%20Exchange%20DSAccess%20process.%26nbsp%3B%20The%20potential%20benefits%20of%20this%20architecture%20are%20as%20follows%3A%3C%2FP%3E%3CP%3E-%26nbsp%3BReduction%20of%20Global%20Catalog%20overload%20potential%20through%20isolating%20Exchange%20messaging%20traffic%20and%20processes%20from%20the%20remainder%20of%20the%20environment%20by%20using%20dedicated%20Global%20Catalogs.%3C%2FP%3E%3CP%3E-%26nbsp%3BIncreased%20performance%20for%20Exchange%20LDAP%20queries%20through%20Global%20Catalogs%20that%20are%20dedicated%20to%20the%20Exchange%20DSAccess%20process.%3CBR%20%2F%3E%3CB%3ENB%3A%20%3C%2FB%3EThis%20assumes%20that%20you%20have%20the%20right%20number%20of%20GC%20processors%20to%20Exchange%20processors%20and%20a%20well%20connected%20network.%3C%2FP%3E%3CP%3E-%26nbsp%3BEasier%20Management%20and%20monitoring%20of%20the%20Exchange%20environment%20due%20to%20segregating%20out%20of%20non-Exchange%20processes.%3CBR%20%2F%3E%3CB%3ENB%3A%20%3C%2FB%3EHowever%2C%20this%20segregation%20will%20increase%20the%20number%20total%20number%20of%20domain%20controllers%20in%20your%20environment%3C%2FP%3E%3CP%3E-%26nbsp%3BIncreased%20performance%20for%20non-Exchange%20LDAP%20and%20directory%20services%20processes%20due%20to%20Exchange%20process%20segregation.%3CBR%20%2F%3E%3CB%3ENB%3A%3C%2FB%3E%20This%20assumes%20that%20you%20have%20enough%20GC%E2%80%99s%20to%20service%20non-Exchange%20traffic%3C%2FP%3E%3CP%3EExcessive%20LDAP%20Read%20and%20Search%20Times%20can%20have%20a%20negative%20impact%20of%20the%20ability%20to%20service%20messaging%20requests.%20This%20could%20include%3A%3C%2FP%3E%3CP%3E-%26nbsp%3BImpact%20to%20mail%20routing%20(for%20mail%20bound%20internally%20and%20externally)%3C%2FP%3E%3CP%3E-%26nbsp%3BImpact%20to%20Client%20Ambiguous%20Name%20Resolution%20requests%20(i.e.%20address%20lookups%20DL%20expansions%20etc)%3C%2FP%3E%3CP%3E-%26nbsp%3BImpact%20other%20functional%20processes%2C%20login%20authentication%20for%20resources%20(i.e.%20calendar%20and%20PFs)%20DL%20access%20Group%20Membership%3C%2FP%3E%3CP%3EAs%20far%20as%20the%20Active%20Directory%20is%20concerned%2C%20Exchange%20is%20just%20an%20application.%20While%20it%20may%20be%20convenient%20for%20applications%20like%20Exchange%20to%20have%20dedicated%20sites%2C%20it%20adds%20complexity%20to%20AD.%20This%20may%20be%20the%20best%20approach%20from%20the%20application's%20perspective%2C%20particularly%20if%20AD%20isn't%20managed%20correctly%20or%20isn't%20being%20actively%20monitored%20for%20performance%20and%20scaled%20accordingly.%20From%20the%20AD%20service%20owner's%20perspective%2C%20it%20has%20dozens%20if%20not%20hundreds%20of%20applications%20to%20service.%20AD%20will%20strive%20to%20provide%20acceptable%20levels%20of%20service%20to%20all%20clients%2Fapps%20without%20extra%20sites%20(Extra%20sites%20are%20defined%20as%20app-specific%20ones%20instead%20of%20those%20based%20on%20network%20topology).%20What%20level%20of%20performance%20is%20deemed%20acceptable%20for%20the%20AD%20and%20the%20Application%20(In%20this%20case%20Exchange)%3F%20It's%20entirely%20up%20to%20the%20application.%20The%20service%20owners%20need%20to%20understand%20this%2C%20monitor%20their%20systems%20closely%2C%20and%20ensure%20they%20have%20the%20right%20number%20of%20DCs%20available%20to%20meet%20application%20requirements.%3C%2FP%3E%3CP%3EThere%20is%20also%20a%20risk%20angle.%20Even%20if%20AD%20can%20provide%20acceptable%20performance%20to%20applications%20during%20normal%20conditions%2C%20what%20happens%20when%20an%20applications%20starts%20to%20perform%20erratically%3F%20If%20steps%20are%20not%20in%20place%20to%20immediately%20isolate%20and%20repair%20this%20behavior%2C%20one%20bad%20application%20will%20begin%20to%20impact%20the%20others.%20Dividing%20AD%20into%20separate%20app-specific%20sites%20can%20help%20somewhat%2C%20but%20it's%20not%20a%20magic%20bullet.%20If%20another%20application%20decides%20to%20write%20millions%20of%20objects%20to%20the%20directory%20in%20a%20short%20period%20of%20time%2C%20the%20replication%20load%20would%20span%20sites%20and%20impact%20the%20%22dedicated%22%20Exchange%20DCs.%3C%2FP%3E%3CP%3EApplication%20owners%20will%20generally%20prefer%20dedicated%20domain%20controllers%20over%20shared%20ones%20because%20it%20reduces%20the%20number%20of%20external%20influences%20on%20their%20application.%20This%20is%20not%20necessarily%20the%20best%20approach%20for%20the%20directory%20system%20as%20a%20whole%20because%20the%20added%20complexity%20is%20expensive%20and%20more%20difficult%20to%20manage.%20If%20an%20organization%20isn't%20comfortable%20with%20the%20risk%20of%20directory-enabled%20applications%20affecting%20each%20other%2C%20implementing%20dedicated%20sites%20is%20one%20way%20to%20reduce%20their%20risk.%20Exchange%20is%20a%20very%20important%20directory-enabled%20app%20and%20often%20warrants%20this%20kind%20of%20protection.%20That%20being%20said%2C%20the%20organization%20should%20evaluate%20their%20applications%20and%20rate%20each%20one%20on%20criticality%2C%20predictability%2C%20and%20supportability.%20There's%20nothing%20wrong%20with%20using%20those%20same%20Exchange%20DCs%20for%20other%20critical%2C%20predictable%2C%20supportable%20applications%20instead%20of%20building%20yet%20another%20set%20of%20sites.%3C%2FP%3E%3CP%3EIf%20you%20consider%20Exchange%20and%20Outlook%20as%20a%20service%20(Email)%2C%20then%20the%20%3CA%20href%3D%22http%3A%2F%2Fmsexchangeteam.com%2Farchive%2F2006%2F03%2F17%2F422350.aspx%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%20target%3D%22_blank%22%3Echange%20in%20the%20DSProxy%20algorithm%20introduced%20in%20Exchange%20Server%202003%20Service%20Pack%202%20(SP2)%3C%2FA%3E%20adds%20some%20additional%20concerns.%20If%20you%20have%20a%20multi%20domain%20forest%2C%20which%20has%20Exchange%20(and%20maybe%20some%20users)%20in%20one%20domain%20and%20users%20in%20another%2C%20then%20you%20may%20need%20to%20add%20GCs%20from%20the%20users%20domain%20into%20the%20Active%20Directory%20Site%20where%20the%20Exchange%20servers%20reside.%20Of%20course%2C%20this%20also%20increases%20the%20number%20of%20servers%20required%20for%20a%20dedicated%20Exchange%20Site.%3C%2FP%3E%3CP%3E%3CB%3EAdditional%20Reading%20%3C%2FB%3E%3CB%3EMaterial%3C%2FB%3E%3C%2FP%3E%3CP%3EXADM%3A%20Exchange%202000%20May%20Experience%20Performance%20Problems%20When%20PDC%20Emulator%20Is%20Used%20for%20DSAccess%20%3CBR%20%2F%3E%3CA%20href%3D%22http%3A%2F%2Fsupport.microsoft.com%2F%3Fid%3D298879%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Ehttp%3A%2F%2Fsupport.microsoft.com%2F%3Fid%3D298879%3C%2FA%3E%3C%2FP%3E%3CP%3EExchange%20Server%202003%20and%20Active%20Directory%3CBR%20%2F%3E%3CA%20href%3D%22http%3A%2F%2Fwww.microsoft.com%2Ftechnet%2Fprodtechnol%2Fexchange%2Fguides%2FE2k3TechRef%2Fefc39d47-89dc-45de-b5b4-f1e73ac30b34.mspx%3Fmfr%3Dtrue%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Ehttp%3A%2F%2Fwww.microsoft.com%2Ftechnet%2Fprodtechnol%2Fexchange%2Fguides%2FE2k3TechRef%2Fefc39d47-89dc-45de-b5b4-f1e73ac30b34.mspx%3Fmfr%3Dtrue%3C%2FA%3E%3C%2FP%3E%3CP%3EExchange%202000%20Server%20and%20Active%20Directory%20%3CA%20href%3D%22http%3A%2F%2Fwww.microsoft.com%2Ftechnet%2Fprodtechnol%2Fexchange%2F2000%2Fplan%2Fexchange.mspx%23XSLTsection125121120120%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Ehttp%3A%2F%2Fwww.microsoft.com%2Ftechnet%2Fprodtechnol%2Fexchange%2F2000%2Fplan%2Fexchange.mspx%23XSLTsection125121120120%3C%2FA%3E%3C%2FP%3E%3CP%3EXADM%3A%20Exchange%202000%20May%20Experience%20Performance%20Problems%20When%20PDC%20Emulator%20Is%20Used%20for%20DSAccess%3CBR%20%2F%3E%3CA%20href%3D%22http%3A%2F%2Fsupport.microsoft.com%2F%3Fid%3D298879%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Ehttp%3A%2F%2Fsupport.microsoft.com%2F%3Fid%3D298879%3C%2FA%3E%3C%2FP%3E%3CP%3EXGEN%3A%20Optimizing%20Windows%202000%20Active%20Directory%20Servers%20with%20Six%20or%20Eight%20Processors%20to%20Run%20with%20Exchange%202000%3CBR%20%2F%3E%3CA%20href%3D%22http%3A%2F%2Fsupport.microsoft.com%2Fdefault.aspx%2Fkb%2F271088%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Ehttp%3A%2F%2Fsupport.microsoft.com%2Fdefault.aspx%2Fkb%2F271088%3C%2FA%3E%3C%2FP%3E%3CP%3EWithin%20few%20days%2C%20I%20will%20talk%20more%20about%20measuring%20the%20AD%20performance.%3C%2FP%3E%3CP%3E-%20%3CA%20href%3D%22http%3A%2F%2Fmsexchangeteam.com%2Farchive%2F2006%2F06%2F15%2F427969.aspx%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%20target%3D%22_blank%22%3EPaul%20Flaherty%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Version history
Last update:
‎Jul 01 2019 03:17 PM
Updated by: