January 14, 2002 12:00 AM

Distribution Lists in Exchange 2000

Windows IT Pro
InstantDoc ID #23480
Understanding Win2K groups

If you're in charge of designing or upgrading your messaging environment, you've probably skimmed through countless articles and books about Active Directory (AD) to learn how it will ultimately affect your Exchange 2000 Server design. You've probably also read about the latest trends and ideas about how to design your AD domain, site, and infrastructure topology with performance and security in mind. ("Related Reading," page 11, provides resources for background information.) Armed with this knowledge, you should be able to tackle the most challenging deployments and migrations with ease. Migrating your distribution lists (DLs) from Exchange Server 5.5 to Exchange 2000 is no exception—if you know what to watch out for. Let's look at groups in Exchange 5.5 and Exchange 2000, then examine how DLs fit in the new AD group structure.

Exchange 5.5 DLs
In Exchange 5.5, a DL is a group of users in the Exchange directory. Most people use DLs to send email to many people at once. When you send a message to a DL, the Message Transfer Agent (MTA) on the originating server (or an expansion server, if specified) enumerates the recipients, and Exchange 5.5 delivers the message to the appropriate mailboxes. If necessary, the MTA fans out the DL to make sure that multiple copies of the same message aren't sent over the same connections. Exchange 5.5 stores DLs in the directory and replicates them throughout the organization.

When you make any changes to the DL membership (including adding or deleting one member), Exchange must replicate the entire DL membership throughout the Exchange organization. An Exchange 5.5 DL owner (or the Exchange administrator for a site) can change the membership of a DL only if the user object exists in the same site in which the owner created the DL.

You can also use DLs to secure access within your public-folder hierarchy. Many companies secure (and simplify the management of) their public folders by granting DLs the appropriate rights to a particular folder, then simply adding users to these DLs. This technique is similar to adding Windows NT 4.0 users to a group, then granting group rights to a resource.

Exchange 2000 Distribution Groups
Because Exchange 2000 relies on AD for its directory information, you must look to AD for DLs as well. AD uses groups to attain similar functionality. In Windows 2000, groups are either distribution groups or security groups, and these groups can be universal, global, or domain local in scope. You can use a distribution group only for email distribution, not for security. A security group is a security principal; therefore, you can use it for both email distribution and security (i.e., to assign security settings to files or public folders).

The group's scope controls how Exchange replicates objects throughout the forest. In universal groups, the group object and its members are replicated forestwide. In global groups, the group object is replicated forestwide but the membership remains local to the domain. In domain local groups, the group object and its membership stay within the domain in which they're created. Tables 1 and 2 summarize the types and scope of groups.

You can use either security groups or distribution groups as DLs, but you need to decide whether you want those groups to be universal groups or global groups. Many AD designers have pointed out pitfalls of universal groups. One disadvantage is that the entire universal group membership (not just changes in individual members) replicates to every Global Catalog (GC) in a forest. Therefore, if your membership changes often, you could be causing a lot of unnecessary replication, even to domains that rarely use the groups. As a result, you might decide that global groups are a better approach. However, because of the way Exchange chooses and uses GCs in your environment, global groups might not be a good choice.
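
Both type and scope are stored in a group's `groupType` bitmask, so a directory export can be checked against the trade-offs above. The following is an added example, not code from the article: it assumes an `ldifde`-style export with unwrapped, single-valued attribute lines, treats a `mail` attribute as the sign that a group is used as a DL, and runs on a constructed sample.

```python
# Added example: classify groups in an ldifde-style export by type and scope.
SCOPE_BITS = {0x2: "global", 0x4: "domain local", 0x8: "universal"}
SECURITY_ENABLED = 0x80000000  # groupType bit; ldifde prints the value signed
# Constructed sample export (not from a real directory).
SAMPLE_LDIF = """\
dn: CN=Sales DL,OU=Groups,DC=example,DC=com
groupType: 8
mail: sales@example.com

dn: CN=Finance Folder Access,OU=Groups,DC=example,DC=com
groupType: -2147483640
mail: finance@example.com

dn: CN=Branch Staff,OU=Groups,DC=emea,DC=example,DC=com
groupType: -2147483646
mail: branch@example.com

dn: CN=Print Operators Local,OU=Groups,DC=example,DC=com
groupType: -2147483644
"""

def parse_entries(ldif):
    """Split an LDIF export into one attribute dict per entry."""
    for block in ldif.strip().split("\n\n"):
        yield dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)

def decode_group_type(raw):
    """Return (kind, scope) for a groupType value, accepting signed integers."""
    value = int(raw) & 0xFFFFFFFF
    kind = "security" if value & SECURITY_ENABLED else "distribution"
    scope = next((name for bit, name in SCOPE_BITS.items() if value & bit), "unknown")
    return kind, scope

def review_groups(ldif):
    """List mail-enabled groups with the design points raised in the text."""
    findings = []
    for entry in parse_entries(ldif):
        if "mail" not in entry:  # assumption: 'mail' marks a group used as a DL
            continue
        kind, scope = decode_group_type(entry["groupType"])
        checks = [(kind == "security", "membership also grants any access assigned to the group"),
                  (scope != "universal", "membership is not replicated forestwide")]
        notes = [text for hit, text in checks if hit]
        findings.append((entry["dn"], kind, scope, notes))
    return findings

if __name__ == "__main__":
    for dn, kind, scope, notes in review_groups(SAMPLE_LDIF):
        print(f"{dn}: {scope} {kind} group; " + ("; ".join(notes) or "no notes"))
```
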

How Exchange Chooses a GC
Exchange 2000 uses an internal process called DSAccess to determine the working domain controller (DC), the working GC, and the configuration DC. Exchange 2000 uses these categories at various times to access and store directory information. (Kieran McCorry, "MAPI Client Directory Access in Exchange 2000," August 2001, InstantDoc ID 21458, explains this process in detail.) Working GCs play a role in DLs. Exchange uses GCs because of their role in keeping information pertaining to universal groups. (A GC holds a copy of all objects in the forest: a complete copy of all objects from its own domain, plus a subset of attributes for objects from all other domains.) Exchange 2000 uses the working GC list that DSAccess provides to choose a GC to enumerate DLs. Exchange 2000 needs to look up each noncached recipient address (or other DL) directly from AD. As part of the System Attendant service, the DSGetDCName API creates this list of up to 10 GCs by querying AD for a list of GCs in that AD site. After the API creates the list, Exchange 2000 uses the GCs in the list in a round-robin fashion whenever it needs to.

Single vs. Multiple Domains
In a single-AD domain environment, all GCs hold the same information as DCs. Because no other domains exist, AD requires no other domain naming contexts (NCs) or partitions. DL expansion in a single AD domain has few or no side effects.

With multiple domains, however, the process becomes more complex; many other factors determine correct delivery of messages addressed to a DL. If your organization has multiple domains (specifically, multiple domains in a single Win2K site), the entire DSAccess process, expansion servers, and AD site boundaries become important. You must understand exactly how your Exchange 2000 server uses the working GC list to locate an available GC to fulfill certain requests. Most multiple-domain organizations have multiple GCs from different domains in at least one site that houses an Exchange 2000 server.


Comments
  • Jason
    5 years ago
    Aug 09, 2007

    Great

  • Sherry Powers
    9 years ago
    Dec 05, 2003

    This article was very helpful! It has helped me make final decisions on what type of groups to use for my Exchange DL re-design! I have already completed a successful Exchange 5.5 to 2000 migration but needed more information on how the 5.5 groups were transformed to Win 2k AD during the migration. Thank you very much!!

Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.