May 10, 2000 09:19 AM

From Sites to Groups

Windows IT Pro
InstantDoc ID #8743
Exchange 2000's administrative and routing groups add flexibility and control to groups

In Exchange 2000 Server, Microsoft replaces Exchange Server sites with new structures called administrative groups and routing groups. Although this change might take some time to get used to, it adds granularity, reduces the likelihood of administrative errors, simplifies routing, and increases flexibility. The extent to which you experience the benefits of administrative and routing groups depends on the stage of your migration to Exchange 2000.

Changing Needs
An initial goal of the Exchange Server 4.0 release was to migrate users from Microsoft Mail (MS Mail) post offices, most of which served very small user communities. Exchange 2000 has different goals.

Exchange Server has gathered an installed base of approximately 35 million clients. Commonly, large corporate email systems use numerous servers to host thousands of mailboxes, yet many corporations want to consolidate user populations to achieve economy of scale. Microsoft clearly understands the enterprise market's needs (and also wants to move Exchange Server into other markets, such as the ISP or application service provider—ASP—space), so Exchange 2000 addresses many of the earlier versions' architectural restrictions. For example, Exchange 2000 partitions the Information Store (IS) into multiple databases and offers front-end and back-end configurations that support server farms when connecting to Internet clients (i.e., IMAP, POP, or WWW Distributed Authoring and Versioning—WebDAV). Base OS features, such as 4-way clustering in Windows 2000 Datacenter Server (Datacenter), present many new options to help system designers build large Exchange 2000 servers.

The first server to support 10,000 real-life (as opposed to simulated) mailboxes is on the horizon—a fact that highlights another problem: Although Exchange Server 5.5's site model simplifies administration and works well for small organizations, it can be inefficient for large-scale or widely distributed deployments. Free administrative rein is convenient until you want some granularity. If you authorize a person to use the Microsoft Exchange Administrator program, that person can perform any administrative, routing, or security task. A huge gap exists between the skills that administrators need to perform different operations (e.g., changing a user's phone number vs. altering checkpoint settings for an X.400 connector), but Exchange Server 5.5 offers no means of defining administrative access according to skill level. Some companies put mailbox servers and connector servers in separate sites to isolate and protect connectors from inexperienced administrators' errors: The company can give one set of permissions to administrators who handle mailbox operations and another set of permissions to administrators who handle connectors.

Also, Exchange Server 5.5's organizational structure and message routing are extremely inflexible. For example, to move a server from one site or organization to another, you must run the Move Server Wizard—a procedure that can require many days of preparation (and recovery) and many hours of execution. In an environment in which companies constantly split up and amalgamate, such a time-consuming feature is a bad idea. Routing suffers from the inflexible nature of the Gateway Address Routing Table (GWART), which works well if the connectors that transport messages are reliable and constantly available but performs poorly when connectors fail. In such a situation, the Message Transfer Agent (MTA) would ideally detect problems and immediately reroute messages through the most efficient alternative route. Unfortunately, the MTA can't make effective rerouting decisions because the GWART is static and reflects a limited view (i.e., the network's state when the Routing Information Daemon—RID—master generated the GWART).

Aside from solving Exchange Server 5.5's scalability limitations, Exchange 2000 makes these granularity and flexibility problems obsolete. You can use administrative and routing groups to refine administrative and routing access to servers within an organization and to easily move servers from one group to another.

Site Primer
Most Exchange Server administrators know the definition of a site: a collection of connected servers that forms a full-mesh high-speed network. Sites provide administrative, routing, and security boundaries for Exchange Server 5.5 organizations. For administrative purposes, a site's servers share a common configuration and directory. Exchange Administrator lets anyone with administrative permissions for a site perform any administrative task on any server in that site.

For routing purposes, each site has one server that acts as the RID master and builds the GWART each night and each time someone changes a connector. (You can also use Exchange Administrator to rebuild the GWART: Select a server's MTA object, then click Recalculate Routing.) Exchange Server 5.5 replicates the GWART to all the site's servers, then the MTA uses the GWART to make message-routing decisions. Sites simplify routing—each server knows about every other server in its site, and they all share the site's installed connectors—unless you restrict the connectors' scope to specific servers or subsites. (The GWART considers connector scope when it determines the valid paths for a message, and Exchange Server 5.5 uses a server's location property to define the subsite to which the server belongs.)

For security purposes, site-owned objects typically inherit permissions from the site object. Unless you experiment with permissions to restrict administrative access to specific servers or other objects, someone with administrative permission for a site can work with any object in the site.

Introducing Administrative and Routing Groups
In Exchange Server 5.5's decentralized management model, each site exerts control over the servers that it contains. Exchange 2000 implements a similar model but replaces sites with a combination of administrative and routing groups. Microsoft defines an administrative group as a set of Active Directory (AD) objects that simplifies permission management. In practice, an administrative group is a set of servers that you use to manage permissions and administration according to a common policy. After you create an administrative group and assign permissions for it, any object that you add to the group automatically inherits those permissions. As Screen 1 shows, administrative groups can contain objects such as servers, policies, public folder trees, conferencing services, and routing groups.

Routing groups manage message routing only. The permissions that you assign to routing groups are unrelated to the permissions that you assign to the servers and other objects in an administrative group. A routing group is a set of servers that have point-to-point persistent connectivity and share a common view of routing. A routing group is similar to an Exchange Server 5.5 site, with two major differences: First, the servers in a routing group don't perform directory replication; second, Exchange 2000 uses SMTP rather than remote procedure calls (RPCs) to make connections between a routing group's servers. (In Exchange Server 5.5, you must group servers into sites according to the network's ability to carry RPCs in a reliable and robust manner.)

Seeing Is Believing
To help you visualize how administrative groups and routing groups offer increased granularity, let's look at the example Exchange 2000 organization that Screen 2, page 162, shows. The organization defines administrative groups for different countries in the organization and one administrative group, called Routing Administrative Group, to serve as a container for the organization's routing topology. Look at the three expanded administrative groups. The first group, France, contains two servers; the second group, Ireland, contains one server. The third group, Routing Administrative Group, contains three routing groups, so this organization has three major message routing centers—Americas, Asia Pacific, and Europe (HUB). As Screen 2 shows, the Europe (HUB) routing group includes servers from the France and Ireland administrative groups, so these servers share a common routing scheme.
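
The delegation in the example organization above, sketched as a small Python model. This is an added example, not code from the article or from Exchange; the server names, administrator names and grants are constructed, and the access check is a simplification of Active Directory permission inheritance.

```python
# Simplified model of the delegation described above; not Exchange or Active Directory code.
# The group layout follows the article's example organization. Server names,
# administrator names and the grants are constructed for illustration.

# Administrative group -> objects it contains (they inherit the group's permissions).
ADMIN_GROUPS = {
    "France": {"FR-SRV1", "FR-SRV2"},
    "Ireland": {"IE-SRV1"},
    "Routing Administrative Group": {"Americas", "Asia Pacific", "Europe (HUB)"},
}

# Routing group -> member servers. Membership shapes routing only, never permissions.
ROUTING_GROUPS = {"Europe (HUB)": {"FR-SRV1", "FR-SRV2", "IE-SRV1"}}

# Permissions are assigned once, on the administrative group.
GRANTS = {
    "fr-admin": {"France"},
    "ie-admin": {"Ireland"},
    "routing-admin": {"Routing Administrative Group"},
}

def owning_admin_group(obj):
    """Return the administrative group whose permissions obj inherits."""
    for group, members in ADMIN_GROUPS.items():
        if obj in members:
            return group
    raise KeyError(f"{obj} is not in any administrative group")

def can_administer(admin, obj):
    """Exchange 2000 model: access follows the object's administrative group."""
    return owning_admin_group(obj) in GRANTS.get(admin, set())

def effective_scope(admin):
    """Every object the administrator can manage through inherited permissions."""
    return {o for g in GRANTS.get(admin, set()) for o in ADMIN_GROUPS[g]}

def site_model_can_administer(admin, site_admins):
    """Exchange Server 5.5 model: a site administrator can work with any object."""
    return admin in site_admins

def add_server(server, admin_group, routing_group):
    """Place a new server; it inherits the administrative group's permissions."""
    ADMIN_GROUPS[admin_group].add(server)
    ROUTING_GROUPS.setdefault(routing_group, set()).add(server)

if __name__ == "__main__":
    for admin in GRANTS:
        print(admin, sorted(effective_scope(admin)))
```

Sharing the Europe (HUB) routing group gives the France and Ireland administrators no rights over each other's servers or over the routing topology, which is the separation that Exchange Server 5.5 sites could only approximate by splitting servers into separate sites.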
