Forcing Exchange to use specific Domain Controllers

When you read Microsoft’s sizing guides then the basic advice for mailbox servers, for example, is to use 4 processor cores for Exchange for every 1 Active Directory processor core (Exchange 2007 with AD running on 32 bit). However, the situation you often get is that the domain controllers exist in a data centre servicing many solutions or even in a server room servicing user logons and so you can’t really assign specific domain controllers to service just Exchange. Now, what you can do is tell Exchange to just use certain DC’s but this doesn’t stop those DC’s from servicing other requests. But, there is a solution ….. Active Directory sites.

As you know, Active Directory “knows” which Domain Controller to direct a logon request to by using the clients IP address and directing the request to a domain controller in the same site as the user (or another site assigned to the users IP subnet). But requests are directed to the “most likely” subnet or, to put it another way “best match” subnet. Where this leads us to is that you can use subnets in Active Directory Sites and Services to direct logon requests.

For example, your data centre may have the subnet 10.1.1.0/24 (10.1.1.0, 255.255.255.0) and you may have the following servers.

Server IP Address
DC1 10.1.1.1
DC2 10.1.1.2
SQL1 10.1.1.3
SQL2 10.1.1.4
DC3 10.1.1.5
DC4 10.1.1.6
Exchange1 10.1.1.7
Exchange2 10.1.1.8
Backup1 10.1.1.9

 So, what we don’t want to do is just assign the subnet 10.1.1.0/248 to a site as this will not include Exchange2 and, indeed, will remove all DC’s from our server site. Similarly, we can’t just use 10.1.1.0/240 as a subnet as this will also include our backup server and, once again, all DC’s. That is, we could assign a more specific subnet to the Exchange “site” but, if needs be and for the purposes of this article, we can also assign individual servers. Below is an example of our site setup before we start with all servers assigned to the subnet OU.

The first thing we would do is create a new Site called, for example “Exchange” and, in this case, assign it to our default site link.

We then create a new Site Link to link the Exchange servers back to the Server site. We do this so that we can change the replication schedule as we will want “fast” replication between the DC’s in the Server site and in the Exchange Site (If required the sites can then be removed from the Default Site Link).

We can then create a series of new subnets, one for each server, and assign them to the “Exchange” Site.

In this way, individual servers can be added to the site until all servers that should be treated as one unit exist in the same site.

The Domain Controllers can then be moved to the Active directory site by right clicking the server in Sites and Services and selecting “Move”

This means that all the servers should perform lookups and any authentication against the domain controllers in their own local site. This technique can also be used in any other situation where particular AD servers have to be used by particular servers (for example when a certain level of domain controller must be used in a still mixed environment). All that remains is to change the site link to replicate rapidly.

By default, changes are not replicated between sites when the change is made (with the exception of urgent replication items such as password changes). Instead changes are replicated according to a schedule as defined on the site link. By default the replication interval is set to 180 minutes.

However, as these servers all sit on the same high speed network we can configure change notifications to traverse the site link in near real time as though the servers are in the same site. This is done by setting a value in Active Directory by using the ADSI Edit tool (installed by default in Windows 2008 R2 and part of the support tools pack in Windows 2003.

To enable change notification between sites

  1. In ADSI Edit, expand the Configuration container.

  2. Navigate to the Inter-Site Transports container, and select CN=IP . (You cannot enable change notification for SMTP links.)

  3. Right-click the site link object for the sites for which you want to enable change notification (CN=Exchange Servers in our case), and then click Properties .
  4. In the Select a property to view box, select options .

  5. In the Edit Attribute box, if the Value(s) box shows <not set> , type 1 in the Edit Attribute box. If the Value(s) box contains a value, you must derive the new value by using a Boolean BITWISE-OR calculation on the old value, as follows: old_value  BITWISE-OR 1. For example, if the value in the Value(s) box is 2, calculate 0010 OR 0001 to equal 0011. Type the integer value of the result in the Edit Attribute box; for this example, the value is 3. In this case, as this is a new site link that we have set up then the value should be set to <not set> and so we can enter 1.

  6. Click OK and the OK again and exit ADSI Edit.

Changes should now be notified across the site link with the same frequency as they would if the servers were in a single site (around 15 seconds for 2003 / 2008).

Leave a Reply