Exchange 2000 Administrative Groups

Having said that, we should look at HOW permissions flow in Exchange 2000, because as I have mentioned before, things have changed a bit since Exchange 5.5. First thing that we have to take into account with Exchange 2000 is the tight integration between Exchange and Windows 2000. Exchange no longer maintains its own configuration database, instead storing its information in the Configuration partition of Active Directory. If you will remember from some of the basic Windows 2000 books and classes, Windows 2000 is broken down into three separate partitions. There is the Schema partition, the Domain Naming Partition, and the Configuration Partition. It is this last one where our information is stored, and here is where we should take a look at permissions. But first I want to look back at our Administrative Groups.

The first thing I want to show is the view from ESM (Exchange System Manager) when we have selected to view the Administrative Groups. Once again, in order to display Administrative Groups, we go to the Organization object in ESM, right-click and select Properties, and then put a check in the box to display Administrative Groups. What we should see, given a default installation, should look like this:


Next up, we create a second Administrative Group, to show you how permissions might work (and flow) in a company with distributed administration. We right click on the Administrative Groups, select New, Administrative Group, provide a name, and voila! Our new Administrative Group, Tampa has been created.


Now at this point, there is nothing in Tampa. It is simply a container, awaiting the day when we, the noble Exchange Admins, find it worthy of our Exchange servers and place the servers, along with public folder trees, and recipient policies amongst other things, into the administrative group. What we as Exchange Administrators have to be aware of is that once we have defined multiple Administrative Groups in our organization, this will become part of the installation procedure in that we will have to select which Administrative Group we want a particular server to belong to during installation. Another thing to note is that by default, you won’t have the option of creating a Servers Container under the new Administrative Group. You also won’t be able to move servers from the Default First Administrative Group into any other Administrative Groups that you later create. And that brings up another issue. Some people will want to create administrative groups prior to installing any Exchange Servers into their organization. This is possible after you have run the ForestPrep and DomainPrep utilities in your Windows 2000 forest. Open an mmc, Select the ESM, and then follow the instructions listed above to create a new (or several new) Administrative Groups. You can even rename the default Administrative Group to something other than First Administrative Group, but to do so requires going into the Configuration partition, which we will be looking at later.