Microsoft Exchange 2000 Enterprise Server

This section explains how Microsoft Provisioning System works with Exchange to provision e-mail services. For more information about provisioning features, see Exchange 2000 Enterprise Server provisioning.

As discussed in Active Directory and Exchange services, Exchange uses Active Directory to store all of its configuration data. When you create an organization or a user account, Microsoft Provisioning System creates corresponding objects in Active Directory. When you provision Exchange services, Microsoft Provisioning System sets appropriate attributes on these objects that are required by Exchange.

Exchange provisioning tasks

When you enable Exchange services for an organization, Microsoft Provisioning System performs basic provisioning tasks to set up Exchange for the organization, as follows:

• Creates a recipient policy for the organization.
• Creates a Simple Mail Transfer Protocol (SMTP) domain using the organization's domain name. This is the name you specified for the organization when you created it, and it should be a valid Internet domain name.
• Within Resource Manager, allocates storage space on the mailbox store for the organization's mailboxes.

When you create a mailbox for a user account, Microsoft Provisioning System sets the following attributes on the Active Directory object, which Exchange uses to provide e-mail services:

• E-mail address
• Location of the user's mailbox storage
• Root organization, in other words, the organization in which the user account resides

When users log on to their mailbox for the first time, Exchange creates the mailbox in the location specified on the Active Directory object.

Exchange access control

It is important that only authorized users are able to configure Exchange for an organization and create user mailboxes. For this purpose, Microsoft Provisioning System implements security features that control access to Exchange.

Before enabling Exchange for an organization, Microsoft Provisioning System explicitly checks to verify that the caller is a member of one of the following groups:

• admins@organization_name group, for the parent organization of the organization for which Exchange is to be enabled
• admins@hosting_organization group
• csradmins@organization_name group, for the parent organization of the organization for which Exchange is to be enabled

Before creating a mailbox, Microsoft Provisioning System explicitly checks to verify that the caller is a member of one of the following groups:

• admins@organization_name group, for the organization in which the mailbox is to be created
• admins@organization_name group, for the parent organization of the organization in which the mailbox is to be created
• admins@hosting_organization group
• csradmins@organization_name group, for the parent organization of the organization in which the mailbox is to be created

If the caller is a member of one of these groups, Microsoft Provisioning System passes the request to Exchange 2000 Server. The procedure runs using the credentials of the Microsoft Provisioning System privileged account, MPSPrivAcct. This account is given Exchange administrator privileges during installation. For more information about the Microsoft Provisioning System privileged account, see "Installing Microsoft Provisioning System."