The Windows Server 2003 Security Guide recommends an organizational unit structure that allows you to easily adopt the security templates supplied with that guide. Because Exchange 2003 is a directory-enabled application, the Windows Server 2003 organizational unit structure can be easily extended to incorporate the new server roles defined in this section.

  • Within the Member Servers organizational unit, create two new organizational units called Exchange Back-end Servers and Exchange Front-end Servers. If you have numerous NNTP servers, you may want to create an organizational unit for them within the Exchange Back-end Servers organizational unit.
  • Within the Exchange Front-end Servers organizational unit, create separate organizational units for the following (as necessary for the client services in your organization):
    • Exchange 2003 SMTP Servers
    • Exchange 2003 HTTP Servers
    • Exchange 2003 POP3 Servers
    • Exchange 2003 IMAP4 Servers

You can also combine server roles into a single organizational unit. For example, if your organization runs IMAP4 and POP3 services on the same computer, you can create a single organizational unit called IMAP4 and POP3 Servers. The security policies included with this guide are additive; therefore, provided that you pay close attention to the sequence of the policies, you can apply multiple policies to a single organizational unit.
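Why the sequence matters when two role policies share one organizational unit is shown in the following added example, which is not part of the guide or its templates. It uses a simplified model in which policies are applied in order and a later policy overrides an earlier one only for the settings it defines. The policy contents (service names and startup values) are constructed sample data, and the function names are hypothetical.

```python
from itertools import permutations

# Constructed sample data: NOT the contents of the guide's real .inf templates.
# Each dict maps a service name to the startup mode that policy defines.
BASELINE = {"IISADMIN": "Disabled", "POP3Svc": "Disabled",
            "IMAP4Svc": "Disabled", "SMTPSVC": "Disabled"}
POP3_POLICY = {"IISADMIN": "Automatic", "POP3Svc": "Automatic",
               "IMAP4Svc": "Disabled"}
IMAP4_POLICY = {"IISADMIN": "Automatic", "IMAP4Svc": "Automatic",
                "POP3Svc": "Disabled"}


def effective(policies):
    """Apply policies in sequence (simplified model).

    A later policy overrides an earlier one only for settings it defines;
    settings it leaves undefined are inherited unchanged.
    """
    result = {}
    for policy in policies:
        result.update(policy)
    return result


def order_sensitive(baseline, role_policies):
    """Find settings whose final value depends on the role-policy order.

    The baseline is always applied first (it is inherited from the parent
    organizational unit); every ordering of the role policies is then tried.
    """
    outcomes = {}
    for order in permutations(role_policies):
        for name, value in effective([baseline, *order]).items():
            outcomes.setdefault(name, set()).add(value)
    return {name: sorted(values)
            for name, values in outcomes.items() if len(values) > 1}


if __name__ == "__main__":
    # Combined "IMAP4 and POP3 Servers" unit with the IMAP4 policy applied last.
    for service, mode in effective([BASELINE, POP3_POLICY, IMAP4_POLICY]).items():
        print(f"{service:10} {mode}")
    # Settings to review before linking both policies to one unit.
    print(order_sensitive(BASELINE, [POP3_POLICY, IMAP4_POLICY]))
```

With this sample data the last-applied role policy disables the other role's service, so a combined unit needs either a deliberate ordering or a merged policy for the conflicting settings.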

The following figure illustrates the recommended organizational unit structure to accommodate the new server roles, including which security policy and security template (.inf file) corresponds to each organizational unit.

[Figure: Organizational unit structure with additional Exchange 2003 organizational units]

Creating the organizational unit structure to support the recommendations in this guide is discussed in much more detail in the Windows Server 2003 Security Guide.

Because the Exchange 2003 servers reside in organizational units below the Member Servers organizational unit, the servers inherit settings that are defined in the Windows Server 2003 Member Server Baseline Policy. The Exchange policies modify these settings in two ways:

  • Some services that are not required for basic Windows Server 2003 functionality are necessary in Exchange 2003.
  • Exchange 2003 introduces many additional services, not all of which are required to allow the Exchange servers to function in their particular roles.