Forcing an Active Directory update with Exchange 2013 might not be such a good idea

My post of May 4 exploring the question of whether the upcoming Exchange 2013 release should force companies to upgrade their Active Directory infrastructures to a modern version generated a considerable number of messages. As you might recall, the question was originally debated at a spirited Q&A session at TEC in San Diego, where the folks who were present reached a consensus that it would be acceptable if Microsoft declared that Exchange 2013 required Active Directory to run at Windows 2008 functional level. This approach seemed to offer many benefits, such as freeing up Microsoft engineering resources to work on new features instead of having to test Exchange against a complex matrix of older Active Directory levels. It also appeared sensible to refresh Active Directory as part of the planning process for the deployment of a new version of Exchange.

Paul Robichaux weighed in on the debate by coming down on the side of those who think that Exchange cannot force an update. Paul said that he thought “Microsoft should be working on the lowest-friction migration path possible”. It’s hard to disagree with this sentiment. Paul also didn’t think that my point about testing held water because so much of this is automated today. I still think that it’s valid because people do real work to plan, execute, monitor, and fix tests. If not, tests go wrong or fail to detect conditions – and we have seen the effect of this in some of the roll-up updates Microsoft has released for Exchange 2010.

Lots of email was generated about different aspects of the debate. Quite a few messages described a situation found in many companies in which the folks who run Active Directory and those who are responsible for applications are disconnected when it comes to infrastructure updates. This seems like a throwback to the era when IT departments operated in silos, and I was surprised to see how often correspondents reported that the Active Directory managers did their own thing and didn’t really understand what applications needed. A lot of people noted that their IT infrastructures supported so many applications that it was almost impossible to test what effect an Active Directory upgrade might have. That came as quite a scary thought because it’s an inevitable fact of technology that sooner or later Microsoft will force customers to upgrade Active Directory. What happens then?

For example, some reported infrastructures that contain components (for instance, Samba or Netfiler) that depend on old authentication mechanisms such as NT LAN Manager V1 (NTLMv1). This is a very old mechanism that has since been revised and largely replaced by more secure authentication mechanisms such as Kerberos. Others told of firewalls that exist between client computers and domain controllers that might cause authentication to break because the RPC dynamic port range changes between Windows 2003 and Windows Server 2008.
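As an added, read-only pre-upgrade check (my example, not part of the original post), the following PowerShell inventories the two settings this paragraph names on each host you pass in: the RPC dynamic port range (1025-5000 on Windows 2003, 49152-65535 from Windows Server 2008 onwards) and the LmCompatibilityLevel that governs whether a host sends or a domain controller accepts NTLMv1. It assumes PowerShell 3 or later and WinRM for remote hosts; the host names at the bottom are placeholders.

```powershell
# Added example, not code from the post: inventory RPC dynamic port range and
# NTLM compatibility level before domain controllers move to Windows 2008.
function Get-AuthUpgradeFacts {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $probe = {
        # netsh prints "Start Port : N" and "Number of Ports : M"; parse both.
        $out   = netsh int ipv4 show dynamicport tcp
        $start = [int](($out | Select-String 'Start Port\s*:\s*(\d+)' | Select-Object -First 1).Matches[0].Groups[1].Value)
        $count = [int](($out | Select-String 'Number of Ports\s*:\s*(\d+)' | Select-Object -First 1).Matches[0].Groups[1].Value)
        # Absent value means the OS default applies; it is reported as $null.
        $lm = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue).LmCompatibilityLevel
        # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
        $isDc = (Get-WmiObject Win32_ComputerSystem).DomainRole -ge 4
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            IsDC     = [bool]$isDc
            RpcStart = $start
            RpcEnd   = $start + $count - 1
            LmLevel  = $lm
        }
    }

    foreach ($c in $ComputerName) {
        $f = if ($c -eq $env:COMPUTERNAME) { & $probe } else { Invoke-Command -ComputerName $c -ScriptBlock $probe }

        # Interpretation: firewall rules written for 1025-5000 drop traffic in
        # the 49152+ range; LmCompatibilityLevel 5 on a DC refuses LM and NTLMv1,
        # which is exactly what the legacy components above still rely on;
        # a member host below level 3 still sends NTLMv1 responses.
        $notes = @()
        if ($f.RpcStart -ge 49152) { $notes += 'RPC range 49152-65535: firewall rules for 1025-5000 will block DC traffic' }
        if ($f.IsDC -and $f.LmLevel -ge 5) { $notes += 'DC refuses LM/NTLMv1: NTLMv1-only clients will fail' }
        if (-not $f.IsDC -and $null -ne $f.LmLevel -and $f.LmLevel -lt 3) { $notes += 'host still sends NTLMv1' }

        $f | Add-Member -NotePropertyName RpcRange -NotePropertyValue ("{0}-{1}" -f $f.RpcStart, $f.RpcEnd)
        $f | Add-Member -NotePropertyName Note -NotePropertyValue ($notes -join '; ') -PassThru
    }
}

# Placeholder host names; replace with your DCs and application servers.
Get-AuthUpgradeFacts -ComputerName 'DC01', 'APP01' |
    Format-Table Computer, IsDC, RpcRange, LmLevel, Note -AutoSize
```

Run it against the domain controllers and the application servers that sit behind a firewall, and compare the reported ranges with the rules that firewall actually carries.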

One point repeated over and over was that Exchange works fine with Windows 2003 – if it doesn’t break anything why attempt to fix it in Exchange 2013? This point was reinforced by the salient fact that none of the improvements in Active Directory when operated at Windows 2008 functional level impact Exchange in any obvious way (finer-grained password policies, SYSVOL replication, retention of logon data, and so on) and no version of Exchange supports the most obvious recent enhancement (read-only domain controllers). Essentially Exchange treats Active Directory as a highly functional LDAP server that also happens to store a great deal of its configuration data. There’s no great difference between Windows 2003 and Windows 2008 when it comes to LDAP queries and updates. I think this is a fair point that prompts the question “what advantage could Exchange get from modern Active Directory versions”? Cue deafening silence…

Of course, one of the big reasons for upgrading is to maintain support. Windows 2003 extended support finishes in July 2015 while Windows 2008 reaches the end of its extended support in 2018. It’s true that you could keep on running Active Directory on Windows 2008 R2 servers using Windows 2003 functional level well into the next decade and so secure peace of mind that this essential piece of your infrastructure is maintained until then. The support imperative runs into difficulties because Microsoft has done a pretty good job of ensuring that Active Directory can run in old modes on new versions of the O/S.

Although the testing matrix for the Exchange development group would be simpler if they could eliminate support for older versions of Active Directory, the downside from their perspective is that forcing an upgrade might slow adoption of the new release. Customers tend to take their time before they get around to deploying a new version of Exchange. It can take anything from six months to two years before a company is happy that its infrastructure can support a new version, that users have the right clients, that the help desk is ready to support the deployment, and that the migration won’t impact the business. Throwing Active Directory upgrades into the mix would probably create a further delay for a myriad of reasons, from internal politics to cost-benefit analyses to the actual work necessary to perform the upgrade. Slowing an Exchange upgrade might also slow the adoption of other products such as new versions of Outlook and the other Office applications.

In a nutshell, I think the discussion can be summarized as follows:

  • There are technical advantages such as longer support in moving Active Directory to a recent version such as Windows 2008 functional level running on Windows 2008 R2 servers. However, there don’t seem to be many business advantages for such a move.
  • There are definite performance advantages in running domain controllers and global catalogs on modern hardware. In other words, it’s time to dump those old 32-bit computers (if you have any that are still limping along).
  • Even applications like Exchange that make such extensive use of Active Directory cannot impose a requirement to upgrade Active Directory unless the engineering group creates a compelling case for such an upgrade.

So after all the argument and debate, the simple fact is that whereas there are a lot of “nice to have” benefits of running the latest and greatest Active Directory, Exchange 2010 runs fine with Active Directory operating in Windows 2003 functional level. Given the lack of evidence to prove that the newest version of Active Directory delivers anything that Exchange 2013 could exploit, I anticipate that the same forest functional level will continue for Exchange 2013. Time will tell.

About Tony Redmond

Lead author for the Office 365 for IT Pros eBook and writer about all aspects of the Office 365 ecosystem.

5 Responses to Forcing an Active Directory update with Exchange 2013 might not be such a good idea

  1. PMP says:

    Reality is that Windows Server 2003 will stay for years (unfortunately) after extended support time, like it or not. And there will be a lot of different important business applications/systems that rely on Windows Server 2003. Forcing to upgrade AD functional level will work against Exchange itself. You don’t want to be in charge of breaking authentication in your AD environment because of Exchange! In my opinion AD is a kind of burden for Microsoft these days, because of its security models and highly integrated applications such as Exchange. It’s just too inflexible for today’s needs (Clouds etc.). Removing Exchange configuration from AD could solve these kinds of problems in the future, maybe. Just like Microsoft did with Lync Server. I understand that there’s a lot to do to accomplish that but anyway… Another solution is to move away from Exchange and try to find a solution that is not so dependent on AD. We don’t want that either (at least I don’t).

  2. Claire says:

    I do think a forced upgrade will deter migration, but MSFT ought to work on making the migration process as seamless, reduced, and well-outlined as possible. Perhaps they could put together some sort of tool that scans all of an org’s applications and identifies which ones would/could be affected by an upgrade.

  3. Nutshell – Business advantage & AD performance matter a lot for an org to take a call on moving to Windows 2008, but again, will wait for the time 🙂

    Engineering groups definitely could have a compelling case for such an upgrade better than what I have may be…

  4. Pingback: Forcing an Active Directory update with Exchange 2013 might not be such a good idea - The Microsoft Enterprise Blog

  5. I’ve had a different experience — many of my customers use the Exchange upgrade as an excuse/imperative to upgrade Active Directory (and vice versa). The projects aren’t usually directly tied together as dependencies, but there’s definitely a sense of “while we’re doing X, we might as well do Y too”. I think an increased minimum requirement could drive as many AD upgrades as it might delay Exchange upgrades.
