
Prepare Active Directory and Domains

 

Applies to: Exchange Server 2013

Topic Last Modified: 2014-02-24

Before you install the release to manufacturing (RTM) version of Microsoft Exchange Server 2013 or later cumulative updates (CU) on any servers in your organization, you must prepare Active Directory and domains.

  • Estimated time to complete: 10-15 minutes (not including Active Directory replication) or more, depending on organization size and number of child domains

  • The computers on which you plan to install Exchange 2013 must meet the system requirements. For details, see Exchange 2013 System Requirements.

  • Your domains and the domain controllers must meet the system requirements in "Network and directory servers" in Exchange 2013 System Requirements.

  • For multiple domain organizations running the following /Prepare* commands, we recommend the following:

    • Run the commands from an Active Directory site that has an Active Directory server from every domain.

    • Run the first server role installation from an Active Directory site with a writeable global catalog server from every domain.

    • Verify that replication of objects from the preceding actions is completed on the global catalog server in the Active Directory site before installing the first Exchange 2013 server to that site.

  • If you run the Exchange 2013 Setup wizard with an account that has the permissions required (Schema Admins, Domain Admins, and Enterprise Admins) to prepare Active Directory and the domain, the wizard automatically prepares Active Directory and the domain. For more information, see Install Exchange 2013 Using the Setup Wizard. However, you must first install the Active Directory management tools on the computer prior to preparing the schema or domains. To do this, see the Active Directory preparation section in Exchange 2013 Prerequisites.

  • You must specify the /IAcceptExchangeServerLicenseTerms parameter when you run setup.exe to accept the Exchange 2013 license terms.

  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard Shortcuts in the Exchange Admin Center.

Tip:
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.

The following table shows you the Exchange 2013 objects in Active Directory that get updated each time you install a new version of Exchange 2013. You can compare the object versions you see with the values in the table below to verify that the version of Exchange 2013 you installed successfully updated Active Directory during installation.

 

Exchange version | msExchProductId | rangeUpper | objectVersion | objectVersion
Naming context | Configuration | Schema | Default | Configuration
Container | CN=<your organization>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain> | ms-Exch-Schema-Version-Pt | Microsoft Exchange System Objects | CN=<your organization>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain>
----------------------------------------------------------------------
Exchange 2013 RTM | 15.00.0516.032 | 15137 | 13236 | 15449
Exchange 2013 CU1 | 15.00.0620.029 | 15254 | 13236 | 15614
Exchange 2013 CU2 | 15.00.0712.024 | 15281 | 13236 | 15688
Exchange 2013 CU3 | 15.00.0775.038 | 15283 | 13236 | 15763
Exchange 2013 SP1 | 15.00.0847.032 | 15292 | 13236 | 15844

Important (Exchange 2013 CU2):
If msExchProductId is 15.00.712.022, you have an out of date version of Exchange 2013 CU2. To avoid problems moving public folder mailboxes and make sure you can install future updates, you need to install the latest version of Exchange 2013 CU2. For more information, see Public folders in Release Notes for Exchange 2013.

To track the progress of Active Directory replication, you can use the repadmin tool (repadmin.exe), which is installed as part of the Windows Server 2012 and Windows Server 2008 R2 Active Directory Domain Services Tools (RSAT-ADDS) feature. For more information about how to use repadmin, see Repadmin.

  1. From a Command Prompt window, run the following command. (If you want, you can skip this step and prepare the schema as part of Step 2.)

     

    setup /PrepareSchema or setup /ps

     

    Important:
    If you have multiple forests in your organization, make sure that you run your forest preparation from the correct Exchange forest. Setup preparation makes configuration changes to your forest, and it could configure a non-Exchange forest incorrectly.

    Note:
    It isn't supported to use the LDIF Directory Exchange tool (LDIFDE) to manually import the Exchange 2013 schema changes. You must use Setup to update the schema.

    This command performs the following tasks:

     

    • Connects to the schema master and imports LDAP Data Interchange Format (LDIF) files to update the schema with Exchange 2013 specific attributes. The LDIF files are copied to the Temp directory and then deleted after they are imported into the schema.

       

    • Sets the schema version (ms-Exch-Schema-Version-Pt). To see the version that should be shown after this command completes, look up the version of Exchange 2013 you're installing in the table in Exchange 2013 Active Directory versions.

     

    Note the following:

     

    • To run this command, you must be a member of the Schema Admins group and the Enterprise Admins group.

    • You must run this command on a 64-bit computer in the same domain and in the same Active Directory site as the schema master.

    • If you use the /DomainController parameter with this command, you must specify the domain controller that is the schema master.

    • After you run this command, you should wait for the changes to replicate across your Exchange organization before continuing to the next step. The amount of time this takes is dependent upon your Active Directory site topology.

    • For more information, see Exchange 2013 Active Directory Schema Changes.

       

  2. From a Command Prompt window, run the following command.

     

    setup /PrepareAD [/OrganizationName:<organization name>] or setup /p [/on:<organization name>]

     

    This command performs the following tasks:

     

    • If the Microsoft Exchange container doesn't exist, this command creates it under CN=Services,CN=Configuration,DC=<root domain>.

       

    • If no Exchange organization container exists under CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>, you must specify an organization name using the /OrganizationName parameter. The organization container will be created with the name that you specify.

      The Exchange organization name can contain only the following characters:

      A through Z

      a through z

      0 through 9

      Space (not leading or trailing)

      Hyphen or dash

      The organization name can't contain more than 64 characters. The organization name can't be blank. If the organization name contains spaces, you must enclose the name in quotation marks (").

       

    • Verifies that the schema has been updated and that the organization is up to date by checking the objectVersion property in Active Directory. The objectVersion property is in the CN=<your organization>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain> container. To see the version that should be shown after this command completes, look up the version of Exchange 2013 you're installing in the table in Exchange 2013 Active Directory versions.

       

    • Sets the msExchProductId value on the Exchange organization object. The msExchProductId property is in the CN=<your organization>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain> container. To see the version that should be shown after this command completes, look up the version of Exchange 2013 you're installing in the table in Exchange 2013 Active Directory versions.

       

    • If the containers don't exist, creates the following containers and objects under CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>, which are required for Exchange 2013:

       

      CN=Address Lists Container,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=AddressBook Mailbox Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=Addressing,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=Administrative Groups,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=Approval Applications,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=Auth Configuration,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=Availability Configuration,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=Client Access,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=Connections,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=ELC Folders Container,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=ELC Mailbox Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=ExchangeAssistance,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=Federation,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=Federation Trusts,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=Global Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=Hybrid Configuration,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=Mobile Mailbox Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=Mobile Mailbox Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=Monitoring Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=OWA Mailbox Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=Provisioning Policy Container,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=Push Notification Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=RBAC,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=Recipient Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=Remote Accounts Policies Container,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=Retention Policies Container,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=Retention Policy Tag Container,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=ServiceEndpoints,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=System Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=Team Mailbox Provisioning Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=Transport Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=UM AutoAttendant Container,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=UM DialPlan Container,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=UM IPGateway Container,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=UM Mailbox Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=Workload Management Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

    • If they don't exist, creates the following containers and objects under: CN=Transport Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=Accepted Domains,CN=Transport Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=ControlPoint Config,CN=Transport Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=DNS Customization,CN=Transport Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=Interceptor Rules,CN=Transport Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=Malware Filter,CN=Transport Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=Message Classifications,CN=Transport Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=Message Hygiene,CN=Transport Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=Rules,CN=Transport Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

      CN=MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e,CN=Transport Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

       

    • Assigns specific permissions throughout the configuration partition.

       

    • Imports the Rights.ldf file. This adds the extended rights required for Exchange to install into Active Directory.

       

    • Creates the Microsoft Exchange Security Groups organizational unit (OU) in the root domain of the forest and assigns specific permissions on this OU.

       

    • Creates the following management role groups within the Microsoft Exchange Security Groups OU:

      Compliance Management

      Delegated Setup

      Discovery Management

      Help Desk

      Hygiene Management

      Organization Management

      Public Folder Management

      Recipient Management

      Records Management

      Server Management

      UM Management

      View-Only Organization Management

       

    • Adds the new universal security groups (USGs) that are within the Microsoft Exchange Security Groups OU to the otherWellKnownObjects attribute stored on the CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain> container.

       

    • Creates the Unified Messaging Voice Originator contact in the Microsoft Exchange System Objects container of the root domain.

       

    • Prepares the local domain for Exchange 2013. For information about what tasks are completed to prepare a domain, see Step 3.

     

    Note the following:

     

    • To run this command, you must be a member of the Enterprise Admins group.

    • The computer where you run this command must be able to contact all domains in the forest on port 389.

    • You must run this command on a computer in the same domain and in the same Active Directory site as the schema master. Setup will make all configuration changes to the schema master to avoid conflicts because of replication latency.

    • After you run this command, you should wait for the changes to replicate across your Exchange organization before continuing to the next step. The amount of time this takes is dependent upon your Active Directory site topology.

    • To verify that this step completed successfully, make sure that there is a new OU in the root domain called Microsoft Exchange Security Groups. This OU should contain the following new Exchange USGs:

      Compliance Management

      Delegated Setup

      Discovery Management

      Exchange Servers

      Exchange Trusted Subsystem

      Exchange Windows Permissions

      ExchangeLegacyInterop

      Help Desk

      Hygiene Management

      Managed Availability Servers

      Organization Management

      Public Folder Management

      Recipient Management

      Records Management

      Server Management

      UM Management

      View-Only Organization Management

       

  3. From a Command Prompt window, run one of the following commands:

     

    • Run setup /PrepareDomain or setup /pd to prepare the local domain. You don't need to run this in the domain where you ran Step 2. Running setup /PrepareAD prepares the local domain.

       

    • Run setup /PrepareDomain:<FQDN of domain you want to prepare> to prepare a specific domain.

       

    • Run setup /PrepareAllDomains or setup /pad to prepare all domains in your organization.

     

    These commands perform the following tasks:

     

    • If this is a new organization, creates the Microsoft Exchange System Objects container in the root domain partition in Active Directory and sets permissions on this container for the Exchange Servers, Exchange Organization Administrators, and Authenticated Users groups. This container is used to store public folder proxy objects and Exchange-related system objects, such as the mailbox database's mailbox.

       

    • Sets the objectVersion property in the Microsoft Exchange System Objects container under DC=<root domain>. To see the version that should be shown after this command completes, look up the version of Exchange 2013 you're installing in the table in Exchange 2013 Active Directory versions.

       

    • Creates a domain global group in the current domain called Exchange Install Domain Servers. The command places this group in the Microsoft Exchange System Objects container. It also adds the Exchange Install Domain Servers group to the Exchange Servers USG in the root domain.

      Note:
      The Exchange Install Domain Servers group is used if you install Exchange 2013 in a child domain that is in an Active Directory site other than the root domain. The creation of this group allows you to avoid installation errors if group memberships haven't replicated to the child domain.

    • Assigns permissions at the domain level for the Exchange Servers USG and the Organization Management USG.

     

    Note the following:

     

    • To run setup /PrepareAllDomains, you must be a member of the Enterprise Admins group.

    • To run setup /PrepareDomain, if the domain that you're preparing existed before you ran setup /PrepareAD, you must be a member of the Domain Admins group in the domain. If the domain that you're preparing was created after you ran setup /PrepareAD, you must be a member of the Exchange Organization Administrators group, and you must be a member of the Domain Admins group in the domain.

    • For domains in an Active Directory site other than the root domain, /PrepareDomain might fail with the following messages:

       

      "PrepareDomain for domain <YourDomain> has partially completed. Because of the Active Directory site configuration, you must wait at least 15 minutes for replication to occur, and run PrepareDomain for <YourDomain> again."

      "Active Directory operation failed on <YourServer>. This error is not retriable. Additional information: The specified group type is invalid.

      Active Directory response: 00002141: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0

      The server cannot handle directory requests."

       

      If you see these messages, wait for or force Active Directory replication between this domain and the root domain, and then run /PrepareDomain again.

    • You must run this command in every domain in which you will install Exchange 2013. You must also run this command in every domain that will contain mail-enabled users, even if the domain doesn't have Exchange 2013 installed.

     

    To verify that step 3 completed successfully, confirm the following:

    • You have a new global group in the Microsoft Exchange System Objects container called Exchange Install Domain Servers. (To view the Microsoft Exchange System Objects container in Active Directory Users and Computers, on the View menu, click Advanced Features.)

    • The Exchange Install Domain Servers group is a member of the Exchange Servers USG in the root domain.

    • On each domain controller in a domain in which you will install Exchange 2013, the Exchange Servers USG has permissions on the Domain Controller Security Policy\Local Policies\User Rights Assignment\Manage Auditing and Security Log policy.
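The group checks listed for Steps 2 and 3, as an added PowerShell example rather than Microsoft's own tooling: it compares the groups in the Microsoft Exchange Security Groups OU with the list above and confirms that Exchange Install Domain Servers is a member of Exchange Servers. The function name and its DomainDn parameter are assumptions made for this example; a group reported as unexpected is simply one this page does not list.

```powershell
# Added example, not Microsoft's code. Group names are copied from the lists in Steps 2 and 3.
$ExpectedUsgs = @(
    'Compliance Management', 'Delegated Setup', 'Discovery Management', 'Exchange Servers',
    'Exchange Trusted Subsystem', 'Exchange Windows Permissions', 'ExchangeLegacyInterop',
    'Help Desk', 'Hygiene Management', 'Managed Availability Servers',
    'Organization Management', 'Public Folder Management', 'Recipient Management',
    'Records Management', 'Server Management', 'UM Management',
    'View-Only Organization Management'
)

function Test-ExchangeSecurityGroups {
    # DomainDn (hypothetical parameter): DN of the domain prepared in Step 3.
    param([string]$DomainDn)

    $rootDse = [ADSI]'LDAP://RootDSE'
    $rootNC  = [string]$rootDse.rootDomainNamingContext      # forest root domain
    if (-not $DomainDn) { $DomainDn = [string]$rootDse.defaultNamingContext }

    $ouDn = "OU=Microsoft Exchange Security Groups,$rootNC"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$ouDn")) {
        throw "OU not found: $ouDn (Step 2 has not run or has not replicated yet)"
    }

    # Step 2 check: list every group directly under the OU.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$ouDn"
    $searcher.Filter      = '(objectClass=group)'
    $searcher.SearchScope = 'OneLevel'
    $found = @($searcher.FindAll() | ForEach-Object { [string]@($_.Properties['cn'])[0] })

    # Step 3 check: the domain global group and its membership in the Exchange Servers USG.
    $installDn = "CN=Exchange Install Domain Servers,CN=Microsoft Exchange System Objects,$DomainDn"
    $members = @()
    if ($found -contains 'Exchange Servers') {
        $exServers = [ADSI]"LDAP://CN=Exchange Servers,$ouDn"
        $members = @($exServers.psbase.Properties['member'] | ForEach-Object { [string]$_ })
    }

    New-Object PSObject -Property @{
        MissingGroups                 = @($ExpectedUsgs | Where-Object { $found -notcontains $_ })
        UnexpectedGroups              = @($found | Where-Object { $ExpectedUsgs -notcontains $_ })
        InstallGroupExists            = [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$installDn")
        InstallGroupInExchangeServers = ($members -contains $installDn)
    }
}

Test-ExchangeSecurityGroups | Format-List
```

Saving the output right after Setup gives a baseline of these groups to compare against in later reviews.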

Use Active Directory Service Interfaces Editor (ADSI Edit) to verify that Active Directory has been successfully updated by doing the following. For more information on how to use ADSI Edit, see ADSI Edit (adsiedit.msc).

  • In the Configuration naming context, verify that the msExchProductId property in the CN=<your organization>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain> container is set to the value shown for your version of Exchange 2013 in the table in Exchange 2013 Active Directory versions.

     

    Note:
    If the msExchProductId property is set to the correct value for the version of Exchange 2013 you installed, Active Directory has been successfully prepared. You don't need to check any of the remaining values in this list. The information below is for information purposes only and for those who separate the PrepareSchema and PrepareAD steps.

  • In the Schema naming context, verify that the rangeUpper property on ms-Exch-Schema-Version-Pt is set to the value shown for your version of Exchange 2013 in the table in Exchange 2013 Active Directory versions.

     

  • In the Configuration naming context, verify that the objectVersion property in the CN=<your organization>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain> container is set to the value shown for your version of Exchange 2013 in the table in Exchange 2013 Active Directory versions.

     

  • In the Default naming context, verify that the objectVersion property in the Microsoft Exchange System Objects container under DC=<root domain> is set to the value shown for your version of Exchange 2013 in the table in Exchange 2013 Active Directory versions.
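The four ADSI Edit checks above can also be scripted. The following is an added PowerShell example, not part of the original topic or Microsoft's code; the function names are assumptions, the expected values are copied from the version table on this page, and it reads the directory through ADSI only.

```powershell
# Added example, not Microsoft's code. Expected values are copied from the table on this page.
$ExpectedVersions = @(
    @{ Name='Exchange 2013 RTM'; ProductId='15.00.0516.032'; RangeUpper=15137; Domain=13236; Org=15449 },
    @{ Name='Exchange 2013 CU1'; ProductId='15.00.0620.029'; RangeUpper=15254; Domain=13236; Org=15614 },
    @{ Name='Exchange 2013 CU2'; ProductId='15.00.0712.024'; RangeUpper=15281; Domain=13236; Org=15688 },
    @{ Name='Exchange 2013 CU3'; ProductId='15.00.0775.038'; RangeUpper=15283; Domain=13236; Org=15763 },
    @{ Name='Exchange 2013 SP1'; ProductId='15.00.0847.032'; RangeUpper=15292; Domain=13236; Org=15844 }
)

function Get-AdValue([string]$Dn, [string]$Attribute) {
    # Returns $null when the object does not exist yet (schema or domain not prepared).
    $path = "LDAP://$Dn"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) { return $null }
    return ([ADSI]$path).psbase.Properties[$Attribute].Value
}

function Get-ExchangeAdState {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNC = [string]$rootDse.schemaNamingContext
    $configNC = [string]$rootDse.configurationNamingContext
    $rootNC   = [string]$rootDse.rootDomainNamingContext     # forest root domain
    $state = @{
        # The schema object is named ms-Exch-Schema-Version-Pt in the directory.
        RangeUpper = Get-AdValue "CN=ms-Exch-Schema-Version-Pt,$schemaNC" 'rangeUpper'
        Domain     = Get-AdValue "CN=Microsoft Exchange System Objects,$rootNC" 'objectVersion'
        Org        = $null
        ProductId  = $null
    }
    # The organization name differs per forest, so locate the container by object class.
    $exchPath = "LDAP://CN=Microsoft Exchange,CN=Services,$configNC"
    if ([System.DirectoryServices.DirectoryEntry]::Exists($exchPath)) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot  = [ADSI]$exchPath
        $searcher.Filter      = '(objectClass=msExchOrganizationContainer)'
        $searcher.SearchScope = 'OneLevel'
        $org = $searcher.FindOne()
        if ($org) {
            $state.Org       = @($org.Properties['objectversion'])[0]
            $state.ProductId = @($org.Properties['msexchproductid'])[0]
        }
    }
    return $state
}

function Test-ExchangeAdPreparation {
    $state = Get-ExchangeAdState
    if ($state.ProductId -eq '15.00.712.022') {
        Write-Warning 'Out-of-date Exchange 2013 CU2 build; install the latest CU2 (see the note under the table).'
    }
    # Match on msExchProductId first; fall back to rangeUpper when only /PrepareSchema has run.
    $row = $ExpectedVersions | Where-Object { $_.ProductId -eq $state.ProductId } | Select-Object -First 1
    if (-not $row) {
        $row = $ExpectedVersions | Where-Object { $_.RangeUpper -eq $state.RangeUpper } | Select-Object -First 1
    }
    if (-not $row) {
        Write-Warning 'No row of the table matches; Active Directory is not prepared or this build is not listed.'
        return
    }
    foreach ($key in 'ProductId', 'RangeUpper', 'Org', 'Domain') {
        New-Object PSObject -Property @{
            Version  = $row.Name
            Check    = $key
            Found    = $state[$key]
            Expected = $row[$key]
            Match    = ("$($state[$key])" -eq "$($row[$key])")
        }
    }
}

Test-ExchangeAdPreparation | Format-Table Version, Check, Found, Expected, Match -AutoSize
```

The Domain check reads the forest root domain; to check another prepared domain, pass that domain's Microsoft Exchange System Objects DN to Get-AdValue.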

     

You can also check the Exchange setup log to verify that Active Directory preparation has completed successfully. For more information, see Verify an Exchange 2013 Installation.

Note:
You won't be able to use the Get-ExchangeServer cmdlet mentioned in the Verify an Exchange 2013 Installation topic until you've completed the installation of at least one Mailbox server role and one Client Access server role in an Active Directory site.
 