White Paper: Preparing Active Directory for Exchange 2007

 

Author: Simon Shepherd, Principal Consultant

March 2007

Summary

Before you can install Microsoft® Exchange Server 2007, you must prepare the Active Directory® directory service for the installation. This white paper provides the information that will help you successfully prepare Active Directory.

Applies To

Microsoft Exchange Server 2007

Introduction

Exchange 2007 can be installed either through the graphical user interface (GUI) or by typing commands at a command prompt. In both cases, Setup must perform several tasks to prepare Active Directory. There are several reasons to choose a command-line setup: running the tasks from a command prompt allows each task to be run with least privilege, by different administrators, and at different locations and times, and separating the tasks allows each one to be verified before progressing to the next.

Adding Exchange 2007 to an existing Exchange Server 2003 or Exchange 2000 Server organization requires the following commands to be completed before installing the first Exchange 2007 server:

  1. Setup /PrepareLegacyExchangePermissions

  2. Setup /PrepareSchema

  3. Setup /PrepareAD

  4. Setup /PrepareDomain

Note

If you are creating a new Exchange 2007 organization, you are only required to perform Steps 2, 3, and 4.

These commands do not have to be run separately. For example, running Setup /PrepareAD also runs Setup /PrepareSchema and Setup /PrepareLegacyExchangePermissions if they are still required. However, in large or complex environments you may want to divide Exchange Setup into its constituent parts for change management and administrative reasons. Because each Setup /Prepare command depends on the previous one having completed, you must also allow Active Directory replication to finish before moving to the next task.

Note that if you create a new Exchange 2007 organization, you cannot subsequently introduce Exchange 2003 or Exchange 2000. So if your requirements change and you need functionality such as an X.400 connector or GroupWise connector, you will not be able to add Exchange 2003 or Exchange 2000 to provide this. Consider carefully if you have any future requirement for any of the discontinued Exchange 2003 or Exchange 2000 features.

For a comprehensive list of discontinued Exchange 2003 and Exchange 2000 features, see Discontinued Features and De-Emphasized Functionality.

Note

You can run these procedures on a computer that has either a 32-bit or a 64-bit processor. To run these procedures on a computer that has a 32-bit processor, you must download the 32-bit version of Exchange. For 32-bit download information, see Microsoft Exchange Server 2007 Management Tools (32-Bit).


Apply Legacy Exchange Permissions

The following sections provide the background, execution, and verification information needed to add an Exchange 2007 server to an existing Exchange 2003 or Exchange 2000 organization.

Background

The following is a review of how the Exchange 2003 or Exchange 2000 Recipient Update Service (RUS) is granted rights to update objects in Active Directory. A property set is a collection of attributes in Active Directory, and each attribute can be a member of only one property set. The predefined Public Information property set in Active Directory contains attributes such as Proxy Addresses and Email Addresses, and the Exchange 2003 or Exchange 2000 RUS needs write access to this property set to stamp e-mail addresses. Exchange 2003 or Exchange 2000 DomainPrep grants the Exchange Enterprise Servers group rights to this property set at the domain level. The computer account of the server that runs the RUS is added to the Exchange Domain Servers group, and the Exchange Domain Servers group is in turn a member of the Exchange Enterprise Servers group. Hence, through the Public Information property set, the RUS has the rights it needs to modify e-mail addresses on objects in that domain.

But how can a property set simplify delegated administration? The property set can be used for granting access to a subset of an object's attributes by setting a single access control entry (ACE), rather than setting an ACE for each property. For further details about property sets, see the Exchange Server Team Blog article Property Sets in Exchange Server 2007.

Note

The content of each blog and its URL are subject to change without notice. The content within each blog is provided "AS IS" with no warranties, and confers no rights. Use of included script samples or code is subject to the terms specified in the Microsoft Terms of Use.

Exchange 2007 has more granular delegated administrative roles, such as Recipient Admin, that restrict the scope of tasks an administrator can perform. To facilitate this, the Exchange-Information and Exchange Personal Information property sets are created when the schema is extended for Exchange 2007. These property sets only contain Exchange-related attributes and enable more granular delegation of recipient administration than was possible using the built-in Active Directory property sets. Because an attribute can only be a member of a single property set, attributes such as Proxy Addresses and Email Addresses are moved from the Active Directory Public Information property set to the Exchange-Information property set.

In Exchange 2007, mail-enabled objects are created fully provisioned, with e-mail addresses applied immediately, so there is no longer any need for the RUS. The challenge is that during coexistence the Exchange 2003 or Exchange 2000 RUS has no rights to the new Exchange-Information and Exchange Personal Information property sets. As soon as the schema is extended for Exchange 2007, the attributes the RUS must stamp belong to a property set it cannot write, so the provisioning of Exchange 2003 or Exchange 2000 mail-enabled objects cannot be completed. The remainder of this section describes how Setup solves this issue.

Execution

Setup /PrepareLegacyExchangePermissions or Setup /pl can be run from any Active Directory site or domain in the forest. Setup queries the global catalog in the domain where it is executed and confirms that an Exchange legacy (Exchange 2003 or Exchange 2000) server exists in the organization and then identifies domains where Exchange 2003 or Exchange 2000 DomainPrep has been run by looking for the following groups:

  • Exchange Enterprise Servers (EES)

  • Exchange Domain Servers (EDS)

Warning

Do not rename or move these groups.

Setup does not need to be able to contact every domain in the forest, because it determines from the global catalog which domains have EES and EDS. It only needs to contact domains where Exchange 2003 or Exchange 2000 DomainPrep has been run, and it connects to those domains with LDAP on TCP port 389. If these groups have been moved out of their default container, Setup may not find them; the Microsoft Exchange Server Best Practices Analyzer Tool Exchange 2007 Readiness Check identifies the type of issue described in Microsoft Knowledge Base article 324949, Redirecting the users and computers containers in Windows Server 2003 domains.

Setup /pl grants the following rights in each Exchange 2003 or Exchange 2000 domain where DomainPrep is identified as having been run:

  • Grants the Exchange Enterprise Servers group write access to the Exchange-Information property set on the root of the domain.

  • Grants Authenticated Users read access to the Exchange-Information property set on the root of the domain.

  • Grants Exchange Enterprise Servers read/write access to the Exchange-Information property set on the AdminSDHolder object. For a description of the AdminSDHolder object, see Microsoft Knowledge Base article 232199, Description and Update of the Active Directory AdminSDHolder Object.

  • Grants Exchange Domain Servers write access to the Exchange-Information property set on the Exchange Organization container in the Active Directory Configuration partition.

If you want to execute Setup /pl from a single location and set permissions in all the identified target domains, you must run the command using an account that has Enterprise Admin permissions. If you prefer not to use an account with Enterprise Admin permissions, you must divide the Setup tasks into individual steps.

If the Active Directory forest has a single domain, you must use an account that has Domain Administrator permissions and Exchange Full Administrator permissions in the root domain. From a command prompt, run the following command.

setup /pl:<root domain's fully qualified domain name>

If Active Directory has multiple domains, Setup /pl can be targeted at a specific domain. To run the command, you must use an account that has Domain Administrator permissions and Exchange Full Administrator permissions in the domain that you specify. From a command prompt, run the following command.

setup /pl:<fully qualified domain name>

After Exchange 2007 has been installed, if Exchange 2003 or Exchange 2000 DomainPrep is run against a newly added domain, or for the first time against an existing domain, you must prepare the legacy Exchange permissions again. Either run Setup /pl from the forest root domain with Enterprise Admins rights, or, in the domain where you ran DomainPrep, run Setup /pl:<new domain's fully qualified domain name> using an account that has Domain Admins rights in that domain and Exchange Organization Administrators rights. This is shown in Figure 1.

Figure 1   Setup /PrepareLegacyExchangePermissions

setup /pl:edinburgh.northwindtraders.co.uk

Verification

After Setup has completed, you can verify that the permissions have been applied and replicated in Active Directory. To do this, perform the following:

  1. Launch Ldp.exe.

  2. Click Connection, and then click Connect (leave server blank). Click OK.

  3. Click Connection, and then click Bind (leave credentials blank). Click OK.

  4. Click View, and then click Tree.

  5. Enter the fully qualified domain name (FQDN) (for example, DC=northwindtraders,DC=co,DC=uk). Click OK.

  6. Right-click the domain (for example, northwindtraders.co.uk), click Advanced, and then click Security Descriptor. Click OK.

    The GUID for the Exchange-Information extended right is 1F298A89-DE98-47b8-B5CD-572AD53D267E.

  7. Scroll through the results pane and look for Object Ace Type: Unknown with this GUID.

This is shown in Figure 2.

Figure 2   Object Ace Type is unknown

ldp.exe Object Ace Type:Unknown

The ACE appears with an Unknown object type at this point because nothing in the Configuration partition yet maps the GUID to a name: the Exchange-Information property set itself is created when the schema is extended, but the Exchange-Information extended right object that carries its display name is not created until Setup /PrepareAD. Once that object exists, Ldp.exe resolves the GUID and displays the ACE as Exchange-Information.
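The Ldp.exe walk above checks one domain by hand. The following PowerShell script is an added example (it is not part of this white paper or of Exchange Setup) that performs the same discovery Setup /pl does, then reads the domain root and AdminSDHolder ACLs in each legacy-prepared domain and reports whether the three domain-partition grants listed above are present. It assumes PowerShell 2.0 or later on a domain-joined machine, an account that can read those ACLs, and the Exchange-Information GUID quoted above; the function and property names are this example's own.

```powershell
# Added example, not part of the original white paper. Read-only check of the
# permissions that Setup /PrepareLegacyExchangePermissions should have written.
# Assumptions: PowerShell 2.0 or later on a domain-joined machine, run as a user
# that can read the ACLs; the Exchange-Information GUID is the one quoted in
# this paper.

$ExchangeInformationGuid = [Guid]'1F298A89-DE98-47b8-B5CD-572AD53D267E'

function Get-LegacyDomainPrepDomains {
    # Same discovery Setup /pl performs: ask a global catalog which domains
    # hold the Exchange Enterprise Servers group that legacy DomainPrep created.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]('GC://' + [string]$rootDse.rootDomainNamingContext)
    $searcher.Filter = '(&(objectCategory=group)(cn=Exchange Enterprise Servers))'
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    foreach ($result in $searcher.FindAll()) {
        $dn = [string]$result.Properties['distinguishedname'][0]
        # The domain is the DC= tail of the DN, wherever the group was placed.
        $dn.Substring($dn.IndexOf(',DC=') + 1)
    }
}

function Get-TrusteeName($identity) {
    # Translate a SID to DOMAIN\Name; fall back to the SID for orphaned trustees.
    try { $identity.Translate([System.Security.Principal.NTAccount]).Value } catch { $identity.Value }
}

function Get-ExchangeInformationAces($distinguishedName) {
    # Only ACEs whose object type is the Exchange-Information property set; this
    # is the GUID that Ldp.exe reports as "Unknown" until /PrepareAD has run.
    $entry = [ADSI]('LDAP://' + $distinguishedName)
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.ObjectType -eq $ExchangeInformationGuid) {
            New-Object PSObject -Property @{
                Trustee = Get-TrusteeName $rule.IdentityReference
                Rights  = $rule.ActiveDirectoryRights
                Type    = $rule.AccessControlType
            }
        }
    }
}

function Test-Ace($aces, $trusteePattern, $right) {
    # True if an Allow ACE for a matching trustee carries the requested right.
    $wanted = [System.DirectoryServices.ActiveDirectoryRights]$right
    foreach ($ace in $aces) {
        if ($ace.Type -eq 'Allow' -and $ace.Trustee -like $trusteePattern -and
            (($ace.Rights -band $wanted) -eq $wanted)) { return $true }
    }
    return $false
}

function Test-LegacyExchangePermissions($domainDn) {
    # One row per domain with the three grants the paper lists for the domain partition.
    $root = @(Get-ExchangeInformationAces $domainDn)
    $sdh  = @(Get-ExchangeInformationAces "CN=AdminSDHolder,CN=System,$domainDn")
    New-Object PSObject -Property @{
        Domain                      = $domainDn
        EesWriteOnDomainRoot        = Test-Ace $root '*\Exchange Enterprise Servers' 'WriteProperty'
        AuthUsersReadOnDomainRoot   = Test-Ace $root 'NT AUTHORITY\Authenticated Users' 'ReadProperty'
        EesReadWriteOnAdminSDHolder = (Test-Ace $sdh '*\Exchange Enterprise Servers' 'ReadProperty') -and
                                      (Test-Ace $sdh '*\Exchange Enterprise Servers' 'WriteProperty')
    }
}

Get-LegacyDomainPrepDomains | ForEach-Object { Test-LegacyExchangePermissions $_ } | Format-List
```

Run it once per domain controller if you want to see replication progress rather than the state on whichever domain controller the locator picks; the script binds through the default locator. The ACE on the Exchange Organization container in the Configuration partition is not checked here, since that grant targets the forest-wide partition rather than a domain.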

Extend the Schema

The following sections provide the background, execution, and verification information needed to extend the Active Directory schema.

Background

The Active Directory schema must be extended to include or modify classes and attributes that are required for Exchange 2007. The Exchange 2007 schema extensions are a superset of the Exchange 2003 or Exchange 2000 schema extensions. For a breakdown of the Exchange 2007 specific schema extensions, see Active Directory Schema Changes.

Execution

Setup /PrepareSchema or Setup /ps must be run from a server in the same Active Directory site and domain as the schema master. Typically, the schema master role will be on a domain controller in the first domain created in the forest.

To run Setup /ps, you must use an account that is a member of both the Schema Admins group and the Enterprise Admins group. Extending the Active Directory schema is a robust and reliable process; however, if you want to inspect the result before it replicates, you can isolate the schema master by disabling its outbound replication first (for example, repadmin /options <schema master> +DISABLE_OUTBOUND_REPL). After the 100 .ldf files that comprise the Exchange 2007 schema extensions have been imported, verify the schema master and then re-enable outbound replication (repadmin /options <schema master> -DISABLE_OUTBOUND_REPL); while it is disabled, no change made on the schema master, Exchange-related or not, leaves that server. The .ldf files are written to the Temp folder and deleted as they are imported, so they are not left on disk for later inspection.

Verification

The replication of the schema extensions can be verified by connecting to each domain controller and checking the rangeUpper attribute of the ms-Exch-Schema-Version-Pt object in the Schema partition, as shown in Figure 3. When replication is complete, every domain controller reports the same value.

Figure 3   Verifying the schema version by using ADSI Edit

rangeUpper attribute in ADSI Edit

Prepare Active Directory

The following sections provide the background, execution, and verification information needed to prepare Active Directory.

Background

The prepare Active Directory group of tasks will verify that the schema has been extended, and if joining an existing organization, ensure that legacy permissions have been applied. If these tasks have not been completed and you are a member of the Schema Admins group and the Enterprise Admins group, Setup /PrepareAD will perform the Setup /PrepareLegacyExchangePermissions and Setup /PrepareSchema tasks.

Execution

Exchange 2007 Setup checks whether the organization is up to date by reading the objectVersion attribute on the Organization container in the Active Directory Configuration partition. The objectVersion for Exchange 2007 is 10666.

Setup /PrepareAD or Setup /p must be run from the same Active Directory site and domain as the schema master. This requirement is separate from extending the schema: the schema master is used as a reference point for the configuration changes so that Setup reads and writes against a replica that already holds the schema extensions, which avoids conflicts that replication latency would otherwise cause.

Setup /p has the following requirements:

  • All domains must be available and reachable with LDAP on TCP port 389.

  • Use an account with Enterprise Admins permissions.

Recognize that all domains in the forest must be able to be contacted regardless of whether they have Exchange 2003 or Exchange 2000 installed. This might be a challenge in complex Active Directory environments where connectivity between domains is restricted by firewalls.

Exchange 2007 has a new delegated administration model. Setup /p creates the following Exchange universal security groups (USG) in the Active Directory root domain in the Microsoft Exchange Security Groups organizational unit (OU):

  • ExchangeLegacyInterop

  • Exchange Organization Administrators

  • Exchange Recipient Administrators

  • Exchange View-Only Administrators

  • Exchange Servers

The ExchangeLegacyInterop group contains Exchange 2003 or Exchange 2000 bridgehead servers. A bridgehead server is added to this group when the first Exchange 2007 Hub Transport server is installed. The remaining groups are used for delegating administrative access to Exchange 2007. The groups can later be moved to different organizational units. Setup makes this possible by adding these groups to the Active Directory otherWellKnownObjects list. A well known GUID for each of the groups is stored along with the distinguished name (DN) of the object, and Active Directory updates the DN of the object if it is moved. The otherWellKnownObjects attribute is located on the CN=Microsoft Exchange, CN=Services, CN=Configuration container. Microsoft Exchange security groups are shown in Figure 4.

Figure 4   Microsoft Exchange security groups

Microsoft Exchange Security Groups in ADUC

For a new organization, you must specify an organization name that will be applied immediately. Setup will not create a placeholder object that is renamed when the first server is installed, as it did in Exchange 2003.

Setup /p creates the following containers in the Active Directory Configuration partition:

  • Exchange Administrative Group (FYDIBOHF23SPDLT)

  • Exchange Routing Group (DWBGZMFD01QNBJR)

These containers are only for Exchange 2007 servers.

Setup /p imports the Rights.ldf file, which adds the Exchange-Information extended right. To view this extended right, run Ldp.exe, and do the following:

  1. Click Connection, and then click Connect (leave server blank). Click OK.

  2. Click Connection, and then click Bind (leave credentials blank). Click OK.

  3. Click View, and then click Tree. Expand Configuration, expand Extended-Rights, and then select Exchange-Information. The entry that Rights.ldf adds is defined as follows (the changetype line is LDIF syntax from the .ldf file; the right pane in Ldp.exe displays the remaining attributes on the resulting object):

    • dn: CN=Exchange-Information,CN=Extended-Rights,<ConfigurationContainerDN>

    • changetype: ntdsSchemaAdd

    • displayName: Exchange Information

    • objectClass: controlAccessRight

    • rightsGuid: 1F298A89-DE98-47b8-B5CD-572AD53D267E

    • validAccesses: 48

A validAccesses value of 48 (0x30) combines the read-property (0x10) and write-property (0x20) access bits. That is what marks this controlAccessRight object as a property set rather than a control access right (0x100), and it is why the GUID appears as the object type of the read and write property ACEs granted earlier.

You can also view the security descriptor for the domain again and scroll to find the rightsGuid 1F298A89-DE98-47b8-B5CD-572AD53D267E. When you validated the Setup /PrepareLegacyExchangePermissions step, the object type was Unknown. After Rights.ldf has been imported, Ldp.exe can resolve the GUID, and the access control entry for the Exchange-Information extended right is displayed by name. This is shown in Figure 5.

Figure 5   Object Ace Type is Exchange-Information

ldp.exe Security Descriptors, Exchange Information

Setup /p also performs the prepare domain tasks in the Active Directory root domain partition:

  • In a new organization, Setup /p creates the Microsoft Exchange System Objects container.

  • Setup /p sets the objectVersion attribute on the Microsoft Exchange System Objects container, which stores the DomainPrep level. The objectVersion for Exchange 2007 is 10628.

  • Setup /p grants the Exchange administrative groups rights on the domain container and on the Microsoft Exchange System Objects container.

  • Setup /p creates the Exchange Install Domain Servers group and adds it to the Exchange Servers USG in the root domain. This is shown in Figure 6.

Figure 6   Install Domain Servers group

Microsoft Exchange System Objects in ADUC

When an Exchange 2007 server is installed, Setup adds the computer account to the Exchange Servers USG, which is located in the root domain by default. If the server being installed is in a different domain, Exchange services could fail to start during setup because that membership has not yet replicated to the local domain. To avoid this, Setup also adds the computer account to the Exchange Install Domain Servers global group in the local domain; the permissions granted to that group are sufficient for the services to start while the Exchange Servers membership replicates.

Setup /p grants the seSecurityPrivilege (Manage Auditing and Security Log) to the Exchange Servers group.

Prepare the Domain

The following sections provide the background, execution, and verification information needed to prepare the domain.

Background

The /PrepareAD parameter runs the prepare domain tasks only against the domain in which Setup is executed. If you have multiple domains and other domains host Exchange servers or mail-enabled objects, you must run Setup /PrepareDomain against each of them.

Execution

The prepare domain tasks have three operational scopes:

  • Setup /PrepareDomain or Setup /pd prepares the local domain.

  • Setup /PrepareDomain:<FQDN of target domain> prepares the specified domain.

  • Setup /PrepareAllDomains prepares every domain in the forest.

If Setup /PrepareDomain is run against a specific domain, Domain Admins privileges in that domain are required. If Setup /PrepareAllDomains is run against every domain in the forest, Enterprise Admins privileges are necessary.

Depending on the specified scope, Setup /PrepareDomain performs the following tasks:

  • Grants the Exchange Servers USG, Authenticated Users, Exchange Organization Administrators, and Exchange Recipient Administrators access to the Domain container.

  • Creates the Microsoft Exchange System Objects container.

  • Grants the Exchange Servers USG, Authenticated Users, and Exchange Organization Administrators access to the Microsoft Exchange System Objects container.

  • Grants the seSecurityPrivilege (Manage Auditing and Security log) to the Exchange Servers group.

  • Creates a new Domain Global group called Exchange Install Domain Servers and puts it in the Microsoft Exchange System Objects container of the local domain.

  • Adds the Exchange Install Domain Servers group to the Exchange Servers USG in the root domain.

Figure 7 shows the results of Setup /PrepareDomain.

Figure 7   Setup /PrepareDomain

setup /pd:edinburgh.northwindtraders.co.uk
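The schema version (Figure 3), the Organization objectVersion read by Setup /p, and the Microsoft Exchange System Objects objectVersion written by /PrepareDomain are each a single attribute, and all three must replicate before the next step. The following PowerShell script is an added example, not part of this white paper or of Exchange Setup, that reads all three from every domain controller in the forest in one pass. It assumes PowerShell 2.0 or later on a domain-joined machine that can reach every domain controller on TCP 389. The two objectVersion values are the ones quoted in this paper; the schema rangeUpper value of 10628 is this example's assumption for Exchange 2007 RTM, not a value the paper states, and the function names are this example's own.

```powershell
# Added example, not part of the original white paper. Reads the three version
# markers described above from every domain controller in the forest, so that
# replication of Setup /PrepareSchema, /PrepareAD and /PrepareDomain can be
# confirmed in one pass instead of opening ADSI Edit on each server.
# Assumptions: PowerShell 2.0 or later on a domain-joined machine that can reach
# every domain controller on TCP 389. The objectVersion values are the ones
# quoted in this paper; the rangeUpper value is this example's assumption for
# the Exchange 2007 RTM schema and is not stated by the paper.

$Expected = @{ SchemaRangeUpper = 10628; OrgObjectVersion = 10666; MesoObjectVersion = 10628 }

function Get-AttributeOnDc($dcName, $dn, $attribute) {
    # Bind to one specific DC so we see that DC's replica, not whichever DC the
    # locator would pick. Returns $null if the object or value is not there yet.
    if (-not $dn) { return $null }
    try {
        $entry = [ADSI]("LDAP://$dcName/$dn")
        $value = $entry.psbase.Properties[$attribute].Value
        if ($value -eq $null) { $null } else { [int]$value }
    } catch { $null }
}

function Get-ExchangeOrganizationDn($configNc) {
    # The organization container name is whatever was chosen at /PrepareAD, so find it by class.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://CN=Microsoft Exchange,CN=Services,$configNc")
    $searcher.Filter = '(objectClass=msExchOrganizationContainer)'
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    $result = $searcher.FindOne()
    if ($result) { [string]$result.Properties['distinguishedname'][0] } else { $null }
}

function Get-ExchangeVersionReport {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext
    $schemaNc = [string]$rootDse.schemaNamingContext
    $orgDn    = Get-ExchangeOrganizationDn $configNc

    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($domain in $forest.Domains) {
        # DNS name to DN; assumes ordinary dotted domain names.
        $domainDn = 'DC=' + ($domain.Name -replace '\.', ',DC=')
        foreach ($dc in $domain.DomainControllers) {
            $schema = Get-AttributeOnDc $dc.Name "CN=ms-Exch-Schema-Version-Pt,$schemaNc" 'rangeUpper'
            $org    = Get-AttributeOnDc $dc.Name $orgDn 'objectVersion'
            # MESO objectVersion is only present in domains where /PrepareDomain ran.
            $meso   = Get-AttributeOnDc $dc.Name "CN=Microsoft Exchange System Objects,$domainDn" 'objectVersion'
            New-Object PSObject -Property @{
                DomainController  = $dc.Name
                SchemaRangeUpper  = $schema
                OrgObjectVersion  = $org
                MesoObjectVersion = $meso
                ForestReady       = ($schema -eq $Expected.SchemaRangeUpper) -and ($org -eq $Expected.OrgObjectVersion)
                DomainReady       = ($meso -eq $Expected.MesoObjectVersion)
            }
        }
    }
}

Get-ExchangeVersionReport |
    Format-Table DomainController, SchemaRangeUpper, OrgObjectVersion, MesoObjectVersion, ForestReady, DomainReady -AutoSize
```

A domain controller that shows a lower or empty value is one replication has not reached yet; DomainReady is expected to be false on domain controllers of domains that have not been prepared, and ForestReady must be true everywhere before the first Exchange 2007 server is installed.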

Repair the Exchange 2007 Security Groups

If you delete the Exchange security groups, it is possible to use Setup for recovery. The screen shot in Figure 8 shows what happens if you immediately rerun Setup /p after deleting the Exchange security groups.

Figure 8   Running Setup /PrepareAD after deleting the Exchange security groups

setup /P after deleting Exchange security groups

To rectify the situation, you must delete the references to the deleted groups from the otherWellKnownObjects attribute in the following container:

  • CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=northwindtraders,DC=com

Warning

Using Ldp.exe to delete values from the Active Directory Configuration partition is inherently risky. We recommend that the following procedure is carried out on a test domain controller first and that a recent backup of the production Active Directory is available.

Do the following:

  1. Run Ldp.exe, connect and bind as described earlier, and then click View, Tree. Expand Configuration, expand Services, and then select Microsoft Exchange.

  2. In the Ldp.exe results pane, find the otherWellKnownObjects attribute. Each value that refers to a deleted group looks similar to the following:

     B:32:9C5B963F67F14A4B936CB8EFB19C4784:CN=ExchangeLegacyInterop\0ADEL:b96fa30e-4fb4-4dae-8e33-feb82dfa3950,CN=Deleted Objects,DC=northwindtraders,DC=co,DC=uk

     The \0ADEL: suffix and the CN=Deleted Objects parent identify a value that must be removed. Leave any value that still points at a live group alone.

  3. Right-click Microsoft Exchange and select Modify.

  4. Type otherWellKnownObjects in the Edit Entry Attribute text box.

  5. Select the Delete option button.

  6. For each deleted-group value, copy it from the results pane, paste it into the Values text box of the Modify dialog box, and then press ENTER to add it to the Entry List.

For more information, see Figure 9 and Figure 10.

Figure 9   OtherWellknownObjects in Ldp.exe

ldp.exe Exchange otherWellknownObjects

Figure 10   Modifying otherWellknownObjects

ldp.exe Modifying otherWellknownObjects attribute

Make sure that you do not leave the Values field and Entry List blank, because this will delete all entries in the otherWellKnownObjects attribute, potentially including values that you did not want to delete. Finally, to execute the command, click Run.

After deleting the Exchange security group references, rerun Setup /p to create groups and populate membership. This will only create the basic groups and membership. It will still be necessary to update the Exchange security groups with membership specific to your environment. Of particular importance is the ExchangeLegacyInterop group, which must be populated with routing group connector bridgehead servers that link to Exchange 2007.
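The otherWellKnownObjects mechanism described under Prepare Active Directory, and the repair above, can be handled without the copy-and-paste risk in Ldp.exe. The following PowerShell script is an added example, not part of this white paper or of Exchange Setup: it parses each otherWellKnownObjects value, shows how a well-known GUID resolves back to the group's current DN, and reports, or with -Remove deletes, only the values that now point into CN=Deleted Objects. It assumes PowerShell 2.0 or later and a forest-root account allowed to modify the Configuration partition; the sample value is the one shown in this paper, and the function names are this example's own. As the warning above says, try it against a test forest first.

```powershell
# Added example, not part of the original white paper. Parses the
# otherWellKnownObjects values on CN=Microsoft Exchange, shows how a well-known
# GUID is resolved back to the current DN, and reports (or, with -Remove, deletes)
# only the values that now point into CN=Deleted Objects. Assumptions:
# PowerShell 2.0 or later; a forest-root account allowed to modify the
# Configuration partition; the sample value below is the one shown in this paper.

function ConvertFrom-WellKnownObjectValue([string]$value) {
    # DN-Binary syntax: "B:<hex-length>:<hex GUID>:<DN>". Exchange stores the GUID;
    # Active Directory keeps the DN current when the object moves and rewrites
    # it with a \0ADEL: suffix under CN=Deleted Objects when it is deleted.
    $parts = $value.Split(':', 4)
    if ($parts.Count -ne 4 -or $parts[0] -ne 'B') { throw "Not a DN-Binary value: $value" }
    New-Object PSObject -Property @{
        WellKnownGuid = $parts[2]
        Dn            = $parts[3]
        IsDeleted     = ($parts[3] -match '\\0ADEL:') -and ($parts[3] -match ',CN=Deleted Objects,')
        Raw           = $value
    }
}

function Get-ExchangeContainer {
    $rootDse = [ADSI]'LDAP://RootDSE'
    [ADSI]("LDAP://CN=Microsoft Exchange,CN=Services," + [string]$rootDse.configurationNamingContext)
}

function Resolve-ExchangeWellKnownObject([string]$guidHex) {
    # WKGUID binding: the same lookup Setup relies on, so it follows the group
    # even after it has been moved to another OU. Fails for a deleted group.
    $containerDn = [string](Get-ExchangeContainer).distinguishedName
    $entry = [ADSI]("LDAP://<WKGUID=$guidHex,$containerDn>")
    [string]$entry.distinguishedName
}

function Get-ExchangeWellKnownObjects {
    foreach ($value in (Get-ExchangeContainer).otherWellKnownObjects) {
        ConvertFrom-WellKnownObjectValue ([string]$value)
    }
}

function Repair-ExchangeWellKnownObjects([switch]$Remove) {
    # Report-only by default. With -Remove, deletes each stale value individually;
    # the attribute is never cleared, which is the mistake an empty Ldp.exe
    # Modify/Delete would make.
    $exchange = Get-ExchangeContainer
    $stale = @(Get-ExchangeWellKnownObjects | Where-Object { $_.IsDeleted })
    foreach ($entry in $stale) {
        Write-Host ("Stale reference {0} -> {1}" -f $entry.WellKnownGuid, $entry.Dn)
        if ($Remove) { $exchange.psbase.Properties['otherWellKnownObjects'].Remove($entry.Raw) }
    }
    if ($Remove -and $stale.Count -gt 0) { $exchange.psbase.CommitChanges() }
    $stale
}

# Offline check of the parser against the value quoted in this paper (constructed input).
$sample = 'B:32:9C5B963F67F14A4B936CB8EFB19C4784:CN=ExchangeLegacyInterop\0ADEL:b96fa30e-4fb4-4dae-8e33-feb82dfa3950,CN=Deleted Objects,DC=northwindtraders,DC=co,DC=uk'
ConvertFrom-WellKnownObjectValue $sample | Format-List WellKnownGuid, Dn, IsDeleted

# Live forest: report first, then re-run with -Remove once the list looks right,
# and rerun Setup /p afterwards to recreate the groups.
# Repair-ExchangeWellKnownObjects
# Repair-ExchangeWellKnownObjects -Remove
```

Resolve-ExchangeWellKnownObject is the check to run before deciding a value is stale: if the GUID still resolves, the group exists and only its DN has changed, which is exactly the case otherWellKnownObjects is designed to survive and which must not be "repaired".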

Conclusion

To successfully prepare Active Directory and domains, you must understand the procedures and the permissions required for each procedure. To troubleshoot issues with the preparation steps, it is helpful to have a deeper understanding of exactly what the preparation steps do. With that knowledge, you can plan how the administrators in your organization will prepare for Exchange 2007 and perform the steps with confidence so that you are ready to install Exchange 2007 servers.

For more information about preparing to deploy Exchange 2007, see Preparing to Deploy Exchange 2007.

For information about installing Exchange 2007 servers, see Deploying Server Roles.