The following is a review of how the Exchange 2003 or Exchange 2000 Recipient Update Service (RUS) is granted rights to update objects in Active Directory. A property set is a collection of attributes in Active Directory, and each attribute can be a member of only one single property set. The predefined Public Information property set in Active Directory contains attributes such as Proxy Addresses and Email Addresses. The Exchange 2003 or Exchange 2000 RUS is granted rights to update this property set to set e-mail addresses. Exchange 2003 or Exchange 2000 DomainPrep grants the Exchange Enterprise Servers group rights to these property sets at the domain level. The computer account of the Exchange 2003 or Exchange 2000 RUS server is added to the Exchange Domain Servers group and the Exchange Domain Servers group is a member of the Exchange Enterprise Servers group. Hence, the RUS has privileges to modify e-mail addresses on the Public Information property set for a particular domain.

But how can a property set simplify delegated administration? The property set can be used for granting access to a subset of an object's attributes by setting a single access control entry (ACE), rather than setting an ACE for each property. For further details about property sets, see the Exchange Server Team Blog article Property Sets in Exchange Server 2007.

Note:
The content of each blog and its URL are subject to change without notice. The content within each blog is provided "AS IS" with no warranties, and confers no rights. Use of included script samples or code is subject to the terms specified in the Microsoft Terms of Use.

Exchange 2007 has more granular delegated administrative roles, such as Recipient Admin, that restrict the scope of tasks an administrator can perform. To facilitate this, the Exchange-Information and Exchange Personal Information property sets are created when the schema is extended for Exchange 2007. These property sets only contain Exchange-related attributes and enable more granular delegation of recipient administration than was possible using the built-in Active Directory property sets. Because an attribute can only be a member of a single property set, attributes such as Proxy Addresses and Email Addresses are moved from the Active Directory Public Information property set to the Exchange-Information property set.

In Exchange 2007, mail-enabled objects are created fully provisioned with e-mail addresses applied immediately, so there is no longer any need for RUS. The challenge is that during coexistence, the Exchange 2003 or Exchange 2000 RUS does not have rights to the Exchange-Information and Personal Information property sets. As soon as the schema is extended for Exchange 2007, the creation of any Exchange 2003 or Exchange 2000 mail-enabled objects cannot be completed. The remainder of this section describes how Setup solves this issue.

Setup /PrepareLegacyExchangePermissions or Setup /pl can be run from any Active Directory site or domain in the forest. Setup queries the global catalog in the domain where it is executed and confirms that an Exchange legacy (Exchange 2003 or Exchange 2000) server exists in the organization and then identifies domains where Exchange 2003 or Exchange 2000 DomainPrep has been run by looking for the following groups:

• Exchange Enterprise Servers (EES)
  
• Exchange Domain Servers (EDS)
  

Caution:
Do not rename or move these groups.

The Microsoft Exchange Server Best Practices Analyzer Tool Exchange 2007 Readiness Check identifies the types of issues described in Microsoft Knowledge Base article 324949, Redirecting the users and computers containers in Windows Server 2003 domains. Setup does not need to be able to contact every domain in the forest because Setup determines from the global catalog which domains have EES and EDS. Setup only needs to be able to contact domains where Exchange 2003 or Exchange 2000 DomainPrep has been run. Where Setup needs to make contact, Setup will use port 389 to connect to the target domains.

Setup /pl grants the following rights in each Exchange 2003 or Exchange 2000 domain where DomainPrep is identified as having been run:

• Grants the Exchange Enterprise Servers group write access to the Exchange-Information property set on the root of the domain.
  
• Grants Authenticated Users read access to the Exchange-Information property set on the root of the domain.
  
• Grants Exchange Enterprise Servers read/write access to the Exchange-Information property set on the AdminSDHolder object. For a description of the AdminSDHolder object, see Microsoft Knowledge Base article 232199, Description and Update of the Active Directory AdminSDHolder Object.
  
• Grants Exchange Domain Servers write access to the Exchange-Information property set on the Exchange Organization container in the Active Directory Configuration partition.
  

If you want to execute Setup /pl from a single location and set permissions in all the identified target domains, you must run the command using an account that has Enterprise Admin permissions. If you prefer not to use an account with Enterprise Admin permissions, you must divide the Setup tasks into individual steps.

If the Active Directory forest has a single domain, you must use an account that has Domain Administrator permissions and Exchange Full Administrator permissions in the root domain. From a command prompt, run the following command.

setup /pl:<root domain's fully qualified domain name>

If Active Directory has multiple domains, Setup /pl can be targeted at a specific domain. To run the command, you must use an account that has Domain Administrator permissions and Exchange Full Administrator permissions in the domain that you specify. From a command prompt, run the following command.

setup /pl:<fully qualified domain name>

After Exchange 2007 has been installed, if Exchange 2003 or Exchange 2000 DomainPrep is run against a newly added domain or an existing domain, you should prepare the legacy Exchange permissions again. In this case, either run Setup /pl with Enterprise Admin rights from the forest root domain, or in the domain in which you ran DomainPrep, execute Setup /pl:<new domain's fully qualified domain name> with new Domain Admins and Exchange Organization Administrators rights. This is shown in Figure 1.

Figure 1   Setup /PrepareLegacyExchangePermissions

After Setup has completed, you can verify that the permissions have been applied and replicated in Active Directory. To do this, perform the following:

1. Launch Ldp.exe.
   
2. Click Connection, and then click Connect (leave server blank). Click OK.
   
3. Click Connection, and then click Bind (leave credentials blank). Click OK.
   
4. Click View, and then click Tree.
   
5. Enter the fully qualified domain name (FQDN) (for example, DC=northwindtraders,DC=co,DC=uk). Click OK.
   
6. Right-click the domain (for example, northwindtraders.co.uk), click Advanced, and then click Security Descriptor. Click OK.
   The GUID for the Exchange-Information extended right is 1F298A89-DE98-47b8-B5CD-572AD53D267E.
   
7. Scroll through the results pane and look for Object Ace Type: Unknown with this GUID.
   

This is shown in Figure 2.

Figure 2   Object Ace Type is unknown

The Exchange-Information extended right is defined later in the Setup process and initially appears as Unknown. The Exchange-Information property set is created when the schema is extended and the Exchange-Information extended right is created during Setup /PrepareAD.

The Active Directory schema must be extended to include or modify classes and attributes that are required for Exchange 2007. The Exchange 2007 schema extensions are a superset of the Exchange 2003 or Exchange 2000 schema extensions. For a breakdown of the Exchange 2007 specific schema extensions, see Active Directory Schema Changes.

Setup /PrepareSchema or Setup /ps must be run from a server in the same Active Directory site and domain as the schema master. Typically, the schema master role will be on a domain controller in the first domain created in the forest.

To run Setup /ps, you must use an account that is a member of the Schema Admins group and the Enterprise Admins group. Extending the Active Directory schema is a robust and reliable process, however, it is possible to isolate replication on the schema master by disabling outbound replication. After the 100 .ldf files that comprise the Exchange 2007 schema extensions have been imported, you can verify the schema master and enable outbound replication on the schema master. The .ldf files are written to the Temp folder and then deleted as they are imported.

The replication of the schema extensions can be verified by connecting to domain controllers and checking the attribute shown in Figure 3.

Figure 3   Verifying the schema version by using ADSI Edit

The prepare Active Directory group of tasks will verify that the schema has been extended, and if joining an existing organization, ensure that legacy permissions have been applied. If these tasks have not been completed and you are a member of the Schema Admins group and the Enterprise Admins group, Setup /PrepareAD will perform the Setup /PrepareLegacyExchangePermissions and Setup /PrepareSchema tasks.

Exchange 2007 Setup checks if the organization is up to date by checking the objectVersion attribute in the Organization container in the Active Directory Configuration partition. The objectVersion of Exchange 2007 is 10666.

Setup /PrepareAD or Setup /p must be run from the same Active Directory site and domain as schema master. This is separate from extending the schema. Instead, you are using the schema master as a reference point to make configuration changes to avoid conflicts arising from replication latency.

Setup /p has the following requirements:

• All domains must be available and able to be contacted on port 389.
  
• Use an account with Enterprise Admins permissions.
  

Recognize that all domains in the forest must be able to be contacted regardless of whether they have Exchange 2003 or Exchange 2000 installed. This might be a challenge in complex Active Directory environments where connectivity between domains is restricted by firewalls.

Exchange 2007 has a new delegated administration model. Setup /p creates the following Exchange universal security groups (USG) in the Active Directory root domain in the Microsoft Exchange Security Groups organizational unit (OU):

• ExchangeLegacyInterop
  
• Exchange Organization Administrators
  
• Exchange Recipient Administrators
  
• Exchange View-Only Administrators
  
• Exchange Servers
  

The ExchangeLegacyInterop group contains Exchange 2003 or Exchange 2000 bridgehead servers. A bridgehead server is added to this group when the first Exchange 2007 Hub Transport server is installed. The remaining groups are used for delegating administrative access to Exchange 2007. The groups can later be moved to different organizational units. Setup makes this possible by adding these groups to the Active Directory otherWellKnownObjects list. A well known GUID for each of the groups is stored along with the distinguished name (DN) of the object, and Active Directory updates the DN of the object if it is moved. The otherWellKnownObjects attribute is located on the CN=Microsoft Exchange, CN=Services, CN=Configuration container. Microsoft Exchange security groups are shown in Figure 4.

Figure 4   Microsoft Exchange security groups

For a new organization, you must specify an organization name that will be applied immediately. Setup will not create a placeholder object that is renamed when the first server is installed, as it did in Exchange 2003.

Setup /p creates the following containers in the Active Directory Configuration partition:

• Exchange Administrative Group (FYDIBOHF23SPDLT)
  
• Exchange Routing Group (DWBGZMFD01QNBJR)
  

These containers are only for Exchange 2007 servers.

Setup /p imports the Rights.ldf file, which adds the Exchange-Information extended right. To view this extended right, run Ldp.exe, and do the following:

1. Click Connection, and then click Connect (leave server blank). Click OK.
   
2. Click Connection, and then click Bind (leave credentials blank). Click OK.
   
3. Click View, and then click Tree. Expand Configuration, expand Extended-Rights, and then select Exchange-Information. The right pane in Ldp.exe displays the following information:
   
   • dn: CN=Exchange-Information,CN=Extended-Rights,<ConfigurationContainerDN>
     
   • changetype: ntdsSchemaAdd
     
   • displayName: Exchange Information
     
   • objectClass: controlAccessRight
     
   • rightsGuid: 1F298A89-DE98-47b8-B5CD-572AD53D267E
     
   • validAccesses: 48
     

You can also view the security descriptors for the domain and scroll to find the rightsGUID 1F298A89-DE98-47b8-B5CD-572AD53D267E. Previously, when you validated the Setup /PrepareLegacyExchangePermissions step, the object type was Unknown. After the Rights.ldf file has been imported, the access control entry for the Exchange-Information extended right is no longer Unknown when viewed with Ldp.exe. This is shown in Figure 5.

Figure 5   Object Ace Type is Exchange-Information

Setup /p creates the following containers in the Active Directory root domain partition:

• In a new organization, Setup /p creates a Microsoft Exchange System Objects container.
  
• The objectVersion attribute on the Microsoft Exchange System Objects container stores the DomainPrep level.
  
• The objectVersion is 10628 for Exchange 2007.
  
• Grant Exchange Admin rights on domain container and Microsoft Exchange System Objects.
  
• Create Exchange Install Domain Servers group and add to the Exchange Servers USG in the root domain. This is shown in Figure 6.
  
  Figure 6   Install Domain Servers group
  

When an Exchange 2007 server is installed, the computer account is added to the Exchange Servers USG, which is located in the root domain by default. If the server being installed is in a different domain, Exchange services may fail to start during setup because the Exchange Servers membership has not replicated to the local domain. When installing an Exchange 2007 server, Setup adds the computer account to the local domain group Exchange Install Domain Servers and also to the Exchange Servers group, but the permissions given to the local domain group are enough for services to start.

Setup /p grants the seSecurityPrivilege (Manage Auditing and Security Log) to the Exchange Servers group.

The /PrepareAD parameter only runs the prepare domain tasks against the domain where Setup is executed. If you have multiple domains and other domains that host Exchange or mail-enabled objects, it will be necessary to run Setup /PrepareDomain against each of them.

The prepare domain tasks have three operational scopes:

• Setup /PrepareDomain or Setup /pd prepares the local domain.
  
• Setup /PrepareDomain:<FQDN of target domain> prepares the specified domain.
  
• Setup /PrepareAllDomains prepares every domain in the forest.
  

If Setup /PrepareDomain is run against a specific domain, Domain Admins privileges are required. If Setup /PrepapreDomain is run globally against all domains, Enterprise Admins privileges are necessary.

Depending on the specified scope, Setup /PrepareDomain performs the following tasks:

• Grants Exchange Servers USG, Authenticated Users, Exchange Organization Administrators, and Exchange Mailbox Administrators access to the Domain container.
  
• Creates the Microsoft Exchange System Objects container.
  
• Grants Exchange Servers USG , Authenticated Users, and Exchange Organization Administrators access to the Microsoft Exchange System Objects container.
  
• Grants the seSecurityPrivilege (Manage Auditing and Security log) to the Exchange Servers group.
  
• Creates a new Domain Global group called Exchange Install Domain Servers and puts it in the Microsoft Exchange System Objects container of the local domain.
  
• Adds the Exchange Install Domain Servers group to the Exchange Servers USG in the root domain.
  

Figure 7 shows the results of Setup /PrepareDomain.

Figure 7   Setup /PrepareDomain