
Exchange Server 2007 Setup Switches

 

Topic Last Modified: 2010-11-29

Occasionally, you might have to run separate Exchange Server 2007 Setup switches before you run the actual setup of the first Exchange Server 2007 server. This scenario depends on several factors, such as the organization size and complexity, the layout of Active Directory domains, and the Active Directory replication latency.

You should consider that this scenario might occur when you set up the first Exchange 2007 server. If you do not follow the recommended procedure, you can experience downtime or problems that affect existing Microsoft Exchange servers in the organization. In all except the smallest setups, we recommend that you run setup switches separately. We also recommend that you allow for Active Directory replication instead of just running Setup from the Exchange 2007 DVD.

  1. If you have any computers in your organization that run Exchange Server 2003 or Exchange 2000 Server, open a Command Prompt window, and then run the appropriate command:
    • To prepare legacy Exchange permissions in every domain in the forest that contains the Exchange Enterprise Servers and Exchange Domain Servers groups, run the following command:
      setup /PrepareLegacyExchangePermissions
      
    • To prepare legacy Exchange permissions in a specific domain, run the following command:
      setup /PrepareLegacyExchangePermissions:<FQDN of domain you want to prepare>
      
    You have the option to skip this step if you prefer, instead, to prepare the legacy Exchange permissions as part of step 2 or 3 in this procedure.
    To run this command to prepare every domain in the forest, you must be a member of the Enterprise Admins group. To run this command to prepare a specific domain, you must be a member of the Exchange Organization Administrators group, and you must be a member of the Domain Admins group in the domain that you prepare.
    If you do not specify a domain, the domain in which you run this command must be able to contact all domains in the forest.
    After you run this command, you must wait for the permissions to replicate across your Microsoft Exchange organization before you continue to the next step. If the permissions have not replicated, the Recipient Update Service on your Exchange Server 2003 or Exchange 2000 Server computers could fail. The time that the replication takes to complete depends on your Exchange site topology.
    Note:
    To track the progress of Active Directory replication, you can use the Active Directory Replication Monitor tool (replmon.exe). This tool is installed as part of the Microsoft Windows Server 2003 Support Tools Setup. By default, it is located at "%programfiles%\support tools\." Add the domain controllers as monitored servers so that you can track the progress of replication throughout the domain.
  2. Open a Command Prompt window, and run the following command at the command prompt:
    setup /PrepareSchema
    
    Important:
    You must not run this command in a forest in which you do not plan to run setup /PrepareAD. If you do this, the forest is configured incorrectly, and you cannot read some attributes on user objects.

    Notes:
    • This command connects to the schema master, and imports LDAP Data Interchange Format (LDIF) files to update the schema with Exchange 2007 specific attributes.
    • To run this command, you must be a member of the Schema Admins group and the Enterprise Admins group.
    • You must run this command on a computer that is in the same domain and in the same Active Directory site as the schema master.
    • If you do not complete step 1 before you run this command, Setup /PrepareSchema runs the PrepareLegacyExchangePermissions step. To complete the PrepareLegacyExchangePermissions step, the domain in which you run this command must be able to contact all domains in the forest.
    • After you run this command, wait for the changes to replicate across your Exchange organization before you continue to the next step. The time that the replication takes to complete depends on your Active Directory site topology.
    To track the progress of Active Directory replication, you can use the Active Directory Replication Monitor tool (replmon.exe). This tool is installed as part of the Windows Server 2003 Support Tools Setup. By default, the tool is in the following location:
    "%programfiles%\support tools\"
    Add the domain controllers as monitored servers so that you can track the progress of replication throughout the domain.
  3. At a command prompt, run the following command:
    setup /PrepareAD [/OrganizationName <organization name>]
    
    This command does the following:
    • Configures global Exchange objects in Active Directory
    • Creates the Exchange Universal Security Groups (USGs) in the root domain
    • Sets permissions on the Exchange configuration objects
    • Prepares the current domain
    The global objects are located under the Exchange organization container. If no Exchange organization container exists, you must specify an organization name by using the /OrganizationName parameter. The organization container is created by using the name that you specify.
    This command also creates the Exchange 2007 Administrative Group that is named Exchange Administrative Group (FYDIBOHF23SPDLT). It also creates the Exchange 2007 Routing Group that is named Exchange Routing Group (DWBGZMFD01QNBJR).
    Caution:
    Do not move Exchange 2007 servers out of Exchange Administrative Group (FYDIBOHF23SPDLT). Also, do not rename Exchange Administrative Group (FYDIBOHF23SPDLT) by using a low-level directory editor. Exchange 2007 must use this administrative group for configuration data storage. We do not support moving Exchange 2007 servers out of the Exchange Administrative Group (FYDIBOHF23SPDLT). We also do not support renaming the Exchange Administrative Group (FYDIBOHF23SPDLT).
    Caution:
    Do not move Exchange 2007 servers out of Exchange Routing Group (DWBGZMFD01QNBJR) and do not rename Exchange Routing Group (DWBGZMFD01QNBJR) by using a low-level directory editor. Exchange 2007 must use this routing group to communicate with earlier versions of Exchange. We do not support moving Exchange 2007 servers out of Exchange Routing Group (DWBGZMFD01QNBJR). We also do not support renaming the Exchange Routing Group (DWBGZMFD01QNBJR).
    Notes:
    • This command creates the Unified Messaging Voice Originator contact in the Microsoft Exchange System Objects container of the root domain.
    • This command prepares the local domain for Exchange 2007.
    • To run this command, you must be a member of the Enterprise Admins group.
    • If you have Exchange Server 2003 servers in your organization, you must be an Exchange Full Administrator to run this command.
    • You must run this command on a computer that is in the same domain and in the same Active Directory site as the Schema Master.
    • If you do not complete step 1 before you run this command, Setup /PrepareAD runs the PrepareLegacyExchangePermissions step. To complete the PrepareLegacyExchangePermissions step, the domain in which you run this command must be able to contact all domains in the forest. If you are also a member of the Schema Admins group, and if you did not complete step 2, Setup /PrepareAD finishes the PrepareSchema step.
    • After you run this command, wait for the changes to replicate across your Exchange organization before you continue to the next step. The time that this takes to complete depends on your Active Directory site topology.
    To verify that this step completed successfully, make sure that there is a new organizational unit (OU) in the root domain named Microsoft Exchange Security Groups. This OU should contain the following new Exchange USGs:
    • Exchange Organization Administrators
    • Exchange Recipient Administrators
    • Exchange View-Only Administrators
    • Exchange Servers
    • ExchangeLegacyInterop
    Note:
    When you install Exchange 2007, Setup adds the Exchange Organization Administrators USG as a member of the local Administrators group on the computer on which you are installing Exchange. Be aware that the local Administrators group on a domain controller has different permissions than the local Administrators group on a member server. If you install Exchange 2007 on a domain controller, the users who are Exchange Organization Administrators receive additional Windows permissions that they do not have if you install Exchange 2007 on a computer that is not a domain controller.
  4. At a command prompt, run one of the following commands:
    • Run setup /PrepareDomain to prepare the local domain. Notice that you do not have to run this in the domain in which you ran step 3. Running setup /PrepareAD prepares the local domain.
    • Run setup /PrepareDomain:<FQDN of domain you want to prepare> to prepare a specific domain.
    • Run setup /PrepareAllDomains to prepare all domains in your organization.
    These commands complete the following tasks:
    • Sets permissions on the Domain container for the Exchange Servers, for the Exchange Organization Administrators, for the Authenticated Users, and for the Exchange Mailbox Administrators.
    • Creates the Microsoft Exchange System Objects container if it does not exist, and sets permissions on this container for the Exchange Servers, for the Exchange Organization Administrators, and for the Authenticated Users.
    • Creates a new domain global group in the current domain, and names it Exchange Install Domain Servers. The command also adds the Exchange Install Domain Servers group to the Exchange Servers USG in the root domain.
    For domains that are in an Active Directory site other than the root domain, /PrepareDomain may fail, and display one or more of the following messages.

     

    • PrepareDomain for domain <YourDomain> has partially completed. Because of the Active Directory site configuration, you must wait at least 15 minutes for replication to occur, and run PrepareDomain for <YourDomain> again.
    • Active Directory operation failed on <YourServer>. This error is not retriable. Additional information: The specified group type is invalid.
    • Active Directory response: 00002141: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0.
    • The server cannot handle directory requests.
    If you see these messages, you must wait for or force Active Directory replication between this domain and the root domain. Then, you must run /PrepareDomain again.

    To verify that this step completed successfully, verify that you have a new global group in the Microsoft Exchange System Objects container that is named Exchange Install Domain Servers.
    Note the following:
    • To run setup /PrepareAllDomains, you must be a member of the Enterprise Admins group.
    • To run setup /PrepareDomain, you must be a member of the Domain Admins group in the domain if the domain that you are preparing existed before you ran setup /PrepareAD. If the domain that you are preparing was created after you ran setup /PrepareAD, you must be a member of the Exchange Organization Administrators group, and you must be a member of the Domain Admins group in the domain.
    • The Exchange Install Domain Servers group is used if you install Exchange 2007 in a child domain that is in an Active Directory site other than the root domain. Creating this group lets you avoid installation errors if group memberships have not replicated to the child domain.
    • The Exchange Install Domain Servers group is a member of the Exchange Servers USG in the root domain.
    • On each domain controller in a domain in which you install Exchange 2007, the Exchange Servers USG has permissions on the Domain Controller Security Policy\Local Policies\User Rights Assignment\Manage Auditing and Security log policy.
    For more information about /prepareschema, see the following TechNet topic:
    Active Directory Schema Changes
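
The verification checks described in steps 3 and 4 can be scripted with read-only LDAP queries. The following is an added example, not part of the original topic; it assumes that each group's common name matches the name shown above, and the function and variable names are illustrative.

```powershell
# Added example, not part of the original topic. Read-only LDAP queries.
# Assumes Windows PowerShell 2.0 or later (try/catch) on a domain-joined computer.
$UniversalSecurity = -2147483640   # groupType 0x80000008
$GlobalSecurity    = -2147483646   # groupType 0x80000002

$rootDse = [ADSI]'LDAP://RootDSE'
$rootDn  = "$($rootDse.rootDomainNamingContext)"   # forest root domain
$localDn = "$($rootDse.defaultNamingContext)"      # domain of the current logon
$usgOu   = "OU=Microsoft Exchange Security Groups,$rootDn"
$mesoDn  = "CN=Microsoft Exchange System Objects,$localDn"

function Find-Group([string]$BaseDn, [string]$Filter) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$BaseDn"
    $searcher.SearchScope = 'OneLevel'
    $searcher.Filter      = "(&(objectCategory=group)$Filter)"
    [void]$searcher.PropertiesToLoad.Add('grouptype')
    $searcher.FindOne()
}

function Test-Group([string]$BaseDn, [string]$Name, [int]$ExpectedType) {
    $status = 'OK'
    try {
        $hit = Find-Group $BaseDn "(cn=$Name)"
        if (-not $hit) { $status = 'MISSING' }
        elseif ($hit.Properties['grouptype'][0] -ne $ExpectedType) {
            $status = 'UNEXPECTED GROUP TYPE'
        }
    } catch {
        # Raised when the container itself does not exist or no DC answers.
        $status = "QUERY FAILED: $($_.Exception.Message)"
    }
    '{0,-40} {1}' -f $Name, $status
}

# Step 3: the five USGs that /PrepareAD creates in the root domain.
'Exchange Organization Administrators', 'Exchange Recipient Administrators',
'Exchange View-Only Administrators', 'Exchange Servers', 'ExchangeLegacyInterop' |
    ForEach-Object { Test-Group $usgOu $_ $UniversalSecurity }

# Step 4: the domain global group that /PrepareDomain creates in this domain.
Test-Group $mesoDn 'Exchange Install Domain Servers' $GlobalSecurity

# Step 4: that group must be a member of the Exchange Servers USG in the root
# domain. The query matches on the USG's own member attribute, because memberOf
# read from a child-domain DC can omit groups that live in another domain.
$installDn = "CN=Exchange Install Domain Servers,$mesoDn"
try   { $linked = [bool](Find-Group $usgOu "(cn=Exchange Servers)(member=$installDn)") }
catch { $linked = $false }
"Exchange Install Domain Servers is in Exchange Servers USG: $linked"
```

A MISSING or False result shortly after Setup finishes usually means that replication has not yet reached the domain controller that answered the query; run the check again after replication completes before you rerun Setup.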

The following switches perform the listed tasks and require the indicated permissions.

/PrepareLegacyExchangePermissions

  • Finds every domain in the forest that has the Exchange Enterprise Servers (EES) group and the Exchange Domain Servers (EDS) group
  • In each domain that has these groups, does the following:
    • Adds an access control entry (ACE) to the domain root ACL to grant the EES group WRITE_PROP permissions on the Email-information property set
    • Adds an access control entry to the domain root ACL to grant Authenticated Users READ_PROP permissions on the Email-information property set
    • Adds an access control entry to the ACL of the domain's AdminSDHolder object to grant the EES group WRITE_PROP and READ_PROP permissions on the Email-information property set
    • Adds an access control entry to the Exchange Org container ACL to grant the EDS group WRITE_PROP permissions on the Email-information property set
      Note:
      If the domain does not have to be prepared by having the legacy Exchange permissions, or if it is already prepared, this task does nothing.

Permissions required:

Enterprise Administrator: required to write the access control entry on each domain container and on the Exchange Organization container in the Active Directory

/PrepareLegacyExchangePermissions:<FQDN>

Performs the same task as /PrepareLegacyExchangePermissions on the specified domain only. If the domain does not have to be prepared by having the legacy Exchange permissions, or if it has already been prepared, this task is not required.

Permissions required:

One of the following:

  • Enterprise Administrator: required to write the access control entries on the domain containers and on the Exchange Organization container
  • Domain Administrator of the specified domain and Exchange Organization Administrator: required to write the access control entries on the domain containers and on the Exchange Organization container in Active Directory

/PrepareSchema

Runs the PrepareLegacyExchangePermissions task, and imports the Exchange Server 2007 schema, which is broken into 100 ldf files (therefore, it calls the "install-ExchangeSchema" task 100 times).

Permissions required:

Both of the following:

  • Enterprise Administrator: required for PrepareLegacyExchangePermissions
  • Schema Administrator: required for updating the Schema

/PrepareAD

  • Runs the ExchangeLegacyPermissions task when the Schema is not up to date
  • Runs the import schema task when the schema is not up to date
  • Creates the Microsoft Exchange configuration containers in the Active Directory, including the Org and global containers
    • If no Exchange Organization container exists in Active Directory, Setup requires that an organization name be passed in by using the /OrganizationName:<YourOrgName> parameter
    • Imports the Rights.ldf file that adds to the extended rights in the Active Directory
  • Creates the Microsoft Exchange Security Groups OU in the root domain and the following global Exchange USGs:
    • Exchange Organization Administrators
    • Exchange Recipient Administrators
    • Exchange View-Only Administrators
    • Exchange Servers
    • ExchangeLegacyInterop
  • Creates the Exchange Server 2007 Administrative Group "Exchange Administrative Group (FYDIBOHF23SPDLT)" and the Exchange Server 2007 Routing Group "Exchange Routing Group (DWBGZMFD01QNBJR)"
  • Sets permissions on the Exchange configuration objects and groups
  • Prepares the local domain for Exchange Server 2007
  • Runs initialize-DomainPermissions on the current domain, where initialize-DomainPermissions does the following:
    • Sets ACEs on the Domain container for the Exchange Servers USG, for Authenticated Users, for Exchange Organization Administrators, and for Exchange Mailbox Administrators
    • Creates the Microsoft Exchange System Objects container (MESO), if it does not already exist
    • Sets ACEs on the MESO for the Exchange Servers USG, for Authenticated Users, and for Exchange Organization Administrators
    • Adds the Exchange Servers USG to the Manage Auditing and Security Log in User Rights Assignment under Local Policies under Default Domain Controller Policy.
      Note:
      This setting is known as the "SACL rights" for this domain.
    • Creates a new Domain Global Group that is named Exchange Install Domain Servers, and puts this group in the Microsoft Exchange System Objects container of the local domain
    • Adds the Exchange Install Domain Servers group to the Exchange Servers USG in the root domain

Permissions required:

One or more of the following:

  • If /PrepareLegacyExchangePermissions and /PrepareSchema were not yet run, both of the following:
    • Enterprise Administrator: required for /PrepareLegacyExchangePermissions, to extend the rights, to create global configuration, and to set permissions
    • Schema Administrator: required to update the schema
  • If /PrepareSchema was not yet run and if /PrepareLegacyExchangePermissions is not required or was already run, both of the following:
    • Enterprise Administrator: required for /PrepareLegacyExchangePermissions, to extend the rights, to create global configuration, and to set permissions
    • Schema Administrator: required to update the schema
  • If /PrepareLegacyExchangePermissions and /PrepareSchema were already run:
    • Enterprise Administrator: required to create global configuration and to set permissions
  • If /PrepareAD was previously run:
    • Enterprise Administrator: required to reset global configuration and to reset permissions

/PrepareDomain

  • Prepares the local domain for Exchange Server 2007
  • Runs "initialize-DomainPermissions" on the current domain
  • Initialize-DomainPermissions does the following:
    • Sets ACEs on the Domain container for the Exchange Servers USG, for Authenticated Users, for Exchange Organization Administrators, and for Exchange Mailbox Administrators
    • Creates the Microsoft Exchange System Objects container (MESO), if it does not already exist.
    • Sets ACEs on the MESO for the Exchange Servers USG, for Authenticated Users, and for Exchange Organization Administrators
    • Adds the Exchange Servers USG to the Manage Auditing and Security Log in User Rights Assignment under Local Policies under Default Domain Controller Policy
      Note:
      This setting is known as the "SACL rights" for this domain.
    • Creates a new Domain Global Group that is named Exchange Install Domain Servers, and puts the group in the Microsoft Exchange System Objects container of the local domain
    • Adds the Exchange Install Domain Servers group to the Exchange Servers USG in the root domain

Permissions required:

  • If the domain existed before running /prepareAD:
    • Domain Administrator of the domain to be prepared: required to create new objects and groups, and to set permissions in the Domain container
  • If the domain was created after /prepareAD was run, both of the following:
    • Domain Administrator: required to create new objects and groups, and to set permissions in the domain container
    • Exchange Organization Administrator: minimum requirement to add the Exchange Install Domain Servers group to the Exchange Servers USG

/PrepareDomain:<FQDN of some domain>

Performs the same task as /PrepareDomain on the domain specified.

Permissions required:

  • If the domain existed prior to running /prepareAD:
    • Domain Administrator of the domain to be prepared: required to create new objects and groups, and to set permissions in the Domain container
  • If the domain was created after /prepareAD was run, both of the following:
    • Domain Administrator of the domain to be prepared: required to create new objects and groups, and to set permissions in the Domain container
    • Exchange Organization Administrator: minimum requirement to add the Exchange Install Domain Servers group to the Exchange Servers USG

/PrepareAllDomains

Performs the same task as /PrepareDomain on every domain in the forest.

Permissions required:

  • Enterprise Administrator: required to create new objects and groups, and to set permissions in every domain
 
© 2014 Microsoft