Prepare Active Directory and Domains

 

Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Before you install Microsoft Exchange Server 2010 on any servers in your organization, you must prepare Active Directory and domains.

For information about preparing your domains with legacy Exchange permissions, see Prepare Legacy Exchange 2003 Permissions.

Prerequisites

  • The computers on which you plan to install Exchange 2010 must meet the system requirements. For details, see Exchange 2010 System Requirements.

  • Your domains and the domain controllers must meet the system requirements in "Network and Directory Servers" in Exchange 2010 System Requirements.

  • In each domain in which you install Exchange 2010, you must have at least one domain controller running any of the following:

    • Windows Server 2003 Standard Edition with Service Pack 1 (SP1) or later (32-bit or 64-bit)

    • Windows Server 2003 Enterprise Edition with SP1 or later (32-bit or 64-bit)

    • Windows Server 2008 Standard or Enterprise (32-bit or 64-bit)

    • Windows Server 2008 R2 Standard or Enterprise

  • For organizations with multiple domains, we recommend the following when running the /Prepare* commands described below:

    • Run the /Prepare* commands from an Active Directory site that contains a domain controller from every domain.

    • Run the first server role installation or Exchange 2010 service pack upgrade from an Active Directory site that contains a writeable global catalog server from every domain.

    • Verify that the objects created by the preceding actions have replicated to the global catalog server in the Active Directory site before installing the first Exchange 2010 server (or applying the service pack upgrade) in that site. Replication latency, not a failed command, is the most common cause of "object not found" errors at this stage.

  • If you're running the release to manufacturing (RTM) version of Exchange 2010 Setup.com, in each domain (including child domains) where you have the Exchange Enterprise Servers and Exchange Domain Servers security groups (and therefore must run Setup /PrepareLegacyExchangePermissions), you must have at least one domain controller running any of the following:

    • Windows Server 2003 Standard Edition with SP1 or later (32-bit or 64-bit)

    • Windows Server 2003 Enterprise Edition with SP1 or later (32-bit or 64-bit)

    • Windows Server 2008 Standard or Enterprise (32-bit or 64-bit)

    • Windows Server 2008 R2 Standard or Enterprise

  • If you run the Exchange 2010 Setup wizard with an account that holds all of the permissions required to prepare Active Directory and the domain (Schema Admins, Enterprise Admins, and Domain Admins), the wizard prepares Active Directory and the domain automatically. For more information, see Install Exchange Server 2010. Note that this concentrates every forest-level privilege in the installing account; if those roles are held by different people, or you want to verify each change before the next one is made, run the /Prepare* commands individually as described in the procedure below, each with an account that has only the permissions that step needs. Also, if you're deploying a new Exchange organization and preparing your Active Directory schema and domains from a computer running Windows Server 2008, you must first install the Active Directory management tools on that computer. To do this, run the following command.

    ServerManagerCmd -i RSAT-ADDS
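The replication check recommended above (and repeated after Steps 1, 2 and 3 below) is usually done by eye with replmon or repadmin. The following script is an added example, not part of the original documentation, that makes the check explicit: it asks every domain controller in the forest for the Exchange schema version and the organization's objectVersion and reports whether they agree. The organization objectVersion values come from Step 3 of this page; the rangeUpper values of ms-Exch-Schema-Version-Pt are the published Exchange 2010 schema versions and are an assumption not stated on this page. It uses only System.DirectoryServices, so it runs on Windows PowerShell 2.0 without the Exchange or Active Directory modules.

```powershell
# Added example (not part of the Exchange documentation): report the Exchange
# schema and organization version as seen by EVERY domain controller in the
# forest, so you can confirm that /PrepareSchema and /PrepareAD changes have
# replicated before running the next step or the first server installation.
# Uses System.DirectoryServices only; no Exchange or AD module required.

# objectVersion of the organization container (values from this page).
$orgVersions = @{ 12640 = 'Exchange 2010 RTM'; 13214 = 'Exchange 2010 SP1'
                  14247 = 'Exchange 2010 SP2'; 14322 = 'Exchange 2010 SP3' }
# rangeUpper of ms-Exch-Schema-Version-Pt. Assumption: these are the published
# Exchange 2010 schema versions; they are not listed on this page.
$schemaVersions = @{ 14622 = 'Exchange 2010 RTM'; 14726 = 'Exchange 2010 SP1'
                     14732 = 'Exchange 2010 SP2'; 14734 = 'Exchange 2010 SP3' }

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext
$schemaNc = [string]$rootDse.schemaNamingContext
$schemaDn = "CN=ms-Exch-Schema-Version-Pt,$schemaNc"

# Locate the (single) Exchange organization container under CN=Microsoft Exchange.
$orgDn    = $null
$exchPath = "LDAP://CN=Microsoft Exchange,CN=Services,$configNc"
if ([System.DirectoryServices.DirectoryEntry]::Exists($exchPath)) {
    $exchRoot = New-Object System.DirectoryServices.DirectoryEntry($exchPath)
    $searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher `
                           -ArgumentList $exchRoot, '(objectClass=msExchOrganizationContainer)'
    $searcher.SearchScope = 'OneLevel'
    $hit = $searcher.FindOne()
    if ($hit) { $orgDn = [string]$hit.Properties['distinguishedname'][0] }
}

# Read one attribute of one object from one specific DC, bypassing the DC locator.
# Returns -1 if the object is not (yet) present on that DC or the DC is unreachable,
# and 0 if the object exists but the attribute has no value.
function Get-AttributeFromDc {
    param([string]$Dc, [string]$Dn, [string]$Attribute)
    try {
        $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Dc/$Dn")
        $entry.RefreshCache(@($Attribute))
        return [int]$entry.Properties[$Attribute].Value
    } catch {
        return -1
    }
}

$forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$results = @()
foreach ($domain in $forest.Domains) {
    $dcs = @()
    try { $dcs = @($domain.DomainControllers) }
    catch { Write-Warning "Cannot enumerate domain controllers in $($domain.Name): $($_.Exception.Message)" }
    foreach ($dc in $dcs) {
        $isGc = 'unknown'
        try { $isGc = $dc.IsGlobalCatalog() } catch { }
        $schemaVer = Get-AttributeFromDc -Dc $dc.Name -Dn $schemaDn -Attribute 'rangeUpper'
        $orgVer    = if ($orgDn) { Get-AttributeFromDc -Dc $dc.Name -Dn $orgDn -Attribute 'objectVersion' } else { -1 }
        $results += New-Object PSObject -Property @{
            Domain           = $domain.Name
            DC               = $dc.Name
            Site             = $dc.SiteName
            GlobalCatalog    = $isGc
            SchemaRangeUpper = $schemaVer
            SchemaRelease    = if ($schemaVersions.ContainsKey($schemaVer)) { $schemaVersions[$schemaVer] } else { 'unknown / not replicated' }
            OrgObjectVersion = $orgVer
            OrgRelease       = if ($orgVersions.ContainsKey($orgVer)) { $orgVersions[$orgVer] } else { 'unknown / not replicated' }
        }
    }
}

$results | Format-Table Domain, DC, Site, GlobalCatalog, SchemaRangeUpper, SchemaRelease, OrgObjectVersion, OrgRelease -AutoSize

# Replication has converged only when every DC reports identical, positive values.
$distinctSchema = @($results | ForEach-Object { $_.SchemaRangeUpper } | Sort-Object -Unique)
$distinctOrg    = @($results | ForEach-Object { $_.OrgObjectVersion } | Sort-Object -Unique)
if ($distinctSchema.Count -eq 1 -and $distinctOrg.Count -eq 1 -and $distinctSchema[0] -gt 0) {
    Write-Host ("Converged: rangeUpper={0}, organization objectVersion={1}" -f $distinctSchema[0], $distinctOrg[0])
} else {
    Write-Warning 'Values differ between domain controllers: wait for replication (or force it with repadmin /syncall /AdeP) and run this again.'
}
```

Run it from any domain-joined computer after each /Prepare* step. A DC that still shows the previous release (or -1 for the organization container, which means the object hasn't arrived there yet) is not ready to serve an Exchange installation in its site; the values on the global catalog server in the target site are the ones that matter for the first server install.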
    

Prepare Active Directory and domains

To track the progress of Active Directory replication, you can use the Active Directory Replication Monitor tool (replmon.exe), which is installed as part of the Windows Server 2003 Support Tools. By default, it's located at %programfiles%\support tools\. Add your domain controllers as monitored servers so that you can track the progress of replication throughout the domain. Replmon isn't included with Windows Server 2008 or later; on those systems use the built-in repadmin.exe instead, for example repadmin /replsummary to see replication health for every domain controller, or repadmin /showrepl <DC> to list a single domain controller's inbound replication partners and the result of their last replication attempt.

  1. If you have any computers in your organization running Microsoft Exchange Server 2003, open a Command Prompt window, and then run one of the following commands:

    • To prepare legacy Exchange permissions in every domain in the forest that contains the Exchange Enterprise Servers and Exchange Domain Servers groups, run the following command.

      setup /PrepareLegacyExchangePermissions or setup /pl

    • To prepare legacy Exchange permissions in a specific domain, run the following command.

      setup /PrepareLegacyExchangePermissions:<FQDN of domain you want to prepare> or setup /pl:<FQDN of domain you want to prepare>

    Note

    You can skip this step and prepare the legacy Exchange permissions as part of Step 2 or Step 3. The advantages of running each step separately are that you can run each step with an account that has the minimum permissions required for that step, and you can verify completion, success, and replication before continuing to the next step.

    Note the following:

    • To run this command to prepare every domain in the forest, you must be a member of the Enterprise Admins group. To run this command to prepare a specific domain, or if the forest has only one domain, you must be delegated the Exchange Organization Management role, and you must be a member of the Domain Admins group in the domain that you will prepare.

    • If you don't specify a domain, the domain in which you run this command must be able to contact all domains in the forest. If the server can't contact a domain that must have legacy Exchange permissions prepared, it prepares the domains that it can contact, and then returns an error message that it was unable to contact some domains.

    • You can run this command from any computer in the forest running Windows Server 2008; it doesn't have to be one of the servers on which you'll install Exchange 2010. However, that computer must be in the same domain and in the same Active Directory site as the schema master, because Setup writes all configuration changes to the schema master to avoid conflicts caused by replication latency. For more information, see Identify the schema master.

    • After you run this command, you must wait for the permissions to replicate across your Exchange organization before continuing to the next step. If the permissions haven't replicated, the Recipient Update Service on your Exchange 2003 computers could fail. The amount of time that replication takes depends on your Active Directory site topology.

    • For detailed information about the permissions set by this command, see Prepare Legacy Exchange 2003 Permissions.

  2. From a Command Prompt window, run the following command.

    setup /PrepareSchema or setup /ps

    Note

    You can skip this step and prepare the schema as part of Step 3.

    Important

    If you have multiple forests in your organization, make sure that you run your forest preparation from the correct Exchange forest. Setup preparation makes configuration changes to your forest, and it could configure a non-Exchange forest incorrectly.

    Note

    It isn't supported to use the LDIF Directory Exchange tool (LDIFDE) to manually import the Exchange 2010 schema changes. You must use Setup to update the schema.

    This command performs the following tasks:

    • Connects to the schema master and imports LDAP Data Interchange Format (LDIF) files to update the schema with Exchange 2010-specific attributes. The LDIF files are copied to the Temp directory, and then deleted after they have been imported into the schema.

    Note the following:

    • To run this command, you must be a member of the Schema Admins group and the Enterprise Admins group.

    • You must run this command on a 64-bit computer in the same domain and in the same Active Directory site as the schema master.

    • If you haven't completed Step 1, setup /PrepareSchema will automatically perform the PrepareLegacyExchangePermissions step. To complete the PrepareLegacyExchangePermissions step, the domain in which you run this command must be able to contact all domains in the forest. The advantages of running each step separately are that you can run each step with an account that has the minimum permissions required for that step, and you can verify completion, success, and replication before continuing to the next step.

    • If you use the /DomainController parameter with this command, you must specify the domain controller that is the schema master.

    • After you run this command, you should wait for the changes to replicate across your Exchange organization before continuing to the next step. The amount of time this takes is dependent upon your Active Directory site topology.

    • For more information, see Exchange Server Changes to the Active Directory Schema.

  3. From a Command Prompt window, run the following command.

    setup /PrepareAD [/OrganizationName:<organization name>] or setup /p [/on:<organization name>]

    This command performs the following tasks:

    • If the Microsoft Exchange container doesn't exist, this command creates it under CN=Services,CN=Configuration,DC=<root domain>.

    • If no Exchange organization container exists under CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>, you must specify an organization name using the /OrganizationName parameter. The organization container will be created with the name that you specify.

      The Exchange organization name can contain only the following characters:

      A through Z

      a through z

      0 through 9

      Space (not leading or trailing)

      Hyphen or dash

      The organization name can't contain more than 64 characters. The organization name can't be blank. If the organization name contains spaces, you must enclose the name in quotation marks (").

    • Verifies that the schema has been updated and that the organization is up to date by checking the objectVersion property in Active Directory. The objectVersion property is on the CN=<your organization>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain> container. The objectVersion value for Exchange 2010 SP3 is 14322. The objectVersion value for Exchange 2010 SP2 is 14247. The objectVersion value for Exchange 2010 SP1 is 13214. The objectVersion value for Exchange 2010 RTM is 12640.

    • If the containers don't exist, creates the following containers and objects under CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>, which are required for Exchange 2010:

      CN=Address Lists Container,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

      CN=Addressing,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

      CN=Administrative Groups,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

      CN=Client Access,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

      CN=Connections,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

      CN=ELC Folders,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

      CN=ELC Mailbox Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

      CN=Global Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

      CN=Mobile Mailbox Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

      CN=Recipient Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

      CN=System Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

      CN=Transport Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

      CN=UM AutoAttendant,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

      CN=UM DialPlan,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

      CN=UM IPGateway,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

      CN=UM Mailbox Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

    • If it doesn't exist, creates the default Accepted Domains entry, based on the forest root namespace, under CN=Transport Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>.

    • Assigns specific permissions throughout the configuration partition.

    • Imports the Rights.ldf file. This adds the extended rights required for Exchange to install into Active Directory.

    • Creates the Microsoft Exchange Security Groups organizational unit (OU) in the root domain of the forest and assigns specific permissions on this OU.

    • Creates the following management role groups within the Microsoft Exchange Security Groups OU:

      Organization Management

      Recipient Management

      Server Management

      View-Only Organization Management

      Public Folder Management

      UM Management

      Hygiene Management

      Records Management

      Discovery Management

      Delegated Setup

      Exchange All Hosted Organizations

      Exchange Servers

      Exchange Trusted Subsystem

      Exchange Windows Permissions

      Help Desk

      ExchangeLegacyInterop

    • Adds the new universal security groups (USGs) that are within the Microsoft Exchange Security Groups OU to the otherWellKnownObjects attribute stored on the CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain> container.

    • Creates the Unified Messaging Voice Originator contact in the Microsoft Exchange System Objects container of the root domain.

    • Prepares the local domain for Exchange 2010. For information about what tasks are completed to prepare a domain, see Step 4.

    Note the following:

    • To run this command, you must be a member of the Enterprise Admins group.

    • The computer where you run this command must be able to contact a domain controller in every domain in the forest over LDAP (TCP port 389).

    • You must run this command on a computer in the same domain and in the same Active Directory site as the schema master. Setup will make all configuration changes to the schema master to avoid conflicts because of replication latency.

    • If you haven't completed Step 1, setup /PrepareAD will automatically perform the PrepareLegacyExchangePermissions step. To complete the PrepareLegacyExchangePermissions step, the domain in which you run this command must be able to contact all domains in the forest. If you're also a member of the Schema Admins group, and if you haven't completed Step 2, setup /PrepareAD will automatically perform the PrepareSchema step. The advantages of running each step separately are that you can run each step with an account that has the minimum permissions required for that step, and you can verify completion, success, and replication before continuing to the next step.

    • After you run this command, you should wait for the changes to replicate across your Exchange organization before continuing to the next step. The amount of time this takes is dependent upon your Active Directory site topology.

    • To verify that this step completed successfully, make sure that there is a new OU in the root domain called Microsoft Exchange Security Groups, and that it contains the sixteen USGs listed above (Organization Management through ExchangeLegacyInterop).

  4. From a Command Prompt window, run one of the following commands:

    • Run setup /PrepareDomain or setup /pd to prepare the local domain. You don't need to run this in the domain where you ran Step 3. Running setup /PrepareAD prepares the local domain.

    • Run setup /PrepareDomain:<FQDN of domain you want to prepare> to prepare a specific domain.

    • Run setup /PrepareAllDomains or setup /pad to prepare all domains in your organization.

    These commands perform the following tasks:

    • If this is a new organization, creates the Microsoft Exchange System Objects container in the root domain partition in Active Directory and sets permissions on this container for the Exchange Servers, Exchange Organization Administrators, and Authenticated Users groups. This container is used to store public folder proxy objects and Exchange-related system objects, such as the mailbox database's mailbox.

    • Sets the objectVersion property on the Microsoft Exchange System Objects container under DC=<root domain>. This objectVersion property records the version of domain preparation. The version for Exchange 2010 RTM is 12640. The version for Exchange 2010 SP1, SP2, and SP3 is 13040.

    • Creates a domain global group in the current domain called Exchange Install Domain Servers. The command places this group in the Microsoft Exchange System Objects container. It also adds the Exchange Install Domain Servers group to the Exchange Servers USG in the root domain.

      Note

      The Exchange Install Domain Servers group is used when you install Exchange 2010 in a child domain whose domain controllers are in a different Active Directory site from the root domain's domain controllers. Because this group is a domain global group created in the child domain itself, Setup can resolve its membership there immediately, avoiding installation errors that would otherwise occur when the root domain's universal group memberships haven't replicated to the child domain yet.

    • Assigns permissions at the domain level for the Exchange Servers USG and the Exchange Recipient Administrators USG.

    Note the following:

    • To run setup /PrepareAllDomains, you must be a member of the Enterprise Admins group.

    • To run setup /PrepareDomain, if the domain that you're preparing existed before you ran setup /PrepareAD, you must be a member of the Domain Admins group in the domain. If the domain that you're preparing was created after you ran setup /PrepareAD, you must be a member of the Organization Management role group (created in Step 3), and you must be a member of the Domain Admins group in the domain.

    • For domains whose domain controllers are in an Active Directory site other than the one containing the root domain's domain controllers, /PrepareDomain might fail with the following messages:

      "PrepareDomain for domain <YourDomain> has partially completed. Because of the Active Directory site configuration, you must wait at least 15 minutes for replication to occur, and run PrepareDomain for <YourDomain> again."

      "Active Directory operation failed on <YourServer>. This error is not retriable. Additional information: The specified group type is invalid.

      Active Directory response: 00002141: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0

      The server cannot handle directory requests."

      If you see these messages, wait for or force Active Directory replication between this domain and the root domain, and then run /PrepareDomain again.

    • You must run this command in every domain in which you will install Exchange 2010. You must also run this command in every domain that will contain mail-enabled users, even if the domain doesn't have Exchange 2010 installed.

    To verify that this step completed successfully, confirm the following:

    • You have a new global group in the Microsoft Exchange System Objects container called Exchange Install Domain Servers.

      Note

      To view the Microsoft Exchange System Objects container in Active Directory Users and Computers, on the View menu, click Advanced Features.

    • The Exchange Install Domain Servers group is a member of the Exchange Servers USG in the root domain.

    • On each domain controller in a domain in which you will install Exchange 2010, the Exchange Servers USG has permissions on the Domain Controller Security Policy\Local Policies\User Rights Assignment\Manage Auditing and Security Log policy.
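The verification points for Step 3 and Step 4 are normally checked by clicking through Active Directory Users and Computers and the Domain Controller Security Policy console. The following script is an added example, not part of the original documentation, that performs the same checks for the domain the computer belongs to: the Microsoft Exchange Security Groups OU and its sixteen groups, the domain's objectVersion, the Exchange Install Domain Servers group and its membership in Exchange Servers, and the "Manage auditing and security log" user right (SeSecurityPrivilege) as exported by secedit.exe. The group names and version values are taken from this page; the use of secedit.exe to read the effective user rights is the author's choice and assumes the script runs elevated on a domain controller of the domain being checked.

```powershell
# Added example (not part of the Exchange documentation): verify the results of
# Step 3 (/PrepareAD) and Step 4 (/PrepareDomain) for the domain this computer
# belongs to. Run it from an elevated prompt on a domain controller of that domain
# so the user-right check reflects the policy actually applied there.
# Uses System.DirectoryServices and secedit.exe only.

$rootDse   = [ADSI]'LDAP://RootDSE'
$domainNc  = [string]$rootDse.defaultNamingContext       # domain being checked
$rootDomNc = [string]$rootDse.rootDomainNamingContext    # forest root domain
$ouDn      = "OU=Microsoft Exchange Security Groups,$rootDomNc"
$mesoDn    = "CN=Microsoft Exchange System Objects,$domainNc"

# Role groups and USGs that /PrepareAD creates (list from this page).
$expectedGroups = @(
    'Organization Management', 'Recipient Management', 'Server Management',
    'View-Only Organization Management', 'Public Folder Management', 'UM Management',
    'Hygiene Management', 'Records Management', 'Discovery Management', 'Delegated Setup',
    'Exchange All Hosted Organizations', 'Exchange Servers', 'Exchange Trusted Subsystem',
    'Exchange Windows Permissions', 'Help Desk', 'ExchangeLegacyInterop'
)

$findings = New-Object System.Collections.ArrayList
function Add-Finding([string]$Check, [bool]$Ok, [string]$Detail) {
    $result = if ($Ok) { 'PASS' } else { 'FAIL' }
    [void]$findings.Add((New-Object PSObject -Property @{ Check = $Check; Result = $result; Detail = $Detail }))
}
function Test-LdapObject([string]$Dn) { [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$Dn") }

# Step 3: the OU exists in the root domain and holds every expected group.
if (Test-LdapObject $ouDn) {
    $ou = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ouDn")
    $present = @($ou.Children | Where-Object { $_.SchemaClassName -eq 'group' } |
                ForEach-Object { [string]$_.Properties['cn'].Value })
    $missing = @($expectedGroups | Where-Object { $present -notcontains $_ })
    Add-Finding 'Microsoft Exchange Security Groups OU' ($missing.Count -eq 0) ('missing groups: ' + ($missing -join ', '))
} else {
    Add-Finding 'Microsoft Exchange Security Groups OU' $false "not found: $ouDn"
}

# Step 4: Microsoft Exchange System Objects exists and carries the domain-prep version.
# 12640 = Exchange 2010 RTM, 13040 = SP1/SP2 (values from this page).
if (Test-LdapObject $mesoDn) {
    $meso = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$mesoDn")
    $ver  = [int]$meso.Properties['objectVersion'].Value
    Add-Finding 'Domain objectVersion' ($ver -ge 12640) "objectVersion=$ver"
} else {
    Add-Finding 'Domain objectVersion' $false "not found: $mesoDn"
}

# Step 4: Exchange Install Domain Servers exists in this domain and is a member
# of the Exchange Servers USG in the root domain.
$eidsDn  = "CN=Exchange Install Domain Servers,$mesoDn"
$exSrvDn = "CN=Exchange Servers,$ouDn"
if ((Test-LdapObject $eidsDn) -and (Test-LdapObject $exSrvDn)) {
    $exSrv    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$exSrvDn")
    $members  = @($exSrv.Properties['member'] | ForEach-Object { [string]$_ })
    $isMember = $members -contains $eidsDn
    Add-Finding 'Exchange Install Domain Servers membership' $isMember "member of Exchange Servers: $isMember"
} else {
    Add-Finding 'Exchange Install Domain Servers membership' $false 'group(s) not found'
}

# Step 4: Exchange Servers USG holds "Manage auditing and security log"
# (SeSecurityPrivilege) on this domain controller. secedit lists SIDs as *S-1-5-...
if (Test-LdapObject $exSrvDn) {
    $exSrv = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$exSrvDn")
    $sid   = (New-Object -TypeName System.Security.Principal.SecurityIdentifier `
                         -ArgumentList ([byte[]]$exSrv.Properties['objectSid'].Value), 0).Value
    $inf   = Join-Path $env:TEMP ('userrights-{0}.inf' -f [guid]::NewGuid())
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null      # needs elevation
    $line  = Get-Content $inf | Where-Object { $_ -match '^SeSecurityPrivilege' }
    Remove-Item $inf -Force -ErrorAction SilentlyContinue
    $granted = ($line -ne $null) -and ($line -like "*$sid*")
    Add-Finding 'Manage auditing and security log' $granted ('SeSecurityPrivilege = ' + $line)
}

$findings | Format-Table Check, Result, Detail -AutoSize
```

A FAIL on the membership check in a child domain right after /PrepareDomain is usually the replication condition described above (the membership is written in the root domain and has to replicate); re-run after replication before assuming the command failed. A FAIL on the user-right check with an empty SeSecurityPrivilege line means secedit.exe could not export the policy, which happens when the prompt isn't elevated.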

 © 2010 Microsoft Corporation. All rights reserved.