How to Prepare Active Directory and Domains

  • Article

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

 

Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

This topic explains how to prepare the Active Directory directory service and domains for installing Microsoft Exchange Server 2007. You must complete this procedure before you install Exchange 2007 on any servers in your organization.

Note

If you run the Exchange Server 2007 Setup wizard with an account that has the permissions required to prepare Active Directory and the domain, the wizard will automatically prepare Active Directory and the domain.

Before You Begin

Before you prepare Active Directory and your domain for Exchange 2007, confirm the following:

  • The computer on which you perform this procedure has the Microsoft .NET Framework 2.0 and the Microsoft Command Shell installed.

  • Your domains and the domain controllers meet the system requirements in the "Network and Directory Servers" section of Exchange 2007 System Requirements.

  • In each domain in which you will install Exchange 2007, (or will contain mail-enabled users), you have at least one domain controller that is running Windows Server 2003 Service Pack 1 (SP1).

  • If you are running the release to manufacturing (RTM) version of Exchange 2007 Setup.com, in each domain (including child domains) where you have the Exchange Enterprise Servers and Exchange Domains Servers security groups and therefore must run Setup /PrepareLegacyExchangePermissions, you must have at least one domain controller that is running Windows Server 2003 SP1 or a later version.

  • If you have any domain controllers that are running Windows 2000 Server and you are using the Exchange 2007 RTM Setup.com, you must run each of the steps below with the /DomainController parameter to specify a domain controller that is running Windows Server 2003 SP1. If you are using Setup.com from Exchange 2007 SP1, you do not have to specify a domain controller that is running Windows Server 2003 SP1.

  • If you are deploying a new Exchange organization, and you are preparing your Active Directory schema and domains by using a computer running Windows Server 2008, you must first install the Active Directory management tools on the Windows Server 2008 computer prior to preparing the schema or domains. To do this, run the following command:

    ServerManagerCmd -i RSAT-ADDS

  • The computers on which you will install Exchange 2007 meet the system requirements in the "Hardware" and "Operating System" sections of Exchange 2007 System Requirements.

Note

You can run this procedure on a computer that has either a 32-bit or a 64-bit processor. For more information about platform versions, see Exchange Server 2007: Platforms, Editions, and Versions.

Procedure

To prepare Active Directory and the domain

  1. If you have any computers in your organization running Exchange Server 2003 or Exchange 2000 Server, open a Command Prompt window, and then run one of the following commands:

    • To prepare legacy Exchange permissions in every domain in the forest that contains the Exchange Enterprise Servers and Exchange Domain Servers groups, run the following command:

      setup /PrepareLegacyExchangePermissions.or setup /pl

    • To prepare legacy Exchange permissions in a specific domain, run the following command:

      setup /PrepareLegacyExchangePermissions: <FQDN of domain you want to prepare> or setup /pl:<FQDN of domain you want to prepare>

    Note

    You can skip this step and prepare the legacy Exchange permissions as part of Step 2 or Step 3. The advantages of running each step separately are that you can run each step with an account that has the minimum permissions required for that step, and you can verify completion, success, and replication before continuing to the next step.

    Note the following:

    • To run this command to prepare every domain in the forest, you must be a member of the Enterprise Admins group. To run this command to prepare a specific domain, or if the forest has only one domain, you must be delegated the Exchange Full Administrator role and you must be a member of the Domain Admins group in the domain that you will prepare.

    • If you do not specify a domain, the domain in which you run this command must be able to contact all domains in the forest. If the server cannot contact a domain that must have legacy Exchange permissions prepared, it prepares the domains that it can contact and then returns an error message that it was unable to contact some domains.

    • You can run this command from any 32-bit or 64-bit Windows Server 2003 SP1 server in the forest.

    • After you run this command, you must wait for the permissions to replicate across your Exchange organization before continuing to the next step. If the permissions have not replicated, the Recipient Update Service on your Exchange Server 2003 or Exchange 2000 Server computers could fail. The amount of time that replication takes depends on your Active Directory site topology.

      Note

      To track the progress of Active Directory replication, you can use the Active Directory Replication Monitor tool (replmon.exe), which is installed as part of the Microsoft Windows Server 2003 Support Tools Setup. By default, it is located at "%programfiles%\support tools." Add your domain controllers as monitored servers so that you can track the progress of replication throughout the domain.

    For detailed information about the permissions that are set by this command, see Preparing Legacy Exchange Permissions.

  2. From a Command Prompt window, run the following command:

    setup /PrepareSchema or setup /ps

    Note

    You can skip this step and prepare the schema as part of Step 3.

    Important

    You must not run this command in a forest in which you do not plan to run setup /PrepareAD. If you do, the forest will be configured incorrectly, and you will not be able to read some attributes on user objects.

    Note

    It is not supported to use LDIFDE to manually import the Exchange 2007 schema changes. You must use Setup to update the schema.

    This command performs the following tasks:

    • Connects to the schema master and imports LDAP Data Interchange Format (LDIF) files to update the schema with Exchange 2007 specific attributes. The LDIF files are copied to the Temp directory and then are deleted after they are imported into the schema.

      Note

      The Exchange 2007 schema also includes the Exchange 2000 and Exchange 2003 schema extensions.

    • If you have not completed Step 1, setup /PrepareSchema will automatically perform the PrepareLegacyExchangePermissions step.

    Note the following:

    • If you want to verify the updates to the schema before the changes are replicated to other servers in the domain, you must disable outbound replication on the computer on which you run the command before you run it, and then enable outbound replication after you have verified that the import completed successfully.

    • To run this command, you must be a member of the Schema Admins group and the Enterprise Admins group.

    • You must run this command on either a 32-bit or a 64-bit computer that is in the same domain and the same Active Directory site as the schema master.

    • If you have not completed Step 1, setup /PrepareSchema will automatically perform the PrepareLegacyExchangePermissions step. To complete the PrepareLegacyExchangePermissions step, the domain in which you run this command must be able to contact all domains in the forest. The advantages of running each step separately are that you can run each step with an account that has the minimum permissions required for that step, and you can verify completion, success, and replication before continuing to the next step.

    • If you use the /DomainController parameter with this command, you must specify the domain controller that is the schema master.

    • After you run this command, you should wait for the changes to replicate across your Exchange organization before continuing to the next step. The amount of time this takes is dependent upon your Active Directory site topology.

      Note

      To track the progress of Active Directory replication, you can use the Active Directory Replication Monitor tool (replmon.exe), which is installed as part of the Windows Server 2003 Support Tools Setup. By default, it is located at "%programfiles%\support tools." Add your domain controllers as monitored servers so that you can track the progress of replication throughout the domain.

    For detailed information about the changes to the schema that are made by running this command, see Active Directory Schema Changes.

  3. From a Command Prompt window, run the following command:

    setup /PrepareAD [/OrganizationName:<organization name>] or setup /p [/on:<organization name>]

    This command performs the following tasks:

    • If the Microsoft Exchange container does not exist, this command creates it under CN=Services,CN=Configuration,DC=<root domain>.

    • If no Exchange organization container exists under CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain >, you must specify an organization name by using the /OrganizationName parameter. The organization container will be created with the name that you specify.

      The Exchange organization name can contain only the following characters:

      A through Z

      a through z

      0 through 9

      Space (not leading or trailing)

      Hyphen or dash

      The organization name cannot contain more than 64 characters. The organization name cannot be blank. If the organization name contains spaces, you must enclose it in quotation marks.

    • Verifies that the schema has been updated and that the organization is up to date by checking the objectVersion property in Active Directory. The objectVersion property is in the CN=<your organization>, CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain> container. The objectVersion value for the release to manufacturing (RTM) version of Exchange 2007 is 10666.

    • If they do not exist, creates the following containers and objects under CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>. These are required for Exchange 2007.

      CN=Address Lists Container,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

      CN=Addressing,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

      CN=Administrative Groups,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

      CN=Client Access,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

      CN=Connections,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

      CN=ELC Folders Container,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

      CN=ELC Mailbox Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

      CN=Global Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

      CN=Mobile Mailbox Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

      CN=Recipient Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

      CN=System Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

      CN=Transport Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

      CN=UM AutoAttendant,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

      CN=UM DialPlan,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

      CN=UM IPGateway Container,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

      CN=UM Mailbox Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

    • If it does not exist, this command creates the default Accepted Domains entry, based on the forest root namespace, under CN=Transport Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>.

    • Assigns specific permissions throughout the configuration partition. For more information about which permissions are granted, see Exchange 2007 Server Setup Permissions Reference.

    • Imports the Rights.ldf file. This adds the extended rights that are required for Exchange to install into Active Directory.

    • Creates the Microsoft Exchange Security Groups organizational unit (OU) in the root domain of the forest and assigns specific permissions on this OU. For more information about which permissions are granted, see Exchange 2007 Server Setup Permissions Reference.

    • Creates the following universal security groups (USGs) within the Microsoft Exchange Security Groups OU:

      Exchange Organization Administrators

      Exchange Recipient Administrators

      Exchange Servers

      Exchange View-Only Administrators

      Exchange Public Folder Administrators (New in Exchange Server 2007 Service Pack 1)

      ExchangeLegacyInterop

    • Adds the new USGs that are within the Microsoft Exchange Security Groups OU to the otherWellKnownObjects attribute that is stored on the CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain> container.

    • This command creates the Exchange 2007 Administrative Group called Exchange Administrative Group (FYDIBOHF23SPDLT). It also creates the Exchange 2007 Routing Group called Exchange Routing Group (DWBGZMFD01QNBJR).

      Warning

      Do not move Exchange 2007 servers out of Exchange Administrative Group (FYDIBOHF23SPDLT) and do not rename Exchange Administrative Group (FYDIBOHF23SPDLT) by using a low-level directory editor. Exchange 2007 must use this administrative group for configuration data storage. We do not support moving Exchange 2007 servers out of Exchange Administrative Group (FYDIBOHF23SPDLT) or renaming of Exchange Administrative Group (FYDIBOHF23SPDLT).

      Warning

      Do not move Exchange 2007 servers out of Exchange Routing Group (DWBGZMFD01QNBJR) and do not rename Exchange Routing Group (DWBGZMFD01QNBJR) by using a low-level directory editor. Exchange 2007 must use this routing group for communication with earlier versions of Exchange . We do not support moving Exchange 2007 servers out of Exchange Routing Group (DWBGZMFD01QNBJR) or renaming of Exchange Routing Group (DWBGZMFD01QNBJR).

    • This command creates the Unified Messaging Voice Originator contact in the Microsoft Exchange System Objects container of the root domain.

    • This command prepares the local domain for Exchange 2007. For information about what tasks are completed to prepare a domain, see Step 4.

    Note the following:

    • To run this command, you must be a member of the Enterprise Admins group.

    • The computer where you run this command must be able to contact all domains in the forest on port 389.

    • You must run this command on a computer that is in the same domain and the same Active Directory site as the Schema Master. Setup will make all configuration changes to the schema master to avoid conflicts because of replication latency.

    • If you have not completed Step 1, setup /PrepareAD will automatically perform the PrepareLegacyExchangePermissions step. To complete the PrepareLegacyExchangePermissions step, the domain in which you run this command must be able to contact all domains in the forest. If you are also a member of the Schema Admins group, and if you have not completed Step 2, setup /PrepareAD will automatically perform the PrepareSchema step. The advantages of running each step separately are that you can run each step with an account that has the minimum permissions required for that step, and you can verify completion, success, and replication before continuing to the next step.

    • After you run this command, you should wait for the changes to replicate across your Exchange organization before continuing to the next step. The amount of time this takes is dependent upon your Active Directory site topology. 

      Note

      To track the progress of Active Directory replication, you can use the Active Directory Replication Monitor tool (replmon.exe), which is installed as part of the Windows Server 2003 Support Tools Setup. By default, it is located at "%programfiles%\support tools." Add your domain controllers as monitored servers so that you can track the progress of replication throughout the domain.

    • To verify that this step completed successfully, make sure that there is a new OU in the root domain called Microsoft Exchange Security Groups. This OU should contain the following new Exchange USGs:

      Exchange Organization Administrators

      Exchange Recipient Administrators

      Exchange View-Only Administrators

      Exchange Servers

      Exchange Public Folder Administrators (new in Exchange 2007 Service Pack 1)

      ExchangeLegacyInterop

      Note

      When you install Exchange 2007, Setup will add the Exchange Organization Administrators USG as a member of the local Administrators group on the computer on which you are installing Exchange. Be aware that the local Administrators group on a domain controller has different permissions than the local Administrators group on a member server. If you install Exchange 2007 on a domain controller, the users who are Exchange Organization Administrators will have additional Windows permissions that they do not have if you install Exchange 2007 on a computer that is not a domain controller.

  4. From a Command Prompt window, run one of the following commands:

    • Run setup /PrepareDomain or setup /pd to prepare the local domain. Note that you do not need to run this in the domain where you ran Step 3. Running setup /PrepareAD prepares the local domain.

    • Run setup /PrepareDomain:<FQDN of domain you want to prepare> to prepare a specific domain.

    • Run setup /PrepareAllDomains or setup /pad to prepare all domains in your organization.

    These commands perform the following tasks:

    • Sets permissions on the domain container for the Exchange Servers, Exchange Organization Administrators, Authenticated Users, and Exchange Mailbox Administrators.

    • If this is a new organization, this command creates the Microsoft Exchange System Objects container in the root domain partition in Active Directory and sets permissions on this container for the Exchange Servers, Exchange Organization Administrators, and Authenticated Users. This container is used to store public folder proxy objects and Exchange-related system objects, such as the mailbox database's mailbox. For more information about which permissions are granted, see Exchange 2007 Server Setup Permissions Reference.

    • This command sets the objectVersion property in the Microsoft Exchange System Objects container under DC=<root domain>. This objectVersion property contains the version of domain preparation. The version for Exchange 2007 RTM is 10628.

    • Creates a new domain global group in the current domain called Exchange Install Domain Servers. The command places this group in the Microsoft Exchange System Objects container. It also adds the Exchange Install Domain Servers group to the Exchange Servers USG in the root domain.

      Note

      The Exchange Install Domain Servers group is used if you install Exchange 2007 in a child domain that is an Active Directory site other than the root domain. The creation of this group allows you to avoid installation errors if group memberships have not replicated to the child domain.

    • Assigns permissions at the domain level for the Exchange Servers universal security group (USG) and the Exchange Recipient Administrators USG. For more information about which permissions are granted, see Exchange 2007 Server Setup Permissions Reference.

    Note the following:

    • For domains that are in an Active Directory site other than the root domain, /PrepareDomain might fail with the following messages:

      "PrepareDomain for domain <YourDomain> has partially completed. Because of the Active Directory site configuration, you must wait at least 15 minutes for replication to occur, and run PrepareDomain for <YourDomain> again."

      "Active Directory operation failed on <YourServer>. This error is not retriable. Additional information: The specified group type is invalid.

      Active Directory response: 00002141: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0

      The server cannot handle directory requests."

      If you see these messages, wait for or force Active Directory replication between this domain and the root domain, and then run /PrepareDomain again.

    • To run setup /PrepareAllDomains you must be a member of the Enterprise Admins group.

    • To run setup /PrepareDomain, if the domain that you are preparing existed before you ran setup /PrepareAD, you must be a member of the Domain Admins group in the domain. If the domain that you are preparing was created after you ran setup /PrepareAD, you must be a member of the Exchange Organization Administrators group, and you must be a member of the Domain Admins group in the domain.

    • You must run this command in every domain in which you will install Exchange 2007. You must also run this command in every domain that will contain mail-enabled users, even if the domain does not have Exchange 2007 installed.

    To verify that this step completed successfully, confirm the following:

    • You have a new global group in the Microsoft Exchange System Objects container called Exchange Install Domain Servers.

      Note

      To view the Microsoft Exchange System Objects container in Active Directory Users and Computers, on the View menu, click Advanced Features.

    • The Exchange Install Domain Servers group is a member of the Exchange Servers USG in the root domain.

    • On each domain controller in a domain in which you will install Exchange 2007, the Exchange Servers USG has permissions on the Domain Controller Security Policy\Local Policies\User Rights Assignment\Manage Auditing and Security Log policy.