Provision Exchange 2010 Server and Delegate Setup
Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2011-01-06
This topic explains how to provision a server and delegate the setup and installation of Exchange. After the initial installation of the first instance of Exchange Server, you can provision a server for delegated setup of subsequent installations. This procedure allows a delegated account to install single instances of Exchange in your domain, without being a member of the Organization Management management role group.
However, be aware that you must install the first Exchange server in the domain by using an account that is a member of the Organization Management role group and local Administrators group. You can then install subsequent instances of Exchange using a member of the Delegated Setup management role group. (You just can't install the first instance of an Exchange server using a member of the Delegated Setup role group.)
Note: A delegated user can't uninstall an Exchange server. Uninstalling or removing Exchange servers requires an account that is a member of the Organization Management role group and local Administrators group.
For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2010, see Understanding Permissions, Understanding Role Based Access Control, and Delegated Setup.
Note: Exchange 2010 needs permissions to deploy and function correctly in your organization. These permissions are stamped on the access control lists (ACL) of the objects used by Exchange 2010 during setup. For more information, see Exchange 2010 Deployment Permissions Reference.
You can use Setup.com /NewProvisionedServer to provision your server. The Setup.com /NewProvisionedServer command performs the following tasks:
Creates the server object within the configuration partition: CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Root Domain>
Adds the following access control entries (ACE) to the server object within the configuration partition for the Delegated Setup role group:
Full Control on the server object and its children
Deny access control entry for the Send As extended right
Deny access control entry for the Receive As extended right
Deny CreateChild and DeleteChild permissions for Exchange Public Folder Store objects
Note: Public folders are administered at an organizational level; therefore, the creation and deletion of public folder stores is restricted to Exchange Organization Administrators.
Adds the computer account to the Exchange Servers group.
Adds the server as a provisioned server in the Exchange Management Console.
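As an added example (not part of the original topic and not Microsoft's code), the following Exchange Management Shell function checks ACEs, in the shape returned by Get-ADPermission, against the entries listed above and reports any that are missing. The value names it matches (GenericAll for Full Control, Send-As, Receive-As, ms-Exch-Public-MDB for the public folder store class), the helper names, and the sample ACEs are assumptions constructed for illustration.

```powershell
# Added example. Helper: does any ACE in $Set carry $Value in property $Field?
function Test-AceValue($Set, $Field, $Value) {
    foreach ($a in $Set) {
        # Enum values may arrive combined ("CreateChild, DeleteChild"); split them.
        $vals = @($a.$Field | ForEach-Object { "$_" -split ',\s*' })
        if ($vals -contains $Value) { return $true }
    }
    return $false
}

function Test-ProvisionedServerAcl {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Ace,
        # Assumption: name under which the public folder store class is reported.
        [string] $PublicStoreClass = 'ms-Exch-Public-MDB'
    )
    $allow  = @($Ace | Where-Object { -not $_.Deny })
    $deny   = @($Ace | Where-Object { $_.Deny })
    # Deny ACEs scoped to public folder store child objects.
    $pfDeny = @($deny | Where-Object { Test-AceValue @($_) 'ChildObjectTypes' $PublicStoreClass })
    New-Object PSObject -Property @{
        AllowFullControl       = (Test-AceValue $allow  'AccessRights'   'GenericAll')
        DenySendAs             = (Test-AceValue $deny   'ExtendedRights' 'Send-As')
        DenyReceiveAs          = (Test-AceValue $deny   'ExtendedRights' 'Receive-As')
        DenyPublicStoreCreate  = (Test-AceValue $pfDeny 'AccessRights'   'CreateChild')
        DenyPublicStoreDelete  = (Test-AceValue $pfDeny 'AccessRights'   'DeleteChild')
    }
}

# Constructed sample ACEs (hypothetical); the Receive-As deny entry is left out
# on purpose so the check has something to report.
function New-SampleAce($Deny, $Rights, $Extended, $Child) {
    New-Object PSObject -Property @{ Deny = $Deny; AccessRights = $Rights
        ExtendedRights = $Extended; ChildObjectTypes = $Child }
}
$sample = @(
    (New-SampleAce $false 'GenericAll' $null $null),
    (New-SampleAce $true 'ExtendedRight' 'Send-As' $null),
    (New-SampleAce $true 'CreateChild, DeleteChild' $null 'ms-Exch-Public-MDB')
)

# Against a real provisioned server object, replace $sample with:
#   Get-ADPermission -Identity '<server object DN>' -User 'Delegated Setup'
$result = Test-ProvisionedServerAcl -Ace $sample
$result.PSObject.Properties | Where-Object { -not $_.Value } |
    ForEach-Object { "MISSING: $($_.Name)" }
```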
If Exchange Server is installed on the computer you're provisioning, you can run the Setup.com command with associated arguments from the Run line or a command prompt. If the computer that you are running the Setup.com command from doesn't have Exchange installed, you must insert the Exchange 2010 DVD into the computer, and then run the Setup.com command from the root directory of the DVD.
To run Setup.com /NewProvisionedServer, the account you use must be a member of the Organization Management role group.
To provision the local server, run the following command:
Note: Running this command provisions the local server, but it doesn't delegate a user.