As groups get moved around, their location is updated on this attribute, giving you a way to always find out where the groups are. Neat!
Q I found a Global Security group called "Exchange Install Domain Servers" in my domain. What is it for?
A You are definitely keeping tabs on your Active Directory®. Indeed, there will be a group called Exchange Install Domain Servers in every domain that has Exchange 2007 servers installed. This group is created in the Microsoft Exchange System Objects (MESO) OU. If you examine this group, you will see that it is being made a member of the root domain’s Exchange Servers group, which is a Universal Security Group.
To put it succinctly, Exchange Install Domain Servers is a group used to work around possible long Active Directory replication cycles if you are running Exchange 2007 setup in one of your child domains. For example, say you have a root domain called Root, a child domain called Child, and a child domain of Child called Grandchild. (We know, the naming scheme is brilliant! Think you can guess what our passwords are?)
To start setting up Exchange 2007 in this org, you first have to extend the schema and prepare your Root domain. This creates the original five USGs we discussed in the previous answer.
Then, say you need to run setup in the Grandchild domain. In order to be able to start the Exchange 2007 services in the local domain, setup puts a computer account of the Exchange 2007 machine into the Exchange Servers group from the Root domain. But since you are now in the Grandchild domain, the membership of the Exchange Servers group might take a while to replicate.
Exchange Servers is a universal group and its membership replicates throughout the forest. Due to potential replication latency, it is possible that setup in the Grandchild domain could fail to start services, as permissions would not be replicated by the time setup was done. That is why when the first Exchange 2007 server is set up in a domain, it will create the Exchange Install Domain Servers group in the local domain.
The Exchange computer account will be placed as a member in that group as part of the setup. Membership in this group gives services enough permissions to start at the end of setup, even if the membership of the Exchange Servers group has not yet replicated from the Root domain. Note that local domain replication is usually faster than replication between domains.
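To check what the answer above describes in your own forest, the following added example (not part of the original column) reports, per domain, where the Exchange Install Domain Servers group lives, whether it is nested in the root domain's Exchange Servers group, and whether it contains anything other than computer accounts. It assumes the ActiveDirectory PowerShell module, which shipped with later Windows releases than the ones this column covers, and read access to every domain in the forest.

```powershell
# Added example: audit the per-domain Exchange setup group described above.
# Assumption: ActiveDirectory module (RSAT) is installed; PowerShell 3.0 or later.
Import-Module ActiveDirectory

$installGroup = 'Exchange Install Domain Servers'   # per-domain Global group
$serversGroup = 'Exchange Servers'                  # root-domain Universal group

$forest    = Get-ADForest
$rootGroup = Get-ADGroup -Filter "Name -eq '$serversGroup'" `
                         -Server $forest.RootDomain -Properties member

$report = foreach ($domain in $forest.Domains) {
    $group = Get-ADGroup -Filter "Name -eq '$installGroup'" `
                         -Server $domain -Properties member
    if (-not $group) { continue }   # group not present in this domain

    # A Global group only holds members from its own domain, so resolve them there.
    $members = @($group.member | Where-Object { $_ } |
                 ForEach-Object { Get-ADObject -Identity $_ -Server $domain })

    # The column describes Exchange computer accounts as the members;
    # anything else (users, nested groups) deserves a closer look.
    $unexpected = @($members | Where-Object { $_.ObjectClass -ne 'computer' })

    [pscustomobject]@{
        Domain            = $domain
        GroupDN           = $group.DistinguishedName
        Scope             = $group.GroupScope
        InMesoContainer   = $group.DistinguishedName -like '*Microsoft Exchange System Objects*'
        NestedInRootGroup = $rootGroup.member -contains $group.DistinguishedName
        ComputerMembers   = ($members | Where-Object { $_.ObjectClass -eq 'computer' }).Name -join ', '
        UnexpectedMembers = $unexpected.DistinguishedName -join '; '
    }
}

$report | Format-List
```

A non-empty UnexpectedMembers value, or a group found outside the Microsoft Exchange System Objects location, means the group no longer matches what setup creates and its membership should be reviewed.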
Q The Exchange 2007 documentation tells me I should be running setup with the /PrepareLegacyExchangePermissions switch, even before I extend my schema for Exchange 2007. Why is that? (And could you have made the name of this switch any longer?)
A We’re glad to hear you are reading the documentation before running Setup. How do you like it?
The /PrepareLegacyExchangePermissions (or /pl for short) is a switch that, in so many words, gives Exchange 2000 and Exchange 2003 Recipient Update Services (RUSes) permissions to write to the Exchange Information and Personal Information property sets. During the Exchange 2007 schema extension process, several attributes (such as Proxy Addresses) are moved from the Active Directory Public Information property set into the Exchange Information property set. By default, Exchange 2000 and Exchange 2003 RUSes don’t have the rights to write to the Exchange Information property set. In real life, this means that if you run your Exchange 2007 schema extension first, you will break your Exchange 2000 and Exchange 2003 RUSes because they will be unable to stamp any new recipients! (If you want to read more about those property sets, please go to our blog at
Therefore, it is very important that you run the /pl switch before the schema is extended for Exchange 2007. You should also make sure that this change replicates to all domains that have Exchange 2000 or Exchange 2003 recipients (so RUSes exist for those domains). If new domains are added to the forest at a later time and you need to put Exchange 2000 or Exchange 2003 RUSes into them, you should run the /pl switch in those domains too.
On that note, when running the /pl switch for the first time, life will be much simpler if you run the switch with an account that has Enterprise Admin rights. Then, setup from the root domain will identify which domains need to have /pl run on them and it will run the /pl switch on all of those domains. If you are not using an Enterprise Admin account, you will have to run the /pl switch using a Domain Admin account for each domain individually. Fortunately, the Exchange 2007 documentation lays out all the permissions requirements.
And finally, you asked whether we could have made this switch any longer. Just try to say /PrepareLegacyExchangePermissions three times quickly:
We thought of making this /Prepare-LegacyExchangePermissionsWOWThisIsaReallyLongname, but then we opted for the shorter and friendlier /PrepareLegacyExchangePermissions.
OK, we just made that up. But you can always use the much shorter /pl. And that one is true—we swear!
KC Lemson is the User Experience Manager for Exchange Server. She spends her free time waiting for e-mail to arrive to tell her where she should invest her kids’ college funds.
Nino Bilic, a Technical Lead for Exchange Server, is busy keeping tabs on how many games of Halo he can get away with during a typical work day.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.