Saturday, July 21, 2007

MS Exchange Server 2007 – Active Directory Preparation

How to Prepare Active Directory for Exchange Server 2007 Installation:

As we all know, Microsoft Exchange Server 2007 uses the Active Directory directory service to store and share directory information with Microsoft Windows, so without Active Directory Domain Services you will not be able to install any version of Exchange Server 200x on your network. If you already have Active Directory deployed in your production network and you want to deploy Exchange Server 2007, continue reading this article to learn how to prepare your Active Directory domain infrastructure for Exchange Server 2007 deployment and installation. If you have NOT yet deployed Active Directory, stop reading this article, go and deploy Active Directory first, then come back here to continue :).
In order to install and deploy MS Exchange Server 2007 in your production or test lab environment, you must first prepare Active Directory for Exchange Server 2007 before doing any kind of Exchange Server 2007 installation. Here I will explain how to prepare the Active Directory directory service and domains for installing Microsoft Exchange Server 2007.

As I mentioned in my previous article on this blog, “Microsoft Exchange Server 2007 Requirements”, you have to make sure that you have met all Exchange Server 2007 hardware, infrastructure, and system requirements before you proceed with the Active Directory preparation steps described in this article.
Now, here are the steps required to prepare your Active Directory for Exchange Server 2007 deployment and installation in your organization:

1. Prepare Exchange Legacy Permissions

If you have Exchange Server 2003 or Exchange 2000 Server running in your Exchange organization, open a Command Prompt window from , and then run one of the following commands:

  • To prepare legacy Exchange permissions in every domain in the forest that contains the Exchange Enterprise Servers and Exchange Domain Servers groups, run:

    setup /PrepareLegacyExchangePermissions

  • To prepare legacy Exchange permissions in a specific domain, run:

    setup /PrepareLegacyExchangePermissions:

Permission required to run these commands:

  • To run this command to prepare every domain in the forest, you must be a member of the Enterprise Admins group.

  • To run this command to prepare a specific domain, you must be a member of the Exchange Organization Administrators group and you must be a member of the Domain Admins group in the domain that you will prepare.

  • If you do not specify a domain, the domain in which you run this command must be able to contact all domains in the forest.

  • After you run this command, you must wait for the permissions to replicate across your Exchange organization before continuing to the next step. If the permissions have not replicated, the Recipient Update Service on your Exchange Server 2003 or Exchange 2000 Server computers could fail. The amount of time that replication takes depends on your Active Directory site topology.

  • To track the progress of Active Directory replication, you can use the Active Directory Replication Monitor tool (replmon.exe), which is installed as part of the Microsoft Windows Server 2003 Support Tools Setup. By default, it is located at "%programfiles%\support tools\". Add your domain controllers as monitored servers so that you can track the progress of replication throughout the domain.

2. Prepare Active Directory Schema

From a Command Prompt window, run the following command:

setup /PrepareSchema

Very Important Note: You must NOT run this command in a forest in which you do not plan to run setup /PrepareAD. If you do, the forest will be configured incorrectly, and you will not be able to read some attributes on user objects. So, if you don’t follow the steps here correctly, don’t blame me :).

Notes on this command, and the permissions required to run it:

  • This command connects to the schema master and imports LDAP Data Interchange Format (LDIF) files to update the schema with Exchange 2007 specific attributes.

  • To run this command, you must be a member of the Schema Admins group and the Enterprise Admins group.

  • You must run this command on a computer that is in the same domain and the same Active Directory site as the schema master.

  • If you have not completed Step 1, setup /PrepareSchema will perform the PrepareLegacyExchangePermissions step. To complete the PrepareLegacyExchangePermissions step, the domain in which you run this command must be able to contact all domains in the forest.

  • After you run this command, you should wait for the changes to replicate across your Exchange organization before continuing to the next step. The amount of time this takes is dependent upon your Active Directory site topology.

3. Prepare Active Directory Directory Service

From a Command Prompt window, run the following command:

setup /PrepareAD [/OrganizationName: ]

What does this command do?

  • This command configures global Exchange objects in Active Directory, creates the Exchange Universal Security Groups (USGs) in the root domain, sets permissions on the Exchange configuration objects, and prepares the current domain. The global objects reside under the Exchange organization container. If no Exchange organization container exists, you must specify an organization name by using the /OrganizationName parameter. The organization container will be created with the name that you specify.

  • This command creates the Exchange 2007 Administrative Group called Exchange Administrative Group (FYDIBOHF23SPDLT). It also creates the Exchange 2007 Routing Group called Exchange Routing Group (DWBGZMFD01QNBJR).

    Very Important Notes:

    Do not move Exchange 2007 servers out of Exchange Administrative Group (FYDIBOHF23SPDLT) and do not rename Exchange Administrative Group (FYDIBOHF23SPDLT) by using a low-level directory editor. Exchange 2007 must use this administrative group for configuration data storage. We do not support moving Exchange 2007 servers out of Exchange Administrative Group (FYDIBOHF23SPDLT) or renaming of Exchange Administrative Group (FYDIBOHF23SPDLT).

    Do not move Exchange 2007 servers out of Exchange Routing Group (DWBGZMFD01QNBJR) and do not rename Exchange Routing Group (DWBGZMFD01QNBJR) by using a low-level directory editor. Exchange 2007 must use this routing group for communication with earlier versions of Exchange. We do not support moving Exchange 2007 servers out of Exchange Routing Group (DWBGZMFD01QNBJR) or renaming of Exchange Routing Group (DWBGZMFD01QNBJR).

  • This command creates the Unified Messaging Voice Originator contact in the Microsoft Exchange System Objects container of the root domain.

  • This command prepares the local domain for Exchange 2007.

  • To run this command, you must be a member of the Enterprise Admins group.

  • If you have Exchange Server 2003 servers in your organization, you must be an Exchange Full Administrator to run this command.

  • The Exchange organization name cannot contain the following characters: ~ (tilde), ` (grave accent), ! (exclamation point), @ (at sign), # (number sign), $ (dollar sign), % (percent sign), ^ (caret), & (ampersand), * (asterisk), () (parentheses), _ (underscore), + (plus sign), = (equal sign), {} (braces), [] (brackets), | (vertical bar), \ (backslash), : (colon), ; (semicolon), " (quotation mark), ' (apostrophe), <> (angle brackets), , (comma), . (period), ? (question mark), / (slash mark), or white space at the beginning or end of the name.

  • You must run this command on a computer that is in the same domain and the same Active Directory site as the Schema Master.

  • If you have not completed Step 1, setup /PrepareAD will perform the PrepareLegacyExchangePermissions step. To complete the PrepareLegacyExchangePermissions step, the domain in which you run this command must be able to contact all domains in the forest. If you are also a member of the Schema Admins group, and if you have not completed Step 2, setup /PrepareAD will perform the PrepareSchema step.

  • After you run this command, you should wait for the changes to replicate across your Exchange organization before continuing to the next step. The amount of time this takes is dependent upon your Active Directory site topology.

To verify that this step completed successfully, make sure that there is a new organizational unit (OU) in the root domain called Microsoft Exchange Security Groups. This OU should contain the following new Exchange USGs:

  • Exchange Organization Administrators
  • Exchange Recipient Administrators
  • Exchange View-Only Administrators
  • Exchange Servers
  • ExchangeLegacyInterop

When you install Exchange 2007, Setup will add the Exchange Organization Administrators USG as a member of the local Administrators group on the computer on which you are installing Exchange. Be aware that the local Administrators group on a domain controller has different permissions than the local Administrators group on a member server. If you install Exchange 2007 on a domain controller, the users who are Exchange Organization Administrators will have additional Windows permissions that they do not have if you install Exchange 2007 on a computer that is not a domain controller.

4. Prepare other specific domains (if any).

From a Command Prompt window, run one of the following commands:

  • Run setup /PrepareDomain to prepare the local domain. Note that you do not need to run this in the domain where you ran Step 3. Running setup /PrepareAD prepares the local domain.

  • Run setup /PrepareDomain: to prepare a specific domain.

  • Run setup /PrepareAllDomains to prepare all domains in your organization.

These commands perform the following tasks:

  • Sets permissions on the Domain container for the Exchange Servers, Exchange Organization Administrators, Authenticated Users, and Exchange Mailbox Administrators.

  • Creates the Microsoft Exchange System Objects container if it does not exist, and sets permissions on this container for the Exchange Servers, Exchange Organization Administrators, and Authenticated Users.

  • Creates a new domain global group in the current domain called Exchange Install Domain Servers. It also adds the Exchange Install Domain Servers group to the Exchange Servers USG in the root domain.

Note the following:

  • For domains that are in an Active Directory site other than the root domain, /PrepareDomain might fail with the following messages:

    "PrepareDomain for domain has partially completed. Because of the Active Directory site configuration, you must wait at least 15 minutes for replication to occur, and run PrepareDomain for again."

    "Active Directory operation failed on . This error is not retriable. Additional information: The specified group type is invalid.Active Directory response: 00002141: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0The server cannot handle directory requests."

    If you see these messages, wait for or force Active Directory replication between this domain and the root domain, and then run /PrepareDomain again.

  • To run setup /PrepareAllDomains you must be a member of the Enterprise Admins group.

  • To run setup /PrepareDomain, if the domain that you are preparing existed before you ran setup /PrepareAD, you must be a member of the Domain Admins group in the domain. If the domain that you are preparing was created after you ran setup /PrepareAD, you must be a member of the Exchange Organization Administrators group, and you must be a member of the Domain Admins group in the domain.

To verify that this step completed successfully, confirm the following:

  • You have a new global group in the Microsoft Exchange System Objects container called Exchange Install Domain Servers. To view the Microsoft Exchange System Objects container in Active Directory Users and Computers, on the View menu, click Advanced Features. The Exchange Install Domain Servers group is used if you install Exchange 2007 in a child domain that is in an Active Directory site other than the root domain’s site. The creation of this group allows you to avoid installation errors if group memberships have not replicated to the child domain.

  • The Exchange Install Domain Servers group is a member of the Exchange Servers USG in the root domain.

  • On each domain controller in a domain in which you will install Exchange 2007, the Exchange Servers USG has permissions on the Domain Controller Security Policy\Local Policies\User Rights Assignment\Manage Auditing and Security Log policy.
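To check the results of steps 2, 3 and 4 in one pass rather than clicking through Active Directory Users and Computers, here is a read-only PowerShell script I have added to this post (it is not part of Exchange Setup or any Microsoft tool). It uses only ADSI, so it runs on the PowerShell 1.0 that Exchange 2007 already requires, with no Exchange or AD cmdlets; it assumes you run it as a user who can read the directory, and the schema version number it mentions is the value Exchange 2007 RTM writes.

```powershell
# Added example (not from the original post): read-only checks that the
# PrepareSchema / PrepareAD / PrepareDomain steps above left the expected
# objects in Active Directory. Nothing here modifies the directory.
$rootDse  = [ADSI]"LDAP://RootDSE"
$rootNc   = [string]$rootDse.rootDomainNamingContext   # root domain of the forest
$schemaNc = [string]$rootDse.schemaNamingContext       # CN=Schema,CN=Configuration,...
$domainNc = [string]$rootDse.defaultNamingContext      # domain this machine belongs to

function Test-AdObject([string]$dn) {
    # Exists() returns $false instead of throwing when the object is absent
    return [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dn")
}

# Step 2: PrepareSchema stamps rangeUpper on ms-Exch-Schema-Version-Pt
# (Exchange 2007 RTM writes 10628; no such object means the schema was never extended)
$verDn = "CN=ms-Exch-Schema-Version-Pt,$schemaNc"
if (Test-AdObject $verDn) {
    "Exchange schema version (rangeUpper): " + ([ADSI]"LDAP://$verDn").rangeUpper
} else {
    "MISSING ms-Exch-Schema-Version-Pt - setup /PrepareSchema has not run in this forest"
}

# Step 3: PrepareAD creates the Microsoft Exchange Security Groups OU in the
# root domain, holding the five USGs listed above
$ou   = "OU=Microsoft Exchange Security Groups,$rootNc"
$usgs = "Exchange Organization Administrators", "Exchange Recipient Administrators",
        "Exchange View-Only Administrators", "Exchange Servers", "ExchangeLegacyInterop"
foreach ($g in $usgs) {
    if (Test-AdObject "CN=$g,$ou") { "OK      USG $g" } else { "MISSING USG $g" }
}

# Step 4: PrepareDomain creates Exchange Install Domain Servers in the local
# domain's Microsoft Exchange System Objects container and nests it in the
# root-domain Exchange Servers USG; a missing nesting usually means replication
# between this domain and the root domain has not finished yet
$eidsDn = "CN=Exchange Install Domain Servers,CN=Microsoft Exchange System Objects,$domainNc"
if (Test-AdObject $eidsDn) {
    $members = ([ADSI]"LDAP://CN=Exchange Servers,$ou").member
    if ($members -contains $eidsDn) {
        "OK      Exchange Install Domain Servers is a member of Exchange Servers"
    } else {
        "WARNING Exchange Install Domain Servers exists but is not in Exchange Servers yet"
    }
} else {
    "MISSING Exchange Install Domain Servers - setup /PrepareDomain has not run in $domainNc"
}
```

Run it once in the root domain and once in each child domain you prepared; the Manage Auditing and Security Log right from the last bullet is a local policy on each domain controller and is not covered by this script.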