Preparing Active Directory for Exchange

Posted: March 27, 2010 in Active Directory, Exchange Server, Server, System Information


Problem

You want to prepare your Active Directory forest and domains for installation of your first Exchange Server.

Solution

Using a graphical user interface

The first phase of the installation is ForestPrep and it needs to be run once on the Schema FSMO domain controller.

  1. Log on to the Schema FSMO forest root domain controller with an account that has both Enterprise Admin and Schema Admin rights.
  2. Prepare the domain controller for a schema update.
  3. Per your corporate standards, create either a global or universal group for the initial Exchange administration delegation. Name the group in a descriptive way like ExchangeRootAdmins.
  4. Insert the Exchange Server CD into the CD-ROM drive.
  5. On the Start menu, click Run, and type:

         <driveletter>:\setup\i386\setup.exe /forestprep

     where <driveletter> is the drive letter of your CD-ROM drive. This path may vary for certain versions of Exchange Server such as MSDN or Select versions.

  6. On the Welcome screen, click Next.
  7. On the License Agreement screen, read through the agreement and if you agree, click “I agree” and click Next.
  8. If the Product Identification screen is presented, enter your Exchange Server product key and click Next. This screen may not appear for certain versions of Exchange Server, such as the MSDN or Select versions.
  9. On the Component Selection screen, verify that the action specified is Forest-Prep, and click Next.
  10. On the Server Administrator Account screen, enter the group created in Step 3 and click Next.
  11. On the Completing the Microsoft Exchange Wizard screen, click Finish.

The second phase is DomainPrep and it needs to be run once for the forest root domain and once for every domain in the forest that will contain mail-enabled objects. Preferably you will run this process on every domain in the forest. You will want to wait for the schema updates from the ForestPrep to replicate prior to starting DomainPrep.

  1. Log on to a machine that is part of the domain with an account that is a member of the Domain Admins group.
  2. Insert the Exchange Server CD into the CD-ROM drive.
  3. On the Start menu, click Run, and then type:

         <driveletter>:\setup\i386\setup.exe /domainprep

     where <driveletter> is the drive letter of your CD-ROM drive. This path may vary for certain versions of Exchange Server such as MSDN or Select versions.

  4. On the Welcome screen, click Next.
  5. On the License Agreement screen, read through the agreement and if you agree, click “I agree” and click Next.
  6. If presented, on the Product Identification screen, enter your Exchange Server product key and click Next. This screen may not appear for certain versions of Exchange Server, such as the MSDN or Select versions.
  7. On the Component Selection screen, verify that the action specified is Domain-Prep and click Next.
  8. Depending on how your domain is configured for Pre-Windows 2000 Compatible Access, you may get a pop-up with a message saying “The domain "<domainname>" has been identified as an insecure domain for mail-enabled groups with hidden DL membership. …” If you get this pop-up, click OK.
  9. On the Completing the Microsoft Exchange Wizard screen, click Finish.
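
One way to confirm that the ForestPrep schema updates have replicated to every domain controller before you start DomainPrep. This is an added example, not part of the original post; it assumes the Exchange schema version marker object ms-Exch-Schema-Version-Pt (not named in the post), and the host names and version values in the sample are constructed.

```powershell
# Added example (not from the original post). Assumption: ForestPrep stamps a
# version in rangeUpper on CN=ms-Exch-Schema-Version-Pt in the schema partition.

function Get-ExchangeSchemaVersion {
    # Reads the marker from one specific DC; returns $null if absent or unreachable.
    param([string]$Server, [string]$SchemaNC)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [adsi]"LDAP://$Server/CN=ms-Exch-Schema-Version-Pt,$SchemaNC"
    $searcher.SearchScope = 'Base'
    [void]$searcher.PropertiesToLoad.Add('rangeUpper')
    try {
        $hit = $searcher.FindOne()
        if ($hit -and $hit.Properties['rangeupper'].Count) {
            return [int]$hit.Properties['rangeupper'][0]
        }
    } catch { }   # no such object yet, or the DC did not answer
    return $null
}

function Test-SchemaConverged {
    # $Versions maps DC name -> version; $Master is the Schema FSMO holder.
    param([hashtable]$Versions, [string]$Master)
    $expected = $Versions[$Master]
    $lagging  = @($Versions.Keys | Where-Object { $Versions[$_] -ne $expected } | Sort-Object)
    New-Object psobject -Property @{
        Expected  = $expected
        Lagging   = $lagging
        Converged = ($null -ne $expected) -and ($lagging.Count -eq 0)
    }
}

# Constructed sample: dc3 has not received the schema update yet.
$sample = @{ 'dc1.example.com' = 6870; 'dc2.example.com' = 6870; 'dc3.example.com' = $null }
Test-SchemaConverged $sample 'dc1.example.com'

# Live use on a domain-joined host:
# $forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
# $schemaNC = [string]([adsi]'LDAP://RootDSE').schemaNamingContext
# $versions = @{}
# foreach ($d in $forest.Domains) { foreach ($dc in $d.DomainControllers) {
#     $versions[$dc.Name] = Get-ExchangeSchemaVersion $dc.Name $schemaNC } }
# Test-SchemaConverged $versions $forest.SchemaRoleOwner.Name
```

Start DomainPrep only when Converged is True; a DC listed under Lagging either has not received the update or could not be queried.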

Using a command-line interface

You cannot run ForestPrep from the command line. You can, however, run an unattended DomainPrep. You will need to create an unattended installation configuration file, which is described in “Creating Unattended Installation Files for Exchange and Exchange Service Pack Installations.” For further details on this process, see the Exchange Server 2003 Deployment Guide.

You can load the Exchange schema extensions to your forest before running ForestPrep, allowing you to import the Exchange-specific schema modifications months in advance without needing to specify an organization name as you had to do in Exchange 2000.

Discussion

Microsoft Exchange will not run in an Active Directory forest unless the forest and the domains have been properly prepared. Microsoft did not make the assumption that everyone would use Exchange and therefore did not include all of the Exchange attributes and classes in the base Active Directory schema. The ability to dynamically extend the schema for Active Directory makes it possible for only those people running Exchange to install the Exchange infrastructure.

In addition to schema changes, you have to make security changes to Active Directory and the domain policy, as well as create some basic Exchange infrastructure objects. All of this is completed in the Exchange ForestPrep and DomainPrep processes. Do not confuse these with the Windows 2003 ForestPrep and DomainPrep processes (using the adprep command); the concept is the same but the specific changes are different.

You need to run the ForestPrep process once per forest to make the schema changes, create the Exchange organization structure in the Configuration container, and set up Exchange-specific permissions. The ForestPrep process is also responsible for the initial delegation of Exchange rights to a specific user or group for administrative control. We recommend that you create a security group in your root domain for this delegation. You could use a domain local group in a single domain forest in which you will never create another domain. In a multidomain forest, you must use a global group or a universal group. The group is used to assign rights to objects in the Configuration container. Whether you use a global or universal group is up to you; either will do the job. The ForestPrep process requires the person running the process to be part of both the Enterprise Admins and Schema Admins groups.

You need to run the DomainPrep process in the root domain of the forest and for every domain that will contain mail-enabled objects. Normally, DomainPrep is run on every domain in an Active Directory forest. The process creates Exchange security principals, modifies the domain security policy, creates some Exchange-specific infrastructure objects, and assigns permissions to the domain’s Active Directory partition. The DomainPrep process requires the person running the process to be a member of the Domain Admins group of the domain being prepared.

Depending on whether your domain has Pre-Windows 2000 Compatible Access enabled, you may get a scary-looking message during the DomainPrep process that tells you your domain is insecure for mail-enabled groups with hidden distribution list membership. Instead of making quick changes to your domain that could break other applications, investigate whether you need that compatibility access. If you do not need the access, by all means lock down the Pre-Windows 2000 Compatible Access group as specified.
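
A starting point for that investigation is to list who is actually in the group. The following is an added example, not part of the original post; it classifies the group's member DNs and flags the broad well-known principals. The example.com domain and the LegacyRasSvc account are constructed sample values.

```powershell
# Added example (not from the original post): classify the members of the
# built-in "Pre-Windows 2000 Compatible Access" group.
$WellKnownSid = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-5-11' = 'Authenticated Users'
}

function Get-CompatAccessMember {
    param([string[]]$MemberDN)
    foreach ($dn in $MemberDN) {
        $name  = $dn
        $broad = $false
        # Well-known principals are stored as CN=<SID>,CN=ForeignSecurityPrincipals,...
        if ($dn -match '^CN=(S-1-[0-9-]+),CN=ForeignSecurityPrincipals,') {
            $sid = $Matches[1]
            if ($WellKnownSid.ContainsKey($sid)) {
                $name  = $WellKnownSid[$sid]
                $broad = $true   # membership covers a large, loosely defined population
            }
        }
        New-Object psobject -Property @{
            Member         = $name
            BroadPrincipal = $broad
            DN             = $dn
        }
    }
}

# Constructed sample input (placeholder domain and account name).
$sample = @(
    'CN=S-1-1-0,CN=ForeignSecurityPrincipals,DC=example,DC=com',
    'CN=S-1-5-7,CN=ForeignSecurityPrincipals,DC=example,DC=com',
    'CN=LegacyRasSvc,CN=Users,DC=example,DC=com'
)
Get-CompatAccessMember $sample | Format-Table Member, BroadPrincipal, DN -AutoSize

# Live use on a domain-joined host:
# $nc = [string]([adsi]'LDAP://RootDSE').defaultNamingContext
# Get-CompatAccessMember ([adsi]"LDAP://CN=Pre-Windows 2000 Compatible Access,CN=Builtin,$nc").member
```

Rows with BroadPrincipal set to True are the ones to weigh against the applications that still depend on the compatibility access; named accounts such as the sample service account point to a specific dependency to track down before removing anything.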

Just like any application, there are requirements for the installation of Exchange Server 2003. The requirements are split into forest requirements and machine requirements.

For ForestPrep and DomainPrep, there are no machine requirements. However, the requirements for the forest are:

  • Domain controllers must be running Windows 2000 Server Service Pack 3 or Windows Server 2003.
  • Global catalog servers must be running Windows 2000 Server Service Pack 3 or Windows Server 2003. You should have at least one global catalog server per site that you intend to install Exchange into.
  • DNS and NetBIOS name resolution (typically using WINS) must be properly configured.

Due to the depth of changes made to the overall structure of Active Directory, the ForestPrep process requires Schema Admin and Enterprise Admin rights and the DomainPrep requires Domain Admin rights. This prevents anyone but the centralized administration group responsible for the overall Active Directory forest from initially installing Exchange into the forest.

For a more in-depth discussion of the Exchange Server 2003 deployment requirements, considerations, and the specifics of what the preparation processes do, please see the Exchange Server 2003 Deployment Guide. This is a free download from Microsoft and can be obtained by going to http://www.microsoft.com/exchange/library. You should also review the Exchange Server 2003 Deployment Tools and the Exchange Best Practices Analyzer, available from the same site.
