

Problem

You want to install the first Exchange Server of an Exchange organization.

Solution

Using a graphical user interface

  1. Install and configure prerequisite services. See the “Discussion” section for more on these services.
  2. Log on to a server that is a member of an Exchange-enabled domain with an account that is a member of the delegated group. This account should also be a local administrator of the server.
  3. Go to the Windows Update site and install any critical security patches, or use your organization’s existing patch management solution such as WSUS. To reach Windows Update, click Start > All Programs > Windows Update.
  4. Insert the Exchange Server CD into the CD-ROM drive.
  5. On the Start menu, click Run, type <driveletter>:\setup\i386\setup.exe, and click OK. <driveletter> is the drive letter of your CD-ROM drive. The path to setup.exe may vary for certain versions of Exchange Server such as MSDN or Select versions.
  6. On the Welcome screen, click Next.
  7. On the License Agreement screen, read through the agreement and if you agree, click “I agree” and click Next.
  8. If presented, on the Product Identification screen, enter your Exchange Server product key and click Next.
     This screen may not appear for certain versions of Exchange Server, such as the MSDN or Select versions.
  9. On the Component Selection screen in the Action column, verify that the action selected is Typical. Verify the install path is correct for your installation and click Next. It is a common practice to load Exchange onto a drive other than the system drive.
  10. On the Installation Type screen, verify Create a new Exchange Organization is selected, and click Next.
  11. On the Organization Name screen, enter the name you want for your Exchange organization, and click Next. You can leave the default name of “First Organization” or name it something specific to your installation (e.g., “RALLENCORP-MAIL”).
  12. On the License Agreement screen, select “I agree” and then click Next.
  13. Review the Installation Summary screen and click Next.
  14. On the Completing the Microsoft Exchange Wizard screen, click Finish.
  15. Stop and disable the NNTP service unless you specifically wish to use newsfeeds within your Messaging environment.
  16. Download and install the latest Exchange 2003 service pack. (As of the time of this writing it is Service Pack 2.)
  17. Download and run the Exchange Best Practices Analyzer to determine its compliance with security and performance best practices.

Using a command-line interface

You cannot install the first Exchange Server of the Organization via the command line. However, you can install subsequent Exchange servers using an unattended installation.

Discussion

The first Exchange server you install is special. In addition to installing the Exchange Server software on the server, the process also creates Active Directory objects in the Configuration container for the Exchange organization. As such, the install is slightly different from any other Exchange Server installation you will do in the forest. The difference is in Steps 10 and 11, which will not be present for any other Exchange Server installations within the Exchange organization. In these steps you will choose whether you want to create a new Exchange organization or join an existing Exchange 5.5 organization. The considerable additional work involved in joining an existing Exchange 5.5 organization is outside the scope of this chapter.


Problem

You want to prepare your Active Directory forest and domains for installation of your first Exchange Server.

Solution

Using a graphical user interface

The first phase of the installation is ForestPrep and it needs to be run once on the Schema FSMO domain controller.

  1. Log on to the Schema FSMO forest root domain controller with an account that has both Enterprise Admin and Schema Admin rights.
  2. Prepare the domain controller for a schema update.
  3. Per your corporate standards, create either a global or universal group for the initial Exchange administration delegation. Name the group in a descriptive way like ExchangeRootAdmins.
  4. Insert the Exchange Server CD into the CD-ROM.
  5. On the Start menu, click Run, and type:

         <driveletter>:\setup\i386\setup.exe /forestprep

     where <driveletter> is the drive letter of your CD-ROM drive. This path may vary for certain versions of Exchange Server such as MSDN or Select versions.
  6. On the Welcome screen, click Next.
  7. On the License Agreement screen, read through the agreement and if you agree, click “I agree” and click Next.
  8. If the Product Identification screen is presented, enter your Exchange Server product key and click Next.
     This screen may not appear for certain versions of Exchange Server, such as the MSDN or Select versions.
  9. On the Component Selection screen, verify that the action specified is Forest-Prep, and click Next.
  10. On the Server Administrator Account screen, enter the group created in Step 3 and click Next.
  11. On the Completing the Microsoft Exchange Wizard screen, click Finish.

The second phase is DomainPrep and it needs to be run once for the forest root domain and once for every domain in the forest that will contain mail-enabled objects. Preferably you will run this process on every domain in the forest. You will want to wait for the schema updates from the ForestPrep to replicate prior to starting DomainPrep.

  1. Log on to a machine that is part of the domain with an account that is a member of the Domain Admins group.
  2. Insert the Exchange Server CD into the CD-ROM drive.
  3. On the Start menu, click Run, and then type:

         <driveletter>:\setup\i386\setup.exe /domainprep

     where <driveletter> is the drive letter of your CD-ROM drive. This path may vary for certain versions of Exchange Server such as MSDN or Select versions.
  4. On the Welcome screen, click Next.
  5. On the License Agreement screen, read through the agreement and if you agree, click “I agree” and click Next.
  6. If presented, on the Product Identification screen, enter your Exchange Server product key and click Next.
     This screen may not appear for certain versions of Exchange Server, such as the MSDN or Select versions.
  7. On the Component Selection screen, verify that the action specified is Domain-Prep and click Next.
  8. Depending on how your domain is configured for Pre-Windows 2000 Compatible Access, you may get a pop-up with a message saying “The domain “<domainname>” has been identified as an insecure domain for mail-enabled groups with hidden DL membership. …” If you get this pop-up, click OK.
  9. On the Completing the Microsoft Exchange Wizard screen, click Finish.

Using a command-line interface

You cannot run ForestPrep from the command line. You can, however, run an unattended DomainPrep. You will need to create an unattended installation configuration file, which is described in “Creating Unattended Installation Files for Exchange and Exchange Service Pack Installations.” For further details on this process, see the Exchange Server 2003 Deployment Guide.

You can load the Exchange schema extensions to your forest before running ForestPrep, allowing you to import the Exchange-specific schema modifications months in advance without needing to specify an organization name as you had to do in Exchange 2000.

Discussion

Microsoft Exchange will not run in an Active Directory forest unless the forest and the domains have been properly prepared. Microsoft did not make the assumption that everyone would use Exchange and therefore did not include all of the Exchange attributes and classes in the base Active Directory schema. The ability to dynamically extend the schema for Active Directory makes it possible for only those people running Exchange to install the Exchange infrastructure.

In addition to schema changes, you have to make security changes to Active Directory and the domain policy, as well as create some basic Exchange infrastructure objects. All of this is completed in the Exchange ForestPrep and DomainPrep processes. Do not confuse these with the Windows 2003 ForestPrep and DomainPrep processes (using the adprep command); the concept is the same but the specific changes are different.

You need to run the ForestPrep process once per forest to make the schema changes, create the Exchange organization structure in the Configuration container, and set up Exchange-specific permissions. The ForestPrep process is also responsible for the initial delegation of Exchange rights to a specific user or group for administrative control. We recommend that you create a security group in your root domain for this delegation. You could use a domain local group in a single domain forest in which you will never create another domain. In a multidomain forest, you must use a global group or a universal group. The group is used to assign rights to objects in the Configuration container. Whether you use a global or universal group is up to you; either will do the job. The ForestPrep process requires the person running the process to be part of both the Enterprise Admins and Schema Admins groups.

You need to run the DomainPrep process in the root domain of the forest and for every domain that will contain mail-enabled objects. Normally, DomainPrep is run on every domain in an Active Directory forest. The process creates Exchange security principals, modifies the domain security policy, creates some Exchange specific infrastructure objects, and assigns permissions to the domain’s Active Directory partition. The DomainPrep process requires the person running the process to be a member of the Domain Admins group of the domain being prepared.

Depending on whether your domain has Pre-Windows 2000 Compatible Access enabled, you may get a scary looking message during the DomainPrep process that tells you your domain is insecure for mail-enabled groups with hidden distribution list membership. Instead of making quick changes to your domain that could break other applications, investigate whether you need that compatibility access. If you do not need the access, by all means lock down the Pre-Windows 2000 Compatible Access group as specified.
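One way to carry out that investigation before changing anything is to list which broad well-known principals are members of the group. This is an added example, not part of the original text; it assumes PowerShell on a domain-joined machine and the English group name, and the set of SIDs it flags and the function names are choices made for this example.

```powershell
# Well-known SIDs treated as "broad" here; the set is chosen for this
# example and is not taken from the DomainPrep message.
$BroadSids = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-5-11' = 'Authenticated Users'
}

# Hypothetical helper: return the broad principals found in a list of
# member distinguished names.
function Find-BroadMember {
    param([string[]]$MemberDn)
    foreach ($dn in $MemberDn) {
        # Well-known principals are stored as
        # CN=<SID>,CN=ForeignSecurityPrincipals,<domain DN>
        if ($dn -match '^CN=(S-1-[0-9-]+),CN=ForeignSecurityPrincipals,') {
            $sid = $Matches[1]
            if ($BroadSids.ContainsKey($sid)) {
                New-Object psobject -Property @{ Sid = $sid; Name = $BroadSids[$sid] }
            }
        }
    }
}

# Hypothetical helper: read the group's member attribute over LDAP.
# Assumes the English group name under CN=Builtin of the current domain.
function Get-PreWin2000Member {
    [string]$nc = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    $group = [ADSI]"LDAP://CN=Pre-Windows 2000 Compatible Access,CN=Builtin,$nc"
    @($group.member)
}

# Constructed sample membership (example.com is a placeholder domain).
$sample = @(
    'CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=example,DC=com',
    'CN=S-1-1-0,CN=ForeignSecurityPrincipals,DC=example,DC=com',
    'CN=LegacyApp,CN=Users,DC=example,DC=com'
)
Find-BroadMember -MemberDn $sample

# Against the live domain:
# Find-BroadMember -MemberDn (Get-PreWin2000Member)
```

Any account or application that appears in the group alongside these principals is a candidate for the compatibility review described above.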

Just like any application, there are requirements for the installation of Exchange Server 2003. The requirements are split into forest requirements and machine requirements.

For ForestPrep and DomainPrep, there are no machine requirements. However, the requirements for the forest are:

  • Domain controllers must be running Windows 2000 Server Service Pack 3 or Windows Server 2003.
  • Global catalog servers must be running Windows 2000 Server Service Pack 3 or Windows Server 2003. You should have at least one global catalog server per site that you intend to install Exchange into.
  • DNS and NetBIOS name resolution (typically using WINS) must be properly configured.

Due to the depth of changes made to the overall structure of Active Directory, the ForestPrep process requires Schema Admin and Enterprise Admin rights and the DomainPrep requires Domain Admin rights. This prevents anyone but the centralized administration group responsible for the overall Active Directory forest from initially installing Exchange into the forest.

For a more in-depth discussion of the Exchange Server 2003 deployment requirements, considerations, and the specifics of what the preparation processes do, please see the Exchange Server 2003 Deployment Guide. This is a free download from Microsoft and can be obtained by going to http://www.microsoft.com/exchange/library. You should also review the Exchange Server 2003 Deployment Tools and the Exchange Best Practices Analyzer, available from the same site.

Managing Exchange is a little different from managing most other Microsoft applications. The computer where you run the tools or scripts must be a member of a domain in the forest where the Exchange organization resides. This is true whether you are using a script or the GUI. Exchange doesn’t allow you to select other organizations to manage. This can be troublesome for someone managing multiple Exchange organizations or a mobile worker who moves between sites or companies and likes to run her workstation in workgroup mode instead of being a member of any specific domain.

Permissions are very important and often misunderstood in Exchange. Permissions can be set up very simply or in a very complicated way; it is tough to find a middle ground. The simplest method is to give your Exchange administrators Domain Admin access. This is pretty standard in small companies where the Exchange admins are doing all aspects of administration. But this practice is usually unacceptable in larger companies where separation of duties and more security is required.

Exchange Server has several software prerequisites that must be installed prior to its installation. You must have these prerequisites in place prior to installing Exchange or Exchange will refuse to install. The prerequisites vary by operating system.

Windows 2000 SP3+ prerequisites:

  • Windows Server 2003 Administration Tools Pack (adminpak.msi)
  • Internet Information Services (IIS)
  • World Wide Web (WWW) Publishing Service
  • Simple Mail Transfer Protocol (SMTP) Service
  • Network News Transfer Protocol (NNTP) Service

Windows Server 2003 requires the Windows 2000 prerequisites plus:

  • .NET Framework
  • ASP.NET