Recipe2.4.Preparing an Active Directory Forest for Exchange

Recipe 2.4. Preparing an Active Directory Forest for Exchange

Problem

You want to prepare an Active Directory forest for the installation of Exchange. You must do this even if you have an existing Exchange 2000 organization and are preparing to install your first Exchange Server 2003 server.

Solution

Using a graphical user interface for Exchange 2000

Log in with a domain account that is a member of the Schema Admins and Enterprise Admins group (and has local machine administrative rights, if running forestprep from a member server).
Start Exchange Setup from the product CD.
Select Exchange Server Setup from the initial splash screen.
Accept the license agreement and click Next.
Select ForestPrep.
If prompted, enter your 25-character product key. Note that you won't see this screen in Setupeverif you're installing an evaluation version or a version that contains a Microsoft Volume Licensing key, which is common at large organizations that have volume license agreements in place.
On the Component Selection page, be sure that the Action is set to ForestPrep. If it is not, select ForestPrep from the drop-down list and click Next.
In the Installation Type page, make sure that the Create a New Exchange Organization radio button is selected, then click Next.
In the Organization Name page, name your Exchange organization and select the account or security group within your organization that will be used as the first account granted Exchange administrative privileges. You should create a separate security group for this purpose before you reach this step. Don't use the built-in administrator account. Click Next.
On the Component Summary page, click OK.
Allow the process to finish; it may take a while depending on the particulars of your network topology and domain controllers. Do not interrupt it.

When installing Exchange 2000, you can also use the /schemaonly switch for Exchange setup; that forces the schema changes but skips the other ForestPrep steps.

Using a graphical user interface for Exchange Server 2003

Log in with a domain account that is a member of the Schema Admins and Enterprise Admins group.
Start Exchange Setup from the product CD.
Select Exchange Deployment Tools.
Select ForestPrep.
Accept the license agreement, then (if prompted) enter your product key.
On the Component Selection page, be sure that the Action is set to ForestPrep. If it is not, select ForestPrep from the drop-down list and click Next.
On the Administrator Account page, provide the name of the account or security group within your organization that will be used as the first account granted Exchange administrative privileges, then click Next. You should create a separate security group for this purpose before you reach this step. Don't use the built-in administrator account.
On the Component Summary page, click OK.
Allow the process to finish; it may take a while depending on the particulars of your network topology and domain controllers. Do not interrupt it.

Using a command-line interface with Exchange 2000 or Exchange Server 2003

Log in with a domain account that is a member of the Schema Admins and Enterprise Admins group.
Create a new temporary folder on your local hard drive.
Insert the Exchange CD-ROM and navigate to the \SETUP\I386\EXCHANGE directory.
Copy the 10 LDIF schema files (named schema0.ldf through schema9.ldf) from this directory to your temporary folder:
```
> copy schema?.ldf  c:\schema-temp 
```
Change to your temporary folder and concatenate all ten schema files together into one big file:
```
> copy *.ldf  exchangeschema.ldf 
```
Use the ldifde command to import the schema changes into Active Directory, while replacing the <SchemaContainerDN> placeholder in with your actual schema container distinguished name (DN):
```
 > ldifde -I -f exchangeschema.ldf -c <SchemaContainerDN> cn=Schema, cn=Configuration,dc=<domain>,dc=<tld> -s <SchemaMasterFSMOservername>
```
At some later date, you will still need to perform a forestprep. Exchange Setup will at that time recognize the schema has already been updated and skip that task.

Discussion

ForestPrep does several things:

It creates an Exchange organization object (/o=organization name) in the forest-wide configuration naming context (NC) in Active Directory (CN=First Organization, CN=Microsoft Exchange, CN=Services, CN=Configuration, DC=<domain>, DC=<tld>). In Exchange 2000, this organization object is immediately given the name you specify during setup; in Exchange Server 2003, the forestprep operation gives the organization object a temporary name (it's actually a globally unique ID, or GUID) that is replaced when you install the first server. The temporary GUID of the placeholder object is {335A1087-5131-4D45-BE3E-3C6C7F76F5EC}.
It grants Exchange Full Administrator permissions on the Exchange organization object to whatever account or group you specified during step 7 of the GUI instructions above. The account or security group you name will be able to maintain all Exchange servers throughout the Active Directory forest, as well as delegate other full administrators. Choose this entity carefully. Since this group performs functionality at a forest-wide level, it needs to be a global security group. This gives the most functionality in the future, as individuals can be added or removed from this group as Exchange administration tasks require.
It extends the schema.
It turns off Outlook Mobile Access (OMA) for all users in the forest by setting the default value of the msExchOmaAdminWirelessEnable attribute on the user account to 0.

When you run forestprep against an Exchange 2000 organization to get it ready for Exchange Server 2003, an additional change takes place: the Create top level public folder permission on the Exchange organization container is removed for the Everyone and Anonymous Logon groups. No other permissions are changed.

It is much easier to allow forestprep to perform the schema upgrade along with its other tasks. However, because schema upgrades must replicate to all domain controllers in a forest, you may want to perform the schema update at some time when the replication traffic won't be a problem. In fact, the best time to update the schema in a newly created AD forest is before you install any additional DCs, since in that case no inter-server replication is required. If you need to upgrade the schema without creating the Exchange organization object, you can use the manual procedure outlined above. If your domain controllers are still running Windows 2000, you will need to modify the registry on the domain controller that holds the Schema Master FSMO role before you can perform the schema modifications (as described in MS KB 216060). This step is not necessary on Windows 2003 domain controllers.

Because forestprep needs to contact the schema master, it needs to be run in the domain where the schema master resides; this will be the first domain controller installed in the root domain of the forest, unless you have moved the role to another domain controller. When possible, you should run forestprep on the schema master computer itself; this provides a significant speed boost because all of the schema updates can be written directly to the local disk.

The impact of Active Directory replication after forestprep is more severe in Windows 2000 Active Directory than in Windows 2003 because in Windows 2000, any change to the partial attribute set (PAS) stored on global catalog servers results in a full synchronization of all global catalog servers. Windows Server 2003 global catalog servers only replicate attributes that have changed, so the impact of the global catalog updates is lessened.

The account you use to run forestprep needs to be a member of both the Enterprise Admins and Schema Admins built-in groups. The schema changes made by Exchange Server 2003 are a superset of the changes made by Exchange 2000, so it is necessary to run the Exchange Server 2003 ForestPrep in your existing Exchange 2000 organization before installing your first Exchange Server 2003 server.