Recipe 2.5. Preparing an Active Directory Domain for Exchange

Problem

You want to prepare an Active Directory domain for the installation of an Exchange server.

Solution

Using a graphical user interface

  1. Log in with a domain account that is a member of Domain Admins and, if you are running Setup from a member server rather than a domain controller, of that server's local Administrators group.

  2. Start Exchange Setup from the product CD.

  3. Select Exchange Deployment Tools.

  4. Select DomainPrep and click Next.

  5. Accept the license agreement and, if prompted, enter your product key.

  6. On the Component Selection page, be sure that the Action is set to DomainPrep. If it is not, select DomainPrep from the drop-down list, then click Next.

  7. Allow the process to finish.

Discussion

Like forestprep, domainprep is normally a one-time operation performed before Exchange is installed. It performs several necessary actions:

  1. It creates the Exchange Domain Servers global security group in the Users container. This security-sensitive group will eventually contain the computer accounts of all Exchange servers in the domain and is required for the Recipient Update Service (RUS) to work, because the RUS runs as a child of the System Attendant, which runs in the LocalSystem context. For the RUS to touch directory objects, this group must exist and the local machine account must be a member of it. However, adding an ordinary user account to this group gives that account full access to Exchange 2000 mailbox data. For that reason, Exchange Server 2003 adds an explicit deny ACE for this group on the Servers container. To accomplish the same thing for Exchange 2000 servers, you'll need to run the EDSLock script described in MS KB 313807.

  2. It creates the Exchange Enterprise Servers domain local security group in the Users container. This group is used to allow Exchange services to work across multiple domains within a forest.

  3. It nests Exchange Domain Servers inside Exchange Enterprise Servers.

  4. It assigns permissions to these two groups on the domain object.

  5. It creates the Microsoft Exchange System Objects container in the domain naming context.

  6. It updates the default domain controller policy for the domain so that Exchange Enterprise Servers are granted the right to manage auditing and security logs. This is necessary to allow the information store service to read system ACLs on AD objects. If you later remove this right, you'll have all sorts of problems as described in MS KB 314294.

Domainprep must be run after the forestprep operation has been completed; it relies on the schema updates and the existence of the Exchange organization container object. Domainprep does not need to be run in every domain in a forest; however, it must be run in:

  • The root domain of the forest

  • Any domain that will contain Exchange servers

  • Any domains that will contain Exchange recipients, such as users, security groups, and distribution groups

  • Any domains that will contain users and groups who will be managing Exchange servers

You must run domainprep top-down, starting with the root domain and working your way from parent to child domain. DomainPrep requires no Exchange permissions delegations; only Domain Admins and local machine administrator permissions are necessary. It can be run from any machine in the target domain.
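The Discussion above lists the objects, group nesting and user right that domainprep leaves behind, and the paragraph just above gives the parent-to-child order in which it must be run. The following PowerShell script is an added example, not code from the book or from Exchange Setup: it walks every domain in the forest root-first and reports, per domain, whether those domainprep artifacts are present, whether Exchange Domain Servers contains anything other than computer accounts (the mailbox-access risk noted in item 1), and whether Exchange Enterprise Servers holds the "Manage auditing and security log" right (SeSecurityPrivilege) in the Default Domain Controllers Policy. It assumes a domain-joined Windows host with .NET DirectoryServices, read access to each domain's Users container and SYSVOL, and that the Default Domain Controllers Policy still uses its well-known GPO GUID; the function names are the example's own.

```powershell
# Added audit script (not from the book): checks DomainPrep artifacts in each
# forest domain, root first. Assumes .NET DirectoryServices and read access to
# each domain's Users container and SYSVOL.

$ErrorActionPreference = 'Stop'

# Assumed: the well-known GUID of the Default Domain Controllers Policy GPO.
$DdcpGuid = '{6AC1786C-016F-11D2-945F-00C04FB984F9}'

function Find-AdObject {
    # Subtree LDAP search below $Root; returns the first match or $null.
    param([string]$Root, [string]$Filter, [string[]]$Attrs)
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$Root, $Filter)
    foreach ($a in $Attrs) { [void]$s.PropertiesToLoad.Add($a) }
    $s.FindOne()
}

function ConvertTo-SidString([byte[]]$Bytes) {
    (New-Object System.Security.Principal.SecurityIdentifier($Bytes, 0)).Value
}

function Get-DomainsTopDown($Domain) {
    # Parent before child: the same order in which DomainPrep must be run.
    $Domain
    foreach ($child in $Domain.Children) { Get-DomainsTopDown $child }
}

function Test-DomainPrep($Domain) {
    $dns  = $Domain.Name
    $root = "LDAP://$dns"
    $r = [ordered]@{ Domain = $dns }

    $eds = Find-AdObject $root '(&(objectCategory=group)(cn=Exchange Domain Servers))' @('member', 'objectSid', 'distinguishedName')
    $ees = Find-AdObject $root '(&(objectCategory=group)(cn=Exchange Enterprise Servers))' @('member', 'objectSid')
    $mso = Find-AdObject $root '(cn=Microsoft Exchange System Objects)' @('distinguishedName')

    $r.DomainServersGroup     = [bool]$eds
    $r.EnterpriseServersGroup = [bool]$ees
    $r.SystemObjectsContainer = [bool]$mso

    # Nesting: Exchange Domain Servers must be a member of Exchange Enterprise Servers.
    $r.Nested = $false
    if ($eds -and $ees) {
        $edsDn = [string]$eds.Properties['distinguishedname'][0]
        $r.Nested = [bool]($ees.Properties['member'] | Where-Object { $_ -eq $edsDn })
    }

    # Membership hygiene: any non-computer account in Exchange Domain Servers
    # effectively gets full access to mailbox data, so list them.
    $r.NonComputerMembers = @()
    if ($eds) {
        foreach ($m in $eds.Properties['member']) {
            $obj = [ADSI]"LDAP://$dns/$m"
            if ($obj.Properties['objectClass'] -notcontains 'computer') {
                $r.NonComputerMembers += [string]$m
            }
        }
    }

    # User right: the SID of Exchange Enterprise Servers should appear under
    # SeSecurityPrivilege in the Default Domain Controllers Policy template.
    $r.ManageAuditingRight = $false
    if ($ees) {
        $sid = ConvertTo-SidString $ees.Properties['objectsid'][0]
        $inf = "\\$dns\SYSVOL\$dns\Policies\$DdcpGuid\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
        if (Test-Path $inf) {
            $line = Get-Content $inf | Where-Object { $_ -match '^SeSecurityPrivilege\s*=' }
            $r.ManageAuditingRight = [bool]($line -and ($line -match [regex]::Escape("*$sid")))
        }
    }
    [pscustomobject]$r
}

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
# The forest root first, then any additional tree roots (domains with no parent).
$treeRoots = @($forest.RootDomain) + @($forest.Domains |
    Where-Object { $null -eq $_.Parent -and $_.Name -ne $forest.RootDomain.Name })
$treeRoots | ForEach-Object { Get-DomainsTopDown $_ } |
    ForEach-Object { Test-DomainPrep $_ } | Format-List
```

Run it from any domain-joined machine as a user who can read every domain's Users container. A domain that reports all three objects present, Nested set to True and an empty NonComputerMembers list has been prepared as the Discussion describes; a non-empty NonComputerMembers list is the case KB 313807 warns about, and ManageAuditingRight showing False is the condition that produces the failures described in KB 314294. The script only reads; it does not re-run domainprep or change group membership.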

See Also

Recipe 2.4 for preparing the forest, Recipe 2.6 for more on how to verify when forestprep and domainprep have completed, and MS KB 313807 (XADM: Enhancing the Security of Exchange 2000 for the Exchange Domain Servers Group)



Exchange Server Cookbook
Exchange Server Cookbook: For Exchange Server 2003 and Exchange 2000 Server
ISBN: 0596007175
Year: 2006
Pages: 235
