Recipe 3.9. Checking Which Account or Group Has Been Assigned Permissions During ForestPrep

Problem

Exchange ForestPrep was run at the time that the AD forest was first implemented, and you now need to know which account or group has been granted Exchange Full Administrator permissions.

Solution

Using a graphical user interface
Using a command-line interface

Find the Exchange organization name using the following command:

> dsquery * "CN=Microsoft Exchange,CN=Services,CN=Configuration,<ForestDN>" -scope subtree -filter "(objectclass=msExchOrganizationContainer)"

For example, this will produce the organization name for the robichaux.net domain:

> dsquery * "CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=robichaux,DC=net" -scope subtree -filter "(objectclass=msExchOrganizationContainer)"

This query will return a distinguished name that you can use as the target for the dsacls.exe utility. For Exchange 2000, this will be the friendly organization name; for Exchange Server 2003, it may be a GUID. Use the returned DN in a dsacls query:

> dsacls "CN=<orgName>,CN=Microsoft Exchange,CN=Services,CN=Configuration,<ForestDN>"

For example:

> dsacls "CN={335A1087-5131-4D45-BE3E-3C6C7F76F5EC},CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=robichaux,DC=net"

The output from dsacls will show the permissions on the object. Look for the same account or group as suggested in the GUI solution.

Discussion

Many larger organizations tend to run Exchange ForestPrep at the time the AD forest is implemented. They do this to avoid the replication impact caused by running ForestPrep in a fully populated, live AD infrastructure. This may precede the installation of the first Exchange Server 2003 server by some time, and it may not be well documented.

At the time Exchange ForestPrep is run, the setup program prompts for an account (or group) name. This account or group is then given Exchange Full Administrator permissions. When you want to install the first Exchange server, you may need to check, and optionally change, which account or group has been assigned these permissions.

The reason Exchange Server 2003 ForestPrep stamps a GUID instead of an organization name is quite sensible.
It gives you more flexibility to change your mind about the name in the time between running ForestPrep and installing the first Exchange Server 2003 server. The Exchange 2000 ForestPrep would assign an organization name as one of its tasks, making it necessary to run setup with the /removeorg option if you subsequently wanted to change the organization name.

See Also

MS KB 312371 (HOW TO: Prepare the Forest by Using ForestPrep in Exchange 2000 Server)
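
The two command-line steps above (find the msExchOrganizationContainer object, then read its ACL) can be run as a single audit script. The following PowerShell is an added example, not part of the original recipe; it assumes a domain-joined machine and an account that can read the configuration partition, and it reads the forest DN from RootDSE instead of requiring <ForestDN> to be typed.

```powershell
# Added example: locate the Exchange organization container and list its ACL.
# Assumption: run on a domain-joined host with read access to the
# configuration partition. Variable names are illustrative.

# Read the configuration naming context from RootDSE (replaces <ForestDN>).
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = [string]$rootDse.configurationNamingContext
$baseDN   = "CN=Microsoft Exchange,CN=Services,$configNC"

# Same search as the dsquery step: subtree scope, organization container class.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://$baseDN"
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
$searcher.Filter      = '(objectClass=msExchOrganizationContainer)'

$results = $searcher.FindAll()
if ($results.Count -eq 0) {
    Write-Warning "No msExchOrganizationContainer found under $baseDN"
    return
}

foreach ($result in $results) {
    # For Exchange Server 2003 the CN in this path may be a GUID, as noted above.
    Write-Host "Organization container: $($result.Path)"

    # Equivalent of the dsacls step: every ACE, with trustees resolved to
    # account names where possible. Explicit entries sort before inherited ones.
    $org   = $result.GetDirectoryEntry()
    $rules = $org.psbase.ObjectSecurity.GetAccessRules(
        $true,   # include explicit ACEs
        $true,   # include inherited ACEs
        [System.Security.Principal.NTAccount])

    $rules |
        Sort-Object IsInherited, { $_.IdentityReference.Value } |
        Format-Table IdentityReference, AccessControlType,
                     ActiveDirectoryRights, IsInherited -AutoSize
}
$results.Dispose()
```

Saving the table output at ForestPrep time gives a documented baseline to compare against when the first Exchange server is eventually installed.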