

Recipe 17.1. Preparing Active Directory for Exchange

Problem

You want to prepare your Active Directory forest and domains for installation of your first Exchange Server.

Solution

Using a graphical user interface

The first phase of the installation is called ForestPrep and needs to be run once on the Schema flexible single master operations (FSMO) domain controller:

  1. Log on to the Schema FSMO forest root domain controller with an account that has both Enterprise and Schema Admin rights.

  2. Prepare the domain controller for a schema update. See Recipe 10.2 in Active Directory Cookbook (O'Reilly).

  3. Per your corporate standards, create either a global or universal group for the initial Exchange administration delegation. Name the group in a descriptive way like ExchangeRootAdmins. See Chapter 7 in Active Directory Cookbook (O'Reilly) for assistance on creating groups.

  4. Insert the Exchange Server CD into the CD-ROM drive.

  5. On the Start menu, click Run and type:

    <driveletter>:\setup\i386\setup.exe /forestprep

    where <driveletter> is your CD-ROM's drive letter. This path may vary for certain versions of Exchange Server, such as MSDN or Select versions.

  6. On the Welcome screen, click Next.

  7. On the License Agreement screen, read through the agreement and if you agree, click I agree and click Next.

  8. If the Product Identification screen is presented, enter your Exchange Server product key and click Next.

    This screen may not appear for certain versions of Exchange Server, such as the MSDN or Select versions.


  9. On the Component Selection screen, verify that the action specified is ForestPrep and click Next.

  10. On the Server Administrator Account screen, enter the group created in step 3 and click Next.

  11. On the Completing the Microsoft Exchange Wizard screen, click Finish.

The second phase is called DomainPrep and needs to be run once for the forest root domain and once for every domain in the forest that will contain mail-enabled objects. Preferably you will run this process on every domain in the forest. Prior to starting DomainPrep, wait for the schema updates from the ForestPrep to replicate.

  1. Log on to a machine that is part of the domain with an account that is a member of the Domain Admins group.

  2. Insert the Exchange Server CD into the CD-ROM drive.

  3. On the Start menu, click Run and type:

    <driveletter>:\setup\i386\setup.exe /domainprep

    where <driveletter> is your CD-ROM's drive letter. This path may vary for certain versions of Exchange Server, such as MSDN or Select versions.

  4. On the Welcome screen, click Next.

  5. On the License Agreement screen, read through the agreement and if you agree, click I agree and click Next.

  6. If the Product Identification screen is presented, enter your Exchange Server product key and click Next.

    This screen may not appear for certain versions of Exchange Server, such as the MSDN or Select versions.


  7. On the Component Selection screen, verify that the action specified is DomainPrep and click Next.

  8. Depending on how your domain is configured for Pre-Windows 2000 Compatible Access, you may get a pop-up with a message saying "The domain '<domainname>' has been identified as an insecure domain for mail-enabled groups with hidden distribution list (DL) membership..." If you get this pop-up, click OK.

  9. On the Completing the Microsoft Exchange Wizard screen, click Finish.
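
The DomainPrep phase above should not start until the ForestPrep schema changes have replicated. The following check is an added example, not code from the book: it compares the Exchange schema version marker on each domain controller with the value on the Schema FSMO holder. The function names, the sample host names and the sample version values are hypothetical. The `ms-Exch-Schema-Version-Pt` object and its `rangeUpper` attribute are not mentioned in the recipe.

```powershell
# Added example, not from the book. Relies on the Exchange schema recording its
# version in rangeUpper of CN=ms-Exch-Schema-Version-Pt in the schema partition.

function Get-ExchangeSchemaVersion {
    param([string]$Server)
    try {
        $schemaNC = [string]([ADSI]"LDAP://$Server/RootDSE").schemaNamingContext
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot = [ADSI]"LDAP://$Server/$schemaNC"
        $searcher.Filter = '(cn=ms-Exch-Schema-Version-Pt)'
        [void]$searcher.PropertiesToLoad.Add('rangeUpper')
        $hit = $searcher.FindOne()
        if ($hit) { [int]$hit.Properties['rangeupper'][0] } else { 0 }  # 0: schema not extended here
    } catch { -1 }                                                       # -1: server not reachable
}

function Get-LaggingDc {
    # Pure comparison: every DC must report the same version as the schema master.
    param([hashtable]$VersionByDc, [string]$SchemaMaster)
    $expected = $VersionByDc[$SchemaMaster]
    foreach ($dc in ($VersionByDc.Keys | Sort-Object)) {
        if ($VersionByDc[$dc] -ne $expected) {
            [pscustomobject]@{ Server = $dc; Found = $VersionByDc[$dc]; Expected = $expected }
        }
    }
}

if ($env:USERDNSDOMAIN) {
    # Logged on to a domain: query the schema master and every DC in this domain.
    $master   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().SchemaRoleOwner.Name
    $versions = @{ $master = Get-ExchangeSchemaVersion $master }
    foreach ($dc in [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers) {
        $versions[$dc.Name] = Get-ExchangeSchemaVersion $dc.Name
    }
} else {
    # Constructed sample (hypothetical hosts and version values) for a dry run.
    $master   = 'dc1.example.test'
    $versions = @{ 'dc1.example.test' = 100; 'dc2.example.test' = 100; 'dc3.example.test' = 0 }
}
Get-LaggingDc -VersionByDc $versions -SchemaMaster $master
```

Each row returned names a domain controller whose marker differs from the schema master's, so DomainPrep should wait until the function returns nothing.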

Using a command-line interface

You cannot run ForestPrep from the command line. You can, however, run an unattended DomainPrep. You will need to create an unattended installation configuration file, which is described in Recipe 17.5. For further details on this process, see the Exchange Server 2003 Deployment Guide.

You can load the Exchange schema additions to your forest before running ForestPrep. With this method, you can import the Exchange-specific schema modifications months in advance. For details on this process, see MS KB 327757.

Discussion

Microsoft Exchange will not run in an Active Directory forest unless the forest and the domains have been properly prepared. Microsoft did not make the assumption that everyone would use Exchange and therefore did not include all of the Exchange attributes and classes in the base Active Directory schema. The ability to dynamically extend the schema for Active Directory makes it possible for only those people running Exchange to install the Exchange infrastructure.

In addition to schema changes, you have to make security changes to Active Directory and the domain policy, as well as create some basic Exchange infrastructure objects. All of this is completed in the Exchange ForestPrep and DomainPrep processes. Do not confuse these with the Windows 2003 ForestPrep and DomainPrep processes (using the adprep command); the concept is the same, but the specific changes are different.

You need to run the ForestPrep process once per forest to make the schema changes, create the Exchange organization structure in the Configuration container, and set up Exchange-specific permissions. The ForestPrep process is also responsible for the initial delegation of Exchange rights to a specific user or group for administrative control. I recommend that you create a security group in your root domain for this delegation. In a single domain forest, which will never get another domain, you could use a domain local group. In a multidomain forest, you must use a global or universal group. The group assigns rights to objects in the Configuration container. Whether you use a global or universal group is up to you; either will do the job. The ForestPrep process requires the user to be part of both the Enterprise and Schema Admins groups.

You need to run the DomainPrep process in the root domain of the forest and for every domain that will contain mail-enabled objects. Normally, you run DomainPrep on every domain in an Active Directory forest. The process creates Exchange security principals, modifies the domain security policy, creates some Exchange-specific infrastructure objects, and assigns permissions to the domain's Active Directory partition. The DomainPrep process requires the user to be a member of the Domain Admins group of the domain being prepared.

Depending on whether your domain has Pre-Windows 2000 Compatible Access enabled, you may get a scary-looking message during the DomainPrep process that tells you your domain is insecure for mail-enabled groups with hidden distribution list membership. Instead of making quick changes to your domain that could break other applications, investigate whether you need that compatibility access. If you do not need the access, by all means, lock down the Pre-Windows 2000 Compatible Access group as specified.
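
To support that investigation, the following added example (not code from the book) lists the members of the built-in Pre-Windows 2000 Compatible Access group by SID and marks the broad well-known principals for review. The function names and the sample SIDs are hypothetical, and which members actually trigger the DomainPrep message is not stated in this recipe, so treat the "broad" list as a review aid only.

```powershell
# Added example, not from the book: review the membership of the built-in
# "Pre-Windows 2000 Compatible Access" group (well-known SID S-1-5-32-554).

# Well-known principals that open the group to a very wide audience.
$BroadSids = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-5-11' = 'Authenticated Users'
}

function Get-PreW2kMemberSid {
    # Live query through ADSI; run on a domain member.
    $group = [ADSI]'LDAP://<SID=S-1-5-32-554>'
    foreach ($dn in $group.member) {
        $entry = [ADSI]"LDAP://$dn"
        (New-Object System.Security.Principal.SecurityIdentifier($entry.objectSid[0], 0)).Value
    }
}

function Get-PreW2kReview {
    # Pure classification of a list of member SIDs.
    param([string[]]$MemberSid)
    foreach ($sid in $MemberSid) {
        $isBroad = $BroadSids.ContainsKey($sid)
        $name    = if ($isBroad) { $BroadSids[$sid] } else { 'account or group' }
        $action  = if ($isBroad) { 'confirm a legacy application still needs it' } else { 'resolve the SID and confirm its owner' }
        [pscustomobject]@{ Sid = $sid; Name = $name; Broad = $isBroad; Action = $action }
    }
}

if ($env:USERDNSDOMAIN) {
    $sids = Get-PreW2kMemberSid
} else {
    # Constructed sample membership for a dry run off the domain.
    $sids = 'S-1-1-0', 'S-1-5-7', 'S-1-5-21-1111111111-2222222222-3333333333-1105'
}
Get-PreW2kReview -MemberSid $sids | Format-Table -AutoSize
```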

Just like any application, there are requirements for the installation of Exchange Server 2003. The requirements are broken into forest and machine requirements. For ForestPrep and DomainPrep, there are no machine requirements. However, the forest requirements are:

  • Domain controllers must run Windows 2000 Server Service Pack 3 or Windows Server 2003.

  • Global catalog servers must run Windows 2000 Server Service Pack 3 or Windows Server 2003. You should have at least one global catalog server per domain where you intend to install Exchange.

  • DNS and WINS must be properly configured.

Due to the depth of changes made to the overall structure of Active Directory, the ForestPrep process requires Schema and Enterprise Admin rights and the DomainPrep requires Domain Admin rights. This prevents anyone but the centralized administration group responsible for the overall Active Directory forest from initially installing Exchange into the forest.

For a more in-depth discussion of the Exchange Server 2003 deployment requirements, considerations, and the specifics of what the "prep" processes do, please see the Exchange Server 2003 Deployment Guide. This is a free download from Microsoft available at http://www.microsoft.com/downloads. Type Exchange Server 2003 Deployment Guide in the keywords and click Go.

See Also

MS KB 314649 (Windows Server 2003 adprep /forestprep Command Causes Mangled Attributes in Windows 2000 Forests That Contain Exchange 2000 Servers), MS KB 327757 (How To Extend the Active Directory Schema for Exchange Without Installing Exchange), Chapters 7 and 10 in Active Directory Cookbook (O'Reilly), and Exchange Server 2003 Deployment Guide.



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
EAN: 2147483647
Year: 2006
Pages: 380
Authors: Robbie Allen
