In some large organizations, you may find it
necessary to prepare your Active Directory prior to installing Exchange
Server 2010. You may need to do this for a number of reasons. Remember
that the various steps to prepare the forest require membership in the
Schema Admins and Enterprise Admins groups as well as Domain Admins
membership in each of the forest's domains.
In a small or medium-sized business, you may be the
person with whom the proverbial buck stops. You may have a user account
that has all of these permissions, and you can run everything easily by
yourself. In that case, simply log on as a user with the necessary
permissions and run Setup.
However, large organizations are a bit different. Here are a few points you should consider:
Large organizations may have configuration
control and change management in place. Configuration management and
change control are best practices that should be followed. You may need
to document the steps that you will take, request permissions to
proceed, and schedule the forest preparation.
Large Active Directories may have many Active Directory sites and domain controllers.
Organizations
that are distributed across large geographic areas may have replication
delays on their domain controllers of anywhere from 15 minutes to seven
days. Replication of schema and domain changes may need to be completed
prior to proceeding with Exchange server installations.
Permissions
to update the schema, configuration partition, and child domains are
sometimes spread across a number of different individuals or
departments. You may need to have another administrator log in for you
to run various preparation steps.
If you have to prepare the Active Directory forest
ahead of time, there are a few steps you will need to take. The number
of steps will vary depending on the following factors:
Whether or not you have a previous version of Exchange Server running
The number of domains that you have in your forest
The permissions you have within the forest root domain and the child domains
Before running any of the Active Directory preparation steps, make sure that the machine from which you are running the setup.exe
program is in the same Active Directory site as the Schema Master and
has good connectivity to the Schema Master as well as a domain
controller from each domain within the forest. The Windows 2008 R2 or
SP2 server must meet all of the Exchange Server 2010 prerequisites.
Further, ensure that you have installed the Active Directory management
tools on your Windows 2008 SP2 or R2 server by running ServerManagerCmd -I RSAT-ADDS.
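The prerequisites above (group memberships and Schema Master site placement) can be checked before Setup is started. The following PowerShell script is an added example, not part of the Exchange setup files or the original text; it assumes you are logged on with a domain account and that .NET's System.DirectoryServices classes are available.

```powershell
# Added pre-flight check; not part of Exchange setup. Run from an elevated prompt:
# under UAC a non-elevated token holds admin groups as deny-only and IsInRole returns $false.
$forest    = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

# The forest root domain SID is stored as a byte array in objectSid on the domain head object.
$rootBytes = $forest.RootDomain.GetDirectoryEntry().psbase.Properties['objectSid'].Value
$rootSid   = (New-Object System.Security.Principal.SecurityIdentifier($rootBytes, 0)).Value
$logonSid  = $identity.User.AccountDomainSid.Value   # assumes a domain account

# Well-known RIDs: 518 = Schema Admins, 519 = Enterprise Admins, 512 = Domain Admins.
# Domain Admins is checked for the logon domain only; other domains may need
# their own administrator to run the per-domain steps, as the text notes.
$checks = @(
    @{ Name = 'Schema Admins (forest root)';     Sid = "$rootSid-518" },
    @{ Name = 'Enterprise Admins (forest root)'; Sid = "$rootSid-519" },
    @{ Name = 'Domain Admins (logon domain)';    Sid = "$logonSid-512" }
)

$report = foreach ($c in $checks) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($c.Sid)
    New-Object PSObject -Property @{ Check = $c.Name; Passed = $principal.IsInRole($sid) }
}

# The setup machine must be in the same Active Directory site as the Schema Master.
$master    = $forest.SchemaRoleOwner
$localSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
$report += New-Object PSObject -Property @{
    Check  = "Same site as Schema Master $($master.Name) (site $($master.SiteName))"
    Passed = ($master.SiteName -eq $localSite)
}

$report | Format-Table Check, Passed -AutoSize
if ($report | Where-Object { -not $_.Passed }) {
    Write-Warning 'One or more prerequisites failed; resolve them before running Setup.'
}
```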
1. Existing Exchange Organizations
If you have any Exchange 2003 servers in your
organization, you must first prepare each domain so that Exchange
Server 2010 can properly communicate with Exchange 2003 and so that
Exchange 2003 can access certain newly created attribute sets in Active
Directory. This must be done for each domain that has Exchange 2003
servers or that was prepared for Exchange 2003. You can determine this
by searching the domain for the Exchange Domain Servers or Exchange
Enterprise Servers groups.
The process of preparing the legacy Exchange
permissions gives the Exchange Enterprise Servers and Exchange Domain
Servers groups read and write permissions to the attributes in the
Active Directory Exchange-Information property set. It also provides authenticated users with the ability to read information in the Exchange-Information property set.
To prepare a specific domain, use an account that is
a member of that domain's Domain Admins group. For example, to
configure the legacy Exchange permissions for the domain somorita.local from the Exchange installation files folder, run the following command:
setup.com /PrepareLegacyExchangePermissions:somorita.local
If you are logged on with an account that is a member of the Enterprise Admins group, you can run setup.com once and prepare all the domains in the forest by running this command:
setup.com /PrepareLegacyExchangePermissions
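To find which domains need this step, you can search every domain in the forest for the two legacy groups named above. This PowerShell script is an added example, not from the original text; it assumes the groups still carry their default names as sAMAccountName and that the account running it can read each domain.

```powershell
# Added example: list the domains that contain the legacy Exchange 2003 groups
# and therefore need /PrepareLegacyExchangePermissions.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Assumption: the groups kept their default names.
$filter = '(&(objectCategory=group)(|' +
          '(sAMAccountName=Exchange Domain Servers)' +
          '(sAMAccountName=Exchange Enterprise Servers)))'

$findings = foreach ($domain in $forest.Domains) {
    try {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain.GetDirectoryEntry())
        $searcher.Filter      = $filter
        $searcher.SearchScope = 'Subtree'
        [void]$searcher.PropertiesToLoad.Add('sAMAccountName')

        # Attribute names in a SearchResult are keyed in lowercase.
        $found = @($searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] })
        $state = if ($found.Count -gt 0) { 'Needs preparation' } else { 'No legacy groups' }
    } catch {
        # An unreachable domain must not be mistaken for a clean one.
        $found = @()
        $state = "Could not query: $($_.Exception.Message)"
    }
    New-Object PSObject -Property @{
        Domain       = $domain.Name
        LegacyGroups = ($found -join ', ')
        State        = $state
    }
}

$findings | Format-Table Domain, State, LegacyGroups -AutoSize

# Print the per-domain command from the text for each domain that needs it.
$findings | Where-Object { $_.State -eq 'Needs preparation' } | ForEach-Object {
    "setup.com /PrepareLegacyExchangePermissions:$($_.Domain)"
}
```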
2. Preparing the Schema
Next is the step that usually scares Active
Directory administrators the most: extending the Active Directory
schema. Essentially the schema is the set of rules that define the
structure (the objects and the attributes of those objects) for Active
Directory. This operation requires the user account running this
operation to have both Enterprise Admins and Schema Admins group
memberships.
This scares Active Directory administrators for a
couple of reasons. First, schema changes cannot be undone. Ever.
Second, once the schema changes are made, they replicate to every
domain controller in the entire forest.
Naturally, schema changes are not made to an Active
Directory forest very often. When schema changes are performed,
the Active Directory administrators often want to know exactly what is
being changed. This is a bit more difficult to document for Exchange
due to the sheer number of changes. The number of changes will depend
on whether you are running any previous version of Exchange and which
particular version. An Active Directory that has never been prepped for
Exchange will have more than 3,000 changes made to the schema,
including new classes (object types), new attributes, new attributes
being flagged for the global catalog replication, and existing
attributes being flagged to replicate to the global catalog. If you
want to point your Active Directory administrators to a specific list
of changes, this document is helpful:
www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=3d44de93-3f21-44d0-a0a1-35ff5dbabd0b
If you, or your Active Directory administrators, are curious about what is being changed, take a look at the LDF files in the \Setup\Data
folder within the Exchange 2010 setup files. For the most part, you
probably don't have to worry about this unless you have done something
nonstandard with your Active Directory, such as defining your own
classes or attributes without giving them unique names and unique
object identifiers.
To extend the schema effectively, the server from
which you are running the schema preparation must be in the same Active
Directory site as the Schema Master domain controller. You can locate
the schema master domain controller using the Schema Management
console; the console is not available by default, so you first must
register it. At the command prompt, type regsvr32.exe schmmgmt.dll; you will see a message indicating that the schmmgmt.dll registration succeeded.
Then you can run the management console program (mmc.exe) and add the Active Directory Schema snap-in. This snap-in will not appear unless the schmmgmt.dll
registered properly. Once you have the Active Directory Schema console
open, right-click on Active Directory Schema and choose Operations
Master. The Change Schema Master dialog (shown in Figure 1) will show you which server currently holds the Schema Master role.
To extend the schema, run the following command from within the Exchange 2010 setup folder:
Setup.com /PrepareSchema
Note that this can take between 15 and 30 minutes
depending on the speed of the computer on which you are running Setup,
the speed of the Schema Master domain controller, and the network
connection between the computers. If Setup detects that the forest has
Exchange 2003, it will automatically perform the /PrepareLegacyExchangePermissions step if it has not already been done.
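Because schema changes must replicate to every domain controller before Exchange servers are installed, it is worth confirming that replication has finished. The PowerShell script below is an added example, not from the original text. It relies on the rangeUpper attribute of the ms-Exch-Schema-Version-Pt schema object, which the text does not mention, and compares each domain controller's value with the Schema Master's instead of assuming a particular version number.

```powershell
# Added example: confirm the Exchange schema extension has replicated to every DC.
$forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$schemaNC = ([ADSI]'LDAP://RootDSE').psbase.Properties['schemaNamingContext'].Value

function Get-ExchangeSchemaVersion($dcName) {
    # Base-scope read of the version object directly from the named domain controller.
    try {
        $base = New-Object System.DirectoryServices.DirectoryEntry(
            "LDAP://$dcName/CN=ms-Exch-Schema-Version-Pt,$schemaNC")
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
        $searcher.Filter      = '(objectClass=*)'
        $searcher.SearchScope = 'Base'
        [void]$searcher.PropertiesToLoad.Add('rangeUpper')
        $searcher.FindOne().Properties['rangeupper'][0]
    } catch {
        $null   # DC unreachable, or the object has not replicated there yet
    }
}

$masterName    = $forest.SchemaRoleOwner.Name
$masterVersion = Get-ExchangeSchemaVersion $masterName

$report = foreach ($domain in $forest.Domains) {
    foreach ($dc in $domain.DomainControllers) {
        $version = Get-ExchangeSchemaVersion $dc.Name
        New-Object PSObject -Property @{
            DomainController = $dc.Name
            Site             = $dc.SiteName
            RangeUpper       = $version
            InSync           = ($version -ne $null -and $version -eq $masterVersion)
        }
    }
}

"Schema Master $masterName reports rangeUpper = $masterVersion"
$report | Sort-Object Site, DomainController |
    Format-Table DomainController, Site, RangeUpper, InSync -AutoSize

$behind = @($report | Where-Object { -not $_.InSync })
if ($behind.Count -gt 0) {
    Write-Warning "$($behind.Count) domain controller(s) have not received the schema update yet."
}
```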