A Closer Look at Preparing Active Directory for Exchange 2007 (Part 5)

Introduction


This is the fifth and final part of an article series covering the preparation of Active Directory to receive the first Exchange 2007 server. So far in this article series we’ve covered the preparation of legacy permissions, the schema and Active Directory. This just leaves the final part which is the preparation of the Active Directory domains that will contain either Exchange 2007 servers or Exchange 2007 users.


Preparing The Domains


So here we are at the very last part of the process, namely the preparation of the Active Directory domains to receive Exchange 2007. If you have deployed legacy versions of Exchange you may remember the DomainPrep process that existed with Exchange 2000 and Exchange 2003. Well, preparing the domains for Exchange 2007 is similar in that the process must be performed in two locations:


- In each domain that you will install an Exchange 2007 server into
- In each domain that will contain mail-enabled users


To prepare a domain you use the setup /PrepareDomain command, or setup /pd for short. This prepares the domain from which you are running the command. As I said earlier in this article, the setup /p process also prepares the domain in which it is run, so you don’t need to run setup /pd in that domain. You can also choose to prepare a specific domain by adding the Fully Qualified Domain Name (FQDN) of that domain to the command, such as:


setup /pd:sales.neilhobson.com


To successfully complete this process you must be running the command from an account that has Domain Admin rights. You may be thinking that this could be a laborious process if you have many domains across your Active Directory infrastructure. Fortunately, you can prepare all domains in one go via the setup /PrepareAllDomains command, or setup /pad for short. Obviously, to prepare all domains the account you use must be a member of the Enterprise Admins group.


Running the setup /pd process for just the sales.neilhobson.com domain can be seen in Figure 28.


Figure 28: Running The Setup /pd Process

Note the warning message which, in this case, has occurred because I have not configured a domain Recipient Update Service in the root domain.

What exactly does the domain preparation process do and how can you check for success? Essentially the process assigns various permissions and also creates additional objects that you can check visually. For example, in the domain that has been prepared you will see a new group called Exchange Install Domain Servers. To see this group, bring up the Active Directory Users and Computers snap-in and make sure that advanced features are being displayed by selecting the Advanced Features option from the View menu. Select the Microsoft Exchange System Objects container from the left-hand pane and in the right-hand pane you should be able to locate the Exchange Install Domain Servers group as you can see from Figure 29.

Figure 29: Exchange Install Domain Servers Group

Back in your root domain, locate the Exchange Servers group found in the Microsoft Exchange Security Groups Organizational Unit and bring up its properties. On the Members tab, confirm that the Exchange Install Domain Servers group from the child domain that has just been prepared is a member of this group, as you can see from Figure 30.

Figure 30: Membership of The Exchange Servers Group


You will notice in Figure 30 that the root domain’s Exchange Install Domain Servers group is already a member of the Exchange Servers group. This is because the setup /p process, which had to be run in the root domain, automatically prepared this domain. As you can see, the presence of the Exchange Install Domain Servers group is a good indication that the domain preparation process has run and has completed successfully.

However, there are other things that you can check to be sure. The domain preparation process also updates one of the properties of the Microsoft Exchange System Objects container as you are about to see. By running ADSIEdit and connecting to a domain controller in the child domain, it’s possible to bring up the properties of the Microsoft Exchange System Objects container as you can see from Figure 31. I won’t detail all the steps for doing this as use of ADSIEdit is covered in the previous parts of this article. All I will say is that you need to connect to the domain naming context, locate the Microsoft Exchange System Objects container, right-click it and choose Properties from the context menu. In the resulting window, scroll down until you find the objectVersion attribute.



Figure 31: objectVersion Attribute

In Figure 31 you can see a value of 6936 which is the value assigned after Exchange 2003 RTM has been installed. Once you have performed the Exchange 2007 domain preparation process you should see this number change. For Exchange 2007 RTM it’s 10628 whilst for Exchange 2007 SP1 it’s 11221.

Finally, there is one last check that you can make which Microsoft does detail in its documentation. After the domain preparation process for Exchange 2007, the Exchange Servers Universal Security Group is granted permission on the Manage Auditing and Security Log found in the domain controller’s security policy.
To locate this, perform the following steps:

1. Choose Start and then Administrative Tools.

2. In the Administrative Tools folder, choose Domain Controller Security Policy.

3. Under Security Settings, expand Local Policies and then select User Rights Assignment. In the right-hand pane you should now see the policies and the policy settings listed as shown in Figure 32.

Figure 32: User Rights Assignment

4. Scroll down the list of policies until you reach the policy called Manage auditing and security log. Double-click this policy which brings up the properties window and note that the Exchange Servers Universal Security Group now has permissions set as shown in Figure 33.

Figure 33: Exchange Servers USG Permissions
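
The four checks described above (the new group, its membership of Exchange Servers, the objectVersion value and the user right) can also be scripted. The PowerShell below is an added example, not part of the original article: the distinguished names and the root domain name neilhobson.com are assumptions derived from the article's sample domain sales.neilhobson.com, and it is meant to be run on a domain controller in the prepared domain.

```powershell
# Added example: scripted versions of the four checks described above.
# Assumed: the DNs and the root domain name are derived from the article's
# sample domain; run on a DC in the prepared domain (PowerShell 2.0 or later).
$childDns = 'sales.neilhobson.com'; $childDn = 'DC=sales,DC=neilhobson,DC=com'
$rootDns  = 'neilhobson.com';       $rootDn  = 'DC=neilhobson,DC=com'
$mesoDn   = "CN=Microsoft Exchange System Objects,$childDn"
$eidsDn   = "CN=Exchange Install Domain Servers,$mesoDn"
$exSrvDn  = "CN=Exchange Servers,OU=Microsoft Exchange Security Groups,$rootDn"

# objectVersion values quoted in the article
$known = @{ 6936 = 'Exchange 2003 RTM'; 10628 = 'Exchange 2007 RTM'; 11221 = 'Exchange 2007 SP1' }

# Check 1: the Exchange Install Domain Servers group exists in the child domain
$eidsExists = [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$childDns/$eidsDn")

# Check 2: that group is a member of Exchange Servers in the root domain
$exSrv    = [ADSI]"LDAP://$rootDns/$exSrvDn"
$isMember = @($exSrv.member) -contains $eidsDn

# Check 3: objectVersion on the Microsoft Exchange System Objects container
$meso          = [ADSI]"LDAP://$childDns/$mesoDn"
$objectVersion = [int]$meso.objectVersion.Value
$level = $known[$objectVersion]
if (-not $level) { $level = 'not a value listed in the article' }

# Check 4: Exchange Servers holds "Manage auditing and security log"
# (SeSecurityPrivilege) in the policy in effect on this domain controller
$sid = (New-Object System.Security.Principal.SecurityIdentifier($exSrv.objectSid.Value, 0)).Value
$inf = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line     = Get-Content $inf | Where-Object { $_ -like 'SeSecurityPrivilege*' }
$holders  = @($line -split '[=,]' | ForEach-Object { $_.Trim().TrimStart('*') })
$hasRight = $holders -contains $sid
Remove-Item $inf

# One object summarising all four results
New-Object PSObject -Property @{
    InstallDomainServersGroupExists = $eidsExists
    MemberOfExchangeServers         = $isMember
    ObjectVersion                   = $objectVersion
    PreparationLevel                = $level
    ExchangeServersHasAuditRight    = $hasRight
}
```

The secedit export lists the holders of each right as SIDs, which is why the script resolves the Exchange Servers group to its SID before comparing. Because this right allows reading and clearing the Security log, membership of the Exchange Servers group is worth including in routine group audits.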

Summary

There you have it, all four Active Directory preparation steps covered; how to perform the steps and what to look for. I must admit that I have taken the time to write these four steps over five parts of this article which does seem a lot. However, I’ve felt that it has been useful to explain the preparation processes in some depth with plenty of screen shots since these processes are vital to a successful deployment of Exchange 2007. If you’ve still to deploy Exchange 2007, hopefully this should help you understand what is going on during these processes. If you’ve already deployed Exchange 2007 but not yet taken any of the Microsoft exams, note that the skills being measured include Active Directory preparation.