Introduction
This is the fourth part of an article series covering the preparation of Active Directory to receive Exchange 2007. So far in parts one to three we’ve looked at the preparation of the legacy permissions, followed by the preparation of the schema. Throughout these three parts we’ve also looked at how to confirm each step has completed successfully, using additional tools such as log files, LDP.EXE and ADSIEdit. Some administrators consider it important to confirm that the various processes have completed successfully rather than just relying on ‘success’ messages given at the end of each step.
We are now going to continue or look at the overall preparation process by examining what is required for the step known as Active Directory preparation.
Preparing Active Directory
The third of the four steps covered in this article is the step where Active Directory is prepared by the creation of various objects and the assignment of further permissions. As we’ve already seen in the other parts of this article, the running of one particular command will execute the steps of the previous command if that previous command hasn’t been run individually, and the particular command we’re about to discuss is no different. In other words, this command will automatically prepare the legacy permissions and the schema if this hasn’t already been done.
The command to use to prepare Active Directory is setup /PrepareAD or setup /p for short. If you are coexisting with legacy versions of Exchange then the organization container will already exist within Active Directory. If you are installing Exchange for the first time, then you will need to add the /OrganizationName or /on switch and specify the chosen Exchange organization name. For example:
setup /p /on:Exchange
This command will ensure that Active Directory is prepared with an Exchange organization name of Exchange. You can see from Figure 23 what the process of preparing Active Directory looks like.
Since this command is not making any schema changes you do not need to be a member of Schema Admins to run it in the same way as you did with setup /ps. However, you still need to be a member of Enterprise Admins so factor this in when considering who will be running this command. Also, like the setup /ps process, you still need to execute this command on a server that is located in the same Active Directory site and domain as that of the schema master. Although you are not making schema changes, the setup /p process writes the changes specifically to the schema master before propagation around the remainder of the domain controllers.
You have seen throughout the other parts of this article that you can use tools such as LDP and ADSIEdit to check that processes have completed successfully. With setup /p, several very visible changes are made that you can see from applications such as Active Directory Users and Computers and Exchange System Manager. For example, in the root domain of your Active Directory infrastructure you will see a new Organizational Unit (OU) created called Microsoft Exchange Security Groups and within that OU you will see the following six security groups:
Exchange Organization Administrators
Exchange Public Folder Administrators
Exchange Recipient Administrators
Exchange Servers
Exchange View-Only Administrators
ExchangeLegacyInterop
You can see this OU and the groups within it in Figure 24. Remember, this OU is only created in the root domain of your Active Directory infrastructure. In my case, this is the neilhobson.com domain so this means that this OU won’t be seen in the sales.neilhobson.com domain.
Figure 24: Microsoft Exchange Security Groups OU
Also, after having performed the setup /p process, it may become very apparent to administrators of Exchange 2000 or Exchange 2003 that something has changed and the upcoming deployment of Exchange 2007 is just around the corner. This is because the new Exchange 2007 administrative and routing groups will now be present in the Exchange System Manager as you can see from Figure 25.
Figure 25: Exchange 2007 Administrative and Routing Groups
The Exchange Administrative Group (FYDIBOHF23SPDLT) and Exchange Routing Group (DWBGZMFD01QNBJR) objects are created to house all Exchange 2007 servers so that legacy versions of Exchange will understand how to contact the new Exchange 2007 servers. You will not see these administrative and routing group objects in the Exchange 2007 Management Console since the concept of administrative and routing groups are deprecated features as far as Exchange 2007 is concerned. Obviously there will be no server objects under the Exchange 2007 administrative group at this stage since we’ve not actually installed an Exchange 2007 server yet, but nevertheless the administrative and routing group objects exist at this time. This is confirmed in Figure 25 where you will notice there is no Servers container directly under the Exchange Administrative Group (FYDIBOHF23SPDLT) object.
Finally, one other easy check you can make at this time is to examine the contents of the Exchange organization container using ADSIEdit. Consider Figure 26 below which is the container contents prior to the running of setup /p. Then compare this to Figure 27 which is the container after the running of setup /p. Note that there are more items in Figure 27, such as the Client Access, ELC and UM containers. These are created as a result of running setup /p.
Figure 26: Organization Container Prior to Setup /p
Figure 27: Organization Container After Setup /p
The setup /p process also configures many additional permissions, far too many for me to list here. Checking the above configuration elements should be enough for you to be sure that the process has completed successfully. As ever, don’t forget that you can check the setup logs for much more additional information.
In the last part of the process which I’ll cover in the final part of this article series we are going to be looking at the preparation of the Active Directory domains. You should note that the setup /p process actually prepares the domain from which it is run, so that’s one less domain to worry about later on.
One word of caution about the setup /p process is the fact that Microsoft states this process must contact all domains within your Active Directory forest, even those that have not had legacy Exchange servers installed into them; you will need to plan for this if you have a large or complex Active Directory infrastructure.
Summary
In this penultimate part of the article series, we have looked at the step of preparing Active Directory and what to check for to make sure that this command has completed correctly. Several key changes are made during this step, such as the creation of the Microsoft Exchange Security Groups OU in the root domain, as well the creation of legacy administrative and routing groups. In the final part of this article we’ll be looking at the last step, namely the preparation of Active Directory domains.