PREPARE ACTIVE DIRECTORY AND DOMAINS FOR EXCHANGE 2013.pdf

PREPARE ACTIVE DIRECTORY AND DOMAINS FOR EXCHANGE 2013 APPLIES TO: EXCHANGE SERVER 2013

Before you install the release to manufacturing (RTM) version of Microsoft Exchange Server 2013 or later cumulative updates (CU) on any servers in your organization, you must prepare Active Directory and domains. setup /PrepareSchema or setup /ps setup /PrepareAD [/OrganizationName: ] or setup /p [/on:] setup /PrepareDomain or setup /pd setup /PrepareAllDomains or setup /pad BEFORE YOU BEGIN ENSURE

 The computers on which you plan to install Exchange 2013 must

meet the system requirements. For details, see Exchange 2013 System Requirements.  Your domains and the domain controllers must meet the system requirements in "Network and directory servers" in Exchange 2013 System Requirements.  For multiple domain organizations running the following /Prepare* commands, we recommend the following:  Run the commands from an Active Directory site that has an Active Directory server from every domain.  Run the first server role installation from an Active Directory site with a writeable global catalog server from every domain.  Verify that replication of objects from the preceding actions is completed on the global catalog server in the Active Directory site before installing the first Exchange 2013 server to that site.  If you run the Exchange 2013 Setup wizard with an account that has the permissions required (Schema Admins, Domain Admins, and

Enterprise Admins) to prepare Active Directory and the domain, the wizard automatically prepares Active Directory and the domain. For more information, see Install Exchange 2013 Using the Setup Wizard. However, you must first install the Active Directory management tools on the computer prior to preparing the schema or domains. To do this, see the Active Directory preparation section in Exchange 2013 Prerequisites.  You must specify the /IAcceptExchangeServerLicenseTerms parameter when you run setup.exe to accept the Exchange 2013 license terms.

 TIP: Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection

EXCHANGE 2013 ACTIVE DIRECTORY VERSIONS The following table shows you the Exchange 2013 objects in Active Directory that get updated each time you install a new version of Exchange 2013. You can compare the object versions you see with the values in the table below to verify that the version of Exchange 2013 you installed successfully updated Active Directory during installation.

PREPARE ACTIVE DIRECTORY AND DOMAINS To track the progress of Active Directory replication, you can use the repadmin tool (repadmin.exe), which is installed as part of the Windows Server 2012 and Windows Server 2008 R2 Active Directory Domain Services Tools (RSAT-ADDS) feature. For more information about how to use repadmin, see Repadmin. From a Command Prompt window, run the following command. (If you want, you can skip this step and prepare the schema as part of Step 2.)

setup /PrepareSchema or setup /ps IMPORTANT: If you have multiple forests in your organization, make sure that you run your forest preparation from the correct Exchange forest. Setup preparation makes configuration changes to your forest, and it could configure a non-Exchange forest incorrectly. NOTE: It is not supported to use the LDIF Directory Exchange tool (LDIFDE) to manually import the Exchange 2013 schema changes. You must use Setup to update the schema. 1. THIS COMMAND PERFORMS THE FOLLOWING TASKS:

 Connects to the schema master and imports LDAP Data

Interchange Format (LDIF) files to update the schema with Exchange 2013 specific attributes. The LDIF files are copied to the Temp directory and then deleted after they are imported into the schema.



 Sets the schema version (ms-Exch-Schema-Verision-Pt). To see the version that should be shown after this command completes, look up the version of Exchange 2013 you are installing in the table in Exchange 2013 Active Directory versions.

NOTE THE FOLLOWING:

 To run this command, you must be a member of the Schema Admins group and the Enterprise Admins group.  You must run this command on a 64-bit computer in the same domain and in the same Active Directory site as the schema master.

 If you use the /DomainController parameter with this command, you must specify the domain controller that is the schema master.  After you run this command, you should wait for the changes to replicate across your Exchange organization before continuing to the next step. The amount of time this takes is dependent upon your Active Directory site topology. For more information, see Exchange 2013 Active Directory Schema Changes.



2. From a Command Prompt window, run the following command. setup /PrepareAD [/OrganizationName: ] or setup /p [/on:< organization name>] THIS COMMAND PERFORMS THE FOLLOWING TASKS:

 If the Microsoft Exchange container doesn't exist, this

command creates it under CN=Services,CN=Configuration,DC=



 If no Exchange organization container exists under

CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=, you must specify an organization name using the /OrganizationName parameter. The organization container will be created with the name that you specify. The Exchange organization name can contain only the following characters: A through Z a through z 0 through 9 No space (leading or trailing), no hyphen or dash

The organization name can't contain more than 64 characters. The organization name cannot be blank. If the organization name contains spaces, you must enclose the name in quotation marks (").



Verifies that the schema has been updated and that the organization is up to date by checking the objectVersion property in Active Directory. The objectVersion property is in the CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= container. To see the version that should be shown after this command completes, look up the version of Exchange 2013 you are installing in the table in Exchange 2013 Active Directory versions.

Exchange 2013 Active Directory versions The following table shows you the Exchange 2013 objects in Active Directory that get updated each time you install a new version of Exchange 2013. You can compare the object versions you see with the values in the table below to verify that the version of Exchange 2013 you installed successfully updated Active Directory during installation.

 Sets the msExchProductId value on the Exchange

organization object. The msExchProductId property is in the CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= container.  To see the version that should be shown after this command completes, look up the version of Exchange 2013 you're installing in the table in Exchange 2013 Active Directory versions.



 If the containers don't exist, creates the following containers and objects under

CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=, which are required for Exchange 2013: CN=Address Lists Container,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=AddressBook Mailbox Policies,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Addressing,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Administrative Groups,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Approval Applications,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Auth Configuration,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Client Access,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=

CN=Connections,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=ELC Folders Container,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=ELC Mailbox Policies,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=ExchangeAssistance,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Global Settings,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Hybrid Configuration,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Mobile Mailbox Policies,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Monitoring Settings,CN=,CN=Microsoft

Exchange,CN=Services,CN=Configuration,DC= CN=OWA Mailbox Policies,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Provisioning Policy Container,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=RBAC,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Recipient Policies,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Remote Accounts Policies Container,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Retention Policies Container,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Retention Policy Tag Container,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=

CN=ServiceEndpoints,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=System Policies,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Team Mailbox Provisioning Policies,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Transport Settings,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=UM AutoAttendant,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=UM DialPlan,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=UM IPGateway,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=UM Mailbox Policies,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=

CN=Workload Management Settings,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=

 If it doesn't exist, creates the default Accepted Domains entry, based on the forest root namespace, under:

CN=Transport Settings,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=

 Assigns specific permissions throughout the configuration partition.



 Imports the Rights.ldf file. This adds the extended rights required for Exchange to install into Active Directory.



 Creates the Microsoft Exchange Security Groups

organizational unit (OU) in the root domain of the forest and assigns specific permissions on this OU.



 Creates the following management role groups within the Microsoft Exchange Security Groups OU: Compliance Management Delegated Setup Discovery Management Help Desk Hygiene Management Managed Availability Servers Organization Management Public Folder Management Recipient Management Records Management Server Management

UM Management View-Only Organization Management



 Adds the new universal security groups (USGs) that are within the Microsoft Exchange Security Groups OU to the otherWellKnownObjects attribute stored on the 

CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= container.



 Creates the Unified Messaging Voice Originator contact in the Microsoft Exchange System Objects container of the root domain.



 Prepares the local domain for Exchange 2013. For

information about what tasks are completed to prepare a domain, see Step 3.

NOTE THE FOLLOWING: To run this command, you must be a member of the Enterprise Admins group.

 The computer where you run this command must be able to contact all domains in the forest on port 389.  You must run this command on a computer in the same

domain and in the same Active Directory site as the schema master. Setup will make all configuration changes to the schema master to avoid conflicts because of replication latency.  After you run this command, you should wait for the changes to replicate across your Exchange organization before continuing to the next step. The amount of time this takes is dependent upon your Active Directory site topology.  To verify that this step completed successfully, make sure that there is a new OU in the root domain called 

Microsoft Exchange Security Groups. This OU should contain the following new Exchange USGs: Compliance Management Delegated Setup Discovery Management Exchange Servers Exchange Trusted Subsystem Exchange Windows Permissions ExchangeLegacyInterop Help Desk Hygiene Management Managed Availability Servers Organization Management Public Folder Management Recipient Management Records Management Server Management UM Management View-Only Organization Management



3. From a Command Prompt window, run one of the following commands:

 Run setup

/PrepareDomain or setup /pd to prepare the local domain. You do not need to run this in the domain where you ran Step 2. Running  setup /PrepareAD prepares the local domain.



 Run setup

/PrepareDomain: to prepare a specific domain.



 Run

setup /PrepareAllDomains or setup /pad to prepare all domains in your organization.

THESE COMMANDS PERFORM THE FOLLOWING TASKS:

 If this is a new organization, creates the Microsoft Exchange System Objects container in the root domain partition in Active Directory and sets permissions on this container for the Exchange Servers, Exchange Organization Administrators, and Authenticated Users groups. This container is used to store public folder proxy objects and Exchange-related system objects, such as the mailbox database's mailbox.



 Sets the objectVersion property in the Microsoft

Exchange System Objects container under DC=. To see the version that should be shown after this command completes, look up the version of Exchange 2013 you're installing in the table in Exchange 2013 Active Directory versions.



 Creates a domain global group in the current domain called

Exchange Install Domain Servers. The command places this group in the Microsoft Exchange System Objects container. It also adds the Exchange Install Domain Servers group to the Exchange Servers USG in the root domain.

NOTE: The Exchange Install Domain Servers group is used if you install Exchange 2013 in a child domain that is an Active Directory site other than the root domain. The creation of this group allows you to avoid installation errors if group memberships have not replicated to the child domain.

 Assigns permissions at the domain level for the Exchange Servers USG and the Organization Management USG.

NOTE THE FOLLOWING: To run setup /PrepareAllDomains, you must be a member of the Enterprise Admins group.

 To run setup

/PrepareDomain, if the domain that you're preparing existed before you ran setup /PrepareAD, you must be a member of the Domain Admins group in the domain. If the domain that you are preparing was created after you ran setup /PrepareAD, you must be a member of the Exchange Organization Administrators group, and you must be a member of the Domain Admins group in the domain.  For domains in an Active Directory site other than the root domain, /PrepareDomain might fail with the following messages: "PrepareDomain for domain has partially completed. Because of the Active Directory site configuration, you must wait at least 15 minutes for replication to occur, and run PrepareDomain for again."

 "Active Directory operation failed on . This error is not retriable. Additional information: The specified group type is invalid. Active Directory response: 00002141: SvcErr: DSID031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0 The server cannot handle directory requests." If you see these messages, wait for or force Active Directory replication between this domain and the root domain, and then run /PrepareDomain again.

 You must run this command in every domain in which you

will install Exchange 2013. You must also run this command

in every domain that will contain mail-enabled users, even if the domain does not have Exchange 2013 installed. TO VERIFY THAT STEP 3 COMPLETED SUCCESSFULLY, CONFIRM THE FOLLOWING:

 You have a new global group in the Microsoft Exchange

System Objects container called Exchange Install Domain Servers. (To view the Microsoft Exchange System Objects container in Active Directory Users and Computers, on the View menu, click Advanced Features.)  The Exchange Install Domain Servers group is a member of the Exchange Servers USG in the root domain.  On each domain controller in a domain in which you will install Exchange 2013, the Exchange Servers USG has permissions on the Domain Controller Security Policy\Local Policies\User Rights Assignment\Manage Auditing and Security Log policy.

HOW DO YOU KNOW THIS WORKED? DO THE FOLLOWING TO VERIFY THAT ACTIVE DIRECTORY HAS BEEN SUCCESSFULLY PREPARED:

 In the Configuration naming context, verify that

the msExchProductId property in the CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= container is set to the value shown for your version of Exchange 2013 in the table in Exchange 2013 Active Directory versions.



NOTE: If the msExchProductId property is set to the correct value for the version of Exchange 2013 you installed, Active Directory has been successfully prepared. You do not need to check any of remaining values in this list. The information below is for information purposes only and for those who separate the PrepareSchema and PrepareAD steps.

 In the Schema naming context, verify that the rangeUpper property on ms-Exch-Schema-Verision-Pt is set to the value shown for your version of Exchange 2013 in the table in Exchange 2013 Active Directory versions.



 In the Configuration naming context, verify that

the objectVersion property in the CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= container is set to the value shown for your version of Exchange 2013 in the table in Exchange 2013 Active Directory versions.



 In the Default naming context, verify that the objectVersion property in the Microsoft Exchange System Objects container under DC=