prepare active directory and domains for exchange 2013.pdf


Upload: adam-daniel

Post on 15-Dec-2015


PREPARE ACTIVE DIRECTORY AND DOMAINS FOR EXCHANGE 2013

APPLIES TO: EXCHANGE SERVER 2013

Before you install the release to manufacturing (RTM) version of Microsoft Exchange Server 2013 or later cumulative updates (CU) on any servers in your organization, you must prepare Active Directory and domains.

setup /PrepareSchema or setup /ps

setup /PrepareAD [/OrganizationName:<organization name>] or setup /p [/on:<organization name>]

setup /PrepareDomain or setup /pd

setup /PrepareAllDomains or setup /pad

BEFORE YOU BEGIN ENSURE

The computers on which you plan to install Exchange 2013 must meet the system requirements. For details, see Exchange 2013 System Requirements.

Your domains and the domain controllers must meet the system requirements in "Network and directory servers" in Exchange 2013 System Requirements.

For multiple domain organizations running the following /Prepare* commands, we recommend the following:

Run the commands from an Active Directory site that has an Active Directory server from every domain.

Run the first server role installation from an Active Directory site with a writeable global catalog server from every domain.

Verify that replication of objects from the preceding actions is completed on the global catalog server in the Active Directory site before installing the first Exchange 2013 server to that site.

If you run the Exchange 2013 Setup wizard with an account that has the permissions required (Schema Admins, Domain Admins, and Enterprise Admins) to prepare Active Directory and the domain, the wizard automatically prepares Active Directory and the domain. For more information, see Install Exchange 2013 Using the Setup Wizard. However, you must first install the Active Directory management tools on the computer prior to preparing the schema or domains. To do this, see the Active Directory preparation section in Exchange 2013 Prerequisites.

You must specify the /IAcceptExchangeServerLicenseTerms parameter when you run setup.exe to accept the Exchange 2013 license terms.

TIP:

Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection

EXCHANGE 2013 ACTIVE DIRECTORY VERSIONS

The following table shows you the Exchange 2013 objects in Active Directory that get updated each time you install a new version of Exchange 2013. You can compare the object versions you see with the values in the table below to verify that the version of Exchange 2013 you installed successfully updated Active Directory during installation.

PREPARE ACTIVE DIRECTORY AND DOMAINS

To track the progress of Active Directory replication, you can use the repadmin tool (repadmin.exe), which is installed as part of the Windows Server 2012 and Windows Server 2008 R2 Active Directory Domain Services Tools (RSAT-ADDS) feature. For more information about how to use repadmin, see Repadmin.

1. From a Command Prompt window, run the following command. (If you want, you can skip this step and prepare the schema as part of Step 2.)

setup /PrepareSchema or setup /ps

IMPORTANT:

If you have multiple forests in your organization, make sure that you run your forest preparation from the correct Exchange forest. Setup preparation makes configuration changes to your forest, and it could configure a non-Exchange forest incorrectly.

NOTE:

It is not supported to use the LDIF Directory Exchange tool (LDIFDE) to manually import the Exchange 2013 schema changes. You must use Setup to update the schema.

THIS COMMAND PERFORMS THE FOLLOWING TASKS:

Connects to the schema master and imports LDAP Data Interchange Format (LDIF) files to update the schema with Exchange 2013 specific attributes. The LDIF files are copied to the Temp directory and then deleted after they are imported into the schema.

Sets the schema version (ms-Exch-Schema-Version-Pt). To see the version that should be shown after this command completes, look up the version of Exchange 2013 you are installing in the table in Exchange 2013 Active Directory versions.

NOTE THE FOLLOWING:

To run this command, you must be a member of the Schema Admins group and the Enterprise Admins group.

You must run this command on a 64-bit computer in the same domain and in the same Active Directory site as the schema master.

If you use the /DomainController parameter with this command, you must specify the domain controller that is the schema master.

After you run this command, you should wait for the changes to replicate across your Exchange organization before continuing to the next step. The amount of time this takes is dependent upon your Active Directory site topology.

For more information, see Exchange 2013 Active Directory Schema Changes.

2. From a Command Prompt window, run the following command.

setup /PrepareAD [/OrganizationName:<organization name>] or setup /p [/on:<organization name>]

THIS COMMAND PERFORMS THE FOLLOWING TASKS:

If the Microsoft Exchange container doesn't exist, this command creates it under CN=Services,CN=Configuration,DC=<root domain>

If no Exchange organization container exists under CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>, you must specify an organization name using the /OrganizationName parameter. The organization container will be created with the name that you specify. The Exchange organization name can contain only the following characters:

A through Z

a through z

0 through 9

No space (leading or trailing), no hyphen or dash


The organization name can't contain more than 64 characters. The organization name cannot be blank. If the organization name contains spaces, you must enclose the name in quotation marks (").

Verifies that the schema has been updated and that the organization is up to date by checking the objectVersion property in Active Directory. The objectVersion property is in the CN=<your organization>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain> container.

To see the version that should be shown after this command completes, look up the version of Exchange 2013 you are installing in the table in Exchange 2013 Active Directory versions.


Sets the msExchProductId value on the Exchange organization object. The msExchProductId property is in the CN=<your organization>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain> container.

To see the version that should be shown after this command completes, look up the version of Exchange 2013 you're installing in the table in Exchange 2013 Active Directory versions.

If the containers don't exist, creates the following containers and objects under CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>, which are required for Exchange 2013:

CN=Address Lists Container,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

CN=AddressBook Mailbox Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

CN=Addressing,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

CN=Administrative Groups,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

CN=Approval Applications,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

CN=Auth Configuration,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

CN=Client Access,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

CN=Connections,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

CN=ELC Folders Container,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

CN=ELC Mailbox Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

CN=ExchangeAssistance,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

CN=Global Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

CN=Hybrid Configuration,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

CN=Mobile Mailbox Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

CN=Monitoring Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

CN=OWA Mailbox Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

CN=Provisioning Policy Container,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

CN=RBAC,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

CN=Recipient Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

CN=Remote Accounts Policies Container,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

CN=Retention Policies Container,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

CN=Retention Policy Tag Container,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

CN=ServiceEndpoints,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

CN=System Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

CN=Team Mailbox Provisioning Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

CN=Transport Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

CN=UM AutoAttendant,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

CN=UM DialPlan,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

CN=UM IPGateway,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

CN=UM Mailbox Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

CN=Workload Management Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

If it doesn't exist, creates the default Accepted Domains entry, based on the forest root namespace, under:

CN=Transport Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

Assigns specific permissions throughout the configuration partition.

Imports the Rights.ldf file. This adds the extended rights required for Exchange to install into Active Directory.

Creates the Microsoft Exchange Security Groups organizational unit (OU) in the root domain of the forest and assigns specific permissions on this OU.

Creates the following management role groups within the Microsoft Exchange Security Groups OU:

Compliance Management

Delegated Setup

Discovery Management

Help Desk

Hygiene Management

Managed Availability Servers

Organization Management

Public Folder Management

Recipient Management

Records Management

Server Management

UM Management

View-Only Organization Management

Adds the new universal security groups (USGs) that are within the Microsoft Exchange Security Groups OU to the otherWellKnownObjects attribute stored on the CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain> container.

Creates the Unified Messaging Voice Originator contact in the Microsoft Exchange System Objects container of the root domain.

Prepares the local domain for Exchange 2013. For information about what tasks are completed to prepare a domain, see Step 3.

NOTE THE FOLLOWING:

To run this command, you must be a member of the Enterprise Admins group.

The computer where you run this command must be able to contact all domains in the forest on port 389.

You must run this command on a computer in the same domain and in the same Active Directory site as the schema master. Setup will make all configuration changes to the schema master to avoid conflicts because of replication latency.

After you run this command, you should wait for the changes to replicate across your Exchange organization before continuing to the next step. The amount of time this takes is dependent upon your Active Directory site topology.

To verify that this step completed successfully, make sure that there is a new OU in the root domain called Microsoft Exchange Security Groups.

This OU should contain the following new Exchange USGs:

Compliance Management

Delegated Setup

Discovery Management

Exchange Servers

Exchange Trusted Subsystem

Exchange Windows Permissions

ExchangeLegacyInterop

Help Desk

Hygiene Management

Managed Availability Servers

Organization Management

Public Folder Management

Recipient Management

Records Management

Server Management

UM Management

View-Only Organization Management

3. From a Command Prompt window, run one of the following commands:

Run setup /PrepareDomain or setup /pd to prepare the local domain. You do not need to run this in the domain where you ran Step 2. Running setup /PrepareAD prepares the local domain.

Run setup /PrepareDomain:<FQDN of domain you want to prepare> to prepare a specific domain.

Run setup /PrepareAllDomains or setup /pad to prepare all domains in your organization.


THESE COMMANDS PERFORM THE FOLLOWING TASKS:

If this is a new organization, creates the Microsoft Exchange System Objects container in the root domain partition in Active Directory and sets permissions on this container for the Exchange Servers, Exchange Organization Administrators, and Authenticated Users groups. This container is used to store public folder proxy objects and Exchange-related system objects, such as the mailbox database's mailbox.

Sets the objectVersion property in the Microsoft Exchange System Objects container under DC=<root domain>. To see the version that should be shown after this command completes, look up the version of Exchange 2013 you're installing in the table in Exchange 2013 Active Directory versions.

Creates a domain global group in the current domain called Exchange Install Domain Servers. The command places this group in the Microsoft Exchange System Objects container. It also adds the Exchange Install Domain Servers group to the Exchange Servers USG in the root domain.

NOTE:

The Exchange Install Domain Servers group is used if you install Exchange 2013 in a child domain that is an Active Directory site other than the root domain. The creation of this group allows you to avoid installation errors if group memberships have not replicated to the child domain.

Assigns permissions at the domain level for the Exchange Servers USG and the Organization Management USG.


NOTE THE FOLLOWING:

To run setup /PrepareAllDomains, you must be a member of the Enterprise Admins group.

To run setup /PrepareDomain, if the domain that you're preparing existed before you ran setup /PrepareAD, you must be a member of the Domain Admins group in the domain. If the domain that you are preparing was created after you ran setup /PrepareAD, you must be a member of the Exchange Organization Administrators group, and you must be a member of the Domain Admins group in the domain.

For domains in an Active Directory site other than the root domain, /PrepareDomain might fail with the following messages:

"PrepareDomain for domain <YourDomain> has partially completed. Because of the Active Directory site configuration, you must wait at least 15 minutes for replication to occur, and run PrepareDomain for <YourDomain> again."

"Active Directory operation failed on <YourServer>. This error is not retriable. Additional information: The specified group type is invalid. Active Directory response: 00002141: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0 The server cannot handle directory requests."

If you see these messages, wait for or force Active Directory replication between this domain and the root domain, and then run /PrepareDomain again.

You must run this command in every domain in which you will install Exchange 2013. You must also run this command in every domain that will contain mail-enabled users, even if the domain does not have Exchange 2013 installed.

TO VERIFY THAT STEP 3 COMPLETED SUCCESSFULLY, CONFIRM THE FOLLOWING:

You have a new global group in the Microsoft Exchange System Objects container called Exchange Install Domain Servers. (To view the Microsoft Exchange System Objects container in Active Directory Users and Computers, on the View menu, click Advanced Features.)

The Exchange Install Domain Servers group is a member of the Exchange Servers USG in the root domain.

On each domain controller in a domain in which you will install Exchange 2013, the Exchange Servers USG has permissions on the Domain Controller Security Policy\Local Policies\User Rights Assignment\Manage Auditing and Security Log policy.
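The group checks from the Step 2 and Step 3 verification lists can be run from PowerShell instead of Active Directory Users and Computers. The following is an added example, not part of the original document: it assumes the ActiveDirectory module from RSAT is installed, it only reads from the directory, and the function name Test-ExchangePrepGroups is hypothetical.

```powershell
# Added example, not from the original document. Read-only.
# Assumes the ActiveDirectory module (RSAT); Test-ExchangePrepGroups is a hypothetical name.
Import-Module ActiveDirectory -ErrorAction Stop

function Test-ExchangePrepGroups {
    param(
        # DNS name of the domain prepared in Step 3 (default: the current domain).
        [string] $PreparedDomain = (Get-ADDomain).DNSRoot
    )

    # USG names exactly as listed in the Step 2 verification list.
    $expected = @(
        'Compliance Management', 'Delegated Setup', 'Discovery Management',
        'Exchange Servers', 'Exchange Trusted Subsystem', 'Exchange Windows Permissions',
        'ExchangeLegacyInterop', 'Help Desk', 'Hygiene Management',
        'Managed Availability Servers', 'Organization Management',
        'Public Folder Management', 'Recipient Management', 'Records Management',
        'Server Management', 'UM Management', 'View-Only Organization Management'
    )

    $rootDomain = (Get-ADForest).RootDomain
    $rootDn     = (Get-ADDomain -Server $rootDomain).DistinguishedName
    $ouDn       = "OU=Microsoft Exchange Security Groups,$rootDn"

    # All groups directly in the OU, so missing and unexpected entries both show up.
    try {
        $inOu = @(Get-ADGroup -Server $rootDomain -SearchBase $ouDn -SearchScope OneLevel `
                              -Filter * -Properties member -ErrorAction Stop)
    } catch {
        $inOu = @()   # OU not found: /PrepareAD has not run or has not replicated here
    }
    $usgNames = @($inOu |
        Where-Object { $_.GroupScope -eq 'Universal' -and $_.GroupCategory -eq 'Security' } |
        ForEach-Object { $_.Name })

    # Step 3: global group in the prepared domain's Microsoft Exchange System Objects container.
    $domainDn = (Get-ADDomain -Server $PreparedDomain).DistinguishedName
    try {
        $install = Get-ADGroup -Server $PreparedDomain -ErrorAction Stop -Identity `
            "CN=Exchange Install Domain Servers,CN=Microsoft Exchange System Objects,$domainDn"
    } catch {
        $install = $null   # group not found in this domain
    }

    # Membership is read from the Exchange Servers USG in the root domain.
    $exchangeServers = $inOu | Where-Object { $_.Name -eq 'Exchange Servers' }
    $isMember = [bool]($install -and $exchangeServers -and
                       ($exchangeServers.member -contains $install.DistinguishedName))

    [pscustomobject]@{
        SecurityGroupsOu              = $ouDn
        MissingUsgs                   = @($expected | Where-Object { $usgNames -notcontains $_ })
        # Groups in the OU that are not in this document's list; review, do not assume an error.
        GroupsNotInDocumentList       = @($inOu | ForEach-Object { $_.Name } |
                                          Where-Object { $expected -notcontains $_ })
        InstallGroupIsGlobal          = [bool]($install -and $install.GroupScope -eq 'Global')
        InstallGroupInExchangeServers = $isMember
    }
}

Test-ExchangePrepGroups | Format-List
```

An empty MissingUsgs list and both InstallGroup values reporting True correspond to the first two items of the Step 3 checklist; the user rights assignment on each domain controller still has to be checked in the Domain Controller Security Policy.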

HOW DO YOU KNOW THIS WORKED?

DO THE FOLLOWING TO VERIFY THAT ACTIVE DIRECTORY HAS BEEN SUCCESSFULLY PREPARED:

In the Configuration naming context, verify that the msExchProductId property in the CN=<your organization>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain> container is set to the value shown for your version of Exchange 2013 in the table in Exchange 2013 Active Directory versions.


NOTE:

If the msExchProductId property is set to the correct value for the version of Exchange 2013 you installed, Active Directory has been successfully prepared. You do not need to check any of the remaining values in this list. The information below is for information purposes only and for those who separate the PrepareSchema and PrepareAD steps.

In the Schema naming context, verify that the rangeUpper property on ms-Exch-Schema-Version-Pt is set to the value shown for your version of Exchange 2013 in the table in Exchange 2013 Active Directory versions.

In the Configuration naming context, verify that the objectVersion property in the CN=<your organization>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain> container is set to the value shown for your version of Exchange 2013 in the table in Exchange 2013 Active Directory versions.

In the Default naming context, verify that the objectVersion property in the Microsoft Exchange System Objects container under DC=<root domain> is set to the value shown for your version of Exchange 2013 in the table in Exchange 2013 Active Directory versions.

You can also check the Exchange setup log to verify that Active Directory preparation has completed successfully. For more information, see Verify an Exchange 2013 Installation.
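The four directory values named in this verification list can be read in one pass and compared with the values you expect. The following is an added example, not part of the original document: it assumes the ActiveDirectory module from RSAT, it only reads from the directory, the function name Test-ExchangeAdVersions is hypothetical, and the expected values are parameters because the version table is not reproduced in this document.

```powershell
# Added example, not from the original document. Read-only.
# Assumes the ActiveDirectory module (RSAT); Test-ExchangeAdVersions is a hypothetical name.
Import-Module ActiveDirectory -ErrorAction Stop

function Test-ExchangeAdVersions {
    param(
        # Expected values: take them from the "Exchange 2013 Active Directory versions"
        # table for the build you installed. Nothing is hard-coded here.
        [Parameter(Mandatory = $true)] [string] $ExpectedProductId,
        [Parameter(Mandatory = $true)] [string] $ExpectedSchemaRangeUpper,
        [Parameter(Mandatory = $true)] [string] $ExpectedOrgObjectVersion,
        [Parameter(Mandatory = $true)] [string] $ExpectedDomainObjectVersion,
        # Domain or domain controller to query; run once per DC to follow replication.
        [string] $Server = (Get-ADDomain).DNSRoot
    )

    $rootDse  = Get-ADRootDSE -Server $Server
    $schemaNc = $rootDse.schemaNamingContext
    $configNc = $rootDse.configurationNamingContext
    $domainNc = $rootDse.defaultNamingContext

    # Returns $null instead of throwing when an object does not exist yet,
    # which is what an unprepared or not-yet-replicated directory looks like.
    function Get-ObjectOrNull([scriptblock] $Query) {
        try { & $Query } catch { $null }
    }

    $schemaAttr = Get-ObjectOrNull {
        Get-ADObject -Server $Server -Identity "CN=ms-Exch-Schema-Version-Pt,$schemaNc" `
                     -Properties rangeUpper -ErrorAction Stop
    }
    # The organization container is the only msExchOrganizationContainer object
    # directly under CN=Microsoft Exchange, so its name does not need to be known.
    $org = Get-ObjectOrNull {
        Get-ADObject -Server $Server -SearchBase "CN=Microsoft Exchange,CN=Services,$configNc" `
                     -SearchScope OneLevel -LDAPFilter '(objectClass=msExchOrganizationContainer)' `
                     -Properties objectVersion, msExchProductId -ErrorAction Stop |
            Select-Object -First 1
    }
    $systemObjects = Get-ObjectOrNull {
        Get-ADObject -Server $Server -Identity "CN=Microsoft Exchange System Objects,$domainNc" `
                     -Properties objectVersion -ErrorAction Stop
    }

    # msExchProductId comes first: per the NOTE above, a match there is sufficient.
    $rows = @(
        @{ Check = 'Configuration: msExchProductId (organization)'; Actual = $org.msExchProductId;         Expected = $ExpectedProductId },
        @{ Check = 'Schema: rangeUpper (ms-Exch-Schema-Version-Pt)'; Actual = $schemaAttr.rangeUpper;       Expected = $ExpectedSchemaRangeUpper },
        @{ Check = 'Configuration: objectVersion (organization)';   Actual = $org.objectVersion;           Expected = $ExpectedOrgObjectVersion },
        @{ Check = 'Default: objectVersion (System Objects)';       Actual = $systemObjects.objectVersion; Expected = $ExpectedDomainObjectVersion }
    )
    foreach ($row in $rows) {
        [pscustomobject]@{
            Check    = $row.Check
            Actual   = $row.Actual
            Expected = $row.Expected
            Match    = ($null -ne $row.Actual) -and ("$($row.Actual)" -eq $row.Expected)
        }
    }
}

# Usage (fill in the four values from the version table for your build):
# Test-ExchangeAdVersions -ExpectedProductId '<from table>' -ExpectedSchemaRangeUpper '<from table>' `
#     -ExpectedOrgObjectVersion '<from table>' -ExpectedDomainObjectVersion '<from table>' | Format-Table -AutoSize
```

Running it with -Server set to a domain controller in each Active Directory site shows whether the preparation changes have replicated there.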


NOTE:

You will not be able to use the Get-ExchangeServer cmdlet mentioned in the Verify an Exchange 2013 Installation topic until you have completed the installation of at least one Mailbox server role and one Client Access server role in an Active Directory site.