PREPARE ACTIVE DIRECTORY AND DOMAINS FOR EXCHANGE 2013
APPLIES TO: EXCHANGE SERVER 2013
Before you install the release to manufacturing (RTM) version of Microsoft Exchange Server 2013 or later cumulative updates (CU) on any servers in your organization, you must prepare Active Directory and domains.
setup /PrepareSchema or setup /ps
setup /PrepareAD [/OrganizationName:<organization name>] or setup /p [/on:<organization name>]
setup /PrepareDomain or setup /pd
setup /PrepareAllDomains or setup /pad
BEFORE YOU BEGIN ENSURE
The computers on which you plan to install Exchange 2013 must meet the system requirements. For details, see Exchange 2013 System Requirements.
Your domains and the domain controllers must meet the system requirements in "Network and directory servers" in Exchange 2013 System Requirements.
For multiple domain organizations running the following /Prepare* commands, we recommend the following:
Run the commands from an Active Directory site that has an Active Directory server from every domain.
Run the first server role installation from an Active Directory site with a writeable global catalog server from every domain.
Verify that replication of objects from the preceding actions is completed on the global catalog server in the Active Directory site before installing the first Exchange 2013 server to that site.
If you run the Exchange 2013 Setup wizard with an account that has the permissions required (Schema Admins, Domain Admins, and Enterprise Admins) to prepare Active Directory and the domain, the wizard automatically prepares Active Directory and the domain. For more information, see Install Exchange 2013 Using the Setup Wizard. However, you must first install the Active Directory management tools on the computer prior to preparing the schema or domains. To do this, see the Active Directory preparation section in Exchange 2013 Prerequisites.
You must specify the /IAcceptExchangeServerLicenseTerms parameter when you run setup.exe to accept the Exchange 2013 license terms.
TIP:
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection
EXCHANGE 2013 ACTIVE DIRECTORY VERSIONS
The following table shows you the Exchange 2013 objects in Active Directory that get updated each time you install a new version of Exchange 2013. You can compare the object versions you see with the values in the table below to verify that the version of Exchange 2013 you installed successfully updated Active Directory during installation.
PREPARE ACTIVE DIRECTORY AND DOMAINS
To track the progress of Active Directory replication, you can use the repadmin tool (repadmin.exe), which is installed as part of the Windows Server 2012 and Windows Server 2008 R2 Active Directory Domain Services Tools (RSAT-ADDS) feature. For more information about how to use repadmin, see Repadmin.
1. From a Command Prompt window, run the following command. (If you want, you can skip this step and prepare the schema as part of Step 2.)
setup /PrepareSchema or setup /ps
IMPORTANT:
If you have multiple forests in your organization, make sure that you run your forest preparation from the correct Exchange forest. Setup preparation makes configuration changes to your forest, and it could configure a non-Exchange forest incorrectly.
NOTE:
It is not supported to use the LDIF Directory Exchange tool (LDIFDE) to manually import the Exchange 2013 schema changes. You must use Setup to update the schema.
THIS COMMAND PERFORMS THE FOLLOWING TASKS:
Connects to the schema master and imports LDAP Data Interchange Format (LDIF) files to update the schema with Exchange 2013 specific attributes. The LDIF files are copied to the Temp directory and then deleted after they are imported into the schema.
Sets the schema version (ms-Exch-Schema-Version-Pt). To see the version that should be shown after this command completes, look up the version of Exchange 2013 you are installing in the table in Exchange 2013 Active Directory versions.
NOTE THE FOLLOWING:
To run this command, you must be a member of the Schema Admins group and the Enterprise Admins group.
You must run this command on a 64-bit computer in the same domain and in the same Active Directory site as the schema master.
If you use the /DomainController parameter with this command, you must specify the domain controller that is the schema master.
After you run this command, you should wait for the changes to replicate across your Exchange organization before continuing to the next step. The amount of time this takes is dependent upon your Active Directory site topology.
For more information, see Exchange 2013 Active Directory Schema Changes.
2. From a Command Prompt window, run the following command.
setup /PrepareAD [/OrganizationName:<organization name>] or setup /p [/on:<organization name>]
THIS COMMAND PERFORMS THE FOLLOWING TASKS:
If the Microsoft Exchange container doesn't exist, this command creates it under CN=Services,CN=Configuration,DC=<root domain>
If no Exchange organization container exists under CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>, you must specify an organization name using the /OrganizationName parameter. The organization container will be created with the name that you specify. The Exchange organization name can contain only the following characters:
A through Z
a through z
0 through 9
No space (leading or trailing), no hyphen or dash
The organization name can't contain more than 64 characters. The organization name cannot be blank. If the organization name contains spaces, you must enclose the name in quotation marks (").
Verifies that the schema has been updated and that the organization is up to date by checking the objectVersion property in Active Directory. The objectVersion property is in the CN=<your organization>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain> container. To see the version that should be shown after this command completes, look up the version of Exchange 2013 you are installing in the table in Exchange 2013 Active Directory versions.
Sets the msExchProductId value on the Exchange organization object. The msExchProductId property is in the CN=<your organization>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain> container.
To see the version that should be shown after this command completes, look up the version of Exchange 2013 you're installing in the table in Exchange 2013 Active Directory versions.
If the containers don't exist, creates the following containers and objects under CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>, which are required for Exchange 2013:
CN=Address Lists Container,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=AddressBook Mailbox Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=Addressing,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=Administrative Groups,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=Approval Applications,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=Auth Configuration,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=Client Access,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=Connections,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=ELC Folders Container,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=ELC Mailbox Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=ExchangeAssistance,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=Global Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=Hybrid Configuration,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=Mobile Mailbox Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=Monitoring Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=OWA Mailbox Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=Provisioning Policy Container,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=RBAC,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=Recipient Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=Remote Accounts Policies Container,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=Retention Policies Container,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=Retention Policy Tag Container,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=ServiceEndpoints,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=System Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=Team Mailbox Provisioning Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=Transport Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=UM AutoAttendant,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=UM DialPlan,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=UM IPGateway,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=UM Mailbox Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=Workload Management Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
If it doesn't exist, creates the default Accepted Domains entry, based on the forest root namespace, under:
CN=Transport Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
Assigns specific permissions throughout the configuration partition.
Imports the Rights.ldf file. This adds the extended rights required for Exchange to install into Active Directory.
Creates the Microsoft Exchange Security Groups organizational unit (OU) in the root domain of the forest and assigns specific permissions on this OU.
Creates the following management role groups within the Microsoft Exchange Security Groups OU:
Compliance Management
Delegated Setup
Discovery Management
Help Desk
Hygiene Management
Managed Availability Servers
Organization Management
Public Folder Management
Recipient Management
Records Management
Server Management
UM Management
View-Only Organization Management
Adds the new universal security groups (USGs) that are within the Microsoft Exchange Security Groups OU to the otherWellKnownObjects attribute stored on the CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain> container.
Creates the Unified Messaging Voice Originator contact in the Microsoft Exchange System Objects container of the root domain.
Prepares the local domain for Exchange 2013. For information about what tasks are completed to prepare a domain, see Step 3.
NOTE THE FOLLOWING:
To run this command, you must be a member of the Enterprise Admins group.
The computer where you run this command must be able to contact all domains in the forest on port 389.
You must run this command on a computer in the same domain and in the same Active Directory site as the schema master. Setup will make all configuration changes to the schema master to avoid conflicts because of replication latency.
After you run this command, you should wait for the changes to replicate across your Exchange organization before continuing to the next step. The amount of time this takes is dependent upon your Active Directory site topology.
To verify that this step completed successfully, make sure that there is a new OU in the root domain called Microsoft Exchange Security Groups.
This OU should contain the following new Exchange USGs:
Compliance Management
Delegated Setup
Discovery Management
Exchange Servers
Exchange Trusted Subsystem
Exchange Windows Permissions
ExchangeLegacyInterop
Help Desk
Hygiene Management
Managed Availability Servers
Organization Management
Public Folder Management
Recipient Management
Records Management
Server Management
UM Management
View-Only Organization Management
3. From a Command Prompt window, run one of the following commands:
Run setup /PrepareDomain or setup /pd to prepare the local domain. You do not need to run this in the domain where you ran Step 2. Running setup /PrepareAD prepares the local domain.
Run setup /PrepareDomain:<FQDN of domain you want to prepare> to prepare a specific domain.
Run setup /PrepareAllDomains or setup /pad to prepare all domains in your organization.
THESE COMMANDS PERFORM THE FOLLOWING TASKS:
If this is a new organization, creates the Microsoft Exchange System Objects container in the root domain partition in Active Directory and sets permissions on this container for the Exchange Servers, Exchange Organization Administrators, and Authenticated Users groups. This container is used to store public folder proxy objects and Exchange-related system objects, such as the mailbox database's mailbox.
Sets the objectVersion property in the Microsoft Exchange System Objects container under DC=<root domain>. To see the version that should be shown after this command completes, look up the version of Exchange 2013 you're installing in the table in Exchange 2013 Active Directory versions.
Creates a domain global group in the current domain called Exchange Install Domain Servers. The command places this group in the Microsoft Exchange System Objects container. It also adds the Exchange Install Domain Servers group to the Exchange Servers USG in the root domain.
NOTE:
The Exchange Install Domain Servers group is used if you install Exchange 2013 in a child domain that is an Active Directory site other than the root domain. The creation of this group allows you to avoid installation errors if group memberships have not replicated to the child domain.
Assigns permissions at the domain level for the Exchange Servers USG and the Organization Management USG.
NOTE THE FOLLOWING:
To run setup /PrepareAllDomains, you must be a member of the Enterprise Admins group.
To run setup /PrepareDomain, if the domain that you're preparing existed before you ran setup /PrepareAD, you must be a member of the Domain Admins group in the domain. If the domain that you are preparing was created after you ran setup /PrepareAD, you must be a member of the Exchange Organization Administrators group, and you must be a member of the Domain Admins group in the domain.
For domains in an Active Directory site other than the root domain, /PrepareDomain might fail with the following messages:
"PrepareDomain for domain <YourDomain> has partially completed. Because of the Active Directory site configuration, you must wait at least 15 minutes for replication to occur, and run PrepareDomain for <YourDomain> again."
"Active Directory operation failed on <YourServer>. This error is not retriable. Additional information: The specified group type is invalid. Active Directory response: 00002141: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0 The server cannot handle directory requests."
If you see these messages, wait for or force Active Directory replication between this domain and the root domain, and then run /PrepareDomain again.
You must run this command in every domain in which you will install Exchange 2013. You must also run this command in every domain that will contain mail-enabled users, even if the domain does not have Exchange 2013 installed.
TO VERIFY THAT STEP 3 COMPLETED SUCCESSFULLY, CONFIRM THE FOLLOWING:
You have a new global group in the Microsoft Exchange System Objects container called Exchange Install Domain Servers. (To view the Microsoft Exchange System Objects container in Active Directory Users and Computers, on the View menu, click Advanced Features.)
The Exchange Install Domain Servers group is a member of the Exchange Servers USG in the root domain.
On each domain controller in a domain in which you will install Exchange 2013, the Exchange Servers USG has permissions on the Domain Controller Security Policy\Local Policies\User Rights Assignment\Manage Auditing and Security Log policy.
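The group checks from the Step 2 and Step 3 verification lists can be scripted. The following is an added example, not part of the original procedure; it assumes Windows PowerShell 3.0 or later with the ActiveDirectory module (RSAT-ADDS), run in the domain being checked by an account that can read the root domain.

```powershell
# Added example: audit the groups created by /PrepareAD and /PrepareDomain.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

$rootDomain = (Get-ADForest).RootDomain
$rootNC     = (Get-ADRootDSE).rootDomainNamingContext
$ouDN       = "OU=Microsoft Exchange Security Groups,$rootNC"

# USG names as given in the Step 2 verification list.
$expected = @(
    'Compliance Management', 'Delegated Setup', 'Discovery Management',
    'Exchange Servers', 'Exchange Trusted Subsystem', 'Exchange Windows Permissions',
    'ExchangeLegacyInterop', 'Help Desk', 'Hygiene Management',
    'Managed Availability Servers', 'Organization Management',
    'Public Folder Management', 'Recipient Management', 'Records Management',
    'Server Management', 'UM Management', 'View-Only Organization Management'
)

# Step 2: every group directly under the OU, read from the root domain.
# This call throws if the OU does not exist, which means Step 2 did not complete.
$found = @(Get-ADGroup -SearchBase $ouDN -SearchScope OneLevel -Filter * `
        -Server $rootDomain -Properties member)
$foundNames = @($found | ForEach-Object { $_.Name })

$missing    = @($expected | Where-Object { $foundNames -notcontains $_ })
$unexpected = @($foundNames | Where-Object { $expected -notcontains $_ })
$wrongType  = @($found | Where-Object {
        $_.GroupScope -ne 'Universal' -or $_.GroupCategory -ne 'Security'
    } | ForEach-Object { $_.Name })

# Step 3: the global group that /PrepareDomain creates in the current domain.
$domainNC = (Get-ADDomain).DistinguishedName
$eidsDN   = "CN=Exchange Install Domain Servers,CN=Microsoft Exchange System Objects,$domainNC"
try   { $eids = Get-ADGroup -Identity $eidsDN }
catch { $eids = $null }

# Step 3: that group must be a member of the Exchange Servers USG in the root domain.
$exchangeServers = $found | Where-Object { $_.Name -eq 'Exchange Servers' }
$eidsIsMember = [bool]($eids -and $exchangeServers -and
    (@($exchangeServers.member) -contains $eids.DistinguishedName))

[pscustomobject]@{
    SecurityGroupsOU          = $ouDN
    MissingUSGs               = $missing -join '; '
    GroupsNotInStep2List      = $unexpected -join '; '
    NotUniversalSecurity      = $wrongType -join '; '
    InstallDomainServersFound = [bool]$eids
    InstallDomainServersScope = if ($eids) { $eids.GroupScope } else { '(not found)' }
    MemberOfExchangeServers   = $eidsIsMember
} | Format-List
```

Empty values for MissingUSGs and NotUniversalSecurity, a Global scope for Exchange Install Domain Servers, and MemberOfExchangeServers set to True match what the two verification lists describe. If the last value is False in a child domain shortly after setup, the replication wait described above is the likely cause.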
HOW DO YOU KNOW THIS WORKED?
DO THE FOLLOWING TO VERIFY THAT ACTIVE DIRECTORY HAS BEEN SUCCESSFULLY PREPARED:
In the Configuration naming context, verify that the msExchProductId property in the CN=<your organization>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain> container is set to the value shown for your version of Exchange 2013 in the table in Exchange 2013 Active Directory versions.
NOTE:
If the msExchProductId property is set to the correct value for the version of Exchange 2013 you installed, Active Directory has been successfully prepared. You do not need to check any of the remaining values in this list. The information below is for information purposes only and for those who separate the PrepareSchema and PrepareAD steps.
In the Schema naming context, verify that the rangeUpper property on ms-Exch-Schema-Version-Pt is set to the value shown for your version of Exchange 2013 in the table in Exchange 2013 Active Directory versions.
In the Configuration naming context, verify that the objectVersion property in the CN=<your organization>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain> container is set to the value shown for your version of Exchange 2013 in the table in Exchange 2013 Active Directory versions.
In the Default naming context, verify that the objectVersion property in the Microsoft Exchange System Objects container under DC=<root domain> is set to the value shown for your version of Exchange 2013 in the table in Exchange 2013 Active Directory versions.
You can also check the Exchange setup log to verify that Active Directory preparation has completed successfully. For more information, see Verify an Exchange 2013 Installation.
NOTE:
You will not be able to use the Get-ExchangeServer cmdlet mentioned in the Verify an Exchange 2013 Installation topic until you have completed the installation of at least one Mailbox server role and one Client Access server role in an Active Directory site.
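The four directory values listed under "How do you know this worked?" can be read in one pass. The following is an added example, not part of the original procedure; it assumes Windows PowerShell 3.0 or later with the ActiveDirectory module (RSAT-ADDS), and it takes the expected values as parameters because they must come from the Exchange 2013 Active Directory versions table for the build you installed.

```powershell
# Added example: compare the version attributes stamped by Setup with expected values.
# Only -ExpectedProductId is mandatory; the other three are for organizations that
# run PrepareSchema and PrepareAD as separate steps.
param(
    [Parameter(Mandatory = $true)] [string] $ExpectedProductId,
    [int] $ExpectedRangeUpper,
    [int] $ExpectedOrgObjectVersion,
    [int] $ExpectedDomainObjectVersion
)
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

$dse = Get-ADRootDSE

# Schema naming context: rangeUpper on the Exchange schema version attribute.
$schemaVer = Get-ADObject -Identity "CN=ms-Exch-Schema-Version-Pt,$($dse.schemaNamingContext)" `
    -Properties rangeUpper

# Configuration naming context: the organization container under CN=Microsoft Exchange.
$org = @(Get-ADObject -SearchBase "CN=Microsoft Exchange,CN=Services,$($dse.configurationNamingContext)" `
        -SearchScope OneLevel -LDAPFilter '(objectClass=msExchOrganizationContainer)' `
        -Properties objectVersion, msExchProductId)
if ($org.Count -ne 1) {
    throw "Expected one Exchange organization container, found $($org.Count)."
}

# Root domain: the Microsoft Exchange System Objects container.
$meso = Get-ADObject -Identity "CN=Microsoft Exchange System Objects,$($dse.rootDomainNamingContext)" `
    -Server (Get-ADForest).RootDomain -Properties objectVersion

# Build one result row; values that were not supplied are reported, not judged.
function New-Check($Name, $Actual, $Expected, [bool] $Supplied) {
    [pscustomobject]@{
        Check    = $Name
        Actual   = $Actual
        Expected = if ($Supplied) { $Expected } else { '(not supplied)' }
        Result   = if (-not $Supplied) { 'Skipped' }
                   elseif ("$Actual" -eq "$Expected") { 'OK' }
                   else { 'MISMATCH' }
    }
}

@(
    New-Check 'msExchProductId (organization)' $org[0].msExchProductId $ExpectedProductId $true
    New-Check 'rangeUpper (schema)' $schemaVer.rangeUpper $ExpectedRangeUpper `
        ($PSBoundParameters.ContainsKey('ExpectedRangeUpper'))
    New-Check 'objectVersion (organization)' $org[0].objectVersion $ExpectedOrgObjectVersion `
        ($PSBoundParameters.ContainsKey('ExpectedOrgObjectVersion'))
    New-Check 'objectVersion (System Objects)' $meso.objectVersion $ExpectedDomainObjectVersion `
        ($PSBoundParameters.ContainsKey('ExpectedDomainObjectVersion'))
) | Format-Table -AutoSize
```

The schema and configuration values are read from whichever domain controller the session binds to, so a mismatch immediately after running Setup can mean the change has not yet replicated there.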