16.2 Preparing Active Directory for Exchange 2000

Before you can install the first Exchange 2000 server in Active Directory, you have to prepare your forest. The Exchange setup program provides two options called /forestprep and /domainprep, which perform various tasks such as extending the schema, creating groups, creating containers for Exchange, and setting permissions on those containers. Due to the extent of changes caused by running these commands and the elevated privileges required to do so, it is imperative that AD administrators have a thorough understanding of what they do.

16.2.1 Forestprep

The Forestprep option of the Exchange 2000 setup extends the schema and makes some changes to the Configuration container. Forestprep must be run before Domainprep can be executed and subsequently before you can install your first Exchange 2000 server. The user that runs Forestprep must be a member of both the Enterprise Admins and Schema Admins groups. Here is a list of some of the tasks Forestprep takes care of:

  • Extends the schema with close to 2000 schema additions and modifications. Forestprep effectively doubles the number of classes and attributes in the default Active Directory schema. Several attributes are also added to the partial attribute set replicated to Global Catalog servers; in a Windows 2000 forest that triggers a full resync of every Global Catalog.

  • Creates the Exchange organization with the following distinguished name:

  • This container is where Exchange stores most of its data in Active Directory, including the address lists, administrative groups, recipient policies, and other global settings.

  • Grants full control rights to the designated user or group over the Exchange organization. The rights granted are equivalent to the Exchange Full Administrator rights when using the Exchange Delegation of Control wizard.

Due to the massive number of schema extensions, you should consider running Forestprep on the Schema FSMO role owner. Schema changes can only be written on that domain controller, so running Forestprep elsewhere only adds a network hop for each of the roughly 2000 updates. Before moving on to Domainprep, you must ensure that the schema extensions and the objects created by Forestprep have replicated to every domain controller in the forest.

16.2.2 Domainprep

After you've successfully run Forestprep, you need to run Domainprep in any domain in which you plan to install an Exchange 2000 server or have mail-enabled users. The user that runs Domainprep must be a member of the Domain Admins group for the target domain. Some of the tasks performed during Domainprep include the following:

  • Creates a container for the System mailboxes under cn=Microsoft Exchange System Objects,<DomainDN>

  • Creates the Exchange Domain Servers global group, which is the default location for new Exchange 2000 servers in the domain.

  • Creates the Exchange Enterprise Servers domain local group. The Recipient Update Service eventually adds all the Exchange Domain Servers groups from each domain to this group.

  • The Exchange admin account specified during Forestprep is granted administrative control over the Exchange Domain Servers and Exchange Enterprise Servers groups.

  • Grants the "Manage audit and security log" privilege to the Exchange Enterprise Servers group on the Domain Controller Security Policy.

Note that after Domainprep completes, the Exchange administrators will only have the rights to add Exchange servers to the domain. They will not have the privileges to create mailboxes for users. To do that, you will need to grant them Account Operators or equivalent rights.

16.2.3 Running Forestprep and Domainprep

To run Forestprep or Domainprep, insert an Exchange 2000 Server CD into a computer where you are logged in with the appropriate credentials as described earlier. To run Forestprep, run the following command (replace E: with your CD drive letter):

> E:\setup\i386\setup /forestprep

To complete the Forestprep wizard, you will need to know the name of the Exchange organization you want to create and the user or group account that should be given Exchange Full Administrator rights. If you are joining an existing Exchange 5.5 organization, you'll need to know the name of that organization and the Exchange 5.5 service account and password.

After Forestprep completes, you should wait until the schema extensions have replicated across your forest. Domainprep will fail to complete if the targeted server has not received the Forestprep changes. If you are still running Windows 2000, the replication delay may be significant due to the Global Catalog sync that is caused by Forestprep adding to the partial attribute set. You may even want to run Domainprep several days after Forestprep to ensure that everything has replicated. Because of replication improvements and the fact that a Global Catalog sync is no longer required in Windows Server 2003 Active Directory, you can expect a shorter replication period if you've upgraded your forest to the Windows Server 2003 forest functional level.

To run Domainprep, run the following command (replace E: with your CD drive letter):

> E:\setup\i386\setup /domainprep

After Domainprep has run and replicated throughout the domain, your Exchange administrators should then be able to install Exchange 2000 servers. One other caveat to be aware of when installing Exchange servers is that the subnet the Exchange servers are on must be in the Active Directory site topology or else the setup process will fail.
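The three checks this section asks you to make by hand (the prep account's group memberships, Forestprep having replicated to every domain controller, and the Domainprep objects being present in the target domain) can be scripted. The following is an added example written for this edition, not code from the book or from Microsoft. It uses plain LDAP through System.DirectoryServices so it runs without the ActiveDirectory PowerShell module, and it talks to each domain controller by name rather than trusting whichever one you happen to be bound to. Assumptions not stated on the page: you run it on a domain-joined machine as the account that will run setup, and `$ExpectedSchemaVersion` is the `rangeUpper` value of the `ms-Exch-Schema-Version-Pt` schema object for the build you are installing (4397 for Exchange 2000; confirm the value against your own installation media).

```powershell
# Added example (not from the book): verify the prerequisites and replication state
# this section tells you to check before and after Forestprep/Domainprep.
# Uses System.DirectoryServices (plain LDAP), so no ActiveDirectory module is needed.
# Assumptions: run on a domain-joined machine as the account that will run setup;
# $ExpectedSchemaVersion is the rangeUpper of ms-Exch-Schema-Version-Pt for the
# build being installed (4397 for Exchange 2000; confirm against your media).
param(
    [string]$TargetDomainDn = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext,
    [int]$ExpectedSchemaVersion = 4397
)

$rootDse  = [ADSI]"LDAP://RootDSE"
$configDn = [string]$rootDse.configurationNamingContext
$schemaDn = [string]$rootDse.schemaNamingContext
$rootDn   = [string]$rootDse.rootDomainNamingContext
$results  = New-Object System.Collections.ArrayList

function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    [void]$results.Add((New-Object PSObject -Property @{ Check = $Check; Pass = $Pass; Detail = $Detail }))
}
function Test-LdapExists([string]$Dn, [string]$Server = "") {
    $path = if ($Server) { "LDAP://$Server/$Dn" } else { "LDAP://$Dn" }
    [System.DirectoryServices.DirectoryEntry]::Exists($path)
}
function Find-LdapObjects([string]$SearchRootDn, [string]$Filter, [string[]]$Props) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$SearchRootDn")
    $s.Filter = $Filter
    $s.PageSize = 500
    foreach ($p in $Props) { [void]$s.PropertiesToLoad.Add($p) }
    $s.FindAll()
}
function Get-DomainSid([string]$DomainDn) {
    $bytes = (New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainDn")).Properties["objectSid"][0]
    New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
}

# 1. Group membership, checked by well-known RID against the logon token so that
#    localized group names do not matter: Schema Admins (518) and Enterprise Admins (519)
#    live in the forest root domain, Domain Admins (512) in the domain being prepped.
$tokenSids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object { $_.Value }
$rootSid   = Get-DomainSid $rootDn
$targetSid = Get-DomainSid $TargetDomainDn
Add-Result "Forestprep: Schema Admins"     ($tokenSids -contains "$rootSid-518")   "$rootSid-518"
Add-Result "Forestprep: Enterprise Admins" ($tokenSids -contains "$rootSid-519")   "$rootSid-519"
Add-Result "Domainprep: Domain Admins"     ($tokenSids -contains "$targetSid-512") "$targetSid-512"

# 2. Forestprep replication: ask every DC in the forest directly for the schema
#    version object, since Domainprep fails on a DC that has not received it yet.
$versionDn = "CN=ms-Exch-Schema-Version-Pt,$schemaDn"
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
foreach ($domain in $forest.Domains) {
    foreach ($dc in $domain.DomainControllers) {
        try {
            $version = $null
            if (Test-LdapExists $versionDn $dc.Name) {
                $e = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($dc.Name)/$versionDn")
                $version = [int]$e.Properties["rangeUpper"][0]
            }
            Add-Result "Forestprep replicated to $($dc.Name)" ($version -eq $ExpectedSchemaVersion) "rangeUpper=$version"
        } catch {
            Add-Result "Forestprep replicated to $($dc.Name)" $false "unreachable: $($_.Exception.Message)"
        }
    }
}
$servicesDn = "CN=Microsoft Exchange,CN=Services,$configDn"
$orgNames = @()
if (Test-LdapExists $servicesDn) {
    $orgNames = @(Find-LdapObjects $servicesDn "(objectClass=msExchOrganizationContainer)" @("cn") |
        ForEach-Object { $_.Properties["cn"][0] })
}
Add-Result "Forestprep: organization container" ($orgNames.Count -gt 0) ($orgNames -join ", ")

# 3. Domainprep objects in the target domain: the system objects container and the
#    two groups, located by search so their container does not have to be assumed.
$sysObjDn = "CN=Microsoft Exchange System Objects,$TargetDomainDn"
Add-Result "Domainprep: System Objects container" (Test-LdapExists $sysObjDn) $sysObjDn
foreach ($g in "Exchange Domain Servers", "Exchange Enterprise Servers") {
    $found = @(Find-LdapObjects $TargetDomainDn "(&(objectClass=group)(cn=$g))" @("distinguishedName"))
    $detail = if ($found.Count -eq 1) { $found[0].Properties["distinguishedName"][0] } else { "missing" }
    Add-Result "Domainprep: group $g" ($found.Count -eq 1) $detail
}

$results | Format-Table Check, Pass, Detail -AutoSize
```

Run it once before Forestprep (expect the membership rows to pass and everything else to fail), again before Domainprep (every "replicated to" row must pass, on every DC, not just most of them), and once more after Domainprep. A DC that reports "unreachable" is not a pass; Domainprep and the later server installs will bind to whichever DC the locator hands them, so an unreachable DC is exactly the one that will bite you later.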

16.2.4 Other Considerations

Microsoft split the install into separate Forestprep, Domainprep, and server-setup passes, but you have the option of doing it all at once. If the user who installs the first Exchange server is a member of both the Enterprise Admins and Schema Admins groups, the setup process performs the Forestprep and Domainprep functions itself. Splitting the install is nonetheless the better practice: it confines the Schema Admins and Enterprise Admins credentials to the two preparation steps, so the people who install the servers never need them, and it gives you a checkpoint at which to confirm replication before the first server install.

When you implement Exchange 2000, keeping the Active Directory site topology up to date becomes even more important. The Exchange installation process will abort if the server's subnet does not map to a site in the topology. Exchange also uses the site topology to decide which domain controllers and Global Catalog servers its directory lookups should go to; if a server's subnet does not map to a site, those lookups could be directed at a remote domain controller.

Perhaps the most significant impact of Exchange 2000 on Active Directory is the dependencies it places in regard to domain controller location. The general best practice recommendation is to have domain controllers on the same subnet as your Exchange servers. This isn't feasible in all situations, so as long as the domain controllers are relatively close from a network perspective, you should be OK. The latency between the Exchange servers and domain controllers should be less than 100 ms.
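The two conditions just described (the server's subnet must map to a site, and the domain controllers it will use should be within about 100 ms) can be checked from the prospective Exchange server before setup is run. The following is an added example, not code from the book; it asks Active Directory which site this computer falls in, shows which of that site's subnet objects actually covers the server's IPv4 addresses, and pings the domain controllers in the site. It assumes it is run on the server that will host Exchange, that ICMP is allowed between that server and the domain controllers, and that `$MaxLatencyMs` (defaulting to the 100 ms figure above) is the threshold you care about.

```powershell
# Added example (not from the book): confirm this computer's subnet maps to a site
# and measure round-trip time to the domain controllers in that site.
# Assumptions: run on the prospective Exchange server; ICMP is permitted to the DCs;
# ICMP round-trip time is used as a stand-in for LDAP latency. IPv4 subnets only.
param([int]$MaxLatencyMs = 100, [int]$Samples = 5)

function ConvertTo-UInt32([System.Net.IPAddress]$Ip) {
    $v = [uint64]0
    foreach ($b in $Ip.GetAddressBytes()) { $v = $v * 256 + $b }   # big-endian to integer
    $v
}
function Test-InSubnet([System.Net.IPAddress]$Ip, [string]$Cidr) {
    if ($Ip.AddressFamily -ne 'InterNetwork') { return $false }
    $net, $bits = $Cidr.Split('/')                                   # site subnet names are "network/prefix"
    $netIp = [System.Net.IPAddress]::Parse($net)
    if ($netIp.AddressFamily -ne 'InterNetwork') { return $false }
    $mask = [uint64]4294967295 - ([uint64][math]::Pow(2, 32 - [int]$bits) - 1)
    ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $netIp) -band $mask)
}

# 1. Which site does AD place this server in? Exchange setup aborts if the answer is "none".
try {
    $site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()
} catch {
    throw "No site covers this server's IP address ($($_.Exception.Message)). Add its subnet under Sites and Services before running setup."
}
$localIps = [System.Net.Dns]::GetHostAddresses([System.Net.Dns]::GetHostName()) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' }
$matched = foreach ($ip in $localIps) {
    foreach ($subnet in $site.Subnets) {
        if (Test-InSubnet $ip $subnet.Name) { "$ip in $($subnet.Name)" }
    }
}
"Site: $($site.Name)"
"Matched subnets: $($matched -join '; ')"

# 2. Round-trip time to each domain controller in that site against the threshold.
$ping = New-Object System.Net.NetworkInformation.Ping
foreach ($dc in $site.Servers) {
    $rtts = @()
    for ($i = 0; $i -lt $Samples; $i++) {
        $reply = $ping.Send($dc.Name, 2000)
        if ($reply.Status -eq 'Success') { $rtts += $reply.RoundtripTime }
    }
    if ($rtts.Count -eq 0) {
        New-Object PSObject -Property @{ DC = $dc.Name; AvgMs = $null; Ok = $false; Note = 'no ICMP reply' }
        continue
    }
    $avg = ($rtts | Measure-Object -Average).Average
    New-Object PSObject -Property @{ DC = $dc.Name; AvgMs = [math]::Round($avg, 1); Ok = ($avg -lt $MaxLatencyMs); Note = '' }
}
```

An empty "Matched subnets" line with a site name still printed means the site assignment came from somewhere other than a subnet object (for example a cached site name), which is worth investigating before you trust it. A DC with no ICMP reply is inconclusive rather than slow; check LDAP reachability to it separately.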
