Widnetwork Solution is a company that provides ICT solutions and collaboration in automobile sales, such as motorcycles.
Tuesday, August 25, 2009
Monday, August 3, 2009
ACTIVE DIRECTORY AND EXCHANGE DOCUMENTATION
Upgrade to Windows 2008 Domain Controllers (ADPREP)
Preparing to Run ADPREP /forestprep
ADPREP /forestprep makes modifications to the schema. In order to successfully run it you should:
Have a good system state backup for every domain controller in your forest, or at the very least a good system state backup for one domain controller for each domain in the forest.
Be logged on as a user that belongs to the Domain Admin, Schema Admin and Enterprise Admin groups in the forest root domain.
Ensure that you are running Windows 2000 SP4 or later on all domain controllers in the forest.
You must run ADPREP /forestprep on your schema master.
If you are running Exchange 2000 in your environment refer to KB article 325379 How to upgrade Windows 2000 domain controllers to Windows Server 2003.
Ensure replication is working throughout the entire forest, including that all domain controllers are up and running and that the schema master has been up long enough for a complete replication cycle to happen for the Schema partition.
So let’s go through all these preparatory steps in detail.
First you should perform a system state backup on all of your domain controllers using either Windows Backup (NTBackup) or a third-party backup tool. This step is necessary if you find that your schema is incompatible and you need to roll back to a previous state.
Next, check to see if your account has the appropriate group memberships. Open Active Directory Users and Computers, right-click the account you are using to do the upgrade and choose Properties. Select the Member Of tab. If you do not see Domain Admins, Enterprise Admins and Schema Admins, add the ones you are missing. Log off and back on, then run whoami /groups in a command prompt to verify the groups are in your security token.
ADPREP /forestprep will check to see if you are running at least Windows 2000 SP4. If you have Windows 2000 domain controllers in your environment you should upgrade them all to SP4. You can download SP4 from here - Windows 2000 Service Pack 4 for IT professionals.
Next, check to see if you are logged on to your schema master. There are two ways to accomplish this. One is to run regsvr32 schmmgmt.dll so you can load the Active Directory Schema snap-in. Open a new MMC and add Active Directory Schema. Right-click on the words Active Directory Schema and choose Operations Master. Another alternative is to run netdom query fsmo from a command prompt. Netdom is part of the Windows Server 2003 Support Tools.
There are known issues with upgrading a Windows 2000 domain with Exchange 2000 running in the environment. There are different scenarios with different steps in KB article 325379 to address problems that have been encountered in the upgrade process. You will be performing one of the scenarios regardless. It is just a matter of which scenario you will have to perform.
The final verification is to check and make sure replication is working. To do this install the Windows Server 2003 Support Tools if you do not have them already installed. Run repadmin /showreps from a command prompt. You are looking for Last attempt @ date\time was successful. Any errors should be addressed before attempting to run ADPREP /forestprep. NOTE: ADPREP /forestprep will only check to see if replication is working on your schema master. It will not check the replication status of all DCs in your environment. Repadmin /showreps will only check the DC that you focus it on. In order to check the entire environment you will want to run repadmin /replsum. This command will give you the status of your entire environment. You will want to fix any errors you have with replication prior to running ADPREP /forestprep.
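The group-membership and replication checks described above can be combined into one gate that is run before the schema is touched. This is an added example, not part of the original post; it assumes the column layout of repadmin /showrepl * /csv shown in the sample, and the sample SIDs, DC names, site and domain are constructed placeholders.

```powershell
# Added example: pre-flight gate for ADPREP /forestprep (not from the original post).
# Sample inputs are constructed; the CSV column names are an assumption to verify
# against the output of your own repadmin version.

# RIDs of the three groups the page requires. 518 and 519 exist only in the forest
# root domain; 512 exists in every domain, so a RID match alone does not prove the
# Domain Admins membership is in the forest root.
$Required = @(
    @{ Rid = 512; Name = 'Domain Admins' },
    @{ Rid = 518; Name = 'Schema Admins' },
    @{ Rid = 519; Name = 'Enterprise Admins' }
)

function Get-MissingAdminGroup {
    # $TokenSids: SID strings present in the logon token (what whoami /groups lists).
    param([string[]]$TokenSids)
    foreach ($g in $Required) {
        $pattern = '^S-1-5-21-\d+-\d+-\d+-{0}$' -f $g.Rid
        if (-not ($TokenSids -match $pattern)) { $g.Name }
    }
}

function Get-ReplicationProblem {
    # $CsvLines: lines produced by `repadmin /showrepl * /csv`.
    param([string[]]$CsvLines)
    foreach ($row in ($CsvLines | ConvertFrom-Csv)) {
        $failures = [int]$row.'Number of Failures'
        # Any row repadmin did not tag showrepl_INFO is treated as a problem, not ignored.
        if ($row.showrepl_COLUMNS -ne 'showrepl_INFO' -or $failures -gt 0) {
            [pscustomobject]@{
                Destination = $row.'Destination DSA'
                Source      = $row.'Source DSA'
                Partition   = $row.'Naming Context'
                Failures    = $failures
                LastStatus  = $row.'Last Failure Status'
                IsSchema    = $row.'Naming Context' -like 'CN=Schema,CN=Configuration,*'
            }
        }
    }
}

function Test-ForestPrepReady {
    param([string[]]$TokenSids, [string[]]$CsvLines)
    $missing  = @(Get-MissingAdminGroup -TokenSids $TokenSids)
    $problems = @(Get-ReplicationProblem -CsvLines $CsvLines)
    foreach ($m in $missing) { Write-Warning "Logon token lacks $m" }
    foreach ($p in $problems) {
        $tag = if ($p.IsSchema) { 'SCHEMA PARTITION' } else { 'partition' }
        Write-Warning ('{0} <- {1} {2} [{3}] failures={4} status={5}' -f `
            $p.Destination, $p.Source, $tag, $p.Partition, $p.Failures, $p.LastStatus)
    }
    return ($missing.Count -eq 0 -and $problems.Count -eq 0)
}

# Constructed sample: Schema Admins is absent from the token, and one inbound
# link for the Schema partition on DC02 is failing.
$SampleSids = @(
    'S-1-5-21-1111111111-2222222222-3333333333-513',
    'S-1-5-21-1111111111-2222222222-3333333333-512',
    'S-1-5-21-1111111111-2222222222-3333333333-519'
)
$SampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Site-A,DC01,"CN=Schema,CN=Configuration,DC=example,DC=test",Site-A,DC02,RPC,0,0,2009-08-03 09:12:44,0
showrepl_INFO,Site-A,DC02,"CN=Schema,CN=Configuration,DC=example,DC=test",Site-A,DC01,RPC,3,2009-08-03 09:40:10,2009-08-02 22:01:05,1722
showrepl_INFO,Site-A,DC02,"DC=example,DC=test",Site-A,DC01,RPC,0,0,2009-08-03 09:41:00,0
'@ -split '\r?\n'

Test-ForestPrepReady -TokenSids $SampleSids -CsvLines $SampleCsv

# On the schema master, feed live data instead of the samples:
#   $sids = [Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object { $_.Value }
#   $csv  = repadmin /showrepl * /csv
#   Test-ForestPrepReady -TokenSids $sids -CsvLines $csv
```

The gate only reports; it does not confirm that the machine is the schema master, which still needs netdom query fsmo or the Schema snap-in as described above.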
Running ADPREP /forestprep
Now you are ready to prepare your forest. This procedure takes a while depending on the speed of your computer so do not interrupt it. Insert your Windows Server 2008 DVD into the DVD drive on the schema master.
Open a command prompt.
Change your drive letter to the DVD drive. If you do not have a DVD drive on your schema master you can copy the Sources\Adprep folder to your local drive and run it from the copy.
Change into the Sources\Adprep directory.
Run ADPREP /forestprep.
You will get a warning that you need to be running Windows 2000 SP4 or later.
Type C and press Enter.
You will see a series of updates from LDF files.
If all goes well, you will see ADPREP successfully updated the forest-wide information.
Preparing to Run ADPREP /domainprep
After a successful completion of ADPREP /forestprep, you will be ready to run ADPREP /domainprep. ADPREP /domainprep must be run against each domain that you wish to upgrade.
Prerequisites
In order to run ADPREP /domainprep you should:
Have successfully completed ADPREP /forestprep.
Be a domain admin for the domain you are running it on.
Be at Windows 2000 Native Mode Domain Functional level.
Have access to the Infrastructure Master.
Wait for the schema changes to replicate throughout the environment, or at least the Infrastructure Master must have the schema updates replicated to it.
Note: Upgrading from Windows 2000 is not supported. For more information see Guide for Upgrading to Windows 2008.
Running ADPREP /Domainprep
Insert the Windows Server 2008 DVD. Open a command prompt.
Change your drive letter to the DVD drive.
Change your directory to Sources\Adprep.
Run ADPREP /domainprep.
For a better understanding of what will occur running the ADPREP /Domainprep command, I have referenced the KB article Enhancements to ADPREP.exe in Windows Server 2003 Service Pack 1(Q324392). The More Information section describes the functionality post-Windows 2003 SP1, including the Windows 2008 ADPREP.
Preparing to Run ADPREP /domainprep /gpprep
ADPREP /domainPrep /gpprep only adds the inheritable access control entries on Group Policy objects in the Sysvol share. If you run it prior to running adprep /domainprep it will run both functions, first the domain prep and then the GP prep.
Prerequisites
In order to run ADPREP /domainprep /gpprep you should:
Have completed the prerequisites for ADPREP /domainprep.
Have Sysvol\Sysvol\Policies\{Default Domain and Default Domain Controller GPO guids} in place.
a. In Windows Explorer, navigate to your Sysvol\Sysvol\Domain\Policies folder.
b. Verify the following GUIDs are in place:
{31B2F340-016D-11D2-945F-00C04FB984F9}
{6AC1786C-016F-11D2-945F-00C04FB984F9}
Note: Upgrading from Windows 2000 is not supported. For more information see Guide for Upgrading to Windows 2008.
Running ADPREP /domainprep /gpprep
Insert the Windows Server 2008 DVD.
Open a command prompt.
Change your drive letter to the DVD drive.
Change your directory to Sources\Adprep.
Run ADPREP /domainprep /gpprep.
ADPREP /domainprep /gpprep without running adprep /domainprep first.
ADPREP /domainprep /gpprep after running adprep /domainprep
Preparing to Run ADPREP /rodcprep
RODCs (Read-Only Domain Controllers) are a cool new feature added in Windows Server 2008. The benefits of an RODC in certain domain configurations are well worth the effort of learning and implementing them. For more information on the benefits, see RODC Features on TechNet. If you intend to introduce them into your environment you will have to run ADPREP /rodcprep. This command prepares partitions in Active Directory so RODCs can be used by adding security to the ForestDNS, DomainDNS, and Domain partitions.
Prerequisites
In order to run ADPREP /domainprep /rodcprep you should:
Be a Domain Admin and Enterprise Admin.
Be able to contact all Infrastructure Master role holders in the forest.
Note: ADPREP /rodcprep will let you run it without first running ADPREP /forestprep and ADPREP /domainprep; however, this is not recommended.
Running ADPREP /rodcprep
Insert the Windows Server 2008 DVD.
Open a command prompt.
Change your drive letter to the DVD drive.
Change your directory to Sources\Adprep.
Run ADPREP /domainprep /rodcprep.
That concludes this post on running ADPREP. Running through the steps in order should eliminate many of the problems you might otherwise encounter.
DOCUMENTATION ON EXCHANGE AND ACTIVE DIRECTORY
Before installing Microsoft Exchange 2003 Server, you must prepare your Windows 2003 forest. The Microsoft Active Directory Schema must be extended to store Exchange 2003 attributes and classes, and permissions must be granted to the user or group who will be installing the first Exchange 2003 server in the forest. In every domain that will host either an Exchange 2003 server or mail-enabled users, two security groups must be created.
These security groups are used to perform administrative functions when the Exchange team members are different from the Windows team members (which is normal in larger enterprises), but more on this later.
The Exchange 2003 Server CD contains two Setup Switches to accomplish these tasks:
ForestPrep and
DomainPrep.
When you use the /ForestPrep option, the Exchange Setup program extends the Active Directory schema to add Exchange-specific classes and attributes.
ForestPrep also creates the container object for the Exchange 2003 organization in the domain naming context of Active Directory, and it assigns, to the account that you specify, Exchange Full Administrative permissions to the organization object.
This account now has the authority to install and manage Exchange 2003 throughout the forest, along with the authority to assign other administrators Exchange Full Administrative permissions after the first Exchange server is installed.
Requirements
Forest wide permissions to manage Active Directory
Member of the Enterprise Administrators and Schema Administrators groups
Member of the local Administrators group
Why Do You Need ForestPrep and DomainPrep?
Larger organizations do not want their messaging administrator team to have high-level domain or enterprise rights because these tasks will be done by experienced Windows Administrators.
It is common for Exchange administrators to be in a separate team from the Windows / Active Directory Administration team.
For organizations that don’t have a structure like the one stated, ForestPrep and DomainPrep separate the Exchange 2003 setup tasks that require high-level network permissions from those that do not.
For example, Windows 2003 administrators with EnterpriseAdmin and SchemaAdmin permissions run ForestPrep, during which they designate an account as the Exchange 2003 administrator. This Exchange administrator will have enough rights (after both utilities are run) to perform the actual Exchange 2003 installation.
Note: If the user who installs Exchange is a member of the EnterpriseAdmin and SchemaAdmin groups, Forestprep and Domainprep will be automatically executed.
Most deployment scenarios require you to run ForestPrep for successful Exchange 2003 installation. As a general formula keep in mind that when the administrator doesn’t have EnterpriseAdmin and SchemaAdmin permissions, you must run ForestPrep.
When you install Exchange 2003 in a child domain, you must first run ForestPrep in the parent domain. If you don’t do this, Setup will prompt you to do so when you attempt to install in the child domain.
ForestPrep in detail
ForestPrep performs all Exchange 2003 setup tasks that require EnterpriseAdmin and SchemaAdmin permissions, as it makes changes in the configuration naming container in Active Directory. ForestPrep extends your Active Directory schema to include Exchange-specific information. ForestPrep also creates objects in Active Directory and gives permissions on those objects to the account designated as the Exchange 2003 administrator. This administrator will have enough permission to install the first Exchange 2003 server in your organization.
ForestPrep also creates the Exchange organization name and object in Active Directory. New in Exchange 2003 Forestprep is the creation of a placeholder Organization object. Setup will create a “temporary” organization with a hard-coded name. (That name is a GUID: “{335A1087-5131-4D45-BE3E-3C6C7F76F5EC}”.) Setup can delegate the first Exchange administrator on this object; create the Exchange configuration underneath it, and so on. Later, when setup is run to install the first server in the organization – by someone who is an Exchange administrator – setup can rename the existing placeholder object, either to a user-specified name or to match the name of an Exchange 5.5 organization. The final naming is decided by the answer to the “Installation Type” screen.
You need to run ForestPrep only once per Windows 2003 forest.
Be sure to type the command exactly as in Figure 1, because a mistyped command will start a normal Exchange setup without the /Forestprep option.
Figure 1: SETUP /FORESTPREP
Important: After ForestPrep and DomainPrep are run, the designated Exchange administrator has only enough permission to install Exchange. By default, this account is not able to create accounts or give users mailboxes unless this account is also a member of the Account Operators group.
You can grant administrators permissions to create and administer Windows accounts within your Exchange organization by making them Account Operators or by using the following two methods. Both methods use the Active Directory Users and Computers snap-in. The first is to run the Windows 2003 Delegation of Control Wizard and grant your Exchange administrator control of the Users container. The second is to create a new group specifically for Exchange users within the Users container and grant the Exchange administrator full control of that new group.
You need to gather the following information before running this utility. ForestPrep prompts for different information depending on whether you are installing a new Exchange 2003 organization or joining an existing Exchange 5.5 organization.
New Installation
For a new installation of Exchange 2003 Server, the network administrator needs to have the following information before running ForestPrep:
The name of the Exchange 2003 organization
The account of the person or group who will install the first Exchange 2003 server in your organization
Note: Once Exchange is installed, this person or group is able to create other Exchange administrators by using the Exchange Administration Delegation Wizard.
Graphical Setup mode of Forestprep
Figure 2: Graphical Forestprep option
When Is It Unnecessary to Run ForestPrep?
You should run ForestPrep before installing your first Exchange 2003 server—regardless of your organization’s topology. However, there are some scenarios (such as in a small business) in which ForestPrep might not be required.
ForestPrep and DomainPrep both run automatically during Setup, but only if the Exchange administrator account is a member of the SchemaAdmin and EnterpriseAdmin groups and if the first Exchange 2003 server installation takes place in the same domain as the Schema Master.
When this is the case, you do not need to manually execute either utility. By default, the account with which you have logged on becomes the designated Exchange 2003 administrator.
Allow Time for Replication
After you run ForestPrep, be sure to allow enough time for the schema extensions to replicate throughout all the domains and sub-domains in your organization. Depending on the geography of your organization and the speed of your network connections between Windows 2003 sites or domains, this could take some time. You should run DomainPrep only after you’re sure that the Exchange-specific information has been replicated across your organization.
DomainPrep in detail
The DomainPrep utility performs the Exchange setup tasks that require DomainAdmin permissions; it should be run by a member of the DomainAdmin group. You need to run DomainPrep once in each domain that contains an Exchange 2003 server and in any domain that hosts Exchange users. These are domains without Exchange servers but with mail enabled users. Domainprep is necessary for the recipient update service (RUS) and to create the groups and permissions necessary for Exchange servers to read and modify user attributes.
DomainPrep creates two new domain groups: Exchange Domain Servers (a Windows 2003 global security group) and Exchange Enterprise Servers (a Windows 2003 domain local security group).
DomainPrep also creates the Public Folder proxy container in Active Directory. While ForestPrep works in the forest-wide configuration naming container, the Public Folder object (a Microsoft Exchange System Object) exists outside this container (this is the reason why you can’t see public folders with ADSIEDIT, LDP or other LDAP tools). DomainPrep creates this object on a per-domain basis, under the domain container.
Exchange Domain Servers Group
The Exchange Domain Servers global security group contains the computer accounts of all Exchange servers in the domain. Though it is created by DomainPrep, the Exchange Domain Servers group is not populated until the actual installation of Exchange 2003.
The Exchange Domain Servers group is necessary for the Recipient Update Service, which is needed in every domain of your Exchange organization. This includes user domains, which do not contain Exchange servers but do have mail-enabled users. Recipient Update Service is used by Exchange to generate and update default and customized address lists and to process changes made to recipient policies.
Exchange Enterprise Servers Group
The Exchange Enterprise Servers group (a domain local group type) contains every Exchange Domain Servers group (a domain local group type) in your organization. In other words, every domain with an Exchange server, along with every domain in which DomainPrep has been run and that has an active Recipient Update Service, belongs to the Exchange Enterprise Servers group.
This group is populated immediately when DomainPrep adds the Exchange Domain Servers group from the current domain to it. Recipient Update Service adds the Exchange Domain Servers groups from all other domains that have an active Recipient Update Service.
You must meet the following requirements before you run DomainPrep:
The account that runs DomainPrep must belong to the domain’s DomainAdmin group.
ForestPrep must have already been run in your Windows 2003 forest.
The schema extensions made by ForestPrep to Active Directory must have already replicated throughout your organization.
When is it unnecessary to Run DomainPrep?
DomainPrep should be executed before installing the first Exchange 2003 server. DomainPrep is not necessary when:
The account that is installing the first Exchange 2003 server in the domain is an Exchange Full Administrator and a member of the DomainAdmins group
The person who is installing Exchange has EnterpriseAdmin permissions.
In both scenarios, DomainPrep runs automatically as a hidden process during the Exchange 2003 setup.
When must you Run DomainPrep?
For DomainPrep to work correctly, you must run it:
After running ForestPrep, and after all ForestPrep changes are replicated throughout the forest.
Before the Exchange 2003 administrator designated through ForestPrep can install the first Exchange 2003 server in the domain.
Whenever you must create a Recipient Update Service (RUS) for a domain with mail-enabled users.
It is also necessary to run Domainprep in an empty Forest Root Domain because RUS must use it.
Active Directory Connector (ADC)
ADC, first introduced in Exchange 2003, updates the Active Directory Schema during installation, regardless of whether Active Directory was already updated through the Exchange 2003 Forestprep and Domainprep process.
The Exchange 2003 version of ADC uses the same schema extensions as Exchange 2003. So if you install ADC, the setup process updates the Active Directory Schema and you don’t need to update the Schema with Exchange 2003 Forestprep, and vice versa.
How to see if FORESTPREP and DOMAINPREP were successful
In Exchange 2000 you have to use tools like ADSIEDIT to see if FORESTPREP and DOMAINPREP were successful.
With Exchange 2003 you can use the ORGPREPCHECK switch from the EXDEPLOY tools.
ORGPREPCHECK
Run ORGPREPCHECK at a command prompt
CD-ROM_Drive_Letter:\support\exdeploy\exdeploy.exe /gc:global catalog server name /t:orgprepcheck
View the EXDEPLOY.LOG file in C:\EXDEPLOY LOGS to see if the setup /forestprep command and the setup /domainprep command have completed successfully.
Figure 3: EXDEPLOY /ORGPREPCHK Switch
ORGPREPCHECK verifies the Exchange extensions to the Active Directory Schema, the existence and membership of the Exchange Domain Servers group and Exchange Enterprise Servers Group and checks that a global catalog Server is available in a domain in which DOMAINPREP has been run. The result is displayed in the EXDEPLOY.LOG file.
Figure 4: EXDEPLOY.LOG file
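The group properties described in the DomainPrep sections (scope of each group and the nesting of one inside the other) can also be checked directly from directory attributes. This is an added example, not code from the article or from the Exchange deployment tools; the function name, the sample objects and the DC=example,DC=test domain are constructed.

```powershell
# Added example: evaluate the two groups Exchange DomainPrep is described as creating.
# Sample objects are constructed; DC=example,DC=test is a placeholder domain.

# groupType flag bits as stored in Active Directory.
$GROUP_GLOBAL       = 0x00000002   # ADS_GROUP_TYPE_GLOBAL_GROUP
$GROUP_DOMAIN_LOCAL = 0x00000004   # ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP
$GROUP_SECURITY     = 0x80000000   # ADS_GROUP_TYPE_SECURITY_ENABLED

function Test-ExchangeDomainPrepGroups {
    param(
        # Objects with Name, DistinguishedName, GroupType (int) and Member (DN strings).
        [object[]]$Groups
    )
    $findings = @()
    $eds = $Groups | Where-Object { $_.Name -eq 'Exchange Domain Servers' }
    $ees = $Groups | Where-Object { $_.Name -eq 'Exchange Enterprise Servers' }

    if (-not $eds) {
        $findings += 'Exchange Domain Servers group not found'
    } else {
        if (($eds.GroupType -band $GROUP_GLOBAL) -eq 0) {
            $findings += 'Exchange Domain Servers is not a global group'
        }
        if (($eds.GroupType -band $GROUP_SECURITY) -eq 0) {
            $findings += 'Exchange Domain Servers is not security-enabled'
        }
        # An empty member list is expected until the first Exchange server is
        # installed, so it is deliberately not reported as a finding.
    }

    if (-not $ees) {
        $findings += 'Exchange Enterprise Servers group not found'
    } else {
        if (($ees.GroupType -band $GROUP_DOMAIN_LOCAL) -eq 0) {
            $findings += 'Exchange Enterprise Servers is not a domain local group'
        }
        if (($ees.GroupType -band $GROUP_SECURITY) -eq 0) {
            $findings += 'Exchange Enterprise Servers is not security-enabled'
        }
        if ($eds -and (@($ees.Member) -notcontains $eds.DistinguishedName)) {
            $findings += 'Exchange Enterprise Servers does not contain this domain''s Exchange Domain Servers group'
        }
    }
    $findings
}

# Constructed sample: both groups exist with the described scopes, but the
# nesting of Exchange Domain Servers inside Exchange Enterprise Servers is missing.
$Sample = @(
    [pscustomobject]@{
        Name              = 'Exchange Domain Servers'
        DistinguishedName = 'CN=Exchange Domain Servers,CN=Users,DC=example,DC=test'
        GroupType         = -2147483646   # global + security-enabled
        Member            = @()
    },
    [pscustomobject]@{
        Name              = 'Exchange Enterprise Servers'
        DistinguishedName = 'CN=Exchange Enterprise Servers,CN=Users,DC=example,DC=test'
        GroupType         = -2147483644   # domain local + security-enabled
        Member            = @()
    }
)

Test-ExchangeDomainPrepGroups -Groups $Sample

# Against a live domain, build the same objects from an LDAP query:
#   $s = [adsisearcher]'(&(objectCategory=group)(|(cn=Exchange Domain Servers)(cn=Exchange Enterprise Servers)))'
#   $live = $s.FindAll() | ForEach-Object {
#       [pscustomobject]@{
#           Name              = [string]$_.Properties['cn'][0]
#           DistinguishedName = [string]$_.Properties['distinguishedname'][0]
#           GroupType         = [int]$_.Properties['grouptype'][0]
#           Member            = @($_.Properties['member'])
#       }
#   }
#   Test-ExchangeDomainPrepGroups -Groups $live
```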
Conclusion
As you have seen in this article, FORESTPREP and DOMAINPREP are not so mystical when you understand the basics. FORESTPREP and DOMAINPREP are necessary components to update the Active Directory Schema to support Exchange 2000 / 2003.
Please keep in mind that Forestprep updates the Windows 2003 Active Directory Schema and ALL this information must be replicated to all Domain Controllers in the Forest.
Related Links
How to verify successful Exchange 2003 Forestprep: http://hellomate.typepad.com/exchange/2003/10/forestprep_and_.html
Manual Schema Changes Are Lost When You Apply Exchange Server 2003 Schema over Exchange 2000 Server Schema: http://support.microsoft.com/default.aspx?scid=kb;en-us;818583
How the Exchange 2003 Active Directory Connector Setup Process Updates the Schema: http://support.microsoft.com/default.aspx?scid=kb;en-us;822589
Permissions that you must have to install Active Directory Connector in Exchange Server 2003: http://support.microsoft.com/default.aspx?scid=kb;en-us;818473
Security Setting Changes and Updates That Are Introduced in Exchange Server 2003: http://support.microsoft.com/default.aspx?scid=kb;en-us;818473
Security Setting Changes and Updates That Are Introduced in Exchange Server 2003: http://support.microsoft.com/default.aspx?scid=kb;en-us;824111
Exchange 2003 Setup Program Does Not Display the Installation Type Screen After You Run the /Forestprep Switch: http://support.microsoft.com/default.aspx?scid=kb;en-us;829360
Running Exchange 2000 FORESTPREP after You Run Exchange 2003 FORESTPREP Allows You to Install Exchange 2000 but Creates a GUID for the Organization Name: http://support.microsoft.com/default.aspx?scid=kb;en-us;820112
Preparing to Run ADPREP /forestprep
ADPREP /forestprep makes modifications to the schema. In order to successfully run it you should:
Have a good system state backup for every domain controller in your forest, or at the very least a good system state backup for one domain controller for each domain in the forest.
Be logged on as a user that belongs to the Domain Admin, Schema Admin and Enterprise Admin groups in the forest root domain.
Ensure that you are running Windows 2000 SP4 or later on all domain controllers in the forest.
You must run ADPREP /forestprep on your schema master.
If you are running Exchange 2000 in your environment refer to KB article 325379 How to upgrade Windows 2000 domain controllers to Windows Server 2003.
Ensure replication is working throughout the entire forest, including that all domain controllers are up and running and that the schema master has been up long enough for a complete replication cycle to happen for the Schema partition.
So let’s go through all these preparatory steps in detail
First you should perform a system state backup on all of your domain controllers using either Windows Backup (NTBackup) or a third-party backup tool. This step is necessary if you find that your schema is incompatible and you need to roll back to a previous state.
Next, check to see if your account has the appropriate group memberships. Open Active Directory Users and Computers, right-click the account you are using to do the upgrade and choose Properties. Select the Member Of tab. If you do not see Domain Admins, Enterprise Admins and Schema Admins, add the ones you are missing. Log off and back on, then run whoami /groups in a command prompt to verify the groups are in your security token.
ADPREP /forestprep will check to see if you are running at least Windows 2000 SP4. If you have Windows 2000 domain controllers in your environment you should upgrade them all to SP4. You can download SP4 from here - Windows 2000 Service Pack 4 for IT professionals.
Next, check to see if you are logged on to your schema master. There are two ways to accomplish this. One is to run regsvr32 schmmgmt.dll so you can load the Active Directory Schema snap-in. Open a new MMC and add Active Directory Schema. Right-click on the words Active Directory Schema and choose Operations Master. Another alternative is to run netdom query fsmo from a command prompt. Netdom is part of the Windows Server 2003 Support Tools.
There are known issues with upgrading a Windows 2000 domain with Exchange 2000 running in the environment. There are different scenarios with different steps in KB article 325379 to address problems that have been encountered in the upgrade process. You will be performing one of the scenarios regardless. It is just a matter of which scenario you will have to perform.
The final verification is to check and make sure replication is working. To do this install the Windows Server 2003 Support Tools if you do not have them already installed. Run repadmin /showreps from a command prompt. You are looking for Last attempt @ date\time was successful. Any errors should be addressed before attempting to run ADPREP /forestprep. NOTE: ADPREP /forestprep will only check to see if replication is working on your schema master. It will not check the replication status of all DCs in your environment. Repadmin /showreps will only check the DC that you focus it on. In order to check the entire environment you will want to run repadmin /replsum. This command will give you the status of your entire environment. You will want to fix any errors you have with replication prior to running ADPREP /forestprep.
Running ADPREP /forestprep
Now you are ready to prepare your forest. This procedure takes a while depending on the speed of your computer so do not interrupt it. Insert your Windows Server 2008 DVD into the DVD drive on the schema master.
Open a command prompt.
Change your drive letter to the DVD drive. If you do not have a DVD drive on your schema master you can copy the Sources\Adprep folder to your local drive and run it from the copy.
Change into the Sources\Adprep directory.
Run ADPREP /forestprep.
You will get a warning that you need to be running Windows 2000 SP4 or later.
Type C and press Enter.
You will see a series of updates from LDF files.
If all goes well, you will see ADPREP successfully updated the forest-wide information.
Preparing to Run ADPREP /domainprep
After a successful completion of ADPREP /forestprep, you will be ready to run ADPREP /domainprep. ADPREP /domainprep must be run against each domain that you wish to upgrade.
Prerequisites
In order to run ADPREP /domainprep you should:
Have successfully completed ADPREP /forestprep.
Be a domain admin for the domain you are running it on.
Be at Windows 2000 Native Mode Domain Functional level.
Have access to the Infrastructure Master.
Wait for the schema changes to replicate throughout the environment, or at least the Infrastructure Master must have the schema updates replicated to it.
Note: Upgrading from Windows 2000 is not supported. For more information see Guide for Upgrading to Windows 2008.
Running ADPREP /Domainprep
Insert the Windows Server 2008 DVD. Open a command prompt.
Change your drive letter to the DVD drive.
Change your directory to Sources\Adprep.
Run ADPREP /domainprep.
For a better understanding of what will occur running the ADPREP /Domainprep command, I have referenced the KB article Enhancements to ADPREP.exe in Windows Server 2003 Service Pack 1(Q324392). The More Information section describes the functionality post-Windows 2003 SP1, including the Windows 2008 ADPREP.
Preparing to Run ADPREP /domainprep /gpprep
ADPREP /domainPrep /gpprep only adds the inheritable access control entries on Group Policy objects in the Sysvol share. If you run it prior to running adprep /domainprep it will run both functions, first the domain prep and then the GP prep.
Prerequisites
In order to run ADPREP /domainprep /gpprep you should:
Have completed the prerequisites for ADPREP /domainprep.
Have Sysvol\Sysvol\Policies\{Default Domain and Default Domain Controller GPO guids} in place. a. In Windows Explorer Navigate to your Sysvol\Sysvol\Domain\Policies folder b. Verify the following GUIDs are inplace {31B2F340-016D-11D2-945F-00C04FB984F9} {6AC1786C-016F-11D2-945F-00C04FB984F9}
Note Upgrading from Windows 2000 is not supported. For more information see Guide for Upgrading to Windows 2008.
Running ADPREP /domainprep /gpprep
Insert the Windows Server 2008 DVD.
Open a command prompt.
Change your drive letter to the DVD drive.
Change your directory to Sources\Adprep.
Run ADPREP /domainprep /gpprep.
ADPREP /domainprep /gpprep without running adprep /domainprep first.
ADPREP /domainprep /gpprep after running adprep /domainprep
Preparing to Run ADPREP /rodcprep
RODC’s (Read-Only Domain Controllers) are a cool new feature added in Windows Server 2008. The benefits of a RODC in certain domain configurations are well worth the effort of learning and implementing them. For more information on the benefits, see RODC Features on TechNet. If you intend to introduce them into your environment you will have to run ADPREP /rodcprep. This command prepares partitions in Active Directory so RODC’s can be used by adding security to the ForestDNS, DomainDNS, and Domain partitions.
Prerequisites
In order to run ADPREP /domainprep /rodcprep you should:
Be a Domain Admin and Enterprise Admin.
Be able to contact all Infrastructure Master role holders in the forest.
Note ADPREP /rodcprep will let you run without first running ADPREP /forestprep and ADPREP /domainprep, however it is not recommended.
Running ADPREP /rodcprep
Insert the Windows Server 2008 DVD.
Open a command prompt.
Change your drive letter to the DVD drive.
Change your directory to Sources\Adprep.
Run ADPREP /domainprep /rodcprep.
That concludes this post on running ADPREP. Running through the steps in order should eliminate many of the problems you might otherwise encounter
DOCUMENTATION ON EXCHANGE AND ACTIVE DIRECTORY
Before installing Microsoft Exchange 2003 Server, you must prepare your Windows 2003 forest. The Microsoft Active Directory Schema must be extended to save Exchange 2003 attributes and claases and permissions must be granted to the user or group who will be installing the first Exchange 2003 server in the forest. In every domain that will host either an Exchange 2003 server or mail-enabled users, two security groups must be created.
These security groups are used to perform administrative functions when the Exchange team members are different from the Windows team member – which is normal in larger enterprises – but later.
The Exchange 2003 Server CD contains two Setup Switches to accomplish these tasks:
ForestPrep and
DomainPrep.
When you use the /ForestPrep option, the Exchange Setup program extends the Active Directory schema to add Exchange-specific classes and attributes.
ForestPrep also creates the container object for the Exchange 2003 organization in the domain naming context of Active Directory, and it assigns, to the account that you specify, Exchange Full Administrative permissions to the organization object.
This account now has the authority to install and manage Exchange 2003 throughout the forest, along with the authority to assign other administrators Exchange Full Administrative permissions after the first Exchange server is installed.Requirements
Forest wide permissions to manage Active Directory
Member of the Enterprise Administrators and Schema Administrators groups
Member of the local Administrators group
Why Do You Need ForestPrep and DomainPrep?
Larger organizations do not want their messaging administrator team to have high-level domain or enterprise rights because these tasks will be done by experienced Windows Administrators.
It is common for Exchange administrators to be in a separate team from the Windows / Active Directory Administration team.
For organizations that don’t have a structure like this stated, ForestPrep and DomainPrep separate the Exchange 2003 setup tasks that require high-level network permissions from those that do not.
For example, Windows 2003 administrators with EnterpriseAdmin and SchemaAdmin permissions run ForestPrep, during which they designate an account as the Exchange 2003 administrator. This Exchange administrator will have enough rights (after both utilities are run) to perform the actual Exchange 2003 installation.
Note: If the user who installs Exchange is a member of the EnterpriseAdmin and SchemaAdmin groups, ForestPrep and DomainPrep will be executed automatically.
Most deployment scenarios require you to run ForestPrep for successful Exchange 2003 installation. As a general formula keep in mind that when the administrator doesn’t have EnterpriseAdmin and SchemaAdmin permissions, you must run ForestPrep.
When you install Exchange 2003 in a child domain, you must first run ForestPrep in the parent domain. If you don’t do this, Setup will prompt you to do so when you attempt to install in the child domain.
ForestPrep in detail
ForestPrep performs all Exchange 2003 setup tasks that require EnterpriseAdmin and SchemaAdmin permissions, as it makes changes in the configuration naming container in Active Directory. ForestPrep extends your Active Directory schema to include Exchange-specific information. ForestPrep also creates objects in Active Directory and gives permissions on those objects to the account designated as the Exchange 2003 administrator. This administrator will have enough permission to install the first Exchange 2003 server in your organization.
ForestPrep also creates the Exchange organization name and object in Active Directory. New in Exchange 2003 Forestprep is the creation of a placeholder Organization object. Setup will create a “temporary” organization with a hard-coded name. (That name is a GUID: “{335A1087-5131-4D45-BE3E-3C6C7F76F5EC}”.) Setup can delegate the first Exchange administrator on this object; create the Exchange configuration underneath it, and so on. Later, when setup is run to install the first server in the organization – by someone who is an Exchange administrator – setup can rename the existing placeholder object, either to a user-specified name or to match the name of an Exchange 5.5 organization. The final naming is decided by the answer to the “Installation Type” screen.
You need to run ForestPrep only once per Windows 2003 forest.
Be sure to type the command exactly as in Figure 1, because a mistyped command will start a normal Exchange setup without the /Forestprep option.
Figure 1: SETUP /FORESTPREP
Important: After ForestPrep and DomainPrep are run, the designated Exchange administrator has only enough permission to install Exchange. By default, this account is not able to create accounts or give users mailboxes unless this account is also a member of the Account Operators group.
You can grant administrators permissions to create and administer Windows accounts within your Exchange organization by making them Account Operators or by using the following two methods. Both methods use the Active Directory Users and Computers snap-in. The first is to run the Windows 2003 Delegation of Control Wizard and grant your Exchange administrator control of the Users container. The second is to create a new group specifically for Exchange users within the Users container and grant the Exchange administrator full control of that new group.
You need to gather the following information before running this utility. ForestPrep prompts for different information depending on whether you are installing a new Exchange 2003 organization or joining an existing Exchange 5.5 organization.
New Installation
For a new installation of Exchange 2003 Server, the network administrator needs to have the following information before running ForestPrep:
The name of the Exchange 2003 organization
The account of the person or group who will install the first Exchange 2003 server in your organization
Note: Once Exchange is installed, this person or group is able to create other Exchange administrators by using the Exchange Administration Delegation Wizard.
Graphical Setup mode of Forestprep
Figure 2: Graphical Forestprep option
When Is It Unnecessary to Run ForestPrep?
You should run ForestPrep before installing your first Exchange 2003 server—regardless of your organization’s topology. However, there are some scenarios (such as in a small business) in which ForestPrep might not be required.
ForestPrep and DomainPrep both run automatically during Setup, but only if the Exchange administrator account is a member of the SchemaAdmin and EnterpriseAdmin groups and if the first Exchange 2003 server installation takes place in the same domain as the Schema Master.
When this is the case, you do not need to manually execute either utility. By default, the account with which you have logged on becomes the designated Exchange 2003 administrator.
Allow Time for Replication
After you run ForestPrep, be sure to allow enough time for the schema extensions to replicate throughout all the domains and sub-domains in your organization. Depending on the geography of your organization and the speed of your network connections between Windows 2003 sites or domains, this could take some time. You should run DomainPrep only after you’re sure that the Exchange-specific information has been replicated across your organization.
DomainPrep in detail
The DomainPrep utility performs the Exchange setup tasks that require DomainAdmin permissions; it should be run by a member of the DomainAdmin group. You need to run DomainPrep once in each domain that contains an Exchange 2003 server and in any domain that hosts Exchange users. These are domains without Exchange servers but with mail-enabled users. DomainPrep is necessary for the Recipient Update Service (RUS) and to create the groups and permissions necessary for Exchange servers to read and modify user attributes.
DomainPrep creates two new domain groups: Exchange Domain Servers (a Windows 2003 global security group) and Exchange Enterprise Servers (a Windows 2003 domain local security group).
DomainPrep also creates the Public Folder proxy container in Active Directory. While ForestPrep works in the forest-wide configuration naming container, the Public Folder object (a Microsoft Exchange System Object) exists outside this container (this is the reason why you can’t see public folders with ADSIEDIT, LDP or other LDAP tools). DomainPrep creates this object on a per-domain basis, under the domain container.
Exchange Domain Servers Group
The Exchange Domain Servers global security group contains the computer accounts of all Exchange servers in the domain. Though it is created by DomainPrep, the Exchange Domain Servers group is not populated until the actual installation of Exchange 2003.
The Exchange Domain Servers group is necessary for the Recipient Update Service, which is needed in every domain of your Exchange organization. This includes user domains, which do not contain Exchange servers but do have mail-enabled users. Recipient Update Service is used by Exchange to generate and update default and customized address lists and to process changes made to recipient policies.
Exchange Enterprise Servers Group
The Exchange Enterprise Servers group (a domain local group type) contains every Exchange Domain Servers group (a domain local group type) in your organization. In other words, every domain with an Exchange server, along with every domain in which DomainPrep has been run and that has an active Recipient Update Service, belongs to the Exchange Enterprise Servers group.
This group is populated immediately when DomainPrep adds the Exchange Domain Servers group from the current domain to it. Recipient Update Service adds the Exchange Domain Servers groups from all other domains that have an active Recipient Update Service.
You must meet the following requirements before you run DomainPrep:
The account that runs DomainPrep must belong to the domain’s DomainAdmin group.
ForestPrep must have already been run in your Windows 2003 forest.
The schema extensions made by ForestPrep to Active Directory must have already replicated throughout your organization.
When is it unnecessary to Run DomainPrep?
DomainPrep should be executed before installing the first Exchange 2003 server. DomainPrep is not necessary when:
The account that is installing the first Exchange 2003 server in the domain is an Exchange Full Administrator and a member of the DomainAdmins group
The person who is installing Exchange has EnterpriseAdmin permissions.
In both scenarios, DomainPrep runs automatically as a hidden process during the Exchange 2003 setup.
When must you Run DomainPrep?
For DomainPrep to work correctly, you must run it:
After running ForestPrep, and after all ForestPrep changes are replicated throughout the forest.
Before the Exchange 2003 administrator designated through ForestPrep can install the first Exchange 2003 server in the domain.
Whenever you must create a Recipient Update Service (RUS) for a domain with mail-enabled users.
It is also necessary to run Domainprep in an empty Forest Root Domain because RUS must use it.
Active Directory Connector (ADC)
ADC, first introduced in Exchange 2003, updates the Active Directory Schema during installation, regardless of whether Active Directory was already updated through the Exchange 2003 ForestPrep and DomainPrep process.
The Exchange 2003 version of ADC uses the same schema extensions as Exchange 2003. So if you install ADC, the setup process updates the Active Directory Schema and you don’t need to update the Schema with Exchange 2003 ForestPrep, and vice versa.
How to see if FORESTPREP and DOMAINPREP were successful
In Exchange 2000 you have to use tools like ADSIEDIT to see if FORESTPREP and DOMAINPREP were successful.
With Exchange 2003 you can use the ORGPREPCHECK switch from the EXDEPLOY tools.
ORGPREPCHECK
Run ORGPREPCHECK at a command prompt
CD-ROM_Drive_Letter:\support\exdeploy\exdeploy.exe /gc:global catalog server name /t:orgprepcheck
View the EXDEPLOY.LOG file in C:\EXDEPLOY LOGS to see if the setup /forestprep command and the setup /domainprep command have completed successfully.
Figure 3: EXDEPLOY /ORGPREPCHK Switch
ORGPREPCHECK verifies the Exchange extensions to the Active Directory Schema, the existence and membership of the Exchange Domain Servers group and Exchange Enterprise Servers Group and checks that a global catalog Server is available in a domain in which DOMAINPREP has been run. The result is displayed in the EXDEPLOY.LOG file.
Figure 4: EXDEPLOY.LOG file
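The group checks that ORGPREPCHECK reports can also be made directly against the directory. The following read-only PowerShell script is an added example, not part of the original article or of the EXDEPLOY tools; it assumes a domain-joined host and that both groups can be located by their cn, and it uses the standard groupType values for global and domain local security groups.

```powershell
# Added example: read-only audit of the two groups DomainPrep creates.
# Assumes a domain-joined host and that the groups are found by their cn.
$expected = @{
    'Exchange Domain Servers'     = -2147483646  # 0x80000002: global security group
    'Exchange Enterprise Servers' = -2147483644  # 0x80000004: domain local security group
}
$rootDse = [ADSI]'LDAP://RootDSE'
$domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"

function Find-Group([string]$Cn) {
    $filter = "(&(objectCategory=group)(cn=$Cn))"
    (New-Object System.DirectoryServices.DirectorySearcher($domain, $filter)).FindOne()
}
function Get-Members($Result) {
    # A SearchResult omits attributes that have no value, so test before indexing.
    if ($Result.Properties.Contains('member')) { $Result.Properties['member'] }
}

$found = @{}
foreach ($cn in $expected.Keys) {
    $r = Find-Group $cn
    if (-not $r) {
        Write-Warning "${cn}: not found (DomainPrep not run here, or not yet replicated)"
        continue
    }
    $type = [int]$r.Properties['grouptype'][0]
    if ($type -ne $expected[$cn]) { Write-Warning "${cn}: unexpected groupType $type" }
    $found[$cn] = $r
}

$eds = $found['Exchange Domain Servers']
$ees = $found['Exchange Enterprise Servers']
if ($eds) {
    # This group should hold Exchange server computer accounts only and stays
    # empty until Exchange is installed, so flag any other kind of member.
    foreach ($dn in @(Get-Members $eds)) {
        $class = ([ADSI]"LDAP://$dn").SchemaClassName
        if ($class -ne 'computer') { Write-Warning "Non-computer member ($class): $dn" }
    }
}
if ($eds -and $ees) {
    $edsDn = [string]$eds.Properties['distinguishedname'][0]
    if (@(Get-Members $ees) -notcontains $edsDn) {
        Write-Warning 'Exchange Domain Servers is not nested in Exchange Enterprise Servers'
    }
}
```

No output means both groups exist with the expected type, the nesting is in place, and Exchange Domain Servers contains only computer accounts. Because these groups carry permissions to read and modify user attributes, any warning about a non-computer member deserves follow-up.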
Conclusion
As you have seen in this article, FORESTPREP and DOMAINPREP are not so mystical when you understand the basics. FORESTPREP and DOMAINPREP are necessary components to update the Active Directory Schema to support Exchange 2000 / 2003.
Please keep in mind that Forestprep updates the Windows 2003 Active Directory Schema and ALL this information must be replicated to all Domain Controllers in the Forest.
Related Links
How to verify successful Exchange 2003 Forestprep: http://hellomate.typepad.com/exchange/2003/10/forestprep_and_.html
Manual Schema Changes Are Lost When You Apply Exchange Server 2003 Schema over Exchange 2000 Server Schema: http://support.microsoft.com/default.aspx?scid=kb;en-us;818583
How the Exchange 2003 Active Directory Connector Setup Process Updates the Schema: http://support.microsoft.com/default.aspx?scid=kb;en-us;822589
Permissions that you must have to install Active Directory Connector in Exchange Server 2003: http://support.microsoft.com/default.aspx?scid=kb;en-us;818473
Security Setting Changes and Updates That Are Introduced in Exchange Server 2003: http://support.microsoft.com/default.aspx?scid=kb;en-us;818473
Security Setting Changes and Updates That Are Introduced in Exchange Server 2003: http://support.microsoft.com/default.aspx?scid=kb;en-us;824111
Exchange 2003 Setup Program Does Not Display the Installation Type Screen After You Run the /Forestprep Switch: http://support.microsoft.com/default.aspx?scid=kb;en-us;829360
Running Exchange 2000 FORESTPREP after You Run Exchange 2003 FORESTPREP Allows You to Install Exchange 2000 but Creates a GUID for the Organization Name: http://support.microsoft.com/default.aspx?scid=kb;en-us;820112