PREPARE ACTIVE DIRECTORY AND DOMAINS FOR EXCHANGE 2013.pdf
Content
PREPARE ACTIVE DIRECTORY AND
DOMAINS FOR EXCHANGE 2013
APPLIES TO: EXCHANGE SERVER 2013
Before you install the release to manufacturing (RTM) version of Microsoft
Exchange Server 2013 or later cumulative updates (CU) on any servers in
your organization, you must prepare Active Directory and domains.
setup /PrepareSchema or setup /ps
setup /PrepareAD [/OrganizationName: <organization
name> ] or setup /p [/on:<organization name>]
setup /PrepareDomain or setup /pd
setup /PrepareAllDomains or setup /pad
BEFORE YOU BEGIN ENSURE
The computers on which you plan to install Exchange 2013 must
meet the system requirements. For details, see Exchange 2013
System Requirements.
Your domains and the domain controllers must meet the system
requirements in "Network and directory servers" in Exchange 2013
System Requirements.
For multiple domain organizations running the following /Prepare*
commands, we recommend the following:
Run the commands from an Active Directory site that has an
Active Directory server from every domain.
Run the first server role installation from an Active Directory
site with a writeable global catalog server from every
domain.
Verify that replication of objects from the preceding actions
is completed on the global catalog server in the Active
Directory site before installing the first Exchange 2013 server
to that site.
If you run the Exchange 2013 Setup wizard with an account that has
the permissions required (Schema Admins, Domain Admins, and
Enterprise Admins) to prepare Active Directory and the domain, the
wizard automatically prepares Active Directory and the domain. For
more information, see Install Exchange 2013 Using the Setup
Wizard. However, you must first install the Active Directory
management tools on the computer prior to preparing the schema
or domains. To do this, see the Active Directory preparation section
in Exchange 2013 Prerequisites.
You must specify
the /IAcceptExchangeServerLicenseTerms parameter when you run
setup.exe to accept the Exchange 2013 license terms.
TIP:
Having problems? Ask for help in the Exchange forums. Visit the
forums at: Exchange Server, Exchange Online, or Exchange Online
Protection
EXCHANGE 2013 ACTIVE DIRECTORY VERSIONS
The following table shows you the Exchange 2013 objects in Active
Directory that get updated each time you install a new version of Exchange
2013. You can compare the object versions you see with the values in the
table below to verify that the version of Exchange 2013 you installed
successfully updated Active Directory during installation.
PREPARE ACTIVE DIRECTORY AND DOMAINS
To track the progress of Active Directory replication, you can use the
repadmin tool (repadmin.exe), which is installed as part of the Windows
Server 2012 and Windows Server 2008 R2 Active Directory Domain
Services Tools (RSAT-ADDS) feature. For more information about how to
use repadmin, see Repadmin.
From a Command Prompt window, run the following command.
(If you want, you can skip this step and prepare the schema as
part of Step 2.)
setup /PrepareSchema or setup /ps
IMPORTANT:
If you have multiple forests in your organization, make sure that
you run your forest preparation from the correct Exchange
forest. Setup preparation makes configuration changes to your
forest, and it could configure a non-Exchange forest incorrectly.
NOTE:
It is not supported to use the LDIF Directory Exchange tool
(LDIFDE) to manually import the Exchange 2013 schema
changes. You must use Setup to update the schema.
1. THIS COMMAND PERFORMS THE FOLLOWING TASKS:
Connects to the schema master and imports LDAP Data
Interchange Format (LDIF) files to update the schema with
Exchange 2013 specific attributes. The LDIF files are copied
to the Temp directory and then deleted after they are
imported into the schema.
Sets the schema version (ms-Exch-Schema-Verision-Pt). To
see the version that should be shown after this command
completes, look up the version of Exchange 2013 you are
installing in the table in Exchange 2013 Active Directory
versions.
NOTE THE FOLLOWING:
To run this command, you must be a member of the Schema
Admins group and the Enterprise Admins group.
You must run this command on a 64-bit computer in the
same domain and in the same Active Directory site as the
schema master.
If you use the /DomainController parameter with this
command, you must specify the domain controller that is the
schema master.
After you run this command, you should wait for the changes
to replicate across your Exchange organization before
continuing to the next step. The amount of time this takes is
dependent upon your Active Directory site topology.
For more information, see Exchange 2013 Active Directory
Schema Changes.
2. From a Command Prompt window, run the following command.
setup /PrepareAD [/OrganizationName: <organization
name> ] or setup /p [/on:< organization name>]
THIS COMMAND PERFORMS THE FOLLOWING TASKS:
If the Microsoft Exchange container doesn't exist, this
command creates it under
CN=Services,CN=Configuration,DC=<root domain>
If no Exchange organization container exists under
CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain >, you must specify an organization name using
the /OrganizationName parameter. The organization
container will be created with the name that you specify.
The Exchange organization name can contain only the
following characters:
A through Z
a through z
0 through 9
No space (leading or trailing), no hyphen or dash
The organization name can't contain more than 64
characters. The organization name cannot be blank. If the
organization name contains spaces, you must enclose the
name in quotation marks (").
Verifies that the schema has been updated and that the organization is up
to date by checking the objectVersion property in Active Directory.
The objectVersion property is in the
CN=<your organization>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<domain>
container.
To see the version that should be shown after this command completes,
look up the version of Exchange 2013 you are installing in the table in
Exchange 2013 Active Directory versions.
Exchange 2013 Active Directory versions
The following table shows you the Exchange 2013 objects in Active Directory that get
updated each time you install a new version of Exchange 2013. You can compare the
object versions you see with the values in the table below to verify that the version of
Exchange 2013 you installed successfully updated Active Directory during installation.
Sets the msExchProductId value on the Exchange
organization object. The msExchProductId property is in the
CN=<your organization>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<dom
ain> container.
To see the version that should be shown after this command
completes, look up the version of Exchange 2013 you're
installing in the table in Exchange 2013 Active Directory
versions.
If the containers don't exist, creates the following containers
and objects under
CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>, which are required for Exchange
2013:
CN=Address Lists Container,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=AddressBook Mailbox
Policies,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Addressing,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Administrative Groups,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Approval Applications,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Auth Configuration,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Client Access,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Connections,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=ELC Folders Container,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=ELC Mailbox Policies,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=ExchangeAssistance,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Global Settings,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Hybrid Configuration,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Mobile Mailbox Policies,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Monitoring Settings,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=OWA Mailbox Policies,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Provisioning Policy
Container,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=RBAC,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Recipient Policies,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Remote Accounts Policies
Container,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Retention Policies
Container,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Retention Policy Tag
Container,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=ServiceEndpoints,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=System Policies,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Team Mailbox Provisioning
Policies,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Transport Settings,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=UM AutoAttendant,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=UM DialPlan,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=UM IPGateway,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=UM Mailbox Policies,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Workload Management
Settings,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
If it doesn't exist, creates the default Accepted Domains
entry, based on the forest root namespace, under:
CN=Transport
Settings,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
Assigns specific permissions throughout the configuration
partition.
Imports the Rights.ldf file. This adds the extended rights
required for Exchange to install into Active Directory.
Creates the Microsoft Exchange Security Groups
organizational unit (OU) in the root domain of the forest and
assigns specific permissions on this OU.
Creates the following management role groups within the
Microsoft Exchange Security Groups OU:
Compliance Management
Delegated Setup
Discovery Management
Help Desk
Hygiene Management
Managed Availability Servers
Organization Management
Public Folder Management
Recipient Management
Records Management
Server Management
UM Management
View-Only Organization Management
Adds the new universal security groups (USGs) that are
within the Microsoft Exchange Security Groups OU to
the otherWellKnownObjects attribute stored on the
CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain> container.
Creates the Unified Messaging Voice Originator contact in the
Microsoft Exchange System Objects container of the root
domain.
Prepares the local domain for Exchange 2013. For
information about what tasks are completed to prepare a
domain, see Step 3.
NOTE THE FOLLOWING:
To run this command, you must be a member of the Enterprise Admins
group.
The computer where you run this command must be able to
contact all domains in the forest on port 389.
You must run this command on a computer in the same
domain and in the same Active Directory site as the schema
master. Setup will make all configuration changes to the
schema master to avoid conflicts because of replication
latency.
After you run this command, you should wait for the changes
to replicate across your Exchange organization before
continuing to the next step. The amount of time this takes is
dependent upon your Active Directory site topology.
To verify that this step completed successfully, make sure
that there is a new OU in the root domain called
Microsoft Exchange Security Groups.
This OU should contain the following new Exchange USGs:
Compliance Management
Delegated Setup
Discovery Management
Exchange Servers
Exchange Trusted Subsystem
Exchange Windows Permissions
ExchangeLegacyInterop
Help Desk
Hygiene Management
Managed Availability Servers
Organization Management
Public Folder Management
Recipient Management
Records Management
Server Management
UM Management
View-Only Organization Management
3. From a Command Prompt window, run one of the following
commands:
Run setup
/PrepareDomain or setup /pd to prepare
the local domain. You do not need to run this in the domain
where you ran Step 2. Running
setup /PrepareAD prepares the local domain.
Run setup
/PrepareDomain:<FQDN of domain you
want to prepare> to prepare a specific domain.
Run
setup /PrepareAllDomains or setup /pad to
prepare all domains in your organization.
THESE COMMANDS PERFORM THE FOLLOWING TASKS:
If this is a new organization, creates the Microsoft Exchange
System Objects container in the root domain partition in
Active Directory and sets permissions on this container for
the Exchange Servers, Exchange Organization
Administrators, and Authenticated Users groups. This
container is used to store public folder proxy objects and
Exchange-related system objects, such as the mailbox
database's mailbox.
Sets the objectVersion property in the Microsoft
Exchange System Objects container under DC=<root
domain>. To see the version that should be shown after this
command completes, look up the version of Exchange 2013
you're installing in the table in Exchange 2013 Active
Directory versions.
Creates a domain global group in the current domain called
Exchange Install Domain Servers. The command places this
group in the Microsoft Exchange System Objects container. It
also adds the Exchange Install Domain Servers group to the
Exchange Servers USG in the root domain.
NOTE:
The Exchange Install Domain Servers group is used if you
install Exchange 2013 in a child domain that is an Active
Directory site other than the root domain. The creation of
this group allows you to avoid installation errors if group
memberships have not replicated to the child domain.
Assigns permissions at the domain level for the Exchange
Servers USG and the Organization Management USG.
NOTE THE FOLLOWING:
To run setup /PrepareAllDomains, you must be a member of the
Enterprise Admins group.
To run setup
/PrepareDomain, if the domain that you're
preparing existed before you ran setup /PrepareAD, you
must be a member of the Domain Admins group in the
domain. If the domain that you are preparing was created
after you ran setup /PrepareAD, you must be a member
of the Exchange Organization Administrators group, and you
must be a member of the Domain Admins group in the
domain.
For domains in an Active Directory site other than the root
domain, /PrepareDomain might fail with the following
messages:
"PrepareDomain for domain <YourDomain> has
partially completed. Because of the Active Directory site
configuration, you must wait at least 15 minutes for
replication to occur, and run PrepareDomain for
<YourDomain> again."
"Active Directory operation failed on <YourServer>.
This error is not retriable. Additional information: The
specified group type is invalid.
Active Directory response: 00002141: SvcErr: DSID031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0
The server cannot handle directory requests."
If you see these messages, wait for or force Active Directory
replication between this domain and the root domain, and
then run /PrepareDomain again.
You must run this command in every domain in which you
will install Exchange 2013. You must also run this command
in every domain that will contain mail-enabled users, even if
the domain does not have Exchange 2013 installed.
TO VERIFY THAT STEP 3 COMPLETED SUCCESSFULLY, CONFIRM
THE FOLLOWING:
You have a new global group in the Microsoft Exchange
System Objects container called Exchange Install Domain
Servers. (To view the Microsoft Exchange System Objects
container in Active Directory Users and Computers, on
the View menu, click Advanced Features.)
The Exchange Install Domain Servers group is a member of
the Exchange Servers USG in the root domain.
On each domain controller in a domain in which you will
install Exchange 2013, the Exchange Servers USG has
permissions on the Domain Controller Security Policy\Local
Policies\User Rights Assignment\Manage Auditing and
Security Log policy.
HOW DO YOU KNOW THIS WORKED?
DO THE FOLLOWING TO VERIFY THAT ACTIVE DIRECTORY HAS BEEN
SUCCESSFULLY PREPARED:
In the Configuration naming context, verify that
the msExchProductId property in the CN=<your
organization>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<domain> container
is set to the value shown for your version of Exchange 2013 in the
table in Exchange 2013 Active Directory versions.
NOTE:
If the msExchProductId property is set to the correct value
for the version of Exchange 2013 you installed, Active Directory
has been successfully prepared. You do not need to check any
of remaining values in this list. The information below is for
information purposes only and for those who separate
the PrepareSchema and PrepareAD steps.
In the Schema naming context, verify that
the rangeUpper property on ms-Exch-Schema-Verision-Pt is
set to the value shown for your version of Exchange 2013 in the
table in Exchange 2013 Active Directory versions.
In the Configuration naming context, verify that
the objectVersion property in the CN=<your
organization>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<domain> container
is set to the value shown for your version of Exchange 2013 in the
table in Exchange 2013 Active Directory versions.
In the Default naming context, verify that
the objectVersion property in the Microsoft Exchange System
Objects container under DC=<root domain is set to the value shown
for your version of Exchange 2013 in the table in Exchange 2013
Active Directory versions.
You can also check the Exchange setup log to verify that Active Directory
preparation has completed successfully. For more information, see Verify
an Exchange 2013 Installation.
NOTE:
You will not be able to use the Get-ExchangeServer cmdlet
mentioned in the Verify an Exchange 2013 Installation topic until you
have completed the installation of at least one Mailbox server role and
one Client Access server role in an Active Directory site.
DOMAINS FOR EXCHANGE 2013
APPLIES TO: EXCHANGE SERVER 2013
Before you install the release to manufacturing (RTM) version of Microsoft
Exchange Server 2013 or later cumulative updates (CU) on any servers in
your organization, you must prepare Active Directory and domains.
setup /PrepareSchema or setup /ps
setup /PrepareAD [/OrganizationName: <organization
name> ] or setup /p [/on:<organization name>]
setup /PrepareDomain or setup /pd
setup /PrepareAllDomains or setup /pad
BEFORE YOU BEGIN ENSURE
The computers on which you plan to install Exchange 2013 must
meet the system requirements. For details, see Exchange 2013
System Requirements.
Your domains and the domain controllers must meet the system
requirements in "Network and directory servers" in Exchange 2013
System Requirements.
For multiple domain organizations running the following /Prepare*
commands, we recommend the following:
Run the commands from an Active Directory site that has an
Active Directory server from every domain.
Run the first server role installation from an Active Directory
site with a writeable global catalog server from every
domain.
Verify that replication of objects from the preceding actions
is completed on the global catalog server in the Active
Directory site before installing the first Exchange 2013 server
to that site.
If you run the Exchange 2013 Setup wizard with an account that has
the permissions required (Schema Admins, Domain Admins, and
Enterprise Admins) to prepare Active Directory and the domain, the
wizard automatically prepares Active Directory and the domain. For
more information, see Install Exchange 2013 Using the Setup
Wizard. However, you must first install the Active Directory
management tools on the computer prior to preparing the schema
or domains. To do this, see the Active Directory preparation section
in Exchange 2013 Prerequisites.
You must specify
the /IAcceptExchangeServerLicenseTerms parameter when you run
setup.exe to accept the Exchange 2013 license terms.
TIP:
Having problems? Ask for help in the Exchange forums. Visit the
forums at: Exchange Server, Exchange Online, or Exchange Online
Protection
EXCHANGE 2013 ACTIVE DIRECTORY VERSIONS
The following table shows you the Exchange 2013 objects in Active
Directory that get updated each time you install a new version of Exchange
2013. You can compare the object versions you see with the values in the
table below to verify that the version of Exchange 2013 you installed
successfully updated Active Directory during installation.
PREPARE ACTIVE DIRECTORY AND DOMAINS
To track the progress of Active Directory replication, you can use the
repadmin tool (repadmin.exe), which is installed as part of the Windows
Server 2012 and Windows Server 2008 R2 Active Directory Domain
Services Tools (RSAT-ADDS) feature. For more information about how to
use repadmin, see Repadmin.
From a Command Prompt window, run the following command.
(If you want, you can skip this step and prepare the schema as
part of Step 2.)
setup /PrepareSchema or setup /ps
IMPORTANT:
If you have multiple forests in your organization, make sure that
you run your forest preparation from the correct Exchange
forest. Setup preparation makes configuration changes to your
forest, and it could configure a non-Exchange forest incorrectly.
NOTE:
It is not supported to use the LDIF Directory Exchange tool
(LDIFDE) to manually import the Exchange 2013 schema
changes. You must use Setup to update the schema.
1. THIS COMMAND PERFORMS THE FOLLOWING TASKS:
Connects to the schema master and imports LDAP Data
Interchange Format (LDIF) files to update the schema with
Exchange 2013 specific attributes. The LDIF files are copied
to the Temp directory and then deleted after they are
imported into the schema.
Sets the schema version (ms-Exch-Schema-Verision-Pt). To
see the version that should be shown after this command
completes, look up the version of Exchange 2013 you are
installing in the table in Exchange 2013 Active Directory
versions.
NOTE THE FOLLOWING:
To run this command, you must be a member of the Schema
Admins group and the Enterprise Admins group.
You must run this command on a 64-bit computer in the
same domain and in the same Active Directory site as the
schema master.
If you use the /DomainController parameter with this
command, you must specify the domain controller that is the
schema master.
After you run this command, you should wait for the changes
to replicate across your Exchange organization before
continuing to the next step. The amount of time this takes is
dependent upon your Active Directory site topology.
For more information, see Exchange 2013 Active Directory
Schema Changes.
2. From a Command Prompt window, run the following command.
setup /PrepareAD [/OrganizationName: <organization
name> ] or setup /p [/on:< organization name>]
THIS COMMAND PERFORMS THE FOLLOWING TASKS:
If the Microsoft Exchange container doesn't exist, this
command creates it under
CN=Services,CN=Configuration,DC=<root domain>
If no Exchange organization container exists under
CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain >, you must specify an organization name using
the /OrganizationName parameter. The organization
container will be created with the name that you specify.
The Exchange organization name can contain only the
following characters:
A through Z
a through z
0 through 9
No space (leading or trailing), no hyphen or dash
The organization name can't contain more than 64
characters. The organization name cannot be blank. If the
organization name contains spaces, you must enclose the
name in quotation marks (").
Verifies that the schema has been updated and that the organization is up
to date by checking the objectVersion property in Active Directory.
The objectVersion property is in the
CN=<your organization>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<domain>
container.
To see the version that should be shown after this command completes,
look up the version of Exchange 2013 you are installing in the table in
Exchange 2013 Active Directory versions.
Exchange 2013 Active Directory versions
The following table shows you the Exchange 2013 objects in Active Directory that get
updated each time you install a new version of Exchange 2013. You can compare the
object versions you see with the values in the table below to verify that the version of
Exchange 2013 you installed successfully updated Active Directory during installation.
Sets the msExchProductId value on the Exchange
organization object. The msExchProductId property is in the
CN=<your organization>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<dom
ain> container.
To see the version that should be shown after this command
completes, look up the version of Exchange 2013 you're
installing in the table in Exchange 2013 Active Directory
versions.
If the containers don't exist, creates the following containers
and objects under
CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>, which are required for Exchange
2013:
CN=Address Lists Container,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=AddressBook Mailbox
Policies,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Addressing,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Administrative Groups,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Approval Applications,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Auth Configuration,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Client Access,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Connections,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=ELC Folders Container,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=ELC Mailbox Policies,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=ExchangeAssistance,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Global Settings,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Hybrid Configuration,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Mobile Mailbox Policies,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Monitoring Settings,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=OWA Mailbox Policies,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Provisioning Policy
Container,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=RBAC,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Recipient Policies,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Remote Accounts Policies
Container,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Retention Policies
Container,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Retention Policy Tag
Container,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=ServiceEndpoints,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=System Policies,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Team Mailbox Provisioning
Policies,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Transport Settings,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=UM AutoAttendant,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=UM DialPlan,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=UM IPGateway,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=UM Mailbox Policies,CN=<Organization
Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
CN=Workload Management
Settings,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
If it doesn't exist, creates the default Accepted Domains
entry, based on the forest root namespace, under:
CN=Transport
Settings,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain>
Assigns specific permissions throughout the configuration
partition.
Imports the Rights.ldf file. This adds the extended rights
required for Exchange to install into Active Directory.
Creates the Microsoft Exchange Security Groups
organizational unit (OU) in the root domain of the forest and
assigns specific permissions on this OU.
Creates the following management role groups within the
Microsoft Exchange Security Groups OU:
Compliance Management
Delegated Setup
Discovery Management
Help Desk
Hygiene Management
Managed Availability Servers
Organization Management
Public Folder Management
Recipient Management
Records Management
Server Management
UM Management
View-Only Organization Management
Adds the new universal security groups (USGs) that are
within the Microsoft Exchange Security Groups OU to
the otherWellKnownObjects attribute stored on the
CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<roo
t domain> container.
Creates the Unified Messaging Voice Originator contact in the
Microsoft Exchange System Objects container of the root
domain.
Prepares the local domain for Exchange 2013. For
information about what tasks are completed to prepare a
domain, see Step 3.
NOTE THE FOLLOWING:
To run this command, you must be a member of the Enterprise Admins
group.
The computer where you run this command must be able to
contact all domains in the forest on port 389.
You must run this command on a computer in the same
domain and in the same Active Directory site as the schema
master. Setup will make all configuration changes to the
schema master to avoid conflicts because of replication
latency.
After you run this command, you should wait for the changes
to replicate across your Exchange organization before
continuing to the next step. The amount of time this takes is
dependent upon your Active Directory site topology.
To verify that this step completed successfully, make sure
that there is a new OU in the root domain called
Microsoft Exchange Security Groups.
This OU should contain the following new Exchange USGs:
Compliance Management
Delegated Setup
Discovery Management
Exchange Servers
Exchange Trusted Subsystem
Exchange Windows Permissions
ExchangeLegacyInterop
Help Desk
Hygiene Management
Managed Availability Servers
Organization Management
Public Folder Management
Recipient Management
Records Management
Server Management
UM Management
View-Only Organization Management
3. From a Command Prompt window, run one of the following
commands:
Run setup
/PrepareDomain or setup /pd to prepare
the local domain. You do not need to run this in the domain
where you ran Step 2. Running
setup /PrepareAD prepares the local domain.
Run setup
/PrepareDomain:<FQDN of domain you
want to prepare> to prepare a specific domain.
Run
setup /PrepareAllDomains or setup /pad to
prepare all domains in your organization.
THESE COMMANDS PERFORM THE FOLLOWING TASKS:
If this is a new organization, creates the Microsoft Exchange
System Objects container in the root domain partition in
Active Directory and sets permissions on this container for
the Exchange Servers, Exchange Organization
Administrators, and Authenticated Users groups. This
container is used to store public folder proxy objects and
Exchange-related system objects, such as the mailbox
database's mailbox.
Sets the objectVersion property in the Microsoft
Exchange System Objects container under DC=<root
domain>. To see the version that should be shown after this
command completes, look up the version of Exchange 2013
you're installing in the table in Exchange 2013 Active
Directory versions.
Creates a domain global group in the current domain called
Exchange Install Domain Servers. The command places this
group in the Microsoft Exchange System Objects container. It
also adds the Exchange Install Domain Servers group to the
Exchange Servers USG in the root domain.
NOTE:
The Exchange Install Domain Servers group is used if you
install Exchange 2013 in a child domain that is an Active
Directory site other than the root domain. The creation of
this group allows you to avoid installation errors if group
memberships have not replicated to the child domain.
Assigns permissions at the domain level for the Exchange
Servers USG and the Organization Management USG.
NOTE THE FOLLOWING:
To run setup /PrepareAllDomains, you must be a member of the
Enterprise Admins group.
To run setup
/PrepareDomain, if the domain that you're
preparing existed before you ran setup /PrepareAD, you
must be a member of the Domain Admins group in the
domain. If the domain that you are preparing was created
after you ran setup /PrepareAD, you must be a member
of the Exchange Organization Administrators group, and you
must be a member of the Domain Admins group in the
domain.
For domains in an Active Directory site other than the root
domain, /PrepareDomain might fail with the following
messages:
"PrepareDomain for domain <YourDomain> has
partially completed. Because of the Active Directory site
configuration, you must wait at least 15 minutes for
replication to occur, and run PrepareDomain for
<YourDomain> again."
"Active Directory operation failed on <YourServer>.
This error is not retriable. Additional information: The
specified group type is invalid.
Active Directory response: 00002141: SvcErr: DSID031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0
The server cannot handle directory requests."
If you see these messages, wait for or force Active Directory
replication between this domain and the root domain, and
then run /PrepareDomain again.
You must run this command in every domain in which you
will install Exchange 2013. You must also run this command
in every domain that will contain mail-enabled users, even if
the domain does not have Exchange 2013 installed.
TO VERIFY THAT STEP 3 COMPLETED SUCCESSFULLY, CONFIRM
THE FOLLOWING:
You have a new global group in the Microsoft Exchange
System Objects container called Exchange Install Domain
Servers. (To view the Microsoft Exchange System Objects
container in Active Directory Users and Computers, on
the View menu, click Advanced Features.)
The Exchange Install Domain Servers group is a member of
the Exchange Servers USG in the root domain.
On each domain controller in a domain in which you will
install Exchange 2013, the Exchange Servers USG has
permissions on the Domain Controller Security Policy\Local
Policies\User Rights Assignment\Manage Auditing and
Security Log policy.
HOW DO YOU KNOW THIS WORKED?
DO THE FOLLOWING TO VERIFY THAT ACTIVE DIRECTORY HAS BEEN
SUCCESSFULLY PREPARED:
In the Configuration naming context, verify that
the msExchProductId property in the CN=<your
organization>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<domain> container
is set to the value shown for your version of Exchange 2013 in the
table in Exchange 2013 Active Directory versions.
NOTE:
If the msExchProductId property is set to the correct value
for the version of Exchange 2013 you installed, Active Directory
has been successfully prepared. You do not need to check any
of remaining values in this list. The information below is for
information purposes only and for those who separate
the PrepareSchema and PrepareAD steps.
In the Schema naming context, verify that
the rangeUpper property on ms-Exch-Schema-Verision-Pt is
set to the value shown for your version of Exchange 2013 in the
table in Exchange 2013 Active Directory versions.
In the Configuration naming context, verify that
the objectVersion property in the CN=<your
organization>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<domain> container
is set to the value shown for your version of Exchange 2013 in the
table in Exchange 2013 Active Directory versions.
In the Default naming context, verify that
the objectVersion property in the Microsoft Exchange System
Objects container under DC=<root domain is set to the value shown
for your version of Exchange 2013 in the table in Exchange 2013
Active Directory versions.
You can also check the Exchange setup log to verify that Active Directory
preparation has completed successfully. For more information, see Verify
an Exchange 2013 Installation.
NOTE:
You will not be able to use the Get-ExchangeServer cmdlet
mentioned in the Verify an Exchange 2013 Installation topic until you
have completed the installation of at least one Mailbox server role and
one Client Access server role in an Active Directory site.
