1.4. Preparing Legacy Exchange Permissions
The first step in preparing your Exchange Server 2003 organization for Exchange Server 2010 is to grant specific Exchange permissions in each domain that contains Exchange Server 2003 computers. This is required to allow the Recipient Update Service in Exchange Server 2003 to function correctly after the schema changes for Exchange Server 2010 are applied to your Active Directory forest.
The legacy Exchange permissions are prepared by running the following command from a command prompt in the directory containing the Exchange Server 2010 setup files:
Setup /PrepareLegacyExchangePermissions
To prepare every domain in the forest, you must be a member of the Enterprise Admins group to run this command successfully. Otherwise, for a specific domain, or if the forest has only one domain, you must be an Exchange Full Administrator in the Exchange Server 2003 organization and a member of the Domain Admins group in the domain being prepared.
1.5. Extending the Active Directory Schema
The next step in preparing your environment for Exchange Server 2010 is extending the Active Directory schema. Exchange Server 2010 modifies a great number of the existing classes and attributes and adds many new attributes and classes to the schema. If the legacy Exchange permissions have not been prepared as outlined in Section 1.4, extending the schema will perform the PrepareLegacyExchangePermissions step as well as extend the Active Directory schema.
The following command extends the schema for Exchange Server 2010; run it from a command prompt in the Exchange Server 2010 setup directory:
Setup /PrepareSchema
To run this command successfully, you must have Schema Admins and Enterprise Admins privileges in the forest.
Exchange Server 2010 also marks numerous attributes for inclusion in the global catalog, which can impact your global catalog database size as well as Active Directory replication in your environment.
1.6. Preparing Active Directory for Exchange Server 2010
The final step in getting your Active Directory environment ready for Exchange Server 2010 is to run the Setup /PrepareAD command to prepare Active Directory. This command performs the following steps:
Verifies the Exchange Server 2010 schema updates.
Configures the Active Directory global Exchange objects.
Creates the Exchange universal security groups (USGs) in the root domain.
Sets permissions on the Exchange configuration objects.
Prepares the current domain.
An Exchange Server 2003 administrative group called Exchange Administrative Group (FYDIBOHF23SPDLT) and an Exchange Server 2003 routing group called Exchange Routing Group (DWBGZMFD01QNBJR) are created.
Another potential issue surrounding PrepareAD that should be considered is when, in Exchange Server 2003, an SMTP address is ambiguously non-authoritative—that is, the address space has been marked authoritative in one policy but non-authoritative in another. This configuration is illustrated in Figure 2; Contoso's primary address space (contoso.com) has been set as authoritative in the Sales recipient policy, but is set as non-authoritative in the Engineering policy.
If this is not detected and corrected before you run PrepareAD for Exchange Server 2010, mail flow issues within your Exchange Server 2003 environment may result because the PrepareAD process attempts to "correct" the ambiguity by making the address space in question consistently non-authoritative on all recipient policies.
The mail flow symptoms can include messages accumulating in deferred delivery queues on bridgeheads and not being delivered, and messages looping a small number of times between mailbox servers and these same bridgeheads. The Microsoft Exchange Team has produced a Windows PowerShell script that can detect these issues, although the corrective steps are a manual process. The script and a more detailed explanation of this issue can be found at http://msexchangeteam.com/archive/2008/09/05/449764.aspx.
If the issue is detected before Exchange Server 2010 PrepareAD is run, you simply need to correct the offending recipient policies to be either all authoritative or all non-authoritative prior to running PrepareAD. If PrepareAD has already been run, however, editing the offending recipient policies and restarting IIS on all Exchange Server 2003 computers is necessary to cause the IIS metabase to recognize the routing changes and resume normal mail flow.
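The consistency check described above, as an added example; it is not the Exchange Team's script. It assumes the recipient policy settings have already been exported to rows of (policy, address space, authoritative flag); the function name Find-AmbiguousAddressSpace, the row layout, and the fabrikam.com rows are hypothetical and constructed for illustration.

```powershell
# Constructed sample rows, one per (recipient policy, SMTP address space).
# contoso.com mirrors the Sales/Engineering conflict described in the text;
# fabrikam.com is a made-up, consistently configured address space.
$policyAddressSpaces = @(
    [pscustomobject]@{ Policy = 'Sales';       AddressSpace = 'contoso.com';  Authoritative = $true  }
    [pscustomobject]@{ Policy = 'Engineering'; AddressSpace = 'Contoso.com';  Authoritative = $false }
    [pscustomobject]@{ Policy = 'Sales';       AddressSpace = 'fabrikam.com'; Authoritative = $true  }
    [pscustomobject]@{ Policy = 'Engineering'; AddressSpace = 'fabrikam.com'; Authoritative = $true  }
)

# Hypothetical helper: returns one object per address space that is marked
# authoritative in at least one policy and non-authoritative in another.
function Find-AmbiguousAddressSpace {
    param(
        [Parameter(Mandatory = $true)]
        [object[]]$Rows
    )

    # Group-Object compares strings case-insensitively by default, so
    # 'contoso.com' and 'Contoso.com' land in the same group.
    foreach ($group in ($Rows | Group-Object -Property AddressSpace)) {
        $auth    = @($group.Group | Where-Object { $_.Authoritative })
        $nonAuth = @($group.Group | Where-Object { -not $_.Authoritative })

        if ($auth.Count -gt 0 -and $nonAuth.Count -gt 0) {
            [pscustomobject]@{
                AddressSpace       = $group.Name
                AuthoritativeIn    = ($auth    | ForEach-Object { $_.Policy }) -join ', '
                NonAuthoritativeIn = ($nonAuth | ForEach-Object { $_.Policy }) -join ', '
            }
        }
    }
}

$ambiguous = @(Find-AmbiguousAddressSpace -Rows $policyAddressSpaces)
if ($ambiguous.Count -gt 0) {
    $ambiguous | Format-Table -AutoSize
    # PrepareAD would make each listed address space non-authoritative on all policies.
    Write-Warning 'Make these address spaces consistent in every recipient policy before running Setup /PrepareAD.'
} else {
    Write-Output 'No ambiguously authoritative address spaces found.'
}
```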
Running the following command from the Exchange Server 2010 setup directory prepares Active Directory for Exchange Server 2010:
Setup /PrepareAD
If the Setup /PrepareLegacyExchangePermissions and Setup /PrepareSchema commands have not yet been run, PrepareAD will perform those steps as well. You need Enterprise Admins privileges to run this command, and the computer this command is run from must be able to contact all domains in the forest on port 389. You must also be an Exchange Full Administrator if you have Exchange Server 2003 servers in your organization, and the computer this command is run from must be in the same Active Directory site and domain as the schema master.