Exchange 2013 in Azure: Part 2 (Preparing Active Directory)

In this part of the posting, we will prepare the Active Directory environment for Exchange 2013. Before you begin, make sure to read the posting in the previous section in order to take note of Exchange 2013 prerequisites.

Domain Considerations:
– If you are going to install Exchange Server 2013 on in a Forest that hosts multiple domains, Microsoft recommends that you perform the preparation steps in a Active Directory Site that hosts all of the domains. This will greatly facilitate replication across Domain boundaries. In several production sites that I’ve worked in, we deployed a number of virtualized child domain controllers in a physical hub network site to facilitate replication.

Installation Steps:

1. Extend the Active Directory Schema
The schema is an essential part of Active Directory, as it ensures that attributes for each class of objects in the forest are standardized and consistent, to prevent replication errors from happening. Before you can install Exchange 2013, you need to update the schema so that existing object classes (such as users) can now have email-enabled attributes and new object classes specific to Microsoft Exchange can be created.

To perform this task, you will need to:
– Log into a DC that has the schema master FSMO role†, with an Administrative account that has both Enterprise Admin and Schema Admin privileges.

  • †You can locate the Schema Master role by connecting to a Domain Controller and using the dcdiag /test:knowsofroleholders /v command. The identity of the schema master is listed as:
  • Role Schema Owner = CN=NTDS Settings,CN=XYZDC01, CN=Servers,CN=Default First-Site-Name,CN=Sites,CN=Configuration,DC=CorpXYZ,DC=com

There are a number of alternative ways to obtain the identity of the Schema Master and other FSMO role holders, check out this Knowledge Base article for more information.

– After logging in, ensure that you download the Microsoft Exchange Server installation file locally to the DC and extract the contents into a local folder.

– I’ve also fired up ADSI edit in order to review the Schema changes.

– From a command line prompt, navigate to the directory that you extracted the installation files to and type in the following command:

setup /IAcceptExchangeServerLicenseTerms /Prepareschema

This command will connect to the Schema Master and update the schema with Exchange 2013 Specific Attributes.

You can see this in action by viewing the Schema Partition in ADSI Edit and looking for attributes with the following prefix “CN=ms-Exch”. You can track the progress of the schema updates via ms-Exch-Schema-Version-Pt, which is a pointer that increments as each schema update is made. When the RangeUpper value gets to 15137, you will know that all of the schema updates have run smoothly. has a great posting on the schema versions corresponding to the different builds of Microsoft Exchange here.

Okay, now that we’ve completed updating our Schema, it might take a bit of time for replication to complete. There are a number of ways to verify that the Exchange 2013 schema updates have successfully replicated across the domain. One simple way is to check your replication event logs on destination DCs. Another way is to use the Repadm command line tool. Within the same domain, I like to use the command:

 Get-ADReplicationUpToDatenessVectorTable :domaincontrollername

You can validate replication consistency by comparing the UsnFilter attributes of the various domain controllers in the domain.

2. Prepare Active Directory for Exchange
The Active Directory Configuration Partition contains information about specific services (like Microsoft Exchange or Certificate Services) that Active Directory is aware of. We need to prepare the Active Directory Configuration partition to support Exchange 2013 servers by running the command:

     setup /IAcceptExchangeServerLicenseTerms/PrepareAD

The OrganizationName refers to the Instance name of your Microsoft Exchange Server installation. Note that you can only have one OrganizationName value per Active Directory Forest, so if you have an existing Exchange implementation in your AD forest, you would specify the OrganizationName of that implementation here.

In order to perform this task, you need to log on to a Domain Controller in the same domain as the Schema Master, and with Enterprise Admin group credentials. (As you will be making modifications to the Configuration partition of Active Directory which get replicated throughout the forest).

The PrepareAD process performs the following actions:

  • Creates the Microsoft Exchange Services container under  CN=Services,CN=Configuration,DC=<root domain>.
  • Creates the Exchange organization container with the OrganizationName parameter that you specify above, under CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain >
  • Validates the schema has been updated in CN=<your organization>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain> container to 15449.
  • Sets the msExchProductId of the Exchange organization object in the CN=<your organization>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain> container to 15.00.0516.032.
  • Creates the following containers which are required for Exchange Server 2013 to function in the Configuration Partition of Active Directory: Address Lists Container, AddressBook Mailbox Policies, Addressing, Administrative Groups, Auth Configuration, Client Access, Connections, ELC Folders Container, ELC Mailbox Policies, ExchangeAssistanceGlobal Settings, Hybrid Configuration, Mobile Mailbox Policies, Monitoring Settings, OWA Mailbox Policies, Provisioning Policy Container, RBAC, Recipient Policies, Remote Accounts Policies Container, Retention Policies Container, Retention Policy Tag Container, ServiceEndpoints, System Policies, Team Mailbox Provisioning Policies, Transport Settings, UM AutoAttendant, UM DialPlan, UM IPGateway, UM Mailbox Policies, Workload Management Settings.
  • Assigns extended rights for Exchange to install into Active Directory and creates the “Microsoft Exchange Security Groups” OU for each domain that you run this command in.
  • Creates a number of Management Role Groups into the “Microsoft Exchange Security Groups” OU and adds them to the otherWellKnownObjects attribute stored on the CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>.
  • Creates the Unified Messaging Voice Originator contact in the Microsoft Exchange System Objects container of the root domain.
  • Prepares the local domain for Exchange 2013. For information about what tasks are completed to prepare a domain, see Step 3.

You can view the updates to the Configuration Partition by firing up ADSIEdit.msc and connecting to the Configuration Partition. (Rightclick > ADSI Edit > Select Connect to > Select a well known Naming Context > Configuration).

Note that the configuration partition of Active Directory is consistent throughout the entire Forest, so note that any changes you make may take time to replicate throughout the forest too.

3. Prepare Active Directory Domains
We now need to prepare the individual Active Directory domains that will be hosting Exchange 2013 servers by running the command:

     setup /PrepareDomain:<FQDN of Domain>
     setup /PrepareAllDomains

The former command prepares a single domain and requires Domain Admin credentials for the specified domain; while the latter command prepares all domains in your forest and requires Enterprise Admin credentials.

Either variant of the PrepareDomain command performs the following tasks:

  • Creates the Microsoft Exchange System Objects container in the root domain partition in Active Directory and sets permissions on this container for the Exchange Servers, Exchange Organization Administrators, and Authenticated Users groups. This container is used to store public folder proxy objects and Exchange-related system objects, such as the mailbox database’s mailbox.
  • Sets the objectVersion property in the Microsoft Exchange System Objects container under DC=<root domain>. This objectVersion property contains the version of domain preparation. The version for Exchange 2013 is 13236.
  • Creates a domain global group in the current domain called Exchange Install Domain Servers. The command places this group in the Microsoft Exchange System Objects container. It also adds the Exchange Install Domain Servers group to the Exchange Servers USG in the root domain.
  • Assigns permissions at the domain level for the Exchange Servers USG and the Organization Management USG.

Run the command from a command prompt and at completion you should see the following:

To verify that this command successfully worked, you should be able to verify the following:

  • A new global group in the Microsoft Exchange System Objects container called Exchange Install Domain Servers. (Don’t forget to click Advanced Features in the View menu in Active Directory User and computers first.)
  • The Exchange Install Domain Servers group is a member of the Exchange Servers USG in the root domain.
  • The Exchange Servers USG has permissions on the Domain Controller Security Policy\Local Policies\User Rights Assignment\Manage Auditing and Security Log policy.

So to summarize, we performed the following tasks so far:

1. Performed /setup PrepareSchema on the Schema Master DC to extend the AD Schema
2. Performed /setup PrepareAD to prepare the Configuration Partition
3. Performed /setup PrepareDomain to create specific Security Groups and assign permissions to these groups

As you can see, the preparation steps are fairly straightforward and also similar to installation steps for older versons of Microsoft Exchange. In the next post, we will install Exchange 2013.

Road Chimp, over and out.


One thought on “Exchange 2013 in Azure: Part 2 (Preparing Active Directory)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s