Contents
Overview 1
Lesson 1: Deployment Tools 2
Lesson 2: ADC Tools 39
Lab 6.1 Exchange 2003 ADC replication
featuring Deployment and ADC Tools 71

Appendix A: Sample log files 86
Appendix B: Learning Measure Answers 107
Acknowledgments 107

Module 6: Deployment
Tools and ADC Tools

Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no
part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
Lesson 1: Deployment Tools Basic Overview History:
Customers that installed Exchange 2000 experienced a paradigm shift in the
complexity of the underlying operating system. With Windows 2000
introducing several new concepts, installers were burdened with learning the
differences in how Active Directory uses Domain Name System (DNS),
Lightweight Directory Access Protocol (LDAP), and a variety of new server
roles for establishing suitable infrastructures for Exchange 2000. Microsoft
Product Support Services learned that these infrastructures failed too often, or
were never configured correctly at their inception. Although many of the
support calls were caused by platform-level mishaps (such as improper DNS
configurations, Active Directory permission-misconfigurations, and lack of
connectivity to operations masters), more daunting challenges existed for
migrations from Exchange 5.5. These Exchange 5.5 migration challenges were
often
 discouraging customers from deploying Exchange 2000. (For example, a
customer might find it extremely difficult to roll back after a failed disaster
recovery scenario following a failed in-place upgrade.)
 completely ignored or skipped by customers. For example, NTDSNoMatch
is supposed to be written on Exchange 5.5 objects, yet customers didn’t
know of the existence of NTDSNoMatch due to delayed documentation
when Exchange 2000’s retail version shipped. Additionally, many
customers skipped configuration of Connection Agreements due to their

topologies, leading to improving deployment success rates.
The solution:
Efforts to prevent Exchange 2000 deployment mistakes of the past have
culminated into the creation of the Exchange 2003 deployment tools. A
multipurpose effort, the deployment tools not only avoids the huge gap in
customer education when Exchange 2003 ships; it also proactively scans the
Active Directory and Exchange 5.5 infrastructures for possible problems that
may prevent successful Exchange 2003 deployments. The customer education
effort is achieved through a comprehensive help file/installation guide, which
takes into consideration four major deployment scenarios and provides
prescriptive deployment steps for each. A picture of the help file is shown in
figure 1.1:
4 Module 6: Deployment Tools and ADC Tools
Figure 1.1: An example of the deployment tools step-by-step deployment guide, in the form of a
compiled HTML help file. (pre-release version)
Although the user-education portion may appear informational at first glance,
there are ActiveX controls embedded within each HTML page that, when
clicked, will spawn scripts to proactively check for problems on the local
system, within Exchange 5.5 directory, within Active Directory, or all of the
above. Technically, the scripts call upon the deployment tools, but the
collection of tools plus help file is most commonly-referred as the “Deployment
Tools.”
Module 6: Deployment Tools and ADC Tools 5 Tool Execution


information into exdeploy.log file, typically located in c:\exdeploy logs. Log
files are appended-to, not overwritten, when tools are run more than once.
Although exdeploy.chm contains links to launch the tools, the tools themselves
may not be launched without the existence of binaries (DLLs and EXEs) within
the same directory as the CHM file. The deployment tools help file and binaries
are located on the Exchange 2003 CD, underneath the \support\exdeploy
directory.
Method 2 – From the command prompt: The error-checking tools may also
be launched from the command line by running exdeploy.exe. Exdeploy.exe is
an executable that can launch various deployment tools depending upon the
switches used. In fact, all of the deployment tools may be launched using
exdeploy.exe, without requiring the CHM file. However, none of the tools may
be launched from the CHM/HTA file if the CHM/HTA exists in a directory
without exdeploy.exe supporting it.
Using Method 2 to manually execute a deployment tool should only be used
when troubleshooting, or when someone is already familiar with the ordering of
the help file (since some tools will fail unless you have performed certain steps
only mentioned in the CHM file). Here is an example of running a deployment
tool from the command prompt:
D:\SUPPORT\EXDEPLOY>exdeploy /s:55server /gc:gc01
/t:adcusercheck
Results of these tools will be logged to 'exdeploy.log'.
Exchange Deployment Tools documentation provides information
on how to solve encountered issues.
Calling ADCUserCheck
ADCUserCheck completed successfully.

Module 6: Deployment Tools and ADC Tools 7
The Exchange 2000/2003 setup program runs through prerequisite checks upon
launch, and if any prerequisite checks fail, their associated errors (possible
8 Module 6: Deployment Tools and ADC Tools reasons/recommended actions) are displayed as a popup on the setup wizard’s
component selection screen.
[10:44:03] ********** Beginning Exchange Deployment Tools
**********
[10:44:03] Starting Exchange 6851 Deployment Tools on Windows
5.0.2195 at 10:44:03 01/13/2003
[10:44:03] Entering HrDirPreReq_Initialize
[10:44:03] Init called with Domain Controller tilab-dc and
Exchange 5.5 server root55. Setup's language ID is 0
[10:44:03] Entering HrRegisterAXDLL
[10:44:03] Leaving HrRegisterAXDLL
[10:44:03] Entering HrRegisterAXDLL
[10:44:03] Leaving HrRegisterAXDLL
[10:44:03] Leaving HrDirPreReq_Initialize
[10:44:21] Entering HrDirPreReq_ConfigInit
[10:44:55] Leaving HrDirPreReq_ConfigInit
[10:44:55] Entering HrDirPreReq_ObjectInit
[10:45:46] Leaving HrDirPreReq_ObjectInit
[10:45:46] Entering HrDirPreReq_UserInit
[10:46:20] Leaving HrDirPreReq_UserInit
[10:46:20] Entering HrDSConfigSum
[10:46:21] Leaving HrDSConfigSum
[10:46:21] Entering HrDSObjectSum
[10:46:21] Leaving HrDSObjectSum
[10:46:21] Entering HrUserCount
dissect multiple runs of the exdeploy-progress.log so that you can view each
run by itself. Another minor thing to note here is that a lot of the same entries
you find in exdeploy-progress.log will also be logged into the setup wizard’s
progress.log file. Search for HrDirPreReq anytime setup is joining an Exchange
5.5 site, and you’ll get to the deployment tools section of the Exchange Server
Setup Progress.log.
On the right-hand side of figure 1.3, the glue DLL will call into the actual tools
themselves. The tools are EXEs, DLLs, or even scripts. If the individual tool is
a script or separate EXE (such as policytest.exe), then the glue DLL makes a
call to CreateProcess.
10 Module 6: Deployment Tools and ADC Tools Markers: Before discussing the process flow, consider that several phases of the
deployment tools will create markers in Active Directory. These “completion”
markers are intended to ensure that customers use the deployment tools and
ADC Tools. Without them in place, setup will block customers from installing
the first Exchange 2003 server any organization containing Exchange 5.5 or
Site Replication services. Without Exchange 2003 setup logic to detect these
markers, installers would skip the proper deployment steps and tools, thereby
encountering the same deployment problems that existed with Exchange 2000.
Also, one of the main differences from Exchange 2000 is that in Exchange
2003, installers will no longer be able to launch the setup wizard from setup.exe
at the root of the CD without being forced into deployment tools. This single
entry-point initiative for setup was deemed necessary for several reasons: 1)

rerun the tool. The purpose of the timestamp is to prevent the tool’s result from
becoming stale, since customer environments may have changed drastically
over weeks or months, and it is highly likely they have more unreplicated
objects from the time they originally passed ADCUserCheck. Specifically, the
purpose of rerunning the tool is that after a time threshold, customers may need
to rereplicate or configure new Connection Agreements.

12 Module 6: Deployment Tools and ADC Tools
As an installer and for the purposes of saving time, you
could manually insert the ADCUserCheck marker using ADSIEdit and skip all
of the deployment tools. However, normal customers should not utilize this
shortcut since you want them to utilize deptools/adctools. Troubleshootin
g
Tip
Module 6: Deployment Tools and ADC Tools 13 Process Flow The deployment process begins when customers insert their Exchange 2003 CD
or run setup.exe from the root of the CD. Either action launches the intro/splash
screen, which in previous versions of Exchange provided a direct link to
setup.exe within the \setup\i386 folder. In Exchange 2003, the splash screen no

scenario covers installing Exchange 2003 as another member of a mixed-
mode organization. This option also applies when there are Site Replication
Servers running in the organization, even if there are no more Exchange 5.5
servers.
3. Upgrade from Exchange 2000 Native mode – This scenario’s name not only
implies in-place upgrading an Exchange 2000 server to Exchange 2003; it
also covers joining an Exchange 2003 server as another member of a pure
Exchange 2000 organization with no running Site Replication Servers.
4. New Exchange 2003 – This scenario is the simplest of all, as no preparatory
work is necessary for any existing Exchange servers.

16 Module 6: Deployment Tools and ADC Tools Figure 1.6: Process flow for all of the steps covered by exdeploy.chm
Figure 1.6 illustrates the process flow, which contains scenarios identified at the
top of the screen, enclosed by borders. The most full-featured scenario for
installing the first Exchange 2003 server is “Coexistence with Exchange 5.5.”
In the coexistence scenario, deptools examines the existing Exchange 5.5 and
Active Directory infrastructure for Exchange 2003 suitability. Note that inter-
organizational (cross-forest) migrations or deployments of multiple Exchange
organizations are too advanced and are not discussed by exdeploy.chm. Cross-
forest deployments is discussed in another training module.
Module 6: Deployment Tools and ADC Tools 17 DSScopeScan

 VerCheck: Determines if any Exchange 5.5 server versions are not
compatible with the Active Directory connector. (At least one must be
Exchange 5.5 SP3). Outputs to vercheck.log.
18 Module 6: Deployment Tools and ADC Tools  Orgreport: Determines if an existing object, whose objectclass is
msExchOrganizationContainer, exists underneath cn=Microsoft
Exchange,cn=services,cn=configuration,dc=<dn of forest root> If one is
found, the tool does not qualify it as an error. However, it will write the
displayname of the object to exdeploy.log if it was not created by Exchange
2003 forestprep. The existence of an org object means that an Exchange
2000 installation attempt, either through a forestprep or typical setup, was
performed in the past. Additionally, this signifies the possible existence of a
rogue Exchange 2000 server object in Active Directory. If this is the case,
rollback using the removeorg switch (Q312878).
 GCVerCheck: Checks local and adjacent Windows sites for a Windows
global catalog that is SP3 or greater. If none is found, then setup will not
proceed. Although Exchange 2003 setup has a prerequisite check for this
situation, it is convenient to scan for this prior to setup, so that
administrators can plan upgrades of their domain controllers accordingly.
 OrgNameCheck: Determines if the Exchange 5.5 organization or site
names exceed 64 characters or contain any of the following (excluding the
surrounding braces). { , = + < > # \ " ~ ! @ # $ % ^ & * ( ) _ + = { } [ ] | \ : ;
" ' < , > . ? / }. Additionally, this tool determines if an Exchange 5.5 SMTP
address generator (from site addressing) contains the same invalid
characters that do not follow RFC 821. Exchange 2003 setup will run this
tool also as a part of setup, and will not proceed unless the Exchange 5.5 site
addressing is corrected, as invalid characters would cause problems with
recipient policies if replicated to Active Directory. OrgNameCheck logs

In the output above, the entries “TestEXConnect” and “TestNTConnect” are the
result of the additional debug logging. Enabling this environment variable also
causes exdeploy.log to be produced with debug output whenever Exchange
2003 setup.exe calls upon the deployment tools glue DLL.

20 Module 6: Deployment Tools and ADC Tools DCDiag/NetDiag Following the DSScopeScan tool group, the installer is instructed to download
the Windows 2000/2003 support tool, dcdiag, or alternatively, install it from the
Windows server CD’s support tools. This utility comes in two operating
system-specific versions, and is used to search for Active directory-related
problems. This tool checks for a variety of domain controller issues, but most
importantly, it checks for any operations master role holders which cannot be
contacted.
Troubleshooting DCDiag:
If DCDiag fails to run due to a “DsIsMangledDnW error,” check to see if the
version of dcdiag.exe is compatible with the operating system. The file version
for the Windows 2003 DCDiag is 5.2.xxxx, whereas the Windows 2000 version
should be 5.0.xxxx.
If dcdiag reports that, for example, a schema role holder is not available,
forestprep will not be able to run. In this instance, one would utilize Q324801
or Q255504 to transfer or seize the role. Forestprep will also have problems if
DCDiag reports that a domain controller is not contactable, when in fact it has
been removed from the forest (but its metadata remained). In that scenario, one
would remove the orphaned domain or domain controller via q230306.
If there are any other errors output by DCDiag, one would run dcdiag with the

Forestprep/Domainprep
The next steps are for the user to run setup /forestprep and /domainprep.
Traditionally, these switches were executed only from the command prompt.
The exdeploy.chm now includes an embedded script to launch these modes
from the ActiveX® control, provided that the path is populated correctly.
Running the help file from a file share or a path that contains a space will most
likely output an Internet Explorer popup saying “An invalid server name was
entered.” For this reason, the HTA is used to run the CHM file to slightly alter
the behavior.
22 Module 6: Deployment Tools and ADC Tools OrgPrepCheck Once these actions are completed, the user is prompted to run the
OrgPrepCheck tool group - comprised of the following tools:
 OrgCheck: verifies the Exchange extensions to the Active Directory
schema, checks the existence and membership of the Exchange Domain
Servers group and Exchange Enterprise servers group, and checks that a
global catalog server is available in a domain in which DomainPrep has
been run. There is no additional logfile.
 PolCheck: This exdeploy command simply runs a Createprocess to launch
policycheck.exe (inherited from the support directory of the Exchange 2000
CD). PolCheck will determine if the Exchange Enterprise Servers group has
been granted the SeSecurityPrivilege (a.k.a. “Manage Auditing and Security
Logs”). Effectively, this determines if the domainprep procedure has
completed successfully, and ample time has been given for this right to
propagate to the domain controllers of the present domain. The extended
output of all domain controllers rights will be logged to exdeploy-

Right found: "SeSecurityPrivilege"
[17:43:03] Entering HrFindPrintErrorMessage
[17:43:03] Leaving HrFindPrintErrorMessage
[17:43:03] PolCheck completed successfully.
[17:43:03] #*** Policy Check finished: ***#

Install Active Directory Connector and Run ADC Tools
The next step in the deployment process is for the deployment
administrator/consultant to install the Exchange 2003 ADC Service, and then
use the ADC tools to prepare for and then create connection agreements. The
ADC Tools process is somewhat lengthy, so we will discuss its internals in
more detail in Lesson 2. At this point, it is only important to note that when the
installer completes the second or last step of the ADC Tools, completion
markers are written to Active Directory. These markers, though hidden from the
user, are read by the setup engine later in the deployment process to determine
whether the proper preparatory steps have been accomplished. If the installer
does not complete the second or last steps of the ADC Tools, the completion
marker will not exist and setup will block installation into an Exchange 5.5 site.