Contents
Document Overview ............................................................................................... 1
Setup Changes......................................................................................................... 2
Setup Architectural Changes................................................................................... 3
Setup Actions Require New Active Directory Permissions.................................... 7
New Setup Prerequisite Checks: ........................................................................... 21
Lab 1.1: Finding renamed, moved, or deleted groups........................................... 26
Cluster-related prerequisite checks ....................................................................... 31
Exchange System Manager-only installation prerequisites................................... 33
2000 to 2003 Setup and Upgrade Scenarios blocked............................................ 36
New Features/Components in Setup: .................................................................... 39
Setup Changes....................................................................................................... 44
Security improvements to setup:........................................................................... 49
Troubleshooting Exchange Server 2003 setup failures:........................................ 53
2003 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, Windows, Windows NT, Active Directory, ActiveX, Excel, Exchange Server
5.5, Exchange 2000 Server, Exchange Server 2003, Internet Explorer, Internet Information Server,
Word are either registered trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries.
The names of actual companies and products mentioned herein (Groupwise, Lotus cc:Mail, Lotus
Notes) may be the trademarks of their respective owners.
Module 1: Setup Changes 1
Last Saved: 7/24/2003 1:55 AM
Last Printed: 7/24/2003 12:55 PM
Document Overview
This module discusses differences in the setup process between Microsoft
Exchange 2000 Server and Microsoft Exchange Server 2003. In addition to
discussing bug-level changes, students will focus on troubleshooting the
Exchange Server setup progress logs.
Topic 1 Setup changes from Exchange 2000 Server
Topic 2 Troubleshooting Exchange Server 2003 setup
Topic 3 Learning measure/Labs
Prerequisites
Experience with installing Exchange 2000 into Exchange Server 5.5 sites.
network/domain admin roles could be separated from Exchange administrator
roles. These changes were so extensive that the process flow of setup is nearly
re-architected.
Setup /forestprep creates a placeholder object
When Exchange 2003 setup is run explicitly in ForestPrep mode (using the
/forestprep switch), and there is no existing Exchange organizational object
within the configuration naming context, setup will create a “temporary”
organization with a hard-coded name. (That name is a GUID:
“{335A1087-5131-4D45-BE3E-3C6C7F76F5EC}”.) Setup can delegate the first Exchange
administrator on this object, create the Exchange configuration underneath it,
and so on. At a later time, when setup is run to install the first server in the
organization – by someone who is an Exchange administrator – setup can
rename the existing placeholder object, either to a user-specified name or to
match the name of an Exchange 5.5 organization. The final naming is decided
by the answer to the “Installation Type” screen. Improving upon Exchange
2000 setup, the organization name deferral was designed so that
• Administrators are not forced to make the organization name decision
during forestprep.
• Enterprise/schema admins are not forced to be given Exchange Server
5.5 admin site permissions to run forestprep.
Conversely, Exchange 2003 installers (who are admins of an Exchange 5.5 site)
are not required to have enterprise/schema admin permissions when later
installing the first Exchange Server 2003 machine. Installers are also no longer
required to have the Active Directory Connector (ADC) installed when running
forestprep.
Troubleshooting temporary org object creation: Should there be any problems
2003 machine is being installed into a forest with no pre-existing Exchange
organization object. (The Exchange organization object is located at
(cn=<orgname>,cn=Microsoft Exchange, cn=services, cn=configuration,
dc=<dn of the forest root>.) If the installer chooses to create a new
organization, the placeholder orgname is renamed to whatever the installer
desires. If the installer chooses the Exchange 5.5 coexistence option, the
temporary orgname is renamed to match the Exchange 5.5 organization name.
In Exchange Server 2003, the 5.5 (Osmium) synchronization process with
Active Directory will occur only once, so only a permanent config CA comes
into existence. (i.e. no temporary config CA will exist). Table 1.1 outlines the
different states of the organizational object that can exist in Active Directory:
Setup Action / Detected State | setup /ForestPrep | setup (install a server)
No organization object | Create temporary org | Ask user for org type/name; create org
Temporary organization object | |
In Exchange Server 2003, the setup process has changed so that it will only
stamp default permissions on the Exchange Organization object once (on the
first server install/upgrade) and will not re-stamp permissions for subsequent
installations. Although this change was made for security reasons, the previous
behavior was a useful support tool for quickly fixing customers who had
inappropriately modified the Active Directory permissions on containers and
thereby caused operational problems in Exchange. A typical problem would be a
paranoid administrator removing required access control lists (ACLs) on
various objects underneath the “Microsoft Exchange” container. So in order to
correct the problem, or to revert back to Exchange 2000 Server settings, one
must now manually correct the Active Directory permissions by applying the
permissions listed in Table 1.4 under the section entitled “New per-object
permissions changes during setup.” If the customer does not mind that the
security settings revert back to the Exchange 2000 Server configuration, then
run Exchange 2000 setup to “join” a new Exchange 2000 server object to the
existing Exchange 2003 organization.
Setup Actions Require New Active Directory Permissions
Because there are several setup modes and component options, setup will
require different combinations of Active Directory permissions, depending
upon the detected topology. For example, setup operations dealing with a Site
Replication Service (SRS) still require Exchange Full Administrator at the
Setup action | Required permission
Remove machine account from Domain Servers group after setup |
Remove last server in org | Exchange Full Administrator at Organization level
Apply service pack | Exchange Administrator at Admin Group level
Table 1.2: Setup Matrix
Several of the above actions require “Exchange Full Administrator” at the
organizational level. Although it is possible to manually create and grant
Exchange Administrator-like permissions through ADSI Edit, it is not
recommended because the specific combination of permissions and inherited
rights settings are not easy to set, and setting “Full Control” on the organization
object would be overkill. The recommended methods for granting Exchange
Full Administrator at the org level are to either:
• Rerun /forestprep so that the Exchange setup wizard will prompt for an
additional account to be granted Org permissions, or
• Use the Exchange System Manager’s delegation wizard by right-clicking on
the top-most organization object.
The proper method of granting Exchange Full Administrator at the Admin
Group level is to launch Exchange System Manager’s delegation wizard by
right-clicking on an Administrative Group name.
In Exchange 2000, you needed to be a full admin at the organization level to
install, maintain, or remove any server. Unfortunately, customers desired to
deploy with well-separated admin groups and delegate administrators on those
administrative groups who would be able to handle routine tasks -- like
ForestPrep phase, while installing a server, etc.
In some cases, the ACL is not stamped on the usual property
(ntSecurityDescriptor), but on some other property – e.g.,
“msExchMailboxSecurityDescriptor”. The directory service, of course, cannot
enforce security that is not specified in the NT security descriptor; in most
cases, these ACLs will be picked up and replicated to store ACLs on
appropriate objects by the store service. There is, unfortunately, no tool for
viewing these ACLs as anything other than raw binary data.
The columns of the table are as follows:
Account: The security principal granted or denied the permissions.
A: Checked if this is an allow ACE.
D: Checked if this is a deny ACE. Allow and Deny are mutually exclusive.
I: Checked if this ACE inherits to child objects.
Right: The permissions allowed or denied. Extended rights are given in italics.
On Property/Applies To: In some cases, the permission applies only to a given
property, property set, or object class; if so, that is specified here.
Reason: The reason this permission is required.
Table 1.3: Legend for columns of charts 1.5-1.9
The rights are generally listed in the table by the names used on the ADSIEdit
Security property page, under the “Advanced” view, on the “View/Edit” tab.
The ADSIEdit Security property page lists a much more condensed view of the
rights. LDP.exe displays the access mask directly, as a numerical value. The
setup code refers to the rights by predefined constants.
The following table summarizes the relationships between these values:
ADSIEdit Advanced view                        ADSIEdit Security page     Setup constant(s)                                    Access mask (LDP.exe)
Full Control                                  Full Control               ACTRL_DS_CREATE_CHILD | ...                          0x000F01FF
List Contents + Read All Properties           Read                       ACTRL_DS_LIST | ACTRL_DS_READ_PROP | READ_CONTROL    0x00020014
  + Read Permissions
Write All Properties + All Validated Writes   Write                      ACTRL_DS_WRITE_PROP | ACTRL_DS_SELF                  0x00000028
List Contents                                                            ACTRL_DS_LIST                                        0x00000004
Read All Properties
Create All Child Objects                      Create All Child Objects   ACTRL_DS_CREATE_CHILD                                0x00000001
Delete All Child Objects                      Delete All Child Objects   ACTRL_DS_DELETE_CHILD                                0x00000002
                                                                         ACTRL_DS_LIST_OBJECT                                 0x00000080
Table 1.4: Bit values for tables
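The ACLs stamped on attributes such as msExchMailboxSecurityDescriptor are visible only as raw binary, and Table 1.4 gives the bit values that LDP.exe shows for each right. As an added illustration (not part of this module), the following Python parses a self-relative Windows security descriptor, walks its DACL and maps each ACE's access mask to the ACTRL_DS_* names of Table 1.4; the sample descriptor is constructed inside the code, the group SID S-1-5-21-1-2-3-512 in it is made up, and ACTRL_DS_READ_PROP (0x10), ACTRL_DS_DELETE_TREE (0x40) and ACTRL_DS_CONTROL_ACCESS (0x100) are standard values not listed on this page.

```python
import struct
# DS access-mask bits, named as in Table 1.4 (ACTRL_DS_* plus the standard rights).
DS_RIGHTS = [
    (0x00000001, "ACTRL_DS_CREATE_CHILD"), (0x00000002, "ACTRL_DS_DELETE_CHILD"),
    (0x00000004, "ACTRL_DS_LIST"), (0x00000008, "ACTRL_DS_SELF"),
    (0x00000010, "ACTRL_DS_READ_PROP"), (0x00000020, "ACTRL_DS_WRITE_PROP"),
    (0x00000040, "ACTRL_DS_DELETE_TREE"), (0x00000080, "ACTRL_DS_LIST_OBJECT"),
    (0x00000100, "ACTRL_DS_CONTROL_ACCESS"), (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"), (0x00040000, "WRITE_DAC"), (0x00080000, "WRITE_OWNER"),
]
FULL_CONTROL = 0x000F01FF                       # "Full Control" in Table 1.4
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
CONTAINER_INHERIT_ACE = 0x02                    # the "I" column: ACE inherits to children

def decode_mask(mask):
    """Expand an access mask into the right names setup uses (Table 1.4)."""
    if mask & FULL_CONTROL == FULL_CONTROL:
        return ["Full Control"]
    return [name for bit, name in DS_RIGHTS if mask & bit]

def parse_sid(buf, off):
    """Decode a binary SID at offset off; returns (string SID, bytes consumed)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count

def parse_dacl(sd):
    """Return (allow|deny, ace_flags, sid, [rights]) for each plain ACE in the DACL."""
    rev, _sbz1, control, _owner, _group, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & SE_DACL_PRESENT or dacl_off == 0:
        return []
    _acl_rev, _sbz2, _size, ace_count, _sbz3 = struct.unpack_from("<BBHHH", sd, dacl_off)
    aces, pos = [], dacl_off + 8
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type in (0, 1):                  # ACCESS_ALLOWED_ACE / ACCESS_DENIED_ACE
            mask = struct.unpack_from("<I", sd, pos + 4)[0]
            sid, _ = parse_sid(sd, pos + 8)
            aces.append(("allow" if ace_type == 0 else "deny", ace_flags, sid, decode_mask(mask)))
        pos += ace_size                         # object ACEs (types 5 and 6) are skipped
    return aces

def build_sd(aces):
    """Construct a minimal self-relative SD holding only a DACL (test fixture, not AD data)."""
    body = b""
    for ace_type, flags, mask, (rev, authority, subs) in aces:
        sid = bytes([rev, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)
        body += struct.pack("<BBHI", ace_type, flags, 8 + len(sid), mask) + sid
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(body), len(aces), 0) + body
    return struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE, 0, 0, 0, 20) + dacl

# Constructed sample: inheritable allow "Read" for Authenticated Users (S-1-5-11), inheritable
# deny "Write" for a made-up domain group, and Full Control for LocalSystem (S-1-5-18).
SAMPLE_SD = build_sd([
    (0, CONTAINER_INHERIT_ACE, 0x00020014, (1, 5, [11])),
    (1, CONTAINER_INHERIT_ACE, 0x00000028, (1, 5, [21, 1, 2, 3, 512])),
    (0, 0x00, FULL_CONTROL, (1, 5, [18])),
])
if __name__ == "__main__":
    for kind, flags, sid, rights in parse_dacl(SAMPLE_SD):
        print(kind, "I" if flags & CONTAINER_INHERIT_ACE else "-", sid, ", ".join(rights))
```

Object-type ACEs (the kind carrying a property or class GUID, as in the “Applies to object class” rows) are skipped by parse_dacl; handling them means reading the ObjectType GUID fields that follow the mask.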
Permissions Modified On Active Directory Objects in the Configuration Naming Context

Microsoft Exchange Container
cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<domain>

Account | A | D | I | Right | On Property/Applies To | Reason
During ForestPrep phase
Authenticated Users | X | | | List Contents; Read All Properties | | Allow DomainPrep to read Full Org Admins
Authenticated Users | X | | | Read All Properties; ACTRL_DS_LIST_OBJECT | | Allow DomainPrep to read Full Org Admins
Designated Admin Account | X | | X | Full Control | | Allow Full Org Admin to …
Designated admin account | | X | X | Send As | | Exchange admins are not allowed to open mailboxes
Designated admin account | | X | X | Receive As | | Exchange admins are not allowed to open mailboxes
During server install
Enterprise Admins | | X | X | Send As | | NT admins are not allowed to open mailboxes
Enterprise Admins | | X | X | Receive As | | NT admins are not allowed to open mailboxes
Domain Admins of root domain | | X | X | Send As | | NT admins are not allowed to open mailboxes
Domain Admins of root domain | | X | X | Receive As | | NT admins are not allowed to open mailboxes
Everyone | X | | X | Create top-level public folder | |
Everyone | X | | X | Create public folder | | … longer includes “Anonymous Logon,” so we must grant those rights explicitly
ANONYMOUS LOGON | X | | X | Create named properties in the information store | | “
ANONYMOUS LOGON | X | | X | Read Permissions; Read All Properties; List Contents; ACTRL_DS_LIST_OBJECT | Applies to object class: msExchPrivateMDB | “
ANONYMOUS LOGON | X | | X | Read Permissions; Read All Properties; List Contents; ACTRL_DS_LIST_OBJECT | Applies to object class: msExchPublicMDB | “
ANONYMOUS LOGON | X | | X | Read Permissions; Read All Properties; List Contents; ACTRL_DS_LIST_OBJECT | Applies to object class: mTA | “
Address Lists Container
cn=Address Lists Container,cn=<org>,cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<domain>

Account | A | D | I | Right | On Property/Applies To | Reason
During server install
Authenticated Users | X | | X | List Contents | |

Addressing Container
cn=Addressing,cn=<org>,cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<domain>

Account | A | D | I | Right | On Property/Applies To | Reason
During server install
Authenticated Users | X | | X | List Contents; Read All Properties; Read Permissions | |

Recipient Update Services Container
cn=Recipient Update Services,cn=Address Lists Container,cn=<org>,cn=Microsoft Exchange,cn=Services,cn=Configuration...

Account | A | D | I | Right | On Property/Applies To | Reason
During server install
Exchange Domain Servers | X | | X | Full Control | |

Administrative Group

Account | A | D | I | Right | On Property/Applies To | Reason
During server install, or during Exchange 2003 setup /ForestPrep
Exchange Domain Servers | | X | X | Receive As | | No server needs to read mail except on its own store
During server install (ACEs defined in schema defaultSecurityDescriptor)
Authenticated Users | X | | | List Contents | |

Server Object
cn=<server>,cn=Servers,cn=<admin group>,cn=Administrative Groups,cn=<org>,cn=Microsoft Exchange,cn=Services...

Account | A | D | I | Right | On Property/Applies To | Reason
During server install (if the server is NOT a cluster Virtual Machine)
MACHINE$ | X | | X | Full Control | | Server must be able to maintain its own config
During server install (if the server IS a cluster Virtual Machine)
NODE1$, NODE2$, etc... | X | | X | Full Control | | Every node in a cluster that owns an EVS must be able to maintain the EVS config
Exchange Domain Servers | X | | X | Full Control | | EVS must be able to maintain its own config, but setup can’t tell …
LocalSystem | X | | X | Read Permissions; fsdspermUserSendAs; fsdspermUserMailboxOwner | |
Exchange Domain Servers | X | | X | Read Permissions; fsdspermUserSendAs; fsdspermUserMailboxOwner | |
5.5 Service Account (if given) | X | | X | Read Permissions; fsdspermUserSendAs; fsdspermUserMailboxOwner | |
MTA Object
cn=Microsoft MTA,cn=<server>,cn=Servers,cn=<admin group>,cn=Administrative Groups,cn=<org>...

Account | A | D | I | Right | On Property/Applies To | Reason
During server install or when enabling an SRS
5.5 Service Account (if given) | X | | X | Send As | | Required to send/receive mail from 5.5 servers
5.5 Service Account (if given) | | | | | displayName |
[Rows of a domain-level table whose heading was lost in extraction]
Account | A | D | I | Right | On Property/Applies To | Reason
Exchange Enterprise Servers | X | | | Manage Replication Topology | | Allow Recipient Update Service to track replication changes
Exchange Enterprise Servers | X | | X | List Contents | | Duplicates permissions granted to “Pre-Windows 2000 Compatible Access” group
Exchange Enterprise Servers | X | | | Read Permissions | | “
Exchange Enterprise Servers | X | | X | Read Permissions; Read All Properties; List Contents; ACTRL_DS_LIST_OBJECT | Applies to object class: user | … InetOrgPersons as on Users

Domain Proxy Container
cn=Microsoft Exchange System Objects,dc=<domain>

Account | A | D | I | Right | On Property/Applies To | Reason
During DomainPrep phase
Exchange Enterprise Servers | X | | X | Full Control | | Add/delete/modify proxy objects
Exchange Domain Servers | X | | X | Full Control | | Add/delete/modify proxy objects
Authenticated Users | X | | X | Read Permissions | | Allow access to PF objects
Authenticated Users | X | | X | Read Property | garbageCollPeriod | Allow access to PF objects
Authenticated Users | X | | X | Read Property | adminDisplayName | Allow access to PF objects
Authenticated Users | X | | X | Read Property | modifyTimeStamp | Allow access to PF objects
All delegated org-level and admin-group level View-Only Admins | X | | X | List Contents; ACTRL_DS_LIST_OBJECT | |
AdminSDHolder Container
cn=AdminSDHolder,cn=System,dc=<domain>

Account | A | D | I | Right | On Property/Applies To | Reason
During DomainPrep phase
Exchange Enterprise Servers | X | | X | Read Property; Write Property | Property Set: Public Information | This ACL is applied to users with domain admin rights
Exchange Enterprise Servers | X | | X | Read Property; Write Property | Property Set: Personal Information | “
Exchange Enterprise Servers | X | | X | Read Property; Write Property | On property: displayName | “
Exchange Enterprise Servers | X | | X | List Contents | | “
[Rows of a group-object table whose heading was lost in extraction]
… running setup must be able to add/remove machine accounts from group
Account | A | D | I | Right | On Property/Applies To | Reason
Exchange Enterprise Servers | X | | | Full Control | | Set by the Recipient Update Service
All delegated org-level Full Admins | X | | X | Full Control | |

Exchange Domain Servers Group
cn=Exchange Domain Servers,cn=Users,dc=<domain>
Account | A | D | I | Right | On Property/Applies To | Reason
During DomainPrep phase
All existing org-level Full Admins | X | | | Full Control | | Admins running setup must be able to add/remo…
Files.
Account | A | D | I | Right | On Property/Applies To | Reason
Authenticated Users | X | | X | Read & Execute | |
Server Operators | X | | X | Modify | |
Administrators | X | | X | Full Control | |
CREATOR OWNER | X | | X | Full Control | |
TERMINAL SERVER USER | X | | X | Modify | |
SYSTEM | X | | X | Full Control | |

Mailroot Directory
...\Exchsrvr\Mailroot

Account | A | D | I | Right | On Property/Applies To | Reason
During server install
Everyone | X | | X | Full Control | |
ANONYMOUS LOGON | X | | X | Full Control | |

Exchweb Directory
...\Exchsrvr\exchweb

Account | A | D | I | Right | On Property/Applies To | Reason
During server install (if no pre-existing explicit ACEs)
Authenticated Users | X | | X | Read | |

Exchweb\bin Directory
...\Exchsrvr\exchweb\bin

Account | A | D | I | Right | On Property/Applies To | Reason

Exchweb\cabs Directory
...\Exchsrvr\exchweb\cabs

Account | A | D | I | Right | On Property/Applies To | Reason
During server install (if no pre-existing explicit ACEs)
ANONYMOUS LOGON | X | | X | Read | |

Exchweb\views Directory
...\Exchsrvr\exchweb\views

Account | A | D | I | Right | On Property/Applies To | Reason
During server install (if no pre-existing explicit ACEs)
ANONYMOUS LOGON | X | | X | Read | |

Exchweb\help Directory
...\Exchsrvr\exchweb\help

Account | A | D | I | Right | On Property/Applies To | Reason
During server install (if no pre-existing explicit ACEs)
ANONYMOUS LOGON | X | | X | Read | |

Table 1.7: NTFS changes to Installation Directory and Subdirectories
Server 2003 Deployment Tools documentation on your CD for information
about correcting this problem.”
Here the %S string indicates what has not yet finished replicating, or has not
been run from the deployment tools. Specifically, depending upon the status of
the other completion markers, ADCObjectCheck and PubfoldCheck, the %S string
will change accordingly. However, failing the ADCObjectCheck and PubfoldCheck
markers only warns the installer of that specific problem and does not prevent
setup from continuing, as a failed ADCUserCheck does.
If the customer is halted with the blocking error message,
use ADSI Edit or LDP.exe to view the description attribute. This is where any
of the three completion markers may exist. If ADCUserCheck is present, check
to see if its timestamp is older than two weeks. Note that if you’re not using
credentials of a person who has full exchange org permissions, you may not be
able to see this attribute. If you do not have the marker present, there are three
ways to populate it:
• Manual entry through ADSIEdit
• Running exdeploy.exe from the command line, using the /adcusercheck switch.
(If 5.5-Active Directory objects are not in sync, this method will populate
the %S string with a warning indicating that objects have not replicated.
However, setup will not be blocked.)
• Running ADC Tools’ Step 2 button, or Step 4 (Verify button)