
Module 1: Setup Changes
Contents

Document Overview ............................................................................................... 1
Setup Changes......................................................................................................... 2
Setup Architectural Changes................................................................................... 3
Setup Actions Require New Active Directory Permissions .................................... 7
New Setup Prerequisite Checks: ........................................................................... 21
Lab 1.1: Finding renamed, moved, or deleted groups........................................... 26
Cluster-related prerequisite checks ....................................................................... 31
Exchange System Manager-only installation prerequisites................................... 33
2000 to 2003 Setup and Upgrade Scenarios blocked ............................................ 36
New Features/Components in Setup: .................................................................... 39
Setup Changes....................................................................................................... 44
Security improvements to setup:........................................................................... 49
Troubleshooting Exchange Server 2003 setup failures:........................................ 53
General Log Flow ................................................................................................. 57
Lab 1.2: Logparser and examination of progress logs .......................................... 68
Lab 1.3: Applying troubleshooting concepts ........................................................ 70
Appendix A: Answers ........................................................................................... 74
Acknowledgments................................................................................................. 76


Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no
part of this document may be reproduced, stored in or introduced into a retrieval system, or


transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2003 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, Windows, Windows NT, Active Directory, ActiveX, Excel, Exchange Server
5.5, Exchange 2000 Server, Exchange Server 2003, Internet Explorer, Internet Information Server,
Word are either registered trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries.
The names of actual companies and products mentioned herein (Groupwise, Lotus cc:Mail, Lotus
Notes) may be the trademarks of their respective owners.

Last Saved: 7/24/2003 1:55 AM
Last Printed: 7/24/2003 12:55 PM



Document Overview

This module discusses differences in the setup process between Microsoft
Exchange 2000 Server and Microsoft Exchange Server 2003. In addition to
discussing bug-level changes, students will focus on troubleshooting the
Exchange Server setup progress logs.
Topic 1 Setup changes from Exchange 2000 Server
Topic 2 Troubleshooting Exchange Server 2003 setup

Topic 3 Learning measure/Labs

Prerequisites
Experience with installing Exchange 2000 into Exchange Server 5.5 sites.
Experience with creating an Exchange Virtual Server (EVS) on Windows
2000 clusters




Setup Changes

This topic discusses the differences between the setup architecture of Exchange
Server 2003 and that of the previous product, as well as the new features and
work items in the setup process. Those accustomed to supporting Exchange 2000
Server will expect some of the same product features and behaviors to exist in
Exchange 2003. The goal of this topic is to cover the "gotchas" in the
differences between the two products that would otherwise cause difficulty in
support.




Setup Architectural Changes

In Exchange Server 5.5, many customers established administration models in
which Exchange administrators could administer only Exchange, and domain
administrators handled almost everything else. Yet Exchange 2000 Server
required the installer to be given blanket permissions to the enterprise forest
and the Exchange Server 5.5 directory, to the dismay of many companies
migrating from, or coexisting with, Exchange Server 5.5. In order to separate
these roles once more, the product group established the following "Full
Administrative Group Administrator" setup changes so that network/domain admin
roles could be separated from Exchange administrator roles. These changes were
so extensive that the process flow of setup has been nearly re-architected.

Setup /forestprep creates a placeholder object
When Exchange 2003 setup is run explicitly in ForestPrep mode (using the
/forestprep switch), and there is no existing Exchange organization object
within the configuration naming context, setup creates a "temporary"
organization with a hard-coded name. (That name is a GUID:
{335A1087-5131-4D45-BE3E-3C6C7F76F5EC}.) Setup can then delegate the first
Exchange administrator on this object, create the Exchange configuration
underneath it, and so on. Later, when setup is run to install the first server
in the organization (by someone who is an Exchange administrator), setup can
rename the existing placeholder object, either to a user-specified name or to
match the name of an Exchange 5.5 organization. The final naming is decided by
the answer to the "Installation Type" screen. Improving upon Exchange 2000
setup, the organization name deferral was designed so that:

• Administrators are not forced to make the organization name decision
  during forestprep.

• Enterprise/schema admins are not forced to be given Exchange Server 5.5
  admin site permissions to run forestprep.

Conversely, Exchange 2003 installers (who are admins of an Exchange 5.5 site)
are not required to have enterprise/schema admin permissions when later
installing the first Exchange Server 2003 machine. Installers are also no longer
required to have the Active Directory Connector (ADC) installed when running
forestprep.
Troubleshooting temporary org object creation: Should there be any problem
creating this GUID-named object, it is most likely a permissions issue, caught
at the prerequisite stage with a descriptive error message. If this is the
case, ensure that the logged-on user has Full Control on the cn=Microsoft
Exchange,cn=Services,cn=Configuration,dc=<forest root DN> container. (By
default, Enterprise Admins has this permission.) Although it is possible to
create the temporary org object manually, doing so is neither recommended nor
supported, since it would also require manually creating scores of child
objects and setting their permissions appropriately.


“Installation Type” prompt moves to server setup mode
In Exchange 2000 Server, running setup with the /forestprep switch whilst in a
clean forest (where there is no Exchange organization object) would always
prompt the installer with the “Installation Type” screen. This page of the setup
wizard would ask if a new Exchange organization needed to be created or if
setup should join an existing Exchange 5.5 organization. Therefore, Exchange
2000 setup /forestprep not only extended the schema; for the 5.5-joining case, it
would also connect and perform intensive sync operations (via a temporary
config CA) with the Exchange 5.5 directory. This is why with Exchange 2000
setup, the platinum-osmium synchronizer ran twice: once during explicit
forestprep and again during normal server setup. (The exception is if only
setup.exe is run without switches, thereby setting the forestprep component to
“Install” mode so that the platinum-osmium synchronizer runs only once.)


Figure 1.1: The "Installation Type" prompt is no longer shown during
/forestprep mode.
In Exchange Server 2003, the "Installation Type" prompt has moved to the
server setup mode. That is, the prompt will only occur when running setup.exe
without switches, and it will only occur once: when the first Exchange Server
2003 machine is being installed into a forest with no pre-existing Exchange
organization object. (The Exchange organization object is located at
cn=<orgname>,cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<dn of the
forest root>.) If the installer chooses to create a new organization, the
placeholder orgname is renamed to whatever the installer desires. If the
installer chooses the Exchange 5.5 coexistence option, the temporary orgname is
renamed to match the Exchange 5.5 organization name. In Exchange Server 2003,
the 5.5 (Osmium) synchronization process with Active Directory occurs only
once, so only a permanent config CA comes into existence (no temporary config
CA is created). Table 1.1 outlines the different states of the organization
object that can exist in Active Directory:


Setup Action / Detected State                   | setup /ForestPrep     | setup (install a server)
------------------------------------------------|-----------------------|------------------------------------------
No organization object                          | Create temporary org  | Ask user for org type/name; create org
Temporary organization object                   | N/A                   | Ask user for org type/name; rename
{335A1087-5131-4D45-BE3E-3C6C7F76F5EC}          |                       | temporary org
Named organization object (exists in place of   | N/A                   | N/A
the GUID)                                       |                       |

Table 1.1: Creation flow for Exchange Organization object in Active Directory

This architectural change does not affect manual creation of the first
Administrative Group through System Manager (per 215930). However, when
customers launch Exchange System Manager to manually create their
administrative group, they might be surprised to see the GUID,
{335A1087-5131-4D45-BE3E-3C6C7F76F5EC}.
Note: When the temporary organization object exists, you must not run
Exchange 2000 Server setup. Although it is not blocked by a prerequisite
check, later in the setup process the Exchange 2000 Server setup wizard does
not understand the GUID organization object, and the installation is likely to
fail catastrophically.

Server Setup mode no longer stamps organization-level permissions
Previously, the Exchange 2000 Server SETUP program would re-stamp Exchange
Organization permissions on each server install. The drawback was that this
action would overwrite any custom changes to the permissions structure, such as
removing the permission for all users to create top-level public folders. So if
a customer kept having his/her top-level permissions reset, this was a
perceived security risk.
In Exchange Server 2003, the setup process has changed so that it stamps
default permissions on the Exchange Organization object only once (on the first
server install/upgrade) and does not re-stamp permissions for subsequent
installations. Although this removes the need for the security workaround, the
previous behavior was a useful support tool for quickly repairing environments
in which customers had inappropriately modified the Active Directory
permissions on containers, causing operational problems in Exchange. A typical
problem would be a paranoid administrator removing required access control
lists (ACLs) on various objects underneath the "Microsoft Exchange" container.
So in order to correct the problem, or to revert to Exchange 2000 Server
settings, one must now manually correct the Active Directory permissions by
applying the permissions listed in Table 1.4 under the section entitled "New
per-object permissions changes during setup." If the customer does not mind
that the security settings revert to the Exchange 2000 Server configuration,
then run Exchange 2000 setup to "join" a new Exchange 2000 server object to the
existing Exchange 2003 organization.



Setup Actions Require New Active Directory Permissions

Because there are several setup modes and component options, setup requires
different combinations of Active Directory permissions, depending upon the
detected topology. For example, setup operations dealing with a Site
Replication Service (SRS) still require Exchange Full Administrator at the
Organization level. Table 1.2 outlines the permissions required of the
logged-on user.
Setup Action                                                          | Active Directory Permission(s) required
----------------------------------------------------------------------|-------------------------------------------------------------------
Install first Exchange 2003 server in a domain                        | Exchange Full Administrator at Organization level
Install first Exchange 2003 server into a 5.5 site (SRS-enable)       | Exchange Full Administrator at Organization level
Uninstall/reinstall Exchange 2003 with an SRS                         | Exchange Full Administrator at Organization level
First "ForestPrep" in forest [with schema update], or ADC's setup     | Enterprise Admin [+ Schema Admin]
when older schema is detected, or ADC's setup used with the explicit  |
"schemaonly" switch                                                   |
Subsequent "ForestPrep"                                               | Exchange Full Administrator at Organization level
"DomainPrep"                                                          | Domain Administrator
Install a server to have first instance of a Groupwise/Lotus Notes    | Exchange Full Administrator at Organization level
connector                                                             |
Install, maintain or remove server containing Key Management Server   | Enterprise Admin
Install, maintain or remove server with SRS enabled                   | Exchange Full Administrator at Organization level
Install additional server (non-SRSs, cluster EVSs)                    | Exchange Full Administrator at Admin Group level + machine
                                                                      | account added to Domain Servers group
Run maintenance mode on any server (except Key Management Server or   | Exchange Full Administrator at Admin Group level
SRS enabled)                                                          |
Remove a server (no SRS present)                                      | Exchange Full Administrator at Admin Group level + remove
                                                                      | machine account from Domain Servers group after setup
Remove last server in org                                             | Exchange Full Administrator at Organization level
Apply service pack                                                    | Exchange Administrator at Admin Group level

Table 1.2: Setup Matrix

Several of the above actions require "Exchange Full Administrator" at the
organization level. Although it is possible to manually create and grant
Exchange Administrator-like permissions through ADSI Edit, it is not
recommended, because the specific combination of permissions and
inherited-rights settings is not easy to set, and setting "Full Control" on the
organization object would be overkill. The recommended methods for granting
Exchange Full Administrator at the org level are to either:

• Rerun /forestprep so that the Exchange setup wizard will prompt for an
  additional account to be granted Org permissions, or

• Use the Exchange System Manager's delegation wizard by right-clicking on
  the top-most organization object.

The proper method of granting Exchange Full Administrator at the Admin Group
level is to launch Exchange System Manager's delegation wizard by
right-clicking on an Administrative Group name.
In Exchange 2000, you needed to be a full admin at the organization level to
install, maintain, or remove any server. Unfortunately, customers wanted to
deploy well-separated admin groups and delegate administrators on those
administrative groups who would be able to handle routine tasks, like
installing and maintaining servers. (This had been the 5.5 model, of course.)
Our customer experience team and customers themselves expended considerable
ingenuity trying to find ways to work around this requirement in Exchange 2000
setup, but all in vain: even if you managed to bypass the permission
prerequisite, setup would still fail, since it refreshed org-level settings and
permissions during every server install, and without org-level rights you
wouldn't have access to those objects.
In Exchange 2003, full admin-group-level admins can now install, maintain, and
remove most servers within their own administrative group. However, there are
still exceptions: you still need full org admin permissions when installing the
SRS or the first Exchange 2003 server into a domain. In the latter case, the
first server installed into any given domain must set the access control
entries (ACEs) for that domain's "Exchange Domain Servers" group on the
org-level object, which means that setup needs full org permissions.


New Per-Object Permissions Changes During Setup:
In addition to new permissions requirements, Exchange 2003 setup modifies
Access Control Entries that were set by Exchange 2000. Tables 1.5-1.6 describe
these Active Directory object-level access control list (ACL) changes, and
tables 1.7-1.8 describe the NTFS-ACL changes. However, interpreting the
tables requires a key:

Key to Reading the tables
Permissions that are listed in the tables with a double strike-through are
removed by Exchange 2003 setup. They represent permissions that were set in
Exchange 2000, but which have since been deprecated from the security model.
Each table begins with the distinguished name (also known as DN) of the object
it applies to. After that, the table lists when the right is stamped: during the
ForestPrep phase, while installing a server, etc.
In some cases, the ACL is not stamped on the usual property
(ntSecurityDescriptor), but on some other property, e.g.,
"msExchMailboxSecurityDescriptor". The directory service, of course, cannot
enforce security that is not specified in the NT security descriptor; in most
cases, these ACLs will be picked up and replicated to store ACLs on
appropriate objects by the store service. There is, unfortunately, no tool for
viewing these ACLs as anything other than raw binary data.
The columns of the table are as follows:

Column                  | Meaning
------------------------|--------------------------------------------------------------------
Account                 | The security principal granted or denied the permissions.
A                       | Checked if this is an allow ACE.
D                       | Checked if this is a deny ACE. Allow and Deny are mutually exclusive.
I                       | Checked if this ACE inherits to child objects.
Right                   | The permissions allowed or denied. Extended rights are given in italics.
On Property/Applies To  | In some cases, the permission applies only to a given property,
                        | property set, or object class; if so, that is specified here.
Reason                  | The reason this permission is required.

Table 1.3: Legend for columns of charts 1.5-1.9

The rights are generally listed in the table by the names used on the ADSIEdit
Security property page, under the “Advanced” view, on the “View/Edit” tab.
The ADSIEdit Security property page lists a much more condensed view of the
rights. LDP.exe displays the access mask directly, as a numerical value. The
setup code refers to the rights by predefined constants.
The following table summarizes the relationships between these values:

ADSIEdit Summary Page     | ADSIEdit Advanced Page, View/Edit Tab       | #define (constants combined with bitwise OR)          | Binary value ("Mask" in LDP)
--------------------------|---------------------------------------------|-------------------------------------------------------|-----------------------------
Full Control              | Full Control                                | WRITE_OWNER, WRITE_DAC, READ_CONTROL, DELETE,         | 0x000F01FF
                          |                                             | ACTRL_DS_CONTROL_ACCESS, ACTRL_DS_LIST_OBJECT,        |
                          |                                             | ACTRL_DS_DELETE_TREE, ACTRL_DS_WRITE_PROP,            |
                          |                                             | ACTRL_DS_READ_PROP, ACTRL_DS_SELF, ACTRL_DS_LIST,     |
                          |                                             | ACTRL_DS_DELETE_CHILD, ACTRL_DS_CREATE_CHILD          |
Read                      | List Contents + Read All Properties +       | ACTRL_DS_LIST, ACTRL_DS_READ_PROP, READ_CONTROL       | 0x00020014
                          | Read Permissions                            |                                                       |
Write                     | Write All Properties + All Validated Writes | ACTRL_DS_WRITE_PROP, ACTRL_DS_SELF                    | 0x00000028
                          | List Contents                               | ACTRL_DS_LIST                                         | 0x00000004
                          | Read All Properties                         | ACTRL_DS_READ_PROP                                    | 0x00000010
                          | Write All Properties                        | ACTRL_DS_WRITE_PROP                                   | 0x00000020
                          | Delete                                      | DELETE                                                | 0x00010000
                          | Delete Subtree                              | ACTRL_DS_DELETE_TREE                                  | 0x00000040
                          | Read Permissions                            | READ_CONTROL                                          | 0x00020000
                          | Modify Permissions                          | WRITE_DAC                                             | 0x00040000
                          | Modify Owner                                | WRITE_OWNER                                           | 0x00080000
                          | All Validated Writes                        | ACTRL_DS_SELF                                         | 0x00000008
                          | All Extended Rights                         | ACTRL_DS_CONTROL_ACCESS                               | 0x00000100
Create All Child Objects  | Create All Child Objects                    | ACTRL_DS_CREATE_CHILD                                 | 0x00000001
Delete All Child Objects  | Delete All Child Objects                    | ACTRL_DS_DELETE_CHILD                                 | 0x00000002
                          |                                             | ACTRL_DS_LIST_OBJECT                                  | 0x00000080

Table 1.4: Bit values for tables
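Because LDP.exe shows only the raw mask, a small decoder that turns the number back into the #define names and ADSIEdit labels of Table 1.4 is the quickest way to read an ACE pulled from a security descriptor. The following is an added example for this module, not code from the training material or from Microsoft; the bit values are the ones listed in Table 1.4, and the "List Object" label given to ACTRL_DS_LIST_OBJECT is an assumption, since the table leaves that cell blank. It also flags any bit the table does not list, which is what you would see for an ACE written by a tool other than setup.

```python
"""Decode an Active Directory access mask ("Mask" in LDP.exe) into the #define
names and ADSIEdit labels of Table 1.4.  Added example, not part of the module."""

from typing import List, Optional, Union

# (#define name, ADSIEdit Advanced-page label, bit value), lowest bit first.
# The "List Object" label is an assumption; Table 1.4 leaves that cell blank.
ADS_RIGHTS = [
    ("ACTRL_DS_CREATE_CHILD",   "Create All Child Objects", 0x00000001),
    ("ACTRL_DS_DELETE_CHILD",   "Delete All Child Objects", 0x00000002),
    ("ACTRL_DS_LIST",           "List Contents",            0x00000004),
    ("ACTRL_DS_SELF",           "All Validated Writes",     0x00000008),
    ("ACTRL_DS_READ_PROP",      "Read All Properties",      0x00000010),
    ("ACTRL_DS_WRITE_PROP",     "Write All Properties",     0x00000020),
    ("ACTRL_DS_DELETE_TREE",    "Delete Subtree",           0x00000040),
    ("ACTRL_DS_LIST_OBJECT",    "List Object",              0x00000080),
    ("ACTRL_DS_CONTROL_ACCESS", "All Extended Rights",      0x00000100),
    ("DELETE",                  "Delete",                   0x00010000),
    ("READ_CONTROL",            "Read Permissions",         0x00020000),
    ("WRITE_DAC",               "Modify Permissions",       0x00040000),
    ("WRITE_OWNER",             "Modify Owner",             0x00080000),
]
_BIT_BY_NAME = {name: bit for name, _, bit in ADS_RIGHTS}


def mask_of(*names: str) -> int:
    """OR together the named #define constants (KeyError on a misspelt name)."""
    mask = 0
    for name in names:
        mask |= _BIT_BY_NAME[name]
    return mask


# The ADSIEdit summary-page bundles from Table 1.4, computed from their parts.
FULL_CONTROL = mask_of(*(name for name, _, _ in ADS_RIGHTS))           # 0x000F01FF
READ = mask_of("ACTRL_DS_LIST", "ACTRL_DS_READ_PROP", "READ_CONTROL")  # 0x00020014
WRITE = mask_of("ACTRL_DS_WRITE_PROP", "ACTRL_DS_SELF")                # 0x00000028
SUMMARY_PAGE = {
    FULL_CONTROL: "Full Control",
    READ: "Read",
    WRITE: "Write",
    mask_of("ACTRL_DS_CREATE_CHILD"): "Create All Child Objects",
    mask_of("ACTRL_DS_DELETE_CHILD"): "Delete All Child Objects",
}


def _to_int(mask: Union[int, str]) -> int:
    """Accept an int or the hex string LDP prints (e.g. "0x000F01FF")."""
    return int(mask, 0) if isinstance(mask, str) else mask


def decode_mask(mask: Union[int, str]) -> List[str]:
    """#define names set in the mask; unknown bits come back as UNKNOWN_0x...."""
    value = _to_int(mask)
    names = []
    for name, _, bit in ADS_RIGHTS:
        if value & bit:
            names.append(name)
            value &= ~bit
    if value:                      # bits Table 1.4 does not describe
        names.append(f"UNKNOWN_0x{value:08X}")
    return names


def adsiedit_labels(mask: Union[int, str]) -> List[str]:
    """What the ADSIEdit Advanced page would tick for this mask."""
    value = _to_int(mask)
    return [label for _, label, bit in ADS_RIGHTS if value & bit]


def summary_label(mask: Union[int, str]) -> Optional[str]:
    """Summary-page name if the mask is exactly one of the table's bundles."""
    return SUMMARY_PAGE.get(_to_int(mask))


def describe(mask: Union[int, str]) -> str:
    """One-line rendering: mask, summary name (if any) and constants."""
    value = _to_int(mask)
    summary = summary_label(value) or "(no summary-page name)"
    return f"0x{value:08X} {summary}: " + " | ".join(decode_mask(value))


if __name__ == "__main__":
    for sample in ("0x000F01FF", "0x00020014", "0x00000028", 0x00000130):
        print(describe(sample))
```

Feed it the mask column from an LDP dump: a value that decodes with an UNKNOWN_ entry, or one whose summary_label() is None, is an ACE that did not come from the stock setup stamping and deserves a closer look.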

Permissions Modified On Active Directory Objects in the Configuration Naming Context

Microsoft Exchange Container
cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<domain>
Account                   | A | D | I | Right                                                 | On Property/Applies To | Reason
--------------------------|---|---|---|-------------------------------------------------------|------------------------|-------------------------------------------------
During ForestPrep phase
Authenticated Users       | X |   |   | List Contents; Read All Properties                    |                        | Allow DomainPrep to read Full Org Admins
Designated Admin Account  | X |   | X | Full Control                                          |                        | Allow Full Org Admin to administer org
During server install
Exchange Domain Servers   | X |   | X | Read Permissions; Read All Properties; List Contents  |                        | Allow Exchange servers to read config info
During ADC setup
Exchange Services         | X |   | X | Full Control                                          |                        | Allow ADC servers to create/delete objects to keep Exchange config up to date

ADC Connection Agreement Container
cn=Active Directory Connections,cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<domain>
Account                   | A | D | I | Right                                                 | On Property/Applies To | Reason
--------------------------|---|---|---|-------------------------------------------------------|------------------------|-------------------------------------------------
During server install
Exchange Domain Servers   | X |   | X | Full Control                                          |                        |

Organization Container
cn=<org>,cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<domain>
Account                       | A | D | I | Right                                                                      | On Property/Applies To                    | Reason
------------------------------|---|---|---|----------------------------------------------------------------------------|-------------------------------------------|-------------------------------------------------
During ForestPrep phase
Authenticated Users           | X |   |   | Read All Properties; ACTRL_DS_LIST_OBJECT                                  |                                           | Allow DomainPrep to read Full Org Admins
Designated admin account      |   | X | X | Send As                                                                    |                                           | Exchange admins are not allowed to open mailboxes
Designated admin account      |   | X | X | Receive As                                                                 |                                           | Exchange admins are not allowed to open mailboxes
Enterprise Admins             |   | X | X | Send As                                                                    |                                           | NT admins are not allowed to open mailboxes
Enterprise Admins             |   | X | X | Receive As                                                                 |                                           | NT admins are not allowed to open mailboxes
Domain Admins of root domain  |   | X | X | Send As                                                                    |                                           | NT admins are not allowed to open mailboxes
Domain Admins of root domain  |   | X | X | Receive As                                                                 |                                           | NT admins are not allowed to open mailboxes
During server install
Everyone                      | X |   | X | Create top-level public folder                                             |                                           |
Everyone                      | X |   | X | Create public folder                                                       |                                           |
Everyone                      | X |   | X | Create named properties in the information store                           |                                           |
Everyone                      | X |   | X | Read Permissions; Read All Properties; List Contents; ACTRL_DS_LIST_OBJECT | Applies to object class: msExchPrivateMDB |
Everyone                      | X |   | X | Read Permissions; Read All Properties; List Contents; ACTRL_DS_LIST_OBJECT | Applies to object class: msExchPublicMDB  |
Everyone                      | X |   | X | Read Permissions; Read All Properties; List Contents; ACTRL_DS_LIST_OBJECT | Applies to object class: mTA              |
ANONYMOUS LOGON               | X |   | X | Create top-level public folder                                             |                                           | In Windows 2003 "Everyone" no longer includes "Anonymous Logon," so we must grant those rights explicitly
ANONYMOUS LOGON               | X |   | X | Create public folder                                                       |                                           |
ANONYMOUS LOGON               | X |   | X | Create named properties in the information store                           |                                           |
ANONYMOUS LOGON               | X |   | X | Read Permissions; Read All Properties; List Contents; ACTRL_DS_LIST_OBJECT | Applies to object class: msExchPrivateMDB |
ANONYMOUS LOGON               | X |   | X | Read Permissions; Read All Properties; List Contents; ACTRL_DS_LIST_OBJECT | Applies to object class: msExchPublicMDB  |
ANONYMOUS LOGON               | X |   | X | Read Permissions; Read All Properties; List Contents; ACTRL_DS_LIST_OBJECT | Applies to object class: mTA              |
Exchange Domain Servers       | X |   | X | All Extended Rights                                                        |                                           |
Exchange Domain Servers       | X |   | X | Create All Child Objects                                                   |                                           |
Exchange Domain Servers       | X |   | X | Write Property                                                             | Property Set: Public Information          | Maintain mail-enabled config objects (e.g., MAD.EXE)
Exchange Domain Servers       | X |   | X | Write Property                                                             | Property Set: Personal Information        | Maintain mail-enabled config objects (e.g., MAD.EXE)
Exchange Domain Servers       | X |   | X | Full Control                                                               | Applies to object class: siteAddressing   |
When enabling an SRS (ACE is removed when SRS is disabled)
MACHINE$                      | X |   | X | Create All Child Objects; Delete All Child Objects; ACTRL_DS_LIST_OBJECT   |                                           | SRS must be able to create/delete admin groups

Address Lists Container
cn=Address Lists Container,cn=<org>,cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<domain>
Account                   | A | D | I | Right                                                 | On Property/Applies To | Reason
--------------------------|---|---|---|-------------------------------------------------------|------------------------|-------------------------------------------------
During server install
Authenticated Users       | X |   | X | List Contents                                         |                        |

Addressing Container
cn=Addressing,cn=<org>,cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<domain>
Account                   | A | D | I | Right                                                 | On Property/Applies To | Reason
--------------------------|---|---|---|-------------------------------------------------------|------------------------|-------------------------------------------------
During server install
Authenticated Users       | X |   | X | List Contents; Read All Properties; Read Permissions  |                        |

Recipient Update Services Container
cn=Recipient Update Services,cn=Address Lists Container,cn=<org>,cn=Microsoft Exchange,cn=Services,cn=Configuration...
Account                   | A | D | I | Right                                                 | On Property/Applies To | Reason
--------------------------|---|---|---|-------------------------------------------------------|------------------------|-------------------------------------------------
During server install
Exchange Domain Servers   | X |   | X | Full Control                                          |                        |

Administrative Group
cn=<admin group>,cn=Administrative Groups,cn=<org>,cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<domain>
Account                   | A | D | I | Right                                                 | On Property/Applies To | Reason
--------------------------|---|---|---|-------------------------------------------------------|------------------------|-------------------------------------------------
During server install (set on attribute msExchPFDefaultAdminACL)
Authenticated Users       | X |   | X | Create public folder                                  |                        |

Default TLH
cn=Public Folders,cn=All Folder Hierarchies,cn=<admin group>,cn=Administrative Groups,cn=<org>,cn=Microsoft Exchange...
Account                   | A | D | I | Right                                                 | On Property/Applies To | Reason
--------------------------|---|---|---|-------------------------------------------------------|------------------------|-------------------------------------------------
During server install (set on attribute msExchPFDefaultAdminACL)
Authenticated Users       | X |   | X | Create public folder                                  |                        |

Connections Container
cn=Connections,cn=<routing group>,cn=Routing Groups,cn=<admin group>,cn=Administrative Groups,cn=<org>...
Account                   | A | D | I | Right                                                 | On Property/Applies To | Reason
--------------------------|---|---|---|-------------------------------------------------------|------------------------|-------------------------------------------------
During server install
Exchange Domain Servers   | X |   | X | Full Control                                          |                        |

Servers Container
cn=Servers,cn=<admin group>,cn=Administrative Groups,cn=<org>,cn=Microsoft Exchange,cn=Services...
Account                   | A | D | I | Right                                                 | On Property/Applies To | Reason
--------------------------|---|---|---|-------------------------------------------------------|------------------------|-------------------------------------------------
During server install, or during Exchange 2003 setup /ForestPrep
Exchange Domain Servers   |   | X | X | Receive As                                            |                        | No server needs to read mail except on its own store
During server install (ACEs defined in schema defaultSecurityDescriptor)
Authenticated Users       | X |   |   | List Contents                                         |                        |

Server Object
cn=<server>,cn=Servers,cn=<admin group>,cn=Administrative Groups,cn=<org>,cn=Microsoft Exchange,cn=Services...
Account                   | A | D | I | Right                                                 | On Property/Applies To | Reason
--------------------------|---|---|---|-------------------------------------------------------|------------------------|-------------------------------------------------
During server install (if the server is NOT a cluster Virtual Machine)
MACHINE$                  | X |   | X | Full Control                                          |                        | Server must be able to maintain its own config
During server install (if the server IS a cluster Virtual Machine)
NODE1$, NODE2$, etc...    | X |   | X | Full Control                                          |                        | Every node in a cluster that owns an EVS must be able to maintain the EVS config
Exchange Domain Servers   | X |   | X | Full Control                                          |                        | EVS must be able to maintain its own config, but setup can't tell which specific server to grant control to
During server install (ACEs defined in schema defaultSecurityDescriptor)
Authenticated Users       | X |   |   | Read Properties                                       |                        |
When EDSLOCK script is run; ACE is REMOVED by Titanium ForestPrep
Exchange Domain Servers   |   | X | X | Receive As                                            |                        | No server needs to read mail except on its own stores

Protocols Container
cn=Protocols,cn=<server>,cn=Servers,cn=<admin group>,cn=Administrative Groups,cn=<org>,cn=Microsoft Exchange...
Account                   | A | D | I | Right                                                 | On Property/Applies To | Reason
--------------------------|---|---|---|-------------------------------------------------------|------------------------|-------------------------------------------------
During server install
Everyone                  | X |   | X | List Contents                                         |                        |
Everyone                  | X |   | X | Read metabase properties                              |                        |

System Attendant Object
cn=Microsoft System Attendant,cn=<server>,cn=Servers,cn=<admin group>,cn=Administrative Groups,cn=<org>...
Account                   | A | D | I | Right                                                 | On Property/Applies To | Reason
--------------------------|---|---|---|-------------------------------------------------------|------------------------|-------------------------------------------------
During server install (set on attribute msExchMailboxSecurityDescriptor)
LocalSystem               | X |   | X | Read Permissions; fsdspermUserSendAs; fsdspermUserMailboxOwner |               |
Exchange Domain Servers   | X |   | X | Read Permissions; fsdspermUserSendAs; fsdspermUserMailboxOwner |               |
5.5 Service Account       | X |   | X | Read Permissions; fsdspermUserSendAs; fsdspermUserMailboxOwner |               |
(if given)                |   |   |   |                                                       |                        |

MTA Object
cn=Microsoft MTA,cn=<server>,cn=Servers,cn=<admin group>,cn=Administrative Groups,cn=<org>...
Account                   | A | D | I | Right                                                 | On Property/Applies To | Reason
--------------------------|---|---|---|-------------------------------------------------------|------------------------|-------------------------------------------------
During server install or when enabling an SRS
5.5 Service Account       | X |   | X | Send As                                               |                        | Required to send/receive mail from 5.5 servers
(if given)                |   |   |   |                                                       |                        |
5.5 Service Account       | X |   | X | Receive As                                            |                        | Required to send/receive mail from 5.5 servers
(if given)                |   |   |   |                                                       |                        |

Table 1.5: Configuration Naming Context permission changes
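Two of the rows above only make sense once the order in which Windows evaluates a DACL is kept in mind: the Designated Admin Account is granted Full Control on cn=Microsoft Exchange, yet the Deny "Send As"/"Receive As" stamped on cn=<org> still stops that account opening mailboxes below the org. The following added example (not code from the training material or from Microsoft) models the canonical ACE order and the access-check walk in Python and applies it to a constructed subset of the Table 1.5 ACEs. It also answers the question from the troubleshooting note on the temporary org object, whether the logged-on principal holds Full Control on cn=Microsoft Exchange. Rights are modelled as names instead of access-mask bits and extended-right GUIDs, Full Control is modelled as the complete right set, and the org name, server name and mailbox-store DN are constructed for the example.

```python
"""Windows DACL evaluation applied to the Table 1.5 ACEs.  Added example, not
part of the module; DNs, "First Org" and "SRV1" are constructed."""

from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

# Small universe of rights. In AD, Full Control covers every right, including
# extended rights such as Send As / Receive As, so it is the whole set here.
ALL_RIGHTS = frozenset({
    "List Contents", "Read All Properties", "Write All Properties",
    "Create All Child Objects", "Delete All Child Objects",
    "Read Permissions", "Modify Permissions", "Send As", "Receive As",
})
FULL_CONTROL = ALL_RIGHTS


@dataclass(frozen=True)
class Ace:
    trustee: str
    allow: bool                # A column = True, D column = False
    rights: FrozenSet[str]
    inherit: bool = True       # I column: ACE flows to child objects


@dataclass
class AdObject:
    dn: str
    parent: Optional["AdObject"] = None
    aces: List[Ace] = field(default_factory=list)   # explicit ACEs only

    def effective_dacl(self) -> List[Ace]:
        """Canonical order: explicit ACEs first, then inherited ACEs with the
        nearest ancestor's first; inside each group Deny precedes Allow."""
        groups = [list(self.aces)]
        node = self.parent
        while node is not None:
            groups.append([a for a in node.aces if a.inherit])
            node = node.parent
        ordered: List[Ace] = []
        for group in groups:
            ordered.extend(sorted(group, key=lambda a: a.allow))  # deny (False) first
        return ordered


def access_check(obj: AdObject, principals: FrozenSet[str],
                 requested: FrozenSet[str]) -> bool:
    """Walk the DACL in order: an allow ACE removes the rights it grants from the
    request; a deny ACE that hits any still-outstanding right fails the check;
    anything left ungranted at the end is an implicit deny."""
    remaining = set(requested)
    for ace in obj.effective_dacl():
        if ace.trustee not in principals:
            continue
        if ace.allow:
            remaining -= ace.rights
            if not remaining:
                return True
        elif remaining & ace.rights:
            return False
    return not remaining


def build_tree():
    """Constructed subset of Table 1.5: ForestPrep ACEs on cn=Microsoft Exchange
    and cn=<org>, the Servers-container deny, and an empty mailbox-store object."""
    ms_exchange = AdObject("cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=example", aces=[
        Ace("Designated Admin Account", True, FULL_CONTROL),
        Ace("Exchange Domain Servers", True,
            frozenset({"Read Permissions", "Read All Properties", "List Contents"})),
    ])
    org = AdObject("cn=First Org,cn=Microsoft Exchange,...", parent=ms_exchange, aces=[
        Ace("Designated Admin Account", False, frozenset({"Send As"})),
        Ace("Designated Admin Account", False, frozenset({"Receive As"})),
        Ace("Enterprise Admins", False, frozenset({"Send As", "Receive As"})),
    ])
    servers = AdObject("cn=Servers,cn=First Administrative Group,...", parent=org, aces=[
        Ace("Exchange Domain Servers", False, frozenset({"Receive As"})),
    ])
    store = AdObject("cn=Mailbox Store (SRV1),cn=First Storage Group,cn=InformationStore,cn=SRV1,...",
                     parent=servers)   # constructed DN, no explicit ACEs
    return ms_exchange, org, servers, store


def forestprep_prereq_ok(principals: FrozenSet[str]) -> bool:
    """The check behind the temporary-org troubleshooting note: Full Control on
    cn=Microsoft Exchange for the logged-on principal (and its groups)."""
    ms_exchange, *_ = build_tree()
    return access_check(ms_exchange, principals, FULL_CONTROL)


def can_open_mailboxes(principals: FrozenSet[str]) -> bool:
    *_, store = build_tree()
    return access_check(store, principals, frozenset({"Receive As"}))


def can_manage_store(principals: FrozenSet[str]) -> bool:
    *_, store = build_tree()
    return access_check(store, principals, frozenset({"Read All Properties", "Write All Properties"}))


def explicit_grant_overrides_inherited_deny() -> bool:
    """An explicit allow on the store precedes every inherited ACE, so it beats
    the deny inherited from cn=<org>."""
    *_, store = build_tree()
    store.aces.append(Ace("Designated Admin Account", True, frozenset({"Receive As"})))
    return access_check(store, frozenset({"Designated Admin Account"}), frozenset({"Receive As"}))


if __name__ == "__main__":
    admin = frozenset({"Designated Admin Account"})
    print("ForestPrep prerequisite met:", forestprep_prereq_ok(admin))
    print("Admin can manage store:     ", can_manage_store(admin))
    print("Admin can open mailboxes:   ", can_open_mailboxes(admin))
    print("Explicit grant wins:        ", explicit_grant_overrides_inherited_deny())
```

The ordering is the whole point: the deny inherited from cn=<org> sits in front of the Full Control inherited from its parent, so it is hit first; an explicit ACE on the store itself sits in front of both, which is why a hand-edited ACE deep in the tree can silently undo the org-level design, and why the re-stamping behaviour discussed earlier was valued as a repair tool.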

Permissions Modified On Active Directory Objects in Domain Naming Context

Domain Container
dc=<domain>

Account | A | D | I | Right | On Property/Applies To | Reason
During DomainPrep phase
Exchange Enterprise Servers | X | | X | Write Property | Property Set: Public Information | Maintain mail-enabled user attributes
Exchange Enterprise Servers | X | | X | Write Property | Property Set: Personal Information | Maintain mail-enabled user attributes
Exchange Enterprise Servers | X | | X | Write Property | On property: groupType |
Exchange Enterprise Servers | X | | X | Write Property | On property: displayName |
Exchange Enterprise Servers | X | | X | Manage Replication Topology | | Allow Recipient Update Service to track replication changes
Exchange Enterprise Servers | X | | X | List Contents | | Duplicates permissions granted to “Pre-Windows 2000 Compatible Access” group
Exchange Enterprise Servers | X | | X | Read Permissions, Read All Properties, List Contents, ACTRL_DS_LIST_OBJECT | Applies to object class: user |
Exchange Enterprise Servers | X | | X | Read Permissions, Read All Properties, List Contents, ACTRL_DS_LIST_OBJECT | Applies to object class: group |
Exchange Enterprise Servers | X | | X | Modify Permissions | Applies to object class: group | Maintain ACLs for groups with hidden membership
During DomainPrep phase (if running against Whistler schema)
Exchange Enterprise Servers | X | | X | Read Permissions, Read All Properties, List Contents, ACTRL_DS_LIST_OBJECT | Applies to object class: InetOrgPerson | We need same perms on InetOrgPersons as on Users

Domain Proxy Container
cn=Microsoft Exchange System Objects,dc=<domain>

Account | A | D | I | Right | On Property/Applies To | Reason
During DomainPrep phase
Exchange Enterprise Servers | X | | X | Full Control | | Add/delete/modify proxy objects
Exchange Domain Servers | X | | X | Full Control | | Add/delete/modify proxy objects
Authenticated Users | X | | X | Read Permissions | | Allow access to PF objects
Authenticated Users | X | | X | Read Property | garbageCollPeriod | Allow access to PF objects
Authenticated Users | X | | X | Read Property | adminDisplayName | Allow access to PF objects
Authenticated Users | X | | X | Read Property | modifyTimeStamp | Allow access to PF objects
During DomainPrep (ACEs defined in schema defaultSecurityDescriptor)
Authenticated Users | X | | | Read Permissions, Read All Properties, List Contents, ACTRL_DS_LIST_OBJECT | |
Set by the Recipient Update Service
All delegated org-level and admin-group level Full Admins | X | | X | Full Control | |
All delegated org-level and admin-group level Admins | X | | X | Read Permissions, List Contents, All Validated Writes, Read All Properties, Write All Properties, Create All Child Objects, Delete All Child Objects | |
All delegated org-level and admin-group level View-Only Admins | X | | X | Read Permissions, Read All Properties, List Contents, ACTRL_DS_LIST_OBJECT | |

AdminSDHolder Container
cn=AdminSDHolder,cn=System,dc=<domain>

Account | A | D | I | Right | On Property/Applies To | Reason
During DomainPrep phase
Exchange Enterprise Servers | X | | X | Read Property, Write Property | Property Set: Public Information | This ACL is applied to users with domain admin rights
Exchange Enterprise Servers | X | | X | Read Property, Write Property | Property Set: Personal Information |
Exchange Enterprise Servers | X | | X | Read Property, Write Property | On property: displayName |
Exchange Enterprise Servers | X | | X | List Contents | |

Pre-Windows 2000 Compatible Access Group
cn=Pre-Windows 2000 Compatible Access,cn=Builtin,dc=<domain>

Account | A | D | I | Right | On Property/Applies To | Reason
During DomainPrep phase
Exchange Enterprise Servers | X | | X | Write Property | On property: member | The Recipient Update Service must add all Exchange Domain Servers groups to every domain’s Pre-W2K group

Exchange Enterprise Servers Group
cn=Exchange Enterprise Servers,cn=Users,dc=<domain>

Account | A | D | I | Right | On Property/Applies To | Reason
During DomainPrep phase
All existing org-level Full Admins | X | | | Full Control | | Admins running setup must be able to add/remove machine accounts from group
Exchange Enterprise Servers | X | | | Full Control | |
Set by the Recipient Update Service
All delegated org-level Full Admins | X | | X | Full Control | |

Exchange Domain Servers Group
cn=Exchange Domain Servers,cn=Users,dc=<domain>

Account | A | D | I | Right | On Property/Applies To | Reason
During DomainPrep phase
All existing org-level Full Admins | X | | | Full Control | | Admins running setup must be able to add/remove machine accounts from group
Exchange Enterprise Servers | X | | | Full Control | |
Set by the Recipient Update Service
All delegated org-level Full Admins | X | | X | Full Control | |

Table 1.6: Domain Naming Context permission changes

Last Saved: 7/24/2003 1:55 AM
Last Printed: 7/24/2003 12:55 PM

File System Permissions Modified During Setup
When setting ACLs in the file system, setup generally first examines the ACL
to see if there are any explicit (i.e., non-inherited) ACEs on the folder. If there
are, then setup assumes that one of two cases applies:
1. Setup has previously stamped ACLs on this folder, and there is no need to
do so again.
2. An administrator has manually adjusted permissions to his or her liking, and
setup should not overwrite those settings.
The effect is that, in the default case, setup stamps file system permissions on a
clean install, but does not modify them on reinstalls.

Installation Directory
C:\Program Files\Exchsrvr (by default; may be chosen during setup)

Account | A | D | I | Right | On Property/Applies To | Reason
During server install (if no pre-existing explicit ACEs)
For this folder, setup reads the ACL from the “Program Files” folder and duplicates it; the permissions shown below are those that exist by default on Program Files.
Authenticated Users | X | | X | Read & Execute | |
Server Operators | X | | X | Modify | |
Administrators | X | | X | Full Control | |
CREATOR OWNER | X | | X | Full Control | |
TERMINAL SERVER USER | X | | X | Modify | |
SYSTEM | X | | X | Full Control | |

Mailroot Directory
...\Exchsrvr\Mailroot

Account | A | D | I | Right | On Property/Applies To | Reason
During server install
Everyone | X | | X | Full Control | |
ANONYMOUS LOGON | X | | X | Full Control | |

Exchweb Directory
...\Exchsrvr\exchweb

Account | A | D | I | Right | On Property/Applies To | Reason
During server install (if no pre-existing explicit ACEs)
Authenticated Users | X | | X | Read | |

Exchweb\bin Directory
...\Exchsrvr\exchweb\bin

Account | A | D | I | Right | On Property/Applies To | Reason
During server install (if no pre-existing explicit ACEs)
Authenticated Users | X | | X | Read & Execute | |

Exchweb\bin\auth Directory
...\Exchsrvr\exchweb\bin\auth

Account | A | D | I | Right | On Property/Applies To | Reason
During server install (if no pre-existing explicit ACEs)
ANONYMOUS LOGON | X | | X | Read | |

Exchweb\img Directory
...\Exchsrvr\exchweb\img

Account | A | D | I | Right | On Property/Applies To | Reason
During server install (if no pre-existing explicit ACEs)
ANONYMOUS LOGON | X | | X | Read | |

Exchweb\controls Directory
...\Exchsrvr\exchweb\controls

Account | A | D | I | Right | On Property/Applies To | Reason
During server install (if no pre-existing explicit ACEs)
ANONYMOUS LOGON | X | | X | Read | |

Exchweb\cabs Directory
...\Exchsrvr\exchweb\cabs

Account | A | D | I | Right | On Property/Applies To | Reason
During server install (if no pre-existing explicit ACEs)
ANONYMOUS LOGON | X | | X | Read | |

Exchweb\views Directory
...\Exchsrvr\exchweb\views

Account | A | D | I | Right | On Property/Applies To | Reason
During server install (if no pre-existing explicit ACEs)
ANONYMOUS LOGON | X | | X | Read | |

Exchweb\help Directory
...\Exchsrvr\exchweb\help

Account | A | D | I | Right | On Property/Applies To | Reason
During server install (if no pre-existing explicit ACEs)
ANONYMOUS LOGON | X | | X | Read | |

Table 1.7: NTFS changes to Installation Directory and Subdirectories


New Setup Prerequisite Checks:

Marker Checks
During server setup, if the installer chooses to join an Exchange 5.5 site,
additional marker checks are enforced. This means that setup will check to see
if the deployment tools have been executed as far as step 2 in the ADC Tools
snap-in. (That step should have written the completion marker,
ADCUserCheck, to the description attribute of cn=Microsoft Exchange,
cn=services, cn=configuration, dc=<forest root DN> object in the configuration
naming context.) If the marker exists, setup will continue; otherwise, the
following error is displayed:

To ensure that an admin reads and performs the preparatory steps using the
deployment and ADC tools, rather than attempting to bypass the process
blindly, setup enforces this check when the first Exchange 2003 server joins an
admin group containing any Exchange 5.5 directories (which include SRSs).
Marker checks are not performed on additional installs into mixed AGs where
the first Exchange 2003 server has already joined an Exchange 5.5 site.
Note that the string “- Error: ADC Tools were not run in your organization.” is
a variable string (%s) which can be replaced if other conditions are satisfied.
For example, if the ADCUserCheck marker exists but other markers do not,
then the error message follows this format:
“Setup detected one or more of the following conditions that may affect your
Exchange deployment. Microsoft recommends resolving these conditions
before continuing this installation:\r\n%s\r\nPlease refer to your Exchange
Server 2003 Deployment Tools documentation on your CD for information
about correcting this problem.”
Here the %s string indicates that something has not yet finished replicating,
or has not been run from the deployment tools. Specifically, the %s string
changes according to the status of the other completion markers,
ADCObjectCheck and PubfoldCheck. However, failing the ADCObjectCheck
and PubfoldCheck markers will only warn the installer of that specific
problem; it will not prevent setup from continuing, unlike the ADCUserCheck
case.
Troubleshooting Tip If the customer is halted with the blocking error message,
use ADSI Edit or LDP.exe to view the description attribute. This is where any
of the three completion markers may exist. If ADCUserCheck is present, check
to see if its timestamp is older than two weeks. Note that if you’re not using
the credentials of a person who has full Exchange org permissions, you may
not be able to see this attribute. If the marker is not present, there are three
ways to populate it:
1. Manual entry through ADSI Edit.
2. Running exdeploy.exe from the command line with the /adcusercheck
switch. (If Exchange 5.5 and Active Directory objects are not in sync, this
method will populate the %s string with a warning indicating that objects
have not replicated. However, setup will not be blocked.)
3. Running the ADC Tools’ Step 2 button, or Step 4 (Verify button).
Although setup enforces the prerequisites, it is a non-setup “glue” DLL
(originally from deployment tools) that passes the prerequisite result back to
setup. Walksdll.dll is the “glue” because it is a wrapper that is called not only
by setup, but also from the deployment tools. Since setup shares the wrapper,
you may find that the DLL exists in two places on the CD: within the
setup\i386 folder, and also within \support\exdeploy. Upon launching setup, the
markers are checked using this logic:

Note References to “Greenfield scenario” or “Pure TI or pure TI/PT” in the
diagram above mean that pure Exchange 2003 or Exchange 2000/2003 admin
groups do not require marker checks.
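The marker-check decision described above, modelled offline as an added example (not Microsoft's setup or Walksdll.dll code): the storage format of the markers inside the description attribute is an assumption (one value per marker, “Name:ISO-timestamp”), and the warning wording for stale or missing warn-only markers is constructed here; the blocking template and the “ADC Tools were not run” string are the ones quoted on this page.

```python
from datetime import datetime, timedelta

# Blocking message quoted on this page; %s is replaced by the condition lines.
BLOCK_TEMPLATE = (
    "Setup detected one or more of the following conditions that may affect "
    "your Exchange deployment. Microsoft recommends resolving these conditions "
    "before continuing this installation:\r\n%s\r\nPlease refer to your Exchange "
    "Server 2003 Deployment Tools documentation on your CD for information "
    "about correcting this problem."
)
MISSING_ADCUSER = "- Error: ADC Tools were not run in your organization."
WARN_ONLY_MARKERS = ("ADCObjectCheck", "PubfoldCheck")  # warn, never block
STALE_AFTER = timedelta(weeks=2)  # the tip says to look for markers older than this


def parse_markers(description_values):
    """Map marker name -> timestamp. Assumed (constructed) storage format:
    one description value per marker, '<MarkerName>:<ISO-8601 timestamp>'."""
    markers = {}
    for value in description_values:
        name, sep, stamp = value.partition(":")
        if sep and name.endswith("Check"):
            markers[name] = datetime.fromisoformat(stamp)
    return markers


def evaluate_marker_checks(description_values, joins_55_site, first_2003_in_ag, now_iso):
    """Return (blocked, message). Checks run only when the first Exchange 2003
    server joins an admin group holding Exchange 5.5 directories; a missing
    ADCUserCheck blocks, missing ADCObjectCheck/PubfoldCheck only warn, and a
    stale ADCUserCheck is flagged (warning wording below is constructed)."""
    if not (joins_55_site and first_2003_in_ag):
        return False, ""  # greenfield or subsequent install: nothing to check
    markers = parse_markers(description_values)
    now = datetime.fromisoformat(now_iso)
    conditions = []
    if "ADCUserCheck" not in markers:
        conditions.append(MISSING_ADCUSER)
    elif now - markers["ADCUserCheck"] > STALE_AFTER:
        conditions.append("- Warning: ADCUserCheck marker is older than two weeks.")
    for name in WARN_ONLY_MARKERS:
        if name not in markers:
            conditions.append("- Warning: %s has not been run or has not replicated." % name)
    if not conditions:
        return False, ""
    return "ADCUserCheck" not in markers, BLOCK_TEMPLATE % "\r\n".join(conditions)
```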
