Forestprep and Domainprep Explained in Detail

by [Published on 7 Oct. 2004 / Last Updated on 7 Oct. 2004]

In this article I will give you a detailed overview of the Microsoft Exchange Forestprep and Domainprep process.

What is Forestprep and Domainprep

Before installing Microsoft Exchange 2003 Server, you must prepare your Windows 2003 forest. The Microsoft Active Directory Schema must be extended to save Exchange 2003 attributes and claases and permissions must be granted to the user or group who will be installing the first Exchange 2003 server in the forest. In every domain that will host either an Exchange 2003 server or mail-enabled users, two security groups must be created.

These security groups are used to perform administrative functions when the Exchange team members are different from the Windows team member – which is normal in larger enterprises – but later.

The Exchange 2003 Server CD contains two Setup Switches to accomplish these tasks:

  • ForestPrep and
  • DomainPrep.

When you use the /ForestPrep option, the Exchange Setup program extends the Active Directory schema to add Exchange-specific classes and attributes.

ForestPrep also creates the container object for the Exchange 2003 organization in the domain naming context of Active Directory, and it assigns, to the account that you specify, Exchange Full Administrative permissions to the organization object.

This account now has the authority to install and manage Exchange 2003 throughout the forest, along with the authority to assign other administrators Exchange Full Administrative permissions after the first Exchange server is installed.

Requirements

  • Forest wide permissions to manage Active Directory
  • Member of the Enterprise Administrators and Schema Administrators groups
  • Member of the local Administrators group

Why Do You Need ForestPrep and DomainPrep?

Larger organizations do not want their messaging administrator team to have high-level domain or enterprise rights because these tasks will be done by experienced Windows Administrators

It is common for Exchange administrators to be in a separate team from the Windows / Active Directory Administration team.

For organizations that don’t have a structure like this stated, ForestPrep and DomainPrep separates the Exchange 2003 setup tasks that require high-level network permissions from those that do not.

For example, Windows 2003 administrators with EnterpriseAdmin and SchemaAdmin permissions run ForestPrep, during which they designate an account as the Exchange 2003 administrator. This Exchange administrator will have enough rights (after both utilities are run) to perform the actual Exchange 2003 installation.

Note:
If the user who installs Exchange is a member of the EnterpriseAdmin and SchemaAdmin groups, Forestprep and Domainprep will be automatically executed.

Most deployment scenarios require you to run ForestPrep for successful Exchange 2003 installation. As a general formula keep in mind that when the administrator doesn’t have EnterpriseAdmin and SchemaAdmin permissions, you must run ForestPrep.

When you install Exchange 2003 in a child domain, you must first run ForestPrep in the parent domain. If you don’t do this, Setup will prompt you to do so when you attempt to install in the child domain.

ForestPrep in detail

ForestPrep performs all Exchange 2003 setup tasks that require EnterpriseAdmin and SchemaAdmin permissions, as it makes changes in the configuration naming container in Active Directory. ForestPrep extends your Active Directory schema to include Exchange-specific information. ForestPrep also creates objects in Active Directory and gives permissions on those objects to the account designated as the Exchange 2003 administrator. This administrator will have enough permission to install the first Exchange 2003 server in your organization.

ForestPrep also creates the Exchange organization name and object in Active Directory. New in Exchange 2003 Forestprep is the creation of a placeholder Organization object. Setup will create a “temporary” organization with a hard-coded name. (That name is a GUID: “{335A1087-5131-4D45-BE3E-3C6C7F76F5EC}”.) Setup can delegate the first Exchange administrator on this object; create the Exchange configuration underneath it, and so on. Later, when setup is run to install the first server in the organization – by someone who is an Exchange administrator – setup can rename the existing placeholder object, either to a user-specified name or to match the name of an Exchange 5.5 organization. The final naming is decided by the answer to the “Installation Type” screen.

You need to run ForestPrep only once per Windows 2003 forest.

Be sure to type the command exactly as in Figure1 because a wrong typed command will start a normal Exchange setup without the /Forestprep option.


Figure 1: SETUP /FORESTPREP

Important
After ForestPrep and DomainPrep are run, the designated Exchange administrator has only enough permission to install Exchange. By default, this account is not able to create accounts or give users mailboxes unless this account is also a member of the Account Operators group.

You can grant administrators permissions to create and administer Windows accounts within your Exchange organization by making them Account Operators or by using the following two methods. Both methods use the Active Directory Users and Computers snap-in. The first is to run the Windows 2003 Delegation of Control Wizard and grant your Exchange administrator control of the Users container. The second is to create a new group specifically for Exchange users within the Users container and grant the Exchange administrator full control of that new group.

You need to gather the following information before running this utility. ForestPrep prompts for different information depending on whether you are installing a new Exchange 2003 organization or joining an existing Exchange 5.5 organization.

New Installation

For a new installation of Exchange 2003 Server, the network administrator needs to have the following information before running ForestPrep:

  • The name of the Exchange 2003 organization
  • The account of the person or group who will install the first Exchange 2003 server in your organization

Note:
Once Exchange is installed, this person or group is able to create other Exchange administrators by using the Exchange Administration Delegation Wizard.

Graphical Setup mode of Forestprep


Figure 2: Graphical Forestprep option

When Is It Unnecessary to Run ForestPrep?

You should run ForestPrep before installing your first Exchange 2003 server—regardless of your organization’s topology. However, there are some scenarios (such as in a small business) in which ForestPrep might not be required.

ForestPrep and DomainPrep both run automatically during Setup, but only if the Exchange administrator account is a member of the SchemaAdmin and EnterpriseAdmin groups and if the first Exchange 2003 server installation takes place in the same domain as the Schema Master.

When this is the case, you do not need to manually execute either utility. By default, the account with which you have logged on becomes the designated Exchange 2003 administrator.

Allow Time for Replication

After you run ForestPrep, be sure to allow enough time for the schema extensions to replicate throughout all the domains and sub-domains in your organization. Depending on the geography of your organization and the speed of your network connections between Windows 2003 sites or domains, this could take some time. You should run DomainPrep only after you’re sure that the Exchange-specific information has been replicated across your organization.

DomainPrep in detail

The DomainPrep utility performs the Exchange setup tasks that require DomainAdmin permissions; it should be run by a member of the DomainAdmin group. You need to run DomainPrep once in each domain that contains an Exchange 2003 server and in any domain that hosts Exchange users. These are domains without Exchange servers but with mail enabled users. Domainprep is necessary for the recipient update service (RUS) and to create the groups and permissions necessary for Exchange servers to read and modify user attributes.

DomainPrep creates two new domain groups: Exchange Domain Servers (a Windows 2003 global security group) and Exchange Enterprise Servers (a Windows 2003 domain local security group).

DomainPrep also creates the Public Folder proxy container in Active Directory. While ForestPrep works in the forest-wide configuration naming container, the Public Folder object (a Microsoft Exchange System Object) exists outside this container (this is the reason why you can’t see public folders with ADSIEDIT, LDP or other LDAP tools). DomainPrep creates this object on a per-domain basis, under the domain container.

Exchange Domain Servers Group

The Exchange Domain Servers global security group contains the computer accounts of all Exchange servers in the domain. Though it is created by DomainPrep, the Exchange Domain Servers group is not populated until the actual installation of Exchange 2003.

The Exchange Domain Servers group is necessary for the Recipient Update Service, which is needed in every domain of your Exchange organization. This includes user domains, which do not contain Exchange servers but do have mail-enabled users. Recipient Update Service is used by Exchange to generate and update default and customized address lists and to process changes made to recipient policies.

Exchange Enterprise Servers Group

The Exchange Enterprise Servers group (a domain local group type) contains every Exchange Domain Servers group (a domain local group type) in your organization. In other words, every domain with an Exchange server, along with every domain in which DomainPrep has been run and that has an active Recipient Update Service, belongs to the Exchange Enterprise Servers group.

This group is populated immediately when DomainPrep adds the Exchange Domain Servers group from the current domain to it. Recipient Update Service adds the Exchange Domain Servers groups from all other domains that have an active Recipient Update Service.

You must meet the following requirements before you run DomainPrep:

  • The account that runs DomainPrep must belong to the domain’s DomainAdmin group.
  • ForestPrep must have already been run in your Windows 2003 forest.
  • The schema extensions made by ForestPrep to Active Directory must have already replicated throughout your organization.

When is it unnecessary to Run DomainPrep?

DomainPrep should be executed before installing the first Exchange 2003 server. DomainPrep is not necessary when:

  • The account that is installing the first Exchange 2003 server in the domain is an Exchange Full Administrator and a member of the DomainAdmins group
  • The person who is installing Exchange has EnterpriseAdmin permissions.

In both scenarios, DomainPrep runs automatically as a hidden process during the Exchange 2003 setup.

When must you Run DomainPrep?

For DomainPrep to work correctly, you must run it:

  • After running ForestPrep, and after all ForestPrep changes are replicated throughout the forest.
  • Before the through Forestprep designated Exchange 2003 administrator can install the first Exchange 2003 server in the domain.
  • Whenever you must create a Recipient Update Service (RUS) for a domain with mail-enabled users.
  • It is also necessary to run Domainprep in an empty Forest Root Domain because RUS must use it.

Active Directory Connector (ADC)

ADC, first introduced in Exchange 2003, updates the Active Directory Schema during installation, regardless if the Active Directory was updated through the Exchange 2003 Forestprep and Domainprep process.

The Exchange 2003 version of ADC uses the same schema extensions as Exchange 2003. So if you install ADC, the setup process updates the Active Directory Schema so you don’t need to update the Schema with Exchange 2003 Forestprep and vica verse.

How to see if FORESTPREP and DOMAINPREP were successful

In Exchange 2000 you have to use tools like ADSIEDIT to see if FORESTPREP and DOMAINPREP were successfully.

With Exchange 2003 you can use the ORGPREPCHECK switch from the EXDEPLOY tools.

ORGPREPCHECK

Run ORGPREPCHECK at a command prompt

CD-ROM_Drive_Letter:\support\exdeploy\exdeploy.exe /gc:global catalog server name /t:orgprepcheck

View the EXDEPLOY.LOG file in C:\EXDEPLOY LOGS to see if the setup /forestprep command and the setup /domainprep command have completed successfully.


Figure 3: EXDEPLOY /ORGPREPCHK Switch

ORGPREPCHECK verifies the Exchange extensions to the Active Directory Schema, the existence and membership of the Exchange Domain Servers group and Exchange Enterprise Servers Group and checks that a global catalog Server is available in a domain in which DOMAINPREP has been run. The result is displayed in the EXDEPLOY.LOG file.


Figure 4: EXDEPLOY.LOG file

Conclusion

As you have seen in this article, FORESTPREP and DOMAINPREP are not so mystical when you understand the basics. FORESTPREP and DOMAINPREP are necessary components to update the Active Directory Schema to support Exchange 2000 / 2003.

Please keep in mind that Forestprep updates the Windows 2003 Active Directory Schema and ALL this information must be replicated to all Domain Controllers in the Forest.   

Related Links

How to verify successful Exchange 2003 Forestprep
http://hellomate.typepad.com/exchange/2003/10/forestprep_and_.html

Manual Schema Changes Are Lost When You Apply Exchange Server 2003 Schema over Exchange 2000 Server Schema
http://support.microsoft.com/default.aspx?scid=kb;en-us;818583

How the Exchange 2003 Active Directory Connector Setup Process Updates the Schema
http://support.microsoft.com/default.aspx?scid=kb;en-us;822589

Permissions that you must have to install Active Directory Connector in Exchange Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;818473

Security Setting Changes and Updates That Are Introduced in Exchange Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;818473

Security Setting Changes and Updates That Are Introduced in Exchange Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;824111

Exchange 2003 Setup Program Does Not Display the Installation Type Screen After You Run the /Forestprep Switch
http://support.microsoft.com/default.aspx?scid=kb;en-us;829360

Running Exchange 2000 FORESTPREP after You Run Exchange 2003 FORESTPREP Allows You to Install Exchange 2000 but Creates a GUID for the Organization Name
http://support.microsoft.com/default.aspx?scid=kb;en-us;820112

The Author — Marc Grote

Marc Grote avatar

Marc Grote is an MCSA/MCSE Messaging & Security, MCSE Private Cloud and Server Virtualization, an MCTS/MCITP and a Microsoft Certified Trainer and MCLC. He is a freelance Consultant and IT Trainer in the north of Germany near Hanover. He specializes in System Center, TMG/UAG Server, Exchange, Security for Windows Server 2012 R2 and Windows Server 2012 R2 designs, migrations and implementations. His efforts have earned him recognition as a Microsoft MVP for ISA Server since 2004 until 2014. Starting in 2014 he has been awarded as an MVP for Hyper-V.

Latest Contributions

Advertisement

Featured Links