Document: Module 1: Setup Changes (pptx)


Contents

Document Overview
Setup Changes
Setup Architectural Changes
Setup Actions Require New Active Directory Permissions
New Setup Prerequisite Checks:
Lab 1.1: Finding renamed, moved, or deleted groups
Cluster-related prerequisite checks
Exchange System Manager-only installation prerequisites
2000 to 2003 Setup and Upgrade Scenarios blocked
New Features/Components in Setup:
Setup Changes
Security improvements to setup:
Troubleshooting Exchange Server 2003 setup failures:
General Log Flow
Lab 1.2: Logparser and examination of progress logs
Lab 1.3: Applying troubleshooting concepts
Appendix A: Answers
Acknowledgments

Module 1: Setup Changes
Last Saved: 7/24/2003 1:55 AM
Last Printed: 7/24/2003 12:55 PM

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2003 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, Active Directory, ActiveX, Excel, Exchange Server 5.5, Exchange 2000 Server, Exchange Server 2003, Internet Explorer, Internet Information Server, Word are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein (Groupwise, Lotus cc:Mail, Lotus Notes) may be the trademarks of their respective owners.

Document Overview

This module discusses differences in the setup process between Microsoft Exchange 2000 Server and Microsoft Exchange Server 2003. In addition to discussing bug-level changes, students will focus on troubleshooting the Exchange Server setup progress logs.

Topic 1: Setup changes from Exchange 2000 Server
Topic 2: Troubleshooting Exchange Server 2003 setup
Topic 3: Learning measure/Labs

Prerequisites

• Experience with installing Exchange 2000 into Exchange Server 5.5 sites.
• Experience with creating an Exchange Virtual Server (EVS) on Windows 2000 clusters.

Setup Changes

This topic discusses differences between the setup architecture from the last product, as well as new features and work items in the setup process. Those accustomed to supporting Exchange 2000 Server will expect some of the same product features and behaviors to exist in Exchange 2003. The goal of this topic is to cover any “gotchas” in differences between the two products that would otherwise cause difficulty in support.

Setup Architectural Changes

In Exchange Server 5.5, many customers established administration models so that Exchange administrators were able to administer only Exchange, and domain administrators handled almost everything else. Yet Exchange 2000 Server required the installer to be given blanket permissions to the enterprise forest and the Exchange Server 5.5 directory – to the dismay of many companies migrating from, or coexisting with, Exchange Server 5.5. In order to separate these roles once more, the product group established the following “Full Administrative Group Administrator” setup changes so that network/domain admin roles could be separated from Exchange administrator roles. These changes were so extensive that the process flow of setup is nearly re-architected.

Setup /forestprep creates a placeholder object

When Exchange 2003 setup is run explicitly in ForestPrep mode (using the /forestprep switch), and there is no existing Exchange organizational object within the configuration naming context, setup will create a “temporary” organization with a hard-coded name. (That name is a GUID: “{335A1087-5131-4D45-BE3E-3C6C7F76F5EC}”.) Setup can delegate the first Exchange administrator on this object, create the Exchange configuration underneath it, and so on.

At a later time, when setup is run to install the first server in the organization – by someone who is an Exchange administrator – setup can rename the existing placeholder object, either to a user-specified name or to match the name of an Exchange 5.5 organization. The final naming is decided by the answer to the “Installation Type” screen.

Improving upon Exchange 2000 setup, the organization name deferral was designed so that:

• Administrators are not forced to make the organization name decision during forestprep.
• Enterprise/schema admins are not forced to be given Exchange Server 5.5 admin site permissions to run forestprep. Conversely, Exchange 2003 installers (who are admins of an Exchange 5.5 site) are not required to have enterprise/schema admin permissions when later installing the first Exchange Server 2003 machine. Installers are also no longer required to have the Active Directory Connector (ADC) installed when running forestprep.

Troubleshooting temporary org object creation:

Should there be any problems creating this GUID, it will most likely be a permissions issue, caught at the prerequisite stage with a descriptive error message. If this is the case, one should ensure that the logged-on user has full control privileges on the cn=Microsoft Exchange,cn=services,cn=configuration,dc=<forest root DN> container. (By default, Enterprise Admins has this permission.) Although it is possible to manually create the temporary org object, it is neither recommended nor supported, since it would also require manually creating scores of child objects and setting their permissions appropriately.

“Installation Type” prompt moves to server setup mode

In Exchange 2000 Server, running setup with the /forestprep switch whilst in a clean forest (where there is no Exchange organization object) would always prompt the installer with the “Installation Type” screen. This page of the setup wizard would ask if a new Exchange organization needed to be created or if setup should join an existing Exchange 5.5 organization. Therefore, Exchange 2000 setup /forestprep not only extended the schema; for the 5.5-joining case, it would also connect and perform intensive sync operations (via a temporary config CA) with the Exchange 5.5 directory. This is why with Exchange 2000 setup, the platinum-osmium synchronizer ran twice: once during explicit forestprep and again during normal server setup.
(The exception is if only setup.exe is run without switches, thereby setting the forestprep component to “Install” mode so that the platinum-osmium synchronizer runs only once.)

Figure 1.1: The “Installation Type” prompt is no longer shown during /forestprep mode.

In Exchange Server 2003, the “Installation Type” prompt has moved to the server setup mode. That is, the prompt will only occur when running setup.exe without switches, and it will only occur once: when the first Exchange Server 2003 machine is being installed into a forest with no pre-existing Exchange organization object. (The Exchange organization object is located at cn=<orgname>,cn=Microsoft Exchange,cn=services,cn=configuration,dc=<dn of the forest root>.)

If the installer chooses to create a new organization, the placeholder orgname is renamed to whatever the installer desires. If the installer chooses the Exchange 5.5 coexistence option, the temporary orgname is renamed to match the Exchange 5.5 organization name.

In Exchange Server 2003, the 5.5 (Osmium) synchronization process with Active Directory will occur only once, so only a permanent config CA comes into existence (i.e., no temporary config CA will exist).
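
A read-only pre-flight check for the two conditions described above, added here as an example and not part of the original module: whether the organization object is still the ForestPrep placeholder GUID, and whether the logged-on user holds Full Control (GenericAll) on the Microsoft Exchange container. It assumes a domain-joined Windows host with PowerShell and the standard msExchOrganizationContainer object class; the function name and the field names of its result are hypothetical.

```powershell
# Added example: read-only pre-flight check, not part of the original module.
# Assumes a domain-joined host; Get-ExchangeOrgPreflight is a hypothetical name.
$PlaceholderOrg = '{335A1087-5131-4D45-BE3E-3C6C7F76F5EC}'  # GUID name quoted in the module

function Get-ExchangeOrgPreflight {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext
    $path     = "LDAP://CN=Microsoft Exchange,CN=Services,$configNc"
    $orgs     = @()
    $hasFull  = $false

    if ([System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        $container = [ADSI]$path

        # Organization objects sit one level below the Microsoft Exchange container.
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($container)
        $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
        $searcher.Filter      = '(objectClass=msExchOrganizationContainer)'
        [void]$searcher.PropertiesToLoad.Add('cn')
        $orgs = @($searcher.FindAll() | ForEach-Object { [string]$_.Properties['cn'][0] })

        # SIDs in the caller's token: the user plus every group membership.
        $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $sids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

        # Look for an Allow ACE granting GenericAll (Full Control) to one of those SIDs.
        # Deny ACEs are not evaluated here, so treat a positive result as a hint only.
        $full  = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
        $rules = $container.psbase.ObjectSecurity.GetAccessRules(
                     $true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -eq 'Allow' -and
                ([int]$rule.ActiveDirectoryRights -band $full) -eq $full -and
                $sids -contains $rule.IdentityReference.Value) {
                $hasFull = $true
                break
            }
        }
    }

    if ($orgs.Count -eq 0)                   { $state = 'NoOrganization' }
    elseif ($orgs -contains $PlaceholderOrg) { $state = 'TemporaryOrganization' }
    else                                     { $state = 'NamedOrganization' }

    [pscustomobject]@{
        State                  = $state
        Organizations          = $orgs
        CallerHasFullControl   = $hasFull
        # The module warns against running Exchange 2000 setup while the placeholder exists.
        BlockExchange2000Setup = ($state -eq 'TemporaryOrganization')
    }
}

Get-ExchangeOrgPreflight | Format-List
```
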
Table 1.1 outlines the different states of the organizational object that can exist in Active Directory:

| Setup Action / Detected State | setup /ForestPrep | setup (install a server) |
|---|---|---|
| No organization object | Create temporary org | Ask user for org type/name; create org |
| Temporary organization object {335A1087-5131-4D45-BE3E-3C6C7F76F5EC} | N/A | Ask user for org type/name; rename temporary org |
| Named organization object (exists in place of GUID) | N/A | N/A |

Table 1.1: Creation flow for Exchange Organization object in Active Directory

This architectural change does not affect manual creation of the first Administrative Group through System Manager (per 215930). However, when customers launch Exchange System Manager to manually create their administrative group, they might be surprised to see the GUID, {335A1087-5131-4D45-BE3E-3C6C7F76F5EC}.

Note: When the temporary organization object exists, you must not run Exchange 2000 Server setup. Although it does not get blocked through a prerequisite check, later in the setup process the Exchange 2000 Server setup wizard does not understand the GUID organization object, and the installation is likely to fail catastrophically.

Server Setup mode no longer stamps organization-level permissions

Previously, the Exchange 2000 Server SETUP program would re-stamp Exchange Organization permissions on each server install. The drawback was that this action would overwrite any custom changes to the permissions structure, such as removing the permission for all users to create top level public folders. So if a customer kept having his/her top-level permissions reset, this was a perceived security risk. In Exchange Server 2003, the setup process has changed so that it will only stamp default permissions on the Exchange Organization object once (on the first server install/upgrade) and will not re-stamp permissions for subsequent installations.
Although this resolves the security concern, the previous behavior was a useful support tool for quickly fixing customers who have inappropriately modified their Active Directory permissions on containers in ways that cause operational problems in Exchange. A typical problem would be a paranoid administrator removing required access control lists (ACLs) on various objects underneath the “Microsoft Exchange” container. So in order to correct the problem, or to revert back to Exchange 2000 Server settings, one must now manually correct the Active Directory permissions by applying the permissions listed in Table 1.4 under the section entitled “New per-object permissions changes during setup.” If the customer does not mind that the security settings revert back to the Exchange 2000 Server configuration, then run Exchange 2000 setup to “join” a new Exchange 2000 server object to the existing Exchange 2003 organization.

Setup Actions Require New Active Directory Permissions

Because there are several setup modes and component options, setup will require different combinations of Active Directory permissions, depending upon the detected topology. For example, setup operations dealing with a Site Replication Service (SRS) still require Exchange Full Administrator at the Organization level. Table 1.2 outlines the required permissions of the person being logged on.

| Setup Action | Active Directory Permission(s) required |
|---|---|
| Install first Exchange 2003 server in a domain | Exchange Full Administrator at Organization level |
| Install first Exchange 2003 server into a 5.5 site (SRS-enable) | Exchange Full Administrator at Organization level |
| Uninstall/reinstall Exchange 2003 with an SRS | Exchange Full Administrator at Organization level |
| First “ForestPrep” in forest [with schema update], or ADC’s Setup when older schema is detected, or ADC’s setup used with the explicit “schemaonly” switch | Enterprise Admin [+ Schema Admin] |
| Subsequent “ForestPrep” | Exchange Full Administrator at Organization level |
| “DomainPrep” | Domain Administrator |
| Install a server to have first instance of a Groupwise/Lotus Notes connector | Exchange Full Administrator at Organization level |
| Install, maintain or remove server containing Key Management Server | Enterprise Admin |
| Install, maintain or remove server with SRS enabled | Exchange Full Administrator at Organization level |
| Install additional server (non-SRSs, clusters EVSs) | Exchange Full Administrator at Admin Group level + machine account added to Domain Servers group |
| Run maintenance mode on any server (except Key Management Server or SRS enabled) | Exchange Full Administrator at Admin Group level |
| Remove a server (no SRS present) | Exchange Full Administrator at Admin Group level + remove machine account from Domain Servers group after setup |
| Remove last server in org | Exchange Full Administrator at Organization level |
| Apply service pack | Exchange Administrator at Admin Group level |

Table 1.2: Setup Matrix

Several of the above actions require “Exchange Full Administrator” at the organizational level.
Although it is possible to manually create and grant Exchange Administrator-like permissions through ADSI Edit, it is not recommended because the specific combination of permissions and inherited rights settings is not easy to set, and setting “Full Control” on the organization object would be overkill. The recommended methods for granting Exchange Full Administrator at the org level are to either:

• Rerun /forestprep so that the Exchange setup wizard will prompt for an additional account to be granted Org permissions, or
• Use the Exchange System Manager’s delegation wizard by right-clicking on the top-most organization object.

The proper method of granting Exchange Full Administrator at the Admin Group level is to launch Exchange System Manager’s delegation wizard by right-clicking on an Administrative Group name.

In Exchange 2000, you needed to be a full admin at the organization level to install, maintain, or remove any server. Unfortunately, customers desired to deploy with well-separated admin groups and delegate administrators on those administrative groups who would be able to handle routine tasks like installing and maintaining servers. (This had been the 5.5 model, of course.) Our customer experience team, and customers themselves, expended considerable ingenuity in trying to find ways to work around this requirement in Exchange 2000 setup, but all in vain: even if you managed to bypass the permission prerequisite, setup would still fail, since it refreshed org-level settings and permissions during every server install, and without org-level rights you wouldn't have access to those objects.

In Exchange 2003, full admin-group level admins can now install, maintain, and remove most servers within their own administrative group. However, there are still exceptions: you still need full org admin permissions when installing the SRS or the first Exchange 2003 server into a domain.
In the latter case, the first server installed into any given domain must set the access control entries (ACEs) for that domain’s "Exchange Domain Servers" group on the org-level object, which means that setup needs full org permissions.

[...]

... format to hexadecimal string

3) How easy it is to perform custom LDAP queries without any special tools installed

New Setup Prerequisite Checks (2 of 2)

Disaster recovery: Setup checks for existence of server object. Running...

... that are Windows 2000 SP3 or later. To enforce this requirement, setup uses the process (below) to search for well-versioned domain controllers, or else halt the deployment.

Cluster-related prerequisite checks

Required Resource...

... permission changes

Admins running setup must be able to add/remove machine accounts from group

File System Permissions Modified During Setup

When setting ACLs in the file system, setup generally first examines the ACL to see if there are any explicit (i.e., non-inherited) ACEs on the folder. If there are, then setup...

... check blocks this setup switch if the machine is a node of a cluster, thus customers may only run normal setup. Additionally, the normal setup routine on a cluster node no longer presents a message indicating that setup will install the cluster-aware version, whereas the Exchange 2000 setup version would popup that...

... explicit ACEs) ANONYMOUS LOGON X

Table 1.7: NTFS changes to Installation Directory and Subdirectories

New Setup Prerequisite Checks: Marker Checks

During server setup, if the installer chooses to join an Exchange 5.5 site, additional marker checks are enforced. This means that setup will check to see if the deployment...

New Per-Object Permissions Changes During Setup:

In addition to new permissions requirements, Exchange 2003 setup modifies Access Control Entries that were set by Exchange 2000. Tables 1.5-1.6 describe these Active Directory object-level access control list (ACL) changes, and tables 1.7-1.8 describe the NTFS-ACL changes. However, interpreting the...

... Exchange 2000. To prevent this from happening, Exchange Server 2003’s setup has two improvements:

The setup /domainprep modifies the description attribute of these groups to include the string “DO NOT move or rename.”

A prerequisite was added to normal setup (not domainprep) to check for the renaming or movement of...

... tools. Since setup shares the wrapper, you may find that the DLL exists in two places on the CD: within the setup\i386 folder, and also within \support\exdeploy. Upon launching setup, the markers are checked using this logic:

Note: References to “Greenfield scenario” or “Pure TI or pure TI/PT” in the diagram above means...

... DomainPrep phase. All existing org-level Full Admins X Full Control. Exchange Enterprise Servers X. Admins running setup must be able to add/remove machine accounts from group. Full Control. Set by the Recipient Update Service.

All delegated org-level Full Admins X X Full Control. Exchange Domain Servers Group cn=Exchange Domain...

... condensed view of the rights. LDP.exe displays the access mask directly, as a numerical value. The setup code refers to the rights by predefined constants. The following table summarizes the relationships between these values:

ADSIEdit Summary Page | ADSIEdit Advanced Page, View/Edit Tab | #define (“Mask” in LDP)
Full ...

Date posted: 18/01/2014, 05:20
