September 2, 2011 by Rakesh Boraiah
Exchange 2000 and Exchange 2003 are dependent on Windows Active Directory (AD). Active Directory consists of three separate partitions: the schema partition, the configuration partition, and the domain partition. In a default Windows Server installation, none of these partitions are equipped to handle an Exchange server until ForestPrep and DomainPrep are run.
ForestPrep and DomainPrep can be run either manually before Exchange Server is installed, or automatically during the Setup.exe process. Which option is right for you depends on the size and administrative security parameters of your organization.
After you install Exchange Server, Active Directory Users and Computers (ADUC) displays some Exchange-related tabs on the users’ properties sheets. These tabs contain information related to Exchange Server’s configuration.
For instance, the Exchange Features tab allows you to control whether or not the currently selected user is allowed to use Outlook Web Access (OWA). To put it another way, the switch that allows or prohibits the use of Outlook Web Access is an attribute of the currently selected user object. This attribute does not exist by default. It can only exist after the Active Directory’s schema and configuration partitions have been extended.
An Active Directory forest can accommodate one Exchange Server organization. ForestPrep’s job is to prepare the forest to accommodate an Exchange organization. This preparatory work only has to happen once though.
Once the forest has been prepared, it is able to accommodate an Exchange organization, regardless of the number of Exchange servers included in it. You do not have to run ForestPrep prior to installing every individual Exchange server.
Just as ForestPrep prepares the Active Directory forest, DomainPrep prepares the domain that the Exchange server will be a member of. DomainPrep only has to be run once per domain.
When you run DomainPrep, it will create two security groups within the domain: Exchange Enterprise Servers and Exchange Domain Servers. The first Exchange server to be installed within a domain will automatically get added to both groups.
Like ForestPrep, DomainPrep can be run completely independently of the Exchange installation process. In order to run DomainPrep, the currently logged on user must be a member of the Domain Admins group for the domain being prepared. Once a domain has been prepped, Exchange servers can be installed to that domain without having to run DomainPrep again.
Running ForestPrep and DomainPrep in an enterprise
In an IT department at a large enterprise, it is almost impossible for one person to manage the entire network. As such, you probably have other administrators to whom you’ve delegated administrative authority over smaller portions of the network, such as a domain.
If Exchange Server were not previously installed on your network, and one of your domain administrators installed it, that administrator’s installation would create the Active Directory forest’s one and only Exchange organization.
The choices that administrator made when installing Exchange would set the precedent for any other Exchange servers subsequently installed on your network. For example, when the first Exchange server is installed on the network, Setup asks for an organization name — which cannot be changed and is shared by all of the other Exchange servers in the entire forest.
Needless to say, you probably wouldn’t want one of your domain administrators to be able to make a change that would have such a drastic and long-term impact on your Active Directory.
ForestPrep creates the attributes and classes that define Exchange Server objects, such as mailboxes. It also adds Exchange-related attributes to existing objects. These operations require ForestPrep to update the Active Directory’s Schema and Configuration partitions.
Before someone can make these kinds of modifications though, they must be a member of the Schema Admins group. If you are an administrator over the entire network, then you would probably be a member of the Schema Admins group, but a domain administrator usually wouldn’t be.
What this means is that none of your domain administrators would be able to create an Exchange organization without your permission, because they lack the necessary permissions to run ForestPrep.
Since ForestPrep can be run independently of the Exchange installation process, you could run ForestPrep once you have laid out the ground rules for domain administrators. They would be free to install Exchange Server once you’ve prepared the forest.
So, as you can see, the option to manually run ForestPrep and DomainPrep is more suitable to a large organization, because it gives you greater administrative control and security, and allows you to define who is allowed to install Exchange servers.
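The group requirements described above can be checked before Setup is handed to a delegated administrator. The following PowerShell sketch is an added example, not part of the original article or of Exchange Setup. It assumes a domain-joined machine and the default English group names, and the function names Test-CurrentUserInGroup and Find-DomainGroup are hypothetical.

```powershell
# Added example: preflight check for ForestPrep / DomainPrep permissions.
# Assumptions: domain-joined machine, default English group names.

function Test-CurrentUserInGroup {
    param([string]$GroupName)
    # Enumerate the enabled groups in the logged-on user's access token.
    # In a UAC-filtered (non-elevated) session, administrative groups may
    # not appear, so run this from an elevated prompt where UAC applies.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            continue   # SID could not be resolved to a name; skip it
        }
        # Names come back as DOMAIN\Group; match on the group part only.
        if ($name -like "*\$GroupName") { return $true }
    }
    return $false
}

function Find-DomainGroup {
    param([string]$GroupName)
    # LDAP search of the current domain; returns $null if no group matches.
    $searcher = [adsisearcher]"(&(objectCategory=group)(cn=$GroupName))"
    return $searcher.FindOne()
}

# 1. Can the current account run each preparation step?
$requirements = @(
    @{ Step = 'ForestPrep'; Group = 'Schema Admins' },
    @{ Step = 'DomainPrep'; Group = 'Domain Admins' }
)
foreach ($r in $requirements) {
    $isMember = Test-CurrentUserInGroup $r.Group
    "{0}: current user is a member of '{1}' = {2}" -f $r.Step, $r.Group, $isMember
}

# 2. Has DomainPrep already been run in this domain?
#    It creates these two security groups, so their presence is the evidence.
foreach ($g in 'Exchange Enterprise Servers', 'Exchange Domain Servers') {
    $found = Find-DomainGroup $g
    "DomainPrep group '{0}' present = {1}" -f $g, [bool]$found
}
```

A domain administrator who sees False for Schema Admins is in the position the article describes: able to run DomainPrep and install servers into a prepared forest, but not able to create the Exchange organization.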
Running ForestPrep and DomainPrep in a small business
If you work for a small company with a single domain within a single forest, and you are the only administrator, you are most likely already a member of the Schema Admins and Domain Admins groups.
This means that you don’t even have to worry about running ForestPrep or DomainPrep. Just run Setup.exe, and your Exchange Server installation will automatically run ForestPrep or DomainPrep if necessary.
One thing you do need to know though is that, depending on the size of your Active Directory, ForestPrep and DomainPrep can take a while to run. In a large organization, it’s not uncommon for these utilities to take over an hour to complete.
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Exchange Server, and has previously received Microsoft’s MVP award for Windows Server and Internet Information Server (IIS). Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.