Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2011-04-28
When upgrading from Exchange Server 2003 to Exchange Server 2010, you must first grant specific Exchange permissions in each domain in which you have run Exchange 2003 DomainPrep. To do this, you run the setup /PrepareLegacyExchangePermissions command.
Granting these permissions is part of preparing Active Directory and your domains for installing Exchange Server 2010. For detailed instructions, see Prepare Active Directory and Domains.
This topic explains why you must run the setup /PrepareLegacyExchangePermissions command, when you run it, and what permissions are set by the command in your Exchange Server 2010 organization.
Why Run Setup /PrepareLegacyExchangePermissions
Essentially, you must run the setup /PrepareLegacyExchangePermissions command so that the Exchange 2003 Recipient Update Service functions correctly after you update the Active Directory schema for Exchange Server 2010. This section explains the main issue and how running the command resolves this issue.
Issue
In Exchange Server 2003, the Recipient Update Service updates some mailbox attributes, such as the proxy address, on mail-enabled user objects. The Recipient Update Service has permission to modify these attributes because the computer account (named <ServerName>) for the server on which the Recipient Update Service runs is in the Exchange Enterprise Servers (EES) group. The EES group is created when you run Exchange Server 2003 DomainPrep. Instead of granting the EES group permissions to each individual mailbox attribute that the Recipient Update Service must modify, the mailbox attributes are grouped together in property sets. When you run Exchange Server 2003 DomainPrep, Exchange provides the EES group with permissions to modify the property sets through access control entries (ACEs) that Exchange sets on the domain container in Active Directory.
Exchange Server 2010 has a management role called Recipient Management. This role contains permissions to manage the e-mail attributes of all users. Exchange administrators who are members of the Exchange Recipient Management role can manage only users' e-mail properties.
To enable this functionality, Exchange Server 2010 must move some e-mail attributes of users into a property set called the "Exchange-Information property set." Exchange does this by redefining the attribute schemas in Active Directory when importing the new Exchange Server 2010 schema. However, the legacy EES group doesn't have permissions to the Exchange-Information property set. Therefore, when you import the new Exchange Server 2010 schema, the Recipient Update Service will no longer have permissions to the users' e-mail attributes and will stop functioning correctly. (For example, it will not be able to set proxy addresses for newly created Exchange Server 2003 users.)
Resolution
Running the setup /PrepareLegacyExchangePermissions command enables the legacy Recipient Update Service to function correctly. Before importing the new Exchange Server 2010 schema, Exchange Server 2010 must grant new permissions in each domain in which you have run Exchange Server 2003 DomainPrep. The setup /PrepareLegacyExchangePermissions command grants these new permissions. Before you run setup /PrepareSchema, you must run setup /PrepareLegacyExchangePermissions and allow the permissions to replicate across your Exchange organization.
The server where you run setup /PrepareLegacyExchangePermissions contacts the local global catalog to locate the domains in which you have run Exchange Server 2003 DomainPrep by checking for the EES and Exchange Domain Servers (EDS) groups. The server must be able to communicate with every domain in the forest in which you ran Exchange Server 2003 DomainPrep. Also, the account that you use to run setup /PrepareLegacyExchangePermissions must have the permissions assigned to the Enterprise Admins universal security group (USG) so that it can set the ACEs in each domain and in the Exchange organization.
Permissions Set By Setup /PrepareLegacyExchangePermissions
Running setup /PrepareLegacyExchangePermissions finds every domain in the forest that has the EES group and the Exchange Domain Servers (EDS) group. For each domain that has these groups, setup /PrepareLegacyExchangePermissions does the following:
- Adds an ACE to the domain root access control list (ACL) to
provide the EES group with WRITE_PROP permissions on the
Exchange-Information property set.
- Adds an ACE to the domain root ACL to provide authenticated
users with READ_PROP permissions on the Exchange-Information
property set.
- Adds an ACE to the AdminSDHolder container of the domain to
provide the EES group with WRITE_PROP and READ_PROP permissions on
the Exchange-Information property set.
- Adds an ACE to the Exchange organization container ACL to
provide the EDS group with WRITE_PROP permissions on the
Exchange-Information property set.
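The following PowerShell script is an added verification example; it is not part of this topic and is not code from Exchange Setup. It locates the domains in which Exchange 2003 DomainPrep ran (the domains that contain both the EES and EDS groups, as described above), resolves the Exchange-Information property set, and reports whether each of the four ACEs listed above is present on the domain root, the AdminSDHolder container and the Exchange organization container. It assumes the ActiveDirectory module, read access to every domain, and that the property set can be found under CN=Extended-Rights by the cn or displayName used in the LDAP filter; the group names, container paths and filter values are assumptions taken from the text, so adjust them for your forest.

```powershell
# Added verification script (not from the original topic or from Exchange Setup).
# Assumes the ActiveDirectory module and read access to the configuration partition
# and to every domain. Names, paths and filters below are assumptions; adjust as needed.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext

# 1. Resolve the rightsGuid of the Exchange-Information property set. A property-set
#    ACE stores this GUID in its ObjectType field, which is how we recognise it below.
#    The cn/displayName values in the filter are assumptions; change them if your schema differs.
$propSet = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
    -LDAPFilter "(&(objectClass=controlAccessRight)(|(cn=Exchange-Information)(displayName=Exchange Information)))" `
    -Properties rightsGuid
if (-not $propSet) { throw "Exchange-Information property set not found in CN=Extended-Rights" }
$exchInfoGuid = [guid]$propSet.rightsGuid

# 2. Find every domain in the forest where Exchange 2003 DomainPrep ran, i.e. where both
#    the Exchange Enterprise Servers (EES) and Exchange Domain Servers (EDS) groups exist.
$preparedDomains = foreach ($domainName in (Get-ADForest).Domains) {
    $ees = Get-ADGroup -Server $domainName -LDAPFilter "(sAMAccountName=Exchange Enterprise Servers)"
    $eds = Get-ADGroup -Server $domainName -LDAPFilter "(sAMAccountName=Exchange Domain Servers)"
    if ($ees -and $eds) { Get-ADDomain -Server $domainName }
}

# Returns $true when an Allow ACE on the property set, granting at least $Rights to an
# identity matching $IdentityPattern, exists in the ACL of the object at $AdPath.
function Test-PropertySetAce {
    param(
        [string]$AdPath,           # e.g. "AD:\DC=contoso,DC=com"
        [string]$IdentityPattern,  # regex matched against the ACE's IdentityReference
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$PropertySetGuid,
        [string]$Label
    )
    $acl = Get-Acl -Path $AdPath
    $match = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $PropertySetGuid -and
        $_.IdentityReference.Value -match $IdentityPattern -and
        (($_.ActiveDirectoryRights -band $Rights) -eq $Rights)
    }
    $status = if ($match) { 'PASS' } else { 'FAIL' }
    Write-Host ("{0,-4} {1}" -f $status, $Label)
    return [bool]$match
}

$allOk = $true
$driveIndex = 0
foreach ($dom in $preparedDomains) {
    # Mount a provider drive against this domain so Get-Acl reads the right partition.
    $drive = "ExDom$driveIndex"; $driveIndex++
    New-PSDrive -Name $drive -PSProvider ActiveDirectory -Server $dom.DNSRoot -Root "" | Out-Null
    $domainRoot    = "${drive}:\$($dom.DistinguishedName)"
    $adminSdHolder = "${drive}:\CN=AdminSDHolder,CN=System,$($dom.DistinguishedName)"
    Write-Host "== $($dom.DNSRoot)"

    # ACE 1: domain root, EES WRITE_PROP on the Exchange-Information property set
    $allOk = (Test-PropertySetAce -AdPath $domainRoot -IdentityPattern 'Exchange Enterprise Servers$' `
        -Rights WriteProperty -PropertySetGuid $exchInfoGuid -Label 'domain root: EES WRITE_PROP') -and $allOk
    # ACE 2: domain root, Authenticated Users READ_PROP
    $allOk = (Test-PropertySetAce -AdPath $domainRoot -IdentityPattern 'Authenticated Users$' `
        -Rights ReadProperty -PropertySetGuid $exchInfoGuid -Label 'domain root: Authenticated Users READ_PROP') -and $allOk
    # ACE 3: AdminSDHolder, EES WRITE_PROP and READ_PROP
    $allOk = (Test-PropertySetAce -AdPath $adminSdHolder -IdentityPattern 'Exchange Enterprise Servers$' `
        -Rights 'WriteProperty, ReadProperty' -PropertySetGuid $exchInfoGuid -Label 'AdminSDHolder: EES WRITE_PROP+READ_PROP') -and $allOk
    Remove-PSDrive -Name $drive
}

# ACE 4: Exchange organization container (configuration partition), EDS WRITE_PROP for each prepared domain.
$orgContainer = Get-ADObject -SearchBase "CN=Microsoft Exchange,CN=Services,$configNC" `
    -SearchScope OneLevel -LDAPFilter "(objectClass=msExchOrganizationContainer)"
foreach ($dom in $preparedDomains) {
    $edsPattern = "^$([regex]::Escape($dom.NetBIOSName))\\Exchange Domain Servers$"
    $allOk = (Test-PropertySetAce -AdPath "AD:\$($orgContainer.DistinguishedName)" -IdentityPattern $edsPattern `
        -Rights WriteProperty -PropertySetGuid $exchInfoGuid -Label "org container: $($dom.NetBIOSName) EDS WRITE_PROP") -and $allOk
}

if ($allOk) { Write-Host "All legacy Exchange permission ACEs present." }
else { Write-Host "One or more ACEs are missing: run setup /PrepareLegacyExchangePermissions and wait for replication." }
```

Run the script from an account that can read the ACLs of every prepared domain, and run it against a domain controller in each domain rather than the global catalog, because the ACL of the domain root and of AdminSDHolder is only fully readable from a writable copy of that domain partition. A FAIL line after the command has already run usually means replication to the domain controller you queried has not completed yet, which is why the topic tells you to wait for replication before running setup /PrepareSchema.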
Running Setup /PrepareLegacyExchangePermissions Again
There are some cases in which you will need to run setup /PrepareLegacyExchangePermissions again:
- You have a domain that contains Exchange Server 2003 servers,
and you have not run DomainPrep.
- In an existing domain, you have mailbox-enabled users who will
log on to mailboxes on Exchange Server 2003 servers in domains in
which you have not run DomainPrep.
In these cases, you must run setup /PrepareLegacyExchangePermissions again after you run Exchange Server 2003 DomainPrep. This allows the Exchange Server 2003 Recipient Update Service to function correctly in this domain.
Exchange 2010 Deployment Permissions Reference
Exchange 2010 needs permissions to deploy and function properly in your organization. These permissions are stamped on the access control lists (ACL) of the objects used by Exchange 2010 during setup. For more information, see Exchange 2010 Deployment Permissions Reference.