Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2008-02-19
This topic explains how to prepare the Active Directory directory service and domains for installing Microsoft Exchange Server 2007. You must complete this procedure before you install Exchange 2007 on any servers in your organization.
Note: If you run the Exchange Server 2007 Setup wizard with an account that has the permissions required to prepare Active Directory and the domain, the wizard will automatically prepare Active Directory and the domain.
Before You Begin
Before you prepare Active Directory and your domain for Exchange 2007, confirm the following:
- The computer on which you perform this procedure has the
Microsoft .NET Framework 2.0 and the Microsoft Command Shell
installed.
- Your domains and the domain controllers meet the system
requirements in the "Network and Directory Servers" section of
Exchange 2007
System Requirements.
- In each domain in which you will install Exchange 2007 (or that
will contain mail-enabled users), you have at least one domain
controller that is running Windows Server 2003 Service Pack 1
(SP1).
- If you are running the release to manufacturing (RTM) version
of Exchange 2007 Setup.com, in each domain (including child
domains) where you have the Exchange Enterprise Servers and
Exchange Domain Servers security groups and therefore must run
Setup /PrepareLegacyExchangePermissions, you must have at
least one domain controller that is running
Windows Server 2003 SP1 or a later version.
- If you have any domain controllers that are running Windows
2000 Server and you are using the Exchange 2007 RTM Setup.com, you
must run each of the steps below with the /DomainController
parameter to specify a domain controller that is running Windows
Server 2003 SP1. If you are using Setup.com from Exchange 2007 SP1,
you do not have to specify a domain controller that is running
Windows Server 2003 SP1.
- If you are deploying a new Exchange organization, and you are
preparing your Active Directory schema and domains by using a
computer running Windows Server 2008, you must first
install the Active Directory management tools on the
Windows Server 2008 computer prior to preparing the
schema or domains. To do this, run the following command:
ServerManagerCmd -i RSAT-ADDS
- The computers on which you will install Exchange 2007 meet
the system requirements in the "Hardware" and "Operating System"
sections of Exchange 2007 System
Requirements.
Note: You can run this procedure on a computer that has either a 32-bit or a 64-bit processor. For more information about platform versions, see Exchange Server 2007: Platforms, Editions, and Versions.
Procedure
To prepare Active Directory and the domain
1. If you have any computers in your organization running Exchange Server 2003 or Exchange 2000 Server, open a Command Prompt window, and then run one of the following commands:
- To prepare legacy Exchange permissions in every domain in
the forest that contains the Exchange Enterprise Servers and
Exchange Domain Servers groups, run the following command:
setup /PrepareLegacyExchangePermissions or setup /pl
- To prepare legacy Exchange permissions in a specific domain,
run the following command:
setup /PrepareLegacyExchangePermissions:<FQDN of domain you want to prepare> or setup /pl:<FQDN of domain you want to prepare>
Note: You can skip this step and prepare the legacy Exchange permissions as part of Step 2 or Step 3. The advantages of running each step separately are that you can run each step with an account that has the minimum permissions required for that step, and you can verify completion, success, and replication before continuing to the next step. Note the following:
- To run this command to prepare every domain in the forest, you
must be a member of the Enterprise Admins group. To run this
command to prepare a specific domain, or if the forest has only one
domain, you must be delegated the Exchange Full Administrator
role and you must be a member of the Domain Admins group in the
domain that you will prepare.
- If you do not specify a domain, the domain in which you run
this command must be able to contact all domains in the forest. If
the server cannot contact a domain that must have legacy Exchange
permissions prepared, it prepares the domains that it can contact
and then returns an error message that it was unable to contact
some domains.
- You can run this command from any 32-bit or 64-bit Windows
Server 2003 SP1 server in the forest.
- After you run this command, you must wait for the permissions
to replicate across your Exchange organization before continuing to
the next step. If the permissions have not replicated, the
Recipient Update Service on your Exchange Server 2003 or
Exchange 2000 Server computers could fail. The amount of
time that replication takes depends on your Active Directory
site topology.
Note: To track the progress of Active Directory replication, you can use the Active Directory Replication Monitor tool (replmon.exe), which is installed as part of the Microsoft Windows Server 2003 Support Tools Setup. By default, it is located at "%programfiles%\support tools\." Add your domain controllers as monitored servers so that you can track the progress of replication throughout the domain.
For detailed information about the permissions that are set by this command, see Preparing Legacy Exchange Permissions.
2. From a Command Prompt window, run the following command:
setup /PrepareSchema or setup /ps
Note: You can skip this step and prepare the schema as part of Step 3.
Important: You must not run this command in a forest in which you do not plan to run setup /PrepareAD. If you do, the forest will be configured incorrectly, and you will not be able to read some attributes on user objects.
Note: It is not supported to use LDIFDE to manually import the Exchange 2007 schema changes. You must use Setup to update the schema.
This command performs the following tasks:
- Connects to the schema master and imports LDAP Data Interchange
Format (LDIF) files to update the schema with Exchange 2007
specific attributes. The LDIF files are copied to the Temp
directory and then are deleted after they are imported into the
schema.
Note: The Exchange 2007 schema also includes the Exchange 2000 and Exchange 2003 schema extensions.
- If you have not completed Step 1, setup /PrepareSchema will
automatically perform the PrepareLegacyExchangePermissions step.
Note the following:
- If you want to verify the updates to the schema before the
changes are replicated to other servers in the domain, you must
disable outbound replication on the computer on which you run the
command before you run it, and then enable outbound replication
after you have verified that the import completed successfully.
- To run this command, you must be a member of the Schema Admins
group and the Enterprise Admins group.
- You must run this command on either a 32-bit or a 64-bit
computer that is in the same domain and the same
Active Directory site as the schema master.
- If you have not completed Step 1, setup /PrepareSchema will
automatically perform the PrepareLegacyExchangePermissions step. To
complete the PrepareLegacyExchangePermissions step, the domain in
which you run this command must be able to contact all domains in
the forest. The advantages of running each step separately are that
you can run each step with an account that has the minimum
permissions required for that step, and you can verify completion,
success, and replication before continuing to the next step.
- If you use the /DomainController parameter with this
command, you must specify the domain controller that is the schema
master.
- After you run this command, you should wait for the changes to
replicate across your Exchange organization before continuing to
the next step. The amount of time this takes is dependent upon your
Active Directory site topology.
Note: To track the progress of Active Directory replication, you can use the Active Directory Replication Monitor tool (replmon.exe), which is installed as part of the Windows Server 2003 Support Tools Setup. By default, it is located at "%programfiles%\support tools\." Add your domain controllers as monitored servers so that you can track the progress of replication throughout the domain.
For detailed information about the changes to the schema that are made by running this command, see Active Directory Schema Changes.
3. From a Command Prompt window, run the following command:
setup /PrepareAD [/OrganizationName:<organization name>] or setup /p [/on:<organization name>]
This command performs the following tasks:
- If the Microsoft Exchange container does not exist, this
command creates it under
CN=Services,CN=Configuration,DC=<root domain>.
- If no Exchange organization container exists under
CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>,
you must specify an organization name by using the
/OrganizationName parameter. The organization container will
be created with the name that you specify.
The Exchange organization name can contain only the following characters:
A through Z
a through z
0 through 9
Space (not leading or trailing)
Hyphen or dash
The organization name cannot contain more than 64 characters. The organization name cannot be blank. If the organization name contains spaces, you must enclose it in quotation marks.
- Verifies that the schema has been updated and that the
organization is up to date by checking the objectVersion property
in Active Directory. The objectVersion property is in the
CN=<your organization>, CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<domain>
container. The objectVersion value for the release to manufacturing
(RTM) version of Exchange 2007 is 10666.
- If they do not exist, creates the following containers and
objects under
CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>.
These are required for Exchange 2007.
CN=Address Lists Container,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=Addressing,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=Administrative Groups,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=Client Access,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=Connections,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=ELC Folders Container,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=ELC Mailbox Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=Global Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=Mobile Mailbox Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=Recipient Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=System Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=Transport Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=UM AutoAttendant,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=UM DialPlan,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=UM IPGateway Container,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
CN=UM Mailbox Policies,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
- If it does not exist, this command creates the default Accepted
Domains entry, based on the forest root namespace, under
CN=Transport
Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>.
- Assigns specific permissions throughout the configuration
partition. For more information about which permissions are
granted, see Exchange 2007 Server
Setup Permissions Reference.
- Imports the Rights.ldf file. This adds the extended rights that
are required for Exchange to install into
Active Directory.
- Creates the Microsoft Exchange Security Groups
organizational unit (OU) in the root domain of the forest and
assigns specific permissions on this OU. For more information about
which permissions are granted, see Exchange 2007 Server
Setup Permissions Reference.
- Creates the following universal security groups (USGs) within
the Microsoft Exchange Security Groups OU:
Exchange Organization Administrators
Exchange Recipient Administrators
Exchange Servers
Exchange View-Only Administrators
Exchange Public Folder Administrators (New in Exchange Server 2007 Service Pack 1)
ExchangeLegacyInterop
- Adds the new USGs that are within the Microsoft Exchange
Security Groups OU to the otherWellKnownObjects attribute
that is stored on the
CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>
container.
- This command creates the Exchange 2007 Administrative
Group called Exchange Administrative Group (FYDIBOHF23SPDLT).
It also creates the Exchange 2007 Routing Group called
Exchange Routing Group (DWBGZMFD01QNBJR).
Caution: Do not move Exchange 2007 servers out of Exchange Administrative Group (FYDIBOHF23SPDLT) and do not rename Exchange Administrative Group (FYDIBOHF23SPDLT) by using a low-level directory editor. Exchange 2007 must use this administrative group for configuration data storage. We do not support moving Exchange 2007 servers out of Exchange Administrative Group (FYDIBOHF23SPDLT) or renaming Exchange Administrative Group (FYDIBOHF23SPDLT).
Caution: Do not move Exchange 2007 servers out of Exchange Routing Group (DWBGZMFD01QNBJR) and do not rename Exchange Routing Group (DWBGZMFD01QNBJR) by using a low-level directory editor. Exchange 2007 must use this routing group for communication with earlier versions of Exchange. We do not support moving Exchange 2007 servers out of Exchange Routing Group (DWBGZMFD01QNBJR) or renaming Exchange Routing Group (DWBGZMFD01QNBJR).
- This command creates the Unified Messaging Voice Originator
contact in the Microsoft Exchange System Objects container of
the root domain.
- This command prepares the local domain for Exchange 2007.
For information about what tasks are completed to prepare a domain,
see Step 4.
Note the following:
- To run this command, you must be a member of the Enterprise
Admins group.
- The computer where you run this command must be able to contact
all domains in the forest on port 389.
- You must run this command on a computer that is in the same
domain and the same Active Directory site as the Schema
Master. Setup will make all configuration changes to the schema
master to avoid conflicts because of replication latency.
- If you have not completed Step 1, setup /PrepareAD will
automatically perform the PrepareLegacyExchangePermissions step. To
complete the PrepareLegacyExchangePermissions step, the domain in
which you run this command must be able to contact all domains in
the forest. If you are also a member of the Schema Admins group,
and if you have not completed Step 2, setup /PrepareAD will
automatically perform the PrepareSchema step. The advantages of
running each step separately are that you can run each step with an
account that has the minimum permissions required for that step,
and you can verify completion, success, and replication before
continuing to the next step.
- After you run this command, you should wait for the changes to
replicate across your Exchange organization before continuing to
the next step. The amount of time this takes is dependent upon your
Active Directory site topology.
Note: To track the progress of Active Directory replication, you can use the Active Directory Replication Monitor tool (replmon.exe), which is installed as part of the Windows Server 2003 Support Tools Setup. By default, it is located at "%programfiles%\support tools\." Add your domain controllers as monitored servers so that you can track the progress of replication throughout the domain.
- To verify that this step completed successfully, make sure that
there is a new OU in the root domain called Microsoft Exchange
Security Groups. This OU should contain the following new
Exchange USGs:
Exchange Organization Administrators
Exchange Recipient Administrators
Exchange View-Only Administrators
Exchange Servers
Exchange Public Folder Administrators (new in Exchange 2007 Service Pack 1)
ExchangeLegacyInterop
Note: When you install Exchange 2007, Setup will add the Exchange Organization Administrators USG as a member of the local Administrators group on the computer on which you are installing Exchange. Be aware that the local Administrators group on a domain controller has different permissions than the local Administrators group on a member server. If you install Exchange 2007 on a domain controller, the users who are Exchange Organization Administrators will have additional Windows permissions that they do not have if you install Exchange 2007 on a computer that is not a domain controller.
4. From a Command Prompt window, run one of the following commands:
- Run setup /PrepareDomain or setup /pd to prepare
the local domain. Note that you do not need to run this in the
domain where you ran Step 3. Running setup /PrepareAD prepares the
local domain.
- Run setup /PrepareDomain:<FQDN of domain you want
to prepare> to prepare a specific domain.
- Run setup /PrepareAllDomains or setup /pad to
prepare all domains in your organization.
These commands perform the following tasks:
- Sets permissions on the domain container for the
Exchange Servers, Exchange Organization Administrators,
Authenticated Users, and Exchange Mailbox Administrators.
- If this is a new organization, this command creates the
Microsoft Exchange System Objects container in the root
domain partition in Active Directory and sets permissions on this
container for the Exchange Servers, Exchange Organization
Administrators, and Authenticated Users. This container is used to
store public folder proxy objects and Exchange-related system
objects, such as the mailbox database's mailbox. For more
information about which permissions are granted, see Exchange 2007 Server
Setup Permissions Reference.
- This command sets the objectVersion property in the
Microsoft Exchange System Objects container under
DC=<root domain>. This objectVersion property contains
the version of domain preparation. The version for Exchange 2007
RTM is 10628.
- Creates a new domain global group in the current domain called
Exchange Install Domain Servers. The command places
this group in the Microsoft Exchange System Objects container. It
also adds the Exchange Install Domain Servers group to the Exchange
Servers USG in the root domain.
Note: The Exchange Install Domain Servers group is used if you install Exchange 2007 in a child domain that is an Active Directory site other than the root domain. The creation of this group allows you to avoid installation errors if group memberships have not replicated to the child domain.
- Assigns permissions at the domain level for the Exchange
Servers universal security group (USG) and the Exchange Recipient
Administrators USG. For more information about which permissions
are granted, see Exchange 2007 Server
Setup Permissions Reference.
Note the following:
- For domains that are in an Active Directory site other
than the root domain, /PrepareDomain might fail with the following
messages:
"PrepareDomain for domain <YourDomain> has partially completed. Because of the Active Directory site configuration, you must wait at least 15 minutes for replication to occur, and run PrepareDomain for <YourDomain> again."
"Active Directory operation failed on <YourServer>. This error is not retriable. Additional information: The specified group type is invalid.
Active Directory response: 00002141: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0
The server cannot handle directory requests."
If you see these messages, wait for or force Active Directory replication between this domain and the root domain, and then run /PrepareDomain again.
- To run setup /PrepareAllDomains you must be a member of
the Enterprise Admins group.
- To run setup /PrepareDomain, if the domain that you are
preparing existed before you ran setup /PrepareAD, you must
be a member of the Domain Admins group in the domain. If the domain
that you are preparing was created after you ran setup
/PrepareAD, you must be a member of the Exchange Organization
Administrators group, and you must be a member of the Domain Admins
group in the domain.
- You must run this command in every domain in which you will
install Exchange 2007. You must also run this command in every
domain that will contain mail-enabled users, even if the domain
does not have Exchange 2007 installed.
To verify that this step completed successfully, confirm the following:
- You have a new global group in the Microsoft Exchange
System Objects container called Exchange Install Domain
Servers.
Note: To view the Microsoft Exchange System Objects container in Active Directory Users and Computers, on the View menu, click Advanced Features.
- The Exchange Install Domain Servers group is a member of
the Exchange Servers USG in the root domain.
- On each domain controller in a domain in which you will install
Exchange 2007, the Exchange Servers USG has permissions on the
Domain Controller Security Policy\Local Policies\User Rights
Assignment\Manage Auditing and Security Log policy.
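The following PowerShell script is an added example, not part of this topic or of Exchange Setup: it checks the objects that Step 3 and Step 4 create, using the RTM objectVersion values quoted above, and reads the organization's objectVersion from every domain controller in the forest so that you can confirm replication before continuing to the next step. It assumes PowerShell 2.0 or later on a domain-joined computer, and the organization name "Contoso" is a placeholder that you replace with the value you passed to /OrganizationName.

```powershell
param(
    [string]$OrganizationName      = "Contoso",   # placeholder: use your /OrganizationName value
    [int]   $ExpectedOrgVersion    = 10666,       # Exchange 2007 RTM value quoted in Step 3
    [int]   $ExpectedDomainVersion = 10628        # Exchange 2007 RTM value quoted in Step 4
)

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = [string]$rootDse.configurationNamingContext
$rootNC   = [string]$rootDse.rootDomainNamingContext
$localNC  = [string]$rootDse.defaultNamingContext     # the domain this computer is joined to

$orgDN      = "CN=$OrganizationName,CN=Microsoft Exchange,CN=Services,$configNC"
$usgOU      = "OU=Microsoft Exchange Security Groups,$rootNC"
$sysObjDN   = "CN=Microsoft Exchange System Objects,$localNC"
$installGrp = "CN=Exchange Install Domain Servers,$sysObjDN"
$serversUSG = "CN=Exchange Servers,$usgOU"

function Test-Dn([string]$Dn) {
    # True when the object exists on the domain controller this computer is bound to.
    return [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$Dn")
}

function Get-ObjectVersion([string]$Dn, [string]$Server) {
    # Reads objectVersion; naming a server binds to that DC so replicas can be compared.
    $path = "LDAP://$Dn"
    if ($Server) { $path = "LDAP://$Server/$Dn" }
    return [int]([ADSI]$path).Properties["objectVersion"].Value
}

function Report([string]$Check, [bool]$Passed, [string]$Detail) {
    $tag = "FAIL"
    if ($Passed) { $tag = "PASS" }
    Write-Output ("[{0}] {1}: {2}" -f $tag, $Check, $Detail)
}

# --- Step 3: setup /PrepareAD ---
$orgVersion = 0
if (Test-Dn $orgDN) { $orgVersion = Get-ObjectVersion $orgDN }
Report "Organization objectVersion" ($orgVersion -ge $ExpectedOrgVersion) `
    "$orgDN = $orgVersion (RTM expects $ExpectedOrgVersion; service packs raise it)"
$usgNames = "Exchange Organization Administrators", "Exchange Recipient Administrators",
            "Exchange Servers", "Exchange View-Only Administrators", "ExchangeLegacyInterop",
            "Exchange Public Folder Administrators"   # SP1 and later only; FAIL is expected on RTM
foreach ($name in $usgNames) { Report "USG exists" (Test-Dn "CN=$name,$usgOU") $name }

# The topic says to wait for replication before the next step: every domain
# controller in the forest should already return the organization's objectVersion.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
foreach ($domain in $forest.Domains) {
    foreach ($dc in $domain.DomainControllers) {
        $v = -1
        try { $v = Get-ObjectVersion $orgDN $dc.Name } catch { $v = -1 }
        Report "Configuration replicated" ($v -ge $ExpectedOrgVersion) ("{0} reports {1}" -f $dc.Name, $v)
    }
}

# --- Step 4: setup /PrepareDomain (for the domain this computer is joined to) ---
$domVersion = 0
if (Test-Dn $sysObjDN) { $domVersion = Get-ObjectVersion $sysObjDN }
Report "Domain objectVersion" ($domVersion -ge $ExpectedDomainVersion) "$sysObjDN = $domVersion"
Report "Exchange Install Domain Servers exists" (Test-Dn $installGrp) $installGrp
$isMember = $false
if (Test-Dn $serversUSG) {
    foreach ($m in ([ADSI]"LDAP://$serversUSG").Properties["member"]) {
        if ([string]$m -ieq $installGrp) { $isMember = $true }
    }
}
Report "Install group is in Exchange Servers USG" $isMember "$installGrp -> $serversUSG"
```

Any FAIL line for "Configuration replicated" means a domain controller has not yet received the changes from Step 3; wait for or force replication, as the notes above describe, before running Step 4 in that domain.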