Wednesday, 15 July 2009

/forestprep and /domainprep described in detail

(not my own work but something useful I found on the internet)

What is Forestprep and Domainprep

Before installing Microsoft Exchange 2003 Server, you must prepare your Windows 2003 forest. The Active Directory schema must be extended to store the Exchange 2003 attributes and classes, and permissions must be granted to the user or group who will install the first Exchange 2003 server in the forest. In every domain that will host either an Exchange 2003 server or mail-enabled users, two security groups must be created.

These security groups are used to perform administrative functions when the Exchange team members are different from the Windows team members, which is normal in larger enterprises; more on this later.

The Exchange 2003 Server CD contains two Setup Switches to accomplish these tasks:

  • ForestPrep and
  • DomainPrep.

When you use the /ForestPrep option, the Exchange Setup program extends the Active Directory schema to add Exchange-specific classes and attributes.

ForestPrep also creates the container object for the Exchange 2003 organization in the domain naming context of Active Directory, and it assigns, to the account that you specify, Exchange Full Administrative permissions to the organization object.

This account now has the authority to install and manage Exchange 2003 throughout the forest, along with the authority to assign other administrators Exchange Full Administrative permissions after the first Exchange server is installed.

Requirements

  • Forest wide permissions to manage Active Directory
  • Member of the Enterprise Administrators and Schema Administrators groups
  • Member of the local Administrators group

Why Do You Need ForestPrep and DomainPrep?

Larger organizations do not want their messaging administrator team to have high-level domain or enterprise rights, because these tasks will be done by experienced Windows administrators.

It is common for Exchange administrators to be in a separate team from the Windows / Active Directory Administration team.

For organizations with a structure like the one just described, ForestPrep and DomainPrep separate the Exchange 2003 setup tasks that require high-level network permissions from those that do not.

For example, Windows 2003 administrators with EnterpriseAdmin and SchemaAdmin permissions run ForestPrep, during which they designate an account as the Exchange 2003 administrator. This Exchange administrator will have enough rights (after both utilities are run) to perform the actual Exchange 2003 installation.

Note:
If the user who installs Exchange is a member of the EnterpriseAdmin and SchemaAdmin groups, Forestprep and Domainprep will be automatically executed.

Most deployment scenarios require you to run ForestPrep for a successful Exchange 2003 installation. As a general rule, keep in mind that when the installing administrator does not have EnterpriseAdmin and SchemaAdmin permissions, you must run ForestPrep.

When you install Exchange 2003 in a child domain, you must first run ForestPrep in the parent domain. If you don't do this, Setup will prompt you to do so when you attempt to install in the child domain.

ForestPrep in detail

ForestPrep performs all Exchange 2003 setup tasks that require EnterpriseAdmin and SchemaAdmin permissions, as it makes changes in the configuration naming container in Active Directory. ForestPrep extends your Active Directory schema to include Exchange-specific information. ForestPrep also creates objects in Active Directory and gives permissions on those objects to the account designated as the Exchange 2003 administrator. This administrator will have enough permission to install the first Exchange 2003 server in your organization.

ForestPrep also creates the Exchange organization name and object in Active Directory. New in Exchange 2003 ForestPrep is the creation of a placeholder Organization object. Setup will create a "temporary" organization with a hard-coded name. (That name is a GUID: "{335A1087-5131-4D45-BE3E-3C6C7F76F5EC}".) Setup can delegate the first Exchange administrator on this object, create the Exchange configuration underneath it, and so on. Later, when setup is run to install the first server in the organization – by someone who is an Exchange administrator – setup can rename the existing placeholder object, either to a user-specified name or to match the name of an Exchange 5.5 organization. The final naming is decided by the answer to the "Installation Type" screen.

You need to run ForestPrep only once per Windows 2003 forest.

Important
After ForestPrep and DomainPrep are run, the designated Exchange administrator has only enough permission to install Exchange. By default, this account is not able to create accounts or give users mailboxes unless this account is also a member of the Account Operators group.

You can grant administrators permissions to create and administer Windows accounts within your Exchange organization by making them Account Operators or by using the following two methods. Both methods use the Active Directory Users and Computers snap-in. The first is to run the Windows 2003 Delegation of Control Wizard and grant your Exchange administrator control of the Users container. The second is to create a new group specifically for Exchange users within the Users container and grant the Exchange administrator full control of that new group.

You need to gather the following information before running this utility. ForestPrep prompts for different information depending on whether you are installing a new Exchange 2003 organization or joining an existing Exchange 5.5 organization.

New Installation

For a new installation of Exchange 2003 Server, the network administrator needs to have the following information before running ForestPrep:

  • The name of the Exchange 2003 organization
  • The account of the person or group who will install the first Exchange 2003 server in your organization

Note:
Once Exchange is installed, this person or group is able to create other Exchange administrators by using the Exchange Administration Delegation Wizard.

When Is It Unnecessary to Run ForestPrep?

You should run ForestPrep before installing your first Exchange 2003 server—regardless of your organization's topology. However, there are some scenarios (such as in a small business) in which ForestPrep might not be required.

ForestPrep and DomainPrep both run automatically during Setup, but only if the Exchange administrator account is a member of the SchemaAdmin and EnterpriseAdmin groups and if the first Exchange 2003 server installation takes place in the same domain as the Schema Master.

When this is the case, you do not need to manually execute either utility. By default, the account with which you have logged on becomes the designated Exchange 2003 administrator.

Allow Time for Replication

After you run ForestPrep, be sure to allow enough time for the schema extensions to replicate throughout all the domains and sub-domains in your organization. Depending on the geography of your organization and the speed of your network connections between Windows 2003 sites or domains, this could take some time. You should run DomainPrep only after you're sure that the Exchange-specific information has been replicated across your organization.

DomainPrep in detail

The DomainPrep utility performs the Exchange setup tasks that require DomainAdmin permissions; it should be run by a member of the DomainAdmin group. You need to run DomainPrep once in each domain that contains an Exchange 2003 server and in any domain that hosts Exchange users. These are domains without Exchange servers but with mail-enabled users. DomainPrep is necessary for the Recipient Update Service (RUS) and to create the groups and permissions necessary for Exchange servers to read and modify user attributes.

DomainPrep creates two new domain groups: Exchange Domain Servers (a Windows 2003 global security group) and Exchange Enterprise Servers (a Windows 2003 domain local security group).

DomainPrep also creates the Public Folder proxy container in Active Directory. While ForestPrep works in the forest-wide configuration naming container, the Public Folder object (a Microsoft Exchange System Object) exists outside this container (this is the reason why you can't see public folders with ADSIEDIT, LDP or other LDAP tools). DomainPrep creates this object on a per-domain basis, under the domain container.

Exchange Domain Servers Group

The Exchange Domain Servers global security group contains the computer accounts of all Exchange servers in the domain. Though it is created by DomainPrep, the Exchange Domain Servers group is not populated until the actual installation of Exchange 2003.

The Exchange Domain Servers group is necessary for the Recipient Update Service, which is needed in every domain of your Exchange organization. This includes user domains, which do not contain Exchange servers but do have mail-enabled users. Recipient Update Service is used by Exchange to generate and update default and customized address lists and to process changes made to recipient policies.

Exchange Enterprise Servers Group

The Exchange Enterprise Servers group (a domain local group) contains every Exchange Domain Servers group (a global group, as described above) in your organization. In other words, every domain with an Exchange server, along with every domain in which DomainPrep has been run and that has an active Recipient Update Service, belongs to the Exchange Enterprise Servers group.

This group is populated immediately when DomainPrep adds the Exchange Domain Servers group from the current domain to it. Recipient Update Service adds the Exchange Domain Servers groups from all other domains that have an active Recipient Update Service.

You must meet the following requirements before you run DomainPrep:

  • The account that runs DomainPrep must belong to the domain's DomainAdmin group.
  • ForestPrep must have already been run in your Windows 2003 forest.
  • The schema extensions made by ForestPrep to Active Directory must have already replicated throughout your organization.

When is it unnecessary to Run DomainPrep?

DomainPrep should be executed before installing the first Exchange 2003 server. DomainPrep is not necessary when:

  • The account that is installing the first Exchange 2003 server in the domain is an Exchange Full Administrator and a member of the DomainAdmins group
  • The person who is installing Exchange has EnterpriseAdmin permissions.

In both scenarios, DomainPrep runs automatically as a hidden process during the Exchange 2003 setup.

When must you Run DomainPrep?

For DomainPrep to work correctly, you must run it:

  • After running ForestPrep, and after all ForestPrep changes are replicated throughout the forest.
  • Before the Exchange 2003 administrator designated through ForestPrep can install the first Exchange 2003 server in the domain.
  • Whenever you must create a Recipient Update Service (RUS) for a domain with mail-enabled users.
  • It is also necessary to run DomainPrep in an empty forest root domain, because the RUS needs it.

Active Directory Connector (ADC)

ADC, first introduced in Exchange 2003, updates the Active Directory schema during installation, regardless of whether Active Directory was already updated through the Exchange 2003 ForestPrep and DomainPrep process.

The Exchange 2003 version of ADC uses the same schema extensions as Exchange 2003. So if you install ADC, the setup process updates the Active Directory schema and you don't need to update the schema with Exchange 2003 ForestPrep, and vice versa.

How to see if FORESTPREP and DOMAINPREP were successful

In Exchange 2000 you have to use tools like ADSIEDIT to see if FORESTPREP and DOMAINPREP were successful.

With Exchange 2003 you can use the ORGPREPCHECK switch from the EXDEPLOY tools.

ORGPREPCHECK

Run ORGPREPCHECK at a command prompt

CD-ROM_Drive_Letter:\support\exdeploy\exdeploy.exe /gc:global catalog server name /t:orgprepcheck

View the EXDEPLOY.LOG file in C:\EXDEPLOY LOGS to see if the setup /forestprep command and the setup /domainprep command have completed successfully.

ORGPREPCHECK verifies the Exchange extensions to the Active Directory Schema, the existence and membership of the Exchange Domain Servers group and Exchange Enterprise Servers Group and checks that a global catalog Server is available in a domain in which DOMAINPREP has been run. The result is displayed in the EXDEPLOY.LOG file.

Conclusion

As you have seen in this article, FORESTPREP and DOMAINPREP are not so mystical when you understand the basics. FORESTPREP and DOMAINPREP are necessary components to update the Active Directory Schema to support Exchange 2000 / 2003.

Please keep in mind that Forestprep updates the Windows 2003 Active Directory Schema and ALL this information must be replicated to all Domain Controllers in the Forest.

Related Links

How to verify successful Exchange 2003 Forestprep
http://hellomate.typepad.com/exchange/2003/10/forestprep_and_.html

Manual Schema Changes Are Lost When You Apply Exchange Server 2003 Schema over Exchange 2000 Server Schema
http://support.microsoft.com/default.aspx?scid=kb;en-us;818583

How the Exchange 2003 Active Directory Connector Setup Process Updates the Schema
http://support.microsoft.com/default.aspx?scid=kb;en-us;822589

Permissions that you must have to install Active Directory Connector in Exchange Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;818473

Security Setting Changes and Updates That Are Introduced in Exchange Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;824111

Exchange 2003 Setup Program Does Not Display the Installation Type Screen After You Run the /Forestprep Switch
http://support.microsoft.com/default.aspx?scid=kb;en-us;829360

Running Exchange 2000 FORESTPREP after You Run Exchange 2003 FORESTPREP Allows You to Install Exchange 2000 but Creates a GUID for the Organization Name
http://support.microsoft.com/default.aspx?scid=kb;en-us;820112

Tuesday, 14 July 2009

70-284 Notes 9 (EXAM TOMORROW!)

  • To enable all hosts on a network to communicate with each other and with hosts on the internet, you should ensure that each hosts routing table is properly configured. The routing table on each host, including the routers, should contain one default route.
  • The default route is the most general route through which a host can reach the largest number of destinations. To configure the default route, the default gateway should be specified. The default gateway address is the address of the near side of the router that can receive TCP/IP packets directly from the host and forward them to the appropriate destinations.

  • For optimal I/O performance, you should place the transaction logs for each storage group on a separate physical disk or RAID device.

  • To extract information from a recovered mailbox in the RSG and to merge it with the new user's mailbox, you must use the Exmerge utility. To perform this task, you must have at least the 'Receive As' permission for the mailbox store

  • Archiving (keeping mail sent or received for a specific amount of time) is configured on the mailbox store level. On the general tab of the properties sheet for that store, you should select 'Archive all messages sent or received by mailboxes on that store' and specify the recipient that will be used as the destination of the archived messages
  • You cannot remove the 'Deleted Items' folder from users' mailboxes

  • Active/Passive configuration:
    • 'Create a single Exchange virtual server, and specify both nodes as possible owners'

  • To perform the first installation of an Exchange Server 2003 you need to be a member of the Enterprise Admins and Schema Admins groups in the forest root domain and a member of the local Administrators group on the member server

  • Eseutil /r = recovery mode, /p = repair mode

  • To migrate data from an Internet messaging system to Exchange 2003, the Exchange Migration Wizard requires mailbox access for each user who is migrated. To provide this access, including information about the user accounts and passwords, you must create an imapusr.csv file. For each IMAP4 user that you want to migrate, you must specify the mailbox name, SMTP address, password, and the IMAP server on which the mailbox resides. You can specify the fully qualified server name or the IP address for the server. The values must be separated by commas. If you have performed an LDAP export using the Exchange Migration Wizard, you can find a basic imapusr.csv file in the resulting migration folder.
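A small checker and writer for the imapusr.csv layout described in this note, added here as an example; it is not part of the Migration Wizard or of the original notes. It assumes the four values in the order the note gives them, one user per line and no header row; the sample rows, names and addresses are constructed.

```python
import csv
import io
import ipaddress
import re

# Column order as the note describes it. Assumption: one user per line and no
# header row; the wizard's exact header convention is not covered here.
FIELDS = ("mailbox", "smtp_address", "password", "imap_server")

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name: str) -> bool:
    """Fully qualified host name: at least two DNS labels of 1-63 valid characters."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(lab) for lab in labels)


def is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def check_row(row):
    """Problems found in one imapusr.csv row (an empty list means the row is usable)."""
    if len(row) != len(FIELDS):
        return [f"expected {len(FIELDS)} comma-separated values, got {len(row)}"]
    mailbox, smtp, password, server = (v.strip() for v in row)
    problems = []
    if not mailbox:
        problems.append("mailbox name is empty")
    local, sep, domain = smtp.partition("@")
    if not (sep and local and domain) or "@" in domain:
        problems.append(f"SMTP address is malformed: {smtp!r}")
    if not password:
        problems.append("password is empty")
    if not (is_fqdn(server) or is_ip(server)):
        problems.append(f"IMAP server is neither an FQDN nor an IP address: {server!r}")
    return problems


def validate_imapusr(text: str) -> dict:
    """Map line number -> problems for every row that would break the migration."""
    bad = {}
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue  # blank line
        problems = check_row(row)
        if problems:
            bad[lineno] = problems
    return bad


def build_imapusr(users) -> str:
    """Serialize user dicts in the documented order; csv quotes values containing commas."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for user in users:
        writer.writerow([user[field] for field in FIELDS])
    return buf.getvalue()


# Constructed sample: rows 1-2 are valid, row 3 names a bare host, row 4 lacks a value.
SAMPLE = (
    "alice,alice@example.test,s3cret-one,imap.example.test\n"
    "bob,bob@example.test,s3cret-two,192.0.2.10\n"
    "carol,carol@example.test,s3cret-three,imapserver\n"
    "dave,dave@example.test,s3cret-four\n"
)

if __name__ == "__main__":
    for lineno, problems in validate_imapusr(SAMPLE).items():
        print(f"line {lineno}: " + "; ".join(problems))
```

Because the file carries every user's password in clear text, keep it on an ACL-restricted path and delete it once the migration has finished.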

  • By creating contacts in each organization for the users in the other domain, the users can access any users' contact from their own GAL without requiring permissions.

  • Because of the tight integration between Exchange and ActiveDirectory, the ActiveDirectory forest structure directly affects your Exchange planning. There is a one-to-one relationship between an ActiveDirectory forest and an Exchange organization. An Exchange organization can span only a single ActiveDirectory forest. Likewise, an ActiveDirectory forest can host only a single Exchange organization.

  • The use of the Transport Layer Security (TLS) protocol over SMTP offers certificate-based authentication and helps provide security-enhanced data transfers by using symmetric encryption keys. In symmetric-key encryption (also known as shared secret), the same key is used to encrypt and to decrypt the message. TLS applies a Hash-based Message Authentication Code (HMAC). HMAC uses a hash algorithm in combination with a shared secret key to help make sure that the data has not been modified during transmission. The shared secret key is appended to the data to be hashed. This helps enhance the security of the hash because both parties must have the same shared secret key to verify that the data is authentic.

    To enable TLS encryption for a specific remote domain in Exchange Server, you install an X.509 server certificate on the Exchange server and create a new SMTP Connector with TLS encryption enabled. Of course you must do the same installation on the remote Exchange server.
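The integrity check this note describes, as an added example that is not from the original notes: the sender tags each record with an HMAC over the shared secret, and the receiver rejects anything modified in transit or tagged with a different secret. The secret and the message are constructed; a real TLS session derives the secret during the handshake, and HMAC keys the hash per RFC 2104 rather than by simply appending the secret to the data.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256


def mac_tag(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 over the record, keyed with the shared secret (RFC 2104)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def protect(key: bytes, data: bytes) -> bytes:
    """Sender side: append the tag so the receiver can check integrity."""
    return data + mac_tag(key, data)


def unprotect(key: bytes, record: bytes):
    """Receiver side: split off the tag and verify it with the same secret.
    Returns (ok, data); data must be ignored when ok is False."""
    if len(record) < TAG_LEN:
        return False, b""
    data, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    # compare_digest runs in constant time; a plain == would leak timing information
    ok = hmac.compare_digest(mac_tag(key, data), tag)
    return ok, data


def flip_bit(record: bytes, index: int) -> bytes:
    """Simulate modification in transit by flipping one bit of the record."""
    buf = bytearray(record)
    buf[index] ^= 0x01
    return bytes(buf)


# Constructed values: a real TLS session derives the secret in the handshake.
SHARED_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)
WRONG_SECRET = bytes.fromhex("00" * 32)
MESSAGE = b"MAIL FROM:<alice@example.test>\r\nRCPT TO:<bob@partner.test>\r\n"


def demo() -> dict:
    """Run the four cases a receiver must distinguish; True means the record is accepted."""
    record = protect(SHARED_SECRET, MESSAGE)
    return {
        "intact": unprotect(SHARED_SECRET, record)[0],
        "payload modified": unprotect(SHARED_SECRET, flip_bit(record, 10))[0],
        "tag modified": unprotect(SHARED_SECRET, flip_bit(record, len(record) - 1))[0],
        "wrong secret": unprotect(WRONG_SECRET, record)[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:17s} -> {'accepted' if ok else 'REJECTED'}")
```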

  • The default cost of an SMTP connector is 1

  • The Calendar Connector always stores free and busy information in its administrative group's public folder, specifically the Schedule+ Free Busy public folder. If there are multiple administrative groups on an Exchange 2003 server, each administrative group has its own public folder. In this case, free and busy information for Exchange 2003 users may be stored in a different public folder than the free and busy information for users on partner computers.

  • To import data into exchange mailboxes, you need the 'Send As' permission

To extract information you need the 'Receive As' permission

Sunday, 12 July 2009

70-284 Notes 8

  • Recovery Storage Group can only be used with mailbox stores not public folder stores
  • Recovery server must have the same server name as original server. Can use legacyDN to change name
  • Need to click checkbox 'This database can be overwritten' when restoring database to original server. Need to do this for each restore

  • To enable EVS to be moved between the nodes (failover), each node must be specified as a possible owner of all EVS resources. To ensure that the EVS is automatically moved back to the first node as soon as that node is brought back online, you should enable failback for the EVS
  • When a node that hosts a cluster group fails, the group fails over to another node automatically, as long as another node that is listed as a possible owner of all the resources in the group exists. You cannot directly enable/disable failover

  • The Global Address List (GAL) is stored in the global catalog. To resolve usernames to email addresses, Exchange uses the GAL. Therefore Exchange requires access to the global catalog. To minimize the amount of time it takes to resolve usernames, all Exchange servers that host user mailboxes should be well connected to a global catalog server. Therefore you should enable at least one domain controller in each site as a global catalog server.

  • When full-text indexing is enabled, users can perform searches more quickly. In exchange 2003, full-text indexing indexes each word in a database. You cannot create an index for a subset of mailboxes in a store

  • You can install exchange system manager before installing the first exchange server 2003, so you can create administrative groups that can be selected during installation

  • Public folders that are created on one server can be replicated to other servers to provide faster access
  • You cannot move public folders between different trees.

  • Generally SMTP connectors are not required to deliver internet e-mail. If there are no SMTP connectors, then an SMTP virtual server can use DNS or a smart host to route messages to the appropriate SMTP servers. However, it is recommended that one or more SMTP connectors be used to send outbound email because SMTP connectors have more configurable options. SMTP connector can also be configured to use DNS or a smart host. The settings that are configured on an SMTP connector override those set on its bridgehead SMTP virtual server.
  • When configuring a connector to use an external smart host, you should specify the IP address and NOT the FQDN.

  • The account that is used to perform a migration must be assigned the appropriate level of access to both the original and destination messaging systems. To import the data into the exchange mailboxes, the migration account should be granted the 'Send As' permission for the destination mailbox stores

  • In exchange 2003, SMTP protocol is used to deliver all internal and internet email messages. SMTP virtual servers are responsible for routing all messages that are transferred by using SMTP. All relevant delivery options can be configured on the 'Delivery' tab of the SMTP virtual server 'Properties' sheet. There are two groups of settings on this tab: 'Outbound' and 'Local'

  • Outlook express supports the following protocols: POP3, IMAP4, NNTP and LDAP
  • A POP3 client does not support viewing the contents of a user's mailbox online. It can only download messages from the Inbox folder. Additionally POP3 clients use SMTP to send email.
  • IMAP4 clients provide the same functionality as POP3 clients; however users with IMAP4 clients are able to view online and manipulate items that are located in any personal folders in their respective mailboxes, as well as items that are located in the public folders in the default public folder tree, including newsgroup public folders. However IMAP4 clients cannot view newsgroups or any public folders outside of the default public tree
  • NNTP clients can view any newsgroup, whether it is hosted in NTFS folders or in any public folder

  • You need to configure the routing group connector costs and IP routing to ensure the packets of data are routed in the most efficient manner possible

  • It is recommended that each of the following be placed on a separate physical disk: the OS and program files, the paging file, each exchange store, each set of transaction logs, each full-text index and full-text temporary directory
  • Typically, a full-text index on a store should require disk space that equals approximately 20-25% of the amount of data in the store.
  • You cannot change the location of a full-text index after it has been created. In order to move an index, you must delete it and create a new one.

SSL encryption and decryption mostly affects CPU and memory usage

Thursday, 9 July 2009

70-284 Notes 7

  • Eseutil /p = repair, Eseutil will repair broken links between tables and will most likely discard corrupted pages. This should bring the database to a consistent state; however some data loss is inevitable. Therefore it should only be used as a last resort.

  • To perform the first installation of Exchange server 2003 in a forest on a member server, you must be a member of the 'Enterprise Admins' and 'Schema Admins' groups in the forest root domain and a member of the local administrators group on the member server on which you will install exchange server 2003

  • Forestprep must be run on a computer in the domain in which the schema master resides

  • Front-end servers communicate with the appropriate DCs by using LDAP to determine the back-end server on which the user's mailbox resides

  • You should place transaction logs for different storage groups on separate hard drives

Wednesday, 8 July 2009

70-284 Notes 6

  • When performance monitor indicates that a server is experiencing a high level of paging activity = usually means there is not enough physical memory

  • HTTP, NNTP, POP3, IMAP4, and SMTP virtual servers are available on an exchange server 2003 server
  • POP3 and IMAP4 retrieve but do not send email. SMTP is used to send mail
  • POP3 manages email on the client. IMAP4 manages it on the server
  • HTTP virtual servers support WebDAV and OWA
  • POP3 – TCP 110, POP3 SSL – TCP 995
  • IMAP4 – TCP 119, IMAP4 SSL – TCP 993
  • NNTP – TCP 119, NNTP SSL – TCP 563
  • The default HTTP virtual server is configured using IIS manager rather than exchange system manager

  • You can encrypt emails, including authentication information, if you obtain, install, and associate a certificate
  • You can control client access by IP number, subnet, or domain name

  • To allow a user to send mail on your behalf, you can add them to your user account as a delegate

  • Remote users need to download and install the S/MIME control to use digital signatures and encryption

  • Although Unix users do not log on to any windows domain, they can have accounts in AD, and they can have exchange mailboxes
  • Unix users can access their mailboxes by using the POP3 protocol as regular internet users do
  • The winmail.dat attachment appears in all Unix users' incoming email messages because Outlook users routinely send email messages in RTF format and the Unix POP3 clients do not support it. To properly display the messages without affecting other users, configure POP3 settings on the 'Exchange Features' tab of the properties sheet for each Unix user's AD account

  • Exchange server 2003 supports 2 types of policies: recipient policies and system policies. System Policies include mailbox store, public store and server policies.

  • A DNS A record cannot be assigned a priority. You assign priority to the MX record. A lower priority number indicates higher preference

  • ETRN (Extended Turn) is an extension to the Simple Mail Transfer Protocol that allows an SMTP server to send a request to another SMTP server to send any e-mail messages it has. The ETRN command has been specifically designed to allow integration with dial-up mail servers.

  • To enable message tracking, you need to enable message tracking on all servers that the message will pass through

  • To extract information from the recovered mailboxes in the recovery storage group and merge it with the new users' mailboxes, you need to use the Exmerge utility. You need to be assigned at least the 'Receive As' permission for the mailbox store

  • The SMTP virtual server is the Exchange component that routes email messages to their destinations. When an Exchange user creates an email message, it is passed on to the default SMTP virtual server on the user's home Exchange server or to another SMTP virtual server in the organization. The SMTP virtual server analyzes the destination email address in the message and determines whether the recipient is internal or external. If the recipient is internal, the message is routed through the appropriate messaging infrastructure to the correct destination SMTP virtual server, which places the message in the recipient's Exchange mailbox. If the recipient is external, then the originating SMTP virtual server analyzes the existing messaging topology. If there is an SMTP connector that has an address space that matches the destination address in the message, the SMTP virtual server sends the message to the local bridgehead server, which handles the message in accordance with the routing configuration of the connector.

Monday, 6 July 2009

70-284 Notes 5

  • Archiving can be enabled on the mailbox store level
  • You cannot remove the Deleted Items folder from users' mailboxes

  • You can configure an SMTP filter to limit the emails that come into your organization

  • Outlook express sends outgoing messages directly to the SMTP server that is specified in its email account properties
  • By default, the SMTP virtual server allows anonymous connections, but does not allow relay to anonymous users. Therefore to allow outlook express users to send mail to the internet, you should instruct them to enable the 'My server requires authentication' option in the 'Outgoing mail server' area on the servers tab of the email account properties sheet.

  • Both an SMTP virtual server and an SMTP connector can use DNS to route mail, or they can forward all outbound mail to a specific SMTP server (smart host)
  • If you use SMTP connectors, then you can define one or more address spaces on each connector and assign costs to those address spaces. Costs are numeric values that indicate relative preference among the address spaces
  • Each connector can be configured to use a different method to deliver mail
  • Can configure the connector to deliver mail according to a schedule
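The connector selection that these notes describe (a connector whose address space matches the destination address, costs as relative preference, default cost 1, delivery by DNS or smart host), as an added example rather than Exchange's own routing code. It assumes the rule that the most specific matching address space wins and the lowest cost breaks ties; the connector names, costs and addresses are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SmtpConnector:
    name: str
    address_spaces: List[str]         # "*", "*.partner.test" or "partner.test"
    cost: int = 1                     # the notes: default cost of an SMTP connector is 1
    smart_host: Optional[str] = None  # None: the bridgehead resolves MX records via DNS
    bridgehead: str = "EXCH01"        # hypothetical local bridgehead server name


def space_matches(space: str, domain: str) -> bool:
    """Does this address space cover the recipient's domain?"""
    space, domain = space.lower(), domain.lower()
    if space == "*":
        return True
    if space.startswith("*."):
        # Assumption: "*.partner.test" covers partner.test itself and its subdomains.
        return domain == space[2:] or domain.endswith(space[1:])
    return domain == space


def specificity(space: str) -> int:
    """More labels in the address space means a closer match; "*" is least specific."""
    return 0 if space == "*" else len(space.lstrip("*.").split("."))


def select_connector(recipient: str, connectors: List[SmtpConnector]) -> Optional[Tuple[SmtpConnector, str]]:
    """Pick (connector, address space) for an external recipient, or None when no
    address space matches (the SMTP virtual server's own DNS/smart-host settings
    then decide delivery)."""
    domain = recipient.rsplit("@", 1)[-1]
    candidates = [(c, s) for c in connectors for s in c.address_spaces if space_matches(s, domain)]
    if not candidates:
        return None
    # Most specific address space first, then lowest cost, then name for determinism.
    return min(candidates, key=lambda cs: (-specificity(cs[1]), cs[0].cost, cs[0].name))


def describe_route(recipient: str, connectors: List[SmtpConnector]) -> str:
    choice = select_connector(recipient, connectors)
    if choice is None:
        return f"{recipient}: no matching address space, virtual server delivers directly"
    conn, space = choice
    via = f"smart host {conn.smart_host}" if conn.smart_host else "DNS (MX lookup)"
    return f"{recipient}: {conn.name} [{space}, cost {conn.cost}] via bridgehead {conn.bridgehead}, {via}"


# Constructed topology: two internet connectors with different costs, a partner
# connector that uses an IP smart host, and a more specific one for partner HQ.
CONNECTORS = [
    SmtpConnector("Internet", ["*"], cost=1),
    SmtpConnector("Internet-Backup", ["*"], cost=10, smart_host="198.51.100.25"),
    SmtpConnector("Partner", ["*.partner.test"], cost=1, smart_host="203.0.113.5"),
    SmtpConnector("Partner-HQ", ["hq.partner.test"], cost=5),
]

if __name__ == "__main__":
    for rcpt in ("u@example.test", "u@sales.partner.test", "u@hq.partner.test", "u@partner.test"):
        print(describe_route(rcpt, CONNECTORS))
```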

  • The function of an SMTP virtual server is to receive messages from mail clients and other SMTP servers and to relay those messages toward their final destination.
  • You should not allow unauthorized users from the internet to use your SMTP server to forward their email to destinations outside your organization. Therefore you should configure the server to relay messages only from internal network IP addresses. However you should allow connections from anywhere
  • If you configure the SMTP server to use only Integrated Windows authentication then anonymous mail will not be accepted, therefore internet mail will be blocked unless the sending users can be authenticated

  • To be able to encrypt or digitally sign messages, users must be issued the appropriate digital certificates.
  • Certificates are issued by certification authorities (CAs)
  • You can either purchase certificates for all users from a commercial CA or install a private CA on your company network
  • An enterprise CA is a CA that is integrated with AD. Only an enterprise CA can be configured for autoenrollment
  • Autoenrollment is the process of issuing certificates to users or computers automatically without any manual interaction on the part of the user
  • To enable autoenrollment, you should configure the appropriate certificate template, add it to the CA and enable the autoenrollment policy in a domain-level group policy object (GPO)

If you implemented a standalone CA, then you would not be able to configure autoenrollment. Standalone CAs do not support certificate templates, which are required for autoenrollment

70-284 Basics 2

Exchange Modes:

  • Mixed
    • Default; designed for backwards compatibility
    • Overall Exchange functionality is limited to the features shared by all servers in the organization
    • Exchange 2003 appears as just another server to earlier versions of Exchange
  • Native
    • Contains only Exchange 2000, 2003 or later servers (no Exchange 5.5 servers)
    • All DCs that communicate with Exchange must be running Windows 2000 Server SP3 or later
    • Once you switch to native mode you cannot go back
    • Use native mode to take advantage of the following features
      • Moving servers between routing groups in different administrative groups
      • Creating query-based distribution groups
      • Moving mailboxes between administrative groups
      • Mail-enabling or mailbox-enabling the inetOrgPerson object

To change the Exchange mode:

Exchange System Manager -> Properties of the organization object -> edit the setting on the General tab

Administrative Groups and Permissions:

  • You can set up administrative groups before the first Exchange server is installed (this lets you choose among multiple administrative groups during the installation of the first Exchange servers)
  • Run /forestprep, then use ADSI Edit to create the administrative groups in AD
  • A server's administrative group is chosen during setup and cannot be changed afterwards
  • If Exchange is running in native mode you can rename administrative groups in Exchange System Manager; otherwise use ADSI Edit

Permissions

Using permissions you can delegate Exchange administrative tasks to other users. Keep the following facts in mind when managing Exchange permissions:

  • Permissions are assigned at either the organization level or the administrative group level
  • Use the Exchange Administration Delegation Wizard in Exchange System Manager to manage delegations
  • While running /forestprep, or during Exchange installation, you identify the default Exchange administrator account. This account has full permissions to the Exchange organization
  • Exchange administrators must have the specific AD permissions for the objects and levels they work on. They must also have permissions on the local computer (membership of the local Administrators group on the Exchange server)

Exchange Administrative Roles:

  • Exchange Full Administrator
    • Full control over all objects within the hierarchy
    • Can change all permissions
    • Can delegate permissions
    • Can read mailboxes (note that the delegation wizard explicitly denies Send As and Receive As to administrators by default, so opening another user's mailbox requires that deny to be removed)
  • Exchange Administrator
    • Same as above, except cannot change permissions
  • Exchange View Only Administrator
    • Can view the configuration of the entire organization

When you assign Full Administrator or Administrator at an administrative group, the user also receives View Only permission on the entire organization, which allows the administrator to view the configuration of the whole organization

System Policies

A system policy is a collection of configuration settings that are applied to multiple objects at once

Exchange includes 3 different types of system policy:

  • Public store policy
  • Mailbox store policy
  • Server policy

System policies are created inside an administrative group. To configure a system policy, take the following steps:

  1. Add a system policy container
    -> right-click the administrative group
    -> New
    -> System Policy Container

  2. Add a policy to the system policy container (SPC)
    -> right-click the SPC
    -> New
    -> choose the type of policy
    Then select the property pages the policy will define

  3. Edit the policy settings
    -> give the policy a name
    -> modify the property settings that will be controlled by the policy

  4. Add the objects that will be controlled by the policy
    -> right-click the policy
    -> add servers, public stores or mailbox stores

Although system policies are defined inside an administrative group, a policy can apply to objects outside that administrative group

You can move or copy policies between administrative groups. You cannot, however, move or copy the system policy container itself. After copying a policy you must apply it to the corresponding objects again

When a policy is applied to an object, the properties controlled by the policy are disabled on that object's own property pages

When you remove an object from a policy, or delete the policy, the settings it applied remain on the object