Delegate the installation of Exchange servers
In large companies, people who install and configure new Windows servers often aren't Exchange administrators. In Exchange 2016 and Exchange 2019, these users can still install Exchange on Windows servers, but only after an Exchange administrator provisions the Exchange server object in Active Directory. Provisioning an Exchange server object makes all of the required Active Directory changes independently of the actual installation of Exchange on a server. An Exchange administrator can provision a new Exchange server object hours or even days before Exchange is installed.
After an Exchange administrator provisions the Exchange server object, the only requirement for installing Exchange on the server is membership in the Delegated Setup role group, which allows members to install Exchange on provisioned servers. If this sounds like something you want to do, then this topic is for you.
What do you need to know before you begin?
Estimated time to complete this procedure: Less than 10 minutes.
You can only provision an Exchange server from the command line (Unattended Setup). You can't use the Exchange Setup wizard.
You can't provision the first Exchange server object in your organization for the installation of Exchange by a delegate. An Exchange administrator needs to install the first Exchange server in the organization. After that, you can provision additional Exchange server objects so users who aren't Exchange administrators can install Exchange using delegated setup.
A delegated user can't uninstall an Exchange server. To uninstall an Exchange server, you need to be an Exchange administrator.
Download and use the latest available release of Updates for Exchange Server.
To provision an Exchange server object, you need to be a member of the Organization Management role group.
You can provision the Exchange server object in Active Directory from the target server itself, or from another computer.
Use the Command Prompt to provision Exchange 2019 servers
In File Explorer, right-click on the Exchange ISO image file that you downloaded, and then select Mount. Note the virtual DVD drive letter that's assigned.
Open a Windows Command Prompt window. For example:
Press the Windows key + 'R' to open the Run dialog, type cmd.exe, and then press OK.
Press Start. In the Search box, type Command Prompt, then in the list of results, select Command Prompt.
In the Command Prompt window, use the following syntax:
The previous /IAcceptExchangeServerLicenseTerms switch will not work starting with the September 2021 Cumulative Updates (CUs). You now must use either /IAcceptExchangeServerLicenseTerms_DiagnosticDataON or /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF for unattended and scripted installs.
The examples below use the /IAcceptExchangeServerLicenseTerms_DiagnosticDataON switch. It's up to you to change the switch to /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF.
<Virtual DVD drive letter>:\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /NewProvisionedServer[:<ServerName>]
If you run the command on the target server, you can use the /NewProvisionedServer switch by itself. Otherwise, you need to specify the Name of the server to provision.
This example uses the Exchange installation files on drive E: to provision the server Mailbox01:
E:\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /NewProvisionedServer:Mailbox01
This example uses the Exchange installation files on drive E: to provision the local server where you're running the command:
E:\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /NewProvisionedServer
Note: To remove a provisioned Exchange server object from Active Directory before Exchange is installed on it, replace the /NewProvisionedServer switch with /RemoveProvisionedServer.
Add the appropriate users to the Delegated Setup role group so they can install Exchange on the provisioned server. To add users to a role group, see Add members to a role group. The delegates can use the procedures in Install Exchange Mailbox servers using the Setup wizard to install Exchange on the provisioned server.
How do you know this worked?
To verify that you've successfully provisioned an Exchange server for a delegate installation of Exchange, do the following steps:
In Active Directory Users & Computers, select Microsoft Exchange Security Groups, double-click Exchange Servers, and then select the Members tab.
On the Members tab, verify that the provisioned server is a member of the security group. A member of the Delegated Setup role group can now install Exchange on the server.
If your server is listed as a member of the Exchange Servers security group, it was properly provisioned. Someone who's a member of the Delegated Setup role group can now install Exchange on that server.
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
An Exchange administrator might need to complete the deployment by performing the tasks provided in Exchange post-installation tasks.
The high-level Active Directory changes that are made when you provision an Exchange server object are described in the following list:
A server object is created in the CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Root Domain> configuration partition.
The following access control entries (ACEs) are added to the server object within the configuration partition for the Delegated Setup role group:
Full Control on the server object and its child objects
Deny access control entry for the Send As extended right
Deny access control entry for the Receive As extended right
Deny CreateChild and DeleteChild permissions for Exchange Public Folder Store objects
Note: Public folders are administered at an organizational level; therefore, the creation and deletion of public folder stores is restricted to Exchange administrators.
The Active Directory computer account for the server is added to the Exchange Servers group.
The server is added as a provisioned server in the Exchange admin center (EAC).
Only members of the Organization Management role group in Exchange have the permissions required to make these changes to Active Directory.