Provision Exchange 2010 Server and Delegate Setup
Applies to: Exchange Server 2010
This topic explains how to provision a server and delegate the setup and installation of Exchange. After the initial installation of the first instance of Exchange Server, you can provision a server for delegated setup of subsequent installations. This procedure allows a delegated account to install single instances of Exchange in your domain, without being a member of the Organization Management management role group.
However, be aware that you must install the first Exchange server in the domain by using an account that is a member of the Organization Management role group and local Administrators group. You can then install subsequent instances of Exchange using a member of the Delegated Setup management role group. (You just can't install the first instance of an Exchange server using a member of the Delegated Setup role group.)
Important
A delegated user can't uninstall an Exchange server. Uninstalling or removing Exchange servers requires an account that is a member of the Organization Management role group and local Administrators group.
For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2010, see Understanding Permissions, Understanding Role Based Access Control, and Delegated Setup.
Note
Exchange 2010 needs permissions to deploy and function correctly in your organization. These permissions are stamped on the access control lists (ACL) of the objects used by Exchange 2010 during setup. For more information, see Exchange 2010 Deployment Permissions Reference.
You can use Setup.com /NewProvisionedServer to provision your server. The Setup.com /NewProvisionedServer command performs the following tasks:
Creates the server object within the configuration partition: CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Root Domain>
Adds the following access control entries (ACE) to the server object within the configuration partition for the Delegated Setup role group:
- Full Control on the server object and its children
- Deny access control entry for the Send As extended right
- Deny access control entry for the Receive As extended right
- Deny CreateChild and DeleteChild permissions for Exchange Public Folder Store objects
Note
Public folders are administered at an organizational level; therefore, the creation and deletion of public folder stores is restricted to Exchange Organization Administrators.
Adds the computer account to the Exchange Servers group.
Adds the server as a provisioned server in the Exchange Management Console.
Provision an Exchange 2010 Server
If Exchange Server is installed on the computer you're provisioning, you can run the Setup.com command with associated arguments from the Run line or a command prompt. If the computer that you are running the Setup.com command from doesn't have Exchange installed, you must insert the Exchange 2010 DVD into the computer, and then run the Setup.com command from the root directory of the DVD.
Provision the local server
To run Setup.com /NewProvisionedServer, the account you use must be a member of the Delegated Setup role group.
To provision the local server, run the following command:
Setup.com /NewProvisionedServer
Note
Running this command provisions the local server, but it doesn't delegate a user.
Provision a remote server
To run Setup.com /NewProvisionedServer, the account you use must be a member of the Delegated Setup role group.
To provision a remote server, run the following command:
Setup.com /NewProvisionedServer:ServerName