What changes in Active Directory when Exchange is installed?
When you install Exchange Server 2016 or Exchange Server 2019, changes are made to your Active Directory forest and domains to store information about the Exchange servers, mailboxes, and other Exchange-related objects in your organization.
Three steps are required to prepare Active Directory for Exchange:
After all three steps are done, your Active Directory forest is ready for Exchange. This topic explains what Exchange does at each step of Active Directory preparation.
You can make these changes before you install the first Exchange 2016 or Exchange 2019 server in the organization by running the /PrepareSchema, /PrepareAD, and /PrepareAllDomains or /PrepareDomains commands using Exchange command line Setup. For instructions, see Prepare Active Directory and domains for Exchange. Or, these changes are automatically made for you during the installation of the first Exchange server using the Exchange Setup wizard. For instructions, see Install Exchange Mailbox servers using the Setup wizard.
Extend the Active Directory schema
Extending the Active Directory schema adds and updates classes, attributes, and other items. These changes are needed so that Exchange can create containers and objects to store information about the Exchange organization. Because Exchange makes a lot of changes to the Active Directory schema, there's a topic dedicated to this step. To see all of the changes made to the schema, see Active Directory schema changes in Exchange Server.
After the schema has been extended by running the /PrepareSchema command, the _/PrepareAD command, or installing the first Exchange server using the Exchange Setup wizard, the schema version is set in the ms-Exch-Schema-Version-Pt attribute. To verify that the Active Directory schema was extended successfully, you can check the value stored in this attribute. For more information, see Exchange Active Directory versions.
Prepare Active Directory containers, objects, and other items
With the schema extended, the next step is to add all of the containers, objects, attributes, and other items that Exchange uses to store information in Active Directory. Most of the changes made in this step are applied to the entire Active Directory forest. A smaller set of changes are made only to the local Active Directory domain where the /PrepareAD command was run (or where the first Exchange server was installed using the Exchange Setup wizard).
Exchange makes the following changes to the Active Directory forest:
The Microsoft Exchange container is created under CN=Services,CN=Configuration,DC=<root domain> if it doesn't already exist.
The following containers and objects are created under CN=<organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain> if they don't already exist:
CN=Address Lists Container
CN=AddressBook Mailbox Policies
CN=Addressing
CN=Administrative Groups
CN=Approval Applications
CN=Auth Configuration
CN=Availability Configuration
CN=Client Access
CN=Connections
CN=ELC Folders Container
CN=ELC Mailbox Policies
CN=ExchangeAssistance
CN=Federation
CN=Federation Trusts
CN=Global Settings
CN=Hybrid Configuration
CN=Mobile Mailbox Policies
CN=Mobile Mailbox Settings
CN=Monitoring Settings
CN=OWA Mailbox Policies
CN=Provisioning Policy Container
CN=Push Notification Settings
CN=RBAC
CN=Recipient Policies
CN=Remote Accounts Policies Container
CN=Retention Policies Container
CN=Retention Policy Tag Container
CN=ServiceEndpoints
CN=System Policies
CN=Team Mailbox Provisioning Policies
CN=Transport Settings
CN=UM AutoAttendant Container (Exchange 2016 only)
CN=UM DialPlan Container (Exchange 2016 only)
CN=UM IPGateway Container (Exchange 2016 only)
CN=UM Mailbox Policies (Exchange 2016 only)
CN=Workload Management Settings
The following containers and objects are created under CN=Transport Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain> if they don't already exist:
CN=Accepted Domains
CN=ControlPoint Config
CN=DNS Customization
CN=Interceptor Rules
CN=Malware Filter
CN=Message Classifications
CN=Message Hygiene
CN=Rules
CN=MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e
Permissions are set throughout the configuration partition in Active Directory.
The Rights.ldf file is imported. This file adds permissions that are needed to install Exchange and configure Active Directory.
The Microsoft Exchange Security Groups organizational unit (OU) is created in the root domain of the forest, and permissions are assigned to it.
The following groups are created within the Microsoft Exchange Security Groups OU if they don't already exist:
Compliance Management
Delegated Setup
Discovery Management
Exchange Servers
Exchange Trusted Subsystem
Exchange Windows Permissions
ExchangeLegacyInterop
Help Desk
Hygiene Management
Managed Availability Servers
Organization Management
Public Folder Management
Recipient Management
Records Management
Server Management
View-Only Organization Management
The new management role groups (which appear as universal security groups (USGs) in Active Directory) that were created in the Microsoft Exchange Security Groups OU are added to the otherWellKnownObjects attribute stored on the CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain> container.
In Exchange 2016 only, the Unified Messaging Voice Originator contact is created in the Microsoft Exchange System Objects container of the root domain.
Only the domain where the /PrepareAD command was run (or where the first Exchange server was installed using the Exchange Setup wizard) is prepared for Exchange. For information about what's done to prepare an Active Directory domain for Exchange, see the next section.
Prepare Active Directory domains
The final step of preparing Active Directory for Exchange is to prepare the Active Directory domains where Exchange servers will be installed or where mailbox-enabled users will be located (all domains in the forest using the /PrepareAllDomains command, specific domains using the /PrepareDomains command, or installing the first Exhange server using the Exchange Setup Wizard). This step is done automatically in the domain where the PrepareAD command was run (or where the first Exchange server was installed using the Exchange Setup wizard).
Exchange makes the follwing changes to the Active Directory domains:
The Microsoft Exchange System Objects container is created in the root domain partition in Active Directory if it doesn't already exist.
Permissions are set on the Microsoft Exchange System Objects container for the Exchange Servers, Organization Management, and Authenticated Users security groups.
Modifying the Default Domain Controllers GPO to grant "Manage Auditing and Security Log policy" rights to Exchange Enterprise Servers.
The Exchange Install Domain Servers domain global group is created in the current domain and placed in the Microsoft Exchange System Objects container.
The Exchange Install Domain Servers group is added to the Exchange Servers USG in the root domain.
Permissions are assigned at the domain level for the Exchange Servers USG and the Organization Management USG.
The objectVersion property in the Microsoft Exchange System Objects container under DC=<root domain> is set. To verify that the Active Directory domains were successfully prepared, you can check the value stored in this attribute. For more information, see Exchange Active Directory versions.