What changes in Active Directory when Exchange 2013 is installed?
Applies to: Exchange Server 2013
When you install Exchange 2013, changes are made to your Active Directory forest and domains. Exchange does this so that it can store information about the Exchange servers, mailboxes, and other objects related to Exchange in your organization. These changes are made for you when you run the Exchange 2013 Setup wizard or when you run the PrepareSchema, PrepareAD, and PrepareDomains commands (see how to use these commands in Prepare Active Directory and domains) during Exchange 2013 command-line Setup. If you're curious about the changes that Exchange makes to Active Directory, this topic is for you. It explains what Exchange does at each step of Active Directory preparation.
There are three steps that need to be done to prepare Active Directory for Exchange:
Extend the Active Directory schema
Prepare Active Directory containers, objects, and other items
Prepare Active Directory domains
After all three steps are done, your Active Directory forest is ready for Exchange 2013. You can find out more about how to install Exchange 2013 by reading Install Exchange 2013 using the Setup wizard.
Extend the Active Directory schema
Extending the Active Directory schema adds and updates classes, attributes, and other items. These changes are needed so that Exchange can create containers and objects to store information about the Exchange organization. Because Exchange makes a lot of changes to the Active Directory schema, there's a topic dedicated to this step. To see all of the changes made to the schema, see Exchange 2013 Active Directory schema changes.
This step is done automatically when you run the Exchange 2013 Setup wizard on the first Exchange 2013 server in the Active Directory forest. It's also done when you run Exchange 2013 command line Setup with the PrepareSchema command (or optionally with the PrepareAD command) on the first Exchange 2013 server in the forest. If you want to find out more information about how to extend the schema, see Extend the Active Directory schema in Prepare Active Directory and domains.
After Exchange is finished extending the schema, it sets the schema version, which is stored in the ms-Exch-Schema-Version-Pt attribute. If you want to make sure that the Active Directory schema was extended successfully, you can check the value stored in this attribute. If the value in the attribute matches the schema version listed for the release of Exchange 2013 you installed, extending the schema was successful. For a list of Exchange releases and how to check the value of this attribute, check out the How do you know this worked? section in Prepare Active Directory and domains.
Prepare Active Directory containers, objects, and other items
With the schema extended, the next step is to add all of the containers, objects, attributes, and other items that Exchange uses to store information in Active Directory. Most of the changes made in this step are applied to the entire Active Directory forest. A smaller set of changes are made to the local Active Directory domain where the PrepareAD command was run during Setup.
These are the changes that are made to the Active Directory forest:
The Microsoft Exchange container is created under CN=Services,CN=Configuration,DC=<root domain> if it doesn't already exist.
The following containers and objects are created under CN=<organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain> if they don't already exist:
CN=Address Lists Container
CN=AddressBook Mailbox Policies
CN=Addressing
CN=Administrative Groups
CN=Approval Applications
CN=Auth Configuration
CN=Availability Configuration
CN=Client Access
CN=Connections
CN=ELC Folders Container
CN=ELC Mailbox Policies
CN=ExchangeAssistance
CN=Federation
CN=Federation Trusts
CN=Global Settings
CN=Hybrid Configuration
CN=Mobile Mailbox Policies
CN=Mobile Mailbox Settings
CN=Monitoring Settings
CN=OWA Mailbox Policies
CN=Provisioning Policy Container
CN=Push Notification Settings
CN=RBAC
CN=Recipient Policies
CN=Remote Accounts Policies Container
CN=Retention Policies Container
CN=Retention Policy Tag Container
CN=ServiceEndpoints
CN=System Policies
CN=Team Mailbox Provisioning Policies
CN=Transport Settings
CN=UM AutoAttendant Container
CN=UM DialPlan Container
CN=UM IPGateway Container
CN=UM Mailbox Policies
CN=Workload Management Settings
The following containers and objects are created under CN=Transport Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain> if they don't already exist:
CN=Accepted Domains
CN=ControlPoint Config
CN=DNS Customization
CN=Interceptor Rules
CN=Malware Filter
CN=Message Classifications
CN=Message Hygiene
CN=Rules
CN=MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e
Permissions are set throughout the configuration partition in Active Directory.
The Rights.ldf file is imported. This file adds permissions that are needed to install Exchange and configure Active Directory.
The Microsoft Exchange Security Groups organizational unit (OU) is created in the root domain of the forest, and permissions are assigned to it.
The following management role groups are created within the Microsoft Exchange Security Groups OU if they don't already exist:
Compliance Management
Delegated Setup
Discovery Management
Help Desk
Hygiene Management
Organization Management
Public Folder Management
Recipient Management
Records Management
Server Management
UM Management
View-Only Organization Management
The new management role groups (which appear as universal security groups (USGs) in Active Directory) that were created in the Microsoft Exchange Security Groups OU are added to the otherWellKnownObjects attribute stored on the CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain> container.
The Unified Messaging Voice Originator contact is created in the Microsoft Exchange System Objects container of the root domain.
The domain where the PrepareAD command was run is prepared for Exchange 2013. For information about what's done to prepare the Active Directory domain for Exchange, check out Preparing Active Directory domains.
The msExchProductId property on the Exchange organization object is set. If you want to make sure that the Active Directory schema was extended successfully, you can check the value stored in this property. If the value in the property matches the schema version listed for the release of Exchange 2013 you installed, extending the schema was successful. For a list of Exchange releases and how to check the value of this property, check out the How do you know this worked? section in Prepare Active Directory and domains.
Prepare Active Directory domains
The final step of preparing Active Directory for Exchange is to prepare all of the Active Directory domains where Exchange servers will be installed or where mailbox-enabled users will be located. This step is done automatically in the domain where the PrepareAD command was run.
These are the changes that are made to the Active Directory domains:
The Microsoft Exchange System Objects container is created in the root domain partition in Active Directory if it doesn't already exist.
Permissions are set on the Microsoft Exchange System Objects container for the Exchange Servers, Organization Management, and Authenticated Users security groups.
The Exchange Install Domain Servers domain global group is created in the current domain and placed in the Microsoft Exchange System Objects container.
The Exchange Install Domain Servers group is added to the Exchange Servers USG in the root domain.
Permissions are assigned at the domain level for the Exchange Servers USG and the Organization Management USG.
The objectVersion property in the Microsoft Exchange System Objects container under DC=<root domain> is set. If you want to make sure that the Active Directory schema was extended successfully, you can check the value stored in this property. If the value in the property matches the schema version listed for the release of Exchange 2013 you installed, extending the schema was successful. For a list of Exchange releases and how to check the value of this property, check out the How do you know this worked? section in Prepare Active Directory and domains.