Last week, I mentioned some of the new features in Exchange Server 2003's Setup process, including improvements to the way that Setup applies permissions and some changes in the Setup permissions model. This week, I want to expand on those remarks by talking about changes to the Forestprep and Domainprep processes.
If you aren't already familiar with Exchange 2003 or Exchange 2000 Server, you might wonder what Forestprep and Domainprep are for--no equivalent processes exist in Exchange Server 5.5 (or indeed in many other messaging systems). Forestprep gets its name from the fact that it prepares an Active Directory (AD) forest to contain Exchange 2003 or Exchange 2000 servers. Forestprep's primary function is to make changes to the AD schema--about 1100 changes for Exchange 2003, to be exact. Forestprep also makes some permissions changes to the forest structure, and it creates some objects in the Configuration Naming Context (NC) that are necessary for Exchange. You must run Forestprep once in each AD forest into which you install Exchange; one change that Exchange 2003 makes is that you can rerun Forestprep to restore permissions on the organization object if they get out of whack. Domainprep is primarily a security process; it creates the Exchange Domain Servers group and sets appropriate permissions on that group.
So, what's new with these processes in Exchange 2003? A lot! The first change you'll notice is that when you run Forestprep, the process doesn't ask for your organization name, as it does in Exchange 2000. Instead, Setup creates a temporary Exchange organization object and uses that object to complete the preparation steps, leaving you to set the real organization name later on. When you install Exchange 2003, you're prompted to join an existing Exchange organization (in which case the temporary object is renamed to match that organization) or create a new organization (in which case you can specify a name for the object).
Another significant change is that Forestprep adds a Deny access control entry (ACE) for the Exchange Domain Servers group. In Exchange 2000, adding an account to this group is the most common way of providing full mailbox access. However, granting such access is a significant security risk, so the Exchange 2003 Setup program adds the Deny ACE by default during Forestprep (Setup also applies this ACE when you install a new Exchange 2003 server). You can remove the ACE, but Microsoft recommends creating a security group and granting it Send As/Receive As permissions on the objects it needs to reach instead of using the Exchange Domain Servers group.
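As an added example (not from the original article), the PowerShell below audits the Exchange organization object in the Configuration NC and lists every ACE that references the Exchange Domain Servers group, flagging Allow or Deny entries for the Send As and Receive As extended rights. It assumes the forest root is DC=contoso,DC=com and the organization is named "First Organization"; both are placeholders to adjust, and it assumes the Deny ACE is checked at the organization object.

```powershell
# Added example, not code from the article or from Microsoft.
# Assumed placeholders: forest root DC=contoso,DC=com, organization "First Organization".
$orgDN = "CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com"

# Well-known AD extended-right GUIDs for the two permissions the article discusses
$extendedRights = @{
    "ab721a54-1e2f-11d0-9819-00aa0040529b" = "Send As"
    "ab721a56-1e2f-11d0-9819-00aa0040529b" = "Receive As"
}

# Bind to the organization object and read its security descriptor via ADSI
$org   = [ADSI]("LDAP://" + $orgDN)
$acl   = $org.psbase.ObjectSecurity
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

$denyFound = $false
foreach ($rule in $rules) {
    # Only report entries that apply to the Exchange Domain Servers group
    if ($rule.IdentityReference.Value -notlike "*\Exchange Domain Servers") { continue }

    $guid = $rule.ObjectType.ToString()
    $what = if ($extendedRights.ContainsKey($guid)) { $extendedRights[$guid] }
            else { $rule.ActiveDirectoryRights.ToString() }

    if ($rule.AccessControlType -eq "Deny" -and $extendedRights.ContainsKey($guid)) {
        $denyFound = $true
    }

    "{0,-5} {1,-20} inherited={2,-5} {3}" -f $rule.AccessControlType, $what,
                                            $rule.IsInherited, $rule.IdentityReference
}

# Summarise whether the protective Deny described in the article is in place
if ($denyFound) {
    "OK: Deny ACE for Send As/Receive As is present on $orgDN"
} else {
    "WARNING: no Deny ACE for Send As/Receive As found on $orgDN; full mailbox access may be open to Exchange Domain Servers members"
}
```

Run it from a domain-joined machine with read access to the Configuration NC; if you have intentionally removed the Deny ACE as the article notes you can, the WARNING line is your reminder to confirm a dedicated security group carries the Send As/Receive As grants instead.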
Running Exchange 2003 Forestprep also makes it possible to use the Exchange 2003 Exchange System Manager (ESM), even if you have only Exchange 2000 servers. This capability is significant because it lets you use the nifty new ESM features on your existing organization. (My favorite is the multithreaded--and more robust--mailbox mover, but the new queue viewer is pretty spiffy too.)
Of course, Forestprep and Domainprep aren't operations you should rush into, especially if you're still using Exchange 5.5. The Exchange 2003 documentation and exdeploy.chm, which I mentioned last week, have more details about what these operations do and when you should perform them. Read up, study up, and move up!