Preparing Legacy Exchange Permissions

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.


Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

When transitioning from Microsoft Exchange Server 2003 or Exchange 2000 Server to Exchange Server 2007, you must first grant specific Exchange permissions in each domain in which you have run Exchange 2003 or Exchange 2000 DomainPrep. To do this, you run the setup /PrepareLegacyExchangePermissions command. We recommend that you run the setup /PrepareLegacyExchangePermissions command in the root domain of the Active Directory forest. The command can be run on an intended Exchange 2007 server or on an Exchange 2007 administration workstation. Regardless of where you run the setup /PrepareLegacyExchangePermissions command, Setup must be able to communicate with an Active Directory directory server that is running Windows Server 2003 with Service Pack 1 or later.

Granting these permissions is part of preparing the Active Directory directory service and your domains for installing Exchange 2007. For detailed instructions, see How to Prepare Active Directory and Domains.

This topic explains why you must run the setup /PrepareLegacyExchangePermissions command, when you run it, and what permissions are set by the command in your Exchange 2007 organization.

Why Run Setup /PrepareLegacyExchangePermissions

Essentially, you must run the setup /PrepareLegacyExchangePermissions command so that the Exchange 2003 or Exchange 2000 Recipient Update Service functions correctly after you update the Active Directory schema for Exchange 2007. This section explains the main issue and how running the command resolves this issue.

Issue

In Exchange Server 2003 and Exchange 2000 Server, the Recipient Update Service updates some mailbox attributes, such as the proxy address, on mail-enabled user objects. The Recipient Update Service has permission to modify these attributes because the computer account (named <ServerName>) for the server on which the Recipient Update Service runs is in the Exchange Enterprise Servers (EES) group. The EES group is created when you run Exchange Server 2003 or Exchange 2000 Server DomainPrep. Instead of granting the EES group permissions to each individual mailbox attribute that the Recipient Update Service must modify, the mailbox attributes are grouped together in property sets. When you run Exchange Server 2003 or Exchange 2000 Server DomainPrep, Exchange grants the EES group permission to modify the property sets through access control entries (ACEs) that Exchange sets on the domain container in Active Directory.

Exchange 2007 has a new predefined Exchange Administrator role called Exchange Recipient Administrators. This role contains permissions to manage the e-mail attributes of all users. Exchange administrators who are members of the Exchange Recipient Administrators role can manage only users' e-mail properties. To enable this functionality, Exchange 2007 must move some e-mail attributes of users into a property set called the "Exchange-Information property set." Exchange does this by redefining the attribute schemas in Active Directory when importing the new Exchange 2007 schema. However, the legacy EES group does not have permissions to the Exchange-Information property set. Therefore, when you import the new Exchange 2007 schema, the Recipient Update Service will no longer have permissions to the users' e-mail attributes and will stop functioning correctly. (For example, it will not be able to set proxy addresses for newly created Exchange Server 2003 users.)

Resolution

Running the setup /PrepareLegacyExchangePermissions command enables the legacy Recipient Update Service to function correctly. Before importing the new Exchange 2007 schema, Exchange 2007 must grant new permissions in each domain in which you have run Exchange Server 2003 or Exchange 2000 Server DomainPrep. The setup /PrepareLegacyExchangePermissions command grants these new permissions. Before you run setup /PrepareSchema, you must run setup /PrepareLegacyExchangePermissions and allow the permissions to replicate across your Exchange organization. The server where you run setup /PrepareLegacyExchangePermissions contacts the local global catalog to locate the domains in which you have run Exchange Server 2003 or Exchange 2000 Server DomainPrep by checking for the EES and Exchange Domain Servers (EDS) groups. The server must be able to communicate with every domain in the forest in which you ran Exchange Server 2003 or Exchange 2000 Server DomainPrep. Also, the account that you use to run setup /PrepareLegacyExchangePermissions must have the permissions assigned to the Enterprise Admins universal security group (USG) so that it can set the ACEs in each domain and in the Exchange organization.

Permissions Set By Setup /PrepareLegacyExchangePermissions

Setup /PrepareLegacyExchangePermissions finds every domain in the forest that has both the EES group and the EDS group. For each such domain, it does the following:

  • Adds an ACE to the domain root access control list (ACL) to provide the EES group with WRITE_PROP permissions on the Exchange-Information property set.

  • Adds an ACE to the domain root ACL to provide authenticated users with READ_PROP permissions on the Exchange-Information property set.

  • Adds an ACE to the AdminSDHolder container of the domain to provide the EES group with WRITE_PROP and READ_PROP permissions on the Exchange-Information property set.

  • Adds an ACE to the Exchange organization container ACL to provide the EDS group with WRITE_PROP permissions on the Exchange-Information property set.
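The Resolution section above says setup discovers the relevant domains by looking for the EES and EDS groups, must be able to reach each of them, and needs time for the new ACEs to replicate before setup /PrepareSchema runs; the list above says exactly which four ACEs it writes. The following PowerShell script is an added read-only check, not code from the Exchange documentation, that walks the forest the same way and reports whether each expected ACE is present. It assumes PowerShell 2.0 or later with the .NET System.DirectoryServices classes, an account that can read ACLs in every domain and in the configuration partition, that the property set is registered under CN=Extended-Rights with displayName "Exchange-Information" (the name the article uses; its GUID is looked up at run time rather than hard-coded), and that the organization container has objectClass msExchOrganizationContainer. The function and row names are mine.

```powershell
# Added post-run verification for setup /PrepareLegacyExchangePermissions; this is not
# code from the Exchange documentation. Assumptions: PowerShell 2.0 or later (.NET
# System.DirectoryServices); an account that can read ACLs in every domain and in the
# configuration partition; the property set is registered under CN=Extended-Rights with
# displayName "Exchange-Information" (the name the article uses) and the organization
# container has objectClass msExchOrganizationContainer. Nothing here changes any ACL.

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = [string]$rootDse.configurationNamingContext
$authenticatedUsers = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList "S-1-5-11"

# One LDAP search, returning the first match or $null.
function Find-One([string]$searchRootDN, [string]$filter, [string[]]$attrs) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://$searchRootDN"
    $s.Filter = $filter
    foreach ($a in $attrs) { [void]$s.PropertiesToLoad.Add($a) }
    return $s.FindOne()
}

# rightsGuid of a property set (a controlAccessRight under CN=Extended-Rights), looked up
# by display name rather than hard-coded.
function Get-PropertySetGuid([string]$displayName) {
    $r = Find-One "CN=Extended-Rights,$configNC" "(&(objectClass=controlAccessRight)(displayName=$displayName))" @("rightsGuid")
    if ($r -eq $null) { throw "Property set '$displayName' not found; has setup /PrepareLegacyExchangePermissions run and replicated?" }
    return [Guid]$r.Properties["rightsguid"][0]
}

# SID of a group in a domain, or $null when the group (and therefore legacy DomainPrep) is absent.
function Get-GroupSid([string]$domainDN, [string]$groupName) {
    $r = Find-One $domainDN "(&(objectClass=group)(cn=$groupName))" @("objectSid")
    if ($r -eq $null) { return $null }
    $bytes = [byte[]]$r.Properties["objectsid"][0]
    return New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $bytes, 0
}

# True when the object's DACL contains an Allow ACE for $sid granting $rights on $objectType.
function Test-Ace([string]$dn, [System.Security.Principal.SecurityIdentifier]$sid,
                  [System.DirectoryServices.ActiveDirectoryRights]$rights, [Guid]$objectType) {
    $acl = ([ADSI]"LDAP://$dn").ObjectSecurity
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($ace.IdentityReference.Value -ne $sid.Value) { continue }
        if ($ace.ObjectType -ne $objectType) { continue }
        if (($ace.ActiveDirectoryRights -band $rights) -eq $rights) { return $true }
    }
    return $false
}

# Walks the forest the way the article says setup does: a domain counts only if it has both
# the EES and EDS groups. Emits one row per such domain with the four expected ACEs.
function Test-LegacyExchangePermissions {
    $exchInfo = Get-PropertySetGuid "Exchange-Information"
    $org = Find-One "CN=Microsoft Exchange,CN=Services,$configNC" "(objectClass=msExchOrganizationContainer)" @("distinguishedName")
    if ($org -eq $null) { throw "No Exchange organization container found under CN=Services." }
    $orgDN = [string]$org.Properties["distinguishedname"][0]

    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($domain in $forest.Domains) {
        # Build the domain DN from the DNS name so an unreachable domain fails inside the try block.
        $domainDN = "DC=" + ($domain.Name -replace '\.', ',DC=')
        try {
            $ees = Get-GroupSid $domainDN "Exchange Enterprise Servers"
            $eds = Get-GroupSid $domainDN "Exchange Domain Servers"
        } catch {
            Write-Warning "$($domain.Name): not reachable ($($_.Exception.Message)); setup must be able to contact it."
            continue
        }
        if ($ees -eq $null -or $eds -eq $null) {
            Write-Verbose "$($domain.Name): no EES/EDS groups, so legacy DomainPrep has not run here; skipped."
            continue
        }
        $adminSDHolder = "CN=AdminSDHolder,CN=System,$domainDN"
        New-Object PSObject -Property @{
            Domain                        = $domain.Name
            EES_WriteProp_DomainRoot      = Test-Ace $domainDN $ees 'WriteProperty' $exchInfo
            AuthUsers_ReadProp_DomainRoot = Test-Ace $domainDN $authenticatedUsers 'ReadProperty' $exchInfo
            EES_ReadWrite_AdminSDHolder   = (Test-Ace $adminSDHolder $ees 'ReadProperty' $exchInfo) -and (Test-Ace $adminSDHolder $ees 'WriteProperty' $exchInfo)
            EDS_WriteProp_ExchangeOrg     = Test-Ace $orgDN $eds 'WriteProperty' $exchInfo
        }
    }
}

Test-LegacyExchangePermissions | Format-Table -AutoSize
```

Run it from the same place you ran setup /PrepareLegacyExchangePermissions, once replication has had time to complete and before setup /PrepareSchema. A warning names a domain that setup could not have contacted; a row with a False column means that ACE is not yet visible there, which is the condition under which the Recipient Update Service would lose access to the Exchange-Information property set after the schema import. Domains without the EES and EDS groups are skipped, exactly as the article says setup skips them, which also points you at the "run it again after DomainPrep" cases listed later on this page.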

Running Setup /PrepareLegacyExchangePermissions Again

There are some cases in which you will need to run setup /PrepareLegacyExchangePermissions again:

  • You have a domain that contains Exchange Server 2003 or Exchange 2000 Server servers, and you have not run DomainPrep.

  • You add a new domain to your forest and you want to install Exchange Server 2003 or Exchange 2000 Server in this domain.

  • In a new or existing domain, you mailbox-enable users who will log on to mailboxes on Exchange Server 2003 or Exchange 2000 Server servers in domains in which you have not run DomainPrep.

In these cases, you must run setup /PrepareLegacyExchangePermissions again after you run Exchange Server 2003 or Exchange 2000 Server DomainPrep. This allows the Exchange Server 2003 or Exchange 2000 Server Recipient Update Service to function correctly in this domain.