What is DomainPrep? Why does Exchange recommend running DomainPrep on the Root Domain if there are no Exchange servers or users in that domain?
I have been asked these questions so frequently I thought I’d do a post on it. I know DomainPrep is a little mysterious to many people so let me quickly explain what DomainPrep is and does.
DomainPrep does all the tasks for Exchange Setup which require Domain Admin rights to accomplish. These tasks are:
- Create two groups; The Exchange Enterprise Servers group (EES) and the Exchange Domain Servers group (EDS)
- Create the Microsoft Exchange System Objects container (also known as the Domain Proxy Container) in the Active Directory
- Add permissions (mainly for the EES and EDS) to the Domain, AdminSDHolder, and MS Exchange System Objects containers
- Add permissions to the EES, EDS, and the Pre-Windows 2000 Compatible Access Group
- Add the EES to the local security policy “Manage auditing and security log” on every Domain Controller in the domain
Note: The Recipient Update Service (RUS) will keep these permissions up to date when Exchange is installed in new domains and when new Exchange Full Administrators are delegated.
Thus running DomainPrep requires an account that has Domain Admin level permissions, but does NOT require any Exchange Admin permissions. This way you don’t have to give your email administrator Domain Admin permissions in order to install the first Exchange in a given domain.
That’s it. 2 groups, an object, and some permissions for the groups. That’s all DomainPrep is. It doesn’t create any directories, install any binaries, or add any regkeys. It’s actually very lightweight and runs in seconds.
So then why do I need to run DomainPrep is my Root (or Parent) Domain if I’m not going to have any Exchange servers or users with Exchange mailboxes in that domain? The short answer is “Because that’s usually where the GC is”.
The main issue has to do with DSAccess. DSAccess is what Exchange services use to access information in the Active Directory. In order for it to find the correct information, DSAccess needs to talk to Global Catalog servers, even if those servers are not in a domain where Exchange is installed. DSAccess will only talk to GCs that it has rights to. It will check to see if it has rights to that GC by checking if it has privileges to the Security Access Control List (SACL) on the GC. These rights are only propagated by the Recipient Update Service (RUS) and you can only create a RUS for domains that have been DomainPrepped.
If you follow this chain, you’ll see that it comes down to “DSAccess needs to be able to talk to a GC”, and in order to do that the GC has to be in a domain which has been DomainPrep’d and has a RUS pointed at it.
So if you have a parent-child domain configuration, with Exchange only in the child domain, and GCs in the parent domain, you will have to run DomainPrep in the parent domain AND create a new RUS on an Exchange server in the child domain and point that RUS at the parent domain.
Now I know you’re all asking the question “What if you don’t have a GC, or Exchange servers, or users getting Exchange mailboxes in the parent domain?” The answer is: “Then you don’t need to DomainPrep the parent domain.”
So if all your GCs are in the child domain, and none are in the parent domain, and there are never going to be any Exchange resources in the in the parent domain, then you don’t need to DomainPrep it or create a RUS for it. But that configuration doesn’t happen very often and the consequences for not DomainPreping the parent are bad enough (like the Exchange Information Store service won’t start) that we tell everyone to always domainprep the parent domain.