A while ago we told you about the setup prerequisite change in Exchange 2007 SP1 that allows setup to ignore unreachable domains and domains that do not have any domain controllers running a minimum of Windows 2003 SP1. That post is here:
In this blog post we’d like to fill you in on the details of this prerequisite change and clear up any confusion about how this check actually works.
In supporting our TAP customers in Exchange, we had several cases that went something like this:
Customer: "Hey, I thought SP1 removed the requirement to have a Windows 2003 SP1 DC in all our domains? Setup is failing and telling me I have a domain that does not meet this requirement. We don’t have Exchange in that domain, what gives?"
Customer sees this in the setup GUI:
Or if from the Command Line Interface (CLI):
Support Services: "Interesting, can we see your setup logs please?"
In looking at these setup logs we noticed a pattern. In each case where setup suggested a domain needed a Windows 2003 SP1 DC, we found Exchange Domain Servers and Exchange Enterprise Servers security groups left over from a previous /domainprep. Though the customer may not have ever deployed any Exchange servers or mailbox enabled users in these domains, they had been prepped for Exchange.
In the setup logs you’ll find this:
[10/18/2007 5:28:41 PM]  Setup will run the task ‘test-setuphealth’
[10/18/2007 5:28:41 PM]  Setup launched task ‘test-setuphealth -DomainController ‘131224vm1.AP2-ROOT.com’ -DownloadConfigurationUpdates $true -ExchangeVersion ‘188.8.131.52’ -Roles ‘Global’ -ScanType ‘PrecheckInstall’ -SetupRoles ‘Global’ -PrepareDomain $null -PrepareLegacyExchangePermissions $null -PrepareOrganization $true -PrepareSchema $true’
[10/18/2007 5:28:41 PM]  Beginning processing.
[10/18/2007 5:29:16 PM]  [WARNING] The Active Directory schema will be upgraded if you continue. Verify that the organization is ready for Exchange 2007 by running the Exchange 2007 Readiness Check, which is part of the Exchange Best Practices Analyzer.
[10/18/2007 5:29:16 PM]  [WARNING] Cannot find the Recipient Update Service responsible for domain ‘DC=child,DC=AP2-ROOT,DC=com’. New and existing users may not be properly Exchange-enabled.
[10/18/2007 5:29:16 PM]  [ERROR] Cannot find at least one domain controller running Windows Server 2003 Service Pack 1 or later in domain ‘DC=child,DC=AP2-ROOT,DC=com’. This could be the result of moving domain controller objects in Active Directory. Check that at least one domain controller running Windows Server 2003 Service Pack 1 or later is located in the ‘Domain Controllers’ organizational unit (OU) and rerun setup.
[10/18/2007 5:29:16 PM]  Ending processing.
[10/18/2007 5:29:16 PM]  **************
However, this does not tell you exactly why setup wants to update this domain. What is actually happening here?
For each reachable domain, Exchange 2007 SP1 setup looks for the Exchange Domain Servers and Exchange Enterprise Servers groups to determine if this domain needs to be updated for Exchange 2007 SP1. Should it find these objects we require a DC running Windows 2003 SP1 or later to be present.
So how can you tell if this is the problem?
In the Exchange Setup Logs directory we include an ExBPA data file that corresponds to the setup run that failed (by time stamp).
If you open this file in the ExBPA you will see the Domain identified:
Select "Tree Reports" and you’ll get details of the specific groups:
Alternatively you can search the raw .xml files by right clicking on them and Opening them in Internet Explorer, then do a "Find" and search for "Exchange Domain Servers" and/or "Exchange Enterprise Servers". The results will look like this:
How do you recover from this problem?
If you know beyond doubt you have no mailbox enabled user accounts in this domain and you never intend on having them in this domain, then you can safely delete these groups.
However, you must not delete these groups from any domain hosting any Exchange servers, Public Folders, mailbox enabled user accounts, mail enabled users, or contacts! Doing so will break Exchange functionality for these domain objects.
Should you discover you have Exchange objects in this domain you must either upgrade a Domain Controller to Windows 2003 SP1 or migrate the objects to alternate domains, then delete the Exchange groups.
We hope this clears up any confusion about why Exchange Server 2007 SP1 setup calls out a particular domain for updating.