Forefront Protection 2010 for Exchange Server 14 and RBAC

Forefront Protection for Exchange Server 11.0 (FPE 11.0) is the first version of Forefront that can interact with the new Role-Based Access Control (RBAC) capabilities in Microsoft Exchange 14.0 (E14).


The steps involved in integrating an FPE machine into E14 RBAC are:


a)      During an E14 install, the role group RoleGroupHygieneManagement is created in Active Directory (AD). E14 will monitor AD replication and keep refreshing the machine account token until the group becomes available.

b)      FPE setup runs the machine preparation tool that adds the current machine to RoleGroupHygieneManagement.

c)       After FPE has been installed, it will not be able to change E14 configuration until this role group membership has been replicated through AD and this membership is added to the current machine account token. For example, the following functions will be unavailable: spam filtering configuration, transport scanning, and configuration of the receive connectors for Forefront Online Protection for Exchange. This functionality will initially be disabled (grayed out) in the Management console. Attempts to make changes in these areas through FPE PowerShell will fail and return a warning. The FPE services will periodically refresh the machine account token until the group membership is detected. Following a successful detection, the full FPE functionality will be enabled.

d)      Setup will write information in the event log regarding the changes it has made in AD. When uninstalling FPE with the intention of decommissioning a server it is good practice to delete these changes. This is described in the FPE documentation on TechNet. When FPE is being uninstalled as part of an upgrade or with the intention of reinstalling it, the machine accounts must not be deleted from the group as this could create problems while the changes are getting replicated.


FPE Setup requires making changes to the E14 configuration. In the past, accounts with local administrator rights had full access to the registry and it was possible to install Forefront (or Antigen) for Exchange using a local administrator account. On E14 machines the default RBAC configuration prevents local administrators from executing most E14 cmdlets.


In order to assist customers that still want to use a local administrator account for product installation, we have provided the ability to run the machine preparation tool independently, and run setup with the /N (which stands for “No-prep”) command-line switch that will skip the preparation steps. This is also described in the FPE documentation.


When troubleshooting RBAC-related issues at FPE installation time, the best place to start is opening an Exchange PowerShell prompt and checking the cmdlets that are available to the current user. If the configuration cmdlets are not available, look first into your E14 RBAC configuration, network connectivity and Active Directory replication and get the issues sorted out, then install FPE.


Eusebio Rufian-Zilbermann

Forefront Server Protection

Skip to main content