By running ForestPrep you have prepared your Active Directory to hold the Exchange Server related schema definitions. The next step is to assign appropriate permissions to the Exchange Server objects in Active Directory. Like any other Active Directory objects, such as user accounts, machine accounts, printers, contacts, etc., Exchange objects are treated by Active Directory as normal AD objects, and they need the correct permissions on the Exchange containers in Active Directory so that the machine accounts of the Exchange servers, as well as the administrator accounts for the Exchange boxes, are able to access the resources from AD. This is done by running DomainPrep in the domain where Exchange related services are going to be used.
This task finishes within a few minutes and does not take as long as the forest preparation does. What happens when DomainPrep is run, and what changes have been made in AD when it finishes? Let's take a quick look.
During this stage of setup, the Exchange installer adds a set of permissions on the Domain Naming Context and the Configuration Naming Context. The objects that are assigned permissions on these containers include the security groups created by DomainPrep itself, namely Exchange Enterprise Servers (EES) and Exchange Domain Servers (EDS). Once these groups are created, setup makes EDS a member of EES and proceeds further. A better view of these permissions can be seen using Adsiedit.msc.
Apart from creating and nesting these two security groups, Exchange also creates an additional container in the AD Domain Naming Context, well known as Microsoft Exchange System Objects (MESO). Once you enable the Advanced Features view in Active Directory Users and Computers (ADUC), you can see this container there. It holds the Exchange Server system objects native to Exchange configurations. These objects are mainly the system mailboxes, which are marked disabled by the system itself: the SMTP mailboxes and the System Attendant mailbox, which plays a key role in calendaring in Exchange Server 2003. The System Attendant and SMTP mailboxes are used for email transport and are part of the Microsoft SMTP Store Driver. This component is responsible for handling email transport within and outside of the Exchange organization. To be precise, Outlook, the only MAPI client widely used with Exchange servers, also relies on the SMTP Store Driver to send and receive emails, even though it uses RPC as its main communication protocol with Exchange and Active Directory.
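The following PowerShell check is an added example, not part of the original post: it confirms, for the current domain, that the two groups exist, that EDS is nested in EES, and that the MESO container is present. It assumes a domain-joined machine, an account with read access to the directory, and that the groups can be located by their common names anywhere in the domain; the function and variable names are illustrative. It does not inspect the permissions themselves.

```powershell
# Added example: verify the directory changes DomainPrep is described as making.
# Assumption: run on a domain-joined machine by an account that can read the domain.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainNC = [string]$rootDse.defaultNamingContext   # DN of the Domain Naming Context

# Hypothetical helper: return the first object under $BaseDn matching an LDAP filter.
function Find-DirectoryObject {
    param([string]$BaseDn, [string]$Filter)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$BaseDn"
    $searcher.Filter      = $Filter
    $searcher.SearchScope = 'Subtree'
    [void]$searcher.PropertiesToLoad.Add('distinguishedname')
    [void]$searcher.PropertiesToLoad.Add('memberof')
    $searcher.FindOne()          # $null when nothing matches
}

# The two security groups DomainPrep creates, looked up by common name.
$eds = Find-DirectoryObject $domainNC '(&(objectCategory=group)(cn=Exchange Domain Servers))'
$ees = Find-DirectoryObject $domainNC '(&(objectCategory=group)(cn=Exchange Enterprise Servers))'

$eesDn = if ($ees) { [string]$ees.Properties['distinguishedname'][0] } else { $null }

# Nesting: EDS must list EES in its memberOf attribute.
$nested = $false
if ($eds -and $eesDn) {
    $nested = @($eds.Properties['memberof']) -contains $eesDn   # case-insensitive match
}

# The MESO container sits directly under the domain root.
$mesoPath   = "LDAP://CN=Microsoft Exchange System Objects,$domainNC"
$mesoExists = [System.DirectoryServices.DirectoryEntry]::Exists($mesoPath)

$result = [pscustomobject]@{
    Domain              = $domainNC
    EdsGroupFound       = [bool]$eds
    EesGroupFound       = [bool]$ees
    EdsIsMemberOfEes    = $nested
    MesoContainerFound  = $mesoExists
}
$result | Format-List

# Any False value means DomainPrep has not run, or has not completed, in this domain.
if (@($result.PSObject.Properties | Where-Object { $_.Value -eq $false }).Count -gt 0) {
    Write-Warning "DomainPrep artefacts are missing in $domainNC"
}
```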
ForestPrep needs to be run only once in the entire AD enterprise, as it is a schema modifier. DomainPrep, however, may need to be run several times: in each domain that will be using Exchange resources. Do not be confused by the fact that it needs to be run even if you are running a resource forest. If your AD has a multiple-domain architecture and you want different Exchange servers in each of these domains, you will be running DomainPrep in each of the required domains. Consider a scenario where you do not want to deploy a dedicated Exchange server in another domain, yet you want to have your mailboxes created in the Exchange organization and email addresses stamped by the recipient policies of that same organization: you will need to run DomainPrep in that domain. This is required because the Exchange objects and binaries will be interacting with the Domain Naming Context of the other domain, and to do so they need the correct permissions to modify user properties and write new email addresses there. I will try to cover this kind of scenario, with a diagram, in another post.