How Exchange Server 2007 Extends the Active Directory Schema

Microsoft Active Directory uses the Schema to represent the classes, attributes and objects that are used to display what you can see in the GUI of the Active Directory Users and Computers Snap In or other Snap Ins. The schema is part of the Schema partition in Active Directory and the Schema partition will be replicated through all Active Directory domain controllers in the Forest.

Because Active Directory schema changes are an important part of a healthy Active Directory environment, only members of the Schema Administrators and Enterprise Administrator groups have the right to extend and manage the Active Directory schema.

Requirements

Since Exchange Server 2007 is a 64bit application, you cannot install Exchange Server 2007 on a 32bit Server; but it is possible to use the Exchange 2007 32bit version for Active Directory Schema extension. It is possible to extend the Active Directory schema with a 32bit trial version of Exchange Server 2007 on a 32bit Windows 2003 machine.

You should always use the Active Directory Schema Master for expanding the Schema for Exchange Server 2007 because of replication traffic.

Exchange Server 2007 prerequisites:

A successful Exchange Server 2007 installation depends on a lot of prerequisites. You will need the following updates before installing Exchange Server 2007:

Extending the Active Directory schema

If the user who is installing Exchange 2007 is a member of the Schema and Enterprise Administrators group, Exchange setup automatically extends the Active Directory schema and you don’t have to run the Active Directory extension manually. This procedure is not common in larger environments where the Active Directory and Exchange Management are strictly separated.

For this reason it is possible that a Windows Server 2003 Active Directory Administrator who is a member of the Schema and Enterprise Administrators group can extend the Active Directory schema without installing Exchange Server 2007.

Exchange Server 2003 uses the Setup switch Setup /Forestprep to expand the Windows Active Directory schema but Exchange Server 2007 uses a new tool to extend the Active Directory schema called SETUP.COM, which can be used with various parameters.

It is one of these parameters that you need to extend the Active Directory schema…

Setup.com /prepareschema

This setup parameter is responsible for adding additional schema attributes to the Active Directory Schema which will be used by Exchange Server 2007 and its subsystems. This Setup parameter is used in conjunction with the Setup.com / PrepareLegacyExchangePermissions parameter, if Exchange Server 2007 is installed into an existing Exchange Server 2003 environment.

Setup /PrepareLegacyExchangePermissions

This setup parameter prepares Exchange Server 2003 for interoperability between Exchange Server 2003 and Exchange Server 2007. It requires Enterprise Administrator rights and will be executed as part of the /PrepareSchema switch. Read more about this setup switch at http://technet.microsoft.com/en-us/library/bb125224.aspx. You only have to do this if it is a fresh Exchange Server installation.

Schema extension files

Exchange Server 2007 setup uses, like Exchange Server 2003, a lot of Schema extension files in LDF (Lightweight Directory Exchange) format. During Schema extension, these files will be imported into Active Directory. Exchange Server 2007 will use a lot more Schema extension files, as you can see in the following image.


Figure 1: Schema extension files

The following image shows an example of a Schema definition file. The file you will see here is called Schema0.ldf. This file and others will be imported during the Exchange Server 2007 installation or the manual execution of Setup.com /prepareschema.


Figure 2: Detailed view of Schema0.ldf file

Use ADSIEDIT to view all Schema extensions during Exchange Server 2007 setup

You can use ADSIEDIT to view all Schema entries in the Schema partition of Active Directory. ADSIEDIT is one of the Windows Server 2003 Support tools which you can find on the Windows Server 2003 installation CD.


Figure 3: Active Directory Schema partition after Schema extension

Setup.com /preparedomain

If you have other domains in which you would like to install Exchange 2007 Server, execute the following command:

setup.com /PrepareAD

Property sets in Exchange Server 2007

You can use property sets in Exchange Server 2007 for attribute grouping that enables access control for specific object properties. Property sets use one single Access Control Entry (ACE) instead of an ACE for each individual property.

Exchange Server 2007 creates two new property sets exclusively for itself and doesn’t use existing Active Directory property sets. During Active Directory Schema extension, Exchange Server 2007 performs the following actions:

  • Extends the Active Directory schema with new classes and attributes.
  • Creates the property sets for Exchange Server 2007 and Exchange Information and Exchange Personal Information.
  • Adds the appropriate attributes to the Exchange Information and Exchange Personal Information property sets.

Exchange Server 2007 SP1 Schema Extensions

Exchange Server 2007 SP1 comes with a lot of additional Schema extensions:

  • ms-Exch-Foreign-Forest-Public-Folder-Admin-USG-Sid,<SchemaContainerDN>
  • ms-Exch-Internal-NLB-Bypass-Host-Name,<SchemaContainerDN>
  • ms-Exch-Mobile-Additional-Flags,<SchemaContainerDN>
  • ms-Exch-Mobile-Allow-Bluetooth,<SchemaContainerDN>
  • ms-Exch-Mobile-Allow-SMIME-Encryption-Algorithm-Negotiation,<SchemaContainerDN>
  • ms-Exch-Mobile-Approved-Application-List,<SchemaContainerDN>
  • ms-Exch-Mobile-Max-Calendar-Age-Filter,<SchemaContainerDN>
  • ms-Exch-Mobile-Max-Email-Age-Filter,<SchemaContainerDN>
  • ms-Exch-Mobile-Max-Email-Body-Truncation-Size,<SchemaContainerDN>
  • ms-Exch-Mobile-Max-Email-HTML-Body-Truncation-Size,<SchemaContainerDN>
  • ms-Exch-Mobile-Min-Device-Password-Complex-Characters,<SchemaContainerDN>
  • ms-Exch-Mobile-Require-Encryption-SMIME-Algorithm,<SchemaContainerDN>
  • ms-Exch-Mobile-Require-Signed-SMIME-Algorithm,<SchemaContainerDN>
  • ms-Exch-Mobile-Unapproved-In-ROM-Application-List,<SchemaContainerDN>
  • ms-Exch-Standby-Copy-Machines,<SchemaContainerDN>

Please note:
There are many more Schema changes during Exchange Server 2007 SP1 setup but I cannot list all the changes in this article. If you are interested in what changes occur read the following article.

Verifying Exchange Server 2007 SP1 schema extensions

It is possible to verify the Active Directory schema extensions with ADSIEDIT which is one of the Windows 200x support tools.

Navigate to:

CN CN=ms-Exch-Schema-Version-Pt,CN=Schema,CN=Configuration,DC=DN-of-forest-root-domaincontroller

In the Attribute Editor tab, scroll down to the “rangeUpper” attribute. If Exchange 2007 Service Pack 1 Beta 2 has extended the schema, the value should be 11116.

If you are using the RTM version of Exchange 2007 the value should be10637.

For Exchange 2003, the value should be 6870 and Exchange 2000 should return a value of 4397.


Figure 4: Display Schema extension version

Conclusion

In this article I showed you how the Exchange Server 2007 setup extends the Microsoft Active Directory schema and why Active Directory schema extensions are necessary. I also showed you how the Exchange Server 2007 SP1 setup adds additional schema changes.

Related Links

  1. Active Directory Schema Changes (SP1)
  2. How to Prepare Active Directory and Domains
  3. Windows PowerShell 1.0
  4. Microsoft .NET Framework Version 2.0
  5. .NET Framework Update
  6. Microsoft Management Console (MMC) 3.0 if Windows Server 2003 R2 is not used
  7. How the Exchange 2003 Active Directory Connector Setup Process Updates the Schema
  8. Description of the Parameters Used With the Exchange 2007 Setup.com Tool

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top