Solved

Exchange 2007 Best Practice results

Posted on 2009-05-18
Last Modified: 2012-05-07
I have run a Best Practice report on our Exchange 2007 Server and need a little help with the results.

Write DACL inherit (group)
The Write DACL inherit (group) right for the Exchange Enterprise Servers group should be removed from the root of the domain.

I have followed the link (Removing the last legacy server) and as I no longer have an Exchange 2003 server, I cannot follow most of the instructions.  I have run ADSIEDIT.MSC and the Recipient Update Service entry is not present. So I guess I need to run this command: Remove-ADPermission "dc=<Domain>" -user "<RootDomain>\Exchange Servers" -AccessRights WriteDACL -InheritedObjectType Group

But from where, my Domain Controller or the Exchange 2007 server? I have three Exchange-related objects in my Active Directory; are these valid?

Exchange Domain Servers        Security Group-Global
Exchange Enterprise Server     Security Group-Global
Exchange Server                      User
Question by:-Juddy-
LVL 12

Expert Comment

by:Steven Wells
ID: 24410330
You should be running that on your exchange server.
Those objects are ok.
Run the command from exchange shell and then re-run bpa.
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24410341
EDS and EES are for the legacy servers and the Exchange Servers group is the Exchange 2007 group, and it's fine to run the command, but just make sure if it's ES or for EDS and EES.
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24410345
We have to run the command from the Exchange 2007 server
LVL 3

Author Comment

by:-Juddy-
ID: 24410361
Ok, so I'll run this from the Exc 2007 server Powershell:

Remove-ADPermission "dc=<Domain>" -user "<RootDomain>\Exchange Servers" -AccessRights WriteDACL -InheritedObjectType Group

Just so I'm sure of the exact syntax:

dc=<domain> will change to dc=my.domain.com

Any other changes I need to make to that command line?
LVL 12

Expert Comment

by:Steven Wells
ID: 24410395
Nope. PowerShell will tell you if there is a syntax error.
LVL 3

Author Comment

by:-Juddy-
ID: 24410413
Actually, DC means Domain Controller not Domain, so I guess I'd put it dc=domaincontrollername, yes?
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24410428
It would be the DN of your domain, which you would get from ADSIEDIT.
LVL 12

Expert Comment

by:Steven Wells
ID: 24410443
Sorry,
Correct syntax is
Remove-ADPermission "dc=<domain>,dc=<com>" -user "<domain>\Exchange Enterprise Servers" -AccessRights WriteDACL -InheritedObjectType Group
LVL 3

Author Comment

by:-Juddy-
ID: 24410447
Right. Must be getting the syntax wrong. I type:

Remove-ADPermission "dc=<my-domain>" -user "<RootDomain>\Exchange Servers" -AccessRights WriteDACL -InheritedObjectType Group

I get:

Remove-ADPermission : dc=<my-domain> was not found. Please make sure you
have typed it correctly.
At line:1 char:20
+ Remove-ADPermission  <<<< "dc=<my-domain>" -user "<RootDomain>\Exchange
 Servers" -AccessRights WriteDACL -InheritedObjectType Group
LVL 12

Expert Comment

by:Steven Wells
ID: 24410448
LVL 3

Author Comment

by:-Juddy-
ID: 24410457
That's the article I was referring to.

So if :

Remove-ADPermission "dc=<domain>,dc=<com>" -user "<domain>\Exchange Enterprise Servers" -AccessRights WriteDACL -InheritedObjectType Group

is the correct syntax, which entries do I need to change other than the dc=domain part? Do I still need the <> around the entry as well?
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24410470
Everything else is fine
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24410482
So we have to run the command for ES.
LVL 3

Author Comment

by:-Juddy-
ID: 24410504
Still failed.  This is what I enter:

Remove-ADPermission "dc=<my-domain>,dc=<com>" -user "<domain>\Exchange Enterprise Servers" -AccessRights WriteDACL -InheritedObjectType Group

This is the error:  

Remove-ADPermission : dc=<my-domain>,dc=<com> was not found. Please make
sure you have typed it correctly.
At line:1 char:20
+ Remove-ADPermission  <<<< "dc=<my-domain>,dc=<com>" -user "<domain>\
Exchange Enterprise Servers" -AccessRights WriteDACL -InheritedObjectType Group

I know it's obvious, but I'm not typing My-Domain, I am putting in the name as per ADSIEDIT.MSC!
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24410544
It would be Exchange Servers and not EES or EDS

Remove-ADPermission "dc=<Domain>,dc=com" -user "<RootDomain>\Exchange Servers" -AccessRights WriteDACL -InheritedObjectType Group
LVL 12

Expert Comment

by:Steven Wells
ID: 24410599
Try without the dc part.
So: remove-adpermissions -user domain\exchange servers -accessrights writedacl -inheratedobjecttype group
LVL 3

Author Comment

by:-Juddy-
ID: 24410620
I enter this:

remove-adpermission -user domain\exchange servers -accessrights writedacl -inheratedobjecttype group

(I removed the s from adpermissions) and I get this:

Remove-ADPermission : A parameter cannot be found that matches parameter name '
inheratedobjecttype'.
At line:1 char:95
+ remove-adpermission -user domain\exchange servers -accessrights writedacl -in
heratedobjecttype  <<<< group
LVL 12

Expert Comment

by:Steven Wells
ID: 24410859
Had a typo. It should be:
InheritedObjectType Group
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24410900
The parameter is
-InheritedObjectType
LVL 3

Author Comment

by:-Juddy-
ID: 24410937
Now I have a missing parameter.  

I enter this:

remove-adpermission -user domain\exchange servers -accessrights writedacl -InheritedObjectType

And I get:

Remove-ADPermission : Missing an argument for parameter 'InheritedObjectType'.
Specify a parameter of type 'Microsoft.Exchange.Configuration.Tasks.ADSchemaObj
ectIdParameter' and try again.
At line:1 char:94
+ remove-adpermission -user domain\exchange servers -accessrights writedacl -In
heritedObjectType <<<<
LVL 12

Expert Comment

by:Steven Wells
ID: 24410965
You missed the "group" off the end.
LVL 3

Author Comment

by:-Juddy-
ID: 24410990
So I did.  I now get this:

Remove-ADPermission : There are multiple objects matching the identity "servers
". Please specify an unique value.
At line:1 char:20
+ remove-adpermission  <<<< -user domain\exchange servers -accessrights writeda
cl -InheritedObjectType group

Do I need to replace the 'exchange servers ' entry with something else?
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24411394
Can you put the Exchange Servers in double quotes?
LVL 3

Author Comment

by:-Juddy-
ID: 24411425
I enter:

remove-adpermission -user domain\"exchange servers" -accessrights writedacl -InheritedObjectType group

I get the following:

cmdlet remove-adpermission at command pipeline position 1
Supply values for the following parameters:
Identity:

And it's waiting for an answer.
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24411668
After the Remove-ADPermission we are not putting the "dc=<Domain>".
LVL 12

Expert Comment

by:Steven Wells
ID: 24416472
Try this:

remove-adpermission "dc=domain,dc=local" -user "domain\exchange servers" -accessrights writedacl -InheritedObjectType Group
LVL 3

Author Comment

by:-Juddy-
ID: 24419553
Sorry guys, but I'm getting a bit mixed up with having six different commands to enter. StevenWells, what is the exact command I should be entering, please? Cheers guys.
LVL 12

Expert Comment

by:Steven Wells
ID: 24419670
You should be able to do this:

remove-adpermission "dc=microsoft,dc=com" -user "microsoft\exchange servers" -accessrights writedacl -InheritedObjectType Group

Obviously replace microsoft with your domain and com with local or whatever your full domain name is,

so if your domain is called mydomain.co.uk,

the dc command part will be

"dc=mydomain,dc=co,dc=uk" and so on.

You will then be prompted are you sure. Click Yes to continue.

I have just tried this on my test domain and the syntax is correct.

If you get the error "cannot remove ACE because it's not present", then you don't need to run this command.
Remember, you won't break exchange!

Steve
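An added example, not from this thread or from Microsoft, that lists the domain-root ACE the BPA reports before removing anything, so the "not present" and "not found" errors above are answered by inspection rather than by trial and error. It assumes the Exchange 2007 Management Shell on the Exchange server, an account allowed to change the domain root's security, and that the InheritedObjectType property renders as "group"; the domain DN is read from RootDSE instead of being typed as dc=..., and the two group names are the ones discussed in this thread.

```powershell
# Added example (not from this thread): inspect the domain-root ACL for the
# "Write DACL inherit (group)" entry the BPA flags, then remove it only if it is
# really there. Assumes Exchange 2007 Management Shell on the Exchange server.

# Domain DN from RootDSE, so no hand-typed "dc=..." string is needed.
$domainDn = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
$netbios  = $env:USERDOMAIN          # NetBIOS name used in "DOMAIN\Group"

# Both groups discussed in the thread; the BPA text names the legacy one.
$groups = @("$netbios\Exchange Enterprise Servers", "$netbios\Exchange Servers")

foreach ($g in $groups) {
    # Explicit (non-inherited) allow ACEs for this group on the domain root.
    # Get-ADPermission errors if the group does not exist; that is silenced here
    # so a missing legacy group simply reports "nothing to remove".
    $aces = Get-ADPermission -Identity $domainDn -User $g -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.Deny -and -not $_.IsInherited -and
            (($_.AccessRights -join ",") -match "WriteDacl") -and
            ("$($_.InheritedObjectType)" -eq "group")   # assumption: renders as "group"
        }

    if (-not $aces) {
        Write-Host "$g : no explicit WriteDacl ACE inherited to group objects on $domainDn"
        continue
    }

    # Show exactly what would be removed; these are the fields the BPA rule describes.
    $aces | Format-List User, AccessRights, InheritedObjectType, IsInherited

    # Dry run. Drop -WhatIf once the listed ACE matches the BPA report.
    $aces | Remove-ADPermission -WhatIf
}
```

WriteDacl on the domain root that inherits to every group object lets members of that group rewrite the ACL of any group, including privileged ones, which is why the BPA singles it out; the dry run makes the change reviewable before it is applied.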
LVL 3

Author Comment

by:-Juddy-
ID: 24419722
It failed:

Remove-ADPermission : User or group "microsoft\exchange servers" was not found.
 Please make sure you have typed it correctly.
At line:1 char:20
+ remove-adpermission  <<<< "dc=jumar-solutions,dc=com" -user "microsoft\exchan
ge servers" -accessrights writedacl -InheritedObjectType Group

I have three Exchange objects in my AD:

Exchange Domain Servers (security group)
Exchange Enterprise Servers  (security group)
ExchangeServer (this is a user)

Do I have to change the microsoft\exchange servers entry ?
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24419733
Yes, it would be your domain name.
LVL 12

Expert Comment

by:Steven Wells
ID: 24419742
Yes. Change to "jumar\Exchange Servers".
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24419743
Hello, we don't want the "Exchange Server" user; instead there is a group in the Microsoft Exchange Security Groups container in ADUC which is named "Exchange Servers".
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 24419747
I have three Exchange objects in my AD:

Exchange Domain Servers (security group)
Exchange Enterprise Servers  (security group)
ExchangeServer (this is a user)

We don't want the "Exchange Server" user; instead there is a group in the Microsoft Exchange Security Groups container in ADUC which is named "Exchange Servers".
LVL 12

Expert Comment

by:Steven Wells
ID: 24419752
The command is correct. Don't worry about the Exchange Server user comment. The command specifies the group.
LVL 3

Author Comment

by:-Juddy-
ID: 24419770
I ran it, and selected yes:

Remove-ADPermission : Cannot remove ACE on object "DC=my-domain,DC=com" f
or account "domain\Exchange Servers" because it is not present.
At line:1 char:20
+ remove-adpermission  <<<< "dc=my.domain,dc=com" -user "domain\exchange s
ervers" -accessrights writedacl -InheritedObjectType Group

If this is not present, then why does the Best Practices Report tell me to remove it, Steven?
LVL 12

Expert Comment

by:Steven Wells
ID: 24426811
Hi,

As the Best Practice Analyser says it is the

Exchange Enterprise Servers

group, the command should be

remove-adpermission "dc=jumar-solutions,dc=com" -user "jumar\exchange enterprise servers" -accessrights writedacl -InheritedObjectType Group

The microsoft page has some errors.
LVL 12

Expert Comment

by:Steven Wells
ID: 24426944
Actually, I would hold off running that command.
LVL 12

Expert Comment

by:Steven Wells
ID: 24427511
To clarify,

I am trying to find examples of the command using "exchange enterprise servers".
The information provided is not clear on which command to use. The TechNet article has been cited as having some errors and I wonder if the Best Practice tool is not updating.

I am considering posting a question on EE to see if other people can provide information.

I have checked my permissions on my migration and that comment is still there when I run the BPA again and my server has been working for months so it's not critical to operations.

Let me get back to you with concrete answers.

Thanks for your patience.


Steve
LVL 3

Author Comment

by:-Juddy-
ID: 24429296
I appreciate your help, Steven. One other question: my Exchange Server is a Global Catalogue Server and BPA has said that's not ideal. Your thoughts?
LVL 12

Expert Comment

by:Steven Wells
ID: 24429445
Ideally it's not good to run Exchange on a domain controller, but it does run ok. It's more from a security point of view.
It also depends on budget etc. If you only have two servers and one of them is Exchange, then it's probably a good idea to run Active Directory for failover.

The main reason is security, but another could be performance, depending on your load and number of users.

BTW, I haven't had any responses on my question about which command to run. To be honest, I would just leave it as is. As mentioned before, I still have that setting on my domain with no effects.

It's up to you. If I get a response back, I will update you.
LVL 3

Author Comment

by:-Juddy-
ID: 24429539
The results of my Best Practice scan don't really concern me too much.

I have the writedacl issue you have been so kindly dealing with.
Exchange resident on a global catalog server
Windows Firewall is enabled
Outlook connection range
Microsoft filter pack not enabled

I am not really concerned about these; the AD can stay on the Exchange Server as it's taken me weeks to get it working nicely and I don't want to do anything major with it! Mail is sending / receiving nicely so the firewall is not a problem and we all use Outlook 2007. I'm not so sure what the MS Filter Pack will do for me though, any thoughts?
LVL 12

Accepted Solution

by:
Steven Wells earned 250 total points
ID: 24429716
The MS Filter Pack also showed up on my BPA. I am not too worried about that either. It is used by Exchange to help index Outlook's attachments.

I think this may add extra load to your server.

The link to download is here

http://www.microsoft.com/downloads/details.aspx?FamilyId=60C92A37-719C-4077-B5C6-CAC34F4227CC&displaylang=en

but you have to manually configure the registry to make it work. I don't think it's worth the hassle unless your users complain about not being able to find stuff when they search in Outlook.

Everything else is just tweaking. I would turn off the firewall if you have issues, but if it's working leave it all as is.
LVL 3

Author Comment

by:-Juddy-
ID: 24430081
It all seems fine, so I'll leave well alone, I think. Many thanks for your help; if you do find an answer to the problem you have been helping me with:

stevanjudd@gmail.com

All the best.
LVL 12

Expert Comment

by:Steven Wells
ID: 24436302
LVL 3

Author Comment

by:-Juddy-
ID: 24439264
It worked!! Cheers for all the time you have put into this Steven, it's appreciated.