Exchange Server 2010 cannot be installed on a domain controller if the forest is in split permission mode

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at]  

Topic Last Modified: 2010-06-14

The Microsoft Exchange Best Practices Analyzer tool determines whether the /ActiveDirectorySplitPermissions parameter is set to TRUE on the computer on which you want to install Microsoft Exchange Server 2010.

If the /ActiveDirectorySplitPermissions parameter is set to TRUE on a domain controller, and if the current forest is in split permission mode, Exchange Server 2010 is not installed. When this occurs, you receive the following error message:

In Active Directory split permission mode, Exchange Servers should not be installed on a domain controller.

The /ActiveDirectorySplitPermissions parameter is configured on the Exchange Organization Name page in the Setup program during a new installation of Exchange Server 2010. If Setup is run on a domain controller for a new installation and the ActiveDirectorySplitPermissions check box is selected, the prerequisite check for org prep will not fail. However, the prerequisite checks for other server roles, such as CAS, MBX, HUB, and UM, will fail.

If the /ActiveDirectorySplitPermissions parameter is set to TRUE, do not create non-delegating role assignments for roles of the following role types (RoleType):

  • MailRecipientCreation

  • ActiveDirectoryPermissions

  • SecurityGroupCreationAndMembership

If any non-delegating role assignments exist for roles of these role types, remove them.
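
One way to audit this in the Exchange Management Shell, as an added example that is not part of the original topic: it lists the regular (non-delegating) assignments for every role of the three role types, including custom roles derived from the built-in ones, and previews their removal with -WhatIf. The variable names are illustrative.

```powershell
# Added example. Run in the Exchange Management Shell with an account that
# can read and manage RBAC role assignments.

# Role types that must carry no non-delegating assignments in split permission mode.
$roleTypes = 'MailRecipientCreation',
             'ActiveDirectoryPermissions',
             'SecurityGroupCreationAndMembership'

$findings = foreach ($type in $roleTypes) {
    # -RoleType returns the built-in role and any custom roles of the same type.
    foreach ($role in Get-ManagementRole -RoleType $type) {
        # -Delegating $false limits the result to regular (non-delegating) assignments.
        Get-ManagementRoleAssignment -Role $role.Name -Delegating $false |
            Select-Object @{ Name = 'RoleType'; Expression = { $type } },
                          Role, RoleAssigneeName, RoleAssigneeType, Enabled, Name
    }
}

if ($findings) {
    # Review who holds each assignment before changing anything.
    $findings | Sort-Object RoleType, RoleAssigneeName | Format-Table -AutoSize

    # Preview only: -WhatIf reports what would be removed and changes nothing.
    foreach ($finding in $findings) {
        Remove-ManagementRoleAssignment -Identity $finding.Name -WhatIf
    }
}
else {
    Write-Output 'No non-delegating assignments found for the three role types.'
}
```

After reviewing the table, rerun the removal loop without -WhatIf to delete the listed assignments.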

If the /ActiveDirectorySplitPermissions parameter is set to FALSE, the non-delegating role assignments that are listed in this section are not restored. You must create the assignments manually.

If the current forest is in Active Directory split permission mode, an attempt to install any server role (such as CAS, MBX, HUB, or UM) on a domain controller will fail the prerequisite check.