What changes in Active Directory when Exchange is installed?

When you install Exchange Server 2016 or Exchange Server 2019, changes are made to your Active Directory forest and domains to store information about the Exchange servers, mailboxes, and other Exchange-related objects in your organization.

Three steps are required to prepare Active Directory for Exchange:

  1. Extend the Active Directory schema

  2. Prepare Active Directory containers, objects, and other items

  3. Prepare Active Directory domains

After all three steps are done, your Active Directory forest is ready for Exchange. This topic explains what Exchange does at each step of Active Directory preparation.

You can make these changes before you install the first Exchange 2016 or Exchange 2019 server in the organization by running the /PrepareSchema, /PrepareAD, and /PrepareAllDomains or /PrepareDomains commands using Exchange command line Setup. For instructions, see Prepare Active Directory and domains for Exchange. Or, these changes are automatically made for you during the installation of the first Exchange server using the Exchange Setup wizard. For instructions, see Install Exchange Mailbox servers using the Setup wizard.

Extend the Active Directory schema

Extending the Active Directory schema adds and updates classes, attributes, and other items. These changes are needed so that Exchange can create containers and objects to store information about the Exchange organization. Because Exchange makes a lot of changes to the Active Directory schema, there's a topic dedicated to this step. To see all of the changes made to the schema, see Active Directory schema changes in Exchange Server.

After the schema has been extended by running the /PrepareSchema command, the /PrepareAD command, or installing the first Exchange server using the Exchange Setup wizard, the schema version is set in the ms-Exch-Schema-Version-Pt attribute. To verify that the Active Directory schema was extended successfully, you can check the value stored in this attribute. For more information, see Exchange Active Directory versions.

Prepare Active Directory containers, objects, and other items

With the schema extended, the next step is to add all of the containers, objects, attributes, and other items that Exchange uses to store information in Active Directory. Most of the changes made in this step are applied to the entire Active Directory forest. A smaller set of changes are made only to the local Active Directory domain where the /PrepareAD command was run (or where the first Exchange server was installed using the Exchange Setup wizard).

Exchange makes the following changes to the Active Directory forest:

  • The Microsoft Exchange container is created under CN=Services,CN=Configuration,DC=<root domain> if it doesn't already exist.

  • The following containers and objects are created under CN=<organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain> if they don't already exist:

    • CN=Address Lists Container

    • CN=AddressBook Mailbox Policies

    • CN=Addressing

    • CN=Administrative Groups

    • CN=Approval Applications

    • CN=Auth Configuration

    • CN=Availability Configuration

    • CN=Client Access

    • CN=Connections

    • CN=ELC Folders Container

    • CN=ELC Mailbox Policies

    • CN=ExchangeAssistance

    • CN=Federation

    • CN=Federation Trusts

    • CN=Global Settings

    • CN=Hybrid Configuration

    • CN=Mobile Mailbox Policies

    • CN=Mobile Mailbox Settings

    • CN=Monitoring Settings

    • CN=OWA Mailbox Policies

    • CN=Provisioning Policy Container

    • CN=Push Notification Settings

    • CN=RBAC

    • CN=Recipient Policies

    • CN=Remote Accounts Policies Container

    • CN=Retention Policies Container

    • CN=Retention Policy Tag Container

    • CN=ServiceEndpoints

    • CN=System Policies

    • CN=Team Mailbox Provisioning Policies

    • CN=Transport Settings

    • CN=UM AutoAttendant Container (Exchange 2016 only)

    • CN=UM DialPlan Container (Exchange 2016 only)

    • CN=UM IPGateway Container (Exchange 2016 only)

    • CN=UM Mailbox Policies (Exchange 2016 only)

    • CN=Workload Management Settings

  • The following containers and objects are created under CN=Transport Settings,CN=<Organization Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain> if they don't already exist:

    • CN=Accepted Domains

    • CN=ControlPoint Config

    • CN=DNS Customization

    • CN=Interceptor Rules

    • CN=Malware Filter

    • CN=Message Classifications

    • CN=Message Hygiene

    • CN=Rules

    • CN=MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e

  • Permissions are set throughout the configuration partition in Active Directory.

  • The Rights.ldf file is imported. This file adds permissions that are needed to install Exchange and configure Active Directory.

  • The Microsoft Exchange Security Groups organizational unit (OU) is created in the root domain of the forest, and permissions are assigned to it.

  • The following groups are created within the Microsoft Exchange Security Groups OU if they don't already exist:

    • Compliance Management

    • Delegated Setup

    • Discovery Management

    • Exchange Servers

    • Exchange Trusted Subsystem

    • Exchange Windows Permissions

    • ExchangeLegacyInterop

    • Help Desk

    • Hygiene Management

    • Managed Availability Servers

    • Organization Management

    • Public Folder Management

    • Recipient Management

    • Records Management

    • Server Management

    • View-Only Organization Management

  • The new management role groups (which appear as universal security groups (USGs) in Active Directory) that were created in the Microsoft Exchange Security Groups OU are added to the otherWellKnownObjects attribute stored on the CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain> container.

  • In Exchange 2016 only, the Unified Messaging Voice Originator contact is created in the Microsoft Exchange System Objects container of the root domain.

  • Only the domain where the /PrepareAD command was run (or where the first Exchange server was installed using the Exchange Setup wizard) is prepared for Exchange. For information about what's done to prepare an Active Directory domain for Exchange, see the next section.
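
The groups created in the Microsoft Exchange Security Groups OU carry the permissions assigned during this step, so an inventory of that OU is a useful baseline after preparation. The following PowerShell is an added example, not part of the original topic or Microsoft's own code; it assumes the ActiveDirectory module (RSAT) and read access to the forest root domain, and its variable and column names are illustrative.

```powershell
# Added example. Needs the ActiveDirectory module (RSAT) and read access
# to the forest root domain.
Import-Module ActiveDirectory

# Group names exactly as listed on this page.
$expected = @(
    'Compliance Management', 'Delegated Setup', 'Discovery Management',
    'Exchange Servers', 'Exchange Trusted Subsystem',
    'Exchange Windows Permissions', 'ExchangeLegacyInterop', 'Help Desk',
    'Hygiene Management', 'Managed Availability Servers',
    'Organization Management', 'Public Folder Management',
    'Recipient Management', 'Records Management', 'Server Management',
    'View-Only Organization Management'
)

# The OU is created in the forest root domain, so resolve that domain's DN first.
$rootDomain = (Get-ADForest).RootDomain
$rootDn     = (Get-ADDomain -Server $rootDomain).DistinguishedName
$ouDn       = "OU=Microsoft Exchange Security Groups,$rootDn"

$groups = @(Get-ADGroup -Server $rootDomain -SearchBase $ouDn `
                -SearchScope OneLevel -Filter * -Properties member)

# One row per group found: scope, number of direct members, and whether the
# name is on the page's list. A name that is not listed is a prompt to
# review, not proof of a problem: custom role groups created later are
# stored in this OU as well.
$report = foreach ($g in ($groups | Sort-Object Name)) {
    [pscustomobject]@{
        Group         = $g.Name
        Scope         = $g.GroupScope
        DirectMembers = $g.member.Count
        OnPageList    = $g.Name -in $expected
    }
}
$report | Format-Table -AutoSize

# Listed groups that are absent from the OU (deleted, renamed or moved).
$expected | Where-Object { $_ -notin $groups.Name } |
    ForEach-Object { Write-Warning "Listed group not found in OU: $_" }
```

Saving the table after preparation and comparing it on later runs shows membership changes in groups such as Exchange Trusted Subsystem and Exchange Windows Permissions.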

Prepare Active Directory domains

The final step of preparing Active Directory for Exchange is to prepare the Active Directory domains where Exchange servers will be installed or where mailbox-enabled users will be located (all domains in the forest using the /PrepareAllDomains command, specific domains using the /PrepareDomains command, or installing the first Exchange server using the Exchange Setup wizard). This step is done automatically in the domain where the /PrepareAD command was run (or where the first Exchange server was installed using the Exchange Setup wizard).

Exchange makes the following changes to the Active Directory domains:

  • The Microsoft Exchange System Objects container is created in the root domain partition in Active Directory if it doesn't already exist.

  • Permissions are set on the Microsoft Exchange System Objects container for the Exchange Servers, Organization Management, and Authenticated Users security groups.

  • The Default Domain Controllers GPO is modified to grant "Manage Auditing and Security Log policy" rights to Exchange Enterprise Servers.

  • The Exchange Install Domain Servers domain global group is created in the current domain and placed in the Microsoft Exchange System Objects container.

  • The Exchange Install Domain Servers group is added to the Exchange Servers USG in the root domain.

  • Permissions are assigned at the domain level for the Exchange Servers USG and the Organization Management USG.

  • The objectVersion property in the Microsoft Exchange System Objects container under DC=<root domain> is set. To verify that the Active Directory domains were successfully prepared, you can check the value stored in this attribute. For more information, see Exchange Active Directory versions.
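
The two verification checks described in this topic (the schema version after extending the schema, and objectVersion after preparing domains) can be read in one pass. The following PowerShell is an added example, not part of the original topic or Microsoft's own code; it assumes the ActiveDirectory module (RSAT) and goes beyond the root domain by reading the container in every domain of the forest, on the assumption that each prepared domain has its own Microsoft Exchange System Objects container. Variable and column names are illustrative.

```powershell
# Added example. Needs the ActiveDirectory module (RSAT) and read access
# to the schema partition and to each domain in the forest.
Import-Module ActiveDirectory

# Schema check: the version number is held in the rangeUpper property of the
# ms-Exch-Schema-Version-Pt attribute object in the schema partition.
$schemaNc  = (Get-ADRootDSE).schemaNamingContext
$schemaObj = Get-ADObject -Identity "CN=ms-Exch-Schema-Version-Pt,$schemaNc" `
                 -Properties rangeUpper
"Schema version (rangeUpper): $($schemaObj.rangeUpper)"

# Domain check: objectVersion on the Microsoft Exchange System Objects
# container. Assumption: every prepared domain has this container, so a
# domain without it is reported as not prepared.
$results = foreach ($d in (Get-ADForest).Domains) {
    $dn = (Get-ADDomain -Server $d).DistinguishedName
    try {
        $meso = Get-ADObject -Server $d `
                    -Identity "CN=Microsoft Exchange System Objects,$dn" `
                    -Properties objectVersion
        [pscustomobject]@{
            Domain         = $d
            ContainerFound = $true
            ObjectVersion  = $meso.objectVersion
        }
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # Only "object not found" is treated as "not prepared"; connectivity
        # and permission errors are left to surface as errors.
        [pscustomobject]@{
            Domain         = $d
            ContainerFound = $false
            ObjectVersion  = $null
        }
    }
}
$results | Format-Table -AutoSize
```

Compare the numbers returned with the values published in Exchange Active Directory versions for the Exchange release that was installed.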