Exchange 2003 permissions
I'm trying to understand what permissions are required in order to do certain activities when Exchange 2003 is installed in a multi-domain environment. For example, I have two virtual machines, one as a parent domain controller, and one as a child domain controller. I have run forestprep on the forest root domain controller. In the process of doing so, I have granted the exchange full admin role to a user named "exchange.fulladmin". I have installed the exchange organization on the parent domain controller, and then installed exchange again on the child domain. As of right now, the only user who has any rights in exchange is this user "exchange.fulladmin", which is located on the parent domain controller. This user is also in the administrator group on both domains. Where my confusion starts is here: When logged onto the parent domain controller as the local Administrator (who is the Enterprise Admin), or as any other user who is a member of the Domain Admins global group, I can create users on the domain and mail-enable them with no issue. However, when I log into any user on the child domain (regardless of their administrator status), I cannot mail-enable the users, or even use the exchange system manager. When I try to make a user, the server selection box is empty. When I try to use the system manager, I get an LDAP error. These errors, however, go away when I delegate exchange access to a user on the child domain, which is to be expected. What I'm confused about is why the Administrator accounts on the parent domain do not have to be delegated this control to create mail-enabled users, while administrators on the child domain do. Is there something my textbook is not explaining?
July 7th, 2010 3:11pm

Hi, here is your answer. http://support.microsoft.com/kb/236146 Regards. Shafaquat Ali. M.C.I.T.P Exchange 2007/2010, M.C.I.T.P Windows Server 2008, M.C.T.S OCS Server 2007 R2
July 7th, 2010 3:18pm

I'm not sure I understand - I already installed Exchange in the child domain, and I used the exchange.fulladmin account to do so, so there doesn't seem to be an issue there. I forgot to mention, though, just in case you're curious: I did run domainprep on both the parent and the child domains before installing Exchange on either domain.
July 7th, 2010 3:33pm

Hi, there is no issue if you have run domainprep on both systems, because it has just updated the schema regarding Exchange requirements. So don't worry, there will be no issue. Regards. Shafaquat Ali. M.C.I.T.P Exchange 2007/2010, M.C.I.T.P Windows Server 2008, M.C.T.S OCS Server 2007 R2
July 7th, 2010 4:01pm

Hello Agent154, give the user Exchange Full Administrator permission to install the Exchange server on the child domain. To install Exchange on a server in a child domain: log on to the server in the child domain using the account that has been granted the Exchange Full Administrator role for the organization. Run Setup from your Exchange CD-ROM. The Setup.exe file is located in the Setup\i386 folder on the Exchange CD-ROM. How to Install Exchange in a Child Domain: http://support.microsoft.com/kb/236146/en-us It will help you. EXCHANGE2010, MCSE, MCTS, MCSA MESSAGING, CCNA & GNIIT
July 7th, 2010 4:17pm

Run the Delegation Wizard and grant the appropriate accounts Exchange rights. -- Ed Crowley MVP "There are seldom good technological solutions to behavioral problems." . "agent154" wrote in message news:c9fe379d-c159-46b7-9b39-a06509b5f031... [quoted original question, as posted above]
July 7th, 2010 5:55pm

I don't think you guys are understanding my question...

- I have properly installed Exchange in both the parent and child domains. That is to say, I have run domainprep in both domains prior to installation. I have also done the installation using the proper account (the one that has the Exchange Full Admin role).

- My question is not about how to get the administrator on my child domain to be able to do the things it needs to do (I already know I need to delegate authority to it). However, my question is "Why does the Administrator on the parent domain have the right to mail-enable new AD users, when it was not delegated authority?". This is my point.

The "Administrator" account in my parent domain (member of the groups: Enterprise Admins, Schema Admins, Group Policy Creator Owner, Domain Admins, Domain Users, and Administrators) is not delegated the authority to administer Exchange - only the user "exchange.fulladmin" has that right. However, that user, and any other user I assign to the "Domain Admins" group, has the ability to create users in Active Directory and then subsequently mail-enable them. This seems inconsistent with the material I'm reading, which happens to be an official Microsoft IT Academy textbook on 70-284. If this is actually supposed to happen, then what explanation can you give as to why the "Domain Admins" group in my child domain cannot also do these same tasks? Why must that group be delegated Exchange admin authority, while my parent domain's "Domain Admins" group does not need that explicit authority?
July 8th, 2010 3:22am

I'm afraid you'll have to drill down using something like ADSI Edit to see what permissions "Administrator" has in the relevant places. -- Ed Crowley MVP "There are seldom good technological solutions to behavioral problems." . "agent154" wrote in message news:fb7d8b01-0451-4717-a5ec-b149fae52458... [quoted follow-up question, as posted above]
July 8th, 2010 7:58am

> I'm afraid you'll have to drill down using something like ADSI Edit to see what permissions "Administrator" has in the relevant places. -- Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

That solved it, thank you very much. It would appear that a few security principals have hidden permissions for the Exchange organization. I find it odd that it would do this, and not show them in the delegation wizard. "Domain Admins" on my parent domain had some (not full, but almost) access, yet there was no entry in the ACL for "Domain Admins" on my child domain. Problem solved, now I can sleep. Ha!
July 8th, 2010 4:16pm
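The thread's resolution is that the Exchange organization object in the configuration partition carries access control entries (for the forest-root "Domain Admins", among others) that the Delegation Wizard never displays, which is why the parent-domain administrators could mail-enable users without being delegated. The script below is an added example, not code from the thread or from Microsoft; it does with System.DirectoryServices what Ed Crowley suggests doing by hand in ADSI Edit: it dumps every Allow ACE on each Exchange organization container so the principals and their rights can be compared across domains. It assumes it is run on a domain-joined machine by an account that can read the configuration naming context; the organization name is discovered rather than hard-coded, and the `msExchOrganizationContainer` class name is the one Exchange uses for that object.

```powershell
# Added example: audit the ACL on the Exchange organization object(s) in the
# configuration partition. Not part of the original thread.
# Assumes a domain-joined machine and an account allowed to read the config NC.

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.configurationNamingContext
$exchSvc  = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNc"

# Translate a SID to DOMAIN\Name when possible; keep the raw SID otherwise
# (orphaned or foreign-domain SIDs would otherwise abort the listing).
function Resolve-Principal {
    param([System.Security.Principal.SecurityIdentifier] $Sid)
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }
}

foreach ($org in $exchSvc.Children) {
    # Only the organization container itself is of interest here.
    if ($org.SchemaClassName -ne 'msExchOrganizationContainer') { continue }

    Write-Host "Organization: $($org.distinguishedName)"

    $acl   = $org.ObjectSecurity                      # ActiveDirectorySecurity
    $rules = $acl.GetAccessRules($true, $true,         # explicit + inherited
                 [System.Security.Principal.SecurityIdentifier])

    $rules |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Select-Object @{ n = 'Principal';  e = { Resolve-Principal $_.IdentityReference } },
                      @{ n = 'Rights';     e = { $_.ActiveDirectoryRights } },
                      @{ n = 'Inherited';  e = { $_.IsInherited } },
                      @{ n = 'ObjectType'; e = { $_.ObjectType } } |
        Sort-Object Principal |
        Format-Table -AutoSize
}
```

Entries where `Inherited` is False were placed directly on the organization object (by Setup, forestprep or the Delegation Wizard); inherited ones come from the Services or Configuration containers above it. Comparing the `Principal` column for `<ROOTDOMAIN>\Domain Admins` against `<CHILDDOMAIN>\Domain Admins` shows the asymmetry the original poster observed: only the forest-root group appears in the ACL. The same approach can be pointed at the administrative-group and server containers beneath the organization by binding to their distinguished names instead.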
