Exchange Server 2010 allows an administrator to provision a new Exchange server and then delegate the actual setup of that server to another account. This is useful in scenarios such as large organizations where the Exchange administrators want to delegate the installation of Exchange to a branch site administrator or an outside contractor.
You cannot delegate the setup of the first Exchange server in the organization, but you can delegate the setup of any further Exchange servers that are being deployed.
Thanks to Exchange 2010’s Role-Based Access Control (RBAC) there is a built-in group for delegating setup of pre-provisioned servers, named the “Delegated Setup” role group. By default this group has no members.
[PS] C:\>Get-RoleGroupMember "Delegated Setup" [PS] C:\>
Add a user to this role group to allow them to install provisioned servers.
[PS] C:\>Add-RoleGroupMember "Delegated Setup" -Member paul [PS] C:\>Get-RoleGroupMember "Delegated Setup" Name RecipientType ---- ------------- Paul Cunningham User
Members of this role group can install provisioned servers but not configure or manage them. For those tasks they would also need to be added to the “Server Management” role group.
Now the new Exchange server can be provisioned by an Exchange administrator using Setup.com and the /NewProvisionedServer parameter.
[PS] C:\>setup.com /NewProvisionedServer:ex2.exchangeserverpro.local Welcome to Microsoft Exchange Server 2010 Unattended Setup Preparing Exchange Setup No server roles will be installed Performing Microsoft Exchange Server Prerequisite Check Organization Checks ......................... COMPLETED Configuring Microsoft Exchange Server Provisioning a new server ......................... COMPLETED The Microsoft Exchange Server setup operation completed successfully.
The new server has now been provisioned in Active Directory but not actually installed.
Now the account that was made a member of the “Delegated Setup” role group can deploy the new server by running Setup as normal (Note: they will still need to be a local administrator on the server to install the pre-requisites and the Exchange Server application itself).
Comments for this blog post are now closed; please contact team@practical365.com for any additional questions and comments, thank you.
Hi Paul
Really odd one…
We are installing Exchange 2010 into a non-production environment and as such we’ve had to export the existing schema from live into an empty domain. The root domain has a child domain that Exchange will be installed into in order to replicate the current setup.
However, I’m getting this error below when I’m running through the install and i cannot get past this or find anything on it. PrepareAD has given us some duplicate Exchange security groups appending 1 on the end of each group in the root domain and no groups exist in the child domain. Thats the only strange observations I’ve noticed.
“The following error was generated when “$error.Clear(); if ($RoleIsDatacenter -eq $false) { $delegatedSetupRG = Get-RoleGroup “Delegated Setup”; add-ExchangeAdministrator -role ServerAdmin -Identity $delegatedSetupRG.Identity -Scope $RoleNetBIOSName; }” was run: “Cannot bind argument to parameter ‘Identity’ because it is null.”. ”
Any ideas??
Much appreciated!!
“we’ve had to export the existing schema from live into an empty domain”
I don’t understand why you’ve had to do that. Why not just prep the new forest using Exchange setup?
Hi Paul,
we use Microsoft Provisioning System (MPS) to provision the mail domains between different business organizations on the same Exchange machine (Exchange Server 2003). Has the new provision feature of Exchange Server 2010 the same or better options than MPS? You mean perhaps, we don’t need any more MPS for provisioning?
Best Regards
Mustafa
I’m not familiar with MPS so I don’t know the answer to that.