Exchange Server 2010 allows an administrator to provision a new Exchange server and then delegate the actual setup of that server to another account.  This is useful in scenarios such as large organizations where the Exchange administrators want to delegate the installation of Exchange to a branch site administrator or an outside contractor.

You cannot delegate the setup of the first Exchange server in the organization, but you can delegate the setup of any further Exchange servers that are being deployed.

Thanks to Exchange 2010’s Role-Based Access Control (RBAC) there is a built-in group for delegating setup of pre-provisioned servers, named the “Delegated Setup” role group.  By default this group has no members.

[PS] C:\>Get-RoleGroupMember "Delegated Setup"
[PS] C:\>

Add a user to this role group to allow them to install provisioned servers.

[PS] C:\>Add-RoleGroupMember "Delegated Setup" -Member paul

[PS] C:\>Get-RoleGroupMember "Delegated Setup"

Name                                                        RecipientType
----                                                        -------------
Paul Cunningham                                             User

Members of this role group can install provisioned servers but not configure or manage them. For those tasks they would also need to be added to the “Server Management” role group.

Now the new Exchange server can be provisioned by an Exchange administrator using Setup.com and the /NewProvisionedServer parameter.

[PS] C:\>setup.com /NewProvisionedServer:ex2.exchangeserverpro.local

Welcome to Microsoft Exchange Server 2010 Unattended Setup

Preparing Exchange Setup

No server roles will be installed

Performing Microsoft Exchange Server Prerequisite Check

    Organization Checks              ......................... COMPLETED

Configuring Microsoft Exchange Server

    Provisioning a new server        ......................... COMPLETED

The Microsoft Exchange Server setup operation completed successfully.

The new server has now been provisioned in Active Directory but not actually installed.

adsiedit

Now the account that was made a member of the “Delegated Setup” role group can deploy the new server by running Setup as normal (Note: they will still need to be a local administrator on the server to install the pre-requisites and the Exchange Server application itself).

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Natalie Frith

    Comments for this blog post are now closed; please contact team@practical365.com for any additional questions and comments, thank you.

  2. Dan

    Hi Paul

    Really odd one…

    We are installing Exchange 2010 into a non-production environment and as such we’ve had to export the existing schema from live into an empty domain. The root domain has a child domain that Exchange will be installed into in order to replicate the current setup.

    However, I’m getting this error below when I’m running through the install and i cannot get past this or find anything on it. PrepareAD has given us some duplicate Exchange security groups appending 1 on the end of each group in the root domain and no groups exist in the child domain. Thats the only strange observations I’ve noticed.

    “The following error was generated when “$error.Clear(); if ($RoleIsDatacenter -eq $false) { $delegatedSetupRG = Get-RoleGroup “Delegated Setup”; add-ExchangeAdministrator -role ServerAdmin -Identity $delegatedSetupRG.Identity -Scope $RoleNetBIOSName; }” was run: “Cannot bind argument to parameter ‘Identity’ because it is null.”. ”

    Any ideas??

    Much appreciated!!

    1. Paul Cunningham

      “we’ve had to export the existing schema from live into an empty domain”

      I don’t understand why you’ve had to do that. Why not just prep the new forest using Exchange setup?

  3. Mustafa

    Hi Paul,

    we use Microsoft Provisioning System (MPS) to provision the mail domains between different business organizations on the same Exchange machine (Exchange Server 2003). Has the new provision feature of Exchange Server 2010 the same or better options than MPS? You mean perhaps, we don’t need any more MPS for provisioning?

    Best Regards
    Mustafa

    1. Paul Cunningham

      I’m not familiar with MPS so I don’t know the answer to that.

Comments are closed.