
I was trying to create a new Receive Connector on my older Exchange 2007 SP3 server (planning underway to upgrade later this year) and when it failed I did some research. The solution I found here (I got the exact same error) included running setup.exe /PrepareSchema from the SP3 setup files on the server to correctly set up the Active Directory schema. Before trying this I wanted to find out if running the PrepareSchema on an existing server would cause any issues. I came across one blog here that worried me. It said, in short, that if inherited permissions were disabled for objects in Active Directory, the PrepareSchema command would fail and might give problems with mail flow.

I followed the steps and downloaded adfind and ran the command he supplied, and the adfind tool returned several user and group objects, but I'm not quite sure if it's telling me they have inherited permissions disabled or not.

It's a small server, with only about 20 mailboxes, but when I ran the command

adfind -b "DC=domain,DC=name" -sddl++ ntsecuritydescriptor -onlydaclflag -resolvesids -list -csv | find /i "(FLAGS:PROTECTED INHERIT)" | find /v /i "CN=Policies,CN=System"

it returned a row for several users that have a mailbox on the server, and some WMIPolicy and System objects, and it looked like this:

"CN=FirstName LastName,CN=Users,DC=domain,DC=com","[DACL]  (FLAGS:PROTECTED INHERIT)"
"CN=VolumeTable,CN=FileLinks,CN=System,DC=domain,DC=com","[DACL]  (FLAGS:PROTECTED INHERIT)"
"CN=Cert Publishers,CN=Users,DC=domain,DC=com","[DACL]  (FLAGS:PROTECTED INHERIT)"
"CN=Schema Admins,CN=Users,DC=domain,DC=com","[DACL]  (FLAGS:PROTECTED INHERIT)"
"CN=Replicator,CN=Builtin,DC=domain,DC=com","[DACL]  (FLAGS:PROTECTED INHERIT)"
"CN=WMIPolicy,CN=System,DC=domain,DC=com","[DACL]  (FLAGS:PROTECTED INHERIT)"
"CN=SOM,CN=WMIPolicy,CN=System,DC=domain,DC=com","[DACL]  (FLAGS:PROTECTED INHERIT)"

It seems to be a mixture of users and group objects but I'm not really sure, and I'm not sure if it's saying they indeed have inheritance disabled, and if that's a bad thing or not. All these objects are in my BUILTIN or USERS organizational unit from what I can tell, and it's only 28 objects.

Would it be safe to run the PrepareSchema command considering this information?

ItsPronounced

1 Answer


I know this is an old question, but it just popped up on the home page for some reason and it's still unanswered, thus I'll give it a try.


That blog post is indeed old, and it warns about what can happen if you try to prepare your AD for installing Exchange 2007 when upgrading from Exchange 2003; in that scenario, some modifications could be not properly inherited by some objects, thus disrupting the existing mail flow.

However, since you already have Exchange 2007 installed, the PrepareSchema operation only needs to adjust some settings for SP3, instead of heavily restructuring your Exchange organization like it does when upgrading from Exchange 2003; you are thus not going to experience that issue, because the heavy lifting was already done when Exchange 2007 was first installed; if the issue were present in your environment, you would have been experiencing it already.

Massimo
  • So you believe it will be alright to run PrepareSchema? This 2007 Exchange Server has been in place for the better part of a decade... I also noticed that the users in question (with the PROTECTED INHERIT flag) have NO checkmark under INCLUDE INHERITABLE PERMISSIONS FROM THIS OBJECT'S PARENT under ADVANCED SECURITY SETTINGS for the SECURITY tab of their user in ADUC. Would it be as simple as checking this? – ItsPronounced Jan 22 '19 at 20:21
  • I just tested an inactive user and checked INCLUDE INHERITABLE PERMISSIONS... and ran the adfind scan again and they are no longer in the results (no PROTECTED INHERIT flag) – ItsPronounced Jan 22 '19 at 20:26
  • 1
    Yes, that warning is *exactly* about AD objects which don't inherit permissions, and thus would stop Exchange-specific ACLs from being applied. But this would only be a problem when preparing AD for Exchange the first time during a 2003-2007 migration, not subsequently. – Massimo Jan 22 '19 at 20:52
  • Anyway, as you correctly guessed, if you want to be absolutely sure, just enable ACL inheritance on all the affected objects; this will effectively fix the issue. – Massimo Jan 22 '19 at 20:53
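The following PowerShell script is an added example, not code from the question, the answer, or the adfind author. It performs the same check as the adfind one-liner in the question (objects whose DACL carries the PROTECTED flag, with the CN=Policies,CN=System exclusion) using the ActiveDirectory module, and with -Fix it does what the last comment suggests: re-enables ACL inheritance on the affected objects. It assumes RSAT (the ActiveDirectory module) and an account permitted to read and, for -Fix, write those objects' security descriptors; the script name used in the usage note is made up. It also reports adminCount, because several of the objects in the question's output (Schema Admins, Cert Publishers, Replicator) are AdminSDHolder-protected groups: the SDProp process re-applies a protected, non-inherited ACL to those groups and their members roughly hourly, so re-enabling inheritance on an object with adminCount=1 is undone unless it is first removed from the protected groups.

```powershell
<#
Added example (not from the question or the answer). Reports AD objects whose
DACL has inheritance disabled, the condition adfind shows as PROTECTED, and
with -Fix re-enables inheritance on them. Assumes the ActiveDirectory module
and an account allowed to read (and with -Fix, modify) the descriptors.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase,   # defaults to the domain root, like the adfind -b value
    [switch]$Fix           # without -Fix the script only reports
)

Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
if (-not $SearchBase) { $SearchBase = $domainDn }

# Same exclusion as the adfind query: Group Policy containers are protected by design.
$policiesDn = "CN=Policies,CN=System,$domainDn"

$protected = foreach ($obj in Get-ADObject -Filter * -SearchBase $SearchBase `
                          -Properties nTSecurityDescriptor, adminCount) {
    if ($obj.DistinguishedName -like "*$policiesDn") { continue }
    # AreAccessRulesProtected is the "PROTECTED" control flag on the DACL
    if (-not $obj.nTSecurityDescriptor.AreAccessRulesProtected) { continue }
    [pscustomobject]@{
        DistinguishedName = $obj.DistinguishedName
        ObjectClass       = $obj.ObjectClass
        # adminCount=1: SDProp (AdminSDHolder) manages this ACL and will reset it
        # to protected within about an hour, so fixing it alone is pointless.
        AdminCount        = $obj.adminCount
    }
}

$protected | Format-Table -AutoSize

if ($Fix) {
    foreach ($entry in $protected) {
        if ($entry.AdminCount -eq 1) {
            Write-Warning "Skipping $($entry.DistinguishedName): adminCount=1, SDProp would re-protect it."
            continue
        }
        $path = "AD:\$($entry.DistinguishedName)"
        if ($PSCmdlet.ShouldProcess($entry.DistinguishedName, "Enable ACL inheritance")) {
            $acl = Get-Acl -Path $path
            # First argument $false = not protected (inherit from parent);
            # the second argument is ignored when inheritance is being enabled.
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path $path -AclObject $acl
        }
    }
}
```

Run it as `.\Find-ProtectedAcl.ps1` to get the report only, `.\Find-ProtectedAcl.ps1 -Fix -WhatIf` to see which objects would be changed, and `.\Find-ProtectedAcl.ps1 -Fix` to apply; the ADUC "Include inheritable permissions from this object's parent" checkbox mentioned in the comments sets exactly the same flag, and the WMIPolicy and System containers in the question's output are fine to leave as they are.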