The Forefront Protection 2010 for Exchange Server (FPE) uninstall program does not run with elevated user rights. Therefore, it does not have the necessary access for removing entries from the Active Directory Domain Service. The following steps can be used by an Enterprise Administrator to remove the entries created by the FPE installation. The number and types of entries are determined by the particular Exchange versions and roles that are being removed. For example:
- Exchange Server 2010 Mailbox, Hub, or Hub/Mailbox roles
- Exchange Server 2007 Edge role
- Exchange Server 2007 Mailbox, Hub, or Hub/Mailbox roles
- Exchange Server 2007 Mailbox only roles (no changes are required)
Caution: Active Directory Domain Service modifications should only be made after FPE is uninstalled. Modifications to these Active Directory settings when FPE is still installed will have an adverse effect on the operation of FPE.

- Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
- In the Active Directory Users and Computers pane, expand your domain, click Microsoft Exchange Security Groups, and then double-click Hygiene Management.
- In the Hygiene Management Properties dialog box, click the Members tab.
- Select the computer name, click Remove, and then click OK.

- Open Active Directory Service Interfaces (ADSI) Edit to retrieve the fully qualified distinguished name. On Windows Server 2008, click Start, point to Administrative Tools, and then click ADSI Edit.
- In the ADSI Edit interface, connect to localhost:50389 by using the Configuration naming context.
- In the ADSI Edit interface, open your Message Hygiene folder, typically Configuration\Services\MicrosoftExchange\First Organization\Transport Settings\Message Hygiene.
- Use either the DSACLS or LDP tool to change the security settings with the fully qualified distinguished name (obtained from ADSI Edit), and remove the network service and local system.
  For example, using the DSACLS tool, type the following command to remove the network service:

      D:\Users\Administrator>dsacls "\\localhost:50389\CN=Message Hygiene,CN=Transport Settings,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,CN={COMPUTER GUID}" /r "NT AUTHORITY\NETWORK SERVICE"

  Replace NETWORK SERVICE with SYSTEM to remove the local system.
  For more information about how to use the DSACLS tool, see the following article in the Microsoft Knowledge Base: http://go.microsoft.com/fwlink/?LinkId=160314
  For more information about how to use the LDP tool, see the following article in the Microsoft Knowledge Base: http://go.microsoft.com/fwlink/?LinkId=160315
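
The two DSACLS removals from the step above, scripted in PowerShell with a check of the container's ACL afterwards. This is an added example, not part of the original procedure or Microsoft's code; the function name `Remove-FpeHygieneAce` and its parameters are hypothetical, and the distinguished name must be the one copied from ADSI Edit.

```powershell
# Added example (not Microsoft's code). Function and parameter names are hypothetical.
function Remove-FpeHygieneAce {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Fully qualified distinguished name copied from ADSI Edit.
        [Parameter(Mandatory = $true)]
        [string]$DistinguishedName,
        # Directory instance used in the step above.
        [string]$Server = 'localhost:50389',
        # Accounts the step above removes from the container's ACL.
        [string[]]$Trustee = @('NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM')
    )

    # Guard against a mistyped DN: only the Message Hygiene container is in scope.
    if ($DistinguishedName -notlike 'CN=Message Hygiene,*') {
        throw "Refusing to modify '$DistinguishedName': not a Message Hygiene container."
    }
    $object = "\\$Server\$DistinguishedName"

    foreach ($name in $Trustee) {
        if ($PSCmdlet.ShouldProcess($object, "dsacls /r $name")) {
            & dsacls.exe $object /r $name | Out-Null
            if ($LASTEXITCODE -ne 0) {
                throw "dsacls exited with code $LASTEXITCODE while removing '$name'."
            }
        }
    }

    # Verify: re-read the ACL and count the lines that still name each trustee.
    # Lines that remain need review; they may be entries inherited from a parent object.
    $acl = & dsacls.exe $object
    foreach ($name in $Trustee) {
        [pscustomobject]@{
            Trustee          = $name
            RemainingEntries = @($acl | Select-String -SimpleMatch $name).Count
        }
    }
}

# Dry run first; {COMPUTER GUID} is the page's placeholder, replace it with the real value:
# Remove-FpeHygieneAce -WhatIf -DistinguishedName 'CN=Message Hygiene,CN=Transport Settings,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,CN={COMPUTER GUID}'
```

With `-WhatIf` the function skips both removals and only reports how many ACL lines currently name each account, which gives a before/after comparison for the change record.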

- Open ADSI Edit to retrieve the fully qualified distinguished name. On Windows Server 2008, click Start, point to Administrative Tools, and then click ADSI Edit.
- In the ADSI Edit interface, connect to your default server by using the Configuration naming context.
- In the ADSI Edit interface, open your Message Hygiene folder, typically Configuration\Services\MicrosoftExchange\First Organization\Transport Settings\Message Hygiene.
- Edit the security setting by following these steps:
  - Right-click the Message Hygiene folder and then click Properties.
  - In the Message Hygiene Properties dialog box, click the Security tab.
  - This step differs depending on whether the server is a Domain Controller:
    For a Domain Controller, remove NETWORK SERVICE and SYSTEM.
    For a non-Domain Controller, remove the computer account.
  - Click OK.

Note: For Exchange Server 2007 Mailbox only roles, no changes are required.