Microsoft Exchange Server 2010 contains a feature named Role Based Access Control System (RBAC) that gives Exchange Administrators greater control over access rights for individual users. As a result of this feature, all commands in the Exchange module for Windows PowerShell must be authorized by the Exchange services. This means that Microsoft Forefront Protection 2010 for Exchange Server (FPE) must be granted access rights within Exchange’s Hygiene Management role group. To accomplish this, you must run the FPE installation program with Exchange Organization Management rights.

In organizations with large Active Directory deployments, you can run the FseMachinePrep.exe utility in order to allow machine account replication prior to installing FPE. This avoids delays in the ability of FPE to perform some Exchange management tasks until full Active Directory replication is completed.

To run FseMachinePrep.exe before installing
  1. On the Exchange Server where you will be installing FPE, extract components from the forefrontexchangesetup.exe package by running the following command:

    forefrontexchangesetup.exe /x: extractpath

    If you are typing an extract path that contains spaces, you must enclose quotation marks around the path. For example:
    forefrontexchangesetup.exe /x:"c:\Forefront\Install Files"
  2. Grant access to the Exchange server resources in Active Directory Domain Services by running the following command from the extract path:


    This command must be run on each machine in your Exchange organization.

  3. Install FPE by starting the Setup Wizard. For more information, see Installing on a standalone server by using the Setup Wizard. You may also run an unattended installation. For more information, see Installing from a command prompt - specifying parameters.

    It is also possible for a Local Administrator to run Setup.exe /N and bypass FseMachinePrep.exe. In this case, after installing FPE, it is up to the administrator to run FseMachinePrep.exe.

Related Topics