Microsoft KB Archive/307630

= How to change the Exchange service account in a mixed Exchange environment =

PSS ID Number: 307630

Article Last Modified on 2/25/2004

-

The information in this article applies to:


 * Microsoft Exchange 2000 Server
 * Microsoft Exchange Server 5.5

-



This article was previously published under Q307630



SUMMARY
This step-by-step article describes how to change the Exchange service account when a Microsoft Exchange 2000 Server computer that is running Site Replication Service (SRS) is installed in the Exchange site.

Microsoft recommends that you avoid changing the Exchange service account. However, if you have a single Exchange site, a single Microsoft Exchange Server 5.5 computer, and an Exchange 2000 computer that is running SRS, you can change the Exchange service account. In situations where there is more than one Exchange 5.5 computer or site, you must completely reinstall Exchange.

To change the Exchange service account, follow these steps:
 * Set the schedules of all the Active Directory Connector (ADC) Connection Agreements.
 * Unsecure the Exchange 5.5 directory.
 * Determine whether the change is replicated to all the other Exchange computers.
 * Create a new Microsoft Windows NT account and make it the Exchange service account.

back to the top

Set the schedules of all the ADC Connection Agreements
Set the schedules of all the ADC Connection Agreements (Configuration Connection Agreement, Recipient Connection Agreement, and Public Folder Connection Agreement) to Never. To do so, follow these steps:
 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Connector.
 * 2) In the right pane, double-click the Connection Agreement that you want to schedule replication for.
 * 3) Click the Schedule tab, click Never, and then click OK.

For additional information about configuring a two-way user connection, click the following article number to view the article in the Microsoft Knowledge Base:

296260 XGEN: How to configure a two-way Recipient Connection Agreement for Exchange Server 5.5 users

back to the top

Unsecure the Exchange Server 5.5 directory
When you unsecure a directory service database, you remove the link between the database and any Windows NT domain accounts. After you unsecure a directory service database, anyone with physical access to the database can read it; therefore, you must carefully control any nonsecure copies.

You can unsecure a directory service database by removing all the Windows NT account permissions from the following three root security objects in the directory:
 * Organization
 * Site
 * Configuration

Be aware that removing permissions by using the Exchange Server Administrator program is different from deleting accounts with permissions by using Windows NT User Manager. If you use Windows NT User Manager to delete all the accounts with permissions, the Exchange Server directory service database becomes inaccessible to anyone.

Important You can safely use the Microsoft Exchange Server Administrator program to delete all accounts with permissions, but you cannot safely use Windows NT User Manager to do so.

When you remove all the permissions from any one of the root security objects, the container is completely unsecure instead of completely inaccessible. When you remove all permissions, you receive the following error message:

You have removed all security from this object, allowing anybody to modify it. Are you sure you want to do this?

When this message appears, click Yes.

The Organization, Site, and Configuration objects are the roots of three independent security contexts in the Exchange directory. Permissions inheritance from higher up the directory tree is blocked at the root object for each context.

This means that a particular account can have complete permissions for the Site container but still have no permissions at all for the Configuration container. Permissions that are granted to a root object are passed on to all its sub objects. Any account that has permissions on all three of the root objects inherits permissions on every object in the Exchange directory, including the Schema object and the Address Book Views object. (Schema permissions are inherited from the Configuration object, and Address Book Views permissions are inherited from the Site object.)

For additional information about unsecuring the directory, click the following article number to view the article in the Microsoft Knowledge Base:

241152 XADM: How to remove all security from an Exchange Server directory service database for a lab environment

back to the top

Determine whether the change is replicated to all the Exchange computers
If you unsecure an Exchange Server directory service database while it is live on the network, it replicates the change to all the other Exchange computers in the site, effectively unsecuring all the servers. To determine whether the change is replicated, you must use the Microsoft Exchange Server Administrator program in raw mode.

Warning If you use the raw mode of the Exchange Server Administrator program (admin /r) incorrectly, serious problems may occur that may require you to reinstall Microsoft Windows NT Server, Microsoft Exchange Server, or both. Microsoft cannot guarantee that problems that result from using raw mode incorrectly can be solved. Use raw mode at your own risk.

To determine whether the change is replicated to all the other Exchange computers, follow these steps:  Start the Exchange Server Administrator program in raw mode. To do so, follow these steps:  Click Start, and then click Run. In the Open box, type cmd, and then click OK. At the command prompt, type exchsrvr\bin\admin/r, and then press ENTER.  Connect to the Exchange 5.5 computer, and then check to see if the deletion of all the security objects was replicated successfully to the Exchange 5.5 computer. To do so, follow these steps:  In the left pane, select the  , and then click Raw Properties on the File menu.</li> Check to see that the NT-Security-Descriptor attribute is deleted.</li> Repeat steps a through b for the Site object and the Configuration object.</li></ol> </li> Connect to the server that is running SRS by using the Exchange 5.5 Administrator program, and then check to see if the deletion of all the security objects was replicated successfully to the server that is running SRS. To do so, follow these steps:  In the left pane, select the  , and then click Raw Properties on the File menu.</li> Verify that the NT-Security-Descriptor attribute is deleted.</li> Repeat steps a through b for the Site object and the Configuration object.</li></ol> </li></ol>

back to the top

Create a new Windows NT account and make this account the Exchange service account
 Create a new Windows NT account to be the new Exchange service account. For this account, assign the following user rights:  Act as part of the operating system.</li> Log on as a service.</li> Restore files and directories.</li></ol>

Note For this account, the password must be the same as the current Exchange service account password.</li> Start the Exchange Server Administrator program in raw mode. To do so, follow these steps:  Click Start, and then click Run.</li> <li>In the Open box, type cmd, and then click OK.</li> <li>At the command prompt, type exchsrvr\bin\admin/r, and then press ENTER.</li></ol> </li> <li>Assign Service Account Admin permissions for the Organization, Site and Configuration containers. To do so, follow these steps: <ol style="list-style-type: lower-alpha;"> <li>In the left pane, click, and then click Properties on the File menu.</li> <li>Click the Permissions tab, select Service Account Admin from the Roles list, and then click OK.</li> <li>Repeat steps a through b for the Site container and the Configuration container.</li></ol> </li> <li>Add the new account to the Schema object. To do so, follow these steps: <ol style="list-style-type: lower-alpha;"> <li>On the View menu, click Raw Directory. In the left pane, a new object named Schema is displayed at the Site level.</li> <li>Click Schema, and then click Raw Properties on the File menu.</li> <li>In the List attributes of type list, select All.</li> <li>In the Object attributes list, select NT-Security-Descriptor, and then click Editor.</li> <li>In the Editor type box, select NT security descriptor, and then click OK.</li> <li>Click Add, and in the Names list, click the user name.</li> <li>Click Add, and then click OK two times.</li> <li>Click Apply, and then click OK.</li> <li>Click Set, and then click Apply.</li> <li>Click OK, and then click Yes.</li> <li>Click OK.</li></ol> </li> <li>If the new account is not a member of the Local Administrators group, give the new account full control on the required registry keys and sub keys.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To give the new account full control on the required registry keys, follow these steps: <ol style="list-style-type: lower-alpha;"> <li>Click Start, and then click Run.</li> <li>In the Open box, type regedt32.exe, and then click OK.</li> <li>In Registry Editor, locate and then click the following registry key:

</li> <li>On the Security menu, click Permissions, and then click the Replace Permission on Existing Subkeys check box.</li> <li>Click Add, and then click the new account in the Names list.</li> <li>Click Add, and then click OK two times.</li> <li>Click Yes.</li> <li>Repeat steps a through g for the following registry keys:

</li></ol> </li> <li>Stop the Exchange services.</li> <li>Change the log on account for each Exchange service. To do so, follow these steps: <ol style="list-style-type: lower-alpha;"> <li>Click Start, point to Settings, and then click Control Panel.</li> <li>Double-click Services, and in the Service list, click each Exchange service.</li> <li>Click Startup, and then change the Log On As account.</li> <li>Type the password for each service.</li></ol> </li> <li>Restart all the Exchange services. All the services start with the new Exchange service account.</li> <li>For each of the Connection Agreements (Configuration Connection Agreement, Recipient Connection Agreement, and Public Folder Connection Agreement), open the Connection Agreement properties page, click the Connections tab, and then change the Connect as account under Exchange Server information to point to the new account.</li></ol>

For additional information about changing the service account, click the following article number to view the article in the Microsoft Knowledge Base:

152808 XADM: How to change the service account

back to the top

<div class="idea_section">

Rewrite information

Tech writer: partners\nsantosh (v-sanair@microsoft.com)

Editor: v-kathyd

Keywords: kbHOWTOmaster KB307630

Technology: kbExchange2000Search kbExchange2000Serv kbExchange2000ServSearch kbExchange550 kbExchangeSearch kbZNotKeyword2

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© 2004 Microsoft Corporation. All rights reserved.