EDIT 03/26/08: Please see our later post on this subject for the location of updated prerequisite check XML file.

Summary

This is a follow-up to an earlier post: Single-label Domain Names and Exchange Server 2007 SP1. Please refer to it for background information on this issue.

After investigating Exchange 2007 Service Pack 1 installed in an Active Directory domain with a Single-label Domain (SLD) name, Microsoft has changed the Setup prerequisite rule for SLDs from an Error to a Warning, thereby allowing Service Pack 1 installation to continue in SLD environments.

There are a few items that I want to point out:

  • Not a recommended configuration
    While Exchange 2007 SP1 is supported with SLDs, the Exchange product team's view is that SLDs are not a recommended configuration. While we will allow installation of Exchange 2007 SP1 in an SLD, we strongly recommend that you take step to move your organization out of this configuration.
  • Not fully tested
    Exchange 2007 and Exchange 2007 SP1 have not been fully tested in SLDs. The Exchange team investigated known issues and determined that there were sufficient workarounds to safely allow installation of SP1 to continue; however, there may be unknown issues that could arise from operating Exchange 2007 in an SLD environment.
  • Deprecated in the next version of Exchange
    The next version of Exchange will not support Active Directory domains with single-label domain names. Similarly, upgrades of Exchange servers currently deployed in single-label domains will not be supported. In this case, "next version" means the next major release of Exchange Server. Customers that intend to deploy the next version of Exchange must use fully qualified domain names.
  • Documentation being updated
    Currently, the existing TechNet documentation states that SLDs are not supported in Exchange 2007. We are working to change the documentation to reflect that SLDs are supported but not recommended configurations. The updated documentation is expected to be published on TechNet as part of the March 2008 document refresh in early March.
  • Exchange 2007 does not support Domain Rename, and there are currently no plans for a Domain Rename Fixup Tool for Exchange 2007
    The possibility of creating a domain rename fixup tool for Exchange 2007, similar to the one that was written for Exchange 2003, was discussed internally. The decision is that there will not be a similar tool written for Exchange 2007. The Domain Rename Fixup tool written for Exchange 2003 is not compatible with Exchange 2007, and should not be used in Exchange 2007 environments.

Recommendations

We have the following recommendations for customers who have Exchange installed in an SLD.

If you have Exchange 2003 installed in an SLD, and you have not run any Exchange 2007 Setup /prepare switches yet:

If you have Exchange 2003 installed in an SLD you should change your domain name to a fully qualified domain name (FQDN).

Exchange 2007 RTM is installed and you want to migrate to a supported configuration:

If you want Exchange 2007 deployed in a fully supported configuration, then you have two options:

  • Migrate users, computers, and security groups from your SLD to a new domain with a fully-qualified domain name in the same Active Directory forest
  • Migrate users, computers, and security groups from your SLD to a new domain with a fully-qualified domain name in a different Active Directory forest

Please note that if you have already installed Exchange 2007 into the organization containing Exchange 2003, or if you have already run the Exchange 2007 /prepare setup switches, you cannot perform a domain rename even if Exchange 2007 servers are removed from the organization. That is because Exchange 2007 setup creates new Active Directory objects which will not be properly renamed by the Exchange 2003 domain rename fixup script.

How SP1 Setup is Being Changed

Microsoft is changing the Single-label domain pre-requisite check from an Error, which blocks Setup, to a Warning, which cautions you strongly, but allows Setup to proceed. While the exact wording has not been determined, it will be similar to the following: "Setup has determined that this computer belongs to a domain that has a single-label DNS name. This is not a recommended configuration. You should plan to migrate to a fully-qualified domain name. ". We'll inform you when this rule has been changed, and when the update is available for download.

If you are installing Exchange 2007 SP1 from files on the local computer, and the computer is connected to the Internet, Setup will automatically download the new rule when it is available.

In addition to the prerequisite rule change, we're also going to modify the ExBPA Health Check rule to mirror the modified Setup check.

Known Issues and Workarounds

Some other things that you should be aware of include:

Installing from DVD
If you are installing Exchange 2007 SP1 from a DVD, Setup will not download the new rules. In this scenario, you must copy the Setup files to your local computer and then run Setup from those local files. This allows Setup to download new rules.

Computer not connected to Internet
If your computer is not connected to the Internet, it won't be able to download the new ExBPA rules. To workaround this, Microsoft will make the updated XML file available for download. Customers will need to download the update and then manually update their local installation files. Details on how to obtain the new XML file will be announced at a later date.

Autodiscover won't create profiles correctly without a hierarchical address
This issue should only apply to customers that are only sending mail internally; anyone who is routing mail externally should have encountered and resolved this issue. Outlook assumes that the default Email Address Policy (EAP) would be to a publicly resolvable name.  To send mail on the Internet, SMTP domains in an EAP must resolve to one of the top level domains supported by RFC's.  The technical requirement for Outlook to work is that the EAP represents at least two levels of hierarchy in the name, i.e. it must have at least one dotted suffix.  The following would be examples of names that Outlook would consider valid:

  • contoso.com
  • contoso.eu
  • contoso.test

The thing to note here is that although Outlook will consider contoso.test to be a valid domain name, it is not publicly resolvable according to RFC standards because there is no top level domain called ".test" on the Internet.  Such a domain name could be used internally, however, mails would only route internally.  It would not be possible to receive mail for that domain from outside the company.

To maintain your SLD, your default EAP must be set to include at least two levels of hierarchy, for example:

Fname.Lname@contoso.com

If you have a mixed environment of Exchange 2003 and Exchange 2007 the EAP is probably the Exchange 2003 version and won’t have the opath filter syntax, therefore run both of the following cmdlets in order.  If you have a pure Exchange 2007 environment just run the second cmdlet:

Set-EmailAddressPolicy "Default Policy" -IncludedRecipients AllRecipients

And then:

Set-EmailAddressPolicy "Default Policy" -enabledPrimarySMTPAddressTemplate "%g.%s@contoso.com"

Domain Rename - best option (if you can use it)

Microsoft strongly recommends that you move off of your single-label domain and transition to an Active Directory domain with a fully qualified domain name. Some of the other challenges with this configuration include:

  • Windows member servers and domain controllers joined to single-label domains require additional configuration to dynamically register or resolve DNS records in single-label DNS zones
  • Some server-based applications are not compatible with single-label domain names. Application support may not exist in the initial release of an application, or may be dropped in a future revision
  • Some server-based applications are not compatible with the domain rename feature supported by Windows Server 2003 and Windows Server 2008 domain controllers. Such incompatibilities either block or complicate the use of domain rename when trying to adopt a fully-qualified domain name. Examples of applications that are not compatible with domain rename include but are not limited to Microsoft Exchange 2000 Server, Microsoft Exchange Server 2007, ISA 2004, Live Communications Server 2005, Microsoft Operations Manager 2005, Microsoft SharePoint Portal Server, and Microsoft SMS 2003.
  • There is no technical reason to create Active Directory domains with single-label DNS names. Because of the above, Windows Server 2008 DCPROMO warns (but does not hard block) against the creation of new domains with single-label domains.
Resolve two problems at one time

Microsoft would like to take this opportunity to make an additional suggestion to customers who fit both of these criteria:

  • You have Exchange 2007, either RTM or SP1, installed in an SLD and you envision wanting to upgrade to a future version of Exchange,

and

  • You have Exchange 2003 or Exchange 2007 installed on Windows Server 2003, and you envision wanting to upgrade to Windows Server 2008.

Customers who fit both of these criteria face two upgrades, both of which call for the removal of Exchange 2007 prior to continuing.

  • In-place upgrade of the operating system on an Exchange Server from Windows 2003 to Windows 2008 is not supported. In order to do an in-place upgrade the operating system of an Exchange server to Windows 2008, you must completely remove Exchange and some of its dependencies prior to the installation.
  • You can't rename a domain with Exchange 2007 installed.

We suggest that you plan your next operating system and Exchange Server upgrades to resolve both of these issues at the same time by either migrating objects to a new domain with a fully qualified domain name, or by performing a domain rename of your existing domain.

- Ed Beck

Share this post :