Forestprep/Domainprep

I have a question. In EC2 and Transcender (and possible the MS Press, can't remember), it says that to run Forestprep I must be a member of Schema Admins, Enterprise Admins, and Local Admin.
To run Domainprep I must be a member of Domain Admins and Local Admins.

Now I have two questions.

1. MS says (here) that you must be a member of Domain Admins too. Now I know for sure that Transcender says no, as I got a question wrong when I included the Domain Admin role as necessary to run Forestprep.
So which is correct?

2. The required permissions to run Domainprep are Domain Admin and Local Administrator. Now if I were instead a member of Enterprise Admins and Local Admins, that would work, right?

Find more posts tagged with

Comments

strauchr

1. You do not need to be a member of domain admins, as enterprise admins you already inherit those permissions plus your enterprise ones. Its a bit tricky that question. I am not sure of the official MS stance on this though.

2. For domainprep you need to have the minimum rights of domain admins, however if you were enterprise admin you would have the rights to do a domain prep. For exams though just think of what the minimum rights are that you require. Think principle of least privilage.

eurotrash

Ok, cheers!

Danman32

That's the very thing that gets me annoyed with practice (and often real test) questions. If you don't say Domain Admins, you are wrong because as Enterprise Admin, you are already Domain Admin. But in other situations (or practice tests) you are marked wrong because of the implied relationship including domain admins.

I can see though that not including domain admins is more correct. Schema Admin is not related to being Enterprise admin. You can have one privilege and not the other. Local admin normally would normally follow for an Enterprise (and therefore Domain) admin for a member server and certainly for a domain controller, but not always.

It really has to do with the roles required for the task and the role privilege given for the membership. I don't think there are any domain admin specific tasks in doing a forestprep but there are for domain prep (obviously). Schema admin specific roles are needed to add class and attribute schema changes. Enterprise admin is needed to add forestwide objects to the configuration partition (as opposed to the domain partition) in AD. Local admin specific roles are needed to perform some adjustments to the machine you are installing Exchange on I think, though I am starting to doubt that. I think you can run Forestprep on any machine and not affect the machine itself. Oh wait, you have the setup log written to the root of the boot disk partition, so you need file rights there.