SolutionBase: Rename Exchange Active Directory objects with LegacyExchangeDN

Properly naming an Exchange server is important. If you need to change the name of an Exchange server, here's how LegacyExchangeDN can help.

In a perfect world, you'd install an application like Exchange Server and never have to touch the server or configuration again. In fact, in a perfect world, the application would be installed for you! Unfortunately, companies, networks, and organizations go through change, sometimes on a daily basis. Guiding your Exchange servers through those changes can be a real chore. In this article, I'll explain how you can use the LegacyExchangeDN tool, available from Microsoft's Web site, to simplify those changes.

Exchange 2000 Server and Exchange Server 2003 are tightly integrated with the Active Directory. These two versions of Exchange Server use several objects in the Active Directory to maintain mailboxes and a host of other information about the organization, server, user, and other elements. LegacyExchangeDN is an attribute of several Active Directory objects related to Exchange Server. LegacyExchangeDN serves to map objects to a naming system understood by Exchange Server 5.5 for backward compatibility. Even in a pure Exchange 2000 Server or Exchange Server 2003 environment, the LegacyExchangeDN attribute is still required.

Now, enter the LegacyDN.exe tool, which gives you the following capabilities:

  • Change Exchange 2000 and 2003 organization names
  • Change Exchange 2000 and 2003 administrative group names
  • Change LegacyExchangeDN values in the Active Directory
  • View LegacyExchangeDN values in the Active Directory

Why would you need to change these Exchange Server items? Server and data recovery are the main reasons. Exchange 5.5, 2000, and 2003 all enable you to back up an Exchange database on one server and restore it on another, allowing you to move your server to another physical server, create a test server for evaluating patches and add-ons, or recover data or otherwise work with the Exchange database without affecting your production server.

With Exchange 5.5, only the organization and site names must be the same on the source and target servers. In Exchange 2000 and 2003, however, the organization name, administrative group name, and the LegacyExchangeDN values for objects in the Active Directory must all match between the two servers. The LegacyExchangeDN value is stamped in the Exchange database when it's created (on Exchange 2000 and 2003), and the database can be started only in an administrative group with a matching LegacyExchangeDN value.

Under Exchange 5.5, the only way to set the name was to reinstall Exchange Server. This meant a reinstallation any time you needed to copy the database from one server to the test or recovery server. With Exchange 2000 and 2003, you can change organization, site, and LegacyExchangeDN values with a little work.

One method is to specify the appropriate name when you install Exchange Server to begin with. To do so, run Forestprep on the server and specify an Exchange organization name that matches the /o= portion of the LegacyExchangeDN value on the source server. When Forestprep is complete, run Setup again and install only the Exchange administrative tools. Then, use the Exchange System Manager to create an additional administrative group with a name that matches the /ou= portion of the LegacyExchangeDN value on the source server. Finally, run Setup again and install the server in this administrative group.
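As an added illustration (not part of the original article or of the LegacyDN.exe tool), the Python below splits constructed LegacyExchangeDN values into their /o= and /ou= stem, flags recovery-server values whose stem differs from the source server's, and shows what those values look like once the organization and administrative group names have been aligned with the source. The sample values, the organization names, and the object names are all made up for the example.

```python
import re

# Exchange 5.5-style naming that Exchange 2000/2003 keep in the legacyExchangeDN attribute:
#   /o=<organization>/ou=<administrative group>/cn=<container>/cn=<object>...
# The stem (/o=.../ou=...) is what must agree between the source database and the
# administrative group on the recovery server.
_LEGACY_DN = re.compile(r"^/o=(?P<org>[^/]+)/ou=(?P<ou>[^/]+)(?P<rest>(?:/cn=[^/]+)*)$")

def parse_legacy_dn(value):
    """Split a LegacyExchangeDN into (organization, administrative group, remainder)."""
    m = _LEGACY_DN.match(value)
    if m is None:
        raise ValueError(f"not a LegacyExchangeDN: {value!r}")
    return m.group("org"), m.group("ou"), m.group("rest")

def stem(value):
    """Return only the /o=.../ou=... part that the database is stamped with."""
    org, ou, _ = parse_legacy_dn(value)
    return f"/o={org}/ou={ou}"

def find_mismatches(values, expected_stem):
    """Values whose stem differs from expected_stem (exact string match, nothing normalised)."""
    return [v for v in values if stem(v) != stem(expected_stem)]

def rewrite_stem(value, new_org, new_ou):
    """What a value looks like after the organization and administrative group are renamed."""
    _, _, rest = parse_legacy_dn(value)
    return f"/o={new_org}/ou={new_ou}{rest}"

# Constructed sample: values as Read-Only mode would show them on the source server ...
SOURCE_DNS = [
    "/o=Contoso/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=EXCH01",
    "/o=Contoso/ou=First Administrative Group/cn=Recipients/cn=alice",
]
# ... and on a freshly installed recovery server whose names were chosen differently.
RECOVERY_DNS = [
    "/o=Recovery Org/ou=Recovery Group/cn=Configuration/cn=Servers/cn=RECOV01",
    "/o=Recovery Org/ou=Recovery Group/cn=Recipients/cn=alice",
]

def recovery_report(source_dns, recovery_dns):
    """Mismatches before and after aligning the recovery server's stem with the source's."""
    target = stem(source_dns[0])
    before = find_mismatches(recovery_dns, target)
    org, ou, _ = parse_legacy_dn(target)
    aligned = [rewrite_stem(v, org, ou) for v in recovery_dns]
    after = find_mismatches(aligned, target)
    return before, aligned, after

if __name__ == "__main__":
    before, aligned, after = recovery_report(SOURCE_DNS, RECOVERY_DNS)
    print(f"{len(before)} mismatching value(s) before the rename, {len(after)} after")
    for v in aligned:
        print(v)
```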

If this sounds like a lot of work, you're right—it is a lot of work, particularly if you keep a spare system or a virtual machine with Exchange Server installed to use as a testing or recovery server. Fortunately, you can take a different approach to configuring the recovery server—just modify the properties for the existing server as needed.

You have two ways to modify the server. One approach is to use a tool such as ADSI Edit to forage through the Active Directory and make the necessary changes. You'd have to modify all of the occurrences of LegacyExchangeDN in the Active Directory, which would be fairly time-consuming.

Your other option is to use the LegacyDN.exe utility. This tool provides a graphical interface for viewing the values, as well as setting them. LegacyDN.exe therefore offers a much easier solution to the problem.

Using LegacyDN.exe

LegacyDN.exe offers two operating modes: Read-Only and Read/Write. Read-Only mode enables you to view the values in the Active Directory but not modify them. You would typically run the tool in Read-Only mode on the source server to determine the correct value for LegacyExchangeDN on the recovery server.

It's important to use Read-Only mode on the source server because an inadvertent name change on the source server will cause all of the Exchange databases to become inoperable. Attempts to restore the databases without renaming the administrative groups could ultimately lead to damaged databases and the need to recover the databases from a backup. Read-Only is the default mode for LegacyDN.exe.

When you start LegacyDN.exe, it first prompts you to specify credentials to access the Active Directory (Figure A). When you've specified the appropriate credentials, LegacyDN.exe searches the Active Directory and displays the administrative groups on the current server. When you click an administrative group from the list, the GUI displays the organization name, administrative group name, and LegacyExchangeDN stem name for the selected administrative group (Figure B).

Figure A

LegacyDN.exe prompts for server and authentication information.

Figure B

LegacyDN.exe displays the properties for the selected administrative group when you click the group.

To enable Read/Write mode for the recovery server, you must start LegacyDN.exe with the /FORCEWRITE switch. Just make sure you use this switch only on the recovery server because, as I've already indicated, changing names on a production server will, at best, bring down your server and, at worst, cause problems with your Exchange databases from which you can't recover.

When you start LegacyDN.exe in Read/Write mode, the Change button for each of the three objects becomes enabled, making it possible to change the names. When all of the changes have been made, click Exit to close the program.

There are a handful of other switches you can use to start LegacyDN.exe in addition to /FORCEWRITE. For example, you can set logging level, dump the administrative groups to the log file, specify the preferred domain controller, and specify credentials. To view these switches and the syntax for LegacyDN.exe, run the program and click the Usage button. LegacyDN.exe displays the syntax and switches in a dialog box (Figure C).

Figure C

You can view syntax and switches for LegacyDN.exe within the program.

Service Pack 1 to the rescue

It's important to note that the creation and use of a recovery server becomes less of an issue for Exchange Server 2003, particularly with Service Pack 1 installed. As I explained in "Learn the problems addressed by Exchange Server 2003 Service Pack 1," recovery storage groups in Exchange Server 2003 simplify mailbox database recovery and can eliminate the need for a separate recovery server. However, you still need a recovery server to recover public folder databases even with Exchange Server 2003.

If you don't already have an Exchange recovery server in place and need to create one for recovery or testing, Microsoft's Exchange 2000 Server Database Recovery white paper can help.