Preparing for Replay installation

Created - December 16, 2009
Modified - December 2, 2011

Article: 4110003

This article describes the preparations that are necessary or recommended prior to installing Replay 4.

Before installing Replay, you will need to do the following:

  1. Create a Replay service account
  2. Add the Replay service account to the local administrators group on the Replay Core and the protected server
  3. Assign Local Service Rights to the Replay service account

Additionally, if you are protecting Exchange 2003, you will also need to do the following:

  1. Assign an Exchange administrator role
  2. Grant the appropriate permissions at the server level for each MS Exchange server
  3. Grant appropriate permissions to the mailbox store(s)

1. Creating the Replay Service Account

To create the Replay service account on the Active Directory domain controller server, do the following:

  1. Log on to your Domain controller.


    Figure 1. Manage Your Server Window

  2. From the Windows Administrative Tools area (Figure 1), double-click the Active Directory Users and Computers icon (see Figure 2).


    Figure 2. Administrative Tools Window

  3. Click the domain name and then expand the contents. Right-click Users, select New, and then select User (see Figure 3).


    Figure 3. Active Directory Users and Computers Window

    In the figure above, the domain name that has been expanded is techwriter.local. When selected, the New Object – User window is displayed (see Figure 4).


    Figure 4. New Object – User Window

  4. In the New Object – User dialog, enter the following:

    • First Name: Replay
    • Last Name: Service
    • User Logon Name: ReplayAdmin
  5. Click Next. The New Object – User window is displayed (see Figure 5).


    Figure 5. New Object User

  6. Specify a new password, confirm the new password, and then select the Password Never Expires checkbox.

  7. Click Next. An Active Directory message is displayed (see Figure 6).


    Figure 6. Active Directory Message

  8. Click OK. An information confirmation dialog appears (see Figure 7). Review the information you specified and then click Finish if the information is correct. (If the information is incorrect, click Back to return to the previous window, make any necessary corrections, and then click Finish.)


    Figure 7. New Object – User Confirmation

2. Adding the Replay service account to the local administrators group

To add the Replay service account to the local administrators group on Replay and the protected server, do the following:

  1. From the Windows Administrative Tools snap-in, click Computer Management.
  2. In the console tree, expand the Local Users and Groups node.
  3. Click Groups.
  4. Right-click the Administrators group, and select Add to Group.
  5. Click Add and then click Locations.
  6. Select the domain with the users and computers you want to add.
  7. Click OK.
  8. To validate the user or group names added, click Check Names.

3. Assigning Local Server Rights to the Replay Service Account

Each system hosting a component of the Replay Core must have its corresponding permissions configured for the Replay service account that will be used during the installation of the component.

To assign local server rights to the Replay service account, do the following:

  1. From Windows Administrative Tools snap-in, click Local Security Policy.
  2. Enable the following rights for the user account:

    • Allow Log On Locally
    • Log on as a service
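
The following added example (not part of the original article or of Replay) checks the results of sections 2 and 3 from PowerShell: local Administrators membership and the two user rights, read from a `secedit` export. It assumes Windows PowerShell 5.1 or later for `Get-LocalGroupMember`; the domain name `EXAMPLE` and the helper `Get-UserRightHolder` are hypothetical.

```powershell
# Added example; run elevated on the Replay Core and on each protected server.
$Account = 'EXAMPLE\ReplayAdmin'   # assumption: EXAMPLE is a placeholder domain name

function Get-UserRightHolder {
    # Hypothetical helper: returns the SIDs or names that hold one user right
    # in the lines of a "secedit /export" security template.
    param([string[]]$TemplateLines, [string]$Right)
    $line = $TemplateLines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }                    # right is granted to nobody
    $value = ($line -split '=', 2)[1]
    return @($value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
}

# Resolve the account to its SID (templates list domain accounts as *SID).
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
$adminsSid = 'S-1-5-32-544'                           # BUILTIN\Administrators

# Direct members only; membership through a nested domain group is not expanded.
$isAdmin = @(Get-LocalGroupMember -SID $adminsSid | ForEach-Object { $_.SID.Value }) -contains $sid

# Export only the user-rights area of the effective local policy.
$tmp = Join-Path $env:TEMP 'replay-user-rights.inf'
secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
$template = Get-Content $tmp
Remove-Item $tmp

$rights = @{
    'Allow Log On Locally' = 'SeInteractiveLogonRight'
    'Log on as a service'  = 'SeServiceLogonRight'
}
$result = [ordered]@{ Account = $Account; 'Local Administrators member' = $isAdmin }
foreach ($name in $rights.Keys) {
    $holders = Get-UserRightHolder -TemplateLines $template -Right $rights[$name]
    # The right counts as held if granted to the account itself or, for an
    # administrator, to the Administrators group.
    $result[$name] = ($holders -contains $sid) -or ($isAdmin -and $holders -contains $adminsSid)
}
[pscustomobject]$result
```

A `False` in any column means the corresponding step above has not taken effect on that machine.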

Delegating administrative permissions to the Replay service account’s ReplayAdmin role in MS Exchange 2003

Use the Exchange Administration Delegation Wizard to complete the steps below and delegate administrative permissions to the Replay service account’s ReplayAdmin role in MS Exchange 2003.

  1. Launch the MS Exchange System Manager utility.
  2. Right-click the organization or the administrative group to which you want to delegate administrative permissions.
  3. Click Delegate Control.
  4. Click Next.
  5. In the Users or Groups prompt, click Add.
  6. In the Delegate Control prompt, click Browse.
  7. In the Select Users, Computers, or Group prompt, select the appropriate location in the Look in Box.
  8. Select the name ReplayAdmin.
  9. Click OK.
  10. In the Delegate Control prompt, select the Role option.
  11. Click Exchange Administrator role for the ReplayAdmin account and then click OK. The user or the group that you added appears in the Users and Groups list.
  12. Click Next.
  13. Lastly, click Finish.

Granting server-level permissions for MS Exchange 2003 servers

To grant server-level permissions for Exchange 2003 servers, do the following:

  1. Open the Exchange System Manager.
  2. Right-click the first Exchange Server administrative group name.
  3. Expand the Servers group.
  4. Right-click on the Exchange Server instance and select Properties.
  5. Click Security.
  6. In the top pane, select the Replay service account.
  7. In the bottom pane, set the permissions on the following options to Allow:

    • Send As
    • Receive As
    • Administer Information Store

Repeat steps 2 through 7 for each Exchange Server.

Granting permissions to Exchange 2003 Mailbox store(s)

To grant permissions to Exchange 2003 Mailbox store(s), do the following:

  1. Open the Exchange System Manager.
  2. Right-click the first Exchange administrative group name.
  3. Expand the Servers group.
  4. Expand the first mailbox store group.
  5. Right-click the first mailbox store and select Properties.
  6. Click Security.
  7. In the top pane, select the Replay service account.
  8. In the bottom pane, set the permissions on the following options to Allow:

    • Send As
    • Receive As
    • Administer Information Store

Repeat steps 2 through 8 for each mailbox store on each Exchange Server.

Assigning the Exchange Administrator role in MS Exchange 2007

To assign administrative permissions to the Replay Service account, use the Exchange Management Shell tool and do the following:

  1. Launch the Windows Exchange Management Shell tool from the Exchange program group.
  2. At the prompt, enter the following text on a single line:

    Get-MailboxServer <Exchange2007ServerName> | Add-ADPermission -User <ReplayAdmin> -AccessRights GenericRead, GenericWrite -ExtendedRights Send-As, Receive-As, ms-Exch-Store-Admin

    Replace the variables in angle brackets with your specific values.

    NOTE: The variable “Exchange2007ServerName” corresponds to the name of your MS Exchange 2007 Server. The variable “<ReplayAdmin>” corresponds to the name of the Replay service account.

  3. Press ENTER. To verify the permissions, enter the following text on a single line:

    Get-MailboxServer <Exchange2007ServerName> | Get-ADPermission -User <ReplayAdmin> | Format-List

  4. Press ENTER, and then close the Windows Exchange Management Shell tool.

Assigning the Exchange permissions in MS Exchange 2010

Exchange 2010 Administrator Role
To set Send As, Receive As, and Administer Information Store permissions:

  1. Run Exchange Management Shell as Administrator.
  2. At the command prompt window, type:

    Get-MailboxDatabase <mailboxdatabasename> | Add-ADPermission -User <replayadmin> -AccessRights GenericRead, GenericWrite, ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin, Send-As

    where <mailboxdatabasename> is the name of the mailbox database and <replayadmin> is the name of the user that is used to start the Replay Service, and then press ENTER.
            
    Note: This command should be run for each mailbox database.

  3. To check permissions, type:

    Get-MailboxDatabase <mailboxdatabasename> | Get-ADPermission -User <replayadmin> | Format-List

    where <mailboxdatabasename> is the name of the mailbox database and <replayadmin> is the name of the user that is used to start the Replay Service, and then press ENTER.
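
Because the grant has to be repeated for each mailbox database, a per-database check is easy to miss. This added example (not from the original article) runs the check from step 3 against every mailbox database and lists those where the account lacks one of the three extended rights; the account name `EXAMPLE\ReplayAdmin` and the helper `Get-MissingExtendedRight` are hypothetical.

```powershell
# Added example; run in the Exchange Management Shell. Read-only: it changes nothing.
$ReplayUser = 'EXAMPLE\ReplayAdmin'   # assumption: replace with your Replay service account
$Required   = 'Send-As', 'Receive-As', 'ms-Exch-Store-Admin'

function Get-MissingExtendedRight {
    # Hypothetical helper: given the entries returned by Get-ADPermission for one
    # user, returns the required extended rights that no Allow entry carries.
    param($Entries, [string[]]$Required)
    $held = @($Entries |
        Where-Object { -not $_.Deny } |
        ForEach-Object { $_.ExtendedRights } |
        ForEach-Object { "$_" })                      # right names as strings
    return @($Required | Where-Object { $held -notcontains $_ })
}

$report = foreach ($db in Get-MailboxDatabase) {
    # Same pipeline as step 3, once per database.
    $entries = $db | Get-ADPermission -User $ReplayUser
    $missing = Get-MissingExtendedRight -Entries $entries -Required $Required
    New-Object PSObject -Property @{
        Database = $db.Name
        Missing  = ($missing -join ', ')
    }
}

# Databases that still need the Add-ADPermission command from step 2.
$report | Where-Object { $_.Missing } | Format-Table Database, Missing -AutoSize
```

An empty result means every mailbox database already carries all three rights for the account.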

Exchange 2010 Organization Management Group
The user the Replay service is started with should be a member of the Organization Management group. To do this:

  1. Run Exchange Management Shell as Administrator.
  2. At the command prompt window, type:

    Add-RoleGroupMember "Organization Management" -Member <replayadmin>

    where <replayadmin> is the user (local administrator) that is used to start the Replay Service, and then press ENTER.

Permissions to the MDBDATA folder in Exchange 2010
If you are using Exchange 2010, to resolve the issue, grant the default permissions to the folder that contains the Exchange databases and to the drive on which this folder resides. To grant the default permissions to the folder that contains the Exchange databases, do the following:

  1. Start Windows Explorer, and then move to the folder that contains the Exchange databases.
  2. Right-click the folder, and then click Properties.
  3. Click the Security tab, and then grant the following default permissions.

         Account           Permissions
         Administrators    Full Control
         System            Full Control

To grant the default permissions to the drive that contains the Exchange database folder, follow these steps:

  1. Start Windows Explorer.
  2. Right-click the Local Disk object that contains the Mdbdata folder, and then click Properties.
  3. Click the Security tab, and then grant the following default permissions, according to the operating system:

         Account           Permissions
         Administrators    Full Control
         Creator Owner     None
         Everyone          None
         System            Full Control
         Users             Read and Execute, List Folder Contents, Read

Exchange Trusted Subsystems Group
In addition to the above permissions, the Exchange Agent server names and the Replay Service account should be members of the Exchange Trusted Subsystems Group.