
Exchange 2010 Installation and Configuration



Some installation/configuration related notes for the various Exchange 2010 roles


Client Access Server Role

Operating System

  • Windows 2008 Enterprise x64 R2 Service Pack 1

Installation

  • Install Powershell 2.0 if not already installed (default on 2008 R2)
  • Open Powershell
    • Import the Server Manager module
      Import-Module ServerManager
    • Install all of the required components
      Add-WindowsFeature -Name NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy
    • Reboot
  • Open Powershell
    • Set the NetTcpPortSharing service to automatic
      Set-Service NetTcpPortSharing -StartupType Automatic
  • Launch Exchange Setup
    • Install only languages from the DVD
    • Install Microsoft Exchange
      • Accept the EULA
      • Do not report errors to Microsoft
      • Select "Custom Exchange Server Installation"
      • Select "Client Access Role"
      • Do not select "The Client Access server role will be Internet-facing"
      • Do not join the "Customer Experience Improvement Program"
      • Install
  • Enter the Product Key
    • Open the Exchange Management Console
    • Right click the server and select "Enter Product Key"
      XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
  • Install the appropriate Exchange Service Pack or Rollup.
    • As Service Pack and Rollup levels change, I have opted not to include exactly which one to use in this document. Instead, refer to the following Microsoft KB article for what the various Exchange build numbers are, and then issue the following command on a few of our Exchange servers to determine what level of Service Pack or Rollup our servers are running.

Configuration

  • Assign a second IP address to the server if you have not done so already
    • All Client Access Servers require two IP addresses. The server will host two SSL enabled web sites with two separate SSL certificates (owa.domain.com and autodiscover.domain.com). The "https" binding for each web site must be bound to a specific IP address, thus the need for two IPs.
  • Copy the Outlook Web Access control directory from an Exchange 2007 Client Access Server
    • The OWA control directory from an Exchange 2007 server is required to allow the Exchange 2010 CAS server to proxy requests to the 2007 CAS server. The control directory name is a version number like "8.2.176.2" and will be incremented with each service pack or update rollup applied to a given CAS server. So you may see several control directories on any given CAS server. You want to copy the control directory with the highest version number. In our current environment, the correct version number is "8.2.176.2".
      • You will copy this folder "C:\Program Files\Microsoft\Exchange Server\ClientAccess\Owa\8.2.176.2" from an Exchange 2007 CAS server
      • In to this folder "C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\" on your Exchange 2010 CAS server
  • Disable the "Microsoft Exchange IMAP4" service
  • Disable the "Microsoft Exchange POP3" service
  • Create a new AutoDiscover website
    • Open Internet Information Services (IIS) Manager
    • Right click "Sites" and select "Add Web Site"
      • Site name:
        • AutoDiscover (case sensitive)
      • Physical path
        • C:\inetpub\wwwroot\AutoDiscover (you need to create this directory first)
      • Binding
        • Set the "http" binding to the second IP address assigned to this server
        • Set the "Host name:" to "autodiscover.domain.com"
      • Click "OK"
  • Create a new AutoDiscover virtual directory
    • Open the "Exchange Management Shell"
      New-AutoDiscoverVirtualDirectory -WebSiteName AutoDiscover -DomainController <A_DC_In_That_Site>
  • Install the owa.domain.com and autodiscover.domain.com Self Signed SSL certificates
    • These certificates and their passwords are in the KeyPass database under "SSL Certs and Keys". They are listed as "autodiscover self signed" and "owa self signed" and are in the PFX file format. Be aware that there are other SSL certs in the KeyPass for autodiscover and owa; make sure that you import the "self signed" certificates. We are using "self signed" certificates with a 512 bit key on the actual CAS servers and then placing the VeriSign 2048 bit certificates on the F5s to offload the SSL workload.
    • These certificates should be imported into the computer account's personal certificate store.
      • Start > Run > MMC
      • File > Add/Remove Snap-in > Certificates
      • Select "Computer account" then "Local Computer"
      • Expand "Certificates"
      • Right click "Personal" and select "All Tasks" > "Import"
      • Repeat this procedure for both certificates
      • *NOTE: During the import process the public key for each certificate should be marked as exportable.
  • Configure IIS
    • Open Internet Information Services (IIS) Manager
      • Configure the Default Website
        • Authentication
          • Anonymous
            • Enabled
          • ASP.Net Impersonation
            • Disabled
          • Basic - NOTE: Even though "Basic" authentication is disabled at the root of the website you still need to set the "Default Domain" so that it applies to the virtual directories beneath it that may have "Basic" authentication enabled
            • Disabled
            • Default Domain: domain.com
          • Digest
            • Disabled
          • Forms
            • Disabled
          • Windows
            • Disabled
        • Require SSL = No
        • Configure HTTP Redirect:
          • https://owa.domain.com/owa
          • Only redirect requests to content in this directory
          • Found (302)
        • Site Binding
          • Set the site binding for "https" to the primary IP address
          • Set the SSL certificate to owa.domain.com
          • DO NOT CHANGE the site binding for "http", leave it as "All Unassigned"
      • Configure the Autodiscover virtual directory
        • Require SSL = Yes
      • Configure the ecp virtual directory
        • Authentication
          • Anonymous
            • Disabled
          • ASP.Net Impersonation
            • Disabled
          • If the CAS Server is External
            • Basic
              • Disabled
              • Default Domain: domain.com
          • If the CAS Server is Internal
            • Basic
              • Enabled
              • Default Domain: domain.com
          • Digest
            • Disabled
          • Forms
            • Disabled
          • Windows
            • Enabled
        • Require SSL = Yes
      • Configure the EWS virtual directory
        • Require SSL = Yes
      • Configure the owa virtual directory
        • Authentication
          • Anonymous
            • Disabled
          • ASP.Net Impersonation
            • Disabled
          • If the CAS Server is External
            • Basic
              • Disabled
              • Default Domain: domain.com
          • If the CAS Server is Internal
            • Basic
              • Enabled
              • Default Domain: domain.com
          • Digest
            • Disabled
          • Forms
            • Disabled
          • Windows
            • Enabled
        • Require SSL = Yes
      • Configure the AutoDiscover website
        • Authentication
          • Anonymous
            • Enabled
          • ASP.Net Impersonation
            • Disabled
          • Basic - NOTE: Even though "Basic" authentication is disabled at the root of the website you still need to set the "Default Domain" so that it applies to the virtual directories beneath it that may have "Basic" authentication enabled
            • Disabled
            • Default Domain: domain.com
          • Digest
            • Disabled
          • Forms
            • Disabled
          • Windows
            • Disabled
        • Configure HTTP Redirect:
          • https://autodiscover.domain.com/autodiscover
          • Only redirect requests to content in this directory
          • Found (302)
        • Site Binding
          • Add a site binding for "https"
          • Set the "https" IP address to the secondary IP address on the server
          • Set the "https" SSL certificate to autodiscover.domain.com
        • Require SSL = No
      • Configure the Autodiscover virtual directory
        • Require SSL = Yes
        • Disable HTTP Redirect:
          • Un-check the box "Redirect requests to this destination:"
  • Configure various CAS specific settings
    • Open the "Exchange Management Console"
      • Add the new CAS server as a web distribution point for the Offline Address Book
        • Expand "Organization Configuration"
        • Click "Mailbox", click the "Offline Address Book" tab
        • Right click "Offline Global Address Book" and select Properties
        • On the "Distribution" tab, under "Distribution Points" add the new CAS server
    • Open the "Exchange Management Shell"
      • Enable Outlook Anywhere
        Enable-OutlookAnywhere -Server <serverName> -DefaultAuthenticationMethod Basic -ExternalHostname owa.domain.com -SSLOffloading:$false
      • Set the Autodiscover URL
        Get-ClientAccessServer -Identity <serverName> | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://owa.domain.com/Autodiscover/Autodiscover.xml
      • Set the Exchange Web Services (EWS) url
        Get-WebServicesVirtualDirectory -Server <serverName> | Set-WebServicesVirtualDirectory -InternalUrl https://owa.domain.com/EWS/Exchange.asmx -ExternalUrl https://owa.domain.com/EWS/Exchange.asmx
      • Set the Offline Address Book (OAB) url
        Get-OabVirtualDirectory -Server <serverName> | Set-OabVirtualDirectory -InternalUrl https://owa.domain.com/OAB -ExternalUrl https://owa.domain.com/OAB
      • Set the ActiveSync URL
        Get-ActiveSyncVirtualDirectory -Server <serverName> | Set-ActiveSyncVirtualDirectory -InternalUrl https://owa.domain.com/Microsoft-Server-ActiveSync -ExternalUrl https://owa.domain.com/Microsoft-Server-ActiveSync
      • Set the Client Access Server's AutoDiscoverSiteScope
        Set-ClientAccessServer -Identity <serverName> -AutoDiscoverSiteScope "<Exchange Site Name>"
      • Set the OWA virtual directory Internal URL
        Get-OwaVirtualDirectory -Server <serverName> | Set-OwaVirtualDirectory -InternalUrl https://owa.domain.com/owa
      • Set the Authentication types for the OWA virtual directory
        • If this Client Access Server will be used for External access, set the Authentication type for the OWA virtual directory to "Forms" based authentication
          Get-OwaVirtualDirectory -Server <serverName> | Set-OwaVirtualDirectory -FormsAuthentication $true -BasicAuthentication $false -WindowsAuthentication $false -LogonFormat Username
        • If this Client Access Server will be used for Internal access, set the Authentication type for the OWA virtual directory to "Windows" authentication
          Get-OwaVirtualDirectory -Server <serverName> | Set-OwaVirtualDirectory -FormsAuthentication $false -BasicAuthentication $false -WindowsAuthentication $true
      • Set the ECP virtual directory Internal URL
        Get-EcpVirtualDirectory -Server <serverName> | Set-EcpVirtualDirectory -InternalUrl https://owa.domain.com/ecp
      • Set the Authentication types for the ECP virtual directory
        • If this Client Access Server will be used for External access, set the Authentication type for the ECP virtual directory to "Forms" based authentication
          Get-EcpVirtualDirectory -Server <serverName> | Set-EcpVirtualDirectory -FormsAuthentication $true -BasicAuthentication $false -WindowsAuthentication $false
        • If this Client Access Server will be used for Internal access, set the Authentication type for the ECP virtual directory to "Windows" authentication
          Get-EcpVirtualDirectory -Server <serverName> | Set-EcpVirtualDirectory -FormsAuthentication $false -BasicAuthentication $false -WindowsAuthentication $true
      • Disable the requirement for client encryption
        Set-RPCClientAccess -Server <serverName> -EncryptionRequired $false
      • Set the default client language to en-US
        Set-OwaVirtualDirectory -Identity "<serverName>\owa (Default Web Site)" -DefaultClientLanguage 1033
  • Set the static MAPI(55000) and DSACCESS(55002) ports
    • Import the following registry values
      Windows Registry Editor Version 5.00
      
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem]
      "TCP/IP Port"=dword:0000d6d8
      
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters]
      "RpcTcpPort"="55002"
  • Reboot, then validate the CAS server configuration
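The validation step above is left open in the notes, so here is an added check script (not part of the original notes) that reads back the CAS settings configured in this section and reports any mismatch. Run it from the Exchange Management Shell on the CAS server itself, since the static port checks read the local registry; the server name, the owa.domain.com host name and the site scope are assumed placeholders.

```powershell
# Added example: read back the CAS configuration from the steps above and
# report every value that does not match. Assumptions: run locally on the
# CAS, $OwaHost is the published OWA name, $SiteScope is the AD site name.
param(
    [string]$Server    = $env:COMPUTERNAME,
    [string]$OwaHost   = "owa.domain.com",
    [string]$SiteScope = "<Exchange Site Name>"
)

$failures = @()
function Check($name, $actual, $expected) {
    # Compare as strings so Uri, bool and int properties all work the same way
    if ("$actual" -ne "$expected") {
        $script:failures += "{0}: expected '{1}', got '{2}'" -f $name, $expected, $actual
    }
}

# Virtual directory URLs: internal and external must both point at the OWA host
$ews = Get-WebServicesVirtualDirectory -Server $Server
Check "EWS InternalUrl" $ews.InternalUrl "https://$OwaHost/EWS/Exchange.asmx"
Check "EWS ExternalUrl" $ews.ExternalUrl "https://$OwaHost/EWS/Exchange.asmx"
$oab = Get-OabVirtualDirectory -Server $Server
Check "OAB InternalUrl" $oab.InternalUrl "https://$OwaHost/OAB"
Check "OAB ExternalUrl" $oab.ExternalUrl "https://$OwaHost/OAB"
$eas = Get-ActiveSyncVirtualDirectory -Server $Server
Check "ActiveSync InternalUrl" $eas.InternalUrl "https://$OwaHost/Microsoft-Server-ActiveSync"
Check "ActiveSync ExternalUrl" $eas.ExternalUrl "https://$OwaHost/Microsoft-Server-ActiveSync"

# OWA and ECP: Basic is off everywhere; exactly one of Forms (external) or
# Windows (internal) is on, and ECP uses the same mode as OWA
$owa = Get-OwaVirtualDirectory -Server $Server
Check "OWA InternalUrl" $owa.InternalUrl "https://$OwaHost/owa"
Check "OWA DefaultClientLanguage" $owa.DefaultClientLanguage 1033
Check "OWA BasicAuthentication" $owa.BasicAuthentication $false
Check "OWA Forms xor Windows" ($owa.FormsAuthentication -xor $owa.WindowsAuthentication) $true
$ecp = Get-EcpVirtualDirectory -Server $Server
Check "ECP InternalUrl" $ecp.InternalUrl "https://$OwaHost/ecp"
Check "ECP BasicAuthentication" $ecp.BasicAuthentication $false
Check "ECP auth mode matches OWA" ($ecp.FormsAuthentication -eq $owa.FormsAuthentication) $true

# Autodiscover and Outlook Anywhere
$cas = Get-ClientAccessServer -Identity $Server
Check "AutoDiscoverServiceInternalUri" $cas.AutoDiscoverServiceInternalUri "https://$OwaHost/Autodiscover/Autodiscover.xml"
Check "AutoDiscoverSiteScope" ($cas.AutoDiscoverSiteScope -join ",") $SiteScope
$oa = Get-OutlookAnywhere -Server $Server
Check "OutlookAnywhere ExternalHostname" $oa.ExternalHostname $OwaHost
Check "OutlookAnywhere SSLOffloading" $oa.SSLOffloading $false

# Static RPC ports from the registry import above (55000 MAPI, 55002 DSACCESS)
$rpc = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem" -ErrorAction SilentlyContinue
Check "MAPI TCP/IP Port" $rpc."TCP/IP Port" 55000
$ab = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters" -ErrorAction SilentlyContinue
Check "DSACCESS RpcTcpPort" $ab.RpcTcpPort "55002"

if ($failures.Count -eq 0) { "All CAS settings match the expected values." }
else { "Mismatches found:"; $failures | ForEach-Object { " - $_" } }
```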

Hub Transport Role

Operating System

  • Windows 2008 Enterprise x64 R2 Service Pack 1

Installation

  • Install Powershell 2.0 if not already installed (default on 2008 R2)
  • Open Powershell
    • Import the Server Manager module
      Import-Module ServerManager
    • Install all of the required components
      Add-WindowsFeature -Name NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server
    • Reboot
  • Open Powershell
    • Set the NetTcpPortSharing service to automatic
      Set-Service NetTcpPortSharing -StartupType Automatic
  • Install Microsoft KB979099
  • Install Office 2010 Filter Pack
  • Launch Exchange Setup
    • Install only languages from the DVD
    • Install Microsoft Exchange
      • Accept the EULA
      • Do not report errors to Microsoft
      • Select "Custom Exchange Server Installation"
      • Select "Hub Transport Role"
      • Do not join the "Customer Experience Improvement Program"
      • Install
  • Enter the Product Key
    • Open the Exchange Management Console
    • Right click the server and select "Enter Product Key"
      XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
  • Install the appropriate Exchange Service Pack or Rollup.
    • As Service Pack and Rollup levels change, I have opted not to include exactly which one to use in this document. Instead, refer to the following Microsoft KB article for what the various Exchange build numbers are, and then issue the following command on a few of our Exchange servers to determine what level of Service Pack or Rollup our servers are running.

Mailbox Role

Operating System

  • Windows 2008 Enterprise x64 R2 Service Pack 1

Installation

  • Install Powershell 2.0 if not already installed (default on 2008 R2)
  • Open Powershell
    • Import the Server Manager module
      Import-Module ServerManager
    • Install all of the required components
      Add-WindowsFeature -Name NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Multipath-IO
    • Reboot
  • Open Powershell
    • Set the NetTcpPortSharing service to automatic
      Set-Service NetTcpPortSharing -StartupType Automatic
  • Install Snapdrive, NetApp Host Utilities, NetApp DSM
  • Install Microsoft KB2550886
  • Install Office 2010 Filter Pack
  • Launch Exchange Setup
    • Install only languages from the DVD
    • Install Microsoft Exchange
      • Accept the EULA
      • Do not report errors to Microsoft
      • Select "Custom Exchange Server Installation"
      • Select "Mailbox Role"
      • Do not join the "Customer Experience Improvement Program"
      • Install
  • Enter the Product Key
    • Open the Exchange Management Console
    • Right click the server and select "Enter Product Key"
      XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
  • Install the appropriate Exchange Service Pack or Rollup.
    • As Service Pack and Rollup levels change, I have opted not to include exactly which one to use in this document. Instead, refer to the following Microsoft KB article for what the various Exchange build numbers are, and then issue the following command on a few of our Exchange servers to determine what level of Service Pack or Rollup our servers are running.

Configuration

  • Open the "Exchange Management Shell"
    • Disable the requirement for client encryption
      Set-RPCClientAccess -Server <serverName> -EncryptionRequired $false
  • Import the following registry values to set the static port for Public Folder Access(55001)
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem]
    "TCP/IP Port"=dword:0000d6d9

Email Relay and Cisco Ironport

  • Relay Connectors: we found out soon after moving to the cloud that the previous on-premises Ironport servers had been granted additional permissions by adding their IP addresses to a relay connector that had the "Externally Secured" authentication mechanism checked. This was the relay connector that had been created on what we considered the "outbound" hub transport server. When we created the F5 VIP for inbound mail routing from the cloud Ironport servers, they were routing mail directly to our Exchange 2010 site hub transport servers, which did not have that additional relay connector on them. The lack of additional permissions meant that the cloud Ironport servers were no longer considered "Authenticated" and could not send email to distribution lists where the "require authentication" check box was checked. In addition, some cell phone based mail contacts were not displaying the mail contact information when replying. To remediate these issues we had to add a custom connector to each of the hub transport servers with the "Externally Secured" authentication mechanism.
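Creating the custom connector described above, as an added example that is not part of the original notes: the connector is scoped to the Ironport addresses only, because "Externally Secured" trusts the remote host on its IP alone, and the script then audits every receive connector in the organisation that grants that mechanism. The hub server name, connector name and IP addresses are assumed placeholders.

```powershell
# Added example: create the Externally Secured relay connector on one hub
# transport server, then list every connector that grants ExternallySecured
# together with its IP scope. Assumptions: $HubServer, $ConnectorName and the
# $IronportAddresses list are placeholders to replace with your own values.
param(
    [string]$HubServer = "<hubTransportServer>",
    [string]$ConnectorName = "Ironport Relay",
    [string[]]$IronportAddresses = @("203.0.113.10", "203.0.113.11")  # placeholder (documentation range)
)

# RemoteIPRanges is the only control on this connector: anything in the list is
# treated as an authenticated Exchange server. The ExchangeServers permission
# group is required whenever AuthMechanism is ExternallySecured.
New-ReceiveConnector -Name $ConnectorName -Server $HubServer -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $IronportAddresses `
    -AuthMechanism ExternallySecured -PermissionGroups ExchangeServers

# Audit: every connector in the org with ExternallySecured and the IP ranges it trusts.
# A range of 0.0.0.0-255.255.255.255 (the default) means any host can relay as authenticated.
Get-ReceiveConnector |
    Where-Object { "$($_.AuthMechanism)" -match "ExternallySecured" } |
    ForEach-Object {
        $ranges = ($_.RemoteIPRanges | ForEach-Object { $_.ToString() }) -join ", "
        $warn = ""
        if ($ranges -match "0\.0\.0\.0-255\.255\.255\.255") { $warn = "  <-- open to all IPv4" }
        "{0}\{1}: {2}{3}" -f $_.Server, $_.Name, $ranges, $warn
    }
```

Repeat the New-ReceiveConnector call once per hub transport server behind the F5 VIP, since receive connectors are per server.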

Email Relay Troubleshooting

  • SMTP Extensions Being Stripped by the ASA
    • When trying to test mail routing out of the RSM datacenter we initially had an issue where the SMTP handshake would fail.
      • The initial SMTP response from Ironport was just returning "220 **************************" rather than "220 mailserver.domain.com"
      • Also, some of the extensions were being stripped off of subsequent responses from Ironport, like the requirement for "STARTTLS" for example.
    • The solution was to set "no fixup protocol smtp 25" on the ASA as described in this Microsoft article

SSMTP Relay via F5 Load Balancer

  • Refer to the "BigIP Local Traffic Manager Implementation Guide" for the steps to configure secure SMTP relay via the F5. It is pretty simple, but I just wanted to add one bullet that caused me a little pain.
  • The implementation guide states that all you need to configure is a Virtual Server, an SSMTP profile, and a Client SSL profile for secure SMTP relay. Make sure that when you configure your virtual server you ONLY apply a Client SSL profile. DO NOT apply a Server SSL profile at all. For whatever reason, when a Server SSL profile is applied it looks like you are able to connect via telnet, but all you get is a blank screen; the server never answers back as you would normally expect. Remove the Server SSL profile and the SMTP server will answer back with the expected "........Microsoft ESMTP MAIL Service ready......." message.

OWA 2007/2010 Co-Existence

Configuration

In order to provide as seamless an experience as possible when accessing an Exchange 2007 mailbox via an Exchange 2010 Client Access Server, CAS proxying is used for 2010 to 2007 communication. For the proxying to occur properly, the following items should be in place.
  • The 2007 CAS and 2010 CAS servers should be in separate Active Directory sites. The 2007 Mailbox and 2010 Mailbox servers should be in the same Active Directory site as their respective CAS servers.
  • The Outlook Web Access control directory from the destination CAS server (2007) must exist in the "owa" virtual directory on the source CAS server (2010), see this article for more information
  • Windows Integrated authentication must be enabled on the "owa", "Exchange", "Exchweb", and "Public" virtual directories on the destination CAS server (2007)
  • If load balancing is desired, the InternalURL property of the "owa" virtual directory on the destination CAS server (2007) should be configured with the address of a load balancer
  • The ExternalURL property of the "owa" virtual directory should be blank on both the source (2010) and destination CAS servers (2007)
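An added pre-check (not part of the original notes) that tests the co-existence items above from the Exchange 2010 Management Shell: Windows Integrated authentication on the four 2007 virtual directories, a blank ExternalUrl on both owa directories, the copied 2007 control directory, and separate AD sites. The two server names are placeholders; the control directory version 8.2.176.2 is taken from the CAS notes above.

```powershell
# Added example: verify the OWA 2007/2010 co-existence prerequisites.
# Assumptions: run from the Exchange 2010 Management Shell with rights to
# read both servers; $Cas2007 and $Cas2010 are placeholders.
param(
    [string]$Cas2007 = "<legacyCasServer>",
    [string]$Cas2010 = "<newCasServer>",
    [string]$ControlDirVersion = "8.2.176.2"
)
$problems = @()

# 1. Windows Integrated auth on owa, Exchange, Exchweb and Public on the 2007 CAS.
#    Get-OwaVirtualDirectory against a 2007 server returns the legacy vdirs too.
$legacy = Get-OwaVirtualDirectory -Server $Cas2007
foreach ($name in "owa", "Exchange", "Exchweb", "Public") {
    $vd = $legacy | Where-Object { $_.Name -like "$name (*" }
    if (-not $vd) { $problems += "${Cas2007}: virtual directory '$name' not found"; continue }
    if (-not $vd.WindowsAuthentication) { $problems += "$Cas2007\${name}: Windows Integrated auth is off" }
}

# 2. ExternalUrl must be blank on the owa vdir of both source and destination
foreach ($srv in $Cas2007, $Cas2010) {
    Get-OwaVirtualDirectory -Server $srv | Where-Object { $_.Name -like "owa (*" } | ForEach-Object {
        if ($_.ExternalUrl) { $problems += "$srv\owa: ExternalUrl is '$($_.ExternalUrl)' but must be blank" }
    }
}

# 3. The 2007 control directory must exist under the 2010 owa vdir (checked via the admin share)
$controlDir = "\\$Cas2010\C$\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\$ControlDirVersion"
if (-not (Test-Path $controlDir)) {
    $problems += "${Cas2010}: control directory $ControlDirVersion is missing under ClientAccess\Owa"
}

# 4. The 2007 and 2010 CAS servers must be in different Active Directory sites
$site2007 = "$((Get-ExchangeServer $Cas2007).Site)"
$site2010 = "$((Get-ExchangeServer $Cas2010).Site)"
if ($site2007 -eq $site2010) {
    $problems += "Both CAS servers are in AD site '$site2007'; 2007 and 2010 CAS must be in separate sites"
}

if ($problems.Count -eq 0) { "Co-existence prerequisites look good." } else { $problems }
```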

Reference Information

  • Static ports

    The following static ports were defined for MAPI, DSACCESS, and Public Folder connectivity to simplify the load balancer configuration. See this article for more information on static ports: http://social.technet.microsoft.com/wiki/contents/articles/configuring-static-rpc-ports-on-an-exchange-2010-client-access-server.aspx

    • CAS Static Port (MAPI):
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeRpc\ParametersSystem
      • DWORD: TCP/IP Port
      • Data: 55000

    • CAS Static Port (DSACCESS):
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters
      • REG_SZ: RpcTcpPort
      • Data: 55002

    • Mailbox Static Port (MAPI Public Folders):
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeRpc\ParametersSystem
      • DWORD: TCP/IP Port
      • Data: 55001