This article explains how you can deploy a hybrid Office 365 and Exchange on-premises environment with multiple Active Directory Forest. An organisation that utilizes an account forest and a resource forest to separate Active Directory accounts and Exchange servers in … Continue reading
Tag Archives: Exchange 2013
Exchange 2010/2013 to Exchange 2016 Migration Step by Step
Gallery
Deployment Location: On-premises Target Environment: Exchange Server 2016 CU4 Current Environment: Exchange Server 2010 or Exchange Server 2013 or mixed Public Folder Location: Exchange Server 2013 Understanding of Exchange Server 2016: Exchange Server 2016 wraps up in two Exchange roles … Continue reading
Configuring Retention Policies in Office 365
Gallery
Retention policies are used to manage email lifecycle. Retention policies are applied by creating retention tags, adding them to a retention policy, and applying the policies to mailboxes. To Create various retention policies in Office 365 using simple PowerShell. Connect … Continue reading
Office 365: Configuring catch-all mailbox during migration
Gallery
Step1: Create Catch-All Mailbox 1. Sign in to portal.office.com>Active Users 2. Create a new user named “Catch-All-Mailbox” and assign licenses either E1 or E3. Step2: Create exception Security Group (Optional Step) 1. Log onto Office 365 admin portal 2. Go … Continue reading
Branding and Customizing the ADFS Sign-in Pages
Gallery
Branding and promoting Company name and logos are common business practices. You would like to see your own brand whilst signing into to Microsoft Office 365. ADFS provides opportunity for businesses to customize sign in page and promote own brand. … Continue reading
Data Loss Prevention (DLP) in Exchange 2013
Data Loss Prevention (DLP) is a mechanism introduced in Exchange 2013 to prevent accidental or malicious disclosure of information via email message. Built-in DLP solution in Exchange 2013 scan message header, message body and attachment based on DLP rule by the transport agent. There are certain conditions applied in Exchange 2013 DLP.
Notify Only Policy
The following conditions can be used:
- The recipient is
- The recipient is located
- The sender is
- The sender is a member of
- The sender is located
The following actions can’t be used:
- Reject the message and include an explanation
- Reject the message with the enhanced status code of
- Delete the message without notifying anyone
Block Message Policy
- Block the message, but allow the sender to override and send
- Block the message.
To add a notify only DLP policy:
- Go to Exchange Administration Center, Go to Compliance management > Data loss prevention
- Then go to Policies, Select Edit
- On the Edit DLP policy page, select Rules.
- To add Policy Tips to an existing rule, highlight the rule and select Edit.
- To add a new blank rule that you can fully customize, select Add or plus sign and then select Create a new rule .
- Select plus sign, select the sensitive information types, select Add, select OK, and then select OK.
- In the Do the following box, select Notify the sender with a Policy Tip, and select an option in the Choose whether the message is blocked or can be sent drop-down list, and then select OK.
- If you want to add additional conditions or actions, at the bottom of the window, select More options.
- In the Choose a mode for this rule list, select whether you want the rule to be enforced. We recommend testing the rule first.
- Select Save to finish.
To add a block message DLP policy:
- In the Exchange Administration Center, go to Compliance management > Data loss prevention.
- Select desired policy> Click Edit .
- On the Edit DLP policy page, select Rules.
- To add Policy Tips to an existing rule, highlight the rule and select Edit .
- To add a new blank rule that you can fully customize, select Add .
- To add an action that will reveal a Policy Tip, select More options and then select the Add action
- From the drop down list, select Notify the sender with a Policy Tip and then select Block the message.
- Select OK, then select Save to finish modifying the rule and save your changes.
Supported Systems for Exchange 2013
Supported Domain Controller
- Windows Server 2012 R2 Standard or Datacenter 1
- Windows Server 2012 Standard or Datacenter
- Windows Server 2008 R2 Standard or Enterprise SP1 or later
- Windows Server 2008 R2 Datacenter RTM or later
- Windows Server 2008 Standard or Enterprise SP1 or later (32-bit or 64-bit)
- Windows Server 2008 Datacenter RTM or later
- Windows Server 2003 Standard Edition with Service Pack 2 (SP2) or later (32-bit or 64-bit)
- Windows Server 2003 Enterprise Edition with SP2 or later (32-bit or 64-bit)
Supported Forest
Windows Server 2003 forest functionality mode or higher 2
- Windows Server 2012 R2 is supported only with Exchange 2013 SP1 or later.
- Windows Server 2012 R2 forest functionality mode is supported only with Exchange 2013 SP1 or later.
DNS Name Space
- Contiguous
- Noncontiguous
- Single label domains
- Disjoint
Mailbox, Client Access, and Management Tools
- Windows Server 2012 R2 Standard or Datacenter
- Windows Server 2012 Standard or Datacenter
- Windows Server 2008 R2 Standard with Service Pack 1 (SP1)
- Windows Server 2008 R2 Enterprise with Service Pack 1 (SP1)
- Windows Server 2008 R2 Datacenter RTM or later
Supported Client
- Outlook 2013
- Outlook 2010
- Outlook 2007
- Entourage 2008 for Mac, Web Services Edition
- Outlook for Mac 2011
Supported Coexistence
- Exchange 2007 SP3 Update Rollup 10
- Exchange 2010 SP3 Update Rollup 6
Supported Hybrid Deployment
- Latest version of Office 365
Relevant Articles
Exchange 2013 Upgrade, Migration and Co-existence
Migration Guide
Exchange 2007/2010 to Exchange 2013 Migration Step by Step Guide
How to Configure Unified Messaging in Exchange 2013 Step by Step
Mail flow in Exchange 2013
Source: Microsoft TechNet
Source: Microsoft TechNet
Protocol | Exchange 2007 & Exchange 2013 | Exchange 2007 & Exchange 2013 |
Namespace | legacy.domain.com | no additional namespace |
OWA | Non-silent redirection to legacy.domain.com |
Proxy to CAS2010 Silent direction |
EAS | Proxy to MBX2013 | Proxy to CAS2010 |
Outlook Anywhere | Proxy to CAS2007 | Proxy to CAS2010 |
Autodiscover | Redirect to CAS2007 | Proxy to CAS2010 |
EWS | Autodiscover | Proxy to CAS2010 |
POP/IMAP | Redirect to CAS2007 | Proxy to CAS2010 |
OAB | Redirect to CAS2007 | Proxy to CAS2010 |
RPS | N/A | Proxy to CAS2010 |
ECP | N/A | Proxy to CAS2010 |
Exchange 2013 Perquisites
Supported Co-existence Scenario
- Exchange 2010 SP3
- Exchange 2007 SP3+RU10
Supported Client
- Outlook Anywhere Only, Outlook 2007 or later
- Outlook for Mac 2011
- Entourage 2008 for Mac
Active Directory
- Windows 2003 Forest Functional Level or higher
- At least one global catalog. two global catalog is highly recommended for redundancy purpose
- No support for RODC or ROGC
Namespace
- Contiguous
- Non-Contiguous
- Single level Domain
- disjoint
Operating Systems
- Windows Server 2008 R2 SP1
- Windows Server 2012 or Windows Server 2012 R2
Other Components
- Internet Information Service (IIS)
- .Net Framework 4.5
- Unified Communication Managed API
Cumulative Updates
- CU is a full exchange installer or binary
- Required for co-existence with Exchange 2007/2010
Upgrade from Exchange 2010 to Exchange 2013
1. Prepare
- Prepare Exchange 2010 with SP3
- Test Exchange using Test cmdlets
- Test Active Directory health status
- Prepare Active Directory Schema using Exchange 2013 schema
2. Deploy Exchange 2013
- Install both Exchange 2013 MBX and CAS servers
- Install Management Server on admin PC
3. Obtain and deploy Certificates
- Create Certificate CSR from Exchange 2013
- Sign the certificate from public CA
- Install Certificate and assign certificate to IIS,SMTP,POP,IMAP
OR
- Export certificate from Exchange 2010 and import into Exchange 2013
4. Configure Mail flow
- Create mail and autodiscover namespace and point to Exchange 2013
- Add Exchange 2013 MBX server into Send Connector
- Configure Frontend receive connector
- Create anonymous relay
5. Switch Primary Name Space
- Switch OWA, ActiveSync and SMTP traffic to Exchange 2013
- Use TMG/UAG to switch OWA and ActiveSync to Exchange 2013
- Switch port 25 forwarding to Exchange 2013
- Validate traffic flow to Exchange 2013
6. Move Mailboxes
- Build Exchange DAG
- Migrate user mailbox
- Migrate resource mailbox
- Migrate public folders
7. Repeat additional sites
8. Decommission Exchange 2010
Upgrade from Exchange 2007 to Exchange 2013
1. Prepare
- Prepare Exchange 2007 with SP3 +RU
- Test Exchange using Test cmdlets
- Test Active Directory health status
- Prepare Active Directory Schema using Exchange 2013 schema
2. Deploy Exchange 2013
- Install both Exchange 2013 MBX and CAS servers
- Install Management Server on admin PC
3. Obtain and deploy Certificates
- Create a certificate CSR from Exchange 2013 with legacy namespace
- Sign the certificate from public CA
- Install Certificate and assign certificate to Exchange 2013 IIS,SMTP,POP,IMAP
- Install same certificate into Exchange 2007
4. Configure Mail flow
- Create legacy DNS record pointing to Exchange 2007
- Create mail and autodiscover namespace and point to Exchange 2013 CAS
- Create Send Connector in Exchange 2013
- Configure Frontend receive connector
- Create anonymous relay
5. Switch Primary Name Space
- Switch OWA, ActiveSync and SMTP traffic to Exchange 2013
- Use TMG/UAG to switch OWA and ActiveSync to Exchange 2013
- Switch port 25 forwarding to Exchange 2013
- Validate traffic flow to Exchange 2013 using MCA and ExRCA
6. Move Mailboxes
- Build Exchange DAG
- Migrate user mailbox
- Migrate resource mailbox
- Migrate public folders
7. Repeat additional sites
8. Decommission Exchange 2007
Validate External Connectivity
- Use Microsoft connectivity analyzer https://testconnectivity.microsoft.com/?tabid=client
- Use remote connectivity analyzer http://www.exrca.com
- Use Test cmdlets
Certificate Best Practice
- Minimize number of certificates
- Minimize number of host name
- use split DNS for Exchange host name
- Don’t list machine name in certificates
- Use Subject Alternative Name Certificate or SAN certificates
Restart Transport Services and Information Store Service
- Patch Exchange Server using WSUS or ConfigMgr
- Reboot DAG member one by one
- Reboot CAS server one by one
- Management Tools
- User Exchange 2013 Administration Center to manage co-existence and migration tasks
- Use Exchange 2010 management console to move offline address book
Cutover Process
- Public folder migration is part of final cutover
- Exchange and Active Directory health check
- verify proposed and implemented Exchange 2013
Post Migration
- Shutdown Exchange 2010 servers for minimum 48 hours in working days
- Decommission Exchange 2010
Exchange 2007/2010 to Exchange 2013 Migration Step by Step Guide
Before you begin, create a work sheet in spreadsheet recording required information to migrate Exchange 2007/2010 to Exchange 2013. For this article, I am going to use following work sheet. This work sheet and migration guide are tested in production exchange migration which I did for few of my clients. Note that this article is not situation specific hence I can’t provide you a silver bullet for your situation.
Deployment Work Sheet
Version Readiness Check
Present Server | Proposed Server |
Exchange 2007 SP3 OR 2010 SP3 | Exchange 2013 CU3 |
Exchange Role Assignment
Exchange 2013 has two server roles; the Mailbox and Client Access server roles. You need at least one Client Access server and one Mailbox server in the Active Directory forest. If you’re separating your server roles, Microsoft recommend installing the Mailbox server role first.
Mailbox Role: The Mailbox server includes the Client Access protocols, the Transport service, the Mailbox databases, and Unified Messaging (the Client Access server redirects SIP traffic generated from incoming calls to the Mailbox server). The Mailbox server handles all activity for the active mailboxes on that server.
Client Access: The Client Access server provides authentication, limited redirection, and proxy services for all of the usual client access protocols: HTTP, POP and IMAP, and SMTP. The Client Access server, a thin and stateless server, doesn’t do any data rendering. With the exception of diagnostic logs, nothing is queued or stored on the Client Access server.
Server Name | Exchange Roles |
AUPEREXMBX01,AUPEREXMBX02 | Mailbox |
AUPEREXCAS01,AUPEREXCAS02 | CAS |
Active Directory Schema and Forest
When you install Exchange 2013 for the first time, your Active Directory schema will be updated. This schema update is required to add objects and attributes to Active Directory to support Exchange 2013. Additionally, replicating the changes made to your schema may take several hours or days and is dependent on your Active Directory replication schedule. A forced replication can be performed after schema preparation.
Description | AD Forest | Domain Controller |
Primary SMTP namespace | Superplaneteers.com | AUPERDC01,AUPERDC02 |
User principal name domain | Superplaneteers.com | AUPERDC01,AUPERDC02 |
Legacy Edge Transport
N/A
Network Configuration
Server Name | TCP/IP | DNS | Replication network |
AUPEREXMBX01 | 10.10.10.11
|
10.10.10.2
10.10.10.3 |
192.168.100.11/24 |
AUPEREXMBX02 | 10.10.10.12 | 10.10.10.2
10.10.10.3 |
192.168.100.12/24 |
AUPEREXCAS01 | 10.10.10.13 | 10.10.10.2
10.10.10.3 |
N/A |
AUPEREXCAS02 | 10.10.10.14 | 10.10.10.2
10.10.10.3 |
N/A |
The network adapter name used within the operating system of mailbox server must be changed to closely match the associated network name. For example: Domain Network and Replication Network. The following binding order must be maintained within Windows operating systems:
- First in Order- Domain adapter connected to the Active Directory network
- Second in Order- Replication adapter connected to the heartbeat network.
Here is a guide how to change adapter binding order http://technet.microsoft.com/en-us/library/cc732472(v=ws.10).aspx Microsoft does not support multiple default gateways on a single server, no default gateway is required on the replication network card.
Disk layout
Server Name | C: | E: | F: | G: |
AUPEREXMBX01 | 50 GB | 50 GB | 500GB | 300GB |
AUPEREXMBX02 | 50 GB | 50 GB | 500GB | 300GB |
AUPEREXCAS01 | 50 GB | 50 GB | N/A | N/A |
AUPEREXCAS02 | 50 GB | 50 GB | N/A | N/A |
Resilient Exchange Configuration
Purpose | Name | TCP/IP | Subnet | Type |
DAG | AUPEREXDAG01 | 10.10.10.15 | 255.255.255.0 | N/A |
CAS NLB or Load Balancer | Mail.superplaneteers.com | 10.10.10.16 | 255.255.255.0 | Multicast |
Exchange Administrator
User name | Privileges |
ExMigrationAdmin | Domain Admins
Domain user Schema Admin Enterprise Admin Organisation Management Local Administrator |
Certificates
A public Secure Sockets Layer (SSL) certificate is a prerequisite in Exchange 2013. SSL helps to protect communication between your Exchange servers and clients and other mail servers by encrypting data and, optionally, identifying each side of the connection.
You can buy a third-party certificate from public CA such as Verisign. Certificates published by public CAs are trusted by most operating systems and browsers.
Common Name | Subject Alternative | Type | Assigned to |
mail.superplaneteers.com | autodiscover.superplaneteers.com | SSL | IIS,SMTP,POP,IMAP |
Supported Client
Exchange 2013 supports the following minimum versions of Microsoft Outlook and Microsoft Entourage for Mac:
- Outlook 2013 (15.0.4420.1017)
- Outlook 2010 Service Pack 1 with the Outlook 2010 November 2012 update (14.0.6126.5000).
- Outlook 2007 Service Pack 3 with the Outlook 2007 November 2012 update (12.0.6665.5000).
- Entourage 2008 for Mac, Web Services Edition
- Outlook for Mac 2011
Exchange 2013 does not support Outlook 2003.
Public DNS records
DNS record | Record Type | IP/Alias/FQDN | Priority |
Mail.superplaneteers.com | A | 203.17.x.x | N/A |
superplaneteers.com | MX | Mail.superplaneteers.com | 10 |
Autodiscover.superplaneteers.com | CNAME | Mail.superplaneteers.com | N/A |
If you have hosted email security then your MX record must look like this. An example is given here for TrendMicro hosted email security.
DNS record | Record Type | IP/Alias/FQDN | Priority |
Mail.superplaneteers.com | A | 203.17.x.x | N/A |
superplaneteers.com | MX | in.sjc.mx.trendmicro.com | 10 |
Autodiscover.superplaneteers.com | CNAME | Mail.superplaneteers.com | N/A |
Internal DNS records
DNS record | Record Type | Hardware Load Balancer
VIP or CAS NLB IP |
Mail.superplaneteers.com | A | 10.10.10.16 |
Autodiscover.superplaneteers.com | A | 10.10.10.16 |
If you don’t have CAS NLB or hardware load balancer then create Host(A) record of mail.superplaneteers.com and point to Exchange 2013 CAS Server.
Send Connector
Here I am giving an example of TrednMicro smart host. Do not add smart host without proper authorization from smart host provider otherwise you will not be able to send email from internal organisation to external destination.
Intended use | Address Space | Network Settings | Authentication | Smart Host |
Internet | “*” | default | Basic, Exchange, TLS | relay.sjc.mx.trendmicro.com |
Receive Connector
Name | Intended use | Network Settings | IP Range | Server(s) |
Client Frontend | Client | default | All Available IPv4 | AUPEREXMBX01
AUPEREXMBX02 |
Default Frontend | Inbound SMTP | default | All Available IPv4 | AUPEREXMBX01
AUPEREXMBX02 |
Anonymous Relay
Relay | Authentication | Permission | Remote IP | SMTP |
Anonymous Relay | TLS, Externally Secured | Anonymous, Exchange Servers | IP Address of Printers, Scanner, Devices, App Server | 10.10.10.11
10.10.10.12 |
Port Forwarding in Cisco Router
Rule | Source Address | Destination Address | NATed Destination | Port |
OWA | Any | 203.17.x.x | 10.10.10.16 | 443 |
SMTP | Any | 203.17.x.x | 10.10.10.16 | 25 |
Again if you don’t have CAS NLB or load balancer your NATed destination is Exchange 2013 CAS server.
Mailbox Storage
Storage Group Type | Database location |
Mailbox storage | F:Exchange Data |
Mailbox storage logs | G:Exchange Log |
Email address Policy
Email Address Policy | %g.%s@superplaneteers.com |
Virtual Directory for internal and external network
Virtual directory | Internal and External URL value |
Autodiscover | https://autodiscover.superplaneteers.com/autodiscover/autodiscover.xml |
ECP | https://mail.superplaneteers.com/ecp |
EWS | https://mail.superplaneteers.com/EWS/Exchange.asmx |
Microsoft-Server-ActiveSync | https://mail.superplaneteers.com/Microsoft-Server-ActiveSync |
OAB | https://mail.superplaneteers.com/OAB |
OWA | https://mail.superplaneteers.com/owa |
PowerShell | http://mail.superplaneteers.com/PowerShell |
Since you have finished your work sheet, now you are ready to virtualize Exchange servers on Hyper-v.
1. Virtualize Windows Server 2012 R2
2. Configure TCP/IP properties
3. Disable Windows Firewall
4. Join Windows server 2012 R2 to domain.
Download following software as prerequisites.
1. Microsoft Exchange Server 2010 Service Pack 3 (SP3) OR Exchange Server 2007 Service Pack 3
2. Cumulative Update 3 for Exchange Server 2013 (KB2892464)
3. Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit
4. Microsoft Office 2010 Filter Pack 64 bit
5. Microsoft Office 2010 Filter Pack SP1 64 bit
Additional Prerequisites if you would like to install Exchange 2013 on Windows Server 2008 R2 SP1.
- Microsoft .NET Framework 4.5
- Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit
- Microsoft Office 2010 Filter Pack 64 bit
- Microsoft Office 2010 Filter Pack SP1 64 bit
- Microsoft Knowledge Base article KB974405 (Windows Identity Foundation)
- Knowledge Base article KB2619234 (Enable the Association Cookie/GUID that is used by RPC over HTTP to also be used at the RPC layer in Windows 7 and in Windows Server 2008 R2)
- Knowledge Base article KB2533623 (Insecure library loading could allow remote code execution)
Windows Firewall
Open Control Panel > Windows Firewall. Turn off Firewall components (Domain, private and Public) completely.
Preparing Base Windows Server 2012 for Exchange 2013
Mailbox Server Role in Windows Server 2012 R2
To install prerequisites in Windows Server 2012, open Windows PowerShell as an administrator. Execute the following cmdlet one by one.
Import-Module ServerManager
Install-WindowsFeature RSAT-ADDS
Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation
Reboot Windows Server 2012
Client Access Server Role in Windows Server 2012 R2
To install prerequisites in Windows Server 2012, open Windows PowerShell as an administrator, Execute the following cmdlet one by one.
Import-Module ServerManager
Install-WindowsFeature RSAT-ADDS
Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation
Reboot Windows Server 2012
If you are installing Exchange 2013 on Windows Server 2008 R2 SP1.
Prepare mailbox role Windows Server 2008 R2 SP1
Open Windows PowerShell as an administrator, Execute the following cmdlets one by one.
Import-Module ServerManager
Add-WindowsFeature Desktop-Experience, NET-Framework, NET-HTTP-Activation, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Web-Server, WAS-Process-Model, Web-Asp-Net, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI
Reboot Windows Server 2008 R2
Prepare Client Access in Windows Server 2008 R2
Open Windows PowerShell, Execute the following cmdlet one by one.
Import-Module ServerManager
Add-WindowsFeature Desktop-Experience, NET-Framework, NET-HTTP-Activation, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Web-Server, WAS-Process-Model, Web-Asp-Net, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI
Reboot Windows Server 2008 R2
Install Service pack 3 on exchange 2010
Upgrading to SP3 requires a schema update, review the Active Directory Schema changes beforehand. Upgrade your Exchange servers to SP3. This should be performed in the following order:
1. CAS servers
2. Hub and/or Edge servers
3. Mailbox servers
4. Unified Messaging servers
Upgrade Exchange 2010 to Exchange 2010 SP3 level
1. Once the files are extracted, locate and run setup.exe as an administrator
2. Select Install Microsoft Exchange Upgrade.
3. Select Next at the welcome screen. Read and accept the license terms, then select Next.
4. If you’ve got all the requirements you’ll see all the green checks, Select Upgrade to begin the upgrade
5. Select Next to start the upgrade.
6. When the upgrade is complete, select Finish.
7. Reboot the server to allow changes to take affect.
Prepare Active Directory Schema
Before you prepare Active Directory, make sure your Active Directory is healthy. Follow the procedure for AD health check.
1. Prepare Active Directory in an Active Directory site where you want to install Exchange 2013.
2. Domain Controller must be Server 2008 Standard/Enterprise (x86/x64) OR Server 2008 R2 Standard / Enterprise OR Windows Server 2012 OR Windows Server 2012 R2.
3. Each domain needs at least one writeable global catalog server
4. Ensure AD replication is working properly in each site / domain
5. Ensure Active Directory is healthy. Visit active directory health check
6. Run the following command in a domain controller, Open command prompt as an administrator
repadmin /showrepl
repadmin /replsummary
repadmin /syncall
netdom query fsmo
Dcdiag /e
Netdiag
7. Open Active Directory Sites and Services MMC, make sure all domain controllers are global catalog.
8. Start Menu, Run, Type eventvwr to open event view, Review event logs to see everything is working as per normal
9. Start Menu, Run> Services.msc to open services, Check DNS server, DNS Client, File replication services are started and set to automatic
10. Open SYSVOL in all domain controllers and check everything is same in all domain controllers.
Now you are ready to prepare Active Directory Domain and Forest.
1. Extract the Exchange2013-x64-cu3.EXE package you have downloaded from Microsoft web site to a common location. In my example I will use E:EXCHANGE2013
2. Open a command prompt as an Administrator, and navigate to the directory in which you extracted the files to. In the case of this example it will be E:Exchange2013. You should see a Setup.exe file located there.
3. Run the following cmd:
- Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
OR
- Setup.exe /PS /IacceptExchangeServerLicenseTerms
4. Run the following cmd:
- Setup.exe /PrepareAD /OrganizationName:<NAMEHERE> /IAcceptExchangeServerLicenseTerms
OR
- Setup.exe /PAD /OrganizationName:<NAMEHERE> /IAcceptExchangeServerLicenseTerms
Now replicate Active Directory manually or wait for replication to complete. Verify event logs in Domain controllers to see any unexpected error or logs pops up or not. If everything looks fine then go ahead and install Exchange 2013.
Installing Exchange 2013 CU3
- After you have downloaded Exchange 2013 CU2, log on to the computer on which you want to install Exchange 2013.
- Navigate to the network location of the Exchange 2013 installation files.
- Start Exchange 2013 Setup by right clicking Setup.exe select Run as administrator
- On the Check for Updates page, choose whether you want Setup to connect to the Internet and download product and security updates for Exchange 2013. Select Don’t check for updates right now, you can download and install updates manually later. Click Next to continue.
- The Introduction page begins the process of installing Exchange into your organization. Click Next to continue.
- On the License Agreement page, review the software license terms. If you agree to the terms, select I accept the terms in the license agreement, and then click Next.
- On the Recommended settings page, select whether you want to use the recommended settings. If you select Use recommended settings, Exchange will automatically send error reports and information about your computer hardware and how you use Exchange to Microsoft. click Next.
- On the Server Role Selection page, select both Mailbox role and Client Access role or separate role based on your design. The management tools are installed automatically if you install any other server role.
Select Automatically install Windows Server roles and features that are required to install Exchange Server to have the Setup wizard install required Windows prerequisites. You may need to reboot the computer to complete the installation of some Windows features. If you don’t select this option, you must install the Windows features manually. Click Next to continue. - On the Installation Space and Location page, click Browse to choose a new location. I strongly recommend you installing Exchange 2013 on a separate partition other then C: drive. Click Next to continue.
- On the Malware Protection Settings page, choose whether you want to enable or disable malware scanning. If you disable malware scanning, it can be enabled in the future. Unless you have a specific reason to disable malware scanning, we recommend that you keep it enabled. Click Next to continue.
- On the Readiness Checks page, view the status to determine if the organization and server role prerequisite checks completed successfully. click Next to run the prerequisite check again. Be sure to also review any warnings that are reported. If all readiness checks have completed successfully, click Install to install Exchange 2013.
- On the Completion page, click Finish.
- Restart the computer after Exchange 2013 has completed.
- Once rebooted log on to Exchange server and review Event Logs in Exchange Server.
- Repeat the steps for all Exchange Server 2013 in your organisation.
Create a Test mailbox
1. Open the EAC by browsing to the URL of your Client Access server. For example, https://AUPEREXCAS01/ecp?ExchClientVer=15.
2. Enter the user name and password of the account you used to install Exchange 2013 in Domainuser name and Password, and then click Sign in.
3. Go to Recipients > Mailboxes. On the Mailboxes page, click Add and then select User mailbox.
4. Provide the information required for the new user and then click Save.
5. Go to Permissions > Admin Roles. On the Admin Roles page, select Organization Management and click Edit .
6. Under Members, click Add .
7. Select the Exchange 2013 mailbox you just created, click Add, then click OK. Then click Save.
Install Exchange 2013 certificates
Depending on your requirements, you can configure wild card certificate or a SAN certificate. I will go for SAN certificate to avoid further configuration such as certificate principal name configuration. In this example, I will create a SAN certificate which is as follows.
- Open the EAC by browsing to the URL of your Client Access server. For example, https://AUPEREXCAS01/ecp?ExchClientVer=15.
- Enter your user name and password in Domainuser name and Password, and then click Sign in.
- Go to Servers > Certificates. On the Certificates page, make sure your Client Access server is selected in the Select server field, and then click New .
- In the New Exchange certificate wizard, select Create a request for a certificate from a certification authority and then click Next.
- Specify a name for this certificate and then click Next.
- If you want to request a wildcard certificate, select Request a wild-card certificate and then specify the root domain of all subdomains in the Root domain field. If you don’t want to request a wildcard certificate and instead want to specify each domain you want to add to the certificate, leave this page blank. Click Next.
- Click Browse and specify an Exchange server to store the certificate on. The server you select should be the Internet-facing Client Access server. Click Next.
- For each service in the list shown, verify that the external or internal server names that users will use to connect to the Exchange server are correct. For example: CN=mail.superplaneteers.com and SAN=autodiscover.superplaneteers.com
- These domains will be used to create the SSL certificate request. Click Next.
- Add any additional domains you want included on the SSL certificate.
- Select the domain that you want to be the common name for the certificate and click Set as common name. For example, mail.superplaneteers.com. Click Next.
- Provide information about your organization. This information will be included with the SSL certificate. Click Next.
- Specify the network location where you want this certificate request to be saved. Click Finish.
After you’ve saved the certificate request, submit the request to your certificate authority (CA) which is public CA. Clients that connect to the Client Access server must trust the CA that you use. After you receive the certificate from the CA, complete the following steps:
- On the Server > Certificates page in the EAC, select the certificate request you created in the previous steps.
- In the certificate request details pane, click Complete under Status.
- On the Complete pending request page, specify the path to the SSL certificate file and then click OK.
- Select the new certificate you just added, and then click Edit .
- On the certificate page, click Services.
- Select the services you want to assign to this certificate. At minimum, you should select IIS but you can also select IMAP, POP, SMTP and UM call router if you use these services. Click Save.
- If you receive the warning Overwrite the existing default SMTP certificate?, click Yes.
To re-use existing certificate follow the steps below
- Log on directly to your Exchange 2010 Client Access server with an administrator user account.
- Open an empty Microsoft Management Console (MMC).
- Click File, then Add/Remove Snap-in.
- In the Add or Remove Snap-ins window, select Certificates and then click Add >.
- In the Certificates snap-in window that appears, select Computer account and click Next.
- Select Local computer and click Finish. Then click OK.
- Under Console Root, expand Certificates (Local Computer), Personal, and then Certificates.
- Select the 3rd-party certificate that’s used by Exchange 2010 that matches the host names you’ve configured on the Exchange 2013 server. This must be a 3rd-party certificate and not a self-signed certificate.
- Right-click on the certificate and select All Tasks and then Export….
- In the Certificate Export Wizard, click Next.
- Select Yes, export the private key and click Next.
- Make sure Personal Information Exchange – PKCS #12 (.PFX) and Include all certificates in the certification path if possible are selected. Make sure no other options are selected. Click Next.
- Select Password and enter a password to help secure your certificate. Click Next.
- Specify a file name for the new certificate. Use the file extension .pfx. Click Next and then click Finish.
- You’ll receive a confirmation prompt if the certificate export was successful. Click OK to close it.
- Copy the .pfx file you created to your Exchange 2013 Client Access server.
After you’ve exported the certificate from your Exchange 2010 server, you need to import the certificate on your Exchange 2013 server using the following steps.
- Log on directly to your Exchange 2013 Client Access server with an administrator user account.
- Open an empty Microsoft Management Console (MMC).
- Click File, then Add/Remove Snap-in.
- In the Add or Remove Snap-ins window, select Certificates and then click Add >.
- In the Certificates snap-in window that appears, select Computer account and click Next.
- Select Local computer and click Finish. Then click OK.
- Under Console Root, expand Certificates (Local Computer), and then Personal.
- Right-click Personal and select All Tasks and then Import….
- In the Certificate Import Wizard, click Next.
- Click Browse and select the .pfx file you copied to your Exchange 2013 Client Access server. Click Open and then click Next.
- In the Password field, enter the password you used to help secure the certificate when you exported it on the Exchange 2010 Client Access server.
- Verify that Include all extended properties is selected and click Next.
- Verify that Place all certificates in the following store is selected and Personal is shown in Certificate store. Click Next. Click Finish.
- You’ll receive a confirmation prompt if the certificate import was successful. Click OK to close it.
Now that the new certificate has been imported on your Exchange 2013 Client Access server, you need to assign it to your Exchange services using the following steps.
- Open the EAC by browsing to the URL of your Client Access server. For example, https://Ex2013CAS/ECP.
- Open the EAC by browsing to the URL of your Client Access server. For example, https://Ex2013/ECP.
- Enter your user name and password in Domainuser name and Password, and then click Sign in.
- On the Server > Certificates page in the EAC, select the new certificate you just added, and then click Edit .
- On the certificate page, click Services.
- Select the services you want to assign to this certificate. At minimum, you should select IIS but you can also select IMAP, POP, SMTP and UM call router if you use these services. Click Save.
- If you receive the warning Overwrite the existing default SMTP certificate?, click Yes.
Configure Exchange 2013 external and internal URLs
- Open the EAC by browsing to the URL of your Client Access server. For example, https://AUPEREXCAS01/ecp?ExchClientVer=15.
- Enter your user name and password in Domainuser name and Password, and then click Sign in.
- Go to Servers > Servers, select the name of the Internet-facing Exchange 2013 Client Access server and then click Edit .
- Click Outlook Anywhere.
- In the Specify the external hostname field, specify the externally accessible FQDN of the Client Access server. For example, mail.superplaneteers.com.
- While you’re here, let’s also set the internally accessible FQDN of the Client Access server. In the Specify the internal hostname field, insert the FQDN you used in the previous step. For example, mail. superplaneteers.com.
- Click Save.
- Go to Servers > Virtual directories and then click Configure external access domain .
- Under Select the Client Access servers to use with the external URL, click Add .
- Select the Client Access servers you want to configure, and then click Add. After you’ve added all the Client Access servers you want to configure, click OK.
- In Enter the domain name you will use with your external Client Access servers, type the external domain you want to apply. For example, mail.superplaneteers.com. Click Save.
Configure External and Internal URL to be same
- Open the Exchange Management Shell on your Exchange 2013 Client Access server.
- Store the host name of your Client Access server in a variable that will be used in the next step. For example, In my case, mail.superplaneteers.com
$HostName = “mail.superplaneteers.com “
3. Run each of the following commands in the Shell to configure each internal URL to match the virtual directory’s external URL.
Set-EcpVirtualDirectory “$HostNameECP (Default Web Site)” -InternalUrl ((Get-EcpVirtualDirectory “$HostNameECP (Default Web Site)”).ExternalUrl)
Set-WebServicesVirtualDirectory “$HostNameEWS (Default Web Site)” -InternalUrl ((get-WebServicesVirtualDirectory “$HostNameEWS (Default Web Site)”).ExternalUrl)
Set-ActiveSyncVirtualDirectory “$HostNameMicrosoft-Server-ActiveSync (Default Web Site)” -InternalUrl ((Get-ActiveSyncVirtualDirectory “$HostNameMicrosoft-Server-ActiveSync (Default Web Site)”).ExternalUrl)
Set-OabVirtualDirectory “$HostNameOAB (Default Web Site)” -InternalUrl ((Get-OabVirtualDirectory “$HostNameOAB (Default Web Site)”).ExternalUrl)
Set-OwaVirtualDirectory “$HostNameOWA (Default Web Site)” -InternalUrl ((Get-OwaVirtualDirectory “$HostNameOWA (Default Web Site)”).ExternalUrl)
Set-PowerShellVirtualDirectory “$HostNamePowerShell (Default Web Site)” -InternalUrl ((Get-PowerShellVirtualDirectory “$HostNamePowerShell (Default Web Site)”).ExternalUrl)
To verify that you have successfully configured the internal URL on the Client Access server virtual directories, do the following:
- In the EAC, go to Servers > Virtual directories.
- In the Select server field, select the Internet-facing Client Access server.
- Select a virtual directory and then click Edit .
- Verify that the Internal URL field is populated with the correct FQDN.
Move Arbitration Mailboxes
Follow the below steps to move all arbitration and discovery search mailboxes to 2013 database.
Open Exchange Management Shell with run as administrator and run the following cmds
Get‐Mailbox –Arbitration | New-MoveRequest –TargetDatabase TargetDBName
Get-Mailbox “*Discovery*” | New-MoveRequest –TargetDatabase TargetDBName
OR
Type the following comdlets in EMS to find arbitration mailboxes and migrate using migration wizard.
Get-Mailbox –Arbitration >C:Arbitration.txt
Get-Mailbox “*Discovery*” >C:Discovery.txt
- In the EAC, go to Recipients > Migration.
- Click New , and then click Move to a different database.
- On the New local mailbox move page, click Select the users that you want to move, and then click Add .
- On the Select Mailbox page, add the mailbox that has the following properties:
- The display name is Microsoft Exchange.
- The alias of the mailbox’s email address is SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}.
- Click OK, and then click Next.
- On the Move configuration page, type the name of the migration batch, and then click Browse next to the Target database box.
- On the Select Mailbox Database page, add the mailbox database to move the system mailbox to. Verify that the version of the mailbox database that you select is Version 15. x, which indicates that the database is located on an Exchange 2013 server.
- Click OK, and then click Next.
- On the Start the batch page, select the options to automatically start and complete the migration request, and then click New.
Enable and configure Outlook Anywhere
To allow your Exchange 2013 Client Access server to redirect connections to your Exchange 2010 servers, you must enable and configure Outlook Anywhere on all of the Exchange 2010 servers in your organization. If some Exchange 2010 servers in your organization are already configured to use Outlook Anywhere, their configuration must also be updated to support Exchange 2013. When you use the steps below to configure Outlook Anywhere, the following configuration is set on each Exchange 2010 server:
- Open the Exchange Management Shell on your Exchange 2010 Client Access server.
- Store the external host name of your Exchange 2013 Client Access server in a variable that will be used in the next steps. For example, mail.superplaneteers.com.
$Exchange2013HostName = “mail.superplaneteers.com”
Run the following command to configure Exchange 2010 servers that already have Outlook Anywhere enabled to accept connections from Exchange 2013 servers.
Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like “Version 14*”) -And ($_.ServerRole -Like “*ClientAccess*”)} | Get-ClientAccessServer | Where {$_.OutlookAnywhereEnabled -Eq $True} | ForEach {Set-OutlookAnywhere “$_RPC (Default Web Site)” -ClientAuthenticationMethod Basic -SSLOffloading $False -ExternalHostName $Exchange2013HostName -IISAuthenticationMethods NTLM, Basic}
If you didn’t enable Outlook Anywhere in Exchange 2010 already, Run the following command to enable Outlook Anywhere and configure Exchange 2010 to accept connections from Exchange 2013 servers.
Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like “Version 14*”) -And ($_.ServerRole -Like “*ClientAccess*”)} | Get-ClientAccessServer | Where {$_.OutlookAnywhereEnabled -Eq $False} | Enable-OutlookAnywhere -ClientAuthenticationMethod Basic -SSLOffloading $False -ExternalHostName $Exchange2013HostName -IISAuthenticationMethods NTLM, Basic
Configure service connection point (SCP)
Autodiscover uses an Active Directory object called the service connection point (SCP) to retrieve a list of AutoDiscover URLs for the forest in which Exchange is installed. When you install Exchange 2013, you need to update the SCP object to point to the Exchange 2013 server. This is necessary because Exchange 2013 servers provide additional AutoDiscover information to clients to improve the discovery process.
You must update the SCP object configuration on every Exchange server in the organization. You need to use the version of the Exchange Management Shell that corresponds to the version of the Exchange servers you’re updating.
Perform the following steps to configure the SCP object on your Exchange 2010 servers.
- Open the Exchange Management Shell on your Exchange 2010 Client Access server.
- Store the AutoDiscover host name of your Exchange 2013 Client Access server in a variable that will be used in the next step. For example, autodiscover.superplaneteers.com.
$AutodiscoverHostName = “autodiscover.superplaneteers.com”
Run the following command to set the SCP object on every Exchange 2010 server to the AutoDiscover URL of the new Exchange 2013 server.
Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like “Version 14*”) -And ($_.ServerRole -Like “*ClientAccess*”)} | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://$AutodiscoverHostName/Autodiscover/Autodiscover.xml
Perform the following steps to configure the SCP object on your Exchange 2013 servers.
- Open the Exchange Management Shell on your Exchange 2013 Client Access server.
- Store the AutoDiscover host name of your Exchange 2013 Client Access server in a variable that will be used in the next step. For example, autodiscover.superplaneteers.com.
$AutodiscoverHostName = “autodiscover.superplaneteers.com”
Run the following command to set the SCP object on every Exchange 2013 server to the AutoDiscover URL of the new Exchange 2013 server.
Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like “Version 15*”) -And ($_.ServerRole -Like “*ClientAccess*”)} | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://$AutodiscoverHostName/Autodiscover/Autodiscover.xml
Configure Exchange 2013 Mail flow
Receive connectors
There are four receive connectors in Exchange 2013. They are:
· Default <server name> Accepts connections from Mailbox servers running the Transport service and from Edge servers.
· Client Proxy <server name> Accepts connections from front-end servers. Typically, messages are sent to a front-end server over SMTP.
· Default FrontEnd <server name> Accepts connections from SMTP senders over port 25. This is the common messaging entry point into your organization.
· Outbound Proxy Frontend <server name> Accepts messages from a Send Connector on a back-end server, with front-end proxy enabled.
1. Open the EAC by browsing to https://AUPEREXCAS01/ecp?ExchClientVer=15 of your Client Access server. Click Mail flow, Click Receive Connector
2. Select Default Frontend AUPERMBX01, Click on Edit or Pencil icon, On the Security Parameter, Select Anonymous, Click Save.
3. Repeat the steps for Default Frontend AUPERMBX02.
Send connector:
All you have to do is to add Exchange 2013 mailbox servers to the existing send connector as shown below:
Open Exchange management Shell as an administrator, execute the following command.
Set-SendConnector –Identity Outbound –SourceTransportServers AUPEREXMBX01, AUPEREXMBX02
OR
1. Open the EAC by browsing to https://AUPEREXCAS01/ecp?ExchClientVer=15 of your Client Access server. Click Mail flow, Click Send Connector, Click Edit or Pencil icon
2. Click on scoping and + icon on Source Server parameter to add the server
3. Select the Exchange 2013 Mailbox servers (AUPEREXMBX01 and AUPEREXMBX02) and add them and Click save.
4. Send connector configuration completed.
Configure a smart host if necessary
1. In the EAC https://AUPEREXCAS01/ecp?ExchClientVer=15, navigate to Mail flow > Send connectors, and then click Add .
2. In the New send connector wizard, specify a name for the send connector and then select Custom for the Type. You typically choose this selection when you want to route messages to computers not running Microsoft Exchange Server 2013. Click Next.
3. Choose Route mail through smart hosts, and then click Add . In the Add smart host window, the fully qualified domain name (FQDN), such as relay.sjc.mx.trendmicro.com. Click Save.
4. Under Address space, click Add . In the Add domain window, make sure SMTP is listed as the Type. For Fully Qualified Domain Name (FQDN), enter * to specify that this send connector applies to messages sent to any domain. Click Save.
5. For Source server, click Add . In the Select a server window, choose a server and click Add . Click OK.
6. Click Finish.
Anonymous Relay
Create a new receive connector using Exchange Administration Center with the following parameters.
- Name: Anonymous Relay
- Role: Frontend Transport
- Type: Custom
- Available IP: Exchange 2013 server IP
- Port: 25
- Security: Anonymous
- Authentication: TLS, Externally Secured
- Permission: Exchange Servers, Anonymous users
1. Open the EAC by browsing to https://AUPEREXCAS01/ecp?ExchClientVer=15 of your Client Access server. Click Mail flow, Click Receive Connector, Click Add or + icon
2. Select an Exchange Mailbox Server name AUPEREXMBX01, Type Anonymous Relay on the name, Click Frontend transport, Select Custom, Click Next..
3. On the Network Adapter Binding, Add Exchange 2013 MBX Server IP (10.10.10.11) and port 25. On the remote network settings, add printer, scanner, device and application server IPs. Click Save to create Anonymous Relay.
4. Select newly created Anonymous relay, Click Edit or Pencil Icon, Click Security parameter, Select TLS, Externally Secured in Authentication and Select Exchange Servers, Anonymous users in Permission groups.
5. Open Exchange 2013 Management Shell and execute the following
Get-ReceiveConnector “Anonymous Relay” | Add-ADPermission -User “NT AUTHORITYANONYMOUS LOGON” -ExtendedRights “Ms-Exch-SMTP-Accept-Any-Recipient”
6. Open Exchange management Shell in Exchange 2010 execute cmdlet
Get-ReceiveConnector –Identity “Anonymous relay” | Fl
From PowerShell Windows copy all the IP addresses of printer and scanner to a notepad
7. Edit Anonymous Relay in Exchange 2013 Administration center and add all the IPs addresses you copied in previous step into remote network setting of Exchange 2013 relay.
8. Repeat step 1 to step 7 on all mailbox servers.
Configure Public Name Space
At this stage, you are ready to configure public DNS record. Update your public DNS record including Hosted Email Security. You only need to configure public DNS if you are changing public IPs and hosted email security otherwise you just have to change the port 443 and port 25 forwarding rule in internal Cisco router in your organization.
You public DNS must look similar to this table.
superplaneteers.com | MX | Mail.superplaneteers.com |
mail.superplaneteers.com | A | 203.17.x.x (Public IP) |
autodiscover.superplaneteers.com | A | 203.17.x.x (Public IP) |
Request your ISP who provided you 203.17.x.x public IP to create reverse DNS record for mail.superplaneteers.com. This is very important for Exchange to function correctly. When you send email to a destination, many destination server checks reverse DNS. If reverse DNS is wrong you could be banned from sending email to destination server. Note that outlook.com check reverse DNS and SPF records of domain sending email to an outlook address.
Configure TMG/UAG
If you are publishing internet facing Exchange 2013 CAS using TMG or UAG, follow the URL below and publish Outlook Web App and Active Sync.
Publish-exchange-server-2010-using-forefront-uag-2010-step-by-step/
Publish-outlook-web-access-and-exchange-servers-using-forefront-tmg-2010/
Create internal DNS Record
Create Host(A) record with reverse DNS in the forward lookup zone of forest superplaneteers.com. Internal DNS records must look similar to this table.
FQDN | Record Type | IP Address |
Mail.superplaneteers.com | A | 10.10.10.16 |
Autodiscover.superplaneteers.com | A | 10.10.10.16 |
If you don’t have CAS NLB or load balancer then your internal host(A) record must point to Exchange 2013 CAS server.
Open PowerShell as an administrator, execute the following
Resove-Dnsname mail.superplaneteers.com
Nslookup mail.superplaneteers.com
Configure Offline Address Book
To create a new offline address book and set the same OAB on all mailbox databases at once, run the following command. The command example uses “Default Offline Address Book” for the name of the OAB.
Open Exchange Management Shell, execute the cmdlets
New-OfflineAddressBook -Name “Default Offline Address Book” -AddressLists “Default Global Address List”
Restart-Service MSExchangeMailboxAssistants
Wait a few minutes and check if the OAB files is created in C:Program FilesMicrosoftExchange ServerV15ClientAccessOAB<newGUID>
Try to access the new OAB in IE: https://mail.superplaneteers.com/oab/<newguid/oab.xml
Get-MailboxDatabase | Set-MailboxDatabase -OfflineAddressBook “Default Offline Address Book (Ex2013)”
To Change the generation server open Exchange 2010 Management Shell and run the following command:
Move-OfflineAddressBook –Identity “Default Offline Address Book” –Server AUPERCAS01,AUPERCAS02
Configure new transport rule in Exchange 2013 or Export transport rules from legacy Exchange.
Follow this reference if you are migrating from Exchange 2007
You cannot migrate transport rules from Exchange Server 2007 to Exchange Server 2013
The following cmdlet example exports all your Transport Rules to the XML file, ExportedRules.xml, in the “c:TransportRules” folder:
Export-TransportRuleCollection -FileName “c:TransportRulesExportedRules.xml”
The following example cmdlet imports your transport rule collection from the XML file ExportedRules.xml in the “C:TransportRules” folder
[Byte[]]$Data = Get-Content -Path “C:TransportRulesExportedRules.xml” -Encoding Byte -ReadCount 0 Import-TransportRuleCollection -FileData $Data
To create new Transport rule,
1. Open the EAC by browsing to https://AUPEREXCAS01/ecp?ExchClientVer=15 of your Client Access server.
- Enter your user name and password in Domainuser name and Password, and then click Sign in.
- Click Mail Flow, Click Rules, Click Add or + Icon, Type the Name of Rule, Select rule conditions, Click More Option.
- Select Date when you would like to activate the rule
- Click whether you would like to enforce the rule or test the rule
- Follow the wizard to finish the rule settings.
Move mailboxes to Exchange 2013
- Open the EAC by browsing to https://AUPEREXCAS01/ecp?ExchClientVer=15 of your Client Access server.
- Enter your user name and password in Domainuser name and Password, and then click Sign in.
- Go to Recipients > Migration, click Add and then select Move to a different database.
- Under Select the users that you want to move, click Add .
- In the Select Mailbox window, select the mailboxes you want to move, click Add and then OK.
- Verify that the mailboxes you want to move are listed and then click Next.
- Specify a name for the new mailbox move and verify that Move the primary mailbox and the archive mailbox if one exists is selected.
- Under Target database, click Browse.
- In the Select Mailbox Database window, select a mailbox database on the Exchange 2013 server that you want to move the mailboxes to, click Add and then OK.
- Verify that the mailbox database displayed in Target database is correct and then click Next.
- Decide which user should receive the mailbox move report once the move is complete. By default, the current user will receive the move report. If you want to change which user receives the report, click Browse and select a different user.
- Verify Automatically start the batch is selected.
- Decide whether you want to have mailbox moves automatically complete. During the finalization phase, the mailbox is unavailable for a short time. If you choose to complete the mailbox move manually, you can decide when the move is finalized. For example, you might want to finalize the move during off-work hours. Select or clear Automatically complete the migration batch.
14. Click Finish.
OR
Open Exchange Management Shell
Get-Mailbox –Database “Exchange 2010 database name’ | New-MoveRequest –targetdatabase “Exchange 2013 database name”
Get-MoveRequest
Migrate Room or Resource mailboxes
Open EMS and execute the cmdlets
Get-Mailbox -RecipientTypeDetails roommailbox -database SOURCEDBNAME | new-moverequest -targetdatabase TARGETDBNAME
Upgrade Distribution groups
Open Exchange management Shell as an administrator, execute the following command.
Get-DistributionGroup -resultsize unlimited | Set-DistributionGroup –ManagedBy “CN=Organization
Management,OU=Microsoft Exchange Security Groups,DC=superplaneteers,DC=com”
Get-DistributionGroup -resultsize unlimited | Set-DistributionGroup –ForceUpgrade
Upgrading Distribution Groups with multiple owners to Exchange 2013
Open Exchange management Shell as an administrator, execute the following command.
foreach ($DL in (Get-DistributionGroup -ResultSize Unlimited)) { $owners = Get-ADPermission $DL.identity | ?{$_.User -notlike “*Exchange*” -and $_.User -notlike “S-*” -and $_.User -notlike “*Organization*” -and $_.User -notlike “NT*” -and $_.User -notlike “*Domain Admins*” -and $_.User -notlike “*Enterprise Admins” -and $_.User -notlike “BUILTIN*” -and $_.User –notlike “*Delegated Setup*”} | %{$_.user.tostring()};Set-DistributionGroup $DL -BypassSecurityGroupManagerCheck -ManagedBy $owners }
Migrate Public Folder
In Exchange 2013, public folders were re-engineered using mailbox infrastructure to take advantage of the existing high availability and storage technologies of the mailbox database. Public folder architecture uses specially designed mailboxes to store both the public folder hierarchy and the content. This also means that there’s no longer a public folder database. High availability for the public folder mailboxes is provided by a database availability group (DAG).
There are two types of public folder mailboxes: the primary hierarchy mailbox and secondary hierarchy mailboxes. Both types of mailboxes can contain content:
- Primary hierarchy mailbox The primary hierarchy mailbox is the one writable copy of the public folder hierarchy. The public folder hierarchy is copied to all other public folder mailboxes, but these will be read-only copies.
- Secondary hierarchy mailboxes Secondary hierarchy mailboxes contain public folder content as well and a read-only copy of the public folder hierarchy.
There are two ways you can manage public folder mailboxes:
- In the Exchange admin center (EAC), navigate to Public folders > Public folder mailboxes.
Before you migrate public folder, I would recommend creating new separate mailbox database in Exchange 2013 then start the migration process.
Step1: Perform Perquisites
Download all four of the Microsoft Exchange 2013 public folder migration scripts and save the script in C:PFScripts
Prerequisites in Exchange 2010 Server
Open Exchange Management Shell in Exchange 2010 server, run the following cmdlets one by one.
Run the following command to take a snapshot of the original source folder structure.
Get-PublicFolder -Recurse | Export-CliXML C:PFMigrationLegacy_PFStructure.xml
Run the following command to take a snapshot of public folder statistics such as item count, size, and owner
Get-PublicFolderStatistics | Export-CliXML C:PFMigrationLegacy_PFStatistics.xml
Run the following command to take a snapshot of the permissions.
Get-PublicFolder -Recurse | Get-PublicFolderClientPermission | Select-Object Identity,User -ExpandProperty AccessRights | Export-CliXML C:PFMigrationLegacy_PFPerms.xml
Save the information from the preceding commands for comparison at the end of the migration.
In Exchange 2010, to locate public folders that have a backslash in the name, run the following command:
Get-PublicFolderStatistics -ResultSize Unlimited | Where {$_.Name -like “**”} | Format-List Name, Identity
In Exchange 2007, to locate public folders that have a backslash in the name, run the following command:
Get-PublicFolderDatabase | ForEach {Get-PublicFolderStatistics -Server $_.Server | Where {$_.Name -like “**”}}
If any public folders are returned, you can rename them by running the following command:
Set-PublicFolder -Identity <public folder identity> -Name <new public folder name>
Make sure there isn’t a previous record of a successful migration. If there is, you’ll need to set that value to $false. If the value is set to $true the migration request will fail.
The following example checks the public folder migration status.
Get-OrganizationConfig | Format-List PublicFoldersLockedforMigration, PublicFolderMigrationComplete
Set-OrganizationConfig -PublicFoldersLockedforMigration:$false -PublicFolderMigrationComplete:$false
Prerequisites on Exchange 2013
Make sure there are no existing public folder migration requests. If there are, clear them.
Get-PublicFolderMigrationRequest | Remove-PublicFolderMigrationRequest -Confirm:$false
To make sure there are no existing public folders on the Exchange 2013 servers, run the following commands.
Get-Mailbox -PublicFolder
Get-PublicFolder
If the above commands return any public folders, use the following commands to remove the public folders.
Get-MailPublicFolder | where $_.EntryId -ne $null | Disable-MailPublicFolder -Confirm:$false
Get-PublicFolder -GetChildren | Remove-PublicFolder -Recurse -Confirm:$false
Get-Mailbox -PublicFolder |Remove-Mailbox -PublicFolder -Confirm:$false
Step2: Generate CSV Files
On the Exchange 2010 server, run the Export-PublicFolderStatistics.ps1 script to create the folder name-to-folder size mapping file.
.Export-PublicFolderStatistics.ps1 <Folder to size map path> <FQDN of source server>
Run the PublicFolderToMailboxMapGenerator.ps1 script to create the public folder-to-mailbox mapping file. This file is used to create the correct number of public folder mailboxes on the Exchange 2013 Mailbox server.
.PublicFolderToMailboxMapGenerator.ps1 <Maximum mailbox size in bytes> <Folder to size map path> <Folder to mailbox map path>
<Folder to size map path> is \AUPEREX2010c$PFstat.csv
<Maximum mailbox size in bytes> is 20000000
<Folder to mailbox map path> is \AUPEREX2010c$PFMigrationmapgen.csv
Step3: Create public folder mailboxes on Exchange 2013
Run the following command to create the first public folder mailbox on the Exchange 2013 Mailbox server.
New-Mailbox -PublicFolder <Name> -HoldForMigration:$true –database “Exchange 2013 database”
Run the following command to create additional public folder mailboxes as needed based on the .csv file generated from the PublicFoldertoMailboxMapGenerator.ps1 script.
$numberOfMailboxes = 25;
for($index =1 ; $index -le $numberOfMailboxes ; $index++)
{
$PFMailboxName = “Mailbox”+$index; if($index -eq 1) {New-Mailbox -PublicFolder $PFMailboxName -HoldForMigration:$true -IsExcludedFromServingHiearchy:$true;}else{NewMailbox-PublicFolder $PFMailboxName -IsExcludedFromServingHierarchy:$true}
}
Step4: Start Migration request
Legacy system public folders such as OWAScratchPad and the schema-root folder subtree in Exchange 2007 won’t be recognized by Exchange 2013 and will be treated as bad items. This will cause the migration to fail. As part of the migration request, you must specify a value for the BadItemLimit parameter.
From the Exchange 2013 Mailbox server, run the following command:
$PublicFolderDatabasesInOrg = @(Get-PublicFolderDatabase)
$BadItemLimitCount = 5 + ($PublicFolderDatabasesInOrg.Count -1)
New-PublicFolderMigrationRequest -SourceDatabase (Get-PublicFolderDatabase -Server <Source server name>) -CSVData (Get-Content <Folder to mailbox map path> -Encoding Byte) -BadItemLimit $BadItemLimitCount
To verify that the migration started successfully, run the following command.
Get-PublicFolderMigrationRequest | Get-PublicFolderMigrationRequestStatistics -IncludeReport | Format-List
Step 5: Lock Source Server
On the Exchange 2010 server, run the following command to lock the legacy public folders for finalization.
Set-OrganizationConfig -PublicFoldersLockedForMigration:$true
Step6: Finalize public folder migration
Set-PublicFolderMigrationRequest -Identity PublicFolderMigration -PreventCompletion:$false
Resume-PublicFolderMigrationRequest -Identity PublicFolderMigration
Step7: Test Public Folder Migration
Run the following command to assign some test mailboxes to use any newly migrated public folder mailbox as the default public folder mailbox
Set-Mailbox -Identity <Test User> -DefaultPublicFolderMailbox <Public Folder Mailbox Identity>
Log on to Outlook 2007 or later with the test user identified in the previous step, and then perform the following public folder tests:
Post Migration Check
1. Verify Internal and external DNS records and aliases of autodiscover and mail are pointing to Exchange 2013 CAS server or load balancer VIP or CAS NLB IP. At this stage do not delete Host(A) record of legacy exchange servers until you decommission them.
2. Point your Spam Guard or hosted email security to forward all the emails to exchange 2013 to receive incoming mail via Exchange 2013.
3. Configure Spam Guard or hosted email security to accept emails from all Exchange 2013 Mailbox servers.
4. Configure smart host if necessary.
5. Configure all other application to send email via the Exchange 2013 Mailbox Servers
6. Test inbound and outbound email from outlook client and mobile devices.
7. Start Monitoring Exchange, Open EMS and execute Get-mailbox –monitoring
8. Go to https://testconnectivity.microsoft.com/ to test connectivity of Exchange 2013
9. Go to http://mxtoolbox.com/ to test your MX, Reverse DNS and DNS records.
Decommission Legacy Exchange Server
Before you decommission legacy Exchange server, make sure you have completed the following tasks
- Make sure public and internal DNS, MX and CNAME are correct.
- Move all user mailboxes to Exchange 2013.
- Move all room mailboxes to Exchange 2013.
- Move all public folders to Exchange 2013
- Move all arbitration mailboxes to Exchange 2013.
- Move all Discovery Search mailboxes to Exchange 2013
- Add all Exchange 2013 mailbox servers in all the send connectors and remove the Exchange 2007/2010 servers from Send Connector.
- Create new anonymous relay receive connectors in Exchange 2013 and all IPs in remote network settings properties of relay
- Ensure you have configured Autodiscover correctly at AutoDiscoverServiceInternalUri properties if all CAS 2013. Issue Get-ClientAccessServer | fl cmdlet to view internal url of autodiscover.
10. Remove Exchange 2010 CAS arrays. Execute Get-clientaccessarray | remove-ClientAccessArray in Exchange 2010 management shell
11. Point all the applications to use Exchange 2013 SMTP.
12. Test inbound and outbound email from various supported clients.
Now is the time to shutdown legacy exchange servers in your organization and test Exchange 2013 mail flow again. Make sure you shut down the server during working hours and working days. Keep the legacy exchange down for at least 48hrs. To decommission legacy Exchange follow the steps
1. Bring all legacy servers online means power on all servers which were down in previous step.
2. Remove all Public Folder replicas else Public Folder Database will not be removed. To remove public folder replicas, open Exchange Management Console in exchange 2010, Click Tools, Open Public Folder Management Console, Select Default Public Folder, Click properties, Click Replication, Remove exchange 2010 database from replication. Repeat the same for systems public folder.
3. Remove Exchange 2007/2010 mailbox database and Public folder databases from EMC or EMS.
4. Go to Control Panel to remove Exchange 2007/2010. On Program and Features screen click on Uninstall. On the Maintenance Mode page of the Exchange Server 2007/2010 Setup wizard begins the process of removing your Exchange installation. Click Next to continue.
5. On the Server Role Selection page, uncheck in 2007/2010 all Exchange server roles and Exchange management tools to remove. In Exchange 2007 CCR remove passive node first then follow the same steps on active node. Click next to continue.
6. On the Readiness Checks page, view the status to determine if the organization and server role prerequisite checks completed successfully. If the prerequisites check doesn’t complete successfully, review the Summary page and fix any issues that are preventing Setup from removing exchange 2007/2010. If the checks have completed successfully, click Uninstall to remove the entire installation of Exchange 2007/2010.
7. On the Completion page, click Finish.
8. Verify the setup log files and folder located at c:ExchangeSetupLogs.
9. Uninstall Internet Information Services (IIS) from windows Server 2008 or add/remove program and features in Windows Server 2003.
10. Disjoin the legacy Exchange servers from the Domain.
11. Delete Host(A) DNS record of Legacy Exchange Server. Delete ONLY legacy DNS record.
References
http://technet.microsoft.com/en-us/library/ee332361(EXCHG.141).aspx
http://technet.microsoft.com/en-us/library/bb123893(EXCHG.80).aspx
http://technet.microsoft.com/en-US/exdeploy2013/Checklist?state=2284-W-CABEAgAAQAAACQEAAQAAAA~~
http://support.microsoft.com/kb/2846555
http://support.microsoft.com/?kbid=940726
http://www.petenetlive.com/KB/Article/0000036.htm
http://www.expta.com/2013/05/owa-2013-cu1-redirection-is-broken-for.html
How to Configure Unified Messaging in Exchange 2013 Step by Step
There are many ways you can achieve unified messaging functionality in Exchange 2013. It all depends on your Exchange, Lync and telephony infrastructure.
Before you begin, you have to install Exchange language pack for non-English Exchange deployment. For English deployment you don’t need to install language pack.
Depending on your Exchange 2013 version, Download Exchange Language Pack from the following web sites.
http://www.microsoft.com/en-au/download/details.aspx?id=35368
http://www.microsoft.com/en-au/download/details.aspx?id=39713
http://www.microsoft.com/en-au/download/details.aspx?id=41176
Right click the UMLanguagePack.Country-Code.exe file, Click Run As Administrator.
In the Exchange 2013 Setup wizard, on the License Agreement page, select I accept the terms in the license agreement, and then click Next then click Install.
Click Finish to complete the installation of the UM language pack.
Scenario#1
If you have a Cisco Call Manager for IP telephony then you just need to perform few tasks in Exchange 2013 to integrate Exchange and Cisco Call Manager. Here are the steps to accomplish unified messaging in Exchange 2013 with Cisco Call Manager.
Step1: Create a Service Account named domainnamesa-ExchangeUC and set password and account to be never expired. Set user cannot change password.
Step2: Open Exchange 2013 Management Shell as an administrator (Account must be a member of Exchange organisation management role). issue the following command.
New-ManagementRoleAssignment –Name:UMServicesConnectionACC –Role:ApplicationImpersonation -User:”domainanemsa-ExchangeUC “
Get-ManagementRoleAssignment
Step3: Create an anonymous relay in Exchange 2013. Here is a guideline.
Name: Anonymous Relay
Role: Frontend Transport
Type: Custom
Available IP: Exchange 2013 server IP
Port: 25
Authentication: TLS, Externally Secured
Permission: Exchange Servers, Anonymous users
Open Exchange Management Shell and execute the following
Get-ReceiveConnector “Anonymous Relay” | Add-ADPermission -User “NT AUTHORITYANONYMOUS LOGON” -ExtendedRights “Ms-Exch-SMTP-Accept-Any-Recipient”
Now add Cisco Call Manager IP address into remote network settings properties of anonymous relay.
Step4: Export Exchange Client Access Certificate from Exchange 2013 as .pfx format (public key included) and import into computer account of windows machine then export as .cer format certificate into Cisco Unity. reference http://www.digicert.com/ssl-support/pfx-import-export-iis.htm
Step5: Configure Cisco Unity for Unified Messaging. Follow this link to configure Cisco Call Manager. Detailed guide is available in Cisco Unity and Microsoft Exchange configuration guide.
Scenario#2
There are other ways to achieve same result if you decide Exchange 2013 to manage dial plan, auto attendant, hunt group and voice delivery etc. In this scenario, you have configure lot more then previous steps. There is no concrete steps for your scenario or your IP telephony systems. But here is what you have to do to accomplish unified messaging between IP-PBX and Exchange 2013. I assume your Exchange 2013 and IP-PBX are working per normal.
Step1: Create a Service Account named domainnamesa-ExchangeUC and set password and account to be never expired. Set user cannot change password in the properties of sa-ExchangeUC account.
Step2: Export Exchange Client Access Certificate from Exchange 2013 as .pfx format (public key included) and import into computer account of a windows machine then export as .cer format certificate into IP-PBX.
Step3: Configure IP-PBX to connect to Exchange 2013 using service account you have created in previous step.
Step4: Create a virtual extension number. This extension number will be used in a Exchange 2013 only.
Step5: Create a dial plan
In the Exchange admin center (EAC), navigate to Unified Messaging > UM dial plans, and then click Add .
On the New UM Dial Plan page, complete the following boxes:
Name: ExchangeUC Dial Plan
Extension Length: 4 or Exact length used in IP-PBX
Dial plan type: Telephone extension
VoIP security mode: Unsecured
Country/Region code: +61 (for australia)
Click Save.
Step6: Create a PIN Policy
In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, click the ExchangeUC Dial Plan you have created in previous step and then click Edit .
On the UM Dial Plan page, under UM Mailbox Policies, select the UM mailbox policy you want to edit, and then click Edit .
Click Properties. On the UM mailbox policy page, click PIN policies.
On the PIN Policies page, configure the following PIN settings
PIN Length: 5
PIN Cycle: 5
Enforce PIN lifetime: 60
Sign-in failure: 5
Sign-in lockout:15
Click Save.
Step8: Add a DNS record in the forward lookup zone of Active Directory DNS
lets say DNS Name: IPPBX.domainname.com and corresponding IP: 10.10.70.240
Step8: Add UM IP Gateway
In the EAC, navigate to Unified Messaging > UM IP Gateways, and then click Add .
On the New UM IP gateway page, enter the following information:
Name: Cisco Unity or 3CX whichever is your gateway
Address: FQDN or IP Address of IP-PBX
UM Dial Plan: ExchangeUC Dial Plan
Click Save.
Step9: Create Auto Attendant
In the EAC, navigate to Unified Messaging > UM dial plans, select the ExchangeUC Dial Plan for which you want to add an auto attendant, and then click Edit .
On the UM Dial Plan page, under UM Auto Attendants, click Add .
On the New UM auto attendant page, complete the following boxes:
Name: ExchangeUC Auto Attendant
Uncheck “Create this auto attendant as enabled”
Uncheck “Set the auto attendant to respond to voice commands”
Access Number: click Add and add virtual extension number you have created in step 4.
Click Save.
Step 10 (Optional):
In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the ExchangeUC Dial Plan and then click Edit .
On the UM Dial Plan page, under UM Hunt Groups, click Add .
On the New UM Hunt Group page, complete the following boxes:
Associated UM IP gateway: IPPBX.domainname.com
Name: ExchangeUC Hunt Group
Dial plan Click Browse to select the ExchangeUC Dial Plan
Pilot identifier: a string that uniquely identifies the pilot identifier obtained from IP-PBX.
Click Save.
Step11: Setup UM Dial Plan Policies
In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the ExchangeUC Dial Plan and then click Edit .
On the UM Dial Plan page, under UM Mailbox Policies, click New .
On the New UM mailbox policy page, in the Name box, enter the name of ExchangeUC mailbox policy.
Click Save.
Step12: Enable User for Voice Mail
In the EAC, click Recipients. In the List view, select the user whose mailbox you want to enable for Unified Messaging.
In the Details pane, under Phone and Voice Features, click Enable.
On the Enable UM mailbox page, click the Browse and select ExchangeUC mailbox policy, and then click OK.
On the Enable UM mailbox page, complete the following boxes:
Extension Number: Type the extension number you have created in IP-PBX for this mailbox
PIN Settings: Type a 5 digit PIN number
Click Finish.
Now you have successfully configured Unified Messaging in Exchange 2013. However if you have Lync 2013 in your organisation. you will have to perform the following steps in Exchange 2013 to integrate Lync and Exchange.
Step1: Set Dial Start-up mode to dual
Open Exchange Management Shell, Enter the following command
Set-UmService -Identity “FQDN of Exchange Server” -DialPlans “ExchangeUC Dial Plan” -UMStartupMode “Dual”
Step2: Assign Exchange Certificate to UM
Type Get-ExchangeCertificate and copy the thumbprint in notepad
Enable-ExchangeCertificate -Server “FQDN of Exchange Server” -Thumbprint “EA5A332496CC05DA69B7578A110D22d” -Services “UM”
I assume that you already assigned this certificate to IIS, SMTP services. Restart the MsExchangeUM service on the Exchange server.
Step3: Assign certificate to call router
Set-UMCallRouterSettings -Server “FQDN of Exchange Server” -UMStartupMode “Dual” -DialPlans “ExchangeUC Dial Plan”
Enable-ExchangeCertificate -Server “FQDN of Exchange Server” -Thumbprint “45BAA32496CC891169B75B9811320F78A1075DDA” –Services “IIS”, “UMCallRouter”
Restart the MsExchangeUM service on the Exchange server.
Step4: Test UM Service
$credential = Get-Credential “DomainNameUser1”
Test-CsExUMConnectivity -TargetFqdn “FQDN of Exchange Server” -UserSipAddress “sip:User1@DomainName.com” -UserCredential $credential
$credential = Get-Credential “DomainNameUser2”
Test-CsExUMVoiceMail -TargetFqdn “FQDN of Exchange Server” -ReceiverSipAddress “sip:user1@DomainName.com” -SenderSipAddress “sip:user2@DomainName.com” -SenderCredential $credential
References:
http://technet.microsoft.com/en-us/library/jj673564%28v=exchg.150%29.aspx
http://technet.microsoft.com/en-us/library/jj150478%28v=exchg.150%29.aspx
TrendMicro Worry-Free Business Advanced Configuration Step by Step
Trend Micro Worry-Free Business Security (WFBS) protects business users and assets from data theft, identity theft, risky websites, and spam (Advanced only).
Trend Micro offers the following editions:
Standard: Designed to protect clients (desktops, portable computers, and servers) on your local network. This edition includes Outbreak Defence, Firewall, and Antivirus/Anti-spyware scanning. It also comes with technical support, malware/virus pattern file downloads, real-time scanning, and program updates for one year.
Advanced: Designed to protect clients and Microsoft Exchange servers on your network. In addition to all the features in Worry-Free Business Security Standard, this edition includes Anti-spam, Content Filtering, Data Loss Prevention, and Attachment Blocking.
Features worry-free business Features
- Component Updates
- Device Control
- Antivirus/Anti-spyware
- Firewall
- Web Reputation
- URL Filtering
- Behavior Monitoring
- User Tools
- Instant Messaging Content
- Filtering
- Mail Scan (POP3)
- Mail Scan (IMAP)
- Anti-Spam (IMAP)
- Email Message Content
- Filtering
- Email Message Data Loss Prevention
- Attachment Blocking
TrendMicro Components:
Registration Key
A Registration Key comes with your purchase of Worry-Free Business Security. It has
22 characters (including hyphens) and is in the following format: xx-xxxx-xxxxx-xxxxx-xxxxx
Use a fully licensed Registration Key to register Worry-Free Business Security on the Trend Micro website at http://olr.trendmicro.com.
Security Server
At the center of Worry-Free Business Security is the Security Server. The Security Server hosts the web console, the centralized web-based management console for Worry-Free Business Security. Hosts the Web Console, downloads updates from the Trend Micro ActiveUpdate Server, collects and stores logs, and helps control virus/malware Outbreaks Manages all agents from a single location
Scan Server
The Security Server includes a service called Scan Server, which is automatically installed during Security Server installation. As such, there is no need to install it separately. The Scan Server runs under the process name iCRCService.exe and appears as Trend Micro Smart Scan Service from Microsoft Management Console.
Downloads scanning-specific components from Trend Micro and uses them to scan clients
Agents
Agents protect clients from security threats. Clients include desktops, servers, and Microsoft Exchange servers.
Security Agent Protects desktops and servers from security threats and intrusions Protects Windows 7/Vista/XP/Server 2003/Server 2008 computers from malware/viruses, spyware/grayware, Trojans, and other threats
Messaging Security Agent Protects Microsoft Exchange servers from email-borne security Threats
Web Console
The web console is the central point for monitoring clients throughout the corporate network. It comes with a set of default settings and values that you can configure based on your security requirements and specifications. The web console uses standard Internet technologies, such as Java, CGI, HTML, and HTTP.
WFBS Ports
WFBS uses the following ports:
• Server listening port (HTTP port): Used to access the Security Server. By default, WFBS uses one of the following:
• IIS server default website: The same port number as your HTTP server’s TCP port.
• IIS server virtual website: 8059
• Apache server: 8059
• Client listening port: A randomly generated port number through which the Security Agent and Messaging Security Agent receive commands from the Security Server.
Trend Micro Security (for Mac) Communication port: Used by the Trend Micro Security (for Mac) server to communicate with Mac clients. The default is port 61617.
SMTP port: Used by the Security Server to send reports and notifications to administrators through email. The default is port 25.
Proxy port: Used for connections through a proxy server.
Systems requirements:
- 1 vCPU, 2GB RAM, 10GB additional space
- IIS 7.5 Windows Server 2008 R2
- Internet Explorer
- Adobe Acrobat
- Java client
- Clients that use Smart Scan must be in online mode. Offline clients cannot use Smart Scan
- Administrator or Domain Administrator access on the computer hosting the
- Security Server
- File and printer sharing for Microsoft Networks installed
- Transmission Control Protocol/Internet Protocol (TCP/IP) support installed
- If Microsoft ISA Server or a proxy product is installed on the network, you need to open the HTTP port (8059 by default) and the SSL port (4343 by default) to allow access to the Web Console and to enable client-server communications
TrendMicro Download Location:
Installation:
1. Double-click the SETUP.EXE file. The Trend Micro Installation screen appears.
2. Click Next. The License Agreement screen appears.
3. Read the license agreement. If you agree with the terms, select I accept the terms of the license agreement.
4. Click Next. The Setup Type screen appears.
5. From the Setup Type page, choose one of the following options:
- Typical install (Recommended) – This provides an easy solution for installing WFBS using Trend Micro default values. This method is suitable for a small business using a single Trend Micro Security Server and up to ten clients.
- Minimal Install
- Custom install – This provides flexibility in implementing your network security strategy. This method is suitable if you have many computers and servers or multiple Exchange servers.
6. Click Next. The Product Activation page appears Note: If you do not have an Activation Code, you may not have registered your copy of WFBS yet. Click Register Online to open a new browser window.
7. Click Next. The Setup Overview page appears. The Setup Overview page shows the components that you need configure in order to install the Trend Micro Security Server and the Security Agent (as well as the Messaging Security Agent [MSA] if you are using WFBS Advanced).
8. Click Next. If you selected Custom Installation, the Select Target Folder page would appear. The default WFBS install folder is C:Program FilesTrend MicroSecurity Server. If you want to install WFBS in another folder, click Browse.
9. Click Next. The Select Components page appears.
10. Select the components that you want to install. For WFBS Advanced only: The Configure Security Server page now highlights the Security Server.
- Security Server (default): The Security Server hosts the centralized web-based management console.
- Security Agent (default): The agent protects desktops and servers.
- Messaging Security Agent (optional): When installing the Security Server on a computer that has a Microsoft Exchange server installed on the same computer, Setup prompts you to install a local MSA.
- Remote Messaging Security Agent (optional):When installing the Security Server on a computer that cannot detect the existence of local Microsoft Exchange servers, Setup prompts you to install the remote MSA to remote servers.
11. Configure the Security Server. The Security Server configuration tasks consist of pre-scanning the server for malware as well as configuring the web server and the proxy server.
12. Click Next. The Computer Prescan page appears.
13. Choose whether or not to pre-scan your computer for threats by selecting one of the following options:
Prescan my computer for threats– The prescan targets the most vulnerable areas of the computer, which include the following:
- the boot area and boot directory (for boot sector viruses)
- the Windows folder
- the Program Files folder
- Do not prescan my computer for threats – Trend Micro highly recommends pre-scanning your computer for security threats to ensure that the installation goes into a clean environment. Not pre-scanning the computer could prevent a successful installation.
14. Click Next. If you selected Custom Installation, the Web Server page would appear. Select a web server to host the Security Server web console. Choose one of the following:
- Internet Information Services (IIS) server
- Apache Web server 2.0.xx
15. Click Next. The Web Server Identification page appears.
16. Choose from one of the following server identification options for client-server communication:
- Server information – Choose domain name or IP address:
- Fully Qualified Domain Name – Use the web server’s domain name to ensure successful client-server communications.
- IP address – Verify that the target server’s IP address is correct.
17. Click Next. The Administrator Account Password page appears.
18. Specify different passwords for the Security Server web console and the Security Agent.
Note: The password field holds 1-24 characters and is case sensitive.
- Security Server web console – You will need a password to log on the web console. Provide the password and confirm the password.
- Security Agents – You will need the password to uninstall Security Agents and remove them from your computer.
19. Click Next. The SMTP Server and Notification Recipient(s) page appears.
20. Enter the required information:
- SMTP server – the IP address of your email server
- Port – the port that the SMTP server uses for communications
- Recipient(s) – the email address(es) that the SMTP server uses to send alert notifications. You can enter multiple email addresses when more than one person needs to receive notifications.
21. Click Next. The Trend Micro Smart Protection Network page appears.
22. Choose whether or not you want to participate in the Trend Micro Smart Protection Network feedback program.
23. Click Next. If you selected Custom Installation, the General Proxy Settings page would appear. The Configuring Security Agent page highlights the Security Agent.
- Proxy server type
- Server name or IP address
- Port
- User name and Password – Provide these only if the proxy server requires authentication.
24. Configure the Security Agent. The Security Agent configuration tasks consist of setting the agent installation path, configuring the agent’s server and desktop settings as well as the proxy server settings for additional services.
25. Click Next. If you selected Custom Installation, the Security Agent Installation Path page would appear.
26. Set the following items:
- Installation Path – This is the destination folder where the Security Agent files are installed.
- Security Agent Listening Port – This is the port number used for Security Agent and Security Server communications.
27. Click Next. If you selected Custom Installation, the Configuring Security Agents Settings page would appear.
28. You can configure Security Agent settings for Servers and Desktops: In each group, you can configure the following components:
- Servers – Windows Server 2003/2008 computers will be added to the default Servers group when you first add them to the web console. You can enable different technologies for this group based on your particular needs.
- Desktops – Windows XP/Vista/7 computers will be added to the default Desktops group when you first add them to the web console. You can enable different technologies for this group based on your particular needs.
- Smart Scan – Smart Scan uses a central scan server on the network to take some of the burden of the scanning of clients.
- Antivirus and Anti-Spyware – This scans files for malicious code as they are accessed or created.
- Firewall – This protects clients against malware attacks and network viruses by creating a barrier between the clients and the network.
- Web Reputation – This blocks malicious websites through the credibility of web domains and assigning a reputation score based on several identifying factors.
- URL Filtering – This blocks specified categories of websites (for example, pornographic sites and social networking) according to your company’s policy.
- Behavior Monitoring – This analyses program behaviour to proactively detect known and unknown threats.
- Device Control – This regulates access to external storage devices and network resources.
29. Click Next. If you selected Custom Installation, the Proxy Setting for Additional Services page would appear. The Smart Scan, Web Reputation, and Behaviour Monitoring services use the proxy server address and port used by Internet Explorer on client computers. If that proxy server requires authentication, use this page to specify logon credentials.
30. For WFBS Advanced only: Configure the MSA. You will be prompted to install the MSA at one of the following points: Note: This procedure applies to both local and remote MSA installation.
- When installing the Security Server on a computer that has Microsoft Exchange server installed on the same computer, Setup prompts you to install a local Messaging Security Agent.
- When installing the Security Server on a computer that cannot detect the existence of local Microsoft Exchange servers, Setup prompts you to install the remote Messaging Security Agent to remote servers.
31. Click Next. The Install Messaging Security Agent page appears.
32. Provide the following information:
i. Exchange Server
ii. Domain Administrator Account
iii. Password
33. Click Next. If you selected Custom Installation, the Messaging Security Agent Settings page would appear. Configure the following:
- Target Folder – This is the folder where the MSA files are installed.
- Temp Folder – This is the system root folder for MSA Agent installation.
- Spam management
- End User Quarantine – If selected, WFBS creates a separate spam folder on Microsoft Outlook in addition to the Junk E-mail folder.
- Outlook Junk Email folder – If selected, WFBS stores spam mail into this folder. Since Outlook typically moves spam mail in the End User Quarantine (EUQ) folder to the Junk E-mail folder, Trend Micro recommends to select this option.
35. Proceed with the installation process. The Start Copying Files page shows a summary of all the parameters that will be used during the installation of WFBS. Do one of the following:
- If you wish to verify previous installation settings, click Back.
- Click Next to proceed with the actual installation.
The Install Third Party Components page appears. This page informs you which third party components will be installed.
36. Click Next to start installing the selected components. The entire installation process may take some time to complete. During the installation, a status page will show the progress being made. When the Setup Wizard Complete screen appears, click Finish.
Installing the Client/Server Security Agent (CSA) or Security Agent (SA) using Remote Install
- Log on to the WFBS console.
- Click Security Settings > Add. The Add Computer page appears.
- Under Computer Type section, choose Desktop or server.
- Under Method section, choose Remote install.
- Click Next. The Remote Install page appears.
- From the Groups and Computers list, select the computer on which you will install the CSA and click Add. A prompt for a username and password appears. Note: You need an account with administrator rights for the installation.
- Type the username and password of an account with administrator rights, and click Login. For the domain computers, use the Domain_NameUsername format; for workgroup computers, use the Target_Computer_NameLocal_Administrator_User_Name format.
The computer is added to the Selected Computers list. - Repeat Steps 6-7 if you want to add more computers to the list.
- Click Install, and then click Yes when the confirmation window shows up. A progress screen will show the installation status, and the computer names will have a green check mark when the installation is complete.
Installing Agent for Exchange Server
The Messaging Security Agent (MSA) can also be installed from the Web Console.
1. Log on to the Web Console.
2. Click the Security Settings tab, and then click the Add button.
3. Under the Computer Type section, click Microsoft Exchange server.
4. Under Microsoft Exchange Server Information, type the following information:
• Server name: The name of the Microsoft Exchange server to which you want
to install MSA.
• Account: The built-in domain administrator user name.
• Password: The built-in domain administrator password.
5. Click Next. The Microsoft Exchange Server Settings screen appears.
6. Under Web Server Type, select the type of Web server that you want to install on
the Microsoft Exchange server. You can select either IIS Server or Apache Server.
7. For the Spam Management Type, End User Quarantine will be used.
8. Under Directories, change or accept the default target and shared directories for
the MSA installation. The default target and shared directories are C:Program
FilesTrend MicroMessaging Security Agent and C$, respectively.
9. Click Next. The Microsoft Exchange Server Settings screen appears again.
10. Verify that the Microsoft Exchange server settings that you specified in the
previous screens are correct, and then click Next to start the MSA installation.
11. To view the status of the MSA installation, click the Live Status tab.
Configure Smart Host for Outbound Email
1. Open the Exchange Management Console.
2. Click on the plus sign (+) next to Organization Configuration.
3. Select Hub Transport and click the Send Connectors tab.
4. Right-click the existing Send Connector then select Properties and go to the Network tab.
5. Select Route mail through the following smart hosts and click Add.
6. Select Fully Qualified Domain Name (FQDN)and specify the HES relay servers:
o HES US / Other Regions Relay Record: relay.sjc.mx.trendmicro.com
o HES Europe, Middle East, and Africa (EMEA) Relay Record: relay.mx.trendmicro.eu
7. Click OK.
8. Go to the Address Space tab and click Add.
9. Add an asterisk (*) and then click OK.
10. Click Apply > OK.
11. Go to the Source Server tab and add your Exchange Server.
12. Click Apply > OK.
Before you begin next step, make sure you have a valid public DNS and MX record configured and available via ping or nslookup. To find Out MX Record, follow the step or contact your ISP.
C:Usersraihan >nslookup
> set type=mx
> domainname.com.au
Non-authoritative answer:
domainanme.com.au MX preference = 20, mail exchanger = mx1.domainname.net.au
domainanem.com.au MX preference = 10, mail exchanger = mail.domainname.com.au
mx1.domainname.net.au internet address = 203.161.x.x
mail.domainname.com.au internet address = 116.212.x.x
Pinging domainname.com.au [203.161.x.x] with 32 bytes of data:
Registered Hosted Email Security
Firstly you’ll need to have registered with Trend Micro Online https://olr.trendmicro.com/registration/ .
Create service account (See upcoming post on creating a secure services account)
- Open ActiveDirectory Users and Computers
- Create a user sa-TrendMicroHE with password never expires
Open Hosted Email Security Web console
- Visit the link that applies to your location
- For EMEA users: https://emailsec.trendmicro.eu
- For others: https://us.emailsec.trendmicro.com
- Login with your details you setup in the online registration earlier and don’t forget to tick Log on with Trend Micro Online Registration user name and password
Register Your Domains with Trend Micro
1. Go to the Trend Micro Online Registration portal.
2. Create a new OLR account.
a. Under the “Not registered” section, select your country and language from the dropdown list, then click Continue.
Enter your HES Registration Key.
If you have other Trend Micro products or services you want to register, enter their Registration Keys and click Continue. Otherwise, click No. The License Terms page appears.
Select I Accept, then click Submit.
Complete the registration information form.
Specify your OLR logon ID.
Note: The OLR logon ID will also serve as your HES portal login ID.
Click Submit.
The next page will show your HES Activation Code (AC). This means that you have successfully registered HES. You will receive an email copy containing your Activation Code, username and temporary password.
3. Using the provided OLR username and password, log on to the HES console:
For US: https://us.emailsec.trendmicro.com/loginPage.imss
For EMEA: https://emailsec.trendmicro.eu/loginPage.imss
Note: Make sure that the Log on with Trend Micro Online Registration user name and password checkbox is ticked.
4. Enter your domain and IP information, then click Add Domain.
5. Once your managed domain list is complete, tick the checkbox beside your managed domain and click Submit.
6. Wait for your confirmation email. This will take 48 hours at most. The confirmation email will guide you through the final steps needed before starting the service.
Navigate to Administration > Domain Management
- All the fields are pretty much self-explanatory, except for Seats assigned: 1 (no need to use more)
- Click Activate Domain
- Now this you would think would be it, except it goes to the list below which you then need to check the tick box of the domain and then Click Check MX Record
Download the ActiveDirectory Sync Client
- Navigate to Administration > Directory Management
- Click Imported User Directories so it becomes Enabled with a green tick
- Navigate to Administration > Web Services
- Click on the Applications bar so it get’s a Green Tick as above
- Click on Generate Service Authentication Key, copy this key for use later in the setup
- Click and download the ActiveDirectory Sync Client
Install the ActiveDirectory Sync Client
http://esupport.trendmicro.com.au/solution/en-us/1059663.aspx
http://esupport.trendmicro.com.au/solution/en-us/1060411.aspx
1. Extract the ActiveDirectory Sync Client file and run setup.exe
2. Usual I agree, next, next stuff
3. Then you’ll need your DOMAIN, the user will be the sa-TrendMicroHE we created earlier along with it’s password.
4. Click Next
5. Leave installation path as is, and change to install for Everyone
6. Click Next
7. Click Next
8. Click Close when finish
9. The ActiveDirectory Sync Client will then open
10. For the source paths you’ll need to enter the LDAP source paths for your server where users and groups are located to get you start some defaults are (don’t forget to change it to <yourdomain>)
LDAP://OU=Users,,OU=CompanyName,DC=<yourdomain>,DC=com
11. Click Add
LDAP://OU=Distribution Groups, OU=companyname,DC=<yourdomain>,DC=com
12. Click Add
13. Click Configure
- Username: as per web login
- Service Auth Key: as the key we copied earlier from the web console under Administration> Web Services
- Proxy: leave as automatic unless your network requires otherwise
- Synchronize: leave at 1
14. Click OK
15. Click Apply
16. This will restart the service
Amend ClientMHS_AD_ACL.config
1. Open C:Program Files (x86)Trend MicroHosted Email Security ActiveDirectory Sync ClientIMHS_AD_ACL.config in notepad
2. Installed Config file looks like this:
<?xml version=”1.0″ encoding=”utf-8″?>
<ad_acl>
<ldap_path name=”default”>
<objectClass name=”User”>
<displayNameAttr>displayName</displayNameAttr>
<emailAttr>mail</emailAttr>
<emailAttr>proxyAddresses</emailAttr>
</objectClass>
</ldap_path>
</ad_acl>
3. Change the following to add groups and public folders. Ref
<?xml version=”1.0″ encoding=”utf-8″?>
<ad_acl>
<ldap_path name=”default”>
<objectClass name=”User”>
<displayNameAttr>displayName</displayNameAttr>
<emailAttr>mail</emailAttr>
<emailAttr>proxyAddresses</emailAttr>
</objectClass>
</ldap_path>
<ldap_path name=”default”>
<objectClass name=”group”>
<displayNameAttr>displayName</displayNameAttr>
<emailAttr>mail</emailAttr>
<emailAttr>proxyAddresses</emailAttr>
</objectClass>
</ldap_path>
<ldap_path name=”default”>
<objectClass name=”publicFolder”>
<displayNameAttr>displayName</displayNameAttr>
<emailAttr>mail</emailAttr>
<emailAttr>proxyAddresses</emailAttr>
</objectClass>
</ldap_path>
<ldap_path name=”default”>
<objectClass name=”*”>
<displayNameAttr>displayName</displayNameAttr>
<emailAttr>mail</emailAttr>
<emailAttr>proxyAddresses</emailAttr>
</objectClass>
</ldap_path>
</ad_acl>
4. Save this (you’ll need to save to desktop then move it back over the original file, otherwise it will Access Denied) and return the the ActiveDirectory Sync Client
5. Click Sync Now
6. Give it a few moments then click History
7. Here you should see the correct number of groups and users you expect. Check the times are correct for when you’ve pressed. And it should finish with Sync domain <yourdomain.com> successful
8. Click Close
9. Click Close
Post Configuration Check
- open the Hosted Email Security Console
- Navigate to Administration > Directory Management
- Click the Export to CSV for the domain you’re wanting to check
- This will generate a CSV file, which you can use notepad to check that all your email addresses have synced