Deploying VMware View 5 – Part 1: Configure Active Directory and Deploy VMware Connection Server

KB ID 0000594

Problem

Note: This is an old post for VMware view version 5, you might want to read Deploying VMware Horizon View instead.

VMware View is a big product, deploying it can be daunting, and if you’re not sure what you’re doing it’s pretty easy to deploy ‘misconfigured’, or at the very least not configured as well as it should. I’m going to run though most requirements, but it would seem sensible to break this up into a few different articles.

Solution

Configuring Windows Active Directory for VMware View

1. Before you start, on your domain controller open active directory users and computers (dsa.msc). Create an OU for your View Desktops, also to make administration easier create a separate OU for any linked clones you are going to deploy. In the example below I’ve nested one inside the other to keep my AD neat and tidy.

2. Also whilst in AD users and computers, create some groups, one for ViewUsers, and one for ViewAdministrators. Add in your users to the groups as required.

Note: You can call the groups whatever you like, and have as many different groups as you like.

3. Now connect to your Virtual Center Server, and add the domain ViewAdministrators group to the LOCAL Administrators group on that server.

Installing and configuring VMware View 5

4. Run the installer for VMware Connection Server (there is a x32 and an x64 version, make sure you download the correct one as VMware call the x64 bit version VMware-viewconnectionserver-x86_64-5.0.1-640055.exe, which at first glance looks like a x32 bit file). Accept all the defaults until you see the following screen, and select View Standard Server.

View Standard Server: Select if this is the first Connection Server you are deploying. View Replica Server: Select this if you already have a connection server and you want to copy the configuration from that server, once in operation it just becomes a standard replica server. View Security Server: Usually placed on an edge network or in a DMZ to broker connection requests. View Transfer Server: Only required if your clients are going to use ‘Local Mode’ for their View desktops..

5. Accept all the defaults and finish the installation.

6. Connect to the VMware View administrator console, this is a web connection to https://{Connection-server-name/admin Note: Adobe Flash is required for it to work.

7. The first time you connect it will take you straight to View Configuration > Product Licencing and Usage > Select “Edit Licence” and type/paste in your licence key.

8. To point the connection server to your virtual center server, select View Configuration > Servers > vCenter Server section > Add.

9. Give it the vCenter server name, and a username and password for a user who is a member of your ViewAdministrators group.

Note: If your vCenter server has VMware composer installed this is where you would enable it. At this time I do not, but I will return here later after I’ve installed it when I cover VMware Composer and ‘linked clones’.

Related Articles, References, Credits, or External Links

Deploying VMware View 5 – Part 2: Configure Windows 7 to be a VMware View Desktop

GFI MailArchiver

Deploying GFI MailArchiver with Exchange 2010, Using the Outlook Connector, Importing and Exporting Data.

KB ID 0000666

Problem

I’ve been involved with Exchange for a long time, either being directly responsible for it, or supporting others that do. And like all systems it would run a lot smoother if you kept users away from it! But unfortunately you can’t, so your system is probably full of users “Deleted Items” and “Sent Items” and a copy of every email that some users have ever received “Because I might need them”. And for years I’ve been saying “It’s a messaging system not a file storage system” and lecturing users about tidying up their inbox. Yes you can setup retention policies but most people don’t.

Even if you do have conscientious users, some of them click “Yes” when Outlook asks them “Would you like to Auto-Archive your old messages now?” Then you have PST files all over the place getting corrupted and not getting backed up.

In addition, just as techs like me are shouting at users to delete things, businesses are now finding that they need to keep ALL their digital messaging for things like Sarbanes-Oxley and Freedom of Information enquiries. Yes I’m sure you back up your Exchange server but what if you needed to produce a message thread about a particular project that was two years ago in the middle of a month?

Archiving

Is the process of taking a copy of mail messages as they pass through Exchange and copying them off to an external location, in this case a database. The advantage of doing this is that database can be on cheaper midline storage and (potentially) keeps the Exchange database sizes down. With Exchange this is done by setting up Journaling (that’s the process of sending a copy of all [or specified] mail to a journal users mailbox). MailArchiver then takes this mail and put it into its database.

Advantages

1. Performance: Getting all the ‘Old’ Data out of the exchange databases makes them smaller, and more efficient.

2. Elimination of PST files: There’s a big list of reasons why I don’t like PST files. If you’ve ever had a user lose email because of them, then as far as they’re concerned its YOUR fault. There are tools to import PST file into the database, (and to export as well).

3. Disaster Recovery: How nice would it be, the next time users email message ‘disappears’ (Users never delete emails they just disappear), they could restore it themselves, from within Outlook. the Outlook Mail Connector software will do this. Also your backup window for Exchange will be a lot smaller.

4. Compliance: Saving a copy of all messages in a database has the advantage, that it’s searchable, and you can export the data you find in a format that you can import straight back into Exchange or send to someone.

5. Investigation: MailArchiver provides some powerful search and reporting tools. If your HR department needed to see who said what to who about projectXYZ then using conventional methods would be a nightmare.

Solution

GFI MailArchiver 2012 Installation and Configuration

Enabling Journaling in Exchange 2010

Note: GFI Mail Archive setup can do this for you but I prefer to do things manually.

1. Launch the Exchange System Management Console > Recipient Configuration > Mailbox > New Mailbox.

2. User Mailbox > Give it a name and set the password > Don’t create an archive > New > Finish.

3. Option 1: Standard Journaling can be enabled on a mailbox store > Organisational Configuration > Mailbox > Locate the store> Properties.

4. Maintenance tab > Tick Journal recipient then browse for the user you created > Apply OK.

5. Option 2: (Note: Requires an Exchange Enterprise CAL) This is set up using a Journaling rule > Organizational Configuration > Hub Transport > Journal Rules > New Journal Rule.

6. Give the rule a name > Browse for the user you created earlier > Set the scope (in most cases you will want global) > New > Finish.

7. To test it’s working send and email then log on as your ‘Journal’ user and make sure you have a copy in the inbox.

Installing GFI MailArchiver 2012

8. Before installing the GFI MailArchiver server needs the Exchange MAPI Client and Collaboration Data Objects 1.2.1 (Unless you are installing it on the Exchanges server).

9. Also (though not essential) I prefer to disable IE Enhanced Security Configuration, so IE wont get upset with the management console.

10. You can add the URL to trusted sites if you want, but I’m not a fan of IE ESC anyway so I simply disable it.

11. Now run the GFI MailArchiver installer.

12. Now this I DO LIKE, why can’t Exchange do this! These are the server pre-requisites, rather than just falling over and giving you an error (I’m looking at you Windows Exchange Developers!) It offers to do the hard work for you. It takes a while though, best go for a coffee at this point > Next > Select whether you want to check for a newer version > Accept the EULA > Set the destination folder > Next.

13. Here the default setting, WARNING if you already have web services on this server (or even UPS software using port 80), have a common sense check.

Note: If you are not sure, the following command will tell you if port 80 (http) is in use;

[box]netstat -aon | find “:80″[/box]

14. Select Install > Finish.

Configuring MailArchiver 2012

15. The GFI MailArchiver management console will launch > Configure.

16. Next.

17. Enter your licence key and select verify licence key > Next.

18. Next.

19. In this example I’m using the Firebird database, in a production environment you should be using SQL server > Next.

20. Change the paths if required > Enter some domain credentials> Next.

21. Next

22. Next

23. Next

24. I’m selecting Auto > Next

25. As I set the user up myself I’m choosing Manual > Next.

26. Exchange Web Services seems to be less problematic > Enter your Journal user account > Next.

27. Next.

28. Finish.

29. We are now up and configured.

GFI MailArchiver – Outlook Connector, Import and Export

GFI MailArchiver – Using the Outlook Connector

30. Firstly you need to enable ‘Mailbox Folder Structure Retrieval’ on the GFI server > Launch the MailArchiver Management console.

31. Mailbox Folder Structure Retrieval.

32. Change Settings.

33. Enter a user account to connect to Exchange Web Services with, here I’m using my domain admin, whichever account you use needs to have administrative access on the Exchange and the GFI server. It also (domain admin included) needs the following Powershell commands running on the Exchange server before it will work, (change the user name to match your own);

[box]New-ManagementScope -name “MAUMPolling” -recipientrestrictionfilter {recipienttype -eq “UserMailbox”}</p> <p>New-ManagementRoleAssignment -name “MAUMPollingRA” -role:applicationimpersonation -user “administrator@petenetlive.net” -customrecipientwritescope “MAUMpolling”[/box]

34. Next.

35. Finish.

Installing the Outlook Connector on a Client

36. I’ve already got a client PC setup with Outlook 2010.

37. I’m just connecting to the GFI servers management URL from the client and downloading the Outlook Connector.

Note: The versions are for Outlook 32 bit and Outlook 64 bit, even if your Windows client is 64 bit you may still be running 32 bit Outlook/Office. If you get it wrong it will tell you your version of Office is not supported.

38. Install the client software, accept the defaults, all you need to specify is the URL of the GFI MailArchiver server.

39. Now when your user opens Outlook, they get an additional mailbox called “GFI MailArchiver Mailbox” that carries a copy of ALL the users mail (Note: Not the mail from before the product was installed, to import that see the import section below, and choose ‘Import for Exchange mailbox’. In addition each user now has a MailArchiver tool bar from which they can search for their mails.

Note: If a user ‘loses’ a mail they can simply drag a copy from their GFI mailbox to their live inbox.

GFI MailArchiver – Importing Data from PST Files

Note: To do this the machine needs to have Outlook installed on it (and NOT Outlook 64 bit!)

40. Launch the GFI MailArchiver Import and Export Tool.

41. Import from .pst files.

42. Add PST file > Browse to your PST file > Open.

43. Select the folder(s) required > Next

44. Select a date range > Select the user that will own the imported data > Next.

Note: I’d rather have an “Import Everything” option!

45. When complete > Finish.

46. Now that user will have the imported mail as well (Note: The default view is “Emails in last 30 days” so don’t panic if you don’t see it all).

GFI MailArchiver – Exporting Data to PST File

47. Launch the GFI MailArchiver Import and Export Tool.

48. Enter the URL of the GFI server > Verify > Ensure it says OK > Next.

49. Select what you want to export (I’m going to search for email containing particular words) > Next.

50. Type in your search text > Find > Next.

51. Here you can restore the mail to a mailbox, export it to .msg or .eml format, or my old nemesis .pst files, I’ll choose the latter > Next.

52. And there’s my .pst file, ready to be sent out to satisfy my freedom of Information enquiry.

 

Related Articles, References, Credits, or External Links

NA

SEM – SPAMfighter Exchange Module – Installation and Configuration with Exchange 2013

KB ID 0000824 

Problem

“I seem to get a lot of spam”, and “I get a lot more spam than I used to” are right up there with “My computer is running slow”. It’s a problem that, eats up users time and fills your mail stores with junk, and time/disk space costs money.

SEM is tiny! In a world where a graphics driver is now over 100MB the entire install suite is less than 11MB. This is going into my test network so testing its ability to limit spam is NOT the point of this exercise, I’m looking at the ease of installation, configuration, and administration.

SEM Pre-Requisites

1. Exchange 2000, 2003, 2007, 2010, or 2013.

2. Windows Server 2000, 2003, 2003 R2, 2008, 2008 R2, or 2012.

3. .Net framework version 2.0 (SP1).

4. MDAC (Microsoft Data Access Components) version 2.7.

5. Internet Information Services.

Solution

Before You Start

1. If you have already installed the Microsoft Anti Spam agents you might want to remove them, (not that you have to). If you don’t know you can run the following command;

[box]
Get-TransportAgent[/box]

If you just have the four below then you DO NOT have the extra agents installed.

2. If yours looks like the one below, then YOU DO have them installed.

3. As stated you don’t have to remove them but if you want to simply execute the following two commands;

[box]

cd "Program FilesMicrosoftExchange ServerV15Scripts"
./Uninstall-AmtispamAgents.ps1

[/box]

4. Answer each question, then run;

[box]
services.msc[/box]

5. Restart the Microsoft Exchange Transport service.

Install SPAMfighter

6. Download the installer, and run it.

7. The installer is pretty straight forward > Next > Accept the EULA > Next > Enter your details > Next > Accept or change the install location > Next.

8. The product will install.

9. At this point it’s downloading definitions form the internet, and it will take a while.

10. When complete it needs to setup a user that the services will run under. Just supply a password > Next.

Note: This user (by default) is added to the local administrators group, and the Exchange Organization Management group.

11. Finish.

12. The management console installs on TCP port 5000, so if you need to access it through a firewall you will need to open that port.

13. Toolbars Tab: From here, I’ll jump straight to the configuration section, this drops you straight onto the Plugins tab. From here you can change the logo that will be displayed with the toolbar (this is NOT visible with Outlook 2013). You can also change the URL it points to and adding rights to users.

14. Toolbar Tab > Outlook Toolbar: On a client running Outlook > Download Outlook Toolbar > Run the installer.

Note: The installer is a .exe file, I would have preferred a .msi file, so I could deploy this out (on mass), to domain clients via GPO.

15. Next > Accept the EULA > Next > Next.

16. Finish.

17. Now when you launch Outlook you can see the plugin loading.

18. You will now have an extra toolbar with the following options.

BE AWARE: You install the OWA toolbar ONCE on the Exchange CAS server.

19. Toolbars > Outlook Web Application: Install OWA toolbar.

20. Yes.

21. Now when your clients access OWA, you have the toolbar.

22. Latest news: Essentially this is just an RSS feed from the manufacturer to keep you abreast of software updates etc. If you have some RSS aggregation software you can add this same feed.

23. Mailbox Tab > Mailboxes: Here it will list all the mailboxes, by default the ‘Default policy’ will be applied and virus filtering will NOT be enabled (this is an add on license). you can also access statistics for this particular mailbox, and view quarantined emails. The User filter settings are for applying an exception for this one mailbox (I’ll cover this later). If you can’t locate a particular user there is also a search function.

24. Mailbox Tab > Usergroups: Usergroups are used to apply policies, any new group requires you to maintain membership manually. But if your Active Directory is well designed, you can select your SPAMfighter groups based on your OU structure.

SEM – SPAMfighter – Configuring and Working with Policies

This is pretty intuitive, and the default policy comes preconfigured and already applied, though with all filtering systems it will probably take you a little while to get it streamlined to your requirements. The policies section has four main tabs;

Filter Settings: What tools you are going to use to look for spam.
Accept Actions: What it will do if it finds nothing.
Block Actions: What it will do if it finds something.
User Filter settings: Exceptions to the filters for one or more users.
Mailboxes: Puts you straight back to the mailbox section you saw earlier.

25. Out of the box there are five filters enabled.

26. But there are four further filters that you can add to the policies.

SPAMfighter – Filters

27. VIRUSfighter Antivirus Filter for SPAMfighter Exchange Module: Remember this is an ‘Add on’ so it would only apply to mailboxes that have this enabled. It’s on its most conservative setting, and will replace the infected email with safe content.

28. SPAMfighter Sender Filter > Whitelist:Simply add either a particular email address you want to allow or add in an entire domain.

29. If your lists get a little unwieldy you can import or export them, and chose weather to overwrite them or append the imported list to your existing list.

30. And where there is a Whitelist there is a Blacklist, it’s configured exactly the same.

31. Automatic Whitelist: This is a brilliant feature! It dynamically adds the addresses our users send to to the Whitelist, and maintains the cache for 10 days (which you can alter). I’m surprised this is disabled by default.

Note: This will be enabled by default in the next release.

32. SPAMfighter Content Filter > Whitelist phrases: Gives you the power to automatically Whitelist emails based on a phrase they contain i.e. Your corporate email disclaimer or default signature.

33. SPAMfighter Content Filter > Blacklist phrases: As the warning says be careful with this section, this is the sort of thing that is handy for blocking “We attempted to deliver your parcel but were unable to” emails that urge you to click an attached zip file full of infected spyware nastiness.

34. SPAMfighter Content Filter > Whitelist Attachments: Here you can upload an attachments (like your company logo from your email signatures) and the system will whitelist and allow through emails containing them.

35. SPAMfighter Content Filter > Blacklist Attachments: Thankfully this is disabled by default, the list of file extensions is quite long, and contains some commonly used file extensions, You will need to do some planning and testing with this one if you want to enable it.

36. SPAMfighter Community Filter: This will filter mail based on mails that have already been blocked by other SPAMfighter users, it uses a scoring/weighting system. You simply set a threshold the higher you set it the more mail will be stopped, this will require some fine tuning.

37. SPAMfighter Language Filter:This is enabled by default, but no languages are selected (which is sensible). If you are never expecting any emails in Chinese you can block them here.

SPAMfighter Filters that you can Manually Add to the Policy.

38. SPAMfighter IP-address Filter: Pretty much does what it says on the tin! Though blocking spammers by IP address is a little hard to manage, and it’s pretty easy to spoof an IP address anyway, which is probably when this is not on the default policy.

39. SPAMfighter Sender Policy Framework Filter: Personally I think you would be crazy to turn this on! If you don’t know what an SPF record is then read the following article.

Setting up the Correct DNS Records for your Web or Mail Server

40. SPAMfighter DNSBL Filter: A DNSBL is a dynamic DNS list of known spammers, if you are familiar with RBL block lists this is similar.

41. SPAMfighter Combined Spam Score Filter: All the other filters check the mail and give it a score, if the score is higher than a certain threshold this this filter will aggregate all those scores and block the mail.

SPAMfighter – Policies > Accept Actions

42. If the mail makes it through all the filters, then this section decides what happens with it.

43. And that is adding information to the mail header that says the mail was scanned and accepted.

SPAMfighter – Policies > Block Actions

44. If the mail gets blocked by any of the filters, this section decides how that is handled.

Note: You can add other actions from the drop-down list below if this does not do what you require.

45. Just as for the accept policy action, this modifies the email header, though this one says the mail was blocked.

46. SPAMfighter Move To Folder Policy Action > Mailboxes : The second default policy action takes that filtered email and places it within a folder called SPAMfighter within the users mailbox.

Note: You can redirect that mail to another mailbox if that is your preference.

47. The system for Public Folders (if you use them) is identical.

48. Contacts: As is says contacts do not have a mailbox, but you can redirect filters contact mail to a specific mailbox should you wish.

49. User Filter Settings: This section can create an exception for one particular user, it simply creates another policy that you can apply to that user.

50. You can create new policies and apply then to particular users or usergroups, and make the system as granular as you like.

51. Statistics: On my test network I didn’t have any throughput on which to pull some meaningful statistics.

52. Statistics > Notifications: You can have daily/weekly/monthly reports emailed to you.

53. If you decide to purchase, the licenses are priced per mailbox. Prices start at £14.50 each (or £29.00 with the Antivirus) And go down to £2.45 (or £4.90 with Antivirus) depending on the amount you buy. They are available for 1, 2, and 3 year periods. For an up to date price list go here.

Related Articles, References, Credits, or External Links

NA

Windows Server – Installing IIS and PHP

KB ID 0000879

Problem

What used to be a complicated task has been simplified greatly by the Microsoft Web Platform installer, the process of adding PHP is the same for Windows 8,(though to install IIS you need to enable that as a windows feature (run appwiz.cpl > Turn Windows feature on or off).

Solution

1. From Server Manager (ServerManager.exe) > Manage > Add Roles and Features > Follow the wizard and in the Server Roles section tick ‘Web Server IIS‘.

2. At the role Services selection expand Application Deployment > Select CGI >Complete the wizard and let the role install.

3. Once complete, open a web page and navigate to http://localhost and you should be greeted with the following.

4. Download the Microsoft Platform Web Installer.

5. Run the installer > Products > Frameworks > PHP {version} > Add.

6. I Accept > The software will install.

7. To test open notepad and create a file with the following;

[box]
<?php phpinfo(); ?>
[/box]

8. Save the file into {Drive Letter}:inetpubwwwroot > Change the file type to ‘All Files’ > call it phpinfo.php > Save.

Note: The drive letter will usually be C: unless you have moved the IIS root folder.

9. To test PHP > open a browser and navigate to http://localhost/phpinfo.php > You should see something like the following.

 

Related Articles, References, Credits, or External Links

NA

Windows Server Update Services – Install and Configure

KB ID 0000592

Problem

Windows Server Update Service or WSUS, (previously called SUS Software Update Services) was an additional download that you could use to let one or more servers in your organisation handle the updates for your Windows clients and Microsoft applications.

With Server 2008 R2, it is now included as a server ‘role’ rather than a download. It’s a great tool for centrally managing and reporting on your network’s update status, and if you do not allow your clients web access, lets you update them without punching holes in your firewall. Also it saves all your clients pulling their updates from Microsoft, and hammering your internet connection.

Solution

WSUS Prerequisites

Before you start, make sure the server you are going to use is fully updated. You will also need 6GB (Approx) to hold the updates.

Step 1 Add and Configure the Windows Server Update Services Role

1. On the WSUS Server run the ServerManager (CompMgmtLauncher.exe) > Roles > Add Role > If you see the “Before you begin page” click Next > Select “Windows Server update Services” > At this point if IIS is not installed it will ask to add the required role service > Let it do so > Next.

2. Next > Next > Next > Install > During the install the WSUS Setup Wizard will start > Next > Accept the EULA > Next > Specify a location to store the updates > Next.

3. You can choose an existing Database or click next to install and use SQL Express > Choose your web site settings > Next.

Note: The default setting will install and configure web services on TCP Port 80 (http). If you have another service or program using that port you will have a problem, (i.e. a program that uses Apache web server, or UPS software that has a management console on port 80, etc). If you choose the second option it will set the site up on TCP port 8530 for http and 8531 for https.

4. Next > Finish > Now the configuration wizard will open > Next > Next > If you are going to pull your updates from another WSUS server enter it here > If not click Next > If you need to enter proxy server details do so > Next > Click “Start Connecting” (this can take a while > Next.

5. Select the languages you want to download > Next > Select the products you would like to download updates for > Next.

6. Select the ‘Classifications’ (types of update) you want to serve > Next > Set your sync schedule (I usually do this once a day) > Next.

7. Next > Finish > Close.

Step 2 Group Policy Settings for WSUS Clients.

Remember these policies are Computer Policies NOT User Policies, you need to link the GPO to your computers, If you link it to an OU containing users nothing will happen!

1. On a domain controller > Start > Administrative Tools > Group Policy Management > Locate the OU containing your computers > Right click and create a new GPO.

2. Give the GPO a name > The Edit the new GPO > Navigate to:

3. Edit the settings on the right to suit your requirements. > Close the group policy editor Window, (to see what settings I usually set see the video above).

4. You clients will get these settings next time they boot, after a maximum of two hours, or after you run “gpupdate /force” on them.

5. If you check your clients you will see their Windows Update settings are now “Grayed Out”

Step 3 Configure Windows Server Update Services.

1. WAIT a while before returning to the WSUS server to configure it, (I typically wait a few days). Assuming your computers are now appearing in the “Computers Section” you need to either manually approve the updates or set them to automatically update.

If your computers fail to ‘appear” see Windows Client(s) not ‘appearing’ in WSUS

2. If you want to simply “Auto approve” all new updates then navigate to Options > Automatic approvals > And Select the “Default Automatic Update Rule” > Click the Hyperlinks in the rule to edit them > Apply > Run Rule > Select ‘Yes’ to save and run.

3. If you want to create computer groups and roll out updates in a more staged manner, you can create different computer groups, and add your computers to those groups.

4. If you want to manually approve updates navigate to Updates > All updates > Select the “Unapproved” updates > Right Click > Approve > Select your computer groups as appropriate.

Note: You can select mass select the updates by holding down Shift, or individually by selecting them while pressing Ctrl.

Related Articles, References, Credits, or External Links

Windows Client(s) not ‘appearing’ in WSUS

WSUS Install Error – ‘The update could not be found. There may be a network connection issue.’

Message ID 6600: sms wsus configuration manager failed to configure upstream server

WSUS Install Error on Windows Server 2008 R2

Install SCCM 2007 on Windows Server 2008 R2 – Step by Step

KB ID 0000297

Problem

I had to work out how to do this for a client, and as is my modus operandi, I’ll try and save you some of the pain I endured,

Products Used

System Center Configuration Manager 2007 SP2 Windows Server 2008 R2 SQL 2008 R2 (At time of writing neither officially supported or not supported on SCCM)

Note: I was originally going to use SQL 2005 – hence the reason the SQL servers name is SCCM-SQL2005, however I bit the bullet and used SQL 2008 R2 instead.

Solution

Step 1: SCCM Domain pre install work.

1. Create two groups in Active Directory.

a. sccm administrator group SCCM-ADMIN b. sql administrator group SQL-ADMIN

2. Add both groups to the Domain Admin’s group.

3. Create two new users: sccmadmin and sqladmin.

4. Add sccmadmin to SCCM-ADMIN group and add sqladmin to SQL-ADMIN group.

Step 2: SCCM Pre requisites

1. Add the IIS (Web Server Role).

2. Add the following IIS Role Services:

a. HTTP redirection. b. ASP.Net

c. Windows Authentication. d. IIS6 Metabase compatibility. e. IIS6 WMI compatibility.

3. Add the following “server Features”:

a. Background Intelligent Transfer Service. b. Remote Differential Compression.

4. If you are NOT running Windows Server 2008 R2 Download and install WebDav (already included in Windows Server 2008 R2). If you are running R2 skip to the next step.

5. Server Manager > Roles > Web Server (IIS) > Add Role Services > WebDAV Publishing > Next > Close.

6. To enable WebDav > Start > Administrative Tools > Internet Information Services (IIS) Manager > Expand {server name} > Sites > Default Web Site > WebDav Authoring Rules.

7. Select Enable WebDav (On the right hand side).

8. Select add authoring Rule > All Content > All Users > Permissions > Read > OK.

9. Select the rule you have just created > WebDav Settings.

10. Change “Allow Anonymous Properties Queries” to True > Change “Allow Custom Properties” to False > Change “Allow Property Query with Infinite Depth” to True > Change “Allow hidden files to be listed” to True > Apply.

11. WSUS needs to installed on the SCCM server – Note Server 2008 R2 needs (WSUS Server Update Services 3.0 SP2). If you try and install SP 1 you will see this error.

12. From the WSUS installation choose “Full server installation” > DO NOT accept the default “Use the existing IIS Default Web site” > Use “”Create a Windows Server Update Services 3.0 SP2 Web site” (Note: this will use port TCP 8530 by default).

Step 3: SCCM Install SQL Server.

1. From the SQL install media run setup.exe > Installation > “New Installation or add features to an existing Installation” > OK.

2. Enter product Key if applicable > Next > “I accept…” > Next > Install > Next > Next.

3. Tick Database Engine Services > Tick Management Tools (Basic and Complete) > Next.

4. Next > Accept the defaults > Next > Next.

5. On the Server configuration Page > Select “Use the same account for all SQL Server services > Select the User you created originally (sqladmin) > Set the SQL Server Agent and SQL Server Database Engine Startup type to “Automatic” > Next.

6. Accept “Windows Authentication” > Add in your SCCM-ADMIN group and SQL-ADMIN group > Next > Next > Next > Install.

7. When it’s completed click close.

Step 4: Prepare Active Directory for SCCM

1. Extend the schema > From the install media > SMSSETUP > BIN > 1386 > extadsch.exe

2. Check the above was successful by opening the c:extADsch.txt file it should say “”successfully extended the Active Directory Schema”.

3. We now need to create some active directory objects go to a domain controller > Start > Administrative tools > ADSI Edit > Action > connect to > leave everything on its defaults > OK.

4. Expand the Default naming context > Expand your domain name > Right click “system” > New > Object > Container > Next.

5. Call it “System Management” > Next > Finish > Close ADSI Edit.

6. Still on the domain controller > Start > dsa.msc {enter} > View > Advanced.

7. Expand “system” > Locate the container you created “System Management” > right click it and select properties > Security Tab > Add > Object Types > Tick Computers > OK.

8. Click Advanced > Find Now > Locate and add the SCCM-ADMIN group you created earlier > Also add the SCCM Server itself > OK.

9. Grant allow “Full Control” to both the SCCM admin group and the SCCMserver.

10. Now click advanced > Select the SCCM-ADMIN group > Edit.

11. Change the “Apply to” section from “This object only” to “This object and all descendant objects” > OK > Apply > OK.

12. Repeat the above for the SCCM-Server object.

Step 5: Install SCCM

1. Log on as the sccadmin user.

2. From within the SCCM setup media run splash.hta > Run the Pre requisite checker > Enter the SQL Server name > SCCM server name and the FQDN of the SCCM server > OK.

3. Note If you cannot talk to the SQL server then check that the Windows firewall is not blocking you (on the SQL server Start > run > firewall.cpl > Turn it off).

4. All being well it should say “All required pre requisite tests have completed successfully” > OK.

5. Re-run Splash.hta > This time choose > Install configuration Manager 2007 SP2 > Next > “Install Configuration Manager site Server > Next.

6. Tick “I accept these License terms > Next > Custom Install > Next > Primary Site > Next > Next > enter unlock code is applicable > Next > Accept/change the install directory > Next > Enter a Site code and friendly name > Next.

DO NOT ever try and change this code and don’t forget it!!

7. Change the Site mode to “Configuration Manager Mixed Mode” (Native mode requires certificate services and considerably more work). > Next.

8. Accept the defaults (everything except NAP) > Next.

9. Enter your SQL server name > Next > Next > Next > Next > Next.

10. Select a location to install the updates to > Next.

11. Updates will download this may take some time > when finished it should say it was successful > OK > Next.

12. It will run the pre requisite check again > when finished click begin install.

13. When finished click Next > Finish.

14.Now you need to send out the clients and configure SCCM, I’ll cover that in a later article.

Related Articles, References, Credits, or External Links

SCCM 2007 Initial Setup and Configuration

SCCM OSD Capture a Windows 7 Reference Machine

Deploying Exchange 2013

Part Two – Prerequisites for Windows Server 2008 R2

KB ID 0000717

Problem

Originally I was just going to write a ‘Prerequisite for Exchange 2013’ article, but the needs of Windows Server 2008 R2 are so much greater than those of Windows Server 2012, I split them up. With that in mind, Id suggest you use Window s server 2012 rather than 2008 R2. (It will be supported for longer).

But if you are determined read on.

Solution

Planning ‘Time spent on reconnaissance is seldom wasted’

If you are going to deploy Exchange 2013 within your organisation, then you either already have Exchange (or another mail server product), or it’s a ‘Greenfield Site’.

You already have Exchange

Coexistence with Exchange 2003 is not supported, before you consider bringing in Exchange 2013, you will need to migrate to Exchange 2010, (a migration to Exchange 2007 would also work, but Exchange 2010 would be more sensible). Exchange 2013 Server can coexist in the same Exchange environment with both Exchange 2007 and Exchange 2010.

Exchange 2003 to 2010 Transition “Swing Migration”

Make Sure you have the DVD or ISO file for Exchange 2013, you don’t want to download a 3.5GB File at a clients site through a slow ADSL Link! Also the prerequisite software is pretty big, get all that burned to disk, or on a USB Drive before you start.

Software Requirements

Well we are installing on Server 2008 R2 (Standard/Enterprise or Datacenter, though if you plan to deploy this server as part of a DAG Group, it needs to be Enterprise/Datacenter), so what else would you need to worry about? How about backup software? Does your current backup solution support Exchange 2013? Also check with your anti-virus/antispam vendor that 2013 wont be a problem. Do you have any mail archiving software, custom email signature software etc? Take a good look at the software packages in your existing mail system to make sure.

Outlook Client Access: Be aware your clients need to be using the following versions of Outlook BEFORE you migrate them.

  • Outlook 2013.
  • Outlook 2010 (With SP1 and this update).
  • Outlook 2007 (With SP3 and this update).
  • Outlook for Mac 2011.
  • Entourage 2008 for Mac, Web Services Edition.

Hardware Requirements

1. CPU: As you’re planning on deploying with Windows Server 2008 R2 you will already have a server with an x64 bit CPU to deploy Exchange 2013 on, though IA64 is NOT supported.

2. RAM: This is dependent on what roles the server will have, for a Client Access Server the recommendation is 4GB, for a Mailbox Server it’s 8GB. And if the server will hold both roles the figure remains at 8GB. Though if I were deploying an Exchange 2013 Server in anger I would start at 12GB for a small (less than 80 mailbox’s) deployment and work upwards.

3. Disk Space: The drive which will hold the Exchange program files needs 30GB free space (that seems like a lot!) then there are some smaller figures you need to add up,

500MB per Universal Massaging Pack Language you are going to deploy.
200MB free on the servers system (OS) drive.
500MB free on the drive that will house the message queue database.

If the server will be a Mailbox server then it will need sufficient room to store the mailbox/public folder databases.

4. DVDROM Drive: Actually this is not really a requirement, but I’m mentioning it because a few modern servers ship without DVDROM drives now. You don’t want to go to site with a disk and look like a clown! Exchange 2013 will deploy quite happily from an ISO image. (If in doubt use 7ZIP to extract the ISO to a folder, and take that with you).

Pre Deployment – Environment

1. The Windows 2008 R2 server should be at least SP1. (If in doubt, Windows Key+R > winver {enter}).

2. Your forest functional level should be at least Windows Server 2003. To see your forest functional level, Windows Key > Active Directory Domains and Trusts > Action > Raise Forest Functional Level.

3. The domain controller that is holding the Schema Master FSMO role in your domain, needs to be at least Windows Server 2003 SP2. To see which server is the schema master server, run the following command;

[box]netdom query /domain:YOURDOMAINNAME fsmo[/box]

Note: In this example, I’m on a standalone server, that’s also a domain controller (not recommended for production environments!). In a live environment you may need to plan in some downtime to update the schema master.

4. The server you are deploying on, must already be a member of your domain.

5. Run Windows Update, and make sure the server is fully up to date.

6. You will need to install both .Net 4.5 and Windows Management Framework 3.0 (That’s new WMI and Powershell 3 in case you were wondering), and Windows Management Framework 3.0. (Note: you need the Windows6.1-KB2506143-x64 version).

Note: These two pieces of software are needed on the server that will prepare the Active Directory, so they are not strictly prerequisites for Exchange 2013.

7. The Exchange 2013 Server needs the AD DS (RSAT) administration tools installing. To do that simply run the following command;

[box]Add-WindowsFeature RSAT-ADDS[/box]

Note: If you skipped step 6 then you will see the following error;

The term ‘Add-WindowsFeature’ is not recognized as the name of a cmdlet function, script file, or operable program.

Pre Deployment – Roles Required

Like previous versions of Exchange, you need to add certain roles to the server before you can install the product. Which roles you need, depend on whether you are deploying a server with the client access server role, or the mailbox server role (Note: if the server will hold BOTH roles, then the roles for mailbox server will cover both.)

Mailbox Server (Or Mailbox Server with Client Access Sever) – Roles Required

1. Issue the following PowerShell command;

[box]Import-Module ServerManager[/box]

2. Issue the following PowerShell command;

[box]Add-WindowsFeature Desktop-Experience, NET-Framework, NET-HTTP-Activation, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Web-Server, WAS-Process-Model, Web-Asp-Net, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI [/box]

2. After running this command you may need to reboot.

3. Once complete you need to install the Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit.

4. Then install the Microsoft Office 2010 Filter Pack 64 bit

5. Then install the Microsoft Office 2010 Filter Pack SP1 64 bit

Note: At time of writing there is no Office 2013 Filter pack. I suspect that when it is released, it will need installing instead of the Office 2010 version, (that’s what happened with Exchange 2010 anyway).

6. Then install the Windows Identity Foundation (KB974405). Note: Download Windows6.1-KB974405-x64.msu

7. Then install the Knowledge Base article KB2619234 (Enable the Association Cookie/GUID that is used by RPC over HTTP to also be used at the RPC layer in Windows 7 and in Windows Server 2008). Note: This update requires a reboot.

8. Then install the Knowledge Base article KB2533623 (Insecure library loading could allow remote code execution). If you are fully up to date you may find that this update will not be applicable to your system, and you will see the following popup.

Client Access Server Only – Roles Required

The only difference for a server running the Client Access Role is that .Net 4.5 and the WindowsManagement Framework are not requirements. However if you have been following all the steps you will already have them installed. And having them installed will cause you no problems. So, follow all the same steps, and install all the roles and software that is required for the ‘Mailbox/Combined Mailbox and Client Access Server’.

Related Articles, References, Credits, or External Links

Deploying Exchange 2013 – Part One – Prerequisites for Windows Server 2012

Deploying Exchange 2013 – Part Three – Deploying Exchange 2013 On a ‘Greenfield Site’

 

Deploying Exchange 2013

Part One – Prerequisites for Windows Server 2012

KB ID 0000716 

Problem

Originally I was just going to write a ‘Prerequisite for Exchange 2013’ article, but the needs of Windows Server 2008 R2 are so much greater, I split them up.

Solution

Planning ‘Time spent on reconnaissance is seldom wasted’

If you are going to deploy Exchange 2013 within your organisation, then you either already have Exchange (or another mail server product), or it’s a ‘Greenfield Site’.

You already have Exchange

Coexistence with Exchange 2003 is not supported, before you consider bringing in Exchange 2013, you will need to migrate to Exchange 2010, (a migration to Exchange 2007 would also work, but Exchange 2010 would be more sensible). Exchange 2013 Server can coexist in the same Exchange environment with both Exchange 2007 and Exchange 2010.

Exchange 2003 to 2010 Transition “Swing Migration”

Warning: Even at Exchange 2010 – You cannot upgrade to Exchange 2013 without Service Pack 3.

Make Sure you have the DVD or ISO file for Exchange 2013, you don’t want to download a 3.5GB File at a clients site through a slow ADSL Link! Also the prerequisite software is pretty big, get all that burned to disk, or on a USB Drive before you start.

Software Requirements

Well we are installing on Server 2012 (Standard or Datacenter) so what else would you need to worry about? How about backup software? Does your current backup solution support Exchange 2013? Also check with your anti-virus/antispam vendor that 2013 wont be a problem. Do you have any mail archiving software, custom email signature software etc? Take a good look at the software packages in your existing mail system to make sure.

Outlook Client Access: Be aware your clients need to be using the following versions of Outlook BEFORE you migrate them.

  • Outlook 2013.
  • Outlook 2010 (With SP1 and this update).
  • Outlook 2007 (With SP3 and this update).
  • Outlook for Mac 2011.
  • Entourage 2008 for Mac, Web Services Edition.

Hardware Requirements

1. CPU: As you’re planning on deploying with Windows Server 2012 you will already have a server with an x64 bit CPU to deploy Exchange 2013 on, though IA64 is NOT supported.

2. RAM: This is dependent on what roles the server will have, for a Client Access Server the recommendation is 4GB, for a Mailbox Server it’s 8GB. And if the server will hold both roles the figure remains at 8GB. Though if I were deploying an Exchange 2013 Server in anger I would start at 12GB for a small (less than 80 mailbox’s) deployment and work upwards.

3. Disk Space: The drive which will hold the Exchange program files needs 30GB free space (that seems like a lot!) then there are some smaller figures you need to add up,

500MB per Universal Massaging Pack Language you are going to deploy.
200MB free on the servers system (OS) drive.
500MB free on the drive that will house the message queue database.

If the server will be a Mailbox server then it will need sufficient room to store the mailbox/public folder databases.

4. DVDROM Drive: Actually this is not really a requirement, but I’m mentioning it because a few modern servers ship without DVDROM drives now. You don’t want to go to site with a disk and look like a clown! Exchange 2013 will deploy quite happily from an ISO image. (If in doubt use 7ZIP to extract the ISO to a folder, and take that with you).

Pre Deployment – Environment

1. The Windows 2012 server should be at least RTM, and should NOT be pre-release (If in doubt, Windows Key+R > winver {enter}). The build number should be at least 9200.

2. Your forest functional level should be at least Windows Server 2003. To see your forest functional level, Windows Key > Active Directory Domains and Trusts > Action > Raise Forest Functional Level.

3. The domain controller that is holding the Schema Master FSMO role in your domain, needs to be at least Windows Server 2003 SP2. To see which server is the schema master server, run the following command;

[box] netdom query /domain:YOURDOMAINNAME fsmo [/box]

Note: In this example, I’m on a standalone server, that’s also a domain controller (not recommended for production environments!). In a live environment you may need to plan in some downtime to update the schema master.

4. The server you are deploying on, must already be a member of your domain.

5. Run Windows Update, and make sure the server is fully up to date. You will find Windows Update in Server Manager > Local Server.

6. Windows Server 2012 comes pre installed with .Net 4.5 and Windows Management Framework 3.0 (That’s new WMI and Powershell 3 in case you were wondering). So there’s nothing to do for this step, I only mention it for completeness.

7. The Exchange 2013 Server needs the AD DS (RSAT) administration tools installing. To do that simply run the following command;

[box] Install-WindowsFeature RSAT-ADDS [/box]

Note: As previously stated, the server used in the example above is a domain controller, so it already had the tools installed, hence the NoChangeNeeded exit code.

Pre Deployment – Roles Required

Note: From THIS POINT FORWARD, all roles can now installed with the RTM release of Exchange 2012 during setup. The following will only need to be carried out if you are installing the pre-release version of Exchange 2013.

Like previous versions of Exchange, you need to add certain roles to the server before you can install the product. Which roles you need, depend on whether you are deploying a server with the client access server role, or the mailbox server role (Note: if the server will hold BOTH roles, then the roles for mailbox server will cover both.)

Client Access Server Only – Roles Required

1. Issue the following PowerShell command;

[box] Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation [/box]

2. After running this command you may need to reboot.

3. Once complete you need to install the Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit.

Mailbox Server (Or Mailbox Server with Client Access Sever) – Roles Required

1. Issue the following PowerShell command;

[box] Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation[/box]

2. After running this command you may need to reboot.

3. Once complete you need to install the Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit.

 

4. Download and Install the Microsoft Office 2010 Filter Pack 64 bit

5. Download an Install the Microsoft Office 2010 Filter Pack SP1 64 bit

Note: At time of writing there is no Office 2013 Filter pack. I suspect that when it is released, it will need installing instead of the Office 2010 version, (that’s what happened with Exchange 2010 anyway).

Related Articles, References, Credits, or External Links

Deploying Exchange 2013 – Part Two – Prerequisites for Windows Server 2008 R2

How To Install Exchange 2016 (Greenfield Site)

Deploying Exchange 2013

Part Three – Deploying Exchange 2013 On a ‘Greenfield Site’

KB ID 0000730

Problem

In part one and part two we looked at what to consider, and what you need to be doing before you reach for the install DVD. Now we will run through a complete Exchange deployment on a fresh site with no existing mail system.

Items covered below

Install Exchange Server 2013

Exchange 2013 Post Install Configuration Tasks

Enter the Exchange 2013 Server Product Key

Exchange 2013 Create a Default Send Connector

Exchange 2013 Adding a Domain Name as an Accepted Domain

Adding New Email Addresses to the Default Email Address Policy

Exchange 2013 Additional Post Installation Tasks

Moving Exchange 2013 Database(s)

Exchange 2013 Apply for, and Install a Third Party Certificate

Exchange 2013 Setting up ‘Split DNS’ for your Exchange Certificate

Exchange 2013 Test Mail Flow

Solution

Exchange Prerequisites

å

I’ve already written extensively about the hardware, software and environment requirements for Exchange 2013. Please run through the following article before you start.

Deploying Exchange 2013Part One – Prerequisites for Windows Server 2012

With a fully updated Windows Server 2012, that is a domain member your main three pre deployment tasks are to install the following pieces of software.

1. Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit.

2. Microsoft Office 2010 Filter Pack 64 bit

3. Microsoft Office 2010 Filter Pack 64 bit

Install Exchange Server 2013

1. Insert the install DVD and auto-run the setup.

2. Next > Let it check for updates.

3. Next.

4. It will copy the setup files to the server.

5. Next.

6. Accept the EULA > Next.

8. Next.

9. Select the roles required, I’m just having one server so I’m selecting both > Next.

Note: Current Microsoft thinking is to NOT separate out roles like you did with Exchange 2007 and 2010, if you deploy multiple servers deploy multiple roles.

10. Set the install path for the Exchange program files. If you change form the default, and you are deploying multiple Exchange servers, try to keep the path the same for all > Next.

11. Select an Organization name > Next.

12. Select if you want to disable the built in malware protection or not.

Note: Malware protection is now based on Forefront. Only consider disabling this if you plan to deploy some third party malware/AV scanning software.

13. You should get a warning telling you that once complete you will not be able to install Exchange 2010 > Next.

14. Setup will progress (Approx 45 minutes).

15. When done > you can tick the box and launch the ‘Exchange Admin Center’. BUT At this point I would run a full Windows update and reboot the server.

Exchange 2013 Post Install Configuration Tasks

1. To launch the new ‘Exchange Admin Center’, navigate to https://localhost/ecp.

2. Sign in.

Enter the Exchange 2013 Server Product Key

3. Navigate to Server > {Server-Name} > Enter Product Key.

4. Type in your 25 character product key > Save.

5. Read the warning > OK.

6. Windows Key+R > services.msc {Enter} > Locate and restart the ‘Microsoft Exchange Information Store’ service.

Exchange 2013 Create a Default Send Connector

Without configuring a send connector, your outbound/internet destined mail will sit on the outbound queue with the following error.

 ‘A matching connector cannot be found to route the external recipient’

7. Navigate to > Mail flow > Send Connector > Add.

8. Give the connector a name and select ‘Internet’ as it’s use > Next.

9. By default it will select where to send the email based on the DNS name of the recipient, however some people route all their mail via a smart host, (this can be a server or IP address at your ISP or a mail filtering provider). If you use a smart host you will probably already know, in most cases you will want the default option of ‘MX record associated with recipient domain’ > Next.

10. Add.

11. Set the FQDN to asterisk > Save.

12. Add > Then select the Exchange Server.

13. Finish.

Exchange 2013 Adding a Domain Name as an Accepted Domain

14. Whilst in the Mail Flow section > Accepted Domains > Add.

15. Give the entry a name > Type in your domain name > Save > Repeat for any additional domain names.

Adding New Email Addresses to the Default Email Address Policy.

16. Whilst in the Mail Flow section > email address policies > With the default policy selected > Edit (pencil icon).

17. Email address format.

18. Add.

19. Select the domain > Select the name format > If this email address will be the default/reply address then select the bottom tick box > Save > Repeat for each additional email address you want to apply to your users, but only one can be the reply address.

20. When finished > Save.

21. Read the warning > OK.

22. Apply.

23. Yes.

Exchange 2013 Additional Post Installation Tasks.

Moving Exchange 2013 Database(s)

1. Create a folder on the destination drive/volume.

2. First see where the database is now. From within the Exchange admin center (https://localhost/ecp) > Servers > Databases > Select the database to be moved > Edit (pencil icon).

3. Take a note of the database path, and the database filename (filename.edb).

4. Launch the Exchange Management Shell.

5. Execute the the following PowerShell command;

Answer Y to the questions (or A for all).

6. Now you can check that the database has mounted, and is in its new location.

Exchange 2013 Apply for, and Install a Third Party Certificate

1. From within the Exchange admin center (https://localhost/ecp) > Certificates > Add.

2. Self signed certificates are literally more trouble than they are worth, you need to BUY A CERTIFICATE! > Next.

3. Give the request a name > Next.

4. We don’t want a wildcard certificate > Next.

Note: A wildcard certificate is a certificate that has a name like ‘*.domain.com’.

5. Select the Exchange Server > Next.

6. Select the internet Outlook Web App and Edit (pencil icon).

7. Type in the publicly addressable domain name of the Exchange Server > OK.

8. Set the public name of the Autodiscover service > OK > Next.

9. MAKE SURE that the OWA public name is IN BOLD as this will be set as the ‘common name’ on the certificate > Next.

10. Type in your details > Next.

11. Select a share to save the certificate request in > Finish.

Note: This share must already exist, with the correct permissions, if in doubt watch the video above.

12. Now you should have a pending request.

13. Take the certificate request that it has generated (in PIM format), and send that to your certification authority, the link below will take you straight to the correct certificate you need;

Exchange 2013 Server Certificates.

14. Once complete and you have received your new certificate back again > Select the pending request > Complete.

15. Supply the path to the certificate > OK.

16. Now you need to assign Exchange services to the certificate> with it selected > Edit (pencil icon).

17. I’m not using unified messaging or POP, so I’ve just selected SMTP, IMAP and IIS > Save.

18. Yes to overwrite the existing certificate.

19. Now lets make sure its worked, open https://localhost/owa > it will error because the URL is wrong > continue to this website.

20. Open the certificate and check it is correct. (here mine has a common name of mail.petenetlive.com).

Exchange 2013 Setting up ‘Split DNS’ for your Exchange Certificate

Note: You only need to set this up if your private/internal, and public/external domain names are different.

21. To avoid annoying DNS and certificate errors on your internal network, your best bet is to setup ‘Split DNS’. Create a forward lookup zone that matches your PUBLIC domain name. Then inside this zone create an A/Host record for mail that points to the internal IP of your Exchange Server. And another for Autodiscover that points to the same IP address.

WARNING: If you do this, and have a www.yourdomainname.com website hosted externally, you will find that your internal users can no longer get to it! If that happens create an additional A/Host record for a host called www and point its IP address to the public IP address of your website (you may also need an FTP entry if you use that externally as well).

22. Now open a web browser and navigate to the public name of your mail sever, this time it SHOULD NOT ERROR.

Exchange 2013 Test Mail Flow

1. Log into OWA, and send a test email to an internal email address (on a new deployment you probably only have Administrator as a mailbox, so send yourself an email).

2. Then send a test email out to a public email address.

Note: If this fails, check it has left the Exchange Organization by looking at the Queue Viewer.

Exchange 2013 – Where is the Queue Viewer?

.

3. Once you know mail is flowing out test mail in, if this fails make sure you have an MX Record and an A/host record pointing to your Exchange 2013 Server.

Setting up the Correct DNS Records for your Web or Mail Server

Also ensure that TCP port 25 (SMTP) is open to the Exchange Server, (or ‘port forwarded’ to it). And if not add TCP 443 That’s HTTPS, so it is also open/forwarded for OWA, Outlook Anywhere and ActiveSync to work.

 

Related Articles, References, Credits, or External Links

NA