Remote Desktop Services: RDS Sizing Calculations

KB ID 0001753

Problem

This is a horrible subject to find any decent information on. Microsoft are typically ‘vague’ and most people are stuck with using trial and error, or massively overestimating hardware to be on the safe side. I get asked this occasionally and, just like Microsoft, it’s a question I don’t like to answer!

People are reticent to tell you that you need ‘x’ amount of CPU and ‘y’ amount of RAM, simply because ‘it depends’, e.g. a dozen users just doing some file and print, and working on Office documents, will be much less of a requirement than a dozen users making MS Teams calls and doing 3D AutoCAD modelling.

I’m going to assume that we are deploying RDS in a virtual environment, so I’ll be talking about vCPU requirements. BE AWARE: Running a VM with a LOT of vCPUs can be counterproductive for performance (Google CPU Ready).

RDS Sizing Requirements

RDS Dependencies

Most of these will be common sense:

  • Domain Authentication: Usually via Active Directory or Azure AD credentials.
  • DNS Resolution: Not just for the RDS server roles deployed, for resolving the names on Certificates, and for third party hosted applications.
  • Third Party (Line of Business) Applications: Not all apps support RDS deployment, and many that do, require different licensing (Check!)
  • File and Print: Thankfully these days most file storage is moving into the cloud, but users still need user profiles; how are you going to present them? FSLogix, Redirected folders, Shared folders etc.
  • Access: These days having RDP open to the outside world is a thing of the past, if you want to connect to RDS you either come in via an RDS Web Gateway, or even better, by connecting to a VPN, then accessing the RDS deployment.
  • Licensing: Obviously the RDS servers themselves require licensing, but so does RDS, depending on what licence model you buy (user CALs, or device CALs). Typically most people buy user CALs (Device CALs are good for things like call centres e.g. where 3 shift workers use the same PC in a 24 hour period so you can buy 1 device CAL rather than 3 user CALs).*

*Note: What’s a SAL then? A Subscriber Access Licence is used if you have your servers SPLA licenced from a service provider. These are usually on a monthly rental basis.

RDS Sizing: Roles

You can (and I think it’s still the default) put all the RDS roles on one server, obviously this is not ideal for anything other than a tiny deployment (5-10 users doing very low impact roles for example). But the individual roles required are;

RD Session Host: This is what does all the heavy lifting, it hosts the remote user sessions. Typically these will be the server(s) in your deployment that suffer with resource constraints if you get something wrong. As I’ve mentioned above, if you’re running 3rd Party Line of Business applications on here MAKE sure they are designed and optimised for RDS. Finally, based on what your users are doing, is it worth having better/faster/local storage on these servers?

RD Connection Broker: This role has two primary jobs, 1) Connect remote users to the least utilised session hosts, and 2) Reconnect users to the correct session host if they’ve dropped a connection, or have an existing open RDS session.

RD Web Server: This provides a web logon portal for RDS so that RDS desktops and applications can be accessed over HTTPS. Remember just because traffic is on HTTPS (TCP port 443) do not assume it’s trusted and non-malicious. Nearly every exploit and attack these days uses HTTPS or SSH to get traffic in and out of your network. Unless you are inspecting HTTPS it’s not more secure than HTTP! Typically the RD Web server is deployed in a DMZ. In some small deployments it can also be on the RD Connection Broker.

RD Licence Server: Typically this gets put on ‘another’ server in the environment, the drawback of this is people forget where it is, and don’t check before decommissioning a server, then find out a few days later their licence server disappeared. You install this role, then register it with Microsoft, then finally add your licences to it.

RDS Sizing Calculations

For all RDS roles apart from the RD Session Host(s), the footprint is relatively small.

RD Session Host(s) CPU: This depends on the number of users, typically no more than 4 users per vCPU, and up to a maximum of 8 vCPUs per host (this should tell you that you need an RDS Session Host for every 24 (approx) users). Remember to factor in additional hosts in case you suffer a loss of server/hypervisor. For that reason it’s also good practice to deploy your session hosts with anti-affinity rules so that they are not all on the same hypervisor host!

RD Session Host(s) RAM: Again depends on the user and what they will be doing, as a rule of thumb, allow between 2 and 8 GB per user, but do not allocate more than 128 GB per RDS Session Host.

RD Connection Broker: (2x vCPU, 8GB RAM, 70GB HDD) Note: Can scale up to (8 vCPU, 16GB RAM, 70GB HDD) for larger deployments.

RD Web Server: (2x vCPU, 4GB RAM, 70GB HDD) Note: Can scale up to (8 vCPU, 16GB RAM, 70GB HDD) for larger deployments. Once you get larger than this you need to look at load balancing multiple RD Web servers.

RD Licensing: (1 x vCPU, 4GB RAM, 70GB HDD) Assuming there’s no additional compute requirements on the same host.
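
The session host rules of thumb above, worked through as a calculation. This is an added example, not part of the original article; the function name and the default of one spare host are assumptions, and the caps (4 users per vCPU, 8 vCPUs, 128 GB, roughly 24 users per host) are the article's own figures.

```powershell
# Added example: session host sizing from the rule-of-thumb figures in this article.
function Get-RdsSessionHostPlan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][ValidateRange(1, 100000)][int]$Users,
        [ValidateRange(2, 8)][int]$GBPerUser = 4,      # article: between 2 and 8 GB per user
        [ValidateRange(1, 4)][int]$UsersPerVCpu = 4,   # article: no more than 4 users per vCPU
        [ValidateRange(0, 10)][int]$SpareHosts = 1     # assumption: one extra host (N+1)
    )

    # Caps taken from the article.
    $maxVCpuPerHost  = 8
    $maxRamGBPerHost = 128
    $maxUsersPerHost = 24   # the article's approximate users-per-host figure

    # How many users one host can carry under each limit; the tightest one wins.
    $byCpu = $UsersPerVCpu * $maxVCpuPerHost
    $byRam = [int][math]::Floor($maxRamGBPerHost / $GBPerUser)
    $usersPerHost = [int][math]::Min($maxUsersPerHost, [math]::Min($byCpu, $byRam))

    if     ($usersPerHost -eq $byRam) { $limitedBy = 'RAM (128 GB per host)' }
    elseif ($usersPerHost -eq $byCpu) { $limitedBy = 'vCPU (8 per host)' }
    else                              { $limitedBy = 'users per host (24)' }

    # Hosts needed to carry the load, then the load each of those hosts sees
    # when the connection broker spreads users evenly across them.
    $activeHosts = [int][math]::Ceiling($Users / $usersPerHost)
    $usersOnHost = [int][math]::Ceiling($Users / $activeHosts)
    $vCpuPerHost = [int][math]::Min($maxVCpuPerHost, [math]::Ceiling($usersOnHost / $UsersPerVCpu))

    [pscustomobject]@{
        Users        = $Users
        LimitedBy    = $limitedBy
        ActiveHosts  = $activeHosts
        SpareHosts   = $SpareHosts
        TotalHosts   = $activeHosts + $SpareHosts
        UsersPerHost = $usersOnHost
        VCpuPerHost  = $vCpuPerHost
        SessionRamGB = $usersOnHost * $GBPerUser   # user sessions only; OS overhead is not covered by the article
    }
}

# Constructed inputs: 120 light users at 4 GB each, then 120 heavier users at 8 GB each.
Get-RdsSessionHostPlan -Users 120 -GBPerUser 4
Get-RdsSessionHostPlan -Users 120 -GBPerUser 8
```

The spare hosts are sized the same as the active ones, so the deployment still carries every user with a hypervisor down, provided the anti-affinity rules keep the hosts apart.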

I welcome any feedback and recommendations below.

Related Articles, References, Credits, or External Links

Deploying Remote Desktop Services

How To Install Exchange 2016 (Greenfield Site) – Part 2

KB ID 0001302

Problem

Back in Part-One, we looked at all the things to consider before you start to install Exchange 2016. Now we will start installing software, and getting to a point where we can configure Exchange 2016 and carry out some post deployment.

Solution

Your forest functional level needs to be at ‘Windows Server 2008’ before you can install Exchange 2016.

The server you intend to deploy Exchange on, needs to be a domain member server.

To save you any hassle, make sure your intended server is fully updated.

The server needs .Net installing, the versions (at time of writing) are;

  • Exchange 2016 CU3 requires .Net 4.5.2 (or greater).
  • Exchange 2016 CU5 requires .Net 4.6.2 (or greater).
  • Exchange 2016 CU6 requires .Net 4.7.2 (or greater).

Exchange 2016 Roles/Features Windows Server 2016

As with previous versions of Exchange there’s a long list of roles and features that need to be added, open an administrative PowerShell window and run the following;

[box]

Install-WindowsFeature NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS, Server-Media-Foundation

[/box]

Exchange 2016 Roles/Features Windows Server 2012 (2012 R2)

As with previous versions of Exchange there’s a long list of roles and features that need to be added, open an administrative PowerShell window and run the following;

[box]

Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS

[/box]

You will also need to install the ‘Unified Communications Managed API 4.0 Runtime‘ software. Note: Not required if you are only installing the management tools.

Windows Server 2016 Only: You should already have update KB3206632 as we updated the server above, if you skipped that step you need to pre install that update, so update now!
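
A read-only pre-flight check for the prerequisites listed above: domain membership, the .Net version and any features still missing. This is an added example, not part of the original article; the function and variable names are assumptions, and the 'Release' thresholds are Microsoft's documented minimum registry values for .Net 4.5.2, 4.6.2 and 4.7.2.

```powershell
# Added example: read-only pre-flight check, it installs nothing.
function Test-ExchangePrereq {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string[]]$Features,   # names from the Install-WindowsFeature line
        [Parameter(Mandatory = $true)][int]$MinNetRelease    # minimum .Net 'Release' registry value
    )

    # .Net Framework 4.x records its version as a 'Release' DWORD under this key.
    $netKey  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $netKey -Name Release -ErrorAction SilentlyContinue).Release

    # Trim and de-duplicate the list, then ask the server which features it knows about.
    $wanted     = @($Features | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Select-Object -Unique)
    $found      = @(Get-WindowsFeature -Name $wanted -ErrorAction SilentlyContinue)
    $foundNames = @($found | ForEach-Object { $_.Name })

    [pscustomobject]@{
        DomainJoined    = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
        NetRelease      = $release
        NetOk           = ($null -ne $release -and $release -ge $MinNetRelease)
        MissingFeatures = @($found | Where-Object { -not $_.Installed } | ForEach-Object { $_.Name })
        UnknownFeatures = @($wanted | Where-Object { $foundNames -notcontains $_ })   # not offered by this OS version
    }
}

# Minimum 'Release' values for the .Net versions the article lists per CU.
$minNetRelease = @{
    'CU3' = 379893   # .Net 4.5.2
    'CU5' = 394802   # .Net 4.6.2
    'CU6' = 461808   # .Net 4.7.2
}

# The Windows Server 2016 feature list from the article.
$features2016 = @(
    'NET-Framework-45-Features', 'RPC-over-HTTP-proxy', 'RSAT-Clustering',
    'RSAT-Clustering-CmdInterface', 'RSAT-Clustering-Mgmt', 'RSAT-Clustering-PowerShell',
    'Web-Mgmt-Console', 'WAS-Process-Model', 'Web-Asp-Net45', 'Web-Basic-Auth',
    'Web-Client-Auth', 'Web-Digest-Auth', 'Web-Dir-Browsing', 'Web-Dyn-Compression',
    'Web-Http-Errors', 'Web-Http-Logging', 'Web-Http-Redirect', 'Web-Http-Tracing',
    'Web-ISAPI-Ext', 'Web-ISAPI-Filter', 'Web-Lgcy-Mgmt-Console', 'Web-Metabase',
    'Web-Mgmt-Service', 'Web-Net-Ext45', 'Web-Request-Monitor', 'Web-Server',
    'Web-Stat-Compression', 'Web-Static-Content', 'Web-Windows-Auth', 'Web-WMI',
    'Windows-Identity-Foundation', 'RSAT-ADDS', 'Server-Media-Foundation'
)

Test-ExchangePrereq -Features $features2016 -MinNetRelease $minNetRelease['CU6']
```

On Windows Server 2012 (2012 R2) pass the second feature list instead; anything reported under UnknownFeatures is a name that OS version does not offer.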

Installing Exchange 2016

If you downloaded the Exchange media as a .iso file mount it and let it autoplay. If you extracted the software run Setup.exe. The first thing it will do is look to see if it has any updates.

Files will get copied over > Next > You will be presented with an introduction > Next.

Accept the EULA > Next > I usually just accept the recommended settings > Next.

Select either Mailbox server, Edge Transport server, or just the management tools > Next > Select the location that you want to install Exchange to > Next.

Note: Although in the example below, I’m using the ‘C:’ drive, for production I would always install Exchange onto a separate volume to the OS.

I usually accept the default organisation name of ‘First Organisation’ you can change it if you wish, but choose wisely because you can’t change it once installed > Next > Unless you have a specific requirement to disable the built in malware protection, leave it enabled > Next.

Exchange now does a quick check to make sure it’s happy to progress, you will always get a couple of warnings, if it complains about anything else rectify it and click ‘recheck’, once you are happy click Next.

Setup progress takes ages! Seriously go to lunch at this point > Next > Once completed I’ve ticked the box to open the Exchange Admin Center, but nearly every time I’ve done this it fails. Your best bet is to reboot the server, go and have a coffee then come back and open a browser window and navigate to https://{server-FQDN}/ecp

In Part 3, we will look at post install tasks.

Related Articles, References, Credits, or External Links

How To Install Exchange 2016 (Greenfield Site) – Part 1

Windows Server 2012 – Deploying SSTP VPNs

KB ID 0000819

Problem

SSTP gives you the ability to connect to your corporate network from any location that has an internet connection, and is not filtering https. This port is usually open for normal secure web traffic. Traditional VPN connections require ports and protocols to be open for them to work, which makes a solution that runs over TCP port 443 attractive.

Thoughts: While I can see why this is a good idea, Microsoft has basically changed some existing protocols so they work on a port that won’t be blocked by most firewalls. This is not a new approach, (Microsoft did it before with RPC over HTTP). I can’t help feeling that the more traffic we push over ports 80 and 443, sooner or later security/firewall vendors are going to statefully inspect/block traffic that isn’t supposed to be on that port. (If you think ‘that would never happen!’ Try running an Exchange Server through a Cisco firewall with SMTP inspection turned on). Anyway, it’s there, I’ve been asked to do a walkthrough, so read on.

Solution

I’ve got a Windows 2012 Server already setup, it’s a domain controller, and is running DNS. You don’t have to have the same server running SSTP/RRAS but in this lab environment that’s what I’m doing. In addition my remote VPN clients will get an IP address from my normal corporate LAN.

1. On the server I have two network cards installed, the first (NIC1) is the normal network connection for the server, the second (NIC2) will be the one that the remote clients get connected to (once they have authenticated to NIC1).

2. Make sure the Internet facing NIC has good comms, and works OK.

3. NIC2 as you can see, does not even need a default gateway.

Windows Server 2012 Add Certificate Services

I’m going to use a ‘self signed’ certificate, if you have purchased one, then skip this section.

4. From Server Manager (ServerManager.exe) > Add Roles and Features > Next > Next > Next > Select > Active Directory Certificate Services.

5. Add Features > Next > Next > Next > Tick ‘Certificate Authority Web Enrolment’.

6. Add Features > Next > Next > Next > Install > Close > From the warning (top right) > Configure Active Directory Certificate Services on this server.

7. Next.

8. Select both Certificate Authority and Certificate Authority Web Enrolment > Next.

9. Next > Next > Next > Next > Next > Next > Next > Configure > Close > Close Server Manager.

10. Open a Microsoft Management Console.

11. File > Add Remove Snap-in > Certificate Authority > Add > Local computer > Finish > OK.

12. Drill down to Certificate Templates > Manage.

13. From the list that appears locate IPsec > Right Click > Duplicate Template.

14. General tab > Change the name to SSTP-VPN.

15. Request Handling tab > Tick ‘Allow private key to be exported’.

16. Subject Name tab > Tick ‘Supply the request’ > Click OK when prompted.

17. Extensions Tab > Select the Application Policies entry > Edit.

18. Add > Locate the ‘Server Authentication’ policy > OK > OK > Apply > OK > Close the Certificate Template console.

19. From the Certificate templates Folder > New > Certificate Template Issue.

20. Locate the SSTP-VPN entry > OK > Close the MMC.

SSTP Firewall Setup

In this example my server is behind a corporate firewall. If yours is internet facing then you may simply want to add an exception/rules for allowing https/TCP443. My server will ultimately have a public IP address that resolves to its public name (vpn.pnl.com) so I just need to allow the ports in. If your server does not have its own public IP address, then you may need to setup port forwarding instead. You will see later I’m also going to use TCP 80 (normal HTTP) to access my certificate services remotely, so I’ve got that open as well. You may want to access certificate services via HTTPS instead in a corporate environment.

21. On this server I’m simply going to disable the firewall > Start > Run > firewall.cpl {enter} > Turn Windows Firewall on or off > Set as appropriate.

Grant users SSTP VPN/Dial-in rights.

22. Make sure that any user who wants to access the SSTP VPN has had their Dial-in set to ‘allow access’.

Windows 2012 Server Install and Configure RRAS for SSTP

23. From Server Manager (ServerManager.exe) > Add Roles and Features > Next > Next > Next > Select > Network Policy and Access Services.

24. Add Features > Next > Next > Next > Next > Install > Close.

25. Back at Server Manager (ServerManager.exe) > Add Roles and Features > Next > Next > Next > Select ‘Remote Access’.

26. Add Features > Next > Next > Next > Tick ‘Routing’ > Next > Install.

27. Close.

Note: At this point you may see the warning that there are additional steps to take, (to configure routing and remote access), if so you can launch and then close this wizard because we will do it manually.

28. Close Server Manager > Open a new MMC > File > Add/Remove Snap-in > Certificates > Add > Computer account > Finish > OK.

29. Expand Personal > Certificates > All Tasks > Request New Certificate.

30. Locate the SSTP-VPN entry > Click the ‘More information required..’ link.

31. Change the Type to common name > Enter the public name of the SSTP VPN server > Add > OK.

Note: This will be the common name on the certificate, i.e. vpn.pnl.com, which will need a public A/Host record creating for it in your public DNS, (speak to your ISP or DNS hosting company). That way when your remote clients go to https://vpn.pnl.com they won’t get an error, (providing you imported the root cert correctly on THAT machine).

32. Tick the certificate > Enrol.

33. Finish > Close the MMC.

34. Windows Key+R > rrasmgmt.msc > OK.

35. Right click the server > Configure and Enable Routing and Remote Access.

36. At the Wizard > Next > Next > Tick VPN > Next.

37. Select NIC1, In this case I’m unticking the ‘Enable security’ option, (or it disables RDP and locks the NIC down) > Next.

38. I’m going to use this server so select the bottom option > Next.

39. New > Create a range of IP addresses. (Note: You may need to exclude these from your existing DHCP scope) > OK > Next.

40. Next.

41. Finish > OK > OK > At this point you will see the services restarting.

42. Right click the server > Properties.

43. Security tab > Change the certificate to the one we created > Apply > Yes > OK > Close the console.

Windows Server 2012 – Connect to SSTP from a Remote Client

At this point I have the correct ports open on the firewall, and I’m on a Windows 7 client outside the corporate network.

44. Because we are using a self signed certificate, we need to get the client to trust it. We can give the user the root certificate, or they can connect and download it, here I’m connecting to the Certificate Services web portal. Note: Remember that’s on the same server.

45. Supply your domain credentials > OK > Download a CA Certificate > Download CA Certificate > Save As.

46. Put the certificate somewhere, and call it something sensible.

47. Now launch an MMC on the client machine, and add the certificate snap-in (for ‘computer account’).

48. Drill down to Trusted Root Certification authorities > Certificates > All Tasks > Import > Navigate to, and select the certificate you just downloaded.

Note: If you double click the cert and import it manually, then it gets put into the user account NOT the computer account, and this will cause you problems. (Error 0x800b0109).

Registry Key Required for SSTP Access

The title is not really true, but as we are using a self signed certificate the client cannot check the CRL for the CA. Even with some purchased certificates you may need to do this.

49. Open the registry editor and navigate to:

[box]
HKLM > SYSTEM > CurrentControlSet > services > SstpSvc > Parameters
[/box]

50. Create a new 32 bit DWORD called NoCertRevocationCheck and set its value to 1 (one).
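
A read-only check of the two client-side settings from steps 48 to 50: which store holds the root CA certificate, and whether revocation checking has been switched off for SSTP. This is an added example, not part of the original article; the function name is an assumption and the thumbprint is your own root CA's. With NoCertRevocationCheck set to 1 the client no longer detects a revoked server certificate, so it is worth knowing which machines carry the value.

```powershell
# Added example: audits an SSTP client, changes nothing. Run from an elevated PowerShell window.
function Test-SstpClientTrust {
    [CmdletBinding()]
    param(
        # SHA-1 thumbprint of your own root CA certificate (spaces are ignored).
        [Parameter(Mandatory = $true)][string]$RootCaThumbprint
    )

    $thumb = ($RootCaThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($thumb.Length -ne 40) { throw 'Expected a 40-character SHA-1 thumbprint.' }

    # Step 48: the root must be in the COMPUTER store; a user-store import gives 0x800b0109.
    $inComputerStore = Test-Path -Path "Cert:\LocalMachine\Root\$thumb"
    $inUserStore     = Test-Path -Path "Cert:\CurrentUser\Root\$thumb"

    if     ($inComputerStore) { $trust = 'OK: root CA is in the computer store' }
    elseif ($inUserStore)     { $trust = 'PROBLEM: root CA is only in the user store (expect 0x800b0109)' }
    else                      { $trust = 'PROBLEM: root CA is not trusted on this machine' }

    # Steps 49-50: a value of 1 turns off certificate revocation checking for SSTP on this client.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
    $value = (Get-ItemProperty -Path $key -Name NoCertRevocationCheck -ErrorAction SilentlyContinue).NoCertRevocationCheck

    [pscustomobject]@{
        Computer                = $env:COMPUTERNAME
        RootCaTrust             = $trust
        NoCertRevocationCheck   = $value          # empty when the value has never been created
        RevocationCheckDisabled = ($value -eq 1)
    }
}

# Usage (replace the argument with the thumbprint shown on your root CA certificate's Details tab):
# Test-SstpClientTrust -RootCaThumbprint '<40 hex characters>'
```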

Setup a SSTP VPN Connection

51. Open the Network and sharing Center.

52. Setup a new connection or network.

53. Connect to a workplace.

54. Use my Internet Connection.

55. Supply the Internet Address (that matches the common name you used above) > Next.

56. Supply your domain credentials > Connect.

57. Connected successfully.

Note: If it fails at this point, it usually gives you an error code you can Google, or it gives you the option of logging for you to troubleshoot.

58. Just to prove I’m connected, this client can ping the SSTP servers private address.

 

Related Articles, References, Credits, or External Links

NA

Windows Server 2012 – Install and Configure an FTP Server

KB ID 0000847

Problem

FTP might be an ages old solution for moving files around, but a lot of people swear by it. With Windows Server it’s still supported, even if it is hidden as a ‘role service’.

Solution

Create a Security Group For Domain FTP Access

Note: For a Standalone/Workgroup server see below for setting up users and groups.

1. Launch Server Manager > Tools > Active Directory Administrative Center.

2. New > Group.

3. Give the group a sensible name.

4. Here I’m going to create a user to test with, in production you would just use the domain users who you want to give access to.

5. I will simply create a user called ‘ftpuser’.

6. Add the domain user(s) to your new security group.

7. Create a folder that will be the ‘root’ of your FTP site.

8. Grant your security group rights to this folder (Note: By default they will only get Read rights, you will need to add ‘Write’ if you want your users to be able to ‘put’ files).

Create a Security Group For Workgroup / Standalone FTP Access

1. From Server Manager > Tools > Computer Management.

2. System Tools > Local Users and Groups > Groups.

3. Give the group a sensible name.

4. I’m going to create a test user called ftpuser, this is done in Local users and groups > Users.

5. Place the user(s) you want to grant access to, into your local security group.

6. Create a folder that will be the ‘root’ of your FTP site and open its properties.

7. On the Security tab > Advanced > Grant your security group rights to this folder (Note: By default they will only get Read rights, you will need to add ‘Write’ if you want your users to be able to ‘put’ files).

Windows Server 2012 Install FTP

1. From Server Manager > Tools > Add Roles and Features.

2. Next.

3. Next

4. Next

5. Select Web Server (IIS) > Select Add (when prompted) > Next.

6. Next

7. Next

8. Locate and Select FTP Server AND FTP Extensibility > Next.

9. Install

10. Close.

11. Reboot the server. This is because some of the firewall settings have a habit of not enabling until the server has restarted, this does not happen all the time, so you may be lucky and not need to reboot. But I’m a firm believer in ‘If something can go wrong, it will go wrong’.

Windows Server 2012 Configure FTP

1. Windows Key > Internet Information Services (IIS) Manager.

3. Expand the servername > Right click ‘Sites’ > Add FTP Site.

4. Give the site a name > Browse to the folder you are going to use as the FTP ‘root’ folder > Next.

5. Select No SSL (I’m not going to secure the site with web certificates) > Next.

6. Authentication = Basic > Allow Access to = Selected roles or user groups > Permissions = Select read and write as appropriate > Finish.

7. Windows Key+R > firewall.cpl > Allow an app or feature through Windows Firewall.

8. Ensure FTP Server is allowed for the ‘profile’ that your network card has been allocated.

9. Advanced Settings.

10. Incoming Rules.

11. There should be three FTP Settings, by default they should be enabled (for FTP Port 21, Passive Ports, and Secure FTP / TCP 990).

Windows 2012 FTP Server – Testing Access

1. You can test the firewall is open by opening a telnet session to the server on port 21;

[box]

telnet {ip address or name of server} 21

[/box]

2. This is what you should see (or in some cases a blinking cursor, if you are going through a firewall or device that suppresses response headers).

3. Or you can use a web browser and navigate to ftp://{ip address or name of the FTP server}.

4. Or from command line you can use the direct ftp command like so;

[box]

ftp {ip address or name of server}

[/box]
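
The telnet test above, scripted, with one extra question put to the server: does it accept AUTH TLS? A site created with ‘No SSL’ and Basic authentication sends usernames and passwords in clear text, so this is the quickest way to see what a client will actually get. This is an added example, not part of the original article; the function names are assumptions.

```powershell
# Added example: connects to the FTP control port, reads the greeting and asks for TLS.
# It does not log in and transfers nothing.
function Read-FtpReply {
    param([System.IO.StreamReader]$Reader)
    # A reply may span several lines ("220-..."); the final line is "NNN" plus a space and text.
    while ($null -ne ($line = $Reader.ReadLine())) {
        if ($line -match '^\d{3}( |$)') { return $line }
    }
    return $null
}

function Test-FtpControlChannel {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [int]$Port = 21,
        [int]$TimeoutMs = 5000
    )

    $result = [pscustomobject]@{
        Server = $Server; Port = $Port; PortOpen = $false
        Greeting = $null; AuthTlsReply = $null; TlsOffered = $false; Note = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $result.Note = 'Connect timed out (port filtered?)'
            return $result
        }
        $client.EndConnect($pending)      # throws if the connection was refused
        $result.PortOpen = $true

        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs  # covers the 'blinking cursor' case where no banner arrives
        $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
        $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
        $writer.NewLine   = "`r`n"
        $writer.AutoFlush = $true

        $result.Greeting = Read-FtpReply -Reader $reader      # normally a 220 line
        $writer.WriteLine('AUTH TLS')
        $result.AuthTlsReply = Read-FtpReply -Reader $reader  # 234 means the server will negotiate TLS
        $result.TlsOffered = ($result.AuthTlsReply -match '^234')
    }
    catch {
        $result.Note = $_.Exception.Message
    }
    finally {
        $client.Close()
    }
    $result
}

# Usage (replace with the name or IP address of your own FTP server):
# Test-FtpControlChannel -Server '{ip address or name of server}'
```

PortOpen true with an empty Greeting matches the suppressed-banner case described in step 2; TlsOffered false means credentials sent to this site travel unencrypted.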

Windows 2012 FTP Server – Testing External Access

To access the server externally (from the internet), requires your remote users to know either the public IP address or the public name of the server. In addition FTP (TCP Port 21) needs to be open to that IP address. This can be done by giving the server its own public IP address, or by Port Forwarding FTP from your public IP address to the private IP address of the FTP server. How that is done will differ depending on your firewall or router.

Note: If you have a Cisco Firewall, I’ll put the links you require on the bottom of the page.

1. Here I’m on an external machine, and I’m using FileZilla (a free FTP client) to connect to my FTP server.

2. Just to test I’ll drag a file to the FTP server, to make sure I can write/put files.

3. Here is the file uploaded.

4. Back on the server, in the ‘root’ folder you can see the file successfully uploaded.

 

Related Articles, References, Credits, or External Links

Cisco Firewall (ASA/PIX) – Granting Access to an FTP Server

Cisco PIX / ASA Port Forwarding

Add a Static (One to One) NAT Translation to a Cisco ASA 5500 Firewall

Windows Server 2008 R2 Deploying Applications with RemoteApp

KB ID 0000528

Problem

RemoteApp is a solution for delivering applications to your users from a Remote Desktop Services Server.

Why would you want to do this? Imagine you only had one copy of Office to update in your entire organisation when a new service pack or security update is released, or Adobe bring out a new version of Dreamweaver that’s on all your machines – you simply update the master copy on the RDS server, or redeploy new RemoteApps.

In the following example I’ll configure the server, and create a RemoteApp application (Word 2010) and finally, deploy it to my domain clients.

Client requirements: Windows XP (SP2), Windows Vista, Windows 7, Windows Server 2003 SP2, Windows Server 2008, and Windows Server 2008 R2.

Note: For XP and Server 2003 clients you need to have installed Remote Desktop Connection (Terminal Services Client 6.0).

Solution

1. On a 2008 R2 Server (that’s a domain member), Start > Run > CompMgmtLauncher.exe {enter} > Roles > Add Roles > Remote Desktop Services > Add the following “Role Services” > Remote Desktop Session Host > Remote Desktop Web Access > (If you do not have an RDS Licensing server add that also).

2. Select “Network Level Authentication” > Select your licensing mode > Add in the user(s) and/or group(s) you want to grant access to > Set your client experience options > Set the scope for the licensing server (per forest or per domain) > When complete let the server reboot.

3. If you do not already have a RDS Licensing server then activate the Licensing Server and follow the instructions. (Start > Administrative Tools > Remote Desktop Services > Remote Desktop Licensing Manager).

4. Then Start > Administrative Tools > Remote Desktop Services > Remote Desktop Session Host Configuration > Locate Licensing > And click the “Not Specified” > Then add in the licencing server you just activated.

5. Install and configure the applications you want to deploy. Then Start > Administrative Tools > Remote Desktop Services > RemoteApp Manager > Add RemoteApp Programs > Install and configure the desired application.

6. Add the computers that need access to RemoteApp(s) to the LOCAL group on the RDS server called “TS Web Access Computers”.

8. In the RemoteApp Manager select “Create Windows Installer Package” follow the instructions and put the resulting .msi file in a network share that your domain clients can access.

9. Send out the .msi file generated to your clients by group policy.

10. By default your deployed RemoteApps will be listed on the clients start menu under “Remote Programs”.

Related Articles, References, Credits, or External Links

Server 2008 – Terminal Server (Remote Desktop Services) Licensing

Server 2008 R2 Install and Configure Remote Desktop Services (Web Access)

Windows ‘ Error while installing WebDAV IIS Version 7.0 is required’

KB ID 0000293 

Problem

I had this error in Windows Server 2008 R2, though you will see the same on Windows 7, you may assume you are running IIS 7, but you are actually running IIS 7.5.

Error: IIS Version 7.0 is required to use this product

Thankfully you don’t have to download another version of WebDAV you just need to enable it.

Solution

You need to enable WebDAV, it’s now a “feature”.

Windows 7 Enable WebDAV

1. Start > Run > appwiz.cpl {enter} > Turn Windows Features on or off > Expand World Wide Web Service > Expand Common HTTP Features > Select WebDAV Publishing > OK.

Windows Server 2008 R2 Enable WebDAV

1. Launch Server Manager > Roles > Web Server (IIS) > Add Role Services > Below Common HTTP Features > Select WebDAV Publishing > Next > Install.

Then you can manage WebDAV Authoring rules in Internet Information Services (IIS) Manager.

 

Related Articles, References, Credits, or External Links

NA

Deploying Exchange 2013

Part Two – Prerequisites for Windows Server 2008 R2

KB ID 0000717

Problem

Originally I was just going to write a ‘Prerequisite for Exchange 2013’ article, but the needs of Windows Server 2008 R2 are so much greater than those of Windows Server 2012, I split them up. With that in mind, I’d suggest you use Windows Server 2012 rather than 2008 R2. (It will be supported for longer).

But if you are determined read on.

Solution

Planning ‘Time spent on reconnaissance is seldom wasted’

If you are going to deploy Exchange 2013 within your organisation, then you either already have Exchange (or another mail server product), or it’s a ‘Greenfield Site’.

You already have Exchange

Coexistence with Exchange 2003 is not supported, before you consider bringing in Exchange 2013, you will need to migrate to Exchange 2010, (a migration to Exchange 2007 would also work, but Exchange 2010 would be more sensible). Exchange 2013 Server can coexist in the same Exchange environment with both Exchange 2007 and Exchange 2010.

Exchange 2003 to 2010 Transition “Swing Migration”

Make sure you have the DVD or ISO file for Exchange 2013, you don’t want to download a 3.5GB file at a client’s site through a slow ADSL link! Also the prerequisite software is pretty big, get all that burned to disk, or on a USB drive before you start.

Software Requirements

Well we are installing on Server 2008 R2 (Standard/Enterprise or Datacenter, though if you plan to deploy this server as part of a DAG Group, it needs to be Enterprise/Datacenter), so what else would you need to worry about? How about backup software? Does your current backup solution support Exchange 2013? Also check with your anti-virus/antispam vendor that 2013 won’t be a problem. Do you have any mail archiving software, custom email signature software etc? Take a good look at the software packages in your existing mail system to make sure.

Outlook Client Access: Be aware your clients need to be using the following versions of Outlook BEFORE you migrate them.

  • Outlook 2013.
  • Outlook 2010 (With SP1 and this update).
  • Outlook 2007 (With SP3 and this update).
  • Outlook for Mac 2011.
  • Entourage 2008 for Mac, Web Services Edition.

Hardware Requirements

1. CPU: As you’re planning on deploying with Windows Server 2008 R2 you will already have a server with an x64 bit CPU to deploy Exchange 2013 on, though IA64 is NOT supported.

2. RAM: This is dependent on what roles the server will have, for a Client Access Server the recommendation is 4GB, for a Mailbox Server it’s 8GB. And if the server will hold both roles the figure remains at 8GB. Though if I were deploying an Exchange 2013 Server in anger I would start at 12GB for a small (less than 80 mailboxes) deployment and work upwards.

3. Disk Space: The drive which will hold the Exchange program files needs 30GB free space (that seems like a lot!) then there are some smaller figures you need to add up,

500MB per Unified Messaging Language Pack you are going to deploy.
200MB free on the server’s system (OS) drive.
500MB free on the drive that will house the message queue database.

If the server will be a Mailbox server then it will need sufficient room to store the mailbox/public folder databases.

4. DVDROM Drive: Actually this is not really a requirement, but I’m mentioning it because a few modern servers ship without DVDROM drives now. You don’t want to go to site with a disk and look like a clown! Exchange 2013 will deploy quite happily from an ISO image. (If in doubt use 7ZIP to extract the ISO to a folder, and take that with you).

Pre Deployment – Environment

1. The Windows 2008 R2 server should be at least SP1. (If in doubt, Windows Key+R > winver {enter}).

2. Your forest functional level should be at least Windows Server 2003. To see your forest functional level, Windows Key > Active Directory Domains and Trusts > Action > Raise Forest Functional Level.

3. The domain controller that is holding the Schema Master FSMO role in your domain, needs to be at least Windows Server 2003 SP2. To see which server is the schema master server, run the following command;

[box]netdom query /domain:YOURDOMAINNAME fsmo[/box]

Note: In this example, I’m on a standalone server, that’s also a domain controller (not recommended for production environments!). In a live environment you may need to plan in some downtime to update the schema master.

4. The server you are deploying on, must already be a member of your domain.

5. Run Windows Update, and make sure the server is fully up to date.

6. You will need to install both .Net 4.5 and Windows Management Framework 3.0 (That’s new WMI and PowerShell 3 in case you were wondering). (Note: you need the Windows6.1-KB2506143-x64 version).

Note: These two pieces of software are needed on the server that will prepare the Active Directory, so they are not strictly prerequisites for Exchange 2013.

7. The Exchange 2013 Server needs the AD DS (RSAT) administration tools installing. To do that simply run the following command;

[box]Add-WindowsFeature RSAT-ADDS[/box]

Note: If you skipped step 6 then you will see the following error;

The term ‘Add-WindowsFeature’ is not recognized as the name of a cmdlet function, script file, or operable program.

Pre Deployment – Roles Required

Like previous versions of Exchange, you need to add certain roles to the server before you can install the product. Which roles you need depends on whether you are deploying a server with the client access server role, or the mailbox server role (Note: if the server will hold BOTH roles, then the roles for mailbox server will cover both.)

Mailbox Server (Or Mailbox Server with Client Access Server) – Roles Required

1. Issue the following PowerShell command;

[box]Import-Module ServerManager[/box]

2. Issue the following PowerShell command;

[box]Add-WindowsFeature Desktop-Experience, NET-Framework, NET-HTTP-Activation, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Web-Server, WAS-Process-Model, Web-Asp-Net, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI [/box]

3. After running this command you may need to reboot.

4. Once complete you need to install the Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit.

5. Then install the Microsoft Office 2010 Filter Pack 64 bit

6. Then install the Microsoft Office 2010 Filter Pack SP1 64 bit

Note: At time of writing there is no Office 2013 Filter pack. I suspect that when it is released, it will need installing instead of the Office 2010 version, (that’s what happened with Exchange 2010 anyway).

7. Then install the Windows Identity Foundation (KB974405). Note: Download Windows6.1-KB974405-x64.msu

8. Then install the update from Knowledge Base article KB2619234 (Enable the Association Cookie/GUID that is used by RPC over HTTP to also be used at the RPC layer in Windows 7 and in Windows Server 2008). Note: This update requires a reboot.

9. Then install the update from Knowledge Base article KB2533623 (Insecure library loading could allow remote code execution). If you are fully up to date you may find that this update will not be applicable to your system, and you will see the following popup.

Client Access Server Only – Roles Required

The only difference for a server running the Client Access Role is that .Net 4.5 and the Windows Management Framework are not requirements. However, if you have been following all the steps you will already have them installed, and having them installed will cause you no problems. So, follow all the same steps, and install all the roles and software that is required for the ‘Mailbox/Combined Mailbox and Client Access Server’.

Related Articles, References, Credits, or External Links

Deploying Exchange 2013 – Part One – Prerequisites for Windows Server 2012

Deploying Exchange 2013 – Part Three – Deploying Exchange 2013 On a ‘Greenfield Site’

 

Deploying Exchange 2013

Part One – Prerequisites for Windows Server 2012

KB ID 0000716 

Problem

Originally I was just going to write a ‘Prerequisite for Exchange 2013’ article, but the needs of Windows Server 2008 R2 are so much greater, I split them up.

Solution

Planning ‘Time spent on reconnaissance is seldom wasted’

If you are going to deploy Exchange 2013 within your organisation, then you either already have Exchange (or another mail server product), or it’s a ‘Greenfield Site’.

You already have Exchange

Coexistence with Exchange 2003 is not supported. Before you consider bringing in Exchange 2013, you will need to migrate to Exchange 2010 (a migration to Exchange 2007 would also work, but Exchange 2010 would be more sensible). Exchange 2013 Server can coexist in the same Exchange environment with both Exchange 2007 and Exchange 2010.

Exchange 2003 to 2010 Transition “Swing Migration”

Warning: Even at Exchange 2010 – You cannot upgrade to Exchange 2013 without Service Pack 3.

Make sure you have the DVD or ISO file for Exchange 2013, you don’t want to download a 3.5GB file at a client’s site through a slow ADSL link! Also the prerequisite software is pretty big, get all that burned to disk, or on a USB drive before you start.

Software Requirements

Well we are installing on Server 2012 (Standard or Datacenter) so what else would you need to worry about? How about backup software? Does your current backup solution support Exchange 2013? Also check with your anti-virus/antispam vendor that 2013 won’t be a problem. Do you have any mail archiving software, custom email signature software etc? Take a good look at the software packages in your existing mail system to make sure.

Outlook Client Access: Be aware your clients need to be using the following versions of Outlook BEFORE you migrate them.

  • Outlook 2013.
  • Outlook 2010 (With SP1 and this update).
  • Outlook 2007 (With SP3 and this update).
  • Outlook for Mac 2011.
  • Entourage 2008 for Mac, Web Services Edition.

Hardware Requirements

1. CPU: As you’re planning on deploying with Windows Server 2012 you will already have a server with an x64 bit CPU to deploy Exchange 2013 on, though IA64 is NOT supported.

2. RAM: This is dependent on what roles the server will have, for a Client Access Server the recommendation is 4GB, for a Mailbox Server it’s 8GB. And if the server will hold both roles the figure remains at 8GB. Though if I were deploying an Exchange 2013 Server in anger I would start at 12GB for a small (less than 80 mailboxes) deployment and work upwards.

3. Disk Space: The drive which will hold the Exchange program files needs 30GB free space (that seems like a lot!) then there are some smaller figures you need to add up,

500MB per Unified Messaging language pack you are going to deploy.
200MB free on the server’s system (OS) drive.
500MB free on the drive that will house the message queue database.

If the server will be a Mailbox server then it will need sufficient room to store the mailbox/public folder databases.

4. DVDROM Drive: Actually this is not really a requirement, but I’m mentioning it because a few modern servers ship without DVDROM drives now. You don’t want to go to site with a disk and look like a clown! Exchange 2013 will deploy quite happily from an ISO image. (If in doubt use 7ZIP to extract the ISO to a folder, and take that with you).

Pre Deployment – Environment

1. The Windows 2012 server should be at least RTM, and should NOT be pre-release (If in doubt, Windows Key+R > winver {enter}). The build number should be at least 9200.

2. Your forest functional level should be at least Windows Server 2003. To see your forest functional level, Windows Key > Active Directory Domains and Trusts > Action > Raise Forest Functional Level.

3. The domain controller that is holding the Schema Master FSMO role in your domain, needs to be at least Windows Server 2003 SP2. To see which server is the schema master server, run the following command;

[box] netdom query /domain:YOURDOMAINNAME fsmo [/box]

Note: In this example, I’m on a standalone server, that’s also a domain controller (not recommended for production environments!). In a live environment you may need to plan in some downtime to update the schema master.

4. The server you are deploying on, must already be a member of your domain.

5. Run Windows Update, and make sure the server is fully up to date. You will find Windows Update in Server Manager > Local Server.

6. Windows Server 2012 comes pre installed with .Net 4.5 and Windows Management Framework 3.0 (That’s new WMI and Powershell 3 in case you were wondering). So there’s nothing to do for this step, I only mention it for completeness.

7. The Exchange 2013 Server needs the AD DS (RSAT) administration tools installing. To do that simply run the following command;

[box] Install-WindowsFeature RSAT-ADDS [/box]

Note: As previously stated, the server used in the example above is a domain controller, so it already had the tools installed, hence the NoChangeNeeded exit code.
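The environment steps above and the disk figures from the hardware requirements can be checked in one pass before a site visit. This is an added example, not the author's script; it assumes you are logged on with a domain account and that Exchange will be installed on C: (the `$ExchangeDrive` value and the `Add-Check`/`Get-FreeBytes` helpers are hypothetical names).

```powershell
# Added example, not the author's script. Run in an elevated Windows PowerShell
# session on the prospective Exchange 2013 server (Windows Server 2012).
# Assumption: Exchange program files will go on C: (edit $ExchangeDrive if not).
$ExchangeDrive = 'C:'
$checks = @()

function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $script:checks += New-Object psobject -Property @{ Check = $Name; Pass = $Pass; Detail = $Detail }
}
function Get-FreeBytes([string]$Drive) {
    (Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$Drive'").FreeSpace
}

# Step 1: Server 2012 RTM is build 9200.
$build = [Environment]::OSVersion.Version.Build
Add-Check 'OS build >= 9200' ($build -ge 9200) "build $build"

# Step 4: the server must already be a domain member.
$cs = Get-CimInstance Win32_ComputerSystem
Add-Check 'Domain member' $cs.PartOfDomain $cs.Domain

# Disk space figures from the hardware requirements.
$exFree = Get-FreeBytes $ExchangeDrive
Add-Check "30GB free on $ExchangeDrive" ($exFree -ge 30GB) ('{0:N1} GB free' -f ($exFree / 1GB))
$sysFree = Get-FreeBytes $env:SystemDrive
Add-Check "200MB free on $env:SystemDrive" ($sysFree -ge 200MB) ('{0:N1} GB free' -f ($sysFree / 1GB))

# Steps 2 and 3: forest functional level and schema master, read through .NET
# so no extra module is required. Only meaningful when step 4 passed.
if ($cs.PartOfDomain) {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $mode   = "$($forest.ForestMode)"
    $tooOld = 'Windows2000Forest', 'Windows2003InterimForest' -contains $mode
    Add-Check 'Forest level >= 2003' (-not $tooOld) $mode
    $sm = $forest.SchemaRoleOwner
    # Reports the OS name only; confirm the service pack level on the DC itself.
    Add-Check 'Schema master located' ($sm -ne $null) "$($sm.Name) ($($sm.OSVersion))"
}

# Step 7: AD DS administration tools.
$rsat = Get-WindowsFeature -Name RSAT-ADDS
Add-Check 'RSAT-ADDS installed' $rsat.Installed "$($rsat.InstallState)"

$checks | Select-Object Check, Pass, Detail | Format-Table -AutoSize
```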

Pre Deployment – Roles Required

Note: From THIS POINT FORWARD, all roles can now be installed with the RTM release of Exchange 2013 during setup. The following will only need to be carried out if you are installing the pre-release version of Exchange 2013.

Like previous versions of Exchange, you need to add certain roles to the server before you can install the product. Which roles you need depends on whether you are deploying a server with the client access server role, or the mailbox server role (Note: if the server will hold BOTH roles, then the roles for mailbox server will cover both.)

Client Access Server Only – Roles Required

1. Issue the following PowerShell command;

[box] Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation [/box]

2. After running this command you may need to reboot.

3. Once complete you need to install the Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit.

Mailbox Server (Or Mailbox Server with Client Access Server) – Roles Required

1. Issue the following PowerShell command;

[box] Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation[/box]

2. After running this command you may need to reboot.

3. Once complete you need to install the Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit.

 

4. Download and Install the Microsoft Office 2010 Filter Pack 64 bit

5. Download and Install the Microsoft Office 2010 Filter Pack SP1 64 bit

Note: At time of writing there is no Office 2013 Filter pack. I suspect that when it is released, it will need installing instead of the Office 2010 version, (that’s what happened with Exchange 2010 anyway).
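After the Install-WindowsFeature command and any reboot, it is worth confirming that every requested feature actually reports as installed before starting Exchange setup. The following is an added example, not the author's script; the variable names are hypothetical and the feature list is the Mailbox-role list from the command above.

```powershell
# Added example, not the author's script. Run elevated on Windows Server 2012.
# $requested is the Mailbox-role list from the command above, pasted as-is.
$requested = @'
AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features,
RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface,
Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth,
Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression,
Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing,
Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase,
Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor,
Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth,
Web-WMI, Windows-Identity-Foundation
'@

# Split on commas/whitespace and drop repeats (Web-Mgmt-Console appears twice).
$names = $requested -split '[,\s]+' | Where-Object { $_ } | Sort-Object -Unique

# Names that do not exist on this OS (for example 2008 R2 names on 2012)
# return no object (any error is suppressed here), so compare what came back
# with what was asked for.
$found      = @(Get-WindowsFeature -Name $names -ErrorAction SilentlyContinue)
$foundNames = @($found | Select-Object -ExpandProperty Name)
$unknown    = @($names | Where-Object { $foundNames -notcontains $_ })
$missing    = @($found | Where-Object { -not $_.Installed })

# 'Removed' means the payload is not on disk and the install needs a source.
$missing | Select-Object Name, InstallState | Format-Table -AutoSize
if ($unknown) { Write-Warning "Not valid on this OS: $($unknown -join ', ')" }

# Servicing sets this key when a restart is outstanding (step 2).
$cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
$rebootPending = Test-Path $cbs

"{0} requested, {1} installed, {2} missing, {3} unknown, reboot pending: {4}" -f `
    $names.Count, ($found.Count - $missing.Count), $missing.Count, $unknown.Count, $rebootPending
```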

Related Articles, References, Credits, or External Links

Deploying Exchange 2013 – Part Two – Prerequisites for Windows Server 2008 R2

How To Install Exchange 2016 (Greenfield Site)

Exchange 2010 (c/w SP1) Install – Greenfield Site

(Installing on Server 2008 R2)

KB ID 0000416

Problem

Microsoft have not only slipstreamed the service pack into the install media, they have (Finally!) got the install routine to put in all the usual pre-requisites, roles, and features, that you had to do yourself before. (With the exception of the Microsoft 2010 filter pack, but even then you can do that after the install).

The procedure below was done on a single server in a test environment, to demonstrate the simplified procedure. It IS NOT good practice to install Exchange (any version) on a domain controller.

Solution

Before Site Visit

1. Have your install media downloaded and ready to go (Make sure you also have the unlock codes for Exchange – or you will have 119 days to licence it, post install).

2. Does your current anti virus solution support Exchange 2010? Do you need an upgrade?

3. Does your current backup software support Exchange 2010? Do you need to purchase extra remote agents or updates?

Before Deploying Exchange 2010

1. Depending on what documentation you read, some say that the global catalog server(s) in the current site need to be at least Server 2003 SP2. Other documentation says the schema master needs to be at least Server 2003 SP2. Let’s hedge our bets, and make sure that ALL the domain controllers are at least Server 2003 SP2 🙂

2. Your domain and forest functional levels need to be at Windows Server 2003.

3. Don’t forget – your server needs to be x64 bit (the video below was shot on a Server 2008 R2 server).

4. Make sure both the server you are installing on, and the Windows domain, are happy (get into the event viewers of your servers and have a good spring clean before deploying Exchange 2010).

5. Install the Office 2010 Filter Pack, and the Office 2010 Filter Pack Service Pack 1.

6. Install the roles required with the following PowerShell Commands;

[box]Import-Module ServerManager[/box]

For Client Access, Hub Transport, and the Mailbox roles issue the following command;

[box]Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy,Web-WMI -Restart[/box]

For Client Access and Hub Transport server roles issue the following command;

[box]Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy,Web-WMI -Restart[/box]

For only the Mailbox role issue the following command;

[box]Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server -Restart[/box]

For only the Unified Messaging role issue the following command;

[box]Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Desktop-Experience -Restart[/box]

For only the Edge Transport role issue the following command;

[box]Add-WindowsFeature NET-Framework,RSAT-ADDS,ADLDS -Restart[/box]

7. Set the Net.Tcp Port Sharing Service for Automatic startup by running the following command;

[box]Set-Service NetTcpPortSharing -StartupType Automatic[/box]

Exchange 2010 (c/w SP1) Install – Greenfield Site

The single best thing Microsoft has done with the SP1 install media, is to include this tick box.

Related Articles, References, Credits, or External Links

How To Install Exchange 2016 (Greenfield Site)