
For the recent and upcoming posts I keep needing freshly installed Exchange Server SE machines. Here are the steps required to install it from the command line / by script.
Preparing the domain
Required permissions
- Member of "Enterprise Admins" (German: "Organisations-Admins")
- Member of "Schema Admins" (German: "Schema-Admins")
.\Setup.EXE /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareAD /OrganizationName:"Binford Tools"
# Create DNS zones for Split DNS
Add-DnsServerPrimaryZone -Name owa.binfordtools.org -DynamicUpdate None -ReplicationScope Forest
Add-DnsServerPrimaryZone -Name autodiscover.binfordtools.org -DynamicUpdate None -ReplicationScope Forest
# Create A records for Split DNS
Add-DnsServerResourceRecordA -Name "." -IPv4Address "192.168.51.20" -ZoneName owa.binfordtools.org
Add-DnsServerResourceRecordA -Name "." -IPv4Address "192.168.51.20" -ZoneName autodiscover.binfordtools.org
Microsoft Exchange Server Subscription Edition Unattended Setup
Copying Files…
File copy complete. Setup will now collect additional information needed for installation.

Performing Microsoft Exchange Server Prerequisite Check
Prerequisite Analysis 100%

Setup will prepare the organization for Exchange Server Subscription Edition by using 'Setup /PrepareAD'. No Exchange
Server 2016 roles have been detected in this topology. After this operation, you will not be able to install any
Exchange Server 2016 roles.
For more information, visit: https://learn.microsoft.com/Exchange/plan-and-deploy/deployment-ref/ms-exch-setupreadiness-NoE16ServerWarning?view=exchserver-2019

Setup will prepare the organization for Exchange Server Subscription Edition by using 'Setup /PrepareAD'. No Exchange
Server 2013 roles have been detected in this topology. After this operation, you will not be able to install any
Exchange Server 2013 roles.
For more information, visit: https://learn.microsoft.com/Exchange/plan-and-deploy/deployment-ref/ms-exch-setupreadiness-NoE15ServerWarning?view=exchserver-2019

Configuring Microsoft Exchange Server
Organization Preparation COMPLETED

The Exchange Server setup operation completed successfully.
Installing Exchange Server Subscription Edition
Required permissions
- Member of the (local) Administrators group on the new Exchange server
- Member of the "Organization Management" group (German: "Organisationsverwaltung")
Installing the prerequisites
- Visual C++ Redistributable Package for Visual Studio 2012: Download Visual C++ Redistributable for Visual Studio 2012 Update 4 from Official Microsoft Download Center
- Visual C++ Redistributable Package for Visual Studio 2013: Update for Visual C++ 2013 Redistributable Package – Microsoft-Support
- Unified Communications Managed API 4.0: Download Unified Communications Managed API 4.0 Runtime from Official Microsoft Download Center
- IIS URL Rewrite Module: URL Rewrite : The Official Microsoft IIS Site
# Prerequisites Download / Installation
$IISCryptoUri = "https://www.nartac.com/Downloads/IISCrypto/IISCryptoCli.exe"
$VC2012Uri = "https://download.microsoft.com/download/1/6/b/16b06f60-3b20-4ff2-b699-5e9b7962f9ae/VSU_4/vcredist_x64.exe"
$VC2013Uri = "https://download.visualstudio.microsoft.com/download/pr/10912041/cee5d6bca2ddbcd039da727bf4acb48a/vcredist_x64.exe"
$UCMAUri = "https://download.microsoft.com/download/2/c/4/2c47a5c1-a1f3-4843-b9fe-84c0032c61ec/UcmaRuntimeSetup.exe"
$URLRWUri = "https://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/rewrite_amd64_en-US.msi"
if(-not(Test-Path -Path "C:\_install" -PathType Container)){
New-Item -Path "C:\" `
-Name "_install" `
-ItemType Directory |
Out-Null
}
if(-not(Test-Path -Path "C:\_install\Logging" -PathType Container)){
New-Item -Path "C:\_install" `
-Name "Logging" `
-ItemType Directory |
Out-Null
}
Write-Host "Downloading IIS Crypto to C:\_install\IISCryptoCli.exe"
Start-BitsTransfer -Source $IISCryptoUri `
-Destination "C:\_install\IISCryptoCli.exe"
Unblock-File -Path "C:\_install\IISCryptoCli.exe"
Write-Host "Downloading VC++ Redistributable 2012 to C:\_install\VC2012x64.exe"
Start-BitsTransfer -Source $VC2012Uri `
-Destination "C:\_install\VC2012x64.exe"
Unblock-File -Path "C:\_install\VC2012x64.exe"
Write-Host "Downloading VC++ Redistributable 2013 to C:\_install\VC2013x64.exe"
Start-BitsTransfer -Source $VC2013Uri `
-Destination "C:\_install\VC2013x64.exe"
Unblock-File -Path "C:\_install\VC2013x64.exe"
Write-Host "Downloading Unified Communications Managed API 4.0 Runtime to C:\_install\UcmaRuntimeSetup.exe"
Start-BitsTransfer -Source $UCMAUri `
-Destination "C:\_install\UcmaRuntimeSetup.exe"
Unblock-File -Path "C:\_install\UcmaRuntimeSetup.exe"
Write-Host "Downloading IIS URL Rewrite to C:\_install\rewrite_amd64_en-US.msi"
Start-BitsTransfer -Source $URLRWUri `
-Destination "C:\_install\rewrite_amd64_en-US.msi"
Unblock-File -Path "C:\_install\rewrite_amd64_en-US.msi"
Write-Host "Installing Windows roles for Exchange Server SE"
Install-WindowsFeature Server-Media-Foundation, NET-Framework-45-Core, NET-Framework-45-ASPNET, NET-WCF-HTTP-Activation45, `
NET-WCF-Pipe-Activation45, NET-WCF-TCP-Activation45, NET-WCF-TCP-PortSharing45, RPC-over-HTTP-proxy, RSAT-Clustering, `
RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, WAS-Process-Model, Web-Asp-Net45, `
Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, `
Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Metabase, Web-Mgmt-Console, `
Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, `
Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS, GPMC, RSAT-DNS-Server |
Out-Null
Write-Host "Running IIS Crypto"
$objProc = Start-Process -FilePath "C:\_install\IISCryptoCli.exe" `
-ArgumentList "/template best /backup C:\_install\IISCryptoBackup.reg" `
-NoNewWindow `
-PassThru `
-Wait
if($objProc.ExitCode -ne 0){
Write-Host "Please check IIS Crypto manually" `
-ForegroundColor Yellow
pause
}
Write-Host "Installing Visual C++ Redistributable 2012"
$objProc = Start-Process -FilePath "C:\_install\VC2012x64.exe" `
-ArgumentList "/install /quiet /log C:\_install\Logging\vcredist2012x64.txt /norestart" `
-NoNewWindow `
-PassThru `
-Wait
if($objProc.ExitCode -notmatch "^(0|1638|3010)$"){
Write-Host "Please check VC redist logs `"C:\_install\Logging\vcredist2012x64.txt`"" `
-ForegroundColor Red
pause
} else{
Remove-Item -Path "C:\_install\VC2012x64.exe"
}
Write-Host "Installing Visual C++ Redistributable 2013:"
$objProc = Start-Process -FilePath "C:\_install\VC2013x64.exe" `
-ArgumentList "/install /quiet /log C:\_install\Logging\vcredist2013x64.txt /norestart" `
-NoNewWindow `
-PassThru `
-Wait
if($objProc.ExitCode -notmatch "^(0|1638|3010)$"){
Write-Host "Please check VC redist logs `"C:\_install\Logging\vcredist2013x64.txt`"" `
-ForegroundColor Red
pause
} else{
Remove-Item -Path "C:\_install\VC2013x64.exe"
}
Write-Host "Installing Unified Communications Managed API 4.0 Runtime"
$objProc = Start-Process -FilePath "C:\_install\UcmaRuntimeSetup.exe" `
-ArgumentList "/q /log C:\_install\Logging\UcmaRuntime.txt /norestart" `
-NoNewWindow `
-PassThru `
-Wait
if($objProc.ExitCode -notmatch "^0$"){
Write-Host "Please check Ucma runtime logs `"C:\_install\Logging\UcmaRuntime.txt`"" `
-ForegroundColor Red
pause
} else{
Remove-Item -Path "C:\_install\UcmaRuntimeSetup.exe"
}
Write-Host "Installing IIS URL Rewrite module"
$objProc = Start-Process -FilePath "C:\Windows\System32\msiexec.exe" `
-ArgumentList "/i `"C:\_install\rewrite_amd64_en-US.msi`" /quiet /l*v C:\_install\Logging\iisrewrite.txt /norestart" `
-NoNewWindow `
-PassThru `
-Wait
if($objProc.ExitCode -notmatch "^(0|1638|3010)$"){
Write-Host "Please check IIS rewrite logs `"C:\_install\Logging\iisrewrite.txt`"" `
-ForegroundColor Red
pause
} else{
Remove-Item -Path "C:\_install\rewrite_amd64_en-US.msi"
}
Write-Host "Configuring TLS settings .Net v2.0.50727"
New-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" `
-Name "SchUseStrongCrypto" `
-PropertyType Dword `
-Value 1 |
Out-Null
New-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" `
-Name "SchUseStrongCrypto" `
-PropertyType Dword `
-Value 1 |
Out-Null
New-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" `
-Name "SystemDefaultTlsVersions" `
-PropertyType Dword `
-Value 1 |
Out-Null
New-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" `
-Name "SystemDefaultTlsVersions" `
-PropertyType Dword `
-Value 1 |
Out-Null
Write-Host "Configuring TLS settings .Net v4.0.30319"
New-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" `
-Name "SchUseStrongCrypto" `
-PropertyType Dword `
-Value 1 |
Out-Null
New-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" `
-Name "SchUseStrongCrypto" `
-PropertyType Dword `
-Value 1 |
Out-Null
New-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" `
-Name "SystemDefaultTlsVersions" `
-PropertyType Dword `
-Value 1 |
Out-Null
New-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" `
-Name "SystemDefaultTlsVersions" `
-PropertyType Dword `
-Value 1 |
Out-Null
Restart-Computer
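The script above executes every downloaded installer with administrative rights directly after the download. As an added example (not part of the original post), the following check can be run between the download and the installation steps: it verifies each file's Authenticode signature and records its SHA-256 hash. The helper name Test-InstallerSignature, the expected signer names and the CSV path are assumptions.

```powershell
# Added example: check the downloaded prerequisites before they are executed.
# Expected signer names are assumptions; compare them with a known-good copy.
$ExpectedSigners = [ordered]@{
    "C:\_install\IISCryptoCli.exe"        = "Nartac Software"
    "C:\_install\VC2012x64.exe"           = "Microsoft Corporation"
    "C:\_install\VC2013x64.exe"           = "Microsoft Corporation"
    "C:\_install\UcmaRuntimeSetup.exe"    = "Microsoft Corporation"
    "C:\_install\rewrite_amd64_en-US.msi" = "Microsoft Corporation"
}

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSigner
    )
    if (-not (Test-Path -Path $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "file missing"; SHA256 = $null }
    }
    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "" }
    # Status 'Valid' means the file hash matches and the chain ends in a trusted root.
    $reason = if ($sig.Status -ne "Valid") {
        "signature status: $($sig.Status)"
    } elseif ($subject -notmatch "CN=`"?$([regex]::Escape($ExpectedSigner))") {
        "unexpected signer: $subject"
    } else {
        $null
    }
    [pscustomobject]@{
        Path    = $Path
        Trusted = ($null -eq $reason)
        Reason  = $reason
        SHA256  = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
}

$results = foreach ($entry in $ExpectedSigners.GetEnumerator()) {
    Test-InstallerSignature -Path $entry.Key -ExpectedSigner $entry.Value
}
$results | Format-Table Path, Trusted, Reason -AutoSize
# Keep the hashes so later installations can be compared against this one.
$results | Export-Csv -Path "C:\_install\Logging\prerequisite-signatures.csv" -NoTypeInformation

if ($results.Trusted -contains $false) {
    throw "At least one prerequisite failed the signature check. Do not continue with the installation."
}
```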
Installing Exchange Server SE
# Place the database and logs on their own disk(s) in production!
.\Setup.EXE /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /Mode:Install /Roles:Mailbox /LogFolderPath:"C:\EX-Logs\EXSE-DB01" /DbFilePath:"C:\EX-DBs\EXSE-DB01\EXSE-DB01.edb" /MdbName:"EXSE-DB01"
Restart-Computer
Microsoft Exchange Server Subscription Edition Unattended Setup
Copying Files…
File copy complete. Setup will now collect additional information needed for installation.

Languages
Management tools
Mailbox role: Transport service
Mailbox role: Client Access service
Mailbox role: Mailbox service
Mailbox role: Front End Transport service
Mailbox role: Client Access Front End service

Performing Microsoft Exchange Server Prerequisite Check
Configuring Prerequisites COMPLETED
Prerequisite Analysis COMPLETED

Configuring Microsoft Exchange Server
Preparing Setup COMPLETED
Stopping Services COMPLETED
Copying Exchange Files COMPLETED
Language Files COMPLETED
Restoring Services COMPLETED
Language Configuration COMPLETED
Exchange Management Tools COMPLETED
Mailbox role: Transport service COMPLETED
Mailbox role: Client Access service COMPLETED
Mailbox role: Mailbox service COMPLETED
Mailbox role: Front End Transport service COMPLETED
Mailbox role: Client Access Front End service COMPLETED
Finalizing Setup COMPLETED

The Exchange Server setup operation completed successfully.

Exchange Setup has enabled Extended Protection on all the virtual directories on this machine. For more information
visit: https://aka.ms/EnableEPviaSetup.

We recommend periodically running the Exchange Health Checker script, as well as after setup, to evaluate the
organization for additional recommended configurations and security best practices. The Health Checker script can be
downloaded from https://aka.ms/ExchangeSetupHC.

Setup has made changes to operating system settings that require a reboot to take effect. Please reboot this server
prior to placing it into production.
(Minimal) post-installation configuration (in the test environment)
Disable-Mailbox -Identity $env:USERNAME -Confirm:$false
New-AcceptedDomain -Name binfordtools.org -DomainName binfordtools.org -DomainType Authoritative
Set-AcceptedDomain -Identity binfordtools.org -MakeDefault:$true
Set-EmailAddressPolicy -Identity "Default Policy" -EnabledPrimarySMTPAddressTemplate "%g@binfordtools.org"
Update-EmailAddressPolicy -Identity "Default Policy"
# Not recommended in production
Get-MailboxDatabase | Set-MailboxDatabase -CircularLoggingEnabled:$true
Get-MailboxDatabase | Dismount-Database -Confirm:$false
Get-MailboxDatabase | Mount-Database
New-ExchangeCertificate -SubjectName "CN=owa.binfordtools.org, O=Binford Tools, C=DE" -DomainName "owa.binfordtools.org", "autodiscover.binfordtools.org" -FriendlyName "Binford Tools Exchange SE" -KeySize 4096 -PrivateKeyExportable:$true -Confirm:$false -Force
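# Use the thumbprint that New-ExchangeCertificate returned on your server; the value below belongs to the certificate created in this lab
Enable-ExchangeCertificate -Thumbprint "669a2cfe987edff9b4cf338dfdfafd7e93de5a30" -Services IIS, POP, IMAP, SMTP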
Get-OwaVirtualDirectory -Server $env:COMPUTERNAME |
Set-OwaVirtualDirectory -InternalUrl "https://owa.binfordtools.org/owa" -ExternalUrl "https://owa.binfordtools.org/owa"
Get-EcpVirtualDirectory -Server $env:COMPUTERNAME |
Set-EcpVirtualDirectory -InternalUrl "https://owa.binfordtools.org/ecp" -ExternalUrl "https://owa.binfordtools.org/ecp"
Get-OABVirtualDirectory -Server $env:COMPUTERNAME |
Set-OABVirtualDirectory -InternalURL "https://owa.binfordtools.org/OAB" -ExternalURL "https://owa.binfordtools.org/OAB"
Get-ActiveSyncVirtualDirectory -Server $env:COMPUTERNAME |
Set-ActiveSyncVirtualDirectory -InternalURL "https://owa.binfordtools.org/Microsoft-Server-ActiveSync" -ExternalURL "https://owa.binfordtools.org/Microsoft-Server-ActiveSync"
Get-WebServicesVirtualDirectory -Server $env:COMPUTERNAME |
Set-WebServicesVirtualDirectory -InternalURL "https://owa.binfordtools.org/EWS/Exchange.asmx" -ExternalURL "https://owa.binfordtools.org/EWS/Exchange.asmx"
Get-MapiVirtualDirectory -Server $env:COMPUTERNAME |
Set-MapiVirtualDirectory -InternalURL "https://owa.binfordtools.org/mapi" -ExternalURL "https://owa.binfordtools.org/mapi"
Get-ClientAccessService -Identity $env:COMPUTERNAME |
Set-ClientAccessService -AutodiscoverServiceInternalUri "https://owa.binfordtools.org/autodiscover/autodiscover.xml"
Get-OutlookAnywhere -Server $env:COMPUTERNAME |
Set-OutlookAnywhere -InternalHostname "owa.binfordtools.org" -InternalClientsRequireSsl:$true -ExternalHostname "owa.binfordtools.org" -ExternalClientsRequireSsl:$true -ExternalClientAuthenticationMethod "Negotiate"
$Password = ConvertTo-SecureString "Kennwort1" -AsPlainText -Force
New-Mailbox -UserPrincipalName User1@binfordtools.org -Name "Test1 User1" -FirstName "Test1" -LastName "User1" -DisplayName "Test1 User1" -OrganizationalUnit "OU=Users,OU=Binford Tools,DC=ad,DC=binfordtools,DC=org" -Password $Password
New-Mailbox -UserPrincipalName User2@binfordtools.org -Name "Test2 User2" -FirstName "Test2" -LastName "User2" -DisplayName "Test2 User2" -OrganizationalUnit "OU=Users,OU=Binford Tools,DC=ad,DC=binfordtools,DC=org" -Password $Password
New-Mailbox -UserPrincipalName User3@binfordtools.org -Name "Test3 User3" -FirstName "Test3" -LastName "User3" -DisplayName "Test3 User3" -OrganizationalUnit "OU=Users,OU=Binford Tools,DC=ad,DC=binfordtools,DC=org" -Password $Password
In a production environment you will certainly also create a receive connector and a send connector and give the existing users mailboxes. It is also a good idea to create a new email address policy instead of using the default one. And while you are at it, you quickly buy a suitable certificate or turn to Let's Encrypt. 🙂