Installing Exchange Server SE RTM

Unattended Exchange Server SE installation

For my recent and upcoming posts I have needed, and still need, freshly installed Exchange Server SE machines time and again. Here are the steps required to install one from the command line / by script.

Preparing the domain

Required permissions

  • Member of "Enterprise Admins" (German: "Organisations-Admins")
  • Member of "Schema Admins" (German: "Schema-Admins")
PowerShell
.\Setup.EXE /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareAD /OrganizationName:"Binford Tools"

# Create DNS zones for Split DNS
Add-DnsServerPrimaryZone -Name owa.binfordtools.org -DynamicUpdate None -ReplicationScope Forest
Add-DnsServerPrimaryZone -Name autodiscover.binfordtools.org -DynamicUpdate None -ReplicationScope Forest

# Create A records for Split DNS
Add-DnsServerResourceRecordA -Name "." -IPv4Address "192.168.51.20" -ZoneName owa.binfordtools.org
Add-DnsServerResourceRecordA -Name "." -IPv4Address "192.168.51.20" -ZoneName autodiscover.binfordtools.org

Microsoft Exchange Server Subscription Edition Unattended Setup

Copying Files…
File copy complete. Setup will now collect additional information needed for installation.

Performing Microsoft Exchange Server Prerequisite Check

Prerequisite Analysis                                                                             100%

Setup will prepare the organization for Exchange Server Subscription Edition by using ‚Setup /PrepareAD‘. No Exchange
Server 2016 roles have been detected in this topology. After this operation, you will not be able to install any
Exchange Server 2016 roles.
For more information, visit: https://learn.microsoft.com/Exchange/plan-and-deploy/deployment-ref/ms-exch-setupreadiness-NoE16ServerWarning?view=exchserver-2019

Setup will prepare the organization for Exchange Server Subscription Edition by using ‚Setup /PrepareAD‘. No Exchange
Server 2013 roles have been detected in this topology. After this operation, you will not be able to install any
Exchange Server 2013 roles.
For more information, visit: https://learn.microsoft.com/Exchange/plan-and-deploy/deployment-ref/ms-exch-setupreadiness-NoE15ServerWarning?view=exchserver-2019

Configuring Microsoft Exchange Server

Organization Preparation                                                                             COMPLETED

The Exchange Server setup operation completed successfully.

Installing Exchange Server Subscription Edition

Required permissions

  • Member of the (local) Administrators on the new Exchange server
  • Member of the "Organization Management" group (German: "Organisationsverwaltung")

Installing the prerequisites

PowerShell
# Prerequisites Download / Installation
$IISCryptoUri = "https://www.nartac.com/Downloads/IISCrypto/IISCryptoCli.exe"
$VC2012Uri = "https://download.microsoft.com/download/1/6/b/16b06f60-3b20-4ff2-b699-5e9b7962f9ae/VSU_4/vcredist_x64.exe"
$VC2013Uri = "https://download.visualstudio.microsoft.com/download/pr/10912041/cee5d6bca2ddbcd039da727bf4acb48a/vcredist_x64.exe"
$UCMAUri = "https://download.microsoft.com/download/2/c/4/2c47a5c1-a1f3-4843-b9fe-84c0032c61ec/UcmaRuntimeSetup.exe"
$URLRWUri = "https://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/rewrite_amd64_en-US.msi"

if(-not(Test-Path -Path "C:\_install" -PathType Container)){
        New-Item -Path "C:\" `
            -Name "_install" `
            -ItemType Directory |
                Out-Null
}

if(-not(Test-Path -Path "C:\_install\Logging" -PathType Container)){
        New-Item -Path "C:\_install" `
            -Name "Logging" `
            -ItemType Directory |
                Out-Null
}

Write-Host "Downloading IIS Crypto to C:\_install\IISCryptoCli.exe"
Start-BitsTransfer -Source $IISCryptoUri `
    -Destination "C:\_install\IISCryptoCli.exe"
Unblock-File -Path "C:\_install\IISCryptoCli.exe"

Write-Host "Downloading VC++ Redistributable 2012 to C:\_install\VC2012x64.exe"
Start-BitsTransfer -Source $VC2012Uri `
    -Destination "C:\_install\VC2012x64.exe"
Unblock-File -Path "C:\_install\VC2012x64.exe"

Write-Host "Downloading VC++ Redistributable 2013 to C:\_install\VC2013x64.exe"
Start-BitsTransfer -Source $VC2013Uri `
    -Destination "C:\_install\VC2013x64.exe"
Unblock-File -Path "C:\_install\VC2013x64.exe"

Write-Host "Downloading Unified Communications Managed API 4.0 Runtime to C:\_install\UcmaRuntimeSetup.exe"
Start-BitsTransfer -Source $UCMAUri `
    -Destination "C:\_install\UcmaRuntimeSetup.exe"
Unblock-File -Path "C:\_install\UcmaRuntimeSetup.exe"

Write-Host "Downloading IIS URL Rewrite to C:\_install\rewrite_amd64_en-US.msi"
Start-BitsTransfer -Source $URLRWUri `
    -Destination "C:\_install\rewrite_amd64_en-US.msi"
Unblock-File -Path "C:\_install\rewrite_amd64_en-US.msi"

Write-Host "Installing Windows roles for Exchange Server SE"
Install-WindowsFeature Server-Media-Foundation, NET-Framework-45-Core, NET-Framework-45-ASPNET, NET-WCF-HTTP-Activation45, `
    NET-WCF-Pipe-Activation45, NET-WCF-TCP-Activation45, NET-WCF-TCP-PortSharing45, RPC-over-HTTP-proxy, RSAT-Clustering, `
    RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, WAS-Process-Model, Web-Asp-Net45, `
    Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, `
    Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Metabase, Web-Mgmt-Console, `
    Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, `
    Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS, GPMC, RSAT-DNS-Server |
        Out-Null

Write-Host "Running IIS Crypto"
$objProc = Start-Process -FilePath "C:\_install\IISCryptoCli.exe" `
    -ArgumentList "/template best /backup C:\_install\IISCryptoBackup.reg" `
    -NoNewWindow `
    -PassThru `
    -Wait

if($objProc.ExitCode -ne 0){
    Write-Host "Please check IIS Crypto manually" `
        -ForegroundColor Yellow
    pause
}

Write-Host "Installing Visual C++ Redistributable 2012"
$objProc = Start-Process -FilePath "C:\_install\VC2012x64.exe" `
     -ArgumentList "/install /quiet /log C:\_install\Logging\vcredist2012x64.txt /norestart" `
     -NoNewWindow `
     -PassThru `
     -Wait

if($objProc.ExitCode -notmatch "^(0|1638|3010)$"){
    Write-Host "Please check VC redist logs `"C:\_install\Logging\vcredist2012x64.txt`"" `
        -ForegroundColor Red
    pause
} else{
    Remove-Item -Path "C:\_install\VC2012x64.exe"
}

Write-Host "Installing Visual C++ Redistributable 2013:"
$objProc = Start-Process -FilePath "C:\_install\VC2013x64.exe" `
    -ArgumentList "/install /quiet /log C:\_install\Logging\vcredist2013x64.txt /norestart" `
    -NoNewWindow `
    -PassThru `
    -Wait

if($objProc.ExitCode -notmatch "^(0|1638|3010)$"){
    Write-Host "Please check VC redist logs `"C:\_install\Logging\vcredist2013x64.txt`"" `
        -ForegroundColor Red
    pause
} else{
    Remove-Item -Path "C:\_install\VC2013x64.exe"
}

Write-Host "Installing Unified Communications Managed API 4.0 Runtime"
$objProc = Start-Process -FilePath "C:\_install\UcmaRuntimeSetup.exe" `
    -ArgumentList "/q /log C:\_install\Logging\UcmaRuntime.txt /norestart" `
    -NoNewWindow `
    -PassThru `
    -Wait

if($objProc.ExitCode -notmatch "^0$"){
    Write-Host "Please check Ucma runtime logs `"C:\_install\Logging\UcmaRuntime.txt`"" `
        -ForegroundColor Red
    pause
} else{
    Remove-Item -Path "C:\_install\UcmaRuntimeSetup.exe"
}

Write-Host "Installing IIS URL Rewrite module"
$objProc = Start-Process -FilePath "C:\Windows\System32\msiexec.exe" `
 -ArgumentList "/i `"C:\_install\rewrite_amd64_en-US.msi`" /quiet /l*v C:\_install\Logging\iisrewrite.txt /norestart" `
 -NoNewWindow `
 -PassThru `
 -Wait

if($objProc.ExitCode -notmatch "^(0|1638|3010)$"){
    Write-Host "Please check IIS rewrite logs `"C:\_install\Logging\iisrewrite.txt`"" `
        -ForegroundColor Red
    pause
} else{
    Remove-Item -Path "C:\_install\rewrite_amd64_en-US.msi"
}

Write-Host "Configuring TLS settings .Net v2.0.50727"
New-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" `
    -Name "SchUseStrongCrypto" `
    -PropertyType Dword `
    -Value 1 |
        Out-Null
New-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" `
    -Name "SchUseStrongCrypto" `
    -PropertyType Dword `
    -Value 1 |
        Out-Null
New-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" `
    -Name "SystemDefaultTlsVersions" `
    -PropertyType Dword `
    -Value 1 |
        Out-Null
New-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" `
    -Name "SystemDefaultTlsVersions" `
    -PropertyType Dword `
    -Value 1 |
        Out-Null

Write-Host "Configuring TLS settings .Net v4.0.30319"
New-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" `
    -Name "SchUseStrongCrypto" `
    -PropertyType Dword `
    -Value 1 |
        Out-Null
New-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" `
    -Name "SchUseStrongCrypto" `
    -PropertyType Dword `
    -Value 1 |
        Out-Null
New-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" `
    -Name "SystemDefaultTlsVersions" `
    -PropertyType Dword `
    -Value 1 |
        Out-Null
New-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" `
    -Name "SystemDefaultTlsVersions" `
    -PropertyType Dword `
    -Value 1 |
        Out-Null
        
Restart-Computer
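
The script above executes every download right after fetching it. As an added example (not part of the original post), the following check can be run between the download and install steps to confirm that each file carries a valid Authenticode signature and to log its SHA-256 hash. The function name `Test-InstallerSignature`, the optional `-AllowedSigner` patterns and the CSV path are assumptions of this example.

```powershell
# Added example, not from the original post: check downloads before running them.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        # Assumption: regex patterns for publishers confirmed on known-good copies.
        [string[]]$AllowedSigner = @()
    )
    foreach ($file in $Path) {
        if (-not (Test-Path -Path $file -PathType Leaf)) {
            [pscustomobject]@{ File = $file; Status = "Missing"; Signer = $null; Sha256 = $null; Ok = $false }
            continue
        }
        $sig    = Get-AuthenticodeSignature -FilePath $file
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # "Valid" means the signature verifies and chains to a trusted root.
        $ok = ($sig.Status -eq "Valid")
        if ($ok -and $AllowedSigner.Count -gt 0) {
            $ok = [bool]($AllowedSigner | Where-Object { $signer -match $_ })
        }
        [pscustomobject]@{
            File   = $file
            Status = [string]$sig.Status
            Signer = $signer
            Sha256 = (Get-FileHash -Path $file -Algorithm SHA256).Hash
            Ok     = $ok
        }
    }
}

# File names as used by the download section of the script above.
$downloads = "IISCryptoCli.exe", "VC2012x64.exe", "VC2013x64.exe",
    "UcmaRuntimeSetup.exe", "rewrite_amd64_en-US.msi" |
        ForEach-Object { Join-Path -Path "C:\_install" -ChildPath $_ }

$results = @(Test-InstallerSignature -Path $downloads)
$results | Format-Table File, Status, Signer, Ok -AutoSize
# Keep the hashes with the other installation logs for later comparison.
$results | Export-Csv -Path "C:\_install\Logging\downloads.csv" -NoTypeInformation

if ($results.Ok -contains $false) {
    throw "At least one installer is missing, unsigned or not trusted; stopping before installation."
}
```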

Installing Exchange Server SE

PowerShell
# Place the database and logs on their own disk(s) in production!

.\Setup.EXE /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /Mode:Install /Roles:Mailbox /LogFolderPath:"C:\EX-Logs\EXSE-DB01" /DbFilePath:"C:\EX-DBs\EXSE-DB01\EXSE-DB01.edb" /MdbName:"EXSE-DB01"

Restart-Computer

Microsoft Exchange Server Subscription Edition Unattended Setup

Copying Files…
File copy complete. Setup will now collect additional information needed for installation.

Languages
Management tools
Mailbox role: Transport service
Mailbox role: Client Access service
Mailbox role: Mailbox service
Mailbox role: Front End Transport service
Mailbox role: Client Access Front End service

Performing Microsoft Exchange Server Prerequisite Check

Configuring Prerequisites                                                                         COMPLETED
Prerequisite Analysis                                                                             COMPLETED

Configuring Microsoft Exchange Server

Preparing Setup                                                                                   COMPLETED
Stopping Services                                                                                 COMPLETED
Copying Exchange Files                                                                            COMPLETED
Language Files                                                                                    COMPLETED
Restoring Services                                                                                COMPLETED
Language Configuration                                                                            COMPLETED
Exchange Management Tools                                                                         COMPLETED
Mailbox role: Transport service                                                                   COMPLETED
Mailbox role: Client Access service                                                               COMPLETED
Mailbox role: Mailbox service                                                                     COMPLETED
Mailbox role: Front End Transport service                                                         COMPLETED
Mailbox role: Client Access Front End service                                                     COMPLETED
Finalizing Setup                                                                                  COMPLETED

The Exchange Server setup operation completed successfully.

Exchange Setup has enabled Extended Protection on all the virtual directories on this machine. For more information
visit: https://aka.ms/EnableEPviaSetup.

We recommend periodically running the Exchange Health Checker script, as well as after setup, to evaluate the
organization for additional recommended configurations and security best practices. The Health Checker script can be
downloaded from https://aka.ms/ExchangeSetupHC.

Setup has made changes to operating system settings that require a reboot to take effect. Please reboot this server
prior to placing it into production.
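
Before configuring the server, the .NET TLS values written by the prerequisite script can be read back. This is an added example, not part of the original post; it checks the eight `SchUseStrongCrypto` / `SystemDefaultTlsVersions` values under the same registry keys and corrects any that are missing or not 1. The variable names are this example's own.

```powershell
# Added example, not from the original post: read back the .NET TLS values.
$names = "SchUseStrongCrypto", "SystemDefaultTlsVersions"
$keys  = foreach ($node in "SOFTWARE\Microsoft", "SOFTWARE\WOW6432Node\Microsoft") {
    foreach ($version in "v2.0.50727", "v4.0.30319") {
        "Registry::HKEY_LOCAL_MACHINE\$node\.NETFramework\$version"
    }
}

# One row per key/value pair; a missing value is reported as empty and not Ok.
$state = foreach ($key in $keys) {
    foreach ($name in $names) {
        $item  = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.$name } else { $null }
        [pscustomobject]@{ Key = $key; Name = $name; Value = $value; Ok = ($value -eq 1) }
    }
}
$state | Format-Table Name, Value, Ok, Key -AutoSize

# New-ItemProperty without -Force fails if the value already exists, so a
# pre-existing 0 would survive the prerequisite script. -Force overwrites it.
foreach ($entry in ($state | Where-Object { -not $_.Ok })) {
    New-ItemProperty -Path $entry.Key -Name $entry.Name `
        -PropertyType DWord -Value 1 -Force |
            Out-Null
    Write-Host "Set $($entry.Name) = 1 under $($entry.Key)"
}
```

Changed values take effect for .NET processes started afterwards, so restart the server if the loop reports any change.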

(Minimal) post-installation configuration (in the test environment)
PowerShell
Disable-Mailbox -Identity $env:USERNAME -Confirm:$false

New-AcceptedDomain -Name binfordtools.org -DomainName binfordtools.org -DomainType Authoritative
Set-AcceptedDomain -Identity binfordtools.org -MakeDefault:$true
Set-EmailAddressPolicy -Identity "Default Policy" -EnabledPrimarySMTPAddressTemplate "%g@binfordtools.org"
Update-EmailAddressPolicy -Identity "Default Policy"

# Not recommended in production
Get-MailboxDatabase | Set-MailboxDatabase -CircularLoggingEnabled:$true
Get-MailboxDatabase | Dismount-Database -Confirm:$false
Get-MailboxDatabase | Mount-Database

New-ExchangeCertificate -SubjectName "CN=owa.binfordtools.org, O=Binford Tools, C=DE" -DomainName "owa.binfordtools.org", "autodiscover.binfordtools.org" -FriendlyName "Binford Tools Exchange SE" -KeySize 4096 -PrivateKeyExportable:$true -Confirm:$false -Force
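# Thumbprint of the certificate created by New-ExchangeCertificate above; it differs on every installation, so use the value from your own output
Enable-ExchangeCertificate -Thumbprint "669a2cfe987edff9b4cf338dfdfafd7e93de5a30" -Services IIS, POP, IMAP, SMTP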

Get-OwaVirtualDirectory -Server $env:COMPUTERNAME |
    Set-OwaVirtualDirectory -InternalUrl "https://owa.binfordtools.org/owa" -ExternalUrl "https://owa.binfordtools.org/owa"
Get-EcpVirtualDirectory -Server $env:COMPUTERNAME |
    Set-EcpVirtualDirectory -InternalUrl "https://owa.binfordtools.org/ecp" -ExternalUrl "https://owa.binfordtools.org/ecp"
Get-OABVirtualDirectory -Server $env:COMPUTERNAME |
    Set-OABVirtualDirectory -InternalURL "https://owa.binfordtools.org/OAB" -ExternalURL "https://owa.binfordtools.org/OAB"
Get-ActiveSyncVirtualDirectory -Server $env:COMPUTERNAME |
    Set-ActiveSyncVirtualDirectory -InternalURL "https://owa.binfordtools.org/Microsoft-Server-ActiveSync" -ExternalURL "https://owa.binfordtools.org/Microsoft-Server-ActiveSync"
Get-WebServicesVirtualDirectory -Server $env:COMPUTERNAME |
    Set-WebServicesVirtualDirectory -InternalURL "https://owa.binfordtools.org/EWS/Exchange.asmx" -ExternalURL "https://owa.binfordtools.org/EWS/Exchange.asmx"
Get-MapiVirtualDirectory -Server $env:COMPUTERNAME |
    Set-MapiVirtualDirectory -InternalURL "https://owa.binfordtools.org/mapi" -ExternalURL "https://owa.binfordtools.org/mapi"
Get-ClientAccessService -Identity $env:COMPUTERNAME |
    Set-ClientAccessService -AutodiscoverServiceInternalUri "https://owa.binfordtools.org/autodiscover/autodiscover.xml"
Get-OutlookAnywhere -Server $env:COMPUTERNAME |
    Set-OutlookAnywhere -InternalHostname "owa.binfordtools.org" -InternalClientsRequireSsl:$true -ExternalHostname "owa.binfordtools.org" -ExternalClientsRequireSsl:$true -ExternalClientAuthenticationMethod "Negotiate"

# Plain-text password, for the test environment only
$Password = ConvertTo-SecureString "Kennwort1" -AsPlainText -Force
New-Mailbox -UserPrincipalName User1@binfordtools.org -Name "Test1 User1" -FirstName "Test1" -LastName "User1" -DisplayName "Test1 User1" -OrganizationalUnit "OU=Users,OU=Binford Tools,DC=ad,DC=binfordtools,DC=org" -Password $Password
New-Mailbox -UserPrincipalName User2@binfordtools.org -Name "Test2 User2" -FirstName "Test2" -LastName "User2" -DisplayName "Test2 User2" -OrganizationalUnit "OU=Users,OU=Binford Tools,DC=ad,DC=binfordtools,DC=org" -Password $Password
New-Mailbox -UserPrincipalName User3@binfordtools.org -Name "Test3 User3" -FirstName "Test3" -LastName "User3" -DisplayName "Test3 User3" -OrganizationalUnit "OU=Users,OU=Binford Tools,DC=ad,DC=binfordtools,DC=org" -Password $Password

In a production environment you will certainly also create a receive connector and a send connector and give the existing users mailboxes. It also makes sense to create a new e-mail address policy instead of using the default one. And while you are at it, quickly buy a suitable certificate or use Let's Encrypt. 🙂

