Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2012-02-21
This topic provides you with an installation guide template that you can use as a starting point for formally documenting your organization's server build procedures for Microsoft Exchange Server 2010 servers that will have the Client Access server role installed.
The template includes the following key sections:
- Executive Summary
- Server Configuration
- Load Balancing Configuration
- Verification Steps
- Exchange Server Role Installation
- Exchange Server Role Configuration
For purposes of providing an example, the template uses the fictitious company name of Contoso. Also, you can download this template, along with templates for other server roles, as a download package in .zip file format at Microsoft Exchange Server 2010 Install Guide Templates (http://go.microsoft.com/fwlink/?LinkID=187961).
Executive Summary
The purpose of this document is to explain the installation and configurations necessary to install the Exchange 2010 Client Access server role on the Windows Server 2008 platform.
Business Justification
By having an installation guide, Contoso will be able to ensure standardization across the enterprise, reducing total cost of ownership (TCO), and easing troubleshooting steps.
Scope
The scope of this document is limited to installation of an Exchange 2010 Client Access server for Contoso on the x64 version of the Windows Server 2008 (SP2 or R2) operating system.
Prerequisites
The administrator should have working knowledge of Windows Server 2008 concepts, Exchange 2010 concepts, the Exchange Management Console and Exchange Management Shell, the command line, and various system utilities. This document does not elaborate on the details of any system utility except as necessary to complete the tasks within.
In addition, before implementing the server role, the administrator should review the Understanding Client Access topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187352).
Assumptions
This document assumes that Windows Server 2008 x64 Edition is installed on the intended Client Access server per company baseline regulations which include the latest approved service pack and hotfixes. In addition, the following system prerequisites have been installed:
- Microsoft .NET Framework 3.5 SP1 and the update for .NET Framework 3.5 SP1. For more information, see Microsoft Knowledge Base article 959209, An update for the .NET Framework 3.5 Service Pack 1 is available (http://go.microsoft.com/fwlink/?linkid=3052&kbid=959209).
- Windows Management Framework (Windows Remote Management 2.0 and Windows PowerShell 2.0).
This document assumes that forest and domain preparation steps have been performed as described in the Prepare Active Directory and Domains topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187262).
This document assumes that the account you will be using for the Exchange tasks has been delegated the Server Management management role, as described in the Server Management topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187265).
This document also assumes that both Exchange 2010 and Windows Server 2008 will be secured following the best practices found in the Windows Server 2008 Security Guide (http://go.microsoft.com/fwlink/?LinkId=122593).
Important: The procedures within this document should be followed sequentially. If changes are made out of sequence, unexpected results may occur.
Server Configuration
The following media are required for this section:
- Windows Server 2008 installation files
The following procedures are in this section:
- Additional Software Verification
- Network Interfaces Configuration
- Drive Configuration
- Windows Server 2008 Hotfix Installation
- Domain Membership Configuration
- Local Administrators Verification
- Local Administrator Account Password Reset
- Debugging Tools Installation
- Page File Modifications
- Drive Permissions
- Windows Network Load Balancing Installation and Configuration
- DNS Entry Creation
Additional Software Verification
- Verify that Remote Desktop is enabled.
- As an optional step, install Microsoft Network Monitor (http://go.microsoft.com/fwlink/?LinkId=86611).
Network Interfaces Configuration
- Log on to the server with an account that has been delegated at
least local administrative access.
- Click Start > Control Panel, and then double-click
Network and Sharing Center.
- Click Manage Network Connections.
- Locate the connection for the internal network and rename it
according to your organization's naming standards.
- Right-click the connection and then select
Properties.
- For Internet Protocol Version 4 (TCP/IPv4), add the following:
  - Static IP Address, Subnet Mask, and Gateway
  - DNS Server IP Addresses
  - Select the check box to Append parent suffixes of the primary DNS suffix.
  - WINS IP Addresses (if using WINS)
- If you are using Internet Protocol Version 6 (TCP/IPv6), configure the IPv6 settings according to your organization's network standards.
Drive Configuration
- Connect to the server through Remote Desktop and then log on
with an account that has been delegated local administrative
access.
- Click Start > Administrative Tools, and then select
Computer Management.
- Expand Storage and then click Disk
Management.
- Using the Disk Management snap-in of the Microsoft Management
Console (MMC), format, rename, and assign the appropriate Drive
Letters so that the volumes and DVD drive match the appropriate
server configuration.
Drive configuration
LUN | Drive letter | Usage
1 | C | Operating system and Exchange binaries
2 | Z | DVD drive
Windows Server 2008 Hotfix Installation
- Connect to the server via Remote Desktop and log on with an
account that has local administrative access.
- Obtain the latest hotfixes approved by your company for your
version of Windows Server 2008 x64 (SP2 or R2) and copy them to the
server.
- Launch the hotfix setup in one of two ways:
  - Double-click the file and follow the GUI instructions.
  - Perform a silent installation using the following command from an administrative command prompt:
    <hotfix>.msu /quiet /norestart
- Click Yes for any Digital Signature not Found dialog boxes that may appear.
Note: These dialog boxes appear only in environments that have deployed the Windows Security templates.
- Wait for all file copies to complete, and then restart the server. You can use the Processes tab in Windows Task Manager to monitor the hotfix installation progress. When the wusa.exe process has exited, the hotfix installation is complete.
Domain Membership Configuration
- Connect to the server through Remote Desktop, and then log on
with an account that has been delegated local administrative
access.
- Click Start, right-click Computer, and then select Properties.
- Under the Computer Name, domain, and workgroup settings,
click Change Settings.
- Click Change.
- Choose the Domain option button, and then enter the
appropriate domain name.
- Enter the appropriate credentials.
- Click OK and OK.
- Click OK to close System Properties.
- Restart the server.
Local Administrators Verification
- Connect to the server through Remote Desktop, and then log on
with an account that has been delegated local administrative
access.
- Verify (or add if not already there) that the Domain Admins group and the user account that will perform the Exchange installation are members of the local Administrators group on this server.
- Verify that your user account is a member of a group which is a
member of the local Administrators group on the Windows Server 2008
server. If it is not, use an account that is a member of the local
Administrators group before continuing.
Local Administrator Account Password Reset
- Connect to the server through Remote Desktop, and then log on
with an account that has been delegated local administrative
access.
- Click Start, right-click Computer, and then
select Manage.
- Expand the nodes to find Configuration\Local Users and
Groups\Users.
- Right-click Administrator, and then select Set
Password. Change the password so that it meets strong
complexity requirements.
Debugging Tools Installation
This section describes several useful tools that aid administrators in Exchange administration and in troubleshooting support issues.
Debugging Tools for Windows allow administrators to debug processes that are affecting service and determine root cause.
- Connect to the server through Remote Desktop, and then log on
with an account that has been delegated local administrative
access.
- Download and install the latest 64-bit Debugging Tools from
Install Debugging Tools for Windows 64-bit
Version (http://go.microsoft.com/fwlink/?LinkID=123594).
Page File Modifications
- Connect to the server through Remote Desktop, and then log on
with an account that has been delegated local administrative
access.
- Click Start, right-click Computer, and then
select Properties.
- Select the Advanced System Settings.
- Under Startup and Recovery, click Settings.
- Under Write Debugging Information, select Kernel Memory Dump from the memory dump drop-down list.
- Click OK.
- Under Performance, click Settings.
- Click the Advanced tab.
- Under Virtual Memory, click Change.
- On servers that have a dedicated page file drive, follow these steps:
  - In the Drive list, click C:, and then click Custom size.
  - For the C: drive, set the Initial Size (MB) value to a minimum of 200 MB. (When Windows is configured for a kernel memory dump, it requires between 150 MB and 2 GB of page file space on the boot volume, depending on server load and the amount of physical RAM. Therefore, you may be required to increase the size.)
  - For the C: drive, set the Maximum Size (MB) value to that of the Initial Size.
  - In the Drive list, select the page file drive (for example, the P: drive), and then click Custom size.
  - In the Initial Size (MB) box, type the result of one of the following calculations:
    If the server has less than 8 GB of RAM, multiply the amount of RAM by 1.5.
    If the server has 8 GB of RAM or more, add 10 MB to the amount of RAM.
  - In the Maximum Size (MB) box, type the same amount that you typed in the Initial Size box.
  - Delete all other page files.
  - Click OK.
- On servers that do not have a dedicated page file drive, follow these steps:
  - In the Drive list, click C:, and then click Custom size.
  - For the C: drive, in the Initial Size (MB) box, type the result of one of the following calculations:
    If the server has less than 8 GB of RAM, multiply the amount of RAM by 1.5.
    If the server has 8 GB of RAM or more, add 10 MB to the amount of RAM.
  - In the Maximum Size (MB) box, type the same amount that you typed in the Initial Size box.
  - Delete all other page files.
  - Click OK.
- Click OK two times to close the System Properties
dialog box.
- Click No if prompted to restart the system.
Note: For more information about page file recommendations, see the following Microsoft Knowledge Base articles: How to determine the appropriate page file size for 64-bit versions of Windows Server 2003 or Windows XP (http://go.microsoft.com/fwlink/?linkid=3052&kbid=889654); and Overview of memory dump file options for Windows Vista, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows XP, and Windows 2000 (http://go.microsoft.com/fwlink/?linkid=3052&kbid=254649).
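The page file rules above can be applied without the GUI. The following is an added example, not part of the Exchange 2010 template, that sizes the page file with the template's formula, fixes Initial = Maximum, removes all other page files, and selects a kernel memory dump. It uses Get-WmiObject because Windows Server 2008 ships PowerShell 2.0; it assumes an elevated session and that a dedicated page file volume, if you have one, is passed as -PageFileDrive (P: is the letter the text uses as an example). As with the GUI procedure, the change takes effect after a restart.

```powershell
# Added example (not from the Exchange 2010 template): "Page File Modifications" via WMI.
# Assumptions: elevated PowerShell 2.0 session; -PageFileDrive 'P' for a dedicated page file volume.

function Get-RecommendedPageFileMB {
    # The template's rule: 1.5 x RAM below 8 GB, RAM + 10 MB at 8 GB or more
    param([Parameter(Mandatory=$true)][double]$PhysicalMemoryMB)
    if ($PhysicalMemoryMB -lt 8192) { return [int]($PhysicalMemoryMB * 1.5) }
    return [int]($PhysicalMemoryMB + 10)
}

function Set-PageFileSize {
    # Create or resize the page file on one volume with Initial = Maximum (no growth at runtime)
    param([string]$Drive, [int]$SizeMB)
    $name = "${Drive}:\pagefile.sys"
    $pf = Get-WmiObject -Class Win32_PageFileSetting | Where-Object { $_.Name -eq $name }
    if ($pf) {
        $pf.InitialSize = $SizeMB
        $pf.MaximumSize = $SizeMB
        [void]$pf.Put()
    } else {
        Set-WmiInstance -Class Win32_PageFileSetting `
            -Arguments @{ Name = $name; InitialSize = $SizeMB; MaximumSize = $SizeMB } | Out-Null
    }
}

function Set-ExchangePageFile {
    param([string]$PageFileDrive = 'C')
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $ramMB = [math]::Round($cs.TotalPhysicalMemory / 1MB)
    $sizeMB = Get-RecommendedPageFileMB -PhysicalMemoryMB $ramMB

    # Custom sizes are ignored while Windows manages the page file itself
    if ($cs.AutomaticManagedPagefile) {
        $cs.AutomaticManagedPagefile = $false
        [void]$cs.Put()
    }

    # Kernel memory dump (CrashDumpEnabled: 0 = none, 1 = complete, 2 = kernel, 3 = small)
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' `
        -Name CrashDumpEnabled -Value 2 -Type DWord

    # "Delete all other page files": keep only C: (needed for the dump) and the page file drive
    $keep = @('C:\pagefile.sys', "${PageFileDrive}:\pagefile.sys")
    Get-WmiObject -Class Win32_PageFileSetting |
        Where-Object { $keep -notcontains $_.Name } |
        ForEach-Object { $_.Delete() }

    if ($PageFileDrive -ne 'C') {
        # Boot volume keeps a small fixed page file for the kernel dump; 200 MB is the
        # template minimum and may have to be raised on servers with a lot of RAM
        Set-PageFileSize -Drive 'C' -SizeMB 200
    }
    Set-PageFileSize -Drive $PageFileDrive -SizeMB $sizeMB

    # Show the resulting settings; they apply after the next restart
    Get-WmiObject -Class Win32_PageFileSetting | Select-Object Name, InitialSize, MaximumSize
}

# Set-ExchangePageFile                      # no dedicated page file volume
# Set-ExchangePageFile -PageFileDrive 'P'   # dedicated page file volume P:
```

Run Set-ExchangePageFile (or Set-ExchangePageFile -PageFileDrive 'P') and compare the output with the values you would have typed in the Virtual Memory dialog; the server still needs the restart that the GUI procedure defers.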
Drive Permissions
- Connect to the server through Remote Desktop, and then log on
with an account that has been delegated local administrative
access.
- Click Start, and then select Computer.
- Right-click the D: drive, and then select Properties.
- Click the Security tab.
- Click Edit.
- Click Add, and then select the local server from
Locations.
- Grant the following rights as outlined in the following
table.
Drive permissions
Account | Permissions
Administrators | Full Control
SYSTEM | Full Control
Authenticated Users | Read and Execute, List, Read
CREATOR OWNER | Full Control
- Click the Advanced button.
- Select the CREATOR OWNER permission entry, and then
click View/Edit.
- Select Subfolders and Files Only from the drop-down
list.
- Click OK two times.
- Click OK to close the drive properties.
- Repeat steps 3-12 for each additional drive (other than the C
drive).
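The same ACL can be applied and checked from PowerShell, which is easier to repeat across several data volumes than the dialog sequence above. This is an added example, not part of the Exchange 2010 template: it writes the four entries from the "Drive permissions" table onto a volume root with the .NET FileSystemAccessRule API, giving CREATOR OWNER the "Subfolders and Files Only" scope through the InheritOnly propagation flag, and then audits the root for unexpected identities or write access for Authenticated Users. It assumes an elevated session and a data volume letter (D: is the example the text uses; the template's own drive table lists only C: and Z:).

```powershell
# Added example (not from the Exchange 2010 template): apply and audit the "Drive permissions" table.
# Assumptions: elevated session; the target is a data volume, never the system drive.

function Set-DataDrivePermissions {
    param([Parameter(Mandatory=$true)][string]$DriveLetter)
    if ($DriveLetter -eq 'C') { throw 'Do not apply the data-volume ACL to the system drive.' }
    $root = "${DriveLetter}:\"

    $acl = Get-Acl -Path $root
    # Start from a clean, explicit DACL: block inheritance and drop every existing entry
    # (a volume root has no parent, so nothing inherited is lost here)
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($existing in @($acl.Access)) { [void]$acl.RemoveAccessRuleAll($existing) }

    $inheritAll   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $thisAndBelow = [System.Security.AccessControl.PropagationFlags]::None        # This folder, subfolders and files
    $belowOnly    = [System.Security.AccessControl.PropagationFlags]::InheritOnly # Subfolders and files only
    $allow        = [System.Security.AccessControl.AccessControlType]::Allow

    $entries = @(
        @{ Identity = 'BUILTIN\Administrators';           Rights = 'FullControl';    Propagation = $thisAndBelow },
        @{ Identity = 'NT AUTHORITY\SYSTEM';              Rights = 'FullControl';    Propagation = $thisAndBelow },
        @{ Identity = 'NT AUTHORITY\Authenticated Users'; Rights = 'ReadAndExecute'; Propagation = $thisAndBelow },
        @{ Identity = 'CREATOR OWNER';                    Rights = 'FullControl';    Propagation = $belowOnly }
    )
    foreach ($e in $entries) {
        # ReadAndExecute is the API name for "Read and Execute, List, Read"
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $e.Identity, [System.Security.AccessControl.FileSystemRights]$e.Rights,
            $inheritAll, $e.Propagation, $allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $root -AclObject $acl
}

function Test-DataDrivePermissions {
    # $true when the root ACL holds only the four expected identities and Authenticated Users cannot write
    param([Parameter(Mandatory=$true)][string]$DriveLetter)
    $expected  = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\Authenticated Users', 'CREATOR OWNER')
    $writeBits = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $ok = $true
    foreach ($ace in (Get-Acl -Path "${DriveLetter}:\").Access) {
        $id = $ace.IdentityReference.Value
        if ($expected -notcontains $id) {
            Write-Warning "Unexpected entry on ${DriveLetter}: for $id ($($ace.FileSystemRights))"
            $ok = $false
        } elseif ($id -eq 'NT AUTHORITY\Authenticated Users' -and
                  ([int]($ace.FileSystemRights -band $writeBits)) -ne 0) {
            Write-Warning "Authenticated Users have write access to the ${DriveLetter}: root"
            $ok = $false
        }
    }
    return $ok
}

# Set-DataDrivePermissions -DriveLetter 'D'
# Test-DataDrivePermissions -DriveLetter 'D'   # $true when the table has been applied
```

Run Test-DataDrivePermissions on every data volume after the dialog steps as well; a freshly formatted NTFS volume grants Authenticated Users Modify on the root, which the table deliberately removes.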
Load Balancing Configuration
Procedures in this section only need to be performed on Client Access servers that will be used in a load-balanced array. In particular, this section focuses on Windows Network Load Balancing (NLB). For more information about NLB, see Network Load Balancing (http://go.microsoft.com/fwlink/?LinkId=187482) and Network Load Balancing Clusters (http://go.microsoft.com/fwlink/?LinkId=49315) and Implementing a Network Load Balancing Cluster (http://go.microsoft.com/fwlink/?LinkId=187483).
If you are deploying a hardware load balancing array, review your vendor’s documentation and follow their guidance for configuration.
For more information about load balancing in Exchange 2010, see the topics Understanding Load Balancing in Exchange 2010 (http://go.microsoft.com/fwlink/?LinkId=196447) and Load Balancing Requirements of Exchange Protocols (http://go.microsoft.com/fwlink/?LinkId=196448) in the Exchange Server 2010 Library.
Windows Network Load Balancing Installation and Configuration
The values used in NLB must be the same across all nodes in the NLB cluster. The values specified in the following table will ensure that the Windows Network Load Balancing array can load-balance the appropriate protocols (HTTPS, IMAP4, POP3, RPC Endpoint Mapper, the Address Book service, and the RPC Client Access service). For more information, see Understanding Load Balancing in Exchange 2010.
Load-balanced protocols and ports
Protocol | TCP port numbers
HTTPS | 443
IMAP4 | 143 and 993
POP3 | 110 and 995
RPC Endpoint Mapper | 135
RPC Client Access service | 59595
Address Book service | 59596
Note: This document uses TCP 59595 for the RPC Client Access service and TCP 59596 for the Address Book service, matching the static ports that are set later in "RPC Client Access and Address Book Services Configuration". You can use any TCP high ports that are available within the environment between ports 59531 and 60554, as long as the load-balanced array port rules and the static port settings agree.
- Connect to the server via Remote Desktop, and then log on with
an account that has been delegated local administrative access.
- Install Network Load Balancing for your operating system:
  - Windows Server 2008 SP2: Open an administrative command prompt window and run the following command:
    ServerManagerCmd.exe -i NLB
  - Windows Server 2008 R2: Open an elevated Windows PowerShell console, and run the following commands:
    Import-Module ServerManager
    Add-WindowsFeature NLB
- Click Start > Administrative Tools, and
then right-click Network Load Balancing Manager.
- Click Cluster > New.
- In the New Cluster wizard, enter the local server’s
computer name, click Connect and then select the appropriate
network connection.
- Click Next.
- In the Host Parameters section, verify the host’s IP
address and subnet mask.
- Click Next.
- In the Cluster IP Address section, click Add and enter:
  - IP Address
  - Subnet Mask
- Click Next.
- In the Cluster Parameters section, enter in the Full
Internet Name (for example, mail.contoso.com) that will be used
by the cluster and make sure Unicast is selected.
- Click Next.
- In the Port Rules section, select the default rule and click Edit.
- Under Port Range, change the From value to 80 and the To value to 80.
- Under Protocols, select TCP.
- Click OK.
- Click Add to create a new port rule.
- Under Port Range, change the From value to 443 and the To value to 443.
- Under Protocols, select TCP.
- Click OK.
Note: If you are using IMAP or POP in the environment, be sure to create the appropriate rules.
- Click Add to create a new port rule.
- Under Port Range, change the From value to 143 and the To value to 143.
- Under Protocols, select TCP.
- Click OK.
- Click Add to create a new port rule.
- Under Port Range, change the From value to 110 and the To value to 110.
- Under Protocols, select TCP.
- Click OK.
- Click Add to create a new port rule.
- Under Port Range, change the From value to 993 and the To value to 993.
- Under Protocols, select TCP.
- Click OK.
- Click Add to create a new port rule.
- Under Port Range, change the From value to 500 and the To value to 500.
- Under Protocols, select UDP.
- Click OK.
Note: The above rule for UDP 500 should be created only if you are using IPsec in the environment.
- Click Add to create a new port rule.
- Under Port Range, change the From value to 995 and the To value to 995.
- Under Protocols, select TCP.
- Click OK.
- Click Add to create a new port rule.
- Under Port Range, change the From value to 135 and the To value to 135.
- Under Protocols, select TCP.
- Click OK.
- Click Add to create a new port rule.
- Under Port Range, change the From value to 59595 and the To value to 59596.
- Under Protocols, select TCP.
- Click OK.
- Click OK.
- Click OK to acknowledge the resulting dialog box.
- While still in the internal network connection properties, click Internet Protocol Version 4 (TCP/IPv4) and select Properties.
- Click Advanced.
- Under IP Addresses, click Add.
- Enter the virtual IP Address and Subnet Mask and click OK.
- Click OK.
- Click Finish to complete the New Cluster wizard.
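On Windows Server 2008 R2 the same cluster and port rules can be created with the NetworkLoadBalancingClusters module, which makes the rule set reviewable and identical on every node. The following is an added example, not part of the Exchange 2010 template (Windows Server 2008 SP2 has no NLB cmdlets; use NLB Manager there). It assumes the internal adapter has been renamed "Internal", uses placeholder values for the cluster IP address and subnet mask, keeps the wizard's Unicast mode and Single affinity, and leaves the UDP 500 rule commented out because IPsec is optional in the text.

```powershell
# Added example (not from the Exchange 2010 template): NLB cluster and port rules from the
# "Load-balanced protocols and ports" table. Windows Server 2008 R2 only.
# Assumptions: adapter name 'Internal'; VIP and mask are placeholders; no IPsec.
Import-Module NetworkLoadBalancingClusters

$interfaceName = 'Internal'
$clusterFqdn   = 'mail.contoso.com'
$clusterVip    = '192.0.2.10'        # placeholder from the documentation address range
$subnetMask    = '255.255.255.0'

function New-CasNlbCluster {
    # Unicast, as in the wizard; run on the first node only
    New-NlbCluster -InterfaceName $interfaceName -ClusterName $clusterFqdn `
        -ClusterPrimaryIP $clusterVip -SubnetMask $subnetMask -OperationMode Unicast | Out-Null

    # The default rule balances every port (0-65535). Remove it so only the listed
    # client protocols are exposed through the virtual IP address.
    Get-NlbClusterPortRule | Remove-NlbClusterPortRule -Force

    $rules = @(
        @{ Start = 80;    End = 80;    Protocol = 'Tcp' },   # HTTP (the wizard's default rule, narrowed)
        @{ Start = 443;   End = 443;   Protocol = 'Tcp' },   # HTTPS
        @{ Start = 143;   End = 143;   Protocol = 'Tcp' },   # IMAP4
        @{ Start = 993;   End = 993;   Protocol = 'Tcp' },   # IMAP4 over SSL
        @{ Start = 110;   End = 110;   Protocol = 'Tcp' },   # POP3
        @{ Start = 995;   End = 995;   Protocol = 'Tcp' },   # POP3 over SSL
        @{ Start = 135;   End = 135;   Protocol = 'Tcp' },   # RPC Endpoint Mapper
        @{ Start = 59595; End = 59596; Protocol = 'Tcp' }    # static RPC Client Access and Address Book ports
        # ,@{ Start = 500; End = 500;  Protocol = 'Udp' }    # IKE, only if IPsec is used
    )
    foreach ($r in $rules) {
        # Single affinity is the wizard default: a client IP address sticks to one node
        Add-NlbClusterPortRule -StartPort $r.Start -EndPort $r.End -Protocol $r.Protocol -Affinity Single | Out-Null
    }
}

function Test-CasNlbPortRules {
    # $true when every rule starts on a listed port and spans at most two ports (59595-59596)
    $expectedStart = @(80, 443, 143, 993, 110, 995, 135, 59595, 500)
    $bad = Get-NlbClusterPortRule | Where-Object {
        ($expectedStart -notcontains $_.StartPort) -or (($_.EndPort - $_.StartPort) -gt 1)
    }
    if ($bad) {
        $desc = ($bad | ForEach-Object { "$($_.StartPort)-$($_.EndPort)/$($_.Protocol)" }) -join ', '
        Write-Warning "Unexpected NLB port rules: $desc"
    }
    return (-not $bad)
}

# New-CasNlbCluster
# Test-CasNlbPortRules   # $true when the rule set matches the table
```

For the second and later nodes, run Add-NlbClusterNode -NewNodeName <server> -NewNodeInterface 'Internal' from the first node instead of New-NlbCluster; port rules are cluster-wide, so Test-CasNlbPortRules gives the same answer on every node.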
DNS Entry Creation
Submit a change request to the appropriate operations group to have the domain name that was specified in the previous "Network Load Balancing Installation and Configuration" section for the NLB cluster (for example, mail.contoso.com) created as a host record associated to the NLB cluster’s IP address.
Verification Steps
The following procedures are in this section:
- Organizational Unit Verification
- Active Directory Site Verification
- Domain Controller Diagnostics Verification
- Exchange Best Practices Analyzer Verification
Important: The procedures within this document should be followed sequentially. If changes are made out of sequence, unexpected results may occur.
Organizational Unit Verification
Submit a change request to the appropriate operations group and have the computer object moved to the appropriate organizational unit (OU).
Active Directory Site Verification
- Connect to the server through Remote Desktop, and then log on
with an account that has been delegated local administrative
access.
- Open a Command Prompt window.
- Verify that the server is in the correct domain and Active
Directory site. At the command line, type the following:
NLTEST /server:%COMPUTERNAME% /dsgetsite
- The name of the Active Directory site to which the server
belongs will be displayed. If the server is not in the correct
Active Directory site, submit a change request to the appropriate
operations group and have the server moved to the appropriate
Active Directory site.
Domain Controller Diagnostics Verification
- Connect to the server through Remote Desktop, and then log on
with an account that has been delegated local administrative
access.
- Open a Command Prompt window, and then change paths to the C
drive.
- Run the following command:
dcdiag /s:<Domain Controller> /f:c:\dcdiag.log
Note: Change <Domain Controller> to a domain controller contained within the same Active Directory site as the Exchange server.
- Review the output of the C:\dcdiag.log file, and verify that
there are no connectivity issues with the local domain
controller.
- Repeat steps 3 and 4 for each domain controller in the local
Active Directory site.
Note: Domain Controller Diagnostics (DCDiag) is a Windows support tool that tests network connectivity and DNS resolution for domain controllers. If the account being used does not have administrative privileges, several tests under the Doing primary tests heading may not pass. These tests can be ignored if the connectivity tests pass. In addition, the log file may report that some service validation tests did not pass. These messages can be ignored if the services do not exist on the domain controller.
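The site check and the per-domain-controller DCDiag runs can be combined into one script that enumerates the domain controllers of the server's own site and flags the test that matters. This is an added example, not part of the Exchange 2010 template; it assumes the server is domain-joined, that dcdiag.exe is available (it ships with the AD DS tools, RSAT-ADDS), and that the expected site name is supplied by the caller.

```powershell
# Added example (not from the Exchange 2010 template): automate "Active Directory Site Verification"
# and "Domain Controller Diagnostics Verification".
# Assumptions: domain-joined server; dcdiag.exe on the path; expected site name provided by the caller.

function Get-ServerAdSite {
    # Same answer as "NLTEST /server:%COMPUTERNAME% /dsgetsite", obtained through .NET
    return [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()
}

function Test-SiteDomainControllers {
    param(
        [string]$ExpectedSite,            # e.g. 'Default-First-Site-Name'; empty skips the site check
        [string]$LogDirectory = 'C:\'
    )
    $site = Get-ServerAdSite
    if ($ExpectedSite -and $site.Name -ne $ExpectedSite) {
        Write-Warning "Server is in Active Directory site '$($site.Name)', expected '$ExpectedSite'. Submit a change request to move it."
    }

    $results = @()
    foreach ($dc in $site.Servers) {
        # dcdiag /f writes the report to the file instead of the console
        $log = Join-Path $LogDirectory ("dcdiag-{0}.log" -f ($dc.Name -split '\.')[0])
        & dcdiag.exe "/s:$($dc.Name)" "/f:$log" | Out-Null

        # Report lines look like "......................... DC01 failed test Connectivity"
        $failed = @(Select-String -Path $log -Pattern 'failed test (\w+)' |
                    ForEach-Object { $_.Matches[0].Groups[1].Value })

        $results += New-Object PSObject -Property @{
            DomainController   = $dc.Name
            Site               = $site.Name
            FailedTests        = ($failed -join ',')
            # Connectivity must pass; other tests may fail without admin rights or when a service is absent
            ConnectivityFailed = ($failed -contains 'Connectivity')
            Log                = $log
        }
    }
    return $results
}

# Test-SiteDomainControllers -ExpectedSite 'Default-First-Site-Name' |
#     Format-Table DomainController, ConnectivityFailed, FailedTests -AutoSize
```

Treat ConnectivityFailed = True as a blocker; for any other failed test, open the log and apply the note above before deciding whether it can be ignored.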
Exchange Best Practices Analyzer Verification
The Microsoft Exchange Analyzers help administrators troubleshoot various operational support issues. Connect through Remote Desktop to a server in the environment that has the Exchange 2010 SP1 (or later) management tools installed, and log on with an account that has local administrative access.
- Click Start > All Programs > Microsoft
Exchange Server 2010 and then select Exchange Management
Console.
- Open the Toolbox node.
- Double-click Best Practices Analyzer.
- Check and apply any updates for the Best Practices Analyzer
engine.
- Provide the appropriate information to connect to Active
Directory and then click Connect to the Active Directory
server.
- In Start a New Best Practices Scan, select Health
Check, and then click Start Scanning.
- Review the report, and take action on any errors or warnings
that are reported by following the resolution articles that are
provided within the Best Practices Analyzer.
Exchange Server Role Installation
The following media are required for this section:
- Microsoft Exchange Server 2010 installation files
The following procedures are in this section:
- Exchange 2010 Prerequisites Installation for Windows Server 2008 SP2 or Windows Server 2008 R2
- Exchange 2010 Installation
- Exchange 2010 Update Rollup Installation
- Product Key Configuration
- System Performance Verification
Important: The procedures within this document should be followed sequentially. If changes are made out of sequence, unexpected results may occur.
Exchange 2010 Prerequisites Installation for Windows Server 2008 SP2
- Connect to the server via Remote Desktop, and then log on with
an account that has been delegated local administrative access.
- Open an elevated command prompt, navigate to the
\Setup\ServerRoles\Common folder on the Exchange 2010 installation
media, and then use the following commands to configure the Net.Tcp
Port Sharing Service for automatic startup and to install the
necessary operating system components:
sc config NetTcpPortSharing start= auto
ServerManagerCmd -ip Exchange-CAS.xml -Restart
Exchange 2010 Prerequisites Installation for Windows Server 2008 R2
- Connect to the server via Remote Desktop, and then log on with
an account that has been delegated local administrative access.
- On the Start Menu, navigate to All Programs >
Accessories > Windows PowerShell. Open an elevated
Windows PowerShell console, and run the following commands:
Import-Module ServerManager
Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,Web-Asp-Net,Web-Client-Auth,Web-Dir-Browsing,Web-Http-Errors,Web-Http-Logging,Web-Http-Redirect,Web-Http-Tracing,Web-ISAPI-Filter,Web-Request-Monitor,Web-Static-Content,Web-WMI,RPC-Over-HTTP-Proxy -Restart
- After the system has restarted, log on as an administrator,
open an elevated Windows PowerShell console, and configure the
Net.Tcp Port Sharing Service for automatic startup by running the
following command:
Set-Service NetTcpPortSharing -StartupType Automatic
Exchange 2010 Installation
This document uses the command-line method for installing the Exchange 2010 server roles; however, you can also use a GUI called the Setup Wizard. For more information about how to use the Setup Wizard to install an Exchange 2010 server role, see the Perform a Custom Exchange 2010 Installation topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187220).
- Connect to the server via Remote Desktop, and then log on with
an account that has been delegated local administrative access. If
the Exchange server has been provisioned for delegated setup, the
account must be delegated the Delegated Setup management role (or
higher).
- Follow the procedure detailed in the Install Exchange 2010 in Unattended Mode topic in the
Exchange Server 2010 Library
(http://go.microsoft.com/fwlink/?LinkId=187229). For example, this
command installs the Client Access server role:
setup.com /r:C
- If this is the first Exchange 2010 server role being installed into an environment that does not contain any version of Microsoft Exchange, you must also specify the /OrganizationName setup parameter. Do not restart the server at this point, even if setup reports that a restart is required.
- To prevent the use of the server role before it is fully
configured, open an administrative command prompt and stop the IIS
services by running the following command:
net stop iisadmin /y
Exchange Server 2010 Update Rollup Installation
- Connect to the server through Remote Desktop, and then log on
with an account that has local administrative access.
- Obtain the latest company approved rollup, and then copy it to
the server.
- Launch the Windows Installer patch (the MSP file) setup via one
of two ways:
- Double-click the MSP file, and then follow the GUI
instructions.
- Perform a silent installation using the following command from
an administrative command prompt:
    msiexec /i <Path and filename of MSP file> /q
- Click Yes for any Digital Signature not Found
dialog boxes that may appear.
Note: These dialog boxes will appear only in environments that have deployed the Windows Security templates.
Product Key Configuration
- Launch the Exchange Management Shell with an account that has
been delegated the Server Management role.
- Follow the procedure documented in the Enter Product Key topic in the Exchange Server 2010
Library (http://go.microsoft.com/fwlink/?LinkId=187234).
System Performance Verification
By default, Exchange 2010 optimizes the server’s processor scheduling management for background services.
- Connect to the server through Remote Desktop, and then log on
with an account that has local administrative access.
- Click Start, right-click Computer, and then
select Properties.
- Select the Advanced System Settings.
- Under Performance, click Settings.
- Click the Advanced tab.
- Verify that Processor Scheduling is set to Background Services.
- Click OK.
Exchange Server Role Configuration
The following procedures are in this section:
- Commercial Certificate Configuration
- RPC Client Access Array Configuration
- RPC Client Access and Address Book Services Configuration
- Autodiscover Configuration
- Outlook Anywhere Configuration
- Offline Address Book Configuration
- IMAP4 Configuration
- POP3 Configuration
- Outlook Web App Configuration (Internet Scenario) or Outlook
Web App Configuration (Proxy Scenario)
- Legacy ActiveSync Configuration
- Handoff Test
Important: The procedures within this document should be followed sequentially. If changes are made out of sequence, unexpected results may occur.
Commercial Certificate Configuration
A commercial certificate is only needed if the Client Access server will service client requests from the Internet, or if you need to facilitate untrusted cross-forest communication between Client Access servers.
Note: For more information about using the certificate tasks, see the Understanding TLS Certificates topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187237).
- Launch the Exchange Management Shell with an account that has
been delegated the Server Management role.
Note: If generating a certificate that will use Subject Alternative Names, be sure that the certificate's principal name will be the one that the clients will use to connect (for example, mail.contoso.com). Do not list the Autodiscover namespace as the principal name in the certificate.
- Generate the certificate request by using the following
Exchange Management Shell command. The DomainName parameter
includes the principal URL and the Autodiscover FQDN; be sure to
define other FQDNs that clients may utilize. The
FriendlyName parameter matches the principal URL that is
used by Microsoft Office Outlook Web App and Outlook
Anywhere.
$Data = New-ExchangeCertificate -GenerateRequest -SubjectName [Full Subject Path] -DomainName mail.contoso.com, autodiscover.contoso.com -FriendlyName mail.contoso.com -BinaryEncoded -PrivateKeyExportable:$true
Set-Content -Path "c:\cert.req" -Value $Data.FileData -Encoding Byte
Note: The Windows RPC/HTTP client-side component in Windows Vista requires that the Subject Name (Common Name) on the certificate match the "Certificate Principal Name" configured for the Outlook Anywhere connection in the Outlook profile. This behavior was changed in Windows Vista Service Pack 1 (SP1). Therefore, as a best practice, make sure that mail.contoso.com is listed as the Subject Name in your certificate unless you plan to change the configuration. You can use the Set-OutlookProvider cmdlet to change the configuration. For more information about how to change the configuration, see the Exchange Team Blog article, When, if and how do you modify Outlook Providers? (http://go.microsoft.com/fwlink/?LinkId=160947)
- Submit the request file to the Certificate Authority (CA) and
have the CA generate the certificate.
- After receiving the certificate, import and enable the
certificate by running the following Exchange Management Shell
command where [services] can be POP, IMAP, IIS, or a
combination:
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path C:\NewCert.pfx -Encoding byte -ReadCount 0)) -Password:(Get-Credential).password | Enable-ExchangeCertificate -Services "[services]"
- To mandate SSL on the default Web site, do the following:
- Open Internet Information Services (IIS) Manager.
- Expand the Server Node object and the Sites
node.
- Click the Default Web Site.
- In the middle pane, double-click SSL Settings.
- Verify Require secure channel (SSL) is enabled.
Note: If you require 128-bit encryption, also verify that Require 128-bit encryption is enabled.
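Once the certificate is enabled, the rules in this section (principal name in the Subject, Autodiscover only as an alternative name, a CA-issued rather than self-signed certificate, SSL required on the Default Web Site) can be checked in one pass. The following is an added example, not part of the Exchange 2010 template, to be run in the Exchange Management Shell on the Client Access server; the IIS check uses the WebAdministration module that Windows Server 2008 R2 provides. The host names are the Contoso placeholders from the text.

```powershell
# Added example (not from the Exchange 2010 template): audit the certificate enabled for IIS and the
# Default Web Site SSL setting. Run in the Exchange Management Shell; WebAdministration needs Server 2008 R2.
# Assumptions: Contoso placeholder names; 30 days is an arbitrary renewal warning threshold.

function Test-CasCertificate {
    param(
        [string]$PrincipalName = 'mail.contoso.com',
        [string[]]$RequiredNames = @('mail.contoso.com', 'autodiscover.contoso.com'),
        [int]$MinimumDaysLeft = 30
    )
    $findings = @()
    $cert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
    if (-not $cert) { return @('No certificate is enabled for the IIS service on this server.') }

    # Subject CN must be the name clients connect to (pre-SP1 Windows Vista matches Outlook Anywhere on it)
    $cn = $cert.Subject -split ',' | ForEach-Object { $_.Trim() } |
          Where-Object { $_ -like 'CN=*' } | Select-Object -First 1
    if ($cn) { $cn = $cn.Substring(3) }
    if ($cn -ne $PrincipalName) { $findings += "Subject CN is '$cn'; expected '$PrincipalName'." }
    if ($cn -like 'autodiscover.*') { $findings += 'The Autodiscover name must not be the principal name.' }

    # Every name clients use must appear in the certificate (SAN list as Exchange reports it)
    $domains = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
    foreach ($name in $RequiredNames) {
        if ($domains -notcontains $name) { $findings += "Certificate does not cover $name." }
    }
    if ($cert.IsSelfSigned)      { $findings += 'Certificate is self-signed; Internet clients will not trust it.' }
    if (-not $cert.HasPrivateKey) { $findings += 'Private key is missing; TLS cannot use this certificate.' }
    if ($cert.NotAfter -lt (Get-Date).AddDays($MinimumDaysLeft)) {
        $findings += "Certificate expires on $($cert.NotAfter)."
    }
    return $findings
}

function Test-DefaultWebSiteRequiresSsl {
    Import-Module WebAdministration
    $flags = Get-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site' `
        -Filter 'system.webServer/security/access' -Name sslFlags
    # "Ssl" means "Require secure channel (SSL)"; "Ssl128" is the additional 128-bit option
    return (("$flags" -split ',\s*') -contains 'Ssl')
}

# Test-CasCertificate              # no output means every check passed
# Test-DefaultWebSiteRequiresSsl   # $true when SSL is required on the Default Web Site
```

Test-CasCertificate returns one line per problem, so an empty result is the pass condition; re-run it after each certificate renewal, since a replacement certificate enabled for IIS is the usual way the Subject or the SAN list silently changes.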
RPC Client Access Array Configuration
If this is the first Client Access server being installed in the Active Directory site, and the Client Access server infrastructure will participate in a load-balanced array, then you also need to create the RPC Client Access array object. The fully-qualified domain name (FQDN) you specify for the RPC Client Access array should map to the FQDN or virtual IP address that is used for the load-balanced array that was previously created.
Note: If the RPC Client Access array object already exists for this Active Directory site, you can skip this section.
- Launch the Exchange Management Shell with an account that has
been delegated the Server Management role and then run the
following command:
New-ClientAccessArray -Fqdn <FQDN of CAS load balanced array> -Site <Active Directory Site>
RPC Client Access and Address Book Services Configuration
If the Client Access server is configured to participate in a load-balanced array, follow these steps to configure the RPC Client Access and Address Book services to use a specific TCP port for client connections. Without static ports both services listen on dynamic RPC ports, which a load balancer cannot be given a fixed rule for. The procedure uses TCP ports 59595 and 59596, but you can use any available TCP high ports between 59531 and 60554 (adjust the load-balanced array rules accordingly).
- Connect to the server through Remote Desktop, and then log on
with an account that has been delegated local administrative
access.
- Start Registry Editor.
Important: Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.
- Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeRPC
- Right-click MSExchangeRPC, point to New, and then
click Key.
- Type ParametersSystem to name the new key.
- Right-click ParametersSystem, point to New, and
then click DWORD (32-bit) Value.
- Type TCP/IP Port to name the new value.
- Double-click TCP/IP Port.
- In the Value data box, type 59595, and then click
OK.
- Close Registry Editor and then restart the Microsoft Exchange RPC Client Access service so that it picks up the new port.
Configure a static port for the Microsoft Exchange Address Book service by performing the steps below for your version of Exchange 2010.
In the Release to Manufacturing (RTM) version of Exchange 2010:
- Navigate to <Exchange Install Path>\bin.
- Open the MicrosoftExchange.AddressBook.Service.exe.config file
in Notepad and add the following entry to the <appSettings>
section of the file:
<add key="RpcTcpPort" value="59596" />
- Close and save the file.
In Exchange 2010 Service Pack 1 (SP1):
- Start Registry Editor.
Important: Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.
- Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeAB
- Right-click MSExchangeAB, point to New, and then
click Key.
- Type Parameters to name the new key.
- Right-click Parameters, point to New, and then
click String Value.
- Type RpcTcpPort to name the new value.
- Double-click RpcTcpPort.
- In the Value data box, type 59596, and then click
OK.
- Close Registry Editor and then restart the Microsoft Exchange
Address Book service.
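The registry steps above can be applied and, more importantly, verified in one pass. The following PowerShell script is an added example, not part of the Microsoft template. It writes the two values with the documented types (DWORD for the RPC Client Access port, string for the Address Book port), restarts both services when run with -Apply, and then checks through netstat that each service process is the one listening on its port. It targets the Exchange 2010 SP1 registry locations; the port numbers are the page's examples.

```powershell
# Added example, not part of the Microsoft template. Applies (with -Apply) and verifies the
# static RPC Client Access and Address Book ports for Exchange 2010 SP1 and later.
# Port numbers are the page's examples; run in an elevated PowerShell on the CAS.
param(
    [int]$RpcPort         = 59595,
    [int]$AddressBookPort = 59596,
    [switch]$Apply                      # without -Apply the script only reports
)

$LowPort = 59531; $HighPort = 60554    # range documented in this section
foreach ($p in @($RpcPort, $AddressBookPort)) {
    if ($p -lt $LowPort -or $p -gt $HighPort) { throw "Port $p is outside $LowPort-$HighPort" }
}
if ($RpcPort -eq $AddressBookPort) { throw 'RPC Client Access and Address Book must use different ports' }

# Value types matter: the RPC Client Access port is a DWORD, the Address Book port is a string.
# A value of the wrong type is not picked up and the service stays on a dynamic RPC port,
# which is what the ListeningOnPort column below is there to catch.
$Settings = @(
    @{ Service = 'MSExchangeRPC'
       Key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem'
       Name    = 'TCP/IP Port'; Type = 'DWord';  Value = $RpcPort },
    @{ Service = 'MSExchangeAB'
       Key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeAB\Parameters'
       Name    = 'RpcTcpPort';  Type = 'String'; Value = [string]$AddressBookPort }
)

function Set-StaticPort($s) {
    if (-not (Test-Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
    New-ItemProperty -Path $s.Key -Name $s.Name -PropertyType $s.Type -Value $s.Value -Force | Out-Null
}

function Get-ConfiguredPort($s) {
    $item = Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue
    if ($item -ne $null) { [int]$item.($s.Name) } else { $null }
}

function Get-ListeningPids([int]$Port) {
    # Parse 'netstat -ano -p TCP'; data rows are Proto, Local, Foreign, State, PID.
    netstat -ano -p TCP | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        if ($f.Count -eq 5 -and $f[3] -eq 'LISTENING' -and $f[1] -match ":$Port$") { [int]$f[4] }
    }
}

function Test-StaticPort($s) {
    $svc  = Get-WmiObject Win32_Service -Filter "Name='$($s.Service)'"
    $pids = @(Get-ListeningPids ([int]$s.Value))
    New-Object PSObject -Property @{
        Service         = $s.Service
        WantedPort      = [int]$s.Value
        ConfiguredPort  = Get-ConfiguredPort $s
        ServiceState    = $svc.State
        ListeningOnPort = ($svc.ProcessId -gt 0 -and $pids -contains [int]$svc.ProcessId)
    }
}

if ($Apply) {
    $Settings | ForEach-Object { Set-StaticPort $_ }
    # Both services read the port at startup. Restarting MSExchangeRPC drops current Outlook
    # sessions on this server, so do this inside the build window.
    Restart-Service MSExchangeRPC -Force
    Restart-Service MSExchangeAB  -Force
}
$Settings | ForEach-Object { Test-StaticPort $_ } |
    Format-Table Service, WantedPort, ConfiguredPort, ServiceState, ListeningOnPort -AutoSize
```

A row with ConfiguredPort set but ListeningOnPort false means the value was written but the service did not honour it (wrong type, or not yet restarted); in that state the load balancer rule for the static port will silently fail for MAPI and Address Book traffic.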
Autodiscover Configuration
Exchange 2010 includes a service named the Autodiscover service. The Autodiscover service makes it easier to configure Outlook 2007 or Outlook 2010 and some mobile phones. For more information, see the Understanding the Autodiscover Service topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=194169).
- Launch the Exchange Management Shell with an account that has
been delegated the Server Management role.
- Configure the internal Autodiscover URL by running the
following command within the Exchange Management Shell. In the
following example, CAS01 is the name of the Client Access server
and internal.domain.fqdn is the internal namespace used for
Autodiscover:
Set-ClientAccessServer -Identity CAS01 -AutoDiscoverServiceInternalUri "https://internal.domain.fqdn/autodiscover/autodiscover.xml"
- Optional: Follow the procedure outlined in the Configure the Exchange Services for the Autodiscover Service topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187243) to configure the Autodiscover service for use by Internet clients. This enables Outlook Anywhere and sets the ExternalUrl parameter on the offline address book (OAB), Web Services, and Unified Messaging virtual directories.
- Optional: Follow the procedure outlined in the Configure Exchange ActiveSync Autodiscover Settings
topic in the Exchange Server 2010 Library
(http://go.microsoft.com/fwlink/?LinkId=187244) for usage by mobile
clients.
- Optional: Enable site affinity by following the procedure
outlined in the Configure the Autodiscover Service to Use Site
Affinity topic in the Exchange Server 2010 Library
(http://go.microsoft.com/fwlink/?LinkId=187245).
- Verify that Autodiscover functions correctly by following the
procedure outlined in the Test Outlook Autodiscover Connectivity topic in the
Exchange Server 2010 Library
(http://go.microsoft.com/fwlink/?LinkId=187247).
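Set-ClientAccessServer -AutoDiscoverServiceInternalUri writes the URL into a service connection point (SCP) object under the server in the Active Directory configuration partition, and domain-joined Outlook clients locate Autodiscover by searching for those objects. The following PowerShell script is an added example, not part of the Microsoft template: it lists every Autodiscover SCP in the forest with its URL and any site-scope keywords, and flags URLs that are not HTTPS or that differ from the internal namespace you configured. It needs only ADSI access to the configuration partition, not the Exchange cmdlets. The expected URL is the page's example value; the keyword GUIDs are the well-known Autodiscover SCP markers.

```powershell
# Added example, not part of the Microsoft template: audit the Autodiscover SCP objects that
# Set-ClientAccessServer -AutoDiscoverServiceInternalUri maintains. Needs read access to the
# configuration partition only. The expected URL is the page's example value.
param([string]$ExpectedUri = 'https://internal.domain.fqdn/autodiscover/autodiscover.xml')

# Well-known keyword GUIDs: the first marks an SCP that carries an Autodiscover URL, the second
# marks one that only scopes clients to a site (its serviceBindingInformation is an LDAP URL).
$PointerKeyword   = '77378F46-2C66-4aa9-A6A6-3E7A48B19596'
$SiteScopeKeyword = '67661d7F-8FC4-4fa7-BFAC-E1D7794C1F68'

function Get-AutodiscoverScp {
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$configNc")
    $searcher.Filter   = "(&(objectClass=serviceConnectionPoint)(|(keywords=$PointerKeyword)(keywords=$SiteScopeKeyword)))"
    $searcher.PageSize = 500
    foreach ($attr in 'distinguishedName','serviceBindingInformation','keywords','whenChanged') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    foreach ($r in $searcher.FindAll()) {
        $keywords = @($r.Properties['keywords'])
        New-Object PSObject -Property @{
            # The SCP is named after the server it belongs to, so the first RDN is the CAS name.
            Server  = (([string]$r.Properties['distinguishedname'][0]) -split ',')[0] -replace '^CN=', ''
            Uri     = [string]$r.Properties['servicebindinginformation'][0]
            Kind    = if ($keywords -contains $PointerKeyword) { 'Pointer' } else { 'SiteScope' }
            # Site=<name> keywords come from Set-ClientAccessServer -AutoDiscoverSiteScope.
            Sites   = (@($keywords | Where-Object { $_ -like 'Site=*' } | ForEach-Object { $_.Substring(5) })) -join ';'
            Changed = $r.Properties['whenchanged'][0]
        }
    }
}

function Test-AutodiscoverScp([string]$Expected) {
    $problems = @()
    $pointers = @(Get-AutodiscoverScp | Where-Object { $_.Kind -eq 'Pointer' })
    if ($pointers.Count -eq 0) { return @('No Autodiscover pointer SCP found in the configuration partition') }
    foreach ($p in $pointers) {
        if ($p.Uri -notmatch '^https://') { $problems += "$($p.Server): URL is not HTTPS ($($p.Uri))" }
        if ($p.Uri -ne $Expected)        { $problems += "$($p.Server): URL '$($p.Uri)' differs from '$Expected'" }
    }
    return $problems
}

Get-AutodiscoverScp | Sort-Object Kind, Server | Format-Table Kind, Server, Uri, Sites, Changed -AutoSize
$issues = @(Test-AutodiscoverScp $ExpectedUri)
if ($issues.Count -eq 0) { "OK: every Autodiscover SCP points at $ExpectedUri" }
else { $issues | ForEach-Object { "PROBLEM: $_" } }
```

A freshly installed Client Access server publishes https://<server FQDN>/Autodiscover/Autodiscover.xml until this section's Set-ClientAccessServer command runs, and a client that happens to pick that SCP gets a certificate prompt if the server FQDN is not on the certificate. In a multi-site deployment where each site has its own internal namespace, filter the Pointer rows by the Sites column before comparing against the expected URL.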
Outlook Anywhere Configuration
If you completed step 3 from the previous "Autodiscover Configuration" section, you can skip this section. Otherwise, complete this procedure.
- Launch the Exchange Management Shell with an account that has
been delegated the Server Management role.
- To enable Outlook Anywhere, follow the procedure outlined in
the Enable Outlook Anywhere topic in the Exchange
Server 2010 Library
(http://go.microsoft.com/fwlink/?LinkId=187249).
- If the server will be servicing Outlook Anywhere clients on the
Internet, follow the procedure outlined in the Configure an External Host Name for Outlook Anywhere
topic in the Exchange Server 2010 Library
(http://go.microsoft.com/fwlink/?LinkId=187253).
Offline Address Book Configuration
If the Client Access server will not be a distribution point for the OAB, you can skip this section.
By default, the OAB virtual directory does not require SSL, and Client Access servers use self-signed certificates to provide HTTP and RPC encryption. Clients that download files such as the OAB through the BITS service cannot use self-signed certificates. If a commercial certificate is used and ISA 2006 is not enforcing SSL in front of the server, enable SSL on the OAB virtual directory.
Note: To use OAB Web distribution, the OAB must be generated on an Exchange 2010 Mailbox server. If the OAB is not generated on an Exchange 2010 Mailbox server, you can skip step 1.
- Launch the Exchange Management Shell with an account that has
been delegated the Organization Management role and then run the
following commands. In the following example, CAS01 is the name of
the Client Access server and mail.contoso.com is the name of the
external URL.
$a = Get-OabVirtualDirectory -Server CAS01
Set-OabVirtualDirectory $a -ExternalURL https://mail.contoso.com/OAB
Set-OfflineAddressBook "default offline address book" -VirtualDirectories $a
iisreset /noforce
- If the server has a commercial certificate and will be
servicing requests from the Internet and either Microsoft Internet
Security and Acceleration (ISA) Server 2006, Microsoft Forefront
Unified Access Gateway (UAG) or Microsoft Forefront Threat
Management Gateway (TMG) 2010 will not be in use to enforce SSL for
Internet requests, follow the procedure outlined in the Require SSL for Offline Address Book Distribution
topic in the Exchange Server 2010 Library
(http://go.microsoft.com/fwlink/?LinkId=187254).
IMAP4 Configuration
If the Client Access server will not allow IMAP4 connections, you can skip this section.
- Launch the Exchange Management Shell with an account that has
been delegated the Server Management role.
- To configure the IMAP4 bindings, run the following command. In
the following example, CAS01 is the Client Access server and
0.0.0.0 implies any IP address.
Set-ImapSettings -Server CAS01 -UnencryptedOrTLSBindings "0.0.0.0:143" -SSLBindings "0.0.0.0:993"
- To disable plain text authentication and enable custom calendar
item retrieval option for IMAP4, run the following command. In the
following example, mail.contoso.com is the certificate name and
external URL.
Set-ImapSettings -Server CAS01 -X509CertificateName "mail.contoso.com" -LoginType SecureLogin -CalendarItemRetrievalOption Custom -OwaServerUrl https://mail.contoso.com/owa
- To enable the Exchange IMAP4 service for automatic startup, run
the following command:
Set-Service MSExchangeIMAP4 -ComputerName CAS01 -StartupType Automatic
POP3 Configuration
If the Client Access server will not allow POP3 connections, you can skip this section.
- Launch the Exchange Management Shell with an account that has
been delegated the Server Management role.
- To configure the POP3 bindings, run the following command. In
the following example, CAS01 is the Client Access server and
0.0.0.0 implies any IP address.
Set-PopSettings -Server CAS01 -UnencryptedOrTLSBindings "0.0.0.0:110" -SSLBindings "0.0.0.0:995"
- To disable plain text authentication and enable custom calendar
item retrieval option for POP3, run the following command. In the
following example, mail.contoso.com is the certificate name and
external URL.
Set-PopSettings -Server CAS01 -X509CertificateName "mail.contoso.com" -LoginType SecureLogin -CalendarItemRetrievalOption Custom -OwaServerUrl https://mail.contoso.com/owa
- To enable the Exchange POP3 service for automatic startup, run
the following command:
Set-Service MSExchangePOP3 -ComputerName CAS01 -StartupType Automatic
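The IMAP4 and POP3 settings above are best validated from a client's point of view. The following PowerShell script is an added example, not part of the Microsoft template, and serves both the IMAP4 and the POP3 sections: it connects to the plaintext ports (143 and 110), records the advertised capabilities, checks whether plaintext authentication is still being offered (RFC 2595 requires an IMAP server that has disabled it to advertise LOGINDISABLED and withhold AUTH= mechanisms; a POP3 server should likewise omit USER and SASL from CAPA until STLS completes), then upgrades the connection to TLS and reports the certificate names against mail.contoso.com. It uses only .NET socket and SslStream classes, so it can run from any Windows host; the host name and certificate name are the page's example values.

```powershell
# Added example, not part of the Microsoft template: check the effect of -LoginType SecureLogin
# and -X509CertificateName on the IMAP4 and POP3 endpoints from the network. Uses only .NET
# classes. mail.contoso.com is the page's example name.
param(
    [string]$Server       = 'mail.contoso.com',
    [string]$ExpectedName = 'mail.contoso.com'
)

$script:SslErrors = 'None'
$AcceptAndRecord = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($sender, $cert, $chain, $errors)
    $script:SslErrors = $errors.ToString()   # record chain/name errors instead of failing
    return $true
}

function Open-Connection([string]$Host, [int]$Port) {
    $tcp = New-Object System.Net.Sockets.TcpClient($Host, $Port)
    $tcp.ReceiveTimeout = 5000
    $stream = $tcp.GetStream()
    @{ Tcp = $tcp; Stream = $stream
       Reader = New-Object System.IO.StreamReader($stream, [Text.Encoding]::ASCII)
       Writer = New-Object System.IO.StreamWriter($stream, [Text.Encoding]::ASCII) }
}

function Send-Line($c, [string]$Line) { $c.Writer.Write("$Line`r`n"); $c.Writer.Flush() }

function Read-Until($c, [string]$Pattern) {
    # Read lines until one matches the terminator pattern; return everything read.
    $lines = @()
    do { $l = $c.Reader.ReadLine(); if ($l -eq $null) { break }; $lines += $l } until ($l -match $Pattern)
    return $lines
}

function Start-Tls($c, [string]$Name) {
    # Upgrade the existing socket; the server waits for our ClientHello after its OK reply.
    $ssl = New-Object System.Net.Security.SslStream($c.Stream, $false, $AcceptAndRecord)
    $ssl.AuthenticateAsClient($Name)
    $c.Reader = New-Object System.IO.StreamReader($ssl, [Text.Encoding]::ASCII)
    $c.Writer = New-Object System.IO.StreamWriter($ssl, [Text.Encoding]::ASCII)
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}

function Get-CertNames($cert) {
    # Subject CN plus every entry of the Subject Alternative Name extension (OID 2.5.29.17).
    $names = @()
    if ($cert.Subject -match '(^|,\s*)CN=([^,]+)') { $names += $Matches[2].Trim() }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { $names += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[1] }) }
    return $names
}

function New-Report([string]$Endpoint, [string]$Caps, [bool]$TlsOffered, [bool]$PlainAuthOff, $Cert, [string]$Name) {
    $names = if ($Cert) { @(Get-CertNames $Cert) } else { @() }
    New-Object PSObject -Property @{
        Endpoint = $Endpoint; Capabilities = $Caps; StartTlsOffered = $TlsOffered
        PlaintextAuthOff = $PlainAuthOff; CertNames = ($names -join ',')
        NameMatches = ($names -contains $Name); ChainErrors = $script:SslErrors
        ExpiresUtc = if ($Cert) { $Cert.NotAfter.ToUniversalTime() } else { $null }
    }
}

function Test-Imap4([string]$Host, [string]$Name) {
    $c = Open-Connection $Host 143
    [void](Read-Until $c '^\* (OK|PREAUTH|BYE)')          # greeting
    Send-Line $c 'a1 CAPABILITY'
    $caps = (Read-Until $c '^a1 ') -join ' '
    Send-Line $c 'a2 STARTTLS'
    $ok   = (@(Read-Until $c '^a2 ')[-1] -match '^a2 OK')
    $cert = if ($ok) { Start-Tls $c $Name } else { $null }
    $c.Tcp.Close()
    New-Report 'IMAP4/143' $caps ($caps -match 'STARTTLS') (($caps -match 'LOGINDISABLED') -and ($caps -notmatch 'AUTH=')) $cert $Name
}

function Test-Pop3([string]$Host, [string]$Name) {
    $c = Open-Connection $Host 110
    [void](Read-Until $c '^\+OK|^-ERR')                    # greeting
    Send-Line $c 'CAPA'
    $resp = @(Read-Until $c '^\.$|^-ERR')
    $caps = ($resp | Where-Object { $_ -notmatch '^\+OK|^\.$' }) -join ' '
    Send-Line $c 'STLS'
    $ok   = (@(Read-Until $c '^\+OK|^-ERR')[-1] -match '^\+OK')
    $cert = if ($ok) { Start-Tls $c $Name } else { $null }
    $c.Tcp.Close()
    New-Report 'POP3/110' $caps ($caps -match 'STLS') (($caps -notmatch '(^|\s)USER(\s|$)') -and ($caps -notmatch 'SASL')) $cert $Name
}

Test-Imap4 $Server $ExpectedName
Test-Pop3  $Server $ExpectedName
```

Read the Capabilities column yourself as well as the derived flags: a server that still lists AUTH=PLAIN or USER before STARTTLS/STLS is accepting credentials in the clear whatever the Exchange setting says. NameMatches uses exact matching, so a wildcard certificate shows as false; ChainErrors of RemoteCertificateChainErrors with a self-signed certificate is the condition the X509CertificateName step above is meant to remove.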
Outlook Web App Configuration (Internet Scenario)
Follow the steps in this section only if the Client Access server will service requests directly from the Internet and no ISA 2006, UAG or TMG pre-authentication mechanism is in use. If either condition is not met, skip this section and follow the steps outlined in the Outlook Web App Configuration (Proxy Scenario) section below.
- Launch the Exchange Management Shell with an account that has
been delegated the Server Management role.
- By default, when the Client Access server role is installed,
forms-based authentication is enabled. Ensure that forms-based
authentication is enabled by following the procedure outlined in
the Configure Forms-based Authentication for Outlook
Web App topic in the Exchange Server 2010 Library
(http://go.microsoft.com/fwlink/?LinkId=187486).
- Configure the public and private cookie timeouts by following
the procedures outlined in the Set the Forms-Based Authentication Public Computer Cookie
Time-Out Value topic
(http://go.microsoft.com/fwlink/?LinkId=187334) and the Set the Forms-Based Authentication Private Computer Cookie
Time-Out Value topic in the Exchange Server 2010 Library
(http://go.microsoft.com/fwlink/?LinkId=187336).
- Optional: Configure GZip compression by following the procedure
outlined in the Configure Gzip Compression Settings topic in the
Exchange Server 2010 Library
(http://go.microsoft.com/fwlink/?LinkId=187343).
- Configure WebReady Document Viewing by following the procedure
outlined in the Configure WebReady Document Viewing topic in the
Exchange Server 2010 Library
(http://go.microsoft.com/fwlink/?LinkId=187344).
- Configure private and public computer file access by following
the procedure outlined in Configure Public and Private Computer File Access
topic in the Exchange Server 2010 Library
(http://go.microsoft.com/fwlink/?LinkId=187346).
- Optional: If redirection is to be used, run the following
command from the Exchange Management Shell. In the following
example, CAS01 is the name of the Client Access server and
mail.contoso.com is the name of the external URL.
Set-OwaVirtualDirectory -Identity "CAS01\owa (Default Web Site)" -ExternalURL https://mail.contoso.com/owa
Set-EcpVirtualDirectory -Identity "CAS01\ecp (Default Web Site)" -ExternalURL https://mail.contoso.com/ecp
- Optional: To simplify the Outlook Web App URL and redirect
users to HTTPS, follow the procedure outlined in the Simplify the Outlook Web App URL topic in the Exchange
Server 2010 Library
(http://go.microsoft.com/fwlink/?LinkId=187347).
- Restart the Client Access server.
Outlook Web App Configuration (Proxy Scenario)
Follow the steps in this section only if the Client Access server will not service requests directly from the Internet, but it will receive requests from other Client Access servers that are located in other Active Directory sites, or the Client Access server will be using ISA or UAG or TMG to pre-authenticate Internet requests.
- Launch the Exchange Management Shell with an account that has
been delegated the Server Management role.
- Configure Windows Integrated Authentication by following the
procedure outlined in the Configure Forms-based Authentication for Outlook Web
App topic in the Exchange Server 2010 Library
(http://go.microsoft.com/fwlink/?LinkId=187486).
- Optional: Configure GZip compression by following the procedure
outlined in the Configure Gzip Compression Settings topic in the
Exchange Server 2010 Library
(http://go.microsoft.com/fwlink/?LinkId=187343).
- Configure WebReady Document Viewing by following the procedure
outlined in the Configure WebReady Document Viewing topic in the
Exchange Server 2010 Library
(http://go.microsoft.com/fwlink/?LinkId=187344).
- Configure private and public computer file access by following
the procedure outlined in Configure Public and Private Computer File Access
topic in the Exchange Server 2010 Library
(http://go.microsoft.com/fwlink/?LinkId=187346).
- Optional: To simplify the Outlook Web App URL and redirect
users to HTTPS, follow the procedure outlined in the Simplify the Outlook Web App URL topic in the Exchange
Server 2010 Library
(http://go.microsoft.com/fwlink/?LinkId=187347).
- Restart the Client Access server.
Legacy ActiveSync Configuration
In order for mobile devices to synchronize using Client Access servers when the mailbox resides on Exchange Server 2003, the Microsoft-Server-ActiveSync virtual directory must be configured to use Windows Integrated Authentication.
If there are no legacy Exchange Mailbox servers or no legacy mailboxes that are accessed via Exchange ActiveSync, you can skip this section.
Note: |
---|
You can manually configure the Microsoft-Server-ActiveSync virtual directory to use Windows Integrated Authentication by installing the hotfix described in Microsoft Knowledge Base article 937031 on a workstation running the Exchange 2003 System Manager (http://go.microsoft.com/fwlink/?linkid=3052&kbid=937031). |
- Connect to the server via Remote Desktop and log on with an
account that has been delegated both local administrative access
and the Exchange Full Administrator role within the Exchange 2003
environment.
- Create the legacyEAS.vbs script by copying the code from the
Server Build DVD Visual Basic Script Examples
topic in the Exchange Server 2007 Library
(http://go.microsoft.com/fwlink/?LinkId=167205).
- Open a command prompt and navigate to the directory containing
the script file and run the following command:
legacyEAS.vbs -d:DomainController -a:AdminGroup
Note: Replace DomainController with a domain controller that is in the same Active Directory site as the Exchange server (optional parameter), and AdminGroup with the Exchange 2003 administrative group that contains the server.
The output will be similar to the following if successful:
Z:\E2010-Scripts\CAS>legacyeas.vbs -d:W2K3-DC-01 -a:NorthAmerica
Microsoft (R) Windows Script Host Version 5.1 for Windows
Copyright (C) Microsoft Corporation 1996-1999. All rights reserved.

Exchange Server Container - cn=Microsoft-Server-Activesync,cn=1,cn=HTTP,cn=Protocols,cn=<Server>,cn=Servers,cn=NorthAmerica,cn=Administrative Groups,cn=<OrgName>,cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<root domain>
Attribute Name & Value - msExchAuthenticationFlags: 6
Attribute Set!!
Handoff Test
Before you can complete the diagnostic tasks in this section, you must have already created test mailboxes in your environment by using the New-TestCasConnectivityUser.ps1 script.
Create Test Mailboxes
- Connect to the Exchange 2010 Mailbox server through Remote
Desktop and log on with an account that has local administrative
access and was delegated the Server Management role.
- Click Start > All Programs > Microsoft
Exchange Server 2010, and then select Exchange Management
Shell.
- Change the directory path to <Exchange Server
Install Path>\Scripts.
- Type New-TestCasConnectivityUser.ps1 and press
Enter.
- Enter a temporary password and follow the prompts to create the
test mailboxes.
Perform Handoff Test
- If the server has not been restarted as a result of a previous
section’s instructions, restart the server.
- Launch the Exchange Management Shell with an account that has
been delegated the Server Management role.
- To test Exchange ActiveSync connectivity, run the following
command where <Server> is the name of the Client
Access server:
Test-ActiveSyncConnectivity -ClientAccessServer <Server>
- To test Autodiscover connectivity, run the following command
where <EmailAddress> is the e-mail address of a
mailbox:
Test-OutlookWebServices -Identity <EmailAddress> -TargetAddress <EmailAddress>
- To test Exchange Web Services functionality, run the following
command:
Test-WebServicesConnectivity -ClientAccessServer <Server> -AllowUnsecureAccess
- To test Outlook Web App connectivity, run the following command
where <Server> is the name of the Client Access
server:
Test-OwaConnectivity -ClientAccessServer:<Server> -AllowUnsecureAccess
If this server will be responding to Internet client requests, consider using the Exchange Remote Connectivity Analyzer (https://www.testexchangeconnectivity.com/) to verify your configuration, as well.