Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2012-02-21

This topic provides you with an installation guide template that you can use as a starting point for formally documenting your organization's server build procedures for Microsoft Exchange Server 2010 servers that will have the Client Access server role installed.

The template includes the following key sections:

For purposes of providing an example, the template uses the fictitious company name of Contoso. Also, you can download this template, along with templates for other server roles, as a download package in .zip file format at Microsoft Exchange Server 2010 Install Guide Templates (http://go.microsoft.com/fwlink/?LinkID=187961).

Executive Summary

The purpose of this document is to explain the installation and configurations necessary to install the Exchange 2010 Client Access server role on the Windows Server 2008 platform.

Business Justification

By having an installation guide, Contoso will be able to ensure standardization across the enterprise, reducing total cost of ownership (TCO) and easing troubleshooting.

Scope

The scope of this document is limited to installation of an Exchange 2010 Client Access server for Contoso on the x64 version of the Windows Server 2008 (SP2 or R2) operating system.

Prerequisites

The administrator should have working knowledge of Windows Server 2008 concepts, Exchange 2010 concepts, the Exchange Management Console and Exchange Management Shell, the command line, and various system utilities. This document does not elaborate on the details of any system utility except as necessary to complete the tasks within.

In addition, before implementing the server role, the administrator should review the Understanding Client Access topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187352).

Assumptions

This document assumes that Windows Server 2008 x64 Edition is installed on the intended Client Access server per company baseline regulations, which include the latest approved service pack and hotfixes. In addition, the following system prerequisites have been installed:

  • Microsoft .NET Framework 3.5 SP1 and the update for .NET Framework 3.5 SP1. For more information, see Microsoft Knowledge Base article 959209, An update for the .NET Framework 3.5 Service Pack 1 is available (http://go.microsoft.com/fwlink/?linkid=3052&kbid=959209).

  • Windows Management Framework (Windows Remote Management 2.0 and Windows PowerShell 2.0).

This document assumes that forest and domain preparation steps have been performed as described in the Prepare Active Directory and Domains topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187262).

This document assumes that the account you will be using for the Exchange tasks has been delegated the Server Management management role, as described in the Server Management topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187265).

This document also assumes that both Exchange 2010 and Windows Server 2008 will be secured following the best practices found in the Windows Server 2008 Security Guide (http://go.microsoft.com/fwlink/?LinkId=122593).

Important:
The procedures within this document should be followed sequentially. If changes are made out of sequence, unexpected results may occur.

Server Configuration

The following media are required for this section:

  • Windows Server 2008 installation files

The following procedures are in this section:

  1. Additional Software Verification

  2. Network Interfaces Configuration

  3. Drive Configuration

  4. Windows Server 2008 Hotfix Installation

  5. Domain Membership Configuration

  6. Local Administrators Verification

  7. Local Administrator Account Password Reset

  8. Debugging Tools Installation

  9. Page File Modifications

  10. Drive Permissions

  11. Windows Network Load Balancing Installation and Configuration

  12. DNS Entry Creation

Additional Software Verification

  1. Verify that Remote Desktop is enabled.

  2. As an optional process, install Microsoft Network Monitor (http://go.microsoft.com/fwlink/?LinkId=86611).

Network Interfaces Configuration

  1. Log on to the server with an account that has been delegated at least local administrative access.

  2. Click Start > Control Panel, and then double-click Network and Sharing Center.

  3. Click Manage Network Connections.

  4. Locate the connection for the internal network and rename it according to your organization's naming standards.

  5. Right-click the connection and then select Properties.

  6. For Internet Protocol Version 4 (TCP/IPv4), add the following:

    1. Static IP Address, Subnet Mask, and Gateway

    2. DNS Server IP Addresses

    3. Select the check box to Append parent suffixes of the primary DNS suffix.

    4. WINS IP Addresses (if using WINS)

  7. If you are using Internet Protocol Version 6 (TCP/IPv6), configure the IPv6 settings according to your organization's network standards.

Drive Configuration

  1. Connect to the server through Remote Desktop and then log on with an account that has been delegated local administrative access.

  2. Click Start > Administrative Tools, and then select Computer Management.

  3. Expand Storage and then click Disk Management.

  4. Using the Disk Management snap-in of the Microsoft Management Console (MMC), format, rename, and assign the appropriate Drive Letters so that the volumes and DVD drive match the appropriate server configuration.

    Drive configuration

    LUN   Drive letter   Usage
    1     C              Operating system and Exchange binaries
    2     Z              DVD drive

Windows Server 2008 Hotfix Installation

  1. Connect to the server via Remote Desktop and log on with an account that has local administrative access.

  2. Obtain the latest hotfixes approved by your company for your version of Windows Server 2008 x64 (SP2 or R2) and copy them to the server.

  3. Launch the hotfix setup via one of two ways:

    1. Double-click the file and follow the GUI instructions.

    2. Perform a silent installation using the following command from an administrative command prompt:

      <hotfix>.msu /quiet /norestart

  4. Click Yes for any Digital Signature not Found dialog boxes that may appear.

    Note:
    These dialog boxes will not appear in environments that have not deployed the Windows Security templates.
  5. Wait for all file copies to complete, and then restart the server. You can use the Processes tab in Windows Task Manager to monitor the hotfix installation progress. When the wusa.exe process has exited, the hotfix installation is complete.

Domain Membership Configuration

  1. Connect to the server through Remote Desktop, and then log on with an account that has been delegated local administrative access.

  2. Click Start, right-click My Computer, and then select Properties.

  3. Under Computer name, domain, and workgroup settings, click Change Settings.

  4. Click Change.

  5. Choose the Domain option button, and then enter the appropriate domain name.

  6. Enter the appropriate credentials.

  7. Click OK and OK.

  8. Click OK to close System Properties.

  9. Restart the server.

Local Administrators Verification

  1. Connect to the server through Remote Desktop, and then log on with an account that has been delegated local administrative access.

  2. Verify (or add if not already there) that the Domain Admins account and the user account that will perform the Exchange installation are members of the local Administrators group on this server.

  3. Verify that your user account is a member of a group which is a member of the local Administrators group on the Windows Server 2008 server. If it is not, use an account that is a member of the local Administrators group before continuing.

Local Administrator Account Password Reset

  1. Connect to the server through Remote Desktop, and then log on with an account that has been delegated local administrative access.

  2. Click Start, right-click Computer, and then select Manage.

  3. Expand the nodes to find Configuration\Local Users and Groups\Users.

  4. Right-click Administrator, and then select Set Password. Change the password so that it meets strong complexity requirements.

Debugging Tools Installation

This section describes several useful tools that aid administrators in Exchange administration and in troubleshooting support issues.

Debugging Tools for Windows allow administrators to debug processes that are affecting service and determine root cause.

  1. Connect to the server through Remote Desktop, and then log on with an account that has been delegated local administrative access.

  2. Download and install the latest 64-bit Debugging Tools from Install Debugging Tools for Windows 64-bit Version (http://go.microsoft.com/fwlink/?LinkID=123594).

Page File Modifications

  1. Connect to the server through Remote Desktop, and then log on with an account that has been delegated local administrative access.

  2. Click Start, right-click Computer, and then select Properties.

  3. Select the Advanced System Settings.

  4. Under Startup and Recovery, click Settings.

    1. Under Write Debugging Information, select Kernel Memory Dump from the memory dump drop-down list.

    2. Click OK.

  5. Under Performance, click Settings.

  6. Click the Advanced tab.

  7. Under Virtual Memory, click Change.

  8. On servers that have a dedicated page file drive, follow these steps:

    1. In the Drive list, click C:, and then click Custom size.

    2. For the C: drive, set the Initial Size (MB) value to a minimum of 200 MB. (When Windows is configured for a kernel memory dump, it requires between 150 MB and 2 GB of page file space on the boot volume, depending on server load and the amount of physical RAM available for page file space. You may therefore need to increase the size.)

    3. For the C: drive, set the Maximum Size (MB) value to that of the Initial Size.

    4. In the Drive list, select the page file drive (for example, the P: drive), and then click Custom size.

    5. In the Initial Size (MB) box, type the result of one of the following calculations:

      If the server has less than 8 GB of RAM, multiply the amount of RAM times 1.5.

      If the server has 8 GB of RAM or more, add the amount of RAM plus 10 MB.

    6. In the Maximum Size (MB) box, type the same amount that you typed in the Initial Size box.

    7. Delete all other page files.

    8. Click OK.

  9. On servers that do not have a dedicated page file drive, follow these steps:

    1. In the Drive list, click C:, and then click Custom size.

    2. For the C: drive, in the Initial Size (MB) box, type the result of one of the following calculations:

      If the server has less than 8 GB of RAM, multiply the amount of RAM times 1.5.

      If the server has 8 GB of RAM or more, add the amount of RAM plus 10 MB.

    3. Delete all other page files.

    4. Click OK.

  10. Click OK two times to close the System Properties dialog box.

  11. Click No if prompted to restart the system.

    Note:
    For more information about page file recommendations, see the following Microsoft Knowledge Base articles: How to determine the appropriate page file size for 64-bit versions of Windows Server 2003 or Windows XP (http://go.microsoft.com/fwlink/?linkid=3052&kbid=889654); and Overview of memory dump file options for Windows Vista, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows XP, and Windows 2000 (http://go.microsoft.com/fwlink/?linkid=3052&kbid=254649).
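The page file sizing rule from steps 8 and 9, as an added PowerShell example that is not part of the original template: it computes the sizes this procedure specifies for the installed RAM and, with -Apply, writes them through the Win32_PageFileSetting WMI class. The Contoso-prefixed function names are the example's own, and the dedicated page file drive letter (P:) is the example value from the text.

```powershell
# Added example: page file sizing and (optional) configuration per this procedure.
# Run in an elevated Windows PowerShell 2.0 console; nothing is written without -Apply.

function Get-ContosoPageFileSizeMB {
    param([Parameter(Mandatory=$true)][int]$RamMB)
    # Rule from the procedure: under 8 GB of RAM use RAM x 1.5; at 8 GB or more use RAM + 10 MB.
    if ($RamMB -lt 8192) { return [int][math]::Ceiling($RamMB * 1.5) }
    return $RamMB + 10
}

function Set-ContosoPageFile {
    param(
        [string]$PageFileDrive = '',   # e.g. 'P:'; leave empty when there is no dedicated drive
        [switch]$Apply                 # without -Apply the function only reports what it would set
    )
    # Installed RAM from Win32_PhysicalMemory, not the slightly smaller usable amount.
    $ramBytes = (Get-WmiObject Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum
    $ramMB    = [int]($ramBytes / 1MB)
    $mainMB   = Get-ContosoPageFileSizeMB -RamMB $ramMB

    # Desired layout: with a dedicated drive, C: keeps the 200 MB minimum needed for the
    # kernel memory dump and the main file goes to the page file drive; otherwise C: gets it all.
    $desired = @{}
    if ($PageFileDrive) {
        $desired['C:\pagefile.sys'] = 200
        $desired[($PageFileDrive.TrimEnd('\') + '\pagefile.sys')] = $mainMB
    } else {
        $desired['C:\pagefile.sys'] = $mainMB
    }

    if (-not $Apply) {
        "Installed RAM: $ramMB MB"
        $desired.GetEnumerator() | ForEach-Object { "{0,-20} initial = maximum = {1} MB" -f $_.Key, $_.Value }
        return
    }

    # System-managed page files must be off before explicit sizes take effect.
    $cs = Get-WmiObject Win32_ComputerSystem
    if ($cs.AutomaticManagedPagefile) { $cs.AutomaticManagedPagefile = $false; [void]$cs.Put() }

    # "Delete all other page files": remove any page file the procedure does not list.
    Get-WmiObject Win32_PageFileSetting | ForEach-Object {
        if (-not $desired.ContainsKey($_.Name)) { $_.Delete() }
    }

    # Create or resize the listed files; initial and maximum are equal, as the steps require.
    foreach ($name in $desired.Keys) {
        $size = $desired[$name]
        # WQL needs backslashes doubled inside the filter string.
        $pf = Get-WmiObject Win32_PageFileSetting -Filter ("Name='{0}'" -f $name.Replace('\', '\\'))
        if ($pf) {
            $pf.InitialSize = $size; $pf.MaximumSize = $size; [void]$pf.Put()
        } else {
            [void](Set-WmiInstance -Class Win32_PageFileSetting -Arguments @{Name=$name; InitialSize=$size; MaximumSize=$size})
        }
    }
    'Page file settings written; they take effect after the next restart.'
}

# Report only, matching step 11 (do not restart yet); add -Apply to write the settings.
Set-ContosoPageFile -PageFileDrive 'P:'
```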

Drive Permissions

  1. Connect to the server through Remote Desktop, and then log on with an account that has been delegated local administrative access.

  2. Click Start, and then select Computer.

  3. Right-click D Drive, and then select Properties.

  4. Click the Security tab.

  5. Click Edit.

  6. Click Add, and then select the local server from Locations.

  7. Grant the following rights as outlined in the following table.

    Drive permissions

    Account               Permissions
    Administrators        Full Control
    SYSTEM                Full Control
    Authenticated Users   Read and Execute, List, Read
    CREATOR OWNER         Full Control

  8. Click the Advanced button.

  9. Select the CREATOR OWNER permission entry, and then click View/Edit.

  10. Select Subfolders and Files Only from the drop-down list.

  11. Click OK two times.

  12. Click OK to close the drive properties.

  13. Repeat steps 3-12 for each additional drive (other than the C drive).
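The drive permissions table, as an added PowerShell example that is not part of the original template: it applies the four entries with the .NET access-control classes (the CREATOR OWNER entry with the "Subfolders and Files Only" scope from steps 9 and 10) and then re-reads the ACL to verify it. The Contoso-prefixed function names are the example's own; D: is the drive from the procedure, and step 13 is covered by calling the functions once per additional non-C drive.

```powershell
# Added example: apply and verify the drive permissions table on a data volume.
# Run in an elevated Windows PowerShell console on the server.

function Get-ContosoDriveRules {
    $ci    = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $here  = [System.Security.AccessControl.PropagationFlags]::None         # this folder, subfolders and files
    $kids  = [System.Security.AccessControl.PropagationFlags]::InheritOnly  # GUI "Subfolders and Files Only"
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    # ReadAndExecute already contains the List and Read rights named in the table.
    @(
        New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators',           'FullControl',    $ci, $here, $allow)
        New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM',              'FullControl',    $ci, $here, $allow)
        New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\Authenticated Users', 'ReadAndExecute', $ci, $here, $allow)
        New-Object System.Security.AccessControl.FileSystemAccessRule('CREATOR OWNER',                    'FullControl',    $ci, $kids, $allow)
    )
}

function Set-ContosoDriveAcl {
    param([Parameter(Mandatory=$true)][string]$DriveRoot)   # e.g. 'D:\'
    $acl = Get-Acl -Path $DriveRoot
    # Replace whatever is on the volume with exactly the entries from the table.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($entry in @($acl.Access)) { [void]$acl.RemoveAccessRuleAll($entry) }
    foreach ($rule in Get-ContosoDriveRules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $DriveRoot -AclObject $acl
}

function Test-ContosoDriveAcl {
    param([Parameter(Mandatory=$true)][string]$DriveRoot)
    $actual   = @((Get-Acl -Path $DriveRoot).Access)
    $expected = @(Get-ContosoDriveRules)
    $ok = $true
    foreach ($rule in $expected) {
        $match = $actual | Where-Object {
            $rights = [int]$_.FileSystemRights
            # The GUI stores inherit-only Full Control as the GENERIC_ALL bit (0x10000000).
            if ($rights -band 0x10000000) { $rights = [int][System.Security.AccessControl.FileSystemRights]::FullControl }
            $_.IdentityReference.Value -eq $rule.IdentityReference.Value -and
            $_.AccessControlType -eq 'Allow' -and
            ($rights -band [int]$rule.FileSystemRights) -eq [int]$rule.FileSystemRights -and
            $_.InheritanceFlags -eq $rule.InheritanceFlags -and
            $_.PropagationFlags -eq $rule.PropagationFlags
        }
        if (-not $match) {
            Write-Warning ("{0}: missing {1} for {2}" -f $DriveRoot, $rule.FileSystemRights, $rule.IdentityReference)
            $ok = $false
        }
    }
    # Any grant beyond the table is a finding too; the baseline allows no extra entries.
    $names = $expected | ForEach-Object { $_.IdentityReference.Value }
    foreach ($entry in $actual) {
        if ($names -notcontains $entry.IdentityReference.Value) {
            Write-Warning ("{0}: unexpected entry for {1}" -f $DriveRoot, $entry.IdentityReference)
            $ok = $false
        }
    }
    return $ok
}

# Apply to every fixed disk other than C:, then verify (step 13).
Get-WmiObject Win32_LogicalDisk -Filter "DriveType=3" |
    Where-Object { $_.DeviceID -ne 'C:' } |
    ForEach-Object {
        Set-ContosoDriveAcl -DriveRoot ($_.DeviceID + '\')
        "{0} matches the table: {1}" -f $_.DeviceID, (Test-ContosoDriveAcl -DriveRoot ($_.DeviceID + '\'))
    }
```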

Load Balancing Configuration

Procedures in this section only need to be performed on Client Access servers that will be used in a load-balanced array. In particular, this section focuses on Windows Network Load Balancing (NLB). For more information about NLB, see Network Load Balancing (http://go.microsoft.com/fwlink/?LinkId=187482), Network Load Balancing Clusters (http://go.microsoft.com/fwlink/?LinkId=49315), and Implementing a Network Load Balancing Cluster (http://go.microsoft.com/fwlink/?LinkId=187483).

If you are deploying a hardware load balancing array, review your vendor’s documentation and follow their guidance for configuration.

For more information about load balancing in Exchange 2010, see the topics Understanding Load Balancing in Exchange 2010 (http://go.microsoft.com/fwlink/?LinkId=196447) and Load Balancing Requirements of Exchange Protocols (http://go.microsoft.com/fwlink/?LinkId=196448) in the Exchange Server 2010 Library.

Windows Network Load Balancing Installation and Configuration

The values used in NLB must be the same across all nodes in the NLB cluster. The values specified in the following table will ensure that the Windows Network Load Balancing array can load-balance the appropriate protocols (HTTPS, IMAP4, POP3, RPC Endpoint Mapper, the Address Book service, and the RPC Client Access service). For more information, see Understanding Load Balancing in Exchange 2010.

Load-balanced protocols and ports

Protocol                    TCP port numbers
HTTPS                       443
IMAP4                       143 and 993
POP3                        110 and 995
RPC Endpoint Mapper         135
Address Book service        59595
RPC Client Access service   59596

Note:
This document uses TCP59595 for the Address Book service and TCP59596 for the RPC Client Access service, but you can use any TCP high ports that are available within the environment between ports 59530 and 60554.
  1. Connect to the server via Remote Desktop, and then log on with an account that has been delegated local administrative access.

  2. Install Network Load Balancing for your operating system:

    1. Windows Server 2008 SP2: Open an administrative command prompt window and run the following command:

      ServerManagerCmd.exe -i NLB

    2. Windows Server 2008 R2: Open an elevated Windows PowerShell console, and run the following commands:

      Import-Module ServerManager
      Add-WindowsFeature NLB

  3. Click Start > Administrative Tools, and then right-click Network Load Balancing Manager.

  4. Click Cluster > New.

  5. In the New Cluster wizard, enter the local server’s computer name, click Connect and then select the appropriate network connection.

  6. Click Next.

  7. In the Host Parameters section, verify the host’s IP address and subnet mask.

  8. Click Next.

  9. In the Cluster IP Address section, click Add and enter:

    1. IP Address

    2. Subnet Mask

  10. Click Next.

  11. In the Cluster Parameters section, enter the Full Internet Name (for example, mail.contoso.com) that will be used by the cluster and make sure Unicast is selected.

  12. Click Next.

  13. In the Port Rules section, select the default rule and click Edit.

  14. Under Port Range, change the From value to 80 and the To value to 80.

  15. Under Protocols, select TCP.

  16. Click OK.

  17. Click Add to create a new port rule.

    1. Under Port Range, change the From value to 443 and the To value to 443.

    2. Under Protocols, select TCP.

    3. Click OK.

      Note:
      If you are using IMAP or POP in the environment, be sure to create the appropriate rules.
  18. Click Add to create a new port rule.

    1. Under Port Range, change the From value to 143 and the To value to 143.

    2. Under Protocols, select TCP.

    3. Click OK.

  19. Click Add to create a new port rule.

    1. Under Port Range, change the From value to 110 and the To value to 110.

    2. Under Protocols, select TCP.

    3. Click OK.

  20. Click Add to create a new port rule.

    1. Under Port Range, change the From value to 993 and the To value to 993.

    2. Under Protocols, select TCP.

    3. Click OK.

  21. Click Add to create a new port rule.

    1. Under Port Range, change the From value to 500 and the To value to 500.

    2. Under Protocols, select UDP.

    3. Click OK.

      Note:
      The above rule for UDP 500 should be created if you are using IPSec in the environment.
  22. Click Add to create a new port rule.

    1. Under Port Range, change the From value to 995 and the To value to 995.

    2. Under Protocols, select TCP.

    3. Click OK.

  23. Click Add to create a new port rule.

    1. Under Port Range, change the From value to 135 and the To value to 135.

    2. Under Protocols, select TCP.

    3. Click OK.

  24. Click Add to create a new port rule.

    1. Under Port Range, change the From value to 59595 and the To value to 59596.

    2. Under Protocols, select TCP.

    3. Click OK.

  25. Click OK.

  26. Click OK to acknowledge the resulting dialog box.

  27. While still in the internal network connection properties, click Internet Protocol (TCP/IP) and select Properties.

  28. Click Advanced.

  29. Under IP Addresses, click Add.

    1. Enter the virtual IP Address and Subnet Mask and click OK.

    2. Click OK.

  30. Click Finish to complete the New Cluster wizard.
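The port rules from steps 13 through 24, as an added PowerShell example that is not part of the original template: it compares the cluster on this host with the expected rule set, warns about anything missing or left at the default all-ports range, and with -Apply adds the missing rules. It assumes Windows Server 2008 R2, whose NetworkLoadBalancingClusters module provides Get-NlbCluster, Get-NlbClusterPortRule and Add-NlbClusterPortRule; the Contoso-prefixed function names and the -IPsec switch (which adds the UDP 500 rule from the note under step 21) are the example's own.

```powershell
# Added example: verify (and optionally complete) the NLB port rules this procedure creates.
# Run in an elevated Windows PowerShell console on a cluster node (Windows Server 2008 R2).

Import-Module NetworkLoadBalancingClusters

function Get-ContosoNlbPortRules {
    param([switch]$IPsec)
    # Expected rules, one per step 14 through 24; ports are the ones from the table above.
    $rules = @(
        @{Start=80;    End=80;    Protocol='TCP'}   # HTTP (the default rule narrowed in step 14)
        @{Start=443;   End=443;   Protocol='TCP'}   # HTTPS
        @{Start=143;   End=143;   Protocol='TCP'}   # IMAP4
        @{Start=110;   End=110;   Protocol='TCP'}   # POP3
        @{Start=993;   End=993;   Protocol='TCP'}   # IMAP4 over SSL
        @{Start=995;   End=995;   Protocol='TCP'}   # POP3 over SSL
        @{Start=135;   End=135;   Protocol='TCP'}   # RPC Endpoint Mapper
        @{Start=59595; End=59596; Protocol='TCP'}   # Address Book and RPC Client Access services
    )
    if ($IPsec) { $rules += @{Start=500; End=500; Protocol='UDP'} }   # only when IPsec is in use
    $rules | ForEach-Object { New-Object PSObject -Property $_ }
}

function Test-ContosoNlbCluster {
    param([switch]$IPsec, [switch]$Apply)
    $cluster = Get-NlbCluster          # the cluster this host belongs to
    $ok = $true

    # Step 11 requires Unicast.
    if ("$($cluster.OperationMode)" -ne 'Unicast') {
        Write-Warning "Cluster operation mode is $($cluster.OperationMode); the procedure requires Unicast."
        $ok = $false
    }

    $existing = @($cluster | Get-NlbClusterPortRule)
    foreach ($want in Get-ContosoNlbPortRules -IPsec:$IPsec) {
        $found = $existing | Where-Object {
            [int]$_.StartPort -eq $want.Start -and
            [int]$_.EndPort   -eq $want.End   -and
            "$($_.Protocol)"  -eq $want.Protocol
        }
        if ($found) { continue }
        $ok = $false
        if ($Apply) {
            $cluster | Add-NlbClusterPortRule -StartPort $want.Start -EndPort $want.End -Protocol $want.Protocol | Out-Null
            "Added rule {0}-{1}/{2}" -f $want.Start, $want.End, $want.Protocol
        } else {
            Write-Warning ("Missing rule {0}-{1}/{2}" -f $want.Start, $want.End, $want.Protocol)
        }
    }

    # A rule still spanning 0-65535 means the default rule from step 13 was never narrowed,
    # so every port on the virtual IP would be load-balanced, not just the Exchange ones.
    $wide = $existing | Where-Object { [int]$_.StartPort -eq 0 -and [int]$_.EndPort -eq 65535 }
    if ($wide) { Write-Warning 'The default all-ports rule is still present.'; $ok = $false }
    return $ok
}

# Check only; add -Apply to create the missing rules, and -IPsec when UDP 500 is required.
Test-ContosoNlbCluster
```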

DNS Entry Creation

Submit a change request to the appropriate operations group to have the domain name that was specified in the previous "Network Load Balancing Installation and Configuration" section for the NLB cluster (for example, mail.contoso.com) created as a host record associated to the NLB cluster’s IP address.

Verification Steps

The following procedures are in this section:

  1. Organizational Unit Verification

  2. Active Directory Site Verification

  3. Domain Controller Diagnostics Verification

  4. Exchange Best Practices Analyzer Verification

Important:
The procedures within this document should be followed sequentially. If changes are made out of sequence, unexpected results may occur.

Organizational Unit Verification

Submit a change request to the appropriate operations group and have the computer object moved to the appropriate organizational unit (OU).

Active Directory Site Verification

  1. Connect to the server through Remote Desktop, and then log on with an account that has been delegated local administrative access.

  2. Open a Command Prompt window.

  3. Verify that the server is in the correct domain and Active Directory site. At the command line, type the following:

    NLTEST /server:%COMPUTERNAME% /dsgetsite

  4. The name of the Active Directory site to which the server belongs will be displayed. If the server is not in the correct Active Directory site, submit a change request to the appropriate operations group and have the server moved to the appropriate Active Directory site.

Domain Controller Diagnostics Verification

  1. Connect to the server through Remote Desktop, and then log on with an account that has been delegated local administrative access.

  2. Open a Command Prompt window, and then change paths to the C drive.

  3. Run the following command:

    dcdiag /s:<Domain Controller> /f:c:\dcdiag.log

    Note:
    Change <Domain Controller> to a domain controller contained within the same Active Directory site as the Exchange server.
  4. Review the output of C:\dcdiag.log file, and verify that there are no connectivity issues with the local domain controller.

  5. Repeat steps 3 and 4 for each domain controller in the local Active Directory site.

    Note:
    Domain Controller Diagnostics (DCDiag) is a Windows support tool that tests network connectivity and DNS resolution for domain controllers. If the account being used does not have administrative privileges, several tests under the Doing primary tests heading may not pass. These tests can be ignored if the connectivity tests pass. In addition, the log file may report that some service validation tests did not pass. These messages can be ignored if the services do not exist on the domain controller.

Exchange Best Practices Analyzer Verification

The Microsoft Exchange Analyzers help administrators troubleshoot various operational support issues. Connect through Remote Desktop to a server in the environment that has the Exchange 2010 SP1 (or later) Management Tools installed, and log on with an account that has local administrative access.

  1. Click Start > All Programs > Microsoft Exchange Server 2010 and then select Exchange Management Console.

  2. Open the Toolbox node.

  3. Double-click Best Practices Analyzer.

  4. Check and apply any updates for the Best Practices Analyzer engine.

  5. Provide the appropriate information to connect to Active Directory and then click Connect to the Active Directory server.

  6. In Start a New Best Practices Scan, select Health Check, and then click Start Scanning.

  7. Review the report, and take action on any errors or warnings that are reported by following the resolution articles that are provided within the Best Practices Analyzer.

Exchange Server Role Installation

The following media are required for this section:

  • Microsoft Exchange Server 2010 installation files

The following procedures are in this section:

  1. Exchange 2010 Prerequisites Installation for:

    • Windows Server 2008 SP2

      -or-

    • Windows Server 2008 R2

  2. Exchange 2010 Installation

  3. Exchange 2010 Update Rollup Installation

  4. Product Key Configuration

  5. System Performance Verification

Important:
The procedures within this document should be followed sequentially. If changes are made out of sequence, unexpected results may occur.

Exchange 2010 Prerequisites Installation for Windows Server 2008 SP2

  1. Connect to the server via Remote Desktop, and then log on with an account that has been delegated local administrative access.

  2. Open an elevated command prompt, navigate to the \Setup\ServerRoles\Common folder on the Exchange 2010 installation media, and then use the following commands to configure the Net.Tcp Port Sharing Service for automatic startup and to install the necessary operating system components:

    sc config NetTcpPortSharing start= auto
    ServerManagerCmd -ip Exchange-CAS.xml -Restart

Exchange 2010 Prerequisites Installation for Windows Server 2008 R2

  1. Connect to the server via Remote Desktop, and then log on with an account that has been delegated local administrative access.

  2. On the Start Menu, navigate to All Programs > Accessories > Windows PowerShell. Open an elevated Windows PowerShell console, and run the following commands:

    Import-Module ServerManager
    Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,Web-Asp-Net,Web-Client-Auth,Web-Dir-Browsing,Web-Http-Errors,Web-Http-Logging,Web-Http-Redirect,Web-Http-Tracing,Web-ISAPI-Filter,Web-Request-Monitor,Web-Static-Content,Web-WMI,RPC-Over-HTTP-Proxy -Restart

  3. After the system has restarted, log on as an administrator, open an elevated Windows PowerShell console, and configure the Net.Tcp Port Sharing Service for automatic startup by running the following command:

    Set-Service NetTcpPortSharing -StartupType Automatic

Exchange 2010 Installation

This document uses the command-line method for installing the Exchange 2010 server roles; however, you can also use a GUI called the Setup Wizard. For more information about how to use the Setup Wizard to install an Exchange 2010 server role, see the Perform a Custom Exchange 2010 Installation topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187220).

  1. Connect to the server via Remote Desktop, and then log on with an account that has been delegated local administrative access. If the Exchange server has been provisioned for delegated setup, the account must be delegated the Delegated Setup management role (or higher).

  2. Follow the procedure detailed in the Install Exchange 2010 in Unattended Mode topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187229). For example, this command installs the Client Access server role:

    setup.com /r:C

  3. If this is the first Exchange 2010 server role being installed into an environment that does not contain any version of Microsoft Exchange, you must also specify the /OrganizationName setup parameter. Do not restart the server, even if required.

  4. To prevent the use of the server role before it is fully configured, open an administrative command prompt and stop the IIS services by running the following command:

    net stop iisadmin /y

Exchange Server 2010 Update Rollup Installation

  1. Connect to the server through Remote Desktop, and then log on with an account that has local administrative access.

  2. Obtain the latest company approved rollup, and then copy it to the server.

  3. Launch the Windows Installer patch (the MSP file) setup via one of two ways:

    1. Double-click the MSP file, and then follow the GUI instructions.

    2. Perform a silent installation using the following command from an administrative command prompt:

      msiexec /i <Path and filename of MSP file> /q

  4. Click Yes for any Digital Signature not Found dialog boxes that may appear.

    Note:
    These dialog boxes will appear only in environments that have deployed the Windows Security templates.

Product Key Configuration

  1. Launch the Exchange Management Shell with an account that has been delegated the Server Management role.

  2. Follow the procedure documented in the Enter Product Key topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187234).

System Performance Verification

By default, Exchange 2010 optimizes the server’s processor scheduling management for background services.

  1. Connect to the server through Remote Desktop, and then log on with an account that has local administrative access.

  2. Click Start, right-click Computer, and then select Properties.

  3. Select the Advanced System Settings.

  4. Under Performance, click Settings.

    1. Click the Advanced tab.

    2. Verify that Processor Scheduling is set to Background Services.

  5. Click OK.

Exchange Server Role Configuration

The following procedures are in this section:

  1. Commercial Certificate Configuration

  2. RPC Client Access Array Configuration

  3. RPC Client Access and Address Book Services Configuration

  4. Autodiscover Configuration

  5. Outlook Anywhere Configuration

  6. Offline Address Book Configuration

  7. IMAP4 Configuration

  8. POP3 Configuration

  9. Outlook Web App Configuration (Internet Scenario) or Outlook Web App Configuration (Proxy Scenario)

  10. Legacy ActiveSync Configuration

  11. Handoff Test

Important:
The procedures within this document should be followed sequentially. If changes are made out of sequence, unexpected results may occur.

Commercial Certificate Configuration

A commercial certificate is only needed if the Client Access server will service client requests from the Internet, or if you need to facilitate untrusted cross-forest communication between Client Access servers.

Note:
For more information about using the certificate tasks, see the Understanding TLS Certificates topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187237).
  1. Launch the Exchange Management Shell with an account that has been delegated the Server Management role.

    Note:
    If generating a certificate that will use Subject Alternative Names, be sure that the certificate’s principal name will be the one that the clients will use to connect (for example, mail.contoso.com). Do not list the Autodiscover namespace as the principal name in the certificate.
  2. Generate the certificate request by using the following Exchange Management Shell command. The DomainName parameter includes the principal URL and the Autodiscover FQDN; be sure to define other FQDNs that clients may utilize. The FriendlyName parameter matches the principal URL that is used by Microsoft Office Outlook Web App and Outlook Anywhere.

    $Data = New-ExchangeCertificate -GenerateRequest -SubjectName [Full Subject Path] -DomainName mail.contoso.com, autodiscover.contoso.com -FriendlyName mail.contoso.com -BinaryEncoded -privatekeyexportable:$true
    Set-Content -Path "c:\cert.req" -Value $Data.FileData -Encoding Byte

    An example of [Full Subject Path] is "c=US, o=Company, cn=CAS01.contoso.com".

    Note:
    The Windows RPC/HTTP client-side component in Windows Vista requires that the Subject Name (Common Name) on the certificate match the “Certificate Principal Name” configured for the Outlook Anywhere connection in the Outlook profile. This behavior was changed in Windows Vista Service Pack 1 (SP1). Therefore, as a best practice, make sure that mail.contoso.com is listed as the Subject Name in your certificate unless you plan to change the configuration. You can use the Set-OutlookProvider cmdlet to change the configuration. For more information about how to change the configuration, see the Exchange Team Blog article, When, if and how do you modify Outlook Providers? (http://go.microsoft.com/fwlink/?LinkId=160947)
  3. Submit the request file to the Certificate Authority (CA) and have the CA generate the certificate.

  4. After receiving the certificate, import and enable the certificate by running the following Exchange Management Shell command where [services] can be POP, IMAP, IIS, or a combination:

    Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path C:\NewCert.pfx -Encoding byte -ReadCount 0)) -Password:(Get-Credential).password | Enable-ExchangeCertificate -services "[services]"

  5. To mandate SSL on the default Web site, do the following:

    1. Open Internet Information Services (IIS) Manager.

    2. Expand the Server Node object and the Sites node.

    3. Click the Default Web Site.

    4. In the middle pane, double-click SSL Settings.

    5. Verify Require secure channel (SSL) is enabled.

    Note:
    If you require 128-bit encryption, also verify that Require 128-bit encryption is enabled.
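A check of the certificate enabled in step 4 against the requirements stated in this section (both names covered, the Subject Name set to the principal name rather than the Autodiscover name, valid status, not about to expire), as an added Exchange Management Shell example that is not part of the original template. It uses the Get-ExchangeCertificate cmdlet; the Contoso-prefixed function name and the 30-day expiry threshold are the example's own, and the host names are the Contoso examples from the text.

```powershell
# Added example: verify the IIS-enabled certificate on this Client Access server.
# Run in the Exchange Management Shell.

function Test-ContosoClientAccessCertificate {
    param(
        [string]$PrincipalName    = 'mail.contoso.com',           # name clients connect to
        [string]$AutodiscoverName = 'autodiscover.contoso.com',   # Autodiscover FQDN
        [int]$MinDaysValid = 30                                   # warn when expiry is closer than this
    )
    # The certificate enabled for IIS is the one Outlook Web App, Outlook Anywhere and
    # Autodiscover present to clients.
    $cert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
    if (-not $cert) { Write-Warning 'No certificate is enabled for IIS.'; return $false }
    $ok = $true

    # Both names from the DomainName parameter must be present (Subject Alternative Names).
    $domains = @($cert.CertificateDomains | ForEach-Object { "$_" })
    foreach ($name in @($PrincipalName, $AutodiscoverName)) {
        if ($domains -notcontains $name) { Write-Warning "Certificate does not cover $name."; $ok = $false }
    }

    # Per the note above, the Subject Name (CN) must be the principal name, never the Autodiscover name.
    $cnPattern = '(^|,\s*)CN=' + [regex]::Escape($PrincipalName) + '(,|$)'
    if ($cert.Subject -notmatch $cnPattern) {
        Write-Warning "Subject is '$($cert.Subject)'; expected CN=$PrincipalName."; $ok = $false
    }

    if ($cert.NotAfter -lt (Get-Date).AddDays($MinDaysValid)) {
        Write-Warning ("Certificate expires on {0:d}." -f $cert.NotAfter); $ok = $false
    }
    if ("$($cert.Status)" -ne 'Valid') {
        Write-Warning "Certificate status is $($cert.Status)."; $ok = $false
    }
    return $ok
}

Test-ContosoClientAccessCertificate
```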

RPC Client Access Array Configuration

If this is the first Client Access server being installed in the Active Directory site, and the Client Access server infrastructure will participate in a load-balanced array, then you also need to create the RPC Client Access array object. The fully qualified domain name (FQDN) you specify for the RPC Client Access array should map to the FQDN or virtual IP address that is used for the load-balanced array that was previously created.

Note:
If the RPC Client Access array object already exists for this Active Directory site, you can skip this section.
  • Launch the Exchange Management Shell with an account that has been delegated the Server Management role and then run the following command:

    New-ClientAccessArray -Fqdn <FQDN of CAS load balanced array> -Site <Active Directory Site>
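As an added example (not part of the template), the function below wraps the command above so that it can be run on every Client Access server build without creating a duplicate array: it first checks whether the site already has an array, as the note above requires, and optionally confirms that the array FQDN resolves to the load-balanced virtual IP rather than to a single server. The FQDN outlook.contoso.com, the site name and the VIP 10.0.0.50 are assumptions.

```powershell
# Added example (not from the template): create the RPC Client Access array only if missing.
function New-ClientAccessArrayIfMissing {
    param(
        [Parameter(Mandatory=$true)][string]$Fqdn,   # e.g. outlook.contoso.com (assumed)
        [Parameter(Mandatory=$true)][string]$Site,   # Active Directory site name
        [string]$ExpectedVip                          # load-balanced VIP; checked when given
    )

    # Skip when the site already has an array, as the guide's note says.
    $existing = Get-ClientAccessArray -Site $Site -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Site '$Site' already has RPC Client Access array '$($existing.Fqdn)'; nothing to do."
        return $existing
    }

    # The array name is what Outlook profiles will point at, so it must resolve to the
    # load balancer, not to one server that happens to answer today.
    if ($ExpectedVip) {
        $resolved = [System.Net.Dns]::GetHostAddresses($Fqdn) | ForEach-Object { $_.IPAddressToString }
        if ($resolved -notcontains $ExpectedVip) {
            throw "$Fqdn resolves to $($resolved -join ', '), not the VIP $ExpectedVip. Fix DNS before creating the array."
        }
    }

    New-ClientAccessArray -Fqdn $Fqdn -Site $Site -Name "$Site RPC Client Access Array"
}

# Assumed values for illustration.
New-ClientAccessArrayIfMissing -Fqdn 'outlook.contoso.com' -Site 'Default-First-Site-Name' -ExpectedVip '10.0.0.50'
```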
    

RPC Client Access and Address Book Services Configuration

If the Client Access server is configured to participate in a load-balanced array, follow these steps to configure the RPC Client Access and Address Book services to use a specific TCP port for client connections. The procedure uses TCP 59595 and TCP 59596, but you can use any TCP high ports that are available within the environment between ports 59531 and 60554 (adjust the load-balanced array rules accordingly).

  1. Connect to the server through Remote Desktop, and then log on with an account that has been delegated local administrative access.

  2. Start Registry Editor.

    Important:
    Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.
    1. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeRPC

    2. Right-click MSExchangeRPC, point to New, and then click Key.

    3. Type ParametersSystem to name the new key.

    4. Right-click ParametersSystem, point to New, and then click DWORD (32-bit) Value.

    5. Type TCP/IP Port to name the new value.

    6. Double-click TCP/IP Port.

    7. In the Value data box, type 59595, and then click OK.

Configure a static port for the Microsoft Exchange Address Book service by performing the steps below for your version of Exchange 2010.

In the Release to Manufacturing (RTM) version of Exchange 2010:

  1. Navigate to <Exchange Install Path>\bin.

  2. Open the MicrosoftExchange.AddressBook.Service.exe.config file in Notepad and add the following entry to the <appSettings> section of the file:

    <add key="RpcTcpPort" value="59596" />
    
  3. Close and save the file.

In Exchange 2010 Service Pack 1 (SP1):

  1. Start Registry Editor.

    Important:
    Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.
    1. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeAB

    2. Right-click MSExchangeAB, point to New, and then click Key.

    3. Type Parameters to name the new key.

    4. Right-click Parameters, point to New, and then click String Value.

    5. Type RpcTcpPort to name the new value.

    6. Double-click RpcTcpPort.

    7. In the Value data box, type 59596, and then click OK.

  2. Close Registry Editor and then restart the Microsoft Exchange Address Book service.
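The script below is an added example, not part of the template, that performs the Exchange 2010 SP1 registry steps for both services in one pass: it rejects ports outside the 59531 to 60554 range the guide allows, creates the two keys and values, restarts the services, and then reads the values back and lists the TCP listeners so the build record shows the ports actually in use. It assumes SP1 (on RTM the Address Book port is the MicrosoftExchange.AddressBook.Service.exe.config entry shown above, which this script does not touch) and is run locally on the Client Access server.

```powershell
# Added example (not from the template): static RPC Client Access and Address Book ports (SP1).
$RpcClientAccessPort = 59595
$AddressBookPort     = 59596

function Test-StaticPortRange {
    param([int]$Port)
    # The guide reserves 59531-60554; load balancer and firewall rules assume that range.
    if ($Port -lt 59531 -or $Port -gt 60554) {
        throw "Port $Port is outside the agreed high-port range 59531-60554."
    }
}
Test-StaticPortRange $RpcClientAccessPort
Test-StaticPortRange $AddressBookPort
if ($RpcClientAccessPort -eq $AddressBookPort) { throw 'The two services need different ports.' }

# RPC Client Access: DWORD 'TCP/IP Port' under ...\MSExchangeRPC\ParametersSystem
$rpcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem'
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
New-ItemProperty -Path $rpcKey -Name 'TCP/IP Port' -PropertyType DWord `
    -Value $RpcClientAccessPort -Force | Out-Null

# Address Book (SP1): REG_SZ 'RpcTcpPort' under ...\MSExchangeAB\Parameters
$abKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeAB\Parameters'
if (-not (Test-Path $abKey)) { New-Item -Path $abKey -Force | Out-Null }
New-ItemProperty -Path $abKey -Name 'RpcTcpPort' -PropertyType String `
    -Value "$AddressBookPort" -Force | Out-Null

# Both services read the port at start-up, so restart them for the change to take effect.
Restart-Service -Name MSExchangeRPC -Force
Restart-Service -Name MSExchangeAB  -Force

# Read back what was written and show the listeners on those ports.
"RPC Client Access port : " + (Get-ItemProperty -Path $rpcKey).'TCP/IP Port'
"Address Book port      : " + (Get-ItemProperty -Path $abKey).RpcTcpPort
Start-Sleep -Seconds 10   # give the services a moment to open their listeners
netstat -ano -p TCP | Select-String "TCP\s+\S+:($RpcClientAccessPort|$AddressBookPort)\s+\S+\s+LISTENING"
```

If the netstat line at the end shows nothing for one of the ports, the service is still listening on a dynamic port; check the value name spelling (including the space in TCP/IP Port) and the value type (DWORD for RPC Client Access, String for Address Book) before changing the load balancer rules.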

Autodiscover Configuration

Exchange 2010 includes a service named the Autodiscover service. The Autodiscover service makes it easier to configure Outlook 2007 or Outlook 2010 and some mobile phones. For more information, see the Understanding the Autodiscover Service topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=194169).

  1. Launch the Exchange Management Shell with an account that has been delegated the Server Management role.

  2. Configure the internal Autodiscover URL by running the following command within the Exchange Management Shell. In the following example, CAS01 is the name of the Client Access server and internal.domain.fqdn is the internal namespace used for Autodiscover:

    Set-ClientAccessServer -Identity CAS01 -AutoDiscoverServiceInternalUri "https://internal.domain.fqdn/autodiscover/autodiscover.xml"
    
  3. Optional: Follow the procedure outlined in the Configure the Exchange Services for the Autodiscover Service topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187243) to configure the Autodiscover service for use by Internet clients. This will enable Outlook Anywhere and set the offline address book (OAB), Web Services, and Unified Messaging virtual directories external URL parameter.

  4. Optional: Follow the procedure outlined in the Configure Exchange ActiveSync Autodiscover Settings topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187244) for usage by mobile clients.

  5. Optional: Enable site affinity by following the procedure outlined in the Configure the Autodiscover Service to Use Site Affinity topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187245).

  6. Verify that Autodiscover functions correctly by following the procedure outlined in the Test Outlook Autodiscover Connectivity topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187247).

Outlook Anywhere Configuration

If you completed step 3 from the previous "Autodiscover Configuration" section, you can skip this section. Otherwise, complete this procedure.

  1. Launch the Exchange Management Shell with an account that has been delegated the Server Management role.

  2. To enable Outlook Anywhere, follow the procedure outlined in the Enable Outlook Anywhere topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187249).

  3. If the server will be servicing Outlook Anywhere clients on the Internet, follow the procedure outlined in the Configure an External Host Name for Outlook Anywhere topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187253).

Offline Address Book Configuration

If the Client Access server will not be a distribution point for the OAB, you can skip this section.

By default, the OAB virtual directory does not require SSL. By default, Client Access servers use self-signed certificates for providing HTTP and RPC encryption. Clients that use the BITS service to download files (such as OAB) cannot use self-signed certificates. If a commercial certificate is going to be used and ISA 2006 is not going to be used to enforce SSL, you should enable SSL on the OAB virtual directory.

Note:
To use OAB Web distribution, the OAB must be generated on an Exchange 2010 Mailbox server. If the OAB is not generated on an Exchange 2010 Mailbox server, you can skip step 1.
  1. Launch the Exchange Management Shell with an account that has been delegated the Organization Management role and then run the following commands. In the following example, CAS01 is the name of the Client Access server and mail.contoso.com is the name of the external URL.

    $a = Get-OabVirtualDirectory -Server CAS01
    Set-OabVirtualDirectory -Identity $a -ExternalURL https://mail.contoso.com/OAB
    Set-OfflineAddressBook "default offline address book" -VirtualDirectories $a
    iisreset /noforce
    
  2. If the server has a commercial certificate and will be servicing requests from the Internet and either Microsoft Internet Security and Acceleration (ISA) Server 2006, Microsoft Forefront Unified Access Gateway (UAG) or Microsoft Forefront Threat Management Gateway (TMG) 2010 will not be in use to enforce SSL for Internet requests, follow the procedure outlined in the Require SSL for Offline Address Book Distribution topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187254).

IMAP4 Configuration

If the Client Access server will not allow IMAP4 connections, you can skip this section.

  1. Launch the Exchange Management Shell with an account that has been delegated the Server Management role.

    1. To configure the IMAP4 bindings, run the following command. In the following example, CAS01 is the Client Access server and 0.0.0.0 implies any IP address.

      Set-ImapSettings -server CAS01 -UnencryptedOrTLSBindings "0.0.0.0:143" -SSLBindings "0.0.0.0:993"
      
    2. To disable plain text authentication and enable custom calendar item retrieval option for IMAP4, run the following command. In the following example, mail.contoso.com is the certificate name and external URL.

      Set-ImapSettings -server CAS01 -X509CertificateName "mail.contoso.com" -LoginType SecureLogin -CalendarItemRetrievalOption Custom -OwaServerUrl https://mail.contoso.com/owa
      
    3. To enable the Exchange IMAP4 service for automatic startup, run the following command:

      Set-Service MSExchangeIMAP4 -ComputerName CAS01 -StartupType automatic
      

POP3 Configuration

If the Client Access server will not allow POP3 connections, you can skip this section.

  1. Launch the Exchange Management Shell with an account that has been delegated the Server Management role.

    1. To configure the POP3 bindings, run the following command. In the following example, CAS01 is the Client Access server and 0.0.0.0 implies any IP address.

      Set-PopSettings -server CAS01 -UnencryptedOrTLSBindings "0.0.0.0:110" -SSLBindings "0.0.0.0:995"
      
    2. To disable plain text authentication and enable custom calendar item retrieval option for POP3, run the following command. In the following example, mail.contoso.com is the certificate name and external URL.

      Set-PopSettings -server CAS01 -X509CertificateName "mail.contoso.com" -LoginType SecureLogin -CalendarItemRetrievalOption Custom -OwaServerUrl https://mail.contoso.com/owa
      
    3. To enable the Exchange POP3 service for automatic startup, run the following command:

      Set-Service MSExchangePOP3 -ComputerName CAS01 -StartupType automatic
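The IMAP4 and POP3 procedures above are the same three steps with different cmdlets and ports. The script below is an added example (not from the template) that applies both in one loop and then reads the settings back, refusing to continue if either protocol still reports a LoginType other than SecureLogin, since that is the setting that stops clients from sending a password in clear text over the 143 and 110 listeners. CAS01, mail.contoso.com and the OWA URL are the same assumed values the procedures use.

```powershell
# Added example (not from the template): configure IMAP4 and POP3 and verify the logon policy.
$Server   = 'CAS01'                          # assumed server name
$CertName = 'mail.contoso.com'               # assumed certificate subject name
$OwaUrl   = 'https://mail.contoso.com/owa'   # assumed OWA URL for calendar item links

$protocols = @(
    @{ Name = 'IMAP4'; Service = 'MSExchangeIMAP4'; Plain = '0.0.0.0:143'; Ssl = '0.0.0.0:993' },
    @{ Name = 'POP3';  Service = 'MSExchangePOP3';  Plain = '0.0.0.0:110'; Ssl = '0.0.0.0:995' }
)

foreach ($proto in $protocols) {
    $params = @{
        Server                      = $Server
        UnencryptedOrTLSBindings    = $proto.Plain     # STARTTLS-capable listener
        SSLBindings                 = $proto.Ssl       # implicit SSL listener
        X509CertificateName         = $CertName
        LoginType                   = 'SecureLogin'    # no plain-text logon unless TLS/SSL is up
        CalendarItemRetrievalOption = 'Custom'
        OwaServerUrl                = $OwaUrl
    }

    if ($proto.Name -eq 'IMAP4') {
        Set-ImapSettings @params
        $settings = Get-ImapSettings -Server $Server
    } else {
        Set-PopSettings @params
        $settings = Get-PopSettings -Server $Server
    }

    # Start the service with the machine; both are disabled by default on a fresh role install.
    Set-Service -Name $proto.Service -ComputerName $Server -StartupType Automatic

    # Verification gate: the build is not complete if plain-text logon is still allowed.
    if ("$($settings.LoginType)" -ne 'SecureLogin') {
        throw "$($proto.Name) on $Server still allows plain-text logon (LoginType=$($settings.LoginType))."
    }

    "{0}: LoginType={1}, cert={2}, plain/TLS={3}, SSL={4}" -f $proto.Name,
        $settings.LoginType, $settings.X509CertificateName,
        ($settings.UnencryptedOrTLSBindings -join ','), ($settings.SSLBindings -join ',')
}
```

Note that changes made with Set-ImapSettings and Set-PopSettings take effect only after the corresponding service is restarted; the last line of output for each protocol is what you record in the build documentation.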
      

Outlook Web App Configuration (Internet Scenario)

Follow the steps in this section only if the Client Access server will service requests directly from the Internet and no ISA 2006, UAG or TMG pre-authentication mechanism is in use. If either condition is not met, skip this section and follow the steps outlined in the Outlook Web App Configuration (Proxy Scenario) section below.

  1. Launch the Exchange Management Shell with an account that has been delegated the Server Management role.

  2. By default, when the Client Access server role is installed, forms-based authentication is enabled. Ensure that forms-based authentication is enabled by following the procedure outlined in the Configure Forms-based Authentication for Outlook Web App topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187486).

  3. Configure the public and private cookie timeouts by following the procedures outlined in the Set the Forms-Based Authentication Public Computer Cookie Time-Out Value topic (http://go.microsoft.com/fwlink/?LinkId=187334) and the Set the Forms-Based Authentication Private Computer Cookie Time-Out Value topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187336).

  4. Optional: Configure GZip compression by following the procedure outlined in the Configure Gzip Compression Settings topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187343).

  5. Configure WebReady Document Viewing by following the procedure outlined in the Configure WebReady Document Viewing topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187344).

  6. Configure private and public computer file access by following the procedure outlined in Configure Public and Private Computer File Access topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187346).

  7. Optional: If redirection is to be used, run the following command from the Exchange Management Shell. In the following example, CAS01 is the name of the Client Access server and mail.contoso.com is the name of the external URL.

    Set-OwaVirtualDirectory -identity "CAS01\owa (Default Web Site)" -ExternalURL https://mail.contoso.com/owa
    Set-OwaVirtualDirectory -identity "CAS01\ecp (Default Web Site)" -ExternalURL https://mail.contoso.com/ecp
    
  8. Optional: To simplify the Outlook Web App URL and redirect users to HTTPS, follow the procedure outlined in the Simplify the Outlook Web App URL topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187347).

  9. Restart the Client Access server.

Outlook Web App Configuration (Proxy Scenario)

Follow the steps in this section only if the Client Access server will not service requests directly from the Internet, but it will receive requests from other Client Access servers that are located in other Active Directory sites, or the Client Access server will be using ISA or UAG or TMG to pre-authenticate Internet requests.

  1. Launch the Exchange Management Shell with an account that has been delegated the Server Management role.

  2. Configure Windows Integrated Authentication by following the procedure outlined in the Configure Forms-based Authentication for Outlook Web App topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187486).

  3. Optional: Configure GZip compression by following the procedure outlined in the Configure Gzip Compression Settings topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187343).

  4. Configure WebReady Document Viewing by following the procedure outlined in the Configure WebReady Document Viewing topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187344).

  5. Configure private and public computer file access by following the procedure outlined in Configure Public and Private Computer File Access topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187346).

  6. Optional: To simplify the Outlook Web App URL and redirect users to HTTPS, follow the procedure outlined in the Simplify the Outlook Web App URL topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187347).

  7. Restart the Client Access server.
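The two Outlook Web App sections differ mainly in which authentication method the owa virtual directory must end up with: forms-based for an Internet-facing server, Windows Integrated (with forms-based off) when another Client Access server or an ISA, UAG or TMG pre-authentication layer sits in front. The function below is an added example, not part of the template, that reads the virtual directory back and reports any mismatch with the chosen scenario before the server is restarted. The server name CAS01 and the default virtual directory name "owa (Default Web Site)" are assumptions.

```powershell
# Added example (not from the template): verify owa authentication matches the chosen scenario.
function Test-OwaAuthenticationScenario {
    param(
        [Parameter(Mandatory=$true)][ValidateSet('Internet', 'Proxy')][string]$Scenario,
        [string]$Server = 'CAS01'   # assumed server name
    )

    # Default virtual directory identity on a fresh Client Access server install.
    $owa = Get-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)"
    $problems = @()

    if ($Scenario -eq 'Internet') {
        # Internet-facing: users see the forms-based logon page over HTTPS.
        if (-not $owa.FormsAuthentication) {
            $problems += 'forms-based authentication is disabled'
        }
        if (-not $owa.ExternalUrl -or $owa.ExternalUrl.Scheme -ne 'https') {
            $problems += 'ExternalUrl is missing or is not an https:// address'
        }
    } else {
        # Proxied: the pre-authenticating proxy or the Internet-facing CAS passes credentials
        # through with Windows Integrated authentication; a second forms logon page would break it.
        if (-not $owa.WindowsAuthentication) {
            $problems += 'Windows Integrated authentication is disabled'
        }
        if ($owa.FormsAuthentication) {
            $problems += 'forms-based authentication is still enabled'
        }
    }

    New-Object PSObject -Property @{
        Server                = $Server
        Scenario              = $Scenario
        FormsAuthentication   = $owa.FormsAuthentication
        WindowsAuthentication = $owa.WindowsAuthentication
        BasicAuthentication   = $owa.BasicAuthentication
        ExternalUrl           = "$($owa.ExternalUrl)"
        Compliant             = ($problems.Count -eq 0)
        Problems              = ($problems -join '; ')
    }
}

# Pick the scenario that matches the section you followed.
Test-OwaAuthenticationScenario -Scenario 'Internet' -Server 'CAS01' | Format-List
```

Run it before step 7 or 9 of the respective section; a Compliant value of False with the Problems text tells you which authentication switch on the virtual directory still needs to be changed.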

Legacy ActiveSync Configuration

In order for mobile devices to synchronize using Client Access servers when the mailbox resides on Exchange Server 2003, the Microsoft-Server-ActiveSync virtual directory must be configured to use Windows Integrated Authentication.

If there are no legacy Exchange Mailbox servers or no legacy mailboxes that are accessed via Exchange ActiveSync, you can skip this section.

Note:
You can manually configure the Microsoft-Server-ActiveSync virtual directory to use Windows Integrated Authentication by installing the hotfix described in Microsoft Knowledge Base article 937031 on a workstation running the Exchange 2003 System Manager (http://go.microsoft.com/fwlink/?linkid=3052&kbid=937031).
  1. Connect to the server via Remote Desktop and log on with an account that has been delegated both local administrative access and the Exchange Full Administrator role within the Exchange 2003 environment.

  2. Create the legacyEAS.vbs script by copying the code from the Server Build DVD Visual Basic Script Examples topic in the Exchange Server 2007 Library (http://go.microsoft.com/fwlink/?LinkId=167205).

  3. Open a command prompt and navigate to the directory containing the script file and run the following command:

    legacyEAS.vbs -d:DomainController -a:AdminGroup
    
    Note:
    Replace DomainController with a domain controller that is in the same Active Directory site as the Exchange server (the -d parameter is optional) and AdminGroup with the Exchange 2003 administrative group that contains the server.

The output will be similar to the following if successful:

Z:\E2010-Scripts\CAS>legacyeas.vbs -d:W2K3-DC-01 -a:NorthAmerica
Microsoft (R) Windows Script Host Version 5.1 for Windows
Copyright (C) Microsoft Corporation 1996-1999. All rights reserved.
Exchange Server Container - cn=Microsoft-Server-Activesync,cn=1,cn=HTTP,cn=Protocols,cn=<Server>,cn=Servers,cn=NorthAmerica,cn=Administrative Groups,cn=<OrgName>,cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<root domain>
Attribute Name & Value - msExchAuthenticationFlags: 6
Attribute Set!!

Handoff Test

Before you can complete the diagnostic tasks in this section, you must have already created test mailboxes in your environment by using the New-TestCasConnectivityUser.ps1 script.

Create Test Mailboxes

  1. Connect to the Exchange 2010 Mailbox server through Remote Desktop and log on with an account that has local administrative access and was delegated the Server Management role.

  2. Click Start > All Programs > Microsoft Exchange Server 2010, and then select Exchange Management Shell.

  3. Change the directory path to <Exchange Server Install Path>\Scripts.

  4. Type New-TestCasConnectivityUser.ps1 and press Enter.

  5. Enter a temporary password and follow the prompts to create the test mailboxes.

Perform Handoff Test

  1. If the server has not been restarted as a result of a previous section’s instructions, restart the server.

  2. Launch the Exchange Management Shell with an account that has been delegated the Server Management role.

  3. To test Exchange ActiveSync connectivity, run the following command where <Server> is the name of the Client Access server:

    Test-ActiveSyncConnectivity -ClientAccessServer <Server>
    
  4. To test Autodiscover connectivity, run the following command where <EmailAddress> is the e-mail address of a mailbox:

    Test-OutlookWebServices -TargetAddress <EmailAddress>
    
  5. To test Exchange Web Services functionality, run the following command:

    Test-WebServicesConnectivity -ClientAccessServer <Server> -AllowUnsecureAccess
    
  6. To test Outlook Web App connectivity, run the following command where <Server> is the name of the Client Access server:

    Test-OwaConnectivity -ClientAccessServer:<Server> -AllowUnsecureAccess
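As an added example (not part of the template), the function below runs the handoff tests from steps 3 to 6 against one server and turns the results into a single pass/fail outcome for the build record. It treats a Failure result from any connectivity scenario, or an Error message from Test-OutlookWebServices, as a failed handoff, and it only passes the -AllowUnsecureAccess switch through when you ask for it, so the same function can be used later without it once the commercial certificate is in place. The server name and test mailbox address are assumptions.

```powershell
# Added example (not from the template): run the handoff tests and summarize them.
function Invoke-CasHandoffTest {
    param(
        [Parameter(Mandatory=$true)][string]$Server,          # Client Access server name
        [Parameter(Mandatory=$true)][string]$TargetAddress,   # mailbox used for the Autodiscover test
        [switch]$AllowUnsecureAccess                          # only while self-signed certificates are in use
    )
    $failures = @()

    # The *Connectivity cmdlets return one object per scenario with a Result of
    # Success, Failure or Skipped and an Error string when something went wrong.
    $outcomes = @()
    $outcomes += Test-ActiveSyncConnectivity -ClientAccessServer $Server
    $outcomes += Test-WebServicesConnectivity -ClientAccessServer $Server -AllowUnsecureAccess:$AllowUnsecureAccess
    $outcomes += Test-OwaConnectivity -ClientAccessServer $Server -AllowUnsecureAccess:$AllowUnsecureAccess
    foreach ($o in $outcomes) {
        $result = "$($o.Result)"
        if ($result -eq 'Failure') {
            $failures += "{0}: {1} ({2})" -f $o.Scenario, $result, $o.Error
        } elseif ($result -ne 'Success') {
            Write-Warning ("{0}: {1}" -f $o.Scenario, $result)   # e.g. Skipped
        }
    }

    # Test-OutlookWebServices reports per-check messages typed Information, Success or Error.
    $ows = Test-OutlookWebServices -TargetAddress $TargetAddress -ClientAccessServer $Server
    foreach ($m in $ows) {
        if ("$($m.Type)" -eq 'Error') {
            $failures += "Autodiscover check $($m.Id): $($m.Message)"
        }
    }

    if ($failures.Count -gt 0) {
        $failures | ForEach-Object { Write-Warning $_ }
        throw "Handoff test for $Server FAILED with $($failures.Count) problem(s)."
    }
    "Handoff test for $Server passed: $($outcomes.Count) connectivity scenarios, $($ows.Count) Autodiscover checks."
}

# Assumed values; use the test mailbox created by New-TestCasConnectivityUser.ps1.
Invoke-CasHandoffTest -Server 'CAS01' -TargetAddress 'testuser@contoso.com' -AllowUnsecureAccess
```

Drop the -AllowUnsecureAccess switch once a trusted certificate is bound to IIS; at that point a failure from Test-WebServicesConnectivity or Test-OwaConnectivity is the check that clients will not be able to reach the server without SSL either.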
    

If this server will be responding to Internet client requests, consider using the Exchange Remote Connectivity Analyzer (https://www.testexchangeconnectivity.com/) to verify your configuration, as well.