You must use caution when changing the IIS settings for Exchange 2010. The reason is simple. Powershell or the Exchange management console EMC uses IIS to manage Exchange. So if you incorrectly change settings you will render your Exchange EMC and Powershell useless.
VERBOSE: Connecting to cas01.testDomain.com
[cas01.testDomain.com] The WinRM service cannot process the request because the request needs to be sent to a different machine. Use the redirect information to send the request to a new machine. Redirect location reported: https://owa.testDomain.com/owa/PowerShell. To automatically connect to the redirected URI, verify “MaximumConnectionRedirectionCount” property of session preference variable “PSSessionOption” and use “AllowRedirection” parameter on the cmdlet.
+ CategoryInfo : OpenError: (System.Manageme….RemoteRunspace:RemoteRunspace) , PSRemotingTransportRedirectException
+ FullyQualifiedErrorId : PSSessionOpenFailed
First thing you’ll want to do is go to your default website and change the redirect. Use the settings from this image below. Use them exactly, you have been warned.
Once that is complete you have to uncheck redirect on all of these sub directories.
Exchange, Exchweb, and Public virtual directories should redirect to /owa.
Now if you try to open Internet Explorer you will receive a HTTP 403.4 error. That is because SSL is required. Select the default website just like the image below and remove the SSL requirement.
Once again you will have to go through these virtual sub directories and make sure the SSL box IS checked!
Warning: If you require SSL for the PowerShell virtual directory, you will render Remote PowerShell inoperable!
Changing the Interal OWA URL, OOF, OAB, and Unified Message Service URL in Exchange 2007
Get-WebServicesVirtualDirectory | fl *url*
Find the string you want to change in my case it will be:
Next you will run this command to change the setting:
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl https://FQDN/EWS/Exchange.asmx
You can confirm your change by running:
Get-OwaVirtualDirectory | fl *url*
Similarly you can change the Client Access Server auto discover service internal uri by running this command:
Get-ClientAccessServer | fl *uri*
Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceUri http://FQDN/Autodiscover/Autodiscover.xml
You must then run IISReset
Similarly you can set your unfied messaging piece the same way:
Get-UMVirtualDirectory | Set-UmVirtualDirectory -internalurl https://FQDN/UnifiedMessaging/Service.asmx
All of these settings can be verified by opening an Outlook client and holding down cntrl while right clicking on the Outlook icon in the system tray. You will see an option that says Test E-mail AutoConfiguration
As most know Exchange 2010 is the latest version of Microsoft’s email server. I wanted to write a short description of the software and outline its features.
Like its predecessor Exchange 2010 requires that you run it on an x64 platform. 32-bit processing is surely but slowly becoming a thing of the past. In 2010 however you must also be running Windows 2008 SP2 or 2008 R2. One of the major decisions you’ll have to make is whether to select the standard or enterprise edition. This basically boils down to how many stores you need. Standard supports 5 stores per server as to where Enterprise you can do 50+. As far as the client side CAL’s are concerned you must purchase the 2008 enterprise CAL’s if you wish to do unified messaging. There is not however a limitation in the software. It is simply a licensing issue. Which means you’ll still have the ability to access unified messaging but it will not be licensed correctly. Another feature Microsoft has decided to keep is the JET EDB database. It has been rumored in the past that Microsoft would start using SQL server to house the Exchange database. This is not the case.
If you ever worked with recovery storage groups in Exchange 2003 or 2007 you will no longer find those in 2010. As well you will not be able to find routing groups. All of the Exchange 2010’s routing is done through active directory sites and services. So you must make sure that you have properly configured your sites before moving forward with Exchange. It is essential to Exchange 2010 functioning properly. As with Exchange 2007 Microsoft still is trying to deemphasize public folders. Their goal is to eventually replace these with their Sharepoint product.
Another major feature of Exchange 2007 and 2010 is their ability to reject email at the gateway. The Edge transport server allows you to configure ADAM and active directory lightweight services to query AD. This allows you to get a list of valid email address and push them out to the border of your network. If the edge server detects that someone is trying to send email to the inside of your organization and the user does not exist it is dropped immediately. This saves on memory and processing power internally so that you don’t have to deal with spam.
Additionally with Exchange 2007 and 2010 you get the ability to create UNC direct file access paths. This way in OWA when a user needs a file on a network share they can grab it without needing a cumbersome VPN client. Outlook anywhere also remains widely the same in 2007 and 2010. It basically encapsulates your RPC packets into https packets. This allows you to traverse your firewall without opening any additional ports. Therefore giving users access to their email from Outlook wherever they may travel.
One of the greatest new features of Exchange 2010 in my opinion is database availability groups or DAG. This is essentially the same thing as CCR in Exchange 2007. Anyone who has tried to configure CCR, LCR, or SCR in Exchange 2007 knows that it can be quite the process. Microsoft simplified this with DAG’s in 2010. It allows you to keep 16 copies of a users mailbox for redundancy and disaster recovery. It does this through a process called log shipping. Where 1MB files are created and then played into the database. This allows you to keep a backup of your server at another physical location for disaster recovery or have two Exchange servers running next to each other.
Another nice feature in 2010 is the fact that the client access server or CAS redirects your client to their database server that houses their mailbox. You no longer need to specify the location of your server in Outlook. The CAS parses AD and redirects them automatically. Therefore there is no hard coding. This makes the transition for failover a lot easier.
As most of you know who have used Exchange 2007 the GUI is simply a front end to Microsofts command line utility called EMS or Exchange Mangement Shell. Anything you do in the GUI is converted to a command and executed against your server. I would personally say you have about 90% functionality in the GUI as opposed to EMS. However, EMS definitely makes the process a lot easier if you need to apply a setting to multiple objects at the same time.
As with Exchange 2007 you still have the same five roles edge transport, hub transport, client access server, mailbox, and unified messaging. Inside of these five roles only the edge transport server must be installed separately from the rest of the servers. Everything else can be ran on one box. Although this is not recommend for performance reasons. The reason why the edge server is standalone is it was meant to sit in your DMZ or on the border of your network. Absorbing the hits so your internal servers are not affected. It has features such as safelist aggregation where Outlook client rules are brough outside to it so that it can apply those rules before the message ever enters your internal network.
The hub server still is the same as Exchange 2007 it routes your messages internally and holds compliancy rules. You can also run a command against it to install antispam featureset. This way if you don’t have an edge transport server you can use it to receive outside mail directly. Although this is not recommended by Microsoft.
The CAS server or client access server is meant to interface with your internal and external clients. As stated before it automatically redirects your Outlook clients so that you don’t need to hardcode their mailbox server. It also accepts connections from smart phones, OWA, etc. It is basically your clients interface to your Exchange infrastructure.
If you wish to monitor your Exchange 2010 infrastructure Microsoft has made a plugin for their SCOM or system center operations manager. This is Microsoft’s MOM replacement that allows you to montior your servers.
In Exchange 2010 you will no longer see SCR, LCR, or CCR. They have been superceded by DAG or database availability groups. This makes configuring database replication a lot smoother. DAG’s also allow for your data to reside across multiple servers. You can also have multiple DAG’s. This is a great feature because if half of your users are in one DAG group and it goes down the other half are not even affected. Other benefits are reduced restore time since you’re not restoring all of your users’ data only the ones in that DAG. You can also have separate exchange policies for different DAG’s. So if your management is in one and your regular users are in another you can change the rules that apply to them. This is a great way to mitigate risk by distributing your load.
As far as the enterprise and standard software go they are both installed from the same media. It is just different license keys that you input that determine what version you are installing. It is also upgradable. You can go from trial to standard to enterprise. However, you cannot downgrade backwards from enterprise to standard or standard to trial.
In order to install Exchange 2010 your domain and forest functional level must be at 2003. Also each site which contains Exchange 2010 must also contain a 2003SP2 domain controller or 2008 domain controller. We recommend you have your domain running 2008R2 domain controllers however.
Exchange still uses EAS or exchange active sync for mobile devices. This way your contacts, calendar, email, etc. are all tightly integrated with your Windows mobile devices.
One common misconception that people have is Exchange enterprise must be installed on server enterprise software. Or that server enterprise software cannot have Exchange standard installed on it. Both of these are fallacies.
When you begin your Exchange installation you should give serious consideration to how you configure your arrays. Exchange is a very read/write intensive application. Therefore you should separate your OS, log files, and database all on separate arrays. If this is not possible it is then recommended that you at least put yoru OS and log files on one array and your database files on another. The reason for this is simple. The log files are write intensive and the database files are read intensive. Separate these two out can speed up your disk I/O.
Memory requirements in Exchange 2010 have pretty much gone unchanged. Start your server with 2GB of memory and then 5MB for every mailbox user. I would also personally recommend to have a minimum of 4GB. Memory is cheap enough these days that the benefit of having more of it outway the cost.
Although the databases in Exchange can grow very large we do not recommend that you go over 100GB. This can become cumbersome to work with and decrease performance on your server.
If you wish to remotely manage your Exchange server you can install the management tools. They will install on Vista SP2 and higher or server 2008 SP2 or higher. This way you do not have to remotely login to your Exchange server to make all of your changes.
As far as your site layout goes you should also plan on having a global catalog server in every location that contains a mailbox server. This is recommended by Microsoft and will reduce WAN traffic.
Exchange has also setup a new permissions setup which they refer to as RBAC or role based access control. From this you get 5 roles to manage your exchange infrastructure. They are Organization management, view only organization management, recipient management, records management, and GAL synchronization management.
Another thing you should consider before installing Exchange 2010 is to make sure your domain is setup properly. You can use tools such as NETDIAG and DCDIAG to verify this. In order to install Exchange 2010 you’re going to need to be a member of domain admins, enterprise admins, and schema admins. You will also want to add connect.microsoft.com and download.microsoft.com to your trusted sites list in IE. Other pieces of software that must be installed are .NET 3.5, Windows remote management 2.0, powershell v2, 2007 office converter microsoft filter packs. If you are installing the mailbox role you must also have AD services remote management tools.
Before starting the install you must prepare your schema by running setup /ps if it fails delete the contents of c:windowstemp, copy the files from your CD to yoru hard drive and rerun setup /ps. You must then run setup /prepareAD /OrganizationName:MyCompany where “MyCompany” can be replaced by your organization name.
You must then prepare the prerequisites by running the following commands.
Once this is complete reboot your server. You are now ready to run Setup.com /mode:install /roles:H,C,M the H,C,M install hub cas and mailbox roles.
Once your install is complete run the Exchange BPA or best practice analyzer.
In order to install the Edge server you’ll want to make sure you’re running 2008 standard with SP2. You’ll need .NET 3.5, remote management 2.0, powershell v2, AD LDS (can be installed via servermanagerCMD -i ADLDS). For the edge server to work in a DMZ you’ll need to open ports 50389-50636. Then run new-EdgeSubscription -filename “c:tempEdgeSubscriptionInfo.xml” Copy that generated file to your hub server you can import it in the GUI and run start-edgeSubscription from EMS. You can test this once it is imported to verify it is working properly by using test-EdgeSubscription from EMS.
I would personally recommend using a RBL provider to stop spam from entering your organization. One example of this is SpamHaus. This queries the connecting server to a black list of IP’s and blocks communcation if it is found on the list. This one feature can drastically cut down on spam.
Another item you have to address is purchasing a SAN certificate for your Exchange server. Exchange has moved to a secure by default mentality. You will find connecting to OWA or using activesync become very painful if you try to issue your own SSL certificates.
Another security improvement in Exchange 2007 and 2010 is that all intracommunication is secure and encrypted. TLS is used for all server to server communication internally. RPC is used for your Outlook clients to communicate with your servers. SSL is configured for all external client communication including, OWA, activesync, etc.
Opportunistic TLS is a new feature where your Exchange server will no long try to send via SMTP by default. It will first send a STARTTLS command to use TLS to encrypt external SMTP communication with other servers. If the other server however does not support this it will revert to unsecure communications.
Still included in Exchange 2010 is the ability to use a journaling mailbox to track all of your emails. This is required by some organizations. Keep in mind that this feature can increase your processor and memory usage by 25%. So you should make sure your server has plenty of resources before turning on this feature.
One of the requirements as previously stated is that Exchange 2010 must be running active directory 2003. Even though 2008 is recommended if you are running Cisco Unified Messaging 4.2(1) or lower it is NOT compatible with active directory 2008.
When you upgrade your active directory infrastructure it is recommended that you create a virtual machine using Microsoft Hyper-v or Vmware. Make the virtual machine an additional domain controller and make it a global catalog. This way if your upgrade takes turn for the worst you have data that is intact if you have to downgrade. Do not forget to unplug it from the network before doing the upgrade. If you need to revert back you can use NTDSUTIL to seize the roles.
If for whatever reason you need to create a scratch installation of a domain you can always use the ADMT utility to move users, groups, computers, service accounts, and trusts.
To migrate from 2003 Exchange to 2010 the overview is as follows. First you must be running Exchange 2003 with service pack 2. Your active directory domain and forest functional levels must be 2003 and at least one global catalog has to be 2003 server with SP2. Instal AD LDIFDE tools on 2008 to upgrade your schema. Upgrade your Exchange Schema. Transfer OWA, activesync, and Outlook anywhere to the CAS server. Install/upgrade hub server. Transfer the mail flow to the hub transport server. Install mailbox servers and DAG if required. Move your public folder replicas using pfmigrat.wsf or PFRecursive.PS1. Move your mailboxes. Rehome OAB. Rehome public folder heirarchy. Transfer public folder replicas. Delete 2003 public and private stores. Delete routing group connectors. Delete RUS using ADSIEdit. Uninstall Exchange 2003.
To migrate from 2007 Exchange to 2010 the process is a little less. Make sure your Exchange 2007 server is running SP2. Make sure your domain and forest is at 2003 functional level. Global catalog server is at 2003 SP2. Use AD LDIFDE tools to upgrade your schema. Prepare schema. CAS server. Transfer OWA. Install hub transport. Transfer mail to hub transport. Use AddReplicatoPFRecursive.Ps1 to move your public folder replications. Move your mailboxes. Rehome OAB. Transfer public folder replica. Delete public and private stores. Uninstall Exchange 2007.
The first thing you’re going to want to do is create two users in active directory.
OWAEnabled and OWADisabled
You then need to mail enabled these two groups.
enable-DistributionGroup -Identity ‘domain.internal/OU/OWAEnabled’ -Alias ‘OWAEnabled’
enable-DistributionGroup -Identity ‘domain.internal/OU/OWADisabled’ -Alias ‘OWADisabled’
I would also hide them from the address list
Set-Distributiongroup ‘OWAEnabled’ -HiddenFromAddressListsEnabled $true
Set-Distributiongroup ‘OWADisabled’ -HiddenFromAddressListsEnabled $true
From there add the users to their respective groups based on if you want their owa enabled or not.
Finally once you have that all setup run the following powershell commands
Get-DistributionGroupMember “OWADisabled” | Set-CasMailbox -OWAEnabled $False
Get-DistributionGroupMember “OWAEnabled” | Set-CasMailbox -OWAEnabled $True
If you follow these directions it basically resets your Exchange virtual directories back to default:
- Back up your IIS Metabase. To do this, follow these steps:
- Start IIS Manager.
- Right-click Default Web Site, point to All Tasks, and then click Save Configuration to a File.
- Delete the virtual directories for Outlook Web Access. To do this, right-click Exadmin in the left pane of IIS Manager, and then click Delete. Click Yes when you are prompted with the question of whether you want to delete this item.
Repeat this step for the following virtual directories:
- Quit IIS Manager.
- Click Start, click Run, type cmd, and then press ENTER.
- Change to the following folder. In this example, Drive is the hard disk drive where Windows is installed:
- Type adsutil, and then press ENTER.
Important By default, CScript is not the default scripting host for Windows Server 2003. To run the adsutil command, CScript must be configured as the default scripting host. To do this, click Yes if you are prompted to register CScript as you default host for VBscript, and then click OK.
Note If you receive a list of adsutil command options, CScript is already configured as the default scripting host for VBscript.
- Type adsutil delete ds2mb, and then press ENTER.
Note To set the default scripting host to WScript, type WScript //H:WScript at the command prompt, press ENTER, and then click OK.
- Click Start, point to All Programs, point to Administrative Tools, and then click Services.
- To restart the Microsoft Exchange System Attendant service, follow these steps:
- Click Start, click Run, type services.msc, and then click OK.
- Right-click Microsoft Exchange System Attendant, and then click Restart.
- When you are prompted to restart the dependant Exchange Server services, click Yes.
Note When you restart the Microsoft Exchange System Attendant service, the Microsoft Exchange Information Store service is also restarted. In this scenario, your Exchange Server users lose connectivity to their Exchange Server mailboxes.
The virtual directories are re-created. To verify that the virtual directories are re-created, start IIS Manager, and then view the Default Web site folder.
Important If the virtual directories are not re-created after 15 minutes, restart the computer.
- Reset the access permissions to Anonymous. To do this, follow these steps:
- Start IIS Manager, right-click ExchWeb, click Properties, and then click the Directory Security tab.
- Under Authentication and access control click Edit, and then verify that the Enable anonymous access check box is turned on.
- Click to select the Integrated Windows authentication check box, click OK, and then click Apply.
- If an Inheritance Overrides dialog box appears, click Select All, and then click OK.
- Under Authentication and access control, click Edit, and then click to clear the Integrated Windows authentication check box.
- Click OK two times, and then quit IIS Manager.
Use a Web browser to verify that you can connect to your Outlook Web Access server. If you are also running other mobility services, verify that you can connect to these services by using an appropriate client.