Saturday, August 15, 2015

First Glance on Exchange 2016 (Part 2)

Hi folks,

In this article I continue the story of my encounter with Exchange 2016. Both servers have been installed, so it is time to configure them.

Here I'm following the guidelines from TechNet. The configuration tasks can be done from either the EAC or the EMS. I personally preferred EMS for the majority of the tasks as it is more fun.

I started with the preparation work and created all the necessary DNS records. In my case I created an A record, mail.contoso.com, which will be used as the hostname for client access and transport. Since this is a lab I used the poor man's solution, namely DNS round-robin (several A records with the same name, one per server). In a production enterprise environment it would of course be a single A record pointing to the load balancer's VIP address.



The other record I created was of course an MX record. I assume you all know what it is and how it is used.



Additionally I created an SPF record as follows (it declares that all hosts listed as MX records for the domain are valid senders of its email, and rejects everything else):
msglab16.net IN TXT "v=spf1 mx -all"



After this I created a forward lookup DNS zone called labmail.com. There I also created MX and SPF records. I will use this DNS zone for my second accepted domain.
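Before touching Exchange it is worth checking that the records above actually resolve the way the deployment expects. The following script is an added example and not part of the original post; it uses the post's lab names (mail.contoso.com, msglab16.net, labmail.com) as assumptions and relies on the Resolve-DnsName cmdlet that ships with Windows Server 2012 and later.

```powershell
# Added example (not from the original post): verify the DNS prerequisites
# for the Exchange deployment. Hostnames and domains are the post's lab values
# and are assumptions for your own environment.
$ClientAccessHost = 'mail.contoso.com'            # round-robin A record(s)
$MailDomains      = 'msglab16.net', 'labmail.com' # accepted domains with MX + SPF

function Test-ExchangeDnsPrerequisites {
    param([string]$HostName, [string[]]$Domains)

    $problems = @()

    # Round-robin means more than one A record behind the same name.
    $a = @(Resolve-DnsName -Name $HostName -Type A -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'A' })
    if ($a.Count -eq 0)    { $problems += "No A record for $HostName" }
    elseif ($a.Count -lt 2) { $problems += "$HostName resolves to one address only; round-robin needs one A record per server" }

    foreach ($d in $Domains) {
        $mx = @(Resolve-DnsName -Name $d -Type MX -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'MX' })
        if ($mx.Count -eq 0) { $problems += "No MX record for $d"; continue }

        # SPF is a TXT record starting with v=spf1; a domain may publish only one.
        $spf = @(Resolve-DnsName -Name $d -Type TXT -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'TXT' } |
                 ForEach-Object { $_.Strings -join '' } |
                 Where-Object { $_ -like 'v=spf1*' })
        if ($spf.Count -eq 0)     { $problems += "No SPF record for $d" }
        elseif ($spf.Count -gt 1) { $problems += "$d publishes more than one SPF record" }
        elseif ($spf[0] -notmatch '\s[-~]all\s*$') {
            # Catches a missing terminator and also a typographic dash pasted
            # in place of the ASCII hyphen, which makes the record meaningless.
            $problems += "SPF for $d does not end with an ASCII -all or ~all: '$($spf[0])'"
        }

        # The 'mx' mechanism only covers hosts the MX records point at.
        foreach ($target in $mx.NameExchange) {
            if (-not (Resolve-DnsName -Name $target -Type A -ErrorAction SilentlyContinue)) {
                $problems += "MX target $target for $d does not resolve"
            }
        }
    }
    return $problems
}

$issues = Test-ExchangeDnsPrerequisites -HostName $ClientAccessHost -Domains $MailDomains
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else         { 'DNS prerequisites look good.' }
```

Run it from any domain-joined machine that uses the lab DNS servers. The SPF terminator check is deliberately strict about the ASCII hyphen: a record copied from a word processor with a typographic dash in front of "all" is syntactically invalid, and receiving servers then treat the domain as having no SPF policy at all.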

With the DNS records ready I moved on to the Exchange 2016 configuration, starting with the transport layer.

First I created a Send Connector for Internet mail (using * as the address space and adding both transport servers as source servers):

New-SendConnector -Name "Internet Mail" -AddressSpaces * -SourceTransportServers EX2016-EX01,EX2016-EX02


Send connectors are created with a default maximum message size of 35 MB, so I increased it:

Set-SendConnector "Internet Mail" -MaxMessageSize 50MB



After that I added labmail.com as an accepted domain of the Internal Relay type (this type is used in Office 365 or cross-forest scenarios where some of the recipients sit in one organization and the rest in the other). This is the quick command to do it:

New-AcceptedDomain -Name labmail.com -DomainName labmail.com -DomainType InternalRelay
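The transport steps above, gathered into one idempotent script with a verification at the end. This is an added example and not code from the original post; server and connector names are the post's lab values. The point of the last function is a caveat practitioners run into: a send connector limit is only one of three limits that apply to a message, and the organization-wide limits in Get-TransportConfig (10 MB by default) and the receive connector limits cap it too, so raising the connector alone to 50 MB changes nothing until the others are aligned.

```powershell
# Added example (not from the original post): send connector, accepted domain
# and a size-limit check. Names are the post's lab values.
$SourceServers = 'EX2016-EX01', 'EX2016-EX02'

# Internet send connector: -Usage Internet marks it for external delivery and
# routes via DNS (MX lookup) instead of a smart host.
if (-not (Get-SendConnector -Identity 'Internet Mail' -ErrorAction SilentlyContinue)) {
    New-SendConnector -Name 'Internet Mail' -Usage Internet -AddressSpaces '*' `
        -SourceTransportServers $SourceServers -DNSRoutingEnabled $true
}
Set-SendConnector -Identity 'Internet Mail' -MaxMessageSize 50MB

# Internal relay accepted domain for labmail.com.
if (-not (Get-AcceptedDomain -Identity 'labmail.com' -ErrorAction SilentlyContinue)) {
    New-AcceptedDomain -Name 'labmail.com' -DomainName 'labmail.com' -DomainType InternalRelay
}

# The smallest of the organization, send connector and receive connector
# limits wins. List all of them so a raised connector limit is not silently
# undone by the others.
function Get-MessageSizeLimits {
    $org = Get-TransportConfig
    [PSCustomObject]@{ Scope = 'Organization MaxSendSize';    Limit = $org.MaxSendSize }
    [PSCustomObject]@{ Scope = 'Organization MaxReceiveSize'; Limit = $org.MaxReceiveSize }
    Get-SendConnector | ForEach-Object {
        [PSCustomObject]@{ Scope = "Send connector $($_.Name)"; Limit = $_.MaxMessageSize }
    }
    Get-ReceiveConnector | ForEach-Object {
        [PSCustomObject]@{ Scope = "Receive connector $($_.Identity)"; Limit = $_.MaxMessageSize }
    }
}

Get-MessageSizeLimits | Format-Table -AutoSize
```

If the organization limits are the bottleneck, Set-TransportConfig -MaxSendSize 50MB -MaxReceiveSize 50MB raises them for the whole organization; check the receive connectors on each transport server the same way before expecting 50 MB messages to flow in either direction.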


The accepted domain msglab16.com was created by default as an Authoritative accepted domain (since it is the name of my AD forest in the lab).

Once the new accepted domain was in place I tweaked the default email address policy to make addresses in the format firstname.surname@labmail.com (%g.%s@labmail.com) the default email address of my recipients.



Additionally I added another address format, alias@mgslab.com, to the policy.



After the policy had been modified I clicked Apply to have it applied to all existing recipients (in my case that was only the admin, so be careful with this button in real-life scenarios). In real life you may instead create a new email address policy and set its priority so that it applies to your new recipients only. And, at the end of the day, you can always use EmailAddressPolicyEnabled:$false with the Set-* commands on individual recipients to give them exactly the email addresses you want.
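The three approaches described above done in EMS rather than the EAC. This is an added example, not code from the original post; the domain names are the post's lab values, while the policy name "New hires labmail", the use of CustomAttribute1 for scoping and the admin mailbox addresses are assumptions. Note the case convention in templates: an uppercase "SMTP:" prefix marks the primary address, lowercase "smtp:" a secondary one.

```powershell
# Added example (not from the original post): email address policy changes
# in EMS. Domain names are the post's lab values; policy and attribute names
# are assumptions.

# 1. Default policy: %g.%s@labmail.com becomes the primary address, the
#    alias-based address on the forest domain remains as a secondary.
#    Variables: %g = given name, %s = surname, %m = Exchange alias.
Set-EmailAddressPolicy -Identity 'Default Policy' `
    -EnabledEmailAddressTemplates 'SMTP:%g.%s@labmail.com', 'smtp:%m@msglab16.com'

# Applying the policy rewrites the primary address of every recipient it
# covers, so count the affected recipients before committing.
$affected = @(Get-Recipient -ResultSize Unlimited |
              Where-Object { $_.EmailAddressPolicyEnabled })
"Default Policy will rewrite addresses on $($affected.Count) recipient(s)"
Update-EmailAddressPolicy -Identity 'Default Policy'

# 2. Alternative that leaves existing recipients alone: a higher-priority
#    policy scoped to recipients tagged in CustomAttribute1. New mailboxes
#    with that attribute get the format at creation; nobody else is touched
#    until Update-EmailAddressPolicy is run for this policy.
New-EmailAddressPolicy -Name 'New hires labmail' -Priority 1 `
    -IncludedRecipients MailboxUsers -ConditionalCustomAttribute1 'NewHire' `
    -EnabledEmailAddressTemplates 'SMTP:%g.%s@labmail.com', 'smtp:%m@msglab16.com'

# 3. Per-recipient override: detach the mailbox from policies and set the
#    addresses explicitly. The first entry (uppercase SMTP:) is the primary.
Set-Mailbox -Identity 'admin' -EmailAddressPolicyEnabled $false `
    -EmailAddresses 'SMTP:admin@labmail.com', 'smtp:admin@msglab16.com'

# Confirm which policy each mailbox is governed by and its resulting addresses.
Get-Mailbox -ResultSize Unlimited |
    Select-Object Name, EmailAddressPolicyEnabled, PrimarySmtpAddress,
        @{ n = 'Secondary'; e = { ($_.EmailAddresses | Where-Object { $_ -clike 'smtp:*' }) -join ';' } } |
    Format-Table -AutoSize
```

A detached mailbox (EmailAddressPolicyEnabled $false) keeps whatever addresses you set even when the policy is later reapplied, which is what makes it the right tool for exceptions and the wrong tool for bulk changes.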


After transport had been configured I started working on the Exchange Server certificate that will be used for client access and transport. The EAC is the nicer tool for creating a certificate request and assigning the certificate to Exchange services, but PowerShell is more fun.

New-ExchangeCertificate -GenerateRequest -SubjectName "c=US, o=MSGLAB16, cn=mail.contoso.com" -DomainName contoso.com, example.com -PrivateKeyExportable $true

After the request had been created I submitted it to the certification authority. In a production environment it should of course be a trusted third-party CA that the request is submitted to; in my lab I used my internal enterprise CA. The following screenshots are self-explanatory and need no additional comments:








After the issued certificate had been downloaded I imported it on the Exchange server as follows:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\certificates\ExportedCert.cer -Encoding byte -ReadCount 0))

After the certificate had been imported I took its thumbprint and assigned the certificate to the IIS, SMTP, POP and IMAP services. After that, don't forget to run iisreset.
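The whole certificate workflow from request to service binding in EMS, including the step the post does through the EAC (the second server), plus a verification at the end. This is an added example and not code from the original post; it uses the post's lab server names, subject name and domain names, while the file paths, the autodiscover name and the key size are assumptions. Binding the same certificate on both servers is done by exporting a password-protected PFX from the first server rather than by creating a second request, so that both servers present an identical certificate behind the round-robin name.

```powershell
# Added example (not from the original post): Exchange certificate lifecycle
# in EMS. Server names and subject are the post's lab values; paths and the
# autodiscover name are assumptions.
$Servers  = 'EX2016-EX01', 'EX2016-EX02'
$CertName = 'mail.contoso.com'
$Names    = $CertName, 'autodiscover.contoso.com'   # names the cert must cover
$ReqPath  = 'C:\certificates\mail.req'
$CerPath  = 'C:\certificates\ExportedCert.cer'      # issued cert from the CA
$PfxPath  = 'C:\certificates\mail.pfx'

# 1. Request on the first server. The request is returned as text; write it
#    to a file for submission to the CA.
$req = New-ExchangeCertificate -Server $Servers[0] -GenerateRequest `
    -SubjectName "c=US, o=MSGLAB16, cn=$CertName" -DomainName $Names `
    -KeySize 2048 -PrivateKeyExportable $true
[System.IO.File]::WriteAllBytes($ReqPath, [Text.Encoding]::Unicode.GetBytes($req))

# 2. After the CA has issued it, import on the same server: the pending
#    request there holds the matching private key.
$cert = Import-ExchangeCertificate -Server $Servers[0] `
    -FileData ([System.IO.File]::ReadAllBytes($CerPath))

# 3. Bind the services. -Force suppresses the prompt about replacing the
#    default SMTP certificate.
Enable-ExchangeCertificate -Server $Servers[0] -Thumbprint $cert.Thumbprint `
    -Services IIS, SMTP, POP, IMAP -Force

# 4. Second server: export as password-protected PFX, import, bind, and
#    delete the PFX so the private key is not left lying on disk.
$pfxPassword = (Get-Credential -Message 'Password to protect the PFX').Password
$bin = Export-ExchangeCertificate -Server $Servers[0] -Thumbprint $cert.Thumbprint `
    -BinaryEncoded -Password $pfxPassword
[System.IO.File]::WriteAllBytes($PfxPath, $bin.FileData)
Import-ExchangeCertificate -Server $Servers[1] `
    -FileData ([System.IO.File]::ReadAllBytes($PfxPath)) -Password $pfxPassword `
    -PrivateKeyExportable $true
Enable-ExchangeCertificate -Server $Servers[1] -Thumbprint $cert.Thumbprint `
    -Services IIS, SMTP, POP, IMAP -Force
Remove-Item -Path $PfxPath

# 5. Verify on both servers: services bound, required names covered,
#    not self-signed, and time left before expiry.
function Test-ExchangeCertificateBinding {
    param([string]$Server, [string]$Thumbprint, [string[]]$RequiredNames)
    $c = Get-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint
    $covered = $c.CertificateDomains | ForEach-Object { $_.ToString() }
    [PSCustomObject]@{
        Server       = $Server
        Services     = $c.Services
        MissingNames = @($RequiredNames | Where-Object { $covered -notcontains $_ })
        SelfSigned   = $c.IsSelfSigned
        DaysToExpiry = [int]($c.NotAfter - (Get-Date)).TotalDays
    }
}
foreach ($s in $Servers) {
    Test-ExchangeCertificateBinding -Server $s -Thumbprint $cert.Thumbprint -RequiredNames $Names
}

# 6. Restart IIS on each server so the new binding takes effect.
foreach ($s in $Servers) { iisreset $s }
```

An empty MissingNames list and SelfSigned = False on both servers is the result to expect; a DaysToExpiry that is already small is the usual sign that the CA template issued a shorter validity than intended, and it is much cheaper to notice that now than when Outlook starts prompting.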



The certificate for my second server I configured using the EAC. I have also attached screenshots from that exercise to this article; again they are quite self-explanatory.









To be continued...