In part 3 of this series on building an Exchange 2019 environment from scratch, we took you through the Exchange 2019 unattended installation. In part 4, we will move on to Exchange 2019 administration and the tasks you need to do for your brand-new server. We will be covering the following sections:
- Licensing Exchange 2019.
- Configuration of URLs.
- Turning off access to the Exchange admin center (EAC).
- Creating your certificate signing request (CSR) and submitting it to a third-party provider so you can secure Exchange.
Let’s start with licensing, certainly one of the most important Exchange 2019 administration tasks. When you install Exchange 2019 or 2016 (I’m not covering legacy versions here), you pretty much have a fully operational Exchange server that you can set up and use. But in Trial mode you are limited in the number of databases you can have (which is five, just like Standard). You can license Exchange 2019 with the Exchange Management Shell (EMS) or the Exchange admin center (EAC). All admins have their preferences. In the Exchange admin center, log in and click Servers on the left. Once you click on a server, the license status appears on the right-hand side along with the option to enter a product key, as shown below:
Or you can double-click on a server or click on the pencil icon. On the General properties page, you can enter the key (the above will take you to the same place):
Once you click Save, you will be prompted to restart the Information Store Service for the changes to take effect. You can also license the server using PowerShell and the command below:
Set-ExchangeServer -Identity ex2019a -ProductKey xxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxx-xxxxx
Replace the values after the product key with your own from your Visual Studio subscription. You will get the same warning as above.
The next thing we will look at configuring is your Exchange 2019 certificate and creating a certificate signing request. We will move to the URL section as soon as this one is complete.
A lot of times, I have worked with customers who use wildcard certificates, which makes for an easier process: you simply launch IIS, import the .PFX file, and then assign the services to it in Exchange.
Exchange 2019 administration: Generating a CSR
If you do not use a wildcard, then you need to generate the CSR, which is done as follows:
Log in to the Exchange admin center, enter your credentials at the login page, and press enter.
Click on Servers on the left, then click on Certificates on the top right and finally click the + button, as shown below:
Once you have clicked the + button, the window below will show up. Leave the default option selected as highlighted, because we are creating a CSR for a certificate authority, and then click Next.
Enter a friendly name for the Exchange certificate as shown below and then click Next.
In this example, we are not selecting the option for a wildcard, so just click Next to continue.
On the page shown below, you need to select a server. Clicking the browse button will immediately bring up the server list. Select a server and then click OK.
Once you have clicked OK, the server name will show in the tab as per the below option. Click Next to continue.
On the page below, you need to define your namespace. Remember that anything .local is not resolvable on the Internet. In my example, I made everything the same.
For part 2 of the URL namespace, you can see that I have mail.thexchangelab.com and then autodiscover.thexchangelab.com and pop/imap set. Once you have set all of them, click Next.
In the window below, you will have .local as an option. Remove it and anything else you don’t want and then click Next.
Enter the information below for the certificate and then click Next.
Last, you need to save the request. As you can see below, I used \\localhost\c$\thexchangelab.REQ. Click the Finish button.
Back in the Exchange admin center, you can see below that there is a pending request for EX2019A, the server I performed this on. The CSR will now need to be uploaded to a third-party source like GoDaddy, DigiCert, or RapidSSL for them to complete the request for you and provide you with your SSL certificate.
When you have received your SSL certificate after validations and verification (it can take a day or two), you now need to complete the certificate request. Back in the EAC, click on the pending request and then click Complete as shown below:
Enter the location of the file, for example \\localhost\c$\ssl.cer, and then click OK. Now double-click on that certificate to assign the services you want it to be bound to. Remember to do an IISRESET or reboot your server for the changes to apply.
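The same request, completion, and service assignment can be done from the Exchange Management Shell. This is an added example, not part of the original article; the organization details in the subject name and the choice of services are assumptions, while the server name, host names, and file names are the ones used in the walkthrough above.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell
# on the server that will hold the certificate: the private key never leaves the
# machine that generated the request, so complete the request on that same server.
$server  = 'EX2019A'
$reqFile = 'C:\thexchangelab.REQ'   # local form of \\localhost\c$\thexchangelab.REQ
$cerFile = 'C:\ssl.cer'             # file returned by the certificate authority

# Stage 1: create the pending request once and save it for upload to the CA.
if (-not (Test-Path $reqFile)) {
    $csrParams = @{
        Server               = $server
        GenerateRequest      = $true
        FriendlyName         = 'thexchangelab mail certificate'
        # C= and O= are placeholders (assumption); use your own organization details.
        SubjectName          = 'C=US, O=Example Org, CN=mail.thexchangelab.com'
        DomainName           = 'mail.thexchangelab.com', 'autodiscover.thexchangelab.com'
        KeySize              = 2048
        # Exportable so the certificate can later be moved to an additional server.
        # Set to $false if the key should never leave this machine.
        PrivateKeyExportable = $true
    }
    # The cmdlet returns the Base64 request text; write it out locally.
    $request = New-ExchangeCertificate @csrParams
    Set-Content -Path $reqFile -Value $request -Encoding Ascii
}

# Stage 2: run again once the CA has issued the certificate (this can be days later).
if (Test-Path $cerFile) {
    $cert = Import-ExchangeCertificate -Server $server `
        -FileData ([System.IO.File]::ReadAllBytes($cerFile))

    # Services chosen here are an assumption; add SMTP if mail flow should use it too.
    Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -Services IIS, POP, IMAP

    # Confirm the names, bound services and expiry before restarting IIS.
    Get-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint |
        Format-List FriendlyName, CertificateDomains, Services, Status, NotAfter
}
```

Passing the certificate as bytes through -FileData and capturing the request as text keeps the whole exchange on local disk instead of relying on a UNC path.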
Turning off access to the Exchange admin center
I have spoken about this in one of my previous posts. Consider turning off access to the EAC when your servers are external facing. You might have an internal server without internet access that is used for management, and you can keep using the EAC on that one. This is just a word of precaution. You do not need to turn it off, but please consider the risks involved with the attacks on Exchange.
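One way to apply this from the Exchange Management Shell, as an added example that is not part of the original article. The list of external-facing servers is an assumption; it uses the lab server EX2019A named earlier.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell.
# Servers published to the internet (constructed list; adjust to your environment).
# Leave any internal-only management server out of this list so the EAC stays
# available there.
$externalServers = @('EX2019A')

foreach ($s in $externalServers) {
    # AdminEnabled $false turns off the admin center on this server's ECP virtual
    # directory. The /ecp path still serves users' own Options pages.
    Get-EcpVirtualDirectory -Server $s |
        Set-EcpVirtualDirectory -AdminEnabled $false
}

# Review the state across all servers: only the internal management server,
# if you have one, should still show AdminEnabled = True.
Get-EcpVirtualDirectory |
    Format-Table Server, Name, AdminEnabled, ExternalUrl -AutoSize

# Restart IIS on each changed server so the setting is picked up.
iisreset /noforce
```

The Exchange Management Shell keeps working after this change, so administration of the external-facing servers is still possible from PowerShell.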
Configuration of URLs
Configuring your URLs in Exchange 2019 is important, just like any other version. You need to set them all, so you do not have popups on Outlook or have issues connecting externally. To perform the configurations, here are the PowerShell commands to configure them all:
Set-ClientAccessService -Identity Exchange-2019 -AutodiscoverServiceInternalUri https://mail.thexchangelab.com/autodiscover/autodiscover.xml
Get-WebServicesVirtualDirectory -Server Exchange-2019 | Set-WebServicesVirtualDirectory -InternalUrl https://mail.thexchangelab.com/ews/exchange.asmx -ExternalURL https://mail.thexchangelab.com/ews/exchange.asmx
Set-OWAVirtualDirectory -identity "Exchange-2019\owa (Default Web Site)" -InternalURL https://mail.thexchangelab.com/owa -ExternalURL https://mail.thexchangelab.com/owa
Get-OABVirtualDirectory -Server Exchange-2019 | Set-OABVirtualDirectory -InternalURL https://mail.thexchangelab.com/OAB -ExternalURL https://mail.thexchangelab.com/OAB
Get-ECPVirtualDirectory -Server Exchange-2019 | Set-ECPVirtualDirectory -InternalURL https://mail.thexchangelab.com/ECP -ExternalURL https://mail.thexchangelab.com/ECP
Get-MAPIVirtualDirectory -Server Exchange-2019 | Set-MAPIVirtualDirectory -InternalURL https://mail.thexchangelab.com/MAPI -ExternalURL https://mail.thexchangelab.com/MAPI -IISAuthenticationMethods NTLM,Negotiate
Get-ActiveSyncVirtualDirectory -Server Exchange-2019 | Set-ActiveSyncVirtualDirectory -InternalURL https://mail.thexchangelab.com/Microsoft-Server-ActiveSync -ExternalURL https://mail.thexchangelab.com/Microsoft-Server-ActiveSync
Set-OutlookAnywhere -identity "Exchange-2019\RPC (Default Web Site)" -ExternalHostname mail.thexchangelab.com -InternalHostname mail.thexchangelab.com -InternalClientsRequireSSL $true -ExternalClientsRequireSsl $true -ExternalClientAuthenticationMethod:NTLM
Once you have set them all, reboot your server for the changes to take effect.
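Certificate popups in Outlook usually mean a configured URL points at a host name that is not on the certificate bound to IIS. The script below is an added example, not part of the original article; it reads back every URL set by the commands above and checks each host name against the CA-issued certificate. The helper name Test-Covered is hypothetical.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell.
$server = 'Exchange-2019'   # server name used in the commands above

function Test-Covered([string]$HostName, [string[]]$CertNames) {
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }
        # A wildcard covers exactly one label: *.example.com matches mail.example.com only.
        $parent = $HostName.Substring($HostName.IndexOf('.') + 1)
        if ($n.StartsWith('*.') -and $parent -eq $n.Substring(2)) { return $true }
    }
    return $false
}

# Collect every URL the commands above configure.
$urls = @((Get-ClientAccessService -Identity $server).AutoDiscoverServiceInternalUri)
$vdirCmds = 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory', 'Get-WebServicesVirtualDirectory',
            'Get-OabVirtualDirectory', 'Get-MapiVirtualDirectory', 'Get-ActiveSyncVirtualDirectory'
foreach ($cmd in $vdirCmds) {
    $urls += & $cmd -Server $server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
}

# Reduce the URLs to unique host names and add the Outlook Anywhere host names.
$oa = Get-OutlookAnywhere -Server $server
$names = @($urls | Where-Object { $_ } | ForEach-Object { ([uri]"$_").Host })
$names += "$($oa.InternalHostname)", "$($oa.ExternalHostname)"
$names = $names | Where-Object { $_ } | Sort-Object -Unique

# Compare against each CA-issued certificate that is bound to IIS.
$certs = Get-ExchangeCertificate -Server $server |
    Where-Object { "$($_.Services)" -match 'IIS' -and -not $_.IsSelfSigned }
foreach ($c in $certs) {
    $sans = @($c.CertificateDomains | ForEach-Object { "$_" })
    foreach ($n in $names) {
        [pscustomobject]@{
            Thumbprint = $c.Thumbprint
            HostName   = $n
            Covered    = Test-Covered $n $sans
        }
    }
}
```

Any row with Covered = False is a URL that clients will reach over a certificate that does not name it; either correct the URL or reissue the certificate with that name.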
Exchange 2019 administration: Coming up next
This article is quite long, so in the next part of the series, we will continue our Exchange 2019 administration and look at configuring the following:
- Configuring storage
- Installing an additional server
- Creating a database availability group (DAG)