Installing Exchange 2016: Step-by-step guide (Part 2)

In Part 1 of this series, we walked through the steps needed to install Exchange 2016. Here in Part 2, we will look at the following tasks that need to be done post-installation:

  • Install the security update for the CU you installed.
  • Install Windows updates.
  • Access the Exchange Admin Center (EAC) and log in.
  • License your Exchange 2016 servers.
  • Create a new certificate request.
  • Configure your URLs for Exchange 2016.
  • Update your bindings with the new certificate in IIS.

Security updates

Once you have installed your Exchange 2016, before doing anything you need to install the security updates. Security updates fix the issues identified and ensure that your Exchange Server is secure. You need to download the file and then run it from an elevated command prompt. The setup varies from system to system. Some take 15 minutes, others take 2-3 hours.

Windows updates

Once that is done, you need to run Windows updates for your Windows 2016 Server. Depending on how far behind your server is, it can take a while. If you have an image that is fully patched then it should not take long.

Exchange Admin Center (EAC)

Accessing the EAC (Exchange Admin Center) can be done by clicking the start menu and under Exchange 2016 you can click it and a web page will open, similar to the one below. (Take note that if you are running in coexistence that you need to specify /?ExchClientVer=15 as you will be redirected to Exchange 2010 ECP/OWA pages.)

Enter your account credentials. It can be domain\admin_account and the password. Logging in for the first time does take a few minutes so don’t think it’s broken. Your window will look similar to the one below:

Licensing

When you install Exchange 2016, it is a full version of Exchange, meaning you have access to the entire system for a certain period of time but you are limited to a maximum of 5x databases. You have the option to choose from Standard Edition or Enterprise Edition. Standard is limited to five mounted databases and Enterprise is limited to 100.

To license your server, you can either do it from the Exchange Admin Center or by using the Exchange Management Shell (EMS) / PowerShell, which I find much easier to do. To license your using the Exchange Admin Center, click on “servers” on the left and then select “servers” in the middle. Double-click on the server you want to license and on the general page you will be able to enter in the license key as shown below:

Now if you want to use PowerShell, you can simply enter the command below to license your server: (Replace Server1 and the key with your key.)

  • Set-ExchangeServer Server1 -ProductKey 00000-00000-00000-00000-00000

After this, you need to restart the Microsoft Information Store.

Certificates

Certificates are not difficult to install and get set up. For the most part, you will have a SAN name for the namespace you want to use, like mail.thexchangelab.com and you will have an autodiscover record on. To obtain a certificate you will need to create a request to an external SSL provider like GoDaddy, DigiCert, RapidSSL, etc. In the Exchange Admin Center, if you click on “servers” on the left and then “certificates” on the top right, you can click the + button to create a new CSR. Here are some screenshots:

Select the first option and then click Next to continue

You need to provide a friendly name for the certificate> enter in one and then click Next.

If you are using a wildcard certificate then enable the checkbox above or click Next to continue.

You need to store this certificate request on a server. Click the browse button, which will bring up all the servers. Select one.

Your server will now be displayed in the box above. As you can see, the Next button is highlighted for you to proceed.

In this section, you need to update the URLs you wish to use for POP3, IMAP4, MAPI, OAB, OWA, EWS, and AS. Once done, click Next to continue.

Now in this window enter the details and then click Next.

Last, enter the location where this request file will be saved. You can use \\localhost\C$\certname.REQ and then click Finish.

Now you can upload the REQ file you just saved to the vendor’s site and you will see the names just as you selected them and they will ask you to validate the domain before they issue you the certificate.

Configuring your URLs

In this example, I will show you how to configure your URLs for all the services using PowerShell. Here are all the commands needed to configure them:

Set-ClientAccessService -Identity Exchange-2016 -AutodiscoverServiceInternalUri https://mail.thexchangelab.com/autodiscover/autodiscover.xml

Get-WebServicesVirtualDirectory -Server Exchange-2016 | Set-WebServicesVirtualDirectory -InternalUrl https://mail.thexchangelab.com/ews/exchange.asmx -ExternalURL https://mail.thexchangelab.com/ews/exchange.asmx

Set-OWAVirtualDirectory -identity “Exchange-2016\owa (Default Web Site)” -InternalURL https://mail.thexchangelab.com/owa -ExternalURL https://mail.thexchangelab.com/owa

Get-OABVirtualDirectory -Server Exchange-2016 | Set-OABVirtualDirectory -InternalURL https://mail.thexchangelab.com/OAB -ExternalURL https://mail.thexchangelab.com/OAB

Get-ECPVirtualDirectory -Server Exchange-2016 | Set-ECPVirtualDirectory -InternalURL https://mail.thexchangelab.com/ECP -ExternalURL https://mail.thexchangelab.com/ECP

Get-MAPIVirtualDirectory -Server Exchange-2016 | Set-MAPIVirtualDirectory -InternalURL https://mail.thexchangelab.com/MAPI -ExternalURL https://mail.thexchangelab.com/MAPI -IISAuthenticationMethods NTLM,Negotiate

Get-ActiveSyncVirtualDirectory -Server Exchange-2016 | Set-ActiveSyncVirtualDirectory -InternalURL https://mail.thexchangelab.com/Microsoft-Server-ActiveSync -ExternalURL https://mail.thexchangelab.com/Microsoft-Server-ActiveSync

Set-OutlookAnywhere -identity “Exchange-2016\RPC (Default Web Site)” -ExternalHostname mail.thexchangelab.com -InternalHostname mail.thexchangelab.com -InternalClientsRequireSSL $true -ExternalClientsRequireSsl $true -ExternalClientAuthenticationMethod:NTLM

Once you have run them all, you can either perform an IISReset or you can reboot your server for the changes to take effect.

Last, do not forget to update the bindings in IIS. You can do so as follows:

To configure this, launch IIS as we did in the previous section, expand sites and click on Default Web Site as shown in Figure 4.22.

On the right-hand side, you will see a link that says “Bindings…”. Click on this link.

A new window as shown below will open:

Now click on https as highlighted and select Edit on the right-hand side. A new window will open as shown below.

Click the dropdown list below “SSL Certificate” and select the certificate you want to use. Once done click OK to go back to the previous window and then click Close.

In the next part of this series, we will continue our look at configurations after you install Exchange 2016. We will focus on the send/receive connectors, limiting EAC access, databases, and DAGs.

Featured image: Shutterstock

Edward van Biljon

Edward van Biljon is an experienced messaging specialist working in the IT and services industry. He is skilled in WSUS, domain name system, datacenters, printer support, and System Center Configuration Manager (SCCM). He has a background as a strong IT professional and has an international diploma in programming focused on computer programming.

Share
Published by
Edward van Biljon

Recent Posts

Microsoft Teams guest access: How to enable and manage it

Two of the main factors that affect the total cost of an organization’s Microsoft 365…

14 hours ago

Samsung Galaxy Unpacked 2020: Everything you need to know

Samsung rolled out the all-new Galaxy Z Fold 2, Note 20, Note 20 Ultra handsets…

17 hours ago

SAN vs. NAS: Detailed comparison of these two storage technologies

SAN and NAS provide dedicated storage for a group of users using completely different approaches…

20 hours ago

Generation 1 virtual machines: Modernize them and bring them up to date

In many companies, Generation 1 virtual machines have been superseded by Gen 2 VMs. But…

2 days ago

Free VPNs from Hong Kong with ‘no-log policy’ experience data leak

With these free VPNs based in Hong Kong, you may not be paying any money…

2 days ago

Azure DevOps tips and tricks: Using built-in features

These Azure DevOps tips and tricks come fresh from the field where they have been…

2 days ago