Building Exchange 2019 from scratch: Administration and tour

In part 3 of this series of building an Exchange 2019 environment from scratch, we took you through the Exchange 2019 unattended installation. In part 4, we will move on to Exchange 2019 administration and the tasks you need to do for your brand-new server. We will be covering the following sections:

  • Licensing Exchange 2019.
  • Configuration of URLs.
  • Turning off access to the Exchange admin center (EAC).
  • Creating your certificate signing request (CSR) and submitting it to a third party provider so you can secure Exchange.

Let’s start with licensing, certainly one of the most important Exchange 2019 administration tasks. When you install Exchange 2019 or 2016 (I’m not covering legacy versions here), you pretty much have a fully operational/working Exchange server that you can set up and use. But you are limited to the number of databases you can have in the Trial mode (which is five, just like Standard). To license Exchange 2019, you can do so with the Exchange Management Shell (EMS) or the Exchange admin center (EAC). All admins have their preferences. In the Exchange admin center, you can log in and then click on servers on the left, and once you click on a server, it will give you the license status on the right-hand side and give you the option to enter a product key as shown below:

Exchange 2019 Administration

Or you can double-click on a server or click on the pencil icon. On the General properties page, you can enter the key (the above will take you to the same place):

Once you click Save, you will be prompted to restart the Information Store Service for the changes to take effect. You can also license the server using PowerShell and the command below:

Set-ExchangeServer -Identity ex2019a -ProductKey xxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxx-xxxxx

Replace the values after the product key with your own from your Visual Studio subscription. You will get the same warning as above.

The next thing we will look at configuring is your Exchange 2019 certificate and creating a certificate signing request. We will move to the URL section as soon as this one is complete.

A lot times, I have worked with customers who use wildcard certificates, so it is an easier process because you simply launch IIS and then import the .PFX file, and in Exchange, you assign the services to it.

Exchange 2019 administration: Generating a CSR

If you do not use a wildcard, then you need to generate the CSR, which is done as follows:

Log in to the Exchange admin center, enter your credentials at the login page, and press enter.

Click on Servers on the left, then click on Certificates on the top right and finally click the + button, as shown below:

Exchange 2019 Administration

Once you have clicked the + button, the window below will show up, leave the default as highlighted as we are creating a CSR for a certificate authority, and then click Next.

Enter in a friendly name for the Exchange certificate as shown below and then click Next.

In this example, we are not selecting the option for a wildcard, so just click Next to continue.

Exchange 2019 Administration

On the page shown below, you need to select a server. Clicking the browse button will immediately bring up the server list. Select a server and then click OK.

Exchange 2019 Administration

Once you have clicked OK, the server name will show in the tab as per the below option. Click Next to continue.

Exchange 2019 Administration

On the page below, you need to define your namespace. Remember that anything .local is not resolvable on the Internet. In my example, I made everything the same.

For part 2 of the URL namespace, you can see that I have and then and pop/imap set. Once you have set all of them, click Next.

In the window below, you will have .local as an option. Remove it and anything else you don’t want and then click Next.

Exchange 2019 Administration

Enter in the information below for the certificate and then click Next.

Last, you need to save the request. As you can see below, I used \\localhost\c$\thexchangelab.REQ. Click the Finish button.

Back in the Exchange admin center, you can see below for EX2019A, where I performed this on, there is a pending request. The CSR will now need to be uploaded to a third-party source like GoDaddy, DigiCert, or RapidSSL for them to complete the request for you and provide you with your SSL certificate.

Exchange 2019 Administration

When you have received your SSL certificate after validations and verification (it can take a day or two), you now need to complete the certificate request. Back in the EAC, click on the pending request and then click Complete as shown below:

Exchange 2019 Administration

Enter the location of the file. It can be \\localhost\c$\ssl.cer as an example and then click OK. Now double click on that certificate to assign the services you want it to be bound to. Remember to do an IISRESET or reboot your server for the changes to apply.

Turning off access to the Exchange admin center

I have spoken about this in one of my previous posts. Turning off access to the EAC should be considered when your servers are external facing. You might have a server internally that does not have internet access used for management, which you can use the EAC on. This is just a word of precaution. You do not need to turn it off, but please consider the risks involved with the attacks on Exchange.

Configuration of URLs

Configuring your URLs in Exchange 2019 is important, just like any other version. You need to set them all, so you do not have popups on Outlook or have issues connecting externally. To perform the configurations, here are the PowerShell commands to configure them all:

Set-ClientAccessService -Identity Exchange-2019 -AutodiscoverServiceInternalUri

Get-WebServicesVirtualDirectory -Server Exchange-2019 | Set-WebServicesVirtualDirectory -InternalUrl -ExternalURL

Set-OWAVirtualDirectory -identity “Exchange-2019\owa (Default Web Site)” -InternalURL -ExternalURL

Get-OABVirtualDirectory -Server Exchange-2019 | Set-OABVirtualDirectory -InternalURL -ExternalURL

Get-ECPVirtualDirectory -Server Exchange-2019 | Set-ECPVirtualDirectory -InternalURL -ExternalURL

Get-MAPIVirtualDirectory -Server Exchange-2019 | Set-MAPIVirtualDirectory -InternalURL -ExternalURL -IISAuthenticationMethods NTLM,Negotiate

Get-ActiveSyncVirtualDirectory -Server Exchange-2019 | Set-ActiveSyncVirtualDirectory -InternalURL -ExternalURL

Set-OutlookAnywhere -identity “Exchange-2019\RPC (Default Web Site)” -ExternalHostname -InternalHostname -InternalClientsRequireSSL $true -ExternalClientsRequireSsl $true -ExternalClientAuthenticationMethod:NTLM

Once you have set them all, reboot your server for the changes to take effect.

Exchange 2019 administration: Coming up next

This article is quite long, so in the next part of the series, we will continue our Exchange 2019 administration and look at configuring the following:

  • Configuring storage
  • Installing an additional server
  • Creating a database availability group (DAG)

Featured image: Shutterstock

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top