In Part 1 of this series, we walked through the steps needed to install Exchange 2016. Here in Part 2, we will look at the following tasks that need to be done post-installation:
- Install the security update for the CU you installed.
- Install Windows updates.
- Access the Exchange Admin Center (EAC) and log in.
- License your Exchange 2016 servers.
- Create a new certificate request.
- Configure your URLs for Exchange 2016.
- Update your bindings with the new certificate in IIS.
Once you have installed Exchange 2016, the first thing to do, before anything else, is install the security updates. Security updates fix identified issues and help keep your Exchange Server secure. Download the file and then run it from an elevated command prompt. How long setup takes varies from system to system: some take 15 minutes, others take 2-3 hours.
Once that is done, you need to run Windows updates for your Windows Server 2016 machine. Depending on how far behind your server is, it can take a while. If you have an image that is fully patched, it should not take long.
Exchange Admin Center (EAC)
You can access the Exchange Admin Center (EAC) from the Start menu: under Exchange 2016, click its entry and a web page will open, similar to the one below. (Note that if you are running in coexistence, you need to append /?ExchClientVer=15 to the URL, as you will otherwise be redirected to the Exchange 2010 ECP/OWA pages.)
Enter your account credentials. It can be domain\admin_account and the password. Logging in for the first time does take a few minutes so don’t think it’s broken. Your window will look similar to the one below:
When you install Exchange 2016, it is a full version of Exchange, meaning you have access to the entire system for a certain period of time, but you are limited to a maximum of five databases. You can choose between Standard Edition and Enterprise Edition: Standard is limited to five mounted databases and Enterprise is limited to 100.
To license your server, you can either do it from the Exchange Admin Center or by using the Exchange Management Shell (EMS) / PowerShell, which I find much easier to do. To license your server using the Exchange Admin Center, click on "servers" on the left and then select "servers" in the middle. Double-click on the server you want to license, and on the general page you will be able to enter the license key as shown below:
If you want to use PowerShell, you can simply enter the command below to license your server. (Replace Server1 and the key with your own server name and product key.)
Set-ExchangeServer Server1 -ProductKey 00000-00000-00000-00000-00000
After this, you need to restart the Microsoft Information Store.
Certificates are not difficult to install and get set up. For the most part, you will have a SAN name for the namespace you want to use, like mail.thexchangelab.com and you will have an autodiscover record on. To obtain a certificate you will need to create a request to an external SSL provider like GoDaddy, DigiCert, RapidSSL, etc. In the Exchange Admin Center, if you click on “servers” on the left and then “certificates” on the top right, you can click the + button to create a new CSR. Here are some screenshots:
Select the first option and then click Next to continue.
You need to provide a friendly name for the certificate. Enter one and then click Next.
If you are using a wildcard certificate then enable the checkbox above or click Next to continue.
You need to store this certificate request on a server. Click the browse button, which will bring up all the servers. Select one.
Your server will now be displayed in the box above. As you can see, the Next button is highlighted for you to proceed.
In this section, you need to update the URLs you wish to use for POP3, IMAP4, MAPI, OAB, OWA, EWS, and AS. Once done, click Next to continue.
Now in this window enter the details and then click Next.
Last, enter the location where this request file will be saved. You can use \\localhost\C$\certname.REQ and then click Finish.
Now you can upload the REQ file you just saved to the vendor’s site and you will see the names just as you selected them and they will ask you to validate the domain before they issue you the certificate.
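The same request can be generated from the Exchange Management Shell. The following is an added example, not part of the original article: newer cumulative updates removed the -RequestFile parameter because it accepted UNC paths, so the request text is captured and written to a local file instead. The subject fields, friendly name, output path and the autodiscover host name are assumptions; the server name and mail host are the article's sample values.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell.
# Assumed values: subject fields (c=, o=), friendly name, output path and the
# autodiscover host. Server name and mail host are the article's sample values.
$server = 'Exchange-2016'

$request = New-ExchangeCertificate -GenerateRequest `
    -Server $server `
    -FriendlyName 'Exchange 2016 SAN certificate' `
    -SubjectName 'c=US,o=Example Org,cn=mail.thexchangelab.com' `
    -DomainName 'mail.thexchangelab.com', 'autodiscover.thexchangelab.com' `
    -KeySize 2048 `
    -PrivateKeyExportable $true

# Write the Base64 request to a local file for upload to the certificate provider.
[System.IO.File]::WriteAllBytes('C:\certname.req',
    [System.Text.Encoding]::Unicode.GetBytes($request))

# The pending request (and its private key) stays on the server until the issued
# certificate is imported. List it to confirm the names that were requested.
Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Status -eq 'PendingRequest' } |
    Format-List FriendlyName, Subject, CertificateDomains, Thumbprint
```

Only the .req file leaves the server; the private key never does, so the issued certificate has to be imported on the same server that generated the request.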
Configuring your URLs
In this example, I will show you how to configure your URLs for all the services using PowerShell. Here are all the commands needed to configure them:
Set-ClientAccessService -Identity Exchange-2016 -AutodiscoverServiceInternalUri https://mail.thexchangelab.com/autodiscover/autodiscover.xml
Get-WebServicesVirtualDirectory -Server Exchange-2016 | Set-WebServicesVirtualDirectory -InternalUrl https://mail.thexchangelab.com/ews/exchange.asmx -ExternalURL https://mail.thexchangelab.com/ews/exchange.asmx
Set-OWAVirtualDirectory -identity "Exchange-2016\owa (Default Web Site)" -InternalURL https://mail.thexchangelab.com/owa -ExternalURL https://mail.thexchangelab.com/owa
Get-OABVirtualDirectory -Server Exchange-2016 | Set-OABVirtualDirectory -InternalURL https://mail.thexchangelab.com/OAB -ExternalURL https://mail.thexchangelab.com/OAB
Get-ECPVirtualDirectory -Server Exchange-2016 | Set-ECPVirtualDirectory -InternalURL https://mail.thexchangelab.com/ECP -ExternalURL https://mail.thexchangelab.com/ECP
Get-MAPIVirtualDirectory -Server Exchange-2016 | Set-MAPIVirtualDirectory -InternalURL https://mail.thexchangelab.com/MAPI -ExternalURL https://mail.thexchangelab.com/MAPI -IISAuthenticationMethods NTLM,Negotiate
Get-ActiveSyncVirtualDirectory -Server Exchange-2016 | Set-ActiveSyncVirtualDirectory -InternalURL https://mail.thexchangelab.com/Microsoft-Server-ActiveSync -ExternalURL https://mail.thexchangelab.com/Microsoft-Server-ActiveSync
Set-OutlookAnywhere -identity "Exchange-2016\RPC (Default Web Site)" -ExternalHostname mail.thexchangelab.com -InternalHostname mail.thexchangelab.com -InternalClientsRequireSSL $true -ExternalClientsRequireSsl $true -ExternalClientAuthenticationMethod:NTLM
Once you have run them all, you can either perform an IISReset or you can reboot your server for the changes to take effect.
Last, do not forget to update the bindings in IIS. You can do so as follows:
To configure this, launch IIS as we did in the previous section, expand sites and click on Default Web Site as shown in Figure 4.22.
On the right-hand side, you will see a link that says “Bindings…”. Click on this link.
A new window as shown below will open:
Now click on https as highlighted and select Edit on the right-hand side. A new window will open as shown below.
Click the dropdown list below “SSL Certificate” and select the certificate you want to use. Once done click OK to go back to the previous window and then click Close.
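Once the URLs are set and the binding is updated, it is worth confirming that every host name clients will be handed is actually covered by the certificate bound in IIS, since a mismatch shows up as certificate warnings in Outlook and on mobile devices. The following check is an added example, not part of the original article; it assumes it is run in the Exchange Management Shell on the Exchange server itself and uses the article's sample server name.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell
# on the Exchange server itself (Get-WebBinding reads the local IIS configuration).
Import-Module WebAdministration
$server = 'Exchange-2016'   # the article's sample server name

function Test-HostCovered([string]$HostName, [string[]]$Domains) {
    foreach ($d in $Domains) {
        if ($d -eq $HostName) { return $true }
        # A wildcard covers one label only: *.example.com matches mail.example.com.
        if ($d.StartsWith('*.') -and $HostName.Split('.', 2)[1] -eq $d.Substring(2)) { return $true }
    }
    return $false
}

# Certificate actually bound to https on the Default Web Site (first https binding).
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https | Select-Object -First 1
$cert    = Get-ExchangeCertificate -Server $server -Thumbprint $binding.certificateHash
$domains = @($cert.CertificateDomains | ForEach-Object { "$_" })

# Gather every URL or host name that clients will be handed.
$targets = @()
$targets += (Get-ClientAccessService -Identity $server).AutoDiscoverServiceInternalUri
$getters = 'Get-WebServicesVirtualDirectory', 'Get-OwaVirtualDirectory', 'Get-OabVirtualDirectory',
           'Get-EcpVirtualDirectory', 'Get-MapiVirtualDirectory', 'Get-ActiveSyncVirtualDirectory'
foreach ($g in $getters) {
    & $g -Server $server | ForEach-Object { $targets += $_.InternalUrl, $_.ExternalUrl }
}
Get-OutlookAnywhere -Server $server | ForEach-Object {
    $targets += "https://$($_.InternalHostname)", "https://$($_.ExternalHostname)"
}

# Report anything unset, not https, or not covered by the bound certificate.
"Bound certificate $($cert.Thumbprint) expires $($cert.NotAfter)"
foreach ($t in $targets) {
    $uri = $null
    if ("$t") { $uri = "$t" -as [uri] }
    if (-not $uri -or -not $uri.IsAbsoluteUri) { 'NOT SET  (empty URL or host name)'; continue }
    $ok = ($uri.Scheme -eq 'https') -and (Test-HostCovered $uri.Host $domains)
    '{0,-8} {1}' -f $(if ($ok) { 'OK' } else { 'MISMATCH' }), $uri.AbsoluteUri
}
```

Any line marked MISMATCH or NOT SET points at a URL that was missed in the configuration commands or at a name that is missing from the certificate request.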
In the next part of this series, we will continue our look at configurations after you install Exchange 2016. We will focus on the send/receive connectors, limiting EAC access, databases, and DAGs.