For purposes of providing an example, the template uses the fictitious company name of Contoso. Also, you can download this template, along with templates for other server roles, as a download package in .zip file format at Microsoft Exchange Server 2010 Install Guide Templates (http://go.microsoft.com/fwlink/?LinkID=187961).
Executive Summary
The purpose of this document is to explain the installation and configurations necessary to install the Exchange 2010 Client Access server role on the Windows Server 2008 platform.
Business Justification
By having an installation guide, Contoso will be able to ensure standardization across the enterprise, reducing total cost of ownership (TCO), and easing troubleshooting steps.
Scope
The scope of this document is limited to installation of an Exchange 2010 Client Access server for Contoso on the x64 version of the Windows Server 2008 (SP2 or R2) operating system.
Prerequisites
The administrator should have working knowledge of Windows Server 2008 concepts, Exchange 2010 concepts, the Exchange Management Console and Exchange Management Shell, the command line, and various system utilities. This document does not elaborate on the details of any system utility except as necessary to complete the tasks within.
In addition, before implementing the server role, the administrator should review the Understanding Client Access topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187352).
Assumptions
This document assumes that Windows Server 2008 x64 Edition is installed on the intended Client Access server per company baseline regulations, which include the latest approved service pack and hotfixes. In addition, the following system prerequisites have been installed:
- Microsoft .NET Framework 3.5 SP1 and the update for .NET Framework 3.5 SP1. For more information, see Microsoft Knowledge Base article 959209, An update for the .NET Framework 3.5 Service Pack 1 is available (http://go.microsoft.com/fwlink/?linkid=3052&kbid=959209).
- Windows Management Framework (Windows Remote Management 2.0 and Windows PowerShell 2.0).
This document assumes that forest and domain preparation steps have been performed as described in the Prepare Active Directory and Domains topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187262).
This document assumes that the account you will be using for the Exchange tasks has been delegated the Server Management management role, as described in the Server Management topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187265).
This document also assumes that both Exchange 2010 and Windows Server 2008 will be secured following the best practices found in the Windows Server 2008 Security Guide (http://go.microsoft.com/fwlink/?LinkId=122593).
Important: The procedures within this document should be followed sequentially. If changes are made out of sequence, unexpected results may occur.
Server Configuration
The following media are required for this section: Windows Server 2008 installation files.
The following procedures are in this section:
1. Additional Software Verification
2. Network Interfaces Configuration
3. Drive Configuration
4. Windows Server 2008 Hotfix Installation
5. Domain Membership Configuration
6. Local Administrators Verification
7. Local Administrator Account Password Reset
8. Debugging Tools Installation
9. Page File Modifications
10. Drive Permissions
11. Windows Network Load Balancing Installation and Configuration
12. DNS Entry Creation
Drive Configuration
1. Connect to the server through Remote Desktop, and then log on with an account that has been delegated local administrative access.
2. Click Start > Administrative Tools, and then select Computer Management.
3. Expand Storage, and then click Disk Management.
4. Using the Disk Management snap-in of the Microsoft Management Console (MMC), format, rename, and assign the appropriate drive letters so that the volumes and DVD drive match the appropriate server configuration.
Drive configuration
LUN   Drive letter   Usage
1     C
2     Z
7. Under Virtual Memory, click Change.
8. On servers that have a dedicated page file drive, follow these steps:
   a. In the Drive list, click C:, and then click Custom size.
   b. For the C: drive, set the Initial Size (MB) value to a minimum of 200 MB. (Windows requires between 150 MB and 2 GB of page file space, depending on server load and the amount of physical RAM that is available for page file space on the boot volume when Windows is configured for a kernel memory dump. Therefore, you may be required to increase the size.)
   c. For the C: drive, set the Maximum Size (MB) value to that of the Initial Size.
   d. In the Drive list, select the page file drive (for example, the P: drive), and then click Custom size.
   e. In the Initial Size (MB) box, type the result of one of the following calculations: if the server has less than 8 GB of RAM, multiply the amount of RAM by 1.5; if the server has 8 GB of RAM or more, add 10 MB to the amount of RAM.
   f. In the Maximum Size (MB) box, type the same amount that you typed in the Initial Size box.
   g. Delete all other page files.
   h. Click OK.
9. On servers that do not have a dedicated page file drive, follow these steps:
   a. In the Drive list, click C:, and then click Custom size.
   b. For the C: drive, in the Initial Size (MB) box, type the result of one of the following calculations: if the server has less than 8 GB of RAM, multiply the amount of RAM by 1.5; if the server has 8 GB of RAM or more, add 10 MB to the amount of RAM.
   c. Delete all other page files.
   d. Click OK.
10. Click OK two times to close the System Properties dialog box.
11. Click No if prompted to restart the system.
Note: For more information about page file recommendations, see the following Microsoft Knowledge Base articles: How to determine the appropriate page file size for 64-bit versions of Windows Server 2003 or Windows XP (http://go.microsoft.com/fwlink/?linkid=3052&kbid=889654); and Overview of memory dump file options for Windows Vista, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows XP, and Windows 2000 (http://go.microsoft.com/fwlink/?linkid=3052&kbid=254649).
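The sizing rule in steps 8 and 9 (1.5 x RAM below 8 GB, RAM + 10 MB at or above it, with a fixed 200 MB file on C: when a dedicated page file drive exists) can be computed and applied without the System Properties dialog. The following script is an added example and is not part of the Contoso template; it uses the Win32_ComputerSystem and Win32_PageFileSetting WMI classes so that it runs on Windows PowerShell 2.0. The function names, the P: drive letter and the choice to make the maximum equal to the initial size in the non-dedicated case (step 9 gives only the initial size) are this example's assumptions.

```powershell
# Added example, not part of the Contoso template. Computes the page-file layout the
# "Page File Modifications" steps prescribe and applies it through WMI.

function Get-CasPageFilePlan {
    param(
        [Parameter(Mandatory=$true)][int]$RamMB,   # installed RAM in MB
        [bool]$DedicatedPageFileDrive = $true,
        [string]$PageFileDrive = 'P:'              # example drive letter used by the guide
    )
    # Guide rule: under 8 GB, 1.5 x RAM; 8 GB or more, RAM + 10 MB. Initial = maximum.
    if ($RamMB -lt 8192) { $sizeMB = [int][math]::Ceiling($RamMB * 1.5) }
    else                 { $sizeMB = $RamMB + 10 }

    $plan = @()
    if ($DedicatedPageFileDrive) {
        # C: keeps a small fixed page file (guide minimum 200 MB) for kernel memory dumps
        $plan += New-Object PSObject -Property @{ Drive = 'C:'; InitialMB = 200; MaximumMB = 200 }
        $plan += New-Object PSObject -Property @{ Drive = $PageFileDrive; InitialMB = $sizeMB; MaximumMB = $sizeMB }
    } else {
        # Guide states only the initial size here; an equal maximum (assumption) keeps the file fixed-size
        $plan += New-Object PSObject -Property @{ Drive = 'C:'; InitialMB = $sizeMB; MaximumMB = $sizeMB }
    }
    return $plan
}

function Set-CasPageFiles {
    param([Parameter(Mandatory=$true)]$Plan)
    # Turn off automatic management so that explicit sizes are honoured
    $cs = Get-WmiObject Win32_ComputerSystem
    if ($cs.AutomaticManagedPagefile) { $cs.AutomaticManagedPagefile = $false; $cs.Put() | Out-Null }

    $wanted = @{}
    foreach ($p in $Plan) { $wanted["$($p.Drive)\pagefile.sys"] = $p }

    # "Delete all other page files": remove settings for drives not in the plan
    Get-WmiObject Win32_PageFileSetting |
        Where-Object { -not $wanted.ContainsKey($_.Name) } |
        ForEach-Object { $_.Delete() }

    foreach ($name in $wanted.Keys) {
        $p = $wanted[$name]
        # WQL needs the backslash in the path doubled
        $existing = Get-WmiObject Win32_PageFileSetting -Filter "Name='$($name -replace '\\','\\')'"
        if (-not $existing) {
            $existing = ([wmiclass]'Win32_PageFileSetting').CreateInstance()
            $existing.Name = $name
        }
        $existing.InitialSize = $p.InitialMB
        $existing.MaximumSize = $p.MaximumMB
        $existing.Put() | Out-Null
    }
    # Changes take effect after the restart the guide defers (step 11: click No for now)
}

# Usage (TotalPhysicalMemory reports slightly less than the installed amount):
# $ram = [int]((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
# Set-CasPageFiles (Get-CasPageFilePlan -RamMB $ram -DedicatedPageFileDrive $true)
```

Run Get-CasPageFilePlan on its own first and compare the result with the table you would otherwise type into the dialog; Set-CasPageFiles only writes what that plan contains.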
Drive Permissions
1. Connect to the server through Remote Desktop, and then log on with an account that has been delegated local administrative access.
2. Click Start, and then select Computer.
3. Right-click the D drive, and then select Properties.
4. Click the Security tab.
5. Click Edit.
6. Click Add, and then select the local server from Locations.
7. Grant the rights outlined in the following table.
Drive permissions
Account               Permissions
Administrators        Full Control
SYSTEM                Full Control
Authenticated Users   Read and Execute, List, Read
CREATOR OWNER         Full Control
8. Click the Advanced button.
9. Select the CREATOR OWNER permission entry, and then click View/Edit.
10. Select Subfolders and Files Only from the drop-down list.
11. Click OK two times.
12. Click OK to close the drive properties.
13. Repeat steps 3-12 for each additional drive (other than the C drive).
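The same table can be applied and audited from PowerShell with Get-Acl and Set-Acl, which is easier to repeat for every data drive (step 13) and to re-check later. The script below is an added example, not part of the Contoso template; it assumes an NTFS drive root such as D:\ passed as a parameter and an elevated session. The "Subfolders and Files Only" setting for CREATOR OWNER is expressed as InheritOnly propagation. Like the dialog steps, the Set- function adds entries without removing existing ones; the Test- function lists any entries the table does not name so that you can decide about them.

```powershell
# Added example, not part of the Contoso template. Applies the "Drive permissions" table with
# Get-Acl/Set-Acl and reports access entries that the table does not list.

$InheritAll   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$ThisAndBelow = [System.Security.AccessControl.PropagationFlags]::None         # this folder, subfolders and files
$BelowOnly    = [System.Security.AccessControl.PropagationFlags]::InheritOnly  # "Subfolders and Files Only"

# One entry per row of the guide's table (Read & Execute implies List and Read)
$CasDriveRules = @(
    @{ Id = 'BUILTIN\Administrators';           Rights = 'FullControl';    Prop = $ThisAndBelow },
    @{ Id = 'NT AUTHORITY\SYSTEM';              Rights = 'FullControl';    Prop = $ThisAndBelow },
    @{ Id = 'NT AUTHORITY\Authenticated Users'; Rights = 'ReadAndExecute'; Prop = $ThisAndBelow },
    @{ Id = 'CREATOR OWNER';                    Rights = 'FullControl';    Prop = $BelowOnly }
)

function Set-CasDrivePermissions {
    param([Parameter(Mandatory=$true)][string]$Drive)   # e.g. 'D:\'
    $acl = Get-Acl -Path $Drive
    foreach ($r in $CasDriveRules) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $r.Id,
            [System.Security.AccessControl.FileSystemRights]$r.Rights,
            $InheritAll,
            $r.Prop,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)   # merges with any existing entry for the same identity
    }
    Set-Acl -Path $Drive -AclObject $acl
}

function Test-CasDrivePermissions {
    param([Parameter(Mandatory=$true)][string]$Drive)
    $expected = $CasDriveRules | ForEach-Object { $_.Id }
    $acl = Get-Acl -Path $Drive
    $findings = @()
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($expected -notcontains $id) {
            $findings += "Unlisted entry: $id $($ace.AccessControlType) $($ace.FileSystemRights)"
        }
    }
    foreach ($r in $CasDriveRules) {
        $hit = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $r.Id -and $_.AccessControlType -eq 'Allow'
        }
        if (-not $hit) { $findings += "Missing entry for $($r.Id)" }
    }
    return $findings   # empty array means the drive matches the table
}

# Usage: foreach ($d in 'D:\','Z:\') { Set-CasDrivePermissions -Drive $d; Test-CasDrivePermissions -Drive $d }
```

Running the Test- function before the Set- function shows the default entries Windows placed on the volume (for example BUILTIN\Users), which is what the unlisted-entry output is for.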
9. In the Cluster IP Address section, click Add and enter:
   a. IP Address
   b. Subnet Mask
10. Click Next.
11. In the Cluster Parameters section, enter the Full Internet Name (for example, mail.contoso.com) that will be used by the cluster, and make sure Unicast is selected.
12. Click Next.
13. In the Port Rules section, select the default rule and click Edit.
14. Under Port Range, change the From value to 80 and the To value to 80.
15. Under Protocols, select TCP.
16. Click OK.
17. Click Add to create a new port rule.
   a. Under Port Range, change the From value to 443 and the To value to 443.
   b. Under Protocols, select TCP.
   c. Click OK.
Note: If you are using IMAP or POP in the environment, be sure to create the appropriate rules.
18. Click Add to create a new port rule.
   a. Under Port Range, change the From value to 143 and the To value to 143.
   b. Under Protocols, select TCP.
   c. Click OK.
19. Click Add to create a new port rule.
   a. Under Port Range, change the From value to 110 and the To value to 110.
   b. Under Protocols, select TCP.
   c. Click OK.
20. Click Add to create a new port rule.
   a. Under Port Range, change the From value to 993 and the To value to 993.
   b. Under Protocols, select TCP.
   c. Click OK.
21. Click Add to create a new port rule.
   a. Under Port Range, change the From value to 500 and the To value to 500.
   b. Under Protocols, select UDP.
   c. Click OK.
Note: The above rule for UDP 500 should be created only if you are using IPsec in the environment.
22. Click Add to create a new port rule.
   a. Under Port Range, change the From value to 995 and the To value to 995.
   b. Under Protocols, select TCP.
   c. Click OK.
23. Click Add to create a new port rule.
   a. Under Port Range, change the From value to 135 and the To value to 135.
   b. Under Protocols, select TCP.
   c. Click OK.
24. Click Add to create a new port rule.
   a. Under Port Range, change the From value to 59595 and the To value to 59596.
   b. Under Protocols, select TCP.
   c. Click OK.
25. Click OK.
26. Click OK to acknowledge the resulting dialog box.
27. While still in the internal network connection properties, click Internet Protocol (TCP/IP) and select Properties.
28. Click Advanced.
29. Under IP Addresses, click Add.
   a. Enter the virtual IP Address and Subnet Mask, and click OK.
   b. Click OK.
30. Click Finish to complete the New Cluster wizard.
Verification Steps
The following procedures are in this section:
1. Organizational Unit Verification
2. Active Directory Site Verification
3. Domain Controller Diagnostics Verification
4. Exchange Best Practices Analyzer Verification
Important: The procedures within this document should be followed sequentially. If changes are made out of sequence, unexpected results may occur.
Management tools installed through Remote Desktop, and log on with an account that has local administrative access.
1. Click Start > All Programs > Microsoft Exchange Server 2010, and then select Exchange Management Console.
2. Open the Toolbox node.
3. Double-click Best Practices Analyzer.
4. Check for and apply any updates for the Best Practices Analyzer engine.
5. Provide the appropriate information to connect to Active Directory, and then click Connect to the Active Directory server.
6. In Start a New Best Practices Scan, select Health Check, and then click Start Scanning.
7. Review the report, and take action on any errors or warnings that are reported by following the resolution articles that are provided within the Best Practices Analyzer.
3. RPC Client Access and Address Book Services Configuration
4. Autodiscover Configuration
5. Outlook Anywhere Configuration
6. Offline Address Book Configuration
7. IMAP4 Configuration
8. POP3 Configuration
9. Outlook Web App Configuration (Internet Scenario) or Outlook Web App Configuration (Proxy Scenario)
10. Legacy ActiveSync Configuration
11. Handoff Test
Important: The procedures within this document should be followed sequentially. If changes are made out of sequence, unexpected results may occur.
An example of [Full Subject Path] is "c=US, o=Company, cn=CAS01.contoso.com".
Note: The Windows RPC/HTTP client-side component in Windows Vista requires that the Subject Name (Common Name) on the certificate match the Certificate Principal Name configured for the Outlook Anywhere connection in the Outlook profile. This behavior was changed in Windows Vista Service Pack 1 (SP1). Therefore, as a best practice, make sure that mail.contoso.com is listed as the Subject Name in your certificate unless you plan to change the configuration. You can use the Set-OutlookProvider cmdlet to change the configuration. For more information about how to change the configuration, see the Exchange Team Blog article, When, if and how do you modify Outlook Providers? (http://go.microsoft.com/fwlink/?LinkId=160947).
3. Submit the request file to the Certificate Authority (CA) and have the CA generate the certificate.
4. After receiving the certificate, import and enable it by running the following Exchange Management Shell command, where [services] can be POP, IMAP, IIS, or a combination:
   Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path C:\NewCert.pfx -Encoding Byte -ReadCount 0)) -Password:(Get-Credential).Password | Enable-ExchangeCertificate -Services "[services]"
5. To mandate SSL on the default Web site, do the following:
   a. Open Internet Information Services (IIS) Manager.
   b. Expand the Server Node object and the Sites node.
   c. Click the Default Web Site.
   d. In the middle pane, double-click SSL Settings.
   e. Verify that Require secure channel (SSL) is enabled.
Note: If you require 128-bit encryption, also verify that Require 128-bit encryption is enabled.
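After step 4 it is worth confirming that the certificate Exchange will present is the one you intended: the Common Name matches the public name (the Windows Vista RPC/HTTP note above), it is enabled for the services you listed, it is CA-issued rather than the self-signed certificate Setup created, and it is not about to expire. The function below is an added example, not part of the Contoso template; it runs in the Exchange Management Shell against Get-ExchangeCertificate, and the name mail.contoso.com, the default service list and the 30-day expiry threshold are assumptions exposed as parameters.

```powershell
# Added example, not part of the Contoso template. Checks the certificate that carries the
# public name and returns a list of findings (empty when everything is as the guide expects).
function Test-CasCertificate {
    param(
        [string]$ExpectedName = 'mail.contoso.com',   # public name used by the guide
        [string[]]$RequiredServices = @('IIS'),       # add 'POP','IMAP' if those protocols are offered
        [int]$MinDaysValid = 30                       # assumed renewal lead time
    )
    $findings = @()
    # Prefer the longest-lived certificate that lists the expected name among its domains
    $cert = Get-ExchangeCertificate |
        Where-Object { $_.CertificateDomains -contains $ExpectedName } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { return @("No certificate on this server lists $ExpectedName") }

    # Subject Name (CN) must be the public name, not just a SAN entry
    if ($cert.Subject -notmatch ('(^|,\s*)CN=' + [regex]::Escape($ExpectedName) + '(,|$)')) {
        $findings += "Subject '$($cert.Subject)' does not use $ExpectedName as its Common Name"
    }
    foreach ($svc in $RequiredServices) {
        # Services is a flags value whose string form looks like "IIS, SMTP"
        if ($cert.Services.ToString() -notmatch ('\b' + $svc + '\b')) {
            $findings += "Certificate $($cert.Thumbprint) is not enabled for $svc"
        }
    }
    if ($cert.IsSelfSigned) {
        $findings += "Certificate $($cert.Thumbprint) is self-signed; Outlook Anywhere and mobile clients will not trust it"
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays($MinDaysValid)) {
        $findings += "Certificate $($cert.Thumbprint) expires $($cert.NotAfter.ToShortDateString())"
    }
    return $findings
}

# Usage: Test-CasCertificate -RequiredServices IIS,POP,IMAP
```

An empty result means the checks passed; each string in the result names the thumbprint so that it can be matched against Get-ExchangeCertificate output.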
Launch the Exchange Management Shell with an account that has been delegated the Server Management role and then run the following command: New-ClientAccessArray -Fqdn <FQDN of CAS load balanced array> -Site <Active Directory Site>
Important: Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.
   a. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeAB.
   b. Right-click MSExchangeAB, point to New, and then click Key.
   c. Type Parameters to name the new key.
   d. Right-click Parameters, point to New, and then click String Value.
   e. Type RpcTcpPort to name the new value.
   f. Double-click RpcTcpPort.
   g. In the Value data box, type 59596, and then click OK.
2. Close Registry Editor, and then restart the Microsoft Exchange Address Book service.
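The registry steps above pin the Address Book service to TCP 59596, the upper end of the 59595-59596 range forwarded by the NLB port rule created in the Windows Network Load Balancing section. The script below is an added example, not part of the Contoso template: it writes the same REG_SZ value idempotently and then, after the service restart, checks that each TCP port the NLB rules forward (80, 443, 143, 110, 993, 995, 135, 59595, 59596) has a listener on this host. It parses netstat so that it runs on Windows PowerShell 2.0; the function names are this example's, the port list and registry path are the guide's. UDP 500 is not checked because a listener test does not apply to it.

```powershell
# Added example, not part of the Contoso template. Static Address Book port plus a
# listener check for the TCP ports the NLB port rules forward.
function Set-CasAddressBookStaticPort {
    param([int]$Port = 59596)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeAB\Parameters'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # The guide specifies a String (REG_SZ) value named RpcTcpPort
    New-ItemProperty -Path $key -Name 'RpcTcpPort' -Value "$Port" -PropertyType String -Force | Out-Null
    return (Get-ItemProperty -Path $key -Name 'RpcTcpPort').RpcTcpPort
}

function Get-ListeningTcpPorts {
    # 'netstat -ano -p tcp' lines look like "  TCP  0.0.0.0:135  0.0.0.0:0  LISTENING  876"
    $ports = @()
    netstat -ano -p tcp | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING') { $ports += [int]$matches[1] }
    }
    return ($ports | Sort-Object -Unique)
}

function Test-CasNlbPortCoverage {
    # TCP ports from the NLB port rules in the guide
    param([int[]]$ExpectedTcpPorts = @(80, 443, 143, 110, 993, 995, 135, 59595, 59596))
    $listening = Get-ListeningTcpPorts
    $missing = @($ExpectedTcpPorts | Where-Object { $listening -notcontains $_ })
    # 143/993 and 110/995 stay in this list until the IMAP4 and POP3 services are enabled later
    return $missing
}

# Usage:
# Set-CasAddressBookStaticPort
# Restart-Service MSExchangeAB
# Test-CasNlbPortCoverage
```

A port that remains missing after the relevant service has been started is either bound to a different address than expected or blocked by a configuration error; compare the netstat line for that service with the port rule before changing the rule.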
Autodiscover Configuration
Exchange 2010 includes a service named the Autodiscover service. The Autodiscover service makes it easier to configure Outlook 2007 or Outlook 2010 and some mobile phones. For more information, see the Understanding the Autodiscover Service topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=194169).
1. Launch the Exchange Management Shell with an account that has been delegated the Server Management role.
2. Configure the internal Autodiscover URL by running the following command within the Exchange Management Shell. In the following example, CAS01 is the name of the Client Access server and internal.domain.fqdn is the internal namespace used for Autodiscover:
   Set-ClientAccessServer -Identity CAS01 -AutoDiscoverServiceInternalUri https://internal.domain.fqdn/autodiscover/autodiscover.xml
3. Optional: Follow the procedure outlined in the Configure the Exchange Services for the Autodiscover Service topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187243) to configure the Autodiscover service for use by Internet clients. This will enable Outlook Anywhere and set the external URL parameter of the offline address book (OAB), Web Services, and Unified Messaging virtual directories.
4. Optional: Follow the procedure outlined in the Configure Exchange ActiveSync Autodiscover Settings topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187244) for usage by mobile clients.
5. Optional: Enable site affinity by following the procedure outlined in the Configure the Autodiscover Service to Use Site Affinity topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187245).
6. Verify that Autodiscover functions correctly by following the procedure outlined in the Test Outlook Autodiscover Connectivity topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187247).
IMAP4 Configuration
If the Client Access server will not allow IMAP4 connections, you can skip this section.
1. Launch the Exchange Management Shell with an account that has been delegated the Server Management role.
   a. To configure the IMAP4 bindings, run the following command. In the following example, CAS01 is the Client Access server and 0.0.0.0 means any IP address:
      Set-ImapSettings -Server CAS01 -UnencryptedOrTLSBindings 0.0.0.0:143 -SSLBindings 0.0.0.0:993
   b. To disable plain text authentication and enable the custom calendar item retrieval option for IMAP4, run the following command. In the following example, mail.contoso.com is the certificate name and external URL:
      Set-ImapSettings -Server CAS01 -X509CertificateName mail.contoso.com -LoginType SecureLogin -CalendarItemRetrievalOption Custom -OwaServerUrl https://mail.contoso.com/owa
   c. To set the Exchange IMAP4 service to start automatically, run the following command:
      Set-Service MSExchangeIMAP4 -ComputerName CAS01 -StartupType Automatic
POP3 Configuration
If the Client Access server will not allow POP3 connections, you can skip this section.
1. Launch the Exchange Management Shell with an account that has been delegated the Server Management role.
   a. To configure the POP3 bindings, run the following command. In the following example, CAS01 is the Client Access server and 0.0.0.0 means any IP address:
      Set-PopSettings -Server CAS01 -UnencryptedOrTLSBindings 0.0.0.0:110 -SSLBindings 0.0.0.0:995
   b. To disable plain text authentication and enable the custom calendar item retrieval option for POP3, run the following command. In the following example, mail.contoso.com is the certificate name and external URL:
      Set-PopSettings -Server CAS01 -X509CertificateName mail.contoso.com -LoginType SecureLogin -CalendarItemRetrievalOption Custom -OwaServerUrl https://mail.contoso.com/owa
   c. To set the Exchange POP3 service to start automatically, run the following command:
      Set-Service MSExchangePOP3 -ComputerName CAS01 -StartupType Automatic
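The security-relevant setting in both the IMAP4 and POP3 sections is LoginType SecureLogin: with it, the server refuses a plain-text logon unless the session is already protected by TLS, so the 143 and 110 bindings cannot leak passwords. The function below is an added example, not part of the Contoso template, that reads both protocols' settings back with Get-ImapSettings and Get-PopSettings and reports anything that weakens that configuration. It runs in the Exchange Management Shell; the server name CAS01, the certificate name mail.contoso.com and the service start-mode check through WMI are assumptions taken from the two sections above.

```powershell
# Added example, not part of the Contoso template. Verifies the IMAP4 and POP3 hardening
# applied above on one Client Access server and returns a list of findings.
function Test-CasPopImapHardening {
    param(
        [string]$Server = 'CAS01',
        [string]$CertificateName = 'mail.contoso.com'
    )
    $findings = @()
    $protocols = @(
        @{ Name = 'IMAP4'; Settings = (Get-ImapSettings -Server $Server); SslPort = 993; Service = 'MSExchangeIMAP4' },
        @{ Name = 'POP3';  Settings = (Get-PopSettings  -Server $Server); SslPort = 995; Service = 'MSExchangePOP3' }
    )
    foreach ($p in $protocols) {
        $s = $p.Settings
        # Anything other than SecureLogin lets a client send its password before TLS is negotiated
        if ("$($s.LoginType)" -ne 'SecureLogin') {
            $findings += "$($p.Name): LoginType is $($s.LoginType); plain-text logon is accepted without TLS"
        }
        if ($s.X509CertificateName -ne $CertificateName) {
            $findings += "$($p.Name): X509CertificateName is '$($s.X509CertificateName)', expected $CertificateName"
        }
        # SSLBindings holds IPBinding objects whose string form is "address:port"
        $sslBindings = @($s.SSLBindings | ForEach-Object { $_.ToString() })
        if (-not ($sslBindings | Where-Object { $_ -like "*:$($p.SslPort)" })) {
            $findings += "$($p.Name): no SSL binding on port $($p.SslPort) (bindings: $($sslBindings -join ', '))"
        }
        # Start mode via WMI, since Get-Service on PowerShell 2.0 does not expose it
        $svc = Get-WmiObject Win32_Service -ComputerName $Server -Filter "Name='$($p.Service)'"
        if (-not $svc -or $svc.StartMode -ne 'Auto') {
            $findings += "$($p.Name): service $($p.Service) start mode is '$($svc.StartMode)', expected Auto"
        }
    }
    return $findings   # empty array means both protocols match the guide
}

# Usage: Test-CasPopImapHardening -Server CAS01 -CertificateName mail.contoso.com
```

If a protocol is deliberately not offered on this server, the corresponding findings can be ignored; otherwise each line names the cmdlet parameter (LoginType, X509CertificateName, SSLBindings) to correct with Set-ImapSettings or Set-PopSettings.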
1. Launch the Exchange Management Shell with an account that has been delegated the Server Management role.
2. Configure Windows Integrated Authentication by following the procedure outlined in the Configure Forms-based Authentication for Outlook Web App topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187486).
3. Optional: Configure GZip compression by following the procedure outlined in the Configure Gzip Compression Settings topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187343).
4. Configure WebReady Document Viewing by following the procedure outlined in the Configure WebReady Document Viewing topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187344).
5. Configure private and public computer file access by following the procedure outlined in the Configure Public and Private Computer File Access topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187346).
6. Optional: To simplify the Outlook Web App URL and redirect users to HTTPS, follow the procedure outlined in the Simplify the Outlook Web App URL topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187347).
7. Restart the Client Access server.
Note: Replace Domain Controller with a domain controller that is in the same Active Directory site as the Exchange server (optional parameter). The output will be similar to the following if successful:
Z:\E2010-Scripts\CAS>legacyeas.vbs -d:W2K3-DC-01 -a:NorthAmerica
Microsoft (R) Windows Script Host Version 5.1 for Windows
Copyright (C) Microsoft Corporation 1996-1999. All rights reserved.
Exchange Server Container cn=Microsoft-ServerActivesync,cn=1,cn=HTTP,cn=Protocols,cn=<Server>,cn=Servers,cn=NorthAmerica,cn=Administrative Groups,cn=<OrgName>,cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<root domain>
Attribute Name & Value msExchAuthenticationFlags: 6
Attribute Set!!
Handoff Test
Before you can complete the diagnostic tasks in this section, you must have already created test mailboxes in your environment by using the New-TestCasConnectivityUser.ps1 script.
   Test-WebServicesConnectivity -ClientAccessServer <Server> -AllowUnsecureAccess
6. To test Outlook Web App connectivity, run the following command, where <Server> is the name of the Client Access server:
   Test-OwaConnectivity -ClientAccessServer:<Server> -AllowUnsecureAccess
If this server will be responding to Internet client requests, consider using the Exchange Remote Connectivity Analyzer (https://www.testexchangeconnectivity.com/) to verify your configuration as well.