ENow Blog | Exchange Center

Exchange 2013 Lab Tutorial: Part 7- Setting up DAG Databases and SSL

Written by Andy Grogan | Apr 17, 2013 12:25:00 AM

As we are now in Part 7 of this series, let's recap the previous parts.

In Parts 1 and 2, we established our domain design, covered how to provision the Domain Controller for the LAB in Hyper-V and then how to install Windows Server 2012 on the Domain Controller, and we went through the process of installing Active Directory Domain Services on the LAB domain controller using PowerShell.

Part 3

We covered how you can install a very simple PKI infrastructure on the domain controller using Active Directory Certificate Services. These will be used in a later part to configure SSL for various parts of Exchange 2013.

Part 4

We covered how to use PowerShell to provision the Exchange server VMs in the lab, and went through the pre-requisite software installation.

Part 5

We covered the Directory, organisation and Exchange preparation – and then went on to install the relevant Exchange servers using the unattended setup feature.

Part 6

We covered Database Availability Groups and provided a script which automates the creation of DAGs from a CSV file in preparation for…

Part 7

In this part I would like to cover:

  • Creating DAG Enabled Mailbox Databases

  • Configuring the relevant Autodiscover, EWS and Exchange web-based URLs, using the Active Directory Certificate Services that we installed in Part 3

Create Mailbox Databases Script

Configuring Mailbox Databases in Exchange 2013 is not very hard, but in the spirit of this series, where I have been trying to show how you can use PowerShell to automate most tasks, I have written the following script, which performs the following:

  • Creates Mailbox Databases from the command line.

  • Sets the Offline Address Book to the “Default Offline Address Book”.

  • Mounts the new database.

  • Creates a copy of the new database on each node within the DAG.

You can copy and paste the script from this webpage into a new PS1 file on any of the Exchange Servers that we have created in this LAB – or you can download it from the download link below.

<#
Exchange 2013 LAB - Create Mailbox Databases and Add Copies Script
http://www.telnetport25.com
Author: Andy Grogan
Version: 0.1

.Compatibility
Windows Server 2012
Powershell 3
Exchange 2013
Not Supported with any other versions of the software mentioned above.

.Parameters
-DBName
-DBPath
-LogFilePath

.Example
.\Create2013LabDBs.ps1 -DBName <DatabaseName> -DBPath <Path to database> -LogFilePath <Path to Log Files>
#>

[CmdletBinding()]
Param(
    [Parameter(Mandatory=$True)] [string]$DBName,
    [Parameter(Mandatory=$True)] [string]$DBPath,
    [Parameter(Mandatory=$True)] [string]$LogFilePath
)

# The database is created on, and mounted from, the server the script runs on
$LocalServerName = $ENV:ComputerName

function create_Databases{
    Write-Host "Creating Database - " $DBName -foregroundcolor White
    New-MailboxDatabase -Name $DBName -EDBFilePath "$DBPath\$DBName.edb" -LogFolderPath $LogFilePath -Server $LocalServerName
    # New-MailboxDatabase warns that the Information Store may need restarting before a new
    # database can be mounted; if Mount-Database fails here, restart the service and re-run it
    Mount-Database -Identity $DBName
    Write-Host "Setting Offline Address Book" -foregroundcolor Cyan
    Set-MailboxDatabase $DBName -OfflineAddressBook "Default Offline Address Book"
}

function create_FolderStructure{
    if(!(Test-Path $DBPath)){
        Write-Host "Database Folder Path Not Found - Creating." -foregroundcolor Green
        New-Item $DBPath -Type Directory
    }else{
        Write-Host "Database path found." -foregroundcolor Cyan
    }
    if(!(Test-Path $LogFilePath)){
        Write-Host "Log Folder Path Not Found - Creating." -foregroundcolor Green
        New-Item $LogFilePath -Type Directory
    }else{
        Write-Host "Log path found." -foregroundcolor Cyan
    }
}

function add_databaseCopies{
    # Every Mailbox server in the organisation other than this one receives a copy;
    # in this LAB both Mailbox servers are members of the DAG created in Part 6
    $MailboxServers = Get-MailboxServer | Select -ExpandProperty Name
    foreach($SVR in $MailboxServers){
        if(!($SVR -eq $LocalServerName)){
            Write-Host "Adding Databases Copy for - " $DBName -foregroundcolor White
            Add-MailboxDatabaseCopy -Identity $DBName -MailboxServer $SVR
        }
    }
}

create_FolderStructure
create_Databases
add_databaseCopies
Write-Host "Script Completed..." -foregroundcolor Green

Creating DAG Enabled Mailbox Databases

Before you execute the script (if you downloaded it from the link provided above), you will need to ensure that the Execution Policy allows scripts downloaded from the internet to run. If you have been following this guide, this should already be in place.

For the purposes of the LAB, using the script we shall create the following databases:

  • London_Office

  • Paris_Office

  • Dublin_Office

We will start with the London_Office. Open an Exchange Management Shell window and navigate to the location where you have stored the script. The script accepts the following command line parameters:

  • -DBName / The name of the database – if you plan to use spaces please enclose this in inverted commas.

  • -DBPath  / The physical path to the Exchange edb file – you do not need to provide the name of the database file as the script will create this for you – do not include a trailing slash at the end of the path.

  • -LogFilePath / The physical path to the log files location.

You do not have to have created any folders for the logs or databases as the script will also create these for you.

Below is an example of the command line that I have used in my LAB to create the London Office database:

.\CreateMailboxDBs.ps1 -DBName "London_Office" -DBPath "x:\ExchangeDatabases\London" -LogFilePath "x:\ExchangeLogs\London"

When the script executes you will see information similar to the following screen shot. The script will also pause whilst it seeds the databases on the other servers.

When the script has completed its actions – you will see the following output from the script.

You can then open up the Exchange Administrative Centre and check that your databases and their copies have been created correctly – see below.
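The EAC check above can also be scripted. The following is an added example (not one of the article's scripts) that confirms every member of the DAG holds a copy of each DAG database, that each copy reports Mounted or Healthy with empty copy/replay queues, and that exactly one copy is mounted; the DAG name is a parameter, so pass whatever name you chose in Part 6 ("artLab-DAG01" below is only a placeholder).

```powershell
# Added example, not part of the original article. Run from the Exchange Management Shell on
# any lab Exchange server after Create2013LabDBs.ps1 has finished seeding.
# Usage: .\Check-DagCopies.ps1 -DagName "artLab-DAG01"   (placeholder DAG name)
param(
    [Parameter(Mandatory=$true)]
    [string]$DagName
)

$dag        = Get-DatabaseAvailabilityGroup -Identity $DagName
$dagServers = $dag.Servers | ForEach-Object { $_.Name }
$problems   = @()

# Only databases that belong to this DAG are expected to have copies on every member
$dagDatabases = Get-MailboxDatabase | Where-Object { $_.MasterServerOrAvailabilityGroup.Name -eq $DagName }

foreach ($db in $dagDatabases) {
    # Servers that hold a copy of this database, as recorded on the database object
    $copyHosts = $db.Servers | ForEach-Object { $_.Name }
    foreach ($srv in $dagServers) {
        if ($copyHosts -notcontains $srv) {
            $problems += "$($db.Name): no copy on $srv"
        }
    }

    # Per-copy health: the active copy should be Mounted, passives Healthy, with no queue backlog
    $copies = @(Get-MailboxDatabaseCopyStatus -Identity $db.Name)
    foreach ($copy in $copies) {
        if ($copy.Status -notin 'Mounted','Healthy') {
            $problems += "$($copy.Name) is $($copy.Status)"
        }
        if ($copy.CopyQueueLength -gt 0 -or $copy.ReplayQueueLength -gt 0) {
            $problems += "$($copy.Name) queues: copy=$($copy.CopyQueueLength) replay=$($copy.ReplayQueueLength)"
        }
    }
    $mounted = @($copies | Where-Object { $_.Status -eq 'Mounted' })
    if ($mounted.Count -ne 1) {
        $problems += "$($db.Name): expected 1 mounted copy, found $($mounted.Count)"
    }
}

if ($problems.Count -eq 0) {
    Write-Host "All $DagName databases have a healthy copy on every DAG member." -ForegroundColor Green
} else {
    $problems | ForEach-Object { Write-Host $_ -ForegroundColor Yellow }
}
```

A copy that still shows Seeding or Initializing immediately after the creation script has run is expected; re-run the check once seeding has finished.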

Configuring SSL

Generating the Exchange Certificate

On either art-MBXCAS-01 or 02, open an Exchange Management Shell window and type in the following command. Ensure that you include all the domains (SANs) that you would like registered on the certificate within the -DomainName parameter (separated by commas) – see below.

New-ExchangeCertificate -FriendlyName "artLab Certificate" -DomainName autodiscover.artTest.local,owa.artTest.local,mail.artTest.local -GenerateRequest -PrivateKeyExportable $true -KeySize 2048 -RequestFile "x:\DomainCSRRequest.csr"

This will generate a new Certificate Signing Request (CSR) that we can submit to the Active Directory Certificate Services component which is installed on art-DC-01. The command will output a CSR file to a location that you specify which will contain text similar to that in the example below.

If you then run the following command you can see that there is now a pending Certificate Request

Get-ExchangeCertificate | Where {$_.Status -eq "PendingRequest"} | fl

Open Internet Explorer on your Exchange server and navigate to http://art-dc-01/certsrv (or the name that you gave your domain controller). From the screen that appears, click on the “Request a Certificate” link – see below.

On the next screen click on the “Advanced Certificate Request” link – see below

On the next screen – click on the “Submit a certificate request by using a base 64 encoded CMC or PKCS #10 file” – see below

Open the CSR file that you created using the New-ExchangeCertificate cmdlet, and copy and paste its content into the section on the next screen entitled “Base64 encoded certificate request (CMC or PKCS #10 or PKCS #7)”. Ensure that the certificate template is set to “Web Server” and then click on the “Submit” button – see below.

You will be redirected to a screen where you can now download your certificate – click on the “Download Certificate” link – see below.

Save the Certificate file to a location on art-MBXCAS-01 – see below:

Importing and enabling the Certificate

From within the Exchange Management Shell, type in the commands below, ensuring that you provide the path to the certificate file that you downloaded. Note that you will need to provide the thumbprint of the imported certificate when you use Enable-ExchangeCertificate – bear in mind that the thumbprint of your certificate will be different from that in my example. The commands below also enable the certificate for the web services (IIS).

Import-ExchangeCertificate -FileName X:\artTest.cer

Thumbprint                                Services   Subject
----------                                --------   -------
98F1888F5CD7B4C227B9FEB6A321E5AE6249CD3C  .......    CN=autodiscover.artTest.local

Enable-ExchangeCertificate 98F1888F5CD7B4C227B9FEB6A321E5AE6249CD3C -Services IIS

We now need to export this certificate from art-MBXCAS-01 to 02 – in order to do this type in the following Exchange Management Shell commands:

Verify the certificate thumbprint

Get-ExchangeCertificate
Thumbprint                                Services   Subject
----------                                --------   -------
98F1888F5CD7B4C227B9FEB6A321E5AE6249CD3C  ...W...    CN=autodiscover.artTest.local
6424884DC425680ABE842CBFA13E8FF590C94A90  ....S..    CN=Microsoft Exchange Server Auth Certificate
B265CDA2135D83E12453DCEA70C9BACDB698B05F  IP.WS..    CN=art-mbxcas-01
CB0DB4239F5D7E974B33F0E95EF5E01231183003  .......    CN=WMSvc-ART-MBXCAS-01

Export the Certificate

$export = Export-ExchangeCertificate 98F1888F5CD7B4C227B9FEB6A321E5AE6249CD3C -BinaryEncoded:$true -Password (Get-Credential).password
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:

You will be prompted for a user name and password – enter admin (not used) as the user name and choose a password. This password protects the exported private key, and you will need it when you import the certificate into art-MBXCAS-02.

Create the PFX file

Set-Content -Path x:\exportedCert.pfx -Value $export.FileData -Encoding byte

Import the Certificate

Remember that this time around we are using the -Server parameter to stipulate that we want to import this exported certificate on to art-MBXCAS-02.

Import-ExchangeCertificate -Server art-mbxcas-02 -FileName X:\exportedCert.pfx -Password (Get-Credential).password

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential

Thumbprint                                Services   Subject
----------                                --------   -------
98F1888F5CD7B4C227B9FEB6A321E5AE6249CD3C  .......    CN=autodiscover.artTest.local

You will be prompted to supply the password that you selected when you exported the certificate in order to complete the import operation.

Enable the services

Enable-ExchangeCertificate 98F1888F5CD7B4C227B9FEB6A321E5AE6249CD3C -Server art-mbxcas-02 -Services IIS

Again, remember that the thumbprint will be different on your system – also remember that you need to stipulate the -Server parameter to make sure that you are working against art-MBXCAS-02.

Creating relevant DNS records

The certificate that you generated should have contained a number of other Domain Names (or subject alternative names) – for example in my LAB these were:

  • OWA.artTest.local

  • MAIL.artTest.local

  • Autodiscover.artTest.local

It is important that these also appear within DNS within the LAB. In order to create them, log on to your LAB domain controller (art-DC-01) and open a PowerShell command prompt. Type in the following commands, substituting the IP address where appropriate to match your own subnet.

Import-Module DNSServer
Add-DnsServerResourceRecordA -Name "autodiscover" -ZoneName "artTest.local" -AllowUpdateAny -IPv4Address "172.31.253.108" -TimeToLive 01:00:00
Add-DnsServerResourceRecordA -Name "owa" -ZoneName "artTest.local" -AllowUpdateAny -IPv4Address "172.31.253.108" -TimeToLive 01:00:00
Add-DnsServerResourceRecordA -Name "mail" -ZoneName "artTest.local" -AllowUpdateAny -IPv4Address "172.31.253.108" -TimeToLive 01:00:00

Configuring Web Services in Exchange 2013

As in previous versions of Exchange, there are a number of internal URLs that need to be configured to ensure that services such as EWS, Autodiscover and OWA work correctly.

One significant change is that there is technically no longer the concept of -InternalURL / -ExternalURL on the Autodiscover virtual directory. These are now handled via Service Connection Points (SCPs) in Active Directory and, for the purposes of our LAB, don’t need modification.

In Exchange 2013 there are a number of Virtual Directories on which you need to change the URL settings – therefore I have provided the following script to automate the process for our LAB.

NOTE: This script ONLY modifies the InternalURL namespaces – it will need modification if you wish to use external URLs. Furthermore it does not make modifications to the OAB Virtual Directory.

As with the previous script – you can copy and paste it from here – or download it from the link below.

<#
Exchange 2013 LAB - Configure Web Based URLS
http://www.telnetport25.com
Author: Andy Grogan
Version: 0.1

.Compatibility
Windows Server 2012
Powershell 3
Exchange 2013
Not Supported with any other versions of the software mentioned above.

.Parameters
None

.Example
.\ConfigureWebURLS.ps1
#>

# Get-ADDomain comes from the ActiveDirectory module (installed with the RSAT-ADDS pre-requisite);
# every URL below is built from the domain's DNS root, e.g. artTest.local
$InternalDomainName = Get-ADDomain | Select -ExpandProperty DNSRoot
Write-Host "Setting Domain Context: $InternalDomainName" -foregroundcolor Red

# Configure Client Access Server (Autodiscover Service Connection Point)
# Outlook uses the SCP URI as-is, so it must point at Autodiscover.xml rather than the bare host name
Write-Host "Configuring CAS URLS" -foregroundcolor Cyan
$ClientAccessServer = Get-ClientAccessServer | Select -ExpandProperty Identity
foreach($CAS in $ClientAccessServer){
    Set-ClientAccessServer -Identity $CAS -AutodiscoverServiceInternalUri "https://autodiscover.$InternalDomainName/Autodiscover/Autodiscover.xml"
}

# Configure Active Sync
Write-Host "Configuring Active Sync URLS" -foregroundcolor Cyan
$aSyncDirs = Get-ActiveSyncVirtualDirectory | Select -ExpandProperty Identity
foreach($aSyn in $aSyncDirs){
    Set-ActiveSyncVirtualDirectory -Identity $aSyn -InternalURL "https://mail.$InternalDomainName/Microsoft-Server-ActiveSync"
}

# Exchange Control Panel
Write-Host "Configuring ECP URLS" -foregroundcolor Cyan
$ecpVirDirs = Get-EcpVirtualDirectory | Select -ExpandProperty Identity
foreach ($eVdir in $ecpVirDirs){
    Set-EcpVirtualDirectory -Identity $eVdir -InternalURL "https://owa.$InternalDomainName/ecp"
}

# Web Services
Write-Host "Configuring Web Services URLS" -foregroundcolor Cyan
$webSvcVirDirs = Get-WebServicesVirtualDirectory | Select -ExpandProperty Identity
foreach($webSvc in $webSvcVirDirs){
    Set-WebServicesVirtualDirectory -Identity $webSvc -InternalURL "https://mail.$InternalDomainName/EWS/Exchange.asmx"
}

# OWA
Write-Host "Configuring OWA URLS" -foregroundcolor Cyan
$owaVdir = Get-OwaVirtualDirectory | Select -ExpandProperty Identity
foreach($oVDir in $owaVdir){
    Set-OwaVirtualDirectory -Identity $oVDir -InternalUrl "https://owa.$InternalDomainName/OWA"
}

# Powershell
Write-Host "Configuring Powershell URLS" -foregroundcolor Cyan
$psVdirs = Get-PowerShellVirtualDirectory | Select -ExpandProperty Identity
foreach($psDir in $psVdirs){
    Set-PowerShellVirtualDirectory -Identity $psDir -InternalURL "https://mail.$InternalDomainName/powershell"
}

Write-Host "Script has completed..." -foregroundColor Green

In order to run the script – open an Exchange Management Shell on either art-MBXCAS-01 or 02 and type in:

.\ConfigureWebURLS.ps1

The script will then execute and configure the relevant InternalUrl for each service. You can then navigate to https://owa.artTest.local/owa and you should see that the certificate is trusted and everything functions as you would expect.
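Browsing to OWA tests only one name. The following added example (not one of the article's scripts) ties the three pieces of this part together: it collects every host name used by the configured InternalUrls and the Autodiscover SCP URI, checks each against the CertificateDomains (SANs) of the certificate enabled for IIS, and confirms each resolves in DNS. It runs in the Exchange Management Shell on either lab server; Resolve-DnsName comes from the Windows Server 2012 DnsClient module.

```powershell
# Added example, not part of the original article. Reports, per host name, whether the IIS
# certificate covers it and whether DNS resolves it; anything marked False is a gap between
# the certificate request, the DNS records and the URL script.
param([string]$Server = $env:COMPUTERNAME)

# Certificate currently bound to IIS on this server (Services is a flags value; match on its text)
$iisCert = Get-ExchangeCertificate -Server $Server |
           Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
if (-not $iisCert) { throw "No certificate is enabled for IIS on $Server" }
$sans = $iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }

# Every URL that ConfigureWebURLS.ps1 sets, plus the OAB directory it leaves untouched
$urls = @()
$urls += (Get-ClientAccessServer -Identity $Server).AutodiscoverServiceInternalUri
$urls += (Get-OwaVirtualDirectory         -Server $Server).InternalUrl
$urls += (Get-EcpVirtualDirectory         -Server $Server).InternalUrl
$urls += (Get-WebServicesVirtualDirectory -Server $Server).InternalUrl
$urls += (Get-ActiveSyncVirtualDirectory  -Server $Server).InternalUrl
$urls += (Get-PowerShellVirtualDirectory  -Server $Server).InternalUrl
$urls += (Get-OabVirtualDirectory         -Server $Server).InternalUrl

$hosts = $urls | Where-Object { $_ } |
         ForEach-Object { ([System.Uri]$_).Host.ToLower() } | Sort-Object -Unique

foreach ($h in $hosts) {
    # A SAN covers the host either exactly or through a wildcard for the same parent domain
    $parent  = $h.Substring($h.IndexOf('.') + 1)
    $covered = ($sans -contains $h) -or ($sans -contains "*.$parent")
    try   { $dnsOk = [bool](Resolve-DnsName -Name $h -Type A -ErrorAction Stop) }
    catch { $dnsOk = $false }
    $colour = if ($covered -and $dnsOk) { 'Green' } else { 'Yellow' }
    Write-Host ("{0,-35} cert:{1,-5} dns:{2,-5}" -f $h, $covered, $dnsOk) -ForegroundColor $colour
}

# Flag a certificate that is about to expire, since an expired one fails every URL above at once
if ($iisCert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Host "Certificate $($iisCert.Thumbprint) expires $($iisCert.NotAfter)" -ForegroundColor Yellow
}
```

Run it once on art-MBXCAS-01 and once with -Server art-MBXCAS-02 to confirm the exported certificate and URL script took effect on both servers.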

In the next part

In the final part of the series we will complete the following:

  • Populate the lab with test users.

  • Create Mailboxes

  • Create Public Folders

  • Create some distribution lists

  • Discuss some options for implementing HA on the Client Access Servers for connectivity