As we are now in Part 7 of this series, let's recap the previous parts.
In Parts 1 and 2, we established our domain design, covered how to provision the Domain Controller for the LAB in Hyper-V and then how to install Windows Server 2012 on the Domain Controller, and we went through the process of installing Active Directory Domain Services on the LAB domain controller using PowerShell.
Part 3
We covered how you can install a very simple PKI infrastructure on the domain controller using Active Directory Certificate Services. These will be used in a later part to configure SSL for various parts of Exchange 2013.
Part 4
We covered how to use PowerShell to provision Exchange server VMs in the lab, and went through the pre-requisite software installation.
Part 5
We covered the Directory, organisation and Exchange preparation – and then went on to install the relevant Exchange servers using the unattended setup feature.
Part 6
We covered Database Availability Groups and provided a script which automates the creation of DAGs from a CSV file in preparation for…
In this part I would like to cover:
Creating DAG Enabled Mailbox Databases
Configuring the relevant Autodiscover, EWS and Exchange web-based URLs using the Active Directory Certificate Services that we installed in Part 3
Configuring Mailbox Databases in Exchange 2013 is not very hard – but in the spirit of this series, where I have been trying to show how you can use PowerShell to automate most tasks, I have written the following script which performs the following:
Creates Mailbox Databases from the command line.
Sets the Offline Address Book to the “Default Offline Address Book”.
Mounts the new database.
Creates a copy of the new database on each node within the DAG.
You can copy and paste the script from this webpage into a new PS1 file on any of the Exchange Servers that we have created in this LAB – or you can download it from the download link below.
If you have downloaded the script from the link provided above, then before you execute it you will need to ensure that the Execution Policy is set to allow scripts from the internet to be run. If you have been following this guide – this should already be in place.
For the purposes of the LAB, using the script we shall create the following databases:
London_Office
Paris_Office
Dublin_Office
We will start with the London_Office. Open an Exchange Management Shell window and navigate to the location where you have stored the script. The script accepts the following command line parameters:
-DBName / The name of the database – if you plan to use spaces please enclose this in inverted commas.
-DBPath / The physical path to the Exchange edb file – you do not need to provide the name of the database file as the script will create this for you – do not include a trailing slash at the end of the path.
-LogFilePath / The physical path to the log files location.
You do not have to have created any folders for the logs or databases as the script will also create these for you.
Below is an example of the command line that I have used in my LAB to create the London Office database:
.\CreateMailboxDBs.ps1 -DBName "London_Office" -DBPath "x:\ExchangeDatabases\London" -LogFilePath "x:\ExchangeLogs\London"
When the script executes you will see information similar to the following screen shot. The script will also pause whilst it seeds the databases on the other servers.
When the script has completed its actions – you will see the following output from the script.
You can then open up the Exchange Administrative Centre and check that your databases have been created correctly – see below.
On either art-CASMBX-01 or 02 open an Exchange Management Shell window and type in the following command. Ensure that you include all the domains (SANs) that you would like registered on the certificate within the -DomainName parameter (separated by commas) – see below.
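The four steps the script is described as performing, as an added sketch that is not the author's CreateMailboxDBs.ps1. It assumes it is run in the Exchange Management Shell on a mailbox server that is already a DAG member; the activation-preference numbering and the final status check are assumptions added here.

```powershell
# Added example, not the author's script. Parameter names mirror the ones described above.
param(
    [Parameter(Mandatory = $true)][string]$DBName,
    [Parameter(Mandatory = $true)][string]$DBPath,       # no trailing slash
    [Parameter(Mandatory = $true)][string]$LogFilePath
)

$local = $env:COMPUTERNAME

# 1. Create the database; Exchange creates the folders if they do not exist.
New-MailboxDatabase -Name $DBName -Server $local `
    -EdbFilePath "$DBPath\$DBName.edb" -LogFolderPath $LogFilePath

# 2. Point the database at the default offline address book.
Set-MailboxDatabase -Identity $DBName -OfflineAddressBook 'Default Offline Address Book'

# 3. Mount it so that it can be seeded to the other DAG members.
Mount-Database -Identity $DBName

# 4. Add a copy on every other member of the DAG this server belongs to.
$dagName = (Get-MailboxServer -Identity $local).DatabaseAvailabilityGroup
if (-not $dagName) { throw "$local is not a member of a DAG." }

$preference = 2   # the active copy created above holds preference 1
foreach ($member in (Get-DatabaseAvailabilityGroup -Identity $dagName).Servers) {
    if ($member.Name -ne $local) {
        Add-MailboxDatabaseCopy -Identity $DBName -MailboxServer $member.Name `
            -ActivationPreference $preference
        $preference++
    }
}

# Confirm that every copy is Mounted or Healthy before moving on.
Get-MailboxDatabaseCopyStatus -Identity $DBName |
    Format-Table Name, Status, CopyQueueLength, ContentIndexState -AutoSize
```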
New-ExchangeCertificate -FriendlyName "artLab Certificate" -DomainName autodiscover.artTest.local,owa.artTest.local,mail.artTest.local -GenerateRequest -PrivateKeyExportable $true -KeySize 2048 -RequestFile "x:\DomainCSRRequest.csr"
This will generate a new Certificate Signing Request (CSR) that we can submit to the Active Directory Certificate Services component which is installed on art-DC-01. The command will output a CSR file to a location that you specify which will contain text similar to that in the example below.
If you then run the following command you can see that there is now a pending Certificate Request
Get-ExchangeCertificate | Where {$_.Status -eq "PendingRequest"} | fl
Open Internet Explorer on your Exchange server and navigate to http://art-dc-01/certsrv (or the name that you gave your domain controller). From the screen that appears – click on the “Request a Certificate” link – see below.
On the next screen click on the “Advanced Certificate Request” link – see below
On the next screen – click on the “Submit a certificate request by using a base 64 encoded CMC or PKCS #10 file” – see below
Open the CSR file that you created using the New-ExchangeCertificate cmdlet – and copy and paste its content into the section on the next screen entitled “Base64 encoded certificate request (CMC or PKCS #10 or PKCS #7)” – ensure that the certificate template is set to “Web Server” and then click on the “Submit” button – see below.
You will be redirected to a screen where you can now download your certificate – click on the “Download Certificate” link – see below.
Save the Certificate file to a location on art-CASMBX-01 – see below:
From within the Exchange Management Shell type in the commands below, ensuring that you provide the path to the certificate file that you downloaded. Note that you will need to provide the thumbprint for the imported certificate when you use the Enable-ExchangeCertificate cmdlet – bear in mind that the THUMBPRINT of the cert is likely to be different from that in my example. The commands below also enable the certificate for the web services (IIS).
We now need to export this certificate from art-MBXCAS-01 to 02 – in order to do this type in the following Exchange Management Shell commands:
Remember that this time around, we are using the –Server parameter to stipulate that we want to allocate this exported cert on to art-MBXCAS-02.
Import-ExchangeCertificate -Server art-mbxcas02 -FileName X:\exportedCert.pfx -Password (Get-Credential).password
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
Thumbprint Services Subject
---------- -------- -------
98F1888F5CD7B4C227B9FEB6A321E5AE6249CD3C ....... CN=autodiscover.artTest.local
You will be prompted to supply the password that you selected when you exported the certificate in order to complete the import operation.
Again, remember that the thumbprint will be different on your system – also remember that you need to stipulate the –Server parameter to make sure that you are working against art-MBXCAS-02.
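The import, enable, export and second-server import steps described above, as an added example that is not the author's original commands. The downloaded certificate path (X:\certnew.cer) and the SAN check are assumptions added here; it uses -FileData instead of -FileName for the import and reuses one password prompt for export and import.

```powershell
# Added example, not the author's commands. Run on the server that generated the CSR.
$CerPath  = 'X:\certnew.cer'        # assumed location of the certificate downloaded from certsrv
$PfxPath  = 'X:\exportedCert.pfx'   # export file name used on this page
$Second   = 'art-mbxcas02'          # second server, as named in the import command above
$Expected = 'autodiscover.artTest.local', 'owa.artTest.local', 'mail.artTest.local'

# 1. Complete the pending request with the certificate issued by the lab CA.
$cert = Import-ExchangeCertificate -FileData `
    ([Byte[]](Get-Content -Path $CerPath -Encoding Byte -ReadCount 0))

# 2. Check what was issued before binding it to IIS.
$sans    = $cert.CertificateDomains | ForEach-Object { "$_".ToLower() }
$missing = $Expected | Where-Object { $sans -notcontains $_.ToLower() }
if ($missing) { throw "Certificate is missing SANs: $($missing -join ', ')" }
if (-not $cert.HasPrivateKey) { throw 'No private key: import on the server that created the CSR.' }

Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# 3. Export certificate and private key as a password-protected PFX.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$export = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint `
    -BinaryEncoded:$true -Password $pfxPassword
[System.IO.File]::WriteAllBytes($PfxPath, $export.FileData)

# 4. Import and enable the same certificate on the second server.
Import-ExchangeCertificate -Server $Second -Password $pfxPassword -FileData `
    ([Byte[]](Get-Content -Path $PfxPath -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Server $Second -Thumbprint $cert.Thumbprint -Services IIS

# 5. The PFX contains the private key, so do not leave it on the shared drive.
Remove-Item -Path $PfxPath

# 6. Both servers should now report the same thumbprint with IIS in Services.
foreach ($server in $env:COMPUTERNAME, $Second) {
    Get-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint |
        Format-List Thumbprint, Services, Status, NotAfter, CertificateDomains
}
```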
The certificate that you generated should have contained a number of other Domain Names (or subject alternative names) – for example in my LAB these were:
OWA.artTest.local
MAIL.artTest.local
Autodiscover.artTest.local
It is important that these also appear within DNS within the LAB. In order to create these – log on to your LAB domain controller (art-DC-01) – and open a PowerShell command prompt. Type in the following commands – substituting the IP addresses where appropriate to match that of your own subnets.
As in previous versions of Exchange, there are a number of internal URLs that need to be configured to ensure that services such as EWS, Autodiscover and OWA work correctly.
One significant change is that there is technically no longer the concept of -InternalURL / -ExternalURL on the Autodiscover virtual directory. These are now handled via Service Connection Points (SCPs) in Active Directory and for the purposes of our LAB don’t need modification.
In Exchange 2013 there are a number of Virtual Directories on which you change the URL settings – therefore I have provided the following script to automate the process for our LAB.
NOTE: This script ONLY modifies the InternalURL namespaces – it will need modification if you wish to use external URLs. Furthermore it does not make modifications to the OAB Virtual Directory.
As with the previous script – you can copy and paste it from here – or download it from the link below.
In order to run the script – open an Exchange Management Shell on either art-MBXCAS-01 or 02 and type in:
.\ConfigureWebURLS.ps1
The script will then execute and configure the relevant InternalURLs for each service. You can then navigate to https://owa.artTest.local/owa and you should see that the certificate is trusted and everything functions as you would expect.
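One way to set the InternalURL values and confirm that each host name is covered by the certificate enabled for IIS, as an added example that is not the author's ConfigureWebURLS.ps1. Which host name serves which service is an assumption made here, and the check is an exact match against the SAN list (wildcard certificates are not handled).

```powershell
# Added example, not the author's script. Run in the Exchange Management Shell.
# Assumption: the host name chosen for each service; adjust to your own namespace.
$urls = @{
    Owa        = 'https://owa.artTest.local/owa'
    Ecp        = 'https://owa.artTest.local/ecp'
    Ews        = 'https://mail.artTest.local/EWS/Exchange.asmx'
    ActiveSync = 'https://mail.artTest.local/Microsoft-Server-ActiveSync'
}

foreach ($server in (Get-ClientAccessServer).Name) {
    # InternalUrl only, matching the scope described in the NOTE above.
    Get-OwaVirtualDirectory -Server $server |
        Set-OwaVirtualDirectory -InternalUrl $urls.Owa
    Get-EcpVirtualDirectory -Server $server |
        Set-EcpVirtualDirectory -InternalUrl $urls.Ecp
    Get-WebServicesVirtualDirectory -Server $server |
        Set-WebServicesVirtualDirectory -InternalUrl $urls.Ews
    Get-ActiveSyncVirtualDirectory -Server $server |
        Set-ActiveSyncVirtualDirectory -InternalUrl $urls.ActiveSync

    # Collect the SANs of every valid certificate enabled for IIS on this server.
    $sans = Get-ExchangeCertificate -Server $server |
        Where-Object { $_.Status -eq 'Valid' -and "$($_.Services)" -match 'IIS' } |
        ForEach-Object { $_.CertificateDomains } |
        ForEach-Object { "$_".ToLower() }

    # Flag any configured URL whose host name the certificate does not cover;
    # clients connecting to such a URL would get a certificate name mismatch.
    foreach ($service in $urls.Keys) {
        $name = ([uri]$urls[$service]).Host.ToLower()
        if ($sans -contains $name) {
            '{0}: {1} host {2} is covered by the IIS certificate' -f $server, $service, $name
        }
        else {
            Write-Warning "$server $service uses $name, which is not on the IIS certificate"
        }
    }
}
```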
In the final part of the series we will complete the following:
Populate the lab with test users.
Create Mailboxes
Create Public Folders
Create some distribution lists
Discuss some options for implementing HA on the Client Access Servers for connectivity