TestLabGuide IntranetAndTeamSites Ebook
Domain Controller
Operating System
Management Tools
Operating System
Domain controllers
Once the above requirements are verified for consistency, proceed with the following preparation
tasks on the server/computer which will be used to prepare the Active Directory using the
Exchange Server 2016 Active Directory Prepare module.
Install Microsoft .NET Framework 4.5
Install Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit
Prepare Domains
At the command prompt, run the following:
Setup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms
They are difficult for end users to remember (this primarily impacts Outlook on the web,
where users tend to find it easier to remember a URL such as mail.oviwin.com)
A URL containing a specific server name can't be load-balanced across multiple servers in
a high availability deployment
The internal AD namespace for many organizations is not a valid domain name on the
internet, for example oviwin.local, which makes it impossible to acquire SSL certificates for
Exchange 2016.
The recommended practice is to change the URLs configured on your Exchange 2016 servers to
aliases or generic host names such as mail.oviwin.com after you first install the server.
Get-ClientAccessService -Identity EXCH01 | Select AutoDiscoverServiceInternalUri
Set-ClientAccessService -Identity EXCH01 -AutoDiscoverServiceInternalUri https://mail.oviwin.com/Autodiscover/Autodiscover.xml
When Exchange Server 2016 is first installed it generates a self-signed SSL certificate that is then
enabled for IIS (HTTPS services like OWA, EWS and ActiveSync), SMTP, POP and IMAP. The self-signed
certificate allows the server to be secure by default and begin encrypting network
communications right from the start, but it is only intended to be used temporarily while you
provision the correct SSL certificates for your environment.
When deploying Exchange Server 2016 you should plan to replace the self-signed certificate with
a valid SSL certificate for your deployment scenario. This involves an investment of anywhere from
$99 to several thousand dollars depending on your Client Access namespace scenario, the type of
certificate you purchase, and which certificate authority you purchase it from.
If you're tempted to stick with the self-signed certificate, or to try and disable SSL requirements
on Exchange services, I strongly recommend you do not do those things.
With the namespaces correctly configured, and DNS records in place, you will then need to
provision an SSL certificate for the Exchange 2016 server.
The common causes of Outlook security alerts containing certificate warnings are misconfigured Exchange
server namespaces, and invalid SSL certificates. Using the steps demonstrated above you can reconfigure
your namespaces and/or install a valid SSL certificate. When your Exchange server's configuration has
been corrected the Outlook security alerts should stop appearing for your end users.
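Both causes named above can be checked together from the Exchange Management Shell. The script below is an added example, not part of the original guide: it collects the host names from the configured URLs and reports, for each IIS-enabled certificate, whether it is self-signed, valid, and covers those names. The server name EXCH01 comes from the guide's example, and the helper Test-NameCovered is hypothetical.

```powershell
# Added example (not from the guide). Run in the Exchange Management Shell.
$Server = 'EXCH01'   # server name taken from the guide's example

# 1. Host names clients are told to use: Autodiscover URI plus every virtual directory URL.
$urls = @((Get-ClientAccessService -Identity $Server).AutoDiscoverServiceInternalUri)
$vdirCmdlets = 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory', 'Get-WebServicesVirtualDirectory',
               'Get-ActiveSyncVirtualDirectory', 'Get-OabVirtualDirectory', 'Get-MapiVirtualDirectory'
foreach ($cmd in $vdirCmdlets) {
    foreach ($vdir in (& $cmd -Server $Server)) { $urls += $vdir.InternalUrl, $vdir.ExternalUrl }
}
$hostNames = @($urls | Where-Object { $_ } |
    ForEach-Object { ([Uri]"$_").Host.ToLower() } | Sort-Object -Unique)

# 2. Hypothetical helper: true when a certificate name (exact match or
#    single-label wildcard such as *.oviwin.com) covers the host name.
function Test-NameCovered([string]$HostName, [string[]]$CertNames) {
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }
        $dot = $HostName.IndexOf('.')
        if ($name.StartsWith('*.') -and $dot -gt 0 -and
            $HostName.Substring($dot + 1) -eq $name.Substring(2)) { return $true }
    }
    return $false
}

# 3. Check every certificate enabled for IIS against those names.
$report = foreach ($cert in (Get-ExchangeCertificate -Server $Server)) {
    if ("$($cert.Services)" -notmatch 'IIS') { continue }
    $sans = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })
    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        Subject        = $cert.Subject
        IsSelfSigned   = $cert.IsSelfSigned
        Status         = "$($cert.Status)"
        NotAfter       = $cert.NotAfter
        UncoveredNames = @($hostNames | Where-Object { -not (Test-NameCovered $_ $sans) })
    }
}
$report | Format-List
```

The configuration is consistent when at least one IIS-enabled certificate shows IsSelfSigned False, Status Valid, a NotAfter date in the future, and an empty UncoveredNames list.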
Next you'll need to decide how the outbound emails will be delivered. There are two choices: by
MX record, or via smart host. MX record delivery involves your Exchange server looking up the MX
records of the recipient's domain in DNS, and then connecting directly to their email server via
SMTP to deliver the email message. Smart host delivery involves your Exchange server sending the
messages to a specified IP address or host name for another system (typically an email security
appliance or cloud service) that is then responsible for the further delivery of that email message.
For this example I'm going to use MX records to deliver the message. My server already has
outbound firewall access on TCP port 25, and can resolve MX records on the internet using DNS,
so at a basic level this should work fine. There are other considerations such as SPF and IP
reputation in the real world that may impact the delivery of email messages from your server.
Set the address space for the send connector. An address space of * means any domain and is
suitable if you have one send connector that is used for all outbound mail flow. You can use this
address space option if you later need to configure specific send connectors for different domains.
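The same choices can be made from the Exchange Management Shell. The script below is an added example, not part of the original guide: for MX delivery it first confirms the two prerequisites mentioned above (MX resolution and outbound TCP port 25), then creates the send connector with an address space of *. The connector name, test domain and smart host name are placeholders.

```powershell
# Added example (not from the guide). Run in the Exchange Management Shell on the server.
$Server       = 'EXCH01'                      # server name taken from the guide's example
$TestDomain   = 'partner.example'             # placeholder: an external domain you send mail to
$UseSmartHost = $false                        # $true = smart host delivery, $false = MX delivery
$SmartHost    = 'smarthost.example.invalid'   # placeholder, used only when $UseSmartHost is $true

if (-not $UseSmartHost) {
    # MX delivery needs working public DNS resolution and outbound TCP 25.
    $mx = Resolve-DnsName -Name $TestDomain -Type MX -ErrorAction Stop |
        Where-Object { $_.Type -eq 'MX' } | Sort-Object Preference | Select-Object -First 1
    if (-not $mx) { throw "No MX record resolved for $TestDomain" }

    $probe = Test-NetConnection -ComputerName $mx.NameExchange -Port 25
    if (-not $probe.TcpTestSucceeded) {
        throw "Outbound TCP 25 to $($mx.NameExchange) failed; check the firewall"
    }
}

$connector = @{
    Name                   = 'Internet Email'   # hypothetical connector name
    Usage                  = 'Internet'
    AddressSpaces          = '*'                # any domain: one connector for all outbound mail
    SourceTransportServers = $Server
    DNSRoutingEnabled      = (-not $UseSmartHost)
}
if ($UseSmartHost) { $connector.SmartHosts = $SmartHost }
New-SendConnector @connector

# Confirm what was created.
Get-SendConnector | Format-List Name, Enabled, AddressSpaces, DNSRoutingEnabled, SmartHosts, SourceTransportServers
```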
The Exchange server will accept SMTP connections using a receive connector. A receive connector
that is suitable for incoming email from the internet is pre-configured for you by Exchange setup,
If you look at the properties of that connector you might notice that Anonymous Users is enabled as a
permission group. Yes, this is the correct configuration for the connector, and no, that does not mean it
can be abused as an open relay.
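One way to verify this on a server is the script below. It is an added example, not part of the original guide, and it relies on the Exchange permission model, in which relaying to external domains requires the ms-Exch-SMTP-Accept-Any-Recipient extended right. It lists every receive connector that allows anonymous users and shows whether anonymous sessions hold that right. The server name EXCH01 comes from the guide's example.

```powershell
# Added example (not from the guide). Run in the Exchange Management Shell.
$Server     = 'EXCH01'                          # server name taken from the guide's example
$anonymous  = 'NT AUTHORITY\ANONYMOUS LOGON'
$relayRight = 'ms-Exch-SMTP-Accept-Any-Recipient'

$report = foreach ($rc in (Get-ReceiveConnector -Server $Server)) {
    # Only connectors that admit unauthenticated senders are of interest here.
    if ("$($rc.PermissionGroups)" -notmatch 'AnonymousUsers') { continue }

    # Extended rights granted (not denied) to anonymous sessions on this connector.
    $granted = @($rc | Get-ADPermission -User $anonymous |
        Where-Object { -not $_.Deny -and $_.ExtendedRights } |
        ForEach-Object { $_.ExtendedRights | ForEach-Object { "$_" } } |
        Sort-Object -Unique)

    [pscustomobject]@{
        Connector       = $rc.Name
        Bindings        = ($rc.Bindings -join ', ')
        RemoteIPRanges  = ($rc.RemoteIPRanges -join ', ')
        AnonymousRelay  = ($granted -contains $relayRight)
        AnonymousRights = ($granted -join ', ')
    }
}
$report | Sort-Object AnonymousRelay -Descending | Format-List
```

A connector that reports AnonymousRelay True accepts mail for any recipient domain from unauthenticated senders, so its RemoteIPRanges should be limited to the specific internal hosts that need to relay.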
Notice the three options for the type of domain. The explanations are very clear, but to summarize:
Authoritative - a domain for which your servers host the only recipients. For most
scenarios this will be the correct choice.
Internal relay - a domain for which your servers host some, but not all of the recipients.
A typical use case for this type of accepted domain is a shared SMTP namespace, which is
often required when two companies are merging or separating.
External relay - a domain for which your server receives email, but hosts none of the
recipients.