Exchange Tutorials

Last year I was invited to write an Exchange 2016 book with a few fellow MVPs. Unfortunately, due to unforeseen circumstances, the book was later canceled. 

Rather than have my chapters go to waste (combined these chapters are 40,000 words) I wanted to offer them to you for free.

Below you will find three chapters covering the management of mailboxes, groups, contacts, mail-enabled users, and public folders.

That said I do want to warn you that these chapters only received a brief technical review. They did not go through any formal editorial process, so I apologize in advance for any errors. Please read these at your own risk.

While I offer these for free I would like to state that my work is under copyright. By viewing or downloading these chapters you agree to the copyright notice below.

Copyright © 2018 by Gareth Gudger

All rights reserved. No part of these chapters may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher, except in the case of brief quotations embodied in critical reviews and certain other noncommercial uses permitted by copyright law. For permission requests, please email info@supertekboy.com.

In prior releases of Windows Server, Microsoft shipped basic malware protection through its Windows Defender software. For full protection either System Center Endpoint Protection, or, a third-party antivirus solution was required. With Windows Server 2016, Windows Defender matured into a fully-fledged antivirus solution. It has now been re-branded as Windows Defender Antivirus.

Regardless of whether you choose Windows Defender Antivirus, or, a third-party antivirus solution you need to be sure these products are not scanning critical Exchange components. Microsoft publishes an extensive list of file, folder and, process exclusions to include in your antivirus configuration.

There are eighty-four exclusions in total.

Adding these exclusions are critical to the health and performance of Exchange. Without these exclusions, antivirus software could lock or quarantine files and processes critical to the operation of Exchange.

In this article, we explore how to add the required 84 exclusions to Windows Defender Antivirus. We also have a basic script to automate adding these exclusions for you.

Let’s get started!

Adding Exchange exclusions with PowerShell

Adding 84 exceptions manually through the graphical user interface would be time-consuming, tedious and, prone to human error. This only magnifies the number of Exchange servers we need to deploy. Windows Defender can be managed through multiple methods (such as System Center or Group Policy). However, for this article, we will explore adding the required exclusions using PowerShell.

To add an exclusion via PowerShell we can use the Add-MpPreference cmdlet. For a folder exclusion, we combine this with the -ExclusionPath parameter. For example, a folder exclusion may look like this.

 C:\> Add-MpPreference -ExclusionPath %SystemRoot%\Cluster

A folder exclusion not only excludes the folder and its files but also all sub-folders.

Being able to recover an Exchange Server is key to business continuity. This is magnified in environments where there is only a single Exchange server. Rebuilding an Exchange environment from scratch would be an arduous and monumental task. Luckily Exchange saves much of its configuration settings in Active Directory. As long as Active Directory is healthy you can recover an Exchange Server to its former configuration. This process saves a massive amount of time.

That said there are some items that are not stored in Active Directory. This includes the databases where the user and public folder data is stored, third-party certificates and, customizations made outside of the Exchange management tools.

Certificates are easy. If you don’t have a backup you can have your certificate re-keyed by your provider. This may take some time so it is much better to export your Exchange server certificate and save it to a safe location. Then it can be quickly imported in the event of a failure. This will reduce downtime.

Databases are a little more difficult. Depending on the nature of the failure they may need to be restored from backup. The time required for restore largely depends on the size of the database. With the Exchange standard license you get five databases. So, rather than one large database, go with five smaller ones. These greatly aides your recovery time objective (RTO). Exchange enterprise allows up to a hundred databases giving you even greater capacity.

I always recommend that you architect a database availability group (DAG) where possible. Even if your budget can only cover two Exchange servers–creating a two-member DAG with two copies of each database–will put you miles ahead when it comes to disaster recovery. The instructions to recover a DAG member differ and we will cover that in a later article.

Configuration outside of the Exchange tools is going to be a little tougher. You will either need documentation so the changes can be repeated, or, a backup of the changes. Customizations outside of Exchange can include the registry, IIS, or, text-based configuration files.

In this article, we are going to take a look at just how easy it can be to copy an anonymous receive connector from one server to another using PowerShell.

This is especially important in scenarios where a receive connector may have dozens–if not hundreds–of IPs. Adding each IP using the graphical user interface would be insanely time-consuming. It would also be prone to human error. This challenge only multiplies if you have many servers to repeat this process on. With PowerShell, we can cut this task down to mere seconds.

The first part of this article is a primer on how to configure an anonymous receive connector. If you are just interested in how to copy all IPs from one connector to another jump to the section titled Copying an Anonymous “Relay” Connector between servers.

Note: While this article focuses on moving an anonymous receive connector it can be adapted for any custom receive connector you have created.

A quick primer on anonymous receive connectors

Before we explore how to move a receive connector let’s take a refresher on how we create a receive connector with PowerShell. For this task, we use the New-ReceiveConnector cmdlet. For example, to create an anonymous receive connector our command might look like this.

 C:\> New-ReceiveConnector -Name "Anonymous Relay" -Server EX16-01 -Usage Custom -TransportRole FrontEndTransport -PermissionGroups AnonymousUsers -Bindings 0.0.0.0:25 -RemoteIPRanges 10.0.0.25, 10.0.0.26, 10.0.0.50-10.0.0.59

In this command, we create a receive connector named “Anonymous Relay”. We use the -Server parameter to identify which server we want the connector to be created on. We identify that the -Usage of the connector will be Custom. Custom is one of five connector types and is used for anonymous relays.

How to renew a certificate in Exchange

In this article, we explore the process of renewing a certificate in Exchange. We demonstrate how to accomplish this using the Exchange Admin Center and PowerShell. The high-level steps include:

• Create a new certificate signing request
• Upload the certificate signing request to your certificate provider
• Download the processed certificate from your certificate provider
• Install the certificate on Exchange
• Export the new certificate to a PFX file
• Import the certificate to all other Exchange servers
• Assign Exchange services to the new certificate on each server
• Delete the old certificate

Let’s get started!

Note: These steps are identical for Exchange 2013, 2016, and 2019.

Renew a Certificate with Exchange Admin Center

Log in to the Exchange Admin Center (EAC). Select the Servers tab and Certificates sub-tab.

This page displays all currently installed Exchange certificates. In our example, we see four self-signed certificates. We also see the certificate that we acquired from a trusted certificate authority (affiliate). This certificate is named webmail.exchangeservergeek.com. This is the certificate we will be renewing.

Select the certificate to be renewed (in our case webmail.exchangeservergeek.com) and click the Renew link in the task pane to the right.

The renewal process will create a new certificate request to submit to our certificate authority. Specify a location to save this certificate request. This location must be in the form of a UNC path. In our example, we specify a file called certreq.txt at the path \\ex16-01\c$\users\supertekboy\desktop\. This will create a text file on our server’s desktop. Click Ok.