Exchange Tutorials

Required Exchange exclusions for Windows Defender Antivirus

September 8, 2017 By Gareth Gudger 2 Comments

49 Shares

In prior releases of Windows Server, Microsoft shipped basic malware protection through its Windows Defender software. For full protection either System Center Endpoint Protection, or, a third-party antivirus solution was required. With Windows Server 2016, Windows Defender matured into a fully fledged antivirus solution. It has now been re-branded as Windows Defender Antivirus.

Regardless of whether you choose Windows Defender Antivirus, or, a third-party antivirus solution you need to be sure these products are not scanning critical Exchange components. Microsoft publishes an extensive list of file, folder and, process exclusions to include in your antivirus configuration.

There are eighty-four exclusions in total.

Adding these exclusions are critical to the health and performance of Exchange. Without these exclusions, antivirus software could lock or quarantine files and processes critical to the operation of Exchange.

In this article, we explore how to add the required 84 exclusions to Windows Defender Antivirus. We also have a basic script to automate adding these exclusions for you.

Let’s get started!

Adding Exchange exclusions with PowerShell

Adding 84 exceptions manually through the graphical user interface would be time-consuming, tedious and, prone to human error. This only magnifies with the number of Exchange servers we need to deploy. Windows Defender can be managed through multiple methods (such as System Center or Group Policy). However, for this article, we will explore adding the required exclusions using PowerShell.

To add an exclusion via PowerShell we can use the Add-MpPreference cmdlet. For a folder exclusion, we combine this with the -ExclusionPath parameter. For example, a folder exclusion may look like this.

 C:\> Add-MpPreference -ExclusionPath %SystemRoot%\Cluster

A folder exclusion not only excludes the folder and its files but also all sub-folders. [Read more…] about Required Exchange exclusions for Windows Defender Antivirus

How to create an Office 365 mailbox (in hybrid)

September 2, 2017 By Gareth Gudger 11 Comments

32 Shares

When a company has implemented Exchange hybrid and has moved some or all their users to Office 365, the question “How do I create a mailbox in Office 365?” frequently comes up.

In this article, we explore how to create a mailbox in Exchange Online when directory synchronization is in place. For this article, we will explore this process using Exchange 2016. We will look at how to complete this task with the GUI and PowerShell. Note that these steps are identical for Exchange 2013.

Using the Exchange Admin Center

This is the simplest and quickest way to create a mailbox in Office 365. The drawback to this solution is that it only allows you to create an entirely new Active Directory user. A preexisting user without a mailbox cannot be enabled for an Office 365 mailbox using the GUI. To grant an existing user an Office 365 mailbox you will need to use PowerShell. Alternatively, that user could be given an on-prem mailbox and then move that mailbox to Office 365.

If your current process is to create a new account in Active Directory first and then enable the mailbox in Exchange second, I would recommend reversing these steps. Using the method below allows you to create a basic user in Active Directory with a mailbox in Office 365. Then you can go back into Active Directory to make any additional changes to the new account, such as group memberships.

For our example, we are going to create a new user called Wilfred Mott who will have a mailbox in Office 365. Wilfred does not currently have a user account in Active Directory so we can use this method. Wilfred’s email will be wilfred.mott@exchangeservergeek.com.

From your on-premises Exchange 2016 server, log into the Exchange Admin Center. Select the Recipients tab and Mailboxes sub tab. Click the New (plus sign) and select Office 365 mailbox.

Note: If you do not see this option you may be missing the required RBAC permissions, or, there is an issue with your hybrid configuration.

Selecting this option walks you through the process of creating a remote mailbox in Office 365. The benefit here is that you do not need to migrate the mailbox after it is created as it already exists as an object in the cloud. Keep in mind that you will not see this mailbox in the Office 365 tenant until directory synchronization has run. [Read more…] about How to create an Office 365 mailbox (in hybrid)

Recover Exchange Server after total loss

June 26, 2017 By Gareth Gudger Leave a Comment

138 Shares

Being able to recover an Exchange Server is key to business continuity. This is magnified in environments where there is only a single Exchange server. Rebuilding an Exchange environment from scratch would be an arduous and monumental task. Luckily Exchange saves much of its configuration settings in Active Directory. As long as Active Directory is healthy you can recover an Exchange Server to its former configuration. This process saves a massive amount of time.

That said there are some items that are not stored in Active Directory. This includes the databases where the user and public folder data is stored, third-party certificates and, customizations made outside of the Exchange management tools.

Certificates are easy. If you don’t have a backup you can have your certificate re-keyed by your provider. This may take some time so it is much better to export your Exchange server certificate and save it to a safe location. Then it can be quickly imported in the event of a failure. This will reduce downtime.

Databases are a little more difficult. Depending on the nature of the failure they may need to be restored from backup. The time required for restore largely depends on the size of the database. With the Exchange standard license you get five databases. So, rather than one large database, go with five smaller ones. These greatly aides your recovery time objective (RTO). Exchange enterprise allows up to a hundred databases giving you even greater capacity.

I always recommend that you architect a database availability group (DAG) where possible. Even if your budget can only cover two Exchange servers–creating a two-member DAG with two copies of each database–will put you miles ahead when it comes to disaster recovery. The instructions to recover a DAG member differ and we will cover that in a later article.

Configuration outside of the Exchange tools is going to be a little tougher. You will either need documentation so the changes can be repeated, or, a backup of the changes. Customizations outside of Exchange can include the registry, IIS, or, text-based configuration files. [Read more…] about Recover Exchange Server after total loss

Quickly copy an Anonymous Receive Connector “Relay” between servers

June 18, 2017 By Gareth Gudger Leave a Comment

70 Shares

In this article, we are going to take a look at just how easy it can be to copy an anonymous receive connector from one server to another using PowerShell.

Anonymous Receive Connector Relay

This is especially important in scenarios where a receive connector may have dozens–if not hundreds–of IPs. Adding each IP using the graphical user interface would be insanely time-consuming. It would also be prone to human error. This challenge only multiplies if you have many servers to repeat this process on. With PowerShell, we can cut this task down to mere seconds.

The first part of this article is a primer on how to configure an anonymous receive connector. If you are just interested in how to copy all IPs from one connector to another jump to the section titled Copying an Anonymous “Relay” Connector between servers.

Note: While this article focuses on moving an anonymous receive connector it can be adapted for any custom receive connector you have created.

A quick primer on anonymous receive connectors

Before we explore how to move a receive connector let’s take a refresher on how we create a receive connector with PowerShell. For this task, we use the New-ReceiveConnector cmdlet. For example, to create an anonymous receive connector our command might look like this.

 C:\> New-ReceiveConnector -Name "Anonymous Relay" -Server EX16-01 -Usage Custom -TransportRole FrontEndTransport -PermissionGroups AnonymousUsers -Bindings 0.0.0.0:25 -RemoteIPRanges 10.0.0.25, 10.0.0.26, 10.0.0.50-10.0.0.59

In this command, we create a receive connector named “Anonymous Relay”. We use the -Server parameter to identify which server we want the connector to be created on. We identify that the -Usage of the connector will be Custom. Custom is one of five connector types and is used for anonymous relays. [Read more…] about Quickly copy an Anonymous Receive Connector “Relay” between servers

Renew a Certificate in Exchange 2016

August 2, 2016 By Gareth Gudger Leave a Comment

74 Shares

In this article, we explore the process of renewing a certificate in Exchange 2016. We demonstrate how to accomplish this using the Exchange Admin Center and PowerShell.

If you are looking to renew a certificate then this article is for you. If this is your first time requesting a certificate I recommend checking these articles instead.

- Generate a Certificate Request for Exchange 2016

- Complete a Certificate Request in Exchange 2016

Assign Services to a Certificate in Exchange 2016

Let’s get started!

Note: These steps will also work for Exchange 2013.

Renew a Certificate with Exchange Admin Center

Log into the Exchange Admin Center (EAC). Select the Servers tab and Certificates sub tab.

This page displays all currently installed Exchange certificates. In our example, we see four self-signed certificates. We also see the certificate that we acquired from a trusted certificate authority (affiliate). This certificate is named webmail.exchangeservergeek.com. This is the certificate we will be renewing.

Select the certificate to be renewed (in our case webmail.exchangeservergeek.com) and click the Renew link in the task pane to the right.

The renewal process will create a new certificate request to submit to our certificate authority. Specify a location to save this certificate request. This location must be in the form of a UNC path. In our example, we specify a file called certreq.txt at the path \\ex16-01\c$\users\supertekboy\desktop\. This will create a text file on our server’s desktop. Click Ok.

How to apply an Exchange product key

July 26, 2016 By Gareth Gudger Leave a Comment

65 Shares

In this article, we explore applying the Exchange product key. We will illustrate this process through both the Exchange Admin Center (EAC) and PowerShell. We will also look at how to license multiple servers at once and how to locate all unlicensed servers in your environment. This process is the same for both Exchange 2013 and 2016.

Apply the product key with Exchange Admin Center

To apply the product key through the Exchange Admin Center follow these steps.

Log into the Exchange Admin Center (EAC). Navigate to the Servers tab and then the Servers sub-tab at the top.

Select the server you wish to apply the key and click the Edit () button.

From the General tab enter your 25-character product key into the 5 boxes under Enter a valid product key section.

Make inbound SMTP highly available with Kemp LoadMaster

June 17, 2016 By Gareth Gudger 4 Comments

205 Shares

Load Balancer Produkte Familie Kemp Technologies In a previous article, Configure Kemp Load Balancer for Exchange 2016, we explored how to make client access services highly available for Exchange 2016. In this article, we continue that trend by making the Simple Mail Transfer Protocol (otherwise known as SMTP) highly available.

If you don’t have a load balancer you can download one for free from Kemp. Kemp’s free appliance is what we will use in this guide.

Don’t worry. Despite the focus being on Kemp, you can translate these principles to any vendor.

Let’s get started!

Disclaimer: I need to point out that I am not sponsored by Kemp in any way. However, this document does contain some affiliate links.

The environment

In our example below we plan to have two Exchange 2016 servers behind a load balancer in a single site; EX16-01 and EX16-02.

Make inbound SMTP highly available with Kemp LoadMasters

Extend, Prepare and Verify Active Directory for Exchange 2016

June 15, 2016 By Gareth Gudger 1 Comment

66 Shares

Before you install Exchange 2016 you will need to perform a number of tasks in Active Directory. This is true for both migrating an older version of Exchange, or, installing into a greenfield that has had no prior iteration of Exchange. This will involve the following tasks.

Extend the schema
Prepare the organization
Prepare the domains

Setup will perform these steps during its main installation if it determines they have not been run. So, you may wonder why you would ever perform these steps manually.

One possibility is that a company operates in a split-permissions model. In large organizations, two separate teams may manage Active Directory and Exchange. If least privilege is in place it is likely that the Exchange team cannot perform elevated Active Directory tasks such as schema extensions. Similarly, the Active Directory team may not have permissions to manage Exchange. In this case, the Active Directory team will need to run the commands manually before the main setup.

Another possibility is that a company may have a large geographically dispersed network with multiple Active Directory sites. It could have its schema master in one site and its Exchange servers in a totally different site. The links between these sites could have any number of restrictions upon them, such as a long interval between replication cycles. In that case, the company will need to run the command manually in site hosting the schema master and allow time for replication.

This article illustrates how to perform these tasks from a command line.

Tip: These same instructions also work for Exchange 2013 installations. In addition, these tasks often have to be repeated when performing cumulative updates. For more information on whether your cumulative update requires these commands be sure to check official Microsoft documentation.

Extending the Schema

To do this we must first open an elevated command prompt. We need to do this from a machine running Windows Server 2012 or 2012 R2. This machine must also be in the same site and domain as the schema master. The computer we execute this from does not have to be a domain controller. For smaller companies with a single-domain/single-site environment, we can simply run these commands from the intended Exchange server.

Tip: To perform this update you must be a member of both the Enterprise and Schema admin groups.

Command Prompt Run As Administrator

Change to the directory containing your Exchange 2016 setup files and issue the following command. Be sure to include the license agreement switch.

C:\Ex2016Setup> Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms

After several minutes the command will complete. You should see an output similar to the following. [Read more…] about Extend, Prepare and Verify Active Directory for Exchange 2016