Exchange Tutorials

In prior releases of Windows Server, Microsoft shipped basic malware protection through its Windows Defender software. For full protection either System Center Endpoint Protection, or, a third-party antivirus solution was required. With Windows Server 2016, Windows Defender matured into a fully-fledged antivirus solution. It has now been re-branded as Windows Defender Antivirus.

Regardless of whether you choose Windows Defender Antivirus, or, a third-party antivirus solution you need to be sure these products are not scanning critical Exchange components. Microsoft publishes an extensive list of files, folders and, process exclusions to include in your antivirus configuration.

There are eighty-four exclusions in total.

Adding these exclusions are critical to the health and performance of Exchange. Without these exclusions, antivirus software could lock or quarantine files and processes critical to the operation of Exchange.

In this article, we explore how to add the required 84 exclusions to Windows Defender Antivirus. We also have a basic script to automate adding these exclusions for you.

Let’s get started!

Adding Exchange exclusions with PowerShell

Adding 84 exceptions manually through the graphical user interface would be time-consuming, tedious and, prone to human error. This only magnifies the number of Exchange servers we need to deploy. Windows Defender can be managed through multiple methods (such as System Center or Group Policy). However, for this article, we will explore adding the required exclusions using PowerShell.

To add an exclusion via PowerShell we can use the Add-MpPreference cmdlet. For a folder exclusion, we combine this with the -ExclusionPath parameter. For example, a folder exclusion may look like this.

 C:\> Add-MpPreference -ExclusionPath %SystemRoot%\Cluster

A folder exclusion not only excludes the folder and its files but also all sub-folders.

Being able to recover an Exchange Server is key to business continuity. This is magnified in environments where there is only a single Exchange server. Rebuilding an Exchange environment from scratch would be an arduous and monumental task. Luckily Exchange saves much of its configuration settings in Active Directory. As long as Active Directory is healthy you can recover an Exchange Server to its former configuration. This process saves a massive amount of time.

That said there are some items that are not stored in Active Directory. This includes the databases where the user and public folder data is stored, third-party certificates and, customizations made outside of the Exchange management tools.

Certificates are easy. If you don’t have a backup you can have your certificate re-keyed by your provider. This may take some time so it is much better to export your Exchange server certificate and save it to a safe location. Then it can be quickly imported in the event of a failure. This will reduce downtime.

Databases are a little more difficult. Depending on the nature of the failure they may need to be restored from backup. The time required for restore largely depends on the size of the database. With the Exchange standard license you get five databases. So, rather than one large database, go with five smaller ones. These greatly aides your recovery time objective (RTO). Exchange enterprise allows up to a hundred databases giving you even greater capacity.

I always recommend that you architect a database availability group (DAG) where possible. Even if your budget can only cover two Exchange servers–creating a two-member DAG with two copies of each database–will put you miles ahead when it comes to disaster recovery. The instructions to recover a DAG member differ and we will cover that in a later article.

Configuration outside of the Exchange tools is going to be a little tougher. You will either need documentation so the changes can be repeated, or, a backup of the changes. Customizations outside of Exchange can include the registry, IIS, or, text-based configuration files.

In this article, we are going to take a look at just how easy it can be to copy an anonymous receive connector from one server to another using PowerShell.

This is especially important in scenarios where a receive connector may have dozens–if not hundreds–of IPs. Adding each IP using the graphical user interface would be insanely time-consuming. It would also be prone to human error. This challenge only multiplies if you have many servers to repeat this process on. With PowerShell, we can cut this task down to mere seconds.

The first part of this article is a primer on how to configure an anonymous receive connector. If you are just interested in how to copy all IPs from one connector to another jump to the section titled Copying an Anonymous “Relay” Connector between servers.

Note: While this article focuses on moving an anonymous receive connector it can be adapted for any custom receive connector you have created.

A quick primer on anonymous receive connectors

Before we explore how to move a receive connector let’s take a refresher on how we create a receive connector with PowerShell. For this task, we use the New-ReceiveConnector cmdlet. For example, to create an anonymous receive connector our command might look like this.

 C:\> New-ReceiveConnector -Name "Anonymous Relay" -Server EX16-01 -Usage Custom -TransportRole FrontEndTransport -PermissionGroups AnonymousUsers -Bindings 0.0.0.0:25 -RemoteIPRanges 10.0.0.25, 10.0.0.26, 10.0.0.50-10.0.0.59

In this command, we create a receive connector named “Anonymous Relay”. We use the -Server parameter to identify which server we want the connector to be created on. We identify that the -Usage of the connector will be Custom. Custom is one of five connector types and is used for anonymous relays.

How to renew a certificate in Exchange

In this article, we explore the process of renewing a certificate in Exchange. We demonstrate how to accomplish this using the Exchange Admin Center and PowerShell. The high-level steps include:

• Create a new certificate signing request
• Upload the certificate signing request to your certificate provider
• Download the processed certificate from your certificate provider
• Install the certificate on Exchange
• Export the new certificate to a PFX file
• Import the certificate to all other Exchange servers
• Assign Exchange services to the new certificate on each server
• Delete the old certificate

Let’s get started!

Note: These steps are identical for Exchange 2013, 2016, and 2019.

Renew a Certificate with Exchange Admin Center

Log in to the Exchange Admin Center (EAC). Select the Servers tab and Certificates sub-tab.

This page displays all currently installed Exchange certificates. In our example, we see four self-signed certificates. We also see the certificate that we acquired from a trusted certificate authority (affiliate). This certificate is named webmail.exchangeservergeek.com. This is the certificate we will be renewing.

Select the certificate to be renewed (in our case webmail.exchangeservergeek.com) and click the Renew link in the task pane to the right.

The renewal process will create a new certificate request to submit to our certificate authority. Specify a location to save this certificate request. This location must be in the form of a UNC path. In our example, we specify a file called certreq.txt at the path \\ex16-01\c$\users\supertekboy\desktop\. This will create a text file on our server’s desktop. Click Ok.

In this article, we explore applying the Exchange product key. We will illustrate this process through both the Exchange Admin Center (EAC) and PowerShell. We will also look at how to license multiple servers at once and how to locate all unlicensed servers in your environment. This process is the same for both Exchange 2013 and 2016.

Apply the product key with Exchange Admin Center

To apply the product key through the Exchange Admin Center follow these steps.

Log into the Exchange Admin Center (EAC). Navigate to the Servers tab and then the Servers sub-tab at the top.

Select the server you wish to apply the key and click the Edit () button.

From the General tab enter your 25-character product key into the 5 boxes under Enter a valid product key section.