For purposes of providing an example, the template uses the fictitious company name of Contoso. Also, you can download this template, along with templates for other server roles, as a download package in .zip file format at Microsoft Exchange Server 2010 Install Guide Templates (http://go.microsoft.com/fwlink/?LinkID=187961).
Executive Summary
The purpose of this document is to explain the installation and configurations necessary to install the Exchange 2010 Client Access server role on the Windows Server 2008 platform.
Business Justification
By having an installation guide, Contoso will be able to ensure standardization across the enterprise, reducing total cost of ownership (TCO), and easing troubleshooting steps.
Scope
The scope of this document is limited to installation of an Exchange 2010 Client Access server for Contoso on the x64 version of the Windows Server 2008 (SP2 or R2) operating system.
Prerequisites
The administrator should have working knowledge of Windows Server 2008 concepts, Exchange 2010 concepts, the Exchange Management Console and Exchange Management Shell, the command line, and various system utilities. This document does not elaborate on the details of any system utility except as necessary to complete the tasks within.
In addition, before implementing the server role, the administrator should review the Understanding Client Access topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187352).
Assumptions
This document assumes that Windows Server 2008 x64 Edition is installed on the intended Client Access server per company baseline regulations, which include the latest approved service pack and hotfixes. In addition, the following system prerequisites have been installed:
Microsoft .NET Framework 3.5 SP1 and the update for .NET Framework 3.5 SP1. For more information, see Microsoft Knowledge Base article 959209, An update for the .NET Framework 3.5 Service Pack 1 is available (http://go.microsoft.com/fwlink/?linkid=3052&kbid=959209).
Windows Management Framework (Windows Remote Management 2.0 and Windows PowerShell 2.0).
This document assumes that forest and domain preparation steps have been performed as described in the Prepare Active Directory and Domains topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187262).
This document assumes that the account you will be using for the Exchange tasks has been delegated the Server Management management role, as described in the Server Management topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187265).
This document also assumes that both Exchange 2010 and Windows Server 2008 will be secured following the best practices found in the Windows Server 2008 Security Guide (http://go.microsoft.com/fwlink/?LinkId=122593).
Important: The procedures within this document should be followed sequentially. If changes are made out of sequence, unexpected results may occur.
Server Configuration
The following media are required for this section:
Windows Server 2008 installation files
The following procedures are in this section:
1. Additional Software Verification
2. Network Interfaces Configuration
3. Drive Configuration
4. Windows Server 2008 Hotfix Installation
5. Domain Membership Configuration
6. Local Administrators Verification
7. Local Administrator Account Password Reset
8. Debugging Tools Installation
9. Page File Modifications
10. Drive Permissions
11. Windows Network Load Balancing Installation and Configuration
12. DNS Entry Creation
Drive Configuration
1. Connect to the server through Remote Desktop, and then log on with an account that has been delegated local administrative access.
2. Click Start > Administrative Tools, and then select Computer Management.
3. Expand Storage, and then click Disk Management.
4. Using the Disk Management snap-in of the Microsoft Management Console (MMC), format, rename, and assign the appropriate drive letters so that the volumes and DVD drive match the appropriate server configuration.
Drive configuration
LUN   Drive letter   Usage
1     C
2     Z
7. Under Virtual Memory, click Change.
8. On servers that have a dedicated page file drive, follow these steps:
   a. In the Drive list, click C:, and then click Custom size.
   b. For the C: drive, set the Initial Size (MB) value to a minimum of 200 MB. (Windows requires between 150 MB and 2 GB of page file space, depending on server load and the amount of physical RAM that is available for page file space on the boot volume when Windows is configured for a kernel memory dump. Therefore, you may be required to increase the size.)
   c. For the C: drive, set the Maximum Size (MB) value to that of the Initial Size.
   d. In the Drive list, select the page file drive (for example, the P: drive), and then click Custom size.
   e. In the Initial Size (MB) box, type the result of one of the following calculations: If the server has less than 8 GB of RAM, multiply the amount of RAM by 1.5. If the server has 8 GB of RAM or more, add 10 MB to the amount of RAM.
   f. In the Maximum Size (MB) box, type the same amount that you typed in the Initial Size box.
   g. Delete all other page files.
   h. Click OK.
9. On servers that do not have a dedicated page file drive, follow these steps:
   a. In the Drive list, click C:, and then click Custom size.
   b. For the C: drive, in the Initial Size (MB) box, type the result of one of the following calculations: If the server has less than 8 GB of RAM, multiply the amount of RAM by 1.5. If the server has 8 GB of RAM or more, add 10 MB to the amount of RAM.
   c. Delete all other page files.
   d. Click OK.
10. Click OK two times to close the System Properties dialog box.
11. Click No if prompted to restart the system.
Note: For more information about page file recommendations, see the following Microsoft Knowledge Base articles: How to determine the appropriate page file size for 64-bit versions of Windows Server 2003 or Windows XP (http://go.microsoft.com/fwlink/?linkid=3052&kbid=889654); and Overview of memory dump file options for Windows Vista, Windows Server 2008, Windows Server 2003, Windows XP, and Windows 2000 (http://go.microsoft.com/fwlink/?linkid=3052&kbid=254649).
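The page file sizing rule from steps 8 and 9, applied through WMI instead of the System Properties dialog, as an added example that is not part of the Contoso template. It assumes C: is the boot volume and that a dedicated page file drive, when present, is passed as a drive letter such as P:; for the no-dedicated-drive case (step 9) the maximum size is set equal to the initial size, which the template states explicitly only for step 8.

```powershell
# Added example, not from the template. Computes and applies the page file
# sizes from steps 8/9 with the Win32_ComputerSystem and Win32_PageFileSetting
# WMI classes. Drive letters (C:, P:) are assumptions.
function Get-ContosoPageFileSizeMB {
    param([Parameter(Mandatory=$true)][long]$TotalRamBytes)
    $ramMB = [math]::Ceiling($TotalRamBytes / 1MB)
    if ($ramMB -lt 8192) { return [int]($ramMB * 1.5) }   # below 8 GB: RAM x 1.5
    return [int]($ramMB + 10)                              # 8 GB or more: RAM + 10 MB
}

function Set-ContosoPageFileEntry {
    param([string]$ComputerName, [string]$Drive, [int]$SizeMB)
    $name = "$Drive\pagefile.sys"
    $entry = Get-WmiObject Win32_PageFileSetting -ComputerName $ComputerName |
        Where-Object { $_.Name -eq $name }
    if (-not $entry) {
        $entry = Set-WmiInstance -Class Win32_PageFileSetting -ComputerName $ComputerName `
            -Arguments @{ Name = $name }
    }
    # Initial and maximum size are identical so the file never grows (steps 8c/8f).
    $entry.InitialSize = $SizeMB
    $entry.MaximumSize = $SizeMB
    $null = $entry.Put()
}

function Set-ContosoPageFile {
    param(
        [string]$ComputerName  = $env:COMPUTERNAME,
        [string]$PageFileDrive = $null      # e.g. 'P:'; leave empty when no dedicated drive
    )
    # Custom sizes are ignored while Windows manages the page file itself.
    $cs = Get-WmiObject Win32_ComputerSystem -ComputerName $ComputerName
    if ($cs.AutomaticManagedPagefile) {
        $cs.AutomaticManagedPagefile = $false
        $null = $cs.Put()
    }
    $sizeMB = Get-ContosoPageFileSizeMB -TotalRamBytes ([long]$cs.TotalPhysicalMemory)

    # Steps 8g / 9c: delete every page file except the ones configured below.
    $keep = @('C:')
    if ($PageFileDrive) { $keep += $PageFileDrive.ToUpper() }
    Get-WmiObject Win32_PageFileSetting -ComputerName $ComputerName |
        Where-Object { $keep -notcontains $_.Name.Substring(0, 2).ToUpper() } |
        ForEach-Object { $_.Delete() }

    if ($PageFileDrive) {
        # Step 8b/8c: keep a small page file on C: for kernel dumps; the main file
        # goes on the dedicated drive (steps 8d-8f).
        Set-ContosoPageFileEntry -ComputerName $ComputerName -Drive 'C:' -SizeMB 200
        Set-ContosoPageFileEntry -ComputerName $ComputerName -Drive $PageFileDrive -SizeMB $sizeMB
    } else {
        Set-ContosoPageFileEntry -ComputerName $ComputerName -Drive 'C:' -SizeMB $sizeMB   # step 9b
    }
    Write-Output ("Page file set to {0} MB (RAM {1} MB)" -f $sizeMB, [math]::Ceiling($cs.TotalPhysicalMemory / 1MB))
}
```

As in step 11, the new sizes take effect only after the server is restarted later in the procedure.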
Drive Permissions
1. Connect to the server through Remote Desktop, and then log on with an account that has been delegated local administrative access.
2. Click Start, and then select Computer.
3. Right-click the D drive, and then select Properties.
4. Click the Security tab.
5. Click Edit.
6. Click Add, and then select the local server from Locations.
7. Grant the rights outlined in the following table.
Drive permissions
Account               Permissions
Administrators        Full Control
SYSTEM                Full Control
Authenticated Users   Read and Execute, List, Read
CREATOR OWNER         Full Control
8. Click the Advanced button.
9. Select the CREATOR OWNER permission entry, and then click View/Edit.
10. Select Subfolders and Files Only from the drop-down list.
11. Click OK two times.
12. Click OK to close the drive properties.
13. Repeat steps 3-12 for each additional drive (other than the C drive).
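The same "Drive permissions" table applied with icacls.exe to every fixed drive other than C:, as an added example that is not part of the Contoso template; it assumes icacls.exe is present (it ships with Windows Server 2008). Like the Edit button in step 5, /grant merges the entries into the existing ACL rather than replacing it.

```powershell
# Added example, not from the template. Grants the ACEs from the "Drive
# permissions" table (steps 7-13) on each non-system fixed drive and prints the
# resulting ACL for the change record.
function Get-ContosoDataDrives {
    # DriveType 3 = local fixed disk; the C drive is excluded as in step 13.
    Get-WmiObject Win32_LogicalDisk -Filter "DriveType=3" |
        Where-Object { $_.DeviceID -ne 'C:' } |
        ForEach-Object { $_.DeviceID }
}

function Set-ContosoDataDriveAcl {
    param([string[]]$Drives = $(Get-ContosoDataDrives))
    foreach ($drive in $Drives) {
        $root = "$drive\"
        # (OI)(CI) = applies to this folder, subfolders and files.
        # (OI)(CI)(IO) = inherit-only, i.e. "Subfolders and Files Only" (steps 9-10).
        # F = Full Control; RX = Read and Execute, which includes List and Read.
        & icacls.exe $root /grant `
            'BUILTIN\Administrators:(OI)(CI)F' `
            'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
            'NT AUTHORITY\Authenticated Users:(OI)(CI)RX' `
            'CREATOR OWNER:(OI)(CI)(IO)F'
        if ($LASTEXITCODE -ne 0) {
            throw "icacls failed on $root (exit code $LASTEXITCODE)"
        }
        # Show the ACL that is now in effect so it can be verified against the table.
        & icacls.exe $root
    }
}

Set-ContosoDataDriveAcl
```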
HTTPS (TCP443), IMAP4 (TCP143 and TCP993), POP3 (TCP110 and TCP995), RPC Endpoint Mapper (TCP135), Address Book service (TCP59595), and RPC Client Access (TCP59596).
Note: The instructions use TCP59595 and TCP59596 for the Address Book and RPC Client Access services, but you can use any TCP high ports that are available within the environment between ports 59530 and 60554.
1. Connect to the server via Remote Desktop, and then log on with an account that has been delegated local administrative access.
2. Install Network Load Balancing for your operating system:
   a. Windows Server 2008 SP2: Open an administrative command prompt window and run the following command:
      ServerManagerCmd.exe -i NLB
   b. Windows Server 2008 R2: Open an elevated Windows PowerShell console, and run the following commands:
      Import-Module ServerManager
      Add-WindowsFeature NLB
3. Click Start > Administrative Tools, and then right-click Network Load Balancing Manager.
4. Click Cluster > New.
5. In the New Cluster wizard, enter the local server's computer name, click Connect, and then select the appropriate network connection.
6. Click Next.
7. In the Host Parameters section, verify the host's IP address and subnet mask.
8. Click Next.
9. In the Cluster IP Address section, click Add and enter:
   a. IP Address
   b. Subnet Mask
10. Click Next.
11. In the Cluster Parameters section, enter the Full Internet Name (for example, mail.contoso.com) that will be used by the cluster, and make sure Unicast is selected.
12. Click Next.
13. In the Port Rules section, select the default rule and click Edit.
14. Under Port Range, change the From value to 80 and the To value to 80.
15. Under Protocols, select TCP.
16. Click OK.
17. Click Add to create a new port rule.
   a. Under Port Range, change the From value to 443 and the To value to 443.
   b. Under Protocols, select TCP.
   c. Click OK.
Note: If you are using IMAP or POP in the environment, be sure to create the appropriate rules.
18. Click Add to create a new port rule.
   a. Under Port Range, change the From value to 143 and the To value to 143.
   b. Under Protocols, select TCP.
   c. Click OK.
19. Click Add to create a new port rule.
   a. Under Port Range, change the From value to 110 and the To value to 110.
   b. Under Protocols, select TCP.
   c. Click OK.
20. Click Add to create a new port rule.
   a. Under Port Range, change the From value to 993 and the To value to 993.
   b. Under Protocols, select TCP.
   c. Click OK.
21. Click Add to create a new port rule.
   a. Under Port Range, change the From value to 500 and the To value to 500.
   b. Under Protocols, select UDP.
   c. Click OK.
Note: The above rule for UDP 500 should be created only if you are using IPsec in the environment.
22. Click Add to create a new port rule.
   a. Under Port Range, change the From value to 995 and the To value to 995.
   b. Under Protocols, select TCP.
   c. Click OK.
23. Click Add to create a new port rule.
   a. Under Port Range, change the From value to 135 and the To value to 135.
   b. Under Protocols, select TCP.
   c. Click OK.
24. Click Add to create a new port rule.
   a. Under Port Range, change the From value to 59595 and the To value to 59596.
   b. Under Protocols, select TCP.
   c. Click OK.
25. Click OK.
26. Click OK to acknowledge the resulting dialog box.
27. While still in the internal network connection properties, click Internet Protocol (TCP/IP) and select Properties.
28. Click Advanced.
29. Under IP Addresses, click Add.
   a. Enter the virtual IP Address and Subnet Mask, and click OK.
   b. Click OK.
30. Click Finish to complete the New Cluster wizard.
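The cluster and port-rule set from steps 4-26 built with the NetworkLoadBalancingClusters PowerShell module that ships with Windows Server 2008 R2, as an added example that is not part of the Contoso template. The interface name, virtual IP, subnet mask and cluster FQDN are assumed values, and the rule mode and affinity (Multiple, Single) are the wizard defaults, which the template does not change.

```powershell
# Added example, not from the template. Creates the unicast NLB cluster and the
# per-port rules from the procedure, then lists the rules for verification.
Import-Module NetworkLoadBalancingClusters

$InterfaceName = 'Local Area Connection'   # assumed name of the internal NIC (step 5)
$ClusterIp     = '10.0.0.50'               # assumed virtual IP address (step 9)
$SubnetMask    = '255.255.255.0'           # assumed subnet mask (step 9)
$ClusterFqdn   = 'mail.contoso.com'        # full Internet name (step 11)

# Port rules from steps 14-24. Drop the IMAP4/POP3 entries if those protocols are
# not offered, and the UDP 500 entry unless IPsec is used (note after step 21).
$PortRules = @(
    @{ Protocol = 'Tcp'; Start = 80;    End = 80    },   # HTTP (default rule, steps 14-16)
    @{ Protocol = 'Tcp'; Start = 443;   End = 443   },   # HTTPS
    @{ Protocol = 'Tcp'; Start = 143;   End = 143   },   # IMAP4
    @{ Protocol = 'Tcp'; Start = 110;   End = 110   },   # POP3
    @{ Protocol = 'Tcp'; Start = 993;   End = 993   },   # IMAP4 over SSL
    @{ Protocol = 'Udp'; Start = 500;   End = 500   },   # IKE, only when IPsec is in use
    @{ Protocol = 'Tcp'; Start = 995;   End = 995   },   # POP3 over SSL
    @{ Protocol = 'Tcp'; Start = 135;   End = 135   },   # RPC Endpoint Mapper
    @{ Protocol = 'Tcp'; Start = 59595; End = 59596 }    # Address Book / RPC Client Access
)

# Steps 5-12: create the cluster in unicast mode on the chosen interface.
New-NlbCluster -InterfaceName $InterfaceName -ClusterPrimaryIP $ClusterIp `
    -SubnetMask $SubnetMask -ClusterName $ClusterFqdn -OperationMode Unicast | Out-Null

# Step 13: the wizard's default rule spans 0-65535. Remove it so that only the
# listed ports are load balanced; other traffic is handled by the default host only.
Get-NlbClusterPortRule -InterfaceName $InterfaceName |
    Remove-NlbClusterPortRule -Force

foreach ($rule in $PortRules) {
    Add-NlbClusterPortRule -InterfaceName $InterfaceName `
        -StartPort $rule.Start -EndPort $rule.End -Protocol $rule.Protocol `
        -Mode Multiple -Affinity Single | Out-Null
}

# Verification: the rules now in effect should match the table above.
Get-NlbClusterPortRule -InterfaceName $InterfaceName |
    Select-Object StartPort, EndPort, Protocol, Mode, Affinity |
    Format-Table -AutoSize
```

Steps 27-30 (adding the virtual IP to the adapter) are still done on the adapter as described above.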
Verification Steps
The following procedures are in this section:
1. Organizational Unit Verification
2. Active Directory Site Verification
3. Domain Controller Diagnostics Verification
4. Exchange Best Practices Analyzer Verification
Important: The procedures within this document should be followed sequentially. If changes are made out of sequence, unexpected results may occur.
The following procedures are in this section:
1. Exchange 2010 Prerequisites Installation for Windows Server 2008 SP2 or Windows Server 2008 R2
2. Exchange 2010 Installation
3. Exchange 2010 Update Rollup Installation
4. Product Key Configuration
5. System Performance Verification
Important: The procedures within this document should be followed sequentially. If changes are made out of sequence, unexpected results may occur.
3. After the system has restarted, log on as an administrator, open an elevated Windows PowerShell console, and configure the Net.Tcp Port Sharing Service for automatic startup by running the following command:
   Set-Service NetTcpPortSharing -StartupType Automatic
4. After receiving the certificate, import and enable it by running the following Exchange Management Shell command, where [services] can be POP, IMAP, IIS, or a combination:
   Import-ExchangeCertificate -path c:\newcert.cer | Enable-ExchangeCertificate -services "[services]"
5. To mandate SSL on the default Web site, do the following:
   a. Open Internet Information Services (IIS) Manager.
   b. Expand the Server Node object and the Sites node.
   c. Click the Default Web Site.
   d. In the middle pane, double-click SSL Settings.
   e. Verify that Require secure channel (SSL) is enabled.
Note: If you require 128-bit encryption, also verify that Require 128-bit encryption is enabled.
Important: Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.
   a. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem
   b. Right-click Performance, point to New, and then click DWORD (32-bit) Value.
   c. Type TCP/IP Port to name the new value.
   d. Double-click TCP/IP Port.
   e. In the Value data box, type 59595, and then click OK.
Configure a static port for the Microsoft Exchange Address Book service by performing the steps below for your version of Exchange 2010.
In the Release to Manufacturing (RTM) version of Exchange 2010:
1. Navigate to <Exchange Install Path>\bin.
2. Open the Microsoft.Exchange.AddressBook.Service.exe.config file in Notepad and add the following entry to the <appSettings> section of the file:
   <add key="RpcTcpPort" value="59596" />
3. Save and close the file.
In Exchange 2010 Service Pack 1 (SP1):
1. Start Registry Editor.
Important: Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.
   a. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeAB
   b. Right-click MSExchangeAB, point to New, and then click Key.
   c. Type Parameters to name the new key.
   d. Right-click Parameters, point to New, and then click String Value.
   e. Type RpcTcpPort to name the new value.
   f. Double-click RpcTcpPort.
   g. In the Value data box, type 59596, and then click OK.
2. Close Registry Editor, and then restart the Microsoft Exchange Address Book service.
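A read-back check for the static port configuration above on an SP1 server, as an added example that is not part of the Contoso template: it reads the two registry values just set (RPC Client Access 59595, Address Book 59596, the assignments used in this section), compares them with the expected numbers, and confirms that each port is actually accepting connections on the local server before the NLB port rule and firewall exceptions are relied on. Function names are this example's own.

```powershell
# Added example, not from the template. Verifies the SP1 static RPC ports from
# the registry and by a local TCP connect; run after the services have restarted.
function Get-ContosoStaticRpcPorts {
    $rpc = Get-ItemProperty -ErrorAction SilentlyContinue `
        -Path 'HKLM:\System\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem' `
        -Name 'TCP/IP Port'
    $ab  = Get-ItemProperty -ErrorAction SilentlyContinue `
        -Path 'HKLM:\System\CurrentControlSet\Services\MSExchangeAB\Parameters' `
        -Name 'RpcTcpPort'
    $rpcPort = $null; if ($rpc) { $rpcPort = [int]$rpc.'TCP/IP Port' }   # DWORD value
    $abPort  = $null; if ($ab)  { $abPort  = [int]$ab.RpcTcpPort }       # String value
    @{ RpcClientAccess = $rpcPort; AddressBook = $abPort }
}

function Test-ContosoPortListening {
    param([string]$ComputerName = 'localhost', [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Expected values are the ones typed in steps e and g above.
$expected = @{ RpcClientAccess = 59595; AddressBook = 59596 }
$actual   = Get-ContosoStaticRpcPorts
foreach ($svc in $expected.Keys) {
    $match = ($actual[$svc] -eq $expected[$svc])
    $listening = $false
    if ($match) { $listening = Test-ContosoPortListening -Port $actual[$svc] }
    "{0,-16} registry={1,-6} expected={2,-6} match={3,-5} listening={4}" -f `
        $svc, $actual[$svc], $expected[$svc], $match, $listening
}
```

A registry value that matches but is not listening usually means the corresponding service has not been restarted since the change.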
Autodiscover Configuration
Exchange 2010 includes a service named the Autodiscover service. The Autodiscover service makes it easier to configure Outlook 2007 or Outlook 2010 and some mobile phones. For more information, see the Understanding the Autodiscover Service topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=194169).
1. Launch the Exchange Management Shell with an account that has been delegated the Server Management role.
2. Configure the internal Autodiscover URL by running the following command within the Exchange Management Shell. In the following example, CAS01 is the name of the Client Access server and internal.domain.fqdn is the internal namespace used for Autodiscover:
   Set-ClientAccessServer -Identity CAS01 -AutoDiscoverServiceInternalUri https://internal.domain.fqdn/autodiscover/autodiscover.xml
3. Optional: Follow the procedure outlined in the Configure the Exchange Services for the Autodiscover Service topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187243) to configure the Autodiscover service for use by Internet clients. This will enable Outlook Anywhere and set the external URL parameter of the offline address book (OAB), Web Services, and Unified Messaging virtual directories.
4. Optional: Follow the procedure outlined in the Configure Exchange ActiveSync Autodiscover Settings topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187244) for usage by mobile clients.
5. Optional: Enable site affinity by following the procedure outlined in the Configure the Autodiscover Service to Use Site Affinity topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187245).
6. Verify that Autodiscover functions correctly by following the procedure outlined in the Test Outlook Autodiscover Connectivity topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187247).
IMAP4 Configuration
If the Client Access server will not allow IMAP4 connections, you can skip this section.
1. Launch the Exchange Management Shell with an account that has been delegated the Server Management role.
   a. To configure the IMAP4 bindings, run the following command. In the following example, CAS01 is the Client Access server and 0.0.0.0 means any IP address.
      Set-ImapSettings -Server CAS01 -UnencryptedOrTLSBindings 0.0.0.0:143 -SSLBindings 0.0.0.0:993
   b. To disable plain text authentication and enable the custom calendar item retrieval option for IMAP4, run the following command. In the following example, mail.contoso.com is the certificate name and external URL.
      Set-ImapSettings -Server CAS01 -X509CertificateName mail.contoso.com -LoginType SecureLogin -CalendarItemRetrievalOption Custom -OwaServerUrl https://mail.contoso.com/owa
   c. To enable the Exchange IMAP4 service for automatic startup, run the following command:
      Set-Service MSExchangeIMAP4 -ComputerName CAS01 -StartupType automatic
POP3 Configuration
If the Client Access server will not allow POP3 connections, you can skip this section.
1. Launch the Exchange Management Shell with an account that has been delegated the Server Management role.
   a. To configure the POP3 bindings, run the following command. In the following example, CAS01 is the Client Access server and 0.0.0.0 means any IP address.
      Set-PopSettings -Server CAS01 -UnencryptedOrTLSBindings 0.0.0.0:110 -SSLBindings 0.0.0.0:995
   b. To disable plain text authentication and enable the custom calendar item retrieval option for POP3, run the following command. In the following example, mail.contoso.com is the certificate name and external URL.
      Set-PopSettings -Server CAS01 -X509CertificateName mail.contoso.com -LoginType SecureLogin -CalendarItemRetrievalOption Custom -OwaServerUrl https://mail.contoso.com/owa
   c. To enable the Exchange POP3 service for automatic startup, run the following command:
      Set-Service MSExchangePOP3 -ComputerName CAS01 -StartupType automatic
(http://go.microsoft.com/fwlink/?LinkId=187334) and the Set the Forms-Based Authentication Private Computer Cookie Time-Out Value topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187336).
4. Optional: Configure GZip compression by following the procedure outlined in the Configure Gzip Compression Settings topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187343).
5. Configure WebReady Document Viewing by following the procedure outlined in the Configure WebReady Document Viewing topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187344).
6. Configure private and public computer file access by following the procedure outlined in the Configure Public and Private Computer File Access topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187346).
7. Optional: If redirection is to be used, run the following commands from the Exchange Management Shell. In the following example, CAS01 is the name of the Client Access server and mail.contoso.com is the name of the external URL.
   Set-OwaVirtualDirectory -identity "CAS01\owa (Default Web Site)" -ExternalURL https://mail.contoso.com/owa
   Set-OwaVirtualDirectory -identity "CAS01\ecp (Default Web Site)" -ExternalURL https://mail.contoso.com/ecp
8. Optional: To simplify the Outlook Web App URL and redirect users to HTTPS, follow the procedure outlined in the Simplify the Outlook Web App URL topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187347).
9. Restart the Client Access server.
5. Configure private and public computer file access by following the procedure outlined in the Configure Public and Private Computer File Access topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187346).
6. Optional: To simplify the Outlook Web App URL and redirect users to HTTPS, follow the procedure outlined in the Simplify the Outlook Web App URL topic in the Exchange Server 2010 Library (http://go.microsoft.com/fwlink/?LinkId=187347).
7. Restart the Client Access server.
Handoff Test
Before you can complete the diagnostic tasks in this section, you must have already created test mailboxes in your environment by using the New-TestCasConnectivityUser.ps1 script.