Building an Exchange 2013 LAB Environment using Windows Server 2012 from scratch – Part 7: Setting up DAG Databases and SSL…

Wow – part 7 – this is now (I think) officially the longest running series that I have written and not forgotten to finish (don’t worry, this is not the end; there is one more part to go). It took a little while to get this one off the deck as there are a few steps in this post that we need to go through. In retrospect I should perhaps have done a video for this – but I am trying to work through a “lip smacking” problem that someone commented on in one of my YouTube videos, which has left me a little self-conscious. Actually it hasn’t – I don’t care – I just didn’t think of doing one.

To recap – the previous parts (should you wish to read them, refresh or catch up) can be found below:

Part 1

We established our domain design, covered how to provision the Domain Controller for the LAB in Hyper-V and then how to install Windows Server 2012 on the Domain Controller.

Part 2

We went through the process of installing Active Directory Domain Services on the LAB domain controller using PowerShell.

Part 3

We covered how you can install a very simple PKI infrastructure on the domain controller using Active Directory Certificate Services. These will be used in a later part to configure SSL for various parts of Exchange 2013.

Part 4

We covered how to use PowerShell to provision Exchange server VM’s in the lab, and went through the pre-requisite software installation.

Part 5

We covered the Directory, organisation and Exchange preparation – and then went on to install the relevant Exchange servers using the unattended setup feature.

Part 6

We covered Database Availability Groups and provided a script which automates the creation of DAGs from a CSV file in preparation for…

Part 7 (bam! ~ back with a vengeance)

In this part I would like to cover:

  • Creating DAG Enabled Mailbox Databases
  • Configuring the relevant Autodiscover, EWS and Exchange web-based URLs using the Active Directory Certificate Services that we installed in Part 3

Create Mailboxes Script

Configuring Mailbox Databases in Exchange 2013 is not very hard – but in the spirit of this series, where I have been trying to show how you can use PowerShell to automate most tasks, I have written the following script, which performs the following:

  • Creates Mailbox Databases from the command line.
  • Sets the Offline Address Book to the “Default Offline Address Book”.
  • Mounts the new database.
  • Creates a copy of the new database on each node within the DAG.

You can copy and paste the script from this webpage into a new PS1 file on any of the Exchange Servers that we have created in this LAB – or you can download it from the download link below.

<#
    Exchange 2013 LAB - Create Mailbox Databases and Add Copies Script

    http://www.telnetport25.com

    Author: Andy Grogan
    Version: 0.1
    
    .Compatibility
    
    Windows Server 2012
    Powershell 3
    Exchange 2013
    Not Supported with any other versions of the software mentioned above.
    
    .Parameters
        -DBName
        -DBPath
        -LogFilePath
       
    
    .Example
        .\Create2013LabDBs.ps1 -DBName <DatabaseName> -DBPath <Path to database> -LogFilePath <Path to Log Files>
    
#>

[CmdletBinding()]
Param(
    [Parameter(Mandatory=$True)]
    [string]$DBName,

    [Parameter(Mandatory=$True)]
    [string]$DBPath,

    [Parameter(Mandatory=$True)]
    [string]$LogFilePath
)

# The database is created on, and mounted from, the server the script runs on
$LocalServerName = $ENV:ComputerName

function create_Databases{
    Write-Host "Creating Database - " $DBName -foregroundcolor White
    New-MailboxDatabase -Name $DBName -EDBFilePath "$DBPath\$DBName.edb" -LogFolderPath $LogFilePath -Server $LocalServerName
    Mount-Database -Identity $DBName
    Write-Host "Setting Offline Address Book" -foregroundcolor Cyan
    Set-MailboxDatabase $DBName -OfflineAddressBook "Default Offline Address Book"
}

function create_FolderStructure{

    if(!(Test-Path $DBPath)){
        Write-Host "Database Folder Path Not Found - Creating." -foregroundcolor Green
        New-Item $DBPath -Type Directory
    }else{
        Write-Host "Database path found." -foregroundcolor Cyan
    }

    if(!(Test-Path $LogFilePath)){
        Write-Host "Log Folder Path Not Found - Creating." -foregroundcolor Green
        New-Item $LogFilePath -Type Directory
    }else{
        Write-Host "Log path found." -foregroundcolor Cyan
    }

}

function add_databaseCopies{

    # Only the other members of the local server's DAG can hold a copy,
    # so enumerate the DAG membership rather than every mailbox server
    $DagName = (Get-MailboxServer -Identity $LocalServerName).DatabaseAvailabilityGroup
    $MailboxServers = Get-DatabaseAvailabilityGroup -Identity $DagName | Select-Object -ExpandProperty Servers | Select-Object -ExpandProperty Name

    foreach($SVR in $MailboxServers){
        if(!($SVR -eq $LocalServerName)){
            Write-Host "Adding Database Copy for - " $DBName -foregroundcolor White
            Add-MailboxDatabaseCopy -Identity $DBName -MailboxServer $SVR
        }
    }
}

create_FolderStructure
create_Databases
add_databaseCopies

Write-Host "Script Completed..." -foregroundcolor Green

Download

[ CreateMailboxDBS.ps1 – 2.1KB ]

UPDATE – 29/03/2013: A reader of this site requested a CSV enabled version of the above script – I have included it below with a sample CSV file should you wish to further automate the process of Mailbox Database Creation.

[ CreateMBXDBsCSV.ps1 – 2.6KB ]

[ sampleMBXDBCSV.csv – 1KB ]

Execute the script from the command line (with no parameters) and you will be asked to navigate to the location of the CSV file which contains the Mailbox Database Information – the script will then create the databases and add the mailbox database copies.

Creating DAG Enabled Mailbox Databases

Before you execute the script that you have downloaded from the link provided above, you will need to ensure that the Execution Policy is set to allow scripts downloaded from the internet to run. If you have been following this guide – this should already be in place – but just in case, please refer to the following article: http://www.telnetport25.com/2012/02/quick-tip-running-exchange-based-powershell-script-files-from-the-command-line-or-a-batch-file/

For the purposes of the LAB, using the script we shall create the following databases:

  • London_Office
  • Paris_Office
  • Dublin_Office

We will start with the London_Office. Open an Exchange Management Shell window and navigate to the location where you have stored the script. The script accepts the following command line parameters:

  • -DBName / The name of the database – if you plan to use spaces please enclose this in inverted commas.
  • -DBPath  / The physical path to the Exchange edb file – you do not need to provide the name of the database file as the script will create this for you – do not include a trailing slash at the end of the path.
  • -LogFilePath / The physical path to the log files location.

You do not have to have created any folders for the logs or databases as the script will also create these for you.

Below is an example of the command line that I have used in my LAB to create the London Office database:

.\CreateMailboxDBs.ps1 -DBName "London_Office" -DBPath "x:\ExchangeDatabases\London" -LogFilePath "x:\ExchangeLogs\London"


When the script executes you will see information similar to the following screen shot. The script will also pause whilst it seeds the databases on the other servers.


When the script has completed its actions – you will see the following output from the script.


You can then open up the Exchange Administration Center and check that your databases have been created correctly – see below.

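Once the three databases exist, it is worth confirming that every DAG member actually holds a healthy copy before moving on to SSL. The following check is an added example for this LAB and is not part of the post’s own script; it assumes you run it in the Exchange Management Shell and that the database names match those created above (the queue thresholds are illustrative).

```powershell
# Added example for the LAB: report any database copy that is not in a healthy state.
# Assumes the Exchange Management Shell and the three LAB databases created above.
param(
    [string[]]$DBNames = @("London_Office", "Paris_Office", "Dublin_Office"),
    [int]$MaxCopyQueue = 10,     # illustrative threshold (log files waiting to be copied)
    [int]$MaxReplayQueue = 10    # illustrative threshold (log files waiting to be replayed)
)

function Test-LabDatabaseCopies {
    param([string[]]$Names, [int]$CopyLimit, [int]$ReplayLimit)
    $problems = @()
    $servers = @(Get-MailboxServer | Select-Object -ExpandProperty Name)
    foreach ($db in $Names) {
        # "DB\*" returns the status of every copy of the database across the DAG
        $copies = @(Get-MailboxDatabaseCopyStatus -Identity "$db\*")

        # In this LAB every mailbox server is a DAG member, so each should hold a copy
        if ($copies.Count -ne $servers.Count) {
            $problems += "$db : expected $($servers.Count) copies, found $($copies.Count)"
        }
        # Exactly one copy should be active (Mounted); the others should be Healthy
        $mounted = @($copies | Where-Object { $_.Status.ToString() -eq "Mounted" })
        if ($mounted.Count -ne 1) {
            $problems += "$db : expected exactly one mounted copy, found $($mounted.Count)"
        }
        foreach ($c in $copies) {
            $status = $c.Status.ToString()
            if ($status -ne "Mounted" -and $status -ne "Healthy") {
                $problems += "$($c.Name): status is $status"
            }
            if ($c.ContentIndexState.ToString() -ne "Healthy") {
                $problems += "$($c.Name): content index is $($c.ContentIndexState)"
            }
            if ($c.CopyQueueLength -gt $CopyLimit -or $c.ReplayQueueLength -gt $ReplayLimit) {
                $problems += "$($c.Name): copy queue $($c.CopyQueueLength), replay queue $($c.ReplayQueueLength)"
            }
        }
    }
    return $problems
}

$issues = @(Test-LabDatabaseCopies -Names $DBNames -CopyLimit $MaxCopyQueue -ReplayLimit $MaxReplayQueue)
if ($issues.Count -eq 0) {
    Write-Host "All database copies are healthy." -ForegroundColor Green
} else {
    $issues | ForEach-Object { Write-Host $_ -ForegroundColor Yellow }
}
```

A freshly seeded passive copy can show a non-zero replay queue for a short while; re-run the check after a minute before treating it as a problem.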

Configuring SSL

Generating the Exchange Certificate

On either art-MBXCAS-01 or 02 open an Exchange Management Shell window and type in the following command, ensuring that you include all the domains (SANs) that you would like registered on the certificate in the -DomainName parameter (separated by commas) – see below.

New-ExchangeCertificate -FriendlyName "artLab Certificate" -DomainName autodiscover.artTest.local,owa.artTest.local,mail.artTest.local -GenerateRequest -PrivateKeyExportable $true -KeySize 2048 -RequestFile "x:\DomainCSRRequest.csr"


This will generate a new Certificate Signing Request (CSR) that we can submit to the Active Directory Certificate Services component which is installed on art-DC-01. The command will output a CSR file to a location that you specify which will contain text similar to that in the example below.


If you then run the following command you can see that there is now a pending certificate request:

Get-ExchangeCertificate | Where {$_.Status -eq "PendingRequest"} | fl


Open Internet Explorer on your Exchange server and navigate to http://art-dc-01/certsrv (or the name that you gave your domain controller). From the screen that appears, click on the “Request a Certificate” link – see below.


On the next screen click on the “Advanced Certificate Request” link – see below


On the next screen – click on the “Submit a certificate request by using a base 64 encoded CMC or PKCS #10 file” – see below


Open the CSR file that you created using the New-ExchangeCertificate cmdlet and copy and paste its content into the section on the next screen entitled “Base64 encoded certificate request (CMC or PKCS #10 or PKCS #7)” – ensure that the certificate template is set to “Web Server” and then click on the “Submit” button – see below.


You will be redirected to a screen where you can now download your certificate – click on the “Download Certificate” link – see below.


Save the certificate file to a location on art-MBXCAS-01 – see below:


Importing and enabling the Certificate

From within the Exchange Management Shell type in the commands below, ensuring that you provide the path to the certificate file that you downloaded. Note that you will need to provide the thumbprint of the imported certificate when you use Enable-ExchangeCertificate – bear in mind that the thumbprint of your certificate will differ from the one in my example. The second command enables the certificate for the web services (IIS).

Import-ExchangeCertificate -FileName X:\artTest.cer

Thumbprint                                Services   Subject
----------                                --------   -------
98F1888F5CD7B4C227B9FEB6A321E5AE6249CD3C  .......    CN=autodiscover.artTest.local

Enable-ExchangeCertificate 98F1888F5CD7B4C227B9FEB6A321E5AE6249CD3C -Services IIS


We now need to export this certificate from art-MBXCAS-01 to 02 – in order to do this type in the following Exchange Management Shell commands:

Verify the certificate thumbprint

Get-ExchangeCertificate

Thumbprint                                Services   Subject
----------                                --------   -------
98F1888F5CD7B4C227B9FEB6A321E5AE6249CD3C  ...W...    CN=autodiscover.artTest.local
6424884DC425680ABE842CBFA13E8FF590C94A90  ....S..    CN=Microsoft Exchange Server Auth Certificate
B265CDA2135D83E12453DCEA70C9BACDB698B05F  IP.WS..    CN=art-mbxcas-01
CB0DB4239F5D7E974B33F0E95EF5E01231183003  .......    CN=WMSvc-ART-MBXCAS-01

Export the Certificate

$export = Export-ExchangeCertificate 98F1888F5CD7B4C227B9FEB6A321E5AE6249CD3C -BinaryEncoded:$true -Password (Get-Credential).password

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:

You will be prompted for a user name and password – enter admin (the user name is not used) and choose a password that will protect the private key in the exported file (you will need this when you import the certificate into art-MBXCAS-02).

Create the PFX file

Set-Content -Path x:\exportedCert.pfx -Value $export.FileData -Encoding byte

Import the Certificate

Remember that this time around we are using the -Server parameter to stipulate that we want to import this exported certificate onto art-MBXCAS-02.

Import-ExchangeCertificate -Server art-mbxcas-02 -FileName X:\exportedCert.pfx -Password (Get-Credential).password

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential

Thumbprint                                Services   Subject
----------                                --------   -------
98F1888F5CD7B4C227B9FEB6A321E5AE6249CD3C  .......    CN=autodiscover.artTest.local

You will be prompted to supply the password that you selected when you exported the certificate in order to complete the import operation.

Enable the services

Enable-ExchangeCertificate 98F1888F5CD7B4C227B9FEB6A321E5AE6249CD3C -Server art-mbxcas-02 -Services IIS

Again, remember that the thumbprint will be different on your system – and remember that you need to stipulate the -Server parameter to make sure that you are working against art-MBXCAS-02.
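Before moving on to DNS, it is worth confirming that both servers now present the same, trusted certificate for IIS. The script below is an added example for this LAB (not part of the original post); it assumes the Exchange Management Shell, the two server names used in this series, and the three SAN names requested above. It reads the properties that Get-ExchangeCertificate already displays (Status, RootCAType, CertificateDomains, PublicKeySize), so it works across the remote shell.

```powershell
# Added example for the LAB: check the IIS certificate on both Client Access servers.
# Assumes the Exchange Management Shell; server and SAN names are this LAB's values.
$Servers = @("art-mbxcas-01", "art-mbxcas-02")
$ExpectedNames = @("autodiscover.artTest.local", "owa.artTest.local", "mail.artTest.local")

function Test-LabExchangeCertificate {
    param([string[]]$ServerNames, [string[]]$RequiredSans, [int]$MinKeyBits = 2048)
    $findings = @()
    $thumbprints = @{}
    foreach ($srv in $ServerNames) {
        # Only the certificate bound to IIS is used for OWA, EWS and Autodiscover
        $cert = Get-ExchangeCertificate -Server $srv |
            Where-Object { $_.Services.ToString() -match "IIS" } |
            Select-Object -First 1
        if (-not $cert) { $findings += "$srv : no certificate enabled for IIS"; continue }
        $thumbprints[$srv] = $cert.Thumbprint

        # Every namespace we publish must appear as a subject alternative name
        $sans = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
        foreach ($name in $RequiredSans) {
            if ($sans -notcontains $name.ToLower()) { $findings += "$srv : SAN missing $name" }
        }
        # The LAB CA is in the domain's trusted root store, so the chain should be valid
        if ($cert.IsSelfSigned) { $findings += "$srv : certificate is self-signed" }
        if ($cert.Status.ToString() -ne "Valid") { $findings += "$srv : status is $($cert.Status)" }
        if ($cert.RootCAType.ToString() -eq "None") { $findings += "$srv : no trusted root CA found" }
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
            $findings += "$srv : certificate expires on $($cert.NotAfter)"
        }
        if ($cert.PublicKeySize -lt $MinKeyBits) {
            $findings += "$srv : key size $($cert.PublicKeySize) is below $MinKeyBits bits"
        }
    }
    # After the export/import above, both servers should hold the same certificate
    $distinct = @($thumbprints.Values | Sort-Object -Unique)
    if ($distinct.Count -gt 1) {
        $findings += "IIS certificate thumbprints differ between servers: $($distinct -join ', ')"
    }
    return $findings
}

$result = @(Test-LabExchangeCertificate -ServerNames $Servers -RequiredSans $ExpectedNames)
if ($result.Count -eq 0) {
    Write-Host "Certificate checks passed on all servers." -ForegroundColor Green
} else {
    $result | ForEach-Object { Write-Host $_ -ForegroundColor Yellow }
}
```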

Creating relevant DNS records

The certificate that you generated should have contained a number of other Domain Names (or subject alternative names) – for example in my LAB these were:

  • OWA.artTest.local
  • MAIL.artTest.local
  • Autodiscover.artTest.local

It is important that these also exist in DNS within the LAB. To create them, log on to your LAB domain controller (art-DC-01) and open a PowerShell command prompt. Type in the following commands, substituting the IP addresses where appropriate to match your own subnets.

Import-Module DNSServer
Add-DnsServerResourceRecordA -Name "autodiscover" -ZoneName "artTest.local" -AllowUpdateAny -IPv4Address "172.31.253.108" -TimeToLive 01:00:00
Add-DnsServerResourceRecordA -Name "owa" -ZoneName "artTest.local" -AllowUpdateAny -IPv4Address "172.31.253.108" -TimeToLive 01:00:00
Add-DnsServerResourceRecordA -Name "mail" -ZoneName "artTest.local" -AllowUpdateAny -IPv4Address "172.31.253.108" -TimeToLive 01:00:00


Configuring Web Services in Exchange 2013

Like in previous versions of Exchange there are a number of internal URLS that need to be configured to ensure that services such as the EWS, Autodiscover and OWA work correctly.

One significant change is that there is technically no longer the concept of -InternalURL / -ExternalURL on the Autodiscover virtual directory. These are now handled via Service Connection Points (SCPs) in Active Directory and, for the purposes of our LAB, don’t need modification.

In Exchange 2013 there are a number of virtual directories on which you need to change the URL settings – therefore I have provided the following script to automate the process for our LAB.

NOTE: This script ONLY modifies the InternalURL namespaces – it will need modification if you wish to use external URLs. Furthermore it does not make modifications to the OAB Virtual Directory.

As with the previous script – you can copy and paste it from here – or download it from the link below.

<#
    Exchange 2013 LAB - Configure Web Based URLS

    http://www.telnetport25.com

    Author: Andy Grogan
    Version: 0.1
    
    .Compatibility
    
    Windows Server 2012
    Powershell 3
    Exchange 2013
    Not Supported with any other versions of the software mentioned above.
    
    .Parameters
        None
    
    .Example
        .\ConfigureWebURLS.ps1
    
#>

# Get-ADDomain needs the Active Directory module (installed with the RSAT tools on the Exchange servers)
Import-Module ActiveDirectory

$InternalDomainName = Get-ADDomain | Select-Object -ExpandProperty DnsRoot

Write-Host "Setting Domain Context: $InternalDomainName" -foregroundcolor Red

# Configure Client Access Server (Autodiscover SCP)

Write-Host "Configuring CAS URLS" -foregroundcolor Cyan

$ClientAccessServer = Get-ClientAccessServer | Select-Object -ExpandProperty Identity

foreach($CAS in $ClientAccessServer){
    # The SCP value is the full Autodiscover endpoint, not just the host name
    Set-ClientAccessServer -Identity $CAS -AutoDiscoverServiceInternalUri "https://autodiscover.$InternalDomainName/Autodiscover/Autodiscover.xml"
}

# Configure Active Sync

Write-Host "Configuring Active Sync URLS" -foregroundcolor Cyan

$aSyncDirs = Get-ActiveSyncVirtualDirectory | Select-Object -ExpandProperty Identity

foreach($aSyn in $aSyncDirs){
    Set-ActiveSyncVirtualDirectory -Identity $aSyn -InternalUrl "https://mail.$InternalDomainName/Microsoft-Server-ActiveSync"
}

# Exchange Control Panel

Write-Host "Configuring ECP URLS" -foregroundcolor Cyan

$ecpVirDirs = Get-EcpVirtualDirectory | Select-Object -ExpandProperty Identity

foreach($eVdir in $ecpVirDirs){
    Set-EcpVirtualDirectory -Identity $eVdir -InternalUrl "https://owa.$InternalDomainName/ecp"
}

# Web Services

Write-Host "Configuring Web Services URLS" -foregroundcolor Cyan

$webSvcVirDirs = Get-WebServicesVirtualDirectory | Select-Object -ExpandProperty Identity

foreach($webSvc in $webSvcVirDirs){
    Set-WebServicesVirtualDirectory -Identity $webSvc -InternalUrl "https://mail.$InternalDomainName/EWS/Exchange.asmx"
}

# OWA

Write-Host "Configuring OWA URLS" -foregroundcolor Cyan

$owaVdir = Get-OwaVirtualDirectory | Select-Object -ExpandProperty Identity

foreach($oVDir in $owaVdir){
    Set-OwaVirtualDirectory -Identity $oVDir -InternalUrl "https://owa.$InternalDomainName/owa"
}

# Powershell

Write-Host "Configuring Powershell URLS" -foregroundcolor Cyan

$psVdirs = Get-PowerShellVirtualDirectory | Select-Object -ExpandProperty Identity

foreach($psDir in $psVdirs){
    Set-PowerShellVirtualDirectory -Identity $psDir -InternalUrl "https://mail.$InternalDomainName/powershell"
}

Write-Host "Script has completed..." -foregroundColor Green

[ ConfigureWebURLS.ps1 – 2.4 KB ]

In order to run the script – open an Exchange Management Shell on either art-MBXCAS-01 or 02 and type in:

.\ConfigureWebURLS.ps1


The script will then execute and configure the relevant InternalUrl for each service. You can then navigate to https://owa.artTest.local/owa and you should see that the certificate is trusted and everything functions as you would expect.
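Opening OWA proves one URL; the check below walks every InternalUrl the script sets and confirms that each host is HTTPS, is covered by the IIS certificate’s subject alternative names, and resolves in LAB DNS. This is an added example for this series, not part of the original post; it assumes the Exchange Management Shell on Windows Server 2012 (for Resolve-DnsName) and uses art-mbxcas-01 as the server whose certificate is inspected.

```powershell
# Added example for the LAB: cross-check virtual directory URLs against the IIS
# certificate SANs and DNS. Assumes the Exchange Management Shell on Server 2012.
$CasServer = "art-mbxcas-01"

function Get-LabInternalUrls {
    # Collect one (Identity, InternalUrl) entry per virtual directory on every server,
    # plus the Autodiscover SCP value held on each Client Access server
    $entries = @()
    $entries += Get-ActiveSyncVirtualDirectory  | Select-Object Identity, InternalUrl
    $entries += Get-EcpVirtualDirectory         | Select-Object Identity, InternalUrl
    $entries += Get-WebServicesVirtualDirectory | Select-Object Identity, InternalUrl
    $entries += Get-OwaVirtualDirectory         | Select-Object Identity, InternalUrl
    $entries += Get-PowerShellVirtualDirectory  | Select-Object Identity, InternalUrl
    $entries += Get-ClientAccessServer |
        Select-Object Identity, @{ n = "InternalUrl"; e = { $_.AutoDiscoverServiceInternalUri } }
    return $entries
}

function Test-LabUrlNamespace {
    param([string]$Server, [object[]]$Entries)
    $findings = @()
    $cert = Get-ExchangeCertificate -Server $Server |
        Where-Object { $_.Services.ToString() -match "IIS" } | Select-Object -First 1
    if (-not $cert) { return @("$Server : no certificate enabled for IIS") }
    $sans = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

    foreach ($e in $Entries) {
        if (-not $e.InternalUrl) { $findings += "$($e.Identity): InternalUrl not set"; continue }
        $uri = [Uri]$e.InternalUrl        # works whether the value is a Uri or a string
        $hostName = $uri.Host.ToLower()
        if ($uri.Scheme -ne "https") {
            $findings += "$($e.Identity): $($uri.AbsoluteUri) is not HTTPS"
        }
        # A host that is not a SAN produces a certificate name-mismatch warning in clients
        if ($sans -notcontains $hostName) {
            $findings += "$($e.Identity): $hostName is not a SAN on the IIS certificate"
        }
        # The A records created on art-DC-01 above must cover every published host
        if (-not (Resolve-DnsName -Name $hostName -Type A -ErrorAction SilentlyContinue)) {
            $findings += "$($e.Identity): $hostName does not resolve in DNS"
        }
    }
    return $findings
}

$report = @(Test-LabUrlNamespace -Server $CasServer -Entries (Get-LabInternalUrls))
if ($report.Count -eq 0) {
    Write-Host "All InternalUrl hosts are covered by the certificate and DNS." -ForegroundColor Green
} else {
    $report | ForEach-Object { Write-Host $_ -ForegroundColor Yellow }
}
```

The OAB virtual directory is deliberately left out, matching the note above that the script does not modify it.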


In the next part

In the final part of the series we will complete the following:

  • Populate the lab with test users.
  • Create Mailboxes
  • Create Public Folders
  • Create some distribution lists
  • Discuss some options for implementing HA on the Client Access Servers for connectivity

5 thoughts to “Building an Exchange 2013 LAB Environment using Windows Server 2012 from scratch – Part 7: Setting up DAG Databases and SSL…”

  1. Hi,

    Thanks for the wonderful series, the Exchange 2013 Lab setup series is awesome.
    Need your help: can you modify the CreateMailboxDBs script so that multiple DBs can be created from a CSV for Exchange 2013?

    Regards
    K.Sridhar

    1. Hiya Sridhar – I have sent you a mail with the modified script. I will also be adding it to the article above so others can make use of it should they wish.
      Cheers
      A

  2. New-ExchangeCertificate -FriendlyName "artLab Certificate" -DomainName autodiscover.artTest.local,owa.artTest.local,mail.artTest.local -GenerateRequest -PrivateKeyExportable $true -KeySize 2048 -RequestFile "x:\DomainCSRRequest.csr"

    Why can you use -DomainName without the dc, cas, mbx server names?
    I created an Exchange certificate without the dc, cas, mbx server names and the client side prompted with an error and showed that it is not a valid certificate.

    Thanks.
