Home Lab Secrets: Building the Killer Home Lab Part 5 (Deploying Exchange Server 2016)


In Part 4 of this series we deployed a Remote Desktop Gateway Server within our lab. In Part 5 we will be adding Email capabilities within our lab using Microsoft Exchange Server 2016. Our Exchange Deployment will consist of a single Exchange 2016 Server that will be an Azure VM.

Domain Name Registration

There are a few requirements that we will need to meet before Deploying a fully functional Exchange Environment within our Lab. The first will be registering for a Domain Name. If you have already registered your domain as I have with it.dmgva.com then you can move on to the next section “Azure VM Deployment”. If not, please pick a Name Registrar and register a domain of your choice, for example “it.dmgva.com”.

!!!!Note:  Throughout this article, whenever I refer to it.dmgva.com, replace it with the domain name you registered with your Name Registrar!!!!

Azure VM Deployment

Let’s head to Azure now and deploy our Exchange Azure VM by logging into the portal by accessing the URL listed below from your On-Premise Server:

https://manage.windowsazure.com

Once we are within the portal follow the steps below to create our Exchange Azure VM:

1.  On the Left-Pane click on NEW.

2.  From the menu select COMPUTE | VIRTUAL MACHINES | FROM GALLERY.

3.  At the Choose an image screen, in the Middle-Pane select Windows Server 2012 R2 Datacenter then click Next.

4.  At the Virtual machine configuration screen use the table below to create the following VM then click Next:

VIRTUAL MACHINE NAME    SIZE                          REGION/AFFINITY GROUP/VIRTUAL NETWORK
KHL-EX                  A5 (2 cores, 14 GB memory)    VPNLAB

***Note:  The virtual machine name will need to be unique for your lab since it’s a hostname within cloudapp.net, so KHL-EX is no longer available.

5.  Use the following as a temporary Username and Password then click Next:

  • NEW USER NAME:  khl-admin
  • NEW PASSWORD:   blueberries
  • CONFIRM:        blueberries

6.  At the next screen click Complete.

Sit back and wait for your Azure VM to be created.  It normally takes about 5-10 minutes.

 

Once the VM is complete we will need to reserve its IP address.  Since Azure VMs are given DHCP addresses, we will set ours to static since it is going to be an Exchange Server.  I have already posted an article on how to set an Azure VM’s IP to static.  It can be found here:

http://blogs.technet.com/b/elliottf/archive/2015/06/12/assigning-static-ip-s-to-azure-vm-s.aspx

Creating Endpoints

1.  Log into the portal by accessing the URL listed below:

https://manage.windowsazure.com

2.  In the Left-Pane click on VIRTUAL MACHINES then in the Right-Pane click on KHL-EX.

3.  Under khl-ex click on ENDPOINTS.

4.  On the Bottom-Bar click ADD.

5.  At the Add an endpoint to a virtual machine window click the Arrow to proceed.

6.  At the Specify the details of the endpoint screen use the NAME pull-down menu and select SMTP, then click the Check Box to complete.

Note: While an endpoint is being added, adding further endpoints is disabled. This process should take about 20-30 seconds.

7.  On the Bottom-Bar click ADD.

8.  At the Add an endpoint to a virtual machine window click the Arrow to proceed.

9.  At the Specify the details of the endpoint screen use the NAME pull-down menu and select HTTPS, then click the Check Box to complete.

Let’s connect to our Azure VM (KHL-EX) via remote desktop.  To do this follow the steps below:

1.  On the Left-Pane click on VIRTUAL MACHINES.

2.  In the Middle-Pane highlight KHL-EX then on the Bottom-Bar click CONNECT.

3.  At the download pop-up click Save | Save As.

4.  At the Save As pop-up enter KHL-EX under File name: then click Save.

5.  Navigate to the file and double-click on KHL-EX.

6.  At the Remote Desktop Connection pop-up click Connect.

7.  At the Windows Security screen enter your credentials.

8.  At the Untrusted Certificate pop-up click Yes.

Once we are logged into KHL-EX we need to verify that it is using KHL-DC as its DNS Server.  We can do that by running nslookup as shown below:

nslookup

Once it is confirmed that we can communicate with KHL-DC we will join this server to the domain using the steps below:

1.  Right-click on the Windows Logo and click on System.

2.  Under Computer name, domain and workgroup settings click on Change settings.

3.  At the pop-up screen click on Change.

4.  Under Member of select Domain: then enter killerhomelab.com and click OK.

5.  At the Computer Name/Domain Changes pop-up enter your Domain Admin and Password then click OK.

6.  At the Computer Name/Domain Changes pop-up click OK, OK, then Close.

7.  Click Restart Now.

Exchange 2016 Prerequisites

Once the server has restarted we will re-connect using our Domain Admin credentials. Once logged in we will need to prepare our server for Exchange by installing the prerequisites for Exchange 2016.  The official prerequisites are listed in the TechNet article below, although we will go through each of them here:

https://technet.microsoft.com/en-us/library/bb691354(v=exchg.160).aspx

IIS Pre-reqs

We will start by installing the IIS Role and the features that are required for an Exchange 2016 Installation.  Follow the procedures below to install the IIS Prerequisites:

1.  Log onto KHL-EX.

2.  Open an Elevated Powershell Prompt.

3.  Copy and Paste the following then hit Enter (Server will Reboot):

Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-ADDS, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation -Restart


Unified Communications Managed API 4.0

Now that we have all of our IIS Pre-Reqs installed, we will need to install the Unified Communications Managed API 4.0.  Follow the steps below to install the Unified Communications Managed API 4.0:

1.  Open Server Manager.

2.  In the Left-Pane click on Local Server then under the Properties section click on the IE Enhanced Security Configuration toggle.

3.  At the Internet Explorer Enhanced Security Configuration screen under Administrators select Off.

4.  Launch Internet Explorer 11.

5.  In the Top-Right corner select the Settings gear then select Internet Options.

6.  At the Internet Options window select the Security tab then click on Custom level.

7.  At the Security Settings window make sure the File download setting is set to Enable then click OK, OK.

8.  Navigate to the following URL and download Unified Communications Managed API 4.0 Runtime to your Downloads Folder:

http://www.microsoft.com/en-us/download/details.aspx?id=34992

9.  Navigate to the Downloads Folder and Double-click UcmaRuntimeSetup.

10.  At the Microsoft Unified Communications Managed API 4.0, Runtime Setup screen click Next.

11.  At the License Agreement screen select I have read and accept the license terms then click Install.

12.  At the Installation is Complete screen click Finish.

Installing Exchange 2016

Now we are almost ready to install Exchange 2016.  Follow the steps below to download and extract the Exchange 2016 Setup Files.

1.  From within Internet Explorer navigate to the following URL:

https://www.microsoft.com/en-us/download/details.aspx?id=53837

2.  From your Downloads folder double-click ExchangeServer2016-CU3.iso.

This should mount the ExchangeServer2016-CU3.iso as Drive Letter F:

Preparing AD

Since our first Domain Controller was deployed On-Premise, it is the holder of all of the FSMO Roles.  Since Exchange 2016 is going to be deployed within Azure, which is another AD Site (Azure-KHL), we will need to move the Schema Master Role from our On-Premise Domain Controller (OP-DC) to our Azure Domain Controller (KHL-DC).  Follow the steps below to move this role, extend our Schema and prepare AD.

1.  Log onto KHL-DC

2.  Right-click on the Windows Logo and select Command Prompt (Admin).

3.  Type the following commands, hitting Enter after each:

ntdsutil roles connections
connect to server khl-dc
quit
transfer Schema Master
quit
quit

Installing Exchange 2016

We will use the command prompt to install Exchange since it allows us to customize our default database location.  Follow the instructions below to install Exchange 2016:

1.  Type the following commands, hitting Enter after each (the first prepares Active Directory, the second installs the Mailbox role):

F:\Setup.exe /PrepareAD /OrganizationName:KILLERHOMELAB /IacceptExchangeServerLicenseTerms

F:\setup.exe /mode:install /roles:mb /IAcceptExchangeServerLicenseTerms /MdbName:KHL_DB01 /DbFilePath:C:\KHL_DB01\KHL_DB01.edb /LogFolderPath:C:\KHL_DB01

2.  When setup is completed reboot the server.

Validating the Installation

Now that our server has rebooted, let’s do some quick checks to verify that it is operating correctly.  We will start by making sure all of our Exchange Services are up and running.

1.  Right-click on the Windows Logo and select Command Prompt (Admin).

2.  Type the following command then hit Enter:

Services.msc

3.  Within the Services MMC scroll down and make sure all of the following Exchange Services are started:

  • Microsoft Exchange Active Directory Topology
  • Microsoft Exchange Anti-spam Update
  • Microsoft Exchange Compliance Service
  • Microsoft Exchange DAG Management
  • Microsoft Exchange Mailbox Transport Delivery
  • Microsoft Exchange Diagnostics
  • Microsoft Exchange EdgeSync
  • Microsoft Exchange Search
  • Microsoft Exchange Frontend Transport
  • Microsoft Exchange Health Manager
  • Microsoft Exchange Health Manager Recovery
  • Microsoft Exchange IMAP4
  • Microsoft Exchange IMAP4 Backend
  • Microsoft Exchange Information Store
  • Microsoft Exchange Mailbox Assistants
  • Microsoft Exchange Mailbox Replication
  • Microsoft Exchange Notifications Broker
  • Microsoft Exchange POP3
  • Microsoft Exchange POP3 Backend
  • Microsoft Exchange Replication
  • Microsoft Exchange RPC Client Access
  • Microsoft Exchange Service Host
  • Microsoft Exchange Mailbox Transport Submission
  • Microsoft Exchange Throttling
  • Microsoft Exchange Transport
  • Microsoft Exchange Transport Log Search
  • Microsoft Exchange Unified Messaging
  • Microsoft Exchange Unified Messaging Call Router
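As an added check that is not part of the original article, the PowerShell below walks the service list above by display name from an elevated prompt on KHL-EX and reports anything missing or not running; the final Test-ServiceHealth step only runs when the Exchange Management Shell cmdlets are loaded. It assumes the display names exactly as listed above and the server name KHL-EX.

```powershell
# Added example (not from the original article): check the Exchange 2016
# services listed above on KHL-EX. Run from an elevated PowerShell prompt; the
# Test-ServiceHealth step runs only inside the Exchange Management Shell.

# Display names exactly as they appear in the Services MMC list above.
$requiredServices = @(
    'Microsoft Exchange Active Directory Topology',
    'Microsoft Exchange Anti-spam Update',
    'Microsoft Exchange Compliance Service',
    'Microsoft Exchange DAG Management',
    'Microsoft Exchange Mailbox Transport Delivery',
    'Microsoft Exchange Diagnostics',
    'Microsoft Exchange EdgeSync',
    'Microsoft Exchange Search',
    'Microsoft Exchange Frontend Transport',
    'Microsoft Exchange Health Manager',
    'Microsoft Exchange Health Manager Recovery',
    'Microsoft Exchange IMAP4',
    'Microsoft Exchange IMAP4 Backend',
    'Microsoft Exchange Information Store',
    'Microsoft Exchange Mailbox Assistants',
    'Microsoft Exchange Mailbox Replication',
    'Microsoft Exchange Notifications Broker',
    'Microsoft Exchange POP3',
    'Microsoft Exchange POP3 Backend',
    'Microsoft Exchange Replication',
    'Microsoft Exchange RPC Client Access',
    'Microsoft Exchange Service Host',
    'Microsoft Exchange Mailbox Transport Submission',
    'Microsoft Exchange Throttling',
    'Microsoft Exchange Transport',
    'Microsoft Exchange Transport Log Search',
    'Microsoft Exchange Unified Messaging',
    'Microsoft Exchange Unified Messaging Call Router'
)

$problems = @()
foreach ($displayName in $requiredServices) {
    # Look each service up by display name; a service that is absent is reported too.
    $svc = Get-Service -DisplayName $displayName -ErrorAction SilentlyContinue
    if (-not $svc) {
        $problems += "MISSING   $displayName"
    }
    elseif ($svc.Status -ne 'Running') {
        $problems += ('{0,-9} {1}' -f $svc.Status, $displayName)
    }
}

if ($problems.Count -eq 0) {
    Write-Host "All $($requiredServices.Count) required Exchange services are running."
}
else {
    # The IMAP4 and POP3 services are set to Manual by a default install, so they
    # will show up here until you start them as the list above expects.
    Write-Warning 'Exchange services that need attention:'
    $problems | ForEach-Object { Write-Host "  $_" }
}

# Exchange's own role-based check: lists any role whose required services are down.
if (Get-Command Test-ServiceHealth -ErrorAction SilentlyContinue) {
    Test-ServiceHealth -Server KHL-EX |
        Where-Object { -not $_.RequiredServicesRunning } |
        Format-List Role, ServicesNotRunning
}
```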


Once we have validated that all our services are running, let’s actually try to log into the Exchange Administration Center.  Launch Internet Explorer and navigate to the following URL:

https://khl-ex/ecp

Once presented with the sign-in screen enter your credentials and click sign in.

Since this is the first time we are logging into the EAC, we will be prompted to select a Language and Time Zone.

Now that we are logged into our EAC, let’s check to see if our Database is mounted.  Follow the steps below to validate that your Database is Mounted:

1.  In the Left-Pane click on servers.

2.  In the Middle-Pane click on databases then check the STATUS of the KHL_DB01 database and make sure it is Mounted.

Configuring DNS

Exchange has multiple services that utilize the HTTPS (Port 443/TCP) protocol.  In a production environment each of these services would have a separate URL pointing to a specific Virtual IP (VIP) hosted by a load balancer, so that each VIP can be configured with optimized rules for its service.  We will not be deploying a load balancer at this time, but we will be utilizing unique URLs for each Exchange service to allow more flexibility in the future. This also provides a descriptive URL for users.  Follow the steps below to create our DNS records for our split DNS zone using the dnscmd tool:

1.  Logon to KHL-DC

2.  Right-click on the Windows Logo and select Command Prompt (Admin).

3.  Type following commands then hit Enter:

dnscmd khl-dc /RecordAdd it.dmgva.com autodiscover A 192.168.111.6
dnscmd khl-dc /RecordAdd it.dmgva.com owa A 192.168.111.6
dnscmd khl-dc /RecordAdd it.dmgva.com outlook A 192.168.111.6
dnscmd khl-dc /RecordAdd it.dmgva.com eas A 192.168.111.6

***Note:  it.dmgva.com should be replaced with the Public Domain you registered.

4.  To confirm that our records have been created, from the Command Prompt run dnsmgmt.msc

5.  Within the DNS Manager confirm all 4 DNS A Records have been created.

Now that the internal DNS records have been created, we will need to configure external DNS.  As stated at the beginning of this article, to have a fully functional Exchange environment we must have a publicly registered domain.  Each Name Registrar has different procedures for creating DNS records.  Since this is out of scope for this lab, please review your Name Registrar’s procedures to create the necessary DNS records.  To determine the IP address these A records need to point to, ping the Azure FQDN, which will be in the following format:

KHL-EX.cloudapp.net

In my case the IP assigned was 13.72.189.14, so my records would need to be:

A Records
AUTODISCOVER   13.72.189.14
OWA            13.72.189.14
OUTLOOK        13.72.189.14
EAS            13.72.189.14
SMTP           13.72.189.14

MX Record
SMTP.IT.DMGVA.COM
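Added as an example that is not part of the original article: a PowerShell check, run from any domain-joined machine with the DnsClient module (Windows 8 / Server 2012 or later), that the four internal records resolve to 192.168.111.6 on KHL-DC, that the public records resolve to whatever KHL-EX.cloudapp.net currently resolves to, and that the MX record points at smtp.<domain>. The public resolver 8.8.8.8 and the domain it.dmgva.com are assumptions to replace with your own.

```powershell
# Added example (not from the original article): confirm the split-DNS setup.
# Internal names must resolve to the Exchange server's private IP on KHL-DC,
# external names must resolve to the public IP of KHL-EX.cloudapp.net, and the
# MX record must point at smtp.<domain>.

$domain      = 'it.dmgva.com'       # your registered domain (assumption)
$internalDns = 'khl-dc'             # lab DC hosting the internal zone
$internalIp  = '192.168.111.6'      # KHL-EX static address from the dnscmd commands
$publicDns   = '8.8.8.8'            # any public resolver, to bypass the internal zone
$azureFqdn   = 'KHL-EX.cloudapp.net'

function Get-ARecords {
    param([string]$Name, [string]$Server)
    # Returns the IPv4 addresses for $Name as seen by $Server (nothing if unresolved).
    Resolve-DnsName -Name $Name -Type A -Server $Server -ErrorAction SilentlyContinue |
        Where-Object { $_.QueryType -eq 'A' } |
        ForEach-Object { $_.IPAddress }
}

$failures = @()

# 1. Internal zone: the four names created with dnscmd must point at KHL-EX.
foreach ($label in 'autodiscover', 'owa', 'outlook', 'eas') {
    $fqdn = "$($label).$($domain)"
    $ips  = @(Get-ARecords -Name $fqdn -Server $internalDns)
    if ($ips -notcontains $internalIp) {
        $failures += "INTERNAL $fqdn -> [$($ips -join ', ')] expected $internalIp"
    }
}

# 2. External zone: learn the Azure public IP, then check each public record.
$azureIp = @(Get-ARecords -Name $azureFqdn -Server $publicDns) | Select-Object -First 1
if (-not $azureIp) {
    $failures += "EXTERNAL could not resolve $azureFqdn via $publicDns"
}
else {
    foreach ($label in 'autodiscover', 'owa', 'outlook', 'eas', 'smtp') {
        $fqdn = "$($label).$($domain)"
        $ips  = @(Get-ARecords -Name $fqdn -Server $publicDns)
        if ($ips -notcontains $azureIp) {
            $failures += "EXTERNAL $fqdn -> [$($ips -join ', ')] expected $azureIp"
        }
    }
}

# 3. MX: inbound mail for the domain must be routed to smtp.<domain>.
$mx = Resolve-DnsName -Name $domain -Type MX -Server $publicDns -ErrorAction SilentlyContinue |
    Where-Object { $_.QueryType -eq 'MX' }
if (-not ($mx | Where-Object { $_.NameExchange -ieq "smtp.$domain" })) {
    $failures += "EXTERNAL MX for $domain does not point at smtp.$domain"
}

if ($failures.Count -eq 0) {
    Write-Host 'All internal and external DNS records check out.'
}
else {
    $failures | ForEach-Object { Write-Warning $_ }
}
```

Freshly created registrar records can take a while to propagate, so an EXTERNAL failure right after adding them is not necessarily a misconfiguration.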

Setting Virtual Directories

Autodiscover is the mechanism used within Exchange to provide clients with the set of URLs and settings they use to connect to Exchange services.  Autodiscover gets these URLs from the InternalURL and ExternalURL attributes of each service’s virtual directory.  Using the Exchange Management Shell, follow the steps below to configure each virtual directory’s unique URL.

1.  Click on the Windows Logo and then click the Down Arrow.

2.  Locate and right-click the Exchange Management Shell and select Run as administrator.

3.  At the User Account Control pop-up click Yes.

4.  Run the following commands to configure each Exchange Services Virtual Directory:

***Note:  Replace it.dmgva.com with your Registered Domain Name

AUTODISCOVER

Set-ClientAccessService KHL-EX -AutodiscoverServiceInternalUri https://autodiscover.it.dmgva.com/Autodiscover/Autodiscover.xml

OWA

Set-OWAVirtualDirectory -Identity "KHL-EX\owa (Default Web Site)" -InternalURL https://owa.it.dmgva.com/OWA -ExternalURL https://owa.it.dmgva.com/OWA -ExternalAuthenticationMethods NTLM -FormsAuthentication:$False -BasicAuthentication:$False -WindowsAuthentication:$True

!!!Note:  You will receive a warning that the ECP virtual directory does not match, since it has not yet been updated.  Disregard this message since your ECP Directory will be set next.

ECP

Set-ECPVirtualDirectory -Identity "KHL-EX\ecp (Default Web Site)" -InternalURL https://owa.it.dmgva.com/ECP -ExternalURL https://owa.it.dmgva.com/ECP -ExternalAuthenticationMethods NTLM -FormsAuthentication:$False -BasicAuthentication:$False -WindowsAuthentication:$True

OAB

Set-OABVirtualDirectory -Identity "KHL-EX\oab (Default Web Site)" -InternalURL https://outlook.it.dmgva.com/OAB -ExternalURL https://outlook.it.dmgva.com/OAB

MRS Proxy

Set-WebServicesVirtualDirectory -Identity "KHL-EX\EWS (Default Web Site)" -MRSProxyEnabled:$True

ActiveSync

Set-ActiveSyncVirtualDirectory -Identity "KHL-EX\Microsoft-Server-ActiveSync (Default Web Site)" -InternalURL https://eas.it.dmgva.com/Microsoft-Server-ActiveSync -ExternalURL https://eas.it.dmgva.com/Microsoft-Server-ActiveSync

Web Services

Set-WebServicesVirtualDirectory -Identity "KHL-EX\EWS (Default Web Site)" -InternalURL https://outlook.it.dmgva.com/EWS/Exchange.asmx -ExternalURL https://outlook.it.dmgva.com/EWS/Exchange.asmx

Mapi over HTTP

Set-MapiVirtualDirectory -Identity "KHL-EX\mapi (Default Web Site)" -InternalURL https://outlook.it.dmgva.com/MAPI -ExternalURL https://outlook.it.dmgva.com/MAPI

5.  Close the Exchange Management Shell.

6.  Right-click on the Windows Logo and select Command Prompt (Admin).

7.  Type the following command then hit Enter (rerun it if it fails):

Iisreset /noforce

Now that we have created our DNS Records and set our Virtual Directories, let’s access the ECP using our new OWA URL. From Internet Explorer navigate to the following URL:

https://owa.it.dmgva.com/ECP

You will notice that you are presented with a certificate error.

Since the new hostname we tried to use (owa.it.dmgva.com) is not included in the Self-Signed Certificate, this error is expected.  Self-Signed Exchange Certificates only include the Exchange Server’s NetBIOS name and Fully Qualified Domain Name.

Deploying Certificates

Exchange 2016 uses certificates to secure all of its protocols.  By default the certificate that is used is a Self-Signed Certificate created at the time Exchange is installed.  This certificate is good for initial testing and validation that services like OWA and ECP work, however it is only trusted on the Exchange Server itself.  Although this certificate could be trusted on other systems, for our lab we will use the Certificate Authority that was deployed in Part 3 of this series to issue our certificate, since it is already trusted by all domain-joined computers.  This certificate will need to include all of the URLs that will be used by our different Exchange services.  In case you have lost count, I have provided them below:

  • owa.it.dmgva.com
  • outlook.it.dmgva.com
  • eas.it.dmgva.com
  • autodiscover.it.dmgva.com
  • smtp.it.dmgva.com

Follow the steps below to Create a Request, Submit a Request and Issue a Certificate:

Requesting a Certificate

1.  Log onto KHL-EX.

2.  Right-click the Windows Logo and select Run.

3.  Enter CERTLM.msc then click OK.

4.  In the Left-Pane right-click Personal and select All Tasks | Request New Certificate.

5.  At the Before You Begin screen click Next.

6.  At the Select Certificate Enrollment Policy screen click Next.

7.  At the Request Certificates screen select KHL Web Server then click More information is required….

8.  Under Subject name: use the pull-down menu and select Common name then enter owa.it.dmgva.com under Value and click Add.

9.  Under Alternative name: use the pull-down menu and select DNS then enter owa.<mydomainname>.com under Value and click Add.

10.  Repeat the previous step for the following additional FQDNs:

  • autodiscover.it.dmgva.com
  • outlook.it.dmgva.com
  • eas.it.dmgva.com
  • smtp.it.dmgva.com

11.  Click on the General tab then under Friendly name: enter Exchange Internal SAN then click OK, Enroll.

12.  At the Certificate Installation Results screen click Finish.

Enabling the Certificate

Although our Exchange Server has been issued an SSL Certificate in its Local Computer Store, we must still enable it within Exchange for it to be used.  Since all Exchange 2016 web services utilize the HTTPS protocol, we will enable this certificate for the IIS service by following the steps below:

1.  Launch Internet Explorer and navigate to the following URL:

https://khl-ex/ecp

2.  From the Exchange Administrative Center in the Left-Pane click on servers.

3.  On the Top-Pane click on certificates.

4.  In the Middle-Pane select Exchange Internal SAN then click on Edit.

5.  At the pop-up click on services and select IIS then click Save.

Now that our new certificate has been enabled, let’s try to access ECP using our new URL by launching Internet Explorer and navigating to the following URL:

https://owa.it.dmgva.com/ECP

You will notice that since we Disabled Forms Authentication and Enabled Windows Authentication, we are now prompted with the security prompt below.  Enter your Domain Credentials to authenticate:


Once you are logged in you will also notice that there is no longer any certificate error since the URL used matches that of one of the Certificate’s Subject Alternative Names.
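The check behind that statement, as an added example that is not part of the original article: run in the Exchange Management Shell on KHL-EX after the virtual directory and certificate steps above, it collects every URL Autodiscover will publish, flags any hostname outside the planned set, and then confirms that the certificate enabled for IIS lists each published hostname as a Subject Alternative Name. Server name KHL-EX, domain it.dmgva.com and the friendly name 'Exchange Internal SAN' are the values used in this article.

```powershell
# Added example (not from the original article): run in the Exchange Management
# Shell on KHL-EX after the virtual directory and certificate steps above.
# 1) gathers every URL Autodiscover will publish and flags hostnames outside
#    the planned set; 2) confirms the certificate enabled for IIS carries each
#    published hostname as a Subject Alternative Name.
# Assumed values (from this article): server KHL-EX, domain it.dmgva.com,
# certificate friendly name 'Exchange Internal SAN'.

$server       = 'KHL-EX'
$domain       = 'it.dmgva.com'
$friendlyName = 'Exchange Internal SAN'
$planned      = 'owa', 'outlook', 'eas', 'autodiscover', 'smtp' | ForEach-Object { "$_.$domain" }

# 1. Gather the URLs clients will receive from Autodiscover.
$urls = @()
$urls += (Get-ClientAccessService -Identity $server).AutoDiscoverServiceInternalUri
$vdirs = @(Get-OwaVirtualDirectory -Server $server) +
         @(Get-EcpVirtualDirectory -Server $server) +
         @(Get-OabVirtualDirectory -Server $server) +
         @(Get-WebServicesVirtualDirectory -Server $server) +
         @(Get-ActiveSyncVirtualDirectory -Server $server) +
         @(Get-MapiVirtualDirectory -Server $server)
foreach ($vdir in $vdirs) { $urls += $vdir.InternalUrl, $vdir.ExternalUrl }

# Distinct hostnames in use, ignoring URLs that were never set.
$published = $urls | Where-Object { $_ } | ForEach-Object { ([uri]$_).Host.ToLower() } | Sort-Object -Unique
Write-Host "Hostnames published by Exchange: $($published -join ', ')"

$unplanned = $published | Where-Object { $planned -notcontains $_ }
if ($unplanned) {
    Write-Warning "Virtual directories still use unplanned hostnames: $($unplanned -join ', ')"
}

# 2. Find the certificate enabled for IIS and read the names it covers.
#    CertificateDomains holds the subject CN plus every DNS Subject Alternative Name.
$cert = Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services -match 'IIS' -and $_.FriendlyName -eq $friendlyName } |
    Select-Object -First 1

if (-not $cert) {
    Write-Warning "No certificate named '$friendlyName' is enabled for IIS; Exchange is still serving another (probably the self-signed) certificate."
}
else {
    $sans    = $cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
    $missing = $published | Where-Object { $sans -notcontains $_ }
    if ($missing) {
        Write-Warning "Clients will get certificate errors for: $($missing -join ', ')"
    }
    else {
        Write-Host "Certificate $($cert.Thumbprint) covers every published hostname (expires $($cert.NotAfter))."
    }
}
```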

Now that we’ve configured Exchange to accept requests from Web Clients, let’s move on to allowing outbound and inbound mail flow between our Exchange Server and the rest of the world.

Deploying SMTP Connectors

1.  From the Exchange Administrative Center in the Left-Pane click on mail flow.

2.  On the Top-Pane click on send connectors.

3.  Click the + button to create a new Send Connector.

4.  At the Name: screen under Name: enter West Internet and select Internet then click Next.

5.  At the Network settings: screen make sure MX record associated with recipient domain is selected then click Next.

6.  At the Address space: screen click the + button to add a new address space.

7.  At the pop-up select/enter the following then click Save, then Next:

Type:                                   SMTP
Fully Qualified Domain Name (FQDN):     *

8.  At the Source server: screen click the + button and select KHL-EX then click ADD, OK, then Finish.

Although we have deployed our Send Connector and our Receive Connector is created by default, there is one more task to do before we can accept mail, and that is creating our Accepted Domains and Email Address Policies.  By default the domain used for both of these items is the Active Directory domain name, which so far in our lab is killerhomelab.com.  As stated throughout this blog series, you should now have a publicly registered domain name, and that is the domain we will use when creating our Accepted Domains and Email Address Policies.  Accepted Domains instruct Exchange which domains it will accept email for.  Email Address Policies define which users get which email addresses and in what format they are generated (efields@it.dmgva.com, Elliott@it.dmgva.com, elliottf@it.dmgva.com, etc.).  For my old school Exchange admins, you will remember both of these items were once accomplished via Recipient Policies, but as you can see they are now split up.  Let’s follow the steps below to create our Accepted Domain and Email Address Policy:

1.  From the Exchange Administrative Center in the Left-Pane click on mail flow.

2.  On the Top-Pane click on accepted domains then click Add.

3.  At the Accepted Domain pop-up enter your registered domain (it.dmgva.com in my case) as the name and domain then click Save.

4.  At the top click on email address policies then click Add.

5.  At the Email Address Policy pop-up enter it.dmgva.com then click Add.

6.  At the Email Address Format pop-up use the pull-down menu to select it.dmgva.com then click Save, Save.

7.  At the Warning pop-up click OK.

8.  In the Middle-Pane select it.dmgva.com then in the Right-Pane click Apply.

9.  At the pop-ups select Yes then Close.

Now that we have our Mail Flow settings configured, let’s create a test mailbox to test our external mail flow.  Within the EAC use the steps below to create a test Mailbox:

1.  Within the EAC in the Left-Pane click on recipients then in the middle-pane click on mailboxes.

2.  Click the + button and select User Mailbox.

3.  At the new user mailbox screen enter TUser1 under Alias and select New user.

4.  Fill in the rest of the form then click Save.
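The Exchange Management Shell equivalent of the Send Connector, Accepted Domain, Email Address Policy and test mailbox steps above, added as an example that is not from the original article. It assumes the values used in this article (KHL-EX, it.dmgva.com, TUser1), an alias@domain address format, and a placeholder password you must replace.

```powershell
# Added example (not from the original article): Exchange Management Shell
# equivalent of the mail flow and test mailbox steps above, plus a check of
# the result. Values are the ones used in this article; the password is a
# placeholder and the address format (%m = alias) is an assumption.

$domain = 'it.dmgva.com'
$server = 'KHL-EX'

# 1. Send connector to the Internet: route by the recipient domain's MX record
#    (DNSRoutingEnabled), address space * so mail to any domain is accepted.
if (-not (Get-SendConnector -Identity 'West Internet' -ErrorAction SilentlyContinue)) {
    New-SendConnector -Name 'West Internet' -Internet `
        -AddressSpaces 'SMTP:*;1' `
        -SourceTransportServers $server `
        -DNSRoutingEnabled $true | Out-Null
}

# 2. Accepted domain: Exchange only accepts inbound mail for domains listed here.
if (-not (Get-AcceptedDomain -Identity $domain -ErrorAction SilentlyContinue)) {
    New-AcceptedDomain -Name $domain -DomainName $domain -DomainType Authoritative | Out-Null
}

# 3. Email address policy: every recipient gets alias@<domain> as primary address
#    (%m = alias; %g and %s give first/last name for the other formats mentioned above).
if (-not (Get-EmailAddressPolicy -Identity $domain -ErrorAction SilentlyContinue)) {
    New-EmailAddressPolicy -Name $domain `
        -IncludedRecipients AllRecipients `
        -EnabledPrimarySMTPAddressTemplate "SMTP:%m@$domain" `
        -Priority 1 | Out-Null
}
Update-EmailAddressPolicy -Identity $domain    # the EAC's Apply button

# 4. Test mailbox, as created in the EAC above. Replace the placeholder password.
$password = ConvertTo-SecureString 'REPLACE-WITH-YOUR-OWN-PASSWORD' -AsPlainText -Force
if (-not (Get-Mailbox -Identity 'TUser1' -ErrorAction SilentlyContinue)) {
    New-Mailbox -Name 'Test User1' -Alias 'TUser1' `
        -UserPrincipalName 'tuser1@killerhomelab.com' `
        -FirstName 'Test' -LastName 'User1' `
        -Password $password -ResetPasswordOnNextLogon $false | Out-Null
}

# 5. Verify the policy stamped the public domain as the primary SMTP address.
$mbx = Get-Mailbox -Identity 'TUser1'
'{0,-9} {1}' -f 'Primary:', $mbx.PrimarySmtpAddress
'{0,-9} {1}' -f 'All:',     ($mbx.EmailAddresses -join ' ')
if ($mbx.PrimarySmtpAddress.Domain -ine $domain) {
    Write-Warning "Primary SMTP address is not in $domain; check the policy's priority and that Apply ran."
}
```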

Testing Exchange 2016

OWA

Now we will log into our Test Mailbox and send some test emails.

1.  Launch Internet Explorer and navigate to the URL below:

https://owa.it.dmgva.com/OWA

2.  When prompted enter the Test User1 credentials.

3.  Since this is your first time logging into this mailbox select a Time zone then click Save.

4.  Once you are logged in click on New.

5.  In the To: field enter the email address of another email account you can access then add a subject and click Send.

6.  Log into your other email account and check to see if you received the message.

Our message was successfully sent from our new Exchange Server and delivered to another email account.  Note that Outlook actually considered my message to be Junk Email, so make sure to check the Junk Email folder of whatever account you are using for this test.

Now that we have sent a successful outbound email, let’s reply to our email so we can check our inbound email.

1.  Open the message from Test User1 then click on Reply all.

2.  Enter some text within the body of the message then click Send.

If we switch back over to our Test User1 mailbox we should see our message from our other email account!

Now that we know our mail flow is working and OWA is accessible, let’s move on to testing our other client connectivity options.

Outlook

Although OWA has grown more robust, there are still times when a full email client is needed.  The client of choice is Outlook.  Outlook leverages a feature called Autodiscover that is able to locate and configure Outlook settings for users automatically.  This process is slightly different depending on whether the client is Domain or Non-Domain Joined.  For Domain Joined clients, Outlook uses objects within Active Directory called Service Connection Points (SCPs).  An SCP is created each time an Exchange Client Access Server is installed.  These SCPs provide client connectivity information such as the URL used to attach to specific Exchange services.  Below I will walk you through setting up a Domain Joined Outlook client.  This client can be any machine that you have On-Premise that can have Outlook installed.  The steps and screenshots below are for Outlook 2013, but can be used for almost every Outlook client:

1.  From a Domain Joined Outlook Client launch Outlook.

2.  If prompted with a Welcome to Outlook screen click Next.

3.  At the Add an Email Account screen click Next.

4.  At the Auto Account Setup screen notice that your Name and Email Address have been populated.   This is actually pulled from your mail

5.  At the Searching for your mail server settings… screen wait for Autodiscover to complete then click Finish to launch Outlook.

Now that we are within Outlook let’s confirm that we are connected to Exchange by looking at the status in the bottom-right corner.

For internal Domain Joined clients the connection to Exchange utilizes RPC over HTTP.  This allows Outlook to traverse Firewalls using Port 443/TCP.  Let’s take a look at our connection status to actually see our RPC being encapsulated by HTTP.  Follow the steps below:

1.  Launch Outlook.

2.  In the Bottom-Right of your client Taskbar locate the Outlook icon, then hold down the Ctrl Key and Right-click it.

3.  From the menu click on Connection Status.

Now that our connection status is open you can see that our Connection (Conn) is HTTP, however we are still utilizing RPC Ports (6001 & 6004).

Outlook (Mapi over HTTP)

Now that we have tested with a Domain Joined client, let’s make sure Outlook will also work with a Non-Domain Joined external client.  In order to utilize “Mapi over HTTP”, you must enable it for your Exchange Organization by following the steps below:

     1.  Log onto KHL-EX.

     2.  Click on the Windows Logo and then click the Down Arrow.

     3.  Locate and right-click the Exchange Management Shell and select Run as administrator.

     4.  At the User Account Control pop-up click Yes.

     5.  Run the following command:

Set-OrganizationConfig -MapiHttpEnabled:$True

     6.  Type following command then hit Enter:

Iisreset /noforce (rerun if it fails)

To keep our logon consistent with our email addresses, and in preparation for Part 7 (Syncing On-Premise with Office 365), we will be creating a new UPN Suffix. A UPN Suffix is an alternate User Principal Name suffix that can be used to log on instead of your default User Logon Name.  Once we have added this UPN Suffix we will change Test User1’s logon name to use it.  Follow the steps below to complete this task:

1.  Logon to KHL-DC.

2.  Right-click on the Windows Logo and select Run then enter the following and click OK:

domain.msc

3.  At the Active Directory Domains and Trusts pop-up in the Left-Pane right-click Active Directory Domains and Trusts [KHL-DC.killerhomelab.com] then click Properties.

4.  At the pop-up enter it.dmgva.com under Alternative UPN suffixes: then click Add, OK.

5.  Close the Active Directory Domains and Trusts mmc.

6.  Right-click on the Windows Logo and select Run then enter the following and click OK:

dsa.msc

7.  At the Active Directory Users and Computers mmc in the Left-Pane expand killerhomelab.com and select Users.

8.  Locate Test User1 and double-click it.

9.  At the Test User1 Properties click on the Account tab.

10.  Under the User logon name: use the pull-down to change the value from killerhomelab.com to it.dmgva.com then click OK.
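The same UPN suffix change done from PowerShell on KHL-DC with the Active Directory module, as an added example that is not part of the original article; it also checks that the resulting UPN matches the address stamped by the email address policy, which is the consistency the article is after. It assumes the suffix it.dmgva.com and the sAMAccountName TUser1.

```powershell
# Added example (not from the original article): PowerShell equivalent of the
# UPN suffix steps above, run from an elevated prompt on KHL-DC with the Active
# Directory module. Adds it.dmgva.com as a UPN suffix, moves Test User1 onto it,
# and checks that the UPN lines up with the mailbox's primary SMTP address.

Import-Module ActiveDirectory

$suffix = 'it.dmgva.com'   # registered domain (assumption)
$sam    = 'TUser1'         # sAMAccountName of Test User1 as created in the EAC (assumption)

# 1. Register the alternative UPN suffix at the forest level (skipped if present).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $suffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $suffix }
}

# 2. Re-home the user's logon name onto the new suffix (the pull-down in step 10).
$user   = Get-ADUser -Identity $sam -Properties UserPrincipalName, mail
$newUpn = "$($user.SamAccountName)@$suffix"
if ($user.UserPrincipalName -ine $newUpn) {
    Set-ADUser -Identity $user -UserPrincipalName $newUpn
}

# 3. Verify the UPN now matches the primary SMTP address stamped by the email
#    address policy (stored in the 'mail' attribute). A mismatch means users sign
#    in with a name that is not their email address, and directory sync to
#    Office 365 will flag it later.
$user = Get-ADUser -Identity $sam -Properties UserPrincipalName, mail
'{0,-6} {1}' -f 'UPN:',  $user.UserPrincipalName
'{0,-6} {1}' -f 'Mail:', $user.mail
if (-not $user.mail) {
    Write-Warning 'No mail attribute yet; apply the email address policy first.'
}
elseif ($user.UserPrincipalName -ine $user.mail) {
    Write-Warning 'UPN and primary SMTP address differ; logon name and email address are not consistent.'
}
```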

Now that “Mapi over HTTP” has been enabled, let’s log onto a Non-Domain Joined external client that has Outlook installed and follow the steps below:

1.  Launch Outlook.

2.  At the Auto Account Setup screen enter your name, email address and password then click Next.

3.  At the Security Alert pop-up click Yes.  This is due to the fact that this external client does not trust the KHL-CA Certificate Authority.

4.  At any of the Windows Security pop-ups enter your password, check the Remember my credentials box then click OK.

5.  Once Autodiscover is complete click Finish to open Outlook.

For external Non-Domain Joined clients the connection to Exchange utilizes MAPI over HTTP.  This allows Outlook to traverse Firewalls using Port 443/TCP.  Let’s take a look at our connection status to actually see that we are not utilizing any RPC ports.  Follow the steps below:

1.  Launch Outlook.

2.  In the Bottom-Right of your client Taskbar locate the Outlook icon, then hold down the Ctrl Key and Right-click it.

3.  From the menu click on Connection Status.

Now that our connection status is open you can see that the Protocol we are using is HTTP and that we no longer utilize any RPC Ports!

ActiveSync

The last client we will test is ActiveSync.  ActiveSync is the primary service used to allow smartphone connectivity to your Exchange Server.  Although OWA can be loaded on most new smartphones with increasing ease of use, most consumers prefer using ActiveSync. To validate that ActiveSync is working you will need a smartphone that supports it.  A few to choose from are Windows Phone, iPhone and Android.  Follow the steps below to test and configure your phone for ActiveSync:

Windows Phone

1.  Open Microsoft Edge and navigate to the following URL:

http://rdpweb.it.dmgva.com/CertEnroll/OP-DC.killerhomelab.com_KHL-CA.crt

2.  At the pop-up tap Save.

3.  At the pop-up tap anywhere to go to Downloads.

4.  At the DOWNLOADS pop-up tap on the .cer file.

5.  At the Install certificate screen tap Install.

6.  At the Your certificates are installed screen tap OK.

7.  Tap on Settings.

8.  Tap on Exchange.

9.  Under Email address tap within the box and enter tuser2@it.dmgva.com then tap Next.

10.  At the next screen tap anywhere under Password and enter your password then tap Sign in.

11.  At the All done! screen tap Done.

12.  Your account is now configured.

13.  Now you can launch and view your email using the mail app.

iPhone

1.  Open Safari and navigate to the following URL:

http://rdpweb.it.dmgva.com/CertEnroll/OP-DC.killerhomelab.com_KHL-CA.crt

2.  At the Install Profile screen tap Install.

3.  At the Enter Passcode screen enter your passcode.

4.  At the Warning screen tap Install.

5.  At the Install pop-up tap Install.

6.  At the Profile Installed screen tap Done.

7.  Open Settings.

8.  Scroll down to and tap Mail, Contacts, Calendars.

9.  Under ACCOUNTS tap Add Account.

10.  At the Add Account screen tap Exchange.

11.  At the Exchange screen enter your Email, Password and Description then tap Next.

12.  Once the account has been verified tap Save.

13.  Now you can launch and view your email using the mail app.

14.  If you have multiple accounts on your phone use the Back Arrow to navigate to your Killer Home Lab Email.

Android

1.  Open the Google App and navigate to the following URL:

http://rdpweb.it.dmgva.com/CertEnroll/OP-DC.killerhomelab.com_KHL-CA.crt

2.  At the Certificate name pop-up tap OK.

3.  Go back to Home and tap Settings.

4.  At the Settings screen tap General then tap Add Account.

5.  At the Add Account screen tap Microsoft Exchange ActiveSync.

6.  At the Configure Exchange account in a few steps screen enter your Email Address & Password then tap Next.

7.  At the Email activation pop-up tap OK.

8.  At the Remote security administration screen tap OK.

9.  At the Account options screen tap Next.

10.  At the Set up account screen tap Done.

11.  Now you can launch and view your email using the mail app.

Congratulations!!!   You now have a fully functional Exchange Server that is accessible via OWA, Outlook and ActiveSync, and can receive and send email to the Internet.  This completes Part 5 of the Killer Home Lab Series. In Part 6 we will securely publish our Exchange 2016 Server using Active Directory Federation Services (ADFS) and Web Application Proxy (WAP) within our lab. Have fun with the lab!!!

Comments (1)

  1. Gaz says:

    Stunning article.
