Home Lab Secrets: Building the Killer Home Lab Part 5 (Deploying Exchange Server 2016)(New Azure Portal)


In Part 4 of this series we deployed a Remote Desktop Gateway Server within our lab. In Part 5 we will be adding email capabilities to our lab using Microsoft Exchange Server 2016. Our Exchange deployment will consist of two Exchange 2016 Servers. To keep our Azure costs down we will deploy a small (F1s) VM within Azure as an Edge Server (KHL-EX) that will accept all of our public SMTP traffic. This is necessary since most residential ISPs block port 25/TCP. Our 2nd server will be a Mailbox Server (OP-EX) that is deployed On-Premise as a VM and will receive email across our VPN, bypassing any port filtering the ISP has implemented.

Domain Name Registration

There are a few requirements that we will need to meet before Deploying a fully functional Exchange Environment within our Lab. The first will be registering for a Domain Name. If you have already registered your domain as I have with it.dmgva.com then you can move on to the next section “Azure VM Deployment”. If not, please pick a Name Registrar and register a domain of your choice, for example “it.dmgva.com”.

!!!!Note:  Throughout this article whenever I refer to it.dmgva.com replace it with your Domain Name you registered with a valid Name Registrar!!!!

 

On-Premise VM Deployment

To fulfill our On-Premise Exchange Server requirement I would recommend building a VM with at least 14-16 GB of RAM, 1 Core and at least a 100GB Dynamic Disk for storage. Once the VM has been deployed and fully patched on your Hypervisor, follow the steps below to configure its IP Address:

  1. Log onto OP-EX
  2. Right-click on the Windows Logo and click on Run.
  3. Enter ncpa.cpl then click OK.
  4. Right-click on Ethernet then click Properties.
  5. Under the This connection uses the following items: section highlight Internet Protocol Version 4 (TCP/IPv4) then click Properties.
  6. Select Use the following IP address: and enter the following:

op-ex1

Once this is complete we will use nslookup from a command prompt to confirm that we are using OP-DC as our DNS Server as shown below:

op-ex2

Once we have confirmed we are actually using OP-DC as our DNS Server, we will join OP-EX to the killerhomelab.com domain following the steps below:

1.  Right-click on the Windows Logo and click on System.

2.  Under Computer name, domain and workgroup settings click on Change settings.

3.  At the pop-up screen click on Change.

4.  Under Member of select Domain: then enter killerhomelab.com and click OK.

5.  At the Computer Name/Domain Changes pop-up enter your Domain Admin and Password then click OK.

6.  At the Computer Name/Domain Changes pop-up click OK, OK, then Close.

7.  Click Restart Now.

Exchange 2016 Prerequisites for a Mailbox Server

Once the server has restarted we will re-connect using our Domain Admin credentials. Once logged in we will need to prepare our server for Exchange by installing the Prerequisites for Exchange 2016. The official prerequisites can be pulled from the TechNet article below, though we will go through each of them here:

https://technet.microsoft.com/en-us/library/bb691354(v=exchg.160).aspx

IIS Pre-reqs

We will start by installing the IIS Role and the features that are required for an Exchange 2016 Installation.  Follow the procedures below to install the IIS Prerequisites:

1.  Log onto OP-EX.

2.  Open an Elevated Powershell Prompt.

3.  Copy and Paste the following then hit Enter (Includes Telnet Client for Edge Troubleshooting) (Server will Reboot):

Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-ADDS, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, Telnet-Client -Restart

Poweshell1

Powershell2

Unified Communications Managed API 4.0

Now that we have all of our IIS Pre-Reqs installed, we will need to install the Unified Communications Managed API 4.0.  Follow the steps below to install the Unified Communications Managed API 4.0:

1.  Open Server Manager.

2.  In the Left-Pane click on Local Server then under the Properties section click on the IE Enhanced Security Configuration toggle.

IE-Enhanced1

3.  At the Internet Explorer Enhanced Security Configuration screen under Administrators select Off.

4.  Launch Internet Explorer 11.

5.  In the Top-Right corner select the Settings gear then select Internet Options.

InternetOptions

6.  At the Internet Options window select the Security tab then click on Custom level.

InternetOptions2

7.  At the Security Settings window make sure the File download settings is set to Enable then click OK, OK.

SecuritySettings

8.  Navigate to the following URL and download Unified Communications Managed API 4.0 Runtime to your Downloads Folder:

http://www.microsoft.com/en-us/download/details.aspx?id=34992

9.  Navigate to the Downloads Folder and Double-click UcmaRuntimeSetup.

10.  At the Microsoft Unified Communications Managed API 4.0, Runtime Setup screen click Next.

11.  At the License Agreement screen select I have read and accept the license terms then click Install.

12.  At the Installation is Complete screen click Finish.

Deploying Exchange 2016

Now we are almost ready to install Exchange 2016.  Follow the steps below to download and extract the Exchange 2016 Setup Files.

1.  From within Internet Explorer navigate to the following URL:

https://www.microsoft.com/en-us/download/details.aspx?id=54450

2.  From your Downloads folder double-click ExchangeServer2016-CU4.iso.

This should mount the ExchangeServer2016-CU4.iso as Drive Letter F:

Installing Exchange 2016

We will use the command prompt to install Exchange since it allows us to customize our Default Database Location. Follow the instructions below to install Exchange 2016.

1.  Type the following commands then hit Enter:

E:\Setup.exe /PrepareAD /OrganizationName:KILLERHOMELAB /IacceptExchangeServerLicenseTerms

E:\setup.exe /mode:install /roles:mb /IAcceptExchangeServerLicenseTerms /MdbName:KHL_DB01 /DbFilePath:C:\KHL_DB01\KHL_DB01.edb /LogFolderPath:C:\KHL_DB01

2.  When setup is completed reboot the server.

Validating the Installation

Now that our server has been rebooted, let's do some quick checks to verify that it is operating correctly. We will start by making sure all of our Exchange Services are up and running.

1.  Right-click on the Windows Logo and select Command Prompt (Admin).

2.  Type the following command then hit Enter:

Services.msc

3.  Within the Services MMC scroll down and make sure all of the following Exchange Services are started:

  • Microsoft Exchange Active Directory Topology
  • Microsoft Exchange Anti-spam Update
  • Microsoft Exchange Compliance Service
  • Microsoft Exchange DAG Management
  • Microsoft Exchange Mailbox Transport Delivery
  • Microsoft Exchange Diagnostics
  • Microsoft Exchange EdgeSync
  • Microsoft Exchange Search
  • Microsoft Exchange Frontend Transport
  • Microsoft Exchange Health Manager
  • Microsoft Exchange Health Manager Recovery
  • Microsoft Exchange Information Store
  • Microsoft Exchange Mailbox Assistants
  • Microsoft Exchange Mailbox Replication
  • Microsoft Exchange Replication
  • Microsoft Exchange RPC Client Access
  • Microsoft Exchange Service Host
  • Microsoft Exchange Mailbox Transport Submission
  • Microsoft Exchange Throttling
  • Microsoft Exchange Transport
  • Microsoft Exchange Transport Log Search
  • Microsoft Exchange Unified Messaging
  • Microsoft Exchange Unified Messaging Call Router

ExchangeServices1

Once we have validated that all our services are running, let's actually try and log into the Exchange Administration Center. Launch Internet Explorer and navigate to the following URL:

https://op-ex/ecp

Once presented with the screen below enter your credentials and click sign in:

EAC1

Since this is the first time we are logging into the EAC, we will be prompted to select a Language and Time Zone as shown in the screens below:

EAC3

EAC4

Now that we are logged into our EAC, let's check to see if our Database is mounted.  Follow the steps below to validate that your Database is Mounted:

1.  In the Left-Pane click on servers.

2.  In the Middle-Pane click on databases then check the STATUS of the KHL_DB01 database and make sure it is Mounted as shown in the Image below:

op-ex3

Configuring DNS

Exchange has multiple services that utilize the HTTPS (Port 443/TCP) protocol. In a production environment each of these services would have a separate URL pointing to a specific Virtual IP (VIP) hosted by a Load Balancer. This is done so each VIP can be configured with rules optimized for its service. We will not be deploying a load balancer at this time, but we will be utilizing unique URLs for each Exchange Service to allow more flexibility in the future. This also provides a descriptive URL for users. Following the steps below, let's create our DNS records for our Split DNS Zone using the dnscmd tool:

1.  Logon to OP-DC

2.  Right-click on the Windows Logo and select Command Prompt (Admin).

3.  Type the following commands then hit Enter:

dnscmd op-dc /RecordAdd it.dmgva.com autodiscover A 192.168.1.6
dnscmd op-dc /RecordAdd it.dmgva.com owa A 192.168.1.6
dnscmd op-dc /RecordAdd it.dmgva.com outlook A 192.168.1.6
dnscmd op-dc /RecordAdd it.dmgva.com eas A 192.168.1.6

***Note:  it.dmgva.com should be replaced with the Public Domain you registered.

4.  To confirm that our records have been created, from the Command Prompt run dnsmgmt.msc

5.  Within the DNS Manager as shown below confirm all 4 DNS A Records have been created.

op-ex4

6.  We will also create the A Record required for name resolution of the Edge Server, which will be deployed later in the post:

dnscmd op-dc /RecordAdd killerhomelab.com khl-ex A 10.1.0.6

***Note: This record is being created within the AD DNS Zone killerhomelab.com.

Now that the Internal DNS Records have been created, we will need to configure External DNS. As stated at the beginning of this article, to have a fully functional Exchange Environment we must have publicly registered DNS Records. Each Name Registrar has different procedures for creating DNS Records, so in order to make the lab easier we will be creating our DNS Zone within Azure and then modifying our Name Registrar's Name Servers to point to the Azure DNS Name Servers. To determine the IP address these A Records need to point to, we will need to retrieve the Public IP Address our ISP has provided. To do this, log onto our On-Premise Router AZURE-VPN and run ipconfig to see what IP has been assigned to our External Interface as shown below:

In my case the IP assigned was 98.175.27.234, so the following A records would need to be:

A Records

AUTODISCOVER 98.175.27.234

OWA 98.175.27.234

OUTLOOK 98.175.27.234

EAS 98.175.27.234

 

We already created a NAT rule on our On-Premise Router to allow Web Traffic to our On-Premise Server on Port 443/TCP in Part 1 of this Series. Most ISPs don't normally block port 443 so you should be safe; however, since our OWA Public DNS A Record is currently a Dynamic IP issued by our ISP, we will need to keep it updated by switching our External DNS to Azure DNS Zones. Since Azure DNS Zones can be modified using PowerShell, we will be able to leverage the Script we created in Part 1 of this series that runs on our AZURE-VPN Windows Server 2012 R2 Router. In order to make all this work we will need to do the following:

  • Create an Azure DNS Zone
  • Create all of the Necessary DNS Records
  • Set your DNS Name Registrar's Name Servers to use Azure Name Servers
  • Modify AZURE VPN IP Update Script to include Azure DNS Record Update commands

Creating an Azure DNS Zone

1.  Log into the portal by accessing the URL listed below:

https://portal.azure.com

2.  In the Left-Pane click on + | Networking | DNS zone as shown below:

azuredns1

3.  At the Create DNS zone screen enter dmgva.com and under Resource Group select Killer-Home-Lab then click Create.

azuredns2

Create all of the Necessary DNS Records

1.  In the Left-Pane click on Resource Groups | Killer-Home-Lab then click on dmgva.com as shown below:

azuredns3

2.  Notate the Azure DNS Name Servers as highlighted below then click +Record Set.

!!!Note:  These Name Servers will be used to replace your domain name's current Name Servers within your Name Registrar.

azuredns4

3.  At the Add record set screen enter the information shown below then click OK.

azuredns5

4.  Repeat the above procedures to create the following A Records also pointing to your ISP Provided IP:

  • outlook.it
  • autodiscover.it
  • eas.it

 

Set your DNS Name Registrar's Name Servers to use Azure Name Servers

Refer to your Name Registrar's instructions on how to set your Domain Name to utilize External DNS Servers.  Once you have located these procedures, update your Name Servers to utilize the Azure DNS Name Servers notated in the steps above.

Modify AZURE VPN IP Update Script

1.  Log onto AZURE-VPN.

2.  Navigate to C:\AzureConfig and open Azure.ps1.

3.  Once inside the file locate the following line:

$AzureIP =  $LocalNetworkGateway.GatewayIpAddress

4.  Underneath the line located above, paste the following lines into the Azure.ps1 script:

Remove-AzureRmDnsRecordSet -ZoneName dmgva.com -ResourceGroup Killer-Home-Lab -RecordType A -Name owa.it -Force
$owa = New-AzureRmDnsRecordSet -ResourceGroupname Killer-Home-Lab -ZoneName dmgva.com -Name owa.it -RecordType A -Ttl 900
Add-AzureRmDnsRecordConfig -RecordSet $owa -Ipv4Address $IP
Set-AzureRmDnsRecordSet -RecordSet $owa
Remove-AzureRmDnsRecordSet -ZoneName dmgva.com -ResourceGroup Killer-Home-Lab -RecordType A -Name outlook.it -Force
$outlook = New-AzureRmDnsRecordSet -ResourceGroupname Killer-Home-Lab -ZoneName dmgva.com -Name outlook.it -RecordType A -Ttl 900
Add-AzureRmDnsRecordConfig -RecordSet $outlook -Ipv4Address $IP
Set-AzureRmDnsRecordSet -RecordSet $outlook
Remove-AzureRmDnsRecordSet -ZoneName dmgva.com -ResourceGroup Killer-Home-Lab -RecordType A -Name autodiscover.it -Force
$autodiscover = New-AzureRmDnsRecordSet -ResourceGroupname Killer-Home-Lab -ZoneName dmgva.com -Name autodiscover.it -RecordType A -Ttl 900
Add-AzureRmDnsRecordConfig -RecordSet $autodiscover -Ipv4Address $IP
Set-AzureRmDnsRecordSet -RecordSet $autodiscover
Remove-AzureRmDnsRecordSet -ZoneName dmgva.com -ResourceGroup Killer-Home-Lab -RecordType A -Name eas.it -Force
$eas = New-AzureRmDnsRecordSet -ResourceGroupname Killer-Home-Lab -ZoneName dmgva.com -Name eas.it -RecordType A -Ttl 900
Add-AzureRmDnsRecordConfig -RecordSet $eas -Ipv4Address $IP
Set-AzureRmDnsRecordSet -RecordSet $eas

The above lines will update the following A Records within your Azure DNS Zone every time your ISP gives you a new IP.

  • owa.it
  • outlook.it
  • autodiscover.it
  • eas.it
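The post's snippet deletes and recreates all four record sets on every run. The following is an added example, not the post's Azure.ps1, that does the same job but only writes to Azure DNS when the address has actually changed; like the original it assumes $IP already holds the current ISP address and that the AzureRm session is logged in.

```powershell
# Added example (not the post's Azure.ps1): update the four split-DNS A records
# only when the ISP-assigned address has actually changed.
# Assumes, like the post's script, that $IP already holds the current public IP
# and that the AzureRm DNS cmdlets are available in a logged-in session.

$ZoneName      = 'dmgva.com'          # Azure DNS zone created in the post
$ResourceGroup = 'Killer-Home-Lab'    # resource group used throughout the lab
$Ttl           = 900
# Only the records that must follow the ISP address. smtp.it points at the
# Azure Edge server (KHL-EX) and is deliberately left out.
$RecordNames   = @('owa.it', 'outlook.it', 'autodiscover.it', 'eas.it')

if (-not ($IP -as [ipaddress])) {
    throw "IP '$IP' is not a valid address; refusing to publish it in DNS."
}

foreach ($Name in $RecordNames) {
    $rs = Get-AzureRmDnsRecordSet -Name $Name -RecordType A -ZoneName $ZoneName `
              -ResourceGroupName $ResourceGroup -ErrorAction SilentlyContinue

    if ($null -eq $rs) {
        # First run: create the record set with a single A record.
        New-AzureRmDnsRecordSet -Name $Name -RecordType A -ZoneName $ZoneName `
            -ResourceGroupName $ResourceGroup -Ttl $Ttl `
            -DnsRecords (New-AzureRmDnsRecordConfig -Ipv4Address $IP) | Out-Null
        Write-Output "$Name.$ZoneName created -> $IP"
        continue
    }

    $current = @($rs.Records | ForEach-Object { $_.Ipv4Address })
    if ($current.Count -eq 1 -and $current[0] -eq $IP) {
        Write-Output "$Name.$ZoneName already $IP, nothing to do"
        continue
    }

    # Replace whatever is there (stale or multiple addresses) with the new IP.
    $rs.Records.Clear()
    Add-AzureRmDnsRecordConfig -RecordSet $rs -Ipv4Address $IP | Out-Null
    Set-AzureRmDnsRecordSet -RecordSet $rs | Out-Null
    Write-Output "$Name.$ZoneName updated: $($current -join ',') -> $IP"
}
```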

 

Setting Virtual Directories

Autodiscover is the mechanism Exchange uses to provide clients with the set of URLs and settings they need to connect to Exchange services. Autodiscover gets these URLs from the InternalURL and ExternalURL attributes of each service's Virtual Directory. Using the Exchange Management Shell, follow the steps below to configure each Virtual Directory's unique URL.

1.  Click on the Windows Logo and then click the Down Arrow.

2.  Locate and right-click the Exchange Management Shell and select Run as administrator.

3.  At the User Account Control pop-up click Yes.

4.  Run the following commands to configure each Exchange Services Virtual Directory:

***Note:  Replace it.dmgva.com with your Registered Domain Name

AUTODISCOVER

Set-ClientAccessService OP-EX -AutodiscoverServiceInternalUri https://autodiscover.it.dmgva.com/Autodiscover/Autodiscover.xml

OWA

Set-OWAVirtualDirectory -Identity "OP-EX\owa (Default Web Site)" -InternalURL https://owa.it.dmgva.com/OWA -ExternalURL https://owa.it.dmgva.com/OWA -ExternalAuthenticationMethods NTLM -FormsAuthentication:$False -BasicAuthentication:$False -WindowsAuthentication:$True

!!!Note:  You will receive the below message since your ECP Virtual Directory has not yet been updated.  Disregard this message since your ECP Directory will be set next.

ecpwarning1

ECP

Set-ECPVirtualDirectory -Identity "OP-EX\ecp (Default Web Site)" -InternalURL https://owa.it.dmgva.com/ECP -ExternalURL https://owa.it.dmgva.com/ECP -ExternalAuthenticationMethods NTLM -FormsAuthentication:$False -BasicAuthentication:$False -WindowsAuthentication:$True

OAB 

Set-OABVirtualDirectory -Identity "OP-EX\oab (Default Web Site)" -InternalURL https://outlook.it.dmgva.com/OAB -ExternalURL https://outlook.it.dmgva.com/OAB

MRS Proxy

Set-WebServicesVirtualDirectory -Identity "OP-EX\EWS (Default Web Site)" -MRSProxyEnabled:$True

ActiveSync

Set-ActiveSyncVirtualDirectory -Identity "OP-EX\Microsoft-Server-ActiveSync (Default Web Site)" -InternalURL https://eas.it.dmgva.com/Microsoft-Server-ActiveSync -ExternalURL https://eas.it.dmgva.com/Microsoft-Server-ActiveSync

Web Services

Set-WebServicesVirtualDirectory -Identity "OP-EX\EWS (Default Web Site)" -InternalURL https://outlook.it.dmgva.com/EWS/Exchange.asmx -ExternalURL https://outlook.it.dmgva.com/EWS/Exchange.asmx

Mapi over HTTP

Set-MapiVirtualDirectory -Identity "OP-EX\mapi (Default Web Site)" -InternalURL https://outlook.it.dmgva.com/MAPI -ExternalURL https://outlook.it.dmgva.com/MAPI

5.  Close the Exchange Management Shell.

6.  Right-click on the Windows Logo and select Command Prompt (Admin).

7.  Type the following command then hit Enter:

Iisreset /noforce (rerun if it fails)
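Before moving on, it is worth confirming that the Set-* commands above landed as intended. The following check is an added example, not part of the post, to be run from the Exchange Management Shell on OP-EX; it assumes the server name OP-EX and the it.dmgva.com namespace used throughout this post.

```powershell
# Added example (not part of the post): verify from the Exchange Management
# Shell on OP-EX that every virtual directory URL uses the lab's namespaces
# and that OWA/ECP ended up with the authentication settings the post set.
# Replace it.dmgva.com with your registered domain.
$Server = 'OP-EX'
$Domain = 'it.dmgva.com'

# Expected host name per virtual directory, matching the Set-* commands above.
$expected = @{
    'OWA'  = @{ Get = { Get-OwaVirtualDirectory -Server $Server };         Host = "owa.$Domain" }
    'ECP'  = @{ Get = { Get-EcpVirtualDirectory -Server $Server };         Host = "owa.$Domain" }
    'OAB'  = @{ Get = { Get-OabVirtualDirectory -Server $Server };         Host = "outlook.$Domain" }
    'EWS'  = @{ Get = { Get-WebServicesVirtualDirectory -Server $Server }; Host = "outlook.$Domain" }
    'MAPI' = @{ Get = { Get-MapiVirtualDirectory -Server $Server };        Host = "outlook.$Domain" }
    'EAS'  = @{ Get = { Get-ActiveSyncVirtualDirectory -Server $Server };  Host = "eas.$Domain" }
}

$problems = @()

foreach ($name in $expected.Keys) {
    $vdir = & $expected[$name].Get
    foreach ($prop in 'InternalUrl', 'ExternalUrl') {
        $url = $vdir.$prop
        if (-not $url) { $problems += "$name $prop is empty"; continue }
        if ($url.Scheme -ne 'https') { $problems += "$name $prop is not HTTPS: $url" }
        if ($url.Host -ne $expected[$name].Host) {
            $problems += "$name $prop host is $($url.Host), expected $($expected[$name].Host)"
        }
    }
}

# Autodiscover has no InternalUrl/ExternalUrl; it lives on the Client Access service.
$cas = Get-ClientAccessService -Identity $Server
if ($cas.AutoDiscoverServiceInternalUri.Host -ne "autodiscover.$Domain") {
    $problems += "AutoDiscoverServiceInternalUri host is $($cas.AutoDiscoverServiceInternalUri.Host)"
}

# The post turned off forms and basic auth on OWA/ECP and enabled Windows auth.
foreach ($vd in (Get-OwaVirtualDirectory -Server $Server), (Get-EcpVirtualDirectory -Server $Server)) {
    if ($vd.FormsAuthentication -or $vd.BasicAuthentication -or -not $vd.WindowsAuthentication) {
        $problems += "$($vd.Identity): Forms=$($vd.FormsAuthentication) Basic=$($vd.BasicAuthentication) Windows=$($vd.WindowsAuthentication)"
    }
}

# EWS must still have the MRS proxy enabled after the URL change.
if (-not (Get-WebServicesVirtualDirectory -Server $Server).MRSProxyEnabled) {
    $problems += 'EWS MRSProxyEnabled is False'
}

if ($problems.Count -eq 0) {
    Write-Output "All virtual directories on $Server use the expected URLs and authentication."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```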

Now that we have created our DNS Records and set our Virtual Directories, let's access the ECP using our new OWA URL. From Internet Explorer navigate to the following URL:

https://owa.it.dmgva.com/ECP

You will notice that you are presented with the error shown below:

exchangenottrusted

Since the new URL we tried to use (https://owa.it.dmgva.com/OWA) is not included in the default Self-Signed Certificate, this error is expected. Self-Signed Exchange Certificates only include the Exchange Server's NetBIOS name and Fully Qualified Domain Name, as shown below:

Self-Signed

Deploying Certificates

Exchange 2016 uses Certificates to secure all of its protocols. By default the certificate that is used is a Self-Signed Certificate created at the time Exchange is installed. This certificate is good for initial testing and for validating that services like OWA and ECP work; however, it is only trusted on the Exchange Server itself. Although this certificate could be trusted on other systems, for our lab we will use the Certificate Authority that was deployed in Part 3 of this series to issue our Certificate, since it is already trusted by all Domain Joined Computers. This certificate will need to include all of the URLs that will be used by our different Exchange Services. In case you have lost count, I have provided them below:

  • owa.it.dmgva.com
  • outlook.it.dmgva.com
  • eas.it.dmgva.com
  • autodiscover.it.dmgva.com
  • smtp.it.dmgva.com

Follow the steps below to Create a Request, Submit a Request and Issue a Certificate:

Requesting a Certificate

1.  Log onto OP-EX.

2.  Right-Click the Windows Logo and select Run.

3.  Enter CERTLM.msc then click OK.

Run-CERTLM

4.  In the Left-Pane right-click Personal and select All Tasks | Request New Certificate.

Request-Cert

5.  At the Before You Begin screen click Next.

6.  At the Select Certificate Enrollment Policy screen click Next.

7.  At the Request Certificates screen select KHL Web Server then click More information is required….

Certificate-Enrollment

8.  Under Subject name: use the pull-down menu and select Common name then enter owa.it.dmgva.com under Value and click Add.

exchangecarequest1

9.  Under Alternative name: use the pull-down menu and select DNS then enter owa.<mydomainname>.com under Value and click Add.

10.  Repeat the previous step for the following additional FQDN's .

  • autodiscover.it.dmgva.com
  • outlook.it.dmgva.com
  • eas.it.dmgva.com
  • smtp.it.dmgva.com

11.  Click on the General tab then under Friendly name: enter Exchange Internal SAN then OK, Enroll.

CA-Enroll

12.  At the Certificate Installation Results screen click Finish.

CA-Enroll-Finish

Enabling Certificate Requests

Although our Exchange Server has been issued an SSL Certificate into its Local Computer Store, we must still enable it within Exchange before it will be used. Since all Exchange 2016 web services use the HTTPS protocol, we will enable this certificate for the IIS service by following the steps below:

1.  Launch Internet Explorer and navigate to the following URL:

https://op-ex/ecp

2.  From the Exchange Administrative Center in the Left-Pane click on servers.

3.  On the Top-Pane click on certificates.

4.  In the Middle-Pane select Exchange Internal SAN then click on Edit as shown below:

EditCert

5.  At the pop-up click on services and select IIS then click Save.

EditCert2

Now that our new certificate has been enabled, let's try and access ECP using our new URL by launching Internet Explorer and navigating to the following URL:

https://owa.it.dmgva.com/ECP

You will notice that since we Disabled Forms Authentication and Enabled Windows Authentication, we are now prompted with the security prompt below.  Enter your Domain Credentials to authenticate:

ecpsecurity1

Once you are logged in you will also notice that there is no longer any certificate error since the URL used matches that of one of the Certificate's Subject Alternative Names.
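The browser check above covers one name only. The following added example, not part of the post, checks from the Exchange Management Shell on OP-EX that the certificate enabled for IIS lists every name the lab uses, and then opens a TLS connection to each HTTPS name to confirm the same certificate is served with a chain the machine trusts (the KHL CA from Part 3); it assumes the server name OP-EX and the it.dmgva.com namespace.

```powershell
# Added example (not part of the post): confirm that the certificate Exchange
# now presents for IIS covers every lab name, and that a client actually
# receives that certificate with a trusted chain. Run from the Exchange
# Management Shell on OP-EX; replace it.dmgva.com with your registered domain.
$Domain   = 'it.dmgva.com'
$Required = @("owa.$Domain", "outlook.$Domain", "eas.$Domain",
              "autodiscover.$Domain", "smtp.$Domain")

# 1. Which certificate is enabled for IIS, and does it list all the SANs?
$iisCert = Get-ExchangeCertificate -Server 'OP-EX' |
           Where-Object { $_.Services.ToString() -match 'IIS' } |
           Select-Object -First 1
if (-not $iisCert) { throw 'No certificate is enabled for the IIS service on OP-EX.' }

$names   = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
$missing = @($Required | Where-Object { $names -notcontains $_ })
Write-Output ("IIS certificate: {0} (thumbprint {1}, expires {2:yyyy-MM-dd})" -f
              $iisCert.Subject, $iisCert.Thumbprint, $iisCert.NotAfter)
if ($missing.Count -gt 0) { Write-Warning "Names missing from the certificate: $($missing -join ', ')" }
if ($iisCert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning 'Certificate expires within 30 days.' }

# 2. What does a client actually receive on port 443 for each HTTPS name?
function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback accepts any certificate here only so we can inspect it;
        # trust is evaluated explicitly below with Verify().
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

# smtp.it is the Edge server's SMTP name, not an HTTPS endpoint, so skip it here.
foreach ($name in ($Required | Where-Object { $_ -notlike 'smtp.*' })) {
    try {
        $served  = Get-ServedCertificate -HostName $name
        $same    = ($served.Thumbprint -eq $iisCert.Thumbprint)
        $trusted = $served.Verify()   # chains to a CA in this machine's trust store
        Write-Output ("{0}: served thumbprint {1} same-as-IIS={2} chain-trusted={3}" -f
                      $name, $served.Thumbprint, $same, $trusted)
    } catch {
        Write-Warning "$name`: TLS check failed - $($_.Exception.Message)"
    }
}
```

A name that reports same-as-IIS=False is still being answered by the old self-signed certificate (usually an IIS reset was skipped), and chain-trusted=False means the KHL CA is not in the local trust store.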

eac1

Now that we've configured Exchange to accept requests from Web Clients, let's move on to allowing Outbound & Inbound mail flow between our Exchange Server and the rest of the World. Before we can accept mail we must create our Accepted Domains and Email Address Policies. By default the domain that fulfills both of these items is the default domain name, and so far in our lab our Active Directory Domain Name is killerhomelab.com. As stated throughout this blog series, you should now have a publicly registered Domain Name; this is the domain we will use when creating our Accepted Domains and Email Address Policies. Accepted Domains instruct Exchange which domains you will accept email for. Email Address Policies define which users get which email addresses and what format they will be generated in (efields@it.dmgva.com, Elliott@it.dmgva.com, elliottf@it.dmgva.com, etc.). For my Old School Exchange Admins, you will remember both of these items were once accomplished via Recipient Policies, but as you can see they are now split up. Let's follow the steps below to create our Accepted Domain and Email Address Policy:

1.  From the Exchange Administrative Center in the Left-Pane click on mail flow .

2.  On the Top-Pane click on accepted domains then click Add.

AcceptedDomains1

3.  At the Accepted Domain pop-up enter the following then click Save.

newaccepteddomain1

4.  At the top click on email address policies then click Add.

EmailAddressPolicies1

5.  At the Email Address Policy pop-up enter it.dmgva.com then click Add.

eap1

6.  At the Email Address Format pop-up use the pull-down menu to select it.dmgva.com then click Save, Save.

eap2

7.  At the Warning pop-up click OK.

EmailAddressPolicies4

8.  In the Middle-Pane select it.dmgva.com then in the Right-Pane click Apply.

EmailAddressPolicies5

9.  At the pop-up's select Yes then Close.

EmailAddressPolicies6EmailAddressPolicies7

Now that we have our Mail Flow settings configured, let's create a test mailbox to test our external mail flow. Within the EAC use the steps below to create a test Mailbox:

1.  Within the EAC in the Left-Pane click on recipients then in the middle-pane click on mailboxes.

2.  Click the + button and select User Mailbox.

CreateMailbox1

3.  At the new user mailbox enter TUser1 and select New user.

4.  Fill the form in as shown below then click Save.

tuser1

Azure VM Deployment

Let's head to Azure now and deploy our Exchange Azure VM by logging into the portal using the URL listed below from your On-Premise Server:

 

https://portal.azure.com

 

Once we are within the portal, follow the steps below to create our Exchange Azure VM.

1.  In the Left-Pane click + | Compute | Windows Server 2012 R2 Datacenter

newazureportal18

2.  At the Windows Server 2012 R2 Datacenter screen click Create.

newazureportal19

3.  At the Basics screen enter the following then click OK.

khl-ex1

***Note:  The virtual machine name will need to be unique for your lab since it’s a hostname within eastus.cloudapp.azure.com.  So KHL-EX is no longer available.

4.  At the Choose a size screen click on View All and select F1S Standard VM then click Select.

khl-ex-1c

5.  At the Settings screen accept the defaults then click OK.

khl-ex2

6.  At the Summary screen review your settings then click OK.

khl-ex3b

Sit back and wait for your Azure VM to be created. It normally takes about 5-10 minutes.

Once the VM is finished being created, we will need to make a few modifications to the VM to make sure we can access it consistently and remotely. This involves setting Static IPs for the VM (Internal/External) as well as an external DNS name for the computer that can be used to access it via Remote Desktop. Follow the steps below to make these changes:

1.  In the Left-Pane click on Virtual Machines then click on KHL-EX.

khl-ex4a

2.  At the KHL-EX screen click on the Public IP address as shown below:

khl-ex5a

3.  At the KHL-EX-ip - Configuration screen under Assignment click Static, under DNS name label enter khl-ex, then click Save.

khl-ex6

4.  In the top-right corner click on the Bell to confirm the public IP address change has been saved.

khl-ex7

5.  Scroll back to the Left-Side of the screen then click on Virtual Machines | KHL-EX.

khl-ex4a

6.  Under KHL-EX click on Network interfaces.

khl-ex9

7.  At the KHL-EX - Network interfaces screen click on the Network Interface as shown below:

khl-ex10

8.  Under the Network Interface click on IP configurations.

khl-ex11

9.  At the IP configurations screen click on ipconfig1 as shown below:

khl-ex12

10.  At the ipconfig1 screen under Assignment select Static then click Save.

khl-ex13

If you completed Part 4 of this series you should already be familiar with Network Security Groups. These objects are used within Azure to determine which ports are open for a VM; the group holds the Inbound and Outbound rules that allow connectivity to the VM. A Network Security Group is created for each VM that you create within Azure. Follow the steps below to modify the Network Security Group that was created for KHL-EX to allow port 25/TCP for mail flow. Since KHL-EX is our public mail entry point, this inbound rule has to accept SMTP from any source; it is the only VM in the lab that should be exposed this way.

1.  Log into the portal by accessing the URL listed below:

https://portal.azure.com

2.  In the Left-Pane click on Resource Groups then select Killer-Home-Lab.

newazureportal37

3.  Under the Killer-Home-Lab Resource Group click on the KHL-EX-nsg Network Security Group.

khl-ex19

4.  Under KHL-EX-nsg click on Inbound security rules.

khl-ex20

5.  Under KHL-EX-nsg - Inbound security rules click on Add.

khl-ex21

6.  At the Add inbound security rule screen enter the Name "SMTP-Inbound", use the Service pull-down menu to select SMTP, then click OK.

khl-ex22

7.  Under KHL-EX-nsg click on Outbound security rules.

8.  At the Add outbound security rule screen enter the Name "SMTP-Outbound", use the Service pull-down menu to select SMTP, then click OK.

 

Now that our KHL-EX VM has been created, we will need to create an A Record that will be used with our MX Record.

MX (Mail Exchanger) records are used to determine which server is responsible for a domain's mail. Since MX Records must point to A Records, we will need to create an A Record pointing to our External Mail Entry Point. Since this is going to be our Edge Server, we will ping the Azure FQDN for KHL-EX, which will be in the following format:

KHL-EX.eastus.cloudapp.azure.com

In my case the IP assigned was 13.92.38.75, so my records would need to be:

A Records

SMTP 13.92.38.75

MX Record

SMTP.IT.DMGVA.COM

 

The following A Record will need to be created using the Public IP of KHL-EX:

  • smtp.it

Follow the steps below to create this record:

1.  Within the Azure Portal access the Killer-Home-Lab Resource Group and DNS Zone dmgva.com.

2.  Click on +Record set then at the Add record set screen enter the values shown below and click OK:

azuredns6
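With the external A records created earlier and smtp.it added here, the namespace now has to resolve one way inside the lab and another way on the internet. The following added example, not part of the post, checks both views plus the MX record from any domain-joined machine; the addresses are the ones quoted in this post and the Azure name server is an assumed placeholder, so substitute your own.

```powershell
# Added example (not part of the post): check that the split-DNS namespace
# resolves the way the lab expects, from inside (op-dc) and outside (Azure DNS).
# Replace it.dmgva.com, the addresses and the Azure name server with yours.
$Domain      = 'it.dmgva.com'
$InternalDns = 'op-dc'                 # AD DNS server holding the internal it.dmgva.com zone
$ExternalDns = 'ns1-01.azure-dns.com'  # assumption: one of the name servers shown for your Azure zone
$InternalIp  = '192.168.1.6'           # OP-EX
$IspIp       = '98.175.27.234'         # ISP address quoted in the post; use your own
$EdgeIp      = '13.92.38.75'           # KHL-EX public IP quoted in the post; use your own

# Name -> (address expected from internal DNS, address expected from external DNS)
$expected = @{
    "owa.$Domain"          = @($InternalIp, $IspIp)
    "outlook.$Domain"      = @($InternalIp, $IspIp)
    "eas.$Domain"          = @($InternalIp, $IspIp)
    "autodiscover.$Domain" = @($InternalIp, $IspIp)
}

function Get-ARecord {
    param([string]$Name, [string]$Server)
    $answer = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue
    return @($answer | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
}

$problems = @()
foreach ($name in $expected.Keys) {
    $inside  = Get-ARecord -Name $name -Server $InternalDns
    $outside = Get-ARecord -Name $name -Server $ExternalDns
    if ($inside -notcontains $expected[$name][0]) {
        $problems += "$name via $InternalDns -> [$($inside -join ',')], expected $($expected[$name][0])"
    }
    if ($outside -notcontains $expected[$name][1]) {
        $problems += "$name via $ExternalDns -> [$($outside -join ',')], expected $($expected[$name][1])"
    }
}

# smtp.it must point at the Edge server externally, and must NOT have been
# dragged along to the ISP address by the dynamic-IP update script.
$smtp = Get-ARecord -Name "smtp.$Domain" -Server $ExternalDns
if ($smtp -notcontains $EdgeIp) {
    $problems += "smtp.$Domain via $ExternalDns -> [$($smtp -join ',')], expected $EdgeIp"
}

# The MX for the mail domain must name the smtp host (an A record, never a CNAME).
$mx = Resolve-DnsName -Name $Domain -Type MX -Server $ExternalDns -DnsOnly -ErrorAction SilentlyContinue |
      Where-Object { $_.Type -eq 'MX' }
if (-not $mx) {
    $problems += "No MX record for $Domain at $ExternalDns"
} elseif (@($mx | ForEach-Object { $_.NameExchange.ToLower() }) -notcontains "smtp.$Domain") {
    $problems += "MX for $Domain is $($mx.NameExchange -join ',') not smtp.$Domain"
}

if ($problems.Count -eq 0) { Write-Output "Split DNS, smtp.$Domain and MX all resolve as expected." }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

Queries to the Azure name server will only succeed once the registrar delegation from the earlier section is in place and outbound DNS (53/UDP) is allowed from the machine you run this on.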

Follow the steps below to connect to KHL-EX.

1.  In the Left-Pane click on Virtual Machines then click on KHL-EX.

khl-ex4a

2.  At the KHL-EX screen click on Connect.

khl-ex15b

3.  At the Pop-up click Save.

khl-ex16

4.  At the next pop-up click on Open Folder.

khl-ex17

5.  Under the Downloads double-click on KHL-EX then at the pop-up click Connect, and enter your Credentials.

khl-ex18

Once it is confirmed that we can communicate with KHL-DC modify KHL-EX's FQDN using the steps below:

1.  Right-click on the Windows Logo and click on System.

2.  Under Computer name, domain and workgroup settings click on Change settings.

3.  At the pop-up screen click on Change.

4.  At the Computer Name/Domain Changes window click on More.

5.  At the DNS Suffix and NetBIOS Computer Name pop-up under Primary DNS suffix of this computer enter killerhomelab.com then click OK, OK.

6.  At the Computer Name/Domain Changes pop-up click OK then Close.

7.  Click Restart Now.

Exchange 2016 Prerequisites for an Edge Server

Once the server has restarted we will re-connect using our Admin credentials. Once logged in we will need to prepare our server for Exchange by installing the Prerequisites for Exchange 2016. The official prerequisites can be pulled from the TechNet article below, though we will go through each of them here:

https://technet.microsoft.com/en-us/library/bb691354(v=exchg.160).aspx

Pre-reqs

Unlike the Mailbox Server, the Edge Transport role does not need IIS; its only role prerequisite is Active Directory Lightweight Directory Services (AD LDS), which hosts the local copy of the recipient and configuration data. Follow the procedure below to install it:

1.  Log onto KHL-EX.

2.  Open an Elevated Powershell Prompt.

3.  Copy and Paste the following then hit Enter (Server will Reboot):

Install-WindowsFeature ADLDS

Deploying Exchange 2016

Now we are almost ready to install Exchange 2016.  Follow the steps below to download and extract the Exchange 2016 Setup Files.

1.  Open Server Manager.

2.  In the Left-Pane click on Local Server then under the Properties section click on the IE Enhanced Security Configuration toggle.

IE-Enhanced1

3.  At the Internet Explorer Enhanced Security Configuration screen under Administrators select Off.

4.  Launch Internet Explorer 11.

5.  In the Top-Right corner select the Settings gear then select Internet Options.

InternetOptions

6.  At the Internet Options window select the Security tab then click on Custom level.

InternetOptions2

7.  At the Security Settings window make sure the File download settings is set to Enable then click OK, OK.

SecuritySettings

8.  From within Internet Explorer navigate to the following URL:

https://www.microsoft.com/en-us/download/details.aspx?id=54450

9.  From your Downloads folder double-click ExchangeServer2016-CU4.iso.

This mounts the ISO as a drive letter.  In this lab it came up as F:, so adjust the commands below if yours is different.

Installing Exchange 2016

We will use the command prompt to install Exchange in unattended mode, which lets us specify the Edge Transport role and accept the license terms in a single command.  Follow the instructions below to install Exchange 2016:

1.  From an elevated Command Prompt type the following command then hit Enter:

F:\setup.exe /mode:install /roles:et /IAcceptExchangeServerLicenseTerms

2.  When setup has completed reboot the server.

Validating the Installation

Now that our server has been rebooted, let's do some quick checks to verify that it is operating correctly.  We will start by making sure all of our Exchange services are up and running.

1.  Right-click on the Windows Logo and select Command Prompt (Admin).

2.  Type the following command then hit Enter:

Services.msc

3.  Within the Services MMC scroll down and make sure all of the following Exchange Services are started:

  • Microsoft Exchange ADAM
  • Microsoft Exchange Anti-spam Update
  • Microsoft Exchange Credential Service
  • Microsoft Exchange Diagnostics
  • Microsoft Exchange Health Manager
  • Microsoft Exchange Health Manager Recovery
  • Microsoft Exchange Service Host
  • Microsoft Exchange Transport
  • Microsoft Exchange Transport Log Search
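The same check from PowerShell, as an added example that is not part of the original post: it walks the service list above by display name, starts anything that is stopped, and then confirms the two listeners an Edge server needs, 25/TCP for Internet mail and 50636/TCP, the secure LDAP port of the AD LDS instance that the Mailbox server connects to for EdgeSync.  Any network security group or firewall in front of KHL-EX must allow these too.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt on KHL-EX.
$Expected = @(
    'Microsoft Exchange ADAM',                    # the AD LDS instance EdgeSync replicates into
    'Microsoft Exchange Anti-spam Update',
    'Microsoft Exchange Credential Service',
    'Microsoft Exchange Diagnostics',
    'Microsoft Exchange Health Manager',
    'Microsoft Exchange Health Manager Recovery',
    'Microsoft Exchange Service Host',
    'Microsoft Exchange Transport',
    'Microsoft Exchange Transport Log Search'
)

$installed = Get-Service -DisplayName 'Microsoft Exchange*'
$problems  = 0
foreach ($name in $Expected) {
    $svc = $installed | Where-Object { $_.DisplayName -eq $name }
    if (-not $svc) { Write-Warning "$name is not installed"; $problems++; continue }
    if ($svc.Status -ne 'Running') {
        Write-Warning "$name is $($svc.Status) (service name $($svc.Name)); starting it"
        Start-Service -Name $svc.Name
        $problems++
    }
}
"Services checked: $($Expected.Count), problems found: $problems"

# 25/TCP: SMTP from the Internet. 50636/TCP: secure LDAP into AD LDS, used by the Mailbox server for EdgeSync.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 25, 50636 } |
    Select-Object LocalAddress, LocalPort,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess).ProcessName } }
```

If 25/TCP is missing, the Transport service is not up; if 50636/TCP is missing, the ADAM instance is not running and the Edge Subscription in the next section will fail.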

One purpose of Microsoft Exchange Edge Transport servers is to check each inbound email and validate that it is destined for a valid recipient within the organization, so that mail for unknown addresses is rejected at the perimeter instead of being relayed inside.  This validation relies on Edge Synchronization (EdgeSync), which replicates data from Active Directory to the AD LDS (ADAM) instance installed on the Edge server.  By default configuration information (connectors, accepted domains, etc.) is replicated every 3 minutes and recipient data every 5 minutes.  EdgeSync depends on an Edge Subscription, a one-way relationship in which the Mailbox servers in an Active Directory site push data to an Edge Transport server; the Edge server never queries Active Directory directly.  Follow the steps below to create an Edge Subscription between KHL-EX and OP-EX.

Creating Edge Subscription

1.  Log onto KHL-EX

2.  From the Taskbar click on the Windows Logo then click on the Down Arrow.

3.  Locate and right-click Exchange Management Shell and select Run as administrator.

4.  At the Exchange Management Shell enter the following commands then hit Enter:

mkdir C:\EdgeSubscriptions

New-EdgeSubscription -FileName C:\EdgeSubscriptions\KHL-EX.xml

!!!Note:  As shown below you must make sure that both the Edge and Mailbox Servers can resolve each other's FQDNs.  Since the Edge Server (KHL-EX) is a part of the KHL-Azure Virtual Network it is already using KHL-DC as its DNS Server and has name resolution for OP-EX.  We also created an A Record for KHL-EX within our Domain DNS Zone (killerhomelab.com) earlier in the post to provide OP-EX name resolution for KHL-EX.  As shown in the image below you have 24 hours to import this Edge Subscription file before it expires.!!!

Importing Edge Subscription

Now we must copy the Edge Subscription file over to our Mailbox Server and import it.  This can be done by copying the file C:\EdgeSubscriptions\KHL-EX.xml from your RDP session on your Edge Server to the RDP session of your Mailbox Server using a simple Copy & Paste.  Treat this file like a password: it contains the bootstrap credentials the Mailbox server uses to authenticate to the Edge server, so delete it from both servers once the import has succeeded.  Once the file has been copied follow the steps below to import it.

1.  Log onto OP-EX.

2.  Open the Exchange Management Shell and use the commands below to import the Edge Subscription file.

[byte[]]$Temp = Get-Content -Path "C:\EdgeSubscriptions\KHL-EX.xml" -Encoding Byte -ReadCount 0
New-EdgeSubscription -FileData $Temp -Site "Onpremise-Lab"
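As an added example (not part of the original post), the import above carried through to a verified result: it imports the file, forces the first synchronization instead of waiting for the 3 and 5 minute timers, checks that EdgeSync reports a healthy state and that a known recipient has reached the Edge server, and then removes the subscription file.  The path and site name are the ones used above; tuser1@it.dmgva.com is assumed as a mailbox in this organization.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell on OP-EX.
$File           = 'C:\EdgeSubscriptions\KHL-EX.xml'
$Site           = 'Onpremise-Lab'
$ProbeRecipient = 'tuser1@it.dmgva.com'   # assumed: any mailbox in the organization works

# The file must be imported within 24 hours of running New-EdgeSubscription on the Edge server.
[byte[]]$data = Get-Content -Path $File -Encoding Byte -ReadCount 0
New-EdgeSubscription -FileData $data -Site $Site

# Do not wait for the 3 minute (configuration) and 5 minute (recipient) timers; push everything now.
Start-EdgeSynchronization -ForceFullSync

# SyncStatus should be Normal. Anything else usually means the Mailbox server cannot reach KHL-EX on 50636/TCP,
# or one side cannot resolve the other's FQDN. -VerifyRecipient confirms the recipient data actually arrived,
# which is what lets the Edge server reject mail for unknown addresses.
$status = Test-EdgeSynchronization -VerifyRecipient $ProbeRecipient
$status | Format-List Name, SyncStatus, LastSynchronizedUtc, RecipientStatus, FailureDetail
if ($status.SyncStatus -ne 'Normal') { throw "EdgeSync is not healthy: $($status.FailureDetail)" }

# The XML carries the bootstrap credentials for the EdgeSync account. It has done its job; do not leave it on disk
# (delete the copy on KHL-EX as well).
Remove-Item -Path $File -Force
```

If the import itself fails with an expiry error, re-run New-EdgeSubscription on KHL-EX to generate a fresh file; if Test-EdgeSynchronization reports a connection failure, check the VPN and the listeners on the Edge server first.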

 

Testing Exchange 2016

OWA

Now we will log into our Test Mailbox and send some test emails.

     1.  Launch Internet Explorer and navigate to the URL below:

https://owa.it.dmgva.com/OWA

     2.  When prompted enter the Test User1 credentials.

     3.  Since this is your first time logging into this mailbox select a Time zone then click Save.

     4.  Once you are logged in click on New.

NewMail

     5.  In the To: field enter the email address of another email account you can access then add a subject and click Send:

NewMessage

     6.  Log into your other email account and check to see if you received the message.

As you can see below our message was successfully sent from our new Exchange Server and delivered to another email account.  As you can see below, Outlook actually considered my message to be Junk Email, so make sure to check the Junk Email folder of whatever account you are using for this test.

SuccessfulEmail1

Now that we have sent a successful outbound email, lets reply to our email so we can check our inbound email.

     1.  Open the message from Test User1 then click on Reply all.

     2.  Enter some text within the body of the message then click Send:

ReplyEmail2

If we switch back over to our Test User1 mailbox we should see our message from our other email account!

MailTest

Now that we know our mail flow is working and OWA is accessible, let's move on to test our other client connectivity options.

To keep our logon names consistent with our email addresses, and in preparation for Part 7 (Syncing On-Premise with Office 365), we will be creating a new UPN suffix.  A UPN suffix is the part of the User Principal Name after the @; adding an alternative suffix lets a user log on as user@it.dmgva.com instead of the default user@killerhomelab.com.  Once we have added this UPN suffix we will change Test User1's logon name to use it.  Follow the steps below to complete this task:

1.  Logon to KHL-DC.

2.  Right-click on the Windows Logo and select Run then enter the following and click OK:

domain.msc

3.  At the Active Directory Domains and Trusts pop-up in the Left-Pane right-click Active Directory Domains and Trusts [KHL-DC.killerhomelab.com] then click Properties.

upnsuffix1

4.  At the pop-up enter it.dmgva.com under Alternative UPN suffixes: then click Add, OK.

upnsuffix2

5.  Close the Active Directory Domains and Trusts mmc.

6.  Right-click on the Windows Logo and select Run then enter the following and click OK:

dsa.msc

7.  At the Active Directory Users and Computers mmc in the Left-Pane expand killerhomelab.com and select Users.

8.  Locate Test User1 and double-click it.

9.  At the Test User1 Properties click on the Account tab.

10.  Under the User logon name: use the pull-down to change the value from killerhomelab.com to it.dmgva.com then click OK.

(If it.dmgva.com is not present in the pull-down, force Active Directory replication manually or wait 15 minutes.)
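The same change from PowerShell, as an added example that is not part of the original post.  It adds the suffix to the forest, re-points the user's UPN, and then checks the result that matters for Part 7: that the UPN equals the primary SMTP address, since directory synchronization uses the UPN as the cloud sign-in name.  'tuser1' is assumed as the sAMAccountName of Test User1.

```powershell
# Added example, not from the original post. Run on KHL-DC (or any host with the RSAT ActiveDirectory module).
# Set-ADForest needs Enterprise Admin rights; Set-ADUser needs rights on the user object.
Import-Module ActiveDirectory
$Suffix = 'it.dmgva.com'
$Sam    = 'tuser1'   # assumed sAMAccountName of Test User1

# Alternative UPN suffixes are a forest-wide setting (the same value Active Directory Domains and Trusts writes).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $Suffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $Suffix }
    "Added UPN suffix $Suffix"
}

# Switch the user's logon name to the new suffix. UPNs must be unique in the forest; Set-ADUser errors if not.
$user = Get-ADUser -Identity $Sam -Properties proxyAddresses
Set-ADUser -Identity $user -UserPrincipalName "$Sam@$Suffix"

# The primary SMTP address is the proxyAddresses entry with an upper-case 'SMTP:' prefix (lower-case ones are aliases).
$primarySmtp = ($user.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' }) -replace '^SMTP:'
$after = Get-ADUser -Identity $Sam
if ($after.UserPrincipalName -eq $primarySmtp) {
    "UPN and primary SMTP address match: $primarySmtp"
} else {
    Write-Warning "UPN is $($after.UserPrincipalName) but the primary SMTP address is $primarySmtp"
}
```

If the warning fires, either fix the UPN or change the primary SMTP address in the Exchange Admin Center; they should agree before Part 7.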

Outlook

Although OWA has grown more robust, there are still times when a full email client is needed.  The client of choice is Outlook.  Outlook leverages a feature called Autodiscover that locates and configures Outlook settings for users automatically.  This process differs slightly depending on whether the client is domain joined or non-domain joined.  Domain joined clients query Active Directory for objects called Service Connection Points (SCPs).  An SCP is created for each Exchange server that hosts the Client Access services (in Exchange 2016 that is every Mailbox server, since there is no longer a separate Client Access Server role).  These SCPs provide client connectivity information, specifically the Autodiscover URL from which Outlook retrieves the URLs for the individual Exchange services.  Below I will walk you through setting up a domain joined Outlook client.  This client can be any machine you have on-premise that can have Outlook installed.  The steps and screenshots below are for Outlook 2013, but apply to almost every Outlook client:

     1.  From a Domain Joined Outlook Client launch outlook.

     2.  If prompted with a Welcome to Outlook screen click Next.

WelcometoOutlook

     3.  At the Add an Email Account click Next.

     4.  At the Auto Account Setup screen notice that your Name and Email Address have already been populated.  Outlook pulls these from the logged-on user's Active Directory account (the mail attribute), which is why a domain joined client needs no manual input.

outlookscp1

     5.  At the Searching for your mail server settings... screen wait for Autodiscover to complete then click Finish to launch Outlook.

outlookscp2

Now that we are within Outlook lets confirm that we are connected to Exchange by looking in the bottom-right corner as shown below:

OutlookConnected

In the screenshots below the domain joined client connects to Exchange using RPC over HTTP (Outlook Anywhere).  This allows Outlook to traverse firewalls using port 443/TCP.  Note that the protocol Outlook negotiates is not decided by domain membership: Exchange 2016 offers MAPI over HTTP by default, and a client falls back to RPC over HTTP when MAPI over HTTP is disabled for the organization or for the mailbox, or when the Outlook build does not support it (Outlook 2013 needs SP1).  Let's take a look at our connection status to actually see RPC being encapsulated by HTTP.  Follow the steps below:

     1.  Launch Outlook.

     2.  In the Bottom-Right of your client Taskbar locate the Outlook icon as shown below then hold down the Ctrl Key and Right-click it:

ConnectionStatus1

     3.  Once presented with the menu shown below click on Connection Status:

ConnectionStatus2

Now that our connection status is opened you can see in the image below that our Connection (Conn) is HTTP however we are still utilizing RPC Ports (6001 & 6004)

rpcoverhttp1
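As an added example (not part of the original post), here is how to see the two things the Autodiscover and connection-status sections above depend on: the SCP objects a domain joined Outlook finds in Active Directory, who is allowed to change them, and the MAPI over HTTP settings that decide which transport the client ends up on.  'tuser1' is assumed as the sAMAccountName of Test User1; the GUID is the Autodiscover SCP keyword Exchange setup writes.

```powershell
# Added example, not from the original post. The AD queries run on any domain-joined machine with the RSAT
# ActiveDirectory module; the last two cmdlets need the Exchange Management Shell on OP-EX.
Import-Module ActiveDirectory
$TestMailbox = 'tuser1'   # assumed sAMAccountName of Test User1

# Outlook's first stop on a domain-joined client: serviceConnectionPoint objects in the Configuration partition
# tagged with the Autodiscover keyword GUID. serviceBindingInformation is the Autodiscover URL it will call.
$configNC = (Get-ADRootDSE).configurationNamingContext
$filter   = '(&(objectClass=serviceConnectionPoint)(keywords=77378F46-2C66-4aa9-A6A6-3E7A48B19596))'
$scps     = Get-ADObject -SearchBase $configNC -LDAPFilter $filter -Properties serviceBindingInformation, keywords
foreach ($scp in $scps) {
    '{0} -> {1}' -f $scp.Name, ($scp.serviceBindingInformation -join ', ')
}

# Whoever can write serviceBindingInformation here can point every domain-joined Outlook at a server of their
# choosing, so review who holds write rights on these objects (expect Exchange groups and Enterprise Admins only).
foreach ($scp in $scps) {
    (Get-Acl -Path "AD:$($scp.DistinguishedName)").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ActiveDirectoryRights -match 'Write|GenericAll' } |
        Select-Object @{ n = 'SCP'; e = { $scp.Name } }, IdentityReference, ActiveDirectoryRights
}

# Which transport Outlook negotiates is decided here (plus client support, Outlook 2013 SP1 or later),
# not by domain membership. A blank per-mailbox value inherits the organization setting.
Get-OrganizationConfig | Format-List MapiHttpEnabled
Get-CASMailbox -Identity $TestMailbox | Format-List MapiHttpEnabled
```

If the organization value is True and the mailbox value is blank or True, an up-to-date Outlook will show HTTP in Connection Status with no RPC ports, as in the MAPI over HTTP section below; if you see ports 6001 and 6004 on such a client, check the Outlook build first.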

Outlook (Mapi over HTTP )

Now that we have tested with a domain joined client, let's make sure Outlook will also work with a non-domain joined external client.  Before testing, we need to import our lab Certificate Authority so the client trusts the certificate securing our MAPI over HTTP connection.  Because the CA certificate below is served over plain HTTP, anyone on the path could replace it with their own; before installing it compare its thumbprint with the one shown on KHL-CA itself, and keep in mind that anything placed in Trusted Root Certification Authorities can sign certificates the client will accept for any site.  Navigate to the URL below and then follow the steps to import your Certificate Authority:

http://khl-ca.it.dmgva.com/CertEnroll/OP-DC.killerhomelab.com_KHL-CA.crt

  1.  At the File Download click Open.

cadownload1

  2.  At the Certificate pop-up click on Install Certificate.

cadownload2

  3.  At the Certificate Import Wizard click Next.

cadownload3

  4.  At the Certificate Store screen select Place all certificates in the following store then click Browse.

cadownload4

  5.  At the Select Certificate Store pop-up select Trusted Root Certification Authorities then click OK, then Next.

cadownload5

  6.  At the Completing the Certificate Import Wizard screen click Finish.

cadownload6

  7.  At the Security Warning click Yes then at the Import was successful screen click OK.

cadownload6a cadownload7
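The import above done from PowerShell with the check the GUI skips, as an added example that is not part of the original post: download the CA certificate, refuse it unless its thumbprint matches the value read from the CA, confirm it is actually a self-signed root, import it, and then prove the result with a TLS handshake to OWA.  The thumbprint below is a placeholder you must replace; owa.it.dmgva.com is the OWA host name used earlier in this post.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt on the non-domain-joined client
# (Import-Certificate needs Windows 8 / Server 2012 or later; on older clients use certutil -addstore Root).
$Url      = 'http://khl-ca.it.dmgva.com/CertEnroll/OP-DC.killerhomelab.com_KHL-CA.crt'
$OwaHost  = 'owa.it.dmgva.com'
$Expected = '0000000000000000000000000000000000000000'   # PLACEHOLDER: the CA's SHA-1 thumbprint, read on KHL-CA itself
$Path     = Join-Path $env:TEMP 'KHL-CA.crt'

# The download is plain HTTP, so this comparison is the only thing standing between you and a rogue root.
Invoke-WebRequest -Uri $Url -OutFile $Path -UseBasicParsing
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
if ($ca.Thumbprint -ne $Expected.ToUpper()) {
    Remove-Item $Path -Force
    throw "Thumbprint mismatch: downloaded $($ca.Thumbprint), expected $Expected. Not trusting this file."
}
if ($ca.Subject -ne $ca.Issuer) { throw 'Not a self-signed root certificate; it does not belong in Trusted Root.' }

# Machine-wide trust; use Cert:\CurrentUser\Root to limit the trust to the current user instead.
Import-Certificate -FilePath $Path -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Remove-Item $Path -Force

# Prove the result the way Outlook will see it: the TLS handshake must chain to the new root and match the host name.
$tcp = New-Object System.Net.Sockets.TcpClient($OwaHost, 443)
$tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $tls.AuthenticateAsClient($OwaHost)    # throws on an untrusted chain or a name mismatch
    "OK: $OwaHost presents '$($tls.RemoteCertificate.Subject)' issued by '$($tls.RemoteCertificate.Issuer)'"
} finally {
    $tls.Dispose(); $tcp.Close()
}
```

The same thumbprint comparison applies to the phone sections below; read it off the certificate details screen before tapping Install.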

Now that Certificate Authority is trusted lets follow the steps below to configure our External Outlook Client.

     1.  Launch Outlook and at the Welcome Screen click Next.

outlook1

  2.  At the Add an Email Account screen click Next.

outlook2

     3.  At the Auto Account Setup screen enter your information as shown below then click Next:

outlook3

     4.  At any of the Windows Security pop-up's enter your username & password, check the Remember my credentials box then click OK as shown below:

outlook4

     5.  Once Autodiscover is complete click Finish to open Outlook.

outlook5

In this case the external, non-domain joined client connects to Exchange using MAPI over HTTP, again traversing firewalls on port 443/TCP only.  Let's take a look at our connection status to confirm that no RPC ports are in use.  Follow the steps below:

     1.  Launch Outlook.

     2.  In the Bottom-Right of your client Taskbar locate the Outlook icon as shown below then hold down the Ctrl Key and Right-click it:

ConnectionStatus1

     3.  Once presented with the menu shown below click on Connection Status:

ConnectionStatus2


Now that our connection status is opened you can see in the image below that the Protocol that we are using is HTTP and that we no longer utilize any RPC Ports!

mapioverhttp

ActiveSync

The last client we will test is ActiveSync.  Exchange ActiveSync is the primary protocol used to connect smart phones to your Exchange Server.  Although OWA works on most new smart phones and has become easier to use, most consumers prefer ActiveSync.  To validate that ActiveSync is working you will need a smart phone that supports it, such as Windows Phone, iPhone or Android.  Each device must also trust the lab CA, so the same certificate is installed first in every walkthrough below.  Follow the steps below to test and configure your phone for ActiveSync:

Windows Phone

     1.  Open Microsoft Edge and navigate to the following URL:

http://khl-ca.it.dmgva.com/CertEnroll/OP-DC.killerhomelab.com_KHL-CA.crt

WindowsPhoneCert1

2.  At the pop-up tap Save.

windowsphone2

     3.  At the pop-up tap anywhere to go to Downloads.

windowsphone11

     4.  At the DOWNLOADS pop-up tap on the .cer file as shown below:

windowsphone13

     5.  At the Install certificate screen tap Install.

WindowsPhoneCert5

     6.  At the Your certificates are installed screen tap OK.

WindowsPhoneCert6

       7.  Tap on Settings.

WindowsPhoneCert7

     8.   Tap on Exchange.

WindowsPhoneCert8

     9.  Under Email address tap within the box and enter tuser2@it.dmgva.com then tap Next.

windowsphone3

    10.  At the next screen tap anywhere under Password and enter your password then click Sign in.

windowsphone4

    11.  At the All done! screen click Done.

windowsphone5

    12.  Now your account is configured as shown below:

windowsphone9

    13.  Now you can launch and view your email using the mail app as shown below:

WindowsPhoneCert13        WindowsPhoneCert15

iPhone

     1.  Open Safari and navigate to the following URL:

http://khl-ca.it.dmgva.com/CertEnroll/OP-DC.killerhomelab.com_KHL-CA.crt

iPhoneCert1a

2.  At the Install Profile screen click on Install.

iPhoneCert1

3.  At the Enter Passcode screen enter your passcode.

iPhoneCert2

4.  At the Warning screen click Install.

iPhoneCert3a

     5.  At the Install pop-up click Install.

iPhoneCert4

     6.  At the Profile Installed screen click Done.

iPhoneCert5

     7.  Open Settings.

iPhone1

     8.  Scroll down to and click on Mail, Contacts, Calendars.

iPhone2

     9.  Under ACCOUNTS click on your Add Account.

iphone1

    10.  At the Add Account screen click on Exchange.

iPhone5

    11.  At the Exchange screen enter your Email, Password and Description then click Next:

    12. Once completed successfully you will see the screens below then click Save:

 iphone2   iPhone8a

    13.  Now you can launch and view your email using the mail app as shown below:

iPhone9    iPhone12

    14.  If you have multiple accounts on your phone please use the Back Arrow to navigate to your Killer Home Lab Email as shown below:

iPhone10a    iPhone11a    iPhone12

Android

      1.  Open the Google App and navigate to the following URL:

http://khl-ca.it.dmgva.com/CertEnroll/OP-DC.killerhomelab.com_KHL-CA.crt

AndroidCert1

2.  At the Certificate name pop-up tap OK.

AndroidCert2

3.  Go back to Home and click on Settings.

samsung1

4.  At the Settings pop-up click on General then click on Add Account.

samsung2

5.  At the Add Account screen click on Microsoft Exchange ActiveSync.

samsung3

6.  At the Configure Exchange account in a few steps screen enter your Email Address & Password then tap Next.

samsung4

7.  At the Email activation pop-up tap OK.

8. At the Remote security administration screen tap OK.

samsung5

9.  At Account options screen tap Next.

AndroidCert9

10.  At the Set up account screen tap Done.

samsung6

11.  Now you can launch and view your email using the mail app as shown below:

samsung7     samsung8

Congratulations!!!   You now have a fully functional Exchange Server that is accessible via OWA, Outlook and ActiveSync and can send and receive email to and from the Internet.  This completes Part 5 of the Killer Home Lab Series.  In Part 6 we will securely publish our Exchange 2016 Server using Active Directory Federation Services (ADFS) and Web Application Proxy (WAP) within our lab.  Have fun with the lab!!!
