Welcome to the latest blog post about System Center service templates!
When we asked our field what needed to be developed next, a very common ask was for a service template to deploy Exchange. This blog post is intended to teach you how to use System Center Virtual Machine Manager and a feature named Service Templates to deploy VMs and automatically install Exchange Server 2013 CU2, with minimal post-installation tasks left to complete to configure the unique settings for your environment.
If you are “the Exchange person” and you want to have the ability to easily provision a live environment to validate change management work such as Security Updates, then I have just the solution for you. If you are a hoster and among all the 1,000s of things you are thinking about, provisioning Exchange for new tenants is one of them, I have a solution for you. If you are a developer and you need to manage a virtual sandbox environment based on Exchange for testing your latest innovation, I have a great solution for you. If you are “on the server team” and your round table discussion on DR uncovered that rebuilding from scratch takes too long, or you want to provision 20 additional HA servers at a departmental scope on VMs as a “just in case”, do I ever have a solution for you!
… and best of all we are going to use new features of System Center Virtual Machine Manager 2012 R2.
Exchange Server 2013 Service Templates for System Center Virtual Machine Manager
I really want to motivate you to complete the walk through, which is not totally simple. Here is a 120 second “TV commercial” style video to explain what results this effort will yield using Single Server Architecture as an example. This gives you an idea of the big picture.
You might notice, I added the option to choose your network on the fly after this was created. To review this and other technical details, check out the full length walk-through at the very bottom of the post.
Now, go build!
What is in this post?
Philosophy – Define scope and assumptions.
Prerequisites – Document any unique pre-work and link to all downloads that should be ready before getting started.
Setup the Service Templates in VMM – Document the process to setup and configure the service templates in VMM.
Summary – Wrap up and embed a video demonstrating step by step what you need to do.
If you are really serious, read this first
I mean it. This is a very thorough overview that documents more than I could begin to in a blog post. Virtualization best practices, why and how to use System Center, and much, much more. I highly recommend it. Store it on your Windows Phone device now and read it at your convenience! There are 3 pages of links to more information!
Best Practices for Virtualizing and Managing Exchange 2013
Let’s define scope before we get started. This is a case where it becomes tempting to keep adding on. “We can automate it all!” Well yes, you can, but for the sake of sanity I think we should componentize. Let’s start off with the assumption that we already have an environment where we utilize System Center Virtual Machine Manager as a provisioning engine either by itself or together with additional tools. We will define the prerequisite work separately and link to more information where detail is not given. Then walk through each template architecture setup and I will even do a detailed video walk-through for each.
The first question, I know, will be how many users. That is a bit like asking how much wind it takes to push over a building without providing any more detail. You need to know a LOT more information: hardware, networking, storage, co-location of other VMs, activity profile of the user, etc. In the end you have to validate your environment. Rather than have me make an off-the-cuff blog remark, I highly recommend Jeff Mealiffe’s post on Exchange capacity planning and doing more to guesstimate performance.
Sizing Exchange 2013 Deployments
I am including service templates for both “Single Server Architecture” and “Multiple Server Architecture” in the download. As you might expect by their names, SSA is for a single server multi-role design and MSA is a two-tier design with options for scale-out using VMM. It is up to you which design better fits your environment. There is nothing at all wrong with using them together so you might as well load them both.
The second question will be what we are doing special to make Exchange a service template. There is no magic going on here. We are simply staging the prerequisites and the CU2 installation bits then running setup using the documented parameters for unattended installation. There is purposefully no scripting magic at all so it should be very easy for you to make changes according to your goals. Just for reference, here is the command we run to install Exchange in the single server architecture:
setup.exe /mode:Install /OrganizationName:@Organization@ /role:ClientAccess,Mailbox /Iacceptexchangeserverlicenseterms /MDBName:%ComputerName%_Default /DbFilePath:D:\DB\%ComputerName%_Default.edb /LogFolderPath:D:\Logs /UpdatesDir:".\Updates"
You might think of additional customizations. This is your template to customize as you see fit. There is a page on TechNet providing all the unattended parameters and how they are used.
Install Exchange 2013 Using Unattended Mode
Use Case Scenarios
There are many scenarios you could consider for deploying Exchange via service template. Let’s face it, there are only a limited number where you really NEED automation. If you are building 1 server and will probably never build another, then you probably don’t need to automate it. If you are considering this scenario as it relates to deployment of Exchange in a streamlined and repeatable process then a service template is definitely something to consider.
New or existing forests, isolated or not isolated? Answer is all of the above! This is not a result of anything I had to do in the service template itself, it is a KUDOS to the Exchange team for having a great design. Exchange stores information about the Exchange org in Active Directory. If you are provisioning the first server in the forest you have decisions to make, but you don’t have to change the Setup.exe parameters. Same goes for existing forests. Setup will identify the Org and add to it as long as you provide the right name. Building isolated or not is another KUDOS but to the Virtual Machine Manager team. VMM can handle either scenario and will make sure the custom resources you create will be available to the VM even in isolated virtual networks.
At the beginning of the post I listed a few scenarios. To add some additional thinking about why you might use a service template:
- Test labs (aka Sandbox) – For Exchange admins, a service template would give you the ability to quickly replicate a functional test environment where you could validate changes before introducing them in to production. This is also perfect for software development projects that integrate with Exchange to test against.
- Disaster Recovery Planning – In the worst of worst scenarios, you might someday need to rebuild your environment from scratch. Having a service template ready would give you the ability to create a new Exchange environment where you could restore from off site backup, even if it is only a temporary solution to get up and running until you can completely restore service.
- High Availability Options – It could be that you already have an Organization but you are thinking about extending a Database Availability Group to include additional standalone servers, potentially offsite, in case the platform where your existing servers are running has an issue.
- Quickly Adding Remote Sites – If you need the ability to provision server nodes across a high number of remote sites, you could automate the installation using service templates.
- Hosting – Whether you are a large enterprise thinking about isolating departments or a service provider, you have a lot to think about. Unattended installation does not a service provider make, but a service template provides one additional step you can include in automating creation of a new tenant.
A similar scenario I can see is the case of a consultant who wants to automate setup so he or she can go from environment to environment and reduce the total amount of clicks and eliminate the chances of human error. For that case, there is a lot to be learned by going through the motion of building a service template but there is a detailed post in the TechNet Gallery that I recommend reading through on scripting an install specifically focused on that scenario.
Exchange 2013 Unattended Installation Script
Michel de Rooij who posted the script has a full step by step walkthrough here:
Exchange 2013 Unattended Installation Script (Updated)
Always read and test a script of course but he covers so many aspects of the process, I would be remiss not to link him up.
There are pre-requisite downloads to build out everything you need, and then you need to pre-stage that content inside a VHDX file in the VMM library so that it can be used by the template. Unfortunately this is not a 1-click import. We are going to walk through every step together in detail but as a result, this is a long article. Don’t be afraid!
Before we get started, I want to be clear about the groundwork. I am working under the assumption that you have Hyper-V, XenServer, or VMware, and you have System Center Virtual Machine Manager 2012 R2 installed with a Library available and a VM template based on Windows Server 2012 RTM. If not, I would direct you to the TechNet resources for VMM as a starting point. Adding those steps would force me to more or less re-create their documentation!
Virtual Machine Manager
I am creating your go-to source here, so you can always come back to 1 place if you need to rebuild. In fact I am going to bracket this section to make it extra easy to find, just in case we should refer to it in future posts.
You need to download 2 prerequisite executables from the Microsoft Download Center.
You also need Exchange 2013. You can download the RTM build from MSDN, but I recommend going directly to the Cumulative Update 2 installation. It can be used either as an upgrade or as a full install, so you might as well build on the latest code. I am linking you to the Exchange CAT team’s blog that references the download so that if they ever need to make a correction, you are going to the guys in the know.
Finally, there is a security update available for CU2. The Exchange setup.exe understands how to patch the installation prior to install. All you have to do is copy the update to a folder. Again, let’s start with the latest code.
Create a formatted, fixed size VHDX file and add it to the VMM Library
We need to create a blank virtual hard disk to home the installation files, the Exchange DB, and logs. If you want to review storage practices (and if you are building more than a test lab, you should) I recommend the TechNet article below as well as the PDF linked at the beginning of the article, which goes in to great detail. Even in a Single Server Architecture, storage will be key to performance.
I recommend a Fixed Size VHDX. You can do this via Disk Manager in Windows or via PowerShell if you have the Hyper-V cmdlets available. To keep things moving, I will provide the workflow from the UI.
Add the files you downloaded to the new virtual hard drive
I have tested this solution in many different permutations. Unless you plan to use UCMA or the Office filters for other applications (in which case a VMM custom resource would be in order) and since we are already planning to have a data drive for the servers, my recommendation is to just stage the installations in the VHD for the data drive and call them from there. In 2012 you can mount the VHD file and modify it easily. Simply double click on it and it should launch a new window. To detach it you can open Explorer, right click on the drive icon and select ‘Eject’.
For the folder and files, please create this structure and stage each set of content so that the parameters in the template do not require modification:
Copy the content you downloaded in to each respective folder. You should have something like this:
The last step is to copy the new VHDX file to the VMM library in the folder of your choosing.
You only have to do that once! Now that you have a prepared VHDX file you can use it for any Exchange servers you create using the service template.
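The VHDX build described above, done in PowerShell instead of the UI, with an Authenticode check on the staged installers first, because this one disk is reused by every server the template deploys. This is an added example, not part of the original post or the template download; the function name, paths and 100 GB size are assumptions, and the staging folder is expected to already hold the folder structure the template parameters point to.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V

function New-ExchangeDataVhdx {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $VhdxPath,       # assumed, e.g. C:\Build\Data.vhdx
        [Parameter(Mandatory)] [string] $StagingFolder,  # assumed: downloads already laid out as the template expects
        [UInt64] $SizeBytes = 100GB,                     # assumed size; follow your own storage sizing
        [string] $ExpectedSigner = '*O=Microsoft Corporation*'
    )

    # 1. Check every staged installer before it is baked into a disk that
    #    every future Exchange VM will run setup from.
    $failed = @(
        Get-ChildItem -Path $StagingFolder -Recurse -File -Include *.exe, *.msi, *.msp |
            ForEach-Object {
                $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                if ($sig.Status -ne 'Valid' -or $signer -notlike $ExpectedSigner) {
                    [pscustomobject]@{ File = $_.FullName; Status = $sig.Status; Signer = $signer }
                }
            }
    )
    if ($failed.Count -gt 0) {
        $failed | ForEach-Object { Write-Warning "$($_.Status): $($_.File) [$($_.Signer)]" }
        throw "Signature check failed for $($failed.Count) file(s); no VHDX was created."
    }

    # 2. Fixed-size VHDX, initialised and formatted as a single NTFS volume.
    New-VHD -Path $VhdxPath -SizeBytes $SizeBytes -Fixed | Out-Null
    try {
        $diskNumber = (Mount-VHD -Path $VhdxPath -Passthru).DiskNumber
        Initialize-Disk -Number $diskNumber -PartitionStyle GPT
        $volume = New-Partition -DiskNumber $diskNumber -UseMaximumSize -AssignDriveLetter |
            Format-Volume -FileSystem NTFS -NewFileSystemLabel 'Data' -Confirm:$false

        # 3. Copy the verified content into the root of the new volume.
        Copy-Item -Path (Join-Path $StagingFolder '*') -Destination "$($volume.DriveLetter):\" -Recurse
    }
    finally {
        # Always detach; a mounted VHDX stays locked and cannot be copied to the library.
        Dismount-VHD -Path $VhdxPath
    }

    # 4. Return a SHA-256 hash (Get-FileHash needs PowerShell 4.0 or later) so the
    #    copy in the VMM library can be compared against this build later.
    Get-FileHash -Path $VhdxPath -Algorithm SHA256
}

# Example call (both paths are placeholders):
# New-ExchangeDataVhdx -VhdxPath 'C:\Build\Data.vhdx' -StagingFolder 'C:\Build\ExchangeStaging'
```

Keep the returned hash with your build notes; a library copy whose hash differs has been modified since it was staged.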
Refresh your VMM library
This is just a good idea to move things along after you have added the item above. Note that you need to run this from the VMM shortcut to PowerShell so the VMM cmdlets will be available.
Make decisions about how you will extend Active Directory
Run As Account
VMM needs an account to run the commands for installing Exchange. What account you select depends on your scenario so let’s be a little bit careful here.
Question – will your forest and domain already be prepped for the new Exchange Org using the Exchange 2013 CU2 Schema Extensions?
If the answer is YES, then the Run As account will only need to be a domain account with permissions to write to the directory to add references to the Exchange server object. This is similar to permissions that would allow for joining the computer to the domain. You probably already have that setup in VMM for provisioning new VMs to automate the OS installation process, in which case you can select that account and move on (if your directory permissions are granularly delegated, you may need to consult your Directory Services administrator to agree on which account should be used for this process).
If the answer is NO, you have a decision to make. Exchange setup will attempt to extend the schema during install if it has not already been completed, unless you suppress it. You need to decide whether you will want to create a Run As account with this level of permission. In enterprise scenarios, you are almost certainly not going to allow this in production as schema extensions should be carefully planned and executed under change management process. In a test lab, it is very possible that you are fine with it. In a tenant provisioning process, you might have the ability to temporarily utilize such permissions during build and then revoke access before data is introduced.
The direction you proceed pivots on the scenario you are trying to build. I can however guide you through the technical process.
Open the VMM console and connect to the VMM server where you will import the service template. Click on the Settings button on the bottom left corner and then expand out Security. Click Run As Accounts and review what you already have in place. If a new account is needed, click the Create Run As Account button and complete the form. When you are done click OK.
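The YES/NO question above can be answered from the directory itself, and the same query shows whether the account behind the Run As account holds more forest-level rights than the scenario needs. This is an added example, not part of the original post; the function name is hypothetical, and the default of 15281 is the schema `rangeUpper` value Microsoft documents for Exchange 2013 CU2, which you should confirm for the build you install.

```powershell
#Requires -Modules ActiveDirectory

function Test-ExchangeRunAsPrivilege {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,   # the domain account stored in the VMM Run As account
        [int] $ExpectedRangeUpper = 15281                  # assumed: Exchange 2013 CU2 schema version
    )

    $forestRoot = (Get-ADForest).RootDomain
    $schemaNC   = (Get-ADRootDSE).schemaNamingContext

    # Exchange records its schema version in rangeUpper of this attribute definition.
    # If the object is missing, the forest has never been extended for Exchange.
    $current = 0
    try {
        $marker  = Get-ADObject -Identity "CN=ms-Exch-Schema-Version-Pt,$schemaNC" `
                                -Properties rangeUpper -ErrorAction Stop
        $current = [int]$marker.rangeUpper
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        Write-Verbose 'ms-Exch-Schema-Version-Pt not found: schema has never been extended for Exchange.'
    }
    $schemaReady = $current -ge $ExpectedRangeUpper

    # Extending the schema requires Schema Admins and Enterprise Admins; both live in the
    # forest root domain. -Recursive also catches membership through nested groups.
    $userSid = (Get-ADUser -Identity $SamAccountName).SID.Value
    $privilegedGroups = @(
        foreach ($group in 'Schema Admins', 'Enterprise Admins') {
            $memberSids = @(Get-ADGroupMember -Identity $group -Server $forestRoot -Recursive |
                ForEach-Object { $_.SID.Value })
            if ($memberSids -contains $userSid) { $group }
        }
    )
    $canExtend = $privilegedGroups.Count -eq 2

    $finding = if ($schemaReady -and $privilegedGroups.Count -gt 0) {
        'Schema is already prepared: remove the account from the listed groups before using it in VMM.'
    } elseif ($schemaReady) {
        'Schema is already prepared and the account holds no forest-level group membership.'
    } elseif ($canExtend) {
        'Setup will extend the schema with this account: revoke the listed groups once the first server is built.'
    } else {
        'Schema is not prepared and this account cannot extend it: prepare the schema under change control first.'
    }

    [pscustomobject]@{
        Account            = $SamAccountName
        CurrentRangeUpper  = $current
        ExpectedRangeUpper = $ExpectedRangeUpper
        SchemaReady        = $schemaReady
        PrivilegedGroups   = $privilegedGroups -join ', '
        Finding            = $finding
    }
}

# Example call (account name is a placeholder):
# Test-ExchangeRunAsPrivilege -SamAccountName 'svc-vmm-exch' -Verbose
```

Running it again after a build is a quick way to confirm that temporary group membership was actually revoked.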
Setup the Service Templates in VMM
Download the service templates from TechNet Gallery and extract the contents of the ZIP file. Here you will find the XML files and a ReadMe.txt that references this site. The resources for each template are the same, so I am only providing one walk-through of import and domain settings. Even though the screenshots reference the SSA, the same process is true for MSA. The application settings are slightly different. Details are explained in the application settings section.
Launch the VMM console and click on the button in the bottom left corner for Library, then expand Templates on the left pane and select Service Templates, and then click the button on the ribbon Import Template. Now browse to the location of the XML file. There are no sensitive settings in the XML so you can ignore the checkbox and click Next.
On the next page you will see a series of warning signs as well as a red X. As IT Pros we have a well developed synapse that triggers a gut reaction that everything is broken. Relax, nothing is broken. Take a sip of coffee as we prepare to edit each line and map the template to the resources in VMM created during the prerequisite section.
Click the pencil icon next to each line and map to the item you created in VMM. To simplify as much as possible, here is a reference table to assist.
Map this to the formatted Data.VHDX file you created and stored in the library.
Map this to the VM Template for Windows Server 2012 (created independently of this guidance).
Map this to the Run As Account you created that will be used to install Exchange.
Map this to the Run As Account by the same name in VMM. This should exist by default without creating anything new.
When complete, click Next.
Finally, review the settings that will import the ST. You may also want to click on “View Script” so you can see exactly how you would do this using PowerShell if you were to automate such a workflow in the future. Click Import and you are done!
OK, that was not the end of the world, was it? We went through a lot of steps. Hang in there. We are going to add the finishing touches so the VM joins a domain.
Right click on the new service template and select “Open Designer”. This will give you the view below.
Right click on the center box and select Properties (for MSA you will see two boxes). This is your opportunity to customize anything you feel comfortable with according to your environment. Browse through the Hardware Configuration and validate the configuration. Pay special attention in the OS Configuration tab to customize the fields in the list below:
- Identity Information – this is defaulted to “EX” followed by a 2 digit counter supplied by ##. Does this comply with the standards you have in mind?
- Admin Password – set this according to the password standards for your environment.
- Domain / WorkGroup – to make the import go smoothly this is set with a placeholder in the Workgroup field. Switch to the Domain radio button and provide the full DNS name for your domain and either enter stored credentials or select a Run As Account.
This is the one area I want to fork and explain SSA and MSA a little bit differently per workflow. I made the conscious decision to make the SSA backwards compatible with VMM 2012 SP1. It is a simple workflow, and 2012 SP1 can handle it with no problem. On the other hand, MSA is more interesting because you have multiple servers all coming online at about the same time. The first server is going to extend the Active Directory schema and the others should wait for it to finish. If you have multiple Mailbox servers across fault domains, that creates a minor race problem. Never fear. There are new capabilities in service templates for VMM 2012 R2 that make this a breeze and actually make a difference in how we work with more advanced application installs going forward.
Part 1: Customize Application Settings for Single Server Architecture
Select the Application Configuration tab. You will notice three Script items. This is the set of commands that the service template is going to run in order. Review script items Pre-Install 1 and Pre-Install 2. These should not require any editing but if you click on the Advanced tab you can review the configuration including the location where logs will be written within each VM during installation.
Now select Pre-Install 3. This script is where we actually run Exchange Setup unattended. We really don’t need to make any changes but I want to call attention to 2 items.
- Place your mouse cursor in the Parameters: field. Ctrl-A to select all and copy the full string to Notepad. Verify the install string. You will notice @Organization@. This creates a mandatory parameter you can enter at run time. The value is used to name the Exchange Organization. If this will always be the same, you can replace it with something static.
- Note that the database name is based on the server name so it is unique per server. See comments at the end of the post regarding impact of database name when considering database availability groups.
- Review the value in the field Run As Account. If a change is required, select the account to run the Exchange install.
Part 2: Customize Application Settings for Multiple Server Architecture
If you are a frequent user of VMM 2012 SP1 and ready to move to VMM 2012 R2, take a look at the graphic below. Specifically, check out the application section. There is a new Script Application type in R2!
Right click on each server role box (the large two in the middle) and select Properties. In the above section we validated the Parameters string and the Run As Account. For each server role in this case, please do the same. You just want to make sure these align with how Exchange should be installed in your environment.
Note the Specify a script block section. If you require something more advanced to be run during install such as looking up values and passing them in as parameters, VMM now allows you to do this directly.
There is also a Timeout (seconds) value. This is the duration of time that the script is given to execute before VMM cuts it off and considers the job to have failed. I have set this to an hour. If for any reason you need more time, or if you believe that is too long, this is a new ability to tweak the setting.
Looking specifically at the Mailbox Server role, in the Application Configuration dialogue, you will see I have a third pre-install script with a unique title. Another new feature of VMM 2012 R2 is the ability to execute a script only for the first VM, or only on VMs other than the first VM. The same is true for deleting VMs should you ever decide you need a “cleanup” task.
I have utilized this functionality to separate out the action of extending the schema for Active Directory. This will occur only prior to creation of the first VM.
Save and Validate
You can browse the remaining tabs and click OK. You may wish to further customize the template and that is OK. This is yours now! You may wish to utilize Quota Points, Custom Properties, etc, in self-service scenarios or in the case of additional automation.
Don’t forget to click “Save and Validate” in the top right hand corner to save your changes.
Deploy the Service Template
Everything is setup and you are ready to deploy. I am not going to recreate the TechNet documentation here. If you are unfamiliar with the process please visit the link below.
How to Deploy a Service in VMM
I do want to post a reference just so you have a complete walk-through. You will need to select the Virtual Network when you create the deployment configuration and provide a name for your organization. The organization field is mandatory before you will be able to deploy the service. The space to enter the value is in the lower left hand corner of your screen.
Follow Best Practices (VERY IMPORTANT FOR PRODUCTION SERVERS)
There are post-installation tasks I consider requirements for production. The service template deploys the Exchange application, but if you plan to introduce the new server or servers into production, you should think about how this fits into your normal Exchange configuration workbook. You can reference the Exchange documentation on TechNet as well as the tool the Exchange team has provided to serve as a checklist. These additional items would be suitable for Orchestrator or SMA if you are deploying at scale.
Exchange 2013 Post-Installation Tasks
Microsoft Exchange Server Deployment Assistant
Install production certificate, assign services, update URLs
If you deploy a new server in to an AD site where there are production users and do not complete the unique configurations for your environment, you could disrupt users by prompting them regarding an invalid certificate, and eventually lead to errors occurring in the Outlook client.
Make sure you read over the URL configuration and SSL certificate sections on this page!
Configure Mail Flow and Client Access
Digital Certificates and SSL (specific to Exchange 2013)
This would be a great way to extend the service template provided here to include unique information about your environment. In an automation platform where VMM is combined with Orchestrator/SMA, this would also be an excellent task to occur next in a production-targeted workflow.
Move the Data VHDX to a different spindle than the OS VHDX
The Exchange guidance clearly indicates that the best practice for virtualization is to put the OS and Data on different spindles (different hard drives). The service template creates separate Virtual Hard Disk files but does NOT automatically guarantee that they will be located on different storage. This leaves one post-install task for you as the admin: consider your storage configuration and determine whether you are using a large storage array, where the files already benefit from spreading disk IO across spindles, or something like direct attached storage. If it is the latter, you will want to Live Storage Migrate the Data.VHDX file to a separate drive from the one where your OS virtual hard disk lives. The key word here is Live, so it will not require downtime, but you should complete the activity prior to using the VM as anything more than a test server.
Live migration of storage between two locations on a stand-alone host
Consider whether you will add additional databases
While reading various posts and talking to people about this project I learned it is not unusual to create a new database after install. To automate the process I have set the unattend parameters to create a default database using the naming convention “<ServerName>_Default”. Especially if this server will be part of a Database Availability Group that will be replicated across servers, it will make sense to create a new database for user accounts with a standardized naming convention that suits your environment.
Manage Mailbox Databases in Exchange 2013
Create a Database Availability Group
You now have a service template for Exchange! Thank you for sticking with the entire walkthrough. We have deployed all prerequisites, configured the service template at import, and configured the unique settings in Designer. I know it is a lengthy post but details count. If you feel lost, I have recorded a full length walk-through. I would recommend you skip to the place where you would like a visual aid. I have included bookmarks to help.
Thank you, and stay tuned to Building Clouds!