Gretech.be Just another WordPress weblog…

27 Apr 2010

Installing Exchange 2010 on Windows Server 2008 R2 DC


A while ago I installed an Exchange 2010 server on Windows Server 2008 R2 x64 for a friend of mine who couldn't get his Mac (built-in Mail program) with Snow Leopard working with Exchange 2003.

First some technical data:

Exchange version (Get-ExchangeServer | fl name,edition,admindisplayversion): 14.0 Build 639.21

After installing Exchange and forwarding the HTTP/HTTPS ports there were no problems for the Mac. After a while I was also preparing to switch my own account to 2010 on all computers, and then the problems began.

On the Exchange 2003 server I used ISA Server 2007, where you just select the RPC protocol to be allowed and ISA does the rest (client PCs connect on port 135, the server then assigns the client a dynamic port in the 49152-65535 range, which the ISA firewall opens automatically when needed).

The new Exchange 2010 server is behind a transparent Linux firewall (using Shorewall), and the RPC range is far too big to just open all the RPC ports. Limiting the RPC range is an option, but RPC over HTTPS is a much safer way, and because the Belgian internet provider Telenet blocks all outgoing traffic on port 135 from clients to the internet (since the Blaster virus, centuries ago!), RPC over HTTPS had to be configured anyway.

Some errors I ran into:

  • Error message: "This Security Certificate Was Issued by a Company that You Have Not Chosen to Trust" (http://support.microsoft.com/kb/297681)
  • Endless loop asking for logon credentials (login and password) when opening Outlook; the username and password were correct of course, but they weren't accepted (I found out this was because the authentication type wasn't the same for IIS, the client and Outlook Anywhere; at the bottom of this post there is a link with other causes and solutions)
  • After using Outlook for a while (2-3 minutes), configured to connect without SSL, it prompts three certificate errors

Steps that worked for me:

Because Windows seems to have a seriously strict certificate policy, I also installed Certificate Services on the server.

Step 1 Installing Windows Server 2008 R2 x64 and Exchange 2010

  1. Install Windows Server 2008 R2 x64 (configure your static IP and computer name)
  2. Run DCPROMO
  3. Install Roles
    1. Active Directory Certificate Services
      • Certification Authority
      • Certification Authority Web Enrollment
    2. Web Server IIS
      • Security: Basic Authentication
      • Security: Windows Authentication
      • Performance: Static Content Compression
      • IIS 6 Management Compatibility: IIS6 Metabase Compatibility
  4. Install Features
    1. RPC over HTTP Proxy
  5. Install 2007 Office System Converter: Microsoft Filter Pack
  6. Set the startup mode of "Net.Tcp Port Sharing Service" to Automatic, using PowerShell: Set-Service NetTcpPortSharing -StartupType Automatic
  7. Install Updates (to be sure) and reboot
  8. Install Exchange 2010
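The same roles and features, as an added example (not from the original post) installed from an elevated PowerShell on Windows Server 2008 R2 with the ServerManager module. The feature names are the ServerManager names of the Server Manager items listed above; the CA itself still has to be configured through the role wizard afterwards, and Exchange setup is still run separately.

```powershell
# Added example: installs the Step 1 roles and features and sets the Net.Tcp Port Sharing
# Service to start automatically. Run from an elevated PowerShell after DCPROMO.
Import-Module ServerManager

$features = @(
    'ADCS-Cert-Authority',   # Active Directory Certificate Services: Certification Authority
    'ADCS-Web-Enrollment',   # Certification Authority Web Enrollment
    'Web-Server',            # Web Server (IIS)
    'Web-Basic-Auth',        # Security: Basic Authentication
    'Web-Windows-Auth',      # Security: Windows Authentication
    'Web-Stat-Compression',  # Performance: Static Content Compression
    'Web-Metabase',          # IIS 6 Management Compatibility: IIS 6 Metabase Compatibility
    'RPC-over-HTTP-Proxy'    # Feature: RPC over HTTP Proxy (needed for Outlook Anywhere)
)

# Install only what is missing, so the console history shows exactly what this run changed.
$missing = Get-WindowsFeature | Where-Object { $features -contains $_.Name -and -not $_.Installed }
if ($missing) {
    $result = Add-WindowsFeature -Name ($missing | ForEach-Object { $_.Name })
    if (-not $result.Success) { throw "Feature installation failed, exit code $($result.ExitCode)" }
    if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'Reboot before installing Exchange.' }
}

# Step 6 of the list: Exchange setup checks that this service is set to start automatically.
Set-Service -Name NetTcpPortSharing -StartupType Automatic

# Verification: every feature in the list must now report Installed = True.
Get-WindowsFeature | Where-Object { $features -contains $_.Name } |
    Format-Table Name, Installed -AutoSize
Get-Service NetTcpPortSharing | Format-Table Name, Status, StartType -AutoSize
```

Add-WindowsFeature pulls in dependencies (Web Enrollment needs IIS, for instance), so the list only has to name the items from the post; the final table is the place to look when Exchange setup later complains about a missing prerequisite.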

Step 2 Installing Certificate

  1. Follow this tutorial to install the certificate signed by your own CA: http://gretech.be/blog/index.php/2010/04/24/installing-exchange-certificate-using-ad-certificate-services-gui-on-exchange-2010/

Step 3 Enable Outlook Anywhere (RPC over HTTP)

  1. Open Exchange Management Console
  2. Server Configuration > Client Access > Right click your server > Enable Outlook Anywhere
  3. Fill in the external host name, check NTLM and complete the wizard (I chose NTLM because with NTLM it is possible to remember your password in Windows, so you aren't asked to enter credentials every time you open Outlook; see the later steps to configure that on your client Windows PC)
  4. Reboot
  5. Check that it is activated: Event Viewer > right-click the Application log > Filter > Event ID: 3006; normally there is a log entry that says it is enabled
  6. HOSTS file edit. Normally this is only needed if the Exchange server is a domain member, and is not required if the Exchange server and the DC are the same machine. But just to be sure I did it anyway:
    1. Open the C:\Windows\system32\drivers\etc\hosts file
    2. Comment out the ::1 line if needed
    3. Add something like this (gretechmail is the computer name):

      ::1 localhost
      91.196.171.202 gretechmail
      91.196.171.202 gretechmail.adn.gretech.be
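The Step 3 wizard done from the Exchange Management Shell, as an added example that is not part of the original post, followed by the two checks that matter for the credential-prompt loop described at the top: the event the post tells you to look for, and whether IIS actually offers the authentication method Outlook is told to use. Assumed values: server name gretechmail and external host name gretechmail.adn.gretech.be.

```powershell
# Added example: enable Outlook Anywhere with NTLM and verify the configuration.
$server   = 'gretechmail'
$external = 'gretechmail.adn.gretech.be'

# Same choice as in the wizard: NTLM for the client, no SSL offloading because HTTPS
# terminates on this server and not on a device in front of it.
Enable-OutlookAnywhere -Server $server -ExternalHostname $external `
    -ClientAuthenticationMethod NTLM -SSLOffloading $false

# Check 1: the Application log entry with event ID 3006 appears once the RPC over HTTP
# proxy has been configured (it can take a few minutes and a reboot, as the post notes).
Get-EventLog -LogName Application -Newest 500 |
    Where-Object { $_.EventID -eq 3006 } |
    Select-Object TimeGenerated, Source, Message | Format-List

# Check 2: the method Outlook uses must also be enabled on the /Rpc virtual directory in IIS.
# A mismatch between the two is exactly the endless password prompt from the error list.
$oa = Get-OutlookAnywhere -Server $server
"Client authentication : $($oa.ClientAuthenticationMethod)"
"IIS authentication    : $($oa.IISAuthenticationMethods -join ', ')"
if ($oa.IISAuthenticationMethods -notcontains $oa.ClientAuthenticationMethod) {
    Write-Warning ('IIS does not offer {0}; align it with Set-OutlookAnywhere -IISAuthenticationMethods' `
        -f $oa.ClientAuthenticationMethod)
}
```

If the warning fires, the fix is to make the IIS side match the client side rather than the other way round, since the client setting is what the Outlook profile (Step 6) is configured against.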

Enable Outlook Anywhere Video tutorial (Only step 1 needed)

Default settings for Exchange-related virtual directories in Exchange Server 2007

Step 4 Autodiscover

  1. Create the CNAME autodiscover.emaildomain.com (e.g. if your email domain is @gretech.be, create autodiscover.gretech.be and point it to the mail server, in our case gretechmail.adn.gretech.be), or you can also use an SRV record if your DNS allows this: http://support.microsoft.com/kb/940881

More autodiscover options and troubleshooting can be found here: http://www.exchange-genie.com/2007/07/exchange-2007-autodiscover-service-part-1/

Testing Autodiscover: Test-OutlookWebServices -Identity Administrator | fl

Problem: at first Autodiscover didn't work for me; after running the above command in the Exchange shell I got the following error:

When contacting https://gretechmail.adn.gretech.be/Autodiscover/Autodiscover.xml received the error The remote server returned an error: (500) Internal Server Error.

The solution that worked for me was:

Remove-AutodiscoverVirtualDirectory -Identity "gretechmail\Autodiscover (Default Web Site)"

New-AutodiscoverVirtualDirectory
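Step 4 as a script, added here as an example that is not from the original post: the DNS record is created with dnscmd on the DNS server for the e-mail domain, Test-OutlookWebServices is run, and only when the Autodiscover probe fails as it did above is the virtual directory removed and recreated. Assumed values: e-mail domain gretech.be, server gretechmail, mailbox Administrator; the result fields (Type, Message) are those of Test-OutlookWebServices in Exchange 2010 RTM, the build used in this post.

```powershell
# Added example: Autodiscover DNS record, test, and the recreate-the-vdir fix from the post.
$zone   = 'gretech.be'
$server = 'gretechmail'
$target = 'gretechmail.adn.gretech.be'

# DNS: the CNAME from the post, or (the method of KB 940881) an SRV record pointing at the
# HTTPS name of the server. Create one or the other, not both.
dnscmd /RecordAdd $zone autodiscover CNAME $target
# dnscmd /RecordAdd $zone _autodiscover._tcp SRV 0 0 443 $target

function Test-Autodiscover {
    # $true when no Test-OutlookWebServices result of type Error mentions Autodiscover;
    # the failing messages (such as the 500 from the post) are printed as warnings.
    $results = @(Test-OutlookWebServices -Identity Administrator)
    $failed  = @($results | Where-Object { $_.Type -eq 'Error' -and $_.Message -match 'Autodiscover' })
    foreach ($r in $failed) { Write-Warning $r.Message }
    return ($failed.Count -eq 0)
}

if (-not (Test-Autodiscover)) {
    # Same fix as in the post: drop the broken virtual directory and create a fresh one.
    $vdir = Get-AutodiscoverVirtualDirectory -Server $server
    Remove-AutodiscoverVirtualDirectory -Identity $vdir.Identity -Confirm:$false
    New-AutodiscoverVirtualDirectory -WebSiteName 'Default Web Site'
    iisreset /noforce | Out-Null   # not in the post: makes IIS serve the new directory right away
    if (-not (Test-Autodiscover)) {
        throw 'Autodiscover still fails after recreating the virtual directory'
    }
}
```

Run it from the Exchange Management Shell on the server; the dnscmd line only succeeds on a machine that hosts the zone (or with a server name as the first argument).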

Step 5 Configuring the Exchange 2007 Hub Transport role to receive Internet mail (this applies only when installing all Exchange services on one server, so no Edge server)

http://msexchangeteam.com/archive/2006/11/17/431555.aspx

  • Server Configuration > Hub Transport > Default Receive connector: allow anonymous connections on the receive connector
  • Organization Configuration > Hub Transport > Accepted domains: accept your domains on the server
  • Organization Configuration > Hub Transport > Create a new Send Connector (to the Internet, all domains) (http://www.petri.co.il/configuring-exchange-2007-send-external-email.htm)
  • Enable anti-spam (using PowerShell):

    cd "C:\Program Files\Microsoft\Exchange Server\V14\Scripts\"
    ./install-AntispamAgents.ps1
    restart-service msexchangetransport

  • Disable the Microsoft Exchange EdgeSync service
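The whole of Step 5 from the Exchange Management Shell, as an added example (not the post's own commands, apart from the anti-spam lines it already gives) for a single-server installation without Edge. Assumed values: server gretechmail, accepted domain gretech.be, and the default receive connector carrying its default name "Default GRETECHMAIL".

```powershell
# Added example: Hub Transport configured to send and receive Internet mail on one server.
$server = 'gretechmail'
$domain = 'gretech.be'

# 1. Anonymous is required to accept mail from other mail servers on the default (port 25)
#    connector; the other groups keep internal and authenticated mail working. Leave the
#    client connector (port 587) alone.
Set-ReceiveConnector -Identity "$server\Default GRETECHMAIL" `
    -PermissionGroups 'AnonymousUsers,ExchangeUsers,ExchangeServers,ExchangeLegacyServers'

# 2. Accept mail for the domain as an authoritative domain.
if (-not (Get-AcceptedDomain | Where-Object { $_.DomainName -eq $domain })) {
    New-AcceptedDomain -Name $domain -DomainName $domain -DomainType Authoritative
}

# 3. Send connector for all address spaces, routed by MX lookup.
if (-not (Get-SendConnector | Where-Object { $_.Name -eq 'Internet' })) {
    New-SendConnector -Name 'Internet' -Usage Internet -AddressSpaces 'SMTP:*;1' `
        -DNSRoutingEnabled $true -SourceTransportServers $server
}

# 4. Anti-spam agents on the Hub Transport role (the two commands from the post).
Set-Location 'C:\Program Files\Microsoft\Exchange Server\V14\Scripts'
.\install-AntispamAgents.ps1
Restart-Service MSExchangeTransport

# 5. EdgeSync has nothing to synchronise without an Edge server.
Set-Service -Name MSExchangeEdgeSync -StartupType Disabled
Stop-Service -Name MSExchangeEdgeSync -ErrorAction SilentlyContinue

# Verification: permission groups, accepted domains, connectors and the loaded agents.
Get-ReceiveConnector -Server $server | Format-Table Name, Bindings, PermissionGroups -AutoSize
Get-AcceptedDomain | Format-Table Name, DomainType, Default -AutoSize
Get-SendConnector | Format-Table Name, AddressSpaces, Enabled -AutoSize
Get-TransportAgent | Format-Table Identity, Enabled -AutoSize
```

The connector name in step 1 is the one Exchange generates at setup (Default followed by the server name); check it with Get-ReceiveConnector first if the server was renamed.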

Step 6 Configure outlook and remember my password

  1. Install the CA certificate in IE with admin rights
    (XP: use the Rootinstall.asp page created in step 2;
    Vista/7: download, open and install the CA-cert.cer file created in step 2 into the "Trusted Root Certification Authorities" folder)
  2. Control Panel > View profiles > Add > Enter a profile name.
  3. Normally, if Autodiscover works, you can just enter your name and email address as they are in AD.

But, for testing purposes, the manual procedure is described below.

  1. Control Panel > View profiles > Add > Enter a profile name.
  2. Manually configure server settings > Select Microsoft Exchange and click Next
  3. Server: e.g. gretechmail.adn.gretech.be (in our case); Username: e.g. Gregory Beankens; click More Settings (ignore errors)
  4. On the Security tab
    1. Encryption > check Encrypt data between Microsoft Outlook and Microsoft Exchange
    2. Logon network security > Negotiate Authentication
  5. On the Connection tab
    1. Check Connect to Microsoft Exchange using HTTP
    2. Click Exchange Proxy Settings (check the screenshot below)
  6. Click OK in all the windows and then Next to finish the wizard

How to remember my password:

  1. Control Panel > User Accounts; if necessary click on your account name
  2. On the left, Manage your credentials (Manage your network passwords in Vista) > Add
  3. Domain: the AD domain name (e.g. adn.gretech.be); Username: your username (e.g. Gregory Beankens) (ADdomainName\Username in Windows XP and Vista)
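The client-side parts of Step 6 that have a command-line equivalent on Vista / Windows 7, as an added example that is not from the original post, run from an elevated PowerShell on the client PC: trusting the domain CA, checking that the Outlook Anywhere endpoint is reachable with a certificate chain the machine now trusts, and storing the domain credential. Assumed values: CA certificate copied to C:\CA-cert.cer, AD domain adn.gretech.be, server gretechmail.adn.gretech.be and the user name from the post. The Outlook profile itself is still created through the Mail control panel as described above.

```powershell
# Added example: trust the CA, test the RPC-over-HTTPS endpoint, remember the credential.
$caCert = 'C:\CA-cert.cer'
$domain = 'adn.gretech.be'
$server = 'gretechmail.adn.gretech.be'
$user   = 'Gregory Beankens'

# 1. Put the CA certificate in the machine Trusted Root store, the same place as the
#    "Trusted Root Certification Authorities" folder in the GUI.
certutil -addstore -f Root $caCert

# Confirm it is really there: without this root, Outlook shows the "not chosen to trust"
# warning from the error list again.
$root  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caCert
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
$store.Open('ReadOnly')
$trusted = $store.Certificates | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
$store.Close()
if (-not $trusted) { throw "CA certificate $($root.Subject) is not in the Trusted Root store" }
"Trusted root installed: $($root.Subject) (valid until $($root.NotAfter))"

# 2. Reach the RPC proxy over HTTPS. A 401 means the proxy answered and the certificate
#    chain validated; a trust failure surfaces as a different WebException, which is rethrown.
try {
    [System.Net.HttpWebRequest]::Create("https://$server/rpc/rpcproxy.dll").GetResponse().Close()
    'RPC proxy reachable'
} catch [System.Net.WebException] {
    if ($_.Exception.Response -and [int]$_.Exception.Response.StatusCode -eq 401) {
        'RPC proxy reachable (authentication required, certificate trusted)'
    } else { throw }
}

# 3. Remember the password: store the domain credential in Credential Manager. With /pass
#    given without a value, cmdkey prompts for the password, so it never ends up in the
#    shell history.
cmdkey /add:$domain /user:"$domain\$user" /pass
cmdkey /list:$domain
```

Step 2 is the check worth keeping: run it again whenever the server certificate is renewed, because a chain that no longer validates shows up here before Outlook starts prompting.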

Handy installation guide for 2007; the 2010 installation looks very similar.

http://www.commodore.ca/windows/exchange/how_to_setup_exchange_2007_in_2hours.htm

Other solutions for the endless loop asking for logon credentials (login and password) when opening Outlook:

http://dominicfallows.co.uk/2008/11/03/outlook-2007-keeps-asking-for-a-password-when-connecting-to-exchange-2007-rpc-over-http-outlook-anywhere/

24 Apr 2010

Installing Exchange Certificate using AD Certificate Services (GUI) on Exchange 2010

Installing all the necessary Roles & Features

  1. Role: Active Directory Certificate Services
    (Certification Authority & Certification Authority Web Enrollment)
    (if asked for an expiry date, set it to 2060 or so)

Summary:
First we create a certificate server for the domain; after that we export a certificate request from Exchange, submit it to the newly created Certificate Authority using the web interface, save the .cer file and import that one into Exchange again. After all that, do not forget to import the Certificate Authority certificate on the client PCs to avoid security warnings.

Step 1: Creating exchange certificate and exporting the request:

Follow this tutorial:
http://blogs.microsoft.co.il/blogs/eldadc/archive/2009/07/15/how-to-configure-exchange-2010-certificate.aspx
- On the Organization and Location page, save the .req file as e.g. C:\Exch_req.req.
When asked to send the request to a certificate authority, go to step 2. After step 2, continue the above tutorial.

Step 2: Submit Certificate request to your Certificate server

  1. In IE on your Certificate Server, surf to https://127.0.0.1/certsrv (first make sure 127.0.0.1 is a trusted website)
  2. Click Request a certificate
  3. Advanced certificate request
  4. Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
  5. Open C:\Exch_req.req with Notepad and copy the request body (the Base64 string between the BEGIN and END lines)
  6. Paste this text in the Saved Request: field
  7. Change the Certificate Template to Web Server
  8. Click Submit
  9. Download the Base64 version, .cer and .p7b version, save them to C:\exch-sert.cer and C:\exch-sert.p7b
  10. Continue the tutorial from step 1.
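Steps 1 and 2 of this post done from the Exchange Management Shell on the server that is also the CA, as an added example that is not from the original post or the linked tutorial, using certreq instead of the web enrollment pages; it also exports the CA certificate for Step 3. Assumed values: server gretechmail, FQDN gretechmail.adn.gretech.be, a CA named gretech-CA, organisation and country in the subject, the autodiscover name from the other post, and the file paths used in this post.

```powershell
# Added example: request, issue, import and enable the Exchange certificate from the shell.
$server   = 'gretechmail'
$fqdn     = 'gretechmail.adn.gretech.be'
$caConfig = "$fqdn\gretech-CA"      # <CA host>\<CA name>; 'certutil -dump' shows the real value
$reqPath  = 'C:\Exch_req.req'
$cerPath  = 'C:\exch-sert.cer'

# Step 1: generate the request with every name clients will connect to. A certificate for
# the FQDN alone still warns when Outlook or Autodiscover use another name.
$names = $fqdn, $server, 'autodiscover.gretech.be'
$req = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true `
    -SubjectName "CN=$fqdn, O=Gretech, C=BE" -DomainName $names -Server $server
Set-Content -Path $reqPath -Value $req          # Base64 PKCS#10, same as the GUI export

# Step 2: submit to the enterprise CA with the Web Server template; certreq writes the
# issued certificate to $cerPath. If the CA holds it as pending, the file is not created.
certreq -submit -attrib 'CertificateTemplate:WebServer' -config $caConfig $reqPath $cerPath
if (-not (Test-Path $cerPath)) { throw 'The CA did not return a certificate (pending approval?)' }

# Back in the Step 1 tutorial: complete the pending request and bind it to IIS and SMTP.
$bytes = [System.IO.File]::ReadAllBytes($cerPath)
$cert  = Import-ExchangeCertificate -FileData $bytes -Server $server
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP' -Server $server -Force

# Step 3 of this post: export the CA certificate for the clients.
certutil -ca.cert 'C:\CA-cert.cer'

# Verification: the new certificate is bound to the services and its chain validates here.
Get-ExchangeCertificate -Server $server |
    Format-Table Thumbprint, Services, Subject, CertificateDomains, NotAfter -AutoSize
certutil -verify $cerPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Issued certificate does not validate against the CA chain' }
```

Only the CA certificate (C:\CA-cert.cer) is handed to clients; the request file and the issued .cer contain no private key, but the key itself stays in the server's certificate store and is only marked exportable here so the certificate can be moved to a second server later.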

Step 3: Get your CA certificate and create installation web page for clients (so clients accept all certificates from this CA)

  1. Again goto https://127.0.0.1/certsrv/
  2. Click Download a CA certificate, certificate chain, or CRL, and click Yes in the Web Access Confirmation dialog
  3. Select Base 64
  4. Click Download CA certificate and save it to C:\CA-cert.cer
  5. Create and edit C:\Inetpub\Wwwroot\Rootinstall.asp
  6. Open http://support.microsoft.com/?scid=kb%3Ben-us%3B297681&x=6&y=7, go to step 3 and copy that text into the file.
  7. Replace
    Set MyFile = fs.OpenTextFile("c:\certificates\base64.cer", 1)
    by
    Set MyFile = fs.OpenTextFile("C:\CA-cert.cer", 1)
  8. Browse to the Rootinstall.asp file from a client browser. If your root certificate is not already in the store, you are prompted to install it.

Vista / Windows 7: the Rootinstall.asp page doesn't seem to work in Vista and 7; clients have to install the certificate manually.
To allow clients to download the .cer file created above, open Server Manager and then IIS 7:

First add the MIME type (IIS > MIME Types, add extension: .cer, type: application/pkix-cert).

Second, rename the .cer mapping to .cer1 to allow the file to be downloaded by the clients.

Links
http://it.thelibrarie.com/weblog/?p=55
