Escolar Documentos
Profissional Documentos
Cultura Documentos
You will use this account to log on to the exchange servers and run the entire Exchange
deployment.
• Enterprise Admins
• Organization Management
• Schema Admins
First, install .NET Framework 4.6.2 on the computer that will be used to prepare Active Directory.
There are a couple of ways you can prepare Active Directory for Exchange. The first is to let the
Exchange 2016 Setup wizard do it for you. If you don't have a large Active Directory deployment,
and you don't have a separate team that manages Active Directory, we recommend using the
wizard. The account you use will need to be a member of both the Schema Admins and
Enterprise Admins security groups. For more information about how to use the Setup wizard,
check out Install the Exchange 2016 Mailbox role using the Setup wizard.
If you have a large Active Directory deployment, or if a separate team manages Active Directory,
this topic is for you. Following the steps in this topic gives you much more control over each
stage of preparation, and who can do each step. For example, Exchange administrators might
not have the permissions needed to extend the Active Directory schema.
Curious about what's happening when Active Directory is being prepared for Exchange? Check
out What changes in Active Directory when Exchange 2016 is installed?
Tip:
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange
Server, Exchange Online, or Exchange Online Protection.
Before you extend your schema, there are a few things to keep in mind:
• The account you're logged in as needs to be a member of the Schema Admins and
Enterprise Admins security groups.
• The computer where you'll run the command to extend the schema needs to be in the
same Active Directory domain and site as the schema master.
• If you use the DomainController parameter, make sure to use the name of the domain
controller that's the schema master.
• The only way to extend the schema for Exchange is to use the steps in this topic or use
Exchange 2016 Setup. Other ways of extending the schema aren't supported.
Tip:
If you don't have a separate team that manages your Active Directory schema, you can skip
this step and go directly to Step 2. Prepare Active Directory. If the schema isn't extended in
When you're ready, do the following to extend your Active Directory schema. If you have
multiple Active Directory forests, make sure you're logged into the right one.
1. Make sure the computer is ready to run Exchange 2016 Setup. To see what you need to
run Setup, check out the Active Directory preparation section in Exchange 2016 prerequisites.
2. Open a Windows Command Prompt window and go to where you downloaded the
Exchange installation files.
3. Run the following command to extend the schema.
4. <drive>:\Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
After Setup finishes extending the schema, you'll need to wait while Active Directory replicates
the changes to all of your domain controllers. If you want to check on how replication is going,
you can use the repadmin tool. Repadmin is included as part of the Active Directory Domain
Services Tools feature in Windows Server 2012 R2 and Windows Server 2012. For more
information about how to use it, see Repadmin.
Before you prepare Active Directory for Exchange, there are a few things to keep in mind:
• The account you're logged in as needs to be a member of the Enterprise Admins security
group. If you skipped step 1 because you want the PrepareAD command to extend the
schema, the account you use also needs to be a member of the Schema Admins security
group.
• The computer where you'll run the command needs to be in the same Active Directory
domain and site as the schema master. It'll also need to contact all of the domains in the
forest on TCP port 389.
• Wait until Active Directory has replicated the changes made in step 1 to all of your
domain controllers before you do this step.
When you run the command below to prepare Active Directory for Exchange, you'll need to
name the Exchange organization. This name is used internally by Exchange and isn't normally
seen by users. The name of the company where Exchange is being installed is often used for the
organization name. The name you use won't affect the functionality of Exchange or determine
what you can use for email addresses. You can name it anything you want, as long as you keep
the following in mind:
When you're ready, do the following to prepare Active Directory for Exchange. If the
organization name you want to use has spaces, enclose the name in quotation marks (").
1. Open a Windows Command Prompt window and go to where you downloaded the
Exchange installation files.
2. Run the following command:
After Setup finishes preparing Active Directory for Exchange, you'll need to wait while Active
Directory replicates the changes to all of your domain controllers. If you want to check on how
replication is going, you can use the repadmin tool. repadmin is included as part of the Active
Directory Domain Services Tools feature in Windows Server 2012 R2 and Windows Server 2012.
For more information about how to use the tool, see Repadmin.
Notes
If you have multiple domains in your Active Directory forest, you have a couple of choices in
how you prepare them. Select the option that matches what you want to do. If you only have
one domain, you can skip this step because the PrepareAD command in step 2 already prepared
the domain for you.
Before you prepare all of the domains in your Active Directory forest, keep the following in
mind:
• The account you use needs to be a member of the Enterprise Admins security group.
• Wait until Active Directory has replicated the changes made in step 2 to all of your
domain controllers. If you don't, you might get an error when you try to prepare the
domain.
When you're ready, do the following to prepare all of the domains in your Active Directory
forest for Exchange.
1. Open a Windows Command Prompt window and go to where you downloaded the
Exchange installation files.
2. Run the following command:
3. Setup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms
If you want to choose which Active Directory domains you want to prepare, you can use
the PrepareDomain parameter when you run Setup. When you use the PrepareDomain parameter,
you need to include the fully qualified domain name (FQDN) of the domain you want to
prepare.
Before you prepare the domains in your Active Directory forest, keep the following in mind:
• The account you use needs permissions depending on when the domain was created.
When you're ready, do the following to prepare an individual domain in your Active Directory
forest for Exchange.
1. Open a Windows Command Prompt window and go to where you downloaded the
Exchange installation files.
2. Run the following command. Include the FQDN of the domain you want to prepare. If
you want to prepare the domain you're running the command in, you don't have to
include the FQDN.
3. Setup.exe /PrepareDomain:<FQDN of the domain you want to prepare>
/IAcceptExchangeServerLicenseTerms
4. Repeat the steps for each Active Directory domain where you'll install an Exchange server
or where mail-enabled users will be located.
Never change values in ADSI Edit unless you're told to do so by Microsoft support. Changing
values in ADSI Edit can cause irreparable harm to your Exchange organization and Active
Directory.
After Exchange extends your Active Directory schema and prepares Active Directory for
Exchange, several properties are updated to show that preparation is complete. Use the
information in the following list to make sure these properties have the right values. Each
property needs to match the value in the table below for the release of Exchange 2016 that
you're installing.
• In the Schema naming context, verify that the rangeUpper property on ms-Exch-Schema-
Version-Pt is set to the value shown for your version of Exchange 2016 in the Exchange
2016 Active Directory versions table.
• In the Configuration naming context, verify that the objectVersion property in the
CN=<your organization>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<domain> container is set to the value
shown for your version of Exchange 2016 in the Exchange 2016 Active Directory
versions table.
• In the Default naming context, verify that the objectVersion property in the Microsoft
Exchange System Objects container under DC=<root domain is set to the value shown for
your version of Exchange 2016 in the Exchange 2016 Active Directory versions table.
You can also check the Exchange setup log to verify that Active Directory preparation has
completed successfully. For more information, see Verify an Exchange 2016 installation. You won't
be able to use the Get-ExchangeServer cmdlet mentioned in the Verify an Exchange 2016
installation topic until you've completed the installation of at least one Mailbox server role in an
Active Directory site.
The following table shows you the Exchange 2016 objects in Active Directory that get updated
each time you install a new version of Exchange 2016. You can compare the object versions you
Exchange
rangeUpper objectVersion objectVersion
version
Follow the instructions in this section to install the prerequisites on computers running Windows
Server 2012 or Windows Server 2012 R2 where you want to install the Mailbox server role.
After you've installed the operating system roles and features, install the following software in
the order shown:
Follow the instructions in this section to install the prerequisites on computers running Windows
Server 2012 or Windows Server 2012 R2 where you want to install the Edge Transport server
role.
After you've installed the operating system roles and features, install .NET Framework 4.6.2
Notes
To view the new AD properties created by Exchange use ADSIEdit.msc. Connect to the
Configuration and the Exchange properties are under Services.
Run Exchange installation wizard. The installation will also prepare the AD for exchange if
needed.
We don’t use Auto Reseed. Storage for databases has to be calculated and 50GB per mailbox.
After the installation, you can check if the server is running by starting the Exchange
Management Shell and typing Get-ExchangeServer.
Figure 8: Get-ExchangeServer
Add an A record in the DNS server to point to the Exchange server under qualtechmail.com.
Notes
Get-ECPVirtualDirectory|fl
Get-OWAVirtualDirectory|fl
When you install a Mailbox server it by default creates the mailbox database in the C drive
C:\Program Files\Microsoft\Exchange Server\V15\Mailbox\Mailbox Database
1716673664\Mailbox Database 1716673664.edb
We are not going to use the C drive for the mailboxes. We’ll add a disk or disks as necessary and
will create the databases under:
<new drive1>:\ExchangeDatabases\DB01
<new drive2>:\ExchangeDatabases\DB03
The first task is to create a new database and move the mailbox of the exchange admin to the
new database.
Don’t forget confirm that the new databases have been mounted or you won’t be able to move
the default database or do anything with it.
Figure 10: After creating a new database the Microsoft Exchange Information service must be re-started
The next setup after a new deployment of the Exchange server is to move the default mailboxes
to one of the new databases we have just added.
In recipients>mailboxes on the right hand tab under Move Mailbox select To another database.
Fill up the migration form and create the batch migration job.
Once the move is complete we dismount the default database so it can’t be used.
View the status or start the migration job by selecting the migration form.
We need to update the external path before we can access Exchange applications from the
outside.
Double click the service you want to update the path to and in the External URL text box type
the external path.
If you change the path to the ECP service (central admin) will get a message to also change the
OWA.
Configure certificates
Add certificate
Select servers>certificates. Add the certificate and assign it to the services.
Because we use wildcard certificates we can only set the SMTP and IIS services. To set our
certificate to the other services we’ll have to use powershell commands.
You can see what services are associated with the Get-ExchangeCertificate command:
The installation doesn’t create a send connector for the outbound email. We have to create the
connector for that and we route the outbound email through our external email server
mail.qualtechsoftware.com.
Select mail flow and click the plus sign in the send connectors to create a new connector.
Type a name for the connector. Check Custom (For example, to send mail to other non-
Exchange servers)
Click Next. In the form 2 check Route mail through smart hosts. Click the plus sign to add the
fully qualified smart host. Click Save and then Next.
Next we need to set the authentication to connect to the smart host. We don’t have
authentication in the internal server it only accepts connections from specific servers. That is
setup in the internal SMTP server.
In the form 3 we will inform the domains Exchange hosts which will use this connector to route
outbound email.
Notes
This is VERY IMPORTANT. Because we relay our outbound email through our external smtp
servers when you define the accepted domain make sure you set the Domain Type as External
Relay otherwise Exchange will try to find the recipient in that server and because it won’t find
it there it will return a '550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient not found by
SMTP address lookup'
Configure POP3
Step 1: Start the POP3 services, and configure the services to start
automatically
You can perform this step by using the Windows Services console, or the Exchange
Management Shell.
Use the Windows Services console to start the POP3 services, and configure the
services to start automatically
Use the Exchange Management Shell to start the POP3 services, and configure the
services to start automatically
For more information about these cmdlets, see Start-Service and Set-Service.
To verify that you've successfully started the POP3 services, use either of the following
procedures:
• On the Exchange server, open Windows Task Manager. On the Services tab, verify that
the Status value for the MSExchangePOP3 and MSExchangePOP3BE services is Running.
• In the Exchange Management Shell, run the following command to verify that the POP3
services are running:
• Get-Service MSExchangePOP3; Get-Service MSExchangePOP3BE
To configure the POP3 settings for external clients, use the following syntax:
This example configures the following settings for external POP3 connections:
Set-PopSettings -ExternalConnectionSettings
"mail.contoso.com:995:SSL","mail.contoso.com:110:TLS" -X509CertificateName mail.contoso.com
To verify that you've successfully configured the POP3 settings for external clients, run the
following command in the Exchange Management Shell and verify the settings:
After you enable and configure POP3, you need to restart the POP3 services on the server by
using the Windows Services console, or the Exchange Management Shell.
To verify that you've successfully restarted the POP3 services, run the following command:
1. Open a mailbox in Outlook on the web, and then click Settings > Options.
2. Click Mail > Accounts > POP and IMAP and verify the correct POP3 settings are displayed.
1. You can test POP3 client connectivity to the Exchange server by using the following
methods:
• Internal clients Use the Test-PopConnectivity cmdlet. For example, Test-
PopConnectivity -ClientAccessServer<ServerName> -Lightmode -
MailboxCredential (Get-Credential). For more information, see Test-
PopConnectivity.
• Note: The Lightmode switch tells the command test POP3 logons to the server. To test
sending (SMTP) and receiving a (POP3) message, you need to configure the
authenticated SMTP settings as described in Configure authenticated SMTP settings in
Exchange 2016 for POP3 and IMAP4 clients.
• External clients Use the Exchange Server > POP Email test in the Microsoft Remote
Connectivity Analyzer at http://go.microsoft.com/fwlink/p/?LinkID=313839.
Next steps
To enabled or disable POP3 access to individual mailboxes, see Enable or disable POP3 or IMAP4
access to mailboxes.
Configure IMAP
By default, IMAP4 client connectivity isn't enabled in Exchange. To enable IMAP4 client
connectivity, you need to perform the following steps:
1. Start the IMAP4 services, and configure the services to start automatically:
• Microsoft Exchange IMAP4 This is the Client Access (frontend) service that IMAP4 clients
connect to.
• Microsoft Exchange IMAP4 Backend IMAP4 client connections from the Client Access
service are proxied to the backend service on the server that hold the active copy of the
user's mailbox. For more information, see Client access protocol architecture.
2. Configure the IMAP4 settings for external clients.
By default, Exchange uses the following settings for internal IMAP4 connections:
• IMAP4 server FQDN <ServerFQDN>. For example, mailbox01.contoso.com.
• TCP port and encryption method 993 for always TLS encrypted connections, and 143 for
unencrypted connections, or for opportunistic TLS (STARTTLS) that results in an
encrypted connection after the initial plain text protocol handshake.
To allow external IMAP4 clients to connect to mailboxes, you need to configure the IMAP4
server FQDN, TCP port, and encryption method for external connections. This step causes the
external IMAP4 settings to be displayed in Outlook on the web (formerly known as Outlook Web
App) at Settings > Options > Mail > Accounts > POP and IMAP.
For more information about IMAP4, see POP3 and IMAP4 in Exchange 2016.
Tip:
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange
Server, Exchange Online, or Exchange Online Protection..
You can perform this step by using the Windows Services console, or the Exchange
Management Shell.
Use the Windows Services console to start the IMAP4 services, and configure the services to
start automatically
1. On the Exchange server, open the Windows Services console. For example:
o Run the command services.msc from the Run dialog, a Command Prompt window, or
the Exchange Management Shell.
o Open Server Manager, and then click Tools > Services.
2. In the list of services, select Microsoft Exchange IMAP4, and then click Action > Properties.
3. The Microsoft Exchange IMAP4 Properties window opens. On the General tab, configure the
following settings:
o Startup type Select Automatic.
o Service status Click Start.
When you are finished, click OK.
4. In the list of services, select Microsoft Exchange IMAP4 Backend, and then
click Action > Properties.
Use the Exchange Management Shell to start the IMAP4 services, and configure
the services to start automatically
To verify that you've successfully started the IMAP4 services, use either of the following procedures:
• On the Exchange server, open Windows Task Manager. On the Services tab, verify that
the Status value for the MSExchangeIMAP4 and MSExchangeIMAP4BE services is Running.
• In the Exchange Management Shell, run the following command to verify that the IMAP4 services
are running:
• Get-Service MSExchangeIMAP4; Get-Service MSExchangeIMAP4BE
To configure the IMAP4 settings for external clients, use the following syntax:
This example allows configures the following settings for external IMAP4 connections:
Notes:
• For detailed syntax and parameter information, see Set-ImapSettings.
• The external IMAP4 server FQDN that you configure needs to have a corresponding
record in your public DNS, and the TCP port (143 or 993) needs to be allowed through
your firewall to the Exchange server.
• The combination of encryption methods and TCP ports that you use for
the ExternalConnectionSettings parameter need to match the corresponding TCP ports and
encryption methods that you use for
the SSLBindings or UnencryptedOrTLSBindings parameters.
• Although you can use a separate certificate for IMAP4, we recommend that you use the
same certificate as the other Exchange IIS (HTTP) services, which is likely a wildcard
certificate or a subject alternative name (SAN) certificate from a commercial certification
authority that's automatically trusted by all clients. For more information, see Certificate
requirements for Exchange services.
• If you use a single subject certificate, or a SAN certificate, you also need to assign the
certificate to the Exchange IMAP service. You don't need to assign a wildcard certificate
to the Exchange IMAP service. For more information, see Assign certificates to Exchange
2016 services.
To verify that you've successfully configured the IMAP4 settings for external clients, run the
following command in the Exchange Management Shell and verify the settings:
After you enable and configure IMAP4, you need to restart the IMAP4 services on the server by
using the Windows Services console, or the Exchange Management Shell.
To verify that you've successfully restarted the IMAP4 services, run the following command:
Because IMAP4 isn't used to send email messages, you need to configure the authenticated
SMTP settings that are used by internal and external IMAP4 clients. For more information,
see Configure authenticated SMTP settings in Exchange 2016 for POP3 and IMAP4 clients.
1. Open a mailbox in Outlook on the web, and then click Settings > Options.
Note: If you configured 993/SSL and 143/TLS values for the ExternalConnectionSettings parameter
on the Set-ImapSettings cmdlet, only the 993/SSL value is displayed in Outlook on the web. Also,
if the external IMAP4 settings that you configured don't appear as expected in Outlook on the
web after you restart the IMAP4 services, run the command iisreset.exe /noforce to restart
Internet Information Services (IIS).
Note: You can't use IMAP4 to connect to the Administrator mailbox. This limitation was
intentionally included in Exchange 2016 to enhance the security of the Administrator mailbox.
After you enable and configure POP3 or IMAP4 on an Exchange 2016 server as described
in Enable and configure POP3 on an Exchange 2016 server and Enable and configure IMAP4 on an
Exchange 2016 server, you need to configure the authenticated SMTP settings for POP3 and
IMAP4 clients so they can send email messages.
The default Receive connector named "Client Frontend <Server name>" in the Client Access
services on the Mailbox server listens for authenticated SMTP client submissions on port 587. By
default, this connector uses the following settings for internal and external client (authenticated)
SMTP connections:
To configure the authenticated SMTP settings that are used by POP3 and IMAP4 clients, perform
the following steps:
1. Configure the FQDN on the "Client Frontend <Server name>" Receive connector.
2. Specify the certificate that's used to encrypt authenticated SMTP client connections.
3. Configure Outlook on the web (formerly known as Outlook Web App) to display the
SMTP settings for authenticated SMTP clients
at Settings > Options > Mail > Accounts > POP and IMAP.
For more information about POP3 and IMAP4, see POP3 and IMAP4 in Exchange 2016.
Tip:
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange
Server, Exchange Online, or Exchange Online Protection..
You can skip this step if you want to keep the default server FQDN value (for example,
mailbox01.contoso.com). Or, you can specify an FQDN value that's more compatible with your
Internet naming convention or a TLS certificate that you want to use.
Regardless of the FQDN value, if you want external POP3 or IMAP4 clients to use this connector
to send email, the FQDN needs to have a corresponding record in your public DNS, and the TCP
port (587) needs to be allowed through your firewall to the Exchange server.
Use the EAC to configure the FQDN for authenticated SMTP clients
To configure the FQDN for authenticated SMTP clients, use the following syntax:
To verify that you've successfully the FQDN on the "Client Frontend <Server name>" Receive
connector, use either of the following procedures:
• the EAC, go to Mail flow > Receive connectors > select Client Frontend <Server name>,
click Edit ( ) > Scoping, and verify the value in the FQDN field.
• In the Exchange Management Shell, run the following command:
• Get-ReceiveConnector -Identity "Client Frontend*" | Format-List Name,Fqdn
The certificate needs to match or contain the FQDN value that you specified in the previous
step, and the POP3 and SMTP clients need to trust the certificate, which likely means a certificate
from a commercial certification authority. For more information, see Certificate requirements for
Exchange services.
Also, you need to assign the certificate to the Exchange SMTP service. For more information,
see Assign certificates to Exchange 2016 services.
To specify the certificate that's used for authenticated SMTP client connections, use the
following syntax:
$TLSCertName = "<I>$($TLSCert.Issuer)<S>$($TLSCert.Subject)"
To verify that you've specified the certificate that's used to encrypt authenticated SMTP client
connections, perform the following steps:
To configure Outlook on the web to display the SMTP settings server for authenticated SMTP
clients, run the following command:
Note: To prevent the SMTP settings from being displayed in Outlook on the web, change the
value from $true to $false.
To verify that you've configured Outlook on the web to display the SMTP settings for
authenticated SMTP clients, perform the following steps:
1. Open a mailbox in Outlook on the web, and then click Settings > Options.
Note: If the SMTP settings that you configured don't appear as expected in Outlook on the web,
run the command iisreset.exe /noforce to restart Internet Information Services (IIS).
Port 443
Exchange admin center
https://qualtechdevex1.qualtechcloud.com/ecb
Outlook online
https://qualtechdevex1.qualtechcloud.com/owa
Port 587
This is the secure inbound SMTP receive connector configured in the Client Frontend connector.
In the properties of the Client Frontend connector the FQDN property to the external FQDN as
in qualtechdevex1.qualtechcloud.com.
Adding users
Tasks
We already structure customers in the AD the way it’s required. We have a top OU called
Customers and inside this OU we create a new OU for each customer. This is a good structure to
manage customers and it’s required for SP and Exchange.
We already use the proper AD structure. We have a top OU called Customers and inside this OU
we have 1 OU for each customer. Nothing to do here.
If the user is just a single user we will use our domain which will be mail1.qualtechmail.com.
If it is a business with multiple users and they would like to use their own domain name we’ll
have to add a new USPN to the AD:
Ex:
Ex:
Ex:
You’ll also need to create an Email Address Policy. This example also includes first.last@domain
email aliasing, or you can set the primary email address to first.last@domain by using the -
EnabledPrimarySMTPAddressTemplate “SMTP:%g.%s@domain.new” attribute and data.
Note: strictly speaking, you don’t need to create an email address policy.
The Address Book Policy is what ties everything together. Here we create a policy containing all
the different Address Lists and Books we created in Step 2. This Address Book Policy can then be
assigned to individual users.
This step is not needed, but you might need it for your setup.
Here we create a new Room Mailbox for ressources. Note how the Adress Book Policy is assigned
to the new mailbox using the -AddressBookPolicy parameter.
It is vital that we set a Custom Attribute for the mailbox, or it will not be included by the Address
Book Policy we just created.
Notes
This is here just as an example. We add the users to the customer OU in the AD so instead of
creating a new mailbox in Exchange which will create the user in the AD we create a mailbox
for an existing AD user.
In creating the new User with a mailbox, we specify location in AD and assign the Address Book
Policy we created.
The password is entered using the popup that shows using the first line $c = Get-Credential
For the ‘username’ field you can type anything you want as it is the password attribute we want for
the mailbox being created.
$c = Get-Credential
As with a room mailbox we need to also set a custom attribute to the tenant. This step cannot
be performed in the same step as when you create the mailbox.
Browse for an existing user and select the user you want to create the mailbox for and save.
Double click the newly created mailbox or select it and click the edit button from the toolbar to
edit the mailbox.
In the Edit User Mailbox form select mailbox features and from the Address book policy
dropdown select the address book policy we created above (QualTechCyberSec) and save.
Select the email address and change the domain in the email address to match the customers
domain (tony.amaral@qualtechcybersec.com).
• The Exchange Trusted Subsystem group in Active Directory must be added to the local
Administrators group on the server that will be the file share witness.
• The File Server feature (FS-FileServer) must be installed on the file share witness
Note:
If you specify a witness server, you must use either a host name or a fully
qualified domain name (FQDN). Using an IP address or a wildcard name isn't
supported. In addition, the witness server can't be a member of the DAG.
• Witness directory Use this field to type the path to a directory on the witness server that
will be used to store witness data. If the directory doesn't exist, the system will create it
for you on the witness server. If you leave this field blank, the default directory
(%SystemDrive%\DAGFileShareWitnesses\<DAG FQDN>) will be created on the witness
server.
• Database availability group IP addresses Use this field to assign one or more static IPv4
addresses to the DAG. Enter an IPv4 address and click to add it. Leave this field blank if
you want the DAG to use Dynamic Host Configuration Protocol (DHCP) to obtain the
necessary IPv4 addresses. Optionally, enter 255.255.255.255 to create a DAG without an
The following example creates a DAG named DAG1, which is configured to use the witness
server FILESRV1 and the local directory C:\DAG1. DAG1 is also configured to use DHCP for the
DAG's IP addresses.
The next example creates a DAG named DAG2. For the DAG's witness server, the system
automatically selects an Exchange 2016 server with Client Access services that is in the local
Active Directory site. DAG2 is assigned a single static IP address because in this example all DAG
members have the MAPI network on the same subnet.
This example creates the DAG DAG4 that's configured to use DHCP. In addition, the witness
server will be automatically selected by the system, and the default witness directory will be
created.
This example creates the DAG DAG5 that will not have an administrative access point (valid for
Windows Server 2012 R2 DAGs only). In addition, MBX4 will be used as the witness server for the
DAG, and the default witness directory will be created.
Notes
Open the Active Directory Users and Computers, select View>Advanced features.
1. In the Computers OU locate the DAG by the name you named it during creation.
If you come across the error “A computer account name <dag name> already exists and is
enable” do the following:
Windows Failover Clustering must be installed on servers being added to the DAG.
Access was denied. Check that the current user (NT AUTHORITY\SYSTEM) has permissions to
create computer accounts in the domain or to claim the computer account.
• In the EAC, navigate to Servers > Database Availability Groups. The newly created DAG is
displayed.
• In the Exchange Management Shell, run the following command to verify the DAG was
created and to display DAG property information.
• Get-DatabaseAvailabilityGroup <DAGName> | Format-List
When you add a server to a DAG, the server works with the other DAG members to provide
automatic database-level recovery from database, server, or network failures. When you remove
a server from a DAG, the server is no longer automatically protected from failures.
Tip:
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange
Server, Exchange Online, or Exchange Online Protection..
This example adds the Mailbox server MBX1 to the DAG DAG1.
This example removes the Mailbox server MBX1 from the DAG DAG1. Before running this
command, make sure that no replicated databases exist on the Mailbox server.
This example removes the configuration settings for the Mailbox server MBX4 from the DAG
DAG2. MBX4 is expected to be offline for an extended period, so its configuration is being
removed from the DAG while it's offline to establish quorum with the remaining online DAG
members.
• In the EAC, navigate to Servers > Database Availability Groups. The current DAG
membership is displayed in the Member Servers column.
• In the Shell, run the following command to display DAG membership information.
• Get-DatabaseAvailabilityGroup <DAGName> | Format-List Servers
Note:
Each Mailbox server that's a member of a DAG is also a node in the underlying cluster used
by the DAG. As a result, at any one time, a Mailbox server can be a member of only one DAG.
If the Mailbox server being added to a DAG doesn't have the failover clustering component
installed, the method used to add the server (for example, the Add-
DatabaseAvailabilityGroupServer cmdlet or the Manage Database Availability Group wizard)
installs the failover clustering feature.
When the first Mailbox server is added to a DAG, the following occurs:
Notes
1. If you get errors adding the servers to the DAG follow the steps below.
Add the name of the DAG to the DNS server or you’ll get the error
If it continues to fail look in the log file and see the message that says to restart the computer
[2017-04-08T00:46:12] Working
[2017-04-08T00:46:12] Running PS> Import-Module -Name ServerManager
[2017-04-08T00:46:13] Running PS> Add-WindowsFeature -Name RSAT-Clustering -
IncludeAllSubFeature
[2017-04-08T00:46:14] Produced result: Success: True, ExitCode: NoChangeNeeded,
RestartNeeded: Yes
[2017-04-08T00:46:14] Warning: Please restart this computer before adding or removing roles
or features.
[2017-04-08T00:46:14] Running PS> Import-Module -Name ServerManager
[2017-04-08T00:46:14] Running PS> Add-WindowsFeature -Name Failover-Clustering -
IncludeAllSubFeature
[2017-04-08T00:46:14] Produced result: Success: True, ExitCode: NoChangeNeeded,
RestartNeeded: Yes
[2017-04-08T00:46:14] Warning: Please restart this computer before adding or removing roles
or features.
[2017-04-08T00:46:14] Updated Progress 'The task has installed the Windows Failover
Clustering component.' 4%.
[2017-04-08T00:46:14] Working
Error:
Give full control to the Exchange Trusted Subsystem in the DAG in the AD.
Disable the DAG account before re adding the server
http://mxlookup.online-domain-tools.com/
In a large or multiple site environment, especially those in which the DAG is extended to
multiple Active Directory sites, you must wait for Active Directory replication of the DAG object
containing the first DAG member to complete. If this Active Directory object isn't replicated
throughout your environment, adding the second server may cause a new cluster (and new
CNO) to be created for the DAG. This is because the DAG object appears empty from the
perspective of the second member being added, thereby causing the Add-
DatabaseAvailabilityGroupServer cmdlet to create a cluster and CNO for the DAG, even
though these objects already exist. To verify that the DAG object containing the first DAG server
has been replicated, use the Get-DatabaseAvailabilityGroup cmdlet on the second server
being added to verify that the first server you added is listed as a member of the DAG.
When the second and subsequent servers are added to the DAG, the following occurs:
• The server is joined to the Windows failover cluster for the DAG.
• The quorum model is automatically adjusted:
o A Node Majority quorum model is used for DAGs with an odd number of
members.
o A Node and File Share Majority quorum model is used for DAGs with an even
number of members.
• The witness directory and share are automatically created by Exchange when needed.
• The server is added to the DAG object in Active Directory.
• The cluster database is updated with information about mounted databases.
The quorum model change should happen automatically. However, if the quorum model
doesn't automatically change to the proper model, you can run the Set-
DatabaseAvailabilityGroup cmdlet with only the Identity parameter to correct the quorum
settings for the DAG.
The CNO is a computer account created in Active Directory and associated with the cluster's
Name resource. The cluster's Name resource is tied to the CNO, which is a Kerberos-enabled
object that acts as the cluster's identity and provides the cluster's security context. The
formation of the DAG's underlying cluster and the CNO for that cluster is performed when the
first member is added to the DAG. When the first server is added to the DAG, remote PowerShell
contacts the Microsoft Exchange Replication service on the Mailbox server being added. The
Microsoft Exchange Replication service installs the failover clustering feature (if it isn't already
installed) and begins the cluster creation process. The Microsoft Exchange Replication service
runs under the LOCAL SYSTEM security context, and it's under this context in which cluster
creation is performed.
Warning:
If your DAG members are running Windows Server 2012, you must pre-stage the CNO prior
to adding the first server to the DAG. If your DAG members are running Windows Server
2012 R2, and you create a DAG without a cluster administrative access point, then a CNO will
not be created, and you do not need to create a CNO for the DAG.
• Assign full control of the computer account to the computer account of the first Mailbox
server you're adding to the DAG.
• Assign full control of the computer account to the Exchange Trusted Subsystem USG.
Assigning full control of the computer account to the computer account of the first Mailbox
server you're adding to the DAG ensures that the LOCAL SYSTEM security context will be able to
manage the pre-staged computer account. Assigning full control of the computer account to
the Exchange Trusted Subsystem USG can be used instead because the Exchange Trusted
Subsystem USG contains the machine accounts of all Exchange servers in the domain.
For detailed steps about how to pre-stage and provision the CNO for a DAG, see Pre-stage the
cluster name object for a database availability group.
There are scenarios in which you must remove a Mailbox server from a DAG before performing
certain operations. These scenarios include:
• Witness server The name of the server that you want to host the file share for the file
share witness. We recommend that you specify a server running Client Access services as
the witness server. This enables the system to automatically configure, secure, and use
the share, as needed, and enables the messaging administrator to be aware of the
availability of the witness server.
• Witness directory The name of a directory that will be used to store file share witness
data. This directory will automatically be created by the system on the specified witness
server.
• Database availability group IP addresses One or more IP addresses must be assigned
to the DAG, unless the DAG members are running Windows Server 2012 R2 and you are
creating a DAG without an IP address. Otherwise, the DAG’s IP addresses can be
configured using manually assigned static IP addresses, or they can be automatically
assigned to the DAG using a DHCP server in your organization.
The Exchange Management Shell enables you to configure DAG properties that aren't available
in the EAC, such as DAG IP addresses, network encryption and compression settings, network
discovery, the TCP port used for replication, and alternate witness server and witness directory
settings, and to enable Datacenter Activation Coordination mode.
For detailed steps about how to configure DAG properties, see Configure database availability
group properties.
DAGs support the use of encryption by leveraging the encryption capabilities of the Windows
Server operating system. DAGs use Kerberos authentication between Exchange servers.
Microsoft Kerberos security support provider (SSP) EncryptMessage and DecryptMessage APIs
handle encryption of DAG network traffic. Microsoft Kerberos SSP supports multiple encryption
Network encryption is a property of the DAG and not a DAG network. You can configure DAG
network encryption using the Set-DatabaseAvailabilityGroup cmdlet in the Exchange
Management Shell. The possible encryption settings for DAG network communications are
shown in the following table.
Setting Description
Enabled Network encryption is used on all DAG networks for replication and
seeding.
SeedOnly Network encryption is used on all DAG networks for seeding only.
As with network encryption, network compression is also a property of the DAG and not a DAG
network. You configure DAG network compression by using the Set-
Setting Description
Enabled Network compression is used on all DAG networks for replication and
seeding.
SeedOnly Network compression is used on all DAG networks for seeding only.
Once you have a second server in the DAG to as a backup of a front end server you should
create the copy of the front end server to the second server for fail over.
Go to servers>databases, select the database to copy click the 3 doted button and fill out the
form.
Notes:
• The destination for these clients and services is the Client Access services on a Mailbox
server. In Exchange 2016, Client Access (frontend) and backend services are installed
together on the same Mailbox server. For more information, see Client access protocol
architecture.
• Although the diagram shows clients and services from the Internet, the concepts are the
same for internal clients (for example, clients in an accounts forest accessing Exchange
servers in a resource forest). Similarly, the table doesn't have a source column because
the source could be any location that's external to the Exchange organization (for
example, the Internet or an accounts forest).
• Edge Transport servers have no involvement in the network traffic that's associated with
these clients and services.
Outlook Anywhere
(RPC over HTTP)
Note:
The network ports that are required for mail flow in an Exchange organization that has only
Mailbox servers are described in the following diagram and table.
DNS for 53/UDP,53/TCP Mailbox DNS server See the Name resolution section.
name (DNS) server
resolution
of the next
mail hop
(not
pictured)
Network ports required for mail flow with Edge Transport servers
A subscribed Edge Transport server that's installed in your perimeter network affects mail flow in
the following ways:
• Outbound mail from the Exchange organization never flows through the Front End
Transport service on Mailbox servers. Mail always flows from the Transport service on a
Mailbox server in the subscribed Active Directory site to the Edge Transport server
(regardless of the version of Exchange on the Edge Transport server).
For more information, see Mail flow and the transport pipeline.
The network ports that are required for mail flow in Exchange organizations that have Edge
Transport servers are described in the following diagram and table.
Inbound mail - 25/TCP (SMTP) Internet (any) Edge The default Receive
Internet to Transport connector named
Edge Transport server "Default internal
server Receive
connector <Edge
Transport server
name>" on the Edge
Transport server listens
for anonymous SMTP
mail on port 25.
Inbound mail - 25/TCP (SMTP) Edge Transport Mailbox The default Send
Edge Transport server servers in connector named
server to the "EdgeSync - Inbound
internal subscribed to <Active Directory
Exchange Active site name>" relays
organization Directory inbound mail on port
site 25 to any Mailbox
server in the
subscribed Active
Directory site. For
more information,
see Send connectors
created automatically
by the Edge
Subscription.
Outbound mail 25/TCP (SMTP) Mailbox servers Edge Outbound mail always
- Internal in the Transport bypasses the Front End
Exchange subscribed servers Transport service on
organization to Active Directory Mailbox servers.
Edge Transport site
Mail is relayed from
server
the Transport service
on any Mailbox server
in the subscribed
Active Directory site to
an Edge Transport
server using the
implicit and invisible
intra-organization
Send connector that
automatically routes
mail between
Exchange servers in
the same organization.
Outbound mail 25/TCP (SMTP) Edge Transport Internet The default Send
- Edge server (any) connector named
Transport "EdgeSync - <Active
server to Directory site
Internet name> to Internet"
relays outbound mail
on port 25 from the
Edge Transport server
to the Internet.
DNS for name 53/UDP,53/TCP Edge Transport DNS server See the Name
resolution of (DNS) server resolution section.
the next mail
hop (not
pictured)
SOCKS4, 1081,
SOCKS5 1080
Wingate, 23
Telnet,
Cisco
HTTP 6588,
CONNECT, 3128,
HTTP POST 80
Also, if your
organization uses a
proxy server to control
outbound Internet
traffic, you need to
define the proxy server
name, type, and TCP
port that sender
reputation requires to
access the Internet for
open proxy server
detection.
Name resolution
DNS resolution of the next mail hop is a fundamental part of mail flow in any Exchange
organization. Exchange servers that are responsible for receiving inbound mail or delivering
outbound mail must be able to resolve both internal and external host names for proper mail
routing. And all internal Exchange servers must be able to resolve internal host names for proper
mail routing. There are many different ways to design a DNS infrastructure, but the important
result is to ensure name resolution for the next hop is working properly for all of your Exchange
servers.
A database availability group (DAG) is the base component of the Mailbox server high
availability and site resilience framework built into Microsoft Exchange Server 2016. A DAG is a
group of up to 16 Mailbox servers that hosts a set of databases and provides automatic
database-level recovery from failures that affect individual servers or databases.
Important:
All servers within a DAG must be running the same version of Exchange. You can't mix
Exchange 2013 servers and Exchange 2016 servers in the same DAG.
A DAG is a boundary for mailbox database replication, database and server switchovers and
failovers, and an internal component called Active Manager. Active Manager, which runs on every
Mailbox server, manages switchovers and failovers within DAGs. For more information about
Active Manager, see Active Manager.
Any server in a DAG can host a copy of a mailbox database from any other server in the DAG.
When a server is added to a DAG, it works with the other servers in the DAG to provide
automatic recovery from failures that affect mailbox databases, such as a disk, server, or network
failure.
Contents
Note:
Note:
It's supported to create a DAG that contains a combination of physical Mailbox servers and
virtualized Mailbox servers, provided that the servers and solution comply with the Exchange
2016 system requirements and the requirements set forth in Exchange 2016 virtualization. As
with all Exchange high availability configurations, you must ensure that all Mailbox servers in
the DAG are sized appropriately to handle the necessary workload during scheduled and
unscheduled outages.
In addition to a failover cluster being created, the infrastructure that monitors the servers for
network or server failures is initiated. The failover cluster heartbeat mechanism and cluster
database are then used to track and manage information about the DAG that can change
quickly, such as database mount status, replication status, and last mounted location.
This example shows you how to use the Exchange Management Shell to create a DAG with a
cluster administrative access point that will have three servers. Two servers (EX1 and EX2) are on
the same subnet (10.0.0.0), and the third server (EX3) is on a different subnet (192.168.0.0).
The commands to create a DAG without a cluster administrative access point are very similar:
Then, EX2 is added, and the Add-DatabaseAvailabilityGroupServer cmdlet again retrieves the IP
addresses configured for the DAG. There are no changes to the cluster's IP addresses because in
EX2 is on the same subnet as EX1.
Then, EX3 is added, and the Add-DatabaseAvailabilityGroupServer cmdlet again retrieves the IP
addresses configured for the DAG. Because a subnet matching 192.168.0.5 is present on EX3, the
192.168.0.5 address is added as an IP address resource in the cluster group. In addition,
an OR dependency for the Network Name resource for each IP address resource is automatically
configured. The 192.168.0.5 address will be used by the cluster when the cluster core resource
group moves to EX3.
For DAGs with cluster administrative access points, Windows failover clustering registers the IP
addresses for the cluster in the Domain Name System (DNS) when the Network Name resource
is brought online. In addition, when EX1 is added to the cluster, a cluster name object (CNO) is
created in Active Directory. The network name, IP address(es), and CNO for the cluster are not
used for DAG functions. Administrators and end users don't need to interface with or connect to
the cluster/DAG name or IP address for any reason. Some third party applications connect to the
cluster administrative access point to perform management tasks, such as backup or monitoring.
If you do not use any third party applications that require a cluster administrative access point,
and your DAG is running Exchange 2016 on Windows Server 2012 R2, then we recommend
creating a DAG without an administrative access point. This simplifies DAG configuration,
eliminates the need for one or more IP addresses, and reduces the attack surface of a DAG.
DAGs are also configured to use a witness server and a witness directory. The witness server and
witness directory are either automatically configured by the system, or they can be manually
configured by the administrator. In the examples above, EX4 (a server that is not and will not be
a member of the DAG) is being manually configured as the DAG’s witness server.
After the DAG is created, Mailbox servers can be added to the DAG. When the first server is
added to the DAG, a cluster is formed for use by the DAG. DAGs make use of Windows failover
clustering technology, such as the cluster heartbeat, cluster networks, and the cluster database
(for storing data that changes, such as database state changes from active to passive or vice
versa, or from mounted to dismounted and vice versa). As each subsequent server is added to
the DAG, it's joined to the underlying cluster, the cluster's quorum model is automatically
adjusted by Exchange, and the server is added to the DAG object in Active Directory.
After Mailbox servers are added to a DAG, you can configure a variety of DAG properties, such
as whether to use network encryption or network compression for database replication within
the DAG. You can also configure DAG networks and create additional DAG networks.
After you add members to a DAG and configure the DAG, the active mailbox databases on each
server can be replicated to the other DAG members. After you create mailbox database copies,
you can monitor the health and status of the copies using a variety of built-in monitoring tools.
In addition, you can perform database and server switchovers.
DAGs with an even number of members use the failover cluster's Node and File Share Majority
quorum mode, which employs an external witness server that acts as a tie-breaker. In this
quorum mode, each DAG member gets a vote. In addition, the witness server is used to provide
one DAG member with a weighted vote (for example, it gets two votes instead of one). The
cluster quorum data is stored by default on the system disk of each member of the DAG, and is
kept consistent across those disks. However, a copy of the quorum data isn't stored on the
witness server. A file on the witness server is used to keep track of which member has the most
updated copy of the data, but the witness server doesn't have a copy of the cluster quorum
data. In this mode, a majority of the voters (the DAG members plus the witness server) must be
operational and able to communicate with each other to maintain quorum. If a majority of the
voters can't communicate with each other, the DAG's underlying cluster loses quorum, and the
DAG will require administrator intervention to become operational again.
DAGs with an odd number of members use the failover cluster's Node Majority quorum mode.
In this mode, each member gets a vote, and each member's local system disk is used to store
Quorum requires a majority of voters to be able to communicate with each other. Consider a
DAG that has four members. Because this DAG has an even number of members, an external
witness server is used to provide one of the cluster members with a fifth, tie-breaking vote. To
maintain a majority of voters (and therefore quorum), at least three voters must be able to
communicate with each other. At any time, a maximum of two voters can be offline without
disrupting service and data access. If three or more voters are offline, the DAG loses quorum,
and service and data access will be disrupted until you resolve the problem.
Exchange Server 2016 uses a single building block architecture that provides email services for
deployments at all sizes, from small organizations to the largest multi-national corporations.
This architecture is describe in the following diagram.
Step 5 is the fundamental change that enables the removal of session affinity at the load
balancer. For a given protocol session, the Client Access services located on the Mailbox
server now maintains a 1:1 relationship with the Mailbox server hosting the user’s
data. In the event that the active database copy is moved to a different Mailbox server,
MBX closes the sessions to the previous server and establishes sessions to the new
server. This means that all sessions, regardless of their origination point (i.e., MBX
servers in the load balanced array), end up at the same place, the Mailbox server hosting
the active database copy.This is vastly different in releases prior to Exchange 2013 – for
example, in Exchange 2010, if all requests from a specific client did not go to the same
endpoint, the user experience was negatively affected.
The protocol used in step 6 depends on the protocol used to connect to MBX. If the
client leverages the HTTP protocol, then the protocol used between Mailbox servers is
HTTP (secured via SSL using a self-signed certificate). If the protocol leveraged by the
However, there is a concern with this architectural change. Since session affinity is not
used by the load balancer, this means that the load balancer has no knowledge of the
target URL or request content.All the load balancer uses is layer 4 information, the IP
address and the protocol/port (TCP 443):
The load balancer can use a variety of means to select the target server from the load
balanced pool, such as, round-robin (each inbound connection goes to the next target
server in the circular list) or least-connection (load balancer sends each new connection
to the server that has the fewest established connections at that time).
As long as the OWA health probe response is healthy, the load balancer will keep the
target MBX in the load balancing pool. However, if the OWA health probe fails for any
reason, then the load balancer will remove the target MBX from the load balancing pool
for all requests associated with that particular namespace. In other words, in this
example, health from the perspective of the load balancer, is per-server, not per-
protocol, for the given namespace.This means that if the health probe fails, all client
Note: By having session affinity enabled, the load balancer’s capacity and utilization are
decreased because processing is used to maintain more involved affinity options, such
as cookie-based load balancing or Secure Sockets Layer (SSL) session-ID. Check with
your vendor on the impacts session affinity will have in your load balancing scalability.
Note: As seen in the picture depicted above, ECP is provided its own namespace. ECP
and OWA are intimately tied together, and thus, ECP does not necessarily require its
own namespace. However, ECP does have its own application pool, is the endpoint for
the Exchange Administration Center, and used by Outlook clients for certain
configuration items. Therefore, you may want to provide a unique namespace for ECP.
The load balancer is configured to not maintain session affinity (layer 4). The load
balancer is also configured to check the health of the target Mailbox servers in the load
balancing pool; in this case, the health probes are effectively configured to target the
health of each virtual directory, as each virtual directory is defined with a unique
namespace, and while the load balancer still has no idea what the URL is being accessed,
the result is as if it does know.
As long as the OWA health probe response is healthy, the load balancer will keep the
target MBX in the OWA load balancing pool. However, if the OWA health probe fails for
any reason, then the load balancer will remove the target MBX from the load balancing
pool for OWA requests. In other words, in this example, health is per-protocol; this
Conclusion