• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to secondary sidebar
OpenTechTips

OpenTechTips

Comprehensive IT Guides for Pros and Enthusiasts

MENUMENU
  • HOME
  • ALL TOPICS
    • Exchange
    • InfoSec
    • Linux
    • Networking
    • Scripting
      • PowerShell
    • SSL
    • Tools
    • Virtualization
    • Web
    • Windows
  • ABOUT
  • SUBSCRIBE
Home » How to Install a new Microsoft Exchange 2019 Server – Step by Step

How to Install a new Microsoft Exchange 2019 Server – Step by Step

April 15, 2020 - by Zsolt Agoston - last edited on April 12, 2022

Our local diner, AlwaysHot Café hired us to build a mail server. They have a small network that consists of a switch and a firewall with a single static public IP. After discussing our options we decided to go with Microsoft Exchange, as it integrates very well with their existing small business domain controller. We could use the domain controller to host our Exchange installation, but if security is an important factor we better separate them, keeping the authority of Exchange (or more precisely the Trusted Exchange Subsystem) as low as possible. A local admin on a domain controller would become a domain admin which we try to avoid.

Before We Begin

Prerequisites:
Domain Controller: CPU: 2 cores, RAM: 4 GB, HDD: 40GB
Exchange: CPU: 4 cores, RAM: 8GB, HDD: 80GB (in our lab it only hosts a couple of mailboxes)

The operating system we use on the boxes is Microsoft Windows 2019, the domain in running on 2016 forest and domain functional levels. The mail server is Microsoft Exchange 2019. As a starting point we configure the DC, and join the soon-to-be mail server to the domain.

1. Install Prerequisites

We need three things to be installed before we start:

  1. "Media Foundation" feature in Windows
  2. Microsoft Unified Communications API 4.0
  3. Visual C++ 2013 Redistributable

We install media foundation with a quick powershell command

Install-WindowsFeature -Name Server-Media-Foundation
How to Install a new Microsoft Exchange 2019 Server – Step by Step

Download and install the other two from the official locations:

Unified Comms 4.0:    https://go.microsoft.com/fwlink/?LinkId=260990
Visual C++ 2013 re:     https://www.microsoft.com/download/details.aspx?id=40784

 

2. Install MS Exchange 2019

For simplicity we use the GUI installer by simply starting the Setup.exe on the installer disc. The setup will prepare the schema and AD for us during the setup.

Larger companies need to do this in separate steps as one department has rights to extend the schema, but only another can prepare AD. In this case they need to use Setup.exe with the /PrepareSchema and /PrepareAD switches respectively.

How to Install a new Microsoft Exchange 2019 Server – Step by Step

On the first screen we choose the "Don't check for updates" option to speed up the installation process. We and planning to update the server afterwards anyway.

How to Install a new Microsoft Exchange 2019 Server – Step by Step
How to Install a new Microsoft Exchange 2019 Server – Step by Step

Going through the following screens we accept the Introduction, and the license agreement.

How to Install a new Microsoft Exchange 2019 Server – Step by Step

Now listen, it's important: You should never go with the recommended settings!

If there's an option to use custom settings, you always want to go with that. The more granular we can be with any kind of configuration, the better 🙂

How to Install a new Microsoft Exchange 2019 Server – Step by Step

An Exchange 2019 server can have two roles: it either can be a Mailbox server, or an Edge Transport server, never both. A Mailbox server is a regular email server, it stores emails in one or more mailbox databases, sends and receives messages and it has the full client access array, so clients can connect to their mailboxes: MAPI for Outlook client apps, ActiveSync for mobile devices, IMAP, POP3 for virtually any client as those protocols are industry standards.

The Edge Transport role is a special role. If we want a perimeter server, which serves as the single internet-facing server in the organization, which sole purpose is receiving and sending messages, filter them for malware, etc - in other words for tighter security - we use the Edge role. It is so focused on security, an Edge server is not even a member of the domain, it's always deployed as a standalone workstation. We'll dive deeper in that topic in another article.

This time, we go with the Mailbox role

How to Install a new Microsoft Exchange 2019 Server – Step by Step

Leave the default folder location for the Exchange files. Note that this is the default location for all the Exchange executable files, databases and scripts too.

How to Install a new Microsoft Exchange 2019 Server – Step by Step

Next, the organization name is needed to to be set. We use our NetBIOS name for simplicity. At this point we need to speak a few words about AD split permissions. Normally we go without checking this box. If we are in a very locked down environment, where only certain people should do certain tasks, Split Permissions is the right choice as it restricts Exchange in a fundamental way. All the Exchange servers and admins will be blocked to carry out any changes in AD (except for changing a few Exchange-related attributes).

For instance, when a mailbox is created a user account is created in AD first. Then a mailbox can be linked to it afterwards. When split permissions are in place, Exchange won't be able to create the user in AD. An AD admin is needed to create the user first, then the Exchange admin will mail-enable the user afterwards.

We go without split permissions.

How to Install a new Microsoft Exchange 2019 Server – Step by Step

As it is a lab, we disable malware scanning as it would use extra resources on the mailbox server which we will avoid here, in a live environment we make sure that malware filtering is on.

How to Install a new Microsoft Exchange 2019 Server – Step by Step

After the readiness check we hit Install

How to Install a new Microsoft Exchange 2019 Server – Step by Step

When the installation is done, simply exit the installer

3. Install multi-SAN SSL certificate

A Mailbox server needs a publicly trusted SSL certificate with at least the following subject alternative names included:

mail.alwayshotcafe.com: in our case it the mailserver's address. It's used both for SMTP mail traffic, and by clients to access their mailboxes
autodiscover.alwayshotcafe.com: AUTODISCOVER needs to point to a mail server that has the Autodiscover information file. Any mailbox server will do the job, as we have one, we set up a CNAME record to point to mail.alwayshotcafe.com. Autodiscover is a nice feature for users to configure their mailboxes on their devices easily, as they only need to type in their email address and passwords. All other info, like the server address is retrieved automatically from the webserver.

The clients are searching for a specific file, called an Autodiscover.xml that contains all the information the clients need. The location of the file on the mailbox server is hardcoded, the clients will search the locations in the following order:

  • SCP record: inside the domain, this record specifies the location of the Autodiscover.xml file
  • https://alwayshotcafe.com/autodiscover/autodiscover.xml: by design this is the next location that is queried if the SCP lookup doesn’t work. This will likely fail as the root domain usually assigned to the domain's website.
  • https://autodiscover.alwayshotcafe.com/autodiscover/autodiscover.xml: externally 99% of the time this address will be used for client configuration.

We go ahead and get a Let's Encrypt certificate as detailed here, note that we use the following command to include both SANs in the one certificate:

certbot certonly --standalone --preferred-challenges http -d mail.alwayshotcafe.com -d autodiscover.alwayshotcafe.com
How to Install a new Microsoft Exchange 2019 Server – Step by Step

Now we set this up as the active Exchange certificate.

#Import the Exchange cmdlets
PS C:\> Add-PSSnapin microsoft.exchange.management.powershell.snapin

#Get the thumbprint of the new certificate
PS C:\> Get-ExchangeCertificate

Thumbprint Services Subject
---------- -------- -------
955A6C1C35A46C07B1E1F031E60B6B2D38E1941A ....... CN=mail.alwayshotcafe.com
...
...

# Enable the new cert
PS C:\> Enable-ExchangeCertificate -Thumbprint 955A6C1C35A46C07B1E1F031E60B6B2D38E1941A -Services iis,smtp,imap,pop

# Verify that the cert is active
PS C:\> Get-ExchangeCertificate

Thumbprint Services Subject
---------- -------- -------
955A6C1C35A46C07B1E1F031E60B6B2D38E1941A IP.WS.. CN=mail.alwayshotcafe.com

4. Setting up the Default Send Connector

As on-prem Exchange servers don't have any send connectors configured after the installation is completed, we need to set one up in order to be able to send emails externally.

Browse to https://mail.alwayshotcafe.com/ecp to access the WebUI of the new server.

Under "Mail Flow/Send Connectors" use the "+" sign to create the connector

How to Install a new Microsoft Exchange 2019 Server – Step by Step

We name the new connector "Out", and go with the "custom" type so we can be as granular as possible.

How to Install a new Microsoft Exchange 2019 Server – Step by Step

We don't have a smarthost that relays our email, so we go with the regular MX lookup. This case recipients will see the actual public address of our server, so make sure an SPF record is set up. This helps our messages to get through their spam filter. Details HERE.

How to Install a new Microsoft Exchange 2019 Server – Step by Step

As this is the default connector, we add the scope "*" to it, and assigning cost 5.

How to Install a new Microsoft Exchange 2019 Server – Step by Step

We add our only server to the connector. If we had more, we could specify which one could use it to send emails externally. Remember, internal emails don't need any send connectors to be set, as email transmission happens internally. The connectors are only for egress SMTP traffic.

5. Add Public DNS records

We add the following DNS records to our public DNS zone file:

type record value
A mail [our public IP]
MX @ mail.alwayshotcafe.com
CNAME autodiscover [our public IP]
TXT @ v=spf1 ip4:[our public IP] ~all"

6. Add Users to the system

We create a user called John Doe:

PS C:\> New-Mailbox -Name "John Doe" -DisplayName "John Doe" -FirstName "John" -LastName "Doe" -SamAccountName jdoe -UserPrincipalName jdoe@alwayshotcafe.com -PrimarySmtpAddress John.Doe@alwayshotcafe.com

cmdlet New-Mailbox at command pipeline position 1
Supply values for the following parameters:
Password: *****************

Name Alias ServerName ProhibitSendQuota
---- ----- ---------- -----------------
John Doe jdoe mail Unlimited

7. Test Mailflow

How to Install a new Microsoft Exchange 2019 Server – Step by Step

Email messages to and from my email address successfully arrive!

Hope this guide was helpful, let me know in the comments below if something needs to be added 🙂

Reader Interactions

Comments Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Tools

Secondary Sidebar

CONTENTS

  • Before We Begin
  • 1. Install Prerequisites
  •  
  • 2. Install MS Exchange 2019
  • 3. Install multi-SAN SSL certificate
  • 4. Setting up the Default Send Connector
  • 5. Add Public DNS records
  • 6. Add Users to the system
  • 7. Test Mailflow

  • Terms of Use
  • Disclaimer
  • Privacy Policy
Manage your privacy

To provide the best experiences, we and our partners use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us and our partners to process personal data such as browsing behavior or unique IDs on this site and show (non-) personalized ads. Not consenting or withdrawing consent, may adversely affect certain features and functions.

Click below to consent to the above or make granular choices. Your choices will be applied to this site only. You can change your settings at any time, including withdrawing your consent, by using the toggles on the Cookie Policy, or by clicking on the manage consent button at the bottom of the screen.

Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Statistics

Marketing

Features
Always active

Always active
Manage options Manage services Manage {vendor_count} vendors Read more about these purposes
Manage options
{title} {title} {title}
Manage your privacy
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Statistics

Marketing

Features
Always active

Always active
Manage options Manage services Manage {vendor_count} vendors Read more about these purposes
Manage options
{title} {title} {title}