Exchange 2013 – Deploying, Configuring & Upgrading – Part 1

This is part one of an article series which goes through deploying, configuring and upgrading Exchange 2013 in detail.

Exchange is the most popular and widely used email platform, and the latest release brings a lot of new features and changes to the architecture. In this multi-part article series, we will go through an overview of Exchange 2013, the steps to deploy the RTM version, configuring the server with all options for production use including DAG, and finally upgrading it to Cumulative Update 1 (CU1). There is a lot to cover, so let’s get started.

Changes in 2013:

Going over all the changes in 2013 is an article series in itself. Below are the main ones to get you started.

Exchange 2013 has only two roles – Mailbox & Client Access, compared to the five roles in 2010. An Edge role for 2013 is expected later on. We can use 2010 Edge in a 2013 deployment for the time being.

The 2013 Mailbox role does a lot more work than in 2010. Everything to do with a mailbox is done by the Mailbox server. The Client Access server in 2013 is a stateless server, which performs three main functions – authentication, proxying and redirection. It doesn’t store any data, not even in the message queues.

A layer 4 hardware load balancer can be used to load balance the CAS servers, thereby reducing the cost and complexity.

The Exchange Management Console that we are all familiar with from the 2007 days is not available in 2013. Instead, the EMC & ECP in 2010 have been brought together into a single web-based console called the Exchange Administration Center (EAC). The Exchange Management Shell is the other way to manage a 2013 deployment.

Outlook 2007 & above are the supported clients for Exchange 2013. The well-known MAPI access has been dropped and replaced with Outlook Anywhere, for both internal & external Outlook connections.

Public folders have been given a face lift and are now part of the DAG with a single master replication model.

Exchange 2013 RTM Deployment:

Minimum Requirements:

The forest functional level should be Windows Server 2003 or higher. There should be at least one global catalog in the AD site where Exchange 2013 will be installed. The global catalog and schema master should be running Windows 2003 SP2 or higher. It is recommended to keep IPv6 enabled on all Exchange 2013 servers. Windows Server 2008 SP1 or higher is required as the operating system for 2013.

If you are running Exchange 2013 on Windows Server 2012, both the CAS and Mailbox roles require only the Standard edition of 2012. If the base OS is Windows 2008 R2 SP1, the Mailbox role requires Enterprise edition (if DAG is needed), while CAS is fine with Standard edition.

Lab Environment:

In this multi-part series, we will use a Windows 2012 domain controller, two 2013 Mailbox servers and two CAS servers. The Mailbox servers will be configured as part of a Database Availability Group (DAG) and the CAS servers will be load balanced using a layer 4 load balancer. All Exchange servers will be running on Windows 2012 with the latest updates.

A snapshot of the lab that we are using is given below.

Domain: HEW.LOCAL
Functional Level: Windows 2012
Domain Controller: DC1
Mailbox Server 1: MBX1
Mailbox Server 2: MBX2
CAS Server 1: CAS1
CAS Server 2: CAS2
Windows 7 with Outlook 2010: Win7
Windows 7 with Outlook 2013: Win713

It is recommended to have multi-role servers wherever possible in a production network. I am going with role separation in this series to slice out the options required for each role.

Install Exchange 2013 Prerequisites:

Now that all the servers have been built and are part of the HEW.LOCAL domain, let’s go ahead with installing the prerequisites.

There are two ways of installing the prerequisites required for Exchange 2013. The easiest way is to run the Install-WindowsFeature command with all the features required in a PowerShell window. Unlike in Windows 2008 R2, you don’t have to import the server manager module into a 2012 PowerShell window. The required modules are automatically loaded when the command is run.

2013 Prerequisites Installation – Method 1:

To install the prerequisites, open up an elevated PowerShell window and run the command below.

For Mailbox Role:

Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS -Restart

For CAS Role:

Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS -Restart

The RSAT-ADDS installs the Remote Administration tools for AD, which is a requirement if you want to extend the AD schema. It will also bring the familiar AD Users & Computers snap-in on the Exchange server. The “-Restart” at the end will restart the server automatically after the prerequisites are installed.

Once the server is restarted, the next step is to install the Unified Communications Managed API.

Exchange 2013 requires Unified Communications Managed API Runtime (UCMA) 4.0. Download the file and run the executable. You need to agree to the terms and conditions for the installation to complete.

This completes the prerequisites installation using the first method.
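A quick way to confirm the result before moving on to setup is to compare the server's feature state against the list used above. The script below is an added example, not part of the original article; the helper name Get-ExchangePrereqStatus and the 'NotFound' label are made up for illustration, and the feature names are copied from the command in Method 1.

```powershell
# Added example: report which Exchange 2013 prerequisite features are still
# missing on this server. Feature names come from the Install-WindowsFeature
# command above, with the repeated Web-Mgmt-Console entry listed once.
$ExchangePrereqFeatures = @(
    'AS-HTTP-Activation', 'Desktop-Experience', 'NET-Framework-45-Features',
    'RPC-over-HTTP-proxy', 'RSAT-Clustering', 'RSAT-Clustering-CmdInterface',
    'RSAT-Clustering-Mgmt', 'RSAT-Clustering-PowerShell', 'Web-Mgmt-Console',
    'WAS-Process-Model', 'Web-Asp-Net45', 'Web-Basic-Auth', 'Web-Client-Auth',
    'Web-Digest-Auth', 'Web-Dir-Browsing', 'Web-Dyn-Compression',
    'Web-Http-Errors', 'Web-Http-Logging', 'Web-Http-Redirect',
    'Web-Http-Tracing', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter',
    'Web-Lgcy-Mgmt-Console', 'Web-Metabase', 'Web-Mgmt-Service',
    'Web-Net-Ext45', 'Web-Request-Monitor', 'Web-Server',
    'Web-Stat-Compression', 'Web-Static-Content', 'Web-Windows-Auth',
    'Web-WMI', 'Windows-Identity-Foundation', 'RSAT-ADDS'
)

function Get-ExchangePrereqStatus {   # hypothetical helper name
    param([string[]]$Name = $ExchangePrereqFeatures)

    # One query for all names; names the OS does not know simply return nothing.
    $found = @(Get-WindowsFeature -Name $Name -ErrorAction SilentlyContinue)

    foreach ($feature in $Name) {
        $match = $found | Where-Object { $_.Name -eq $feature }
        [pscustomobject]@{
            Feature      = $feature
            Installed    = [bool]($match -and $match.Installed)
            # 'NotFound' is this script's own label for an unknown feature name
            InstallState = if ($match) { $match.InstallState } else { 'NotFound' }
        }
    }
}

$status  = Get-ExchangePrereqStatus
$missing = @($status | Where-Object { -not $_.Installed })

if ($missing.Count -eq 0) {
    Write-Output 'All listed prerequisite features are installed.'
} else {
    Write-Warning "$($missing.Count) prerequisite feature(s) not installed:"
    $missing | Format-Table -AutoSize
}
```

Keeping the output of this check with the build record also documents exactly which IIS authentication and management features were enabled on the server for Exchange.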

2013 Prerequisites Installation – Method 2:

The second way of installing the prerequisites is to use the option in the 2013 setup to install the Windows features that are required by Exchange. This can be used for both the server roles.

But, Unified Communications Managed API has to be installed before the Exchange 2013 setup and in order to install UCMA, the Windows Desktop Experience feature is required. Hence, open up an elevated PowerShell window and run the command below.

Install-WindowsFeature Desktop-Experience 

The server needs to be restarted after the feature is installed successfully. Once the server is back online, run the UCMA & complete the installation by clicking Next & agreeing to the license. The rest of the required features will be installed by the Exchange 2013 setup.

Now that the prerequisites are installed, let’s go ahead with the Exchange installation on the Mailbox server. It is recommended to install Exchange on the Mailbox server first and then the CAS. Installing the CAS first will not break the environment, but you won’t be able to manage the environment until a Mailbox server is installed as the PowerShell endpoint is a mailbox server.

Prepare Schema, AD & Domain

While Exchange 2013 setup takes care of preparing the schema, AD and domain, it is nice to have it done manually from the command prompt, especially if you have a large organization with replication delays due to the AD site topology.

Prepare Schema

In order to prepare the schema, run the following command from an elevated command prompt after browsing to the Exchange 2013 DVD/ISO. Note that there is no more Setup.Com in Exchange 2013.

Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms

You will need Enterprise Admins and Schema Admins rights. The command has to be run on a 64-bit computer in the same domain and in the same AD site as the schema master. I will run it from MBX1, as the remote administration tools (RSAT-ADDS) have been installed on the server. You can run it from the domain controller as well.

After the command is run, wait for the changes to replicate across your Exchange organization before continuing to the next step. The amount of time this takes depends on your AD site topology.

The above command will connect to the schema master and import the LDIF files to update the schema with Exchange 2013 specific attributes. The LDIF files are copied to the Temp directory on the server and then deleted after they are imported into the schema.
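To see whether the schema update has replicated, you can read the Exchange schema version marker from every domain controller and compare it with the value on the schema master. This is an added example, not from the original article: it assumes the ActiveDirectory module (installed with RSAT-ADDS) and relies on the rangeUpper attribute of the ms-Exch-Schema-Version-Pt schema object, which Exchange setup updates; the function name is hypothetical.

```powershell
# Added example: check replication of the Exchange schema update across all DCs.
Import-Module ActiveDirectory   # available once RSAT-ADDS is installed

function Get-ExchangeSchemaVersionByDC {   # hypothetical helper name
    $forest    = Get-ADForest
    $schemaNC  = (Get-ADRootDSE -Server $forest.SchemaMaster).schemaNamingContext
    $versionDn = "CN=ms-Exch-Schema-Version-Pt,$schemaNC"

    # Every domain controller in every domain of the forest
    $dcs = foreach ($domain in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $domain
    }

    foreach ($dc in $dcs) {
        try {
            $obj   = Get-ADObject -Identity $versionDn -Server $dc.HostName `
                                  -Properties rangeUpper -ErrorAction Stop
            $value = $obj.rangeUpper
        } catch {
            $value = $null   # DC unreachable, or the object has not arrived yet
        }
        [pscustomobject]@{
            DomainController = $dc.HostName
            Site             = $dc.Site
            RangeUpper       = $value
        }
    }
}

$results   = @(Get-ExchangeSchemaVersionByDC)
$master    = (Get-ADForest).SchemaMaster
$reference = ($results | Where-Object { $_.DomainController -eq $master }).RangeUpper

# Any DC whose value differs from the schema master has not replicated the change.
$lagging = @($results | Where-Object { $_.RangeUpper -ne $reference })

$results | Sort-Object Site, DomainController | Format-Table -AutoSize
if ($lagging.Count -eq 0) {
    Write-Output "Schema version $reference is present on all $($results.Count) DC(s)."
} else {
    Write-Warning "$($lagging.Count) DC(s) do not yet match the schema master ($reference)."
}
```

Run it again until no domain controller is reported as lagging, then continue with the next step.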

Prepare AD

If you skip the prepare schema step explained above, preparing the AD will go ahead and prepare the schema first. In order to prepare the AD, run the following command from an elevated command prompt after browsing to the Exchange 2013 DVD/ISO.

Setup.exe /PrepareAD /OrganizationName:HEWOrg /IAcceptExchangeServerLicenseTerms

The “/OrganizationName” is only required if you are installing a greenfield 2013 environment, which we are. You will need Enterprise Admins right to execute the command successfully. The command has to be run on a 64-bit computer in the same domain and in the same AD site as the schema master. If you have a multi-domain environment, the server should be able to contact all domains in the forest on port 389.

This command creates the “Microsoft Exchange Security Groups” OU in the root domain of the forest, assigns specific permissions on this OU, creates the management role groups (used for RBAC) within the OU, creates Exchange containers and objects in the configuration partition, assigns specific permissions throughout the configuration partition, and prepares the local domain, among other things.
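The groups created in this OU control administrative access to the Exchange organization, so it is worth recording their membership right after preparation and comparing it later. The script below is an added example, not from the original article; it assumes the ActiveDirectory module, and the function name and CSV file name are hypothetical.

```powershell
# Added example: baseline the groups that /PrepareAD creates in the
# "Microsoft Exchange Security Groups" OU, including their current members.
Import-Module ActiveDirectory

function Get-ExchangeSecurityGroupBaseline {   # hypothetical helper name
    # The OU lives in the forest root domain
    $rootDomain = Get-ADDomain -Identity (Get-ADForest).RootDomain
    $ou         = "OU=Microsoft Exchange Security Groups,$($rootDomain.DistinguishedName)"
    $server     = $rootDomain.PDCEmulator

    $groups = Get-ADGroup -Filter * -SearchBase $ou -Server $server -Properties whenCreated

    foreach ($group in $groups) {
        # Direct members only; wrap in @() so an empty group yields a count of 0
        $members = @(Get-ADGroupMember -Identity $group.DistinguishedName -Server $server)
        [pscustomobject]@{
            Group       = $group.Name
            Scope       = $group.GroupScope
            Created     = $group.whenCreated
            MemberCount = $members.Count
            Members     = ($members.SamAccountName | Sort-Object) -join ';'
        }
    }
}

$baseline = Get-ExchangeSecurityGroupBaseline | Sort-Object Group
$baseline | Format-Table Group, Scope, MemberCount, Members -AutoSize

# Hypothetical output file; keep it with your change records.
$baseline | Export-Csv -Path .\exchange-security-groups-baseline.csv -NoTypeInformation

# Later, compare a fresh run against the saved baseline to spot membership drift.
$saved   = Import-Csv -Path .\exchange-security-groups-baseline.csv
$current = Get-ExchangeSecurityGroupBaseline | Sort-Object Group
Compare-Object -ReferenceObject $saved -DifferenceObject $current `
               -Property Group, Members |
    Format-Table Group, Members, SideIndicator -AutoSize
```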

Prepare Domain

In order to prepare a domain, run the following command from an elevated command prompt after browsing to the Exchange 2013 DVD/ISO.

Setup.exe /PrepareDomain /IAcceptExchangeServerLicenseTerms

If you have a single domain environment, you don’t have to prepare the domain, as the local domain is prepared for 2013 as part of preparing the AD. But if you have a multi-domain environment, all other domains (except the one on which the AD was prepared) have to be ready for 2013.

You can prepare all the domains in one go by running the command below.

Setup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms (you will need Enterprise Admin rights).

You can also prepare one domain at a time by specifying the domain FQDN.

Setup.exe /PrepareDomain:<domain fqdn> /IAcceptExchangeServerLicenseTerms (you will need domain admin rights for the domain you are preparing).

You must run the setup.exe /preparedomain command in every domain in which you will install Exchange 2013 and in every domain that will contain mail-enabled users, even if the domain doesn’t have Exchange 2013 installed.

The above command will create a domain global group in the current domain called “Exchange Install Domain Servers”. This group will be placed in the Microsoft Exchange System Objects container and will also be added to the Exchange Servers USG in the root domain. The command will also assign permissions for universal security groups, set the ObjectVersion property correctly among other things.

This completes part one of this article series. Now that the servers have the Exchange 2013 prerequisites installed and the schema, AD and domain have been prepared, we are ready to introduce Exchange 2013 into the environment, which will be covered in part two.

Stay tuned ;)

  1. Hi,

    As you said, the Ex2013 CAS server performs three main functions – authentication, proxying and redirection. So does this mean mail flow will work internally if the CAS server is down?

Disable Windows Copilot Using Intune

Windows Copilot is Microsoft’s take on making life easier for Windows users using the power of AI. This article explains how to disable the feature using Intune, if your organization is not ready yet to walk into the AI world.

Disable Windows Copilot Using Intune

We need to create a Configuration Profile for Windows devices in the Intune portal to disable Windows Copilot. Below are the steps that we need to create the profile.

Launch the Intune Portal and login as a Global Admin or Intune Admin.

Navigate to Devices -> Windows -> Configuration Profiles.

Click on Create -> New Policy.

Select Windows 10 & later as the platform and Settings Catalog as the profile type & click on the Create button.

Give the policy a meaningful name & description and click Next.

Within the configuration settings, click on the Add Settings option.

Search for ‘copilot’; Windows AI will come up as the category. Click on Windows AI and the Turn off Copilot in Windows (User) setting will come up. Check the box and click Next.

Specify scope tags if required and click Next.

Select who this policy should apply to in the Assignments section. I have selected to add all users. If you want to test the setting, you can create a test group and select that group here.

Similarly, you can also exclude a certain group from disabling AI (say, the IT team) if required.

A summary of selected settings will be displayed. Click on the Create button to set up the policy to disable Windows Copilot.

Wait for the replication to complete in the cloud backend and login to your machine. Your chatty Copilot should now be disabled.

Disable Windows Copilot On Windows 11 Pro

Follow the steps below to disable Copilot on a personal Windows 11 Pro machine (say your own laptop).

Search for ‘group’ in Windows 11 and click on Edit Group Policy option.

Navigate to User Configuration -> Administrative Templates -> Windows Components -> Windows Copilot.

Double click on Turn off Windows Copilot setting on the right pane.

Select Enabled and click OK.

Close the Group Policy Editor. This will disable Windows Copilot on a Windows 11 Pro machine.

Summary

We have learned to disable Windows Copilot using Intune and Group Policy on Windows 11 machines.

Please let me know if you have any questions in the comments section.

Promote Windows Server 2025 To Domain Controller

Domain controllers are the backbone of any Active Directory domain in the Microsoft world. Any Windows server can be promoted to be a domain controller. In this article, we will go through the steps of promoting a Windows 2025 Server to be a domain controller.

Windows Server 2025

The latest version of the server operating system has been named Windows Server 2025. You can start with a 2025 Server & create an AD domain or you can promote a member server that is already a part of a domain.

The Windows Server 2025 needs to be installed on a machine before it can be promoted to be a domain controller.

Promote Windows Server 2025 To Domain Controller

If you have been working with Windows servers long enough, everything starts with the Server Manager app. Promoting a server to a domain controller is no different.

Launch ‘Server Manager’ & click on Add roles and features.

You land on the summary page that explains what is required to run this wizard successfully. Click Next.

Select Role-based or Feature-based installation and click Next.

Select the server that needs to be promoted and click Next.

Select Active Directory Domain Services (second option) and click on Add Features.

Go with the default options for features that need to be installed.

A summary of AD DS pops up next; click Next to continue.

Select Restart the server automatically if required and click Install.

You get to keep an eye on the progress of the installation.

Once the role has been installed, you will find an exclamation mark on the top right corner of the Server Manager. Click on that and select Promote this server to be a domain controller.

You get an error straight away (which you have never seen before) – Error determining whether the target server is already a domain controller. Role change is in progress or this computer needs a restart.

We never needed to restart the server after installing the role in the DC promotion process. Given that it is an insider build of Server 2025, I am hoping that this will get fixed before the public release.

Restart the server, launch Server Manager and click on the Promote this server to be a domain controller option again.

I am setting up a brand new AD forest and hence I select the third option (Add a new forest) and enter my root domain name.

The next window brings the option to set your forest & domain functional level and the DSRM password. In the insider build, it shows what looks like a variable (the Windows server version on which you are working).

You can leave the default options in the DNS options wizard and click next.

Enter the netbios name of the domain in the next window and click next.

You can stick with the default paths for the AD database, log & sysvol folder or pick a location of your choice.

Review the selections that you have made so far and click next.

Wait for the green check mark on the prerequisites page and click next.

Click Install in the final window & wait for the magic to happen. Once the machine gets restarted (which it will do automatically), you will have a brand new domain controller based on Windows Server 2025.
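The same promotion can be scripted with the ADDSDeployment cmdlets, which is easier to repeat and review than the wizard. The script below is an added example, not from the original article; the domain and NetBIOS names are placeholders because the article does not state them, and the DSRM password is prompted for rather than stored in the script.

```powershell
# Added example: new-forest promotion matching the wizard steps above.
# Run in an elevated PowerShell session on the server being promoted.

# Placeholder values (the article does not state them); replace with your own.
$domainName  = 'corp.example'
$netbiosName = 'CORP'

# 1. Install the AD DS role and its management tools.
$role = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
if (-not $role.Success) {
    throw 'AD DS role installation failed.'
}
if ($role.RestartNeeded -ne 'No') {
    # Restart first, then run this script again to continue with the promotion.
    Write-Warning 'A restart is pending. Restart the server and re-run this script.'
    return
}

# 2. Prompt for the DSRM password so it never appears in the script or history.
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM (safe mode) password'

$forestParams = @{
    DomainName                    = $domainName
    DomainNetbiosName             = $netbiosName
    InstallDns                    = $true
    SafeModeAdministratorPassword = $dsrm
    # Database, log and SYSVOL paths are left at their defaults, as in the wizard.
}

# 3. Run the same prerequisite checks the wizard shows before the Install button.
$checks   = @(Test-ADDSForestInstallation @forestParams)
$failures = @($checks | Where-Object { $_.Status -eq 'Error' })
if ($failures.Count -gt 0) {
    $failures | Format-List Status, Message
    throw 'Prerequisite check failed; forest was not created.'
}
$checks | Where-Object { $_.Status -eq 'Warning' } | Format-List Message

# 4. Promote. The cmdlet asks for confirmation and restarts the server when done.
Install-ADDSForest @forestParams
```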

Summary

Promoting a Server 2025 to a domain controller follows pretty much the same steps as previous operating systems. The Insider build has a few errors that need to be fixed, but hey, it is an insider build!

Please let me know if you have any questions in the comments section.

Install Windows Server 2025 – Full Guide

Microsoft has released an insider preview of its next server operating system named Windows Server 2025. We will have a look at the installation steps involved in setting up a 2025 server.

Windows Server 2025

Microsoft has gone with the same look and feel of the Windows 11 operating system in its current server operating system – Windows Server 2025. As the product is in insider preview, there might be slight changes before it hits the public shelves.

It is refreshing to see a ‘modern’ feel in the installation process of a server operating system. Gone are the days where the installation of a consumer based OS felt much better compared to its server counterpart.

Installing Windows Server 2025

Let’s take a look at the steps involved in setting up a Windows Server 2025 machine. First step is to download the ISO from the Windows Insider portal.

Next step is to boot the virtual / physical machine from the ISO which will kick off the installation of Server 2025.

The first option to select is the language settings. Pick the one that applies to you and click Next.

Select the keyboard settings in the next screen and click next.

You get the option to select whether you want to Install Windows Server or Repair the installation. The bottom left corner also has the option to go to the previous version of setup.

You are asked to enter the product key, which is available in the Windows Insider portal.

Next option to choose is the type of image you want to install – Windows 2025 core or full blown desktop experience.

You need to agree to the licensing terms to move forward in the next step.

Select the partition on which the server OS should be installed and click next. You also have the option to slice the partitions the way you see fit in the same screen.

The Ready to Install window comes up, click the install button.

Installation of Server 2025 is underway and you get to see the progress.

Once the installation is complete, you need to enter an administrator password of your choice to finalize the setup.

And there you go! You see a Windows 11 login screen staring at you ;-)

After logging in, you get to set the options around sending diagnostic data to Microsoft, which I always set as ‘required only’.

The Windows Server 2025 desktop looks similar, doesn’t it? ;-)

Now that the server is up and running, you can promote it to be a domain controller.

Summary

Windows Server 2025 has the same look and feel as the Windows 11 operating system. The installation options also provide that modern ‘feel’ and make it a bit soothing to the eyes!

Please let me know if you have any questions in the comments section.