Exchange 2013 – Pre-stage CNO for DAG creation

The basic steps to creating a DAG of course means having Exchange servers setup prior with their respective databases.

The core components to pre-stage for a DAG are:
1. Designate a Witness Server – In production, best practice suggests in a separate location than that of your DAG(s).
2. Database Availability Group Name
3. Witness Directory
4. Database Availability Group IP address
5. Cluster Name Object
Start by creating a witness server for your DAG.
To pre-stage the witness server you create a folder on the C: drive of the witness server. On my server I call it “ExchangeFWS” so that the witness server has a spot to store its logs, and I can logically identify it later.
Then you will need to add the Exchange Trusted Subsystem to the local administrators group of the witness server.
Follow this by going to your domain controller and creating a computer object (I give mine the same name as the DAG, in my case: DAG01.) This will be the CNO.
While still in Active Directory Users and Computers, enable Advanced Features under the view drop down menu and navigate back to the location of my the DAG01 computer object.
Right click the object and select properties and navigate to to the security tab.
Once here, add the exchange servers computer objects with full permissions.
Exit out of the properties window and right click your DAG computer object and disable it. This is done for security so that you don’t have an unused computer object hanging out in your active directory.
And that’s it!
Now you can get ready to create your DAG.

Exchange 2013 – Moving and Renaming a Mailbox Database

The default location of a mail database is not really that easy to remember either, so I am going to move my databases from their default location:

That being said, you can either create a new one, or move the existing one.
In this post I am going to move my existing mail database using powershell:
First I need to change the Mailbox Database name to something more suitable.
I do this by logging into the EAC, selecting Servers – Databases – Edit – then change the name of the given database to something like DB01 and then pressing OK.
Then I need to get the exact name of the database:

I used a command like this one to dismount my database:

Now I can move the MailboxDatabase and my LogFolderPath:

Then I need to check the status of my Mailbox Database with something like:

Followed by mounting the database again:

For my own sanity, I finalize this process by running:

Exchange 2013 – Exporting Certificate Private Keys

As I continue to work with Exchange, I came to a point where I needed to export the private key from a certificate to complete a request with a 3rd party Certificate Authority.
I did some quick research for how to do an export of a private key from a Certificate Enrollment Request Certificate found in my local Exchange Server’s local computer certificate store.
I exported the certificate with the private key and all extended properties.
What I ended up doing was downloading Openssl for Windows, and installing it on my C: drive of my Exchange lab server.
Once installed I opened the Windows CLI and navigated into the directory.
I was able to successfully export the key by running a command similar to this one:

Since you must have a password to obtain the private key, I was prompted to enter the password associated with the certificate file.
After successfully entering the password I was able to find my .pem file which I opened with notepad and was able to copy and paste to the GUI of the 3rd party CA I wanted to use.

Exchange 2013 – Blocked Port 25? No problem.

Playing in my home lab with Exchange 2013, I came to a point where I wanted to setup e-mail that would be routed to and from the Internet.
My current ISP (Comcast) subscription is a normal home account. That being said, Comcast blocks port 25 (SMTP) from any outbound and inbound connections.
I would just upgrade my account with Comcast to a Business account but I also live with a couple of roommates. I found it hard to justify the jump in price to them if I were to switch the account over to a business account. I’m also just cheap.
As I started to do some research through hours of googling, I couldn’t find any sort of straight forward answer for how to accomplish what I want to do.
If you want to send e-mail out to the internet but your ISP blocks port 25, and you want to do so without having to upgrade to a business account, there are a few things you will need to do:
1. Have about $30 – $40
2. Buy a publicly routable domain name
3. Adjust some port settings on your router
4. Subscribe to an “Outbound E-mail Relay” provider
5. Subscribe to a “Mail Redirection” provider
There are two sites I used to accomplish this:
1and1 – This is where I bought my domain name. New customers get their first domain name for $0.99
DNSExit – This is where I bought the services for Outbound E-mail Relaying and also Mail Redirection. It costs $4.50 a month for 150 outbound mail relays per day. Through this site I was also able to get a trial for 14 days of their mail redirection service. After the 14 days, the mail redirection service is $24.99 /domain /year.

The setup could be summarized as follows:

Buy a Domain

As I stated above, I bought my domain name with I was able to use their interface to set up the DNS records needed to point to my router. I was also able to set up a subdomain name and point it to my router as well.
So the requirements here were:
  • Set A record for domain name and point to router (My Public IP)
  • Set A record for subdomain name and point to router (My Public IP)
  • Set MX record for mail server. (This will be the FQDN of the mail server that will be forwarding your mails from the internet to your home server. In my case it was “”)

Setup Port Forwarding

In my case, I opened port 26 on my routers firewall and set a couple of port forward rules. The rules I set said: For anything coming from the internet on port 26, port forward to my internal Exchange server’s IP addresses on port 26.
I use DD-WRT as my router firmware. The settings above are accomplished by logging into your router, selecting NAT/QOS and selecting the Port Forwarding tab.
An example entry looks like:
Application     Protocol     Source Net     Port from     IP Address               Port to
MAIL              Both         26               26
If you have already installed your Exchange environment navigate to the Exchange Admin Console and perform the following:
  •      Select Mail Flow
  •      Select the receive connectors tab
  •      Select the Default Frontend
  •      Select Scoping
Within the Network adapter bindings change your IP Addresses port number to one of the supported ports of your chosen provider. In my case I chose port 26.
  •      Save your changes
  •      Select the Send Connectors tab
  •      Create or edit an existing send connector
Set the new send connector to route mail through smart hosts and specify the address the relay provider gives you. In my case it was I also left the external DNS blank.
  • Select the basic authentication option and enter in the credentials that your provider gives you.
  • Set the address space to “*” and add your exchange servers.
  • Save your new send connector.
If port 25 is blocked, you will need to do the following as well:
  • Open the Exchange Management Shell
  • You will need to use the Set-SendConnector cmdlet to specify the port of your new send connector.

Where SENDCONNECTORNAME is the name of the send connector which you named in Step 1 and port 26 could be any open ports from your provider.
If no errors show in the shell then it worked and you are done setting up the outbound relay.
Send a test e-mail from your Exchange server to verify.
Assuming the above is all setup, you should be able to send and receive e-mail from your home Exchange server.
Feel free to drop a comment or share your experience!

Exchange 2013 – Importing Certificates

In Exchange 2013 installing certificates is fairly straightforward. With a CAS/Mailbox duo setup on three of these configured, I encountered one problem with the certificates that I thought was worth noting.

I wanted to add a certificate to my lab. So I went to one of the free sites (in my case, StartSSL) and got myself a certificate for my lab domain, after submitting my certificate request from my first Exchange server.

Once I had finally received my certificate, I used the Exchange EAC web GUI to import my certificate onto all of my Exchange servers. Exchange seemed happy, notifying me that the import was successful to all servers.

At this point, something isn’t right. I ran into a weird problem. I went to check the certificate I just imported on all of my servers through the GUI and I found that the certificate was only visible on my first Exchange server. This was weird to me because I had not received any errors when the first Exchange server was importing. Naturally I checked the logs, and found no error on any of my servers.

Logically the next step that came to mind was to try to re-import the certificate on the servers that it was not showing on.

What’s interesting is that when I tried to import the certificate directly onto either of the servers, it still wasn’t showing up. I was prompted by Exchange that the certificate had already been installed with its respective thumbprint. This continued after exporting and removing the certificate from each of the servers and starting back from square one.

After getting frustrated, I decided to do a little more digging, I loaded up MMC with the Certificate snap-in to take a closer look at the certificate I had just imported to my Exchange server. I was able to successfully see the certificate I had just imported, but on closer inspection I saw that it didn’t have the private key installed, which in turn makes the certificate useless.

With this new found information, I removed the certificate from all stores on all of my labs Exchange servers. During the removal however from my first Exchange server, I exported a copy of it which included the private key and all extended properties. I then decided to try to import the certificate using the Exchange shell so I could see more of what might be happening on the back-end.

What I found worked, could be summarized as follows:

If you have already installed a certificate like me, make sure you have already removed the certificate from each server you imported it to.

Import the certificate using the Import-ExchangeCertificate powershell command:

This command will import the certificate from a file called mycert.pfx from a file share called share. (Use the UNC path here) The password parameter prompts for a password here, as it is required for a file storing both a certificate and its private key.

Then you would use the command Get-ExchangeCertificate to receive a list of the installed certificate. I used the -server <Server Name> parameter to view each individual server and verify the certificate installed.

Next you would use the Enable-ExchangeCertificate cmdlet to assign the certificate it’s roles with exchange.

This command will enable the certificate with the thumbprint you specify to secure communication over IMAP, POP3, IIS, and SMTP etc.

At this point, you should be practically ready to go with your Exchange certificate. After refreshing the view in the Exchange admin console, you should see the certificate you’ve installed listed on all servers you imported it on.

I will not however that when importing the certificate through PowerShell it does not allow you to give it a friendly name, so you will have to give it one through EAC if you want to easily identify it this way.