
This website is originally written in the Czech language. Most content is machine (AI) translated into English. The translation may not be exact and may contain errors.


Exchange Server 2016 installation and basic configuration

Petr Bouška - Samuraj
It doesn't matter whether we are performing a new Exchange Server deployment or migrating from an older version, we always perform a clean installation of the new server. We have to meet some prerequisites and requirements. The actual installation is then simple using a wizard. In Exchange 2016, everything has been simplified again, because we only have two roles (and the second one is the Edge server), so the installation is quite uniform.

This article is part of a series that comes from my notes during the migration of an Exchange organization from version 2010 to 2016. It's not a complete procedure, but a description of the main points and areas. The examples are related to a specific design, but they can generally be applied. Also, even though it's a migration description, the information is also suitable for a new installation or administration.

The official documentation for Exchange Server 2016 is quite good and contains a lot of information. Some things are just harder to find, while others are repeated over and over. It's a good idea to start by looking at a few chapters:

Exchange 2016 Architecture

In this article, we won't focus on the functioning of the Exchange server, but only on its installation for the planned migration from version 2010 to 2016. We assume administrator-level knowledge of Exchange Server 2010. Nevertheless, let's start with one important mention about the architecture.

Exchange 2010 used a variety of roles (Mailbox, Client Access, Hub Transport, Unified Messaging and Edge Transport). Often, we installed all of them, except the last one, on a single server. Exchange 2016 has reduced everything to only two roles (so we're going back to the time when Exchange 2003 had no roles). The main one is the Mailbox server role, which contains all the components from the original Mailbox, Client Access, Hub Transport and Unified Messaging roles in Exchange 2010. That's what we'll focus on here. And then the Edge Transport server role, which is installed in the DMZ and secures mail communication with the internet (viruses, spam, mail rules).

Below is the official diagram from the Microsoft pages.

[Image: Microsoft Exchange 2016 diagram]

Initial Requirements (System Requirements)

First, we need to check that we meet the basic Exchange Server system requirements.

  • The Domain Functional Level and Forest Functional Level must be at least Windows Server 2008
  • All Exchange servers must be at least Exchange Server 2010 SP3 Update Rollup 11, which is Build 14.03.0266.002 (the list of versions is in the article Exchange Server Updates: build numbers and release dates); migration (coexistence) is supported from Exchange 2010 SP3 RU11 or Exchange 2013 CU 10
  • The installation will be performed on a new server with an OS of Windows Server 2012, Windows Server 2012 R2 or Windows Server 2016 (supported from Exchange Server 2016 CU3), in the Standard or Datacenter edition
  • The server must be a member of a domain, the GUI version must be used (Core or Nano versions are not supported)
  • The higher the Cumulative Update (CU) we install, the newer the .NET Framework version we need (currently the latest CU10 requires .NET Framework 4.7.1)
  • Clients are supported from Outlook 2010 SP2 with updates KB2956191 and KB2965295
  • To determine various parameters, we can use the Exchange Server Role Requirements Calculator
  • The system and database storage partitions must be formatted with NTFS, the partitions with transaction logs or Mailbox DBs can be formatted with ReFS

The requirements also include minimum hardware requirements. Today, we will probably use a virtual machine (VM) in most cases, where the advantage is that we can increase the resources as needed. I initially created the servers with the same resources as I had on Exchange 2010, but very quickly I had to increase the vRAM and the number of vCPUs, and I ended up with about twice as much.

Fulfilling Prerequisites

To create a deployment plan for various scenarios, including migration, we can use the online tool Exchange Server Deployment Assistant. Before starting the actual installation, we need to perform the preparatory steps described in the Exchange Server prerequisites.

The documentation states that if we want to (at least for a while) run coexistence with Exchange 2010 SP3, which is running on Windows Server 2008 R2 SP1, we have to install KB3140410 hotfix for Outlook Anywhere. But I don't have this patch on my systems, and it can't be installed (it reports that it's not intended for my system).

System Components

To be able to install Exchange 2016, certain Windows components (roles and features) must be installed on the server. We can use PowerShell to install the required Windows Features. The following command (you need to remove the line breaks so that it's a single command) should install everything needed for Windows Server 2016.

Install-WindowsFeature NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface,
 RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth,
 Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging,
 Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console,
 Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content,
 Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS 

Note: In practice, we encountered performance issues if the Windows Defender component was on the server. It can be uninstalled with Uninstall-WindowsFeature -Name Windows-Defender.

Required Applications

Microsoft states that the following software must also be installed:

Preparing Active Directory Domain Services

The Exchange server uses Active Directory Domain Services (AD DS) extensively. Before installing the first server, we need to make changes to AD DS. The easiest way is to let the installation wizard perform these changes, which we must run with sufficient permissions. The account must be a member of the Schema Admins and Enterprise Admins groups. Alternatively, we can manually trigger it in the command line using the Exchange server installer.

Note: After modifying AD, no Exchange 2013 server can be installed anymore.

Updating (Extending) the Active Directory Schema

Exchange adds its own attributes to the AD DS schema and modifies existing classes and attributes. Therefore, before installation, it's necessary to extend the schema with these attributes. With Exchange 2016, the schema is even changed in some Cumulative Updates (so the schema needs to be updated before their installation).

Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms

Preparing Active Directory and the Domain

Further, it's necessary to prepare the Active Directory forest and its domains so that Exchange can store information about user mailboxes and server configuration in the organization. This process creates containers, objects, and other items in Active Directory, which is referred to as the Exchange Organization.

The first command will prepare the Active Directory forest and the current domain (creates additional containers, security groups, and sets permissions). If we have multiple domains, we need to use the second command in each one (we don't use it at all with a single domain).

Setup.exe /PrepareAD /OrganizationName:"organization name" /IAcceptExchangeServerLicenseTerms
Setup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms

Installing the Exchange Server

We get the installation media depending on how we obtained the license. But since the installation of a Cumulative Update (CU) is essentially a complete installation, we can publicly download the installation of the latest CU10 version of Exchange Server (we need to enter the license key within a certain time after installation) from the Cumulative Update 10 for Exchange Server 2016 (KB4099852). Links to the latest versions are added to the article Exchange Server Updates: build numbers and release dates.

Detailed installation instructions, including screenshots, can be found at Microsoft's Install the Exchange 2016 Mailbox role using the Setup wizard. The individual installation steps:

  • We start setup.exe from the installation DVD
  • We can check if there are any online updates available
  • The files are copied to the local disk in %WinDir%\Temp\ExchangeSetup
  • A page with tips on where to get information is displayed
  • We must agree to the license terms
  • We can choose the recommended settings, where sending information to MS is turned on, or not use them and turn the sending off
  • We choose the Mailbox role; the Management Tools are added automatically and the Edge Transport role can then no longer be selected. To be safe, we check the option to install the Windows components, even though we have already installed them in advance
[Image: Exchange installation, Server Roles]
  • We can leave the standard installation path C:\Program Files\Microsoft\Exchange Server\V15, and we'll find out that the installation will take 8201.1 MB (such a small amount)
  • Since we are performing a migration, the Exchange Organization already exists, so the step where we would create it is not displayed now
  • In the next step, we choose whether we want to use Microsoft Malware Protection
  • Then a readiness check is performed to see if all prerequisites are met; if an error is found, we can only choose Retry after we have fixed it
  • The problem may be, for example, that we haven't made the AD DS changes and Setup is not running with sufficient privileges (Schema Admins and Enterprise Admins), in which case we need to run it again with sufficient privileges; AD will then be prepared during installation
  • If everything is fine, we click Install (the installation takes a long time)
[Image: Exchange installation, error during the AD DS check]

Note: Even during the installation, we can look at the logs C:\ExchangeSetupLogs\ExchangeSetup.log to see if everything is proceeding correctly.

Information about Server Versions

In the article Exchange Server Updates: build numbers and release dates, we can find a list of versions and their corresponding Build numbers, for example Exchange Server 2016 CU10 is 15.01.1531.003. We can list the versions using PowerShell.

[PS] C:\>Get-ExchangeServer | FT Name, Edition, AdminDisplayVersion -AutoSize
Name                    Edition AdminDisplayVersion
----                    ------- -------------------
MAIL         StandardEvaluation Version 15.1 (Build 1531.003)

Management Interface

For management, we still have the command line (PowerShell) Exchange Management Shell, but instead of the Exchange Management Console, the web-based Exchange Administrative Center (EAC) is now used, which also replaced the Exchange Control Panel (ECP).

Connecting to the EAC (Exchange Admin Center)

The virtual directory on IIS for the EAC is called ECP (it remained that way historically). If the account we use to manage the Exchange server doesn't have a mailbox, we normally connect to the server address https://<<server name>>/ecp/. But if it has a mailbox, and it's located on the original Exchange 2010 (we haven't moved it yet), then even on the address of the new server, we'll get to the 2010 server where there's no administration. We need to use a special link https://<<server name>>/ecp/?ExchClientVer=15. This is mentioned in Create an Exchange 2016 mailbox.

[Image: Exchange Admin Center (EAC)]

Entering the Product Key

The edition, Standard or Enterprise, is determined by the key.

  • EAC - Exchange Admin Center
  • Servers - Servers
  • We select the server and click Enter Product Key
  • We enter the key and click Save
  • We restart the Microsoft Exchange Information Store service

Exchange and Certificates

Documentation: Configure Exchange 2016 certificates, Digital certificates and encryption in Exchange Server

After installation, Exchange creates 2 self-signed certificates (the third is for IIS). Their Friendly names are:

  • Microsoft Exchange - 5 years, IMAP, POP, IIS, SMTP, trusted by all Exchange servers in the organization, encrypts internal communication between Exchange servers and within server services, not used for clients
  • Microsoft Exchange Server Auth Certificate - 5 years, SMTP, used for authentication between servers using OAuth (it seems that the same one is on all Exchange servers)
  • WMSVC-SHA2 - 10 years, for remote administration of IIS (used by the Web Management service), we must not delete it, otherwise this service won't start and then Exchange updates can't be installed

On the internet, there are discussions about someone deleting the WMSVC-SHA2 certificate (which I also did) - Event ID 1007 — IIS Web Management Service Authentication. But guides like Web Management Service (WMSvc) could not be started: 2147483640 are unnecessary. I found that since it's a Self-signed certificate, it was also inserted into the Trusted Root Certification Authorities. And even if we delete it in Personal, it will remain in Trusted. So it's enough to right-click on it and choose Copy and paste it into Personal.

New Certificates

For client access, we should issue a trusted certificate at least from an internal authority. For encrypting SMTP traffic with external servers, we need a publicly trusted certificate. The number of certificates is recommended to be minimized, so we will create one for all servers with a series of SAN (Subject Alternative Name) names.

We can generate a request and then use it on an internal or public certification authority:

  • EAC - Exchange Admin Center
  • Servers - Certificates
  • by clicking the plus (New) button, a wizard starts where we can issue a Self-signed certificate or prepare a request for a CA
  • we go through the wizard, where we choose the domains (SAN) and certificate parameters, which we save to a file (a network path must be specified)
  • once the certificate is issued, we then complete it - on the right under Status, click Complete
[Image: Exchange Admin Center, certificate request]

Assigning Services

  • to start using the certificate, we need to assign it to certain services
  • we select the certificate and its Edit
  • the Services tab and assign the services we want

When we set a new certificate and assign all services to it, the Microsoft Exchange certificate will still have the IIS and SMTP services assigned. Microsoft states that there's no need to do anything about it. On IIS, the certificate for the Default Web Site will change, but it will remain on the Exchange Back End.

See Unable to open OWA, ECP, or EMS after a self-signed certificate is removed from the Exchange Back End Website.
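The request, completion and service assignment described above can also be done from the Exchange Management Shell. The following is an added example, not code from the original article; the server name, SAN names and file paths are placeholder assumptions.

```powershell
# Added example (not from the original article). Run in the Exchange Management Shell.
# Assumed placeholders: server name, SAN names and local file paths.
$Server   = 'MAIL'
$Names    = 'mail.example.com', 'autodiscover.example.com'
$ReqFile  = 'C:\Temp\exchange.req'   # request to submit to the CA
$CertFile = 'C:\Temp\exchange.cer'   # certificate returned by the CA

if (-not (Test-Path -LiteralPath $CertFile)) {
    # Step 1: create the pending request. The private key is generated and
    # kept on the server; only the public request leaves it.
    # Exportable key: needed if the same certificate is to be installed on
    # the other Exchange servers, as the article recommends.
    $request = New-ExchangeCertificate -Server $Server -GenerateRequest `
        -FriendlyName 'Exchange 2016 SAN certificate' `
        -SubjectName "CN=$($Names[0])" -DomainName $Names `
        -KeySize 2048 -PrivateKeyExportable $true
    Set-Content -LiteralPath $ReqFile -Value $request -Encoding Ascii
    Write-Host "Request written to $ReqFile. Rerun once the CA has issued $CertFile."
}
else {
    # Step 2: complete the pending request with the issued certificate.
    $cert = Import-ExchangeCertificate -Server $Server `
        -FileData ([System.IO.File]::ReadAllBytes($CertFile))

    # Step 3: assign services. Exchange asks for confirmation before it
    # replaces the default SMTP certificate.
    Enable-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint `
        -Services IIS, SMTP
}

# Step 4: review what is installed, which services each certificate carries,
# and when it expires. The self-signed certificates listed above should
# still be present.
Get-ExchangeCertificate -Server $Server |
    Sort-Object NotAfter |
    Format-Table Thumbprint, Services, IsSelfSigned, NotAfter, Subject -AutoSize
```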

Databases for Mailboxes and Logs

Mailbox Databases

Documentation: Manage mailbox databases in Exchange Server

  • EAC - Exchange Admin Center
  • Servers - Databases

During the installation of the Exchange server, the first database with the name Mailbox Database <number> was created, and the system mailboxes were placed in it. The database and transaction log files are located by default in the path C:\Program Files\Microsoft\Exchange Server\V15\Mailbox\. Since it's a good idea to have the data files and logs placed on separate disks (and elsewhere than the operating system), we either move the files of the default database, or we create a new database (which seems better to me).

When we create one or more new DBs, we can enter a reasonable name and define the path to the data files and logs. After creating a new Mailbox DB, it's necessary to restart the Microsoft Exchange Information Store service. Then we edit the DB and set the required limits (Limits) on mailbox size and in the client settings (Client Settings) assign the address book (Offline address book).

If we have a test server, or one that is simply not yet included in the standard backup, we need to set up transaction log truncation so that the disk doesn't fill up. See Exchange 2016 Enable Circular Logging.

  • EAC - Exchange Admin Center
  • Servers - Databases
  • We select the Mailbox DB - Edit - Maintenance - Enable Circular Logging - Save
  • We need to perform a Remount DB

Moving System Mailboxes to a New DB

The Exchange server contains certain special system mailboxes. When a new version of the Exchange server is installed, new system mailboxes are created in the first Mailbox DB. If we want to remove such a DB, we first need to move all mailboxes. Documentation: Recreate missing arbitration mailboxes, Move system mailboxes.

We can list the system mailboxes, either from all DBs

Get-Mailbox -Arbitration | FT Name, ServerName, Database

or only from a specific DB

Get-Mailbox -Database "Mailbox Database 0168801019"
Get-Mailbox -Database "Mailbox Database 0168801019" -Arbitration | FT Name, ServerName, Database

Then move them to the newly created DB

New-MoveRequest "Migration.8f3e8816-2011-43e4-9691-aba62d229136" -TargetDatabase DB01

We first need to move the Migration mailbox, then we can use the EAC for the move.

Deleting the Old Mailbox Database

  • EAC - Exchange Admin Center
  • Servers - Databases
  • We select the Mailbox DB - Delete

If there are any mailboxes in the database, we will get an information message and the deletion will not proceed. If the deletion is performed, we will get information that the DB has been deleted. But we have to manually delete the files of this database.

We may also be told that deleting the monitoring mailbox object of the given DB in AD DS failed (these objects are in ADUC - Microsoft Exchange System Objects - Monitoring Mailboxes) because we don't have the necessary permissions. We can delete it manually, but we need to find the name of this HealthMailbox. Info: Exchange 2013/2016 Monitoring Mailboxes. The easiest way is to list the monitoring mailboxes; the one we're looking for will be reported as corrupted.

[PS] C:\> Get-Mailbox -Monitoring
Name                      Alias                ServerName       ProhibitSendQuota
----                      -----                ----------       -----------------
HealthMailboxa3f38237d... HealthMailboxa3f3... mail1         Unlimited
WARNING: The object firma.local/Microsoft Exchange System Objects/Monitoring Mailboxes/HealthMailboxa3f38237d8334a5da13b26ea3a9956f2 has been corrupted or isn't compatible
with Microsoft support requirements, and it's in an inconsistent state. The following validation errors happened:
WARNING: Database is mandatory on UserMailbox.

After removing the DB, an error may be logged

Event ID 1006: The Microsoft Exchange Mailbox Replication service was unable to process jobs in a mailbox database.

The solution is to restart the Microsoft Exchange Mailbox Replication service.

Exchange and Logs

Various logs are created on the Exchange server. We'll leave aside the transaction logs of the Mailbox DB. Since there are a number of web services, we have standard IIS logs. They have one bad property, which is that they don't get deleted. The default path is C:\inetpub\logs\LogFiles. Compared to Exchange 2010, we really need to deal with deleting old logs (best automated with a script), because a month's worth of logs can take up tens of GB.

Exchange itself now logs significantly more than before. The logs reach several tens of GB and contain tens of thousands of files. The paths are C:\Program Files\Microsoft\Exchange Server\V15\Logging and C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Diagnostics\Logs.

Some description of the logs and a script for deleting them (at the time I downloaded it, it had bugs, so I rewrote it a bit) is in Exchange 2013/2016/2019 Logging - Clear out the Log files.
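An age-based cleanup for the three log locations named above, as an added example (it is not the script the article links to, nor the author's rewritten version). The retention period and the file extensions are assumptions; run it with -WhatIf first to see what would be deleted.

```powershell
# Added example, not the script referenced in the article.
# Assumptions: 30-day retention and the extensions below. The folders are the
# default locations named in the article.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Keep at least as many days as an incident investigation would need;
    # the IIS logs are the main record of client access to OWA, ECP and EWS.
    [int]$RetentionDays = 30,
    [string[]]$LogRoot = @(
        'C:\inetpub\logs\LogFiles',
        'C:\Program Files\Microsoft\Exchange Server\V15\Logging',
        'C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Diagnostics\Logs'
    ),
    [string[]]$Extension = @('.log', '.blg', '.etl')
)

$cutoff = (Get-Date).AddDays(-$RetentionDays)

foreach ($root in $LogRoot) {
    if (-not (Test-Path -LiteralPath $root -PathType Container)) {
        Write-Warning "Skipping missing folder: $root"
        continue
    }

    # Only files with a known log extension and older than the cutoff.
    $old = @(Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in $Extension -and $_.LastWriteTime -lt $cutoff })

    $candidateBytes = 0
    $freedBytes     = 0
    foreach ($file in $old) {
        $size = $file.Length            # read before the file is removed
        $candidateBytes += $size
        if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete log file')) {
            try {
                Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
                $freedBytes += $size
            }
            catch {
                # Files still held open by a service are left for the next run.
                Write-Warning "Could not delete $($file.FullName): $($_.Exception.Message)"
            }
        }
    }

    # One summary object per folder, suitable for a scheduled-task log.
    [pscustomobject]@{
        Folder      = $root
        Candidates  = $old.Count
        CandidateMB = [math]::Round($candidateBytes / 1MB, 1)
        FreedMB     = [math]::Round($freedBytes / 1MB, 1)
    }
}
```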

Exchange Server Health Checker

A useful script that checks the Exchange server settings against Best Practices, security settings and vulnerabilities. The latest version is available for download at HealthChecker.

.\HealthChecker.ps1
.\HealthChecker.ps1 -BuildHtmlServersReport

Comments
  1. [1] Pavel Jireš

    Well, this is a very nice series of articles about migrating to Exchange 2016. No fluff, just pure substance. You can tell it was written by an experienced practitioner; everything that is needed is there. As a long-time Exchange admin and implementer, I can only praise it.

    Thursday, 07.11.2019 17:40 | answer
  2. [2] Vašek K

    Hello, after 4 years of running Exchange 2016, the log folder located in C:\...Exchange\V15\logs has about 80Gb.

    Do you have a tested and, above all, safe script for deleting old logs? I found this article, but I admit I don't know this script and I'd rather not "shoot myself in the foot". The new year and FIPFS were enough for me :-)

    https://www.alitajran.com/cleanup-logs-exchange-2013-2016-2019/

    Thank you very much :-)

    Thursday, 06.01.2022 11:08 | answer
  3. [3] Samuraj

    respond to [2]Vašek K: I'm very surprised that it's so little. I get 30GB of logs created per week. And I write about deleting them right at the end of this article :)

    Thursday, 06.01.2022 12:57 | answer
  4. [4] Vašek K

    respond to [3]Samuraj: I read through it; the problem is that the script on that page is no longer available. That's why I also sent an alternative link, in case someone already has experience with that script. When it comes to Exchange, I'm probably really too cautious :-(

    Thursday, 06.01.2022 15:02 | answer
  5. [5] Majk Black

    I have to give praise; this series and everything you have written is helping me. Just for laymen like me, a small mistake in the command

    Setup.exe /Prepare Schema /IAcceptExchangeServerLicenseTerms should be PrepareSchema.

    Sunday, 25.12.2022 22:01 | answer
  6. [6] vlci

    Hi, with Exch 2016 CU23, creating a CSR via the web UI is no longer possible. Now only via cmdlets.

    Thursday, 11.01.2024 10:04 | answer