Shulou(Shulou.com)06/03 Report--

In the previous article, we completed the installation of Exchange Server 2016 CU8, "Exchange 2016 deployment implementation case-03.Exchange deployment (part two)". Next, we will enter the configuration-related content. The initial plan is to divide the configuration into upper and lower disk characters to write the configuration, but in the actual configuration process, we found that there are a lot of screenshots, so we have to divide the configuration into upper, middle and next three pages to write the configuration again, please understand.

DNS configuration (DNS polling)

Friends who have deployed Exchange Server may know that after deploying Exchange, you can only use IP or LocalHost to access it, unless you add an A record to your DNS, but have read the active Directory deployment article "Exchange 2016 deployment implementation case-02." Friends of "active Directory deployment" may know that the domain name of the domain we deployed is ITSoul.inter, so how can we use Mail.Itsoul.cn to access that?

First of all, we need to create an ITSoul.cn DNS domain in the DNS of the domain. (if you have a business system that is also using ITSoul.CN domain access, and if you are going through the public network, create a copy of all the records in the private network DNS) as follows

Open the DNS of the domain, and right-click "New Zone" in the forward lookup area, as shown in the figure:

When you click finish, the following screen pops up, and click "next"

After clicking "next", the following interface pops up, refer to the screenshot, select "main area" and click "next"

Choose whether the DNS scope is synchronized to this domain or to the forest according to the requirements

Enter the name of the DNS scope you want to create. We want to use Mail.Itsoul.cn to access mail, so the scope is ITSoul.cn, so we can type ITSoul.cn here.

Similarly, you can choose according to the needs and the actual environment.

Check the summary information, confirm it and click "finish".

At this point, our DNS scope has been created. Friends who have come into contact with Exchange Server 2016 may know that there are only two roles (MailBox and edge) left in Exchange Server 2016, so what to do with the high availability of our front end? there are two normal ways for the high availability of the front end of Ex2016. (1, use DNS rotation training 2, if resources are recommended to use hardware load balancing equipment), some friends may ask me Why not use NLB? first of all, NLB requires binding on network devices, and secondly, the two roles NLB and DAG cannot be installed on the same server. Although tests in the actual environment show that they can be used on one server, it is not too recommended. If you really want to use NLB, it is recommended that you install 2 Ex2016 alone, use these two EX2016 for current use, and create NLB on these two servers.

Here I will use DNS rotation training as the high availability of the front end. First of all, we need to make sure that the DNS rotation training feature is enabled on DNS. As shown in the figure, right-property on the server:

As shown in the picture, I have enabled DNS rotation training here.

Next, we can create an A record, as shown in the figure, right-click on the ITSoul.cn and select create-A record.

Enter Mail,IP in the name and enter the IP address of the first server

Then, as above, create an A record again, and IP enter the IP address of the second server

At this point, our DNS rotation training came to an end.

Certificate configuration

After the DNS rotation training configuration is completed, we can use Mail.ITsoul.cn to access email, but the web page will report a certificate error. We can only use a public network certificate or use a private network certificate to bind to the EX. In order to cover up the certificate installation, I will use the private network certificate here.

Certificate server installation opens server manager, click add roles and functions

Just keep it by default. There's nothing to choose from.

Select according to the screenshot and click "next"

Select according to the screenshot and click "next"

Refer to the screenshot, select the AD certificate and click "next"

Just keep the function interface by default, and click "next" directly.

Click "next" directly for this step.

For the next step, we must select Certificate Authority Web enrollment and click next.

The IIS interface can also be kept by default. Click "next" directly.

Check the summary information and click "install" after confirming it.

We still need to configure it after the installation is complete.

Refer to the screenshot and click "next" directly.

Select the role you want to configure and click next

With reference to the screenshot, we must select "Enterprise CA" for this step. There are instructions in the screenshot, so I won't introduce them too much.

Since our CA is the first CA, we can choose to follow CA.

Select according to the screenshot and click "next"

The encryption options are selected according to the actual needs, so I will keep the default here.

Enter information such as CA name and click "next"

The default CA is 5 years. It is recommended to set a larger point in the actual environment to avoid expiration. If it expires, it will not be fun.

Select a storage location such as database, log, etc., and click next.

Check the summary information, confirm it and click "configuration".

At this point, our CA configuration is complete.

Certificate request

Next, we will apply for a certificate for Exchange Server. The detailed steps are as follows:

Refer to the screenshot, open the ECP of Exchange, and click "Server"-"Certificate"-"+"

Select according to the screenshot and click "next"

The certificate friendly name can be filled in according to your own habits.

If you want to use a wildcard certificate, you can configure it here. I won't use a wildcard certificate here.

Select Certificate Store Server

Configure it according to the actual needs, or keep it by default and configure it in the next step.

If there is no configuration above, you can just add it here. Since we still need to use the OOS server later, I applied for the domain name of OOS as well.

The interface can be input according to the actual input.

Select the storage location of the certificate application file, which must be the shared path

After the application profile is created, this step shows the shelved request

Open the CA certificate application interface

Refer to the screenshot and select "Advanced Certificate Application"

Select with reference to screenshot

Use TXT to open the application file you just created

As shown in the picture, paste the application document you just copied into the application website, and select "Web" as the template.

Download certificate

Refer to the screenshot and click finish

Select a certificate store location

Import completed

Next, we click Edit to assign the service.

Refer to the screenshot and select the service to be assigned

Just click "Yes"

Service allocation completed

At this point, we have completed the certificate import and service allocation of the first server, and then we have carried out the certificate import and allocation of the second server.

Refer to the screenshot and click Export Certificate

Select the certificate storage location and enter the password

Refer to the screenshot, navigate to the second server and click Import Certificate

Refer to the screenshot, select the normal storage location, and enter the password

Select the server on which you want to import the certificate and click finish

The certificate import is complete, and then we assign the service.

Assign servic

Service allocation completed

At this time, we will not report a certificate error when we log in.

Support us to complete the installation and application of the certificate server and the distribution of services.

Authentication method modification

After the certificate is imported, open OWA and you will find that it is too troublesome to log in by entering the domain\ user name. Next, we modify it and log in using only the user name.

First, we open ECP and navigate to server-virtual directory-OWA- to modify.

Select according to the screenshot and click "Save"

According to the screenshot, we need to restart IIS before it takes effect.

We all know the graphical interface, so how do we use the command to set that? the command is as follows:

Set-owavirtualdirectory-identity "EXSrv02\ owa (default web site)"-LogonFormat UserName-DefaultDomain "ITSoul.inter"

Restart IIS

Open OWA again and the modification has been completed

I hope you can give us your likes or attentions. thank you very much:

Follow the individual:

Log in to your 51CTO account or use Wechat to log in. After successful login, click the link below.

Link: http://home.51cto.com/space?uid=8658374, click to follow.

Follow the blog (quietly, if your account is bound to Wechat, you will be notified on Wechat every time you update the blog post):

Open the following link: https://blog.51cto.com/itsoul reference screenshot and click follow

Log in to your 51CTO account or choose to log in using Wechat

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.