Overview of Exchange 2019-Part 4
Amir Reza Shokouh
Exchange 2019 management tools include the following tools:
Exchange Admin Center (EAC)
Exchange Management Shell (EMS)
Naming different parts of EAC:
1: Cross-premises navigation
2: Feature pane
3: Tabs
4: Toolbar
5: List view
6: Details pane
7: Notifications
8: Me tile and Help
Access to the EAC console:
https://<Exchange Server Name>/ecp
Note: All Exchange features can be managed through EMS, but some of them cannot be managed through EAC, so EMS is more powerful than EAC. Any operation started from EAC is in fact carried out in the background by the corresponding EMS cmdlets.
Note: Learning PowerShell is not optional but a must for working with Exchange. Books such as Microsoft Exchange Server 2016 PowerShell Cookbook can be used for this purpose.
Introduction to Exchange PowerShell commands:
PowerShell commands are generally called cmdlets. Cmdlets have a simple Verb-Noun structure. Common verbs used in cmdlets include the following:
Get, Set, Remove, Test, Enable, Disable, Install, Uninstall, New,…
For example: Get-Service
Using the pipeline (|), cmdlets can be chained together. In other words, the result of the left cmdlet is passed to the right cmdlet, or the right cmdlet is used as a filter on the output of the left cmdlet:
Get-Service | Where {$_.Status -eq "Running"}
Some examples of cmdlets used in Exchange:
Get-Mailbox: Returns all Mailboxes on the server.
Get-Mailboxstatistics <Mailbox>: Provides information about the mailbox.
Get-Mailbox -OrganizationalUnit Sales: Returns the mailboxes of the users who are in an OU called Sales.
Get-Mailbox | Set-Mailbox -ProhibitSendQuota 500MB: Sets the maximum mailbox size of all users to 500 MB, so that once this size is reached it is no longer possible to send email to users who have reached this limit.
Note: If a complete cmdlet is not written, pressing the TAB key completes the rest. (AutoComplete)
Get-Command: Displays all cmdlets
Get-ExCommand: Displays all Exchange cmdlets.
View running services:
Get-Service | Where {$_.Status -eq "Running"}
Display complete information about Administrator User Mailbox:
Get-Mailbox Administrator | fl
For information on how to use a cmdlet, such as Get-Mailbox, use the following cmdlet:
Get-Help Get-Mailbox
See examples of a cmdlet (for example, Get-Mailbox):
Get-Help Get-Mailbox -Examples
Note: You can use a CSV file and a PowerShell script on the DC to create users in Active Directory. The following pipeline is then used to create mailboxes for the users in an OU:
Get-User -OrganizationalUnit "<OU Name>" | Where-Object {$_.RecipientType -eq "User"} | Enable-Mailbox -Database "<Database Name>"
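As an added example (not code from the original article), the following EMS script bulk-provisions mailboxes from a CSV: it mailbox-enables AD users that already exist and creates user plus mailbox for those that do not. The OU, database, domain and the inline sample rows are assumptions.

```powershell
# Added example: bulk mailbox provisioning from CSV, run in the Exchange Management Shell.
# The OU, database and domain below are assumptions, not values from the article.
$Database = "DB01"
$Domain   = "contoso.com"
$OU       = "contoso.com/Sales"

# Constructed sample data; in practice replace with Import-Csv .\users.csv
$Users = @"
Name,Alias,FirstName,LastName
Alice Example,alice,Alice,Example
Bob Example,bob,Bob,Example
"@ | ConvertFrom-Csv

foreach ($u in $Users) {
    $upn = "$($u.Alias)@$Domain"

    # Skip accounts that are already mailbox-enabled, so the script can be re-run safely
    if (Get-Mailbox -Identity $upn -ErrorAction SilentlyContinue) {
        Write-Host "Mailbox already exists for $upn, skipping"
        continue
    }

    if (Get-User -Identity $upn -ErrorAction SilentlyContinue) {
        # AD user exists (for example created by a script on the DC): only add a mailbox
        Enable-Mailbox -Identity $upn -Database $Database -Alias $u.Alias
    } else {
        # No AD account yet: New-Mailbox creates the user object and the mailbox together
        $pw = Read-Host -AsSecureString -Prompt "Initial password for $upn"
        New-Mailbox -Name $u.Name -Alias $u.Alias -FirstName $u.FirstName -LastName $u.LastName `
            -UserPrincipalName $upn -OrganizationalUnit $OU -Database $Database `
            -Password $pw -ResetPasswordOnNextLogon $true
    }
}

# Verify the result, in the same pipeline style as the article's examples
Get-Mailbox -OrganizationalUnit $OU | Select-Object Name, Alias, Database, ProhibitSendQuota
```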
Exchange activation
For this purpose in:
EAC ---> Servers ---> Servers tab
In the Details pane, click the Enter Product Key option and enter the Exchange product key.
Federation Trust
Setting up a Federation Trust allows users in two or more different organizations that each run Exchange Server to share their calendar Free/Busy information.
In this solution, the Client Access service of each organization establishes a trust with a Microsoft authentication platform called Azure Active Directory, which is a free service. This Microsoft service, also called the Microsoft Federation Gateway (MFG), acts as an intermediary and exchanges the information between the two or more organizations.
Federation Trust setup prerequisites:
1. The EWS (Exchange Web Services) and Autodiscover services must be published to the Internet through a reverse proxy such as TMG.
* These features and how to publish them will be discussed in detail in a separate section.
2. WSSecurity must be enabled on the EWS and Autodiscover virtual directories. To check this, we use the following cmdlets:
Get-ClientAccessServer | Get-WebServicesVirtualDirectory | select *auth*
CertificateAuthentication:
InternalAuthenticationMethods: {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods: {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthentication:
WSSecurityAuthentication: True
LiveIdBasicAuthentication: False
BasicAuthentication: False
DigestAuthentication: False
WindowsAuthentication: True
OAuthAuthentication: True
AdfsAuthentication: False
Get-ClientAccessServer | Get-AutodiscoverVirtualDirectory | select *auth*
InternalAuthenticationMethods: {Basic, OAuth}
ExternalAuthenticationMethods: {Basic, OAuth}
LiveIdNegotiateAuthentication: False
WSSecurityAuthentication: False
LiveIdBasicAuthentication: False
BasicAuthentication: True
DigestAuthentication: False
WindowsAuthentication: False
OAuthAuthentication: True
AdfsAuthentication: False
As can be seen in the example above, WSSecurity is not enabled on the Autodiscover virtual directory. To enable it, the following cmdlet is used:
Get-ClientAccessServer | Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory -WSSecurityAuthentication $true
Then restart IIS.
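The prerequisite check above, as an added example that is not part of the original article: it audits WSSecurity on both virtual directories of every Client Access server and previews (with -WhatIf) the fix for only the non-compliant ones, so nothing is changed blindly.

```powershell
# Added example: audit WSSecurity on the EWS and Autodiscover virtual directories of
# every Client Access server before enabling a Federation Trust. Run in the EMS.
$report = foreach ($cas in Get-ClientAccessServer) {
    foreach ($vdir in @(
        ($cas | Get-WebServicesVirtualDirectory),
        ($cas | Get-AutodiscoverVirtualDirectory)
    )) {
        [pscustomobject]@{
            Server       = $cas.Name
            VirtualDir   = $vdir.Name
            WSSecurity   = $vdir.WSSecurityAuthentication
            InternalAuth = ($vdir.InternalAuthenticationMethods -join ",")
            ExternalAuth = ($vdir.ExternalAuthenticationMethods -join ",")
        }
    }
}
$report | Format-Table -AutoSize

# Touch only the directories that are not compliant; -WhatIf shows the change first
$broken = $report | Where-Object { -not $_.WSSecurity }
foreach ($b in $broken) {
    if ($b.VirtualDir -like "Autodiscover*") {
        Get-AutodiscoverVirtualDirectory -Server $b.Server |
            Set-AutodiscoverVirtualDirectory -WSSecurityAuthentication $true -WhatIf
    } else {
        Get-WebServicesVirtualDirectory -Server $b.Server |
            Set-WebServicesVirtualDirectory -WSSecurityAuthentication $true -WhatIf
    }
}
# Remove -WhatIf to apply, then restart IIS (iisreset) on each server that was changed.
```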
Launching Federation Trust:
For this purpose, in EAC go to Organization ---> Sharing tab and, in the Federation Trust section, click Enable.
When the Federation Trust is Enabled:
1. A self-signed certificate is created for use in the Federation Trust.
2. The New-FederationTrust command is executed in order to create a Federation Trust using the created Certificate.
After enabling the Federation Trust, two parts of Organization Sharing and Individual Sharing are created in Sharing TAB.
Federation Trust configuration:
In the Federation Trust section, clicking Modify opens the Sharing-Enabled Domains page. In the first step (Select an accepted domain), the main sharing domain for the Federation Trust must be selected. This domain is usually the main SMTP domain of the forest.
The domain name is used to create the Organization Identifier (OrgID) by prepending FYDIBOHF25SPDLT. For example, if the domain name is Contoso.com, the string
FYDIBOHF25SPDLT.Contoso.com
is created as the OrgID, which is the Exchange Organization ID of that organization for the Federation Trust.
Proof of Domain Ownership:
To prove domain ownership to MFG, a TXT record must be created in the organization's public DNS. This TXT record has no host name (it sits at the domain itself), and its content is generated automatically when you select an accepted domain.
After creating the TXT record in public DNS, we click Update to send the request to MFG. After the update, we return to the Sharing-Enabled Domains page and, if there is more than one domain, enter the desired subdomains in the Add Additional Domains section.
Note: For each of the subdomains, you must create the corresponding TXT record before clicking the Update button, as described above.
Organization Relationship configuration:
EAC ---> Organization ---> Sharing tab ---> Organization Sharing
In this section, we click + to open the Organization Relationship page. In the Relationship name field, enter the desired name. In the Domains to share with section, enter the domain names of the other organization, which must also have established a trust with the Microsoft MFG and with which we want to share Free/Busy information. In the Enable calendar free/busy information sharing section, we specify the desired sharing level. In the Share calendar free/busy information for section, we specify the users who are allowed to share.
Note: If we want to have more settings in this area (such as Enable or Disable MailTips, etc.), we must use EMS.
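As an added example, not from the original article, this is how the same Organization Relationship is created from EMS, including the MailTips settings that the EAC page does not expose. The partner domain, relationship name, group and test mailbox are assumptions.

```powershell
# Added example: create an Organization Relationship from the EMS, which exposes
# settings (MailTips) the EAC page does not. Domain, group and mailbox names are assumptions.
$PartnerDomain = "fabrikam.com"

# 1. Discover the partner's federation information through MFG/Autodiscover.
#    This fails if the partner has not completed its own Federation Trust.
$fedInfo = Get-FederationInformation -DomainName $PartnerDomain

# 2. Create the relationship; TargetApplicationUri and TargetAutodiscoverEpr
#    are taken from the discovered information rather than typed in by hand.
$fedInfo | New-OrganizationRelationship -Name "Fabrikam" `
    -FreeBusyAccessEnabled $true `
    -FreeBusyAccessLevel LimitedDetails `
    -FreeBusyAccessScope "Sales Team" `
    -MailTipsAccessEnabled $true `
    -MailTipsAccessLevel Limited

# 3. Settings can be adjusted later with Set-OrganizationRelationship
Set-OrganizationRelationship -Identity "Fabrikam" -MailTipsAccessLevel All

# 4. Verify from a real mailbox that Free/Busy lookups against the partner work
Test-OrganizationRelationship -Identity "Fabrikam" -UserIdentity alice@contoso.com -Verbose
Get-OrganizationRelationship "Fabrikam" | Format-List Name, DomainNames, FreeBusy*, MailTips*
```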
Sharing Policy Configuration:
Sharing policies apply to User Mailboxes and allow them to share their Free / Busy information and Contacts with other users in an external Federated Organization.
EAC ----> Organization -----> Sharing TAB -----> Individual Sharing
To create a Sharing Policy, click + to open the Sharing policy page. In the Policy name field, enter the desired name, and in the Define sharing rules for this policy field, create the desired rule or rules. By checking Make this policy my default sharing policy, you can make the new policy the default policy.
To create a Sharing Rule for a Sharing Policy, click on + to open the Sharing rule page and make the appropriate settings. Here you can specify the Sharing settings for each external domain.
Note: The default Sharing Policy applies to all users. If we create a new Sharing Policy, we have to apply it to the intended user or users ourselves. To do this, go to:
EAC ---> Recipients ---> Mailboxes tab
Edit the mailbox of the desired user, and in the Mailbox Features section, under Sharing Policy, select the desired Sharing Policy from the menu.
If we want to apply this policy to multiple users, hold down the CTRL key and select the desired users; then in the Details pane, under Bulk Editing, select More options, and under Sharing Policy click Update and apply the desired Sharing Policy.
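The same Sharing Policy workflow done from EMS, as an added example that is not part of the original article: the policy is created with per-domain rules, assigned to one mailbox and then to a whole OU, and the assignment is reviewed. Domain, policy, OU and mailbox names are assumptions.

```powershell
# Added example: a Sharing Policy created and assigned from the EMS, equivalent to the EAC
# steps above. Domain, policy, OU and mailbox names are assumptions, not from the article.
# Each rule is "<domain>: <action>"; actions are CalendarSharingFreeBusySimple,
# CalendarSharingFreeBusyDetail, CalendarSharingFreeBusyReviewer and ContactsSharing.
New-SharingPolicy -Name "Partner Calendar Sharing" -Domains @(
    "fabrikam.com: CalendarSharingFreeBusyDetail",
    "*: CalendarSharingFreeBusySimple"          # any other federated domain: Free/Busy only
) -Enabled $true

# Assign it to a single mailbox ...
Set-Mailbox -Identity alice@contoso.com -SharingPolicy "Partner Calendar Sharing"

# ... or in bulk, in the same pipeline style as the article's Get-Mailbox examples
Get-Mailbox -OrganizationalUnit "contoso.com/Sales" |
    Set-Mailbox -SharingPolicy "Partner Calendar Sharing"

# Review which policy each mailbox uses; mailboxes without an explicit policy use the default
Get-Mailbox -ResultSize Unlimited |
    Group-Object -Property { $_.SharingPolicy } |
    Select-Object Name, Count
```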
App TAB:
EAC ---> Organization ---> Apps tab
The applications in this section are applied to users' Outlook and let users do more in Outlook. In this section, you can download and install Outlook-specific apps from the Office Store.