Author: Kannan

How to Guide Windows Server Update Services on Windows Server 2019

Preface

Windows Server Update Services (WSUS) retrieves updates for Windows and other Microsoft products (such as Office applications) and stores them internally as a distribution point. This reduces bandwidth consumption, because each Microsoft device does not have to contact the Microsoft servers for its updates. WSUS is also a valid source from a security point of view: it is the distribution point from which local Windows servers and workstations get the security and other updates that originate from the Microsoft servers. WSUS servers can also act as replica servers, which fetch copies of the Microsoft updates from a central WSUS server and distribute them to a subnet or site. WSUS can be used to test updates before they are approved for a server or workstation.

In this article, I am going to demonstrate how to deploy Windows Server Update Services from the Windows Server role group and configure it to synchronize patches from the Microsoft update servers. We are also going to look at how to configure a Group Policy object so that clients automatically install the approved Windows patches from the WSUS server and schedule the restart after the update installation. We are going to configure client-side targeting to group the computers under a specific target name, so that it is easier for administrators to troubleshoot or update the systems.

The following points are discussed in this article while demonstrating the WSUS role installation. I recommend that readers who are new to WSUS go through this article step by step. Experienced administrators can go straight to the configuration step where they are stuck. Let us begin the installation once you have a server with Windows Server 2019 installed and joined to the Active Directory domain.

  • Add Windows Server Update Services role
  • WSUS Configuration Wizard
  • Launch Windows Server Update Services Console
  • Configure the Group Policy object for WSUS Clients
  • Testing WSUS Client

Add Windows Server Update Services role

The demonstration begins with installing the WSUS role from the Windows Server 2019 role group in the Server Manager snap-in. Launch Server Manager and click Add roles and features to start adding the server role.

The Before you begin page gives you the gist of how the Add Roles and Features wizard helps you install roles or features on your local or a remote computer. You may go through the instructions if you are new to adding roles and features on Windows Server. If you don’t want to see the “Before you begin” page anymore, select Skip this page, then click Next to move on to the next page of the wizard.

The WSUS role comes under role-based or feature-based installation, so select Role-based or feature-based installation and click Next.

On the server selection page, the local server is listed, and our intention is to install the WSUS role on the local server. Click Next to continue.

From the server roles list, select Windows Server Update Services. When you click the role, you will be prompted to choose the features to install; leave the default selection and click Add Features to return to the role selection window.

With the Windows Server Update Services checkbox selected, click Next to continue.

The next screen is for selecting features related to the role; leave the default selection and click Next.

The WSUS page gives an overview of WSUS; go through it and click Next to continue.

On the Select role services page, leave the WID Connectivity and WSUS role services selected, and move on to the next page by clicking Next.

On the content location page, give a path on a drive that has at least 50 GB of disk space and enough room to grow with your update selection. It is also a good idea to keep the content off the system drive. As this is a demonstration, I have used C:\WSUS as the content path. Type the folder path and click Next to continue.

WSUS clients, such as Windows client workstations and Windows servers, mostly depend on the WSUS web services for connectivity. For detailed information, go through the details on this page, then click Next to continue.

On the Role Services page, leave the default selection and click Next to continue.

On the confirmation page, you will see all the roles and features selected so far for the WSUS installation. Click Install to start the installation.

The installation progress page shows the progress of the installation; leave the WSUS installation to complete.

Once the installation has completed, you will see the Launch Post-Installation link; click it to start the post-installation.

Click the notification flag to check the post-installation progress and status. After about two minutes, the state will show that the installation succeeded.

WSUS Configuration Wizard

Select the WSUS role in the left-side navigation, right-click the server and click Windows Server Update Services to start the WSUS configuration wizard.

The Before you begin page asks you to check whether the firewall allows clients to access the server, whether the server can reach the Microsoft servers on the internet to download the updates, and whether any proxy server credentials are needed to access the Microsoft servers. Go through the questions, act on them if required, and click Next to continue.

As this is a demonstration, I have unchecked participation in the Microsoft Update Improvement Program. You can choose either to join or not, as you wish. Click Next to continue.

This server is going to get its updates from the Microsoft servers, so select Synchronize from Microsoft Update and click Next.

If you are using a proxy server to access the internet, type the proxy server details. Mostly the internet is connected directly; click Next to continue.

The next page is for connecting to the upstream server. This will take about ten minutes to complete, so wait for the server to connect to the upstream server.

The connection progress shows the status of the connection; wait for the connection to the upstream server to be made.

Once the connection to the upstream server has completed, click Next to continue.

As all the Microsoft systems in my lab network are installed in English, I have selected English. In your installation, if multiple languages or a specific language are needed, select the appropriate languages and click Next.

In this demonstration, I’m using a Windows 10 computer to test the Windows update settings. Go through the list and choose the appropriate products for the other systems you want to update, such as Windows Server 2019, Office Pro Plus, and so on. Click Next to continue.

Select the update classifications you need; I have selected Critical, Definition and Security updates. You may also choose others such as upgrades, drivers, and so on. Click Next to continue.

On the synchronization schedule page, select “Synchronize automatically” and choose a suitable time for the synchronization to happen, as well as the number of synchronizations per day (the default is 1). A time in the early morning window is a good idea. Click Next to continue.

On the Finished page, select Begin initial synchronization and click Next.

On the What’s next page, click Finish to end the WSUS configuration wizard and launch WSUS.

Launch Windows Server Update Services Console

Next, go to Server Manager, select the WSUS role in the left-side navigation, right-click the server in the middle pane and click Windows Server Update Services.

Expand the Updates node, select Critical Updates, change the status to Any in the filtering options at the top and click Refresh. You will see the critical updates available for installation.

In the same way, select Security Updates, and you will see the security updates ready for installation as in the screen below.

In the Computers hierarchy, we are going to create a group called workstations, into which all the workstation computers are placed by the client-side targeting GPO that we will look at later in this demonstration. Right-click the All Computers node, click Add Computer Group and type a name; I am creating a group called workstations. Click Add to add the computer group.

In addition to what was already configured by the WSUS configuration wizard, we are also going to make a slight configuration change under Options, in the Computers item. Double-click Computers and select Use Group Policy or registry settings on computers, so that computers are assigned to the group through client-side targeting.
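
The wizard steps so far (role installation, post-installation, the configuration wizard choices and the workstations group) can also be applied as a script. The following PowerShell is an added example, not part of the original walkthrough; the 03:00 synchronization time and the exact product title are assumptions to adjust for your environment.

```powershell
# Added example (not from the original article): the wizard steps as a script.
# Run in an elevated PowerShell session on the Windows Server 2019 WSUS host.

$ContentDir = 'C:\WSUS'               # content path used in the demonstration
$GroupName  = 'workstations'          # group later used by client-side targeting
$SyncTime   = New-TimeSpan -Hours 3   # assumption: 03:00 stands in for "early morning"
$Products   = @('Windows 10')         # assumption: match the titles in your catalogue
$Classes    = @('Critical Updates', 'Definition Updates', 'Security Updates')

# Role installation: WSUS with the default WID database, plus the console.
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools | Out-Null

# Post-installation task: initialise the database and the content directory.
New-Item -Path $ContentDir -ItemType Directory -Force | Out-Null
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall "CONTENT_DIR=$ContentDir"
if ($LASTEXITCODE -ne 0) { throw "wsusutil postinstall failed (exit code $LASTEXITCODE)" }

# Upstream source, update language and targeting mode.
$wsus = Get-WsusServer
Set-WsusServerSynchronization -SyncFromMU | Out-Null
$config = $wsus.GetConfiguration()
$config.AllUpdateLanguagesEnabled = $false
$config.SetEnabledUpdateLanguages('en')
$config.TargetingMode = 'Client'      # "Use Group Policy or registry settings on computers"
$config.Save()

# Download the product and classification catalogue before choosing from it.
$subscription = $wsus.GetSubscription()
$subscription.StartSynchronizationForCategoryOnly()
do {
    Start-Sleep -Seconds 15
} while ($subscription.GetSynchronizationStatus() -ne 'NotProcessing')

# Products and classifications: clear the defaults, then enable the chosen ones.
Get-WsusProduct | Set-WsusProduct -Disable
Get-WsusProduct | Where-Object { $_.Product.Title -in $Products } | Set-WsusProduct
Get-WsusClassification | Set-WsusClassification -Disable
Get-WsusClassification |
    Where-Object { $_.Classification.Title -in $Classes } |
    Set-WsusClassification

# Synchronization schedule, then the initial synchronization.
$subscription = $wsus.GetSubscription()
$subscription.SynchronizeAutomatically          = $true
$subscription.SynchronizeAutomaticallyTimeOfDay = $SyncTime
$subscription.NumberOfSynchronizationsPerDay    = 1
$subscription.Save()
$subscription.StartSynchronization()

# Computer group for client-side targeting (skipped if it already exists).
if (-not ($wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $GroupName })) {
    $wsus.CreateComputerTargetGroup($GroupName) | Out-Null
}
```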

Configure the Group Policy object for WSUS Clients

So that client computers automatically get the configuration details of the WSUS server, we are going to use a Group Policy object to distribute the configuration.

Log in to the domain controller and launch Server Manager. In the Server Manager snap-in, click Tools and then Group Policy Management to open the Group Policy Management console.

Right-click the OU that contains the computer objects of the computers for which you want to configure WSUS, and choose to create and link a new Group Policy object. In this demonstration, the OU happens to be the Computers OU under the Company root OU.

As this is a policy for workstations, I have named it WSUS Workstations Policy. Type a descriptive name and click OK.

Right-click the policy just created, and click Edit.

We are going to enable three Group Policy settings in the following GPO section.

Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Update

The first one we are going to edit is “Specify intranet Microsoft update service location”; double-click it.

Click Enabled to enable this setting and type the URL of the WSUS server. In this demonstration, the server name of the WSUS server is WSUS.mrigotechno.club. Replace this hostname as per your installation and add port 8530 to it. So the URL to provide in both “Set the intranet update service for detecting updates” and “Set the intranet statistics server” is http://wsus.mrigotechno.club:8530

The next setting is “Configure Automatic Updates”; double-click it to edit the setting.

Click Enabled to enable the setting, and in the options section, select the one of the four options that matches your environment. “Auto download and schedule the install” under Configure automatic updating is a good option, as it means less overhead from an administration point of view. Also, select a time for the scheduled install. Click OK to go back to the GPO settings list.

The third setting is client-side targeting. Double-click the “Enable client-side targeting” setting.

In the client-side targeting settings, click Enabled to enable the setting and type the name of the group that we created in the WSUS console previously. The group name was workstations; type the name that you have created and click OK.

Testing WSUS Client

We have completed setting up Group Policy. Now I’m going to start the client computer, which has Windows 10 installed and is joined to the Active Directory domain. Open a command prompt and type the following command to refresh Group Policy.

gpupdate /force

You can see the command output as in the screen below on the Windows 10 computer.

Once Group Policy has been updated on the client computer, the client’s computer name and update status are visible in the WSUS console under the computer group assigned by client-side targeting.
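
If the client does not show up in the console, the three GPO settings can be checked directly on the client, where they land as registry values under the Windows Update policy key. The following script is an added example, not part of the original article; it compares those values with the URL and group name used in this demonstration and also warns when the WSUS URL uses plain HTTP.

```powershell
# Added example (not from the original article): check the WSUS policy on a client.
# Run on the Windows 10 client after "gpupdate /force".

$ExpectedServer = 'http://wsus.mrigotechno.club:8530'   # URL entered in the GPO
$ExpectedGroup  = 'workstations'                        # client-side targeting group

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $wuKey      -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue
if (-not $wu -or -not $au) {
    throw 'Windows Update policy keys not found: the GPO has not reached this computer.'
}

function New-Check {
    param([string]$Policy, [string]$Value, $Expected, $Actual)
    [pscustomobject]@{
        Policy   = $Policy
        Value    = $Value
        Expected = $Expected
        Actual   = $Actual
        Ok       = ("$Actual" -eq "$Expected")   # string comparison, case-insensitive
    }
}

$checks = @(
    New-Check 'Intranet update service location' 'WUServer'           $ExpectedServer $wu.WUServer
    New-Check 'Intranet update service location' 'WUStatusServer'     $ExpectedServer $wu.WUStatusServer
    New-Check 'Intranet update service location' 'AU\UseWUServer'     1               $au.UseWUServer
    New-Check 'Configure Automatic Updates'      'AU\AUOptions'       4               $au.AUOptions  # 4 = auto download and schedule the install
    New-Check 'Client-side targeting'            'TargetGroupEnabled' 1               $wu.TargetGroupEnabled
    New-Check 'Client-side targeting'            'TargetGroup'        $ExpectedGroup  $wu.TargetGroup
)
$checks | Format-Table -AutoSize

# The schedule is reported, not judged: the article leaves the install time to you.
'Scheduled install day {0} (0 = every day), hour {1}' -f $au.ScheduledInstallDay, $au.ScheduledInstallTime

if ($checks.Ok -contains $false) {
    Write-Warning 'At least one value differs from the GPO; run "gpresult /r /scope computer" to see which GPOs applied.'
}

# Transport check: over plain HTTP the client cannot authenticate the WSUS server
# and update metadata is not protected in transit.
if (([uri]$wu.WUServer).Scheme -eq 'http') {
    Write-Warning 'WUServer uses plain HTTP. Consider configuring WSUS for SSL (default port 8531) and updating the URL in the GPO.'
}
```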

Conclusion

This is the end of the Windows Server Update Services demonstration. In this article, we have covered installing the WSUS role and configuring WSUS using the configuration wizard. Once WSUS was installed and configured, a computer group was created, and a Group Policy object was created in the Group Policy Management console on the domain controller. A Windows client computer was then tested against WSUS as the final verification of the WSUS deployment.

I have demonstrated other roles of Windows Server 2019 in other Get An Admin articles. If you have questions or feedback to share with me, please click the comments below and share your thoughts. I am happy to answer your questions.

How to Guide Deploying Remote Desktop Services on Windows Server 2019

Preface:

Remote Desktop Services (RDS) is a robust role in the Windows role group. RDS is used to remote into the central RDS server, any member server or a user’s desktop computer through the RDS server, using the Remote Desktop web services either on the internal network or over the internet.

This article discusses accessing servers and desktops over the internet through RD Gateway on the HTTPS port. On-premises servers and desktops can then be accessed without opening RDP port 3389 on the firewall; RDP port 3389 is a target for attackers on the internet. The HTTPS port used for the remote desktop access is one that most businesses already use to access web servers hosted internally.

Remote Desktop Services is cost-effective when the number of users or devices accessing applications would otherwise require an excessive number of licenses. This role is also most useful where the client computers on the company network or at home are not the latest and do not meet the hardware or operating system demands of the application.

We are going to delve deep into this installation and configuration on an Active Directory domain network with Network Policy Server (NPS) security. We are using a public CA certificate in this demonstration, with the hostname assigned in public DNS.

The following points are discussed in this article. By following it, one can install and configure Remote Desktop Services on Windows Server 2019 and publish the RDP app on the Remote Desktop web app portal to access a server or a desktop as needed.

  • Add Remote Desktop Services Role
  • Add Server to RD Licenses and RD gateway
  • Install public CA certificate to each role of RDS
  • Configure RD Licenses
  • Configure Remote App Collection
  • Publish and Configure Remote App
  • Access RD Web and Remote App

To begin the demonstration, let’s add the Remote Desktop Services role group in Server Manager and then go on to configure each component.

Add Remote Desktop Services Role

Two Windows Server 2019 servers are used in this demonstration: the first server is installed as a domain controller, and the RDS server has been joined to the domain of that domain controller.

On the server planned for the RDS installation, called remote, we are going to install the RDS role by launching the Server Manager dashboard and clicking the “Add roles and features” link.

The wizard instructions will show up on the screen. If you don’t want to see this page when adding roles and features anymore, check the Skip this page checkbox and continue by clicking Next.

RDS can be installed through Role-based or feature-based installation, but that requires a lot of effort, as there are a number of components to be selected and configured after installation. To make life easier, Microsoft has consolidated all the component installation in one group. That installation method is used by selecting the Remote Desktop Services installation option on the Select installation type page.

On the deployment type page, select Quick Start so that all components are installed automatically and the Quick App Collection is added to the Remote Desktop Services deployment. Select Quick Start and click Next.

In this article, we are going to look at session-based desktop deployment, so select Session-based desktop deployment and click Next.

On the Server Selection page, select the local server where we have planned the RDS deployment and click Next.

On the confirmation page, check the checkbox “Restart the destination server automatically if required” and click Deploy to start the RDS deployment.

When Deploy is clicked, the RDS role installation starts, and the progress can be monitored in the popup.

The server will be restarted in the middle of the installation. When the server has restarted and you log in with the same administrator account, the installation will continue, and the progress will show Succeeded when the RDS roles deployment completes.

Once the Remote Desktop Services role has been added, the very next step is to configure it. In Server Manager, you will find Remote Desktop Services in the left-side navigation. Click it, and the additional configuration of this service becomes available.

Add Server to RD Licenses and RD gateway

The icons in green are roles not yet configured with a deployment server. Here RD Licensing and RD Gateway are in green, and we are going to configure them in the coming steps. Click RD Licensing, and the configuration window will show up.

In the RD Licensing deployment window, select the server, which in our case is the local server, click the arrow next to it to add it as the RD Licensing server, and click Next.

Once the RD Licensing server has been added, the result shows Succeeded next to the progress bar. Click Close to close the RD Licensing server deployment wizard.

As already planned, this RDS server is also accessed through the internet, so our very next move is to deploy RD Gateway. Click the RD Gateway icon in the deployment overview area; it is in green, which means it has not been deployed yet. The RD Gateway deployment wizard will open, and we can deploy it by adding the server.

We add the local server as the RD Gateway server for Remote Desktop Services by clicking the arrow in the middle of the selection. Once the server is added, click Next to configure the SSL certificate name.

In this demonstration, I have already created a hostname called remote under my public domain mrigotechno.club. You need to give a name that matches your RD Gateway hostname, and the corresponding certificate has to be purchased and installed on Internet Information Services (IIS). Once the certificate name is typed, click Next.

On the confirmation page, click Add to add the RD Gateway server to the deployment.

On the Results page, the progress indicator will show Succeeded; click Configure certificate to install the certificate.

Install public CA certificate to each role of RDS

In Manage certificates, we need to configure the certificate for each role service; there are four role services, and each needs the certificate. I have installed the third-party CA certificate on Internet Information Services and exported it in PFX file format, securing the certificate with a password during the export. Please have your third-party certificate in a PFX file and the password of the PFX file handy, as we are going to apply the certificate starting from the topmost role and continuing one by one to the fourth role.

Select the first role and click Select existing certificate to open the certificate dialogue window.

In the Choose a different certificate option, click Browse, select the PFX certificate file, type the password of the certificate and check “Allow the certificate to be added to the trusted root certification authorities certificate store on the destination computer.” Click OK to go back to the Manage certificates window.

In the certificate configuration for the role, you will see Ready to apply in the State column. Click Apply and wait for the level to change to Trusted, the status to OK and the state to Success.

Repeat the same steps to apply the certificate to the next three roles, and you will see the state change to Success as in the screen capture below. Click OK to complete the certificate configuration.

Configure RD Licenses

The next step is to edit the deployment properties. In the deployment overview, click Tasks and select Edit Deployment Properties to start the wizard.

As we have already completed the certificate configuration, the only edit we still need to make is RD Licensing. On the RD Licensing page under Configure the deployment, select the RDS licensing mode as per your requirement. In this example I have chosen Per User, but choose the one that is relevant to your environment and click OK.

Configure Remote App Collection

In the left-side navigation of the Remote Desktop Services setup, you will see the Quick Session Collection, where apps are published so that we can access them through RD Web Access. In the Properties area, click Properties and select Edit Properties.

We are going to edit only one option in these properties: the user groups associated with this collection. I have already created a security group called RDS_Users and added some test users to it. I’m adding that group here to associate it with the collection. Click OK to go back to the main window.

Publish and Configure Remote App

In this demonstration we are going to see how to access a member server or a user’s desktop through RD Web Access from the internet without opening RDP port 3389; the same steps apply to adding a user’s desktop. Make sure that Remote Desktop is enabled in the system properties of the member server or user desktop. I have a server on the network that can be configured for access from RD Web, so we are going to configure a Remote Desktop app by publishing the RDP app to the Quick Collection apps.

In the RemoteApp Programs area, click Tasks as in the screen below and click “Publish RemoteApp Programs.”

You will be presented with the list of RemoteApp programs; choose the app you want to publish, in this case Remote Desktop Connection. Select “Remote Desktop Connection” and click Next.

On the confirmation page, click Publish.

On the completion page, you will see the Published status message; click Close to go back to the main window.

Right-click the Remote Desktop Connection RemoteApp that we just published and select Edit Properties to configure the properties of the app.

On the General page, type a name that is appropriate for the computer the RDP connection goes to. In this case, it is a server called server1, so I type the name server1 in the name box.

The next page is Parameters. On the Parameters page, select the “Always use the following command-line parameters” radio button and type the IP address of the server or desktop to which the RDP connection is to be established. In this case the private IPv4 address of server1 is 192.168.24.190, so the correct parameter value is /v:192.168.24.190. Replace the IP address with that of the server or desktop on your network.

The next item is User Assignment. Add the users or groups who should see this RemoteApp program when they log in to RD Web Access. Click Add and choose the relevant user or group.

On the next page, leave the file type association at its default setting and click OK.
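
The publishing steps above can be scripted with the RemoteDesktop module, which also makes it easy to review how every published Remote Desktop Connection app is locked down. This is an added example, not part of the original article; the collection name QuickSessionCollection and the DOMAIN placeholder are assumptions, and the first command is an alternative to the wizard rather than a step to run after it.

```powershell
# Added example (not from the original article): publish and audit the server1 RemoteApp.
# Run in an elevated session on the RDS server.
Import-Module RemoteDesktop

$Collection = 'QuickSessionCollection'   # assumption: collection created by Quick Start
$TargetIp   = '192.168.24.190'           # server1 in the demonstration
$Group      = 'DOMAIN\RDS_Users'         # placeholder domain; group name from the article

# Publish mstsc.exe with a fixed target, as "Always use the following
# command-line parameters" does in the wizard.
New-RDRemoteApp -CollectionName $Collection `
    -Alias 'server1' `
    -DisplayName 'server1' `
    -FilePath "$env:SystemRoot\System32\mstsc.exe" `
    -CommandLineSetting Require `
    -RequiredCommandLine "/v:$TargetIp" `
    -UserGroups $Group | Out-Null

# Audit every published Remote Desktop Connection app in the collection.
Get-RDRemoteApp -CollectionName $Collection |
    Where-Object { $_.FilePath -like '*\mstsc.exe' } |
    ForEach-Object {
        $findings = @()
        if ($_.CommandLineSetting -ne 'Require') {
            # Without a required command line the target is not pinned by the server.
            $findings += 'target not fixed by the server'
        }
        elseif ($_.RequiredCommandLine -notmatch '^/v:\S+$') {
            $findings += 'required command line is not a single /v:<host>'
        }
        if (-not $_.UserGroups) {
            # No per-app assignment: the app is shown to every user of the collection.
            $findings += 'no user assignment on the app'
        }
        [pscustomobject]@{
            DisplayName         = $_.DisplayName
            CommandLineSetting  = $_.CommandLineSetting
            RequiredCommandLine = $_.RequiredCommandLine
            UserGroups          = ($_.UserGroups -join ', ')
            Findings            = if ($findings) { $findings -join '; ' } else { 'ok' }
        }
    } | Format-Table -AutoSize -Wrap
```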

Access RD Web and Remote App

We have completed all RDS configuration and moving on to the RD Web portal to login to the portal and access the apps assigned to the use. The URL for the RD Web is https://remote.mrigotechno.club/rdweb

Replace the remote.migotechno.club with the one you have configured for your environment.

Type the username and password with the domain\user format and password of the user and click Sign In.

Deploying Remote Desktop Services

The portal will show the web resources, the Remote desktop connection app that we have configured with the name server1 is available for us to access from the RD Web access login. Click Server1 and follow the login screen.

Deploying Remote Desktop Services

Click connect on the notification popup.

Deploying Remote Desktop Services

On the security login dialogue, type the user name and password of the user and click OK.

The RDP connection opens a remote session on the server1 computer.

The RDP access is successful to the IP address 192.168.24.190, and this concludes our demonstration.

Conclusion

In this article, we have gone through a detailed demonstration of deploying Remote Access Services on Windows Server 2019. You can follow the same steps to deploy Remote Desktop Services in your lab or production environment.

I have demonstrated other roles of Windows Server 2019 in Get An Admin articles. If you have questions or feedback to share with me, please click the comments below and share your thoughts. I am happy to answer your questions.

Exchange 2010 to 2016 Public Folder Migration error

When you migrate Exchange Server 2010 public folders to Exchange Server 2016, you may come across the following error during the public folder mailbox sync. The error appears in the sync report.

[EXCH2016] Public folder “/Public Folder/Sub Folder” could not be mail-enabled. The error is as follows: “No mail public folder was found in Active Directory with object ID ‘78340878-dc63-40da-be4b-d24ec47c55c4′”

This can be resolved with the Disable-MailPublicFolder command, by mail-disabling the affected public folders one by one.

Disable-MailPublicFolder -Identity "/PublicFolder"

If you want to mail-disable public folders in bulk, you can use the -Recurse switch and point to the parent public folder. Here is the command to do so.

Get-PublicFolder -Recurse -Identity "/Projects" | Disable-MailPublicFolder

In this command, /Projects is the parent folder; that folder and all of its subfolders are mail-disabled.

I hope this info would help someone looking for resolution for the above error. You may send me a note if you want more info or your questions.

Exchange Server 2010 to 2016 Public Folders Migration, Too Many Large items error

When you migrate Exchange Server 2010 public folders to Exchange 2016, you may come across a large items error. If you download the mailbox report on the details page, you will see the error shown below.

Fatal error TooManyLargeItemsPermanentException has occurred.

In this case, open the Exchange Management Shell, run the following command, and restart the migration batch. Bingo, the mailboxes completed syncing without any error.

Set-MigrationBatch -Identity PFMigration -LargeItemLimit 100 -BadItemLimit 100

I hope this info would help someone looking for a resolution for the above error. You may send me a note if you want more info or your questions.

Exchange Server 2019 Upgrade error 5506

Today I was trying to upgrade Exchange Server 2019 RTM to cumulative update CU 5, and the upgrade stopped with an error. The upgrade went up to Step 10 and errored out with the following error message.

Error:

 The following error was generated when "$error.Clear();
 Install-ExchangeCertificate -services IIS -DomainController $RoleDomainController
 if ($RoleIsDatacenter -ne $true -And $RoleIsPartnerHosted -ne $true)
 {
 Install-AuthCertificate -DomainController $RoleDomainController
 }
 " was run: "Microsoft.Exchange.Management.Clients.FormsAuthenticationMarkPathUnknownSetError: An unexpected error occurred while modifying the forms authentication settings for path /LM/W3SVC/1. The error returned was 5506.
 at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
 at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
 at Microsoft.Exchange.Management.SystemConfigurationTasks.InstallExchangeCertificate.EnableForServices(X509Certificate2 cert, AllowedServices services)
 at Microsoft.Exchange.Management.SystemConfigurationTasks.InstallExchangeCertificate.InternalProcessRecord()
 at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__91_1()
 at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)". 

Solution:

To resolve this issue, I opened Internet Information Services Manager, went to the Default website, right-clicked it, chose the Bindings option, and changed the certificate from the third-party one to the self-signed certificate.

Restarted IIS using the command iisreset from the command prompt.

Restarted the Exchange CU upgrade and the upgrade completed successfully.

After the upgrade, I changed the Default website https binding back to the third-party certificate.

Hope this would help someone.

How to Quickly Setup Azure Point to Site (P2S) VPN

Preface

The Azure Point to Site VPN setup, also called Azure P2S VPN setup, is most widely used where only a small number of clients connect to the Azure Virtual Network. The Point to Site VPN allows you to connect to the Azure Virtual Network using a secure connection over the internet. Client computers running Windows, Mac OS X, or Linux can connect to the Azure Virtual Network securely from a remote location, such as home or a conference, which is useful for telecommuters. There are multiple client protocols available for Point to Site VPN, such as OpenVPN, SSTP, and IKEv2. In this article, we are going to use SSTP and IKEv2: Windows clients use SSTP, and Mac OS X and Linux clients use IKEv2.

We are using Azure certificate authentication, and here we demonstrate how to create a self-signed certificate on a Windows 10 computer and upload the root certificate to Azure. Each client that uses the VPN connection needs the client certificate installed. We are going to see how to export the root and client certificates and how to upload the root certificate to the Azure VPN gateway. In the end, we are going to install the Azure VPN client, downloaded from the Azure Virtual Network Gateway, on the Windows 10 client and establish the VPN connection using the client certificate already installed.

The following steps are involved in setting up the Azure Virtual Network Gateway. We go through the steps one by one, create the complete Virtual Network Gateway setup, and connect to the VPN gateway from a Windows 10 client computer.

  1. Create Azure Virtual Network
  2. Create Gateway Subnet
  3. Deploy Virtual Network Gateway
  4. Generate self-signed Certificate
  5. Export the Root and Client Certificates using certificates MMC
  6. Connect Azure Virtual Network using VPN client on Windows 10 PC.

Create Azure Virtual Network

Open Azure Portal using Azure Portal client or Web browser.

Click the menu icon and select Virtual Network.

In this demonstration, we are creating a new Virtual Network named VNet3. On the Azure portal, click Add on the Virtual Network screen opened in the previous step. Clicking Add on the Virtual Network tab adds a new Virtual Network.

A new Resource Group named RGDEMO is created for this demo. Type a name for this Virtual Network. I have given Vnet3 as the Virtual Network name for this demonstration.

On the IP Address tab of the Create virtual network window, the address space is set to 192.168.0.0/16 and the subnet range 192.168.100.0/24 is added.

Once the subnet range is added within the address space, click Review+create to validate the settings.

As the validation passed, click Create to start the Virtual Network deployment.

Click Go to Resource to open the Virtual networks list to continue with setting up Gateway subnet.


On the newly created Virtual Network, click +Gateway Subnet to add a gateway subnet, which this Virtual Network needs in order to deploy the Virtual Network Gateway. A new subnet range, 192.168.101.0/24, is assigned to the gateway subnet. Type the subnet range, leave the other settings at their defaults, and click OK.

The newly created Gateway subnet will be listed on the subnet list with the name GatewaySubnet.

We have completed adding Gateway Subnet. Next, we are deploying Virtual Network Gateway.

Go to the menu icon in the top left corner and select All Services, then the Networking category on the menu.

On the Virtual Network Gateway tab, click Create virtual network gateway in the middle of the window.

The Create virtual network gateway window opens. Type a name for this gateway and select the Region. Select the Virtual Network name; in this case, the newly created Virtual Network Vnet3 is selected.

Scroll down and type a name for the public IP address, leave all the other settings at their defaults, and click Review+Create.

The Virtual Network Gateway parameters are correct, so validation passes. Click Create to start the deployment of the Virtual Network Gateway. This deployment process will take more than 15 mins, so wait for the deployment to complete.

The Virtual Network Gateway deployment is complete. Click Go to resource to configure it.

Open PowerShell ISE as an administrator on a Windows 10 client computer, then copy and paste the following script into the PowerShell ISE script editor window (you can customize the subject name as you want).

$rootcert = New-SelfSignedCertificate -Type Custom  `
-Subject "CN=P2SROOT" `
-KeyExportPolicy Exportable `
-KeySpec Signature `
-HashAlgorithm sha256 `
-KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-KeyUsageProperty Sign `
-KeyUsage CertSign

The above command creates the root certificate and stores it in the $rootcert variable, which is used to sign the client certificate that we are generating in the next step. Select the command and run it.

Using the root certificate variable created in the previous step, use the code below in PowerShell ISE to generate a client certificate with the name P2SClient.

New-SelfSignedCertificate -Type Custom `
-DnsName P2SCLIENT `
-KeySpec Signature `
-Subject "CN=P2SCLIENT" `
-KeyExportPolicy Exportable `
-HashAlgorithm sha256 `
-KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-Signer $rootcert `
-TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

In the previous two steps, we have created a root certificate and client certificate using that root certificate. We are going to export the root certificate and the client certificate using the Microsoft Management Console (MMC) with the certificate snap-in.

Press Windows+R and type mmc and click OK.

On the Microsoft Management Console, click File and then Add/Remove Snap-in.

Select Certificates from available snap-in and click Add.

Select My user account on the available certificate snap-ins and click Finish.

With the Certificates snap-in selected, click OK.

We export the root certificate first and then the client certificate. Right-click P2SRoot and click Export under All Tasks.

A Certificate export wizard will open with a Welcome page, click Next to continue.

On the Root certificate export, we are not exporting a private key, select No, do not export the private key, and click Next.

On Export file format page, select “Base-64 Encoded X.509 (.CER)” and click Next.

Type the file path and file name with the .cer extension, store the certificate in a secure place, and click Next.

On the completion page of the Certificate Export Wizard, click Finish to close the wizard.

Click OK on the “The export was successful” message pop-up.

The next step is to export the client certificate with the private key.

Right-click the client certificate P2SCLIENT and click export under All Tasks.

The certificate export wizard will start with a welcome page, click Next to continue.

This time we are selecting “Export private key.” This certificate is going to be installed, for authentication, on the client computer that needs Azure Point to Site VPN access. Select “Yes, Export Private key” and click Next.

Leave the default selections and click Next.

Type a password for the certificate file and click Next.

Type a file path and file name with extension and click Next.

On the completing export wizard, click Finish.

Click OK on the confirmation message popup.

Go to the file path where we exported the certificates, right-click the root certificate, and select Notepad in the Open with app selection.

Copy the certificate content as selected in the image below.

With the certificate content copied to the clipboard, open the Azure Network gateway on the Azure portal and click Configure now.

Type an address pool range, select IKEv2 and SSTP as the tunnel type and Azure as the authentication type, type a name for the root certificate, and paste the certificate content from the clipboard into the public certificate data box.

Click Save and exit from the screen.
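The MMC export steps above can also be scripted. The following is an added example, not code from the original article: it checks that the client certificate was issued by the root and carries the client authentication EKU before exporting, writes the root's public part as Base-64, and exports the client certificate with its private key. The output folder and file names are assumptions.

```powershell
# Added example, not from the original article. Run as the same user that
# created the certificates. Output folder and file names are assumptions.
$outDir = Join-Path $env:USERPROFILE 'P2SCerts'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

function Get-SingleCertificate {
    param([Parameter(Mandatory)][string]$Subject)
    # Re-running New-SelfSignedCertificate leaves duplicates with the same
    # subject; refuse to guess which one is meant.
    $found = @(Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq $Subject })
    if ($found.Count -ne 1) {
        throw "Expected exactly one certificate with subject '$Subject', found $($found.Count)."
    }
    return $found[0]
}

$root   = Get-SingleCertificate -Subject 'CN=P2SROOT'
$client = Get-SingleCertificate -Subject 'CN=P2SCLIENT'

# The client certificate must chain to the root that is uploaded to Azure.
if ($client.Issuer -ne $root.Subject) {
    throw "Client certificate issuer '$($client.Issuer)' does not match the root subject."
}
if (-not $client.HasPrivateKey) {
    throw 'Client certificate has no private key in this store; it cannot authenticate.'
}

# The client certificate needs the Client Authentication EKU (1.3.6.1.5.5.7.3.2).
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$ekuExtension = $client.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$ekuOids = @($ekuExtension.EnhancedKeyUsages | ForEach-Object { $_.Value })
if ($ekuOids -notcontains $clientAuthOid) {
    throw 'Client certificate does not carry the Client Authentication EKU.'
}

# Root: public certificate only, Base-64 encoded (.cer). RawData never
# contains the private key, so the root key stays in the certificate store.
$rootCerPath = Join-Path $outDir 'P2SRoot.cer'
$pemBody = [Convert]::ToBase64String($root.RawData,
    [System.Base64FormattingOptions]::InsertLineBreaks)
Set-Content -Path $rootCerPath -Encoding Ascii -Value @(
    '-----BEGIN CERTIFICATE-----', $pemBody, '-----END CERTIFICATE-----')

# The portal's public certificate data box takes the Base-64 body as a single
# line without the BEGIN/END lines; put exactly that on the clipboard.
[Convert]::ToBase64String($root.RawData) | Set-Clipboard

# Client: certificate plus private key, protected by a password typed at the prompt.
$pfxPath = Join-Path $outDir 'P2SClient.pfx'
$pfxPassword = Read-Host -Prompt 'Password to protect the client PFX' -AsSecureString
Export-PfxCertificate -Cert $client -FilePath $pfxPath -Password $pfxPassword | Out-Null

[pscustomobject]@{
    RootThumbprint   = $root.Thumbprint
    ClientThumbprint = $client.Thumbprint
    RootCerPath      = $rootCerPath
    ClientPfxPath    = $pfxPath
}
```

Only the .pfx file and its password need to reach the VPN client computers; the root certificate's private key stays on the machine that generated it, where it can sign further client certificates.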

As the last step, click Download VPN client to download the VPN client.

AZURE VPN Client Configuration

Right-click the eenergycleint.pfx certificate and select Install PFX.

Select Current User and click Next.

On the File to import page, leave the default and click Next.

Type the password and click Next.

Choose to place the certificate in the following store, select the Personal store, and click Next.

On the completing wizard page, click Finish.

Click OK on the confirmation pop-up.

Next, we are going to install the VPN client binary. Right-click the install file and select Run as administrator.

Click Yes on the install confirmation dialog box.

On the taskbar, click the network icon and click VNET3.

The Network & Internet settings page will open, select the VNET3, and click connect.

Click Connect to connect to the Azure Point to Site VPN.

Check “Do not show this message again for this connection” and click Continue.

Once connected, use the private IP address of the VM for RDP access.

Go to the Virtual Machine overview on the Azure Portal and copy the private IP of the VM.

Go to Start > Run, type “mstsc”, and click OK.

Paste the private IP address copied on the clipboard from Azure Portal and click Connect.

The remote desktop connection will prompt for credentials, type credentials and click OK.

The ipconfig command on the picture shows you have logged in using the private IP with VPN Connectivity.

Conclusion

In this article, we have gone through the Azure VPN client setup for a Point to Site connection. We created the gateway subnet, deployed the VPN gateway, connected a Windows 10 client, and accessed a resource inside the Azure network using the private IP address of the device.

If you have any questions or feedback, please post them in the comment column below. I’m happy to help you resolve the issues or answer the questions, if any, at the earliest possible.

How to Setup VPN using PPTP on Windows Server 2019

Preface

We already posted an article on setting up a VPN on Windows Server 2019 using Secure Socket Tunneling Protocol (SSTP) with a third-party certificate. In this one, we are going to discuss how to set up a VPN using PPTP. The Point to Point Tunneling Protocol uses the Generic Routing Encapsulation feature along with tunneling over TCP/IP wrapped transmission. PPTP creates a tunnel on TCP/IP and transfers the packets securely. This is a very old and reliable method of accessing a private network over the internet. We can deploy this method to connect a home user or a user with a laptop to their home network or small office network efficiently and quickly.

Configuring a Point to Point Tunneling Virtual Private Network on Windows Server 2019 is straightforward. We can use this method of deploying a VPN where the Secure Socket Layer type of VPN is not possible. In this method of configuring VPN, we need to open port 1723 and enable a feature called Generic Routing Encapsulation (GRE) on the edge firewall or router under security settings. I am going to explain the setup step by step and cover the entire process, from installing and configuring the Remote Access role to configuring the client device to connect to the network where we have installed the PPTP VPN.

So, let us get to the server and start the Remote Access role installation, and subsequently look at configuring the VPN policy on the Network Policy Server on Windows Server 2019. If you are ready to take on a configuration task, let us get started.

  • Add Remote Access Server Role
  • Configure Remote Access with VPN Access
  • Configure Remote Access Settings for VPN
  • Configure Dial-in connection on the user object
  • Configure Dial-in policy on Network Policy Server
  • Create VPN network connection on Windows 10 device
  • Connect VPN Server over the Internet

Add Remote Access Server Role

The first step in deploying a VPN server is adding the Remote Access server role on the server. The role is installed from the Server Manager Dashboard. Once the Server Manager window opens, click Add Roles and Features. The ‘Add Roles and Features’ wizard starts, and we can go through this wizard to complete the Remote Access role installation.

The wizard will start with instructions on using this tool to add the roles and features. If you don’t want to see this page, you can click the checkbox next to ‘Skip this page by default,’ and you won’t be prompted with this page anymore.

In this wizard, we are going to use the role-based installation to add this role, so select Role-based or Feature-based Installation to begin with and click Next to continue.

Make sure the local server is in the server pool, select it, and click Next.

In the Select Server Role page, select Remote Access checkbox, and click Next.

On the next page, leave the Features as it is and click Next.

If you need more details, you may go through the details about remote access on this page, and once you are ready to move, click Next.

This step is significant. Select DirectAccess and VPN (RAS) alone. You will be prompted with the related features in a pop-up; click Add Features, which returns you to the Select role services page.

We have selected the role service and its features, and we are ready to continue. Click Next.

The next page is an information page, and it describes that adding this role service also installs the Web Server (IIS) role. Click Next to continue.

The Web Server (IIS) role is installed with these role services. Leave the default selection and click Next.

On the confirmation page, verify that the roles and role services listed are correct and click Install to start the Remote Access role installation. Sit back and relax for a few minutes while the installation completes.

The Remote Access role installation has started. Let us wait until the installation completes, and then we start the configuration.

You will notice the installation succeeded message, along with a link to open the Getting Started Wizard to start the configuration of the Remote Access role. Click the link.

Clicking the link starts the Configure Remote Access wizard. On the wizard, click the Deploy VPN only tab.

Configure Remote Access with VPN Access

On the Configure Remote Access prompt, select Deploy VPN only from the Remote Access configuration methods offered.

The Routing and Remote Access management console opens. Right-click the server node and click ‘Configure and Enable Routing and Remote Access.’

The Routing and Remote Access Server Setup Wizard will start with a Welcome Screen, Click Next to begin the wizard.

Select the Radio button next to Custom Configuration and click Next.

On the Custom Configuration page, select the checkbox next to VPN Access and click Next.

VPN Access is now selected in the wizard, and that is the end of the wizard. Click Finish.

Click OK to the warning message that the Remote Access Configuration couldn’t open the required port. We will open the port on the Windows Firewall manually.

We have now configured Routing and Remote Access services with VPN Access, and the wizard ends by prompting us to start the service.

Once the Routing and Remote Access Service Started, you will see a green arrow on the server node implying that the service started and running.

Configure Remote Access Settings for VPN

There are specific settings we need to update so that the VPN functions securely and hands out IPv4 addresses to the client systems.

Right-click the server node and click properties as in the screen below.

On the Remote Access server properties, go to the IPv4 tab, select the Static address pool radio button under IPv4 address assignment, and click Add to add an IP address pool. Choose an IP address pool and type the start and end IP addresses of the pool. The IPv4 address pool here is a static one; if you are running a DHCP server, you can leave the IP addresses to be assigned by the DHCP server. As we are not running a DHCP service, we are creating a static address pool in this example.

Choose IP address pool and type start and end IP address on the Add dialog box. We have chosen 172.16.1.1 to 172.16.1.10 range to assign the IP addresses to the VPN clients.

Click OK once the IP addresses are typed correctly.

Configure VPN Policy on Network Policy Server

Open the Server Manager window and, on the Tools menu, select Network Policy Server to begin configuring the VPN policy.

Expand the Network Policy Server and select New to create a new policy for VPN access.

On the New Network Policy window, type VPN Access as the policy name, select Remote Access Server (VPN-Dial Up) in the drop-down list for the type of network access server, and click Next.

On the Specify Condition page, select Windows Group and Click Add.

I have already created an Active Directory group called “vpngroup” for this purpose, and we are going to add that group. Please note that we are adding all users who need VPN access to this group.

Once we confirmed the group added, click Next to continue.

As we are granting access to this AD Group users, we are selecting Access Granted and Clicking Next.

On the Configure Access methods page, click Add and select Microsoft Secure Password (EAP-MSCHAP v2) as the Extensible Authentication Protocol in the list of authentication methods.

Also, uncheck the boxes near Less Secure Authentication methods.

Once the Authentication method has been selected, click Next.

On the Configure Constraints page, leave the defaults and click Next.

On the Configure Settings page, also leave the defaults and click Next.

Click Finish to end the wizard.

Create a Windows Firewall rule to open the PPTP VPN port

Go to Control Panel>System and Security>Windows Defender Firewall and click Advanced settings.

Select Inbound Rules in the left navigation and New Rule on the Actions menu.

Select Port as the rule type and click Next.

The PPTP port number is 1723. Select TCP as the protocol the rule applies to, enter 1723 under Specific local ports, and click Next.

Select Allow Connections and click Next.

Select all the Network Locations and click Next.

Type a name for the Rule and Click Finish
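The same inbound rule can be created and checked from PowerShell. This is an added example, not part of the original article; the rule name is an assumption, and the script must run in an elevated session on the VPN server.

```powershell
# Added example, not from the original article. The rule name is an assumption.
$ruleName = 'PPTP VPN (TCP 1723)'

# Create the inbound allow rule only if it does not exist yet, so the script
# can be re-run without piling up duplicate rules.
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $rule) {
    $rule = New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound `
        -Protocol TCP `
        -LocalPort 1723 `
        -Action Allow `
        -Profile Any          # matches "all the Network Locations" in the wizard
}

# Read the rule back instead of trusting that creation did what we meant.
$portFilter = $rule | Get-NetFirewallPortFilter

# The rule is only useful if Routing and Remote Access is running and
# something is actually listening on the PPTP control port.
$service  = Get-Service -Name RemoteAccess
$listener = Get-NetTCPConnection -LocalPort 1723 -State Listen -ErrorAction SilentlyContinue

[pscustomobject]@{
    RuleName      = $rule.DisplayName
    RuleEnabled   = $rule.Enabled
    Direction     = $rule.Direction
    Action        = $rule.Action
    Profile       = $rule.Profile
    Protocol      = $portFilter.Protocol
    LocalPort     = $portFilter.LocalPort
    ServiceStatus = $service.Status
    Listening     = [bool]$listener
}
```

If Listening is False while the service is Running, the VPN Access configuration from the earlier wizard has not taken effect, and opening the port alone will not make the connection work.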

Create VPN Network Connection

So, we have completed all server configurations, now is the time to create a VPN connection on the Windows 10 client computer.

Right-click the network icon on the taskbar and select ‘Open Network & Connection Sharing.’ In the Settings window, click ‘Network and Sharing Center’ to open the Network and Sharing Center, where we need to select ‘Set up a New Connection or Network.’

Follow the steps below.

  1. Open Network & Internet Sharing
  2. Network Sharing Center
  3. Set up a New Connection or network

A wizard starts. In the connection options, select ‘Connect to a workplace’ and click Next.

In the destination name box, type a name that implies the connection's purpose. I left the default name in this example.

Leave the selection of ‘Remember my credentials’ and click create.

  1. Type the VPN server’s internet hostname or IP address.
  2. Give a name to the VPN Connection.
  3. Click Create to create a workplace connect.

To change the type of VPN, right-click newly created Network Connection and select properties.

On the Security tab, select Point to Point Tunneling Protocol (PPTP) and click OK.

Click Network icon on the taskbar and the newly created VPN connection will appear on the list of connections, click that, and there will be a credentials box open.

On the sign-in prompt, type the AD user name and password and click OK.

The VPN connection will show connected. Now we can access the internal devices on the office network using their private IP address.

Conclusion

In this article, we have gone through step-by-step instructions on how to 1. install and configure the Remote Access VPN role, 2. create the Network Policy Server VPN policy, 3. create the Windows Firewall rule, and 4. make a VPN connection on the Windows client system and connect to the office network remotely using PPTP. There is one more step: on the router or firewall device connecting to the internet, we need to add a port forwarding rule that points port 1723 to the VPN server. In the security settings on the firewall, we need to enable Generic Routing Encapsulation so that the remote Windows client can connect to the VPN server that we just configured.

You may have some questions or feedback to share with me, please click the comments below and share your thoughts. I am so happy to answer your questions.

Exchange Server Cumulative Update upgrade error

The Exchange Server Cumulative Update upgrade can fail while stopping the Windows Management Instrumentation service. The following error is shown when the setup stops this service.

Error:

 The following error was generated when "$error.Clear();
 & $RoleBinPath\ServiceControl.ps1 -Operation:DisableServices -Roles:($RoleRoles.Replace('Role','').Split(',')) -SetupScriptsDirectory:$RoleBinPath;
 & $RoleBinPath\ServiceControl.ps1 -Operation:Stop -Roles:($RoleRoles.Replace('Role','').Split(',')) -IsDatacenter:([bool]$RoleIsDatacenter)
 " was run: "Microsoft.Exchange.Configuration.Tasks.ServiceDidNotReachStatusException: Service 'WinMgmt' failed to reach status 'Stopped' on this server.
 at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
 at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
 at Microsoft.Exchange.Management.Tasks.ManageSetupService.WaitForServiceStatus(ServiceController serviceController, ServiceControllerStatus status, Unlimited`1 maximumWaitTime, Boolean ignoreFailures, Boolean sendWatsonReportForHungService)
 at Microsoft.Exchange.Management.Tasks.ManageSetupService.StopService(ServiceController serviceController, Boolean ignoreServiceStopTimeout, Boolean failIfServiceNotInstalled, Unlimited`1 maximumWaitTime)
 at Microsoft.Exchange.Management.Tasks.ManageSetupService.StopService(String serviceName, Boolean ignoreServiceStopTimeout, Boolean failIfServiceNotInstalled, Unlimited`1 maximumWaitTime)
 at Microsoft.Exchange.Management.Tasks.StopSetupService.InternalProcessRecord()
 at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__91_1()
 at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".

Resolution

Open Task Manager and, on the Services tab, find the Windows Management Instrumentation service and note the process ID (PID) of its service process. Then go to the Details tab in Task Manager and kill the process with that PID. Leave the Windows Management Instrumentation service start state as Disabled and run the Exchange Server Cumulative Update setup again, either through the graphical user interface or the command line. This time the error won’t come up.
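
The same steps from an elevated PowerShell prompt, with a check for other services running in the same host process before it is ended. This is an added example, not part of the original article or of Exchange setup; `$KillSharedHost` is a name chosen here, and the parsing assumes English-language `sc.exe` and `tasklist` output.

```powershell
# Added example: find and end the process hosting a hung WinMgmt service.
# Run from an elevated PowerShell prompt on the Exchange server.
$ServiceName    = 'Winmgmt'
$KillSharedHost = $false   # hypothetical safety switch used only by this example

# sc.exe queries the Service Control Manager directly, so it still answers
# while WMI itself is hung (Get-CimInstance / Get-WmiObject may not).
$query     = sc.exe queryex $ServiceName
$stateLine = $query | Select-String '^\s*STATE\s*:\s*\d+\s+(\w+)' | Select-Object -First 1
$pidLine   = $query | Select-String '^\s*PID\s*:\s*(\d+)'        | Select-Object -First 1
if (-not $pidLine) { throw "Could not read the PID of $ServiceName from sc.exe output." }

$state  = if ($stateLine) { $stateLine.Matches[0].Groups[1].Value } else { 'UNKNOWN' }
$wmiPid = [int]$pidLine.Matches[0].Groups[1].Value
Write-Output "$ServiceName state: $state, PID: $wmiPid"

if ($wmiPid -eq 0) {
    Write-Output "$ServiceName has no running process; nothing to end."
}
else {
    # A svchost.exe process can host several services. List them first,
    # because ending the process stops every service inside it.
    $row    = tasklist.exe /svc /fi "PID eq $wmiPid" /fo csv | ConvertFrom-Csv
    $hosted = @("$($row.Services)" -split ',\s*' | Where-Object { $_ })
    $others = @($hosted | Where-Object { $_ -ne $ServiceName })

    if ($others.Count -gt 0 -and -not $KillSharedHost) {
        Write-Warning ("PID $wmiPid also hosts: $($others -join ', '). " +
                       "Set `$KillSharedHost = `$true to end it anyway.")
    }
    else {
        Stop-Process -Id $wmiPid -Force
        Write-Output "Ended PID $wmiPid."
    }
}

# Setup has already set the start type to Disabled; confirm and leave it.
Get-Service -Name $ServiceName | Select-Object Name, Status, StartType
```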

I want to hear from you. If you have any questions or feedback, leave your comments below and I will reply to you.

Exchange Server Installation Error

Exchange Server Installation Error while running ‘ldifde.exe’ to import the schema file

I received the following error in Exchange 2016 setup right after the readiness check of the installation completed.

 Error:
 The following error was generated when "$error.Clear(); 
                 install-ExchangeSchema -LdapFileName ($roleInstallPath + "Setup\Data\"+$RoleSchemaPrefix + "schema0.ldf")
 " was run: "Microsoft.Exchange.Configuration.Tasks.TaskException: There was an error while running 'ldifde.exe' to import the schema file 'C:\Windows\Temp\ExchangeSetup\Setup\Data\PostExchange2003_schema0.ldf'. The error code is: 8224. More details can be found in the error file: 'C:\Users\theman\AppData\Local\Temp\2\ldif.err'
    at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
    at Microsoft.Exchange.Management.Deployment.InstallExchangeSchema.ImportSchemaFile(String schemaMasterServer, String schemaFilePath, String macroName, String macroValue, WriteVerboseDelegate writeVerbose)
    at Microsoft.Exchange.Management.Deployment.InstallExchangeSchema.InternalProcessRecord()
    at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__91_1()
    at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)". 

The error turned out to be caused by a domain controller that was offline. Once I brought that domain controller back online and restarted the Exchange 2016 setup, the error disappeared.

How to Properly Install and Configure Exchange Server 2019

Preface

In this article, we are going to walk through the installation of Exchange Server 2019 and configure some of the Exchange components such as virtual directories, Outlook Anywhere, etc. This article covers how to install and configure Exchange Server 2019 using the GUI.

I have already created a three-part article on migrating Exchange Server 2013 to Exchange Server 2019, which covers installation and configuration. There, Exchange was installed using the command-line interface, but most admins prefer the graphical user interface method to install and configure Exchange Server. With that in mind, I have created this new article for Exchange admins using the GUI. Even though we demonstrated the Exchange Server 2019 installation in that article series, configuring Exchange Server in a new Exchange organization is somewhat different from configuring it in an existing organization.

This article also covers the complete configuration necessary for an Exchange Server deployment. It assumes you have a domain controller up and running on your network and that you are going to install Exchange Server 2019 in that Active Directory environment. If you are doing this installation on a network or test network with no domain controller installed, I would recommend installing a domain controller using my other article before installing Exchange Server 2019. I also recommend going through this Microsoft link if you want to know all the Active Directory schema changes made when you install Exchange Server 2019 in your Active Directory environment. You are advised to go through the complete document before starting the installation; that way, you will not get stuck on any step when you install and configure Exchange Server 2019. We are going to do the following tasks to install and configure Exchange Server 2019.

  1. Install Exchange Server Pre-requisite
  2. Install Exchange Server 2019 using GUI
  3. Create new outbound send connector to send emails to internet email
  4. Configure Virtual Directories
  5. Configure Outlook Anywhere
  6. Set Service Connection Point
  7. Rename default database and move database path
  8. Install Certificate

Pre-requisite to Install and Configure Exchange Server

Windows Server 2019 has to be prepared with the Exchange Server 2019 prerequisites before installing the Exchange Server binaries.

The following Windows Server packages need to be installed before installing Exchange 2019 Server:

  • .NET Framework 4.8
  • Visual C++ Redistributable Package for Visual Studio 2013
  • Unified Communications Managed API 4.0
  • Windows feature

Install .NET Framework 4.8

.NET Framework 4.8 must be installed as a prerequisite software package. The package needs to be downloaded from the link below.

https://go.microsoft.com/fwlink/?linkid=2088631

Once the offline installer has been downloaded, right-click the package and run it as an administrator to install it on the server.

Check the license agreement checkbox and click install.

Click Finish to complete the installation.

Install Visual C++ Redistributable Package for Visual Studio 2013

The next prerequisite to install on the server is the Visual C++ Redistributable Package for Visual Studio 2013. You can download this package from the link below; choose the language that you are planning to install on the server.

https://support.microsoft.com/en-in/help/4032938/update-for-visual-c-2013-redistributable-package

Once the package has been downloaded, right-click the downloaded file and run as administrator.

Accept the license and click Install to install the package.

Click close when the install completes.

Install Unified Communications Managed API 4.0

The next prerequisite package we are going to install on the server is the Microsoft Unified Communications Managed API 4.0 runtime setup. Download the package from the link below.

https://www.microsoft.com/en-us/download/details.aspx?id=34992

Once the package is downloaded, run it as an administrator to begin the installation. Click Next to continue.

Click Install to install the package and click Finish when the install is over.

Install Windows Feature

The next prerequisite is the installation of Windows Server features. Open a PowerShell window as administrator and run the following command. Once the installation of the features is completed, restart the Windows operating system.

Install-WindowsFeature Server-Media-Foundation, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS 

Install and Configure Exchange Server

Open the Exchange Server installation media and double-click setup.exe to start the installation. Select Connect to the Internet and check for updates and click Next.

On the next screen, the installation wizard will try to download updates, if there are any, from the Microsoft update server. Click Next to continue.

Go through the introduction and click next to continue the wizard.

Accept the license agreement and click next to continue.

Select Use Recommended Settings and click Next.

Select the server role. This demonstration is for the Exchange Server Mailbox role, so select Mailbox role; the Management tools checkbox will be selected automatically. Also, check Automatically install roles and features and click Next.

Select the drive where Exchange Server is to be installed. In most cases, it would be on a drive other than the system drive. I have left the installation path as-is for this demonstration, but you can choose any drive and path you want.

Specify an organization name. In this case, I leave it at the default. Click Next.

If you are planning to use third-party malware protection, you can select to disable Malware Protection. If you want to use the one built into Exchange Server, set Disable malware protection to No and click Next.

The install wizard will start Readiness Check, wait for that to complete and check if you have received an error message.

If there is any error, rectify it and then restart the Exchange Server installation. If you have followed these installation steps, you most probably won’t have any errors. Click Install to start the installation.

Setup will start, and you can monitor the progress along the way. It will take some time to complete, so be patient and wait for the setup to finish.

The Setup is in progress and may take some more time to complete.

Exchange Server Setup is complete, select launch Exchange Administration Center, and click Finish.

The Exchange Admin Center, or Exchange Control Panel, is the web console where Exchange Server is configured and managed. This console can be accessed initially with the web URL https://localhost/ecp

The login screen is shown in the image below, where the administrator can log in to get the full admin access console with username as domain\username and password.

Create A Send Connector

A fresh Exchange Server installation will not have a connector to send email to internet email addresses, so we need to create one. Here are the steps to create a send connector using the Exchange Admin Center. Log in to the Exchange Admin Center and go to Mailflow → Send Connector. Click Add, or the + sign at the top of the icons.

The New Send Connector wizard will open. Type a descriptive name and select Internet as type.

As we are going to send emails to internet users straight from the exchange server, we are going to select an MX record associated with the recipient domain and click Next.

Add address space, click + sign on the address space commands.

Type * in the FQDN column and click save.

Once the address space has been saved, click next.

On the Source Server, click + sign to add the only server we just installed.

Add the Exchange Server and click OK

We have completed Creating Send connector, click Finish to close the wizard.

Configure Virtual Directories

We are going to configure virtual directories such as OWA, ActiveSync, and so on with the internal and external URLs using the Exchange Management Shell. Navigate to Start → Microsoft Exchange Server from the menu, right-click the Exchange Management Shell, and choose Run as administrator to open an elevated shell to configure the virtual directories.

The following script will set the virtual directories of each feature. We need to specify the Server_Name and FQDN variables relevant to our Exchange Server name and external domain name.

 # Short name of the Exchange server and the FQDN clients will use
 $Server_name = "ex"
 $FQDN = "mail.mrigotechno.club"
 # Set the same internal and external URL on each virtual directory
 Get-OWAVirtualDirectory -Server $Server_name | Set-OWAVirtualDirectory -InternalURL "https://$($FQDN)/owa" -ExternalURL "https://$($FQDN)/owa"
 Get-ECPVirtualDirectory -Server $Server_name | Set-ECPVirtualDirectory -InternalURL "https://$($FQDN)/ecp" -ExternalURL "https://$($FQDN)/ecp"
 Get-OABVirtualDirectory -Server $Server_name | Set-OABVirtualDirectory -InternalURL "https://$($FQDN)/oab" -ExternalURL "https://$($FQDN)/oab"
 Get-ActiveSyncVirtualDirectory -Server $Server_name | Set-ActiveSyncVirtualDirectory -InternalURL "https://$($FQDN)/Microsoft-Server-ActiveSync" -ExternalURL "https://$($FQDN)/Microsoft-Server-ActiveSync"
 Get-WebServicesVirtualDirectory -Server $Server_name | Set-WebServicesVirtualDirectory -InternalURL "https://$($FQDN)/EWS/Exchange.asmx" -ExternalURL "https://$($FQDN)/EWS/Exchange.asmx"
 Get-MapiVirtualDirectory -Server $Server_name | Set-MapiVirtualDirectory -InternalURL "https://$($FQDN)/mapi" -ExternalURL "https://$($FQDN)/mapi"

After you copy and paste the script into the EMS, the Exchange Management Shell will look like the output shown below.

Configure Outlook Anywhere

For Outlook clients to get access from internal and external networks, we need to configure Outlook Anywhere from the Servers/Outlook Anywhere settings with the Exchange hostname (FQDN), such as mail.domain.com. You can navigate to the Outlook Anywhere settings as shown in the steps on the image.

Click OK to the Warning to Negotiate client authentication.

Set Service Connection Point

The next step is to set the Autodiscover internal URI so that internal Outlook clients get the Autodiscover details from Active Directory. Setting the Autodiscover internal URI sets the Service Connection Point (SCP) in Active Directory.

Set-ClientAccessService -Identity ex -AutodiscoverServiceInternalURI  https://mail.mrigotechno.club/Autodiscover/Autodiscover.xml

Rename default database and move database path

Move the mailbox database path to a separate disk for the database and transaction log files so that the database can be recovered quickly in case of disk failure. I have used the C: drive in the command below; you can substitute the relevant drive letter.

Get-MailboxDatabase -Server ex | Set-MailboxDatabase -Name MBX-DB-2019
Move-DatabasePath -Identity MBX-DB-2019 -EdbFilePath C:\ExchangeDatabases\MBX-DB-2019\MBX-DB-2019.EDB -LogFolderPath C:\ExchangeDatabases\MBX-DB-2019_Log

Install Certificate

We are going to create a certificate signing request (CSR) in the Exchange Admin Center and install the certificate for services like IIS, SMTP, and so on. Log in to the Exchange Admin Center and go to Servers → Certificate to create the certificate signing request (CSR) file used to generate a certificate from a third-party certification authority (CA) like Verisign or GoDaddy.

Create the certificate signing request by clicking the + sign on the Certificate tab. Select “Create a request for a certificate from a Certification Authority” and click Next.

Type a friendly name of the certificate and click Next.

We are going to request a Subject Alternative Name (SAN) certificate, so leave the default and click Next.

The request has to be saved on the Exchange server. Click Browse, select the only Exchange server, and click OK.

Once the Exchange server has been selected, click Next.

We skip this page; we are going to create the request with names that we specify on the list. Click Next.

Select only the FQDN that we used on the virtual directories and Outlook Anywhere. As you know, we provided the name mail.mrigotechno.club; alongside it, we need to add the name for Autodiscover, so the subject name will be Autodiscover.mrigotechno.club. Remove the other local hostnames.

With the local hostnames removed and only the FQDN and Autodiscover hostnames added, click Next.

Type information about your organization and click Next.

Save the request in a file, type the UNC path, and click Next.

The certificate request has been created. Using the CSR file, we need to generate a certificate from a third-party certification authority. Once the certificate is received, come back to the Certificate tab in the Exchange Admin Center, select the request entry, and click Complete to apply the certificate.

Type the UNC path of the certificate received from the CA and click ok.

The next step is to assign services to the certificate, open the certificate entry on the EAC, and check the hostnames.

Go to Services in the same window and select the services you want this certificate to be used for. IIS and SMTP are generally selected, but if you wish IMAP and POP to use the certificate, or these services are enabled, select them as well and click Save.

Click Yes on the confirmation message, and you will see Valid in the certificate Status.
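
A check worth running once the certificate is assigned: every hostname set on the virtual directories, Outlook Anywhere and the SCP should appear on a valid, CA-issued certificate bound to IIS, otherwise clients get name-mismatch warnings. The script below is an added example, not part of the original article; it assumes the server name `ex` from the earlier script, and `Test-NameCovered` is a helper name chosen here.

```powershell
# Added example: run in an elevated Exchange Management Shell on the server.
$Server_name = "ex"    # same short server name used in the script earlier

# 1. Every URL clients are handed: the virtual directories plus the SCP.
$urls  = @()
$vdirs = @(
    Get-OwaVirtualDirectory         -Server $Server_name
    Get-EcpVirtualDirectory         -Server $Server_name
    Get-OabVirtualDirectory         -Server $Server_name
    Get-ActiveSyncVirtualDirectory  -Server $Server_name
    Get-WebServicesVirtualDirectory -Server $Server_name
    Get-MapiVirtualDirectory        -Server $Server_name
)
foreach ($vd in $vdirs) { $urls += $vd.InternalUrl, $vd.ExternalUrl }
$urls += (Get-ClientAccessService -Identity $Server_name).AutoDiscoverServiceInternalUri

# 2. Reduce the URLs to hostnames and add the Outlook Anywhere hostnames.
$hostNames = @($urls | Where-Object { $_ } | ForEach-Object { ([uri]"$_").Host })
$oa = Get-OutlookAnywhere -Server $Server_name
$hostNames += "$($oa.InternalHostname)", "$($oa.ExternalHostname)"
$hostNames = $hostNames | Where-Object { $_ } |
             ForEach-Object { $_.ToLower() } | Sort-Object -Unique

# 3. Certificates that are CA-issued, currently valid and enabled for IIS.
$now   = Get-Date
$certs = @(Get-ExchangeCertificate -Server $Server_name | Where-Object {
    "$($_.Services)" -match 'IIS' -and -not $_.IsSelfSigned -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now
})

# Hypothetical helper: exact match, or a wildcard covering one extra label.
function Test-NameCovered {
    param([string]$Name, [string[]]$CertNames)
    foreach ($c in $CertNames) {
        $c = $c.ToLower()
        if ($c -eq $Name) { return $true }
        if ($c.StartsWith('*.')) {
            $suffix = $c.Substring(1)                      # ".example.com"
            if ($Name.EndsWith($suffix)) {
                $label = $Name.Substring(0, $Name.Length - $suffix.Length)
                if ($label -and $label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

# 4. Report, per hostname, which certificate (if any) covers it.
$report = foreach ($h in $hostNames) {
    $match = $null
    foreach ($cert in $certs) {
        # Assumption: each CertificateDomains entry stringifies to the DNS name.
        $names = [string[]]@($cert.CertificateDomains | ForEach-Object { "$_" })
        if (Test-NameCovered -Name $h -CertNames $names) { $match = $cert; break }
    }
    [pscustomobject]@{
        HostName   = $h
        Covered    = [bool]$match
        Thumbprint = $match.Thumbprint
        NotAfter   = $match.NotAfter
    }
}
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Covered }) {
    Write-Warning "At least one configured hostname is not on a valid IIS certificate."
}
```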

Conclusion

In this article, we have discussed how to install Exchange Server 2019 using the graphical user interface and configured the server using the Exchange Admin Center and Exchange Management Shell. In my other three-part article, I have demonstrated how to migrate Exchange Server 2013 to Exchange Server 2019. I have added the links to those articles below. If you are interested in knowing how to install Exchange Server using the command line, that article covers the installation process. You may have some questions or feedback to share with me. Please click the comments below and share your thoughts. I’m so happy to answer your questions.

Migrating Exchange Server 2013 to 2019 Part 1
Migrating Exchange Server 2013 to 2019 Part 2
Migrating Exchange Server 2013 to 2019 Part 3