
Module 3: The Client Access Server

Microsoft | Services

2008 Microsoft Corporation Microsoft Confidential


Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. These materials are intended for distribution to and use only by Microsoft Premier Customers. Use or distribution of these materials by any other persons is prohibited without the express written permission of Microsoft Corporation. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

2010 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Lab 3A: Configuring RPC Client Access


Introduction
In this lab, you will configure RPC Client Access.

Objectives
After completing this lab, you will be able to:
- Configure a Client Access server array.
- Configure Exchange Server to use the Client Access server array for RPC client access.

Prerequisites (if applicable)


Ensure that the AD1DCMCLNT, AD1HC1, and AD1HC2 virtual machines are running.

Estimated time to complete this lab


40 minutes


Exercise 1: Configuring a Client Access Server Array


In this exercise, you will:
- Create the internal DNS entry.
- Set up network load balancing using Windows load balancing.
- Create the Client Access server array.

The first two tasks are network related, and are not related to the third task, which enables Microsoft Exchange Server 2010 to find and use the Client Access server array. The third task creates the array object in Active Directory Domain Services (AD DS) for the Autodiscover service to use when configuring new clients and for database creation to be associated with the Client Access server array. Only one Client Access server array can exist in each Active Directory site.

Scenario
You have two Client Access servers. You wish to combine them into one Client Access server array in an existing environment.

Create the internal DNS entry


1. On AD1DCMCLNT, log on as Contoso\Administrator with password Password1.
2. Click Start, point to Administrative Tools, and then click DNS.
3. Right-click contoso.com, and then select New Host (A).
4. In the New Host dialog box, under Name, type casarray.
5. Under IP address, type 10.0.1.110.
6. Click Add Host.

Set up network load balancing using Windows load balancing


1. On AD1HC1, log on as Contoso\Administrator with password Password1.
2. Execute the following command:
servermanagercmd.exe -install nlb

3. Repeat this step on the AD1HC2 server.
4. On AD1HC1, click Start, point to Administrative Tools, and then click Network Load Balancing Manager.
5. Select Cluster, and then click New.
6. In the Host entry, add AD1HC1 as the first Client Access server, and then click Next.
7. Click Next again.
8. Select the IP address you wish to associate with the array. This is the same IP address you gave the array in your DNS entry (10.0.1.110). Click Add, and then click Next.
9. In the wizard, in Cluster Parameters, do the following, and then click Next.
   A. Specify the fully qualified domain name (FQDN) of the array in the Full Internet name text box: casarray.contoso.com
   B. Select Multicast.
10. In the Port Rules dialog box, accept the defaults, and then click Finish. In the Network Load Balancing Manager, you might see an hourglass by the name of the server you added, but after the server has been configured, you will see the server listed with no hourglass.
11. In the left pane of the Network Load Balancing Manager, click casarray.contoso.com, and then confirm that the status is Converged.
12. Right-click the name of the cluster, and then select Add Host to Cluster.
13. Add the AD1HC2 server, and then accept all of the defaults.
14. You should see the two servers with a Converged status. It might take several minutes for the status to change. If the status does not change, ensure that you selected Multicast. To perform a simple test, try pinging the array name you used in DNS and as the name of the cluster in the Network Load Balancing Manager. You should see a response.

Create the Client Access server array


1. On AD1HC1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Shell.
2. Confirm that you do not have a Client Access server array already configured by executing the following cmdlet:
Get-ClientAccessArray

The cmdlet returns nothing if an array does not yet exist in your environment. If an array already exists, then someone created it and you only need to reconfigure it for the FQDN you created in your DNS entry and network load balancing configuration.
3. Execute the following cmdlet:
New-ClientAccessArray -Fqdn casarray.contoso.com -Site Site1

The array object casarray.contoso.com now exists in AD DS at the following location:

CN=Arrays,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com

The name of the Exchange administrative group may be different if you create the object in an environment with no previous Exchange Server versions. You can view the array object and verify its networkAddress attribute by using ADSIEdit. The networkAddress attribute corresponds to the FQDN.

From this point on, all newly created mailbox databases in this site will be associated with this array. The database creation process pulls the value of the networkAddress attribute from the array object in AD DS and assigns it to the database's RpcClientAccessServer attribute.


Exercise 2: Configuring Exchange Server to Use the Client Access Server Array for RPC Client Access
In this exercise, you will configure existing mailbox databases so that they are associated with the Client Access server array you created in the previous exercise. By default, all mailbox databases are associated with a Client Access server, and the Microsoft Office Outlook client communicates directly with that Client Access server until you update the mailbox database so that it is associated with the Client Access server array. This step is required so that when a user's mailbox is found in AD DS, Exchange Server 2010 knows what to send to the client to connect to the array.

You can check which server a mailbox database is associated with by using the following cmdlet:
Get-MailboxDatabase | fl name,Rpc*

If you have more than one database, you see multiple listings, and the RpcClientAccessServer values could point to different servers.

Scenario
To enable RPC client access to work properly, you must associate your mailbox database with the Client Access server array.

Associate the Client Access server array with existing mailbox databases
1. On AD1HC1, click Start, click Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Shell.
2. Execute the following cmdlet to associate the mailbox database with the Client Access server array:
Set-MailboxDatabase MBXDB01 -RpcClientAccessServer casarray.contoso.com

This cmdlet changes the legacyExchangeDN attribute of the mailbox database. To view this value, use ADSIEdit. The value is stored in the following location:

CN=MBXDB01,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com

After changing the value stored in this attribute, the client knows where the RPC endpoint is located.
3. On AD1DCMCLNT, use Office Outlook to log on to an Exchange Server 2010 mailbox to ensure connectivity. Use the Administrator user account with a password of Password1.

Question A:

View the profile and check whether the Exchange server entry is the Mailbox server or the Client Access server array. What does it point to? ____________________________________________________ ____________________________________________________
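
The following check is an added example, not part of the original lab: it confirms from the Exchange Management Shell that the array object exists, that its name resolves to the load-balanced address, and which mailbox databases still point at an individual server. It assumes the lab values used above (casarray.contoso.com, 10.0.1.110); the variable names are illustrative.

```powershell
# Added example: run in the Exchange Management Shell on AD1HC1.
$arrayFqdn  = 'casarray.contoso.com'   # FQDN created in Exercise 1
$expectedIp = '10.0.1.110'             # NLB cluster address from the DNS task

# 1. The array object must exist in AD DS with the expected FQDN.
$array = Get-ClientAccessArray | Where-Object { $_.Fqdn -eq $arrayFqdn }
if (-not $array) {
    Write-Warning "No Client Access server array with FQDN $arrayFqdn was found."
}

# 2. The array name must resolve to the cluster address, not to a single server.
try {
    $resolved = @([System.Net.Dns]::GetHostAddresses($arrayFqdn) |
        ForEach-Object { $_.IPAddressToString })
}
catch {
    $resolved = @()
}
if ($resolved -notcontains $expectedIp) {
    Write-Warning "$arrayFqdn resolves to '$($resolved -join ', ')', expected $expectedIp."
}

# 3. List every mailbox database and flag those not yet associated with the array.
Get-MailboxDatabase | ForEach-Object {
    New-Object PSObject -Property @{
        Database              = $_.Name
        RpcClientAccessServer = $_.RpcClientAccessServer
        UsesArray             = ($_.RpcClientAccessServer -eq $arrayFqdn)
    }
} | Sort-Object UsesArray, Database |
    Format-Table Database, RpcClientAccessServer, UsesArray -AutoSize
```

Databases listed with UsesArray set to False were created before the array existed and still need the Set-MailboxDatabase step from this exercise.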


Lab 3B: Using the Certificate Wizard


Introduction
You can view all certificate-related operations from the Exchange Management Console after selecting Server Configuration, and then selecting the name of the server you want to modify. In this lab, you will learn how to use the Exchange Server 2010 Certificate wizard. You will use the internal Certificate Authority (CA) to simulate a public CA scenario.

Objectives
After completing this lab, you will be able to:
- Use the Certificate wizard to generate a certificate request.
- Submit a certificate request to the CA.
- Enable and verify a certificate.

Prerequisites
Ensure that the AD1DCMCLNT, AD1HC1, AD1HC2, AD2DCHCM, and AD3DCHCM virtual machines are running.

Estimated time to complete this lab


45 minutes


Exercise: Using the Certificate Wizard


In this exercise, you will:
- Create a new certificate request.
- Submit the certificate request to the Certificate Authority.
- Complete the pending certificate request.
- Enable the certificate for IIS.
- Export the Contoso certificate from AD1HC1 and import it into AD1HC2.
- Import the Contoso certificate to AD1HC2.
- Enable the certificate on AD1HC2.
- Add mail and Autodiscover records to DNS.
- Verify successful certificate installation.

Scenario
You need to provide the certificate requested for the IIS-related services on the Client Access server.

Create a new certificate request


1. On AD1HC1, click Start, click Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.
2. In the console tree, click Server Configuration.
3. Select AD1HC1 from the middle pane. By default, there is a self-signed certificate already created for this server. You are attempting to create a new non-self-signed trusted certificate.
4. In the Actions pane, click New Exchange Certificate.
5. In the wizard, on the Introduction page, enter Contoso as the name for the certificate, and then click Next.
6. Leave the Enable wildcard certificate checkbox unchecked, and then click Next.
7. On the Exchange Configuration page, click the dropdown arrow to expand each section of the configuration.
8. Check the following checkboxes and specify the following domains, and then click Next.

   Client Access Server (Outlook Web App)
   - Outlook Web App is on the Intranet (mail.contoso.com)
   - Outlook Web App is on the Internet (mail.contoso.com)

   Client Access Server (Exchange ActiveSync)
   - Exchange Active Sync is enabled (mail.contoso.com)

   Client Access Server (Web Services, Outlook Anywhere, and Autodiscover)
   - Exchange Web Services is enabled
   - Outlook Anywhere is enabled (mail.contoso.com)
   - Autodiscover used on the Internet (Long URL) (autodiscover.contoso.com)

   Legacy Exchange Server
   - Use legacy domains (legacy.contoso.com)

9. In the Certificate Domains page, verify that mail.contoso.com is set as the common name, and then click Next.
10. In the Organization text box, type Contoso, and then in the Organization Unit text box, type Contoso.
11. Fill in the Country, City, and State text boxes as appropriate.
12. Click Browse, and then select Desktop.
13. Name the certificate request Contoso Certificate Request.req.
14. Click Save, click Next, and then click New. After the request has been created, you are provided with instructions for the next steps.
15. Click Finish, and then minimize the Exchange Management Console.

Submit the certificate request to the Certificate Authority


1. On AD1DCMCLNT, click Start, and then click Run.
2. Type https://AD1DCMCLNT/CERTSRV, and then press ENTER.
3. Click Request a certificate, and then click Advanced certificate request.
4. Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or click Submit a renewal request by using a base-64-encoded PKCS #7 file.
5. Minimize Windows Internet Explorer.
6. Copy the certificate request file from the local disk of server AD1HC1 to AD1DCMCLNT, and then open the certificate request file in Notepad.
7. Select and copy the content of the file.
8. Maximize Internet Explorer, and then paste the content into the Saved Request field.
9. In the Certificate Template dropdown box, select Web Server.
10. Click Submit, and then, if prompted, click Yes.
11. Click Base 64 encoded, and then click Download certificate.
12. Save the certificate to the desktop with the name certnew.cer.

Complete the pending certificate request


1. Maximize the Exchange Management Console.
2. Ensure that Server Configuration and AD1HC1 are selected.
3. On the Exchange Certificate tab, ensure that Contoso is selected.
4. Click Complete Pending Request, click Browse, and then browse to certnew.cer on the desktop.
5. Click Complete, and then click Finish.

Enable the certificate for IIS


1. Click Assign Services to Certificate.
2. Verify that AD1HC1 appears in the Selected Servers window, and then click Next.
3. Select the IIS option, and then click Next.
4. Click Assign, and then click Finish.

Export the Contoso certificate from AD1HC1 and import it into AD1HC2
1. Click Export Exchange Certificate, click Browse, and then select c:\.
2. Save the certificate with the name Exported Contoso Certificate.pfx.
3. Enter the password Password1.
4. Click Export, and then click Finish.

Import the Contoso certificate to AD1HC2


1. In the Exchange Management Console, in the middle pane, select AD1HC2.
2. Click Import Exchange Certificate.
3. Browse to Exported Contoso Certificate.pfx on the desktop, and then click Open.
4. Enter the password P, and then click Next.
5. In the Select Servers window, verify that AD1HC2 is listed, and then click Next.
6. Click Import, and then click Finish.


Enable the certificate on AD1HC2

Enable IIS for the certificate that you have just imported on AD1HC2 using the same steps as you performed for the AD1HC1 server.

Add mail and Autodiscover records to DNS


1. On AD1DCMCLNT, click Start, point to Administrative Tools, and then click DNS.
2. Browse to Forward Lookup Zones | Contoso.com.
3. Right-click contoso.com, and then click New Host (A or AAAA).
4. Under Name, type mail, and then under IP Address, type 10.0.1.110.
5. Click Add Host.
6. Follow the same procedure to add the Autodiscover A record to DNS.
7. Click Done.

Verify successful certificate installation


1. On AD1HC1, click Start, and then click Run.
2. Type https://mail.contoso.com/owa.
3. In Internet Explorer, click the lock icon, and then click View Certificates.
4. Verify the following:
   A. Certificate was issued to mail.contoso.com.
   B. Certificate was issued by contoso-AD1DCMCLNT-CA.
5. In the Details tab, click Subject Alternative Name, and then verify that mail.contoso.com, autodiscover.contoso.com, and legacy.contoso.com are listed.
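
The same verification can be scripted so that it is repeatable on both Client Access servers. The following is an added example, not part of the original lab: it reads the certificate presented on port 443 and checks the subject, the issuer, the subject alternative names, the validity period, and the result of Windows chain and name validation. It assumes an English-language Windows installation (the SAN extension is parsed from its "DNS Name=" text form); the function and variable names are illustrative.

```powershell
# Added example, not part of the original lab. Expected values are the lab's own.
$hostName     = 'mail.contoso.com'
$expectedCA   = 'contoso-AD1DCMCLNT-CA'
$expectedSans = 'mail.contoso.com', 'autodiscover.contoso.com', 'legacy.contoso.com'

# Record the TLS policy result but let the handshake finish, so that a
# failing certificate can still be inspected instead of aborting the check.
$script:tlsErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($source, $certificate, $chain, $errors)
    $script:tlsErrors = $errors
    $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($hostName, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($hostName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    $tcp.Close()
}

# Subject Alternative Name extension (OID 2.5.29.17), parsed from its text form.
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
$sans    = @([regex]::Matches($sanText, 'DNS Name=([^,\s]+)') |
    ForEach-Object { $_.Groups[1].Value })
$missing = @($expectedSans | Where-Object { $sans -notcontains $_ })

function New-Check($name, $passed, $detail) {
    New-Object PSObject -Property @{ Check = $name; Passed = [bool]$passed; Detail = $detail }
}

$subjectCN = $cert.GetNameInfo('SimpleName', $false)
$issuerCN  = $cert.GetNameInfo('SimpleName', $true)
$now       = Get-Date

@(
    New-Check 'Issued to'              ($subjectCN -eq $hostName)   $subjectCN
    New-Check 'Issued by'              ($issuerCN -eq $expectedCA)  $issuerCN
    New-Check 'Expected SANs present'  ($missing.Count -eq 0)       ('missing: ' + ($missing -join ', '))
    New-Check 'Within validity period' (($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)) $cert.NotAfter
    New-Check 'Chain and name trusted' ($script:tlsErrors -eq 'None') $script:tlsErrors
) | Format-Table Check, Passed, Detail -AutoSize
```

Because mail.contoso.com resolves to the load-balanced address, run the check more than once or against each server name to confirm that AD1HC1 and AD1HC2 present the same certificate.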


Question B:
What cmdlet and parameters did the Certificate wizard use to create your request?
__________________________________________________
__________________________________________________
__________________________________________________

Question C:
What cmdlet and parameters did the Certificate wizard use to complete the pending request?
____________________________________________________
____________________________________________________
____________________________________________________

Question D:
What cmdlet and parameters did the Certificate wizard use to assign services to the certificate?
____________________________________________________
____________________________________________________
____________________________________________________

Question E:
Is it possible to create a self-signed certificate by using the Certificate wizard, or do you have to use a cmdlet in the Exchange Management Shell?
____________________________________________________
____________________________________________________
____________________________________________________

Question F:
After creating a certificate that includes a legacy URL, how would you install the certificate on an Exchange Server 2007 Client Access server? Describe the basic steps.
____________________________________________________
____________________________________________________
____________________________________________________

Question G:
When using cmdlets to import or export certificates on Exchange Server 2010, which parameter do you have to use so that you can access a certificate file located on the local hard drive?
____________________________________________________
____________________________________________________
____________________________________________________

Question H:
Why has accessing files changed?
____________________________________________________
____________________________________________________
____________________________________________________


Lab 3C: Configuring and Testing MailTips in Exchange Server 2010


Introduction
MailTips are implemented through Exchange Web Services, which runs on the Client Access server role. Other programs such as Outlook can retrieve MailTips. In this lab, you will configure and test the MailTips functionality within Exchange Server 2010.

Objectives
After completing this lab, you will be able to:

- Configure organizational MailTips.
- Configure customized MailTips.
- Test MailTips.

Prerequisites
Ensure that the AD1DCMCLNT, AD1HC1, and AD1HC2 virtual machines are running.

Estimated time to complete this lab


60 minutes


Exercise 1: Configuring MailTips


In this exercise, you will:

- Enable all MailTips for the organization.
- Enable mailbox-based MailTips.
- Enable all MailTips for external recipients.
- Configure the minimum size after which the large audience MailTips will be displayed.
- Enable group metrics MailTips.
- Force an update of the group metrics.

Scenario
Contoso, Ltd. is required to provide informational guidance to users while the users are composing email messages. This guidance will be provided in the form of MailTips, which will test various conditions and provide additional guidance to users.

Enable all MailTips for the organization


1. On AD1HC1, click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Shell.
2. At the prompt, execute the following cmdlet:
Set-OrganizationConfig -MailTipsAllTipsEnabled $true

Enable mailbox-based MailTips

At the prompt, execute the following cmdlet:


Set-OrganizationConfig -MailTipsMailboxSourcedTipsEnabled $true

Enable all MailTips for external recipients

At the prompt, execute the following cmdlet:


Set-OrganizationConfig -MailTipsExternalRecipientsTipsEnabled $true

Configure the minimum size after which the large audience MailTip will be displayed

At the prompt, execute the following cmdlet:


Set-OrganizationConfig -MailTipsLargeAudienceThreshold 10

Enable group metrics MailTips

At the prompt, execute the following cmdlet:


Set-OrganizationConfig -MailTipsGroupMetricsEnabled $true

Force an update of the group metrics


1. At the prompt, execute the following cmdlet:
Update-FileDistributionService -Identity AD1HC1 -Type GM

2. On AD1HC1, click Start, click Computer, and then navigate to C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\GroupMetrics.
3. Verify that the group metrics files were placed into the folder.
4. Close Windows Explorer.

Note: The Mailbox server running OABGen generates the group metrics files every 24 hours by default. The files are then placed in a share called \\mailboxserver\GroupMetrics. The Exchange File Distribution service, running on the Client Access server, connects to this share and copies the group metrics information locally to the Client Access server. If you cannot see the updated group metrics files on the Client Access server AD1HC1, restart the Exchange Service Host service on the Mailbox server AD1DCMCLNT, and verify that the group metrics files were updated in \\AD1DCMCLNT\GroupMetrics. Then run the Update-FileDistributionService command above again.


Exercise 2: Testing MailTips


In this exercise, you will:

- Restrict a user from sending to a mailbox.
- Test sending to a restricted mailbox.
- Set a quota on a mailbox.
- Test sending to a mailbox that is over quota.
- Test sending to an external recipient.
- Remove a quota on a mailbox.

Scenario
After enabling MailTips in your Exchange Server 2010 environment, you need to confirm that MailTips is working as expected.

Restrict a user from sending to a mailbox

On AD1HC1, at the prompt, execute the following cmdlet:


Set-Mailbox AZubery -RejectMessagesFromSendersOrMembers Administrator

Test sending to a restricted mailbox


1. Log on to Outlook Web App at https://ad1hc1/owa as Contoso\Administrator with password Password1.
2. Click New E-mail, on the To line, type AZubery, and then on the task pane, select Check Name.

Question I:
Does a MailTip appear?
____________________________________________________

Question J:
If yes, what message appeared?
____________________________________________________

Question K:
Why did the message appear?
____________________________________________________
____________________________________________________

3. Close the email, and then click No when prompted to save changes.

Set a quota on a mailbox


1. On AD1HC1, at the prompt, execute the following cmdlet:
Set-Mailbox DAhsy -UseDatabaseQuotaDefaults $false -ProhibitSendReceiveQuota 8KB

2. At the prompt, execute the following cmdlet:
Get-Mailbox DAhsy | FL Prohibit*

3. Ensure the quota was set for DAhsy's mailbox.
4. On AD1DCMCLNT, at the prompt, execute the following cmdlet:
Restart-Service MSExchangeIS

Test sending to a mailbox that is over quota


1. Switch to Outlook Web App and log in as Administrator.
2. Click New E-mail, on the To line, type DAhsy, and then in the task pane, select Check Name.

Question L:
Do you see a MailTip?
____________________________________________________

Note: You should see a MailTip. If you do not, send mail to DAhsy several times until a MailTip displays. Include an attachment to help fill the mailbox quota more quickly.

Question M:
What does the MailTip say?
____________________________________________________
____________________________________________________

3. Close the email message, and then click No when prompted to save changes.

Test sending to an external recipient


1. In your Outlook Web App session, click New E-mail, and then in the To field, enter User@external.com.

Question N:
Wait for the MailTip to appear indicating that the email includes external recipients. What does it say?
____________________________________________

2. Close the email, and then click No when prompted to save changes.
3. Exit Outlook Web App.

Remove a quota on a mailbox


1. On AD1DCMCLNT, at the prompt, execute the following cmdlet:
Set-Mailbox DAhsy -UseDatabaseQuotaDefaults $true -ProhibitSendReceiveQuota Unlimited

2. At the prompt, execute the following cmdlet:
Stop-Service MSExchangeIS

3. After the service has stopped, execute the following cmdlet:
Start-Service MSExchangeIS

Question O:

If you wanted to set a MailTip for a specific user or distribution group, what cmdlet and parameters would you run?
____________________________________________________
____________________________________________________
____________________________________________________
