Welcome to Deploying a Working Microsoft Exchange Lab in Azure!

In this free 9-part lab series, you will complete a set of guided lab tasks that will allow you to build out a basic, yet working, Exchange 2016 Organization that’s hosted completely in Azure. You will build out a single Windows Server 2016 Active Directory domain that is hosted on a domain controller called DC01, that runs on a virtual machine in Azure. An Exchange 2016 server, called EX01 (also a VM running in Azure), will be deployed to the Active Directory. The Exchange organization, which will be called “Exchange Lab” will accept mail for a single internet-routable email domain, called labtest365.com.

The entire environment will reside entirely in Azure. As such, due to Azure restrictions, the Exchange server WILL NOT be able to send emails out to the internet. However, the Exchange server WILL be able to RECEIVE internet emails, as well as send and receive internal emails (internal to the Exchange org).

Throughout this lab, you will:

  • Deploy and Secure a Virtual Network and Subnet in Azure
  • Deploy Two Virtual Machines in Azure (DC01 and EX01)
  • Configure Custom DNS in Azure
  • Deploy and Configure Active Directory on the DC01 Virtual Machine
  • Install Exchange Prerequisites on the EX01 Virtual Machine
  • Deploy and Configure Exchange on the EX01 Virtual Machine
  • Install a Public Certificate on the EX01 Server
  • Configure Public and Internal Split-DNS for Mail Functionality
  • Confirm Email Functionality


While the primary intent of this multi-part lab (which has been excerpted from our paid video-based version of the lab) is to teach you how to deploy Microsoft Exchange, you can also use this lab as a foundation for our larger lab, entitled Performing a Full-Hybrid Exchange Migration to O365

Lab Diagram

The diagram below depicts what the final Exchange lab will look like. We’ll deploy two virtual machines in an Azure resource group called ExchangeLab. The virtual machines will be called DC01 and EX01, and they will be deployed to a virtual network with an address space of 10.1.0.0/16, on a subnet with an address range of 10.1.0.0/24. The virtual network will be called LabNetwork and the subnet will be called LabSubnet.

Port 3389 (RDP) will be opened to both VMs from the student’s workstation only. Ports 25, 443, and 8080 will be opened from the Internet to EX01.

The email domain we will use throughout this lab is labtest365.com, so the external access domain and Autodiscover records will be mail.labtest365.com and autodiscover.labtest365.com, respectively.

The Active Directory forest that we deploy will be called labtest365.local.


DEPLOY AZURE RESOURCES

Before deploying resources to support the Exchange lab, you must first deploy a resource group in Azure. The resource group will contain all the Azure resources that comprise the lab. In this lab task, we’ll provision a resource group called ExchangeLab.

Complete the Following Tasks:

  • Login to the Azure portal and click on Dashboard in the left pane.
  • From the dashboard, click +New dashboard along the top to create a clean dashboard for the lab resources.
  • Name the dashboard “Exchange Lab” and save it. Creating a dashboard will allow you to more easily access the lab resources throughout the lab.
  • Create a resource group by clicking Resource Groups in the left pane, and then, from the resource groups pane, clicking +Add.
  • In the resource group pane that opens, name the resource group “ExchangeLab” and select a subscription to provision it in. Most people put this in their pay-as-you-go subscription that they provisioned just for this lab, but you can put it where you wish.
  • Select Central US from the resource group location drop-down box, check the Pin to Dashboard box, and then click Create.


The resource group might take a few seconds to create. Once it is created, you see the resource group on the Azure portal dashboard.

Deploy Virtual Network

To allow the Azure virtual machines to communicate with each other and with the internet, a virtual network needs to be created. In this lab task, we will create a virtual network called LabNetwork that contains a subnet called LabSubnet.

Complete the Following Tasks:

  • Click Create a Resource in the left pane.
  • Click Networking, and then Virtual Network.
  • Provide the following information:
    • Name:  LabNetwork
    • Address space:  1.0.0/16
    • Subscription:  Choose Your Subscription
    • Resource Group:  ExchangeLab
    • Location:  Central US
    • Subnet Name:  LabSubnet
    • Subnet Address Range:  1.0.0/24


Leave the remaining values at their default settings and then click Create.

If you need additional assistance with this lab, you can enroll in the full, video-based version here.


DEPLOY VIRTUAL MACHINES

The Exchange lab requires two virtual machines. One will serve as the domain controller and the other will host Exchange. In this lab, you’ll deploy the virtual machine that will ultimately serve as the domain controller.

Complete the Following Tasks:

  • Ensure your lab dashboard is open.
  • Click Create a Resource in the left pane.
  • Click Compute, and then click Windows Server 2016 Datacenter
  • Create a virtual machine and call it DC01. Set its size to Standard DS1v2 and create an admin account called labadmin.
  • Create and attach a 10GB non-cached data disk and attach it to the virtual machine.
  • Connect the new virtual machine to the LabSubnet on the LabNetwork, leave the public IP option at the default
  • Allow RDP access to the VM.


Set DC01 Private IP to Static

Because the DC01 virtual machine is going to function as a domain controller and also provide DNS services for the active directory domain, you need to make sure that the internal IP address never changes. This is necessary because in azure, by default, IPs are given out via DHCP from Azure. If you don’t set the private IP to static, it could change later on, and break AD and DNS.

Complete the Following Tasks:

  • Click on the new VM in the dashboard to view its overview page.
  • Click on Networking in the left pane
  • Click on the network interface.
  • Click IP configurations and then click on the private IP address.
  • Set the private IP address to Static and then click Save.

These steps ensure that the private IP address never changes, even when the VM is restarted through the azure portal.

Prepare Data Disk for Use

Once the domain controller VM comes up, you need to prepare the data disk that you attached when you created the virtual machine. This data disk will be used to host Active Directory.

Complete the Following Tasks:

  • Login to the virtual machine
  • Launch the Disk Management console.
  • Initialize the data disk.
  • Format the data disk.


Deploy Exchange VM

At this point, you can deploy the virtual machine that will function as the Exchange server. The virtual machine that you deploy should be sized to “DS3v2” so that the Exchange install can run without running out of resources. You can always resize the VM smaller AFTER Exchange has been installed.

Complete the Following Tasks:

  • Deploy a DS3v2 virtual machine and call it EX01.
  • Configure a NIC-scoped Network Security Group to open ports 25, 443, and 80 to the VM from the Internet.
  • Ensure RDP is opened so you can manage the VM.
  • Deploy the Exchange VM to the LabSubnet on the LabTest
  • Set the public IP address for the VM to Static.


Set EX01 Private IP to Static

Because the EX01 virtual machine is going to function as an Exchange server, you need to make sure that the internal IP address never changes. This is necessary because in Azure, by default, IPs are given out via DHCP. If you don’t set the private IP to static, it could change later on, and break Exchange.

Complete the Following Tasks:

  • Stop the Exchange VM
  • Click on Networking in the left pane and then click on the network interface.
  • Click IP Configurations
  • Click on the private IP address.
  • Set the private IP address to Static and then click Save.


This ensures that the private IP address never changes, even when the VM is restarted through the azure portal.


DEPLOY ACTIVE DIRECTORY

At this point, you need to stand up an Active Directory forest to host the Exchange organization. In this lab, you will install the Active Directory Domain Services on the DC01 virtual machine.

Complete the Following Tasks:

  • RDP into the DC01 virtual machine.
  • Launch Server Manager.
  • Click on Add Roles and Features, then click Nextwhen the wizard opens.
  • Keep the defaults and then click Next.
  • Choose the Role-Based option and then click 
  • Ensure the DC01 server is selected in the Server Selection screen and click Next.
  • In Server Roles, check the box for Active Directory Domain Services.
  • When prompted to install associated features for the role, click on Add Features.
  • Click Next to continue.
  • Don’t make any changes on the features page, and then click 
  • From the AD DS screen, simply click Next.
  • On the Confirmation screen, check the box to reboot if necessary and then click 


Once installation completes, you are ready to move onto the next step.

Promote DC01 to a Domain Controller

Once installation of AD Domain Services completes the server needs to be promoted to a Domain Controller. In this lab, you will promote the DC01 virtual machine to a domain controller in an Active Directory forest.

Complete the Following Tasks:

  • Click Promote this Server to a Domain Controller.
  • Create a new forest. Use the domain name that you registered with GoDaddy, but use a .local extension. 
  • Click Nextand then provide a DSRM password.
  • Ignore the DNS delegation message and, for the NETBIOS name, keep the default value.
  • When prompted to configure paths for the NTDS, SYSVOL and LOG file folders, store them on the data disk that you attached to the virtual machine earlier.
  • After the machine is promoted, it will restart automatically. When it comes back up, login as “labadmin“.


Note: Using a .local (or any other non-routable domain name) for AD is no longer a recommended practice. However, we are using one in this lab so that you can use this lab as the foundation for the Full-hybrid lab, if you wish to take that later.

Configure Site in Active Directory

If you’re going to configure a lab environment, you might as well do it correctly. As such, you need to properly configure Active Directory Sites and Services, now that the Domain Controller is up and running. In this lab, you’ll configure the default AD site to properly reflect the deployed subnet address range.

Complete the Following Tasks:

  • Logon to the DC and launch the AD Sites and Services
  • Create a new subnet in AD Sites and Services that represents the address range that reflects that of the LabSubnet.
  • Rename the Default-First-Site-Namesite to something like 
  • Assign the new subnet to the site.


When you’ve completed the steps above, continue on to the next step below.

Configure Custom DNS on Virtual Network

Virtual machines that connect to a virtual network will register with the DNS servers that are specified for the virtual network. They will also use the specified DNS server for name resolution. Since your VMs will need to be able to resolve the AD domain, you’ll need to specify custom DNS servers for the virtual network that your VMs are attached to.

Complete the Following Tasks:

  • Click on the LabNetwork vNet from the dashboard.
  • Click on DNS Servers.
  • Check the radio button for Custom and specify the internal IP address of the DC01 virtual machine. It should be something like 10.1.0.x.
  • Save the custom DNS settings for the vNet and then restart both the DC01 and EX01 virtual machines so they pick up the new DNS.


If you need additional assistance with this lab, you can enroll in the full, video-based version here.


INSTALL EXCHANGE SERVER

Before installing Exchange on the EX01 server, the server must be joined to the AD domain. In this lab, you’ll join the EX01 virtual machine to the Active Directory domain.

Complete the Following Tasks:

  • RDP into the EX01 server and launch Server Manager.
  • Click on the Workgroup.
  • Choose the option to join a domain.
  • Specify the Active Directory domain name that you used when you deployed Active Directory.
  • Restart the machine when prompted.


When you’ve completed the steps above, continue on to the next step below.

Install Exchange Server Prerequisites on EX01

The Exchange server in this lab will host the Mailbox server role. However, before installing the Mailbox Role, we need to install several prerequisites that support the Mailbox Role. In this lab, you’ll install the necessary Exchange prerequisites on EX01.

Complete the Following Tasks:

  • RDP into the virtual machine and launch an elevated (run as administrator) PowerShell console.
  • Run the command below to install the operating system roles and features that are necessary for Exchange Server 2016:
    • Install-WindowsFeature NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS
  • After installing the prerequisites above, install the following software, in order:


If prompted to reboot during the install process, do so.

Prepare Active Directory for Exchange

The initial installation of Exchange in an AD environment requires an Active Directory schema update. Since your lab doesn’t have an existing Exchange server installed, you’ll need to prepare AD before installing Exchange. You’ll prepare AD for Exchange 2016 in this lab.

Complete the Tasks Below:

  • Search for “exchange 2016 cu11 download” and download the Exchange 2016 CU11 ISO to the EX01 virtual machine.
  • Mount the ISO as a drive on the EX01 server (right-click the ISO file and click Mount).
  • Open an elevated command prompt as an admin and switch to the mounted ISO drive.
  • Run the command below:
    • setup /PrepareAD /OrganizationName:”Exchange Lab” /IAcceptExchangeServerLicenseTerms


Setup will launch but it won’t actually install Exchange. It will simply update the AD schema.

Install Exchange Server on EX01

After preparing Active Directory, Exchange can be installed on the EX01 server. For this project, you will install just the Mailbox server role, since it contains all the components required to run an Exchange Server 2016 server. You can, optionally, install the Edge Transport role, but that is not a mandatory role and is not used in this lab.

Complete the Following Tasks:

  • Launch an elevated command prompt on the EX01 server.
  • Run setup /Mode:Install /Role:Mailbox /IAcceptExchangeServerLicenseTerms


The installation process is SLOW. Let it do its thing. After setup completes, restart the server.

Resize the EX01 Virtual Machine

To save on costs, you can try resizing the EX01 virtual machine down, once Exchange has been installed. Personally, I’ve had mixed results with running Exchange on anything smaller than a DS3v2 virtual machine, but to save costs, it can’t hurt to try and size things down a bit. In this lab, you’ll resize the EX01 virtual machine to something smaller.

Complete the Following Tasks:

  • Click on the EX01 virtual machine in the dashboard.
  • Click on Size in the left pane.
  • Choose a size that offers at least two CPUs and 8GB of RAM (I suggest avoiding the burstable B-series virtual machines).
  • Reboot the VM if prompted to do so.


When the resize completes, ensure that all Exchange services are running as expected and that you can access the EAC.  If you can’t, choose a larger size.

If you need additional assistance with this lab, you can enroll in the full, video-based version here.


CONFIGURE MICROSOFT EXCHANGE

To configure the new Exchange server to receive mail, you first need to add an accepted domain. In this exercise, you’ll add the domain that you registered with GoDaddy.

Complete the Following Steps:

  • Launch the Exchange Admin Center and click on Mail Flow.
  • Click Accepted domains.
  • Click 
  • In the New accepted domain window that opens, provide the following information:
    • Name: the domain name that you registered with GoDaddy 
    • Accepted domain: the domain name that you registered with GoDaddy 
    • This domain is: Select Authoritative
  • When you’re finished, click Save.


When you’ve completed the steps above, continue on to the next step below.

Create Send Connector

When install your first Exchange Server 2016 or Exchange 2019 server, the server isn’t able to send mail outside of your Exchange organization. To send mail outside your Exchange organization, you need to create a Send connector. Although Azure restrictions prevent a VM from sending SMTP traffic out, the server should still be configured correctly – and this includes a send connector.

Complete the Following Steps:

  • Log into the EAC.
  • Click Mail Flow and then Send Connectors. 
  • Click Add to launch the New Send Connector Once the wizard launches, provide the following information:
    • Name: Outbound to Internet
    • Type: Internet
  • Click Next.
  • On the next page, verify that MX record associated with recipient domain is selected.
  • When you’re finished, click Next.
  • In the Address Space section, enter an asterisk (*), so that the Send connector applies to all messages addressed to all external domains.
  • Select the EX01 server as the “Source Server” for the send connector.
  • Click Add, click OK, and then click Finish


After you create the send connector, it appears in the send connector list. 

Configure E-Mail Address Policy

To ensure mailboxes created in Exchange get an email address that matches the accepted domain, you need to modify the default email address policy so that it stamps mailboxes with the email domain. In this exercise, you’ll modify the default email address policy in Exchange.

Complete the Following Steps

  • Log on to the Exchange Admin Center (EAC)and click Mail Flow in the left pane.
  • Click on the email address policies
  • Select the default policy and then click the Edit 
  • Click Add to add new email address format.
  • Choose, from the dropdown box, the accepted domain that you added earlier.
  • Choose the [email protected] option for the email address format
  • Check the box next to Make this format the reply email address, and then click Save.
  • Click Apply to apply the policy and then confirm that the mailboxes are stamped with your registered domain name.


When you’ve completed the steps above, continue on to the next step below.

Configure Virtual Directory URLs

After installing Exchange, various virtual directory URLs must be configured, because Exchange uses these URLs to provide various Exchange services. Each virtual directory has a different URL that can be the same or different for internal users vs external users. Because you are using a split DNS in this lab, you’re going to configure the internal and external URLs to be the same. This is a common configuration.

Before configuring the URLs, you need to decide what name you want to use to access exchange, both internally and externally. For this lab, you are going to access Exchange via a FQDN of mail.labtest365.com internally and externally. The virtual directories we are most concerned with are OWA, ActiveSync, Autodiscover, ECP and Outlook Anywhere.

Complete the Following Steps to Configure the External Access Domain:

  • Launch the EAC and click on Servers, in the left pane
  • Click Virtual Directories, in the top menu bar. 
  • Click on the wrench icon and add EX01.
  • Enter labtest365.com in the domain name field. 


Complete the Following Steps to Configure the Virtual Directory URLs:

  • Double-click on OWA in the list. 
  • Copy the value from the External URL field into the Internal URL field and save the settings.
  • Repeat the process for the remaining URLs (ECP, ActiveSync, OAB, and EWS).


When you’ve completed the steps above, continue on to the next step below.

Configure Outlook Anywhere

Exchange 2016 now uses MAPI over HTTP protocol by default. Outlook Anywhere, which is RPC over HTTP, is used as a fallback method if clients don’t support MAPI over HTTP. The Outlook anywhere feature is used by outlook to connect to an Exchange server over the Internet. In this exercise, you’ll configure Outlook Anywhere.

Complete the Following Tasks:

  • Click on Servers in the EAC.
  • Double-click the EX01 server.
  • Click on Outlook Anywhere.
  • Set both the internal and external URLs to labtest365.com.
  • Click Save.

When you’ve completed the steps above, continue on to the next step below.

Configure MAPI over HTTP

After configuring Outlook Anywhere, we need to configure the MAPI over HTTP URL. The MAPI over HTTP URL can only be configured via the Exchange Management Shell.

Complete the Following Steps:

  • Launch the Exchange Management Console on the EX01 server and run the following command:
    • Set-MapiVirtualDirectory -Identity “EX01\mapi (Default Web Site)” -InternalUrl https://mail.labtest365.com/mapi -ExternalUrl https://mail.labtest365.com/mapi -IISAuthenticationMethods Negotiate
  • Verify the MAPI URLs by running following command:
    • Get-MapiVirtualDirectory -Identity ” EX01\mapi (Default Web Site)” | fl server, internalurl, externalurl

If you need additional assistance with this lab, you can enroll in the full, video-based version here.


CONFIGURE DNS

Before you can begin using Exchange, DNS needs to be configured to support it. In this lab, you’ll modify public DNS to support Exchange.

Complete the Following Tasks:

  • Login to the public DNS management console for your domain.
  • Create a HOST record in public DNS that points mail.labtest365.com at the public IP address of the EX01 server.
  • Create a CNAME record that points autodiscover.labtest365.com at the HOST record that you created.


The changes we make will facilitate mail delivery to the Exchange server while facilitating Outlook connectivity to the Exchange server as well.

Configure Internal DNS

In much the same manner that public DNS was configured, you need to configure the internal Active Directory DNS to support the Exchange organization as well. Because you are using a .local domain name in this lab, you’ll need to setup split-DNS in our AD DNS environment. I did this intentionally because you are likely to see this type of DNS configuration in the real world.

Complete the Following Tasks to Create a Forward Lookup Zone in AD DNS:

  • Launch the DNS console on the domain controller.
  • Right-click Forward Lookup Zonesand create a new forward lookup zone.
  • Name the zone so it matches the email domain that you registered and check the box to store the zone in Active Directory.


Once you’ve provisioned the new zone, you need to add two DNS records to it. You need to add a HOST record and a CNAME record, just like you did when you configured public DNS. However, instead of pointing the HOST record (mail.labtest365.com) at the public IP address of the Exchange server, you need to point it at the private IP address. The CNAME record is created in the same way that it was created in public DNS.

Complete the Following Tasks to Add the Necessary Internal HOST Record:

  • Expand the newly-created zone.
  • Create a new DNS record by right-clicking on an empty space in the right pane.
  • Create a new “host” record, or “A” record and call it mail.
  • Point the new host record at the private IP address of the EX01 server.
  • Click Add Host.
  • Click OK and then Done.


Complete the Following Tasks to Add the Necessary Internal CNAME Record:

  • Right-click an empty space and create a new record.
  • Choose CNAME record and call it Autodiscover.
  • Point the new CNAME record to youremaildomain.com.
  • Click OK to create the record.


Making these changes won’t have any real visible impact on the lab’s functionality, but it is the proper way to configure split-DNS. In a production environment, what this would do, is ensure all workstations on the local LAN (that use AD DNS resolution) resolve mail.labtest365.com and autodiscover.labtest365.com to the INTERNAL address of the Exchange server, rather than taking people OUT of the local network and back in.

Create MX Record

To allow email to flow into the Exchange organization from the internet, you need to create an MX record in public DNS. The MX record that you create needs to point to the public IP for the Exchange server.

Complete the Following Tasks:

  • Login to the DNS manager for the email domain’s public DNS.
  • Copy the FQDN (youremaildomain.com) that points to the public IP of the Exchange server.
  • Create a new MX record in DNS and set the Host value to @
  • In the Points To field, paste in the FQDN that you copied.
  • Save the change and wait a few minutes.


After waiting for a few minutes, confirm that the MX record is being seen by performing an MX lookup for the email domain, using mxToolbox.

If you need additional assistance with this lab, you can enroll in the full, video-based version here.


INSTALL A CERTIFICATE

In this lesson, you’re going to create a certificate request on the Exchange server so you can use an actual third-party trusted certificate. After all, this is what’s used in production environments. Once you have the certificate request created, you’ll move into the next lesson, were you’ll purchase a cert from Sectigo and then install it on the exchange server.

What you’ll do, is create a certificate request from within the Exchange Admin Center – and then supply the information from the certificate request to Sectigo, so they can provide you with a working certificate.

Complete the Following Tasks:

  • Launch the EAC and navigate to Servers and then Certificates.
  • In the Select server list, select the Exchange server where you want to install the certificate, and then click Add.
  • The New Exchange certificate wizard opens.
  • Verify that Create a request for a certificate from a certification authority is selected, and then click Next.
  • On the Friendly name for this certificate page, provide a descriptive name for the certificate, and then click Next.
  • Leave the wildcard checkbox unchecked and click Next.
  • In the Store certificate request on this server page, click Browse and select the EX01 server.
  • Click OK, and then click Next.
  • Click Next on the Specify the domains you want to be included in your certificate
  • Remove all names except for labtest365.com, autodiscover.labtest365.com, and labtest365.com.
  • Click Next.
  • Provide your Organization Name, Department Name, a City or Locality, a State or Province, and a Country or Region name.
  • Click Next.
  • On the Save the certificate request to the following file page, provide a UNC path and filename for the certificate request. (for example, EX01\c$\ExchCertRequest.req)
  • Click Finish.


You can see now that the certificate request appears in the list of Exchange certificates with a status value of Pending. In the next lesson, you’ll provide this cert request to Sectigo so they can generate a cert for you.

Purchase Certificate

Since you’re purchasing a certificate for a lab environment, you don’t want to go broke doing so. That said, what I do for my lab environments is use gogetssl.com to find the cheapest UCC or multi-domain cert I can find. GoGetSSL usually has them for as low as 20 bucks or so.

Once you purchase the Sectigo cert from GoGetSSL, you’ll use the certificate request that you generated earlier to create and download the actual certificate. Feel free to purchase a multi-domain or UCC certificate from wherever you wish. However, if you want to follow along with this lab, purchase a cert from Sectigo/Comodo through GoGetSSL. 

Verify Domain and Create Certificate

As part of the certificate purchase process, you’ll need to validate ownership of your email domain before the certificate provider will generate a certificate for you. For this lab, we purchased our certificate from GoGetSSL / Sectigo. If you do the same, you’ll need to verify domain ownership before they release the certificate to you. Follow their instructions for domain verification.

Complete Certificate Request

After obtaining the certificate from Sectigo, you need to complete the certificate request on the Exchange server so that you can assign the new certificate to the Exchange services.

Complete the Following Tasks:

  • Launch the EAC and browse to Servers and then 
  • In the Select Server list, select the EX01 server. You’ll see the pending request that you created earlier.
  • Click the Complete
  • On the Complete Pending Request page that opens up, in the File to Import From field, enter the UNC path and filename for the certificate file. 
  • After entering the UNC to the cert, click OK


The certificate request will become a certificate in the list of Exchange certificates with a Status value of Valid

Assign Certificate to Services

Once the new certificate is acquired and the request is completed, the new certificate needs to be assigned to the Exchange services so that Exchange uses the new certificate.

Complete the Following Tasks:

  • Launch the EAC and browse to Servers in the left pane.
  • Click Certificates in the top menu bar.
  • From the Select Server list, select the Exchange server that holds the certificate. 
  • Choose the new public certificate and then click Edit.
  • On the Services tab, select SMTP, IMAP, POP, and IIS
  • When you’re finished, click Save.


What this does is assign the newly installed certificate to the selected Exchange services. Moving forward, you should be able to begin securely accessing the EAC and OWA via https://mail.youremaildomain.com. We’ll test this in the next lesson.


WRAP-UP

Once you know everything is accessible as expected, you’ll want to lock down RDP on the lab subnet. What you don’t want, is RDP being open to the entire internet. So, what we’re going to do here, is limit RDP access on the lab subnet to just my workstation IP address.

Complete the Following Tasks to Lock Down RDP:

  • Browse to whatsmyip.org from your workstation and note your public IP address.
  • Browse to your lab dashboard and click Create a Resource in the left pane.
  • Search the marketplace for “network security group” and deploy a new network security group.
  • Name the new network security group NSG-LabSubnet and deploy it to your ExchangeLab resource group.
  • Pin the new NSG to your dashboard when prompted to do so, and then open it up.
  • Click Inbound Security Rules and then click Add to create a new rule.
  • In the Source dropdown, select IP address, and then set the Source to your workstation’s public IP address.
  • Change Destination Port Ranges to 3389 and then rename the rule to “Port_3389_from_Workstation”.
  • Click Add to create the rule.


What the RDP rule will do is block inbound RDP access from all locations EXCEPT your workstation. In addition to locking down RDP, you also need to allow port 8080 and port 443 in, because you need to be able to access Exchange on these ports from the internet.

Complete the Following Tasks to Allow HTTPs Traffic:

  • Add new inbound rule.
  • In the Source dropdown, select IP address, and then set the Source to your workstation’s public IP address.
  • Change Destination Port Ranges to “8080,443” and then rename the rule to “Port_3389_from_Workstation”.
  • Click Add to create the rule.


By creating these rules, you can ensure that only YOU have access to the lab machines from the internet.

After you’ve completed the NSG configuration, restart both virtual machines so they pick up the changes.

CAUTION: If you lock down RDP to your workstation IP address, you are going to lose RDP access to your VMs if your pubic IP address from your ISP ever changes. Keep this in mind.

Verify Exchange Admin Center Functionality

After you’ve finished configuring Exchange, installing the certificate, setting up DNS, and configuring URLs, you can test the Exchange EAC to confirm that everything works as expected.

To do so, browse to https://mail.labtest365.com/ecp from your workstation. Because HTTP and HTTPs have both been allowed in, via a Network Security Group, you should have no issues accessing the EAC from your workstation.

After connecting to the EAC, click around and make sure everything is accessible.

Create Test Mailboxes & Test Mail Flow

At this point, you can begin testing mailbox access and mail flow.

Complete the Following Tasks:

  • In the EAC, click on Recipients, and then Mailboxes.
  • Click New and then select User Mailbox
  • Provide an Alias (test1).
  • Select New user.
  • Enter test1 in the Display Name field and in the Name field
  • Enter test1 as the User Logon Name
  • Provide a password and uncheck the Require password change on next logon 
  • Click Save to create the mailbox and the associated Active Directory user account.
  • Repeat the process to create a test2


Confirm Outlook Autodiscover Works

After confirming that mail flow is working, test for Outlook connectivity. More specifically, check to make sure Autodiscover is working for Outlook clients.

Complete the Following Tasks:

  • Launch Outlook on your workstation and create a new profile.
  • When prompted for an email address, provide the email address for the Test1
  • When prompted to authenticate, change the login account to yourADdomain\test1.
  • Complete authentication.


If everything is working as it should, you’ll see Outlook complete the connection and you’ll be able to open the mailbox.

Shutdown Virtual Machines

With the Exchange lab wrapped up, you can stop and deallocate the virtual machines from the Azure portal so charges for them don’t continue to accrue.

Complete the Following Tasks:

  • Browse to the lab dashboard
  • Click on each VM and then click Stop.
  • Ensure that both machines show Stopped (Deallocated).


If the virtual machines don’t show Stopped (Deallocated), you will continue to be charged for them.