Tuesday, February 22, 2011

How to install a certificate in Exchange 2010 using an Internal CA

Hi all,
You can install Active Directory Certificate Services on Windows Server 2008 to set up an internal PKI. After that, you will be able to issue server certificates for your Exchange 2010 environment. Bear in mind that you will need to deploy your root CA certificate to your machines so that they trust the issued certificates and users do not get the certificate warning pop-up.

Once you have your PKI infrastructure created (one Enterprise CA is enough), go to your CAS server

[PS] C:\>$data=New-ExchangeCertificate -GenerateRequest -SubjectName "c=CA,o=Company,cn=webmail.company.ca" -DomainName webmail.company.net, webmail.company.ca, autodiscover.company.ca, autodiscover.company.net, CAS1, CAS1.test.ca -FriendlyName webmail.company.net -privatekeyexportable:$true

Creating a new session for implicit remoting of "New-ExchangeCertificate" command...


[PS] C:\>Set-Content -path "C:\Cert\cert.req" -Value $Data

With this request you should go to your CA.




Go to Request certificate, then Advanced, and then select the option:
Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.



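Note: if you need subject alternative names, add them in the Attributes box as
SAN:dns="webmail.test.net"&dns="autodiscover.test.net"&dns="webmail.test.ca"&dns="CAS1"&dns="CAS1.test.ca"
The CA accepts names supplied this way only when the EDITF_ATTRIBUTESUBJECTALTNAME2 policy flag is enabled on it; the request generated above already contains the names passed to -DomainName.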

Submit the request and save as .cer file
On your CAS server:
[PS] C:\>Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\cert\certnew.cer -Encoding byte -ReadCount 0))

Thumbprint Services Subject
---------- -------- -------
633CB9DE67BD2015F649323593FC95B19B1DA95D IP.... CN=webmail.test.ca, O=Company, C=CA


[PS] C:\>Enable-ExchangeCertificate -services "IIS,IMAP,SMTP"
cmdlet Enable-ExchangeCertificate at command pipeline position 1
Supply values for the following parameters:
Thumbprint: 633CB9DE67BD2015F649323593FC95B19B1DA95D

Confirm
Overwrite the existing default SMTP certificate?

Current certificate: 'C51882DC5CE37F08B57C63BB5F1D7BDB944410A7' (expires 4/27/2015 12:32:57 PM)
Replace it with certificate: '633CB9DE67BD2015F649323593FC95B19B1DA95D' (expires 5/3/2012 6:00:34 AM)
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): L

[PS] C:\>Get-ExchangeCertificate
Thumbprint Services Subject
---------- -------- -------
633CB9DE67BD2015F649323593FC95B19B1DA95D IP.WS. CN=webmail.test.ca, O=Company, C=CA
5113A9E9CC355BB8C96C6F986269AFD1584F07C3 ...... C=CA, O=Company, CN=webmail.test.net
C853F48A8A9E8500C3665777A8CF79A2AF30911D ...... C=CA, O=Company, CN=webmail.test.net
C51882DC5CE37F08B57C63BB5F1D7BDB944410A7 .P..S. CN=CAS1

Set autodiscover service

[PS] C:\>Set-ClientAccessServer -Identity CAS1 -AutoDiscoverServiceInternalUri https://webmail.test.net/autodiscover/autodiscover.xml

Set OAB service:
[PS] C:\>$a=get-OABVirtualDirectory -Server CAS1
[PS] C:\>Set-OABVirtualDirectory $a -InternalURL https://webmail.test.net/OAB
[PS] C:\>Set-OABVirtualDirectory -Identity "OAB (Default Web Site)" -RequireSSL:$true

Set Web services URL
[PS] C:\>$a=get-WebServicesvirtualdirectory -Server CAS1
Creating a new session for implicit remoting of "Get-WebServicesVirtualDirectory" command...
[PS] C:\>Set-WebServicesvirtualdirectory $a -InternalURL https://webmail.test.net/EWS/Exchange.asmx

Set Exchange ActiveSync URL
[PS] C:\>$a=get-ActiveSyncvirtualdirectory -Server CAS1
[PS] C:\>Set-ActiveSyncvirtualdirectory $a -InternalURL https://webmail.test.net/Microsoft-Server-ActiveSync

You must configure this on all CAS servers in your environment; of course, the exact values depend on your environment.
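
A check that ties the certificate steps and the internal URL settings above together, as an added example that is not part of the original post: it confirms that the installed certificate chains to a root the server trusts and that every internal URL's host name appears in the certificate. The server name CAS1 and the thumbprint are the post's sample values; the SAN parsing assumes an English-language Windows installation.

```powershell
# Added example. Run in the Exchange Management Shell on the CAS server.
$server     = 'CAS1'                                        # sample value from the post
$thumbprint = '633CB9DE67BD2015F649323593FC95B19B1DA95D'    # sample value from the post

function Get-CertDnsName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.17 is the Subject Alternative Name extension
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($true) prints one entry per line, e.g. "DNS Name=webmail.test.net"
        $san.Format($true) -split "`r?`n" | ForEach-Object {
            if ($_ -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim().ToLower() }
        }
    }
}

# Certificate as stored in the local machine store by Import-ExchangeCertificate
$cert  = Get-Item "Cert:\LocalMachine\My\$thumbprint"
$names = @(Get-CertDnsName $cert)

# 1. Does the chain build to a trusted root, with revocation checked?
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "Chain problem: $($_.Status)" }
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires $($cert.NotAfter)"
}

# 2. Is every configured internal URL covered by a name in the certificate?
#    Exact matches only; wildcard names are not handled here.
$urls  = @()
$urls += (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri
$urls += Get-OabVirtualDirectory -Server $server | ForEach-Object { $_.InternalUrl }
$urls += Get-WebServicesVirtualDirectory -Server $server | ForEach-Object { $_.InternalUrl }
$urls += Get-ActiveSyncVirtualDirectory -Server $server | ForEach-Object { $_.InternalUrl }

foreach ($u in $urls) {
    if (-not $u) { continue }
    $urlHost = ([Uri]"$u").Host.ToLower()
    New-Object PSObject -Property @{
        Url      = "$u"
        HostName = $urlHost
        InCert   = ($names -contains $urlHost)
    }
}
```

Any row with InCert set to False is a URL that clients will reach with a name the certificate does not cover, which produces the same certificate warning as an untrusted root.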
For further information, write to dario.may@gmail.com; I'll be glad to help you.

-Dario

Chile... don't forget!!!! DST Patch for Windows Operating Systems...

Just a reminder for Chile: we are close to the 2nd Saturday of March.

The December DST CU contains 2011 adjusted DST start and end-dates for the following timezones:

·    Israel Standard Time
·    Morocco Standard Time
·    PacificSA Standard Time
·    Samoa Standard Time
·    Syria Standard Time




Important This update supersedes and replaces update 2158563, which was released in September 2010. This update also includes additional time zone changes made after update 2158563 was created.

If you have already deployed update 2158563, read the descriptions of the specific time zone changes that are addressed in this article to determine whether you must deploy this update immediately. If systems are not directly affected, you can schedule deployment at the next available opportunity.

We recommend that you deploy the most current Windows cumulative time zone update to guarantee the consistency of the time zone database on all systems.


Important
  • Before you apply the update that is described in this article, be aware of potential issues that may affect Microsoft Outlook.
    For more information about these issues, click the following article number to view the article in the Microsoft Knowledge Base:
    931667  (http://support.microsoft.com/kb/931667/ ) How to address time zone changes by using the Time Zone Data Update Tool for Microsoft Office Outlook
  • If you are running Microsoft Exchange Server in an Information Technology (IT) environment, you must take additional measures to guarantee the correct operation of Exchange Server.

    For more information about the Exchange daylight saving time (DST) update, click the following article number to view the article in the Microsoft Knowledge Base:
    941018  (http://support.microsoft.com/kb/941018/ ) How to address daylight saving time by using the Exchange Calendar Update Tool
  • Cumulative time zone updates contain only data that has changed for a specific region or that was added to maintain parity with other operating system versions. Therefore, if a time zone key is deleted, some original values may not be restored after you apply the cumulative zone update.
    We do not recommend that you delete any registry keys that are related to time zones. On a computer that has incomplete time zone keys, first restore the time zone keys from a known good backup. Then, apply the update.
See http://support.microsoft.com/kb/2443685

Thank you, Chilean friends!!

-Dario

Error: “Couldn’t find the Enterprise Organization Container” when Creating a New Mailbox Export Request

Hi all,
This is a new cmdlet in Exchange 2010 SP1 that allows you to create a PST from an active mailbox. First of all, you must create a shared folder with the permissions below, at both the NTFS and share level, for the Exchange Trusted Subsystem group.


After that, make sure your account has the necessary permissions, or create a new role for that.



Add your user to this role.




Run the command:
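
The steps above as an added example, not the commands from the original post. The domain, share, folder, role group, user and mailbox names are hypothetical placeholders, and the Modify right on the folder is an assumption. The last commands list who can export mailboxes and clear finished requests, since PST export gives access to full mailbox contents.

```powershell
# Added example; every name below is a hypothetical placeholder.
$share   = '\\FILESRV1\PSTExport'        # UNC path of the export share
$group   = 'Mailbox Export Operators'    # dedicated role group
$user    = 'exportadmin'                 # account allowed to export
$mailbox = 'jdoe'                        # mailbox to export

# On the file server: NTFS permission on the folder behind the share for the
# Exchange Trusted Subsystem group (Modify is assumed here). Grant the same
# group access at the share level as well.
icacls 'D:\PSTExport' /grant 'EXAMPLE\Exchange Trusted Subsystem:(OI)(CI)M'

# In the Exchange Management Shell: a role group that holds only the built-in
# "Mailbox Import Export" role, with the export account as its member.
New-RoleGroup -Name $group -Roles 'Mailbox Import Export' -Members $user

# Open a new Exchange Management Shell session as that user so the role is
# loaded, then create the request. -FilePath must be a UNC path.
New-MailboxExportRequest -Mailbox $mailbox -FilePath "$share\$mailbox.pst"

# Follow progress
Get-MailboxExportRequest | Get-MailboxExportRequestStatistics

# Review everyone who effectively holds the export role
Get-ManagementRoleAssignment -Role 'Mailbox Import Export' -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName, AssignmentMethod

# Remove completed requests once the PST has been collected
Get-MailboxExportRequest -Status Completed | Remove-MailboxExportRequest -Confirm:$false
```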


For further information, see http://technet.microsoft.com/en-us/library/ff459227.aspx

Enjoy

-Dario