Exchange 2013 Deployment Assistant


Upload: johnbohn

Post on 19-Oct-2015

  • Welcome

    Deployment Options

    The Exchange 2013 Deployment Assistant is the IT pro's source for Exchange deployment technical guidance. Tell us what kind of deployment you're interested in, answer a few questions about your environment, and then view Exchange deployment instructions created just for you.

    On-Premises

    Install a new on-premises Exchange 2013 deployment or upgrade your current environment to Exchange 2013

    Exchange 2013 Deployment Assistant http://technet.microsoft.com/en-us/exdeploy2013/PrintChecklist?state=1...

    1 of 32 8/14/2013 6:34 PM

  • On-Premises Deployment Questions

    Select your on-premises deployment

    Select your deployment scenario to get started

    New installation of Exchange 2013

    Upgrade from Exchange 2007

    Upgrade from Exchange 2010

    Upgrade from Exchange 2007 and Exchange 2010


  • Client Access and Mailbox server installation location

    Are you planning to install the Client Access and Mailbox server roles on the same or a different server?

    Exchange 2013 has two server roles: Mailbox and Client Access. During deployment, you can install the server roles on the same server or on different servers. Where you install these roles depends on the number of servers available, their physical capacities, and the layout of your network. For example, you might want to dedicate certain servers to specific functions. For more information, see Exchange 2013 System Requirements.

    Same server

    Different servers


  • Disjoint namespace

    Are you running a disjoint namespace?

    In most domain topologies, the primary DNS suffix of the computers in the domain is the same as the DNS domain name. In some cases, you may require that these namespaces be different from one another. This is called a disjoint namespace. For example, a merger or acquisition may cause you to have a topology with a disjoint namespace. In addition, if DNS management in your organization is split between administrators who manage Active Directory and administrators who manage networks, you may need to have a topology with a disjoint namespace. For more information, see Disjoint Namespace Scenarios.

    Yes

    No


  • Edge coexistence

    Do you have an existing Edge Transport server?

    The Edge Transport server isn't currently available in Exchange 2013. However, you can continue to use an existing Edge Transport server from your legacy Exchange organization.

    Note:

    The Deployment Assistant checklist steps show you how to configure an existing Edge Transport server. The Deployment Assistant doesn't cover installing a new Edge Transport server in the Exchange 2013 organization.

    Yes

    No


  • On-Premises Deployment Steps

    Navigate your checklist

    Now that we've asked you a few questions about the type of deployment you want, it's time to review how to use your Exchange 2013 deployment checklist.

    How can I see my answers to the deployment questions?

    That's easy. Simply expand the deployment questions section in the left menu of this page, and select a question to see how you answered it.

    How can I change my answers?

    Go to the deployment questions section in the left menu. Select the question you'd like to change the answer for, revise your answer, and then click Next. You can also click Start Over at the top of any page. When you change your answers, you'll get a whole new checklist that's tailored to those answers.

    How can I move through the checklist?

    You can browse the checklist by clicking a step in the left pane or by using the Previous and Next buttons. While you can browse in any order you want, you do need to complete the steps in the order shown.

    What do I do when I finish a step?

    Pat yourself on the back! Then you can move on to the next step by clicking Next .

    How long will it take to complete the checklist?

    Good question! It depends. The checklist is based on answers you gave to the questions about your environment, and because there are many possible combinations of answers, it's hard to know the total time it will take you to complete the entire process. Plus, you'll need to do some planning before you start the configuration steps. However, to give you some idea as to how long a step should take, we've included an estimate of time to complete at the beginning of each configuration step in your checklist.

    What if I get interrupted?

    You can exit the Exchange Deployment Assistant at any time and return to the same computer later to continue where you left off. Please be aware that if you access the Deployment Assistant from a different computer, progress from your session on the original computer is not available.

    Can I print this stuff?

    Yes! See Print Checklist at the top of this page? Use that icon to print the entire deployment checklist. You can also use Print This Page at the bottom of each page to print just a single checklist step.

    Can I copy and paste?

    You can copy the code examples while you're in the checklist. Just click Copy in the code example to copy the code to your clipboard. For everything else, you can just highlight any text passage and copy to your clipboard and paste into the text editor of your choice.

    How do I tell you what I think about this?

    We'd love to hear what you think of the Deployment Assistant. Your feedback is encouraged and welcome! See Feedback at the top of the page? Click it to send feedback to us via email anytime.


  • Before you begin

    Welcome to Exchange 2013! Before you deploy Exchange 2013 in your organization, you'll need to first do some careful planning. Before you go any further with the Exchange 2013 Deployment Assistant (ExDeploy), we urge you to review this entire topic to make sure that you fully understand how deploying Exchange 2013 could affect your existing network and Exchange organization.

    Things to consider before deploying Exchange 2013

    Before you deploy Exchange 2013, you need to carefully consider some important issues. It's important that you understand these issues before you begin your deployment so you don't run into any surprises along the way.

    Server roles

    Exchange 2013 includes two server roles: the Mailbox and Client Access server roles. Each organization requires at a minimum one Client Access server and one Mailbox server in the Active Directory forest. Additionally, each Active Directory site that contains a Mailbox server must also contain at least one Client Access server. If you're separating your server roles, we recommend installing the Mailbox server role first.

    The Mailbox server includes the Client Access protocols, the Transport service, the Mailbox databases, and Unified Messaging (the Client Access server redirects SIP traffic generated from incoming calls to the Mailbox server). The Mailbox server handles all activity for the active mailboxes on that server. The Client Access server provides authentication, limited redirection, and proxy services for all of the usual client access protocols: HTTP, POP and IMAP, and SMTP. The Client Access server, a thin and stateless server, doesn't do any data rendering. With the exception of diagnostic logs, nothing is queued or stored on the Client Access server.

    Learn more at: Mailbox and Client Access Servers

    Active Directory schema update

    When you install Exchange 2013 for the first time, your Active Directory schema will be updated. This schema update is required to add objects and attributes to Active Directory to support Exchange 2013. Depending on the size of your organization, and how infrastructure responsibilities are divided within your organization, the schema update may need to be done by another team or department. Additionally, replicating the changes made to your schema may take several hours or days and is dependent on your Active Directory replication schedule.

    Before installing the first Exchange 2013 server, talk with your Active Directory management team, if you have one, so they can review, sign off, and implement the schema update. We also recommend that you test the schema update in a lab environment and back up your production Active Directory schema prior to applying the schema update.

    Learn more at: Exchange 2013 Active Directory Schema Changes, Exchange Server 2003 to Exchange Server 2010 Active Directory Schema Changes Reference, March 2013, Prepare Active Directory and Domains, and Testing for Active Directory Schema Extension Conflicts

    Certificates

    Secure Sockets Layer (SSL) certificates help to protect communication between your Exchange servers and clients and other mail servers by encrypting data and, optionally, identifying each side of the connection. Certificates can be issued by third-party certificate authorities (CAs), issued by an internal CA, or self-signed. Here's a short description of each type of certificate:

    Third-party certificates: Third-party certificates are issued by a public CA such as GoDaddy, Verisign, Thawte, Comodo, or GlobalSign. Certificates published by public CAs are trusted by most operating systems and browsers. This is important if you want to use certificates to help protect communications between your Exchange 2013 organization and external organizations. The external organization must trust the certificate you give them. While you can accomplish the same thing with certificates issued by internal CAs or using self-signed certificates, the external organization must manually trust the certificates on each computer that will communicate with your Exchange 2013.

    Some public CAs also offer services to verify the identity of the organization they're issuing a certificate to. This can be useful when an external organization must make sure they're connecting to the correct organization.

    Public CAs charge for each certificate they issue. The cost varies depending on the type of certificate you purchase, the number of domains that will be listed on the certificate, and the pricing structure of the public CA.

    Private certificates: Private certificates are issued by an internal, private CA. A private CA is hosted within your organization and issues certificates for your internal use. Private CAs are useful because there is no cost to issuing certificates, internal clients and servers can be configured to trust them automatically, and you manage the issuance process. However, the drawback is that external organizations don't trust your internal CA by default. If you want to secure communication between your Exchange 2013 and external organizations using a private certificate, the external organization must manually trust the certificates on each computer that will communicate with your Exchange 2013.

    Self-signed certificates: Self-signed certificates are issued by an individual computer and not by any CA. Self-signed certificates aren't trusted by any other computers, operating systems, or browsers. They don't allow other clients or servers to verify the identity of the organization. To connect to a computer that uses a self-signed certificate, the client or server that's connecting must manually trust the certificate. This process must be repeated each time the certificate expires. When you have clients or external organizations that need to connect to your Exchange 2013 servers, using self-signed certificates on your Client Access server isn't feasible.

    When deploying Exchange 2013, we strongly recommend that you obtain a certificate issued either by a third-party or internal CA for use on your Client Access server. This certificate will be used to help protect communication between the Client Access server and clients and other servers that are connecting to your server. However, you don't need to get or configure certificates for communication between your Mailbox server and Client Access server. The certificates used for communication between internal Exchange 2013 servers are managed automatically by Exchange. You don't need to configure certificates on the Mailbox server.

    Learn more at: Digital Certificates and SSL
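
    To check a Client Access server certificate against the guidance above, the following added example (not part of the Deployment Assistant) flags self-signed, expired or soon-to-expire certificates and required host names that the certificate does not list. The function names, the 30-day warning window and the sample certificate objects are assumptions; the host names are the checklist's example values.

```powershell
# Added example, not from the Deployment Assistant. Requires PowerShell 3.0 or later.

function Test-NameCovered {
    # True when $HostName matches an exact name or a single-label wildcard (*.contoso.com).
    param([string] $HostName, [string[]] $CertName)
    foreach ($n in $CertName) {
        if ($n -eq $HostName) { return $true }
        if ($n.StartsWith('*.')) {
            $dot = $HostName.IndexOf('.')
            if ($dot -gt 0 -and $HostName.Substring($dot) -eq $n.Substring(1)) { return $true }
        }
    }
    return $false
}

function Test-CasCertificate {
    [CmdletBinding()]
    param(
        # Any object with Subject, Issuer, NotAfter and CertificateDomains properties,
        # which is the shape of the objects Get-ExchangeCertificate returns.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Certificate,
        [Parameter(Mandatory = $true)] [string[]] $RequiredHostName,
        [int] $WarnDays = 30,
        [datetime] $Now = (Get-Date)
    )
    process {
        $names    = @($Certificate.CertificateDomains | ForEach-Object { "$_" })
        $findings = @()

        # Subject equal to Issuer means no CA vouches for the certificate.
        if ($Certificate.Subject -eq $Certificate.Issuer) {
            $findings += 'self-signed: every client must trust it manually'
        }

        $daysLeft = [int][math]::Floor(($Certificate.NotAfter - $Now).TotalDays)
        if ($daysLeft -lt 0) {
            $findings += "expired $(-$daysLeft) days ago"
        } elseif ($daysLeft -le $WarnDays) {
            $findings += "expires in $daysLeft days"
        }

        foreach ($h in $RequiredHostName) {
            if (-not (Test-NameCovered -HostName $h -CertName $names)) {
                $findings += "$h is not on the certificate"
            }
        }

        [pscustomobject]@{
            Subject  = $Certificate.Subject
            Usable   = ($findings.Count -eq 0)
            Findings = $findings -join '; '
        }
    }
}

# Constructed sample objects: a self-signed server certificate, a public CA
# certificate close to expiry with a missing name, and a complete internal CA one.
$now = [datetime]'2013-08-14'
$sample = @(
    [pscustomobject]@{ Subject = 'CN=EX2013'; Issuer = 'CN=EX2013'
        NotAfter = [datetime]'2018-08-14'
        CertificateDomains = @('EX2013', 'EX2013.corp.contoso.com') }
    [pscustomobject]@{ Subject = 'CN=mail.contoso.com'; Issuer = 'CN=Constructed Public CA'
        NotAfter = [datetime]'2013-09-01'
        CertificateDomains = @('mail.contoso.com', 'owa.contoso.com') }
    [pscustomobject]@{ Subject = 'CN=mail.contoso.com'; Issuer = 'CN=Constructed Internal CA'
        NotAfter = [datetime]'2015-08-14'
        CertificateDomains = @('mail.contoso.com', 'owa.contoso.com', 'autodiscover.contoso.com') }
)

$required = 'mail.contoso.com', 'owa.contoso.com', 'autodiscover.contoso.com'
$sample | Test-CasCertificate -RequiredHostName $required -Now $now | Format-List

# In the Exchange Management Shell, feed it the certificates bound to IIS instead:
#   Get-ExchangeCertificate -Server EX2013 | Where-Object { $_.Services -match 'IIS' } |
#       Test-CasCertificate -RequiredHostName $required
```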

    Split DNS

    Split domain name service (DNS) is a concept that allows you to configure different IP addresses for the same host name, depending on where the originating DNS request came from. This is also known as split-horizon DNS, split-view DNS, or split-brain DNS. Split DNS can help you reduce the number of host names that you must manage for Exchange by allowing your clients to connect to Exchange through the same host name whether they're connecting from the Internet or from the intranet. Split DNS allows requests that originate from an intranet to receive a different IP address than requests that originate from the Internet. For example, external Internet users who visit www.contoso.com will be sent to the company's public website while employees on the internal intranet will be sent to the company's private intranet site.

    We recommend that you deploy Exchange 2013 in a split DNS configuration. In addition to simplifying deployment, split DNS also reduces the number of subject alternative names (SANs) required on the SSL certificates you'll use to help secure connections to your Client Access server. The steps in this checklist configure your new Exchange 2013 organization to use split DNS. When you're done, you'll be able to use the same URL, such as owa.contoso.com, to access your Exchange 2013 server from your intranet and the Internet.

    Note:

    ExDeploy configures your Exchange 2013 deployment so that the URL internal and external users use to access your Exchange server is the same. If you have a different addressing scheme for your organization, you can change the internal and external URLs to match that scheme.

    Supported clients

    Exchange 2013 and Exchange Online support the following minimum versions of Microsoft Outlook and Microsoft Entourage for Mac:

    Outlook 2013 (15.0.4420.1017)

    Outlook 2010 Service Pack 1 with the Outlook 2010 November 2012 update (14.0.6126.5000). For more information, see Description of the Outlook 2010 update: November 13, 2012.

    Outlook 2007 Service Pack 3 with the Outlook 2007 November 2012 update (12.0.6665.5000). For more information, see Description of the Outlook 2007 update: November 13, 2012.

    Entourage 2008 for Mac, Web Services Edition

    Outlook for Mac 2011

    Important:

    The information above provides the minimum versions required for a client to connect to Exchange and Exchange Online. We strongly recommend that you install the latest available service packs and updates so that your users receive the best possible experience when connecting to Exchange and Exchange Online.

    Outlook clients earlier than Outlook 2007 are not supported. Email clients on Mac operating systems that require DAV, such as Entourage 2008 for Mac RTM and Entourage 2004, are not supported.

    Outlook Web App supports several browsers on a variety of operating systems and devices. For detailed information, see What's New for Outlook Web App in Exchange 2013.


  • Hybrid deployments with Office 365

    A hybrid deployment offers organizations the ability to extend the feature-rich experience and administrative control they have with their existing on-premises Microsoft Exchange organization to the cloud. A hybrid deployment provides the seamless look and feel of a single Exchange organization between an on-premises Exchange Server 2013 organization and Exchange Online in Microsoft Office 365. In addition, a hybrid deployment can serve as an intermediate step to moving completely to an Exchange Online organization. To configure a hybrid deployment after your initial Exchange 2013 installation is complete, select Hybrid in the Exchange 2013 Deployment Assistant and complete the checklist steps.

    Learn more at: Exchange Server 2013 Hybrid Deployments

    Accessibility

    For information about keyboard shortcuts that may apply to the procedures in this checklist, see Keyboard Shortcuts in the Exchange Admin Center.


  • Prepare Organization


  • Verify prerequisites

    Before you go any further with the Exchange Deployment Assistant, make sure that your organization's operating system, hardware, software, clients, and other elements meet the requirements for Exchange 2013. If they don't, you won't be able to complete the steps in the Deployment Assistant and you won't be able to deploy Exchange 2013.

    Release notes

    Make sure you read the release notes before you begin your deployment. The release notes contain important information about issues you might encounter during and after your deployment.

    Learn more at: Release Notes for Exchange 2013

    System requirements

    System requirements tell you what hardware and operating systems are supported on the computer where you install Exchange 2013. You'll also learn about what Active Directory configurations can be used, which legacy Exchange versions can coexist with Exchange 2013 in the same Active Directory forest, which email clients are supported, and what's required for hybrid deployments with Office 365.

    Learn more at: Exchange 2013 System Requirements

    Exchange 2013 prerequisites

    Prerequisites tell you what Windows components, software packages, and updates need to be installed on the computer where you'll install Exchange 2013. These prerequisites need to be installed on the computer before you begin your Exchange 2013 installation.

    To prepare the Exchange 2007 servers in your organization for coexistence with Exchange 2013, you'll need to install Update Rollup 10 (RU10) for Exchange 2007 Service Pack 3 (SP3) on all the Exchange 2007 servers in your organization before you can install Exchange 2013. The service pack is available in the Microsoft Download Center at Exchange Server 2007 Service Pack 3. The update rollup is available in the Microsoft Download Center at Update Rollup 10 for Exchange Server 2007 Service Pack 3 (KB2788321). (Although this topic isn't an exact match, you can reference it for steps about how to upgrade to Exchange 2007 SP3: How to Upgrade to Exchange 2007 SP1.)

    Also, in order for Exchange 2013 to coexist with previous versions of Exchange, all your Exchange 2013 servers must be running Cumulative Update 2 (CU2) for Exchange 2013. To download Exchange 2013 CU2, see Cumulative Updates for Exchange 2013.

    Learn about all prerequisites at: Exchange 2013 Prerequisites

    Permissions to install and manage Exchange 2013

    Exchange 2013 requires different permissions to install and to manage your server roles. When you're installing Exchange 2013 servers in your organization, the account you use might not be the same account that you use for administering and managing your server roles. To manage your server roles, Exchange 2013 uses the Role Based Access Control (RBAC) permissions model.

    Exchange 2013 uses RBAC to manage permissions on the Mailbox and Client Access server roles. With RBAC, you can control what resources administrators can configure and what features users can access. The RBAC model is flexible and provides you with several ways to customize the default permissions.

    RBAC has two primary ways of assigning permissions to users in your organization, depending on whether the user is an administrator or specialist user, or an end user: management role groups and management role assignment policies. Each method associates users with the permissions they need to do their jobs. The following tables list the tasks found in the Exchange Deployment Assistant and the permissions required to complete the task.

    Note:

    Some features may require that you have local administrator permissions on the server you want to manage. To manage these features, you must be a member of the Local Administrators group on that server.

    Learn more at: Permissions

    Installation permissions

    The table below lists the permissions that you need to successfully use the Deployment Assistant and to install Exchange 2013. By default, the account that's used to install Exchange 2013 in the organization is added as a member of the Organization Management role group.

    When you install the first Exchange 2013 server role (Mailbox) into your Exchange 2013 organization, Exchange Setup will prepare your Active Directory schema if you have the correct permissions. If you want to separate your Active Directory schema preparation from the Exchange server installation, see Prepare Active Directory and Domains.

    For information about how to add permissions, see Manage Role Group Members.

    | Task | Permissions required |
    |---|---|
    | Install the Mailbox server role (first server role installed) | Local Administrator, Enterprise Administrator, Schema Admins |
    | Install the second server | Local Administrator, Organization Management or Delegated Setup |

    Exchange management permissions

    The table below lists the configuration permissions that you need to successfully use the Deployment Assistant. For information about how to add permissions, see Manage Role Group Members.

    | Task | Permissions required |
    |---|---|
    | Configure disjoint namespace | Local Administrator, Domain Administrator |
    | Configure mail flow | Organization Management |
    | Configure accepted domains | Organization Management |
    | Configure email address policies | Organization Management |
    | Configure external URLs | Organization Management or Server Management |


  • Collect required information

    Before you start your Exchange 2013 deployment, you're going to need information about your organization. We suggest you print this step so you can record your organization's information and have easy access to it as you go through the checklist.

    You can use the following table to gather information about your organization that you're going to need before you get started. When you're working through your checklist, replace the example information that you see in the checklist with the information you've provided in this table. For example, if the external fully qualified domain name (FQDN) of your Exchange 2013 server will be exchange.adatum.com, enter that FQDN in the "Value in your organization" field.

    | Description | Example value in checklist | Value in your organization |
    |---|---|---|
    | Active Directory forest root | corp.contoso.com | |
    | Internal Exchange 2013 computer name | EX2013 | |
    | Internal Exchange 2007 computer name | EX2007 | |
    | External Exchange 2013 FQDN for the following services: Outlook Anywhere, Offline Address Book, Exchange Web Services (EWS), Exchange ActiveSync | mail.contoso.com (see Note 1) | |
    | Internal Exchange 2013 FQDN for the following services: Outlook Anywhere, Offline Address Book, Remote PowerShell, Exchange Web Services (EWS), Exchange ActiveSync | Internal URL same as external URL: mail.contoso.com. Internal URL different than external URL: internal.contoso.com | |
    | External Exchange 2013 FQDN for the following services: Outlook Web App, ECP (Exchange Admin Center) | owa.contoso.com | |
    | Internal Exchange 2013 FQDN for the following services: Outlook Web App, ECP (Exchange Admin Center) | Internal URL same as external URL: owa.contoso.com. Internal URL different than external URL: internal.contoso.com | |
    | External Exchange 2007 FQDN for the following services: Outlook Web Access, EWS, Unified Messaging | legacy.contoso.com (see Note 2) | |
    | External Autodiscover FQDN | autodiscover.contoso.com | |
    | Internal service connection point FQDN | autodiscover.contoso.com | |
    | Primary SMTP namespace | contoso.com | |
    | User principal name domain | contoso.com | |

    Note 1 (mail.contoso.com):

    This is the FQDN that, before installing Exchange 2013, points to your Exchange 2007 server. As part of the upgrade process, this FQDN will be moved from your Exchange 2007 server to the new Exchange 2013 server. Your Exchange 2007 server will be assigned a new FQDN, such as legacy.contoso.com.

    Note 2 (legacy.contoso.com):

    This FQDN doesn't need to start with "legacy". It can be any available FQDN as long as it doesn't match any of the ones assigned to the Exchange 2013 server (for example, mail.contoso.com). You could, for example, use oldmail.contoso.com instead of legacy.contoso.com.

    Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection


  • Configure default offline address book

    Estimated time to complete: 5 minutes or longer, depending on the number of mailbox databases in your organization

    Before you install Exchange 2013, you need to make sure that all of the existing Exchange mailboxes in your organization are assigned a default offline address book (OAB). If you don't do this, any mailbox that isn't assigned a default OAB when Exchange 2013 is installed will automatically download the new OAB generated by Exchange 2013. If you have hundreds or thousands of mailboxes, this could cause significant network traffic and server load.

    The steps below show you how to assign a default OAB to Exchange mailbox databases. Assigning a default OAB to a mailbox database has two advantages:

    Mailboxes stored in a mailbox database will inherit the OAB assigned to a mailbox database if the mailbox itself has no OAB assigned. This allows you to assign an OAB to many mailboxes without having to individually update each mailbox.

    When the mailbox is moved from an existing Exchange server to Exchange 2013, the mailbox will automatically begin using the new Exchange 2013-generated OAB if the mailbox itself isn't assigned an OAB.

    How do I do this?

    1. Open the Exchange Management Shell on your Exchange server.

    2. Run the following command to retrieve a list of OABs.

       Get-OfflineAddressBook

    3. Run the following command to view all the mailbox databases (except Exchange 2013 mailbox databases) in your organization and the OABs assigned to them.

       Get-MailboxDatabase | Format-Table Name, Server, OfflineAddressBook -Auto

    4. For every mailbox database that doesn't have an OAB assigned, assign an OAB from the list you retrieved earlier. You can either set the OAB on each mailbox database individually or set the OAB on all mailbox databases at once. Use the command below that best suits your requirements.

       To set the OAB on each mailbox database individually, run the following command. The command example uses "Sales Employees" for the mailbox database name on the Ex2007 server, and the "Default Offline Address Book" for the name of the OAB.

       Set-MailboxDatabase "Ex2007\Sales Employees" -OfflineAddressBook "Default Offline Address Book"

       To set the same OAB on all mailbox databases at once, run the following command. The command example uses "Default Offline Address Book" for the name of the OAB.

       Warning:

       The following command will overwrite the OAB assigned to every mailbox database in your organization. If you want to verify the command has the intended effect, run it with the WhatIf switch parameter first.

       Get-MailboxDatabase | Set-MailboxDatabase -OfflineAddressBook "Default Offline Address Book"

    How do I know this worked?

    To verify that every mailbox database in your organization is assigned a default OAB, run the following command. Every mailbox database should have an OAB listed in the OfflineAddressBook column.

    Get-MailboxDatabase | Format-Table Name, Server, OfflineAddressBook -Auto
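
    A narrower alternative to the overwrite-all command in step 4, as an added example that is not part of the Deployment Assistant: it assigns the default OAB only to mailbox databases that have none, and previews the change with WhatIf until told to apply it. The variable names $oabName and $apply are assumptions, and the script has to run in the Exchange Management Shell.

```powershell
# Added example, not from the Deployment Assistant.
# The OAB name is the checklist's example value; replace it with your own.
$oabName = 'Default Offline Address Book'
$apply   = $false   # $false previews with -WhatIf; set to $true to make the change

# Fail once, up front, if the OAB name is wrong, instead of once per database.
$oab = Get-OfflineAddressBook -Identity $oabName -ErrorAction Stop

# Select only databases with no OAB, so existing assignments are never overwritten.
$unassigned = @(Get-MailboxDatabase | Where-Object { -not $_.OfflineAddressBook })

if ($unassigned.Count -eq 0) {
    Write-Host 'Every mailbox database already has an OAB assigned.'
} else {
    Write-Host "Mailbox databases without an OAB: $($unassigned.Count)"
    $unassigned | Format-Table Name, Server -AutoSize | Out-Host

    foreach ($db in $unassigned) {
        # -WhatIf:$true only reports what would change; nothing is written.
        Set-MailboxDatabase -Identity $db.Identity `
                            -OfflineAddressBook $oab.Identity `
                            -WhatIf:(-not $apply)
    }
}

# Re-run the checklist's verification, reduced to a count of what is still missing.
$remaining = @(Get-MailboxDatabase | Where-Object { -not $_.OfflineAddressBook })
Write-Host "$($remaining.Count) mailbox database(s) still without a default OAB"
if (-not $apply -and $remaining.Count -gt 0) {
    Write-Host 'Preview only. Set $apply = $true and run again to assign the OAB.'
}
```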


  • Create legacy Exchange host name

    Estimated time to complete: 5 minutes

    You need to create a legacy domain name system (DNS) host name so your legacy Exchange 2007 environment and Exchange 2013 can coexist. For example, if your domain name is currently contoso.com, you're likely using a host name of mail.contoso.com or www.contoso.com for external client access to Exchange. During coexistence, we recommend creating and using, for example, a host name of legacy.contoso.com. You'll associate the legacy host name with your existing Exchange 2007 server and associate your current host name (for example, mail.contoso.com) with your Exchange 2013 Client Access server. Your end users will not see or use the legacy host name. It will be used by Autodiscover and Client Access servers when redirecting legacy users to a legacy server.

    All client connections will be redirected, including Exchange ActiveSync, Outlook Web App, POP3, and IMAP4. After the legacy host name has been configured, users will be able to access their mailbox regardless of whether it's on Exchange 2007 or Exchange 2013. If you're upgrading from Exchange 2007 to Exchange 2013, Availability service requests will also be redirected.

    How do I do this?

    You need to create a public DNS record for the legacy.contoso.com host name to point to the external IP address of your Exchange 2007 server. The following is an example of the DNS record that you'd create with your public DNS provider, such as GoDaddy.

    Important:

    You might need to make changes to your firewall to support this new legacy host name. You might need to add new firewall rules, add an external IP address for your Exchange 2007 server, or make other configuration changes. If your organization has a network management group, a security review process, or change management process, you may need to request permission to perform these changes or have someone else make them for you.

    | Host name | DNS record type | Value |
    |---|---|---|
    | Legacy.contoso.com | A | 172.16.10.10 |

    How do I know this worked?

    To verify that you've successfully configured your public DNS records, do the following:

    1. Open a command prompt and run nslookup.exe.
    2. Change to a DNS server that can query your public DNS zone.
    3. In nslookup, look up the record for the legacy.contoso.com host name you created. Verify that the IP address that's returned matches the external IP address of your Exchange 2007 server.
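    The same check can be scripted so that several public resolvers are asked and any that disagree stand out. This is an added example, not part of the Deployment Assistant; the function name and the two resolver addresses are assumptions, and Resolve-DnsName requires Windows 8 or Windows Server 2012 or later.

```powershell
# Added example: compare the A record returned by several public resolvers
# with the address you expect for the legacy host name.
function Test-PublicARecord {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $Name,             # e.g. legacy.contoso.com
        [Parameter(Mandatory = $true)] [string] $ExpectedAddress,  # external IP of the Exchange 2007 server
        # Public resolvers to ask. These addresses are assumptions; use any you trust.
        [string[]] $Resolver = @('8.8.8.8', '208.67.222.222')
    )

    foreach ($server in $Resolver) {
        $answers = @()
        try {
            # -DnsOnly and -NoHostsFile keep LLMNR/NetBIOS and the local hosts file
            # from answering in place of the public zone.
            $records = Resolve-DnsName -Name $Name -Type A -Server $server `
                                       -DnsOnly -NoHostsFile -ErrorAction Stop
            $answers = @($records |
                         Where-Object { $_.Type -eq 'A' } |
                         ForEach-Object { [string]$_.IPAddress })

            if ($answers.Count -eq 0) {
                $status = 'NoARecord'
            }
            elseif (@($answers | Where-Object { $_ -ne $ExpectedAddress }).Count -eq 0) {
                $status = 'Match'            # every answer is the expected address
            }
            elseif ($answers -contains $ExpectedAddress) {
                $status = 'ExtraAddresses'   # expected address plus something else
            }
            else {
                $status = 'Mismatch'         # stale or wrong record
            }
        }
        catch {
            $status = 'LookupFailed: ' + $_.Exception.Message
        }

        [pscustomobject]@{
            Name     = $Name
            Resolver = $server
            Answers  = $answers -join ', '
            Status   = $status
        }
    }
}

# The host name and address are the page's example values; substitute your own.
Test-PublicARecord -Name 'legacy.contoso.com' -ExpectedAddress '172.16.10.10' |
    Format-Table -AutoSize
```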

    Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection


  • Install Exchange 2013

    Estimated time to complete: 50 to 60 minutes

    The Mailbox server role in Exchange 2013 hosts user mailboxes and public folder mailboxes, provides Unified Messaging services, generates the Offline Address Book (OAB), and more. In Exchange 2013, the Client Access server role provides clients with access to mailboxes via Outlook, Outlook Web App, and other protocols; accepts inbound SMTP connections from the Internet and other Active Directory sites; accepts connections from telephony systems; and more.

    Learn more at: Mailbox and Client Access Servers

    Caution:

    After you install Exchange 2013 on a server, you must not change the server name. Renaming a server after you have installed an Exchange 2013 server role is not supported.

    How do I do this?

    Important:

    To prepare your organization for Exchange 2013, make sure that you've done everything in the Verify prerequisites step earlier in this checklist. That step has lots of important information, like the following:

    In order for Exchange 2013 to coexist with previous versions of Exchange, all your Exchange 2013 servers must be running Cumulative Update 2 (CU2) for Exchange 2013. For information on how to download Exchange 2013, see Cumulative Updates for Exchange 2013.

    You'll also need to install Update Rollup 10 for Exchange 2007 Service Pack 3 (SP3) on all the Exchange 2007 servers in your organization before you can install Exchange 2013. Download from Exchange Server 2007 Service Pack 3 and Update Rollup 10 for Exchange Server 2007 Service Pack 3 (KB2788321).

    In terms of the order in which to upgrade your sites, assuming you have Exchange servers in more than one site, start with any Internet-facing Active Directory sites, followed by the internal sites. The first site you will want to upgrade is the one where AutoDiscover requests from the Internet come in.

    1. After you have downloaded Exchange 2013 CU2, log on to the computer on which you want to install Exchange 2013.

    2. Navigate to the network location of the Exchange 2013 installation files.

    3. Start Exchange 2013 Setup by double-clicking Setup.exe.

       Important:

       If you have User Access Control (UAC) enabled, you must right-click Setup.exe and select Run as administrator.

    4. On the Check for Updates page, choose whether you want Setup to connect to the Internet and download product and security updates for Exchange 2013. If you select Connect to the Internet and check for updates, Setup will download updates and apply them prior to continuing. If you select Don't check for updates right now, you can download and install updates manually later. We recommend that you download and install updates now. Click Next to continue.

    5. The Introduction page begins the process of installing Exchange into your organization. It will guide you through the installation. Several links to helpful deployment content are listed. We recommend that you visit these links prior to continuing setup. Click Next to continue.

    6. On the License Agreement page, review the software license terms. If you agree to the terms, select I accept the terms in the license agreement, and then click Next.

    7. On the Recommended settings page, select whether you want to use the recommended settings. If you select Use recommended settings, Exchange will automatically send error reports and information about your computer hardware and how you use Exchange to Microsoft. If you select Don't use recommended settings, these settings remain disabled but you can enable them at any time after Setup completes. For more information about these settings and how information sent to Microsoft is used, click ?.

    8. On the Server Role Selection page, select both Mailbox role and Client Access role. The management tools are installed automatically if you install any other server role. Select Automatically install Windows Server roles and features that are required to install Exchange Server to have the Setup wizard install required Windows prerequisites. You may need to reboot the computer to complete the installation of some Windows features. If you don't select this option, you must install the Windows features manually.

       Note:

       This option installs only the Windows features required by Exchange. You must install other prerequisites manually. For more information, see Exchange 2013 Prerequisites.

       Click Next to continue.

    9. On the Installation Space and Location page, either accept the default installation location or click Browse to choose a new location. Make sure that you have enough disk space available in the location where you want to install Exchange. Click Next to continue.

    10. On the Malware Protection Settings page, choose whether you want to enable or disable malware scanning. If you disable malware scanning, it can be enabled in the future. Unless you have a specific reason to disable malware scanning, we recommend that you keep it enabled. Click Next to continue.

    11. On the Readiness Checks page, view the status to determine if the organization and server role prerequisite checks completed successfully. If they haven't completed successfully, you must resolve any reported errors before you can install Exchange 2013. You don't need to exit Setup when resolving some of the prerequisite errors. After resolving a reported error, click Back and then click Next to run the prerequisite check again. Be sure to also review any warnings that are reported. If all readiness checks have completed successfully, click Install to install Exchange 2013.

    12. On the Completion page, click Finish.

        Note:

        If you didn't separate your Active Directory schema preparation from the installation of Exchange 2013, the amount of time this takes is dependent upon your Active Directory site topology. It might take some time for the changes to replicate across your organization.

    13. Restart the computer after Exchange 2013 has completed.

    How do I know this worked?

    Run Get-ExchangeServer

    To verify that Exchange 2013 installed successfully, run the Get-ExchangeServer cmdlet in the Exchange Management Shell. A list is displayed of all Exchange server roles that are installed on the specified server when this cmdlet is run.

    For detailed syntax and parameter information, see Get-ExchangeServer.

    Review the setup log file

    You can also learn more about the installation and configuration of Exchange 2013 by reviewing the setup log file created during the setup process.

    During installation, Exchange Setup logs events in the Application log of Event Viewer on computers that are running Windows Server 2008 R2 with Service Pack 1 (SP1) and Windows Server 2012. Review the Application log, and make sure there are no warning or error messages related to Exchange setup. These log files contain a history of each action that the system takes during Exchange 2013 setup and any errors that may have occurred. By default, the logging method is set to Verbose. Information is available for each installed server role.

    You can find the setup log file at <system drive>\ExchangeSetupLogs\ExchangeSetup.log. The <system drive> variable represents the root directory of the drive where the operating system is installed.

    The setup log file tracks the progress of every task that is performed during the Exchange 2013 installation and configuration. The file contains information about the status of the prerequisite and system readiness checks that are performed before installation starts, the application installation progress, and the configuration changes that are made to the system. Check this log file to verify that the server roles were installed as expected.

    We recommend that you start your review of the setup log file by searching for any errors. If you find an entry that indicates that an error occurred, read the associated text to figure out the cause of the error.
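    One way to start that review from the shell is to pull out only the error and warning entries together with the entry that preceded each one. This is an added example, not part of the Deployment Assistant; the function name is hypothetical, the line layout the pattern expects is an assumption about the log format, and the sample lines are constructed.

```powershell
# Added example: list ERROR and WARNING entries from ExchangeSetup.log.
function Get-ExchangeSetupLogIssue {
    param(
        [Parameter(Mandatory = $true)] [string[]] $Line,   # log lines, in file order
        [string[]] $Level = @('ERROR', 'WARNING')           # levels to report
    )

    # Assumed line layout: [timestamp] [nesting depth] [LEVEL] message
    $pattern = '^\[(?<time>[^\]]+)\]\s+\[(?<depth>\d+)\]\s+\[(?<level>[A-Z]+)\]\s*(?<text>.*)$'
    $context = $null    # most recent line that was not itself reported

    for ($i = 0; $i -lt $Line.Count; $i++) {
        if ($Line[$i] -match $pattern -and $Level -contains $Matches['level']) {
            [pscustomobject]@{
                LineNumber = $i + 1
                Time       = $Matches['time']
                Level      = $Matches['level']
                Message    = $Matches['text']
                PrecededBy = $context   # what Setup was doing just before
            }
        }
        elseif ($Line[$i].Trim()) {
            $context = $Line[$i].Trim()
        }
    }
}

# Constructed sample lines, not taken from a real log.
$sample = @(
    '[08/14/2013 18:02:11.0456] [1] Constructed sample: starting a readiness check'
    '[08/14/2013 18:02:15.0120] [1] [WARNING] Constructed sample warning text'
    '[08/14/2013 18:03:39.0001] [1] Constructed sample: configuring a server role'
    '[08/14/2013 18:03:40.0877] [1] [ERROR] Constructed sample error text'
)
Get-ExchangeSetupLogIssue -Line $sample | Format-List

# Against the real file (path as described above):
# Get-ExchangeSetupLogIssue -Line (Get-Content "$env:SystemDrive\ExchangeSetupLogs\ExchangeSetup.log")
```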

    Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection


  • Create an Exchange 2013 mailbox

    To simplify configuration of Exchange 2013 and to help test your new server later on, you need to create an Exchange 2013 mailbox. We'll make this new mailbox a member of the Organization Management role group and you'll use this mailbox when you configure Exchange 2013.

    Later on in the checklist you'll need to log into your Exchange 2013 servers. Log in using the Exchange 2013 mailbox you'll create in this step. This will make sure you have the correct permissions to perform each of the steps and that the EAC opens correctly.

    How do I do this?

    1. Open the EAC by browsing to the URL of your Client Access server. For example, https://Ex2013/ecp?ExchClientVer=15.

       Important:

       You need to include ?ExchClientVer=15 in the URL when you want to open the EAC with a user that doesn't have an Exchange 2013 mailbox.

    2. Enter the user name and password of the account you used to install Exchange 2013 in Domain\user name and Password, and then click Sign in.
    3. Go to Recipients > Mailboxes. On the Mailboxes page, click Add and then select User mailbox.
    4. Provide the information required for the new user and then click Save.
    5. Go to Permissions > Admin Roles. On the Admin Roles page, select Organization Management and click Edit.
    6. Under Members, click Add.
    7. Select the Exchange 2013 mailbox you just created, click Add, then click OK. Then click Save.

    How do I know this worked?

    To verify that you've successfully created an Exchange 2013 mailbox and added it as a member of the Organization Management role group, do the following:

    1. In the EAC, go to Permissions > Admin Roles. On the Admin Roles page, select Organization Management.
    2. In the details pane, view the Members list. If the Exchange 2013 mailbox has been successfully added as a member of the Organization Management role group, the mailbox will be listed here.

    Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection


  • Configure Services

    Exchange 2013 external URLs

    Estimated time to complete: 10 to 15 minutes

    There are several settings that you need to configure on the Exchange 2013 virtual directories, which include Outlook Anywhere, Exchange ActiveSync, Exchange Web Services, Offline Address Book (OAB), Outlook Web App, the Exchange admin center, and the availability service.

    Learn more at: Virtual Directory Management

    How do I do this?

    1. Open the EAC by browsing to the URL of your Client Access server. For example, https://Ex2013/ECP.
    2. Enter your user name and password in Domain\user name and Password, and then click Sign in.
    3. Go to Servers > Servers, select the name of the Internet-facing Client Access server and then click Edit.
    4. Click Outlook Anywhere.
    5. In the Specify the external hostname field, specify the externally accessible FQDN of the Client Access server. For example, mail.contoso.com.
    6. While you're here, let's also set the internally accessible FQDN of the Client Access server. In the Specify the internal hostname field, insert the FQDN you used in the previous step. For example, mail.contoso.com.
    7. Click Save.
    8. Go to Servers > Virtual directories and then click Configure external access domain.
    9. Under Select the Client Access servers to use with the external URL, click Add.
    10. Select the Client Access servers you want to configure, and then click Add. After you've added all the Client Access servers you want to configure, click OK.
    11. In Enter the domain name you will use with your external Client Access servers, type the external domain you want to apply. For example, mail.contoso.com. Click Save.

        Note:

        Some organizations make the Outlook Web App FQDN unique to protect users against changes to the underlying server FQDN. Many organizations use owa.contoso.com for their Outlook Web App FQDN instead of mail.contoso.com. If you want to configure a unique Outlook Web App FQDN, do the following after you have completed the previous step. This checklist assumes you have configured a unique Outlook Web App FQDN.

        1. In Select server, choose your Exchange 2013 Client Access server.
        2. Select owa (Default Web Site) and click Edit.
        3. In External URL, type https://, then the unique Outlook Web App FQDN you want to use, and then append /owa. For example, https://owa.contoso.com/owa.
        4. Click Save.
        5. Select ecp (Default Web Site) and click Edit.
        6. In External URL, type https://, then the same Outlook Web App FQDN that you specified in the previous step, and then append /ecp. For example, https://owa.contoso.com/ecp.
        7. Click Save.

    How do I know this worked?

    To verify that you have successfully configured the external URL on the Client Access server virtual directories, do the following:

    1. In the EAC, go to Servers > Virtual directories.
    2. In the Select server field, select the Internet-facing Client Access server.
    3. Select a virtual directory and then, in the virtual directory details pane, verify that the External URL field is populated with the correct FQDN and service as shown below:

       Virtual directory              External URL value
       Autodiscover                   No external URL displayed
       ECP                            https://owa.contoso.com/ecp
       EWS                            https://mail.contoso.com/EWS/Exchange.asmx
       Microsoft-Server-ActiveSync    https://mail.contoso.com/Microsoft-Server-ActiveSync
       OAB                            https://mail.contoso.com/OAB
       OWA                            https://owa.contoso.com/owa
       PowerShell                     http://mail.contoso.com/PowerShell

    Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection


  • Exchange 2013 internal URLs

    Estimated time to complete: 10 to 15 minutes

    Before clients can connect to your new Exchange 2013 server from your Intranet, you need to configure the internal domains, or URLs, on the Exchange 2013 Client Access server's virtual directories.

    You choose whether you want users to use the same URL on your intranet and on the Internet to access your Exchange servers or whether they should use a different URL. What you choose depends on the addressing scheme you have in place already or that you want to implement. If you're implementing a new addressing scheme, we recommend that you use the same URL for both internal and external URLs. Using the same URL makes it easier for users to access your Exchange servers because they only have to remember one address. Regardless of the choice you make, you need to make sure you configure a private DNS zone for the address space you configure. For more information about administering DNS zones, see Administering DNS Server.

    For more information about internal and external URLs on virtual directories, see Virtual Directory Management.

    What do you want to do?

    Configure internal and external URLs to be the same

    1. Open the Exchange Management Shell on your Exchange 2013 Client Access server.

    2. Store the host name of your Client Access server in a variable that will be used in the next step. For example, Ex2013.

       $HostName = "Ex2013"

    3. Run each of the following commands in the Shell to configure each internal URL to match the virtual directory's external URL.

       Set-EcpVirtualDirectory "$HostName\ECP (Default Web Site)" -InternalUrl ((Get-EcpVirtualDirectory "$HostName\ECP (Default Web Site)").ExternalUrl)

       Set-WebServicesVirtualDirectory "$HostName\EWS (Default Web Site)" -InternalUrl ((Get-WebServicesVirtualDirectory "$HostName\EWS (Default Web Site)").ExternalUrl)

       Set-ActiveSyncVirtualDirectory "$HostName\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl ((Get-ActiveSyncVirtualDirectory "$HostName\Microsoft-Server-ActiveSync (Default Web Site)").ExternalUrl)

       Set-OabVirtualDirectory "$HostName\OAB (Default Web Site)" -InternalUrl ((Get-OabVirtualDirectory "$HostName\OAB (Default Web Site)").ExternalUrl)

       Set-OwaVirtualDirectory "$HostName\OWA (Default Web Site)" -InternalUrl ((Get-OwaVirtualDirectory "$HostName\OWA (Default Web Site)").ExternalUrl)

       Set-PowerShellVirtualDirectory "$HostName\PowerShell (Default Web Site)" -InternalUrl ((Get-PowerShellVirtualDirectory "$HostName\PowerShell (Default Web Site)").ExternalUrl)

    How do I know this worked?

    To verify that you have successfully configured the internal URL on the Client Access server virtual directories, do the following:

    1. In the EAC, go to Servers > Virtual directories.
    2. In the Select server field, select the Internet-facing Client Access server.
    3. Select a virtual directory and then click Edit.
    4. Verify that the Internal URL field is populated with the correct FQDN and service as shown below:

       Virtual directory              Internal URL value
       Autodiscover                   No internal URL displayed
       ECP                            https://owa.contoso.com/ecp
       EWS                            https://mail.contoso.com/EWS/Exchange.asmx
       Microsoft-Server-ActiveSync    https://mail.contoso.com/Microsoft-Server-ActiveSync
       OAB                            https://mail.contoso.com/OAB
       OWA                            https://owa.contoso.com/owa
       PowerShell                     http://mail.contoso.com/PowerShell

    Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection

    Configure different internal and external URLs

    1. Open the EAC by browsing to the URL of your Client Access server. For example, https://Ex2013/ECP.
    2. Go to Servers > Virtual directories.
    3. In the Select server field, select the Internet-facing Client Access server.
    4. Select the virtual directory you want to change, and then click Edit.
    5. In Internal URL, replace the host name between https:// and the first forward slash (/) with the new FQDN you want to use. For example, if you want to change the EWS virtual directory FQDN from Ex2013.corp.contoso.com to internal.contoso.com, change the internal URL from https://Ex2013.corp.contoso.com/ews/exchange.asmx to https://internal.contoso.com/ews/exchange.asmx.
    6. Click Save.
    7. Repeat steps 5 and 6 for each virtual directory you want to change.

       Note:

       The ECP and OWA virtual directory internal URLs must be the same. You can't set an internal URL on the Autodiscover virtual directory.

    How do I know this worked?

    To verify that you have successfully configured the internal URL on the Client Access server virtual directories, do the following:

    1. In the EAC, go to Servers > Virtual directories.
    2. In the Select server field, select the Internet-facing Client Access server.
    3. Select a virtual directory, and then click Edit.
    4. Verify that the Internal URL field is populated with the correct FQDN. For example, you may have set the internal URLs to use internal.contoso.com.

       Virtual directory              Internal URL value
       Autodiscover                   No internal URL displayed
       ECP                            https://internal.contoso.com/ecp
       EWS                            https://internal.contoso.com/EWS/Exchange.asmx
       Microsoft-Server-ActiveSync    https://internal.contoso.com/Microsoft-Server-ActiveSync
       OAB                            https://internal.contoso.com/OAB
       OWA                            https://internal.contoso.com/owa
       PowerShell                     http://internal.contoso.com/PowerShell

    Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection
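    The EAC checks above can also be run as one pass over all six virtual directories from the Exchange Management Shell. This is an added example, not part of the Deployment Assistant: the function names are hypothetical, the sample objects are constructed, and reading "the ECP and OWA internal URLs must be the same" as "must use the same host name" is an assumption.

```powershell
# Added example: audit internal/external URLs on the virtual directories this checklist configures.

# Collect the virtual directories (run in the Exchange Management Shell).
function Get-ChecklistVirtualDirectory {
    param([Parameter(Mandatory = $true)] [string] $Server)
    Get-EcpVirtualDirectory         -Server $Server
    Get-WebServicesVirtualDirectory -Server $Server
    Get-ActiveSyncVirtualDirectory  -Server $Server
    Get-OabVirtualDirectory         -Server $Server
    Get-OwaVirtualDirectory         -Server $Server
    Get-PowerShellVirtualDirectory  -Server $Server
}

# Pure check: accepts any objects exposing Name, InternalUrl and ExternalUrl.
# Emits one object per problem; no output means every check passed.
function Test-VirtualDirectoryUrl {
    param(
        [Parameter(Mandatory = $true)] [object[]] $VirtualDirectory,
        [switch] $SameInternalAndExternal,   # "internal and external URLs the same" option
        [string] $InternalHost               # "different URLs" option, e.g. internal.contoso.com
    )

    $internalHosts = @{}
    foreach ($vdir in $VirtualDirectory) {
        $name     = [string]$vdir.Name
        $internal = [string]$vdir.InternalUrl
        $external = [string]$vdir.ExternalUrl
        $uri      = $null

        if (-not [uri]::TryCreate($internal, [System.UriKind]::Absolute, [ref]$uri)) {
            [pscustomobject]@{ Name = $name; Problem = 'Internal URL is empty or not an absolute URL'; Value = $internal }
            continue
        }
        $internalHosts[$name] = $uri.Host

        if ($SameInternalAndExternal -and ($internal.TrimEnd('/') -ne $external.TrimEnd('/'))) {
            [pscustomobject]@{ Name = $name; Problem = 'Internal URL differs from external URL'; Value = "$internal <> $external" }
        }
        if ($InternalHost -and ($uri.Host -ne $InternalHost)) {
            [pscustomobject]@{ Name = $name; Problem = "Internal host is not $InternalHost"; Value = $uri.Host }
        }
    }

    # The checklist's note: ECP and OWA internal URLs must match (compared here by host name).
    $ecp = $internalHosts.Keys | Where-Object { $_ -like 'ecp*' } | Select-Object -First 1
    $owa = $internalHosts.Keys | Where-Object { $_ -like 'owa*' } | Select-Object -First 1
    if ($ecp -and $owa -and ($internalHosts[$ecp] -ne $internalHosts[$owa])) {
        [pscustomobject]@{ Name = 'ECP/OWA'; Problem = 'ECP and OWA internal hosts differ'
                           Value = "$($internalHosts[$ecp]) <> $($internalHosts[$owa])" }
    }
}

# Constructed sample with three deliberate faults: ECP left on the wrong host,
# OAB never given an internal URL, and therefore an ECP/OWA host mismatch.
$sample = @(
    [pscustomobject]@{ Name = 'ecp (Default Web Site)'; InternalUrl = 'https://mail.contoso.com/ecp'; ExternalUrl = 'https://owa.contoso.com/ecp' }
    [pscustomobject]@{ Name = 'EWS (Default Web Site)'; InternalUrl = 'https://mail.contoso.com/EWS/Exchange.asmx'; ExternalUrl = 'https://mail.contoso.com/EWS/Exchange.asmx' }
    [pscustomobject]@{ Name = 'OAB (Default Web Site)'; InternalUrl = ''; ExternalUrl = 'https://mail.contoso.com/OAB' }
    [pscustomobject]@{ Name = 'owa (Default Web Site)'; InternalUrl = 'https://owa.contoso.com/owa'; ExternalUrl = 'https://owa.contoso.com/owa' }
)
Test-VirtualDirectoryUrl -VirtualDirectory $sample -SameInternalAndExternal | Format-Table -AutoSize

# Against a live server (Ex2013 is the page's example host name):
# Test-VirtualDirectoryUrl -VirtualDirectory (Get-ChecklistVirtualDirectory -Server 'Ex2013') -SameInternalAndExternal
```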


  • Exchange 2013 certificates

    Estimated time to complete: 10 to 15 minutes (not including response time from the certificate authority)

    Some services, such as Outlook Anywhere and Exchange ActiveSync, require certificates to be configured on your Exchange 2013 server. The following steps show you how to configure an SSL certificate from a third-party certificate authority (CA). These steps also show you how to add the legacy host name that'll be configured on your Exchange 2007 server. In a later step, this certificate will be imported on your Exchange 2007 server to help simplify the switch to the legacy host name.

    How do I do this?

    1. Open the EAC by browsing to the URL of your Client Access server. For example, https://Ex2013/ECP.
    2. Enter your user name and password in Domain\user name and Password, and then click Sign in.
    3. Go to Servers > Certificates. On the Certificates page, make sure your Client Access server is selected in the Select server field, and then click New.
    4. In the New Exchange certificate wizard, select Create a request for a certificate from a certification authority and then click Next.
    5. Specify a name for this certificate and then click Next.
    6. If you want to request a wildcard certificate, select Request a wild-card certificate and then specify the root domain of all subdomains in the Root domain field. If you don't want to request a wildcard certificate and instead want to specify each domain you want to add to the certificate, leave this page blank. Click Next.
    7. Click Browse and specify an Exchange 2013 server to store the certificate on. The server you select should be the Internet-facing Exchange 2013 Client Access server. Click Next.
    8. For each service in the list shown, verify that the external or internal server names that users will use to connect to the Exchange server are correct. For example:

       If you configured your internal and external URLs to be the same, Outlook Web App (when accessed from the Internet) and Outlook Web App (when accessed from the Intranet) should show owa.contoso.com. OAB (when accessed from the Internet) and OAB (when accessed from the Intranet) should show mail.contoso.com.

       If you configured the internal URLs to be internal.contoso.com, Outlook Web App (when accessed from the Internet) should show owa.contoso.com and Outlook Web App (when accessed from the Intranet) should show internal.contoso.com.

       These domains will be used to create the SSL certificate request. Click Next.

    9. Click Add to add the legacy host name to the certificate.
    10. In the Domain name field, enter your legacy host name. For example, legacy.contoso.com. Click OK.
    11. Add any additional domains you want included on the SSL certificate.
    12. Select the domain that you want to be the common name for the certificate and click Set as common name. For example, contoso.com. Click Next.
    13. Provide information about your organization. This information will be included with the SSL certificate. Click Next.
    14. Specify the network location where you want this certificate request to be saved. Click Finish.

    After you've saved the certificate request, submit the request to your certificate authority (CA). This can be an internal CA or a third-party CA, depending on your organization. Clients that connect to the Client Access server must trust the CA that you use. After you receive the certificate from the CA, complete the following steps:

    1. On the Server > Certificates page in the EAC, select the certificate request you created in the previous steps.
    2. In the certificate request details pane, click Complete under Status.
    3. On the Complete pending request page, specify the path to the SSL certificate file and then click OK.
    4. Select the new certificate you just added, and then click Edit.
    5. On the certificate page, click Services.
    6. Select the services you want to assign to this certificate. At minimum, you should select IIS but you can also select IMAP, POP, and UM call router if you use these services. If you want to use secure transport, you can also select SMTP to make this certificate available to Exchange 2013 transport. Click Save.
    7. If you receive the warning Overwrite the existing default SMTP certificate?, click Yes.

    How do I know this worked?

    To verify that you have successfully added a new certificate, do the following:

    1. In the EAC, go to Servers > Certificates.
    2. Select the new certificate and then, in the certificate details pane, verify that the following are true:

       Status shows Valid.

       Assigned to services shows, at minimum, IIS and optionally IMAP, POP, UM call router, and SMTP.

    Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection
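    Status and assigned services do not show whether every host name clients will use, including the legacy host name, is actually on the certificate. The added example below (not part of the Deployment Assistant) checks that as well, including the one-label rule for wildcard names; the function names are hypothetical, the sample certificate object is constructed, and it is assumed that the entries in CertificateDomains render as plain host names.

```powershell
# Added example: confirm a certificate covers the required host names and services.

# True when $HostName matches one of the certificate's names.
# A wildcard such as *.contoso.com covers exactly one extra label:
# mail.contoso.com yes, contoso.com no, a.b.contoso.com no.
function Test-HostCoveredByCertificate {
    param(
        [Parameter(Mandatory = $true)] [string]   $HostName,
        [Parameter(Mandatory = $true)] [string[]] $CertificateDomain
    )
    foreach ($domain in $CertificateDomain) {
        if ($domain -eq $HostName) { return $true }     # -eq ignores case for strings
        if ($domain.StartsWith('*.')) {
            $suffix = $domain.Substring(1)               # ".contoso.com"
            if (($HostName.Length -gt $suffix.Length) -and
                $HostName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

# Works on Get-ExchangeCertificate output or any object exposing
# Thumbprint, CertificateDomains, Services, Status and NotAfter.
function Test-ExchangeCertificateReadiness {
    param(
        [Parameter(Mandatory = $true)] $Certificate,
        [Parameter(Mandatory = $true)] [string[]] $RequiredHost,
        [string[]] $RequiredService = @('IIS')           # the checklist's minimum
    )
    $domains  = @($Certificate.CertificateDomains | ForEach-Object { [string]$_ })
    $assigned = @(([string]$Certificate.Services) -split '\s*,\s*')

    $missingHosts = @($RequiredHost | Where-Object {
        -not (Test-HostCoveredByCertificate -HostName $_ -CertificateDomain $domains) })
    $missingServices = @($RequiredService | Where-Object { $assigned -notcontains $_ })

    $statusValid = ([string]$Certificate.Status -eq 'Valid')
    $notExpired  = ($Certificate.NotAfter -gt (Get-Date))

    [pscustomobject]@{
        Thumbprint      = $Certificate.Thumbprint
        StatusValid     = $statusValid
        NotExpired      = $notExpired
        MissingHosts    = $missingHosts -join ', '
        MissingServices = $missingServices -join ', '
        Ready           = ($statusValid -and $notExpired -and
                           ($missingHosts.Count -eq 0) -and ($missingServices.Count -eq 0))
    }
}

# Constructed sample: the legacy host name was never added to the request.
$sampleCert = [pscustomobject]@{
    Thumbprint         = 'CONSTRUCTED-SAMPLE-THUMBPRINT'
    CertificateDomains = @('contoso.com', 'mail.contoso.com', 'owa.contoso.com')
    Services           = 'IIS, SMTP'
    Status             = 'Valid'
    NotAfter           = (Get-Date).AddYears(1)
}
$required = 'mail.contoso.com', 'owa.contoso.com', 'legacy.contoso.com'
Test-ExchangeCertificateReadiness -Certificate $sampleCert -RequiredHost $required | Format-List

# Against a live server (Ex2013 is the page's example host name):
# Get-ExchangeCertificate -Server 'Ex2013' |
#     ForEach-Object { Test-ExchangeCertificateReadiness -Certificate $_ -RequiredHost $required }
```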


  • Exchange 2007 certificates

    Estimated time to complete: 10 to 15 minutes

    When you created the new third-party certificate for your Exchange 2013 server, you included the legacy host name as one of the host names on the certificate. The certificate includes both the primary host name your users use to connect to your organization, for example mail.contoso.com, and the new legacy host name, for example legacy.contoso.com. By importing this certificate on your Exchange 2007 server, you can avoid certificate errors when you configure your Exchange 2007 server to use the new legacy host name.

    If you have multiple Exchange 2007 Client Access servers in your organization, you need to import the third-party certificate and assign Exchange services on each Exchange 2007 Client Access server.

    How do I do this?

    First, you need to export your certificate from your Exchange 2013 server with the certificate's private key using the following steps.

    1. Log on directly to your Exchange 2013 Client Access server with an administrator user account.
    2. Open an empty Microsoft Management Console (MMC).
    3. Click File, and then Add/Remove Snap-in.
    4. In the Add or Remove Snap-ins window, select Certificates and then click Add >.
    5. In the Certificates snap-in window that appears, select Computer account and then click Next.
    6. Select Local computer and click Finish. Then, click OK.
    7. Under Console Root, expand Certificates (Local Computer), Personal, and then Certificates.
    8. Select the third-party certificate you created in the previous step.
    9. Right-click on the certificate, select All Tasks, and then Export.
    10. In the Certificate Export Wizard, click Next.
    11. Select Yes, export the private key and then click Next.
    12. Make sure Personal Information Exchange - PKCS #12 (.PFX) and Include all certificates in the certification path if possible are selected. Make sure no other options are selected. Click Next.
    13. Select Password and then enter a password to help secure your certificate. Click Next.
    14. Specify a file name for the new certificate. Use the file extension .pfx. Click Next, and then click Finish.
    15. You'll receive a confirmation prompt if the certificate export was successful. Click OK to close it.
    16. Copy the .pfx file you created to your Exchange 2007 Client Access server.

    After you've exported the certificate from your Exchange 2013 server, you need to import the certificate on your Exchange 2007 server using the following steps.

    1. Log on directly to your Exchange 2007 Client Access server with an administrator user account.
    2. Open an empty Microsoft Management Console (MMC).
    3. Click File, and then Add/Remove Snap-in.
    4. In the Add or Remove Snap-ins window, select Certificates and then click Add >.
    5. In the Certificates snap-in window that appears, select Computer account and then click Next.
    6. Select Local computer and click Finish. Then, click OK.
    7. Under Console Root, expand Certificates (Local Computer), and then Personal.
    8. Right-click Personal, select All Tasks and then Import.
    9. In the Certificate Import Wizard, click Next.
    10. Click Browse and select the .pfx file you copied to your Exchange 2007 Client Access server. Click Open, and then click Next.

        Note:

        You may need to change the File name filter in the Open window to All Files (*.*) to see the .pfx file.

    11. In the Password field, enter the password you used to help secure the certificate when you exported it on the Exchange 2013 Client Access server.
    12. Verify that Include all extended properties is selected and click Next.
    13. Verify that Place all certificates in the following store is selected and Personal is shown in Certificate store. Click Next. Click Finish.
    14. You'll receive a confirmation prompt if the certificate import was successful. Click OK to close it.

    Now that the new certificate has been imported on your Exchange 2007 Client Access server, you need to assign it to your Exchange services using the following steps.

    1. Open the Exchange Management Shell on your Exchange 2007 Client Access server.

    2. Run the following command to list the certificates installed on the Exchange 2007 server.

       Get-ExchangeCertificate

    3. Find the third-party certificate that contains the domain you configured on the certificate in the Subject column.

    4. Copy the GUID of the certificate that's located in the Thumbprint column and save it. You'll use this value in the next step.

    5. Run the following command to assign the certificate to the Internet Information Services (IIS), POP, IMAP, and Unified Messaging (UM) services. You'll need to paste the thumbprint you saved in the previous step into this command. The thumbprint GUID used in this example is BBF70EF91B214CCBC0D336EFA9BD9FE0035858C3.

       Enable-ExchangeCertificate BBF70EF91B214CCBC0D336EFA9BD9FE0035858C3 -Services IIS, POP, IMAP, UM

       Note:

       Only include the Unified Messaging service in the command if you've installed the Unified Messaging (UM) server role on this Exchange 2007 server.

    How do I know this worked?

    To verify that you've successfully imported the new third-party certificate on your Exchange 2007 Client Access server, do the following:

    1. Open the Exchange Management Shell on your Exchange 2007 Client Access server.

    2. Run the following command to list the certificates installed on the Exchange 2007 server.

       Get-ExchangeCertificate

    3. Verify that the services that you assigned to the new third-party certificate are listed in the Services column of the certificate. The following characters are used to indicate each service:

       Character    Service
       I            IMAP
       P            POP
       U            Unified Messaging
       W            IIS
       S            SMTP

       Note (Unified Messaging):

       This service will only be assigned to the certificate if you have the UM server role installed on this Exchange 2007 server and included the UM service when you ran the Enable-ExchangeCertificate command.

       Note (SMTP):

       This service wasn't included in the Enable-ExchangeCertificate command in the procedure earlier in this topic. Unless you included the SMTP service in the command, this service will be assigned to a previously installed certificate.

    Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection


  • Perform Switchover

    Important note about switchover

    Up until this point, you've been getting everything ready to bring your new Exchange 2013 server into production and switch some services from your Exchange 2007 server to your Exchange 2013 server. There has been no impact to your users. The next several steps in the checklist will transition Outlook Web App, Exchange Web Services, Autodiscover, and Exchange ActiveSync access from your Exchange 2007 server to your Exchange 2013 server. During this period, your users may experience some disruption as settings are updated and domain name configuration is replicated across the Internet. We recommend that you perform these steps outside of business hours and that you communicate possible service disruption to your users.

  • Enable and configure Outlook Anywhere

    Estimated time to complete: 10 to 15 minutes

    To allow your Exchange 2013 Client Access server to redirect connections to your Exchange 2007 servers, you must enable and configure Outlook Anywhere on all of the Exchange 2007 servers in your organization. If some Exchange 2007 servers in your organization are already configured to use Outlook Anywhere, their configuration must also be updated to support Exchange 2013. When you use the steps below to configure Outlook Anywhere, the following configuration is set on each Exchange 2007 server:

    - The Outlook Anywhere external URL is set to the external hostname of the Exchange 2013 server.
    - Client authentication, which is used to allow clients like Outlook 2013 to authenticate with Exchange, is set to Basic.
    - Internet Information Services (IIS) authentication, which is used to allow Exchange servers to communicate, is set to NTLM and Basic.

    How do I do this?

    Perform the following steps to enable and configure Outlook Anywhere on your Exchange 2007 servers.

    1. Open the Exchange Management Shell on your Exchange 2007 Client Access server.

    2. Store the external host name of your Exchange 2013 Client Access server in a variable that will be used in the next steps. For example, mail.contoso.com.

    $Exchange2013HostName = "mail.contoso.com"

    3. Run the following command to configure Exchange 2007 servers that already have Outlook Anywhere enabled to accept connections from Exchange 2013 servers.

    Warning:

    The following command will change the configuration of Outlook Anywhere on any Exchange 2007 server in your organization on which it's already enabled.

    Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 8*") -And ($_.ServerRole -Like "*ClientAccess*")} | Get-ClientAccessServer | Where {$_.OutlookAnywhereEnabled -Eq $True} | ForEach {Se

    4. Run the following command to enable Outlook Anywhere on the rest of your Exchange 2007 servers to accept connections from Exchange 2013 servers.

    Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 8*") -And ($_.ServerRole -Like "*ClientAccess*")} | Get-ClientAccessServer | Where {$_.OutlookAnywhereEnabled -Eq $False} | Enable-Out

    How do I know this worked?

    To verify that you've successfully configured Outlook Anywhere on your Exchange 2007 servers to accept connections redirected from Exchange 2013, do the following:

    1. Open the Exchange Management Shell on your Exchange 2007 Client Access server.

    2. Run the following command to view the Outlook Anywhere configuration on your Exchange 2007 servers:

    Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 8*") -And ($_.ServerRole -Like "*ClientAccess*")} | Get-OutlookAnywhere | Format-Table Server, ClientAuthenticationMethod, IISAuthenti

    Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection


  • Configure service connection point

    Estimated time to complete: 10 minutes

    Autodiscover uses an Active Directory object called the service connection point (SCP) to retrieve a list of AutoDiscover URLs for the forest in which Exchange is installed. When you install Exchange 2013, you need to update the SCP object to point to the Exchange 2013 server. This is necessary because Exchange 2013 servers provide additional AutoDiscover information to clients to improve the discovery process.

    You must update the SCP object configuration on every Exchange server in the organization. You need to use the version of the Exchange Management Shell that corresponds to the version of the Exchange servers you're updating.

    How do I do this?

    Perform the following steps to configure the SCP object on your Exchange 2007 servers.

    1. Open the Exchange Management Shell on your Exchange 2007 Client Access server.

    2. Store the AutoDiscover host name of your Exchange 2013 Client Access server in a variable that will be used in the next step. For example, autodiscover.contoso.com.

    $AutodiscoverHostName = "autodiscover.contoso.com"

    3. Run the following command to set the SCP object on every Exchange 2007 server to the AutoDiscover URL of the new Exchange 2013 server.

    Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 8*") -And ($_.ServerRole -Like "*ClientAccess*")} | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://$AutodiscoverHostNa

    Perform the following steps to configure the SCP object on your Exchange 2013 servers.

    1. Open the Exchange Management Shell on your Exchange 2013 Client Access server.

    2. Store the AutoDiscover host name of your Exchange 2013 Client Access server in a variable that will be used in the next step. For example, autodiscover.contoso.com.

    $AutodiscoverHostName = "autodiscover.contoso.com"

    3. Run the following command to set the SCP object on every Exchange 2013 server to the AutoDiscover URL of the new Exchange 2013 server.

    Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 15*") -And ($_.ServerRole -Like "*ClientAccess*")} | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://$AutodiscoverHostN

    How do I know this worked?

    To verify that you've successfully configured the AutoDiscoverServiceInternalUri property on your Exchange 2007 servers with the value of the Exchange 2013 AutoDiscover URL, do the following:

    1. Open the Exchange Management Shell on your Exchange 2007 Client Access server.

    2. Run the following command to view the SCP object configuration on Exchange 2007 servers.

    Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 8*") -And ($_.ServerRole -Like "*ClientAccess*")} | Get-ClientAccessServer | Format-Table Name, AutoDiscoverServiceInternalUri -Auto

    To verify that you've successfully configured the AutoDiscoverServiceInternalUri property on your Exchange 2013 servers with the value of the Exchange 2013 AutoDiscover URL, do the following:

    1. Open the Exchange Management Shell on your Exchange 2013 Client Access server.

    2. Run the following command to view the SCP object configuration on Exchange 2013 servers.

    Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 15*") -And ($_.ServerRole -Like "*ClientAccess*")} | Get-ClientAccessServer | Format-Table Name, AutoDiscoverServiceInternalUri -Auto

    Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection


  • Exchange 2007 URLs

    Estimated time to complete: 10 minutes

    When a user with an Exchange 2007 mailbox connects to your Exchange 2013 Client Access server, Exchange 2013 will redirect the connection to the Exchange 2007 Client Access server. To do this redirection, the Exchange 2013 server uses the external hostname configured on the Exchange 2007 server's Outlook Web Access, Exchange Web Services, and Unified Messaging virtual directories. The external hostname of the Exchange 2007 server needs to be different from the hostname of the Exchange 2013 server and needs to be pointed to the Exchange 2007 server's own Internet-accessible IP address. You need to manually configure the external hostname of the Exchange 2007 server, for example legacy.contoso.com.

    Warning:

    The commands in this step overwrite the value stored in the ExternalUrl property of the Outlook Web Access, Exchange Web Services, and Unified Messaging virtual directories on all the Exchange 2007 Client Access servers in your organization.

    How do I do this?

    1. Open the Shell on the Exchange 2007 Client Access server.

    2. Run the commands in the "How do I know this worked" section to retrieve the current values of the ExternalUrl property of the Outlook Web Access, Exchange Web Services, and Unified Messaging virtual directories. Make note of these values in case you need to revert back to them.

    3. Store the external host name of your Exchange 2007 Client Access server in a variable that will be used in the next steps. For example, legacy.contoso.com.

    $LegacyHostName = "legacy.contoso.com"

    4. Run the following command to configure the external URL of the Outlook Web App virtual directory on the Exchange 2007 Client Access server using the external host name you stored in the $LegacyHostName variable.

    Get-OwaVirtualDirectory | Where {$_.OwaVersion -Eq "Exchange2007"} | Set-OwaVirtualDirectory -ExternalUrl https://$LegacyHostName/owa

    5. Run the following command to configure the external URL of the Exchange Web Services virtual directory on the Exchange 2007 Client Access server using the external host name you stored in the $LegacyHostName variable.

    Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 8*") -And ($_.ServerRole -Like "*ClientAccess*")} | Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -ExternalUrl htt

    6. Run the following command to configure the external URL of the Unified Messaging virtual directory on the Exchange 2007 Client Access server using the external host name you stored in the $LegacyHostName variable.

    Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 8*") -And ($_.ServerRole -Like "*ClientAccess*")} | Get-UMVirtualDirectory | Set-UMVirtualDirectory -ExternalUrl https://$LegacyHostNa

    How do I know this worked?

    1. Run the following command to verify that the external URL of the Outlook Web Access virtual directory on all the Exchange 2007 servers in your organization has been configured correctly.

    Get-OwaVirtualDirectory | Where {$_.OwaVersion -Eq "Exchange2007"} | Format-Table Server, ExternalUrl -Auto

    2. Run the following command to verify that the external URL of the Exchange Web Services virtual directory on all the Exchange 2007 servers in your organization has been configured correctly.

    Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 8*") -And ($_.ServerRole -Like "*ClientAccess*")} | Get-WebServicesVirtualDirectory | Format-Table Server, ExternalUrl -Auto

    3. Run the following command to verify that the external URL of the Unified Messaging virtual directory on all the Exchange 2007 servers in your organization has been configured correctly.

    Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 8*") -And ($_.ServerRole -Like "*ClientAccess*")} | Get-UmVirtualDirectory | Format-Table Server, ExternalUrl -Auto
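
    The procedure above asks you to note the current ExternalUrl values because the Set commands overwrite them on every Exchange 2007 Client Access server. The following is an added example, not part of the Deployment Assistant, that saves those values to a CSV file and can write them back; the file path and the Restore-ExternalUrl function name are assumptions.

```powershell
# Added example (not from the Deployment Assistant). Run in the Exchange 2007
# Management Shell BEFORE the Set-*VirtualDirectory commands in this step.
$BackupPath = "C:\Temp\Ex2007-ExternalUrl-backup.csv"   # assumed path, change as needed

# Same server filter the checklist uses for Exchange 2007 Client Access servers.
$Ex2007Cas = Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 8*") -And ($_.ServerRole -Like "*ClientAccess*")}

# Columns saved for every virtual directory. An unset ExternalUrl becomes an empty cell.
$identity = @{Name = "Identity";    Expression = { $_.Identity.ToString() }}
$url      = @{Name = "ExternalUrl"; Expression = { "$($_.ExternalUrl)" }}

$rows = @(
    Get-OwaVirtualDirectory | Where {$_.OwaVersion -Eq "Exchange2007"} |
        Select-Object @{Name = "Kind"; Expression = { "OWA" }}, $identity, $url
    $Ex2007Cas | Get-WebServicesVirtualDirectory |
        Select-Object @{Name = "Kind"; Expression = { "EWS" }}, $identity, $url
    $Ex2007Cas | Get-UMVirtualDirectory |
        Select-Object @{Name = "Kind"; Expression = { "UM" }}, $identity, $url
)
$rows | Export-Csv -Path $BackupPath -NoTypeInformation
$rows | Format-Table Kind, Identity, ExternalUrl -Auto

# Rollback: writes the saved value back to each virtual directory.
# Restore-ExternalUrl is a hypothetical helper name used only in this example.
function Restore-ExternalUrl {
    param([string]$Path)

    Import-Csv -Path $Path | ForEach-Object {
        $row = $_        # switch rebinds $_, so keep the CSV row in its own variable
        $saved = $null   # an empty cell means the property was not set before
        if ($row.ExternalUrl) { $saved = $row.ExternalUrl }

        switch ($row.Kind) {
            "OWA" { Set-OwaVirtualDirectory         -Identity $row.Identity -ExternalUrl $saved }
            "EWS" { Set-WebServicesVirtualDirectory -Identity $row.Identity -ExternalUrl $saved }
            "UM"  { Set-UMVirtualDirectory          -Identity $row.Identity -ExternalUrl $saved }
        }
    }
}

# To revert after the switchover commands have run:
# Restore-ExternalUrl -Path $BackupPath
```

    After a restore, rerun the three verification commands above and compare the output with the saved file.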

    Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection


  • Configure DNS records

    Estimated time to complete: 15 to 20 minutes

    Now that you've configured your Exchange 2007 and Exchange 2013 servers, it's time to change your DNS records to direct connections to your new Exchange 2013 server. You'll move the host names (for example, mail.contoso.com) users have been using to connect to Outlook Web Access, Autodiscover, and so on from your Exchange 2007 server to your Exchange 2013 server. When an Exchange 2007 user tries to open their mailbox, the Exchange 2013 server will redirect them to the host name of the Exchange 2007 server (for example, legacy.contoso.com). Configuring DNS includes the following:

    - Verify that the Exchange 2007 host name resolves to the external publicly accessible IP address of the Exchange 2007 Client Access server.
    - Change the primary host names, such as mail.contoso.com, autodiscover.contoso.com, and owa.contoso.com (if used) to point to the external publicly accessible IP address of the Exchange 2013 Client Access server with your public DNS provider.
    - Change the primary host names, such as mail.contoso.com (or internal.contoso.com if you're using different internal host names), autodiscover.contoso.com, and owa.contoso.com (if used) to point to the internal machine name of the Exchange 2013 Client Access server on your internal DNS servers.

    Important:

    - Read this topic completely before starting.
    - You might need to make changes to your firewall to support the new Exchange 2013 server. You might need to add new firewall rules, add an external IP address for your Exchange 2013 server, or make other configuration changes. If your organization has a network management group, a security review process, or change management process, you may need to request permission to perform these changes or have someone else make them for you.

    How do I verify my Exchange 2007 host name is properly configured?

    Earlier in the checklist, you configured the host name of the Exchange 2007 server with your public Internet DNS provider. Now you need to verify that the host name of the Exchange 2007 server, for example legacy.contoso.com, resolves to the external IP address of the Exchange 2007 server and that you can access an Exchange 2007 mailbox.

    To verify that you've successfully configured your Exchange 2007 host name with your public DNS provider, do the following:

    1. Open a command prompt and run nslookup.exe.

    2. Change to a DNS server that can query your public DNS zone.

    3. In nslookup, look up the record for the legacy.contoso.com host name you created. Verify that the IP address that's returned matches the external IP address of your Exchange 2007 server.

    Now, verify that you can access your Exchange 2007 server using the legacy host name. Using a computer outside of your internal network, open your favorite browser and browse to the Outlook Web Access URL of the Exchange 2007 server, for example, https://legacy.contoso.com/owa. Verify that you can connect to Outlook Web App, log in, and view the contents of an Exchange 2007 mailbox. Also verify that you don't receive any certificate warnings or errors.

    If you can access an Exchange 2007 mailbox and don't receive any certificate warnings or errors, you can continue on with the rest of this topic. If you do receive certificate errors or if you can't access the Exchange 2007 mailbox, do the following:

    - Make sure that you've created the legacy DNS host name. For more information, see "Create legacy Exchange host name" earlier in the checklist.
    - Make sure that you've successfully requested and received the new certificate on your Exchange 2013 Client Access server and imported it on your Exchange 2007 server. For more information, see "Exchange 2013 certificates" and "Exchange 2007 certificates" earlier in the checklist.
    - Make sure that you've correctly configured the internal and external URLs on your Exchange 2007 server. For more information, see "Configure Exchange 2007 URLs" earlier in the checklist.

    Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection

    How do I configure my public DNS records?

    To send users to your Exchange 2013 Client Access server, you need to configure the existing DNS host (A) record with your external DNS provider. The public DNS records should point to the external IP address or FQDN of your Internet-facing Exchange 2013 Client Access server and use the externally accessible FQDNs that you've configured on your Client Access server. The following are examples of recommended DNS records that you should create to enable mail flow and external client connectivity.

    Important:

    Before you make any changes to your DNS records, we strongly recommend that you reduce the time to live (TTL) values of each DNS record you want to change to its minimum interval. The TTL value determines how long a DNS record stays cached on DNS servers. A smaller interval, such as 5 or 10 minutes, will allow you to reverse any changes faster in the event you need to revert back to your original configuration. If you do need to change the TTL of your DNS records, don't make any other changes until the original TTL interval has passed.

    FQDN                        DNS record type   Value
    contoso.com                 MX                Mail.contoso.com
    mail.contoso.com            A                 172.16.10.11
    owa.contoso.com             CNAME             Mail.contoso.com
    autodiscover.contoso.com    A                 172.16.10.11

    How do I configure my internal DNS records?

    You choose whether you want users to use the same URL on your intranet and on the Internet to access your Exchange server or whether they should use a different URL. What you choose depends on the addressing scheme you have in place already or that you want to implement. If you're implementing a new addressing scheme, we recommend that you use the same URL for both internal and external URLs. Using the same URL makes it easier for users to access your Exchange server because they only have to remember one address. Regardless of the choice you make, you need to make sure you configure a private DNS zone for the address space you configure. For more information about administering DNS zones, see Administering DNS Server.

    Configure internal and external URLs to be the same

    To send users to your Exchange 2013 Client Access server, you need to configure the existing DNS host (A) record on your internal DNS servers. The internal DNS records should point to the internal host name and IP address of your Exchange 2013 Client Access server. The internal host names you use should match the external host names, for example, mail.contoso.com and owa.contoso.com. The following are examples of recommended DNS records that you should create to enable mail flow and external client connectivity.

    Important:

    Before you make any changes to your DNS records, we strongly recommend that you reduce the time to live (TTL) values of each DNS record you want to change to its minimum interval. The TTL value determines how long a DNS record stays cached on DNS servers. A smaller interval, such as 5 or 10 minutes, will allow you to reverse any changes faster in the event you need to revert back to your original configuration. If you do need to change the TTL of your DNS records, don't make any other changes until the original TTL interval has passed.

    FQDN                        DNS record type   Value
    mail.contoso.com            CNAME             Ex2013.corp.contoso.com
    owa.contoso.com             CNAME             Ex2013.corp.contoso.com
    autodiscover.contoso.com    A                 192.168.10.10

    Configure different internal and external URLs

    To send users to your Exchange 2013 Client Access server, you need to configure the existing DNS host (A) record on your internal DNS servers. The internal DNS records should point to the internal host name and IP address of your Exchange 2013 Client Access server. The following are examples of recommended DNS records that you should create to enable mail flow and external client connectivity.

    Important:

    Before you make any changes to your DNS records, we strongly recommend that you reduce the time to live (TTL) values of each DNS record you want to change to its minimum interval. The TTL value determines how long a DNS record stays cached on DNS servers. A smaller interval, such as 5 or 10 minutes, will allow you to reverse any changes faster in the event you need to revert back to your original configuration. If you do need to change the TTL of your DNS records, don't make any other changes until the original TTL interval has passed.

    FQDN                        DNS record type   Value
    internal.contoso.com        CNAME             Ex2013.corp.contoso.com
    autodiscover.contoso.com    A                 192.168.10.10

    How do I know this worked?

    To verify that you have successfully configured your public DNS records, do the following:

    1. Open a command prompt and run nslookup.exe.

    2. Change to a DNS server that can query your public DNS zone.

    3. In nslookup, look up the record of each FQDN you created. Verify that the value that's returned for each FQDN is correct.

    Now, verify that you can access your Exchange 2013 server using your primary host name. Using a computer outside of your internal network, open your favorite browser and browse to the Outlook Web Access URL of the Exchange 2013 server, for example, https://mail.contoso.com/owa. Perform the two following tests:

    - Log into an Exchange 2013 mailbox: Log into an Exchange 2013 mailbox and verify that you can access the contents of the mailbox without any certificate warnings or other errors. Log out and close your browser. If you need to create a new Exchange 2013 mailbox, see Create User Mailboxes.
    - Log into an Exchange 2007 mailbox: Log into an Exchange 2007 mailbox. When you log into this mailbox, you will be redirected to your Exchange 2007 Client Access server (the URL in the browser address bar will switch from mail.contoso.com to legacy.contoso.com). Verify that you are logged in successfully, that you can access the contents of the mailbox, and that you don't receive any certificate warnings or other errors.
    - Test inbound and outbound mail flow: Send a message from an external mail provider, such as outlook.com, to Exchange 2013 and Exchange 2007 mailboxes. Verify that the message is received successfully. Reply to the message from each mailbox and verify that the external recipient receives the message. You can also examine the message headers of the messages you sent and received to verify the path the message took using the Message Analyzer in the Microsoft Remote Connectivity Analyzer.

    With the exception of the mail flow test, repeat the previous tests from a computer inside your network to test your internal DNS configuration. If you've configured your internal DNS records to use the same host names as your external DNS, attempt to access an Exchange 2013 and Exchange 2007 mailbox using those host names, for example mail.contoso.com or owa.contoso.com. If you've configured your internal DNS records to use a different host name, attempt to access an Exchange 2013 and Exchange 2007 mailbox using the internal host name, for example internal.contoso.com.
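
    The nslookup and browser checks for the legacy host name and for the primary host names can be scripted so they are repeatable during the switchover window. The following is an added example, not part of the Deployment Assistant: it assumes Windows 8 or Windows Server 2012 or later (for Resolve-DnsName), and the resolver address, the expected IP addresses and the Test-ExchangeHostName function name are placeholders.

```powershell
# Added example (not from the Deployment Assistant). Run it from a computer
# outside the internal network. All addresses below are placeholders.
$PublicDnsServer = "198.51.100.53"          # a resolver that can query your public zone
$Expected = @{
    "legacy.contoso.com" = "203.0.113.10"   # external IP of the Exchange 2007 Client Access server
    "mail.contoso.com"   = "203.0.113.20"   # external IP of the Exchange 2013 Client Access server
}

# Test-ExchangeHostName is a hypothetical helper name used only in this example.
function Test-ExchangeHostName {
    param([string]$HostName, [string]$ExpectedIp, [string]$DnsServer)

    $problems = @()
    $r = [pscustomobject]@{
        HostName = $HostName; Resolved = ""; Ttl = $null; DnsMatch = $false
        TlsOk = $false; CertSubject = ""; CertExpires = $null; Problem = ""
    }

    # 1. DNS: query the chosen resolver using the DNS protocol only, then
    #    compare the A records with the address the checklist says to expect.
    try {
        $a = @(Resolve-DnsName -Name $HostName -Type A -Server $DnsServer -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq "A" })
        $ips        = @($a | ForEach-Object { "$($_.IPAddress)" })
        $r.Resolved = $ips -join ","
        $r.Ttl      = ($a | Measure-Object -Property TTL -Minimum).Minimum
        $r.DnsMatch = $ips -contains $ExpectedIp
        if (-not $r.DnsMatch) { $problems += "DNS returned '$($r.Resolved)', expected $ExpectedIp" }
    } catch {
        $problems += "DNS lookup failed: $($_.Exception.GetBaseException().Message)"
    }

    # 2. TLS: connect to the expected IP on port 443 but validate the certificate
    #    against the host name, so a stale DNS cache cannot hide a wrong certificate.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($ExpectedIp, 443)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)   # throws if chain or name validation fails
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.TlsOk       = $true
        $r.CertSubject = $cert.Subject
        $r.CertExpires = $cert.NotAfter
    } catch {
        $problems += "TLS check failed: $($_.Exception.GetBaseException().Message)"
    } finally {
        $tcp.Close()
    }

    $r.Problem = $problems -join "; "
    $r
}

$Expected.GetEnumerator() | ForEach-Object {
    Test-ExchangeHostName -HostName $_.Key -ExpectedIp $_.Value -DnsServer $PublicDnsServer
} | Format-Table HostName, Resolved, Ttl, DnsMatch, TlsOk, CertExpires, Problem -AutoSize
```

    The Ttl column shows the value the resolver returned, which is useful for confirming that the reduced TTL recommended above has taken effect before you change the records.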

    Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection


  • Finalize Your Deployment


  • Post-configuration tasks

    After you complete a new installation of Exchange 2013, add an additional Exchange 2013 server role to an existing Exchange 2013 server, or install Exchange 2013 in an existing organization, you should consider the post-installation tasks. The post-installation tasks will help you verify the installation and configure the components that you have just installed.

    Product key

    When you install Exchange 2013, your server is licensed as a trial edition. The trial edition expires 120 days after the date of installation. A server that has a trial edition license functions as an Exchange Standard Edition server, but it isn't eligible for support from Microsoft support services. If you have Exchange 2013 servers for which the trial edition has expired, Exchange displays a separate warning for each expired server. You need to enter a product key before the trial edition expires if you want to continue using Exchange 2013 on the server.

    Learn more: Enter Product Key

    Permissions configuration

    For the purposes of the Exchange Deployment Assistant, your administrator account was granted permissions that you might not need going forward. You should verify that this account doesn't have more permissions than required to configure and manage your Exchange 2013 environment.

    Role Based Access Control