基本信息
- 镜像下载地址:https://next.itellyou.cn/Original/#
- 文档:https://learn.microsoft.com/zh-cn/Exchange/plan-and-deploy/system-requirements?view=exchserver-2019
必要软件
- Exchange 2019 最低要求是 16GB 内存
显示计算机、网络图标,在运行窗口输入
rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,0
桌面壁纸显示ip地址信息
https://learn.microsoft.com/zh-cn/sysinternals/downloads/bginfo
Boot Time:
OS Version:
Host Name:
Logon Domain:
Machine Domain:
CPU:
Memory:
IP Address:
DHCP Server:
MAC Address:
Subnet Mask:
DNS Server:
Default Gateway:
Volumes:
A .NET框架4.8
https://download.visualstudio.microsoft.com/download/pr/014120d7-d689-4305-befd-3cb711108212/0fd66638cde16859462a6243a4629a50/ndp48-x86-x64-allos-enu.exe
B.Visual C++ Redistributable Package for Visual Studio 2012
https://www.microsoft.com/download/details.aspx?id=30679
C.在 Windows PowerShell 中运行以下命令,安装远程工具管理包:
Install-WindowsFeature RSAT-ADDS
D.Exchange Server 2019 CU12 (2022H1)补丁包
https://techcommunity.microsoft.com/t5/exchange-team-blog/released-2022-h1-cumulative-updates-for-exchange-server/ba-p/3285026
下载地址
https://www.microsoft.com/en-us/download/details.aspx?id=30679
E.IIS URL 重写模块
IIS 的 URL 重写模块需要在累积更新 11 或更高版本中使用。
下载地址https://www.iis.net/downloads/microsoft/url-rewrite
F.添加所需的 Lync Server 或 Skype for Business Server 组件:
Install-WindowsFeature Server-Media-FoundationG.安装 Unified Communications Managed API 4.0。此程序包可供下载并位于 Exchange Server 媒体的\UCMARedist 文件夹中。
https://www.microsoft.com/download/details.aspx?id=34992
H.使用 Exchange 安装程序安装所需的 Windows 组件,请在 Windows PowerShell 中运行以下命令之一
#把window2019的安装ios加到到本电脑上的z磁盘
Install-WindowsFeature NET-Framework-45-Features, Server-Media-Foundation, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS -Source Z:\sources\sxs
#扩展AD架构
\Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareSchema
\Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareAD /OrganizationName:"tyun"
#在AD用戶与計算机上,你会发现 Microsoft Exchange Security Groups
\Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareAllDomains
I.批量发送邮件给自己
send-mailmessage -to administrator@tyun.cn -subject "TEST49" -Body "請注意!SRVEX 磁碟空間目前已剩下不到 78% 的可用空間 " -smtpserver srvex.ianext.com -from administrator@tyun.cn -Encoding Unicode
J.单exchange服务停止批量启动
#查看exchange服务
Get-Service -Name "MSExch*"
#显示完成的exchange名称
Get-Service -Name "MSExch*" | ft -auto
# 直接重啟 Exchange 已经停止的服务
Get-Service -Name "MSExchange*" | Where-Object {$_.Status -eq "Stopped"} | Restart-Service
K.exchange用户信息
#用户登录Exchange信息
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox | Get-MailboxStatistics | Sort-Object Lastlogontime -Descending | Select-Object DisplayName,MailboxTypeDetail,LastLogonTime,ServerName
#查看目前有架构下所有的 Exchange Server 完整主机名称等等信息
Get-ExchangeServer | Select FQDN, ServerRole,AdminDisplayVersion,IsEdgeServer
#查看本机所有 Exchange 服务的执行状态
Get-Service -Name *Exchange* | Select Status, DisplayName | Sort Status | FT -Auto
#测试主机连接smtp服务是否正常
Test-NetConnection srvex.tyun.cn -Port 25 -InformationLevel "Detailed"
#测试连接的所有网络、来源地址、目的地址以及路由信息
Test-NetConnection -ComputerName srvex.tyun.cn -DiagnoseRouting -InformationLevel Detailed
#Exchange DNS 查看
Get-TransportService | FL *dns*
#把ad用户导入到exchange
Get-User -RecipientTypeDetails User -Filter { UserPrincipalName -ne $Null } | Enable-Mailbox
L.批量导出AD用户
参考https://www.cnblogs.com/wulongy/p/14924907.html
表格样例
AD域管理工具
https://osdn.net/projects/sfnet_adbulkadmin/downloads/ADBulkAdmin/1.1.0.33/ADBulkAdmin-v1.1.0.33.zip/
https://zh.osdn.net/projects/sfnet_adbulkadmin/releases/
导出it组织单元下的所有用户
Get-ADUser -Filter * -Properties * -SearchBase "DC=it,DC=tyun,DC=cn" |Select-Object name,SamAccountName,Givenname,surname,Displayname,title,mobile,CanonicalName,Created,Department,DistinguishedName,EmailAddress,homeMDB,mail,mailNickname,MemberOf,msExchCoManagedObjectsBL,msExchHomeServerName,PasswordLastSet,PrimaryGroup,proxyAddresses,UserPrincipalName,whenCreated,whenChanged,MobilePhone,telephoneNumber,employeeNumber,postalCode,company |Export-Csv C:\AllADUser20221001.csv -Encoding UTF8 –NoTypeInformation
ldifde -f "c:\alldbauser.ldf" -d "DC=it,DC=tyun,DC=cn" -r objectClass=user -l "name,SamAccountName,Givenname,surname,Displayname,title,mobile,CanonicalName,Created,Department,DistinguishedName,EmailAddress,homeMDB,mail,mailNickname,MemberOf,msExchCoManagedObjectsBL,msExchHomeServerName,PasswordLastSet,PrimaryGroup,proxyAddresses,UserPrincipalName,whenCreated,whenChanged,MobilePhone,telephoneNumber,employeeNumber,postalCode,company"
M.获取AD密码策略域过期时间
#获取AD域服务器密码策略信息
Get-ADDefaultDomainPasswordPolicy
ComplexityEnabled:密码必须符合复杂性要求
MaxPasswordAge:密码最长使用期限
MinPasswordAge:密码最短使用期限
MinPasswordLength:最小密码长度
PasswordHistoryCount:强制密码历史
密码最长使用期限是 24 天;
Set-ADDefaultDomainPasswordPolicy -Identity tyun.cn -ComplexityEnabled $True -MaxPasswordAge 180.00:00:00
#获取已经过期的用户
Get-Aduser -Filter * -Properties * | where {$_.PasswordExpired -eq $true} | FT Name
#获取所有标识密码过期时间的用户
Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties * | Select-Object -Property "Name", @{n="ExpiryDate";e={$_.PasswordLastSet.AddDays((Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days)}} | Sort-Object ExpiryDate
#获取指定标识密码过期时间的用户
Get-ADUser -Filter {name -like "king"} -Properties * | Select-Object -Property "Name", @{n="ExpiryDate";e={$_.PasswordLastSet.AddDays((Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days)}} | Sort-Object ExpiryDate
#获取所有用户密码属性信息
Get-ADUser -Filter * -Properties * | Sort-Object Name | ft Name,PasswordLastSet,PasswordExpired,PasswordNeverExpires
#删除单个用户
Remove-ADUser -Identity king -Confirm:$false
#SAM 账户名删除属于子项/子集/子树的用户对象
Get-ADUser -Identity king | foreach{Remove-ADObject -Identity $_.ObjectGUID -Recursive -Confirm:$False}
#搜索并删除指定组织单位(OU)容器内的用户对象
Get-ADUser -Filter * -SearchBase "OU=cnList,OU=testGroup,DC=tyun,DC=cn" | foreach{Remove-ADObject -Identity $_.ObjectGUID -Recursive -Confirm:$False}
#删除子项(子树)需要使用如下删除域对象
Remove-ADObject -Identity king -Recursive
导入 CSV 数据列表删除用户对象
import-csv .\del.csv | foreach{Get-ADUser -Identity $_.name} | foreach{Remove-ADObject -Identity $_.ObjectGUID -Recursive -Confirm:$False}
Get-ADUser king
可以参考https://hexingxing.cn/tag/active-directory/page/2/
https://github.com/phillips321/adaudit/blob/master/AdAudit.ps1
N.存储规划
Database Name | 用户属性 | 单位空间 最大容量 | MAil server01 | |
Level1 | 集团高管、董事会、总裁办公室 | 20G | 主400G | |
Level2 | 业务单元总经理办公人员 | 15G | 主400G | |
Level3 | 部门主管、负责人、核心员工 | 10G | ||
Level4 | 普通员工 | 4G | ||
Level5 | 不活跃用户 | 500M | ||
Level6 | 公共邮箱、系统邮箱、功能邮箱 | 视情况而定 | ||
Level7 | 离职员工 | |||
Level8 | 邮件离职 |
Exchange2019的步骤
IP地址 | 主机名 | 服务器用途 | 备注 |
10.30.21.64 | SH-Srv-AD | 域控服务器(主域控) | |
10.30.21.77 | SH-Srv-AC | 域控服务器(额外域控) | |
10.30.21.78 | SH-Srv-MBX01 | 邮件服务器01 | |
10.30.21.83 | SH-Srv-MBX02 | 邮件服务器02 |
架构图展示
第一步:安装AD主域控
01 AD域控PDC时间
#查询域控PDC服务器
netdom query fsmo
#配置PDC使用ntp服务器同步时间
w32tm /config /manualpeerlist:"server0.cn.pool.ntp.org,0x8 server1.cn.pool.ntp.org,0x8 time.windows.com,0x8" /syncfromflags:manual /reliable:yes /update
#查看当前Windows Time运行情况
w32tm /query /status
#查看当前ntp时间服务器设置
w32tm /query /peers
#查看PDC服务器ntp同步状态,和ntp服务器时间差
w32tm /stripchart /computer:time.windows.com /samples:100 /dataonly
#AD 域客户端同步域服务器时间
net time \\192.168.232.10 /set /y
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\ /v SpecialPollInterval /t REG_DWORD /d 1200 /f
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters /v NtpServer /d ntp1.aliyun.com /f
net stop w32time
net start w32time02 服务器重置下SID信息
自建打开C:\Windows\System32\Sysprep目录运行sysprep.exe,重置SID后重启服务器
如果是aliyun服务器请下载
https://docs-aliyun.cn-hangzhou.oss.aliyun-inc.com/assets/attach/40846/cn_zh/1542010494209/AutoSysprep.ps1?spm=a2c4g.11186623.0.0.293f5f53EeEej3&file=AutoSysprep.ps1
.\AutoSysprep.ps1 -help
重新初始化服务器的SID并重启服务器
.\AutoSysprep.ps1 -ReserveHostname -ReserveNetwork -SkipRearm -PostAction "reboot"03 开始安装主域控
密码策略配置
使用Powershell命令添加AD细粒度密码策略
New-ADFineGrainedPasswordPolicy -Name "PasswordSetting3" -Precedence 1 -ComplexityEnabled $true -Description "The Domain Users Password Policy" -DisplayName "PasswordSetting3" -LockoutDuration "0.00:30:00" -LockoutObservationWindow "0.00:30:00" -LockoutThreshold "5" -MaxPasswordAge "24.00:00:00" -MinPasswordAge "1.00:00:10" -MinPasswordLength "7" -PasswordHistoryCount "24"
优先级:1(最高)
强制最短密码长度:7(个字符)
强制密码历史记录:24(个历史密码)
密码复杂性要求:启用
强制密码最短期限:1(天)
强制密码最长期限:24(天)
强制账号锁定策略:30(分钟)内5次(登录失败)锁定30(分钟)第二步:安装AD辅域控
重启服务器后
测试主辅域连接是否正常
netdom query fsmo
诊断AD信息是否正常
repadmin /showrepl
第三步:安装exchange2019
以次安装服务
ndp48-x86-x64-allos-enu.exe、vcredist_x64.exe(2012和2013)、urlrewrite2.exe、
UcmaRuntimeSetup_API4.0.exe
#安装远程工具管理包
Install-WindowsFeature RSAT-ADDS
#安装 Server Media Foundation 窗口功能
Install-WindowsFeature Server-Media-Foundation
# Exchange 安装程序安装所需的 Windows 组件
Install-WindowsFeature NET-Framework-45-Features, Server-Media-Foundation, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS -Source G:\sources\sxs
#重启下服务器后安装下面的命令操作
先加载window server 2019镜像,打开powershell窗口进入g:
\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareSchema
\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareAD /OrganizationName:"tyun"
\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareAllDomains根据提示重启服务器,然后再执行一次安装
\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareSchema
Exchange2019服务器再次重启
开始安装Exchange2019CU12
或者是通过命令来执行
#将许可证Exchange SRV2019-MBX 的服务器
Set-ExchangeServer SRV2019-MBX -ProductKey YCQY7-BNTF6-R337H-69FGX-P39TY
#重新启动 Microsoft Exchange信息存储服务
Restart-Service MSExchangeIS
#验证证书属性
Get-ExchangeServer SRV2019-MBX | Format-List Name,Edition,*Trial*
Get-ExchangeServer | Format-Table -Auto Name,Edition,*Trial*各版本的秘钥信息
Enterprise: YCQY7-BNTF6-R337H-69FGX-P39TY
Standard: G3FMN-FGW6B-MQ9VW-YVFV8-292KP修复0Day漏洞
.*autodiscover\.json.*\@.*Powershell.*条件输入{REQUEST_URI}.\iisreset.exe -restart
第四步:配置证书
add-pssnapin microsoft.exchange*
查询EXCHANGE服务器数据库和日志文件路径
Get-MailboxDatabase -Server SRV2019-MBX| Select Name,EdbFilePath,LogFolderPath | fl
#查看Exchange Server版本号
Get-ExchangeServer | Format-List Name,Edition,AdminDisplayVersion
安装完成exchange服务后重启下服务器,发现exchange服务是停止状态,通过命令重新启动
打开地址https://mail.tyun.cn/ecp
Install-WindowsFeature Web-Client-Auth输入window+q键 inetmgr 进入Internet Information Services (IIS) 管理器
点击owa虚拟目录,双击SSL设置
选择
Microsoft-Server-ActiveSync 虚拟目录,选择SSL 设置
Cmd 打开regedit注册表修改HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443 1
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/owa/" -section:system.webserver/security/access /sslFlags:"Ssl, SslRequireCert" /commit:apphost
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/ecp/" -section:system.webserver/security/access /sslFlags:"Ssl, SslRequireCert" /commit:apphost
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/Microsoft-Server-ActiveSync/" -section:system.webserver/security/access /sslFlags:"Ssl, SslRequireCert" /commit:apphost
颁发自签证书
New-ExchangeCertificate -FriendlyName "Contoso Exchange Certificate" -SubjectName CN=srv2019-mbx -DomainName mail.tyun.cn,autodiscover.tyun.cn,srv2019-mbx.tyun.cn -Services SMTP,IIS -PrivateKeyExportable $true
New-ExchangeCertificate -FriendlyName "Contoso Exchange Certificate2019" -SubjectName CN=mail -DomainName mail.tyun.cn,autodiscover.tyun.cn,srv2019-mbx.tyun.cn -Services SMTP,IIS -PrivateKeyExportable $true
查询证书信息
Get-ExchangeCertificate | where {$_.Status -eq "Valid" -and $_.IsSelfSigned -eq $true} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint,NotBefore,NotAfter
续自签证书
Get-ExchangeCertificate -Thumbprint BC37CBE2E59566BFF7D01FEAC9B6517841475F2D | New-ExchangeCertificate -Force -PrivateKeyExportable $true
颁发机构续订
#如果需要将证书续订请求文件 的内容 发送到 CA,请使用以下语法创建 Base64 编码的请求文件
$txtrequest = Get-ExchangeCertificate -Thumbprint | New-ExchangeCertificate -GenerateRequest [-KeySize <1024 2048 4096>] [-Server ]
[System.IO.File]::WriteAllBytes('\.req', [System.Text.Encoding]::Unicode.GetBytes($txtrequest))
#如果需要将 证书续订请求文件 发送到 CA,请使用以下语法创建 DER 编码的请求文件
$binrequest = Get-ExchangeCertificate -Thumbprint | New-ExchangeCertificate -GenerateRequest -BinaryEncoded [-KeySize <1024 2048 4096>] [-Server ]
[System.IO.File]::WriteAllBytes('\.pfx', $binrequest.FileData)
#若要找到您想续订的证书的指纹值,请运行以下命令:
Get-ExchangeCertificate | where {$_.Status -eq "Valid" -and $_.IsSelfSigned -eq $false} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint,NotBefore,NotAfter
#此示例为具有指纹值 5DB9879E38E36BCB60B761E29794392B23D1C054的现有证书创建 Base64 编码的证书续订请求:
$txtrequest = Get-ExchangeCertificate -Thumbprint 5DB9879E38E36BCB60B761E29794392B23D1C054 | New-ExchangeCertificate -GenerateRequest
[System.IO.File]::WriteAllBytes('\\FileServer01\Data\ContosoCertRenewal.req', [System.Text.Encoding]::Unicode.GetBytes($txtrequest))
#此示例为同一证书创建 DER (二进制) 编码的证书续订请求:
$binrequest = Get-ExchangeCertificate -Thumbprint | New-ExchangeCertificate -GenerateRequest -BinaryEncoded
[System.IO.File]::WriteAllBytes('\\FileServer01\Data\ContosoCertRenewal.pfx', $binrequest.FileData)
#在用于存储证书请求的服务器上的 Exchange 命令行管理程序 中,运行以下命令:
Get-ExchangeCertificate | where {$_.Status -eq "PendingRequest" -and $_.IsSelfSigned -eq $false} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint
第五步:配置AD CS
服务器重启
注:如果重启之后发现打开https://主机名/ecp/ 出现503错误的话
修改成对应的ssl证书信息
第六步:导入CA证书
浏览器输入网址
https://mail/centsrv/Default.asp或者
http://localhost/certsrv/default.asp
如果访问出错的话配置
http://localhost/certsrv/default.asp
$txtrequest = New-ExchangeCertificate -PrivateKeyExportable $True -GenerateRequest -FriendlyName "Mail.tyun.cn Cert" -SubjectName "CN=mail.tyun.cn"
[System.IO.File]::WriteAllBytes('\\SRV2019-MBX\Data\Mail.tyun.cn Cert.req', [System.Text.Encoding]::Unicode.GetBytes($txtrequest))
#查看exchange2019存储证书信息
Get-ExchangeCertificate | where {$_.Status -eq "PendingRequest" -and $_.IsSelfSigned -eq $false} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint扩大exchange2019证书年限
计算机\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\tyun-SRV2019-MBX-CA 下面的值ValidityPeriodUnits
先停止服务,然后再启动服务
右键复制模版,把有效期改成20年
模版名称修改为Exchange Server 2019
新建 要颁发的证书模版 选择Exchange Server 2019
导入证书到excange2019
Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes('\\SRV2019-MBX\Data\certnew.cer'))ad域服务器下发证书
出现导入成功后,强制刷新下组策略 gpupdate /force