Exchange Server 2019 实战操作指南

基本信息

• 镜像下载地址：https://next.itellyou.cn/Original/#
• 文档：https://learn.microsoft.com/zh-cn/Exchange/plan-and-deploy/system-requirements?view=exchserver-2019
  
  

必要软件

• Exchange 2019 最低要求是 16GB 内存

显示计算机、网络图标，在运行窗口输入
rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,0

桌面壁纸显示ip地址信息
https://learn.microsoft.com/zh-cn/sysinternals/downloads/bginfo


Boot Time:        <Boot Time>
OS Version:        <OS Version>
Host Name:        <Host Name>
Logon Domain:        <Logon Domain>
Machine Domain:        <Machine Domain>
CPU:        <CPU>
Memory:        <Memory>
IP Address:        <IP Address>
DHCP Server:        <DHCP Server>
MAC Address:        <MAC Address>
Subnet Mask:        <Subnet Mask>
DNS Server:        <DNS Server>
Default Gateway:        <Default Gateway>
Volumes:        <Volumes>

A .NET框架4.8

https://download.visualstudio.microsoft.com/download/pr/014120d7-d689-4305-befd-3cb711108212/0fd66638cde16859462a6243a4629a50/ndp48-x86-x64-allos-enu.exe

B.Visual C++ Redistributable Package for Visual Studio 2012

https://www.microsoft.com/download/details.aspx?id=30679

C.在 Windows PowerShell 中运行以下命令，安装远程工具管理包：

Install-WindowsFeature RSAT-ADDS

D.Exchange Server 2019 CU12 (2022H1)补丁包

https://techcommunity.microsoft.com/t5/exchange-team-blog/released-2022-h1-cumulative-updates-for-exchange-server/ba-p/3285026

下载地址https://www.microsoft.com/en-us/download/details.aspx?id=30679


E.IIS URL 重写模块

IIS 的 URL 重写模块需要在累积更新 11 或更高版本中使用。

下载地址https://www.iis.net/downloads/microsoft/url-rewrite

F.添加所需的 Lync Server 或 Skype for Business Server 组件：

Install-WindowsFeature Server-Media-Foundation

G.安装 Unified Communications Managed API 4.0。此程序包可供下载并位于 Exchange Server 媒体的\UCMARedist 文件夹中。

https://www.microsoft.com/download/details.aspx?id=34992

H.使用 Exchange 安装程序安装所需的 Windows 组件，请在 Windows PowerShell 中运行以下命令之一

#把window2019的安装ios加到到本电脑上的z磁盘
Install-WindowsFeature NET-Framework-45-Features, Server-Media-Foundation, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS -Source Z:\sources\sxs


#扩展AD架构
\Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareSchema


\Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareAD /OrganizationName:"tyun"

#在AD用戶与計算机上，你会发现 Microsoft Exchange Security Groups


\Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareAllDomains

I.批量发送邮件给自己

send-mailmessage -to administrator@tyun.cn -subject "TEST49" -Body "請注意！SRVEX 磁碟空間目前已剩下不到 78% 的可用空間 " -smtpserver srvex.ianext.com -from administrator@tyun.cn  -Encoding  Unicode

J.单exchange服务停止批量启动

#查看exchange服务
Get-Service -Name "MSExch*"

#显示完成的exchange名称
Get-Service -Name "MSExch*" | ft -auto


# 直接重啟 Exchange 已经停止的服务
Get-Service -Name "MSExchange*" | Where-Object {$_.Status -eq "Stopped"} | Restart-Service

K.exchange用户信息

#用户登录Exchange信息
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox | Get-MailboxStatistics | Sort-Object Lastlogontime -Descending | Select-Object DisplayName,MailboxTypeDetail,LastLogonTime,ServerName


#查看目前有架构下所有的 Exchange Server 完整主机名称等等信息
Get-ExchangeServer | Select FQDN, ServerRole,AdminDisplayVersion,IsEdgeServer



#查看本机所有 Exchange 服务的执行状态
Get-Service -Name *Exchange* | Select Status, DisplayName | Sort Status | FT -Auto

#测试主机连接smtp服务是否正常
Test-NetConnection srvex.tyun.cn -Port 25 -InformationLevel "Detailed"


#测试连接的所有网络、来源地址、目的地址以及路由信息
Test-NetConnection -ComputerName srvex.tyun.cn -DiagnoseRouting -InformationLevel Detailed

#Exchange DNS 查看
Get-TransportService | FL *dns*


#把ad用户导入到exchange
Get-User -RecipientTypeDetails User -Filter { UserPrincipalName -ne $Null } | Enable-Mailbox

L.批量导出AD用户

参考https://www.cnblogs.com/wulongy/p/14924907.html

表格样例

AD域管理工具

https://osdn.net/projects/sfnet_adbulkadmin/downloads/ADBulkAdmin/1.1.0.33/ADBulkAdmin-v1.1.0.33.zip/

https://zh.osdn.net/projects/sfnet_adbulkadmin/releases/

导出it组织单元下的所有用户
Get-ADUser -Filter * -Properties * -SearchBase "DC=it,DC=tyun,DC=cn" |Select-Object name,SamAccountName,Givenname,surname,Displayname,title,mobile,CanonicalName,Created,Department,DistinguishedName,EmailAddress,homeMDB,mail,mailNickname,MemberOf,msExchCoManagedObjectsBL,msExchHomeServerName,PasswordLastSet,PrimaryGroup,proxyAddresses,UserPrincipalName,whenCreated,whenChanged,MobilePhone,telephoneNumber,employeeNumber,postalCode,company |Export-Csv C:\AllADUser20221001.csv -Encoding UTF8 –NoTypeInformation



ldifde -f "c:\alldbauser.ldf" -d "DC=it,DC=tyun,DC=cn" -r objectClass=user -l "name,SamAccountName,Givenname,surname,Displayname,title,mobile,CanonicalName,Created,Department,DistinguishedName,EmailAddress,homeMDB,mail,mailNickname,MemberOf,msExchCoManagedObjectsBL,msExchHomeServerName,PasswordLastSet,PrimaryGroup,proxyAddresses,UserPrincipalName,whenCreated,whenChanged,MobilePhone,telephoneNumber,employeeNumber,postalCode,company"

M.获取AD密码策略域过期时间

#获取AD域服务器密码策略信息
Get-ADDefaultDomainPasswordPolicy

ComplexityEnabled：密码必须符合复杂性要求
MaxPasswordAge：密码最长使用期限
MinPasswordAge：密码最短使用期限
MinPasswordLength：最小密码长度
PasswordHistoryCount：强制密码历史

密码最长使用期限是 24 天；

Set-ADDefaultDomainPasswordPolicy -Identity tyun.cn -ComplexityEnabled $True -MaxPasswordAge 180.00:00:00


#获取已经过期的用户
Get-Aduser -Filter *  -Properties * | where {$_.PasswordExpired -eq $true} | FT Name


#获取所有标识密码过期时间的用户
Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties * | Select-Object -Property "Name", @{n="ExpiryDate";e={$_.PasswordLastSet.AddDays((Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days)}} | Sort-Object ExpiryDate 



#获取指定标识密码过期时间的用户
Get-ADUser -Filter {name -like "king"} -Properties * | Select-Object -Property "Name", @{n="ExpiryDate";e={$_.PasswordLastSet.AddDays((Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days)}} | Sort-Object ExpiryDate

#获取所有用户密码属性信息
Get-ADUser -Filter * -Properties * | Sort-Object Name | ft Name,PasswordLastSet,PasswordExpired,PasswordNeverExpires


#删除单个用户
Remove-ADUser -Identity king -Confirm:$false

#SAM 账户名删除属于子项/子集/子树的用户对象
Get-ADUser -Identity king | foreach{Remove-ADObject -Identity $_.ObjectGUID -Recursive -Confirm:$False}

#搜索并删除指定组织单位（OU）容器内的用户对象
Get-ADUser -Filter * -SearchBase "OU=cnList,OU=testGroup,DC=tyun,DC=cn" | foreach{Remove-ADObject -Identity $_.ObjectGUID -Recursive -Confirm:$False}

#删除子项（子树）需要使用如下删除域对象
Remove-ADObject -Identity king -Recursive


导入 CSV 数据列表删除用户对象
import-csv .\del.csv | foreach{Get-ADUser -Identity $_.name} | foreach{Remove-ADObject -Identity $_.ObjectGUID -Recursive -Confirm:$False}

Get-ADUser king


可以参考https://hexingxing.cn/tag/active-directory/page/2/


https://github.com/phillips321/adaudit/blob/master/AdAudit.ps1

N.存储规划

Exchange2019的步骤

架构图展示

第一步:安装AD主域控

01 AD域控PDC时间

#查询域控PDC服务器
netdom query fsmo


#配置PDC使用ntp服务器同步时间
w32tm /config /manualpeerlist:"server0.cn.pool.ntp.org,0x8 server1.cn.pool.ntp.org,0x8 time.windows.com,0x8" /syncfromflags:manual /reliable:yes /update


#查看当前Windows Time运行情况
w32tm /query /status


#查看当前ntp时间服务器设置
w32tm /query /peers


#查看PDC服务器ntp同步状态，和ntp服务器时间差
w32tm /stripchart /computer:time.windows.com /samples:100 /dataonly




#AD 域客户端同步域服务器时间
net time  \\192.168.232.10  /set  /y




reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\  /v  SpecialPollInterval  /t REG_DWORD /d 1200 /f
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters /v  NtpServer   /d ntp1.aliyun.com /f
 
net stop w32time
net start w32time

02 服务器重置下SID信息

自建打开C:\Windows\System32\Sysprep目录运行sysprep.exe,重置SID后重启服务器

如果是aliyun服务器请下载

https://docs-aliyun.cn-hangzhou.oss.aliyun-inc.com/assets/attach/40846/cn_zh/1542010494209/AutoSysprep.ps1?spm=a2c4g.11186623.0.0.293f5f53EeEej3&file=AutoSysprep.ps1

.\AutoSysprep.ps1 -help


重新初始化服务器的SID并重启服务器
.\AutoSysprep.ps1 -ReserveHostname -ReserveNetwork -SkipRearm -PostAction "reboot"

03 开始安装主域控

密码策略配置

使用Powershell命令添加AD细粒度密码策略

New-ADFineGrainedPasswordPolicy -Name "PasswordSetting3" -Precedence 1 -ComplexityEnabled $true -Description "The Domain Users Password Policy" -DisplayName "PasswordSetting3" -LockoutDuration "0.00:30:00" -LockoutObservationWindow "0.00:30:00" -LockoutThreshold "5" -MaxPasswordAge "24.00:00:00" -MinPasswordAge "1.00:00:10" -MinPasswordLength "7" -PasswordHistoryCount "24"




优先级：1（最高）
强制最短密码长度：7（个字符）
强制密码历史记录：24（个历史密码）
密码复杂性要求：启用
强制密码最短期限：1（天）
强制密码最长期限：24（天）
强制账号锁定策略：30（分钟）内5次（登录失败）锁定30（分钟）

第二步:安装AD辅域控

重启服务器后

测试主辅域连接是否正常

netdom query fsmo

诊断AD信息是否正常

repadmin /showrepl

第三步:安装exchange2019

以次安装服务ndp48-x86-x64-allos-enu.exe、vcredist_x64.exe(2012和2013)、urlrewrite2.exe、UcmaRuntimeSetup_API4.0.exe

#安装远程工具管理包
Install-WindowsFeature RSAT-ADDS


#安装 Server Media Foundation 窗口功能
Install-WindowsFeature Server-Media-Foundation


# Exchange 安装程序安装所需的 Windows 组件
Install-WindowsFeature NET-Framework-45-Features, Server-Media-Foundation, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS -Source G:\sources\sxs


#重启下服务器后安装下面的命令操作


先加载window server 2019镜像，打开powershell窗口进入g:
\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareSchema




\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareAD /OrganizationName:"tyun"




\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareAllDomains

根据提示重启服务器,然后再执行一次安装

\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareSchema

Exchange2019服务器再次重启

开始安装Exchange2019CU12

或者是通过命令来执行

#将许可证Exchange SRV2019-MBX 的服务器
Set-ExchangeServer SRV2019-MBX -ProductKey YCQY7-BNTF6-R337H-69FGX-P39TY


#重新启动 Microsoft Exchange信息存储服务
Restart-Service MSExchangeIS


#验证证书属性
Get-ExchangeServer SRV2019-MBX | Format-List Name,Edition,*Trial*


Get-ExchangeServer | Format-Table -Auto Name,Edition,*Trial*

各版本的秘钥信息
Enterprise: YCQY7-BNTF6-R337H-69FGX-P39TY


Standard: G3FMN-FGW6B-MQ9VW-YVFV8-292KP

修复0Day漏洞

.*autodiscover\.json.*\@.*Powershell.*

条件输入{REQUEST_URI}

.\iisreset.exe -restart

第四步:配置证书

add-pssnapin microsoft.exchange*


查询EXCHANGE服务器数据库和日志文件路径
Get-MailboxDatabase -Server SRV2019-MBX| Select Name,EdbFilePath,LogFolderPath | fl


#查看Exchange Server版本号
Get-ExchangeServer | Format-List Name,Edition,AdminDisplayVersion

安装完成exchange服务后重启下服务器，发现exchange服务是停止状态，通过命令重新启动

打开地址https://mail.tyun.cn/ecp

Install-WindowsFeature Web-Client-Auth

输入window+q键 inetmgr 进入Internet Information Services (IIS) 管理器

点击owa虚拟目录,双击SSL设置

选择 Microsoft-Server-ActiveSync 虚拟目录,选择SSL 设置

Cmd 打开regedit注册表修改HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443 1

%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/owa/" -section:system.webserver/security/access /sslFlags:"Ssl, SslRequireCert" /commit:apphost


%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/ecp/" -section:system.webserver/security/access /sslFlags:"Ssl, SslRequireCert" /commit:apphost


%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/Microsoft-Server-ActiveSync/" -section:system.webserver/security/access /sslFlags:"Ssl, SslRequireCert" /commit:apphost

颁发自签证书
New-ExchangeCertificate -FriendlyName "Contoso Exchange Certificate" -SubjectName CN=srv2019-mbx -DomainName mail.tyun.cn,autodiscover.tyun.cn,srv2019-mbx.tyun.cn -Services SMTP,IIS -PrivateKeyExportable $true


New-ExchangeCertificate -FriendlyName "Contoso Exchange Certificate2019" -SubjectName CN=mail -DomainName mail.tyun.cn,autodiscover.tyun.cn,srv2019-mbx.tyun.cn -Services SMTP,IIS -PrivateKeyExportable $true


查询证书信息
Get-ExchangeCertificate | where {$_.Status -eq "Valid" -and $_.IsSelfSigned -eq $true} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint,NotBefore,NotAfter


续自签证书
Get-ExchangeCertificate -Thumbprint BC37CBE2E59566BFF7D01FEAC9B6517841475F2D | New-ExchangeCertificate -Force -PrivateKeyExportable $true






颁发机构续订


#如果需要将证书续订请求文件 的内容 发送到 CA，请使用以下语法创建 Base64 编码的请求文件
$txtrequest = Get-ExchangeCertificate -Thumbprint <Thumbprint> | New-ExchangeCertificate -GenerateRequest [-KeySize <1024 | 2048 | 4096>] [-Server <ServerIdentity>]
[System.IO.File]::WriteAllBytes('<FilePathOrUNCPath>\<FileName>.req', [System.Text.Encoding]::Unicode.GetBytes($txtrequest))


#如果需要将 证书续订请求文件 发送到 CA，请使用以下语法创建 DER 编码的请求文件
$binrequest = Get-ExchangeCertificate -Thumbprint <Thumbprint> | New-ExchangeCertificate -GenerateRequest -BinaryEncoded [-KeySize <1024 | 2048 | 4096>] [-Server <ServerIdentity>]
[System.IO.File]::WriteAllBytes('<FilePathOrUNCPath>\<FileName>.pfx', $binrequest.FileData)


#若要找到您想续订的证书的指纹值，请运行以下命令：
Get-ExchangeCertificate | where {$_.Status -eq "Valid" -and $_.IsSelfSigned -eq $false} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint,NotBefore,NotAfter


#此示例为具有指纹值 5DB9879E38E36BCB60B761E29794392B23D1C054的现有证书创建 Base64 编码的证书续订请求：
$txtrequest = Get-ExchangeCertificate -Thumbprint 5DB9879E38E36BCB60B761E29794392B23D1C054 | New-ExchangeCertificate -GenerateRequest
[System.IO.File]::WriteAllBytes('\\FileServer01\Data\ContosoCertRenewal.req', [System.Text.Encoding]::Unicode.GetBytes($txtrequest))


#此示例为同一证书创建 DER (二进制) 编码的证书续订请求：
$binrequest = Get-ExchangeCertificate -Thumbprint <Thumbprint> | New-ExchangeCertificate -GenerateRequest -BinaryEncoded
[System.IO.File]::WriteAllBytes('\\FileServer01\Data\ContosoCertRenewal.pfx', $binrequest.FileData)


#在用于存储证书请求的服务器上的 Exchange 命令行管理程序 中，运行以下命令：
Get-ExchangeCertificate | where {$_.Status -eq "PendingRequest" -and $_.IsSelfSigned -eq $false} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint

第五步:配置AD CS

服务器重启

注:如果重启之后发现打开https://主机名/ecp/ 出现503错误的话

修改成对应的ssl证书信息

第六步:导入CA证书

浏览器输入网址https://mail/centsrv/Default.asp或者http://localhost/certsrv/default.asp

如果访问出错的话配置

http://localhost/certsrv/default.asp

$txtrequest = New-ExchangeCertificate -PrivateKeyExportable $True -GenerateRequest -FriendlyName "Mail.tyun.cn Cert" -SubjectName "CN=mail.tyun.cn"
[System.IO.File]::WriteAllBytes('\\SRV2019-MBX\Data\Mail.tyun.cn Cert.req', [System.Text.Encoding]::Unicode.GetBytes($txtrequest))




#查看exchange2019存储证书信息
Get-ExchangeCertificate | where {$_.Status -eq "PendingRequest" -and $_.IsSelfSigned -eq $false} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint

扩大exchange2019证书年限

计算机\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\tyun-SRV2019-MBX-CA 下面的值ValidityPeriodUnits

先停止服务，然后再启动服务

右键复制模版，把有效期改成20年

模版名称修改为Exchange Server 2019

新建 要颁发的证书模版 选择Exchange Server 2019

导入证书到excange2019

Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes('\\SRV2019-MBX\Data\certnew.cer'))

ad域服务器下发证书

出现导入成功后，强制刷新下组策略 gpupdate /force