How To Renew Exchange Server 2010 Certificates

Back in April 2009 I wrote something about How to renew a self signed certificate in Exchange Server 2007 and then later Exchange 2010 EMC and Certificates Management Part – 1 and Exchange 2010 EMC and Certificates Management Part – 2

I am sure a lot of you have found these posts helpful. None of them, however, covered certificates issued by public CAs, so I thought it would be even more helpful to put up a separate post about the certificate renewal process in Exchange 2010, which also covers a few of the steps for Exchange 2007 certificate renewals.

If you run through the Exchange 2010 EMC and Certificate Management posts you will know how preparing, requesting and assigning a new certificate to your Exchange 2010 CAS and HT servers works, but those posts do not talk about renewing the certificates once they are assigned and are about to expire.

A little bit of stuff that you may or you may not know:

Whenever you work with certificates on any Exchange server role, you are really dealing with the local computer certificate store of the underlying OS, which is easily reached via Start -> Run -> MMC -> Add/Remove Snap-in -> Certificates -> Computer account -> Local computer. Take a look at the local computer's Personal certificate store and you will not be surprised to see the Exchange certificates in there. The reason I bring this up here is that you may need to go through this store if you run into the problem described in an earlier post, Missing Private Key on Exchange Certificate.

So let's have a look at what it is and how to do it!

GUI:

Just like the two posts linked above that explain managing Exchange certificates through the GUI, you first locate the certificate you need to renew in EMC. Right-click on the certificate and select Renew.


In the wizard that appears, provide a path; the wizard saves a .req file there. Once you have completed the wizard, this .req file is what you supply to any certification authority that supports your request. I say 'any CA that supports your request' because some CAs do not support the SAN (subjectAltName) extension supplied in the request, and an Exchange CAS certificate normally carries more than one name.

Once you submit the contents of the file generated above, your CA will provide a certificate that can be imported here. To import a certificate using the GUI, follow the steps in Exchange 2010 EMC and Certificates Management Part – 2.

Powershell:

We have a lot of PowerShell lovers by now, and they often find PowerShell easier than the GUI. For all of them:

Find the certificate you need to renew using Get-ExchangeCertificate.

Copy the certificate thumbprint and run the following command to generate the CSR:

Get-ExchangeCertificate -Thumbprint <Thumbprint> | Renew-ExchangeCertificate -GenerateRequest:$True -PrivateKeyExportable:$True

The above command displays the CSR that you need to supply to the CA. Copy the CSR and paste it into the CA's interface.

Once you have downloaded the certificate issued by the CA, use the command below to import it. Make sure that you have not removed the pending certificate request generated by the previous step (whether you created it in EMC or PowerShell): the pending request holds the new private key, and if it is gone the imported certificate will have no private key and you will not be able to use it.

Import-ExchangeCertificate  -FileData ([Byte[]]$(Get-Content -Path C:\Users\Milind\Documents\Certificate.cer -Encoding Byte -ReadCount 0))

If you have received your certificate in .pfx format, then use

Import-ExchangeCertificate  -FileData ([Byte[]]$(Get-Content -Path C:\Users\Milind\Documents\Certificate.pfx -Encoding Byte -ReadCount 0)) -Password:(Get-Credential).Password

And the final stage is to enable it for the services:

Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Services IIS,IMAP,POP
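The whole PowerShell procedure above, wrapped up with the checks I would want around it, as an added example that is not code from the original post. It runs in the Exchange Management Shell on the Exchange 2010 CAS/HT server holding the certificate; the C:\Certs\ paths, the 30-day expiry threshold and the function names are assumptions for this example.

```powershell
# Added example, not from the original post. Exchange 2010 Management Shell.
# Assumed: C:\Certs\renewal.req (CSR), C:\Certs\Certificate.cer (CA reply).

function Get-ExpiringExchangeCertificate {
    # Lists certificates bound to a service on every Exchange 2010 server
    # (Edge excluded, it is not domain-joined) that expire within the threshold.
    param([int]$DaysBeforeExpiry = 30)
    $Cutoff = (Get-Date).AddDays($DaysBeforeExpiry)
    $Servers = Get-ExchangeServer | Where-Object {
        $_.AdminDisplayVersion.Major -eq 14 -and $_.ServerRole -notmatch "Edge" }
    foreach ($Srv in $Servers) {
        Get-ExchangeCertificate -Server $Srv.Name |
            Where-Object { $_.NotAfter -lt $Cutoff -and $_.Services -ne "None" } |
            Select-Object @{Name="Server";Expression={$Srv.Name}}, Thumbprint, NotAfter,
                Services, HasPrivateKey, IsSelfSigned,
                @{Name="Domains";Expression={$_.CertificateDomains -join ","}}
    }
}

function Start-ExchangeCertificateRenewal {
    # Steps 1-2: generate the renewal CSR for an existing certificate.
    param(
        [Parameter(Mandatory=$true)][string]$Thumbprint,
        [string]$RequestPath = "C:\Certs\renewal.req"   # assumed path
    )
    $Cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
    Write-Host ("Renewing {0} (expires {1:yyyy-MM-dd}) for: {2}" -f `
        $Cert.Thumbprint, $Cert.NotAfter, ($Cert.CertificateDomains -join ", "))
    # The renewal request copies the subject and SAN list of the existing
    # certificate and leaves a pending request, with a NEW private key, in the
    # local computer store. That pending request must survive until import.
    $Csr = Renew-ExchangeCertificate -Thumbprint $Cert.Thumbprint `
        -GenerateRequest -PrivateKeyExportable $true
    Set-Content -Path $RequestPath -Value $Csr -Encoding Ascii
    Write-Host "CSR written to $RequestPath; submit it to the CA."
    return $RequestPath
}

function Complete-ExchangeCertificateRenewal {
    # Steps 3-4: import the CA-issued certificate, verify it, enable it.
    param(
        [Parameter(Mandatory=$true)][string]$OldThumbprint,
        [string]$CertPath = "C:\Certs\Certificate.cer",   # assumed path
        [string]$Services = "IIS,IMAP,POP"
    )
    $Bytes    = [Byte[]](Get-Content -Path $CertPath -Encoding Byte -ReadCount 0)
    $Imported = Import-ExchangeCertificate -FileData $Bytes
    $New      = Get-ExchangeCertificate -Thumbprint $Imported.Thumbprint

    # Classic failure: the pending request was deleted, so the import
    # "succeeds" but the certificate has no private key and cannot be enabled.
    if (-not $New.HasPrivateKey) {
        throw "Certificate $($New.Thumbprint) has no private key; the pending request was probably removed. Generate a new CSR and re-issue."
    }
    if ($New.Thumbprint -eq $OldThumbprint) {
        throw "The imported certificate is the old one; make sure the CA issued from the new CSR."
    }
    Enable-ExchangeCertificate -Thumbprint $New.Thumbprint -Services $Services
    # Confirm the bindings moved to the new certificate before touching the old one.
    Get-ExchangeCertificate -Thumbprint $New.Thumbprint |
        Format-List Thumbprint, Services, NotAfter, CertificateDomains, HasPrivateKey
    # Leave the old certificate in place until clients are confirmed working,
    # then: Remove-ExchangeCertificate -Thumbprint $OldThumbprint
}

# Usage (two phases, because the CA issues the certificate in between):
#   Get-ExpiringExchangeCertificate | Format-Table -AutoSize
#   Start-ExchangeCertificateRenewal -Thumbprint <old thumbprint>
#   ... submit C:\Certs\renewal.req, save the reply as C:\Certs\Certificate.cer ...
#   Complete-ExchangeCertificateRenewal -OldThumbprint <old thumbprint>
```

If several CAS servers sit behind the same name, renew on one of them and move the result to the others as a .pfx (Export-ExchangeCertificate with -BinaryEncoded and -Password, then the Import-ExchangeCertificate -Password form shown below); the pending request only exists on the server where the CSR was generated.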

The same procedure applies to Hub Transport server role certificate renewal, but not to the Edge Transport server role. To manage certificates on an Edge Transport server you must be logged on to that server and use PowerShell (the Exchange Management Shell), because Edge is not a domain member and cannot be managed remotely from EMC.

After you have renewed the certificate on an Edge Transport server, you need to re-create the Edge Subscription for the site, since the subscription contains the certificate information too. Read more about Edge Transport here.

Listing Exchange ActiveSync Users and Device Details

As an IT administrator you will have come across a requirement from the information security team to review the number of users who read email on their mobile phones. Some companies require this data so that they can allow access only for selected users. Listing the users is not a big deal when you can use Get-CASMailbox -ResultSize Unlimited | ? {$_.HasActiveSyncDevicePartnership -eq $True} (note -eq, not =, which would be an assignment inside the filter), but it is a bit of a challenge for a novice PowerShell user to get their device information too.

The scriptlet below is quite handy when it comes to finding EAS users and their handheld device details.

$ResultArr = @()
# Only mailboxes that have at least one ActiveSync partnership
$CASMailboxes = Get-CASMailbox -ResultSize Unlimited | ? {$_.HasActiveSyncDevicePartnership -eq $true}
foreach ($CASMailbox in $CASMailboxes)
{
    # One row per device; the user name is carried over from the CAS mailbox
    $ResultArr += Get-ActiveSyncDeviceStatistics -Mailbox $CASMailbox.Identity | Select @{Name="User";Expression={($CASMailbox.Name).ToString()}},DeviceType,DeviceModel,FirstSyncTime,LastSuccessSync,IsRemoteWipeSupported
}

$ResultArr | Export-Csv C:\Reports\EASDeviceStats.csv -NoTypeInformation

If you are lazy like me, you may want to send this information directly to someone with a bit of automation:

Send-MailMessage -From "Support@company.com" -To "security@company.com" -Subject "ActiveSync User Stats" -Attachments C:\Reports\EASDeviceStats.csv -Body "This is an autogenerated email. Please do not respond to it." -SmtpServer "ServerName"
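Building on the scriptlet above, here is the version I would hand to a security team, as an added example that is not code from the original post. It adds the fields a review usually asks for: whether ActiveSync is enabled and which policy applies, how many devices each user has, devices that have not synced recently, devices that cannot be remote-wiped, and the device access state (DeviceAccessState is reported by Exchange 2010 SP1 and later). The 30-day staleness threshold, the report path and the SMTP details are assumptions.

```powershell
# Added example, not from the original post. Exchange 2010 SP1 Management Shell.
function Get-EasDeviceReport {
    param(
        [int]$StaleDays = 30,                                 # assumed threshold
        [string]$ReportPath = "C:\Reports\EASDeviceStats.csv" # assumed path
    )
    $StaleBefore  = (Get-Date).AddDays(-$StaleDays)
    $Rows         = @()
    $CasMailboxes = @(Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.HasActiveSyncDevicePartnership -eq $true })

    foreach ($Cas in $CasMailboxes) {
        $Devices = @(Get-ActiveSyncDeviceStatistics -Mailbox $Cas.Identity)
        foreach ($Dev in $Devices) {
            $LastSync = $Dev.LastSuccessSync
            $Rows += New-Object PSObject -Property @{
                User              = $Cas.Name
                ActiveSyncEnabled = $Cas.ActiveSyncEnabled
                Policy            = $Cas.ActiveSyncMailboxPolicy
                DeviceCount       = $Devices.Count
                DeviceType        = $Dev.DeviceType
                DeviceModel       = $Dev.DeviceModel
                DeviceID          = $Dev.DeviceID
                AccessState       = $Dev.DeviceAccessState
                FirstSyncTime     = $Dev.FirstSyncTime
                LastSuccessSync   = $LastSync
                # Never synced, or silent for $StaleDays days: a partnership that
                # should be removed rather than left as a standing credential.
                Stale             = (-not $LastSync) -or ($LastSync -lt $StaleBefore)
                RemoteWipe        = $Dev.IsRemoteWipeSupported
            }
        }
    }
    $Rows | Export-Csv -Path $ReportPath -NoTypeInformation

    # Headline numbers for the covering email
    return @{
        Users        = $CasMailboxes.Count
        Devices      = $Rows.Count
        StaleDevices = @($Rows | Where-Object { $_.Stale }).Count
        NoRemoteWipe = @($Rows | Where-Object { -not $_.RemoteWipe }).Count
        ReportPath   = $ReportPath
    }
}

# Usage: generate the report and mail it with the summary in the body.
$Summary = Get-EasDeviceReport -StaleDays 30
$Body = "ActiveSync users: {0}`nDevices: {1}`nStale (> 30 days): {2}`nNo remote wipe: {3}`n`nAutogenerated, please do not reply." -f `
    $Summary.Users, $Summary.Devices, $Summary.StaleDevices, $Summary.NoRemoteWipe
Send-MailMessage -From "Support@company.com" -To "security@company.com" `
    -Subject "ActiveSync User Stats" -Body $Body -Attachments $Summary.ReportPath `
    -SmtpServer "ServerName"
```

The stale flag is the one worth acting on: a partnership that has not synced for a month is still a valid way into the mailbox if the device turns up again, so the usual follow-up is Remove-ActiveSyncDevice on those IDs after the owner confirms the device is gone.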

I hope you find this useful!


Exchange Server 2010 SP2 Installation – Few Must Knows

It is more than a week since Microsoft made the Exchange Server 2010 SP2 installation bits available for public download, and in that week a lot of articles have appeared explaining the installation procedure. In this post I am highlighting a few things you should know before installing Exchange Server 2010 SP2 in production.

First things first: test it in a lab environment before installing it in production.

You must know – SP2 includes schema changes

To support certain new features, Exchange 2010 SP2 needs to write to the schema partition. A bunch of new attributes and classes are added and a lot of existing ones are modified. To understand exactly what changes when you run Exchange 2010 SP2 setup, read the Exchange Server Active Directory Schema Changes Reference, November 2011.

Since the installer needs to modify the schema, the user account used to install SP2 must be a member of the Schema Admins group in Active Directory. As a best practice, remove this account from the group once the schema extension is complete.

You must know – New Windows Server Features are required for CAS Role

In Exchange Server 2010 the CAS is the primary entry point for clients into any Exchange Server 2010 environment. With this release, a few more features are added to the CAS role that make on-premises and Office 365 integration a better experience, and silent redirection between cross-site CAS roles is improved. A new feature called Mini Outlook Web App (OWA Mini) now exists, which works without cookies or scripts.

Address Book Policies, aka GAL segmentation, is another new and long-awaited feature that is now available with SP2. Essentially, an ABP is logic applied by the CAS role to clients that restricts which Address Lists and Offline Address Books they can see. I am not very sure yet whether all of these new features require additional Windows Server features to be installed, but logically, all of them together explain why new features are required on CAS servers.

Below are the Windows Server role features that you need to install before installing SP2 on the CAS role.

  • IIS 6 WMI Compatibility
  • ASP.NET
  • ISAPI Filters
  • Client Certificate Mapping Authentication
  • Directory Browsing
  • HTTP Errors
  • HTTP Logging
  • HTTP Redirection
  • Tracing
  • Request Monitor
  • Static Content


Or, the easier way to get this tedious part done is to let setup.com do it with a switch :-) simply run

Setup /Mode:Upgrade /InstallWindowsComponents
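For the cases where you would rather check and fix the prerequisites yourself before launching setup (or confirm what Setup /InstallWindowsComponents is going to add), here is an added example, not from the original post. It maps the feature list above to the Server Manager names used on Windows Server 2008 R2 and installs only the ones that are missing; run it from an elevated PowerShell on the CAS server. The function names are my own.

```powershell
# Added example, not from the original post. Windows Server 2008 R2 CAS server.
Import-Module ServerManager

# Server Manager name -> display name from the list above
$CasFeatures = @{
    "Web-WMI"             = "IIS 6 WMI Compatibility"
    "Web-Asp-Net"         = "ASP.NET"
    "Web-ISAPI-Filter"    = "ISAPI Filters"
    "Web-Client-Auth"     = "Client Certificate Mapping Authentication"
    "Web-Dir-Browsing"    = "Directory Browsing"
    "Web-Http-Errors"     = "HTTP Errors"
    "Web-Http-Logging"    = "HTTP Logging"
    "Web-Http-Redirect"   = "HTTP Redirection"
    "Web-Http-Tracing"    = "Tracing"
    "Web-Request-Monitor" = "Request Monitor"
    "Web-Static-Content"  = "Static Content"
}

function Get-MissingCasFeature {
    # Returns the Server Manager names of required features that are not installed.
    $Installed = @{}
    Get-WindowsFeature | ForEach-Object { $Installed[$_.Name] = $_.Installed }
    $CasFeatures.Keys | Where-Object { -not $Installed[$_] } | Sort-Object
}

function Install-MissingCasFeature {
    # Installs whatever Get-MissingCasFeature reports and flags a needed restart.
    $Missing = @(Get-MissingCasFeature)
    if ($Missing.Count -eq 0) {
        Write-Host "All CAS prerequisites for SP2 are present."
        return
    }
    $Names = $Missing | ForEach-Object { "$_ ($($CasFeatures[$_]))" }
    Write-Host ("Installing: " + ($Names -join ", "))
    $Result = Add-WindowsFeature -Name $Missing
    if (-not $Result.Success) {
        throw "Feature installation failed; check Server Manager for details."
    }
    # RestartNeeded is No / Yes / Maybe; anything but No means reboot before setup.
    if ($Result.RestartNeeded -ne "No") {
        Write-Host "Restart required before running SP2 setup."
    }
}

# Usage:
#   Get-MissingCasFeature        # dry run, just list what is missing
#   Install-MissingCasFeature    # install and report
```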


You must know – Installing Updates on DAG is not a normal exercise

Many of us run a DAG because of its proven reliability and its ability to provide a highly available mailbox database system. Installing updates on a member of a DAG is not a regular installation, though. In June last year I posted Installing Exchange 2010 SP1 (beta) on DAG members. The procedure does not really change, apart from the hotfixes included in that post: if you are running SP1 you do not need those hotfixes anymore.

Did not like that procedure? No worries, Mike has another, simpler one posted here: Performing Maintenance on DAG Members in Exchange 2010 SP1
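Whichever procedure you follow, the part that bites people is skipping the health checks before taking the member out. Here is an added example, not Mike's procedure and not Microsoft's StartDagServerMaintenance.ps1, showing those checks and the native cmdlets that put an Exchange 2010 SP1 DAG member into and out of maintenance around the SP2 upgrade. The queue-length threshold and the function names are assumptions.

```powershell
# Added example, not from the original post. Exchange 2010 SP1 Management Shell.
function Test-DagMemberReadyForMaintenance {
    # Returns a list of problems; an empty list means the member can be taken out.
    param([Parameter(Mandatory=$true)][string]$Server, [int]$MaxQueue = 10)  # assumed threshold
    $Problems = @()
    foreach ($Copy in @(Get-MailboxDatabaseCopyStatus -Server $Server)) {
        $Healthy = ($Copy.Status -eq "Mounted" -or $Copy.Status -eq "Healthy") -and
                   $Copy.CopyQueueLength -le $MaxQueue -and
                   $Copy.ReplayQueueLength -le $MaxQueue -and
                   $Copy.ContentIndexState -eq "Healthy"
        if (-not $Healthy) {
            $Problems += "{0}: Status={1} CopyQueue={2} ReplayQueue={3} Index={4}" -f $Copy.Name, $Copy.Status, $Copy.CopyQueueLength, $Copy.ReplayQueueLength, $Copy.ContentIndexState
        }
        # Every database active here needs a healthy passive copy elsewhere,
        # otherwise Move-ActiveMailboxDatabase has nowhere to put it.
        if ($Copy.Status -eq "Mounted") {
            $Others = @(Get-MailboxDatabaseCopyStatus -Identity "$($Copy.DatabaseName)\*" |
                Where-Object { $_.MailboxServer -ne $Server -and $_.Status -eq "Healthy" })
            if ($Others.Count -eq 0) {
                $Problems += "$($Copy.DatabaseName): no healthy passive copy on another server"
            }
        }
    }
    return $Problems
}

function Enter-DagMemberMaintenance {
    param([Parameter(Mandatory=$true)][string]$Server)
    $Problems = Test-DagMemberReadyForMaintenance -Server $Server
    if ($Problems) { throw ("Not ready for maintenance:`n" + ($Problems -join "`n")) }
    # 1. Stop the member being picked as an activation target.
    Set-MailboxServer -Identity $Server -DatabaseCopyAutoActivationPolicy Blocked
    # 2. Move every active database off it (targets chosen by the best-copy logic).
    Move-ActiveMailboxDatabase -Server $Server -Confirm:$false
    # 3. Keep its copies replicating, but block activation while setup runs.
    Get-MailboxDatabaseCopyStatus -Server $Server | ForEach-Object {
        Suspend-MailboxDatabaseCopy -Identity $_.Name -ActivationOnly -Confirm:$false
    }
    Write-Host "$Server is out of service. Run Setup /Mode:Upgrade, reboot, then Exit-DagMemberMaintenance."
}

function Exit-DagMemberMaintenance {
    param([Parameter(Mandatory=$true)][string]$Server)
    Get-MailboxDatabaseCopyStatus -Server $Server | ForEach-Object {
        Resume-MailboxDatabaseCopy -Identity $_.Name -Confirm:$false
    }
    Set-MailboxServer -Identity $Server -DatabaseCopyAutoActivationPolicy Unrestricted
    # Same checks again: copies must be caught up before you move databases
    # back (for example with RedistributeActiveDatabases.ps1 from $exscripts).
    Test-DagMemberReadyForMaintenance -Server $Server
}

# Usage:
#   Enter-DagMemberMaintenance -Server MBX01
#   ... install SP2 on MBX01, reboot ...
#   Exit-DagMemberMaintenance -Server MBX01   # prints nothing when all copies are healthy
```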


That leaves the HT and UM roles. There is nothing specific you need to take care of there; you can install SP2 the normal way.

To summarize,

  • Exchange 2010 SP2 setup modifies the schema. You must be a member of Schema Admins, in addition to the other necessary RBAC permissions.
  • Exchange 2010 SP2 setup requires a few additional Windows Server role features on the CAS role before the installation can complete.
  • DAG members require a special procedure to install any update.

Exchange Server 2010 Checklist

A few months ago someone in our discussion group had a requirement for an automated way to check the health state of Exchange servers and send a report to the support team. During the discussion we received a lot of ideas and many sample scripts. The largest piece of code was written for Exchange 2007. I personally used that script at many customers to automate the daily / hourly checklist part of their operations team, but since a lot of them have already upgraded to Exchange 2010 the old script has become almost useless due to the architectural changes in Exchange Server 2010 components. That said, quite a considerable number of modifications were needed in the original code.

I recently posted the latest version of the script that was customized by me to meet some of exclusive requirements. You can download the script from Microsoft Technet Gallery – Exchange Server 2010 Checklist

Still, I really want to thank the person who wrote this whole thing. That was really cool.

Features:

  • Provides a detailed report of your Exchange Server 2010 Critical components in an HTML email.
  • Provides color coded statuses so that faulty components can be identified easily.
  • Emails can be sent to multiple people.
  • Script can be scheduled to run using scheduled task.

PARAMETERS:
        -ServerName (required)
                Must be an Exchange 2010 server. This script should be run locally on the mentioned server.

        -Path (required)
                This is the folder identity where the generated report will be saved.

        -CompanyName (required)
                Name of your company E.g. “Contoso Inc.”

        -SMTPServer (required)
                Hub Transport Server name or IP address. Any SMTP relay that can accept the email will also work.

        -From (required)
                Sender’s email address.

        -To (required)
                List of recipient(s). You can pass comma separated values here. For more than one recipient use {user1@domain.com, user2@domain.com}

        -JournalMailbox (optional)
                The mailbox identity to get mailbox statistics for. For many mailboxes use user1@domain.com,user2@domain.com

Please do provide your feedback if you liked / disliked it, or if you would like to see new features added. Download and enjoy ;-)

Exchange Server 2010 Service Pack 2 is available for Download

Microsoft has released SP2 for Microsoft Exchange Server 2010 today. The service pack is available for download at http://www.microsoft.com/download/en/details.aspx?id=28190

With the release of SP2, the long-awaited Address List Segregation feature is now available without running Exchange in Hosting Mode. A lot of other fixes are included in this release.

Download your copy and Enjoy! ;-)