How to recover a failed Exchange Server 2016 in a DAG.

  


Hello all, recently I came across a situation where the operating system of one of the Exchange 2016 DAG member servers got corrupted because of the RAID system. We recovered the Exchange Server 2016 in the DAG by following the steps below.

1.1 DAG member update

Remove database copies from failed DAG member
Get-MailboxDatabaseCopyStatus -Server "ServerName" | Remove-MailboxDatabaseCopy -Confirm:$false

1.2 Remove failed DAG member from DAG

From ECP: DAG update -> remove "ServerName"; refer to Recover Exchange DAG member server - ALI TAJRAN.

1.3 Disable the CRL Check

During Exchange 2016 setup, Exchange tries to connect to the certificate revocation list (CRL) website. If Exchange cannot connect to the CRL website, the installation may take a long time to complete or there may be error messages during installation.

This issue occurs because Exchange tries to examine the CRL to verify the code signing certificate each time that Exchange compiles an assembly into managed code. When Exchange is not connected to the Internet, each CRL request must time out before the installation can continue.

To work around this issue and to reduce installation time, we can turn off the Check for publisher’s certificate revocation option on the server. To do this, follow these steps.

Note: The Check for publisher's certificate revocation option is set on a per-account basis. 

1.      Start Internet Explorer.

2.      On the Tools menu, click Internet Options.

3.      Click the Advanced tab, and then locate the Security section.

4.      Click to clear the Check for publisher’s certificate revocation check box, and then click OK.

1.4 Exchange 2016 Installation

Reference: https://learn.microsoft.com/en-us/exchange/high-availability/disaster-recovery/recover-exchange-servers?view=exchserver-2019
The /Mode:RecoverServer switch assigns a self-signed certificate to all Exchange Services that require SSL/TLS. If the server previously used an SSL/TLS certificate that was issued by a different certification authority, you'll need to re-import the certificate and configure the services to use the certificate. Otherwise, users will get a certificate prompt when they try to connect (for example, in Outlook).

1. On the target server, open File Explorer, right-click the Exchange ISO image file that you downloaded, and then select Mount. Note the virtual DVD drive letter that is assigned. The ISO used here: D:\CU22\ExchangeServer2016-x64-CU22.iso

2.     Open a Windows Command Prompt window. For example:

- Press the Windows key + R to open the Run dialog, type cmd.exe, and then press OK.

- Press Start. In the Search box, type Command Prompt, then in the list of results, select Command Prompt.

3.     In the Command Prompt window, use the following syntax:

G:\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /Mode:RecoverServer /TargetDir:"E:\ExchSvr"

1.5 Import certificates

1. Import-ExchangeCertificate -Server "SERVERNAME" -FileName "D:\Cert\2023\Exch2022.pfx" -Password (ConvertTo-SecureString -String '123456' -AsPlainText -Force)

2.      Get-ExchangeCertificate | Format-List Thumbprint,Issuer,Subject,CertificateDomains,Services

3. Copy the new thumbprint and use the following command to enable services:

Enable-ExchangeCertificate -Server "SERVERNAME" -Thumbprint "XXXXXXXXXXXXXXXXX" -Services POP,IMAP,SMTP,IIS -Force

4.      Restart IIS from CMD: NET STOP WAS /Y && NET START W3SVC

5. Update the SMTP 587 (Client Frontend) receive connector:

$TLSCert = Get-ExchangeCertificate -Thumbprint XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

$TLSCertName = "<I>$($TLSCert.Issuer)<S>$($TLSCert.Subject)"

Set-ReceiveConnector -Identity "SERVERNAME\Client Frontend SERVERNAME" -TlsCertificateName $TLSCertName
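As an added example (not part of the original post), the certificate steps above as one check-then-bind script: it refuses the self-signed certificate, checks expiry and SAN coverage, and only then binds the certificate and updates the connector. The server name, thumbprint and required host names are placeholders.

```powershell
# Added example (not from the post): check the imported certificate before binding
# it to services and to the Client Frontend receive connector. Placeholders below.
param(
    [string]$Server          = "SERVERNAME",
    [string]$Thumbprint      = "XXXXXXXXXXXXXXXXX",
    [string[]]$RequiredNames = @("mail.example.com", "autodiscover.example.com")
)

$cert = Get-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint -ErrorAction Stop

# /Mode:RecoverServer assigned a self-signed certificate; never bind that one to IIS/SMTP
if ($cert.IsSelfSigned) {
    throw "Certificate $Thumbprint is self-signed; import the CA-issued PFX first."
}

# Must stay valid for at least 30 more days so the recovered server is not about to expire
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    throw "Certificate expires on $($cert.NotAfter); renew before binding."
}

# Every client-facing host name must match a SAN entry (wildcard entries handled by -like)
$domains = @($cert.CertificateDomains | ForEach-Object { "$_" })
$missing = @($RequiredNames | Where-Object { $n = $_; -not ($domains | Where-Object { $n -like $_ }) })
if ($missing.Count -gt 0) {
    throw "Certificate does not cover: $($missing -join ', ')"
}

# A status other than Valid usually means the revocation check failed (see the Revocation Failed note in this post)
if ("$($cert.Status)" -ne 'Valid') {
    Write-Warning "Certificate status is $($cert.Status); check the WinHTTP proxy (netsh winhttp show proxy)."
}

# Bind the certificate; -Force skips the prompt about replacing the default SMTP certificate
Enable-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint -Services POP,IMAP,SMTP,IIS -Force

# The receive connector wants the "<I>Issuer<S>Subject" form, not the thumbprint
$tlsName   = "<I>$($cert.Issuer)<S>$($cert.Subject)"
$connector = "$Server\Client Frontend $Server"
Set-ReceiveConnector -Identity $connector -TlsCertificateName $tlsName

# Show the result so the binding can be verified in one look
Get-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint |
    Format-List Thumbprint, Status, Services, CertificateDomains
Get-ReceiveConnector -Identity $connector | Format-List Identity, TlsCertificateName
```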



Problem Faced after certificate installation

 

Certificate Status may show “Revocation Failed”

 

Set the WinHTTP proxy from an elevated cmd to fix the certificate revocation check failure; refer to Certificate is invalid and revocation check failure in Exchange Server - Azure365Pro.com.

netsh winhttp show proxy

netsh winhttp set proxy 10.158.100.1:8080

Followed the link below to mitigate the certificate issue:

https://www.azure365pro.com/certificate-is-invalid-and-revocation-check-failure-in-exchange-server/

 

1.6 Change the mail queue location: edit the EdgeTransport.exe.config file under E:\ExchSvr\Bin

<add key="QueueDatabasePath" value="E:\ExchSvr\TransportRoles\data\Queue" />

<add key="QueueDatabaseLoggingPath" value="E:\ExchSvr\TransportRoles\data\Queue" />

F:\QueueDB

1.7 Test EWS OAuth (problem faced)

Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/ews/exchange.asmx -Mailbox Mbxname@cloudmonkeys.xyz -Verbose | fl

 

We got the error:

 

Connectivity failed due to TLS

 

Fix: change the registry settings for TLS.
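The post does not say which registry values were changed. As an added example (not from the post), the following script applies the TLS 1.2 settings from Microsoft's Exchange Server TLS guidance for Schannel and .NET Framework 4.x, reporting the current values before changing anything; it assumes that this is the change that was made.

```powershell
# Added example (not from the post): enable TLS 1.2 in Schannel and make .NET 4.x
# use the OS default protocols, per Microsoft's Exchange Server TLS guidance.
# Run elevated; a reboot is required for the Schannel values to take effect.
param([switch]$Apply)   # without -Apply the script only reports what would change

$net   = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
$net32 = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
$tls12 = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'

$settings = @(
    @{ Path = $net;   Name = 'SystemDefaultTlsVersions'; Value = 1 },
    @{ Path = $net;   Name = 'SchUseStrongCrypto';       Value = 1 },
    @{ Path = $net32; Name = 'SystemDefaultTlsVersions'; Value = 1 },
    @{ Path = $net32; Name = 'SchUseStrongCrypto';       Value = 1 },
    @{ Path = "$tls12\Client"; Name = 'Enabled';           Value = 1 },
    @{ Path = "$tls12\Client"; Name = 'DisabledByDefault'; Value = 0 },
    @{ Path = "$tls12\Server"; Name = 'Enabled';           Value = 1 },
    @{ Path = "$tls12\Server"; Name = 'DisabledByDefault'; Value = 0 }
)

$changed = 0
foreach ($s in $settings) {
    $current = $null
    if (Test-Path $s.Path) {
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    }
    if ($current -eq $s.Value) {
        Write-Host ("OK      {0}\{1} = {2}" -f $s.Path, $s.Name, $current)
        continue
    }
    Write-Host ("CHANGE  {0}\{1}: '{2}' -> {3}" -f $s.Path, $s.Name, $current, $s.Value)
    if ($Apply) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
        $changed++
    }
}
if ($changed -gt 0) { Write-Warning "$changed value(s) changed; reboot the server, then re-run Test-OAuthConnectivity." }
```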



1.8 Set virtual directories for the recovered Exchange server

  1. Set-OwaVirtualDirectory -Identity "ServerName\OWA (Default Web Site)" -InternalUrl <InternalUrl> -ExternalUrl <ExternalUrl>
  2. Set-EcpVirtualDirectory -Identity "ServerName\ecp (Default Web Site)" -InternalUrl <InternalUrl>
  3. Set-WebServicesVirtualDirectory -Identity "ServerName\EWS (Default Web Site)" -InternalUrl <InternalUrl> -ExternalUrl <ExternalUrl>
  4. Set-ActiveSyncVirtualDirectory -Identity "ServerName\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl <InternalUrl> -ExternalUrl <ExternalUrl>
  5. Set-OabVirtualDirectory -Identity "ServerName\OAB (Default Web Site)" -InternalUrl <InternalUrl> -ExternalUrl <ExternalUrl>
  6. Set-OutlookAnywhere -Identity "ServerName\Rpc (Default Web Site)" -SSLOffloading $False -InternalHostname <InternalHostname> -ExternalHostname <ExternalHostname> -ExternalClientsRequireSsl $True -ExternalClientAuthenticationMethod Ntlm -InternalClientAuthenticationMethod Ntlm -InternalClientsRequireSsl $true
  7. Set-MapiVirtualDirectory -Identity "ServerName\mapi (Default Web Site)" -InternalUrl <InternalUrl> -ExternalUrl <ExternalUrl>
  8. Set-ImapSettings -Server "ServerName" -InternalConnectionSettings <host:port:encryption>
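Added example (not from the original post): instead of typing each URL, copy the virtual directory URLs and Outlook Anywhere host names from a healthy DAG member to the recovered server, reporting every difference first. HEALTHYSERVER and ServerName are placeholders; IMAP settings are not covered.

```powershell
# Added example (not from the post): copy the virtual directory URLs and Outlook
# Anywhere host names from a healthy DAG member to the recovered server, reporting
# every difference first. HEALTHYSERVER / ServerName are placeholders.
param(
    [string]$Reference = "HEALTHYSERVER",   # DAG member whose settings are known good
    [string]$Target    = "ServerName",      # the recovered server
    [switch]$Apply                          # without -Apply only report differences
)

# Each pair is the Get/Set cmdlet for one virtual directory type from the steps above
$kinds = @(
    @{ Get = 'Get-OwaVirtualDirectory';         Set = 'Set-OwaVirtualDirectory' },
    @{ Get = 'Get-EcpVirtualDirectory';         Set = 'Set-EcpVirtualDirectory' },
    @{ Get = 'Get-WebServicesVirtualDirectory'; Set = 'Set-WebServicesVirtualDirectory' },
    @{ Get = 'Get-ActiveSyncVirtualDirectory';  Set = 'Set-ActiveSyncVirtualDirectory' },
    @{ Get = 'Get-OabVirtualDirectory';         Set = 'Set-OabVirtualDirectory' },
    @{ Get = 'Get-MapiVirtualDirectory';        Set = 'Set-MapiVirtualDirectory' }
)

function Sync-Property($refObj, $tgtObj, [string]$prop, [string]$setCmdlet) {
    $want = [string]$refObj.$prop
    $have = [string]$tgtObj.$prop
    if ($want -eq $have) { return }
    Write-Host ("{0,-45} {1,-16} '{2}' -> '{3}'" -f $tgtObj.Identity, $prop, $have, $want)
    # Only write a value the reference actually has; an empty reference value is left for review
    if ($Apply -and $want) {
        $params = @{ Identity = $tgtObj.Identity }
        $params[$prop] = $want
        & $setCmdlet @params
    }
}

foreach ($k in $kinds) {
    $ref = & $k.Get -Server $Reference
    $tgt = & $k.Get -Server $Target
    foreach ($p in 'InternalUrl', 'ExternalUrl') { Sync-Property $ref $tgt $p $k.Set }
}

# Outlook Anywhere uses host names instead of URLs, so it is compared separately
$refOA = Get-OutlookAnywhere -Server $Reference
$tgtOA = Get-OutlookAnywhere -Server $Target
foreach ($p in 'InternalHostname', 'ExternalHostname') { Sync-Property $refOA $tgtOA $p 'Set-OutlookAnywhere' }
```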

 

Enable Kerberos for NSB Exchange servers - problem faced

Outlook kept asking for login credentials whenever a mailbox connected to this mailbox server.

Open the Exchange Management Shell and switch to the script path: cd $exscripts

Run the following command to deploy the ASA credential to the recovered Exchange 2016 server, copying it from another Exchange 2016 server:

.\RollAlternateServiceAccountPassword.ps1 -ToSpecificServer ServerName.nsn-intra.net -CopyFrom <OtherServerName>


You could run the following command to confirm if it runs successfully:

Get-ClientAccessServer "ServerName" -IncludeAlternateServiceAccountCredentialStatus | Format-List Name, AlternateServiceAccountConfiguration

 

Name                                 : ServerName
AlternateServiceAccountConfiguration : Latest: 6/12/2020 11:35:30 AM, domainname\EXCHNSBASA$
                                       Previous: 6/12/2020 11:17:45 AM, domainname\EXCHNSBASA$
                                       ...

1.9 Configure Server Proxy Settings for Anti-Malware Updates

We use a proxy server to control access to the Internet, so the proxy server must be identified for the anti-malware engine and definition updates to be downloaded successfully.

Proxy server settings that are available using the Netsh.exe tool, Internet Explorer connection settings, and the InternetWebProxy parameter on the Set-ExchangeServer cmdlet don't affect how anti-malware updates are downloaded.

To configure the proxy server settings for anti-malware updates, perform the following steps:

 

1. Open Windows PowerShell and run the commands below:

NOTE: this configuration must be done on ALL Exchange 2016 servers.

Add-PsSnapin Microsoft.Forefront.Filtering.Management.Powershell

Set-ProxySettings -Enabled $true -Server X.X.X.X -Port 8080

 

2. Use the command below to verify the configuration:

Get-ProxySettings

 

 

Because we use a customized Exchange installation folder, we need to set additional permissions on the FIP-FS folder:

1. Open the folder below in Windows Explorer and click "Continue" when you get the security warning:

E:\ExchSvr\FIP-FS\Data\Engines

2. Go back to the E:\ExchSvr\FIP-FS folder, right-click the folder and select "Properties"

 

3.      Go to “Security” tab and select “Edit”

 

4.      Grant “Full Control” permission to “NETWORK SERVICE” account:

 

To check the anti-malware update information, perform the following steps:

Open Windows PowerShell and run the commands below:

Add-PsSnapin Microsoft.Forefront.Filtering.Management.Powershell

Get-EngineUpdateInformation

Get-EngineUpdateCommonSettings

1.10 Add server into DAG

In the Exchange ECP, add the "ServerName" server into the DAG.

1.11 Database update

Add all database copies on the "ServerName" server with the following command:

Add-MailboxDatabaseCopy -Identity DBNAME -MailboxServer "SERVERNAME" -ActivationPreference 2
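Added example (not from the original post): add a copy of every database hosted on a healthy DAG member to the recovered server (the copies removed in step 1.1), then poll until all copies report Healthy and flag any that unexpectedly became active. HEALTHYSERVER and SERVERNAME are placeholders.

```powershell
# Added example (not from the post): add a copy of every database hosted on a
# healthy DAG member to the recovered server, then poll until all copies are
# Healthy. HEALTHYSERVER / SERVERNAME are placeholders.
param(
    [string]$Reference = "HEALTHYSERVER",
    [string]$Target    = "SERVERNAME",
    [int]$ActivationPreference = 2,
    [int]$TimeoutMinutes = 60
)

# Databases with a copy on the reference server but no copy on the target yet
$dbs = Get-MailboxDatabase -Server $Reference |
    Where-Object { @($_.Servers | ForEach-Object { $_.Name }) -notcontains $Target }

foreach ($db in $dbs) {
    Write-Host "Adding copy of $($db.Name) to $Target (ActivationPreference $ActivationPreference)"
    Add-MailboxDatabaseCopy -Identity $db.Name -MailboxServer $Target -ActivationPreference $ActivationPreference
}

# Seeding can take a while; poll until every copy on the target reports Healthy
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    $copies   = @(Get-MailboxDatabaseCopyStatus -Server $Target)
    $notReady = @($copies | Where-Object { "$($_.Status)" -ne 'Healthy' })
    $copies | Format-Table Name, Status, CopyQueueLength, ReplayQueueLength, ContentIndexState -AutoSize |
        Out-String | Write-Host
    if ($notReady.Count -eq 0) { break }
    Start-Sleep -Seconds 30
} while ((Get-Date) -lt $deadline)

if ($notReady.Count -gt 0) {
    Write-Warning "Copies still not Healthy on ${Target}: $(($notReady | ForEach-Object { $_.Name }) -join ', ')"
} else {
    # Preference 2 means these copies should be passive; flag any that became active
    $copies | Where-Object { $_.ActiveCopy } |
        ForEach-Object { Write-Warning "$($_.Name) is the active copy on $Target; check the activation preference." }
}
```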


