Basic information
- ISO download: https://next.itellyou.cn/Original/#
- Documentation: https://learn.microsoft.com/zh-cn/Exchange/plan-and-deploy/system-requirements?view=exchserver-2019
Required software
- Exchange 2019 memory: Microsoft's stated minimum is 128 GB for the Mailbox role (64 GB for Edge Transport). The 16 GB used in this lab is enough to get Setup through, but it is a lab figure, not a sizing recommendation.
Show the Computer and Network icons on the desktop: in the Run dialog enter
rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,0
Show host and IP address information on the desktop with BgInfo
https://learn.microsoft.com/zh-cn/sysinternals/downloads/bginfo
Boot Time: <Boot Time>
OS Version: <OS Version>
Host Name: <Host Name>
Logon Domain: <Logon Domain>
Machine Domain: <Machine Domain>
CPU: <CPU>
Memory: <Memory>
IP Address: <IP Address>
DHCP Server: <DHCP Server>
MAC Address: <MAC Address>
Subnet Mask: <Subnet Mask>
DNS Server: <DNS Server>
Default Gateway: <Default Gateway>
Volumes: <Volumes>
A. .NET Framework 4.8
https://download.visualstudio.microsoft.com/download/pr/014120d7-d689-4305-befd-3cb711108212/0fd66638cde16859462a6243a4629a50/ndp48-x86-x64-allos-enu.exe
B. Visual C++ Redistributable Package for Visual Studio 2012
https://www.microsoft.com/download/details.aspx?id=30679
C. Install the AD DS remote administration tools from Windows PowerShell:
Install-WindowsFeature RSAT-ADDS
D. Exchange Server 2019 CU12 (2022 H1) cumulative update
https://techcommunity.microsoft.com/t5/exchange-team-blog/released-2022-h1-cumulative-updates-for-exchange-server/ba-p/3285026
Download: follow the CU12 link in the blog post above (not id=30679, which is the VC++ 2012 redistributable from item B)
E. IIS URL Rewrite Module
The IIS URL Rewrite Module is required from Cumulative Update 11 onward.
Download: https://www.iis.net/downloads/microsoft/url-rewrite
F. Add the Windows component required for Lync Server / Skype for Business Server integration:
Install-WindowsFeature Server-Media-Foundation
G. Install Unified Communications Managed API 4.0. The package can be downloaded, and is also shipped in the \UCMARedist folder of the Exchange media.
https://www.microsoft.com/download/details.aspx?id=34992
H. Install the Windows components Exchange Setup requires; run the following in Windows PowerShell
#mount the Windows Server 2019 installation ISO as drive Z: on this machine (used as -Source for the side-by-side payload)
Install-WindowsFeature NET-Framework-45-Features, Server-Media-Foundation, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS -Source Z:\sources\sxs
#extend the AD schema. Run from the root of the Exchange ISO as a member of Schema Admins and Enterprise Admins. CU12 (2022 H1) and later reject the bare /IAcceptExchangeServerLicenseTerms switch; the _DiagnosticDataON or _DiagnosticDataOFF form is mandatory
.\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareSchema
.\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareAD /OrganizationName:"tyun"
#afterwards the Microsoft Exchange Security Groups OU appears in Active Directory Users and Computers
.\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareAllDomains
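Items A to H above are a checklist that Setup's readiness check will otherwise fail one item at a time. The following pre-flight script is an added example, not code from the original page: it verifies the .NET 4.8 release, the memory minimum, a pending reboot, the required Windows features and the group memberships needed for /PrepareSchema and /PrepareAD before Setup is started. The Z: drive letter for the Windows Server ISO is taken from the guide above; the function and parameter names are my own.

```powershell
# Added example: pre-flight check for an Exchange 2019 Mailbox server on Windows Server 2019.
# Assumes the Windows Server 2019 ISO is mounted as Z: (drive letter taken from this guide).

$requiredFeatures = @(
    'NET-Framework-45-Features','Server-Media-Foundation','RPC-over-HTTP-proxy',
    'RSAT-Clustering','RSAT-Clustering-CmdInterface','RSAT-Clustering-Mgmt','RSAT-Clustering-PowerShell',
    'WAS-Process-Model','Web-Asp-Net45','Web-Basic-Auth','Web-Client-Auth','Web-Digest-Auth',
    'Web-Dir-Browsing','Web-Dyn-Compression','Web-Http-Errors','Web-Http-Logging','Web-Http-Redirect',
    'Web-Http-Tracing','Web-ISAPI-Ext','Web-ISAPI-Filter','Web-Lgcy-Mgmt-Console','Web-Metabase',
    'Web-Mgmt-Console','Web-Mgmt-Service','Web-Net-Ext45','Web-Request-Monitor','Web-Server',
    'Web-Stat-Compression','Web-Static-Content','Web-Windows-Auth','Web-WMI',
    'Windows-Identity-Foundation','RSAT-ADDS'
)

function Test-ExchangePrereqs {
    param(
        [string]$SxsSource = 'Z:\sources\sxs',   # assumption: Windows ISO mounted as Z:
        [switch]$Install                          # install missing features instead of only reporting
    )
    $findings = @()

    # .NET Framework 4.8 or later: the Release DWORD is 528040 or higher (528049 on Windows Server 2019)
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $ndp -ErrorAction SilentlyContinue).Release
    if (-not $release -or $release -lt 528040) {
        $findings += ".NET Framework 4.8 not found (Release=$release); install ndp48-x86-x64-allos-enu.exe"
    }

    # Memory: Microsoft's stated minimum for the Mailbox role is 128 GB
    $memGB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB)
    if ($memGB -lt 128) { $findings += "$memGB GB RAM; Mailbox role minimum is 128 GB (lab use only below that)" }

    # A reboot left pending by an earlier feature install makes Setup's readiness check fail
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') {
        $findings += 'Reboot pending (Component Based Servicing); reboot before running Setup'
    }

    # Windows features Exchange Setup requires
    $missing = Get-WindowsFeature -Name $requiredFeatures | Where-Object { -not $_.Installed }
    if ($missing) {
        $names = $missing.Name -join ', '
        if ($Install) {
            Install-WindowsFeature -Name $missing.Name -Source $SxsSource | Out-Null
            $findings += "Installed missing features: $names (reboot required)"
        } else {
            $findings += "Missing features: $names"
        }
    }

    # /PrepareSchema and /PrepareAD need Schema Admins and Enterprise Admins membership
    $groups = whoami /groups | Select-String -Pattern 'Schema Admins', 'Enterprise Admins'
    if ($groups.Count -lt 2) {
        $findings += 'Current account is not in both Schema Admins and Enterprise Admins'
    }

    if ($findings.Count -eq 0) { 'All prerequisite checks passed' } else { $findings }
}

Test-ExchangePrereqs
```

Run it once without -Install to see what is missing, then with -Install to add the features; reboot before running Setup, since the features and the .NET install both leave a pending reboot.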
I. Send test mail to yourself in bulk
send-mailmessage -to [email protected] -subject "TEST49" -Body "Attention: free disk space on SRVEX is now below 78%" -smtpserver srvex.ianext.com -from [email protected] -Encoding Unicode
J. Start stopped Exchange services in bulk
#list the Exchange services
Get-Service -Name "MSExch*"
#show the full service names without truncation
Get-Service -Name "MSExch*" | ft -auto
#start every Exchange service that is currently stopped
Get-Service -Name "MSExchange*" | Where-Object {$_.Status -eq "Stopped"} | Restart-Service
K. Exchange user information
#last logon time per user and shared mailbox
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox | Get-MailboxStatistics | Sort-Object Lastlogontime -Descending | Select-Object DisplayName,MailboxTypeDetail,LastLogonTime,ServerName
#every Exchange server in the organization with its FQDN, role and version
Get-ExchangeServer | Select FQDN, ServerRole,AdminDisplayVersion,IsEdgeServer
#state of all Exchange services on this machine
Get-Service -Name *Exchange* | Select Status, DisplayName | Sort Status | FT -Auto
#test that the mail server's SMTP port is reachable
Test-NetConnection srvex.tyun.cn -Port 25 -InformationLevel "Detailed"
#show the interface, source and destination addresses and route used to reach the host
Test-NetConnection -ComputerName srvex.tyun.cn -DiagnoseRouting -InformationLevel Detailed
#DNS settings of the Exchange transport service
Get-TransportService | FL *dns*
#mailbox-enable every AD user that has a UPN but no mailbox yet (RecipientTypeDetails User returns only mail-disabled users)
Get-User -RecipientTypeDetails User -Filter { UserPrincipalName -ne $Null } | Enable-Mailbox
L. Bulk export of AD users
Reference: https://www.cnblogs.com/wulongy/p/14924907.html
Sample table
AD bulk administration tool
https://osdn.net/projects/sfnet_adbulkadmin/downloads/ADBulkAdmin/1.1.0.33/ADBulkAdmin-v1.1.0.33.zip/
https://zh.osdn.net/projects/sfnet_adbulkadmin/releases/
Export all users below the search base (here the it.tyun.cn domain) to CSV
Get-ADUser -Filter * -Properties * -SearchBase "DC=it,DC=tyun,DC=cn" |Select-Object name,SamAccountName,Givenname,surname,Displayname,title,mobile,CanonicalName,Created,Department,DistinguishedName,EmailAddress,homeMDB,mail,mailNickname,MemberOf,msExchCoManagedObjectsBL,msExchHomeServerName,PasswordLastSet,PrimaryGroup,proxyAddresses,UserPrincipalName,whenCreated,whenChanged,MobilePhone,telephoneNumber,employeeNumber,postalCode,company |Export-Csv C:\AllADUser20221001.csv -Encoding UTF8 -NoTypeInformation
ldifde -f "c:\alldbauser.ldf" -d "DC=it,DC=tyun,DC=cn" -r objectClass=user -l "name,SamAccountName,Givenname,surname,Displayname,title,mobile,CanonicalName,Created,Department,DistinguishedName,EmailAddress,homeMDB,mail,mailNickname,MemberOf,msExchCoManagedObjectsBL,msExchHomeServerName,PasswordLastSet,PrimaryGroup,proxyAddresses,UserPrincipalName,whenCreated,whenChanged,MobilePhone,telephoneNumber,employeeNumber,postalCode,company"
M. Query the AD password policy and password expiry dates
#default domain password policy
Get-ADDefaultDomainPasswordPolicy
ComplexityEnabled: password must meet complexity requirements
MaxPasswordAge: maximum password age
MinPasswordAge: minimum password age
MinPasswordLength: minimum password length
PasswordHistoryCount: enforce password history
Example: the maximum password age is 24 days; raise it to 180 days and enable complexity
Set-ADDefaultDomainPasswordPolicy -Identity tyun.cn -ComplexityEnabled $True -MaxPasswordAge 180.00:00:00
#users whose password has already expired
Get-ADUser -Filter * -Properties PasswordExpired | Where-Object {$_.PasswordExpired -eq $true} | FT Name
#expiry date of every enabled user whose password expires (computed from the default domain policy; fine-grained policies are not taken into account here)
Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties PasswordLastSet | Select-Object -Property "Name", @{n="ExpiryDate";e={$_.PasswordLastSet.AddDays((Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days)}} | Sort-Object ExpiryDate
#expiry date of one named user
Get-ADUser -Filter {name -like "king"} -Properties PasswordLastSet | Select-Object -Property "Name", @{n="ExpiryDate";e={$_.PasswordLastSet.AddDays((Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days)}} | Sort-Object ExpiryDate
#password attributes of all users
Get-ADUser -Filter * -Properties PasswordLastSet,PasswordExpired,PasswordNeverExpires | Sort-Object Name | ft Name,PasswordLastSet,PasswordExpired,PasswordNeverExpires
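The PasswordLastSet + MaxPasswordAge arithmetic above gives the wrong date for any account covered by a fine-grained password policy (such as the one created in step 1 below, which uses a 24-day maximum) and for accounts flagged PasswordNeverExpires. The domain controller already computes the correct value in the constructed attribute msDS-UserPasswordExpiryTimeComputed. The following report is an added example, not code from the original page; it requires the ActiveDirectory module, and the function name, the 14-day warning threshold and the whole-domain search base are my choices.

```powershell
# Added example: password expiry report that honours fine-grained policies and PasswordNeverExpires.
Import-Module ActiveDirectory

function Get-PasswordExpiryReport {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,  # assumption: whole domain
        [int]$WarnDays = 14                                      # flag passwords expiring within N days
    )
    $now = Get-Date
    Get-ADUser -Filter { Enabled -eq $true } -SearchBase $SearchBase `
        -Properties PasswordLastSet, PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed' |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        # 0 = pwdLastSet is 0 (must change at next logon); Int64.MaxValue = never expires
        $expires = if ($raw -and $raw -ne [int64]::MaxValue) { [DateTime]::FromFileTime($raw) } else { $null }
        $daysLeft = if ($expires) { [math]::Floor(($expires - $now).TotalDays) } else { $null }
        $state = if (-not $_.PasswordLastSet)       { 'MustChangeAtLogon' }
                 elseif (-not $expires)             { 'NeverExpires' }
                 elseif ($daysLeft -lt 0)           { 'Expired' }
                 elseif ($daysLeft -le $WarnDays)   { 'ExpiringSoon' }
                 else                               { 'OK' }
        # Which policy actually applies: a fine-grained policy overrides the default domain policy
        $fgpp = Get-ADUserResultantPasswordPolicy -Identity $_ -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name            = $_.SamAccountName
            PasswordLastSet = $_.PasswordLastSet
            Expires         = $expires
            DaysLeft        = $daysLeft
            State           = $state
            Policy          = if ($fgpp) { $fgpp.Name } else { 'Default Domain Policy' }
        }
    }
}

# Usage: accounts already expired or expiring within the warning window, most urgent first
Get-PasswordExpiryReport |
    Where-Object { $_.State -in 'Expired', 'ExpiringSoon' } |
    Sort-Object DaysLeft |
    Format-Table -AutoSize
```

Accounts reported as NeverExpires are worth a second look: on service or admin accounts that flag is common, on ordinary users it usually means the policy is being bypassed.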
#delete a single user
Remove-ADUser -Identity king -Confirm:$false
#delete a user object together with any child objects beneath it, looked up by SAM account name
Get-ADUser -Identity king | foreach{Remove-ADObject -Identity $_.ObjectGUID -Recursive -Confirm:$False}
#find and delete every user object inside a given organizational unit (OU)
Get-ADUser -Filter * -SearchBase "OU=cnList,OU=testGroup,DC=tyun,DC=cn" | foreach{Remove-ADObject -Identity $_.ObjectGUID -Recursive -Confirm:$False}
#to delete child objects (a subtree) use Remove-ADObject; its -Identity takes a distinguished name or GUID, not a SAM account name, so resolve it first
Remove-ADObject -Identity (Get-ADUser king).DistinguishedName -Recursive
Delete the user objects listed in a CSV file (column "name")
import-csv .\del.csv | foreach{Get-ADUser -Identity $_.name} | foreach{Remove-ADObject -Identity $_.ObjectGUID -Recursive -Confirm:$False}
#verify: the lookup fails once the object is gone
Get-ADUser king
References: https://hexingxing.cn/tag/active-directory/page/2/
https://github.com/phillips321/adaudit/blob/master/AdAudit.ps1
N. Storage planning
Database name | User category | Quota per mailbox | Mail server01
Level1 | Group executives, board, president's office | 20G | primary 400G
Level2 | Business-unit general manager office staff | 15G | primary 400G
Level3 | Department heads, leads, core staff | 10G |
Level4 | Regular employees | 4G |
Level5 | Inactive users | 500M |
Level6 | Shared, system and functional mailboxes | as needed |
Level7 | Departed employees | |
Level8 | Departed employees' mail | |
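The quota column of the table is only enforced once it is configured on the databases or mailboxes. The following is an added example, not code from the original page, that applies the table as database-level quotas so that new mailboxes inherit them, with a warning at 90% and a hard send/receive stop 10% above the send limit. It assumes one mailbox database per level named Level1 to Level5 (names taken from the table; the databases themselves must already exist) and that it runs in the Exchange Management Shell; the 90%/110% thresholds are my choice.

```powershell
# Added example: apply the storage-planning table as mailbox database quotas.
# Assumes databases named Level1..Level5 exist (names taken from the table above).

$quotaPlan = @{
    'Level1' = 20GB    # group executives, board, president's office
    'Level2' = 15GB    # business-unit GM office staff
    'Level3' = 10GB    # department heads, leads, core staff
    'Level4' = 4GB     # regular employees
    'Level5' = 500MB   # inactive users
}

function Set-LevelDatabaseQuotas {
    param(
        [hashtable]$Plan = $quotaPlan,
        [switch]$WhatIf                 # dry run: show what would change without changing it
    )
    foreach ($db in $Plan.Keys) {
        $send = [int64]$Plan[$db]
        $warn = [int64]($send * 0.9)    # IssueWarningQuota at 90% of the send limit
        $hard = [int64]($send * 1.1)    # ProhibitSendReceiveQuota 10% above it so inbound mail is not lost immediately
        Set-MailboxDatabase -Identity $db `
            -IssueWarningQuota $warn `
            -ProhibitSendQuota $send `
            -ProhibitSendReceiveQuota $hard `
            -WhatIf:$WhatIf
        # Mailboxes given an explicit per-mailbox quota earlier ignore the database default; put them back on it
        Get-Mailbox -Database $db -ResultSize Unlimited |
            Where-Object { -not $_.UseDatabaseQuotaDefaults } |
            Set-Mailbox -UseDatabaseQuotaDefaults $true -WhatIf:$WhatIf
    }
}

function Get-LevelDatabaseQuotas {
    # Verification view: the three limits per database, in the order they should increase
    Get-MailboxDatabase |
        Where-Object { $quotaPlan.ContainsKey($_.Name) } |
        Select-Object Name, IssueWarningQuota, ProhibitSendQuota, ProhibitSendReceiveQuota |
        Sort-Object Name
}

# Dry run first, then apply and verify
Set-LevelDatabaseQuotas -WhatIf
Set-LevelDatabaseQuotas
Get-LevelDatabaseQuotas | Format-Table -AutoSize
```

Level6 (shared and functional mailboxes) is deliberately left out of the plan because its quota is "as needed"; set those per mailbox with Set-Mailbox -UseDatabaseQuotaDefaults $false and explicit limits.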
Exchange 2019 deployment steps
IP address | Host name | Server role | Notes
10.30.21.64 | SH-Srv-AD | Domain controller (primary) |
10.30.21.77 | SH-Srv-AC | Domain controller (additional) |
10.30.21.78 | SH-Srv-MBX01 | Mail server 01 |
10.30.21.83 | SH-Srv-MBX02 | Mail server 02 |
Architecture diagram (image not reproduced)
Step 1: install the primary AD domain controller
01 Time on the PDC emulator
#find which DC holds the PDC emulator (and the other FSMO roles)
netdom query fsmo
#configure the PDC emulator to sync from external NTP servers (0x8 = client mode) and advertise itself as a reliable time source
w32tm /config /manualpeerlist:"server0.cn.pool.ntp.org,0x8 server1.cn.pool.ntp.org,0x8 time.windows.com,0x8" /syncfromflags:manual /reliable:yes /update
#current Windows Time service status
w32tm /query /status
#configured NTP peers
w32tm /query /peers
#offset between this server and an NTP server, 100 samples
w32tm /stripchart /computer:time.windows.com /samples:100 /dataonly
#one-off sync of a domain client from the DC. Domain members follow the domain hierarchy (Parameters\Type = NT5DS) automatically; the NtpServer value set below is only honoured when Type is NTP, i.e. on hosts outside the domain hierarchy
net time \\192.168.232.10 /set /y
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient /v SpecialPollInterval /t REG_DWORD /d 1200 /f
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters /v NtpServer /d ntp1.aliyun.com /f
net stop w32time
net start w32time
02 Reset the server SID
On a self-built image, run sysprep.exe from C:\Windows\System32\Sysprep; reboot the server after the SID has been reset
On an Alibaba Cloud server, download
https://docs-aliyun.cn-hangzhou.oss.aliyun-inc.com/assets/attach/40846/cn_zh/1542010494209/AutoSysprep.ps1?spm=a2c4g.11186623.0.0.293f5f53EeEej3&file=AutoSysprep.ps1
.\AutoSysprep.ps1 -help
Re-initialize the server SID and reboot
.\AutoSysprep.ps1 -ReserveHostname -ReserveNetwork -SkipRearm -PostAction "reboot"
03 Install the primary domain controller
Password policy configuration
Add a fine-grained password policy with PowerShell. A fine-grained policy has no effect until it is applied to users or groups with Add-ADFineGrainedPasswordPolicySubject.
New-ADFineGrainedPasswordPolicy -Name "PasswordSetting3" -Precedence 1 -ComplexityEnabled $true -Description "The Domain Users Password Policy" -DisplayName "PasswordSetting3" -LockoutDuration "0.00:30:00" -LockoutObservationWindow "0.00:30:00" -LockoutThreshold "5" -MaxPasswordAge "24.00:00:00" -MinPasswordAge "1.00:00:00" -MinPasswordLength "7" -PasswordHistoryCount "24"
Precedence: 1 (highest)
Minimum password length: 7 characters
Password history: 24 remembered passwords
Password complexity: enabled
Minimum password age: 1 day
Maximum password age: 24 days
Account lockout: 5 failed logons within 30 minutes lock the account for 30 minutes
Step 2: install the additional domain controller
After rebooting the server
Check that the primary and additional DC can see each other
netdom query fsmo
Check AD replication health
repadmin /showrepl
Step 3: install Exchange 2019
Install in this order: ndp48-x86-x64-allos-enu.exe, vcredist_x64.exe (2012 and 2013), urlrewrite2.exe, UcmaRuntimeSetup_API4.0.exe
#install the AD DS remote administration tools
Install-WindowsFeature RSAT-ADDS
#install the Server Media Foundation feature
Install-WindowsFeature Server-Media-Foundation
#Windows components required by Exchange Setup (Windows Server 2019 ISO mounted as G: for -Source)
Install-WindowsFeature NET-Framework-45-Features, Server-Media-Foundation, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS -Source G:\sources\sxs
#reboot the server, then run the commands below
Mount the Exchange Server 2019 CU12 ISO (here also G:), open a PowerShell window and change to G:
.\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareSchema
.\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareAD /OrganizationName:"tyun"
.\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareAllDomains
Reboot the server when prompted, then run Setup once more
.\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareSchema
Reboot the Exchange 2019 server again
Start the Exchange 2019 CU12 installation (GUI)
or run it from the command line
#license the server SRV2019-MBX with a product key
Set-ExchangeServer SRV2019-MBX -ProductKey YCQY7-BNTF6-R337H-69FGX-P39TY
#restart the Microsoft Exchange Information Store service so the new edition takes effect
Restart-Service MSExchangeIS
#verify the edition and trial properties
Get-ExchangeServer SRV2019-MBX | Format-List Name,Edition,*Trial*
Get-ExchangeServer | Format-Table -Auto Name,Edition,*Trial*
Product keys by edition
Enterprise: YCQY7-BNTF6-R337H-69FGX-P39TY
Standard: G3FMN-FGW6B-MQ9VW-YVFV8-292KP
修複0Day漏洞
.*autodiscover\.json.*\@.*Powershell.*
條件輸入{REQUEST_URI}
.\iisreset.exe -restart
Step 4: configure certificates
add-pssnapin microsoft.exchange*
(loads the Exchange snap-in into a plain PowerShell window; the Exchange Management Shell is the supported way to run these cmdlets)
Query the database and log file paths on the Exchange server
Get-MailboxDatabase -Server SRV2019-MBX| Select Name,EdbFilePath,LogFolderPath | fl
#show the Exchange Server version
Get-ExchangeServer | Format-List Name,Edition,AdminDisplayVersion
After the Exchange installation reboot the server; if the Exchange services come up stopped, start them with the command from section J
Open https://mail.tyun.cn/ecp
Install-WindowsFeature Web-Client-Auth
Press Win+Q, type inetmgr and open Internet Information Services (IIS) Manager
Click the owa virtual directory and double-click SSL Settings
Select the Microsoft-Server-ActiveSync virtual directory and open SSL Settings
From cmd open regedit and edit HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443 (value set to 1; this key holds the HTTP.sys settings for the 0.0.0.0:443 binding, including client-certificate negotiation)
#require client certificates on owa, ecp and ActiveSync. SslRequireCert means every browser and phone without a certificate gets a 403; only use it where client certificates are actually deployed
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/owa/" -section:system.webserver/security/access /sslFlags:"Ssl, SslRequireCert" /commit:apphost
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/ecp/" -section:system.webserver/security/access /sslFlags:"Ssl, SslRequireCert" /commit:apphost
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/Microsoft-Server-ActiveSync/" -section:system.webserver/security/access /sslFlags:"Ssl, SslRequireCert" /commit:apphost
Issue a self-signed certificate (clients will not trust it; use it only until the CA-issued certificate from steps 5 and 6 is in place)
New-ExchangeCertificate -FriendlyName "Contoso Exchange Certificate" -SubjectName CN=srv2019-mbx -DomainName mail.tyun.cn,autodiscover.tyun.cn,srv2019-mbx.tyun.cn -Services SMTP,IIS -PrivateKeyExportable $true
New-ExchangeCertificate -FriendlyName "Contoso Exchange Certificate2019" -SubjectName CN=mail -DomainName mail.tyun.cn,autodiscover.tyun.cn,srv2019-mbx.tyun.cn -Services SMTP,IIS -PrivateKeyExportable $true
List the self-signed certificates
Get-ExchangeCertificate | where {$_.Status -eq "Valid" -and $_.IsSelfSigned -eq $true} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint,NotBefore,NotAfter
Renew a self-signed certificate
Get-ExchangeCertificate -Thumbprint BC37CBE2E59566BFF7D01FEAC9B6517841475F2D | New-ExchangeCertificate -Force -PrivateKeyExportable $true
Renewal through a certification authority
#to send the contents of the renewal request to the CA as text, create a Base64-encoded request file with this syntax (use a 2048-bit or larger key; 1024-bit RSA is rejected by current clients)
$txtrequest = Get-ExchangeCertificate -Thumbprint <Thumbprint> | New-ExchangeCertificate -GenerateRequest [-KeySize <1024 | 2048 | 4096>] [-Server <ServerIdentity>]
[System.IO.File]::WriteAllBytes('<FilePathOrUNCPath>\<FileName>.req', [System.Text.Encoding]::Unicode.GetBytes($txtrequest))
#to send the renewal request to the CA as a file, create a DER-encoded request file with this syntax
$binrequest = Get-ExchangeCertificate -Thumbprint <Thumbprint> | New-ExchangeCertificate -GenerateRequest -BinaryEncoded [-KeySize <1024 | 2048 | 4096>] [-Server <ServerIdentity>]
[System.IO.File]::WriteAllBytes('<FilePathOrUNCPath>\<FileName>.pfx', $binrequest.FileData)
#to find the thumbprint of the certificate you want to renew, run:
Get-ExchangeCertificate | where {$_.Status -eq "Valid" -and $_.IsSelfSigned -eq $false} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint,NotBefore,NotAfter
#this example creates a Base64-encoded renewal request for the existing certificate with thumbprint 5DB9879E38E36BCB60B761E29794392B23D1C054:
$txtrequest = Get-ExchangeCertificate -Thumbprint 5DB9879E38E36BCB60B761E29794392B23D1C054 | New-ExchangeCertificate -GenerateRequest
[System.IO.File]::WriteAllBytes('\\FileServer01\Data\ContosoCertRenewal.req', [System.Text.Encoding]::Unicode.GetBytes($txtrequest))
#this example creates a DER (binary) encoded renewal request for the same certificate:
$binrequest = Get-ExchangeCertificate -Thumbprint <Thumbprint> | New-ExchangeCertificate -GenerateRequest -BinaryEncoded
[System.IO.File]::WriteAllBytes('\\FileServer01\Data\ContosoCertRenewal.pfx', $binrequest.FileData)
#in the Exchange Management Shell on the server where the request is stored, list the pending requests:
Get-ExchangeCertificate | where {$_.Status -eq "PendingRequest" -and $_.IsSelfSigned -eq $false} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint
Step 5: configure AD CS
Reboot the server
Note: if https://<hostname>/ecp/ returns a 503 error after the reboot,
change the IIS HTTPS binding to the correct SSL certificate
Step 6: import the CA certificate
In a browser open https://mail/certsrv/Default.asp or http://localhost/certsrv/default.asp
If that fails, configure the CA web enrollment site and use
http://localhost/certsrv/default.asp
#certificate request for the CA; -DomainName adds the SAN entries clients connect to (autodiscover.tyun.cn in particular), which a CN-only request would lack
$txtrequest = New-ExchangeCertificate -PrivateKeyExportable $True -GenerateRequest -FriendlyName "Mail.tyun.cn Cert" -SubjectName "CN=mail.tyun.cn" -DomainName mail.tyun.cn,autodiscover.tyun.cn
[System.IO.File]::WriteAllBytes('\\SRV2019-MBX\Data\Mail.tyun.cn Cert.req', [System.Text.Encoding]::Unicode.GetBytes($txtrequest))
#pending certificate requests stored on the Exchange 2019 server
Get-ExchangeCertificate | where {$_.Status -eq "PendingRequest" -and $_.IsSelfSigned -eq $false} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint
Extend the validity period the CA will issue for the Exchange 2019 certificate
Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\tyun-SRV2019-MBX-CA the value ValidityPeriodUnits (together with ValidityPeriod) caps the lifetime of any certificate the CA issues; raise it first
Stop and then restart the Active Directory Certificate Services service for the change to take effect
Right-click the template, choose Duplicate Template and set the validity period to 20 years (a 20-year server certificate also means a 20-year exposure window for its private key; one to two years is the usual choice)
Name the template Exchange Server 2019
Under Certificate Templates to Issue, add Exchange Server 2019
Import the issued certificate into Exchange 2019
Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes('\\SRV2019-MBX\Data\certnew.cer'))
Distribute the CA certificate to domain members through Group Policy
Once the import succeeds, force a Group Policy refresh with gpupdate /force
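Import-ExchangeCertificate only completes the pending request; nothing uses the new certificate until it is assigned to the IIS and SMTP services with Enable-ExchangeCertificate, and the self-signed and renewed certificates from step 4 still need to be tracked so they do not expire unnoticed. The following is an added example, not code from the original page: it binds an imported certificate after checking its status and SAN coverage, then reports every certificate on the server with its days to expiry. The 30-day threshold and the function names are my choices; the thumbprint comes from the Get-ExchangeCertificate output above.

```powershell
# Added example: bind the CA-issued certificate and report certificate expiry on this Exchange server.
# Runs in the Exchange Management Shell (or after add-pssnapin microsoft.exchange* as used in step 4).

function Enable-ImportedExchangeCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string[]]$Services = @('IIS', 'SMTP'),
        [string]$RequiredName = 'mail.tyun.cn'    # the name clients connect to
    )
    $cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
    # Status is Valid only when the chain to the CA validates on this server; otherwise binding it breaks TLS
    if ($cert.Status -ne 'Valid') { throw "Certificate $Thumbprint has status $($cert.Status); import the CA chain first" }
    if ($cert.CertificateDomains -notcontains $RequiredName) { Write-Warning "Certificate does not cover $RequiredName" }
    # -Force suppresses the prompt about overwriting the default SMTP certificate
    Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services ($Services -join ',') -Force
    Get-ExchangeCertificate -Thumbprint $Thumbprint | Select-Object Thumbprint, Services, CertificateDomains, NotAfter
}

function Get-ExchangeCertificateExpiry {
    param([int]$WarnDays = 30)
    Get-ExchangeCertificate | ForEach-Object {
        $days  = [math]::Floor(($_.NotAfter - (Get-Date)).TotalDays)
        $bound = "$($_.Services)" -match 'IIS|SMTP'
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            Services   = $_.Services
            NotAfter   = $_.NotAfter
            DaysLeft   = $days
            SelfSigned = $_.IsSelfSigned
            Issue      = if ($days -lt 0)                  { 'EXPIRED' }
                         elseif ($days -le $WarnDays)      { "Expires in $days days" }
                         elseif ($bound -and $_.IsSelfSigned) { 'Self-signed but bound to IIS/SMTP' }
                         else                              { '' }
        }
    } | Sort-Object DaysLeft
}

# Usage (thumbprint taken from Get-ExchangeCertificate after the import):
# Enable-ImportedExchangeCertificate -Thumbprint '5DB9879E38E36BCB60B761E29794392B23D1C054'
Get-ExchangeCertificateExpiry | Where-Object Issue | Format-Table Thumbprint, Services, DaysLeft, Issue -AutoSize
```

Exchange keeps its own self-signed certificate assigned to SMTP for server-to-server TLS even after a CA certificate is bound, so a self-signed entry with Services SMTP alone is normal; the flag matters for IIS, where browsers and phones see the certificate.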