In the last part, we saw how Autodiscover works for customers who are in Office 365 alone. In this post we will see how Autodiscover works in Exchange On-Premise and Hybrid Exchange environments.

How does Autodiscover work in Exchange On-Premise?

If a company has its messaging infrastructure On-Premise alone, this is how Autodiscover works for a user mailbox:

  1. Once the user launches Outlook and enters the credential, Outlook queries AD for the SCP record to get the Autodiscover service information.
  2. Once that information is available, Outlook validates the user and connects to the URL, which leads to the Client Access Server.
  3. The CAS server queries AD and sends the Autodiscover and other Exchange service information in an XML file.
  4. Outlook uses that information to configure the Outlook profile.

Below is the Test E-Mail AutoConfiguration result that illustrates the behaviour above.

How does Autodiscover work in an Exchange Hybrid environment?

A Hybrid Exchange environment is nothing but a customer having some mailboxes in On-Premise Exchange and some in Office 365 (Exchange Online). Though the two Exchange infrastructures are separate, the Hybrid Configuration Wizard couples them together so that they function as a single environment.

Below are the details of how Autodiscover works for a Hybrid environment user whose mailbox is in Office 365.

In the illustration above, the company uses dhanya.com as its SMTP address space, and for the mailboxes in Office 365, On-Premise holds a remote mailbox object with dhanyaonline.mail.onmicrosoft.com as the target address.

  1. Once the user launches Outlook and enters the credential, Outlook queries AD for the SCP record to get the Autodiscover service information.
  2. Once that information is available, it tries to validate the user. It cannot find a mailbox for Raj, only a remote mailbox object for this user On-Premise, so it tells Outlook to try an Autodiscover request for Raj’s target address.
  3. Outlook tries to get the Autodiscover information for dhanyaonline.mail.onmicrosoft.com by a DNS query to the Internet. Autodiscover.dhanyaonline.mail.onmicrosoft.com has a CNAME record that points to the Exchange Online Autodiscover record.
  4. Outlook connects to Autodiscover.outlook.com, which connects to the Exchange Online Client Access Server.
  5. Exchange Online validates the user with an authentication prompt.
  6. Once verified, Exchange Online sends the Autodiscover information in XML format to the user.

Below is the Test E-Mail AutoConfiguration result, which clearly shows the behaviour explained above.

We have seen a lot of information on how Autodiscover works for Exchange Online, Exchange On-Premise and Hybrid Exchange environments, with explanations. I hope this is informative. Leave your comments if any additional information is required.

In the last part, we saw how Autodiscover works for internal and external clients. In this post we will see how Autodiscover works in Exchange Online.

How does Autodiscover work in Exchange Online?

If a company has its messaging infrastructure in Office 365 alone, without any On-Premise infrastructure, this is how Autodiscover works for an Exchange Online mailbox:

  1. When the user enters the credential, Outlook performs an SCP query, which fails.
  2. A DNS lookup then happens to find the Autodiscover service for the FQDN autodiscover.domainname.com.
  3. The Autodiscover record found there is a CNAME record pointing to Autodiscover.outlook.com; it directs the client to Exchange Online to get the Autodiscover information.
  4. Outlook connects to autodiscover.outlook.com (Exchange Online) and the credential is validated.
  5. The Autodiscover XML file is returned to the Outlook client with outlook.office365.com as the server name to connect to.

The test connection result below shows the details of how it worked. For testing, I directly entered the domainname.onmicrosoft.com email address, so the SCP query does not appear in the result below.

Explanation:

Many tools are available to see the behaviour of Autodiscover, like Outlook Test E-mail AutoConfiguration, the Exchange Remote Connectivity Analyzer, Fiddler, Outlook advanced logging, etc. Here we will use the Outlook Test E-mail AutoConfiguration option to explain the Autodiscover process.

All requests to Office 365 are considered external network requests, and Outlook behaves the same way as explained in the previous article.

  1. The second portion of the email address is taken as the FQDN, and Outlook tries to connect to that URL; it fails.
  2. Outlook uses the predefined URL, as mentioned below, to connect; it fails again.
  3. Outlook searches for any local record for the domain name; that fails too.
  4. The redirect method (HTTP instead of HTTPS to the predefined URL) is followed, and it gets a response to go to https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml. Outlook prompts for the credential for validation at this point.
  5. A response is received for the https and http requests to https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml, the XML is retrieved from Exchange Online, and Outlook configures the profile.

This is how you need to split the log to see how Autodiscover works in your environment.

Everyone knows how Exchange Autodiscover works, as it has been there since Exchange Server 2007. I am writing this blog to show how it works for Exchange Online, Exchange On-Premise and Exchange Hybrid environments.

The Microsoft Exchange Autodiscover service helps Autodiscover-capable Outlook clients configure the Outlook profile easily with minimal input. Users know their user name and password; by providing those, the other information needed to configure the Outlook profile can be retrieved from Exchange using the Autodiscover service. Autodiscover automatically configures the user profile for Outlook and mobile devices.

Outlook 2007 and later clients support Autodiscover to connect to Exchange 2007 and above.

How does Autodiscover work?

The information required to configure the Outlook profile is retrieved from Exchange in XML format, and Outlook uses that information to connect to the different services it needs to function properly.

How Autodiscover works when connecting from the internal network.

Note: To locate the Autodiscover service, Outlook first uses an LDAP query for the Service Connection Point object (internal clients), and if that fails it uses a DNS query (external clients).

  1. Once the user enters the credential (email address and password, where the email address is taken as the user name), Outlook authenticates with AD and queries for Service Connection Point objects to find the Autodiscover service on the Client Access Server it has to contact to get the Autodiscover information in XML format.

An SCP object is created when an Exchange Client Access Server is installed, and a new SCP is created for each new CAS server. The SCP’s serviceBindingInformation holds the FQDN of the Client Access Server in the form https://cas01.learnexchangeserver.com/autodiscover/autodiscover.xml, and its keyword tells which site this CAS server belongs to.

Once the client has authenticated to Active Directory:

  • The Autodiscover service information is obtained from the SCP object; if for any reason that fails,
  • Outlook tries the predefined URL, such as https://autodiscover.learnexchangeserver.com/autodiscover/autodiscover.xml, using DNS.
  • If the above fails, Outlook tries the HTTP redirect method: the same predefined URL, but over HTTP instead of HTTPS.
  • If the above fails, an SRV record lookup is used, which is the last lookup method; if that fails, Outlook auto-configuration fails.
  2. The Autodiscover service on the CAS server contacts AD to get the URLs and the configured Exchange service details.
  3. The Autodiscover service returns an HTTPS response with an XML file that includes the connection settings and URLs for the available Exchange features.
  4. The Outlook client uses that information to connect to Exchange.
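The SCP lookup described above can be reproduced outside Outlook to audit what internal clients are actually being pointed at. The script below is an added example (not from the original post): it reads every Autodiscover SCP from the Configuration naming context with plain ADSI and flags any serviceBindingInformation that is not an HTTPS URL under the expected namespace; $ExpectedSuffix is an assumed value.

```powershell
# Added example (not from the original post): enumerate the Autodiscover SCP
# objects that Outlook finds with its LDAP query and flag any whose
# serviceBindingInformation is not an HTTPS URL under your Exchange namespace.
# Runs on a domain-joined machine; needs no Exchange tools. $ExpectedSuffix is assumed.
$ExpectedSuffix = 'learnexchangeserver.com'

# Exchange publishes the Autodiscover SCPs in the Configuration naming context
$rootDse  = [ADSI]'LDAP://RootDSE'
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.configurationNamingContext)"
$searcher.Filter     = '(objectClass=serviceConnectionPoint)'
$searcher.PageSize   = 500
[void]$searcher.PropertiesToLoad.AddRange([string[]]('serviceBindingInformation','keywords','distinguishedName','whenChanged'))

$scps = @(foreach ($result in $searcher.FindAll()) {
    $props = $result.Properties
    foreach ($binding in @($props['servicebindinginformation'])) {
        # Keep only Autodiscover SCPs; SCPs published by other services are ignored
        if ($binding -notmatch '/autodiscover/autodiscover\.xml$') { continue }

        $uri = $null
        $parsed = [Uri]::TryCreate([string]$binding, [UriKind]::Absolute, [ref]$uri)
        $expected = $parsed -and
                    $uri.Scheme -eq 'https' -and
                    ($uri.Host -eq $ExpectedSuffix -or $uri.Host -like "*.$ExpectedSuffix")

        [pscustomobject]@{
            Expected = $expected
            Url      = [string]$binding
            Keywords = (@($props['keywords']) -join '; ')     # includes the site keyword
            Changed  = $props['whenchanged'][0]               # when the SCP was last modified
            ScpDN    = [string]$props['distinguishedname'][0]
        }
    }
})

$scps | Sort-Object Expected, ScpDN | Format-Table Expected, Url, Keywords, Changed -AutoSize
foreach ($bad in ($scps | Where-Object { -not $_.Expected })) {
    Write-Warning "Autodiscover SCP outside the expected namespace: $($bad.Url) at $($bad.ScpDN)"
}
```

Any SCP that is flagged, or whose Changed timestamp does not match a known CAS installation or namespace change, is worth explaining before clients trust it.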

How Autodiscover works when connecting from the Internet.

If the client machine is not domain joined, or is connecting from the Internet:

  1. Outlook first tries to locate the Autodiscover service by looking up the SCP object in Active Directory. Since the client is on the Internet, it cannot contact Active Directory.
  2. The Outlook client then tries to locate the Autodiscover service by DNS query.

For the DNS query, Outlook uses the right side of the email address (the domain name), that is, learnexchangeserver.com, and then checks DNS for two predefined URLs. For example:

https://learnexchangeserver.com/autodiscover/autodiscover.xml

https://autodiscover.learnexchangeserver.com/autodiscover/autodiscover.xml

Note: You need to create a DNS record on the Internet that leads to your Client Access Server to make this work.

  3. The Autodiscover service on the CAS server contacts AD to get the URLs and the configured Exchange service details.
  4. The Autodiscover service returns an HTTPS response with an XML file that includes the connection settings and URLs for the available Exchange features.
  5. The Outlook client uses that information to connect to Exchange.
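The DNS side of this lookup order (the two predefined URLs, the HTTP redirect host and the SRV record) can be checked for a domain you operate without involving Outlook. The function below is an added example (not from the original post): it resolves each name in the order Outlook tries them and reports the result, so a CNAME to autodiscover.outlook.com (the Exchange Online case) or a missing record is visible at a glance. It assumes Resolve-DnsName is available (Windows 8 / Server 2012 or later); the domain passed in is a sample value.

```powershell
# Added example (not from the original post): resolve the DNS names behind
# Outlook's Autodiscover lookup order for an SMTP domain and report each step.
# The SCP step is not a DNS step and is therefore not included.
function Get-AutodiscoverDnsPath {
    param([Parameter(Mandatory)][string]$Domain)

    # Steps in the order Outlook tries them; the redirect method reuses the
    # autodiscover.<domain> name over HTTP, so it needs no separate lookup
    $steps = @(
        @{ Step = 'Predefined URL 1: https://<domain>/autodiscover/autodiscover.xml';
           Type = 'A';     Name = $Domain },
        @{ Step = 'Predefined URL 2 and HTTP redirect host: autodiscover.<domain>';
           Type = 'A';     Name = "autodiscover.$Domain" },
        @{ Step = 'CNAME behind autodiscover.<domain> (Exchange Online: autodiscover.outlook.com)';
           Type = 'CNAME'; Name = "autodiscover.$Domain" },
        @{ Step = 'SRV record (last method tried)';
           Type = 'SRV';   Name = "_autodiscover._tcp.$Domain" }
    )

    foreach ($s in $steps) {
        $records = @()
        try {
            # Resolve-DnsName also returns the CNAME chain; keep only the requested type
            $records = @(Resolve-DnsName -Name $s.Name -Type $s.Type -ErrorAction Stop |
                         Where-Object { $_.Type -eq $s.Type })
        } catch {
            # NXDOMAIN / no answer: leave $records empty and report "(no record)"
        }

        $value = switch ($s.Type) {
            'CNAME' { @($records | ForEach-Object { $_.NameHost }) -join ', ' }
            'SRV'   { @($records | ForEach-Object { "$($_.NameTarget):$($_.Port) (priority $($_.Priority))" }) -join ', ' }
            default { @($records | ForEach-Object { $_.IPAddress }) -join ', ' }
        }
        if (-not $value) { $value = '(no record)' }

        [pscustomobject]@{ Step = $s.Step; Query = "$($s.Type) $($s.Name)"; Result = $value }
    }
}

# Sample domain from the post; replace with a domain you are responsible for
Get-AutodiscoverDnsPath -Domain 'learnexchangeserver.com' | Format-List
```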

In the next part we will see how Autodiscover works for Exchange Online, Exchange On-Premise and Exchange Hybrid environments.


Outlook, and Exchange ActiveSync on mobile devices, use Autodiscover to configure and maintain the server settings for a client that is configured to access a mailbox. On initial configuration, we know Outlook does an Autodiscover lookup to configure the Outlook profile. Once the Outlook profile is configured, it keeps doing Autodiscover lookups to see whether there are any changes to the URLs or to the mailbox settings.

We need to know when Outlook does an Autodiscover lookup. Outlook clients automatically connect to the Autodiscover service under the following conditions:

  • When the Outlook client starts, both the first time it is opened and every time it starts
  • Once every 60 minutes
  • Any time the client’s connection to an Exchange Server fails

Hope this is informative.

The ADRMS service provides Information Rights Management protection to Exchange Servers, SharePoint Servers and File Servers. When using ADRMS, we can configure protection templates like Do Not Reply All, View Only, etc. and make them available for end users to apply to emails or documents to protect confidential documents and emails.

We need to deploy the ADRMS service in the On-Premise environment with the required templates and publish those templates for end users to consume. I have the ADRMS infrastructure in my lab and Exchange Server 2019 installed.

Exchange Server has the IRM configuration below by default.

And users are prompted to connect to the Rights Management Server to get the IRM templates published by an administrator.

Configuring Exchange Server 2019 to use ADRMS

Setting up Exchange Server to use IRM is simple: we need to set the InternalLicensingEnabled parameter of the Set-IRMConfiguration command to True. The settings change is shown below.

Exchange does an SCP lookup and completes the IRM configuration.

The user is able to access the IRM templates now, after the ADRMS service deployment and the IRM configuration in Exchange.

IRM Template from OWA

I plan to showcase a demo of changing the IRM configuration from ADRMS to Azure RMS for Exchange Server 2019. I will post it later.

Exchange Server 2019 automatically configures the Internet Information Services virtual directories related to Exchange. Clients connect to these virtual directories to access the services provided by Exchange Servers. This post shows the default configuration of the Exchange Server 2019 virtual directories.

Internal and External URL, SSL configuration and the authentication methods are the important parameters related to virtual directories; we will see all those configurations in detail.

Below are the virtual directories created during the Exchange Server 2019 installation.

I have chosen mail.superhybridcloud.com as the namespace for all the Exchange services and have already changed it. Exchange certificate installation and configuration are already done.

Auto Discover:

Autodiscover allows email clients like Outlook to discover the mailbox settings and configure the mailbox automatically without entering details like server information. Autodiscover refers to the Service Connection Point object in AD to get the user information.

Get-ClientAccessService is the command used for the Internal Url and the Authentication Methods configuration, as shown below.

There is no need to set the Internal / External Url using Set-AutodiscoverVirtualDirectory, as that applies only when using Exchange Server 2010.

MAPI over HTTP:

MAPI over HTTP is the default protocol for Outlook in Exchange Server 2019, and the Exchange 2019 installation warns if MAPI over HTTP is not enabled. To ensure it is enabled, use the Get-OrganizationConfig command.

The Set-MapiVirtualDirectory command is used to manage MAPI over HTTP related settings.

Exchange Control Panel:

The Exchange Control Panel is where an admin accesses the Exchange Admin Center to manage the Exchange service. Basic Authentication and FBA are the default authentication methods set on the ECP virtual directory.

Use Set-ECPVirtualDirectory command to manage the ECP virtual directory related settings.

Outlook on the Web (OWA):

The OWA virtual directory allows email access using a web browser, and we can use Set-OWAVirtualDirectory to configure the OWA virtual directory settings.

Active Sync:

Mobile device clients that support Exchange ActiveSync connect to the ActiveSync virtual directory to access the mailbox.

The default configuration does not set any authentication; we can enable Basic to allow clients to access the mailbox using the ActiveSync protocol.

Set-ActiveSyncVirtualDirectory command allows you to configure the Active Sync related settings.

Offline Address Book (OAB):

Outlook clients using Cached mode require the offline address book to access the address book when they are not connected to Exchange.

You can use the Set-OABVirtualDirectory command to modify the OAB settings.

Exchange Web Service (EWS):

The EWS virtual directory supports many features like free/busy lookup, calendar sharing, MailTips, OOF, etc. You can use the Set-WebServicesVirtualDirectory command to manage the EWS virtual directory settings.

Outlook Anywhere (OA / RPC over HTTP):

MAPI over HTTP is the default protocol for MAPI clients with a mailbox in Exchange Server 2019, but Exchange still supports Outlook Anywhere for legacy clients that do not support MAPI over HTTP.

Set-OutlookAnywhere command can be used to manage Outlook Anywhere related settings.
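Since each virtual directory above carries its own Internal/External URL and authentication settings, it is easy for one of them to drift from the chosen namespace. The script below is an added example (not from the original post): it pulls every virtual directory on one server with the Get- counterparts of the commands mentioned above, flags any URL that is not HTTPS or does not use the namespace, and summarises the authentication settings per directory. It assumes the Exchange Management Shell; $Server is an assumed sample name.

```powershell
# Added example (not from the original post): audit the client-facing URLs and
# authentication settings of the Exchange Server 2019 virtual directories on one
# server. $Server is assumed; $Namespace is the one chosen in the post.
$Server    = 'EX2019-01'
$Namespace = 'mail.superhybridcloud.com'

function Test-ClientUrl {
    param([string]$Url)
    # A blank URL is legitimate (e.g. the Autodiscover vdir in 2019), so it is not flagged
    if ([string]::IsNullOrWhiteSpace($Url)) { return 'not set' }
    $u = $null
    if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$u)) { return 'INVALID URL' }
    if ($u.Scheme -ne 'https')  { return 'NOT HTTPS' }
    if ($u.Host -ne $Namespace) { return "host '$($u.Host)' is not the namespace" }
    return 'ok'
}

function Get-AuthSummary {
    param($Object)
    # Collect every *AuthenticationMethod(s) list and every *Auth*Enabled switch that is on
    $parts = foreach ($p in $Object.PSObject.Properties) {
        if ($p.Name -like '*AuthenticationMethod*' -and $p.Value) { "$($p.Name)=$(@($p.Value) -join '/')" }
        elseif ($p.Name -like '*Auth*Enabled' -and $p.Value -eq $true) { $p.Name }
    }
    @($parts) -join '; '
}

$rows = @(foreach ($cmd in 'Get-AutodiscoverVirtualDirectory', 'Get-MapiVirtualDirectory',
                           'Get-EcpVirtualDirectory', 'Get-OwaVirtualDirectory',
                           'Get-ActiveSyncVirtualDirectory', 'Get-OabVirtualDirectory',
                           'Get-WebServicesVirtualDirectory') {
    foreach ($vd in (& $cmd -Server $Server)) {
        foreach ($side in 'InternalUrl', 'ExternalUrl') {
            $url = [string]$vd.$side
            [pscustomobject]@{ Directory = [string]$vd.Name; Side = $side; Url = $url
                               Status = Test-ClientUrl $url; Auth = Get-AuthSummary $vd }
        }
    }
})

# Outlook Anywhere and the Autodiscover SCP expose their endpoints under other property names
$oa = Get-OutlookAnywhere -Server $Server
foreach ($side in 'InternalHostname', 'ExternalHostname') {
    $h = [string]$oa.$side
    $status = if ($h) { Test-ClientUrl "https://$h/" } else { 'not set' }
    $rows += [pscustomobject]@{ Directory = 'Outlook Anywhere'; Side = $side; Url = $h
                                Status = $status; Auth = Get-AuthSummary $oa }
}
$scp = [string](Get-ClientAccessService -Identity $Server).AutoDiscoverServiceInternalUri
$rows += [pscustomobject]@{ Directory = 'Autodiscover SCP'; Side = 'InternalUri'; Url = $scp
                            Status = Test-ClientUrl $scp; Auth = '' }

$rows | Format-Table Directory, Side, Url, Status -AutoSize
$rows | Where-Object { $_.Status -notin 'ok', 'not set' } |
    ForEach-Object { Write-Warning "$($_.Directory) $($_.Side): '$($_.Url)' -> $($_.Status)" }
$rows | Sort-Object Directory -Unique | Format-Table Directory, Auth -AutoSize
```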

Hope the above details are informative. Comment for any queries.

S/MIME in Exchange Server 2019

December 22nd, 2018 | Posted by admin in Exchange | Exchange 2019

Exchange Server 2019 supports sending S/MIME emails from clients like MAPI, OWA and Exchange ActiveSync. We will see how to send an S/MIME email from an Exchange Server 2019 mailbox.

S/MIME can be used to send a Signed and Encrypted email.

  • Signing an email verifies the sender and ensures the message has not been changed since it was sent, but it does not prevent the message from being read by others.
  • Encrypting the email verifies the email has not been changed since it was sent, and it can be decrypted and read only by the recipient.

Sending S/MIME email from Exchange Server 2019 mailbox using the Internal Certificate Authority.

I have an internal PKI already configured in my lab, which allows a user to enroll a user certificate that can be used to sign and decrypt email.

I have selected two mailboxes from Exchange Server 2019 to show sending and receiving S/MIME email.

User Vishwa configured his Outlook with a certificate received from the internal CA to sign / encrypt emails.

Sending a signed email to Dhanyashree; she can view the signed email.

Now an encrypted email is sent, and the recipient can view it.

The message below is expected if a user tries to send an email to another user for whom a certificate was not issued / received from the CA.

In a similar way, we can send S/MIME emails from OWA and Exchange ActiveSync clients. We will look at configuring Information Rights Management in Exchange Server 2019 in my next post.

New versions of Exchange Server always have many new features and performance enhancements. We will see what’s new in Exchange Server 2019 in this post.

Major Enhancements

  • Exchange Server 2019 supports installation on Windows Server Core, and it supports 48 CPU cores and up to 256 GB of RAM.
  • Client Access Rules can be configured to restrict users to accessing ECP\OWA only from the internal network.
  • Database failovers are much faster compared to earlier versions of Exchange.
  • Indexing and search performance are improved.
  • Dynamic memory cache allocation to active databases and the enhancement of the database engine using the MetaCache Database provide performance improvements.
  • There is no more Unified Messaging server role in Exchange Server 2019.
  • MAPI over HTTP is the default protocol for Outlook. Exchange Server 2019 still supports RPC over HTTP for legacy clients.
  • Exchange ActiveSync seamless redirection in a Hybrid Exchange environment.
  • In-Place Hold and eDiscovery support for Public Folders (Public Folders still exist).

Exchange Admin Center

The EAC in Exchange 2019 is exactly the same as in Exchange Server 2016 or the Office 365 Admin Center. A new installation of Exchange Server 2019 will not have the Unified Messaging tab, as the Unified Messaging server role is not available in Exchange Server 2019.

Outlook on the Web (OWA)

Outlook on the Web is the same as Exchange Server 2016 or Exchange Online OWA, with additional improvements like Quick Actions on emails, new themes, a rich experience for OWA on Android and iOS, link previews, inline videos, etc.

Calendar

Exchange Server 2019 has the option to set Do Not Forward IRM templates on calendar invites, and new PowerShell commands are available to manage calendar delegation.

That’s all for the quick demo… I will add new features as I explore Exchange Server 2019. Follow me for more information.

I will give a short intro about my Exchange Environment before jumping into the details on how to install Exchange Server 2019.

I have a Domain Controller with the domain name SHC.Com; Exchange Server 2013 and Exchange Server 2016 are also in this lab. I’m going to install Exchange Server 2019 on a 4 CPU, 16 GB RAM machine for this Exchange Server 2019 step-by-step installation demo.

Prerequisites for Exchange Server 2019:

  • OS: Windows Server 2019 Standard / Datacenter Edition
  • Hardware: 64-bit processor with 128 GB RAM recommended
  • Active Directory Schema: AD Forest Functional Level Windows Server 2012 R2 or higher
  • Hybrid Support: Coexistence with Exchange Server 2013 CU1 and Exchange Server 2016 CU11 and above
  • Other Prerequisites: .NET Framework 4.7.2, Visual C++ Redistributable Package for Visual Studio 2012, Unified Communications Managed API 4.0
  • Windows Features: The Exchange Server 2019 installation has the option to deploy the required Windows features during the installation. If for any reason you want to install the Windows features manually, run the command below.

Install-WindowsFeature Server-Media-Foundation, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-PowerShell, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Metabase, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, RSAT-ADDS

Note: I forgot to add the IIS Management Console in the screen capture. Please install it before the Exchange 2019 installation, or allow the Exchange 2019 installation to include the required Windows features.

Validating the Prerequisites:

Forest & Domain Functional Level

Exchange Server 2019 Computer details

Windows Features Installation:

Other Prerequisites

Existing Exchange Servers (Co-existence of Exchange Server 2013 CU21 & Exchange Server 2016 CU11)

The prerequisites are verified and we are good to start the Exchange Server 2019 installation.

Step by Step Exchange Server 2019 Installation:

Prepare the AD Schema & Domain and then start the Exchange Server 2019 installation.

Step 1: Preparing the AD Schema

Step 2: Preparing the Domain

Restart the computer once before starting the Exchange 2019 installation.

Step 3: Exchange Server 2019 Installation

I don’t want to bore you with GUI screen captures, as it is no different from the Exchange 2013 / Exchange 2016 installation.

We will see what’s new in Exchange Server 2019 in the next post. Post your comments for any queries about installing Exchange Server 2019.

Send-As permission in an On-Premise Exchange environment can be assigned using the PowerShell command below:

Add-ADPermission -Identity "UserAccount" -User "UserwhoNeedsPermission" -AccessRights ExtendedRight -ExtendedRights "Send As"

But, as per the Microsoft article, Send-As permission across Exchange platforms, as in a Hybrid Exchange environment, is not supported. Still, you can run the command below to grant an On-Premise mailbox Send-As permission on a mailbox in Office 365.

Add-RecipientPermission "UserMailbox" -AccessRights SendAs -Trustee "On-Premise Mailbox"
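Send-As grants made with either command above accumulate silently, so it helps to be able to list them on both sides of a Hybrid environment. The two functions below are an added example (not from the original post): Get-SendAsOnPrem uses Get-ADPermission in the Exchange Management Shell, Get-SendAsOnline uses Get-RecipientPermission in a connected Exchange Online PowerShell session, and both function names are mine.

```powershell
# Added example (not from the original post): list explicit Send-As grants on
# On-Premise mailboxes and on Office 365 mailboxes so they can be reviewed.
# Function names are mine; run each one in the matching shell.

function Get-SendAsOnPrem {
    # Explicit (non-inherited) Allow entries carrying the Send-As extended right.
    # The mailbox's own NT AUTHORITY\SELF entry is present on every mailbox and is skipped.
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        Get-ADPermission -Identity $mbx.DistinguishedName |
            Where-Object {
                -not $_.IsInherited -and -not $_.Deny -and
                ($_.ExtendedRights -like '*Send*As*') -and
                ($_.User.ToString() -ne 'NT AUTHORITY\SELF')
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Side    = 'On-Premise'
                    Mailbox = [string]$mbx.PrimarySmtpAddress
                    Trustee = $_.User.ToString()   # unresolved SIDs show up here and deserve a look
                }
            }
    }
}

function Get-SendAsOnline {
    # Grants made with Add-RecipientPermission (cloud or On-Premise trustees alike)
    Get-RecipientPermission -ResultSize Unlimited |
        Where-Object {
            ($_.AccessRights -like '*SendAs*') -and
            $_.AccessControlType -eq 'Allow' -and
            ([string]$_.Trustee -ne 'NT AUTHORITY\SELF')
        } |
        ForEach-Object {
            [pscustomobject]@{
                Side    = 'Office 365'
                Mailbox = [string]$_.Identity
                Trustee = [string]$_.Trustee
            }
        }
}

# Usage, in the respective shell:
#   Get-SendAsOnPrem  | Sort-Object Mailbox | Format-Table -AutoSize
#   Get-SendAsOnline  | Sort-Object Mailbox | Format-Table -AutoSize
```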