Outlook and Exchange Active Sync on mobile device uses Autodiscover for configuring and maintaining server settings for client that is configured to access a Mailbox. On the Initial configuration, we know Outlook will do an Auto Discovery look up to configure the outlook profile. Once the outlook profile configured, it will do an Auto Discovery look up to see if any changes on the Url’s or changes on the mailbox settings.

We need to know when outlook will do an Auto Discovery look up. Outlook clients automatically connect to the Autodiscover service in the following conditions:

  • When outlook client starts, both opening for the first time and every time it starts
  • Every 60 minutes once
  • Any time that the client’s connection to an Exchange Server fails

Hope this is informative J

ADRMS service provides Information Rights Management protection to Exchange Server, SharePoint Servers and File Servers. When using ADRMS, we can configure Protection Templates like Do Not Reply All, View Only etc and made them available for end users to apply those templates on email or documents to protect the confidential documents and emails.

We need to deploy ADRMS service in On-Premise environment with the required templates and need to publish those templates for end users to consume it. I have the ADMRS Infrastructure in my lab and Exchange Server 2019 installed.

Exchange Server will have the below IRM configuration as default

And users will be prompted to Connect to Rights Management Servers to get the IRM templates published by an administrator

Configuring Exchange Server 2019 to use ADRMS

Setting up Exchange Server to use IRM is simple, we need to set the InternalLicensingEnabled parameter on the Set-IRMConfiguration command to True. Below shows the settings change.

Exchange will do a SCP lookup and do the IRM configuration.

User is able to access the IRM template now after the ADRMS service deployment and the IRM configuration in Exchange.

IRM Template from OWA

I have a plan to show case the demo on IRM configuration change from ADRMS to Azure RMS for Exchange Server 2019. I will post it later.

Exchange Server 2019 automatically configures Internet Information Service Virtual Directories related to the Exchange. Clients will connect to these Virtual Directories to access the Services provided by Exchange Servers. This post shows the default configurations of Exchange Server 2019 Virtual Directory.

Internal and External URL, SSL configuration and the Authentication methods are the important parameters related to Virtual Directories, we will see all those configurations in detail.

Below are the Virtual Directory created during the Exchange Server 2019 installation.

I have preferred mail.superhybridcloud.com as the namespace for the all the exchange services and I already changed it. Exchange Certificate installation and configuration are already done.

Auto Discover:

Auto Discover allows the email clients like Outlook to discover the mailbox settings and configure the mailbox automatically without entering the details like server information etc. Service Connection Point object in AD will be referred by Auto Discover to get the User information.

Get-ClientAccessService is command to configure the Internal Url and the Authentication Methods as shown below.

No need to set the Internal / External Url using Set-AutodiscoverVirtualDirectory as it is applicable when using Exchange Server 2010.

MAPI over HTTP:

MAPI over HTTP is the default protocol for Outlook in Exchange Server 2019 and the Exchange 2019 installation warns the MAPIHTTP enablement if it is not enabled. To ensure it is enabled, use Get-OrganizationConfig command.

Set-MapiVirtualDirectory command be used to manage MAPI over HTTP related settings

Exchange Control Panel:

Exchange Control Panel is where an admin can access Exchange Admin Center to manage the Exchange Service. Basic Authentication and FBA are the default Authentication method set on the ECP virtual directory.

Use Set-ECPVirtualDirectory command to manage the ECP virtual directory related settings.

Outlook on the Web (OWA):

OWA virtual directory allows the emails access using Web Browser and we can use Set-OWAVirtualDirectory to configure the OWA virtual directory settings

Active Sync:

Mobile Device clients that support Exchange Active Sync connects to Active Sync Virtual directory to access the mailbox.

Default configuration will not set any Authentication we can enable basic to allow the clients to access the mailbox using Active Sync protocol.

Set-ActiveSyncVirtualDirectory command allows you to configure the Active Sync related settings.

Offline Address Book (OAB):

Outlook clients using Cached mode requires offline address book to access the address book when it is not connected to exchange.

You can use Set-OABVirtualDirectory command to modify the OAB settings

Exchange Web Service (EWS):

EWS virtual directory supports many features like free busy look up, calendar sharing, mail tips and OOO etc. You can use Set-WebServicesVirtualDirectory command to manage EWS virtual directory settings.

Outlook Anywhere (OA / RPC over HTTP):

MAPI over HTTP is the default protocol for MAPI clients having mailbox in Exchange Server 2019 but it still supports Exchange for legacy clients that does not support MAPI over HTTP.

Set-OutlookAnywhere command can be used to manage Outlook Anywhere related settings.

Hope above details are informative. Comment for any queries.

S/MIME in Exchange Server 2019

December 22nd, 2018 | Posted by admin in Exchange | EXchange 2019 - (0 Comments)

Exchange Server 2019 supports sending S/MIME emails from clients like MAPI, OWA & Exchange Active Sync. We will see how to send an S/MIME email from an Exchange Server 2019 Mailbox.

S/MIME can be used to send a Signed and Encrypted email.

  • Signing an email verifies the sender and ensures the message is not changed since it was sent but it will not prevent message being read by others.
  • Encrypting the email verifies the email has not changed since it was send and it can be decrypted and read by the recipient only.

Sending S/MIME email from Exchange Server 2019 mailbox using the Internal Certificate Authority.

I have an Internal Certificate PKI already configured on my lab which allows user to enroll a User certificate that can be used to Sign and Decrypt an email.

I have select 2 mailboxes from Exchange Server 2019 to show sending and receiving S/MIME email

User Vishwa configured his outlook with a certificate which was received from Internal CA to Sign / Encrypt emails.

Sending a Signed email to Dhanyashree and she can view the Signed email.

Now Sent a Encrypted email and recipient can view those email

Below message is expected, if a user tries to send an email to another user for whom a certificate was not issued / received from CA.

Similar way, we can send S/MIME emails from OWA and Exchange Active Sync Clients. We will have a look on configuring Information Rights Management configuration in Exchange Server 2019 on my Next Post.

New Versions of Exchange Server will always have many New Features and enhancements related to performance. We will see what’s New in Exchange Server 2019 in this post.

Major Enhancements

  • Exchange Server 2019 supports the installation on Windows Server Core and it supports 48 CPU cores and up to 256 GB of RAM.
  • Client Access Rules can be configured the restrict the users in accessing the ECP\OWA only from Internal network.
  • Database Failovers is much faster when compared to earlier version of Exchange
  • Indexing and Search Performance are improved
  • Dynamic Memory cache allocation to active database and the enhancement on Database engine using MetaCache Database provides performance improvements
  • No more Unified Messaging Server Role in Exchange Server 2019
  • MAPI over HTTP is the default protocol for Outlook. Still Exchange Server 2019 supports RPC over HTTP for legacy clients
  • Exchange Active Sync seamless redirection when on a Hybrid Exchange environment
  • In-Place hold and e-discovery support for Public Folders (Public Folders still exists)

Exchange Admin Center

EAC in Exchange 2019 is exactly same as Exchange Server 2016 or Office 365 Admin Center. New Installation of Exchange Server 2019 will not have the Unified Messaging tab as Unified Messaging Server Role is not available in Exchange Server 2019.

Outlook on the Web (OWA)

Outlook on the Web is same like Exchange Server 2016 or Exchange Online OWA with additional improvements like Quick Actions on the emails, New Themes, Rich experience for OWA on Android and IOS, preview for links, Inline videos etc.

Calendar

Exchange Server 2019 has the option to Set Do Not Forward IRM templates on Calendar Invites and Also New PowerShell Commands available to manage Calendar Delegation.

That’s all for the quick demo… I will add the new features when exploring Exchange Server 2019. Follow me for more information.

I will give a short intro about my Exchange Environment before jumping into the details on how to install Exchange Server 2019.

I have a Domain Controller with a domain name SHC.Com, Exchange Server 2013 and Exchange Server 2016 are there in this lab. I’m going to install Exchange Server 2019 on a 4 CPU with 16 GB RAM for this Exchange Server 2019 Step by Step Installation demo.

Prerequisites for Exchange Server 2019:

  • OS: Windows Server 2019 Standard / Datacenter Edition
  • Hardware: 64-bit processor with 128 GB RAM recommended
  • Active Directory Schema: AD Forest Functional Level Windows Server 2012 R2 or higher
  • Hybrid Support: Coexistence of Exchange Server 2013 CU1 and Exchange Server 2016 CU11 and above
  • Other Prerequisite: .NetFrameWork 4.7.2, Visual C++ Redistributable Package for Visual Studio 2012, Unified Communications Managed API 4.0
  • Windows Features: Exchange Server 2019 installation has the option to deploy the required Windows Features during the installation. If for any reason, if you want to install the Windows Features Manually then run the below command.

Install-WindowsFeature Server-Media-Foundation, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-PowerShell, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Metabase, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, RSAT-ADDS

Note: Forgot to add IIS Management Console on the screen capture. Please install it before the Exchange 2019 Installation or allow the Exchange 2019 installation to include the required windows features.

Validating the Prerequisites:

Forest & Domain Functional Level

Exchange Server 2019 Computer details

Windows Features Installation:

Other Prerequisites

Existing Exchange Servers (Co-existence of Exchange Server 2013 CU21 & Exchange Server 2016 CU11)

Prerequisites verified and we are good to start the Exchange Server 2019 Installation.

Step by Step Exchange Server 2019 Installation:

Prepare the AD Schema & Domain and then start the Exchange Server 2019 installation.

Step 1: Preparing the AD Schema

Step 2: Preparing the Domain

Restart the computer once before starting the Exchange 2019 installation.

Step 3: Exchange Server 2019 Installation

I don’t want to bore you with the GUI screen captures as it is not different from Exchange 2013 / Exchange 2016 installation.

We will see what’s New in Exchange Server 2019 on the next post. Post your comments for any queries in Installing Exchange Server 2019.

Your users may user different type of Strong Authentication method on their choice when MFA enabled for them. If you want to take a report on the type of Authentication Method, use the below PowerShell command.

Get-Msoluser -All |select DisplayName,@{N=’Email’;E={$_.UserPrincipalName}},@{n=”MFA_Methods”;e={($_.StrongAuthenticationMethods).MethodType}},@{N=’MFA_Requirements’;E={($_.StrongAuthenticationRequirements).state}} | export-csv C:\Temp\MFA_Strongauth_Dec31.csv –NoTypeInformation

Send-AS Permission in On-Premise Exchange environment can be assigned using the below PowerShell command,

Add-ADPermission -Identity “UserAccount” -User “UserwhoNeedsPermission” -AccessRights ExtendedRight -ExtendedRights “Send As”

But, as per Microsoft article, Send-As Permission over cross Exchange platform like Hybrid Exchange environment is not supportable. But still, you can run the below command to provide Send-As Permission for a On-Premise Mailbox on a Mailbox in Office 365.

Add-RecipientPermission “UserMailbox” -AccessRights sendas -Trustee “On-Premise Mailbox”

Azure AD Connect Sync the User Profile photo during the initial sync only. Any further changes on the Photo in On-Premise will not Sync / Update to Azure AD.

We need to manually change the photo if any changes required. You can follow the below PowerShell command to change the photo.

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection

Import-PSSession $Session

Set-UserPhoto “userid” -PictureData ([System.IO.File]::ReadAllBytes(“C:\Temp\userphoto.jpg”))

In this post, we will see how to control External Sharing in SharePoint Online & OneDrive for Business Online. It is better to control external sharing to restrict who can share contents with whom and this ensures your organization data safe.

Default settings on OneDrive for Business Online or for SharePoint Online is to share the content with anyone in the world (not to aliens 😉 ). Below the shows the default settings. ‘

You can login to Admin.OneDrive.com to control the external sharing both the applications.

OneDrive for Business Online

In addition, you can login to SharePoint Online Admin center to see the default settings, which will be like Allows external sharing with Authentication users, which means share with anyone who can authenticate with Azure AD.

Below the settings available for external sharing and you can choose any option that best suits your requirement or policy.

  • Only People in your organization – In other words, you are disabling the external sharing capabilities.
  • Existing external users – External users account already created in your Azure AD. If you create an external user, user in your organization can share with that external user
  • New and existing external users – You can share with anyone, if they authenticate with Azure AD using their organization account or using their live.com account then that account will be created in your organization’s Azure AD and users in your organization can share the content with them.
  • Anyone – Default option, as it is says sharing can be done to anyone and there is no requirement to login using his or her account.

We can move the slider based on our requirement to set the external sharing options.

Advanced settings for External Sharing:

Organizations may want to set the external sharing only to the domains that they collaborate on daily basis, to achieve this; on the same OneDrive admin center we control the advanced external sharing options.

You can manage the Advanced settings for external sharing settings here. I have explained the available options below.

Let external users shared items they don’t own: By default, it allows the external users to share the content with other users.

Allow or block sharing with people on specific domains: You can add the domains to which your organization users can share the documents.

External users must accept sharing invitations using the same account that the invitations were sent to: It is the best options to validate only the intended recipient is opening the shared content.

If you ask me, I would recommend organization’s to go with the below settings to ensure your data is on control.

Hope this is informative. We will see the external sharing with other domain and external user experience on my next post.