Installing Exchange Server 2013 CU21 requisites on Windows Server 2012 R2

We are going to install Exchange 2013 CU21 (a combination of the Mailbox and Client Access roles) on a single box.

Install the Unified Communications Managed API 4.0 Runtime, and the Visual C++ 2013 redistributable package.

Install the required features using:

Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-Clustering-CmdInterface, RSAT-ADDS

Make sure you check for updates after you install these as typically the UCM API has some post-updates.

If you are installing Exchange Server in the AD forest for the first time run the following Exchange 2013 setup command to prepare Active Directory:

Enable Copy & Paste in VMware vSphere 6.7

If you want to enable copy & paste on VMware vSphere 6.7 do the following:

  1. Disable Lockdown Mode if it is enabled and start the SSH service
  2. Log in to the ESX/ESXi host as a root user.
  3. Take a backup of the /etc/vmware/config file.

Open the /etc/vmware/config file using a text editor and add these entries to the file:

vmx.fullpath = "/bin/vmx"
isolation.tools.copy.disable="FALSE"
isolation.tools.paste.disable="FALSE"

Or you can just copy and paste this:

grep -i 'vmx.fullpath = "/bin/vmx"' /etc/vmware/config || echo 'vmx.fullpath = "/bin/vmx"' >> /etc/vmware/config
grep -i 'isolation.tools.copy.disable="FALSE"' /etc/vmware/config || echo 'isolation.tools.copy.disable="FALSE"' >> /etc/vmware/config
grep -i 'isolation.tools.paste.disable="FALSE"' /etc/vmware/config || echo 'isolation.tools.paste.disable="FALSE"' >> /etc/vmware/config

You must reboot each VM on the host (or use vMotion to move the VM back and forth).
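
The grep one-liners above append a line whenever the exact text is missing, so a file that already holds one of these keys with a different value or spacing ends up with two entries for it. As an added example (not from the original post; the function names and the sample file are made up for illustration), this script keeps one backup and leaves exactly one line per key:

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# set_cfg_key FILE KEY VALUE: leave exactly one 'KEY = "VALUE"' line in FILE,
# replacing any entry for KEY whatever its case, spacing or current value.
set_cfg_key() {
    cfg=$1; key=$2; val=$3
    tmp="${cfg}.new.$$"
    awk -v k="$key" '
        { n = index($0, "=")
          name = (n > 0) ? substr($0, 1, n - 1) : $0
          gsub(/[ \t]/, "", name)
          if (tolower(name) != tolower(k)) print }' "$cfg" > "$tmp" || return 1
    printf '%s = "%s"\n' "$key" "$val" >> "$tmp"
    # Write back in place so the file keeps its inode and permissions.
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# count_key FILE KEY: print how many lines in FILE set KEY.
count_key() {
    awk -v k="$2" '
        { n = index($0, "=")
          name = (n > 0) ? substr($0, 1, n - 1) : $0
          gsub(/[ \t]/, "", name)
          if (tolower(name) == tolower(k)) c++ }
        END { print c + 0 }' "$1"
}

# enable_copy_paste FILE: keep the first backup, then apply the three entries.
enable_copy_paste() {
    [ -e "$1.bak" ] || cp -p "$1" "$1.bak" || return 1
    set_cfg_key "$1" vmx.fullpath /bin/vmx &&
    set_cfg_key "$1" isolation.tools.copy.disable FALSE &&
    set_cfg_key "$1" isolation.tools.paste.disable FALSE
}

# Constructed sample standing in for /etc/vmware/config.
sample=$(mktemp)
printf '%s\n' 'sample.other.key = "keep-me"' \
    'isolation.tools.copy.disable="TRUE"' > "$sample"
enable_copy_paste "$sample"
enable_copy_paste "$sample"   # a second run adds no duplicates
cat "$sample"
rm -f "$sample" "$sample.bak"
```

On the host, call enable_copy_paste /etc/vmware/config in place of the sample lines at the end.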

Headless Windows Server, how to manage firewall remotely?

I noticed that once you deploy headless Windows servers (domain controllers, for example), you can manage everything remotely (MMC, Event Viewer, RSAT, etc.) except Windows Firewall right out of the box.

To be able to manage the firewall remotely, you need to open additional ports on the headless instance using:

netsh advfirewall firewall set rule name="Windows Firewall Remote Management (RPC)" new enable=yes
netsh advfirewall firewall set rule name="Windows Firewall Remote Management (RPC-EPMAP)" new enable=yes

Convert Windows Server 2016/2019 from EVAL to FULL

Most evaluation versions can be converted to full retail versions, but the method varies slightly depending on the edition. Before you attempt to convert the version, verify that your server is actually running an evaluation version.

For releases of Windows Server 2016 prior to 14393.0.161119-1705.RS1_REFRESH, you can only perform this conversion from evaluation to retail with Windows Server 2016 that has been installed by using the Desktop Experience option (not the Server Core option). Starting with version 14393.0.161119-1705.RS1_REFRESH and later releases, you can convert evaluation editions to retail regardless of the installation option used.

To confirm you are running an evaluation version, use:

DISM /online /Get-CurrentEdition

Next we need to figure out what version we can convert into using:

DISM /online /Get-TargetEditions

We can now convert using:

DISM /online /Set-Edition:[TargetEdition] `
/ProductKey:[KMS_KEY] /AcceptEula

If you need to convert to other editions, use the correct keys below.

Windows Server 2012 R2 Server Standard: D2N9P-3P6X9-2R39C-7RTCD-MDVJX
Windows Server 2012 R2 Datacenter: W3GGN-FT8W3-Y4M27-J84CP-Q3VJ9
Windows Server 2016 Datacenter: CB7KF-BWN84-R7R2Y-793K2-8XDDG
Windows Server 2016 Standard: WC2BQ-8NRM3-FDDYY-2BFGV-KHKQY
Windows Server 2019 Datacenter: WMDGN-G9PQG-XVVXX-R3X43-63DFG
Windows Server 2019 Standard: N69G4-B89J2-4G8F4-WWYCC-J464C

I have observed that it can take up to a few hours for this process to complete (TiWorker.exe taking up lots of CPU during this task) in Server 2016. It was observed that the process was much quicker in Server 2012 R2.

Deploy headless Server 2016 Domain Controllers

This guide will show you how to deploy two headless Windows Server 2016 domain controllers in a new environment. This guide (first of the series) assumes you are standing up a hybrid Microsoft environment within a VMware homelab.

First we need to get a few things out of the way:

  • 2 Windows 2016 virtual machines with 2 vCPUs and 4-8GB RAM
  • Make sure you are using VMXNET3 network adapters
  • Install latest VMware Tools
  • Apply latest OS updates
  • Change the HOSTNAME of the VMs (XXX-DC01 and XXX-DC02)
  • Change the host to use static TCP/IP and DNS

If you are deploying domain controllers from a base Windows 2016 VM template, do not forget to generate a new SID using: C:\Windows\System32\Sysprep\sysprep.exe

We are going to deploy two domain controllers at a bare minimum, the domain name is going to be called corp.fixmytech.ca and our network will be 192.168.1.1/25.

The domain name you choose should be resolvable from the internet, so choose a domain that you have registered with a domain registrar and over which you have full control.

Some common candidates for xxx.fixmytech.ca are:

  • internal.fixmytech.ca
  • ad.fixmytech.ca
  • corp.fixmytech.ca

One common three-letter prefix for internal server names is the IATA three-letter code of the closest airport.

To do most of the basic first steps you can use sconfig (shell GUI) or issue the following:

Set a static DNS and TCP/IP:

Get-NetAdapter | Get-Member
Set-NetIPInterface -InterfaceAlias "PROD Network" -DHCP Disabled -PassThru

# The backtick must be the last character on each line for the continuation to work.
New-NetIPAddress `
     -AddressFamily IPv4 `
     -InterfaceAlias "PROD Network" `
     -IPAddress 192.168.1.2 `
     -PrefixLength 25 `
     -DefaultGateway 192.168.1.1

Set-DnsClientServerAddress -InterfaceAlias "10 Network" -ServerAddresses 192.168.10.2

Rename the computer and reboot:

Rename-Computer -NewName FMT-DC01 -Restart -Force -PassThru

Create the forest:

Add-WindowsFeature AD-Domain-Services
Import-Module ADDSDeployment 
Install-ADDSForest `
  -DomainName corp.fixmytech.ca `
  -DomainNetbiosName CORP `
  -DomainMode 7 `
  -ForestMode 7 `
  -InstallDns:$true `
  -LogPath "C:\Windows\NTDS" `
  -SysvolPath "C:\Windows\SYSVOL" `
  -DatabasePath "C:\Windows\NTDS" `
  -NoRebootOnCompletion:$false `
  -CreateDnsDelegation:$false `
  -Force:$true `
  -Verbose

Deploy your second domain controller using:

Add-WindowsFeature AD-Domain-Services 
Import-Module ADDSDeployment
Install-ADDSDomainController `
  -NoGlobalCatalog:$false `
  -CreateDnsDelegation:$false `
  -Credential (Get-Credential) `
  -CriticalReplicationOnly:$false `
  -DatabasePath "C:\Windows\NTDS" `
  -DomainName "corp.fixmytech.ca" `
  -InstallDns:$true `
  -LogPath "C:\Windows\NTDS" `
  -NoRebootOnCompletion:$false `
  -SiteName "Default-First-Site-Name" `
  -SysvolPath "C:\Windows\SYSVOL" `
  -Force:$true

Do not forget to stand up a Windows 10 jump server with RSAT tools installed so that you still have GUI access to most AD MMC snap-ins.

Next logical steps are to deploy DHCP, basic Group Policy Objects, Internal PKI and ADFS.