文章详情

短信预约-IT技能 免费直播动态提醒

请输入下面的图形验证码

提交验证

短信预约提醒成功

Exchange Server 2019 实战操作指南

2023-09-03 17:57

关注

7cba4d1e3fcee65bf52bf1838389a969.gif

新钛云服已累计为您分享737篇技术干货

c6020af76f9f16c561202f6228c93c46.gif

基本信息

https://next.itellyou.cn/Original/#

必要软件

Exchange 2019 最低要求是 16GB 内存

显示计算机、网络图标,在运行窗口输入rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,0桌面壁纸显示ip地址信息https://learn.microsoft.com/zh-cn/sysinternals/downloads/bginfoBoot Time:        OS Version:        Host Name:        Logon Domain:        Machine Domain:        CPU:        Memory:        IP Address:        DHCP Server:        MAC Address:        Subnet Mask:        DNS Server:        Default Gateway:        Volumes:        

A .NET框架4.8

https://download.visualstudio.microsoft.com/download/pr/014120d7-d689-4305-befd-3cb711108212/0fd66638cde16859462a6243a4629a50/ndp48-x86-x64-allos-enu.exe

B.Visual C++ Redistributable Package for Visual Studio 2012

https://www.microsoft.com/download/details.aspx?id=30679

C.在 Windows PowerShell 中运行以下命令,安装远程工具管理包:

Install-WindowsFeature RSAT-ADDS

D.Exchange Server 2019 CU12 (2022H1)补丁包

https://techcommunity.microsoft.com/t5/exchange-team-blog/released-2022-h1-cumulative-updates-for-exchange-server/ba-p/3285026

下载地址https://www.microsoft.com/en-us/download/details.aspx?id=30679

E.IIS URL 重写模块

IIS 的 URL 重写模块需要在累积更新 11 或更高版本中使用。

下载地址https://www.iis.net/downloads/microsoft/url-rewrite

F.添加所需的 Lync Server 或 Skype for Business Server 组件:

Install-WindowsFeature Server-Media-Foundation

G.安装 Unified Communications Managed API 4.0。

此程序包可供下载并位于 Exchange Server 媒体的

\UCMARedist 文件夹中。

https://www.microsoft.com/download/details.aspx?id=34992

H.使用 Exchange 安装程序安装所需的 Windows 组件,请在 Windows PowerShell 中运行以下命令之一

#把window2019的安装ios加到到本电脑上的z磁盘Install-WindowsFeature NET-Framework-45-Features, Server-Media-Foundation, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS -Source Z:\sources\sxs#扩展AD架构\Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareSchema\Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareAD /OrganizationName:"tyun"#在AD用戶与計算机上,你会发现 Microsoft Exchange Security Groups\Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareAllDomains

I.批量发送邮件给自己

send-mailmessage -to administrator@tyun.cn -subject "TEST49" -Body "請注意!SRVEX 磁碟空間目前已剩下不到 78% 的可用空間 " -smtpserver srvex.ianext.com -from administrator@tyun.cn  -Encoding  Unicode

J.单exchange服务停止批量启动

#查看exchange服务Get-Service -Name "MSExch*"#显示完成的exchange名称Get-Service -Name "MSExch*" | ft -auto# 直接重啟 Exchange 已经停止的服务Get-Service -Name "MSExchange*" | Where-Object {$_.Status -eq "Stopped"} | Restart-Service

K.exchange用户信息

#用户登录Exchange信息Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox | Get-MailboxStatistics | Sort-Object Lastlogontime -Descending | Select-Object DisplayName,MailboxTypeDetail,LastLogonTime,ServerName#查看目前有架构下所有的 Exchange Server 完整主机名称等等信息Get-ExchangeServer | Select FQDN, ServerRole,AdminDisplayVersion,IsEdgeServer#查看本机所有 Exchange 服务的执行状态Get-Service -Name *Exchange* | Select Status, DisplayName | Sort Status | FT -Auto#测试主机连接smtp服务是否正常Test-NetConnection srvex.tyun.cn -Port 25 -InformationLevel "Detailed"#测试连接的所有网络、来源地址、目的地址以及路由信息Test-NetConnection -ComputerName srvex.tyun.cn -DiagnoseRouting -InformationLevel Detailed#Exchange DNS 查看Get-TransportService | FL *dns*#把ad用户导入到exchangeGet-User -RecipientTypeDetails User -Filter { UserPrincipalName -ne $Null } | Enable-Mailbox

L.批量导出AD用户

参考https://www.cnblogs.com/wulongy/p/14924907.html

#查询到的ad用户导出到ADuser.csv文件里Get-ADUser -Filter * -SearchBase "DC=TYUN, DC=CN" |Select-Object -Property SamAccountName, Surname, GivenName, Name, Group, UserPrincipalName, Path, AccountPassword, Enabled, ChangePasswordAtLogon | Export-Csv -Encoding unicode ADuser.csv文件在C:\Users\Administrator下面#PowerShell 批量导入AD域用户(密码写在脚本上Tyun@2022)import-csv c:\ad\User.csv | Foreach {New-ADUser  -samAccountName $_.SamAccountName  -Surname $_.Surname   -GivenName $_.GivenName  -Name $_.Name  -UserPrincipalName $_.Userprincipalname  -DisplayName $_.DisplayName  -Description $_.Description   -Path $_.Path -AccountPassword(ConvertTo-SecureString "Tyun@2022" -AsPlainText -Force) -Enabled $true -ChangePasswordAtLogon 1  -passthru -PasswordNeverExpires ($_.PasswordNeverExpires -eq "1") }#PowerShell 批量导入AD域用户(密码写在csv里面)import-csv c:\ad\User.csv | Foreach {New-ADUser  -samAccountName $_.SamAccountName  -Surname $_.Surname   -GivenName $_.GivenName  -Name $_.Name  -UserPrincipalName $_.Userprincipalname  -DisplayName $_.DisplayName  -Description $_.Description   -Path $_.Path  -Enabled $true -AccountPassword (ConvertTo-SecureString $_.AccountPassword -AsPlainText -force) -passthru -PasswordNeverExpires ($_.PasswordNeverExpires -eq "1")}#指定用户查询所有域组名称Get-ADPrincipalGroupMembership hexingxing | ft name#指定用户查询所有域组名称并以名称排序Get-ADPrincipalGroupMembership hexingxing | sort name | ft name#Get-ADUser(Get-ADUser -Identity hexingxing -Properties *).MemberOf用户上次设置密码时间Get-ADUser king -Properties * | ft PasswordLastSet设置账户king密码永不过期Set-ADAccountControl -Identity king -PasswordNeverExpires:$true取消账户king密码永不过期Set-ADAccountControl -Identity king -PasswordNeverExpires:$false设置king的账户过期时间为 2022/10/18 0:00:00,即最后可用使用时间为 2022/10/18Set-ADAccountExpiration -Identity king -DateTime "10/18/2022"忽略旧密码为账户设置新密码Set-ADAccountPassword -Identity king -NewPassword (ConvertTo-SecureString -AsPlainText "ef7s00#" -Force)根据提示信息输入旧密码并更新用户密码Set-ADAccountPassword -Identity kingAD 域启用账户Enable-ADAccount -Identity kingAD 域禁用账户Disable-ADAccount -Identity king

表格样例

298de25b44d6371260b687270ef5e591.png

AD域管理工具

https://osdn.net/projects/sfnet_adbulkadmin/downloads/ADBulkAdmin/1.1.0.33/ADBulkAdmin-v1.1.0.33.zip/

https://zh.osdn.net/projects/sfnet_adbulkadmin/releases/

导出it组织单元下的所有用户Get-ADUser -Filter * -Properties * -SearchBase "DC=it,DC=tyun,DC=cn" |Select-Object name,SamAccountName,Givenname,surname,Displayname,title,mobile,CanonicalName,Created,Department,DistinguishedName,EmailAddress,homeMDB,mail,mailNickname,MemberOf,msExchCoManagedObjectsBL,msExchHomeServerName,PasswordLastSet,PrimaryGroup,proxyAddresses,UserPrincipalName,whenCreated,whenChanged,MobilePhone,telephoneNumber,employeeNumber,postalCode,company |Export-Csv C:\AllADUser20221001.csv -Encoding UTF8 –NoTypeInformationldifde -f "c:\alldbauser.ldf" -d "DC=it,DC=tyun,DC=cn" -r objectClass=user -l "name,SamAccountName,Givenname,surname,Displayname,title,mobile,CanonicalName,Created,Department,DistinguishedName,EmailAddress,homeMDB,mail,mailNickname,MemberOf,msExchCoManagedObjectsBL,msExchHomeServerName,PasswordLastSet,PrimaryGroup,proxyAddresses,UserPrincipalName,whenCreated,whenChanged,MobilePhone,telephoneNumber,employeeNumber,postalCode,company"

M.获取AD密码策略域过期时间

#获取AD域服务器密码策略信息Get-ADDefaultDomainPasswordPolicyComplexityEnabled:密码必须符合复杂性要求MaxPasswordAge:密码最长使用期限MinPasswordAge:密码最短使用期限MinPasswordLength:最小密码长度PasswordHistoryCount:强制密码历史密码最长使用期限是 24 天;Set-ADDefaultDomainPasswordPolicy -Identity tyun.cn -ComplexityEnabled $True -MaxPasswordAge 180.00:00:00#获取已经过期的用户Get-Aduser -Filter *  -Properties * | where {$_.PasswordExpired -eq $true} | FT Name#获取所有标识密码过期时间的用户Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties * | Select-Object -Property "Name", @{n="ExpiryDate";e={$_.PasswordLastSet.AddDays((Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days)}} | Sort-Object ExpiryDate #获取指定标识密码过期时间的用户Get-ADUser -Filter {name -like "king"} -Properties * | Select-Object -Property "Name", @{n="ExpiryDate";e={$_.PasswordLastSet.AddDays((Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days)}} | Sort-Object ExpiryDate#获取所有用户密码属性信息Get-ADUser -Filter * -Properties * | Sort-Object Name | ft Name,PasswordLastSet,PasswordExpired,PasswordNeverExpires#删除单个用户Remove-ADUser -Identity king -Confirm:$false#SAM 账户名删除属于子项/子集/子树的用户对象Get-ADUser -Identity king | foreach{Remove-ADObject -Identity $_.ObjectGUID -Recursive -Confirm:$False}#搜索并删除指定组织单位(OU)容器内的用户对象Get-ADUser -Filter * -SearchBase "OU=cnList,OU=testGroup,DC=tyun,DC=cn" | foreach{Remove-ADObject -Identity $_.ObjectGUID -Recursive -Confirm:$False}#删除子项(子树)需要使用如下删除域对象Remove-ADObject -Identity king -Recursive导入 CSV 数据列表删除用户对象import-csv .\del.csv | foreach{Get-ADUser -Identity $_.name} | foreach{Remove-ADObject -Identity $_.ObjectGUID -Recursive -Confirm:$False}Get-ADUser king可以参考https://hexingxing.cn/tag/active-directory/page/2/https://github.com/phillips321/adaudit/blob/master/AdAudit.ps1

N.存储规划

Database Name

用户属性

单位空间

最大容量

MAil server01


Level1

集团高管、董事会、总裁办公室

20G

主400G


Level2

业务单元总经理办公人员

15G

主400G


Level3

部门主管、负责人、核心员工

10G



Level4

普通员工

4G



Level5

不活跃用户

500M



Level6

公共邮箱、系统邮箱、功能邮箱

视情况而定



Level7

离职员工




Level8

邮件离职




Exchange2019的步骤

IP地址

主机名

服务器用途

备注

21.64

SH-Srv-AD

域控服务器(主域控)


21.77

SH-Srv-AC

域控服务器(额外域控)


21.78

SH-Srv-MBX01

邮件服务器01


21.83

SH-Srv-MBX02

邮件服务器02


架构图展示

第一步:安装AD主域控

01  AD域控PDC时间‍‍

#查询域控PDC服务器netdom query fsmo#配置PDC使用ntp服务器同步时间w32tm /config /manualpeerlist:"server0.cn.pool.ntp.org,0x8 server1.cn.pool.ntp.org,0x8 time.windows.com,0x8" /syncfromflags:manual /reliable:yes /update#查看当前Windows Time运行情况w32tm /query /status#查看当前ntp时间服务器设置w32tm /query /peers#查看PDC服务器ntp同步状态,和ntp服务器时间差w32tm /stripchart /computer:time.windows.com /samples:100 /dataonly#AD 域客户端同步域服务器时间net time  \\192.168.232.10  /set  /yreg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\  /v  SpecialPollInterval  /t REG_DWORD /d 1200 /freg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters /v  NtpServer   /d ntp1.aliyun.com /f net stop w32timenet start w32time

02  服务器重置下SID信息‍

自建打开C:\Windows\System32\Sysprep目录运行sysprep.exe,重置SID后重启服务器

如果是aliyun服务器请下载

https://docs-aliyun.cn-hangzhou.oss.aliyun-inc.com/assets/attach/40846/cn_zh/1542010494209/AutoSysprep.ps1?spm=a2c4g.11186623.0.0.293f5f53EeEej3&file=AutoSysprep.ps1

.\AutoSysprep.ps1 -help重新初始化服务器的SID并重启服务器.\AutoSysprep.ps1 -ReserveHostname -ReserveNetwork -SkipRearm -PostAction "reboot"

03  开始安装主域控

8ffeb35c5567eb88faefc5eb3cf20074.png

f4c1fb76c7977edfc7026921d6842da3.png

34664ccefee352982c55aca69c59bf6d.png

df3d0845fdcaa23c911940ba3f57d7e7.png

02b50c6c282d128bf183fd806e2bad07.png

3ed8a80ba3e170d63bd78d5abcd2e5d2.png

6331c23bbde6abad0e3daf4474aa602b.png

af018095541cd547e9b26df1496f7f81.png

21158bca55c3ee5543721e4ce2fea059.png

c9d79e937c245d9bbe67b71712672d66.png

3917dc8bb99ac1df97b5bab5576b77db.png

34f6e3c4815da6520254a58c97a9f8dd.png

ad1f6274fe3fae0a3656142b09bc31cd.png

6c39180f801efd4ba1ce728c8b929b61.png

a0dfd20df88c1d4cd532f59238607f75.png

893fa6a9b8b551d4f0b8635facf13acb.png

d0481b5e946121d7a515ce2e5687c885.png

密码策略配置

ea6fe605367271af05c63ee1a97d0d4f.png

8c3672f5e5dc7b9cc482fc03dc2038a3.png

e6fb92c4158e85810f5c6ba2e54ca185.png

使用Powershell命令添加AD细粒度密码策略

New-ADFineGrainedPasswordPolicy -Name "PasswordSetting3" -Precedence 1 -ComplexityEnabled $true -Description "The Domain Users Password Policy" -DisplayName "PasswordSetting3" -LockoutDuration "0.00:30:00" -LockoutObservationWindow "0.00:30:00" -LockoutThreshold "5" -MaxPasswordAge "24.00:00:00" -MinPasswordAge "1.00:00:10" -MinPasswordLength "7" -PasswordHistoryCount "24"优先级:1(最高)强制最短密码长度:7(个字符)强制密码历史记录:24(个历史密码)密码复杂性要求:启用强制密码最短期限:1(天)强制密码最长期限:24(天)强制账号锁定策略:30(分钟)内5次(登录失败)锁定30(分钟)

第二步:安装AD辅域控

68b8b7857eb8f4ad6facb81056cd740c.png

dd39f8ab9f91716ee1d13ca369d4f28b.png

6839c202c01ae31914389be336087f00.png

f6017abe2b499f0d40622a34346879b6.png

eb388e8bdffffb6c197e741dadd7a368.png

a1e2644cc194808269df7346f3216d9c.png

ceacedbae0b49529ce212774aaff5777.png

699636aa6c75c16634df22fd0e38b95e.png

重启服务器后

测试主辅域连接是否正常

netdom query fsmo

诊断AD信息时候正常

repadmin /showrepl

0159c28edb8bafa6685624babafd31d3.png

e628a2f5c8bd2c648f6703fa432746d3.png

9cac8e1df9f3d766e7592ef859a2b0b6.png

第三步:安装exchange2019

73db3f4099655352a1c1ad2d758c6db6.png

以次安装服务ndp48-x86-x64-allos-enu.exe、vcredist_x64.exe(2012和2013)、urlrewrite2.exe、UcmaRuntimeSetup_API4.0.exe

276dfa71b54b06e6c77c5dbeef4649cc.png

90094072f78ed179510ba9b240b38305.png

#安装远程工具管理包Install-WindowsFeature RSAT-ADDS#安装 Server Media Foundation 窗口功能Install-WindowsFeature Server-Media-Foundation# Exchange 安装程序安装所需的 Windows 组件Install-WindowsFeature NET-Framework-45-Features, Server-Media-Foundation, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS -Source G:\sources\sxs#重启下服务器后安装下面的命令操作先加载window server 2019镜像,打开powershell窗口进入g:\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareSchema\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareAD /OrganizationName:"tyun"\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareAllDomains

801a2c62b83b01c78bc1ef959310631f.png

2ab507a122464009367d36713b2cf8e1.png

根据提示重启服务器,然后再执行一次安装

\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareSchema

9f4c4a9c38c1c89b33227f5d5fe74e85.png

1c385820bbacb6fa4ce8e539537fd859.png

Exchange2019服务器再次重启

开始安装Exchange2019CU12

edbb6841e8497cc1d90eeb7185c477c9.png

1454e8307a9f8023e5bc5836fabd7cc8.png

2e6d6b3f7b0fa16309b9462e85ef25dc.png

a2d89aaf1a28bf728c28f439fa035dee.png

34c97961edf621f11039fb71e2854e3c.png

195e89aaed1c8ee7368a4ad60b0350cb.png

8a07dc4e9fd25291810ba4feed2719a5.png

aaf0aa0c2a6b8c9fcd44d4a2ac387e94.png

10ced8977933449aa3462694082d3322.png

9badbbe8495ea2d0733cbafef1c6c301.png

5dc823fd30c5845d179bbcd02e8ed34e.png

7bcbf0e9b97015bd77cec2d162d7a601.png

7cbf7835be8752454bbc50a7e0daebdc.png

7f3fb8b095de06fa48f7bb2651b8bd47.png

48ea1dfde2a46ebfe82e286156aa48f5.png

或者是通过命令来执行

#将许可证Exchange SRV2019-MBX 的服务器Set-ExchangeServer SRV2019-MBX -ProductKey YCQY7-BNTF6-R337H-69FGX-P39TY#重新启动 Microsoft Exchange信息存储服务Restart-Service MSExchangeIS#验证证书属性Get-ExchangeServer SRV2019-MBX | Format-List Name,Edition,*Trial*Get-ExchangeServer | Format-Table -Auto Name,Edition,*Trial*

2b0c04691b7c1764abf146a2e9caf489.png

各版本的秘钥信息Enterprise: YCQY7-BNTF6-R337H-69FGX-P39TYStandard: G3FMN-FGW6B-MQ9VW-YVFV8-292KP

修复0Day漏洞

ccdf8482f023e12b205a8911fab74e96.png

.*autodiscover\.json.*\@.*Powershell.*

ccd28d96fb8bdae61a836c0b27229235.png

条件输入{REQUEST_URI}

16dbb0992de3b5221697410c94630c86.png

.\iisreset.exe -restart

648461f35b21eb3a81a36502d57693b3.png

第四步:配置证书

add-pssnapin microsoft.exchange*查询EXCHANGE服务器数据库和日志文件路径Get-MailboxDatabase -Server SRV2019-MBX| Select Name,EdbFilePath,LogFolderPath | fl#查看Exchange Server版本号Get-ExchangeServer | Format-List Name,Edition,AdminDisplayVersion

安装完成exchange服务后重启下服务器,发现exchange服务是停止状态,通过命令重新启动

f259505f789e0c69f4e5b3e5e20bcc67.png

692f5415209cbc06186beae84a74d536.png

打开地址https://mail.tyun.cn/ecp

64fa8a4646761631403d0bc9133fa1f5.png

f25849fa46b85ea689a07388b9763268.png

Install-WindowsFeature Web-Client-Auth

0c4975c819a9edee319eb53a824be331.png

输入window+q键 inetmgr 进入Internet Information Services (IIS) 管理器

fb3ea36b5dbcf5f28ec9c7cc911527e4.png

7c6ab967ef6065ec79b9394fd3e5de2a.png

点击owa虚拟目录,双击SSL设置

13263d43195dae3da83a343d8d2c7d03.png

59060614261a72ab9062b6516c75ded0.png

选择 Microsoft-Server-ActiveSync 虚拟目录,选择SSL 设置

f6d9080ed76c36e9fc19464cd6f1f5c8.png

Cmd 打开regedit注册表修改HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443 1

%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/owa/" -section:system.webserver/security/access /sslFlags:"Ssl, SslRequireCert" /commit:apphost%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/ecp/" -section:system.webserver/security/access /sslFlags:"Ssl, SslRequireCert" /commit:apphost%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/Microsoft-Server-ActiveSync/" -section:system.webserver/security/access /sslFlags:"Ssl, SslRequireCert" /commit:apphost

eed8ca5aa8e6c943bef65ab52854a269.png

cd517f8727414d2e75a791ce65c1101c.png

172ce3773847260469b6503f4a0e0e99.png

3dd9a32a802788af6fd623218a39ee15.png

2f600ca1f2da2105c3624ca09f47dc24.png

56b211554fe292e94ec99c0c08161a65.png

颁发自签证书New-ExchangeCertificate -FriendlyName "Contoso Exchange Certificate" -SubjectName CN=srv2019-mbx -DomainName mail.tyun.cn,autodiscover.tyun.cn,srv2019-mbx.tyun.cn -Services SMTP,IIS -PrivateKeyExportable $trueNew-ExchangeCertificate -FriendlyName "Contoso Exchange Certificate2019" -SubjectName CN=mail -DomainName mail.tyun.cn,autodiscover.tyun.cn,srv2019-mbx.tyun.cn -Services SMTP,IIS -PrivateKeyExportable $true查询证书信息Get-ExchangeCertificate | where {$_.Status -eq "Valid" -and $_.IsSelfSigned -eq $true} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint,NotBefore,NotAfter续自签证书Get-ExchangeCertificate -Thumbprint BC37CBE2E59566BFF7D01FEAC9B6517841475F2D | New-ExchangeCertificate -Force -PrivateKeyExportable $true颁发机构续订#如果需要将证书续订请求文件 的内容 发送到 CA,请使用以下语法创建 Base64 编码的请求文件$txtrequest = Get-ExchangeCertificate -Thumbprint  | New-ExchangeCertificate -GenerateRequest [-KeySize <1024 | 2048 | 4096>] [-Server ][System.IO.File]::WriteAllBytes('\.req', [System.Text.Encoding]::Unicode.GetBytes($txtrequest))#如果需要将 证书续订请求文件 发送到 CA,请使用以下语法创建 DER 编码的请求文件$binrequest = Get-ExchangeCertificate -Thumbprint  | New-ExchangeCertificate -GenerateRequest -BinaryEncoded [-KeySize <1024 | 2048 | 4096>] [-Server ][System.IO.File]::WriteAllBytes('\.pfx', $binrequest.FileData)#若要找到您想续订的证书的指纹值,请运行以下命令:Get-ExchangeCertificate | where {$_.Status -eq "Valid" -and $_.IsSelfSigned -eq $false} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint,NotBefore,NotAfter#此示例为具有指纹值 5DB9879E38E36BCB60B761E29794392B23D1C054的现有证书创建 Base64 编码的证书续订请求:$txtrequest = Get-ExchangeCertificate -Thumbprint 5DB9879E38E36BCB60B761E29794392B23D1C054 | New-ExchangeCertificate -GenerateRequest[System.IO.File]::WriteAllBytes('\\FileServer01\Data\ContosoCertRenewal.req', [System.Text.Encoding]::Unicode.GetBytes($txtrequest))#此示例为同一证书创建 DER (二进制) 编码的证书续订请求:$binrequest = Get-ExchangeCertificate -Thumbprint  | New-ExchangeCertificate -GenerateRequest -BinaryEncoded[System.IO.File]::WriteAllBytes('\\FileServer01\Data\ContosoCertRenewal.pfx', $binrequest.FileData)#在用于存储证书请求的服务器上的 Exchange 命令行管理程序 中,运行以下命令:Get-ExchangeCertificate | where {$_.Status -eq "PendingRequest" -and $_.IsSelfSigned -eq $false} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint

第五步:配置AD CS

584a88e13bfc8393c636ada800b195ef.png

d2fbcdb220497cde0a917d0d431aecb4.png

517417a6a127a9be885d306c5c4f946e.png

3d7604eff0a179d7119be2093057d8c0.png

f23bce339406c2384b20b48a2be5fb09.png

a1592a95c04a41f93e0d12f3cca6d9da.png

0f5f1f1715f63e3208592c47a5bb2452.png

e7728b1981f2c78af593c2f0cb1c1401.png

e98c7cc4067e3c9c4c5bbe846f3a5ccc.png

5496ab814a7d373e10b10e2683afd93f.png

65ce3ba5590b58e8481257c9c726fbb5.png

2a2db3e302b039d47ec335187b13b573.png

45a719aaffc3b8fc64959b1a185150c4.png

3800d2972f6906eb2bdeb8daaff64e2e.png

6225f8a798f6de9723682a0f0ae61975.png

a0d09808aa0a29728704f58ebdc4ca9d.png

服务器重启

注:如果重启之后发现打开https://主机名/ecp/  出现503错误的话

d1868c27dd4d6827407a35bca8ddc272.png

修改成对应的ssl证书信息

第六步:导入CA证书

浏览器输入网址https://mail/centsrv/Default.asp或者http://localhost/certsrv/default.asp

ca5f32816f8a8ee4d0a14cde35330344.png

如果访问出错的话配置

cfad374fbe410f24de784256a89556fa.png

http://localhost/certsrv/default.asp

38d60576c5ba3ce0c91d5413f047f80e.png

8819f0377d50a0512c8890031d211f2d.png

$txtrequest = New-ExchangeCertificate -PrivateKeyExportable $True -GenerateRequest -FriendlyName "Mail.tyun.cn Cert" -SubjectName "CN=mail.tyun.cn"[System.IO.File]::WriteAllBytes('\\SRV2019-MBX\Data\Mail.tyun.cn Cert.req', [System.Text.Encoding]::Unicode.GetBytes($txtrequest))#查看exchange2019存储证书信息Get-ExchangeCertificate | where {$_.Status -eq "PendingRequest" -and $_.IsSelfSigned -eq $false} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint

3825a29846a0d9fdd268f3ed03d11187.png

扩大exchange2019证书年限

b6f35fc18e30fee03615faf135994c89.png

计算机\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\tyun-SRV2019-MBX-CA 下面的值ValidityPeriodUnits

e153fef5db115814345ca0f329908767.png

先停止服务,然后再启动服务

19691d2aa3a452d8bc8710da10613172.png

右键复制模版,把有效期改成20年

73d1b188d96faaedd5681eb7e89b0ecf.png

模版名称修改为Exchange Server  2019

e8dd5e1f6e75eb8c48321f2b44bb7ecb.png

8574b1ae9703861a429ca194091eff0b.png

a0ad6974a291992a1b1284bb4d160ec7.png

新建 要颁发的证书模版 选择Exchange Server  2019

b0441a8acbbf5d9b861731c3d2f75544.png

76af5cb5d3cfd5933bfe2b4d8a1f4bb6.png

416e74b5858b12676e85d4600fff0c3f.png

导入证书到excange2019

Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes('\\SRV2019-MBX\Data\certnew.cer'))

728e596a81cab6570e8b8f4e91f396ad.png

e273098f06a4a0650764d1f7e71ad8d0.png

ad域服务器下发证书

137f66cb4507e3df374cf16133533e21.png

ded8a1dc08ffc60815d738a81c81af21.png

d90fe553fc5e61f28fffec9dd15c05a6.png

出现导入成功后,强制刷新下组策略  gpupdate /force

1b48b1080082b16ed06aacc8380fc759.png

    推荐阅读   

9ae996e3addc78d222b3dc0b2130f651.png

e8c13f960326566665bb9e15394b887e.png

    推荐视频    

来源地址:https://blog.csdn.net/NewTyun/article/details/129964956

阅读原文内容投诉

免责声明:

① 本站未注明“稿件来源”的信息均来自网络整理。其文字、图片和音视频稿件的所属权归原作者所有。本站收集整理出于非商业性的教育和科研之目的,并不意味着本站赞同其观点或证实其内容的真实性。仅作为临时的测试数据,供内部测试之用。本站并未授权任何人以任何方式主动获取本站任何信息。

② 本站未注明“稿件来源”的临时测试数据将在测试完成后最终做删除处理。有问题或投稿请发送至: 邮箱/279061341@qq.com QQ/279061341

软考中级精品资料免费领

  • 历年真题答案解析
  • 备考技巧名师总结
  • 高频考点精准押题
  • 2024年上半年信息系统项目管理师第二批次真题及答案解析(完整版)

    难度     813人已做
    查看
  • 【考后总结】2024年5月26日信息系统项目管理师第2批次考情分析

    难度     354人已做
    查看
  • 【考后总结】2024年5月25日信息系统项目管理师第1批次考情分析

    难度     318人已做
    查看
  • 2024年上半年软考高项第一、二批次真题考点汇总(完整版)

    难度     435人已做
    查看
  • 2024年上半年系统架构设计师考试综合知识真题

    难度     224人已做
    查看

相关文章

发现更多好内容

猜你喜欢

AI推送时光机
位置:首页-资讯-服务器
咦!没有更多了?去看看其它编程学习网 内容吧
首页课程
资料下载
问答资讯