Adding the Transport Server to Exchange

As discussed in Adding Exchange to the Lab, I wanted to create a DMZ based Transport Server, just to complicate things, and why not. So to start with, I have done a Windows Server 2019 Core VM in the DMZ network. This has been named, AVMA key installed, fully updated (2020-11 update). The ISO has been mounted and ready to go.

We start with the pre-requisites, there are fewer of these for the Transport Server role, just DotNet framework, Visual C++ 2012 and the Active Directory Lightweight Directory Service! I won’t go through the installation of the software as it’s similar to the mailbox server role.

As this is not a domain joined computer, you need to manually set up the FQDN before Exchange will install. A good article on how to do this for Server Core can be found at Jaap Wesselius’ blog. I ended up using PowerShell to do the following

Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -Name 'NV Domain' -Value lab.marklewis.blog

So, lets go through the installation and run setup.exe

No updates were found, so happy days, click Next. At this point it copies the files required.

Accept the license terms

I am going to use the recommended settings here

Then, we select just the Edge Transport Role, you’ll notice I’ve already installed the ADLDS feature in the background so no need to tick the box here.

Next, we specify where to install it

It will verify the prerequisites are done when you can then click install

And wait …..

I will admit I have no idea how long this took, if it was as long as a mailbox server as I just set it off and went to do other things. As requested, I rebooted the server and then began to work on the post installation set up.

First thing that I needed to do was ensure that names were resolvable between the Transport Server and Mailbox Server. I edited the hosts file on the transport server due to lack of a DNS server (DNS is forwarded on via the router).

Next, I made sure I had added the domain (marklewis.blog) to the Exchange server as an authoritative domain. I configured the address policy that I wanted to use. To access the management console on the transport server, I opened PowerShell then ran

exshell.psc1

Followed by

exchange.ps1

At this point, I was able to create a new subscription using he following PowerShell

New-EdgeSubscription -FileName C:\tmp\EdgeSubscriptionInfo.xml

Now we have the file, we need to copy it to the mailbox server. At the moment, my firewall rule between the DMZ and LAN allows for full access between the Transport Server and Mailbox Server. I mapped a drive, copied the file over then jumped on to the Mailbox Server. Running

LaunchEMS

from a command line fires up the Exchange Management Console. Then running the New-EdgeSubscription cmdlet. I had to specify the AD Site where my Exchange Mailbox Server is as a source for the syncronization process.

I waited about 15 minutes and then tried sending a test mail:

Received: from h-EX01.lab.marklewis.blog (192.168.20.8) by h-DMZ-EXTS.marklewis.blog (172.16.2.32) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.721.2; Wed, 18 Nov 2020 +0000
Received: from h-EX01.lab.marklewis.blog (192.168.20.8) by h-EX01.lab.marklewis.blog (192.168.20.8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.721.2; Wed, 18 Nov 2020 +0000
Received: from h-EX01.lab.marklewis.blog ([fe80::30ad:484c:7638:3440]) by h-EX01.lab.marklewis.blog ([fe80::30ad:484c:7638:3440%5]) with mapi id 15.02.0721.002; Wed, 18 Nov 2020 +0000

Looking at the headers, that worked! Next, I need to update the firewall rules to allow SMTP(S) traffic and then set the MX record and SPF Record. Before this though, I created the shared mailbox, like I currently use, ready for the occasional mail to come through.

With the public DNS records updated, mailflow was working back and forth. Lastly, I will add the product key, using the Exchange Management Shell.

Exchange Server doesn’t have a built in DKIM mechanism, something I did make use of on Office 365.

I was asked on Twitter if I covered the ACLs before and after installation of Exchange in Active Directory, this is something I will attempt to do an in depth look at what it does.

Leave a Reply

Your email address will not be published. Required fields are marked *