Exchange 2013 – Pre-stage CNO for DAG creation

Before you can create a DAG, you of course need the Exchange servers already set up, each with its own databases.

The core components to pre-stage for a DAG are:
1. Designate a Witness Server – In production, best practice is to place it in a location separate from that of your DAG(s).
2. Database Availability Group Name
3. Witness Directory
4. Database Availability Group IP address
5. Cluster Name Object
Start by creating a witness server for your DAG.
To pre-stage the witness server you create a folder on the C: drive of the witness server. On my server I call it “ExchangeFWS” so that the witness server has a spot to store its logs, and I can logically identify it later.
Then you will need to add the Exchange Trusted Subsystem to the local administrators group of the witness server.
Follow this by going to your domain controller and creating a computer object (I give mine the same name as the DAG, in my case: DAG01.) This will be the CNO.
While still in Active Directory Users and Computers, enable Advanced Features under the View drop-down menu and navigate back to the location of the DAG01 computer object.
Right-click the object, select Properties and navigate to the Security tab.
Once here, add the Exchange servers' computer objects and grant them Full Control.
Exit the Properties window, right-click your DAG computer object and disable it. This is done for security, so that you don't have an unused, enabled computer object sitting in your Active Directory until the DAG is actually created.
And that’s it!
Now you can get ready to create your DAG.
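The same pre-staging steps done from the Exchange Management Shell or any domain-joined admin workstation with the ActiveDirectory module (RSAT), as an added example that is not part of the original post. The domain CONTOSO, the DAG/CNO name DAG01, the DAG members EX01 and EX02, the witness server FS01 and the witness directory C:\ExchangeFWS are all assumed, hypothetical names.

```powershell
# Added example (not from the original post): pre-staging the witness server and the CNO.
# Assumed, hypothetical names: domain CONTOSO, DAG/CNO DAG01, DAG members EX01 and EX02,
# witness server FS01, witness directory C:\ExchangeFWS.
Import-Module ActiveDirectory

$DomainNetBios = 'CONTOSO'
$DagName       = 'DAG01'
$ExchangeNodes = 'EX01', 'EX02'
$WitnessServer = 'FS01'
$WitnessDir    = 'C:\ExchangeFWS'

# 1. Witness server: create the witness directory and put Exchange Trusted Subsystem in the
#    local Administrators group (Exchange needs that to create the witness share later).
Invoke-Command -ComputerName $WitnessServer -ArgumentList $WitnessDir, $DomainNetBios -ScriptBlock {
    param($Dir, $Domain)
    New-Item -Path $Dir -ItemType Directory -Force | Out-Null
    # 'net localgroup' works on every server version; Add-LocalGroupMember needs PowerShell 5.1+
    net localgroup Administrators "$Domain\Exchange Trusted Subsystem" /add
}

# 2. Cluster Name Object: the computer account that will represent the DAG.
$cno     = New-ADComputer -Name $DagName -PassThru
$cnoPath = "AD:\$($cno.DistinguishedName)"

# 3. The Security-tab step: give each DAG member's computer account Full Control on the CNO.
#    Only the DAG members get this right; nothing else needs to manage the object.
$acl = Get-Acl -Path $cnoPath
foreach ($node in $ExchangeNodes) {
    $account = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList "$DomainNetBios\$node`$"
    $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])
    $rights  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $rule    = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $rights, $allow
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $cnoPath -AclObject $acl

# 4. Disable the account until New-DatabaseAvailabilityGroup claims it, so an unused,
#    enabled computer account is never sitting in the directory.
Disable-ADAccount -Identity $cno

# 5. Check: the CNO is disabled and exactly the DAG members hold Full Control.
Get-ADComputer -Identity $DagName | Select-Object Name, Enabled, DistinguishedName
(Get-Acl -Path $cnoPath).Access |
    Where-Object { $_.ActiveDirectoryRights -eq 'GenericAll' -and -not $_.IsInherited } |
    Select-Object IdentityReference, AccessControlType
```

The final check is worth keeping as a habit: if an identity other than the DAG members shows up with GenericAll on the CNO, something other than this script has touched the object.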

Exchange 2013 – Moving and Renaming a Mailbox Database

The default location of a mail database is not really that easy to remember either, so I am going to move my databases from their default location:

That being said, you can either create a new one, or move the existing one.
In this post I am going to move my existing mail database using PowerShell:
First I need to change the Mailbox Database name to something more suitable.
I do this by logging into the EAC, selecting Servers – Databases – Edit – then change the name of the given database to something like DB01 and then pressing OK.
Then I need to get the exact name of the database:

I used a command like this one to dismount my database:

Now I can move the MailboxDatabase and my LogFolderPath:

Then I need to check the status of my Mailbox Database with something like:

Followed by mounting the database again:

For my own sanity, I finalize this process by running:

Exchange 2013 – Exporting Certificate Private Keys

As I continue to work with Exchange, I came to a point where I needed to export the private key from a certificate to complete a request with a 3rd party Certificate Authority.
I did some quick research on how to export the private key from a certificate enrollment request certificate found in the local computer certificate store of my Exchange server.
I exported the certificate with the private key and all extended properties.
What I ended up doing was downloading OpenSSL for Windows and installing it on the C: drive of my Exchange lab server.
Once installed, I opened the Windows command prompt and navigated into the OpenSSL directory.
I was able to successfully export the key by running a command similar to this one:

Since you must have a password to obtain the private key, I was prompted to enter the password associated with the certificate file.
After successfully entering the password I was able to find my .pem file, which I opened with Notepad and copied and pasted into the web interface of the 3rd party CA I wanted to use.
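The export and the OpenSSL key extraction above, scripted in PowerShell, as an added example that is not part of the original post. It assumes Windows Server 2012 or later (for Export-PfxCertificate), OpenSSL installed at C:\OpenSSL-Win64\bin, and a certificate thumbprint that you fill in; the password is read interactively and passed to OpenSSL through environment variables so that it never appears on a command line, where any local process could read it.

```powershell
# Added example (not from the original post): export a certificate with its private key from
# the local computer store and extract the key to PEM with OpenSSL.
# Assumed: Server 2012+ (Export-PfxCertificate), OpenSSL at C:\OpenSSL-Win64\bin, a real
# thumbprint in place of the placeholder.
$Thumbprint = 'PLACEHOLDER_THUMBPRINT'
$OpenSsl    = 'C:\OpenSSL-Win64\bin\openssl.exe'
$PfxPath    = "$env:TEMP\exchange-cert.pfx"
$KeyPath    = "$env:TEMP\exchange-key.pem"

# 1. Export certificate + private key as a password-protected PFX (PKCS#12).
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert "Cert:\LocalMachine\My\$Thumbprint" -FilePath $PfxPath -Password $pfxPassword | Out-Null

# 2. Hand the password to OpenSSL via environment variables (env:NAME), not as an argument:
#    command-line arguments are visible to every process on the machine.
$env:PFX_PASS = (New-Object System.Net.NetworkCredential('', $pfxPassword)).Password
$env:PEM_PASS = $env:PFX_PASS

# -nocerts keeps only the key; -aes256 leaves the PEM encrypted. Use -nodes only if the
# receiving system insists on an unencrypted key, and delete that file right after pasting it.
& $OpenSsl pkcs12 -in $PfxPath -nocerts -aes256 -passin env:PFX_PASS -passout env:PEM_PASS -out $KeyPath

# 3. Check that the PEM key is intact and matches the certificate's public key
#    (same RSA modulus), so you do not submit the wrong key to the CA.
$keyMod  = & $OpenSsl rsa -in $KeyPath -noout -modulus -passin env:PEM_PASS
$certMod = & $OpenSsl pkcs12 -in $PfxPath -nokeys -clcerts -passin env:PFX_PASS |
           & $OpenSsl x509 -noout -modulus
if ($keyMod -ne $certMod) { throw 'Private key does not match the certificate' }

# 4. Clean up: the passwords in the environment and the PFX copy on disk are no longer needed.
Remove-Item Env:\PFX_PASS, Env:\PEM_PASS
Remove-Item $PfxPath
Write-Host "Encrypted private key written to $KeyPath"
```

The modulus comparison is the step most people skip; it costs one line and catches the case where the store holds more than one certificate for the same name.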

Exchange 2013 – Blocked Port 25? No problem.

Playing in my home lab with Exchange 2013, I came to a point where I wanted to setup e-mail that would be routed to and from the Internet.
My current ISP (Comcast) subscription is a normal home account. That being said, Comcast blocks port 25 (SMTP) for both inbound and outbound connections.
I would just upgrade my account with Comcast to a Business account but I also live with a couple of roommates. I found it hard to justify the jump in price to them if I were to switch the account over to a business account. I’m also just cheap.
After hours of googling, I couldn't find any straightforward answer for how to accomplish what I wanted to do.
If you want to send e-mail out to the internet but your ISP blocks port 25, and you want to do so without having to upgrade to a business account, there are a few things you will need to do:
1. Have about $30 – $40
2. Buy a publicly routable domain name
3. Adjust some port settings on your router
4. Subscribe to an “Outbound E-mail Relay” provider
5. Subscribe to a “Mail Redirection” provider
There are two sites I used to accomplish this:
1and1 – This is where I bought my domain name. New customers get their first domain name for $0.99
DNSExit – This is where I bought the services for Outbound E-mail Relaying and also Mail Redirection. It costs $4.50 a month for 150 outbound mail relays per day. Through this site I was also able to get a trial for 14 days of their mail redirection service. After the 14 days, the mail redirection service is $24.99 /domain /year.

The setup could be summarized as follows:

Buy a Domain

As I stated above, I bought my domain name with I was able to use their interface to set up the DNS records needed to point to my router. I was also able to set up a subdomain name and point it to my router as well.
So the requirements here were:
  • Set A record for domain name and point to router (My Public IP)
  • Set A record for subdomain name and point to router (My Public IP)
  • Set MX record for mail server. (This will be the FQDN of the mail server that will be forwarding your mails from the internet to your home server. In my case it was “”)

Setup Port Forwarding

In my case, I opened port 26 on my router's firewall and set a couple of port forward rules. The rules say: for anything coming from the Internet on port 26, forward it to my internal Exchange server's IP address on port 26.
I use DD-WRT as my router firmware. The settings above are accomplished by logging into your router, selecting NAT/QOS and selecting the Port Forwarding tab.
An example entry looks like:
Application   Protocol   Source Net   Port from   IP Address   Port to
MAIL          Both                    26                       26
If you have already installed your Exchange environment navigate to the Exchange Admin Console and perform the following:
  • Select Mail Flow
  • Select the Receive Connectors tab
  • Select the Default Frontend
  • Select Scoping
Within the Network adapter bindings change your IP Addresses port number to one of the supported ports of your chosen provider. In my case I chose port 26.
  • Save your changes
  • Select the Send Connectors tab
  • Create or edit an existing send connector
Set the new send connector to route mail through smart hosts and specify the address the relay provider gives you. In my case it was I also left the external DNS blank.
  • Select the basic authentication option and enter in the credentials that your provider gives you.
  • Set the address space to “*” and add your exchange servers.
  • Save your new send connector.
If port 25 is blocked, you will need to do the following as well:
  • Open the Exchange Management Shell
  • You will need to use the Set-SendConnector cmdlet to specify the port of your new send connector.

Here SENDCONNECTORNAME is the name of the send connector which you named in Step 1, and port 26 could be any of the ports your provider supports.
If no errors show in the shell then it worked and you are done setting up the outbound relay.
Send a test e-mail from your Exchange server to verify.
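The receive connector, send connector and port changes above done entirely from the Exchange Management Shell, followed by the checks, as an added example that is not part of the original post. The server name EX01, the relay host relay.example.net, the domain example.com and the connector name are assumed placeholders; replace them with what your provider gives you.

```powershell
# Added example (not from the original post): the connector changes from the steps above,
# done in the Exchange Management Shell. Assumed placeholders: server EX01, relay host
# relay.example.net (the address your provider gives you), domain example.com, port 26.
$Server    = 'EX01'
$RelayHost = 'relay.example.net'
$RelayPort = 26
$ConnName  = 'Internet via relay'

# 1. Receive connector (the Scoping step): listen on the provider's port instead of 25.
#    On a single-server lab rebinding Default Frontend is fine; in a multi-server org the
#    servers talk to each other on 25, so add a separate receive connector on 26 instead.
Set-ReceiveConnector -Identity "$Server\Default Frontend $Server" -Bindings "0.0.0.0:$RelayPort", "[::]:$RelayPort"

# 2. Send connector routed through the provider's smart host with the provider's credentials.
#    BasicAuthRequireTLS keeps the password off the wire if the provider offers STARTTLS;
#    plain BasicAuth (what the post selected) sends it in clear text to the relay.
$cred = Get-Credential -Message 'Relay provider credentials'
New-SendConnector -Name $ConnName -Usage Internet -AddressSpaces '*' `
    -SmartHosts $RelayHost -DNSRoutingEnabled $false `
    -SmartHostAuthMechanism BasicAuthRequireTLS -AuthenticationCredential $cred `
    -SourceTransportServers $Server

# 3. Port 25 is blocked, so point the connector at the provider's port (the Set-SendConnector step).
Set-SendConnector -Identity $ConnName -Port $RelayPort

# 4. Checks: connector settings, the DNS records from the domain step, and whether the
#    relay port is actually reachable from this box.
Get-SendConnector -Identity $ConnName |
    Format-List Name, SmartHosts, Port, SmartHostAuthMechanism, AddressSpaces, DNSRoutingEnabled
Get-ReceiveConnector -Identity "$Server\Default Frontend $Server" | Format-List Name, Bindings
Resolve-DnsName -Name 'example.com' -Type A
Resolve-DnsName -Name 'example.com' -Type MX
Test-NetConnection -ComputerName $RelayHost -Port $RelayPort

# 5. After sending a test e-mail from OWA as described above: the message should show up in
#    an SMTP queue for the relay and then as a SEND event in message tracking.
Get-Queue | Format-Table Identity, DeliveryType, NextHopDomain, Status, MessageCount
Get-MessageTrackingLog -Server $Server -EventId SEND -Start (Get-Date).AddMinutes(-15) |
    Format-Table Timestamp, Sender, Recipients, ConnectorId
```

If Test-NetConnection reports the port closed while the provider says it is open, the block is on your side (router or ISP) and no connector setting will fix it; check that before touching Exchange again.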
Assuming the above is all setup, you should be able to send and receive e-mail from your home Exchange server.
Feel free to drop a comment or share your experience!