Automating Exchange 2016 installation with Desired State Configuration


Hi, folks!

There is a good example of Exchange installation inside of help files for xExchange module but it’s actually not valid for Exchange 2016:

  • no installation for server roles and features = configuration fails
  • Exchange 2016 does not have separate client access role anymore = wrong installation parameters and setup fails
  • UCMA is required to be installed = errors during prerequisite check up
  • not optimal LCM parameters
  • no certificate management
  • there is no variables passing via command line = not suitable for unattended setup

So here is the fixed version of one .

/Has been tested on VM with up-to-date domain joined 2012 R2 guest machine.

//If you are not yet familiar with PowerShell DSC it’s recommended to review some facts before setting up and then do some additional steps:

0) Step for lazy persons Улыбка . Download link for  all-in-one zip file

1) Install the following update (only for PowerShell v3 and v4.0) :

PackageManagement PowerShell Modules Preview – March 2016

2) Import or verify that the required modules are available :

  • xExchange . It’s  a custom module for installation and configuration Exchange environment (installation, DAG, settings and more)
  • WindowsFeature . Built-in DSC resource that ensures and installs windows server roles/features
  • Package . Built-in DSC resource to install program packages (msi,exe and etc)
  • xPendingReboot. Custom module that reboots system if it is in the “pending reboot” status.
  • To list installed custom DSC resources:
    Get-DscResource|? {$_.ModuleName -NotMatch "PSDesired"}
    
  • To install custom DSC (internet connectivity is required):
    Install-Module xExchange
    
  • I prefer to save module for the further usage and then install or just copy to one of the PS module’s path
    #save module to pre-created folder
    
    Save-Module xExchange -Path C:\DSC\Modules
    
    #Copy module to the one of the following folders (../Program Files/.. is recommended)
    
    $env:PSModulePath
    
    C:\Users\username\Documents\WindowsPowerShell\Modules;
    C:\Program Files\WindowsPowerShell\Modules;
    C:\Windows\system32\WindowsPowerShell\v1.0\Modules
    

3) Prepare folders. Script uses the following paths:

  • “C:\Exch”  – Exchange binaries,
  • “C:\ExchInstall\Cert” – required files for import certificate
  • “C:\UCMA” – UCMA installation files

4) Download Exchange media and copy setup files (C:\Exch in my case)

5) Extract UCMA package  to another folder (script uses C:\UCMA)

6) (optional) Prepare certificate for securing MOF files. I use this module  to create one and then export PFX and CER-files to “C:\ExchInstall\Cert”.

Note: If you don’t want to secure your MOF files you can comment out related strings in the main script (step 6, see comment blocks)

. .\New-SelfSignedCertificateEx.ps1
New-SelfsignedCertificateEx `
    -Subject 'CN=localhost' `
    -EKU 'Document Encryption' `
    -KeyUsage 'KeyEncipherment, DataEncipherment' `
    -SAN localhost `
    -FriendlyName 'DSC certificate' `
    -Exportable `
    -StoreLocation 'LocalMachine' `
    -StoreName 'My' `
    -KeyLength 2048 `
    -ProviderName 'Microsoft Enhanced Cryptographic Provider v1.0' `
    -AlgorithmName 'RSA' `
    -SignatureAlgorithm 'SHA256'

6) Create the new script (ps1) which contains the following strings

Note: RebootNodeIfNeeded has been set to “True” so LCM have rights to reboot your machine automatically.

 <#
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |w|w|w|.|r|l|e|v|c|h|e|n|k|o|.|c|o|m|
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                                                                                                    

::Exchange 2016 Installation (DSC)
::Required modules: xExchange and xPendingReboot

 #>

#Variables
    param ()
      #Domain and Netbios Names
      $domainname=$args[0] #or get-domain if domain is existed.
      $netbios=$DomainName.split(“.”)[0]

	  #Creds for Exchange install acoount
	  $pwd = ConvertTo-SecureString "Pass123" -AsPlainText -Force
      $Creds = New-Object System.Management.Automation.PSCredential ("$netbios\Administrator", $pwd)

      #Import the certificate for securing MOF (optional. related strings can be just commented out)
      $CertPW=ConvertTo-SecureString “Pass123” -AsPlainText -Force
      Import-PfxCertificate -Password $certpw -CertStoreLocation Cert:\LocalMachine\My -FilePath C:\ExchInstall\cert\publickey.pfx

#DSC starts here
Configuration InstallExchange

{
        Import-DscResource -Module xExchange
        Import-DscResource -Module xPendingReboot

    Node $AllNodes.NodeName
    {
        #Sets certificate for LCM on every node
        LocalConfigurationManager
        {
            CertificateId      = $AllNodes.Thumbprint
            RebootNodeIfNeeded = $true
            ConfigurationMode = 'ApplyOnly'
        }

        #Installs Required Components for Exchange (note: there is 1 planned automatic reboot)
        WindowsFeature ASHTTP
        {
            Ensure = 'Present'
            Name = 'AS-HTTP-Activation'
        }
        WindowsFeature DesktopExp
        {
            Ensure = 'Present'
            Name = 'Desktop-Experience'
        }
         WindowsFeature NetFW45
        {
            Ensure = 'Present'
            Name = 'NET-Framework-45-Features'
        }
           WindowsFeature RPCProxy
        {
            Ensure = 'Present'
            Name = 'RPC-over-HTTP-proxy'
        }
            WindowsFeature RSATClus
        {
            Ensure = 'Present'
            Name = 'RSAT-Clustering'
        }
            WindowsFeature RSATClusCmd
        {
            Ensure = 'Present'
            Name = 'RSAT-Clustering-CmdInterface'
        }
            WindowsFeature RSATClusMgmt
        {
            Ensure = 'Present'
            Name = 'RSAT-Clustering-Mgmt'
        }
           WindowsFeature RSATClusPS
        {
            Ensure = 'Present'
            Name = 'RSAT-Clustering-PowerShell'
        }
           WindowsFeature WebConsole
        {
            Ensure = 'Present'
            Name = 'Web-Mgmt-Console'
        }
            WindowsFeature WAS
        {
            Ensure = 'Present'
            Name = 'WAS-Process-Model'
        }
            WindowsFeature WebAsp
        {
            Ensure = 'Present'
            Name = 'Web-Asp-Net45'
        }
           WindowsFeature WBA
        {
            Ensure = 'Present'
            Name = 'Web-Basic-Auth'
        }
           WindowsFeature WCA
        {
            Ensure = 'Present'
            Name = 'Web-Client-Auth'
        }
          WindowsFeature WDA
        {
            Ensure = 'Present'
            Name = 'Web-Digest-Auth'
        }
          WindowsFeature WDB
        {
            Ensure = 'Present'
            Name = 'Web-Dir-Browsing'
        }
           WindowsFeature WDC
        {
            Ensure = 'Present'
            Name = 'Web-Dyn-Compression'
        }
           WindowsFeature WebHttp
        {
            Ensure = 'Present'
            Name = 'Web-Http-Errors'
        }
           WindowsFeature WebHttpLog
        {
            Ensure = 'Present'
            Name = 'Web-Http-Logging'
        }
           WindowsFeature WebHttpRed
        {
            Ensure = 'Present'
            Name = 'Web-Http-Redirect'
        }
          WindowsFeature WebHttpTrac
        {
            Ensure = 'Present'
            Name = 'Web-Http-Tracing'
        }
          WindowsFeature WebISAPI
        {
            Ensure = 'Present'
            Name = 'Web-ISAPI-Ext'
        }
          WindowsFeature WebISAPIFilt
        {
            Ensure = 'Present'
            Name = 'Web-ISAPI-Filter'
        }
            WindowsFeature WebLgcyMgmt
        {
            Ensure = 'Present'
            Name = 'Web-Lgcy-Mgmt-Console'
        }
            WindowsFeature WebMetaDB
        {
            Ensure = 'Present'
            Name = 'Web-Metabase'
        }
            WindowsFeature WebMgmtSvc
        {
            Ensure = 'Present'
            Name = 'Web-Mgmt-Service'
        }
           WindowsFeature WebNet45
        {
            Ensure = 'Present'
            Name = 'Web-Net-Ext45'
        }
            WindowsFeature WebReq
        {
            Ensure = 'Present'
            Name = 'Web-Request-Monitor'
        }
             WindowsFeature WebSrv
        {
            Ensure = 'Present'
            Name = 'Web-Server'
        }
              WindowsFeature WebStat
        {
            Ensure = 'Present'
            Name = 'Web-Stat-Compression'
        }
               WindowsFeature WebStatCont
        {
            Ensure = 'Present'
            Name = 'Web-Static-Content'
        }
               WindowsFeature WebWindAuth
        {
            Ensure = 'Present'
            Name = 'Web-Windows-Auth'
        }
              WindowsFeature WebWMI
        {
            Ensure = 'Present'
            Name = 'Web-WMI'
        }
              WindowsFeature WebIF
        {
            Ensure = 'Present'
            Name = 'Windows-Identity-Foundation'
        }
              WindowsFeature RSATADDS
        {
            Ensure = 'Present'
            Name = 'RSAT-ADDS'
        }
        #Installs UCMA. Don't forget to change path it if it is required
        Package UCMA
        {
            Ensure= 'Present'
            Name = 'Microsoft Unified Communications Managed API 4.0, Core
                    Runtime 64-bit'
            Path= 'c:\UCMA\UcmaRuntimeSetup\ironmansetup.exe'
            ProductID= 'ED98ABF5-B6BF-47ED-92AB-1CDCAB964447'
            Arguments= '/q'

         }

        #Checks Exchange Setup Directory (can be changed it's necessary). No recurse.
        File ExchangeBinaries
        {
            Ensure          = 'Present'
            Type            = 'Directory'
            Recurse         = $false
            SourcePath = 'C:\Exch'
            DestinationPath = 'C:\Exch'
        }

        #Checks if a reboot is needed before installing Exchange
        xPendingReboot BeforeExchangeInstall
        {
            Name      = "BeforeExchangeInstall"

            DependsOn  = '[File]ExchangeBinaries'
        }

        #Does the Exchange install. Verify directory with exchange binaries
        xExchInstall InstallExchange
        {
            Path       = "C:\Exch\Setup.exe"
            Arguments  = "/mode:Install /role:Mailbox /OrganizationName:""$netbios"" /Iacceptexchangeserverlicenseterms"
            Credential = $Creds

            DependsOn  = '[xPendingReboot]BeforeExchangeInstall'
        }

        #Sees if a reboot is required after installing Exchange
        xPendingReboot AfterExchangeInstall
        {
            Name      = "AfterExchangeInstall"

            DependsOn = '[xExchInstall]InstallExchange'
        }
   }
}

#DSC Configuration data
$ConfigData=@{
    AllNodes = @(

        @{
            NodeName = "*"
				  #Replace thumbprint with yours or use precreated cert
                  CertificateFile = "C:\ExchInstall\cert\publickey.cer"
                  Thumbprint = "FF0693E72BD283298323DF34B2A848F0F1B48E67"
                  PSDscAllowPlainTextPassword = $true
        }

        @{
            NodeName = "localhost"
        }
    );
}

if ($Creds -eq $null)
{
   #if creds are empty -> write to log Application/mozno udalit')
   New-EventLog –LogName Application –Source “Exchange Installation”
   Write-EventLog –LogName Application –Source “Exchange Installation” –EntryType Error –EventID 1 –Message “Credentials are empty”

}

#Compiles the example
InstallExchange -ConfigurationData $ConfigData -Creds $Creds

#Sets up LCM on target computers to decrypt credentials, and to allow reboot during resource execution
Set-DscLocalConfigurationManager -Path .\InstallExchange -Verbose

#Pushes configuration and waits for execution
Start-DscConfiguration -Path .\InstallExchange -Verbose -Wait

7) Run the script with the mandatory <domainname> parameter

Example: 

.\InstallExchange.ps1 contoso.com

8) Wait while LCM applies DSC configuration.

To retrieve the the current status use:

Get-DSCLocalConfigurationManager

and

  • read logs (Applications and Services Logs – Microsoft – Windows – Desired State Configuration)
  • Exchange creates it’s own setup logs on your system drive . check them in case of unexpected errors.

Until then,

have a nice weekend!

P.S. I have updated this script with DAG configuration and etc.. I’ll publish a new post later. Be in touch.

1 thought on “Automating Exchange 2016 installation with Desired State Configuration”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s