Automating Exchange 2016 installation with Desired State Configuration

Hi, folks!

There is a good example of an Exchange installation in the help files of the xExchange module, but it is not valid for Exchange 2016:

  • no installation of server roles and features = configuration fails
  • Exchange 2016 no longer has a separate Client Access role = wrong installation parameters and setup fails
  • UCMA is required to be installed = errors during the prerequisite check
  • LCM parameters are not optimal
  • no certificate management
  • no variables passed via the command line = not suitable for unattended setup

So here is a fixed version of it.

Tested on a VM with an up-to-date, domain-joined 2012 R2 guest machine.

If you are not yet familiar with PowerShell DSC, it’s recommended to review some facts before setting up and then do some additional steps:

0) Step for lazy persons. Download link for the all-in-one zip file

1) Install the following update (only for PowerShell v3 and v4.0) :

PackageManagement PowerShell Modules Preview – March 2016

2) Import or verify that the required modules are available:

  • xExchange. A custom module for installing and configuring an Exchange environment (installation, DAG, settings and more)
  • WindowsFeature. Built-in DSC resource that ensures and installs Windows Server roles/features
  • Package. Built-in DSC resource to install program packages (msi, exe, etc.)
  • xPendingReboot. Custom module that reboots the system if it is in the “pending reboot” state.
  • To list installed custom DSC resources:
    Get-DscResource|? {$_.ModuleName -NotMatch "PSDesired"}
    
  • To install a custom DSC module (internet connectivity is required):
    Install-Module xExchange
    
  • I prefer to save the module for further use and then install it or just copy it to one of the PS module paths
    #save module to pre-created folder
    
    Save-Module xExchange -Path C:\DSC\Modules
    
    #Copy the module to one of the following folders (../Program Files/.. is recommended)
    
    $env:PSModulePath
    
    C:\Users\username\Documents\WindowsPowerShell\Modules;
    C:\Program Files\WindowsPowerShell\Modules;
    C:\Windows\system32\WindowsPowerShell\v1.0\Modules
    

3) Prepare folders. The script uses the following paths:

  • “C:\Exch” – Exchange binaries
  • “C:\ExchInstall\Cert” – files required to import the certificate
  • “C:\UCMA” – UCMA installation files

4) Download the Exchange media and copy the setup files (C:\Exch in my case)

5) Extract the UCMA package to another folder (the script uses C:\UCMA)

6) (optional) Prepare a certificate for securing the MOF files. I use this module to create one and then export the PFX and CER files to “C:\ExchInstall\Cert”.

Note: If you don’t want to secure your MOF files, you can comment out the related lines in the main script (step 6, see comment blocks)

. .\New-SelfSignedCertificateEx.ps1
New-SelfsignedCertificateEx `
    -Subject 'CN=localhost' `
    -EKU 'Document Encryption' `
    -KeyUsage 'KeyEncipherment, DataEncipherment' `
    -SAN localhost `
    -FriendlyName 'DSC certificate' `
    -Exportable `
    -StoreLocation 'LocalMachine' `
    -StoreName 'My' `
    -KeyLength 2048 `
    -ProviderName 'Microsoft Enhanced Cryptographic Provider v1.0' `
    -AlgorithmName 'RSA' `
    -SignatureAlgorithm 'SHA256'

6) Create a new script (.ps1) that contains the following lines

Note: RebootNodeIfNeeded has been set to “True”, so the LCM is allowed to reboot your machine automatically.

 <#
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |w|w|w|.|r|l|e|v|c|h|e|n|k|o|.|c|o|m|
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                                                                                                    

::Exchange 2016 Installation (DSC)
::Required modules: xExchange and xPendingReboot

 #>

#Variables
    param ()
      #Domain and NetBIOS names
      $domainname=$args[0] #or read it from the domain if it already exists
      $netbios=$domainname.Split(".")[0]

      #Creds for the Exchange install account
      #"Pass123" is a placeholder; replace it and keep real passwords out of the script file
      #($pwd is PowerShell's automatic current-location variable, so a different name is used)
      $InstallPw = ConvertTo-SecureString "Pass123" -AsPlainText -Force
      $Creds = New-Object System.Management.Automation.PSCredential ("$netbios\Administrator", $InstallPw)

      #Import the certificate for securing the MOF (optional; the related lines can simply be commented out)
      $CertPW=ConvertTo-SecureString "Pass123" -AsPlainText -Force
      Import-PfxCertificate -Password $CertPW -CertStoreLocation Cert:\LocalMachine\My -FilePath C:\ExchInstall\cert\publickey.pfx

#DSC starts here
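Configuration InstallExchange
{
    #Receives the install credential from the -Creds argument of the compile call below
    param ([PSCredential]$Creds)

        Import-DscResource -Module xExchange
        Import-DscResource -Module xPendingReboot

    Node $AllNodes.NodeName
    {
        #Sets certificate for LCM on every node
        LocalConfigurationManager
        {
            #$Node is the node currently being compiled, so each node gets its own thumbprint
            CertificateId      = $Node.Thumbprint
            RebootNodeIfNeeded = $true
            ConfigurationMode  = 'ApplyOnly'
        }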

        #Installs Required Components for Exchange (note: there is 1 planned automatic reboot)
        WindowsFeature ASHTTP
        {
            Ensure = 'Present'
            Name = 'AS-HTTP-Activation'
        }
        WindowsFeature DesktopExp
        {
            Ensure = 'Present'
            Name = 'Desktop-Experience'
        }
        WindowsFeature NetFW45
        {
            Ensure = 'Present'
            Name = 'NET-Framework-45-Features'
        }
        WindowsFeature RPCProxy
        {
            Ensure = 'Present'
            Name = 'RPC-over-HTTP-proxy'
        }
        WindowsFeature RSATClus
        {
            Ensure = 'Present'
            Name = 'RSAT-Clustering'
        }
        WindowsFeature RSATClusCmd
        {
            Ensure = 'Present'
            Name = 'RSAT-Clustering-CmdInterface'
        }
        WindowsFeature RSATClusMgmt
        {
            Ensure = 'Present'
            Name = 'RSAT-Clustering-Mgmt'
        }
        WindowsFeature RSATClusPS
        {
            Ensure = 'Present'
            Name = 'RSAT-Clustering-PowerShell'
        }
        WindowsFeature WebConsole
        {
            Ensure = 'Present'
            Name = 'Web-Mgmt-Console'
        }
        WindowsFeature WAS
        {
            Ensure = 'Present'
            Name = 'WAS-Process-Model'
        }
        WindowsFeature WebAsp
        {
            Ensure = 'Present'
            Name = 'Web-Asp-Net45'
        }
        WindowsFeature WBA
        {
            Ensure = 'Present'
            Name = 'Web-Basic-Auth'
        }
        WindowsFeature WCA
        {
            Ensure = 'Present'
            Name = 'Web-Client-Auth'
        }
        WindowsFeature WDA
        {
            Ensure = 'Present'
            Name = 'Web-Digest-Auth'
        }
        WindowsFeature WDB
        {
            Ensure = 'Present'
            Name = 'Web-Dir-Browsing'
        }
        WindowsFeature WDC
        {
            Ensure = 'Present'
            Name = 'Web-Dyn-Compression'
        }
        WindowsFeature WebHttp
        {
            Ensure = 'Present'
            Name = 'Web-Http-Errors'
        }
        WindowsFeature WebHttpLog
        {
            Ensure = 'Present'
            Name = 'Web-Http-Logging'
        }
        WindowsFeature WebHttpRed
        {
            Ensure = 'Present'
            Name = 'Web-Http-Redirect'
        }
        WindowsFeature WebHttpTrac
        {
            Ensure = 'Present'
            Name = 'Web-Http-Tracing'
        }
        WindowsFeature WebISAPI
        {
            Ensure = 'Present'
            Name = 'Web-ISAPI-Ext'
        }
        WindowsFeature WebISAPIFilt
        {
            Ensure = 'Present'
            Name = 'Web-ISAPI-Filter'
        }
        WindowsFeature WebLgcyMgmt
        {
            Ensure = 'Present'
            Name = 'Web-Lgcy-Mgmt-Console'
        }
        WindowsFeature WebMetaDB
        {
            Ensure = 'Present'
            Name = 'Web-Metabase'
        }
        WindowsFeature WebMgmtSvc
        {
            Ensure = 'Present'
            Name = 'Web-Mgmt-Service'
        }
        WindowsFeature WebNet45
        {
            Ensure = 'Present'
            Name = 'Web-Net-Ext45'
        }
        WindowsFeature WebReq
        {
            Ensure = 'Present'
            Name = 'Web-Request-Monitor'
        }
        WindowsFeature WebSrv
        {
            Ensure = 'Present'
            Name = 'Web-Server'
        }
        WindowsFeature WebStat
        {
            Ensure = 'Present'
            Name = 'Web-Stat-Compression'
        }
        WindowsFeature WebStatCont
        {
            Ensure = 'Present'
            Name = 'Web-Static-Content'
        }
        WindowsFeature WebWindAuth
        {
            Ensure = 'Present'
            Name = 'Web-Windows-Auth'
        }
        WindowsFeature WebWMI
        {
            Ensure = 'Present'
            Name = 'Web-WMI'
        }
        WindowsFeature WebIF
        {
            Ensure = 'Present'
            Name = 'Windows-Identity-Foundation'
        }
        WindowsFeature RSATADDS
        {
            Ensure = 'Present'
            Name = 'RSAT-ADDS'
        }
        #Installs UCMA. Don't forget to change the path if required
        Package UCMA
        {
            Ensure    = 'Present'
            #The product name must stay on a single line
            Name      = 'Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit'
            Path      = 'c:\UCMA\UcmaRuntimeSetup\ironmansetup.exe'
            ProductID = 'ED98ABF5-B6BF-47ED-92AB-1CDCAB964447'
            Arguments = '/q'
        }

        #Checks the Exchange setup directory (change the path if necessary). No recursion.
        File ExchangeBinaries
        {
            Ensure          = 'Present'
            Type            = 'Directory'
            Recurse         = $false
            SourcePath = 'C:\Exch'
            DestinationPath = 'C:\Exch'
        }

        #Checks if a reboot is needed before installing Exchange
        xPendingReboot BeforeExchangeInstall
        {
            Name      = "BeforeExchangeInstall"

            DependsOn  = '[File]ExchangeBinaries'
        }

        #Does the Exchange install. Verify directory with exchange binaries
        xExchInstall InstallExchange
        {
            Path       = "C:\Exch\Setup.exe"
            Arguments  = "/mode:Install /role:Mailbox /OrganizationName:""$netbios"" /Iacceptexchangeserverlicenseterms"
            Credential = $Creds

            DependsOn  = '[xPendingReboot]BeforeExchangeInstall'
        }

        #Sees if a reboot is required after installing Exchange
        xPendingReboot AfterExchangeInstall
        {
            Name      = "AfterExchangeInstall"

            DependsOn = '[xExchInstall]InstallExchange'
        }
   }
}

#DSC Configuration data
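$ConfigData=@{
    AllNodes = @(

        @{
            NodeName = "*"
            #Replace the thumbprint with yours or use a precreated cert
            CertificateFile = "C:\ExchInstall\cert\publickey.cer"
            Thumbprint = "FF0693E72BD283298323DF34B2A848F0F1B48E67"
            #Allows credentials to be written to the MOF in clear text;
            #only needed when the certificate lines above are commented out
            PSDscAllowPlainTextPassword = $true
        }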

        @{
            NodeName = "localhost"
        }
    );
}

if ($Creds -eq $null)
{
   #if creds are empty -> write to the Application log (can be removed)
   New-EventLog -LogName Application -Source "Exchange Installation"
   Write-EventLog -LogName Application -Source "Exchange Installation" -EntryType Error -EventID 1 -Message "Credentials are empty"

}

#Compiles the example
InstallExchange -ConfigurationData $ConfigData -Creds $Creds

#Sets up LCM on target computers to decrypt credentials, and to allow reboot during resource execution
Set-DscLocalConfigurationManager -Path .\InstallExchange -Verbose

#Pushes configuration and waits for execution
Start-DscConfiguration -Path .\InstallExchange -Verbose -Wait

7) Run the script with the mandatory <domainname> parameter

Example: 

.\InstallExchange.ps1 contoso.com

8) Wait while the LCM applies the DSC configuration.

To retrieve the current status use:

Get-DSCLocalConfigurationManager

and

  • read the logs (Applications and Services Logs – Microsoft – Windows – Desired State Configuration)
  • Exchange creates its own setup logs on your system drive. Check them in case of unexpected errors.
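
A preflight for the optional MOF-encryption certificate from step 6, as an added example that is not part of the original script: it derives the thumbprint from the exported .cer instead of relying on a hard-coded value in $ConfigData, and checks after compilation that the install password does not appear in the MOF in clear text. The function names are hypothetical; the paths are the ones this post uses, and the MOF file name assumes the node is localhost.

```powershell
# Added example, not part of the original script. Paths follow the post's folder layout.
$CerPath = 'C:\ExchInstall\Cert\publickey.cer'   # public key exported in step 6
$MofPath = '.\InstallExchange\localhost.mof'     # assumed output of the InstallExchange compile call

function Get-DscEncryptionThumbprint {
    param([Parameter(Mandatory = $true)][string]$CerPath)

    $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

    # The node decrypts with the private key, so the same certificate must be in LocalMachine\My
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $cer.Thumbprint }
    if (-not $cert)                    { throw "Certificate $($cer.Thumbprint) not found in LocalMachine\My" }
    if (-not $cert.HasPrivateKey)      { throw 'Certificate has no private key; the LCM cannot decrypt the MOF' }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

    # Document Encryption EKU (OID 1.3.6.1.4.1.311.80.1), as requested with -EKU in step 6
    $ekuOids = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value }
    if ($ekuOids -notcontains '1.3.6.1.4.1.311.80.1') { throw 'Document Encryption EKU is missing' }

    # KeyEncipherment and DataEncipherment, as requested with -KeyUsage in step 6
    $usage = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $need = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'KeyEncipherment, DataEncipherment'
    if (-not $usage -or ($usage.KeyUsages -band $need) -ne $need) { throw 'Key usage does not allow encryption' }

    return $cert.Thumbprint
}

function Test-MofHasPlainTextPassword {
    param([Parameter(Mandatory = $true)][string]$MofPath,
          [Parameter(Mandatory = $true)][PSCredential]$Credential)

    # Version-independent check: the known password must not appear literally in the compiled MOF
    $plain = $Credential.GetNetworkCredential().Password
    return (Get-Content -Path $MofPath -Raw).Contains($plain)
}

# Use the returned value for Thumbprint in $ConfigData
$thumb = Get-DscEncryptionThumbprint -CerPath $CerPath
Write-Output "Thumbprint for ConfigData: $thumb"

# Inside the post's script, run this after the compile line and before Start-DscConfiguration
if ($Creds -and (Test-Path $MofPath)) {
    if (Test-MofHasPlainTextPassword -MofPath $MofPath -Credential $Creds) {
        throw "Password found in clear text in $MofPath; do not push this MOF"
    }
}
```

Run on its own, the block only validates the certificate; the MOF check takes effect when $Creds and the compiled MOF exist, as they do inside the script from step 6.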

Until then,

have a nice weekend!

P.S. I have updated this script with DAG configuration etc. I’ll publish a new post later. Stay in touch.

Launch dates for Windows Server and System Center 2016

Update: Windows Server 2016 is available for download @EvalCenter and will be on the October price list. Fully licensed software will be available @VLSC in mid-October (System Center 2016 Evaluation is here).

As I predicted in the previous posts, TP5 is the latest preview release before Windows Server 2016 RTM/GA. Today Microsoft has finally revealed the official launch dates for Windows Server and System Center 2016.

GA will be announced at the Ignite conference, which takes place at the end of September, and global price lists will be updated in October 2016. So we have enough time to get ready for it. RTM release dates are not available at the moment, but I expect it in August.

Until then, let’s review some important facts about the upcoming new generations of WS and SC.

Windows Server 2016:

  • Datacenter Edition includes new advanced software-defined datacenter capabilities designed for highly virtualized private and hybrid cloud environments. Some new features unique to Datacenter Edition include an Azure-inspired networking stack and Azure-inspired storage enhancements, including Storage Spaces Direct
  • Standard Edition provides the core functionality of Windows Server for lightly virtualized environments
  • Essentials. This edition is designed for smaller organizations with fewer than 50 users.
  • Standard and Datacenter editions no longer have the same list of features, as they did in Windows Server 2012/2012 R2 (except AVMA). Storage Replica, Storage Spaces Direct, Shielded VMs and the new networking stack are available only in Datacenter

System Center 2016 editions:

  • Datacenter is the optimal choice for large deployments or CSPs. One license allows you to manage an unlimited number of OSEs (Operating System Environments)
  • Standard is built for small infrastructures and provides management rights for only 2 OSEs

Installation Options in Windows Server

  • Server with Desktop Experience: The Server with Desktop Experience installation option provides a full user experience for those who need to run an app that requires a local UI, or for a Remote Desktop Services Host. This option has the Windows client shell and experience, consistent with Windows 10 Anniversary edition Long Term Servicing Branch (LTSB), with the server Microsoft Management Console (MMC) and Server Manager tools available locally on the server.
  • Server Core: The Server Core installation option removes the client UI from the server, providing an installation that runs the majority of the roles and features on a lighter install. Server Core does not include MMC or Server Manager, which can be used remotely, but does include limited local graphical tools such as Task Manager as well as PowerShell for local or remote management.
  • Nano Server: The Nano Server installation option provides an ideal lightweight operating system to run “cloud-native” applications based on containers and micro-services

Licensing

The licensing model for both Windows Server and System Center has moved from processors to physical cores, which aligns licensing of private and public cloud to a consistent currency of cores and simplifies licensing across multi-cloud environments.

To license a physical server, all physical cores in the server must be licensed. A minimum of 8 core licenses is required for each physical processor in the server, and a minimum of 16 cores is required to be licensed for servers with one processor.

The biggest surprise is that if you are going to deploy and use Nano Server in production, active Software Assurance is required. Nano Server is awesome, but do you agree to pay extra money for that? Let’s pray for changes... (hope dies last)

System Center: Core + Client Management Licenses (CML)

system center 2016 editions and prices

Windows Server: Core + Client Access Licenses (CAL) + additional CALs (RDS, etc.) + Software Assurance (required to deploy and operate Nano Server)

windows server 2016 prices and editions

The price of 16-core licenses of Windows Server 2016 Datacenter and Standard Edition will be the same as the price of the 2-proc license of the corresponding editions of Windows Server 2012 R2, because core licenses will be sold in two-core packs (eight packs cover 16 cores), and the two-core pack for each edition is 1/8th the price of a two-proc license for the corresponding 2012 R2 edition.

Servicing models

Windows Server currently has a “5+5” servicing model, meaning that there are 5 years of mainstream support and 5 years of extended support, and this will continue with Windows Server 2016. Customers who choose to install full Windows Server 2016 with a desktop experience or Server Core will maintain this servicing experience, which will be known as the Long Term Servicing Branch (LTSB).

Nano Server will be covered by the active Current Branch Servicing (CSB) model, as Windows 10 is. This type of servicing provides new functionality and features.

New features