Solved

Apply certifcate for DAG Exchange 2010 servers

Posted on 2013-11-11
10
433 Views
Last Modified: 2013-11-15
We have two Exchange servers EX1 and EX2  in DAG and a TMG gateway.

Suppose I finish applying the SAN certificate on EX1. How can I then load the certificate on EX2.

Inaddition, how to load this certificate on TMG ?

Great Thanks.
0
Comment
Question by:AXISHK
  • 4
  • 3
  • 2
  • +1
10 Comments
 
LVL 18

Assisted Solution

by:Peter Hutchison
Peter Hutchison earned 100 total points
ID: 39639176
Run mmc, add the Certificates snap in for the Local MAchine, then you can view the certificate under Personal, Certificates and export it to a PFX file (you need to include the private certificate).
Then you can copy the PFX file to EX2 and import it there and the same for the TMG.
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 100 total points
ID: 39639208
You can also use the Exchange Management Console to export and import the certificate.
If you use the Exchange management tools you can do everything from a single machine.

The only thing you may have to do on the second machine is install any root or intermediate certificate supplied by the SSL vendor.

Simon.
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 300 total points
ID: 39639209
Why your DAG server require SAN certificates ?
SAN certificate required by CAS servers...
You can apply certificate to all servers in CAS array at once through Exchange MMC
You need to export exchange certificate on CAS server in .pfx format and need to import on TMG server.
Then you need to create Web listener on TMG to publish OWA
Please check below articles for how to import certificates and create web listener:
http://technet.microsoft.com/en-us/library/gg589609(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/gg589610(v=ws.10).aspx

Step by step publishing OWA with TMG
http://www.isaserver.org/articles-tutorials/configuration-general/Publishing-Exchange-Outlook-Web-App-OWA-Microsoft-Forefront-Threat-Management-Gateway-TMG-2010-Part2.html
http://www.windows-noob.com/forums/index.php?/topic/3124-how-to-publish-owaactivesyncoutlook-anywhere-exchange-2010-with-microsoft-forefront-tmg/
0
 

Author Comment

by:AXISHK
ID: 39640609
All roles are installed on a Exchange server. And two exchange run in DAG.
0
 

Author Comment

by:AXISHK
ID: 39640634
"You can apply certificate to all servers in CAS array at once through Exchange MMC".

How to do this ?

Actually, what my plan is
1. Run New-ExchangeCertificate -GenerateRequest to generate a .req file.
2. Submit the certificate to VeriSign.
3. Import the certificate to EX01.
4. My question is how to load the certificate to EX02 ? As I plan to apply a SAN certificate, I can include the EX02 name in the certificate.

Appreciate to give me more information on this.

Great tks
0
Want to promote your upcoming event?

Attending an event? Speaking at a conference? Or exhibiting at a tradeshow? Easily inform your contacts by using a promotional banner in your email signature. This will ensure your organization’s most important contacts are in the know.

 
LVL 35

Expert Comment

by:Mahesh
ID: 39640879
Its not advised to install CAS and mailbox server roles on same server.
Once you get the certificate from verisign, you can just right click pending cert request in EMC and click on "Complete pending request".
Once scertificate impotrted on Exchange server, assign that certificate to Exchnage services, at this time wizard will allow to select all exchange servers (CAS Servers) from list.
Please check below arfticle for step by step instruction

http://support.godaddy.com/help/article/5863/installing-an-ssl-certificate-in-microsoft-exchange-server-2010
https://support.globalsign.com/customer/portal/articles/1310888-install-certificate---microsoft-exchange-2010
http://www.msexchange.org/articles-tutorials/exchange-server-2010/management-administration/managing-certificates-exchange-server-2010-part1.html

Hope that helps
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39644471
@ MaheshPM "Its not advised to install CAS and mailbox server roles on same server."

Really? Where does it advise that? Microsoft.com only - not any forums. Anything else isn't a primary source.

The best practise is to have all of the roles on the same server.

The only people who want to split CAS from the mailbox role are those that want to use the Windows NLB - which the Exchange product team don't recommend.

Simon.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39645003
@Sembee2
You may install all Exchange server roles on single server.
Nobody will stop you.
I am sure that companies having midsize to big setup definitely seperate the exchange roles
For testing \ small size organizations which may not afford multiple servers can do all roles on single server
Why should I look for other sources when I am getting product information from product manufacturer?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39645125
You said it isn't advised to put all of the roles on to the same server. I asked you to provide evidence of that advice.

I can tell you right now that for all installations, including the biggest, that isn't the case.

I sit on a group with some of Microsoft's biggest customers (100,000 plus) and all of them have all roles on all servers. This has even been noticed by Microsoft with the dropping of the hub transport role in Exchange 2013. The functionality of CAS has also been changed because of this new model.

Every design I do has all roles on all servers, and has been the case for over two years.

Simon.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39646077
Below is the MS article which provide you information about role seperation
http://technet.microsoft.com/en-us/magazine/hh536214.aspx
Below MS article explains about HUB and CAS Together (Not Mailbox)
http://technet.microsoft.com/en-us/library/ee832795(v=exchg.141).aspx


"Its not advised to install CAS and mailbox server roles on same server" is my earlier comment. Unfortunately I have not found MS article recommendation to put CAS + Mailbox on same server.

Also found below link for multirole servers recommendations which is not practicable in all scenarios.  
http://technet.microsoft.com/en-us/library/dd298121(v=exchg.141).aspx

You are talking about Exchange 2013, still microsoft has kept 2 Roles atleast,
even in Exchange 2003 also there is Frontend - backend servers ?
Then why Microsoft has not published Exchange without any role in Exchange 2013?

If I have exchange design with 10 Servers, why should I install all server roles on all servers where may be as per design calculations, 4 servers (Hub + CAS) are enough for client connectivity and 6 mailbox servers in DAG are enough to load balance mailboxes ?
If I install CAS on all 10 servers, then I would require 10 SSL certs
Now you might ask me to deploy 6 servers with all roles ?
Instead of installing all roles on all servers, I will prefer to simplify deployment by seperating roles with HA.
This will also help me in case of troubleshooting, performance, management, administration, security, simplicity, recovery, role seperation.
One suggestion\recommendation cannot be useful in all situations.
Now I request you to please stop this debate as the topic has changed dramatically from original post.
At least I will stop commenting on this topic now.

Thanks
Mahesh
0

Featured Post

Too many email signature updates to deal with?

Do you feel like you are taking up all of your time constantly visiting users’ desks to make changes to email signatures? Wish you could manage all signatures from one central location, easily design them and deploy them quickly to users? Well, there is an easy way!

Join & Write a Comment

Not sure what the best email signature size is? Are you worried about email signature image size? Follow this best practice guide.
Local Continuous Replication is a cost effective and quick way of backing up Exchange server data. The following article describes the steps required to configure Local Continuous Replication. Also, the article tells you how to restore from a backup…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
how to add IIS SMTP to handle application/Scanner relays into office 365.

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now