Solved

Apply certificate for DAG Exchange 2010 servers

Posted on 2013-11-11
Last Modified: 2013-11-15
We have two Exchange servers, EX1 and EX2, in a DAG and a TMG gateway.

Suppose I finish applying the SAN certificate on EX1. How can I then load the certificate on EX2?

In addition, how to load this certificate on TMG?

Great Thanks.
Question by:AXISHK
10 Comments
 
LVL 19

Assisted Solution

by:Peter Hutchison
Peter Hutchison earned 100 total points
ID: 39639176
Run mmc, add the Certificates snap-in for the Local Machine, then you can view the certificate under Personal, Certificates and export it to a PFX file (you need to include the private certificate).
Then you can copy the PFX file to EX2 and import it there and the same for the TMG.
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 100 total points
ID: 39639208
You can also use the Exchange Management Console to export and import the certificate.
If you use the Exchange management tools you can do everything from a single machine.

The only thing you may have to do on the second machine is install any root or intermediate certificate supplied by the SSL vendor.

Simon.
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 300 total points
ID: 39639209
Why do your DAG servers require SAN certificates?
SAN certificates are required by CAS servers...
You can apply the certificate to all servers in the CAS array at once through Exchange MMC.
You need to export the Exchange certificate on the CAS server in .pfx format and import it on the TMG server.
Then you need to create a Web listener on TMG to publish OWA.
Please check the articles below for how to import certificates and create a web listener:
http://technet.microsoft.com/en-us/library/gg589609(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/gg589610(v=ws.10).aspx

Step by step publishing OWA with TMG
http://www.isaserver.org/articles-tutorials/configuration-general/Publishing-Exchange-Outlook-Web-App-OWA-Microsoft-Forefront-Threat-Management-Gateway-TMG-2010-Part2.html
http://www.windows-noob.com/forums/index.php?/topic/3124-how-to-publish-owaactivesyncoutlook-anywhere-exchange-2010-with-microsoft-forefront-tmg/
0
 

Author Comment

by:AXISHK
ID: 39640609
All roles are installed on an Exchange server, and the two Exchange servers run in a DAG.
0
 

Author Comment

by:AXISHK
ID: 39640634
"You can apply certificate to all servers in CAS array at once through Exchange MMC".

How to do this?

Actually, my plan is:
1. Run New-ExchangeCertificate -GenerateRequest to generate a .req file.
2. Submit the certificate to VeriSign.
3. Import the certificate to EX01.
4. My question is how to load the certificate to EX02? As I plan to apply a SAN certificate, I can include the EX02 name in the certificate.

I would appreciate more information on this.

Great thanks
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39640879
It's not advised to install CAS and mailbox server roles on the same server.
Once you get the certificate from VeriSign, you can just right-click the pending cert request in EMC and click on "Complete pending request".
Once the certificate is imported on the Exchange server, assign that certificate to Exchange services; at this time the wizard will allow you to select all Exchange servers (CAS servers) from the list.
Please check the articles below for step-by-step instructions.

http://support.godaddy.com/help/article/5863/installing-an-ssl-certificate-in-microsoft-exchange-server-2010
https://support.globalsign.com/customer/portal/articles/1310888-install-certificate---microsoft-exchange-2010
http://www.msexchange.org/articles-tutorials/exchange-server-2010/management-administration/managing-certificates-exchange-server-2010-part1.html

Hope that helps
0
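
The plan discussed above (request on EX1, complete it, then move the certificate with its private key to EX2), written as Exchange Management Shell commands. This is an added example, not part of any poster's reply: EX1 and EX2 come from the question, while the domain names, the working folder and the IIS,SMTP service list are assumptions.

```powershell
# Added example for the Exchange 2010 Management Shell, started on EX1.
# Assumed values: SAN names, working folder, and the services to bind.
$names   = 'mail.example.com', 'autodiscover.example.com'
$workDir = 'C:\CertWork'

# 1. Generate the request. Mark the key exportable now; without this the
#    issued certificate cannot be exported to a PFX for EX2 or TMG later.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'cn=mail.example.com' -DomainName $names `
    -PrivateKeyExportable $true
Set-Content -Path "$workDir\ex.req" -Value $req

# 2. Once the CA returns the signed certificate (saved here as ex.cer),
#    import it on EX1; this completes the pending request.
$cerBytes = [byte[]](Get-Content -Path "$workDir\ex.cer" -Encoding Byte -ReadCount 0)
$cert = Import-ExchangeCertificate -FileData $cerBytes
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP'

# 3. Export certificate plus private key as a password-protected PFX.
#    The PFX is key material: keep it in a folder only admins can read.
$pw  = Read-Host 'PFX password' -AsSecureString
$pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint `
    -BinaryEncoded:$true -Password $pw
Set-Content -Path "$workDir\ex.pfx" -Value $pfx.FileData -Encoding Byte

# 4. Import and enable on EX2. If your build lacks -Server, copy the PFX
#    to EX2 and run the same two commands there without it.
$pfxBytes = [byte[]](Get-Content -Path "$workDir\ex.pfx" -Encoding Byte -ReadCount 0)
Import-ExchangeCertificate -Server EX2 -FileData $pfxBytes -Password $pw
Enable-ExchangeCertificate -Server EX2 -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP'

# 5. Check that EX2 holds the same certificate with the expected bindings.
Get-ExchangeCertificate -Server EX2 -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, CertificateDomains, Services, NotAfter, Status

# 6. After the PFX has also been imported on the TMG server, delete the
#    working copy so the private key is not left on disk.
Remove-Item -Path "$workDir\ex.pfx"
```

Any root or intermediate certificates supplied by the CA still have to be installed on EX2 and on the TMG server, as noted in the earlier reply.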
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39644471
@ MaheshPM "Its not advised to install CAS and mailbox server roles on same server."

Really? Where does it advise that? Microsoft.com only - not any forums. Anything else isn't a primary source.

The best practise is to have all of the roles on the same server.

The only people who want to split CAS from the mailbox role are those that want to use the Windows NLB - which the Exchange product team don't recommend.

Simon.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39645003
@Sembee2
You may install all Exchange server roles on a single server.
Nobody will stop you.
I am sure that companies having midsize to big setups definitely separate the Exchange roles.
For testing \ small size organizations which may not afford multiple servers, all roles can be done on a single server.
Why should I look for other sources when I am getting product information from the product manufacturer?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39645125
You said it isn't advised to put all of the roles on to the same server. I asked you to provide evidence of that advice.

I can tell you right now that for all installations, including the biggest, that isn't the case.

I sit on a group with some of Microsoft's biggest customers (100,000 plus) and all of them have all roles on all servers. This has even been noticed by Microsoft with the dropping of the hub transport role in Exchange 2013. The functionality of CAS has also been changed because of this new model.

Every design I do has all roles on all servers, and has been the case for over two years.

Simon.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39646077
Below is the MS article which provides information about role separation:
http://technet.microsoft.com/en-us/magazine/hh536214.aspx
The MS article below explains HUB and CAS together (not Mailbox):
http://technet.microsoft.com/en-us/library/ee832795(v=exchg.141).aspx


"It's not advised to install CAS and mailbox server roles on same server" is my earlier comment. Unfortunately I have not found an MS article recommendation to put CAS + Mailbox on the same server.

I also found the link below for multirole server recommendations, which is not practicable in all scenarios.
http://technet.microsoft.com/en-us/library/dd298121(v=exchg.141).aspx

You are talking about Exchange 2013; still, Microsoft has kept at least 2 roles,
even in Exchange 2003 there are also frontend - backend servers?
Then why has Microsoft not published Exchange without any roles in Exchange 2013?

If I have an Exchange design with 10 servers, why should I install all server roles on all servers where, as per design calculations, 4 servers (Hub + CAS) may be enough for client connectivity and 6 mailbox servers in a DAG are enough to load balance mailboxes?
If I install CAS on all 10 servers, then I would require 10 SSL certs.
Now you might ask me to deploy 6 servers with all roles?
Instead of installing all roles on all servers, I will prefer to simplify deployment by separating roles with HA.
This will also help me in case of troubleshooting, performance, management, administration, security, simplicity, recovery, role separation.
One suggestion\recommendation cannot be useful in all situations.
Now I request you to please stop this debate as the topic has changed dramatically from original post.
At least I will stop commenting on this topic now.

Thanks
Mahesh
0


Question has a verified solution.
