Before you begin Welcome to Exchange 2013! Before you deploy Exchange 2013 in your organization, you'll need to first do some careful planning. Before you go any further with the Deployment Assistant, we urge you to review this entire topic to make sure that you fully understand how deploying Exchange 2013 could affect your existing network and Exchange organization.Things to consider before deploying Exchange 2013Before you deploy Exchange 2013, you need to carefully consider some important issues. It’s important that you understand these issues before you begin your deployment so you don’t run into any surprises along the way.Server rolesExchange 2013 includes two server roles; the Mailbox and Client Access server roles. Each organization requires at a minimum one Client Access server and one Mailbox server in the Active Directory forest. Additionally, each Active Directory site that contains a Mailbox server must also contain at least one Client Access server. If you're separating your server roles, we recommend installing the Mailbox server role first.The Mailbox server includes the Client Access protocols, the Transport service, the Mailbox databases, and Unified Messaging (the Client Access server redirects SIP traffic generated from incoming calls to the Mailbox server). The Mailbox server handles all activity for the active mailboxes on that server. The Client Access server provides authentication, limited redirection, and proxy services for all of the usual client access protocols: HTTP, POP and IMAP, and SMTP. The Client Access server, a thin and stateless server, doesn’t do any data rendering. With the exception of diagnostic logs, nothing is queued or stored on the Client Access server.Learn more at: Mailbox and Client Access ServersActive Directory schema updateWhen you install Exchange 2013 for the first time, your Active Directory schema will be updated. This schema update is required to add objects and attributes to Active Directory to support Exchange 2013. Depending on the size of your organization, and how infrastructure responsibilities are divided within your organization, the schema update may need to be done by another team or department. Additionally, replicating the changes made to your schema may take several hours or days and is dependent on your Active Directory replication schedule.Before installing the first Exchange 2013 server, talk with your Active Directory management team, if you have one, so they can review, sign-off, and implement the schema update. We also recommend that you test the schema update in a lab environment and back up your production Active Directory schema prior to applying the schema update.Learn more at: Exchange 2013 Active Directory Schema Changes, Exchange Server 2003 to Exchange Server 2010 Active Directory Schema Changes Reference, March 2013, Prepare Active Directory and Domains, and Testing for Active Directory Schema Extension ConflictsCertificatesSecure Sockets Layer (SSL) certificates help to protect communication between your Exchange servers and clients and other mail servers by encrypting data and, optionally, identifying each side of the connection. Certificates can be issued by third-party certificate authorities (CAs), issued by an internal CA, or self-signed. Here’s a short description of each type of certificate:Third-party certificates Third-party certificates are issued by a public CA such as GoDaddy, Verisign, Thawte, Comodo, or GlobalSign. Certificates published by public CAs are trusted by most operating systems and browsers. This is important if you want to use certificates to help protect communications between your Exchange 2013 organization and external organizations. The external organization must trust the certificate you give them. While you can accomplish the same thing with certificates issued by internal CAs or using self-signed certificates, the external organization must manually trust the certificates on each computer that will communicate with your Exchange 2013 organization. Some public CAs also offer services to verify the identity of the organization they’re issuing a certificate to. This can be useful when an external organization must make sure they’re connecting to the correct organization. Public CAs charge for each certificate they issue. The cost varies depending on the type of certificate your purchase, the number of domains that will be listed on the certificate, and the pricing structure of the public CA.Private certificates Private certificates are issued by an internal, private CA. A private CA is hosted within your organization and issues certificates for your internal use. Private CAs are useful because there is no cost to issuing certificates, internal clients and servers can be configured to trust them automatically, and you manage the issuance process. However, the drawback is that external organizations don’t trust your internal CA by default. If you want to secure communication between your Exchange 2013 and external organizations using a private certificate, the external organization must manually trust the certificates on each computer that will communicate with your Exchange 2013.Self-signed certificates Self-signed certificates are issued by an individual computer and not by any CA. Self-signed certificates aren’t trusted by any other computers, operating systems, or browsers. They don’t allow other clients or servers to verify the identity of the organization. To connect to a computer that uses a self-signed certificate, the client or server that’s connecting must manually trust the certificate. This process must be repeated each time the certificate expires. When you have clients or external organizations that need to connect to your Exchange 2013 servers, using self-signed certificates on your Client Access server isn't feasible.When deploying Exchange 2013, we strongly recommend that you obtain a certificate issued either by a third-party or internal CA for use on your Client Access server. This certificate will be used to help protect communication between the Client Access server and clients and other servers that are connecting to your server. However, you don’t need to get or configure certificates for communication between your Mailbox server and Client Access server. The certificates used for communication between internal Exchange 2013 servers are managed automatically by Exchange. You don’t need to configure certificates on the Mailbox server.Learn more at: Digital Certificates and SSLLegacy Exchange 2007 host nameBefore you deploy Exchange 2013 into your organization, you need to verify that the legacy host name you configured for your existing Exchange 2007 and Exchange 2010 servers is working correctly. A legacy host name is a domain name system (DNS) host name that you assign to your Exchange 2007 servers so that internal and external clients can connect to it. Exchange 2013 makes use of the same legacy host name to redirect connections for Exchange 2007 mailboxes from an Exchange 2013 Client Access server to an Exchange 2007 Client Access server. If the legacy host name isn't configured correctly, Exchange 2013 won't be able to redirect connections to Exchange 2007 Client Access servers.To verify that your legacy host name is configured correctly, connect to an Exchange 2010 Client Access server and log into an Exchange 2007 mailbox. If the legacy host name is configured correctly, you will be successfully redirected to an Exchange 2007 Client Access server.Split DNSSplit domain name service (DNS) is a concept that allows you to configure different IP addresses for the same host name, depending on where the originating DNS request came from. This is also known as split-horizon DNS, split-view DNS, or split-brain DNS. Split DNS can help you reduce the number of host names that you must manage for Exchange by allowing your clients to connect to Exchange through the same host name whether they're connecting from the Internet or from the Intranet. Split DNS allows requests that originate from an intranet to receive a different IP address than requests that originate from the Internet. For example, external Internet users who visit www.contoso.com will be sent to the company’s public website while employees on the internal intranet will be sent to the company’s private intranet site.We recommend that you deploy Exchange 2013 in a split DNS configuration. In addition to simplifying deployment, split DNS also reduces the number of subject alternative names (SANs) required on the SSL certificates you’ll use to help secure connections to your Client Access server. The steps in this checklist configure your new Exchange 2013 organization to use split DNS. When you’re done, you’ll be able to use the same URL, such as owa.contoso.com, to access your Exchange 2013 server from your intranet and the Internet.Note:The Deployment Assistant configures your Exchange 2013 deployment so that the URL internal and external users use to access your Exchange server is the same. If you have a different addressing scheme for your organization, you can change the internal and external URLs to match that scheme.Supported clientsExchange 2013 and Exchange Online support the following minimum versions of Microsoft Outlook and Microsoft Entourage for Mac:Outlook 2013 (15.0.4420.1017)Outlook 2010 Service Pack 1 with the Outlook 2010 November 2012 update (14.0.6126.5000). For more information, see Description of the Outlook 2010 update: November 13, 2012. Outlook 2007 Service Pack 3 with the Outlook 2007 November 2012 update (12.0.6665.5000). For more information, see Description of the Outlook 2007 update: November 13, 2012. Entourage 2008 for Mac, Web Services EditionOutlook for Mac 2011Important:The information above provides the minimum versions required for a client to connect to Exchange and Exchange Online. We strongly recommend that you install the latest available service packs and updates available so that your users receive the best possible experience when connecting to Exchange and Exchange Online.Outlook clients earlier than Outlook 2007 are not supported. Email clients on Mac operating systems that require DAV, such as Entourage 2008 for Mac RTM and Entourage 2004, are not supported.Outlook Web App supports several browsers on a variety of operating systems and devices. For detailed information, see What's New for Outlook Web App in Exchange 2013.Hybrid deployments with Office 365A hybrid deployment offers organizations the ability to extend the feature-rich experience and administrative control they have with their existing on-premises Microsoft Exchange organization to the cloud. A hybrid deployment provides the seamless look and feel of a single Exchange organization between an on-premises Exchange Server 2013 organization and Exchange Online in Office 365. In addition, a hybrid deployment can serve as an intermediate step to moving completely to an Exchange Online organization. To configure a hybrid deployment after your initial Exchange 2013 installation is complete, select Hybrid in the Deployment Assistant and complete the checklist steps.Learn more at: Exchange Server 2013 Hybrid DeploymentsAccessibilityFor information about keyboard shortcuts that may apply to the procedures in this checklist, see Keyboard Shortcuts in the Exchange Admin Center. Verify prerequisites Before you go any further with the Deployment Assistant, make sure that your organization's operating system, hardware, software, clients, and other elements meet the requirements for Exchange 2013. If they don't, you won't be able to complete the steps in the Deployment Assistant and you won't be able to deploy Exchange 2013.Release notesMake sure you read the release notes before you begin your deployment. The release notes contain important information about issues you might encounter during and after your deployment.Learn more at: Release Notes for Exchange 2013System requirementsSystem requirements tell you what hardware and operating systems are supported on the computer where you install Exchange 2013. You’ll also learn about what Active Directory configurations can be used, which legacy Exchange versions can coexist with Exchange 2013 in the same Active Directory forest, which email clients are supported, and what’s required for hybrid deployments with Office 365.Learn more at: Exchange 2013 System RequirementsExchange 2013 prerequisitesPrerequisites tell you what Windows components, software packages, and updates need to be installed on the computer where you’ll install Exchange 2013. These prerequisites need to be installed on the computer before you begin your Exchange 2013 installation.To prepare the Exchange 2010 servers in your organization for coexistence with Exchange 2013, you’ll need to install Service Pack 3 (SP3) for Exchange 2010 on all the Exchange 2010 servers in your organization before you can install Exchange 2013. The service pack is available in the Microsoft Download Center at Microsoft Exchange Server 2010 Service Pack 3 (SP3). Also, be sure to see Release Notes for Exchange Server 2010 SP3 and Upgrade Exchange 2010 to Exchange 2010 SP1, SP2, or Exchange 2010 SP3.To prepare the Exchange 2007 servers in your organization for coexistence with for Exchange 2013, you’ll need to install Update Rollup 10 (RU10) for Exchange 2007 Service Pack 3 (SP3) on all the Exchange 2007 servers in your organization before you can install Exchange 2013. The service pack is available in the Microsoft Download Center at Exchange Server 2007 Service Pack 3. The update rollup is available in the Microsoft Download Center at Update Rollup 10 for Exchange Server 2007 Service Pack 3 (KB2788321). (Although this topic isn't an exact match, you can reference it for steps about how to upgrade to Exchange 2007 SP3: How to Upgrade to Exchange 2007 SP1)Also, in order for Exchange 2013 to coexist with previous versions of Exchange, all your Exchange 2013 servers must be running Cumulative Update 2 (CU2) for Exchange 2013. To download Exchange 2013 CU2, see Cumulative Updates for Exchange 2013.Learn about all prerequisites at: Exchange 2013 PrerequisitesPermissions to install and manage Exchange 2013Exchange 2013 requires different permissions to install and to manage your server roles. When you're installing Exchange 2013 servers in your organization, the account you use might not be the same account that you use for administering and managing your server roles. To manage your server roles, Exchange 2013 uses the Role Based Access Control (RBAC) permissions model.Exchange 2013 uses RBAC to manage permissions on the Mailbox and Client Access server roles. With RBAC, you can control what resources administrators can configure and what features users can access. The RBAC model is flexible and provides you with several ways to customize the default permissions.RBAC has two primary ways of assigning permissions to users in your organization, depending on whether the user is an administrator or specialist user, or an end-user: Management role groups and management role assignment policies. Each method associates users with the permissions they need to do their jobs. The following tables list the tasks found in the Deployment Assistant and the permissions required to complete the task.Note:Some features may require that you have local administrator permissions on the server you want to manage. To manage these features, you must be a member of the Local Administrators group on that server.Learn more at: PermissionsInstallation permissionsThe table below lists the permissions that you need to successfully use the Deployment Assistant and to install Exchange 2013. By default, the account that's used to install Exchange 2013 in the organization is added as a member of the Organization Management role group.When you install the first Exchange 2013 server role (Mailbox) into your Exchange 2013 organization, Exchange Setup will prepare your Active Directory schema if you have the correct permissions. If you want to separate your Active Directory schema preparation from the Exchange server installation, see Prepare Active Directory and Domains.For information about how to add permissions, see Manage Role Group Members. TaskPermissions requiredInstall the Mailbox server role (first server role installed)Local AdministratorEnterprise AdministratorSchema AdminsInstall the second serverLocal AdministratorOrganization Management or Delegated SetupExchange management permissionsThe table below lists the configuration permissions that you need to successfully use the Deployment Assistant. For information about how to add permissions, see Manage Role Group Members. TaskPermissions requiredConfigure disjoint namespaceLocal AdministratorDomain AdministratorConfigure mail flowOrganization ManagementConfigure accepted domainsOrganization ManagementConfigure email address policiesOrganization ManagementConfigure external URLsOrganization Management or Server ManagementConfigure certificatesOrganization Management or Server ManagementLocal AdministratorConfigure Unified MessagingOrganization Management or UM ManagementConfigure site mailboxesOrganization Management or Server Management Collect required information Before you start your Exchange 2013 deployment, you're going to need information about your organization. We suggest you print this step so you can record your organization's information and have easy access to it as you go through the checklist.You can use the following table to gather information about your organization that you're going to need before you get started. When you're working through your checklist, replace the example information that you see in the checklist with the information you've provided in this table. For example, if the external fully qualified domain name (FQDN) of your Exchange 2013 server will be exchange.adatum.com, enter that FQDN in the "Value in your organization" field. DescriptionExample value in checklistValue in your organizationActive Directory forest rootcorp.contoso.com Internal Exchange 2013 computer nameEX2013 Internal Exchange 2007 or Exchange 2010 computer nameEX2007 or EX2010 External Exchange 2013 FQDN for the following services:Outlook Anywhere Offline Address Book Exchange Web Services (EWS) Exchange ActiveSync mail.contoso.com Internal Exchange 2013 FQDN for the following services:Outlook Anywhere Offline Address Book Remote PowerShell Exchange Web Services (EWS) Exchange ActiveSync Internal URL same as external URL mail.contoso.comInternal URL different than external URL internal.contoso.com External Exchange 2013 FQDN for the following services:Outlook Web App ECP (Exchange Admin Center) owa.contoso.com Internal Exchange 2013 FQDN for the following services:Outlook Web App ECP (Exchange Admin Center) Internal URL same as external URL owa.contoso.comInternal URL different than external URL internal.contoso.com External Autodiscover FQDNautodiscover.contoso.com Internal service connection point FQDNautodiscover.contoso.com Primary SMTP namespacecontoso.com User principal name domaincontoso.com Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection Configure default offline address book Estimated time to complete: 5 minutes or longer, depending on the number of mailbox databases in your organizationBefore you install Exchange 2013, you need to make sure that all of the existing Exchange mailboxes in your organization are assigned a default offline address book (OAB). If you don't do this, any mailbox that isn't assigned a default OAB when Exchange 2013 is installed will automatically download the new OAB generated by Exchange 2013. If you have hundreds or thousands of mailboxes, this could cause significant network traffic and server load.The steps below show you how to assign a default OAB to Exchange mailbox databases. Assigning a default OAB to a mailbox database has two advantages:Mailboxes stored in a mailbox database will inherit the OAB assigned to a mailbox database if the mailbox itself has no OAB assigned. This allows you to assign an OAB to many mailboxes without having to individually update each mailbox.When the mailbox is moved from an existing Exchange server to Exchange 2013, the mailbox will automatically begin using the new Exchange 2013-generated OAB if the mailbox itself isn't assigned an OAB.Important You need to run the commands below on your Exchange 2007 and Exchange 2010 servers separately. The Get-MailboxDatabase and Set-MailboxDatabase cmdlets running on an Exchange 2007 server can't configure mailbox databases running on Exchange 2010 and vice versa.How do I do this?Open the Exchange Management Shell on your Exchange server.Run the following command to retrieve a list of OABs.Get-OfflineAddressBookRun the following command to view all the Exchange 2007 or Exchange 2010 mailbox databases in your organization and the OABs assigned to them.Get-MailboxDatabase | Format-Table Name, Server, OfflineAddressBook -AutoFor every mailbox database that doesn't have an OAB assigned, assign an OAB from the list you retrieved earlier. You can either set the OAB on each mailbox database individually or set the OAB on all mailbox databases at once. Use the command below that best suits your requirements. To set the OAB on each mailbox database individually, run the following command. The command example uses "Sales Employees" for the mailbox database name on the Ex2007 server, and the "Default Offline Address Book" for the name of the OAB.Set-MailboxDatabase "Ex2007\Sales Employees" -OfflineAddressBook "Default Offline Address Book"To set the same OAB on all mailbox databases at once, run the following command. The command example uses "Default Offline Address Book" for the name of the OAB.Warning:The following command will overwrite the OAB assigned to every mailbox database in your organization. If you want to verify the command has the intended effect, run it with theWhatIf switch parameter first.Get-MailboxDatabase | Set-MailboxDatabase -OfflineAddressBook "Default Offline Address Book"How do I know this worked?To verify that every mailbox database in your organization is assigned a default OAB, run the following command. Every mailbox database should have an OAB listed in the OfflineAddressBookcolumn.Get-MailboxDatabase | Format-Table Name, Server, OfflineAddressBook -AutoHaving problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection Disable IPv6 on Exchange 2007 servers Estimated time to complete: 5 minutesBefore you install Exchange 2013, you might need to disable IPv6 on some of your Exchange 2007 servers. Some connections between Exchange 2007 and Exchange 2013 don't work correctly when IPv6 is enabled and an Exchange 2007 server has both the Mailbox and Client Access server roles installed.If you have Exchange 2007 servers that have both the Mailbox and Client Access server roles installed, complete the following steps on each of those servers to disable IPv6 on them.How do I do this?Do the following on each Exchange 2007 server in your organization that has both the Mailbox and Client Access server roles installed:Open the Registry Editor on your Exchange 2007 Client Access server.Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\If the DisabledComponents entry doesn’t exist, do the following to create it:In the Edit menu, click New, and then click DWORD (32-bit) Value.Type DisabledComponents and then press enter.Double-click DisabledComponents.In the Value data field, enter 0xFFFFFFFF.Click OK.Reboot the server.How do I know this worked?To verify that you've correctly set the DisabledComponents in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\, do the following:Open a Windows command prompt.Run the following command:Reg Query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters /v DisabledComponentsIf the DisabledComponents entry is properly set, you'll see the following:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters DisabledComponents REG_DWORD 0xFFFFFFFFIf you see a value other than 0xFFFFFFFF for the DisabledComponents entry, or if you receive the error ERROR: The system was unable to find the specified registry key or value., the entry isn't set correctly. Verify that you placed the DisabledComponents entry in the correct path and that it's spelled correctly.Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection Install Exchange 2013 Estimated time to complete: 50 to 60 minutesThe Mailbox server role in Exchange 2013 hosts user mailboxes and public folder mailboxes, provides Unified Messaging services, generates the Offline Address Book (OAB), and more. In Exchange 2013, the Client Access server role provides clients with access to mailboxes via Outlook, Outlook Web App, and other protocols; accepts inbound SMTP connections from the Internet and other Active Directory sites; accepts connections from telephony systems; and more.Learn more at: Mailbox and Client Access ServersCaution:After you install Exchange 2013 on a server, you must not change the server name. Renaming a server after you have installed an Exchange 2013 server role is not supported.How do I do this?Important To prepare your organization for Exchange 2013, make sure that you’ve done everything in the Verify prerequisites step earlier in this checklist. That step has lots of important information, like the following:In order for Exchange 2013 to coexist with previous versions of Exchange, all your Exchange 2013 servers must be running Cumulative Update 2 (CU2) for Exchange 2013. For information on how to download Exchange 2013, see Cumulative Updates for Exchange 2013.You'll also need to install Update Rollup 10 for Exchange 2007 Service Pack 3 (SP3) on all the Exchange 2007 servers in your organization before you can install Exchange 2013. Download fromExchange Server 2007 Service Pack 3 and Update Rollup 10 for Exchange Server 2007 Service Pack 3(KB2788321). In terms of the order in which to upgrade your sites, assuming you have Exchange servers in more than one site, start with any Internet-facing Active Directory sites, followed by the internal sites. The first site you will want to upgrade is the one where AutoDiscover requests from the Internet come in.After you have downloaded Exchange 2013 CU2, log on to the computer on which you want to install Exchange 2013. Navigate to the network location of the Exchange 2013 installation files.Start Exchange 2013 Setup by double-clicking Setup.exe.Important:If you have User Access Control (UAC) enabled, you must right-click Setup.exe and select Run as administrator.On the Check for Updates page, choose whether you want Setup to connect to the Internet and download product and security updates for Exchange 2013. If you select Connect to the Internet and check for updates, Setup will download updates and apply them prior to continuing. If you select Don't check for updates right now, you can download and install updates manually later. We recommend that you download and install updates now. Click Next to continue. The Introduction page begins the process of installing Exchange into your organization. It will guide you through the installation. Several links to helpful deployment content are listed. We recommend that you visit these links prior to continuing setup. Click Next to continue. On the License Agreement page, review the software license terms. If you agree to the terms, select I accept the terms in the license agreement, and then click Next. On the Recommended settings page, select whether you want to use the recommended settings. If you select Use recommended settings, Exchange will automatically send error reports and information about your computer hardware and how you use Exchange to Microsoft. If you select Don't use recommended settings, these settings remain disabled but you can enable them at any time after Setup completes. For more information about these settings and how information sent to Microsoft is used, click ?. On the Server Role Selection page, select both Mailbox role and Client Access role. The management tools are installed automatically if you install any other server role. Select Automatically install Windows Server roles and features that are required to install Exchange Server to have the Setup wizard install required Windows prerequisites. You may need to reboot the computer to complete the installation of some Windows features. If you don't select this option, you must install the Windows features manually. Note:This option installs only the Windows features required by Exchange. You must install other prerequisites manually. For more information, see Exchange 2013 Prerequisites.Click Next to continue.On the Installation Space and Location page, either accept the default installation location or click Browse to choose a new location. Make sure that you have enough disk space available in the location where you want to install Exchange. Click Next to continue.On the Malware Protection Settings page, choose whether you want to enable or disable malware scanning. If you disable malware scanning, it can be enabled in the future. Unless you have a specific reason to disable malware scanning, we recommend that you keep it enabled. Click Next to continue. On the Readiness Checks page, view the status to determine if the organization and server role prerequisite checks completed successfully. If they haven't completed successfully, you must resolve any reported errors before you can install Exchange 2013. You don't need to exit Setup when resolving some of the prerequisite errors. After resolving a reported error, click Back and then click Next to run the prerequisite check again. Be sure to also review any warnings that are reported. If all readiness checks have completed successfully, click Install to install Exchange 2013. On the Completion page, click Finish.Note:If you didn't separate your Active Directory schema preparation from the installation of Exchange 2013, the amount of time this takes is dependent upon your Active Directory site topology. It might take some time for the changes to replicate across your organization.Restart the computer after Exchange 2013 has completed.How do I know this worked?Run Get-ExchangeServerTo verify that Exchange 2013 installed successfully, run the Get-ExchangeServer cmdlet in the Exchange Management Shell. A list is displayed of all Exchange server roles that are installed on the specified server when this cmdlet is run.For detailed syntax and parameter information, see Get-ExchangeServer.Review the setup log fileYou can also learn more about the installation and configuration of Exchange 2013 by reviewing the setup log file created during the setup process.During installation, Exchange Setup logs events in the Application log of Event Viewer on computers that are running Windows Server 2008 R2 with Service Pack 1 (SP1) and Windows Server 2012. Review the Application log, and make sure there are no warning or error messages related to Exchange setup. These log files contain a history of each action that the system takes during Exchange 2013 setup and any errors that may have occurred. By default, the logging method is set to Verbose. Information is available for each installed server role.You can find the setup log file at\ExchangeSetupLogs\ExchangeSetup.log. The variable represents the root directory of the drive where the operating system is installed.The setup log file tracks the progress of every task that is performed during the Exchange 2013 installation and configuration. The file contains information about the status of the prerequisite and system readiness checks that are performed before installation starts, the application installation progress, and the configuration changes that are made to the system. Check this log file to verify that the server roles were installed as expected.We recommend that you start your review of the setup log file by searching for any errors. If you find an entry that indicates that an error occurred, read the associated text to figure out the cause of the error.Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection Create an Exchange 2013 mailbox To simplify configuration of Exchange 2013 and to help test your new server later on, you need to create an Exchange 2013 mailbox. We'll make this new mailbox a member of the Organization Management role group and you'll use this mailbox when you configure Exchange 2013.Later on in the checklist you'll need to log into your Exchange 2013 servers. Log in using the Exchange 2013 mailbox you'll create in this step. This will make sure you have the correct permissions to perform each of the steps and that the EAC opens correctly.How do I do this?Open the EAC by browsing to the URL of your Client Access server. For example, https://Ex2013/ecp?ExchClientVer=15.Important:You need to include ?ExchClientVer=15 in the URL when you want to open the EAC with a user that doesn't have an Exchange 2013 mailbox.Enter the user name and password of the account you used to install Exchange 2013 in Domain\user name and Password, and then click Sign in.Go to Recipients > Mailboxes. On the Mailboxes page, click Add and then select User mailbox.Provide the information required for the new user and then click Save.Go to Permissions > Admin Roles. On the Admin Roles page, select Organization Management and click Edit .Under Members, click Add .Select the Exchange 2013 mailbox you just created, click Add, then click OK. Then click Save.How do I know this worked?To verify that you've successfully created an Exchange 2013 mailbox and added it as a member of the Organization Management role group, do the following:In the EAC, go to Permissions > Admin Roles. On the Admin Roles page, select Organization Management.In the details pane, view the Members list. If the Exchange 2013 mailbox has been successfully added as a member of the Organization Management role group, the mailbox will be listed here.Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection Configure Exchange 2013 external URLs Estimated time to complete: 10 to 15 minutesThere are several settings that you need to configure on the Exchange 2013 virtual directories, which include Outlook Anywhere, Exchange ActiveSync, Exchange Web Services, Offline Address Book (OAB), Outlook Web App, the Exchange admin center, and the availability service.Learn more at: Virtual Directory ManagementHow do I do this?Open the EAC by browsing to the URL of your Client Access server. For example, https://Ex2013/ECP.Enter your user name and password in Domain\user name and Password, and then click Sign in.Go to Servers > Servers, select the name of the Internet-facing Exchange 2013 Client Access server and then click Edit .Click Outlook Anywhere.In the Specify the external hostname field, specify the externally accessible FQDN of the Client Access server. For example, mail.contoso.com.While you’re here, let’s also set the internally accessible FQDN of the Client Access server. In the Specify the internal hostname field, insert the FQDN you used in the previous step. For example, mail.contoso.com.Click Save.Go to Servers > Virtual directories and then click Configure external access domain .Under Select the Client Access servers to use with the external URL, click Add .Select the Client Access servers you want to configure, and then click Add. After you’ve added all the Client Access servers you want to configure, click OK.In Enter the domain name you will use with your external Client Access servers, type the external domain you want to apply. For example, mail.contoso.com. Click Save.Note:Some organizations make the Outlook Web App FQDN unique to protect users against changes to underlying server FQDN changes. Many organizations use owa.contoso.com for their Outlook Web App FQDN instead of mail.contoso.com. If you want to configure a unique Outlook Web App FQDN, do the following after you completed the previous step. This checklist assumes you have configured a unique Outlook Web App FQDN.In Select server, choose your Exchange 2013 Client Access server.Select owa (Default Web Site) and click Edit .In External URL, type https://, then the unique Outlook Web App FQDN you want to use, and then append /owa. For example, https://owa.contoso.com/owa.Click Save.Select ecp (Default Web Site) and click Edit .In External URL, type https://, then the same Outlook Web App FQDN that you specified in the previous step, and then append /ecp. For example, https://owa.contoso.com/ecp.Click Save.How do I know this worked?To verify that you have successfully configured the external URL on the Client Access server virtual directories, do the following:In the EAC, go to Servers > Virtual directories.In the Select server field, select the Internet-facing Exchange 2013 Client Access server.Select a virtual directory and then, in the virtual directory details pane, verify that the External URL field is populated with the correct FQDN and service as shown below: Virtual directoryExternal URL valueAutodiscoverNo external URL displayedECPhttps://owa.contoso.com/ecpEWShttps://mail.contoso.com/EWS/Exchange.asmxMicrosoft-Server-ActiveSynchttps://mail.contoso.com/Microsoft-Server-ActiveSyncOABhttps://mail.contoso.com/OABOWAhttps://owa.contoso.com/owaPowerShellhttp://mail.contoso.com/PowerShellHaving problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection Configure Exchange 2013 internal URLs Estimated time to complete: 10 to 15 minutesBefore clients can connect to your new Exchange 2013 server from your Intranet, you need to configure the internal domains, or URLs, on the Exchange 2013 Client Access server’s virtual directories.You choose whether you want users to use the same URL on your intranet and on the Internet to access your Exchange servers or whether they should use a different URL. What you choose depends on the addressing scheme you have in place already or that you want to implement. If you’re implementing a new addressing scheme, we recommend that you use the same URL for both internal and external URLs. Using the same URL makes it easier for users to access your Exchange servers because they only have to remember one address. Regardless of the choice you make, you need to make sure you configure a private DNS zone for the address space you configure. For more information about administering DNS zones, see Administering DNS Server.For more information internal and external URLs on virtual directories, see Virtual Directory Management.What do you want to do?Configure internal and external URLs to be the sameOpen the Exchange Management Shell on your Exchange 2013 Client Access server.Store the host name of your Client Access server in a variable that will be used in the next step. For example, Ex2013.$HostName = "Ex2013"Run each of the following commands in the Shell to configure each internal URL to match the virtual directory’s external URL. Set-EcpVirtualDirectory "$HostName\ECP (Default Web Site)" -InternalUrl ((Get-EcpVirtualDirectory "$HostName\ECP (Default Web Site)").ExternalUrl) Set-WebServicesVirtualDirectory "$HostName\EWS (Default Web Site)" -InternalUrl ((get-WebServicesVirtualDirectory "$HostName\EWS (Default Web Site)").ExternalUrl) Set-ActiveSyncVirtualDirectory "$HostName\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl ((Get-ActiveSyncVirtualDirectory "$HostName\Microsoft-Server-ActiveSync (Default Web Site)").ExternalUrl) Set-OabVirtualDirectory "$HostName\OAB (Default Web Site)" -InternalUrl ((Get-OabVirtualDirectory "$HostName\OAB (Default Web Site)").ExternalUrl) Set-OwaVirtualDirectory "$HostName\OWA (Default Web Site)" -InternalUrl ((Get-OwaVirtualDirectory "$HostName\OWA (Default Web Site)").ExternalUrl) Set-PowerShellVirtualDirectory "$HostName\PowerShell (Default Web Site)" -InternalUrl ((Get-PowerShellVirtualDirectory "$HostName\PowerShell (Default Web Site)").ExternalUrl)How do I know this worked?To verify that you have successfully configured the internal URL on the Client Access server virtual directories, do the following:In the EAC, go to Servers > Virtual directories.In the Select server field, select the Internet-facing Client Access server.Select a virtual directory and then click Edit . Verify that the Internal URL field is populated with the correct FQDN and service as shown below: Virtual directoryInternal URL valueAutodiscoverNo internal URL displayedECPhttps://owa.contoso.com/ecpEWShttps://mail.contoso.com/EWS/Exchange.asmxMicrosoft-Server-ActiveSynchttps://mail.contoso.com/Microsoft-Server-ActiveSyncOABhttps://mail.contoso.com/OABOWAhttps://owa.contoso.com/owaPowerShellhttp://mail.contoso.com/PowerShellHaving problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online ProtectionConfigure different internal and external URLsOpen the EAC by browsing to the URL of your Client Access server. For example, https://Ex2013/ECP.Go to Servers > Virtual directories.In the Select server field, select the Internet-facing Client Access server.Select the virtual directory you want to change, and then click Edit .In Internal URL, replace the host name between https:// and the first forward slash (/ ) with the new FQDN you want to use. For example, if you want to change the EWS virtual directory FQDN from Ex2013.corp.contoso.com to internal.contoso.com, change the internal URL from https://Ex2013.corp.contoso.com/ews/exchange.asmx to https://internal.contoso.com/ews/exchange.asmx.Click Save.Repeat steps 5 and 6 for each virtual directory you want to change.Note:The ECP and OWA virtual directory internal URLs must be the same.You can’t set an internal URL on the Autodiscover virtual directory.How do I know this worked?To verify that you have successfully configured the internal URL on the Client Access server virtual directories, do the following:In the EAC, go to Servers > Virtual directories.In the Select server field, select the Internet-facing Client Access server.Select a virtual directory, and then click Edit . Verify that the Internal URL field is populated with the correct FQDN. For example, you may have set the internal URLs to use internal.contoso.com. Virtual directoryInternal URL valueAutodiscoverNo internal URL displayedECPhttps://internal.contoso.com/ecpEWShttps://internal.contoso.com/EWS/Exchange.asmxMicrosoft-Server-ActiveSynchttps://internal.contoso.com/Microsoft-Server-ActiveSyncOABhttps://internal.contoso.com/OABOWAhttps://internal.contoso.com/owaPowerShellhttp://internal.contoso.com/PowerShellHaving problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection Configure Exchange 2013 certificates Estimated time to complete: 10 to 15 minutes (not including response time from the certificate authority)Some services, such as Outlook Anywhere and Exchange ActiveSync, require certificates to be configured on your Exchange 2013 server. You can choose whether you want to re-use the SSL certificate installed on the Exchange 2010 server or purchase a new SSL certificate from a third-party certificate authority (CA). If you decide to re-use the Exchange 2010 certificate, the host names you've configured on the Exchange 2013 virtual directories must match the host names configured on the SSL certificate.How do I get and install a 3rd-party SSL certificate?Open the EAC by browsing to the URL of your Client Access server. For example, https://Ex2013/ECP.Enter your user name and password in Domain\user name and Password, and then click Sign in.Go to Servers > Certificates. On the Certificates page, make sure your Client Access server is selected in the Select server field, and then click New .In the New Exchange certificate wizard, select Create a request for a certificate from a certification authority and then click Next.Specify a name for this certificate and then click Next.If you want to request a wildcard certificate, select Request a wild-card certificate and then specify the root domain of all subdomains in the Root domain field. If you don't want to request a wildcard certificate and instead want to specify each domain you want to add to the certificate, leave this page blank. Click Next.Click Browse and specify an Exchange server to store the certificate on. The server you select should be the Internet-facing Client Access server. Click Next.For each service in the list shown, verify that the external or internal server names that users will use to connect to the Exchange server are correct. For example:If you configured your internal and external URLs to be the same, Outlook Web App (when accessed from the Internet) and Outlook Web App (when accessed from the Intranet)should show owa.contoso.com. OAB (when accessed from the Internet) and OAB (when accessed from the Intranet) should show mail.contoso.com. If you configured the internal URLs to be internal.contoso.com, Outlook Web App (when accessed from the Internet) should show owa.contoso.com and Outlook Web App (when accessed from the Intranet) should show internal.contoso.com.These domains will be used to create the SSL certificate request. Click Next.Add any additional domains you want included on the SSL certificate. Select the domain that you want to be the common name for the certificate and click Set as common name. For example, contoso.com. Click Next.Provide information about your organization. This information will be included with the SSL certificate. Click Next.Specify the network location where you want this certificate request to be saved. Click Finish.After you've saved the certificate request, submit the request to your certificate authority (CA). This can be an internal CA or a third-party CA, depending on your organization. Clients that connect to the Client Access server must trust the CA that you use. After you receive the certificate from the CA, complete the following steps:On the Server > Certificates page in the EAC, select the certificate request you created in the previous steps.In the certificate request details pane, click Complete under Status.On the Complete pending request page, specify the path to the SSL certificate file and then click OK.Select the new certificate you just added, and then click Edit .On the certificate page, click Services.Select the services you want to assign to this certificate. At minimum, you should select IIS but you can also select IMAP, POP, and UM call router if you use these services. If you want to use secure transport, you can also select SMTP to make this certificate available to Exchange 2013 transport. Click Save.If you receive the warning Overwrite the existing default SMTP certificate?, click Yes.How do I re-use my Exchange 2010 SSL certificate?First, you need to export your certificate from your Exchange 2010 server with the certificate's private key using the following steps.Log on directly to your Exchange 2010 Client Access server with an administrator user account.Open an empty Microsoft Management Console (MMC).Click File, then Add/Remove Snap-in.In the Add or Remove Snap-ins window, select Certificates and then click Add >. In the Certificates snap-in window that appears, select Computer account and click Next.Select Local computer and click Finish. Then click OK.Under Console Root, expand Certificates (Local Computer), Personal, and then Certificates.Select the 3rd-party certificate that's used by Exchange 2010 that matches the host names you've configured on the Exchange 2013 server. This must be a 3rd-party certificate and not a self-signed certificate.Right-click on the certificate and select All Tasks and then Export....In the Certificate Export Wizard, click Next.Select Yes, export the private key and click Next.Important:You must be able to export the certificate from your Exchange 2010 server with the certificate's private key. If you don't have access to the certificate's private key, you won't be able to use the certificate on the Exchange 2013 server. You'll need to use the steps in "How do I get and install a 3rd-party SSL certificate?" to get a certificate for the Exchange 2013 server.Make sure Personal Information Exchange - PKCS #12 (.PFX) and Include all certificates in the certification path if possible are selected. Make sure no other options are selected. ClickNext.Select Password and enter a password to help secure your certificate. Click Next.Specify a file name for the new certificate. Use the file extension .pfx. Click Next and then click Finish.You'll receive a confirmation prompt if the certificate export was successful. Click OK to close it.Copy the .pfx file you created to your Exchange 2013 Client Access server.After you've exported the certificate from your Exchange 2010 server, you need to import the certificate on your Exchange 2013 server using the following steps.Log on directly to your Exchange 2013 Client Access server with an administrator user account.Open an empty Microsoft Management Console (MMC).Click File, then Add/Remove Snap-in.In the Add or Remove Snap-ins window, select Certificates and then click Add >. In the Certificates snap-in window that appears, select Computer account and click Next.Select Local computer and click Finish. Then click OK.Under Console Root, expand Certificates (Local Computer), and then Personal.Right-click Personal and select All Tasks and then Import….In the Certificate Import Wizard, click Next.Click Browse and select the .pfx file you copied to your Exchange 2013 Client Access server. Click Open and then click Next.Note:You may need to change the File name filter in the Open window to All Files (*.*) to see the .pfx file.In the Password field, enter the password you used to help secure the certificate when you exported it on the Exchange 2010 Client Access server.Verify that Include all extended properties is selected and click Next.Verify that Place all certificates in the following store is selected and Personal is shown in Certificate store. Click Next. Click Finish.You'll receive a confirmation prompt if the certificate import was successful. Click OK to close it.Now that the new certificate has been imported on your Exchange 2013 Client Access server, you need to assign it to your Exchange services using the following steps.Open the EAC by browsing to the URL of your Client Access server. For example, https://Ex2013/ECP.Enter your user name and password in Domain\user name and Password, and then click Sign in.On the Server > Certificates page in the EAC, select the new certificate you just added, and then click Edit .On the certificate page, click Services.Select the services you want to assign to this certificate. At minimum, you should select IIS but you can also select IMAP, POP, and UM call router if you use these services. If you want to use secure transport, you can also select SMTP to make this certificate available to Exchange 2013 transport. Click Save.If you receive the warning Overwrite the existing default SMTP certificate?, click Yes.How do I know this worked?To verify that you have successfully added a new certificate, do the following:In the EAC, go to Servers > Certificates.Select the new certificate and then, in the certificate details pane, verify that the following are true:Status shows ValidAssigned to services shows, at minimum, IIS and optionally IMAP, POP, UM call router, and SMTP.Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection Move arbitration mailbox Estimated time to complete: 10 minutesIn Exchange 2010, the Microsoft Exchange system mailbox is an arbitration mailbox used to store organization-wide data such as administrator audit logs, metadata for eDiscovery searches, and Unified Messaging data, such as menus, dial plans, and custom greetings. When you install Exchange 2013 into an existing Exchange 2010 organization, you need to move the arbitration mailbox to an Exchange 2013 Mailbox server. If you don't move the arbitration mailbox, Exchange 2013 cmdlets that are run won't be logged in the administrator audit log and eDiscovery searches run on Exchange 2013 servers will be queued but won't start.How do I do this?In the EAC, go to Recipients > Migration.Click New , and then click Move to a different database.On the New local mailbox move page, click Select the users that you want to move, and then click Add .On the Select Mailbox page, add the mailbox that has the following properties:The display name is Microsoft Exchange.The alias of the mailbox’s email address is SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}. Click OK, and then click Next.On the Move configuration page, type the name of the migration batch, and then click Browse next to the Target database box.On the Select Mailbox Database page, add the mailbox database to move the system mailbox to. Verify that the version of the mailbox database that you select is Version 15. x, which indicates that the database is located on an Exchange 2013 server.Click OK, and then click Next.On the Start the batch page, select the options to automatically start and complete the migration request, and then click New.How do I know this worked?To verify that you’ve successfully moved the Microsoft Exchange system mailbox to a mailbox database located on an Exchange 2013 server, run the following command in the Shell.Get-Mailbox -Arbitration -Identity "SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}" | FL Database,ServerName,AdminDisplayVersionIf the value of the AdminDisplayVersion property is Version 15.x (Build xxx.x), this verifies that the system mailbox resides on a mailbox database that is located on an Exchange 2013 server.After you move the Microsoft Exchange system mailbox to Exchange 2013, you’ll also be able to successfully perform the following administrative tasks:Run the Search-AdminAuditLog cmdlet.Export the administrator audit log in the EAC.Successfully create and start eDiscovery searches using the EAC or the Shell in Exchange 2013.Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection Enable and configure Outlook Anywhere Estimated time to complete: 10 to 15 minutesTo allow your Exchange 2013 Client Access server to redirect connections to your Exchange 2007 and Exchange 2010 servers, you must enable and configure Outlook Anywhere on all of the Exchange 2007 and Exchange 2010 servers in your organization. If some Exchange 2007 or Exchange 2010 servers in your organization are already configured to use Outlook Anywhere, their configuration must also be updated to support Exchange 2013. When you use the steps below to configure Outlook Anywhere, the following configuration is set on each Exchange 2007 and Exchange 2010 server:The Outlook Anywhere external URL is set to the external hostname of the Exchange 2013 server.Client authentication, which is used to allow clients like Outlook 2013 to authenticate with Exchange, is set to Basic.Internet Information Services (IIS) authentication, which is used to allow Exchange servers to communicate, set to NTLM and Basic.How do I do this?Perform the following steps to enable and configure Outlook Anywhere on your Exchange 2007 servers.Open the Exchange Management Shell on your Exchange 2007 Client Access server.Store the external host name of your Exchange 2013 Client Access server in a variable that will be used in the next steps. For example, mail.contoso.com.$Exchange2013HostName = "mail.contoso.com"Run the following command to configure Exchange 2007 servers that already have Outlook Anywhere enabled to accept connections from Exchange 2013 servers.Warning:The following command will change the configuration of Outlook Anywhere on any Exchange 2007 server in your organization on which it's already enabled.Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 8*") -And ($_.ServerRole -Like "*ClientAccess*")} | Get-ClientAccessServer | Where {$_.OutlookAnywhereEnabled -Eq $True} | ForEach {Set-OutlookAnywhere "$_\RPC (Default Web Site)" -ClientAuthenticationMethod Basic -SSLOffloading $False -ExternalHostName $Exchange2013HostName -IISAuthenticationMethods NTLM, Basic}Run the following command to enable Outlook Anywhere on the rest of your Exchange 2007 servers to accept connections from Exchange 2013 servers. Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 8*") -And ($_.ServerRole -Like "*ClientAccess*")} | Get-ClientAccessServer | Where {$_.OutlookAnywhereEnabled -Eq $False} | Enable-OutlookAnywhere -ClientAuthenticationMethod Basic -SSLOffloading $False -ExternalHostName $Exchange2013HostName -IISAuthenticationMethods NTLM, BasicPerform the following steps to enable and configure Outlook Anywhere on your Exchange 2010 servers.Open the Exchange Management Shell on your Exchange 2010 Client Access server.Store the external host name of your Exchange 2013 Client Access server in a variable that will be used in the next steps. For example, mail.contoso.com.$Exchange2013HostName = "mail.contoso.com"Run the following command to configure Exchange 2010 servers that already have Outlook Anywhere enabled to accept connections from Exchange 2013 servers. Warning:The following command will change the configuration of Outlook Anywhere on any Exchange 2010 server in your organization on which it's already enabled.Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 14*") -And ($_.ServerRole -Like "*ClientAccess*")} | Get-ClientAccessServer | Where {$_.OutlookAnywhereEnabled -Eq $True} | ForEach {Set-OutlookAnywhere "$_\RPC (Default Web Site)" -ClientAuthenticationMethod Basic -SSLOffloading $False -ExternalHostName $Exchange2013HostName -IISAuthenticationMethods NTLM, Basic}Run the following command to enable Outlook Anywhere and configure Exchange 2010 to accept connections from Exchange 2013 servers. Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 14*") -And ($_.ServerRole -Like "*ClientAccess*")} | Get-ClientAccessServer | Where {$_.OutlookAnywhereEnabled -Eq $False} | Enable-OutlookAnywhere -ClientAuthenticationMethod Basic -SSLOffloading $False -ExternalHostName $Exchange2013HostName -IISAuthenticationMethods NTLM, BasicHow do I know this worked?To verify that you've successfully configured Outlook Anywhere on your Exchange 2007 servers to accept connections redirected from Exchange 2013, do the following:Open the Exchange Management Shell on your Exchange 2007 Client Access server.Run the following command to view the Outlook Anywhere configuration on your Exchange 2007 servers:Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 8*") -And ($_.ServerRole -Like "*ClientAccess*")} | Get-OutlookAnywhere | Format-Table Server, ClientAuthenticationMethod, IISAuthenticationMethods, SSLOffloading, ExternalHostname -WrapTo verify that you've successfully configured Outlook Anywhere on your Exchange 2010 servers to accept connections redirected from Exchange 2013, Do the following:Open the Exchange Management Shell on your Exchange 2010 Client Access server.Run the following command to view the Outlook Anywhere configuration on your Exchange 2010 servers:Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 14*") -And ($_.ServerRole -Like "*ClientAccess*")} | Get-OutlookAnywhere | Format-Table Server, ClientAuthenticationMethod, IISAuthenticationMethods, SSLOffloading, ExternalHostname -AutoHaving problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection Configure service connection point Estimated time to complete: 10 minutesAutodiscover uses an Active Directory object called the service connection point (SCP) to retrieve a list of AutoDiscover URLs for the forest in which Exchange is installed. When you install Exchange 2013, you need to update the SCP object to point to the Exchange 2013 server. This is necessary because Exchange 2013 servers provide additional AutoDiscover information to clients to improve the discovery process.You must update the SCP object configuration on every Exchange server in the organization. You need to use the version of the Exchange Management Shell that corresponds to the version of the Exchange servers you're updating.How do I do this?Perform the following steps to configure the SCP object on your Exchange 2007 servers.Open the Exchange Management Shell on your Exchange 2007 Client Access server.Store the AutoDiscover host name of your Exchange 2013 Client Access server in a variable that will be used in the next step. For example, autodiscover.contoso.com.$AutodiscoverHostName = "autodiscover.contoso.com"Run the following command to set the SCP object on every Exchange 2007 server to the AutoDiscover URL of the new Exchange 2013 server.Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 8*") -And ($_.ServerRole -Like "*ClientAccess*")} | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://$AutodiscoverHostName/Autodiscover/Autodiscover.xmlPerform the following steps to configure the SCP object on your Exchange 2010 servers.Open the Exchange Management Shell on your Exchange 2010 Client Access server.Store the AutoDiscover host name of your Exchange 2013 Client Access server in a variable that will be used in the next step. For example, autodiscover.contoso.com.$AutodiscoverHostName = "autodiscover.contoso.com"Run the following command to set the SCP object on every Exchange 2010 server to the AutoDiscover URL of the new Exchange 2013 server.Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 14*") -And ($_.ServerRole -Like "*ClientAccess*")} | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://$AutodiscoverHostName/Autodiscover/Autodiscover.xmlPerform the following steps to configure the SCP object on your Exchange 2013 servers.Open the Exchange Management Shell on your Exchange 2013 Client Access server.Store the AutoDiscover host name of your Exchange 2013 Client Access server in a variable that will be used in the next step. For example, autodiscover.contoso.com.$AutodiscoverHostName = "autodiscover.contoso.com"Run the following command to set the SCP object on every Exchange 2013 server to the AutoDiscover URL of the new Exchange 2013 server.Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 15*") -And ($_.ServerRole -Like "*ClientAccess*")} | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://$AutodiscoverHostName/Autodiscover/Autodiscover.xmlHow do I know this worked?To verify that you've successfully configured the AutoDiscoverServiceInternalUrl property on your Exchange 2007 servers with the value of the Exchange 2013 AutoDiscover URL, do the following:Open the Exchange Management Shell on your Exchange 2007 Client Access server.Run the following command to view the SCP object configuration on Exchange 2007 servers.Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 8*") -And ($_.ServerRole -Like "*ClientAccess*")} | Get-ClientAccessServer | Format-Table Name, AutoDiscoverServiceInternalUri -AutoTo verify that you've successfully configured the AutoDiscoverServiceInternalUrl property on your Exchange 2010 servers with the value of the Exchange 2013 AutoDiscover URL, do the following:Open the Exchange Management Shell on your Exchange 2010 Client Access server.Run the following command to view the SCP object configuration on Exchange 2010 servers.Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 14*") -And ($_.ServerRole -Like "*ClientAccess*")} | Get-ClientAccessServer | Format-Table Name, AutoDiscoverServiceInternalUri -AutoTo verify that you've successfully configured the AutoDiscoverServiceInternalUrl property on your Exchange 2013 servers with the value of the Exchange 2013 AutoDiscover URL, do the following:Open the Exchange Management Shell on your Exchange 2013 Client Access server.Run the following command to view the SCP object configuration on Exchange 2013 servers.Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 15*") -And ($_.ServerRole -Like "*ClientAccess*")} | Get-ClientAccessServer | Format-Table Name, AutoDiscoverServiceInternalUri -AutoHaving problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection Configure DNS records Estimated time to complete: 15 to 20 minutesNow that you've configured your Exchange 2010 and Exchange 2013 servers, it's time to change your DNS records to direct connections to your new Exchange 2013 server. You'll move the host names (for example, mail.contoso.com) users have been using to connect to Outlook Web Access, Autodiscover, and so on, from your Exchange 2010 server to your Exchange 2013 server. When an Exchange 2010 user tries to open their mailbox, the Exchange 2013 server will proxy their request and communicate with the Exchange 2010 server on their behalf. Configuring DNS includes the following:Change the primary host names, such as mail.contoso.com, autodiscover.contoso.com, and owa.contoso.com (if used) to point to the external, publically-accessible, IP address of the Exchange 2013 Client Access server with your public DNS provider.Change the primary host names, such as mail.contoso.com (or internal.contoso.com if you're using different internal host names) and owa.contoso.com (if used) to point to the internal machine name of the Exchange 2013 Client Access server on your internal DNS servers.Important:Read this topic completely before starting.You might need to make changes to your firewall to support the new Exchange 2013 server. You might need to add new firewall rules, add an external IP address for your Exchange 2013 server, or make other configuration changes. If your organization has a network management group, a security review process, or change management process, you may need to request permission to perform these changes or have someone else make them for you.How do I configure my public DNS records?To send users to your Exchange 2013 Client Access server, you need to configure the existing DNS host (A) record with your external DNS provider. The public DNS records should point to the external IP address or FQDN of your Internet-facing Exchange 2013 Client Access server and use the externally accessible FQDNs that you've configured on your Client Access server. The following are examples of recommended DNS records that you should create to enable mail flow and external client connectivity.Note:Instead of changing the DNS records to point your public DNS records to a new external IP address for your Exchange 2013 Client Access server, you can reconfigure your firewall to route connections for the original IP address to the Exchange 2013 server instead of the Exchange 2010 server. The Exchange 2010 Client Access server no longer needs to be accessible from the Internet because all connections will be proxied by the Exchange 2013 server. If you choose to reconfigure your firewall, you don't need to change your public DNS records.Important:Before you make any changes to your DNS records, we strongly recommend that you reduce the time to live (TTL) values of each DNS record you want to change to its minimum interval. The TTL value determines how long a DNS record stays cached on DNS servers. A smaller interval, such as 5 or 10 minutes, will allow you to reverse any changes faster in the event you need to revert back to your original configuration. If you do need to change the TTL of your DNS records, don't make any other changes until the original TTL interval has passed. FQDNDNS record typeValuecontoso.comMXMail.contoso.commail.contoso.comA172.16.10.11owa.contoso.comCNAMEMail.contoso.comautodiscover.contoso.comA172.16.10.11How do I configure my internal DNS records?You choose whether you want users to use the same URL on your intranet and on the Internet to access your Exchange server or whether they should use a different URL. What you choose depends on the addressing scheme you have in place already or that you want to implement. If you’re implementing a new addressing scheme, we recommend that you use the same URL for both internal and external URLs. Using the same URL makes it easier for users to access your Exchange server because they only have to remember one address. Regardless of the choice you make, you need to make sure you configure a private DNS zone for the address space you configure. For more information about administering DNS zones, see Administering DNS Server.Configure internal and external URLs to be the sameTo send users to your Exchange 2013 Client Access server, you need to configure the existing DNS host (A) record on your internal DNS servers. The internal DNS records should point to the internal host name and IP address of your Exchange 2013 Client Access server. The internal host names you use should match the external host names, for example, mail.contoso.com and owa.contoso.com. The following are examples of recommended DNS records that you should create to enable mail flow and external client connectivity.Important:Before you make any changes to your DNS records, we strongly recommend that you reduce the time to live (TTL) values of each DNS record you want to change to its minimum interval. The TTL value determines how long a DNS record stays cached on DNS servers. A smaller interval, such as 5 or 10 minutes, will allow you to reverse any changes faster in the event you need to revert back to your original configuration. If you do need to change the TTL of your DNS records, don't make any other changes until the original TTL interval has passed. FQDNDNS record typeValuemail.contoso.comCNAMEEx2013CAS.corp.contoso.comowa.contoso.comCNAMEEx2013CAS.corp.contoso.comautodiscover.contoso.comA192.168.10.10Configure different internal and external URLsTo send users to your Exchange 2013 Client Access server, you need to configure the existing DNS host (A) record on your internal DNS servers. The internal DNS records should point to the internal host name and IP address of your Exchange 2013 Client Access server. The following are examples of recommended DNS records that you should create to enable mail flow and external client connectivity.Important:Before you make any changes to your DNS records, we strongly recommend that you reduce the time to live (TTL) values of each DNS record you want to change to its minimum interval. The TTL value determines how long a DNS record stays cached on DNS servers. A smaller interval, such as 5 or 10 minutes, will allow you to reverse any changes faster in the event you need to revert back to your original configuration. If you do need to change the TTL of your DNS records, don't make any other changes until the original TTL interval has passed. FQDNDNS record typeValueinternal.contoso.comCNAMEEx2013CAS.corp.contoso.comautodiscover.contoso.comA192.168.10.10How do I know this worked?To verify that you have successfully configured your public DNS records, do the following:Open a command prompt and run nslookup.exe.Change to a DNS server that can query your public DNS zone.In nslookup, look up the record of each FQDN you created. Verify that the value that's returned for each FQDN is correct.Now, verify that you can access your Exchange 2013 server using your primary host name. Using a computer outside of your internal network, open your favorite browser and browse to the Outlook Web Access URL of the Exchange 2013 server, for example, https://mail.contoso.com/owa. Perform the two following tests:Log into an Exchange 2013 mailbox Log into an Exchange 2013 mailbox and verify that you can access the contents of the mailbox without any certificate warnings or other errors. Log out and close your browser. If you need to create a new Exchange 2013 mailbox, see Create User Mailboxes.Log into an Exchange 2010 mailbox Log into an Exchange 2010 mailbox. When you log into this mailbox, you will be proxied to your Exchange 2010 Client Access server (the URL in the browser address bar stay the same). Verify that you are logged in successfully, that you can access the contents of the mailbox, and that you don't receive any certificate warnings or other errors.Test inbound and outbound mail flow Send a message from an external mail provider, such as outlook.com, to Exchange 2013 and Exchange 2010 mailboxes. Verify that the message is received successfully. Reply to the message from each mailbox and verify that the external recipient receives the message. You can also examine the message headers of the messages you sent and received to verify the path the message took using the Message Analyzer in the Microsoft Remote Connectivity Analyzer.With the exception of the mail flow test, repeat the previous tests from a computer inside your network to test your internal DNS configuration. If you've configured your internal DNS records to use the same host names as your external DNS, attempt to access an Exchange 2013 and Exchange 2010 mailbox using those host names, for example mail.contoso.com or owa.contoso.com. If you've configured your internal DNS records to use a different host name, attempt to access an Exchange 2013 and Exchange 2010 mailbox using the internal host name, for example internal.contoso.com.Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection Move mailboxes to Exchange 2013 After you've completed your deployment of Exchange 2013, you can move mailboxes to your Exchange 2013 Mailbox server. To move mailboxes to your Exchange 2013 Mailbox server, you'll need to use the Exchange Admin Center.How do I do this?Open the EAC by browsing to the URL of your Client Access server. For example, https://Ex2013/ECP.Enter your user name and password in Domain\user name and Password, and then click Sign in.Go to Recipients > Migration, click Add and then select Move to a different database.Under Select the users that you want to move, click Add .In the Select Mailbox window, select the mailboxes you want to move, click Add and then OK.Verify that the mailboxes you want to move are listed and then click Next.Specify a name for the new mailbox move and verify that Move the primary mailbox and the archive mailbox if one exists is selected.Under Target database, click Browse.In the Select Mailbox Database window, select a mailbox database on the Exchange 2013 server that you want to move the mailboxes to, click Add and then OK.Verify that the mailbox database displayed in Target database is correct and then click Next.Decide which user should receive the mailbox move report once the move is complete. By default, the current user will receive the move report. If you want to change which user receives the report, click Browse and select a different user.Verify Automatically start the batch is selected.Decide whether you want to have mailbox moves automatically complete. During the finalization phase, the mailbox is unavailable for a short time. If you choose to complete the mailbox move manually, you can decide when the move is finalized. For example, you might want to finalize the move during off-work hours. Select or clear Automatically complete the migration batch.Note:If you chose to complete the mailbox move manually, you'll need to go to Recipients > Migration, select the mailbox migration batch you want to complete, and then click Complete this migration batch in the details pane to finalize the move. When you finalize the move, mailboxes in this batch will be unavailable for a short time. The Complete this migration batch link will only be available once the batch is ready to be completed.Click New.How do I know this worked?To verify that the mailbox move has completed successfully, do the following:In the EAC, go to Recipients > MigrationSelect the migration batch you want to the check the status of.In the details pane, you can check to see if there are any mailboxes waiting to be synced or finalized, or if there are any failed mailboxes. Click View details to see more information about the status of each mailbox in the batch.Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection Post-configuration tasks After you complete a new installation of Exchange 2013, add an additional Exchange 2013 server role to an existing Exchange 2013 server, or install Exchange 2013 in an existing organization, you should consider the post-installation tasks. The post-installation tasks will help you verify the installation and configure the components that you have just installed.Product keyWhen you install Exchange 2013, your server is licensed as a trial edition. The trial edition expires 120 days after the date of installation. A server that has a trial edition license functions as an Exchange Standard Edition server, but it isn't eligible for support from Microsoft support services. If you have Exchange 2013 servers for which the trial edition has expired, Exchange displays a separate warning for each expired server. You need to enter a product key before the trial edition expires if you want to continue using Exchange 2013 on the server.Learn more: Enter Product KeyPermissions configurationFor the purposes of the Deployment Assistant, your administrator account was granted permissions that you might not need going forward. You should verify that this account doesn't have more permissions than required to configure and manage your Exchange 2013 environment.Role Based Access Control (RBAC), the permissions model in Exchange 2013, is extremely flexible. The built-in role groups are probably sufficient to manage most of your Exchange 2013 organization. You can simply add and remove members from the existing role groups to control permissions. The following topics provide more information and can help you configure the appropriate permissions for your Exchange 2013 tasks:Permissions Manage Role Groups Manage Role Group Members Manage Role Assignment Policies Change the Assignment Policy on a Mailbox Built-in Role Groups Built-in Management Roles Public foldersPublic folders are designed for shared access and provide an easy and effective way to collect, organize, and share information with other people in your workgroup or organization. You can use them as an archive for distribution groups, as a simple document sharing solution, and more.Learn more: Public FoldersNow that you've successfully installed Exchange 2013, you can migrate your public folders from Exchange Server 2010 SP3 or Exchange 2007 SP3 RU10 to Exchange Server 2013. You’ll perform the migration by using the new *PublicFolderMigrationRequest cmdlets, in addition to several PowerShell scripts. These cmdlets use the Microsoft Exchange Mailbox Replication service to perform the migration.Learn more: Migrate Public Folders to Exchange 2013 From Previous VersionsUnified Messaging upgradeWhen you upgrade an Exchange 2007 organization with Unified Messaging to Exchange 2013 Unified Messaging, there are a number of steps you must perform to complete the Unified Messaging upgrade. Depending on your telephony environment and the UM components that were created and configured to support Unified Messaging in Exchange 2007, you may need to deploy additional telephony equipment including VoIP gateways or IP PBXs and then create and configure any additional UM components that will be required for Exchange 2013 UM. Learn more: Upgrade Exchange 2007 UM to Exchange 2013 UMWhen you upgrade an Exchange 2010 organization with Unified Messaging to Exchange 2013 Unified Messaging, there are a number of steps you must perform to complete the Unified Messaging upgrade. Depending on your telephony environment and the UM components that were created and configured to support Unified Messaging in Exchange 2010, you may need to deploy additional telephony equipment including VoIP gateways or IP PBXs and then create and configure any additional UM components that will be required for Exchange 2013 UM. Learn more: Upgrade Exchange 2010 UM to Exchange 2013 UMHigh availability options for Mailbox serversAfter deploying and verifying the successful installation of at least two Mailbox servers, you can configure your Mailbox servers and mailbox databases for high availability and site resilience. Exchange 2013 uses the concept of incremental deployment, which is the ability to configure high availability and site resilience for Mailbox servers after the servers have been deployed. Service and data redundancy is achieved by using features in Exchange 2013 such as database availability groups and database copies.Learn more: Managing High Availability and Site ResilienceHybrid deployments with Office 365A hybrid deployment offers organizations the ability to extend the feature-rich experience and administrative control they have with their existing on-premises Microsoft Exchange organization to the cloud. A hybrid deployment provides the seamless look and feel of a single Exchange organization between an on-premises Exchange 2013 organization and Exchange Online in Microsoft Office 365. In addition, a hybrid deployment can serve as an intermediate step to moving completely to an Exchange Online organization. To configure a hybrid deployment, select Hybrid in the Exchange Server Deployment Assistant, answer the questions, and complete the checklist steps.Learn more: Exchange Server 2013 Hybrid DeploymentsRemove legacy Exchange versionsAfter you have completed deploying and configuring Exchange 2013 in your organization, you may be ready to remove previous versions of Exchange. For more information about removing legacy Exchange servers, see the following topics:Modify or Remove Exchange 2010 How to Completely Remove Exchange 2007 from a Server Maintaining and growing an Exchange organizationNow that you’ve installed Exchange 2013, learn more about how you can use Exchange to support your organization. For example, you could do the following:Configure mobile device policies so users can only access their mail from approved devices.Add remote domains to apply custom configuration and security to mail sent to and from a partner’s mail servers.Configure backup and restore processes to help keep your data safe.In addition to enabling features to improve productivity, you might need to add servers so that you can deploy a high availability solution, service users in other locations, increase capacity, or meet a combination of those or other goals. As you install additional servers, you’ll need to think about things like Active Directory site design, load balancing Client Access servers, message routing and transport high availability, and so on.For more information, see the following topics: TopicDescriptionActive DirectoryLearn how Exchange 2013 uses Active Directory sites, and why it’s important to have a good Active Directory site design to help ensure the correct and efficient functioning of Exchange Server.PermissionsSmaller organizations can often manage Exchange with a single administrator account. However, you might want to delegate permission to additional administrators, give limited permission to specialist users, and more. Read this topic to learn more about how you can use Exchange to grant permissions to administrators, specialist users, or how you can give users access to control their own mailbox.Messaging Policy and ComplianceDepending on the laws of your country or rules and regulations for your industry, you might be required to archive data for a certain period of time or provide documents in response to a legal court order. Read this topic to learn more about how Exchange can help you respond to these requirements and requests.Mail FlowAs you add more Exchange 2013 servers, you’ll need to carefully plan message routing between servers in different Active Directory sites, other messaging products, and the Internet. Read this topic to learn more about how Exchange 2013 routes traffic, how you can configure efficient highly available mail routing, and how you can perform mail flow monitoring and diagnostics.Email Addresses and Address BooksThe global address list (GAL) contains every recipient in the Exchange 2013 organization. Some organizations might not want every user to see every other recipient in the organization. Or, you might want some departments or business units to have a specific email address domain. Read this topic to learn more about how you can use Exchange 2013 to segment the GAL so that users only see the recipients you want them to see, how to apply the correct email address to recipients automatically, how to configure offline address books, and more.Clients and MobileUsers no longer access their email only from their computer at work. They use their home computer, mobile device, tablet, airport kiosk, and other methods to access their email. It’s important to understand how users access their email so that you can ensure your company’s information stays safe. Read this topic to learn more about how Exchange can help you keep control of your company’s information by applying policies to devices, specifying which methods users can use to access their email, and more.Mailbox and Client Access ServersUnderstanding the Mailbox and Client Access server roles is critical to maintaining a healthy Exchange organization. Read the topics in this node to learn more about how these roles function, how to move mailboxes, manage mailbox databases, configure load balancing, configure certificates, and more.Managing High Availability and Site ResilienceData integrity and server availability are critically important in an Exchange organization. You need to ensure that the data stored on your Exchange servers is safe, and that the availability of your Exchange servers meets your organization’s requirements. Read this topic to learn more about how Exchange can help you meet your goals by configuring database availability groups, establishing and testing backup and restore processes, and more.Install Exchange 2013 Using the Setup WizardAdditional servers increase capacity and enable you to configure features like database availability groups. Read this topic to learn how to install additional Mailbox and Client Access servers. Deployment checklist complete Congratulations on successfully completing your checklist in the Deployment Assistant!Tools you can useThe Microsoft Remote Connectivity Analyzer tool is a free Web-based tool that helps you troubleshoot connectivity issues. The tool simulates several client logon and mail flow scenarios. When a test fails, troubleshooting tips can assist you in correcting the problem.Take a look at: Microsoft Remote Connectivity Analyzer ToolAnd, for more information about Exchange planning and deployment, you can always review the related content in the Exchange TechCenter Library.Find it all at: Planning and DeploymentGive us feedback pleaseWe would really appreciate your feedback about the Deployment Assistant. What worked for you? What could we have done better? What do you recommend we change for the next version?Tell us what you think at: Feedback: Exchange Server Deployment Assistant