Section 1: Prerequisites and System Requirements
Scope: This section covers the fundamental operating system settings, security requirements, and health checks required prior to the integration of Active Directory, Microsoft Exchange Server, and AD FS systems.
Important: Follow the steps below exactly; skipping any of them is a common cause of authentication failures and SSL/TLS handshake errors.
1.1. Time and Time Zone Synchronization
Authentication protocols such as Kerberos, which distributed systems rely on, are highly sensitive to timestamps. If the clock skew between servers exceeds 5 minutes, authentication fails and "Access Denied" errors occur.
Configuration Steps:
Ensure that the following settings are identical on all servers (DC, Exchange, AD FS, Application Server) in the environment:
Time Zone Check:
Navigate to Settings > Time & Language to check the time zone.
Test Environment Standard:
(UTC-08:00) Pacific Time (US & Canada). This field can be changed to the local time zone according to project requirements. Attention: check the (-) or (+) sign after UTC and the region selection carefully.
NTP Synchronization:
Ensure that the clocks of all member servers are synchronized with the PDC (Primary Domain Controller). Trigger synchronization using the following commands in CMD running with Administrator privileges:
rem Show the current time (the /t switch displays it without prompting for a new value)
time /t
rem Force synchronization with the domain time source
w32tm /resync
1.2. Certificate Infrastructure
The Active Directory Certificate Services (AD CS) role must be configured to ensure secure communication of system components via HTTPS and to establish trust between servers.
Step A: Configuration of Certificate Authority (CA)
Server: Domain Controller (DC)
Role: Enterprise Root CA
Purpose: To generate and sign the SSL certificates required by Exchange, AD FS, and Web servers.
Step B: Distribution of Trust Chain
To ensure clients and servers trust the certificates generated by the DC, the Root CA certificate must be distributed.
Export: Export the CA certificate in .CER format from the certsrv.msc console on the DC server.
Import: Import this certificate into the "Trusted Root Certification Authorities" store on all servers (Exchange, AD FS, etc.) in the environment.
1.3. Detection of Exchange Access Points (URLs)
It is necessary to identify the correct address (Internal/External URL) that users and other services will use to access the Exchange server.
Run the following command on the Exchange Server using the Exchange Management Shell (EMS):
PowerShell
1.4. Exchange SSL Certificate Subject and Domain Check
It is mandatory that the "Subject Name" (CN) and "Subject Alternative Names" (SAN) values of the active certificate on Exchange match the URL being accessed (e.g., mail.domain.com).
Perform the check on the Exchange Management Shell (EMS):
PowerShell
Verification: Verify that the FQDN addresses you plan to use (e.g., mail.domain.com, autodiscover.domain.com) are listed in the CertificateDomains output.
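As an added example (not part of the original guide), the following PowerShell script, run from the Exchange Management Shell, automates the check above: it inspects only the certificates enabled for the IIS service, verifies that every planned FQDN is covered (accepting a one-label wildcard such as *.domain.com), and flags certificates nearing expiry. The FQDN list is a placeholder assumption; replace it with the names used in your environment.

```powershell
# Added example, not from the original guide. Assumes the EMS is loaded
# (Get-ExchangeCertificate available). FQDNs below are placeholders.
$requiredFqdns = @('mail.domain.com', 'autodiscover.domain.com')

# Returns $true when $Fqdn is covered by the certificate name $Domain:
# exact match, or a one-label wildcard (*.domain.com covers mail.domain.com
# but not a.b.domain.com, which matches browser/TLS client behaviour).
function Test-DomainCovers {
    param([string]$Domain, [string]$Fqdn)
    $d = $Domain.ToLower(); $f = $Fqdn.ToLower()
    if ($d -eq $f) { return $true }
    if ($d.StartsWith('*.')) {
        $suffix = $d.Substring(1)                               # ".domain.com"
        if (-not $f.EndsWith($suffix) -or $f.Length -le $suffix.Length) { return $false }
        $label = $f.Substring(0, $f.Length - $suffix.Length)
        return ($label -notmatch '\.')                          # exactly one leading label
    }
    return $false
}

# Only certificates enabled for IIS are presented to OWA/ECP/EWS/Autodiscover clients.
$iisCerts = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' }
if (-not $iisCerts) { Write-Warning 'No certificate is enabled for the IIS service.'; return }

foreach ($cert in $iisCerts) {
    $names   = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
    $missing = $requiredFqdns | Where-Object {
        $fqdn = $_
        -not ($names | Where-Object { Test-DomainCovers -Domain $_ -Fqdn $fqdn })
    }
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

    "{0}  subject={1}  domains={2}" -f $cert.Thumbprint, $cert.Subject, ($names -join ',')
    if ($missing)      { Write-Warning ('Missing SAN entries: ' + ($missing -join ', ')) }
    if ($daysLeft -lt 30) { Write-Warning "Certificate expires in $daysLeft days ($($cert.NotAfter))" }
    if (-not $missing -and $daysLeft -ge 30) { 'OK: all required FQDNs are covered' }
}
```

A warning for a missing name means clients connecting to that FQDN will see a certificate mismatch even though the certificate itself is valid, so fix the SAN list before continuing with the integration.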
1.5. Exchange Server Health Checks
Before starting the integration, verify that the Exchange server is functioning correctly (Baseline Health).
Service Status: Confirm via services.msc that the MSExchangeTransport, MSExchangeADTopology, and MSExchangeIS services are in the "Running" state.
Admin Panel (ECP): Verify that you can log in to https://<ServerAddress>/ecp with an administrator account.
Web Mail (OWA): Perform an email send/receive test between test users via https://<ServerAddress>/owa.
1.6. AD FS Service Name (Hostname) Verification
The Federation Service Name defined during the AD FS installation must be verified. This name must match the DNS records and certificate names.
Run the following command on the AD FS server using PowerShell:
PowerShell