Microsoft Exchange Server on the AWS Cloud
Quick Start Reference Deployment
January 2015
Last update: January 2020 (revisions)
Dragos Madarasan, AWS Professional Services
Aaron Lima, AWS Quick Start Team
This guide is also available in HTML format at
https://docs.aws.amazon.com/quickstart/latest/exchange/.
Visit our GitHub repository for source files (including documentation files) and
to post feedback, report bugs, or submit feature ideas for this Quick Start.
Amazon Web Services – Microsoft Exchange Server on the AWS Cloud January 2020
Page 2 of 38
Contents
Quick Links (p. 3)
Overview (p. 4)
  Microsoft Exchange Server on AWS (p. 4)
  Cost and Licenses (p. 5)
Architecture (p. 6)
  Architectural Considerations (p. 6)
  Architecture Components (p. 6)
Prerequisites (p. 9)
  Technical Requirements (p. 9)
  Specialized Knowledge (p. 9)
  Exchange Server 2019 Requirements (p. 10)
Implementation Details (p. 10)
  Storage on the Exchange Nodes (p. 10)
  IP Addresses on the Exchange Nodes (p. 12)
  Database Availability Group (p. 13)
  Edge Transport Nodes (p. 14)
  Load Balancer (p. 15)
  Volume Encryption (p. 15)
Deployment Options (p. 16)
Deployment Steps (p. 16)
  Step 1. Prepare Your AWS Account (p. 16)
  Step 2: Launch the Quick Start (p. 17)
  Step 3. (Optional) Create Database Copies (p. 28)
  Step 4. (Optional) Create a DNS Entry for the Load Balancer (p. 28)
Best Practices (p. 32)
  High Availability and Disaster Recovery (p. 32)
  Automatic Failover (p. 32)
  Security Groups and Firewalls (p. 33)
Security (p. 34)
Troubleshooting (p. 34)
GitHub Repository (p. 35)
Additional Resources (p. 36)
Document Revisions (p. 37)
This Quick Start was developed by Amazon Web Services (AWS) solutions architects.
Quick Starts are automated reference deployments that use AWS CloudFormation
templates to deploy key technologies on AWS, following AWS best practices.
Quick Links
The links in this section are for your convenience. Before you launch the Quick Start, please
review the architecture, configuration, network security, and other considerations discussed
in this guide.
Note You are responsible for the costs related to your use of any AWS services used
while running this Quick Start reference deployment. See the pricing pages of the
AWS services you will be using for full details.
If you have an AWS account, and you’re already familiar with AWS services and
Microsoft Exchange Server, you can launch the Quick Start to build the architecture
shown in Figure 1 in a new or existing virtual private cloud (VPC). The deployment takes
approximately 90 minutes. If you’re new to AWS or to Exchange Server, please review
the implementation details and follow the step-by-step instructions provided later in
this guide.
If you want to take a look under the covers, you can view the AWS CloudFormation
templates that automate the deployment.
Overview
This Quick Start reference deployment guide includes infrastructure information,
architectural considerations, and configuration steps for planning and deploying a
Microsoft Exchange Server environment on the AWS Cloud. It uses AWS CloudFormation
templates to automate the deployment.
Note This Quick Start supports Exchange Server 2016 and Exchange Server 2019.
This Quick Start is for IT infrastructure architects, administrators, and DevOps
professionals who are planning to implement or extend their Exchange Server workloads on
the AWS Cloud.
Included are best practices for configuring a highly available, fault-tolerant, and secure
Exchange environment. This guide doesn’t cover general installation and software
configuration tasks for Exchange Server. For general guidance and best practices, consult
the Microsoft Exchange Server documentation.
Microsoft Exchange Server on AWS
Exchange Server is a messaging and collaboration solution that Microsoft developed, with
support for mailboxes, calendars, compliance, and e-archival. In an Exchange Server
environment, your users can collaborate and, when you deploy the environment in AWS,
you can scale your environment based on demand.
The AWS Cloud provides infrastructure services that enable you to deploy Exchange Server
in a highly available, fault-tolerant, and affordable way. By deploying on AWS, you get the
functionality of Exchange Server and the flexibility and security of AWS.
In addition to this Quick Start, we’ve published a set of Microsoft-based Quick Starts that
you can use to deploy other common Microsoft workloads on AWS, including:
Microsoft Active Directory
Remote Desktop Gateway (RD Gateway)
Microsoft SharePoint Server
Microsoft Web Application Proxy with Active Directory Federation Services (ADFS)
Microsoft SQL Server
Windows Server Update Services
Each of those Quick Starts includes a virtual private cloud (VPC) environment, which is
deployed based on AWS best practices. To read more about deploying Microsoft workloads
by using our Quick Starts, see the Quick Starts in the Microsoft Technologies category.
Cost and Licenses
You are responsible for the cost of the AWS services used while running this Quick Start
reference deployment. There is no additional cost for using the Quick Start.
The AWS CloudFormation template for this Quick Start includes configuration parameters
that you can customize. Some of these settings, such as instance type, will affect the cost of
deployment. For cost estimates, see the pricing pages for each AWS service you will be
using. Prices are subject to change.
Tip After you deploy the Quick Start, we recommend that you enable the AWS Cost
and Usage Report to track costs associated with the Quick Start. This report delivers
billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your
account. It provides cost estimates based on usage throughout each month, and
finalizes the data at the end of the month. For more information about the report,
see the AWS documentation.
Exchange Server can be deployed and licensed through the Microsoft License Mobility
through Software Assurance program. For development and test environments, you can use
your existing MSDN licenses for Exchange Server using Amazon Elastic Compute Cloud
(Amazon EC2) Dedicated Instances. For details, see the MSDN on AWS page.
This Quick Start deployment uses an evaluation copy of Exchange Server. To upgrade your
version, see the Microsoft Exchange Server website.
This Quick Start launches the Amazon Machine Image (AMI) for
Microsoft Windows Server 2016 and Windows Server 2019, and includes the license for the
Windows Server operating system. The AMI is updated on a regular basis with the latest
service pack for the operating system, so you don’t have to install any updates. The
Windows Server AMI doesn’t require client access licenses (CALs) and includes two
Microsoft Remote Desktop Services licenses. For details, see Microsoft Licensing on AWS.
Architecture
Architectural Considerations
Before you deploy the template in this Quick Start, decide whether to use two Availability
Zones or three, and whether to use a file share witness or a full node.
By default, the Exchange Server Quick Start uses two Availability Zones, with one Exchange
node in each zone. The file share witness is launched in the same Availability Zone as the
first Exchange node.
Note Where possible, we recommend deploying the Exchange Server Quick Start
using three Availability Zones. This enables automatic failover of database
availability groups (DAGs), without the need for manual intervention.
You can deploy a full Exchange node instead of a file share witness. In addition, you can
specify whether to deploy the full node or the file share witness in a third Availability Zone.
To learn more about Exchange DAGs and quorum models, see TechNet – database
availability groups.
In addition, you can deploy an internal Application Load Balancer (ALB) to provide high
availability and distribute traffic to the Exchange nodes. In this configuration, you need to
import a Secure Sockets Layer (SSL) certificate into AWS Certificate Manager (ACM) before
you launch the template.
AWS Secrets Manager is used to securely store the Exchange administrative account
credentials. AWS Systems Manager Parameter Store is used to retrieve the latest AMI ID
for the underlying EC2 instances, to ensure that the Windows 2016 or 2019 installation is
up to date.
Architecture Components
Deploying this Quick Start for a new VPC with default parameters builds the following
Exchange Server environment in the AWS Cloud.
Figure 1: Exchange Server architecture on AWS
You can also choose to build an architecture with three Availability Zones, as shown in Figure 2.
Figure 2: Exchange Server architecture with Edge nodes and three Availability Zones
The Quick Start sets up the following:
A virtual private cloud (VPC) configured with public and private subnets across two
Availability Zones. This provides the network infrastructure for your Exchange Server
deployment. You can optionally choose a third Availability Zone for the file share
witness or for an additional Exchange node, as shown in Figure 2.*
In the public subnets, Windows Server–based Remote Desktop Gateway (RD Gateway)
instances and network address translation (NAT) gateways for outbound internet
access.*
Elastic IP addresses associated with the NAT gateway and RD Gateway instances.*
In the private subnets, Active Directory domain controllers.*
In the private subnets, Windows Server–based instances as Exchange nodes.
Exchange Server Enterprise Edition on each node. This architecture provides
redundancy along with a witness server to ensure that a quorum can be established. The
default architecture mirrors an on-premises architecture of two Exchange Server
instances spanning two subnets placed in two different Availability Zones, as shown in
Figure 1.
Security groups to enable the secure flow of traffic between the instances deployed in the
VPC.
(Optional) In the public subnets, Exchange Edge Transport servers for routing internet
email in and out of your environment.
* The template that deploys the Quick Start into an existing VPC skips the tasks marked by
asterisks and prompts you for your existing VPC configuration.
Prerequisites
Technical Requirements
You must obtain a license for Exchange Server before you deploy this Quick Start. Microsoft
Exchange Server can be deployed and licensed via the Microsoft License Mobility through
Software Assurance program. For development and test environments, you can use your
existing MSDN licenses for Exchange Server using Amazon Elastic Compute Cloud
(Amazon EC2) Dedicated Instances. For details, see the MSDN on AWS page.
This Quick Start deployment uses an evaluation copy of Exchange Server. To upgrade your
version, see the Microsoft Exchange Server website.
Specialized Knowledge
Before you deploy this Quick Start, we recommend that you become familiar with the
following AWS services. (If you are new to AWS, see Getting Started with AWS.)
Amazon Elastic Compute Cloud (Amazon EC2)
Amazon Elastic Block Store (Amazon EBS)
Amazon Virtual Private Cloud (Amazon VPC)
AWS CloudFormation
NAT gateway
AWS Identity and Access Management (IAM)
Elastic Load Balancing (ELB)
AWS Certificate Manager (ACM)
In addition, you should be familiar with the following:
Windows Server 2016 or Windows Server 2019
Microsoft Active Directory and Domain Name System (DNS)
Windows Server Failover Clustering (WSFC)
Exchange database availability groups (DAGs)
For information, see the Microsoft product documentation for these technologies.
Exchange Server 2019 Requirements
Microsoft has released Exchange Server 2019 only via Volume Licensing Service Center, so
you need to provide your own installation media. The Exchange2019Source parameter
takes as an input the full URL to the installation media (ISO file).
The Exchange2019Source parameter value must end in the .ISO file extension. The file
name itself doesn’t matter, because the scripts have built-in logic to determine it from
the URL.
Acceptable paths:
https://[yourbucket].s3-us-east-1.amazonaws.com/SW_DVD9_Exchange_Svr_2019.ISO
http://media.example.com/Exchange2019.ISO
Improper path:
https://[yourbucket].s3-us-east-1.amazonaws.com/SW_DVD9_Exchange_Svr_2019.zip
Note We recommend uploading the Exchange 2019 installation media to an S3
bucket and temporarily making the installation media public. This will ensure that
the file is quickly downloaded to the EC2 instances.
Implementation Details
Storage on the Exchange Nodes
Storage capacity and performance are key aspects of any production installation. Although
capacity and performance vary from one deployment to the next, this Quick Start provides a
reference configuration that you can use as a starting point. The AWS CloudFormation
template deploys the Exchange nodes using the memory-optimized r5.xlarge instance type
by default.
To provide highly performant and durable storage, we’ve also included Amazon EBS
volumes in this reference architecture. EBS volumes are network-attached disk storage,
which you can create and attach to EC2 instances. Once these are attached, you can create a
file system on top of these volumes, run a mailbox database, or use them in any other way
you would use a block device. EBS volumes are placed in a specific Availability Zone, where
they are automatically replicated to protect you from the failure of a single component.
Provisioned IOPS EBS volumes offer storage with consistent and low-latency performance.
They are backed by solid state drives (SSDs) and are designed for applications with I/O-
intensive workloads such as databases.
Amazon EBS-optimized instances, such as the R5 instance type, deliver dedicated
throughput between Amazon EC2 and Amazon EBS. The dedicated throughput minimizes
contention between Amazon EBS I/O and other traffic from your Amazon EC2 instance,
and provides the best performance for your EBS volumes.
By default, on each Exchange node, the Quick Start deploys three 500-GiB General Purpose
(GP2) SSD volumes to store mailbox databases and transaction logs. The database and log
partitions are formatted using GUID Partition Table (GPT).
By default, partitions are created using Resilient File System (ReFS), which is the Preferred
Architecture (PA) choice for Exchange Server 2016 and Exchange Server 2019. If you set
the Enable or disable ReFS parameter to false, the partitions are formatted using NTFS.
The GP2 volume type delivers a consistent baseline of 3 IOPS/GiB, which provides a total of
1,500 IOPS per volume for Exchange database and transaction log volumes. You can
customize the volume size, and you can switch to using dedicated IOPS volumes.
If you need more IOPS per volume, consider using Provisioned IOPS SSD volumes by
changing the Exchange Server Volume Type and Exchange Server Volume IOPS
parameters, or use disk striping within Windows.
The default disk layout in this Quick Start uses the following EBS volumes:
One General Purpose SSD volume (100 GiB) for the operating system (C:)
One General Purpose SSD volume (500 GiB) to host the Exchange Server database files
(D:)
One General Purpose SSD volume (500 GiB) to host the Exchange Server transaction
log files (E:)
Figure 3 shows the disk layout on each Exchange Server node.
Figure 3: Disk layout on Exchange Server node
Note You’ll find the installation software on each node in the
C:\Exchangeinstall folder.
Depending on the instance type selected, you might see additional drives for instance
store (ephemeral) volumes such as (Z:). Data on instance storage will be lost when
you stop your EC2 instance.
IP Addresses on the Exchange Nodes
By default, the Microsoft Exchange Quick Start template deploys two Exchange nodes with
two IP addresses each:
One IP address is used as the primary IP address for the instance.
A second IP address acts as the Failover Cluster IP resource.
When you launch the AWS CloudFormation template, you can specify the addresses for
each node, as shown in Figure 4. By default, the 10.0.0.0/19, 10.0.32.0/19, and
10.0.64.0/19 CIDR blocks are used for the private subnets.
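The addressing rules above (two addresses per Exchange node inside its private subnet, the default CIDR blocks, and the table note that a witness in the third Availability Zone needs an address from the third subnet) can be checked before the stack is launched. The following pre-launch checker is an added example, not code from the Quick Start; the CIDR parameter names and defaults are the template's, while the parameter names for the node and file server addresses and all sample addresses are assumptions.

```python
"""Pre-launch check of the Quick Start's network plan (added example, not
part of the Quick Start's own templates or scripts).

Rules encoded, taken from the guide:
  * every subnet CIDR must fall inside the VPC CIDR, and subnets must not overlap;
  * each Exchange node needs two addresses (primary IP plus the failover cluster
    IP resource) inside its own private subnet;
  * with ThirdAZ = witness, the file server's IP must be in private subnet 3;
plus two facts about AWS subnets: the first four addresses and the last address
of every subnet are reserved, and no address may be assigned twice.
"""
import ipaddress

# Default CIDR blocks from the Quick Start parameter table.
DEFAULT_PLAN = {
    "VPCCIDR": "10.0.0.0/16",
    "PrivateSubnet1CIDR": "10.0.0.0/19",
    "PrivateSubnet2CIDR": "10.0.32.0/19",
    "PrivateSubnet3CIDR": "10.0.64.0/19",
    "PublicSubnet1CIDR": "10.0.128.0/20",
    "PublicSubnet2CIDR": "10.0.144.0/20",
    "PublicSubnet3CIDR": "10.0.160.0/20",
}

# Constructed sample addresses: parameter name -> (subnet parameter, address).
# ADServer1PrivateIP and its default come from the parameter table; the other
# parameter names are assumed, not the template's real names.
SAMPLE_HOSTS = {
    "ADServer1PrivateIP": ("PrivateSubnet1CIDR", "10.0.0.10"),
    "ExchangeNode1PrivateIP": ("PrivateSubnet1CIDR", "10.0.0.150"),
    "ExchangeNode1ClusterIP": ("PrivateSubnet1CIDR", "10.0.0.151"),
    "ExchangeNode2PrivateIP": ("PrivateSubnet2CIDR", "10.0.32.150"),
    "ExchangeNode2ClusterIP": ("PrivateSubnet2CIDR", "10.0.32.151"),
    "FileServerPrivateIP": ("PrivateSubnet3CIDR", "10.0.64.200"),
}


def reserved_addresses(net):
    """Addresses AWS reserves in every subnet: network, router, DNS, future use, broadcast."""
    base = int(net.network_address)
    return {ipaddress.IPv4Address(base + i) for i in range(4)} | {net.broadcast_address}


def check_subnets(plan):
    """Return a list of problems with the CIDR layout; an empty list means it is sound."""
    problems = []
    vpc = ipaddress.ip_network(plan["VPCCIDR"])
    subnets = [(k, ipaddress.ip_network(v)) for k, v in plan.items() if k != "VPCCIDR"]
    for name, net in subnets:
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} lies outside VPCCIDR {vpc}")
    for i, (n1, s1) in enumerate(subnets):
        for n2, s2 in subnets[i + 1:]:
            if s1.overlaps(s2):
                problems.append(f"{n1} {s1} overlaps {n2} {s2}")
    return problems


def check_hosts(plan, hosts, third_az="no"):
    """Return problems with the static addresses; third_az mirrors the ThirdAZ parameter."""
    problems = []
    seen = {}
    for param, (subnet_param, ip_str) in hosts.items():
        if param == "FileServerPrivateIP" and third_az == "witness":
            # Table note: a witness in the third AZ must get an address from subnet 3.
            subnet_param = "PrivateSubnet3CIDR"
        ip = ipaddress.ip_address(ip_str)
        net = ipaddress.ip_network(plan[subnet_param])
        if ip not in net:
            problems.append(f"{param} {ip} is not inside {subnet_param} {net}")
        elif ip in reserved_addresses(net):
            problems.append(f"{param} {ip} is an AWS-reserved address in {net}")
        if ip in seen:
            problems.append(f"{param} {ip} duplicates {seen[ip]}")
        seen[ip] = param
    return problems


if __name__ == "__main__":
    for p in check_subnets(DEFAULT_PLAN) + check_hosts(DEFAULT_PLAN, SAMPLE_HOSTS, "witness"):
        print("PROBLEM:", p)
    print("network plan checked")
```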
Figure 4: Configuring IP addresses on the Exchange node
Database Availability Group
A failover cluster is automatically created for the database availability group (DAG). The
AWS CloudFormation templates carry out this task when deploying the second node. If you
use the default parameter settings in the template, the Quick Start runs the following
Windows PowerShell commands to complete this task:
Install-WindowsFeature failover-clustering -IncludeManagementTools
New-DatabaseAvailabilityGroup -Name DAG -WitnessServer FileServer -WitnessDirectory C:\DAG
Add-DatabaseAvailabilityGroupServer -Identity DAG -MailboxServer ExchangeNode1
Add-DatabaseAvailabilityGroupServer -Identity DAG -MailboxServer ExchangeNode2
Note By default, the database availability group is created with the name DAG. To
change this value, modify the DAGName default parameter value in the
Configure-ExchangeDAG.ps1 file.
The first command runs on each instance during the bootstrapping process. It installs the
required components and management tools for the failover clustering services. The rest of
the commands run near the end of the bootstrapping process on the second node and are
responsible for creating the cluster and for defining the server nodes and IP addresses.
By default, the Quick Start configures an even number of servers in the cluster. You need a
third resource to maintain a majority vote to keep the cluster online if an individual server
fails. For this, the Quick Start uses a dedicated file share witness instance, which can be
either a domain-joined server or a third Exchange node (which cannot be part of the DAG
itself). By default, the Quick Start creates a Dedicated Instance in the first Availability Zone
to act as the file share witness. For production environments, you can also set the Third
AZ parameter to witness to create a Dedicated Instance with a file share in a third
Availability Zone.
Alternatively, you can use any domain-joined server for this task. (This isn’t included in the
Quick Start.) If you set the Third AZ parameter to full, the Quick Start keeps the quorum
settings to the default node majority and creates a third Exchange Server node in the third
Availability Zone. Note that some AWS Regions support only two Availability Zones; for a
current list, see AWS Global Infrastructure.
The Quick Start automated solution ends after creating the DAG and adding the two
Exchange nodes to the DAG. When the deployment is complete, you can create additional
databases and make them highly available by creating copies on the second nodes. This
process is covered in step 3 of the deployment instructions.
Edge Transport Nodes
Edge Transport nodes relay inbound and outbound emails and provide smart host services
within the Exchange organization. The Edge nodes are installed in the public subnets and
aren’t domain-joined. However, they do require information from Active Directory, so an
Edge Subscription must be configured.
Because Edge Transport role nodes aren’t required for end-to-end mail flow, by default,
Edge nodes aren’t deployed. For this to occur, you must select yes on the Deploy Edge
servers launch option, as shown in Figure 5.
Figure 5: Deploying Edge servers
A pair of Edge servers is deployed in the public subnets (which must be defined), and the
Exchange Server Edge Transport role is installed using default settings. The EC2 instances
aren’t domain-joined, but the DNS suffix that corresponds to the domain name is
configured on the network interface cards (NICs). Also, DNS records are created in
Active Directory corresponding to their hostname.
The Local Administrator password is reset to the Domain Admin password, and an Edge
subscription file is created, which can be found in C:\EdgeServerSubscription.xml.
Copy the subscription file to a mailbox server, and import the subscription by running the
following command:
New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\EdgeServerSubscription.xml" -Encoding Byte -ReadCount 0)) -Site "AZ1"
Load Balancer
Exchange servers running with the Client Access/Transport roles are usually situated
behind a network load balancer (NLB) with a unified Exchange namespace such as
“mail.example.com.” The namespace resolves to the load balancer, which in turn
distributes traffic to the Exchange servers.
The Exchange Server Quick Start contains an option to deploy an Application Load
Balancer that distributes the traffic to the Exchange nodes.
By default, the load balancer isn’t deployed because it requires an existing SSL certificate to
be imported in AWS Certificate Manager.
For a load balancer to be deployed, you must:
1. Import or generate a certificate in AWS Certificate Manager.
2. Specify the full Amazon Resource Name (ARN) in the CertificateARN option.
3. Select true in Deploy Load Balancer, when you launch the Quick Start.
Volume Encryption
As part of the default setup, the Exchange Server Quick Start creates and attaches two EBS
volumes to each Exchange node. One EBS volume (corresponding to the D:\ drive) holds
the Exchange mailbox databases, while the other EBS volume (E:\) holds the Exchange
transaction logs.
The Quick Start also provides an option to encrypt the EBS volumes with either the
default AWS Key Management Service (AWS KMS) encryption key or a custom KMS key, as
shown in Figure 6.
Figure 6: Encrypting the EBS volumes
Note The root volume of the Exchange nodes (C:\) isn’t encrypted, even when Encrypt
data volumes is selected.
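After deployment, the encryption state described above can be verified per node from the EC2 volume descriptions. The audit below is an added example, not part of the Quick Start; it assumes a constructed Purpose tag (Root, Database, Logs) to map volumes to C:, D: and E:, because drive letters are not visible through the EC2 API, and the KMS key ARN is a placeholder.

```python
"""Audit the EBS volumes of one Exchange node for the encryption options the
Quick Start offers (added example; not part of the Quick Start's own code).

Input is a list of volume records in the shape of the EC2 DescribeVolumes
'Volumes' list. The records below are constructed; a live list would come from
`aws ec2 describe-volumes --filters Name=attachment.instance-id,Values=<id>`.
Drive letters are not visible through the EC2 API, so this example assumes a
'Purpose' tag (Root / Database / Logs) on each volume to identify C:, D: and E:.
"""

# Placeholder for the custom KMS key selected at launch (not a real key).
EXPECTED_KMS_KEY = "arn:aws:kms:us-west-2:111122223333:key/PLACEHOLDER-KEY-ID"

SAMPLE_VOLUMES = [  # constructed records for one Exchange node
    {"VolumeId": "vol-0constructedroot", "Size": 100, "VolumeType": "gp2",
     "Encrypted": False, "Tags": [{"Key": "Purpose", "Value": "Root"}]},
    {"VolumeId": "vol-0constructeddata", "Size": 500, "VolumeType": "gp2",
     "Encrypted": True, "KmsKeyId": EXPECTED_KMS_KEY,
     "Tags": [{"Key": "Purpose", "Value": "Database"}]},
    {"VolumeId": "vol-0constructedlogs", "Size": 500, "VolumeType": "gp2",
     "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-west-2:111122223333:key/SOME-OTHER-KEY",  # wrong key
     "Tags": [{"Key": "Purpose", "Value": "Logs"}]},
]


def tag_value(volume, key):
    """Return the value of tag `key` on a DescribeVolumes record, or None."""
    return next((t["Value"] for t in volume.get("Tags", []) if t["Key"] == key), None)


def audit_volumes(volumes, expected_kms_key=None):
    """Return findings as (severity, volume id, message) tuples.

    Data volumes must be encrypted, and with `expected_kms_key` when a custom
    key was selected. The root volume is reported at INFO level because the
    'Encrypt data volumes' option does not cover it.
    """
    findings = []
    for vol in volumes:
        vid = vol["VolumeId"]
        purpose = tag_value(vol, "Purpose") or "Unknown"
        encrypted = vol.get("Encrypted", False)
        if purpose == "Root":
            if not encrypted:
                findings.append(("INFO", vid, "root volume (C:) is not encrypted; "
                                 "'Encrypt data volumes' does not apply to it"))
            continue
        if not encrypted:
            findings.append(("HIGH", vid, f"{purpose} volume is not encrypted"))
        elif expected_kms_key and vol.get("KmsKeyId") != expected_kms_key:
            findings.append(("MEDIUM", vid,
                             f"{purpose} volume is encrypted with {vol.get('KmsKeyId')}, "
                             "not the expected key"))
    return findings


def worst_severity(findings):
    """Collapse findings to one verdict for a monitoring check: HIGH > MEDIUM > INFO > OK."""
    order = {"HIGH": 3, "MEDIUM": 2, "INFO": 1}
    return max((f[0] for f in findings), key=order.get, default="OK")


if __name__ == "__main__":
    for sev, vid, msg in audit_volumes(SAMPLE_VOLUMES, EXPECTED_KMS_KEY):
        print(f"{sev:6} {vid}: {msg}")
```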
Deployment Options
This Quick Start provides two deployment options:
Deploy Exchange Server into a new VPC (end-to-end deployment). This option
builds a new AWS environment consisting of the VPC, subnets, NAT gateways, security
groups, bastion hosts, and other infrastructure components, and then deploys
Exchange Server into this new VPC.
Deploy Exchange Server into an existing VPC. This option provisions
Exchange Server in your existing AWS infrastructure. Your AWS environment must
include a VPC with two or three Availability Zones, public and private subnets in each
Availability Zone, Remote Desktop Gateway and NAT gateways deployed into the public
subnet, and Active Directory Domain Services deployed into the private subnet.
The Quick Start also lets you configure additional settings such as CIDR blocks, instance
types, and Exchange Server settings, as discussed later in this guide.
Deployment Steps
Step 1. Prepare Your AWS Account
1. If you don’t already have an AWS account, create one at https://aws.amazon.com by
following the on-screen instructions.
2. Use the Region selector in the navigation bar to choose the AWS Region where you want
to deploy the infrastructure for Microsoft Exchange Server on AWS. If you’re planning
to use a third Availability Zone for a file share witness instance or a third Exchange
Server node, choose an AWS Region that includes three or more Availability Zones; see
Regions and Availability Zones for a list.
3. Create a key pair in your preferred Region.
4. If necessary, request a service quota increase for the Amazon EC2 r5.xlarge instance
type. You might need to do this if you already have an existing deployment that uses this
instance type, and you think you might exceed the default limit with this deployment.
Step 2: Launch the Quick Start
Note You are responsible for the cost of the AWS services used while running this
Quick Start reference deployment. There is no additional cost for using this Quick
Start. For full details, see the pricing pages for each AWS service you will be using in
this Quick Start. Prices are subject to change.
1. Choose one of the following options to launch the AWS CloudFormation template into
your AWS account. For help choosing an option, see deployment options earlier in this
guide.
Option 1: Deploy Exchange Server into a new VPC on AWS
Option 2: Deploy Exchange Server into an existing VPC on AWS
Important If you’re deploying Exchange Server into an existing VPC, make sure
that your VPC has at least two private subnets in different Availability Zones. These
subnets require NAT gateways or NAT instances in their route tables, to allow the
instances to download packages and software without exposing them to the internet.
You will also need the domain name option configured in the DHCP options as
explained in the Amazon VPC documentation. You will be prompted for your VPC
settings when you launch the Quick Start.
Each deployment takes about 90 minutes to complete.
2. Check the Region that’s displayed in the upper-right corner of the navigation bar, and
change it if necessary. This is where the network infrastructure for Exchange Server will
be built. The template is launched in the US West (Oregon) Region by default.
3. On the Select Template page, keep the default setting for the template URL, and then
choose Next.
4. On the Specify Details page, change the stack name if needed. Review the parameters
for the template. Provide values for the parameters that require input. For all other
parameters, review the default settings and customize them as necessary. When you
finish reviewing and customizing the parameters, choose Next.
In the following tables, parameters are listed by category and described separately for
the two deployment options:
– Parameters for deploying Microsoft Exchange Server into a new VPC
– Parameters for deploying Microsoft Exchange Server into an existing VPC
Option 1: Parameters for deploying Exchange Server into a new VPC
VPC Network Configuration:
Parameter label
(name)
Default Description
Availability Zones
(AvailabilityZones)
Requires input The list of Availability Zones to use for the subnets in the VPC.
The Quick Start uses two Availability Zones from your list and
preserves the logical order you specify.
Number of Availability
Zones
(NumberOfAZs)
2 The number of Availability Zones to use in the VPC. This
number must match your selection in the list of the
Availability Zones parameter.
Third Availability
Zone
(ThirdAZ)
no Enables you to deploy three Availability Zones. The third
Availability Zone either can be used just for the witness, or can
be a full Exchange cluster node.
Note: If you use the Availability Zone for the witness, you
must set the File Server Private IP Address parameter to an IP
address in the third subnet range.
VPC CIDR
(VPCCIDR)
10.0.0.0/16 The CIDR block for the VPC.
Private Subnet 1 CIDR
(PrivateSubnet1CIDR)
10.0.0.0/19 The CIDR block for the private subnet located in Availability
Zone 1.
Private Subnet 2 CIDR
(PrivateSubnet2CIDR)
10.0.32.0/19 The CIDR block for the private subnet located in Availability
Zone 2.
Private Subnet 3 CIDR
(PrivateSubnet3CIDR)
10.0.64.0/19 (Optional) The CIDR block for optional private subnet 3
located in Availability Zone 3.
Public Subnet 1 CIDR
(PublicSubnet1CIDR)
10.0.128.0/20 The CIDR block for the public (DMZ) subnet located in
Availability Zone 1.
Public Subnet 2 CIDR
(PublicSubnet2CIDR)
10.0.144.0/20 The CIDR block for the public (DMZ) subnet located in
Availability Zone 2.
Public Subnet 3 CIDR
(PublicSubnet3CIDR)
10.0.160.0/20 (Optional) The CIDR block for the optional public (DMZ)
subnet 3 located in Availability Zone 3.
Amazon Web Services – Microsoft Exchange Server on the AWS Cloud January 2020
Page 19 of 38
Amazon EC2 Configuration:

Key pair name (KeyPairName)
  Default: Requires input
  The public/private key pair, which allows you to connect securely to your instance after it launches. When you created an AWS account, this is the key pair you created in your preferred Region.
Microsoft Active Directory Configuration:

Domain DNS name (DomainDNSName)
  Default: example.com
  The fully qualified domain name (FQDN) of the forest root domain (e.g., example.com).

Domain NetBIOS name (DomainNetBIOSName)
  Default: example
  The NetBIOS name of the domain (up to 15 characters) for users of earlier versions of Windows (e.g., EXAMPLE).

Restore Mode password (RestoreModePassword)
  Default: Requires input
  The password for a separate Administrator account when the domain controller is in Restore Mode. Must be at least 8 characters containing letters, numbers, and symbols. Avoid using special characters such as @ or $.

Domain Admin user name (DomainAdminUser)
  Default: StackAdmin
  The user name for the account that will be added as Domain Administrator. This is separate from the default Administrator account.

Domain Admin password (DomainAdminPassword)
  Default: Requires input
  The password for the domain admin user. Must be at least 8 characters containing letters, numbers, and symbols. Avoid using special characters such as @ or $.

Domain Controller 1 instance type (ADServer1InstanceType)
  Default: m5.xlarge
  The EC2 instance type for the first Active Directory instance.

Domain Controller 1 NetBIOS name (ADServer1NetBIOSName)
  Default: DC1
  The NetBIOS name of the first Active Directory server (up to 15 characters).

Domain Controller 1 private IP address (ADServer1PrivateIP)
  Default: 10.0.0.10
  The private IP address for the first Active Directory server located in Availability Zone 1.

Domain Controller 2 instance type (ADServer2InstanceType)
  Default: m5.xlarge
  The EC2 instance type for the second Active Directory instance.

Domain Controller 2 NetBIOS name (ADServer2NetBIOSName)
  Default: DC2
  The NetBIOS name of the second Active Directory server (up to 15 characters).

Domain Controller 2 private IP address (ADServer2PrivateIP)
  Default: 10.0.32.10
  The private IP address for the second Active Directory server located in Availability Zone 2.
Remote Desktop Gateway Configuration:

Allowed Remote Desktop Gateway external access CIDR (RDGWCIDR)
  Default: Requires input
  The allowed CIDR block for external access to the Remote Desktop Gateways.

Remote Desktop Gateway instance type (RDGWInstanceType)
  Default: t2.large
  The EC2 instance type for the Remote Desktop Gateway instances.

Number of RDGW hosts (NumberOfRDGWHosts)
  Default: 1
  The number of Remote Desktop Gateway hosts to create.
Exchange Server Configuration:

Exchange Server version (ExchangeServerVersion)
  Default: 2016
  The version of Exchange Server to install. Options are 2016 or 2019.

Exchange Server 2019 source (ISO) (Exchange2019Source)
  Default: https://
  Full URL (including https://) for the Exchange 2019 ISO. This is required only if the Exchange Server version selected is 2019.

Deploy Edge servers (IncludeEdgeTransportRole)
  Default: no
  Setting this parameter to yes includes Exchange Edge Transport servers in the public subnets.

Edge Role instance type (EdgeInstanceType)
  Default: t3.large
  The EC2 instance type for the Exchange Edge Transport servers.

Edge Node 1 NetBIOS name (EdgeNode1NetBIOSName)
  Default: EdgeNode1
  The NetBIOS name of the first Edge server (up to 15 characters).

Edge Node 1 private IP address (EdgeNode1PrivateIP1)
  Default: 10.0.128.12
  The primary private IP address for the first Edge server located in Availability Zone 1.

Edge Node 2 NetBIOS name (EdgeNode2NetBIOSName)
  Default: EdgeNode2
  The NetBIOS name of the second Edge server (up to 15 characters).

Edge Node 2 private IP address (EdgeNode2PrivateIP1)
  Default: 10.0.144.12
  The primary private IP address for the second Edge server located in Availability Zone 2.

Enable or disable ReFS (EnableReFSVolumes)
  Default: true
  Setting this parameter to false formats the data and log volumes on Exchange nodes using NTFS instead of ReFS.

Encrypt data volumes (EncryptDataVolumes)
  Default: false
  Setting this parameter to true encrypts the data and log volumes on the Exchange nodes.

KMS key to encrypt volumes (EncryptionKmsKey)
  Default: —
  (Optional) The KMS encryption key ARN in the following format: arn:aws:kms:[REGION]:[ACCOUNTNUMBER]:key/[GUID]. Leave blank to use the default EBS encryption key.

Exchange Server volume IOPS (VolumeIops)
  Default: 1000
  The provisioned IOPS for the Exchange data and log volumes. This parameter is only applicable when the Exchange Server volume type parameter is set to "io1".

Exchange Server volume size (GiB) (VolumeSize)
  Default: 500
  The volume size for the Exchange data and log volumes.

Exchange Server volume type (VolumeType)
  Default: gp2
  The volume type for the Exchange data and log volumes.
Load Balancer Configuration:

Deploy Application Load Balancer (DeployLoadBalancer)
  Default: false
  Setting this parameter to true configures an Application Load Balancer (ALB).

Application Load Balancer Certificate (CertificateArn)
  Default: —
  (Conditional) The certificate ARN to be used by the ALB. If you chose true for the Deploy Application Load Balancer parameter, specify the certificate ARN to be used by the load balancer in the following format: arn:aws:acm:[REGION]:[ACCOUNTNUMBER]:certificate/[GUID]
Failover Cluster Configuration:

Instance type for Exchange nodes (ExchangeNodeInstanceType)
  Default: r5.xlarge
  The EC2 instance type for the Exchange nodes.

Exchange Node 1 NetBIOS name (ExchangeNode1NetBIOSName)
  Default: ExchangeNode1
  The NetBIOS name of the first Exchange node (up to 15 characters).

Exchange Node 1 private IP address 1 (ExchangeNode1PrivateIP1)
  Default: 10.0.0.100
  The primary private IP address for Exchange node 1 located in Availability Zone 1.

Exchange Node 1 private IP address 2 (ExchangeNode1PrivateIP2)
  Default: 10.0.0.101
  The secondary private IP address for Exchange node 1.

Exchange Node 2 NetBIOS name (ExchangeNode2NetBIOSName)
  Default: ExchangeNode2
  The NetBIOS name of Exchange node 2 (up to 15 characters).

Exchange Node 2 private IP address 1 (ExchangeNode2PrivateIP1)
  Default: 10.0.32.100
  The primary private IP address for Exchange node 2.

Exchange Node 2 private IP address 2 (ExchangeNode2PrivateIP2)
  Default: 10.0.32.101
  The secondary private IP address for Exchange node 2.

Exchange Node 3 NetBIOS name (ExchangeNode3NetBIOSName)
  Default: ExchangeNode3
  (Optional) The NetBIOS name of the optional Exchange node 3 (up to 15 characters).

Exchange Node 3 private IP address 1 (ExchangeNode3PrivateIP1)
  Default: 10.0.64.100
  (Optional) The primary private IP address for the optional Exchange node 3.

Exchange Node 3 private IP address 2 (ExchangeNode3PrivateIP2)
  Default: 10.0.64.101
  (Optional) The secondary private IP address for the optional Exchange node 3.

File Server instance type (FileServerInstanceType)
  Default: t3.small
  The EC2 instance type for the file-share witness server.

File Server NetBIOS name (FileServerNetBIOSName)
  Default: FileServer
  The NetBIOS name of the file-share witness server (up to 15 characters).

File Server private IP address (FileServerPrivateIP)
  Default: 10.0.0.200
  The primary private IP address for the file-share witness server located in Availability Zone 1.
AWS Quick Start Configuration:

Quick Start S3 bucket name (QSS3BucketName)
  Default: aws-quickstart
  The S3 bucket you've created for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. The bucket name can include numbers, lowercase letters, uppercase letters, and hyphens, but should not start or end with a hyphen.

Quick Start S3 key prefix (QSS3KeyPrefix)
  Default: quickstart-microsoft-exchange/
  The S3 key name prefix used to simulate a folder for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. This prefix can include numbers, lowercase letters, uppercase letters, hyphens, and forward slashes, but should not start or end with a forward slash (which is automatically added).
Option 2: Parameters for deploying Exchange Server into an existing VPC
View template
Network Configuration:

Third Availability Zone (ThirdAZ)
  Default: no
  Enables you to deploy three Availability Zones. The third Availability Zone can be used just for the witness, or it can host a full Exchange node.
  Note: If you use the third Availability Zone for the witness, you must set the File Server private IP address parameter to an IP address in the third subnet range.

VPC for Exchange deployment (VPCID)
  Default: Requires input
  The ID of the VPC (e.g., vpc-0343606e).

CIDR block of VPC (VPCCidrBlock)
  Default: 10.0.0.0/16
  The CIDR block for the VPC.

Private Subnet 1 ID (PrivateSubnet1ID)
  Default: Requires input
  The ID of private subnet 1 in Availability Zone 1 (e.g., subnet-a0246dcd).

Private Subnet 1 CIDR (PrivateSubnet1CIDR)
  Default: 10.0.0.0/19
  The CIDR block for private subnet 1 located in Availability Zone 1.

Private Subnet 2 ID (PrivateSubnet2ID)
  Default: Requires input
  The ID of private subnet 2 in Availability Zone 2 (e.g., subnet-a0246dcd).

Private Subnet 2 CIDR (PrivateSubnet2CIDR)
  Default: 10.0.32.0/19
  The CIDR block for private subnet 2 located in Availability Zone 2.

Private Subnet 3 ID (PrivateSubnet3ID)
  Default: —
  (Optional) The ID of the optional private subnet 3 in Availability Zone 3 (e.g., subnet-a0246dcd).

Private Subnet 3 CIDR (PrivateSubnet3CIDR)
  Default: 10.0.64.0/19
  (Optional) The CIDR block for the optional private subnet 3 located in Availability Zone 3.

Public Subnet 1 ID (PublicSubnet1ID)
  Default: Requires input
  (Optional) The ID of public subnet 1 in Availability Zone 1 (e.g., subnet-a0246dcd).

Public Subnet 2 ID (PublicSubnet2ID)
  Default: Requires input
  (Optional) The ID of public subnet 2 in Availability Zone 2 (e.g., subnet-a0246dcd).
Amazon EC2 Configuration:

Key pair name (KeyPairName)
  Default: Requires input
  The public/private key pair, which allows you to connect securely to your instance after it launches. When you created an AWS account, this is the key pair you created in your preferred Region.

Windows Server 2016 AMI name (WS2016FULLBASE)
  Default: /aws/service/ami-windows-latest/Windows_Server-2016-English-Full-Base
  The image name for the Systems Manager Windows Server 2016 AMI ID lookup.

Windows Server 2019 AMI name (WS2019FULLBASE)
  Default: /aws/service/ami-windows-latest/Windows_Server-2019-English-Full-Base
  The image name for the Systems Manager Windows Server 2019 AMI ID lookup.
Microsoft Active Directory Configuration:

Domain DNS name (DomainDNSName)
  Default: example.com
  The fully qualified domain name (FQDN) of the forest root domain (e.g., example.com).

Domain NetBIOS name (DomainNetBIOSName)
  Default: EXAMPLE
  The NetBIOS name of the domain (up to 15 characters) for users of earlier versions of Windows (e.g., EXAMPLE).

Domain Admin user name (DomainAdminUser)
  Default: StackAdmin
  The user name for the account that will be used as Domain Administrator. This is separate from the default Administrator account.

Domain Admin password (DomainAdminPassword)
  Default: Requires input
  The password for the domain admin user. Must be at least 8 characters containing letters, numbers, and symbols. Avoid using special characters such as @ or $.

Domain Controller 1 NetBIOS name (ADServer1NetBIOSName)
  Default: DC1
  The NetBIOS name of the first Active Directory server (up to 15 characters).

Domain Controller 1 private IP address (ADServer1PrivateIP)
  Default: 10.0.0.10
  The private IP address for the first Active Directory server located in Availability Zone 1.

Domain Controller 2 NetBIOS name (ADServer2NetBIOSName)
  Default: DC2
  The NetBIOS name of the second Active Directory server (up to 15 characters).

Domain Controller 2 private IP address (ADServer2PrivateIP)
  Default: 10.0.32.10
  The private IP address for the second Active Directory server located in Availability Zone 2.

Security Group ID for AD domain members (DomainMemberSGID)
  Default: Requires input
  The ID of the Domain Member Security Group (e.g., sg-7f16e910).
Microsoft Exchange Server Configuration:

Exchange Server version (ExchangeServerVersion)
  Default: 2016
  The version of Exchange Server to install. Options are 2016 or 2019.

Exchange Server 2019 source (ISO) (Exchange2019Source)
  Default: https://
  Full URL (including https://) for the Exchange 2019 ISO. This is required only if the Exchange Server version selected is 2019.

Deploy Edge servers (IncludeEdgeTransportRole)
  Default: no
  Setting this parameter to yes deploys Exchange Edge Transport servers in the public subnets.

Instance type for Edge server (EdgeInstanceType)
  Default: t3.large
  The EC2 instance type for the Exchange Edge Transport servers.

Edge Node 1 NetBIOS name (EdgeNode1NetBIOSName)
  Default: EdgeNode1
  The NetBIOS name of the first Edge server (up to 15 characters).

Edge Node 1 private IP address (EdgeNode1PrivateIP1)
  Default: 10.0.128.12
  The primary private IP address for the first Edge server located in Availability Zone 1.

Edge Node 2 NetBIOS name (EdgeNode2NetBIOSName)
  Default: EdgeNode2
  The NetBIOS name of the second Edge server (up to 15 characters).

Edge Node 2 private IP address (EdgeNode2PrivateIP1)
  Default: 10.0.144.12
  The primary private IP address for the second Edge server located in Availability Zone 2.

Enable or disable ReFS (EnableReFSVolumes)
  Default: true
  Setting this parameter to false formats the data and log volumes on Exchange nodes using NTFS instead of ReFS.

Encrypt data volumes (EncryptDataVolumes)
  Default: false
  Setting this parameter to true encrypts the data and log volumes on the Exchange nodes.

KMS key to encrypt volumes (EncryptionKmsKey)
  Default: —
  (Optional) The KMS encryption key ARN in the following format: arn:aws:kms:[REGION]:[ACCOUNTNUMBER]:key/[GUID]. Leave blank to use the default EBS encryption key.

Data Volume size (GiB) (VolumeSize)
  Default: 500
  The volume size for the Exchange data drive.

Data Volume type (VolumeType)
  Default: gp2
  The volume type for the Exchange data drive.

Data Volume IOPS (VolumeIops)
  Default: 1000
  The IOPS for the Exchange data drive. This is only used when the volume type is io1.
Load Balancer Configuration:

Deploy Application Load Balancer (DeployLoadBalancer)
  Default: false
  Setting this parameter to true deploys an Application Load Balancer (ALB).

Application Load Balancer Certificate (CertificateArn)
  Default: —
  (Conditional) The certificate ARN to be used by the ALB. If you chose true for the Deploy Application Load Balancer parameter, specify the certificate ARN to be used by the load balancer in the following format: arn:aws:acm:[REGION]:[ACCOUNTNUMBER]:certificate/[GUID]
Failover Cluster Configuration:

Instance type for Exchange nodes (ExchangeNodeInstanceType)
  Default: r5.xlarge
  The EC2 instance type for the Exchange nodes.

Exchange Node 1 NetBIOS name (ExchangeNode1NetBIOSName)
  Default: ExchangeNode1
  The NetBIOS name of the first Exchange node (up to 15 characters).

Exchange Node 1 private IP address 1 (ExchangeNode1PrivateIP1)
  Default: 10.0.0.100
  The primary private IP address for Exchange node 1 located in Availability Zone 1.

Exchange Node 1 private IP address 2 (ExchangeNode1PrivateIP2)
  Default: 10.0.0.101
  The secondary private IP address for Exchange node 1.

Exchange Node 2 NetBIOS name (ExchangeNode2NetBIOSName)
  Default: ExchangeNode2
  The NetBIOS name of Exchange node 2 (up to 15 characters).

Exchange Node 2 private IP address 1 (ExchangeNode2PrivateIP1)
  Default: 10.0.32.100
  The primary private IP address for Exchange node 2 located in Availability Zone 2.

Exchange Node 2 private IP address 2 (ExchangeNode2PrivateIP2)
  Default: 10.0.32.101
  The secondary private IP address for Exchange node 2.

Exchange Node 3 NetBIOS name (ExchangeNode3NetBIOSName)
  Default: ExchangeNode3
  (Optional) The NetBIOS name of the optional Exchange node 3 (up to 15 characters).

Exchange Node 3 private IP address 1 (ExchangeNode3PrivateIP1)
  Default: 10.0.64.100
  (Optional) The primary private IP address for Exchange node 3 located in Availability Zone 3.

Exchange Node 3 private IP address 2 (ExchangeNode3PrivateIP2)
  Default: 10.0.64.101
  (Optional) The secondary private IP address for Exchange node 3 located in Availability Zone 3.

File Server instance type (FileServerInstanceType)
  Default: t3.small
  The EC2 instance type for the file-share witness server.

File Server NetBIOS name (FileServerNetBIOSName)
  Default: FileServer
  The NetBIOS name of the file-share witness server (up to 15 characters).

File Server private IP address (FileServerPrivateIP)
  Default: 10.0.0.200
  The primary private IP address for the file-share witness server located in Availability Zone 1.
AWS Quick Start Configuration:

Quick Start S3 bucket name (QSS3BucketName)
  Default: aws-quickstart
  The S3 bucket you've created for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. The bucket name can include numbers, lowercase letters, uppercase letters, and hyphens, but should not start or end with a hyphen.

Quick Start S3 key prefix (QSS3KeyPrefix)
  Default: quickstart-microsoft-exchange/
  The S3 key name prefix used to simulate a folder for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. This prefix can include numbers, lowercase letters, uppercase letters, hyphens, and forward slashes, but should not start or end with a forward slash (which is automatically added).
5. On the Options page, you can specify tags (key-value pairs) for resources in your stack
and set advanced options. When you’re done, choose Next.
6. On the Review page, review and confirm the template settings. Under Capabilities,
select the check box to acknowledge that the template will create IAM resources.
7. Choose Create to deploy the stack.
Monitor the status of the stack. When the status is CREATE_COMPLETE, the
Exchange Server cluster is ready.
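The parameter tables above state a number of constraints that the console does not check for you before Create: NetBIOS names of at most 15 characters, password rules, each private IP inside the subnet the tables place it in, ARN formats, and the conditional certificate parameter. The following pre-flight check is an added example, not part of the Quick Start or its templates; it assumes ThirdAZ takes the values no, witness and full, treats an RDGWCIDR of 0.0.0.0/0 as a finding in line with the guide's advice to tightly control ingress, and the sample parameter set is constructed.

```python
"""Pre-flight check of Quick Start parameter values against the constraints
stated in the parameter tables. Added example, not part of the Quick Start.
ThirdAZ values "no", "witness" and "full" are an assumption."""
import ipaddress
import re

SUBNET_PARAMS = ("PrivateSubnet1CIDR", "PrivateSubnet2CIDR", "PrivateSubnet3CIDR",
                 "PublicSubnet1CIDR", "PublicSubnet2CIDR", "PublicSubnet3CIDR")
NETBIOS_PARAMS = ("DomainNetBIOSName", "ADServer1NetBIOSName", "ADServer2NetBIOSName",
                  "ExchangeNode1NetBIOSName", "ExchangeNode2NetBIOSName", "ExchangeNode3NetBIOSName",
                  "FileServerNetBIOSName", "EdgeNode1NetBIOSName", "EdgeNode2NetBIOSName")
PASSWORD_PARAMS = ("DomainAdminPassword", "RestoreModePassword")
# Each private IP must fall inside the subnet the tables place it in.
IP_PLACEMENT = (("ADServer1PrivateIP", "PrivateSubnet1CIDR"), ("ADServer2PrivateIP", "PrivateSubnet2CIDR"),
                ("ExchangeNode1PrivateIP1", "PrivateSubnet1CIDR"), ("ExchangeNode1PrivateIP2", "PrivateSubnet1CIDR"),
                ("ExchangeNode2PrivateIP1", "PrivateSubnet2CIDR"), ("ExchangeNode2PrivateIP2", "PrivateSubnet2CIDR"),
                ("EdgeNode1PrivateIP1", "PublicSubnet1CIDR"), ("EdgeNode2PrivateIP1", "PublicSubnet2CIDR"))
KMS_ARN = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")
ACM_ARN = re.compile(r"^arn:aws:acm:[a-z0-9-]+:\d{12}:certificate/[0-9a-f-]{36}$")


def check_password(value):
    """At least 8 characters with letters, numbers and symbols; no @ or $."""
    if len(value) < 8:
        return "is shorter than 8 characters"
    if "@" in value or "$" in value:
        return "contains @ or $"
    if not (re.search(r"[A-Za-z]", value) and re.search(r"\d", value)
            and re.search(r"[^A-Za-z0-9]", value)):
        return "needs letters, numbers and symbols"
    return None


def validate(params):
    """Return a list of findings; an empty list means the parameter set passes."""
    findings = []
    # Option 1 names the VPC block VPCCIDR, Option 2 names it VPCCidrBlock.
    vpc = ipaddress.ip_network(params.get("VPCCIDR") or params["VPCCidrBlock"])
    subnets = {}
    for key in SUBNET_PARAMS:
        if key in params:
            net = ipaddress.ip_network(params[key])
            if not net.subnet_of(vpc):
                findings.append(f"{key} {net} is outside the VPC CIDR {vpc}")
            for other, other_net in subnets.items():
                if net.overlaps(other_net):
                    findings.append(f"{key} overlaps {other}")
            subnets[key] = net
    third = params.get("ThirdAZ", "no")
    placement = list(IP_PLACEMENT)
    if third == "full":  # assumed value: the third AZ hosts a full Exchange node
        placement += [("ExchangeNode3PrivateIP1", "PrivateSubnet3CIDR"),
                      ("ExchangeNode3PrivateIP2", "PrivateSubnet3CIDR")]
    # Table note: a witness in the third AZ needs an address from the third subnet.
    placement.append(("FileServerPrivateIP",
                      "PrivateSubnet3CIDR" if third == "witness" else "PrivateSubnet1CIDR"))
    if params.get("IncludeEdgeTransportRole", "no") != "yes":
        placement = [p for p in placement if not p[0].startswith("EdgeNode")]
    for ip_key, net_key in placement:
        if ip_key in params and net_key in subnets:
            if ipaddress.ip_address(params[ip_key]) not in subnets[net_key]:
                findings.append(f"{ip_key} {params[ip_key]} is not inside "
                                f"{net_key} {subnets[net_key]}")
    for key in NETBIOS_PARAMS:
        if len(params.get(key, "")) > 15:
            findings.append(f"{key} is longer than 15 characters")
    for key in PASSWORD_PARAMS:
        if key in params and check_password(params[key]):
            findings.append(f"{key} {check_password(params[key])}")
    if params.get("EncryptionKmsKey") and not KMS_ARN.match(params["EncryptionKmsKey"]):
        findings.append("EncryptionKmsKey is not a KMS key ARN")
    if (params.get("DeployLoadBalancer", "false") == "true"
            and not ACM_ARN.match(params.get("CertificateArn", ""))):
        findings.append("DeployLoadBalancer is true but CertificateArn is missing or malformed")
    rdgw = params.get("RDGWCIDR")
    if rdgw and ipaddress.ip_network(rdgw).prefixlen == 0:
        findings.append("RDGWCIDR is 0.0.0.0/0; restrict RD Gateway access to known ranges")
    return findings


# Constructed sample: the guide's defaults plus four deliberate mistakes.
SAMPLE = {
    "VPCCIDR": "10.0.0.0/16", "PrivateSubnet1CIDR": "10.0.0.0/19",
    "PrivateSubnet2CIDR": "10.0.32.0/19", "PrivateSubnet3CIDR": "10.0.64.0/19",
    "PublicSubnet1CIDR": "10.0.128.0/20", "PublicSubnet2CIDR": "10.0.144.0/20",
    "ThirdAZ": "witness", "ADServer1PrivateIP": "10.0.0.10",
    "ADServer2PrivateIP": "10.0.32.10", "ExchangeNode1PrivateIP1": "10.0.0.100",
    "ExchangeNode1PrivateIP2": "10.0.0.101", "ExchangeNode2PrivateIP1": "10.0.32.100",
    "ExchangeNode2PrivateIP2": "10.0.32.101",
    "FileServerPrivateIP": "10.0.0.200",     # witness in AZ 3 needs a 10.0.64.0/19 address
    "DomainNetBIOSName": "EXAMPLE", "ExchangeNode1NetBIOSName": "ExchangeNode1",
    "DomainAdminPassword": "Pa55word$2020",  # contains $
    "DeployLoadBalancer": "true", "CertificateArn": "",         # ALB without a certificate
    "ExchangeServerVersion": "2016", "RDGWCIDR": "0.0.0.0/0",   # RD Gateway open to all
}
```

Running validate(SAMPLE) returns the four findings marked in the sample; fix them and the list is empty.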
Step 3. (Optional) Create Database Copies
The Quick Start creates a database availability group (DAG) and adds the Exchange nodes
to the DAG. As part of the Exchange installation, each Exchange node contains a mailbox
database. The first node contains a database called DB1, and the second node contains a
database called DB2.
As part of configuring high availability for the mailbox roles, you can add mailbox database
copies on the other Exchange nodes. Alternatively, you can create entirely new databases
and only then create additional copies.
To create a second copy of each initial database, use the following commands:
Add-MailboxDatabaseCopy -Identity DB1 -MailboxServer ExchangeNode2 -ActivationPreference 2
Add-MailboxDatabaseCopy -Identity DB2 -MailboxServer ExchangeNode1 -ActivationPreference 2
Step 4. (Optional) Create a DNS Entry for the Load Balancer
1. If you chose the option to deploy a load balancer, the Application Load Balancer (ALB)
will have an endpoint address such as [elb.amazonaws.com].
2. To use the load balancer with your Exchange namespace, create a CNAME record in
Active Directory that points to the ALB.
3. Before proceeding, go to the Amazon EC2 console and, under Load balancer, select
the load balancer that the Quick Start created.
4. Copy the value listed under the DNS name, as shown in Figure 7.
Figure 7: Creating a DNS entry for the load balancer
5. To create the DNS record, connect using Remote Desktop to one of the domain
controllers using domain credentials, and open the DNS console by going to the Start
menu and typing “DNS”.
6. In the DNS console, navigate to the Active Directory zone, right-click, and select New
Alias (CNAME), as shown in Figure 8.
Figure 8: Selecting New Alias (CNAME)
7. Create the DNS entry such as “mail” and in fully qualified domain name (FQDN)
for target host, paste the value of the Application Load Balancer endpoint, as shown
in Figure 9.
Figure 9: Creating the DNS entry (“mail”)
8. Verify that the DNS entry is resolved successfully by performing an nslookup. Go to
Start and type “cmd”. In the command line window, type the following:
Nslookup mail.example.com
Where mail is the name of the CNAME record you created, and “example.com” is your
Active Directory domain name.
9. Ensure that the record resolves to the load balancer DNS record, as shown in
Figure 10.
Figure 10: Verifying the DNS record
Best Practices
The architecture built by this Quick Start supports AWS best practices for high availability
and security.
High Availability and Disaster Recovery
Amazon EC2 provides the ability to place instances in multiple locations composed of AWS
Regions and Availability Zones. Regions are dispersed and located in separate geographic
areas. Availability Zones are distinct locations within a Region that are engineered to be
isolated from failures in other Availability Zones and that provide inexpensive, low-latency
network connectivity to other Availability Zones in the same Region.
By launching your instances in separate Regions, you can design your application to be
closer to specific customers or to meet legal or other requirements. By launching your
instances in separate Availability Zones, you can protect your applications from the failure
of a single location. Exchange provides infrastructure features that complement the high
availability and disaster recovery scenarios supported in the AWS Cloud.
Automatic Failover
Deploying the Quick Start with the default parameters configures a two-node database
availability group (DAG) with a file share witness. The DAG uses Windows Server Failover
Clustering for automatic failover.
The Quick Start implementation supports the following scenarios:
– Protection from the failure of a single instance
– Automatic failover between the cluster nodes
– Automatic failover between Availability Zones
However, the Quick Start default implementation doesn’t provide automatic failover in
every case. For example, the loss of Availability Zone 1, which contains the primary node
and file share witness, would prevent automatic failover to Availability Zone 2. This is
because the cluster would fail as it loses quorum. In this scenario, you could follow manual
disaster recovery steps that include restarting the cluster service and forcing quorum on the
second cluster node (e.g., ExchangeNode2) to restore application availability.
The Quick Start also provides an option to deploy into three Availability Zones. This
deployment option can mitigate the loss of quorum in the case of a failure of a single node.
However, you can select this option only in AWS Regions that include three or more
Availability Zones; for a current list, see AWS Global Infrastructure.
We recommend that you consult the Microsoft Exchange Server documentation and
customize some of the steps described in this guide or add ones (e.g., deploy additional
cluster nodes and configure mailbox database copies) to deploy a solution that best meets
your business, IT, and security requirements.
Security Groups and Firewalls
When the EC2 instances are launched, they must be associated with a security group, which
acts as a stateful firewall. You have complete control over the network traffic entering or
leaving the security group, and you can build granular rules that are scoped by protocol,
port number, and source or destination IP address or subnet. By default, all traffic
egressing a security group is permitted. Ingress traffic, on the other hand, must be
configured to allow the appropriate traffic to reach your instances.
The Securing the Microsoft Platform on Amazon Web Services whitepaper discusses the
different methods for securing your AWS infrastructure. Recommendations include
providing isolation between application tiers using security groups. We recommend that
you tightly control ingress traffic, so that you reduce the attack surface of your EC2
instances.
Domain controllers and member servers require several security group rules to allow traffic
for services such as AD DS replication, user authentication, Windows Time service, and
Distributed File System (DFS), among others. The nodes running Exchange Server permit
full communication between each other, as recommended by Microsoft best practices. For
more information, see Exchange, Firewalls, and Support.
Edge node servers (if configured to be deployed) allow port 25 TCP (SMTP) from the entire
internet.
The Quick Start creates certain security groups and rules for you. For a detailed list of port
mappings, see the Security section of the Active Directory Domain Services Quick Start
deployment guide, and the Security section of this guide.
Security
AWS provides a set of building blocks (for example, Amazon EC2 and Amazon VPC) that
you can use to provision infrastructure for your applications. In this model, some security
capabilities, such as physical security, are the responsibility of AWS and are highlighted in
the AWS security whitepaper. Other areas, such as controlling access to applications, fall on
the application developer and the tools provided in the Microsoft platform.
This Quick Start configures the following security groups for Exchange Server:

Security group: DomainMemberSGID
  Associated with: Exchange nodes, FileServer, RD Gateway, Domain controllers
  Inbound source: VPC CIDR
  Ports: Standard AD ports

Security group: EXCHClientSecurityGroup
  Associated with: Exchange nodes, FileServer
  Inbound source: VPC CIDR
  Ports: 25, 80, 443, 143, 993, 110, 995, 587

Security group: ExchangeSecurityGroup
  Associated with: Exchange nodes
  Inbound source: ExchangeSecurityGroup
  Ports: All ports

Security group: EXCHEdgeSecurityGroup
  Associated with: EXCHEdgeSecurityGroup
  Inbound source: Private subnets CIDR (port 50636); 0.0.0.0/0 (port 25)
  Ports: 50636, 25

Security group: LoadBalancerSecurityGroup
  Associated with: Load balancer
  Inbound source: 0.0.0.0/0
  Ports: 0.0.0.0/0
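Because the groups above are created for you, what matters afterwards is drift: a rule added later that the design does not call for. The following audit is an added example, not part of the Quick Start; it takes the group list in the shape boto3's ec2.describe_security_groups() returns under "SecurityGroups" and flags any 0.0.0.0/0 source outside the Edge (port 25) and load balancer groups, any source outside the VPC CIDR on the domain-member and client groups, ports beyond the client list, and a node-to-node rule that no longer references ExchangeSecurityGroup itself. The group records and IDs are constructed.

```python
"""Audit Exchange Quick Start security groups against the documented table.
Added example, not part of the Quick Start. Input shape follows boto3's
ec2.describe_security_groups()["SecurityGroups"]; the sample is constructed."""
import ipaddress

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")          # VPCCIDR default from the tables
CLIENT_PORTS = {25, 80, 443, 143, 993, 110, 995, 587}    # EXCHClientSecurityGroup row
VPC_ONLY = ("DomainMemberSGID", "EXCHClientSecurityGroup")  # inbound source: VPC CIDR
# Groups the table allows to accept 0.0.0.0/0, and on which ports (None: any).
INTERNET_FACING = {"EXCHEdgeSecurityGroup": {25}, "LoadBalancerSecurityGroup": None}


def _ports(perm):
    """Expand one IpPermissions entry into the set of ports it opens."""
    if perm.get("IpProtocol") == "-1":   # all protocols, all ports
        return {"all"}
    return set(range(perm["FromPort"], perm["ToPort"] + 1))


def audit(security_groups):
    """Return findings for inbound rules that depart from the documented design."""
    findings = []
    for sg in security_groups:
        name = sg["GroupName"]
        for perm in sg.get("IpPermissions", []):
            ports = _ports(perm)
            for rng in perm.get("IpRanges", []):
                src = ipaddress.ip_network(rng["CidrIp"])
                allowed = INTERNET_FACING.get(name)
                if src.prefixlen == 0 and (name not in INTERNET_FACING
                                           or (allowed is not None and not ports <= allowed)):
                    findings.append(f"{name}: {sorted(ports)} open to 0.0.0.0/0")
                elif name in VPC_ONLY and not src.subnet_of(VPC_CIDR):
                    findings.append(f"{name}: source {src} is outside the VPC CIDR")
            if name == "EXCHClientSecurityGroup" and not ports <= CLIENT_PORTS:
                findings.append(f"{name}: ports {sorted(ports - CLIENT_PORTS)} "
                                "are not in the client port list")
            for pair in perm.get("UserIdGroupPairs", []):
                if name == "ExchangeSecurityGroup" and pair["GroupId"] != sg["GroupId"]:
                    findings.append(f"{name}: node-to-node rule references "
                                    f"{pair['GroupId']} rather than itself")
    return findings


# Constructed sample; group IDs are placeholders, not values from the guide.
SAMPLE_GROUPS = [
    {"GroupName": "EXCHClientSecurityGroup", "GroupId": "sg-client0001",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
         {"IpProtocol": "tcp", "FromPort": 25, "ToPort": 25, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
         # Drift: client-facing HTTPS opened to the internet on the wrong group.
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
     ]},
    {"GroupName": "ExchangeSecurityGroup", "GroupId": "sg-exch00001",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-exch00001"}]}]},
    {"GroupName": "EXCHEdgeSecurityGroup", "GroupId": "sg-edge00001",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 25, "ToPort": 25, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 50636, "ToPort": 50636,
          "IpRanges": [{"CidrIp": "10.0.0.0/19"}, {"CidrIp": "10.0.32.0/19"}]},
     ]},
    {"GroupName": "LoadBalancerSecurityGroup", "GroupId": "sg-lb0000001",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
```

audit(SAMPLE_GROUPS) reports only the drifted client rule; the Edge port 25 and load balancer rules match the table and pass.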
Troubleshooting
Q. I encountered a CREATE_FAILED error when I launched the Quick Start. What should
I do?
A. If AWS CloudFormation fails to create the stack, we recommend that you relaunch the
template with Rollback on failure set to No. (This setting is under Advanced in the
AWS CloudFormation console, Options page.) With this setting, the stack’s state will be
retained and the instance will be left running, so you can troubleshoot the issue. (You'll
want to look at the log files in %ProgramFiles%\Amazon\EC2ConfigService and C:\cfn\log.)
Important When you set Rollback on failure to No, you will continue to incur
AWS charges for this stack. Please make sure to delete the stack when you’ve
finished troubleshooting.
The following table lists specific CREATE_FAILED error messages you might encounter.

Error message: We currently do not have sufficient r5.xlarge capacity in the AZ you requested
  Possible cause: Insufficient instance capacity
  What to do: If you get an InsufficientInstanceCapacity error (ICE), AWS might not have enough on-demand capacity for the selected instance type. Switch to a different instance type (such as m5.xlarge or r4.xlarge), use different Availability Zones if possible, or retry in a few minutes.

Error message: Instance ID did not stabilize
  Possible cause: You have exceeded your IOPS quota for the Region
  What to do: Request a quota increase by completing the request form in the Service Quotas console.

Error message: System Administrator password must contain at least 8 characters
  Possible cause: The master password contains $ or other special characters
  What to do: Change the master password (DomainAdminPassword parameter in the template), and then relaunch the Quick Start. The password must be at least 8 characters, consisting of uppercase and lowercase letters and numbers. Avoid using special characters such as @ or $.
For additional information, see Troubleshooting AWS CloudFormation on the AWS
website.
Q. I encountered a size limitation error when I deployed the AWS CloudFormation
templates.
A. We recommend that you launch the Quick Start templates from the location we’ve
provided or from another S3 bucket. If you deploy the templates from a local copy on your
computer or from a non-S3 location, you might encounter template size limitations when
you create the stack. For more information about AWS CloudFormation quotas, see the
AWS documentation.
GitHub Repository
You can visit our GitHub repository to download the templates, scripts, and documentation
files for this Quick Start, to provide feedback including documentation feedback, and to
share your customizations with others.
Additional Resources
AWS services
AWS CloudFormation
https://docs.aws.amazon.com/cloudformation/index.html
Amazon EBS
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html
Amazon EC2
https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/concepts.html
Amazon VPC
https://docs.aws.amazon.com/vpc/index.html
Microsoft Exchange Server documentation
Exchange Server 2016
https://docs.microsoft.com/en-us/Exchange/exchange-server?view=exchserver-2019
Database availability groups (DAGs)
https://docs.microsoft.com/en-us/Exchange/high-availability/database-availability-groups/database-availability-groups?view=exchserver-2019
Deploying Microsoft software on AWS
Windows Server on AWS
https://aws.amazon.com/windows/
Secure the Microsoft platform on AWS
https://d1.awsstatic.com/whitepapers/aws-microsoft-platform-security.pdf
Microsoft License Mobility
https://aws.amazon.com/windows/resources/licensemobility/
MSDN on AWS
https://aws.amazon.com/windows/resources/msdn/
AWS Windows and .NET Developer Center
https://aws.amazon.com/developer/language/net/
Quick Start reference deployments
AWS Quick Start home page
https://aws.amazon.com/quickstart/
Microsoft Active Directory Domain Services on the AWS Cloud
https://docs.aws.amazon.com/quickstart/latest/active-directory-ds/welcome.html
Microsoft Remote Desktop Gateway on the AWS Cloud
https://docs.aws.amazon.com/quickstart/latest/rd-gateway/welcome.html
Microsoft SharePoint on the AWS Cloud
https://docs.aws.amazon.com/quickstart/latest/sharepoint/welcome.html
Document Revisions

January 2020
  Change: Added support for Exchange Server 2019 and removed support for Exchange Server 2013. Removed support for BYOL due to Microsoft licensing changes.
  In sections: Throughout document; template updates

September 2019
  Change: Updated storage section and references to other Microsoft Quick Starts.
  In sections: Throughout document

October 2018
  Change: Added support for Exchange Server 2016; added Exchange Edge Transport nodes.
  In sections: Throughout document; architecture diagram and template updates

March 2018
  Change: Updated Active Directory to use the Windows Server 2016 AMI; updated template parameters.
  In sections: Template updates

September 2015
  Change: In the sample templates, changed the default type for Active Directory and RD Gateway instances from m3.xlarge to m4.xlarge for better performance and price.
  In sections: Template updates

August 2015
  Change: Updated DAG guidance and deployment scenarios.
  In sections: Deployment Options

March 2015
  Change: Optimized the underlying Amazon VPC design to support expansion and to reduce complexity.
  In sections: Architecture diagram and template updates

January 2015
  Change: Initial publication
  In sections: —
© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Notices
This document is provided for informational purposes only. It represents AWS’s current product offerings
and practices as of the date of issue of this document, which are subject to change without notice. Customers
are responsible for making their own independent assessment of the information in this document and any
use of AWS’s products or services, each of which is provided “as is” without warranty of any kind, whether
express or implied. This document does not create any warranties, representations, contractual
commitments, conditions or assurances from AWS, its affiliates, suppliers or licensors. The responsibilities
and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of,
nor does it modify, any agreement between AWS and its customers.
The software included with this paper is licensed under the Apache License, Version 2.0 (the "License"). You
may not use this file except in compliance with the License. A copy of the License is located at
http://aws.amazon.com/apache2.0/ or in the "license" file accompanying this file. This code is distributed on
an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and limitations under the License.