Why is the old Exchange certificate prompting?

We are using MS Exchange Server 2016. It is a new setup and now in full production. Previously we had an older Exchange Server 2013. We set up this new 2016 Exchange to coexist and then migrated all mailboxes to the 2016 server. The older 2013 server is still online, but with all Exchange services off and the mailbox databases removed. We are planning to uninstall and decommission the 2013 server in two weeks' time.

However, there is a little problem. When users open Outlook, they always see a dialog box stating "The name on the security certificate is invalid or does not match the name of the site." This refers to the old server's certificate (a Microsoft self-signed one). I am curious why Outlook still looks for this old server (for the cert). Can anything be done on the autodiscover settings?

Thanks in advance.
MichaelBalack asked:
MAS (EE Solution Guide - Technical Dept Head) commented:
Hi MichaelBalack,
Please check this article and make sure everything is configured as in the article.
https://www.experts-exchange.com/articles/31221/Fix-for-Exchange-server-2016-certificate-and-related-issues.html 

Thanks
MAS
Seth Simmons (Sr. Systems Administrator) commented:
> why this outlook still look for this old server (for cert)?

Did you use the old cert on the new server? If so, that's why.
The name on the certificate identifies it as the old server, but the cert is on the new server, so the name doesn't match.
You need to get a new cert that has the server name of the 2016 server to fix the issue.
Todd Nelson (Systems Engineer) commented:
Run the following command to compare the autodiscover URI of all the servers. It is quite possible that the URI on the Exchange 2016 server does not have a valid, routable FQDN. IMO, the autodiscover URI on Exchange 2016 should match what it was on Exchange 2013, especially if you imported the cert from Exchange 2013.

Get-ExchangeServer | Get-ClientAccessServer | fl Identity,AutoDiscoverServiceInternalUri

MAS (EE Solution Guide - Technical Dept Head) commented:
You have not needed the server name in the certificate since Exchange 2007 was released.
We can use the same certificate from the legacy server, import it on the new server and configure the same URLs on the virtual directories, except when upgrading from Exchange 2007 to a later version.
MichaelBalack (Author) commented:
Hi Seth,

No, there is no old cert on the new server.

The new server name is on the new cert on 2016.

MichaelBalack (Author) commented:
Todd,

2k13 is using a self-signed cert, while 2k16 is using a cert issued by MS Certificate Services. The two servers do not share the same cert.

Please see the results of the command:

exch2k13:
AutoDiscoverServiceInternalUri: https://exch2k16.abc.local/autodiscover/autodiscover.xml

exch2k16:
AutoDiscoverServiceInternalUri: https://exch2k16.abc.local/autodiscover/autodiscover.xml

exch2k13 is using the FQDN of exch2k16. Shall I change the setting to the public host name?

MAS (EE Solution Guide - Technical Dept Head) commented:
> exch2k13 is using the FQDN of exch2k16. Shall I change the setting to the public host name?
Yes, please.

Please configure DNS as in the article and update the records to your public name.
This is explained in my article.
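Todd's one-liner above shows what each server's Service Connection Point (SCP) advertises; MAS's advice is to point it at the public name that is actually on the certificate. The script below, an added example that is not from the thread, does both checks in one pass and optionally applies the fix. It assumes the Exchange Management Shell on Exchange 2013/2016, and the public name `autodiscover.abc.com` is a placeholder: substitute the name that appears in your IIS-bound certificate's SAN list and resolves from the client network.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
$PublicAutodiscoverHost = 'autodiscover.abc.com'   # assumed public, routable name (placeholder)
$ExpectedUri = "https://$PublicAutodiscoverHost/autodiscover/autodiscover.xml"
$Fix = $false   # set to $true to rewrite the SCP on every server whose URI differs

# 1. What each server advertises in its SCP in Active Directory. A domain-joined
#    Outlook reads these before any DNS-based lookup, so a server that still has
#    an SCP object keeps steering clients even with its Exchange services stopped.
$scps = Get-ExchangeServer | Get-ClientAccessServer |
        Select-Object Identity, AutoDiscoverServiceInternalUri

$report = foreach ($scp in $scps) {
    $currentUri = "$($scp.AutoDiscoverServiceInternalUri)"
    $uriHost    = ([uri]$currentUri).Host

    # 2. The certificate bound to IIS on that server must carry the host name the
    #    SCP hands out. A self-signed cert, or a SAN that only lists the .local
    #    name, is exactly what produces the "name on the security certificate" prompt.
    $iisCerts = Get-ExchangeCertificate -Server $scp.Identity |
                Where-Object { "$($_.Services)" -match 'IIS' }
    $covered = $false
    foreach ($cert in $iisCerts) {
        foreach ($dom in $cert.CertificateDomains) {
            $d = "$dom"
            if ($d -eq $uriHost) { $covered = $true }
            elseif ($d.StartsWith('*.') -and ($uriHost -like $d)) { $covered = $true }   # wildcard SAN
        }
        if ($cert.IsSelfSigned) {
            Write-Warning "$($scp.Identity): IIS certificate $($cert.Thumbprint) is self-signed; clients will not trust it."
        }
    }

    # 3. The advertised name must also resolve where the script runs; a public
    #    name normally needs a split-DNS zone so internal clients reach it too.
    $resolves = $null -ne (Resolve-DnsName -Name $uriHost -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Server        = $scp.Identity
        ScpHost       = $uriHost
        MatchesTarget = ($currentUri -eq $ExpectedUri)
        InIisCertSan  = $covered
        DnsResolves   = $resolves
    }

    if ($Fix -and ($currentUri -ne $ExpectedUri)) {
        # Point every remaining server, including one awaiting uninstall, at the
        # public name so that no SCP in AD hands out a name the certificate lacks.
        Set-ClientAccessServer -Identity $scp.Identity -AutoDiscoverServiceInternalUri $ExpectedUri
    }
}

$report | Format-Table -AutoSize
```

Run it first with `$Fix = $false`: a row with `InIisCertSan` false or `DnsResolves` false identifies the server whose SCP is producing the prompt. Only flip `$Fix` once the public name is both in the SAN of the IIS-bound certificate and resolvable internally; otherwise you trade one mismatch warning for another. After the 2013 server is uninstalled, re-run the check to confirm that only the 2016 server is listed.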
Todd Nelson (Systems Engineer) commented:
What are the names in the certificate?

Is "exch2k16.abc.local" listed in the certificate? You must use routable FQDNs, because a private FQDN cannot be added to a public SAN certificate.

You should think about exporting the cert from the 2013 server and importing it into the 2016 server.  Also, did you recently change the URI on the 2013 server?
MichaelBalack (Author) commented:
Hi Todd,

Yes, the autodiscover URI was updated for exch2k13. However, all Exchange services on this server have been stopped, and it is scheduled to be uninstalled this coming weekend.

Hi MAS,

Yes, I read through the whole article and updated the settings accordingly. Autodiscover and the other virtual directories have been updated to use the public host name.

Now, just wait and see whether any incident of the old cert error appears.

MAS (EE Solution Guide - Technical Dept Head) commented:
@MichaelBalack
I would appreciate it if you update the thread.

MAS
MichaelBalack (Author) commented:
Hi all,

Now the exch2k13 server has been uninstalled and is offline. There are no more old Exchange cert prompts. The main thing lies in the following PowerShell command:

Get-ExchangeServer | Get-ClientAccessServer | fl Identity,AutoDiscoverServiceInternalUri

If only the exch2k16 server is shown, then the old exch2k13 cert problem disappears.

MichaelBalack (Author) commented:
Thanks to Expert Todd for suggesting that command to check; this really works.