Why is the old Exchange certificate prompting?

This is MS Exchange Server 2016, a new setup that is now in full production. Previously we had an older Exchange Server 2013. We set up this new 2016 Exchange to coexist and then migrated all mailboxes to 2016. Now the older 2013 server is still online, but with all Exchange services off and the mailbox databases removed. We are planning to uninstall and decommission this 2013 server in 2 weeks' time.

However, there is a little problem here. When users open Outlook, they always see a dialog box stating "The name on the security certificate is invalid or does not match the name of the site." This refers to the old server's cert (an MS self-signed one). I am curious why Outlook still looks for this old server (for the cert). Can anything be done in the autodiscover settings?

Thanks in advance.
MichaelBalack asked:
Todd Nelson, Systems Engineer, commented:
Run the following command to compare the autodiscover URI of all the servers. It is quite possible that the URI on the Exchange 2016 server does not have a valid, routable FQDN. IMO, the autodiscover URI on Exchange 2016 should match what it was on Exchange 2013, especially if you imported the cert from Exchange 2013.

Get-ExchangeServer | Get-ClientAccessServer | fl Identity,AutoDiscoverServiceInternalUri

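As an added example (not from the thread), the following Exchange Management Shell script extends Todd's one-liner: for every Client Access server it parses the host name out of AutoDiscoverServiceInternalUri and checks whether an IIS-bound Exchange certificate on that server actually covers that name, which is the mismatch behind the Outlook prompt. The public name mail.example.com and the Test-NameCovered helper are assumptions, not anything from the thread.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# For every Client Access server it parses the host name out of
# AutoDiscoverServiceInternalUri and checks whether an IIS-bound certificate
# on that server covers that name. 'mail.example.com' is a placeholder for
# the public name that is really on the SAN certificate (assumption).

$publicHost = 'mail.example.com'   # assumption: name on the trusted certificate

function Test-NameCovered {
    # True if $Name is listed on the certificate, allowing a wildcard entry
    # such as *.example.com to cover mail.example.com (one label only).
    param([string]$Name, [string[]]$CertNames)
    foreach ($cn in $CertNames) {
        if ($cn -eq $Name) { return $true }
        if ($cn.StartsWith('*.') -and
            $Name -match ('^[^.]+\.' + [regex]::Escape($cn.Substring(2)) + '$')) { return $true }
    }
    return $false
}

$report = foreach ($cas in (Get-ExchangeServer | Get-ClientAccessServer)) {
    $uri     = $cas.AutoDiscoverServiceInternalUri
    $uriHost = if ($uri) { ([System.Uri]$uri).Host } else { $null }
    # Only certificates bound to IIS matter for the Outlook prompt; a stale
    # self-signed cert that is not serving HTTPS is irrelevant. A server with
    # its services stopped (like the 2013 box here) simply returns no names.
    $certNames = Get-ExchangeCertificate -Server $cas.Name -ErrorAction SilentlyContinue |
        Where-Object { $_.Services -match 'IIS' } |
        ForEach-Object { $_.CertificateDomains } |
        ForEach-Object { $_.ToString() }

    [pscustomobject]@{
        Server          = $cas.Name
        AutodiscoverUri = $uri
        UriHost         = $uriHost
        CertCoversHost  = ([bool]$uriHost -and (Test-NameCovered $uriHost $certNames))
        IsPublicName    = ($uriHost -eq $publicHost)
    }
}

$report | Format-Table -AutoSize

# A row with CertCoversHost or IsPublicName = False is a server whose
# Autodiscover SCP sends Outlook to a name the trusted certificate does not
# cover: that is the "name on the security certificate is invalid" prompt
# from the question. Repoint such servers (including a 2013 server that is
# still registered in AD) at the public name; drop -WhatIf to apply.
foreach ($row in ($report | Where-Object { -not $_.IsPublicName })) {
    Set-ClientAccessServer -Identity $row.Server -WhatIf `
        -AutoDiscoverServiceInternalUri "https://$publicHost/autodiscover/autodiscover.xml"
}
```

Outlook picks the SCP record of whichever server it finds in AD first, so a decommissioned server that is still listed with a stale URI keeps producing the prompt until it is repointed or uninstalled.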
MAS (MVE), Technical Department Head, commented:
Hi MichaelBalack,
Please check this article and make sure everything is configured as in the article.
https://www.experts-exchange.com/articles/31221/Fix-for-Exchange-server-2016-certificate-and-related-issues.html 

Thanks
MAS
Seth Simmons, Sr. Systems Administrator, commented:
why this outlook still look for this old server (for cert)?

Did you use the old cert on the new server? If so, that's why.
The name on the certificate identifies it as the old server but it is on the new server, so the name doesn't match.
You need to get a new cert that has the server name of the 2016 server to fix the issue.
MAS (MVE), Technical Department Head, commented:
You do not need the server name in the certificate since Exchange 2007 was released.
We can use the same certificate as the legacy server, import it on the new server and configure the same URLs on the virtual directories, except for an Exchange 2007 upgrade to a latest version.
MichaelBalack (Author) commented:
Hi Seth,

No, there is no old cert on the new server.

There is the new server name on the new cert on 2016.
MichaelBalack (Author) commented:
Todd,

2k13 is using a self-signed cert, whereas 2k16 is using a cert issued by MS Certificate Services. The two servers do not share the same cert.

Please see the results of the commands:

exch2k13:
autodiscoverserviceinternaluri:                 https://exch2k16.abc.local/autodiscover/autodiscover.xml

exch2k16:
autodiscoverserviceinternaluri:                 https://exch2k16.abc.local/autodiscover/autodiscover.xml

exch2k13 is using the FQDN of exch2k16. Shall I change the settings to the public host name?
MAS (MVE), Technical Department Head, commented:
-->exch2k13 is using fqdn of exch2k16. Shall I change the settings to public host name?
Yes please.

Please configure DNS as in the article and update the records to your public name, as explained in my article.
Todd Nelson, Systems Engineer, commented:
What are the names in the certificate?

Is "exch2k16.abc.local" listed in the certificate? You must use routable FQDNs because a private FQDN cannot be added to a public SAN certificate.

You should think about exporting the cert from the 2013 server and importing it into the 2016 server.  Also, did you recently change the URI on the 2013 server?
MichaelBalack (Author) commented:
Hi Todd,

Yes, the autodiscover URI was updated for exch2k13. However, all Exchange services on this server have been stopped and it is scheduled to be uninstalled this coming weekend.

Hi MAS,

Yes, I read through the whole article and updated the settings accordingly. Autodiscover and the other virtual directories have been updated to use the public host name.

Now, just wait and see whether the old cert error appears again.
MAS (MVE), Technical Department Head, commented:
@MichaelBalack
I would appreciate it if you update the thread.

MAS
MichaelBalack (Author) commented:
Hi all,

Now the exch2k13 server is already uninstalled and offline. No more old Exchange cert prompting. The main thing lies in the following PowerShell command:

Get-ExchangeServer | Get-ClientAccessServer | fl Identity,AutoDiscoverServiceInternalUri

If only the exch2k16 server is shown, then the old exch2k13 cert problem disappears.
MichaelBalack (Author) commented:
Thanks to Expert Todd for suggesting that command to check; this really works.
Question has a verified solution.