Exchange 2013 migration ramp-up

it_medcomp asked:
We are planning an Exchange upgrade next year. We are still in the early-planning stages, and have not decided on a version yet. We would probably just go with 2019. Also coming up for renewal is our public SAN cert that is used exclusively for email, so we may do it all at once. All of our mail users are internal employees, generally using domain-joined computers (and we can deal with the exceptions to this rule as needed). Do we need to buy an expensive SAN certificate for mail delivery, or can we switch to a private certificate? I would need to know the answer for Exchange 2013, 2016, and 2019. I appreciate any help!
MAS, EE Solution Guide - Technical Dept Head, Most Valuable Expert 2017
If you are an expert in Exchange you can install Exchange 2019 on Windows Core, as it is 3x faster than other versions.
If not, install Exchange 2016 with the latest CU update.
Unlike Exchange 2013, there are no separate roles; the only roles are Mailbox and Edge.

> Do we need to buy an expensive SAN certificate for mail delivery, or can we switch to a private certificate?
That completely depends on you. You can issue a certificate and create a group policy that will ignore the certificate error.
If your issue is budget, you can install Let's Encrypt, which is free, and automate the renewal.
I strongly recommend having a UCC SAN certificate.

Please check this to configure the Exchange 2016 SSL name requirement and configuration.

Use this to create a CSR easily.

Use this to count the mailboxes before migration

Use this to move mailboxes from Exchange 2013 to Exchange 2016/2019

Use this to configure database path and log folder path.
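A check for the SSL name requirement mentioned above, as an added example that is not from the thread or from Microsoft: run in the Exchange Management Shell on a 2013, 2016 or 2019 server, it gathers every hostname the server hands out to clients (Outlook Anywhere, EWS, OWA, ActiveSync, OAB, MAPI, Autodiscover SCP) and reports which are not covered by the SAN list of the certificate bound to IIS, whether that certificate is public or from an internal CA. The helper names Get-HostName and Test-SanCoverage are chosen for this example.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on an
# Exchange 2013/2016/2019 server. Lists the hostnames clients are told to connect to
# and checks each against the SAN list of the certificate bound to IIS.
# Get-HostName and Test-SanCoverage are helper names chosen for this example.

function Get-HostName([object]$Value) {
    # Accepts either a URL (virtual directory) or a bare hostname (Outlook Anywhere).
    if (-not $Value) { return $null }
    $s = "$Value"
    $u = $null
    if ([uri]::TryCreate($s, [UriKind]::Absolute, [ref]$u)) { return $u.Host.ToLower() }
    return $s.ToLower()
}

function Test-SanCoverage([string[]]$Hosts, [string[]]$SanNames) {
    foreach ($h in $Hosts) {
        $covered = $false
        foreach ($san in $SanNames) {
            if ($san.StartsWith('*.')) {
                # A wildcard covers exactly one label: *.contoso.com matches
                # mail.contoso.com but not autodiscover.corp.contoso.com.
                $suffix  = $san.Substring(1)
                $covered = $h.EndsWith($suffix) -and
                           ($h.Substring(0, $h.Length - $suffix.Length) -notmatch '\.')
            } else {
                $covered = ($h -eq $san)
            }
            if ($covered) { break }
        }
        [pscustomobject]@{ Host = $h; CoveredBySan = $covered }
    }
}

# 1. Gather every name handed out to clients.
$raw = @()
Get-OutlookAnywhere | ForEach-Object { $raw += $_.InternalHostname, $_.ExternalHostname }
foreach ($cmd in 'Get-WebServicesVirtualDirectory', 'Get-OwaVirtualDirectory',
                 'Get-ActiveSyncVirtualDirectory', 'Get-OabVirtualDirectory', 'Get-MapiVirtualDirectory') {
    & $cmd | ForEach-Object { $raw += $_.InternalUrl, $_.ExternalUrl }
}
# Autodiscover SCP: Get-ClientAccessService on 2016/2019, Get-ClientAccessServer on 2013.
$casCmd = if (Get-Command Get-ClientAccessService -ErrorAction SilentlyContinue) { 'Get-ClientAccessService' } else { 'Get-ClientAccessServer' }
& $casCmd | ForEach-Object { $raw += $_.AutoDiscoverServiceInternalUri }
$names = $raw | ForEach-Object { Get-HostName $_ } | Where-Object { $_ } | Sort-Object -Unique

# 2. Compare against the certificate that IIS (HTTPS) is actually serving.
$cert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
$san  = $cert.CertificateDomains | ForEach-Object { "$_".ToLower() }
"Certificate $($cert.Thumbprint) issued by $($cert.Issuer), expires $($cert.NotAfter)"
Test-SanCoverage -Hosts $names -SanNames $san | Format-Table -AutoSize
```

Any row with CoveredBySan = False is a name clients will get a certificate error on regardless of which CA issued the certificate; the Issuer line tells you whether non-domain devices (the mobile-client case raised later in the thread) will trust it at all.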
Saif Shaikh, Server engineer

Third-party certificate with multi SAN will suffice, i.e. and for Exchange 2013, 2016, and 2019.


Sure, I am an Exchange expert... I took the class and have the certificate, and I have managed an Exchange organization along with 52 other servers, so I must be an expert, right? All kidding aside, what degree of expertise are we talking about? The level where I can look at a hex dump and ask MS why they don't patch that method by name, or more of the overall understanding of the moving parts, or something in the middle?

All domain computers trust our internal CAs; will we have a certificate error to deal with?
Thanks again for the help!


@Saif Shaikh:
I already have a certificate with a public CA. I am trying to determine whether there is an actual need for a public cert, or if I can use an internally-generated one. I think I have the format down, just trying to figure out if I can use infrastructure already in place. Thanks though!
timgreen7077, Exchange Engineer, Distinguished Expert 2018
Yes, renew or purchase a new public SAN cert. It will make your life 100 times easier as opposed to using an internal CA and the complications that come with that. Also, it's what's recommended by Microsoft.

In regards to Exchange: if your Active Directory infrastructure is already in a supported state, by being hosted on Windows 2012 R2 Standard or Datacenter and higher, and with Windows Server 2012 R2 Active Directory forest functionality or higher, then I would suggest going with Exchange 2019. Exchange 2013, 2016, and 2019 can each co-exist with one another, so you can go either way, but if your AD infrastructure is already in a supported state go 2019; if not, then go 2016 or get your AD infrastructure supported.

Here is a link to help you with 2013 to 2019 if you go that way:
Amit, IT Architect, Distinguished Expert 2017

To answer your query in short, you need to keep a public certificate on your Exchange server, as there will be a lot of client-end tools which might be connecting via the public network, and they would fail if you don't have a public cert. Recently, one of my clients made this mistake: they changed it to a private cert and all BlackBerry devices stopped working. It took me and Microsoft 24 hours to find out the root cause; once the cert was changed back to public, everything started working. Hope that answers your query.


Thanks, everyone, for the responses. I tried to rate fairly, but there was a lot of very helpful information you all provided. I gave MAS the full rating because he provided a lot of information in addition to the core question. Saif Shaikh answered the core question as well. timgreen7077 provided an answer with some added advice, which was very helpful. Amit brought in the dimension I had not considered about mobile devices and the potential issues a privately-signed certificate could present.
Thanks to all for your help!
