asked on
Migration from Exchange server 2016 to Exchange server 2019. Clients and mobile devices are still connecting and authenticating to the old exchange 2016.
Migration from Exchange server 2016 to Exchange server 2019. Clients and mobile devices are still connecting and authenticating to the old exchange 2016.
All DNS entries have been updated to point to the new exchange server 2019.
Also HMA (oauth) is enabled with Exchange Server 2019 is in hybrid M365
I’m at a lost what am I missing.,,
ASKER
yes... it still look looks at the old mail server to authenticate
ASKER
I've gone through both articles and Virtual directories are point to there respective servers.
But I did notice that when using Outlook Email Auto configuration, both mail servers alternated in the results.
Also when I ran:
Get-IntraOrganizationConfiguration
I got this response:
WARNING: Please check that the Autodiscover endpoint of "https://ex16.domain.com/autodiscover/autodiscover.svc" is
correct and can be accessed externally. If it's incorrect or can't be accessed externally, use an existing Autodiscover
endpoint that can be accessed externally for the configuration of the intra-organization connector.
OnlineDiscoveryEndpoint :
OnlineTargetAddress :
OnPremiseTargetAddresses : {}
OnPremiseDiscoveryEndpoint : https://ex16.domain.com/autodiscover/autodiscover.svc
OnPremiseWebServiceEndpoint : https://ex16.domain.com/EWS/Exchange.asmx
DeploymentIsCompleteIOCReady : True
HasNonIOCReadyExchangeCASServerVersions : False
HasNonIOCReadyExchangeMailboxServerVersions : False
This is effectivity pointing to the old exchange 2016 server not the new 2019.
Update your AD based Service Connection Point (SCP):
# Check SCP:
Get-ClientAccessServer | fl name,AutoDiscoverServiceInternalUri
If it is correct then check the internal DNS A Record for the URL and make sure it's pointing to the new Exchange Server.
Set it:
# Set SCP:
Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://Mail.YourDomain.Com/autodiscover/autodiscover.xml
ASKER
This is what I get when I use:
Get-ClientAccessServer | fl name,AutoDiscoverServiceInternalUri
WARNING: The Get-ClientAccessServer cmdlet will be removed in a future version of Exchange. Use the
Get-ClientAccessService cmdlet instead. If you have any scripts that use the Get-ClientAccessServer cmdlet, update them
to use the Get-ClientAccessService cmdlet. For more information, see http://go.microsoft.com/fwlink/p/?LinkId=254711.
Name : EX16
AutoDiscoverServiceInternalUri : https://autodiscover.domain.com/Autodiscover/Autodiscover.xml
Name : EX19
AutoDiscoverServiceInternalUri : https://autodiscover.domain.com/Autodiscover/Autodiscover.xml
should I be using the server address rather than the Autodiscover address?
If this is a single instance of Exchange is the SSL certificate that is being used for IIS a SAN certificate? That is, does it have more than one common name associated with it?
If it doesn't then use the _TCP._AutoDiscover DNS method on the internet for devices to find Exchange on-premises.
From there, split the DNS internally so that the OWA/ECP URL that has a single common name SSL certificate associated with them to:
DNS A Record mail.domain.Com IP = Ex2019 Internal IP
Then, use the Set SCP PowerShell above to set the SCP to mail.domain.com.
We would set the SCP to the same URL as OWA/ECP anyway since there are a lot of different services mail clients need to access at that URL not just AutoDiscover.
ASKER
We have two servers in a co-existence, where we are migrating from exchange 2016 to 2019.
the arbitration, user and public folder mailboxes have been moved over to the mail exchange server 2019.
The certificate used is wildcard so both the internal names and external names are the same.
To be clear, you are suggesting to change SCP to the Exchange server 2019 domain name rather than the auto discover domain name?
With the wildcard no. The SCP can be the AutoDiscover.Domain.Com URI and there shouldn't be any certificate issues with the mail clients.
The DNS A IP should be Ex2019 internally.
ASKER
I didn’t see any certificate issues, but I’m getting oauth issues when clients connecting to the new server
What I’m see the clients are connecting to the old server and then proxy over to the new server.
When manually configurate iPhone to point to the new server it can connect from the firewall logs I see http 401 error.
Yet basic authentication works as expected
Not sure about that one. All of our clients are on-premises Exchange with no cloud connection so we've not needed to deploy OAUTH.
ASKER
Sorry I forgot to mention we are using hybrid with exchange online to make use of HMA and Conditional Access
ASKER
Everything is working as expected after the uninstall.
Thanks guys for your help on this.
Did you try with Outlook for mobile?
If not please try that.
https://play.google.com/store/apps/details?id=com.microsoft.office.outlook&hl=en&gl=US&pli=1
https://apps.apple.com/us/app/microsoft-outlook/id951937596