Link to home
Create AccountLog in
Avatar of SCL Admin
SCL AdminFlag for United Kingdom of Great Britain and Northern Ireland

asked on

Migration from Exchange server 2016 to Exchange server 2019. Clients and mobile devices are still connecting and authenticating to the old exchange 2016.

Migration from Exchange server 2016 to Exchange server 2019. Clients and mobile devices are still connecting and authenticating to the old exchange 2016.


All DNS entries have been updated to point to the new exchange server 2019. 


Also HMA (oauth) is enabled with Exchange Server 2019 is in hybrid M365


I’m at a lost what am I missing.,,


Avatar of M A S
M A S
Flag of United States of America image

Avatar of SCL Admin

ASKER

yes... it still look looks at the old mail server to authenticate 

I've gone through both articles and Virtual directories are point to there respective servers. 


But I did notice that when using Outlook Email Auto configuration, both mail servers alternated in the results.


Also when I ran: 


Get-IntraOrganizationConfiguration


I got this response:


WARNING: Please check that the Autodiscover endpoint of "https://ex16.domain.com/autodiscover/autodiscover.svc" is

correct and can be accessed externally. If it's incorrect or can't be accessed externally, use an existing Autodiscover

 endpoint that can be accessed externally for the configuration of the intra-organization connector.



OnlineDiscoveryEndpoint                     :

OnlineTargetAddress                         :

OnPremiseTargetAddresses                    : {}

OnPremiseDiscoveryEndpoint                  : https://ex16.domain.com/autodiscover/autodiscover.svc

OnPremiseWebServiceEndpoint                 : https://ex16.domain.com/EWS/Exchange.asmx

DeploymentIsCompleteIOCReady                : True

HasNonIOCReadyExchangeCASServerVersions     : False

HasNonIOCReadyExchangeMailboxServerVersions : False


This is effectivity pointing to the old exchange 2016 server not the new 2019.



 

Update your AD based Service Connection Point (SCP):

# Check SCP:
Get-ClientAccessServer | fl name,AutoDiscoverServiceInternalUri

Open in new window

If it is correct then check the internal DNS A Record for the URL and make sure it's pointing to the new Exchange Server.


Set it:

# Set SCP:

Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://Mail.YourDomain.Com/autodiscover/autodiscover.xml

Open in new window


This is what I get when I use:


Get-ClientAccessServer | fl name,AutoDiscoverServiceInternalUri


WARNING:  The Get-ClientAccessServer cmdlet will be removed in a future version of Exchange. Use the
Get-ClientAccessService cmdlet instead. If you have any scripts that use the Get-ClientAccessServer cmdlet, update them
 to use the Get-ClientAccessService cmdlet.  For more information, see http://go.microsoft.com/fwlink/p/?LinkId=254711.




Name                           : EX16
AutoDiscoverServiceInternalUri : https://autodiscover.domain.com/Autodiscover/Autodiscover.xml


Name                           : EX19
AutoDiscoverServiceInternalUri : https://autodiscover.domain.com/Autodiscover/Autodiscover.xml

Open in new window

should I be using the server address rather than the Autodiscover address?

If this is a single instance of Exchange is the SSL certificate that is being used for IIS a SAN certificate? That is, does it have more than one common name associated with it?


If it doesn't then use the _TCP._AutoDiscover DNS method on the internet for devices to find Exchange on-premises.


From there, split the DNS internally so that the OWA/ECP URL that has a single common name SSL certificate associated with them to:

DNS A Record mail.domain.Com IP = Ex2019 Internal IP


Then, use the Set SCP PowerShell above to set the SCP to mail.domain.com.


We would set the SCP to the same URL as OWA/ECP anyway since there are a lot of different services mail clients need to access at that URL not just AutoDiscover.

We have two servers in a co-existence, where we are migrating from exchange 2016 to 2019. 


 the arbitration, user and public folder mailboxes have been moved over to the mail exchange server 2019.


The certificate used is wildcard so both the internal names and external names are the same.


To be clear, you are suggesting to change SCP to the Exchange server 2019 domain name rather than the auto discover domain name?

With the wildcard no. The SCP can be the AutoDiscover.Domain.Com URI and there shouldn't be any certificate issues with the mail clients.


The DNS A IP should be Ex2019 internally.

I didn’t see any certificate issues, but I’m getting oauth issues when clients connecting to the new server


What I’m see the clients are connecting to the old server and then proxy over to the new server.


When manually configurate iPhone to point to the new server it can connect from the firewall logs I see http 401 error.


Yet basic authentication works as expected 



Not sure about that one. All of our clients are on-premises Exchange with no cloud connection so we've not needed to deploy OAUTH.

Sorry I forgot to mention we are using hybrid with exchange online to make use of HMA and Conditional Access

ASKER CERTIFIED SOLUTION
Avatar of SCL Admin
SCL Admin
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer

Everything is working as expected after the uninstall.


Thanks guys for your help on this.