New Exchange server installation in a new site/DC

GoodResource 306 Reputation points
2020-12-21T15:44:06.79+00:00

Hi,

I am doing a project of Exchange 2013 migration to a new DC/site in the same forest/organization. So we have built 2 new Exchange 2013 servers in the new site. All okay, but I am seeing that the Microsoft Exchange Server Auth Certificate is missing on both of the new Exchange servers. The servers already in the old site have got the cert, with the SMTP service assigned to it. I have tested creating test mailboxes on the new Exchange server DB and did some mail flow testing internally, and it worked. Will there be any issues having the cert missing on the new servers? I didn't find any error while installing Exchange 2013 on those two new servers.

Exchange | Exchange Server | Management

Accepted answer
  1. Andy David - MVP 157.9K Reputation points MVP Volunteer Moderator
    2020-12-21T15:50:17.87+00:00

    Exchange will eventually replicate the existing self-signed cert to the new servers.
    Just give it a few days. If you don't see it after that, do an iisreset and/or reboot the new servers and wait some more.

    If the certificates aren't replicating, that tells me you are blocking firewall ports between these sites, which isn't supported for Exchange servers:

    https://learn.microsoft.com/en-us/exchange/plan-and-deploy/deployment-ref/network-ports?view=exchserver-2019

    We do not support restricting or altering network traffic between internal Exchange servers, between internal Exchange servers and internal Lync or Skype for Business servers, or between internal Exchange servers and internal Active Directory domain controllers in any and all types of topologies. If you have firewalls or network devices that could potentially restrict or alter this kind of internal network traffic, you need to configure rules that allow free and unrestricted communication between these servers: rules that allow incoming and outgoing network traffic on any port (including random RPC ports) and any protocol that never alter bits on the wire.
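The check behind this answer, as an added example that is not part of the original thread: from the Exchange Management Shell, read the thumbprint the organization's AuthConfig points at and report which Exchange servers actually hold that certificate (with its private key), then probe a few well-known ports toward one new-site server. The server name `NEWEX01` and the port list are placeholders; the documented requirement is unrestricted traffic on any port, so the probe only demonstrates that something is being filtered, not that these are the only ports that matter.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# 1. Which servers hold the OAuth auth certificate named in the AuthConfig?
$authConfig = Get-AuthConfig
$thumb = $authConfig.CurrentCertificateThumbprint
Write-Host "AuthConfig current certificate thumbprint: $thumb"

Get-ExchangeServer | ForEach-Object {
    $srv  = $_.Name
    $cert = Get-ExchangeCertificate -Server $srv -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $thumb }
    [pscustomobject]@{
        Server        = $srv
        Site          = $_.Site          # AD site, so old-site vs new-site servers are obvious
        HasAuthCert   = [bool]$cert
        HasPrivateKey = if ($cert) { $cert.HasPrivateKey } else { $null }
        NotAfter      = if ($cert) { $cert.NotAfter } else { $null }
    }
} | Format-Table -AutoSize

# 2. Quick reachability probe from this server toward a new-site server.
#    Placeholder name and an illustrative port list (SMTP, RPC endpoint mapper, HTTPS);
#    Exchange needs every port open between its servers, so one failure here is enough
#    to confirm that inter-site traffic is being restricted.
$newServer = 'NEWEX01'
foreach ($port in 25, 135, 443) {
    Test-NetConnection -ComputerName $newServer -Port $port -WarningAction SilentlyContinue |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}
```

A server that shows `HasAuthCert = True` but `HasPrivateKey = False` cannot sign OAuth tokens either, so treat it the same as a missing certificate.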


1 additional answer

  1. Lucas Liu-MSFT 6,191 Reputation points
    2020-12-22T06:00:26.917+00:00

    Hi @GoodResource ,
    According to my research and test, the Microsoft Exchange Server Auth Certificate is one of the certificates that comes with the installation of Exchange and is used for server-to-server authentication and integration by using OAuth. So this certificate is indispensable; when I removed this certificate from my Exchange server, some functions of Exchange were abnormal.
    Please run the following command to confirm whether the certificate is really authentic:

    Get-ExchangeCertificate | fl  
    

    If your Exchange is functioning normally, you can observe it for a period of time as Andy said. You can also run the following command line to export the existing Microsoft Exchange server Auth Cert, and then import it to the server that lacks the certificate:

    Export-ExchangeCertificate -Thumbprint <Thumbprint> -FileName "<FilePathOrUNCPath>\<FileName>.pfx" -BinaryEncoded -Password (ConvertTo-SecureString -String '<Password>' -AsPlainText -Force) [-Server <ServerIdentity>]
    Import-ExchangeCertificate -FileName "<FilePathOrUNCPath>\<FileName>" -Password (ConvertTo-SecureString -String '<Password>' -AsPlainText -Force) [-PrivateKeyExportable <$true | $false>] [-Server <ServerIdentity>]
    

    For more detailed steps, you can refer to: Export a certificate from an Exchange server and Import or install a certificate on an Exchange server.

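The export/import procedure above carried through end to end, as an added example that is not part of the original thread. It copies the auth certificate from a server that has it to the servers that do not, verifies the result on each target, and removes the PFX afterwards. Server names (`OLDEX01`, `NEWEX01`, `NEWEX02`) and the share path are placeholders. It uses the byte-array `FileData` form of the export/import cmdlets, which works on Exchange 2013, instead of the `-FileName` shorthand shown in the answer. Because the PFX holds the private key every server uses to sign OAuth tokens, the password is prompted for rather than written into the script, the file goes on an admin-only share, and it is deleted as soon as the import is confirmed.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
$source  = 'OLDEX01'                          # placeholder: old-site server that has the cert
$targets = 'NEWEX01', 'NEWEX02'               # placeholder: new-site servers missing it
$pfxPath = '\\OLDEX01\C$\Temp\authcert.pfx'   # placeholder: admin-only location reachable from this shell
$pfxPass = Read-Host -AsSecureString -Prompt 'PFX password'   # never hard-code it

# Export exactly the certificate the AuthConfig points at, with its private key (PFX).
$thumb  = (Get-AuthConfig).CurrentCertificateThumbprint
$export = Export-ExchangeCertificate -Server $source -Thumbprint $thumb -BinaryEncoded -Password $pfxPass
Set-Content -Path $pfxPath -Value $export.FileData -Encoding Byte

try {
    foreach ($srv in $targets) {
        # Skip servers that already got the certificate by replication in the meantime.
        if (Get-ExchangeCertificate -Server $srv -Thumbprint $thumb -ErrorAction SilentlyContinue) {
            Write-Host "$srv already has $thumb, skipping"
            continue
        }

        Import-ExchangeCertificate -Server $srv -Password $pfxPass -PrivateKeyExportable $true `
            -FileData ([byte[]](Get-Content -Path $pfxPath -Encoding Byte -ReadCount 0))

        # Verify: the cert must be present with its private key on the target.
        $c = Get-ExchangeCertificate -Server $srv -Thumbprint $thumb
        if (-not $c.HasPrivateKey) { throw "$srv imported $thumb without a private key" }
        Write-Host ("{0}: imported, NotAfter={1}, Services={2}" -f $srv, $c.NotAfter, $c.Services)
    }
}
finally {
    # The PFX is a copy of the organization's OAuth signing key; do not leave it on a share.
    Remove-Item -Path $pfxPath -Force -ErrorAction SilentlyContinue
}
```

After the import, `Services` on the new servers may differ from what the old-site servers show; the question notes SMTP is assigned there, and `Enable-ExchangeCertificate -Server <Server> -Thumbprint <Thumbprint> -Services SMTP` assigns it if you want the servers to match. Re-run the per-server report from the first answer afterwards to confirm every server in both sites now holds the same thumbprint.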

