Certificate issue during Exchange 2013/2016 migration

dss ds 531 Reputation points
2022-07-27T22:25:42.313+00:00

We have installed Exchange 2013 and 2016 in the same AD/same forest.

The certificate name and computer name match, so there is no cert warning when users launch Outlook and connect. However, the certificate warning DOES appear on Exchange 2016, because the name on the PC now does not match...

and it can't match with two servers on the same network during migration.

If the name can be changed (not advisable), that won't work either, as you'd have downtime while all mailboxes are moved across and the old server is shut down, all just to change the name so there is no mismatch error.

What's the best way around this? Must he have a new cert from the CA? Or can the computer name be changed in such a way that it will not break anything? Others would be in the same boat, so either they somehow transfer the CA cert, or they all get a new cert, e.g. mail2 instead of mail.

Exchange | Exchange Server | Management

Accepted answer
  1. Andy David - MVP 157.9K Reputation points MVP Volunteer Moderator
    2022-07-30T13:12:55.82+00:00

    If all the servers are in a load-balanced pool, then they all use the same certificate, and the client virtual directories and Autodiscover SCP are all set to the same FQDNs to match the subject names in the cert.
    If they are not in the same pool, then each server needs a trusted certificate that matches the unique client virtual directory FQDNs and Autodiscover SCP that are set for the subject names.

    That's it really.

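The accepted answer's point is that the warning comes from the URLs a server hands to clients, not from the computer name: if every client endpoint (virtual directory URLs, Outlook Anywhere hostnames, Autodiscover SCP) on the new server advertises the namespace that the certificate covers, the computer name can be mail2 and Outlook will never see it. The script below is an added example, not code from this thread or from Microsoft; it is meant to run in the Exchange Management Shell on the Exchange 2016 server and it assumes the shared namespace is mail.example.com / autodiscover.example.com (the placeholder names used later in the thread) and a hypothetical PFX path. It first reports every advertised hostname the IIS-bound certificate does not cover, and only rewrites the endpoints when $Apply is set to $true.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Assumptions: shared namespace below, hypothetical PFX path; $Apply = $false
# makes the script report-only.
$Server    = $env:COMPUTERNAME
$Namespace = 'mail.example.com'            # assumed shared client namespace
$AutoDisc  = 'autodiscover.example.com'    # assumed Autodiscover name
$PfxPath   = 'C:\certs\mail.pfx'           # hypothetical, exported from the 2013 box
$Apply     = $false

# 1. Which certificate is bound to IIS on this server, and which names does it cover?
$cert = Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Services -match 'IIS' } |
    Select-Object -First 1
$certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
"IIS certificate $($cert.Thumbprint) covers: $($certNames -join ', ')"

# 2. Collect every URL/hostname this server tells clients to use.
$urls = @()
foreach ($vd in @(
        (Get-OwaVirtualDirectory         -Server $Server),
        (Get-EcpVirtualDirectory         -Server $Server),
        (Get-WebServicesVirtualDirectory -Server $Server),
        (Get-ActiveSyncVirtualDirectory  -Server $Server),
        (Get-OabVirtualDirectory         -Server $Server),
        (Get-MapiVirtualDirectory        -Server $Server))) {
    $urls += $vd.InternalUrl, $vd.ExternalUrl
}
$oa = Get-OutlookAnywhere -Server $Server
$urls += "https://$($oa.InternalHostname)/", "https://$($oa.ExternalHostname)/"
# Exchange 2016 cmdlet; on Exchange 2013 use Get-ClientAccessServer instead.
$urls += (Get-ClientAccessService -Identity $Server).AutoDiscoverServiceInternalUri

# 3. Report any advertised hostname the certificate does not cover.
#    A '*.example.com' SAN is treated as a PowerShell wildcard, so it matches
#    mail.example.com and mail2.example.com alike.
$hosts = $urls | Where-Object { $_ } | ForEach-Object { ([uri]$_).Host } | Sort-Object -Unique
foreach ($h in $hosts) {
    $covered = $certNames | Where-Object { $h -like $_ }
    if ($covered) { "OK       $h" } else { "MISMATCH $h (not in certificate)" }
}

# 4. Fix: advertise the shared namespace on this server and bind the certificate.
if ($Apply) {
    $base = "https://$Namespace"
    # CU21+ removed file-path input; -FileData takes the raw PFX bytes (see the KB
    # linked later in the thread). Password prompt is for the PFX.
    $pfxPassword = (Get-Credential -Message 'PFX password (user name ignored)').Password
    $imported = Import-ExchangeCertificate -Server $Server `
        -FileData ([System.IO.File]::ReadAllBytes($PfxPath)) -Password $pfxPassword
    Enable-ExchangeCertificate -Server $Server -Thumbprint $imported.Thumbprint -Services IIS

    Get-OwaVirtualDirectory -Server $Server |
        Set-OwaVirtualDirectory -InternalUrl "$base/owa" -ExternalUrl "$base/owa"
    Get-EcpVirtualDirectory -Server $Server |
        Set-EcpVirtualDirectory -InternalUrl "$base/ecp" -ExternalUrl "$base/ecp"
    Get-WebServicesVirtualDirectory -Server $Server |
        Set-WebServicesVirtualDirectory -InternalUrl "$base/EWS/Exchange.asmx" -ExternalUrl "$base/EWS/Exchange.asmx"
    Get-ActiveSyncVirtualDirectory -Server $Server |
        Set-ActiveSyncVirtualDirectory -InternalUrl "$base/Microsoft-Server-ActiveSync" -ExternalUrl "$base/Microsoft-Server-ActiveSync"
    Get-OabVirtualDirectory -Server $Server |
        Set-OabVirtualDirectory -InternalUrl "$base/OAB" -ExternalUrl "$base/OAB"
    Get-MapiVirtualDirectory -Server $Server |
        Set-MapiVirtualDirectory -InternalUrl "$base/mapi" -ExternalUrl "$base/mapi"
    Get-OutlookAnywhere -Server $Server |
        Set-OutlookAnywhere -InternalHostname $Namespace -ExternalHostname $Namespace `
            -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true `
            -DefaultAuthenticationMethod Negotiate
    Set-ClientAccessService -Identity $Server `
        -AutoDiscoverServiceInternalUri "https://$AutoDisc/Autodiscover/Autodiscover.xml"
    "Endpoints on $Server now advertise $Namespace; re-run with `$Apply = `$false to verify."
}
```

Run it report-only first on both servers: the 2013 box should show every hostname as OK, and a freshly installed 2016 box will list its own FQDN (mail2.example.com in the thread's naming) as MISMATCH because setup seeds the virtual directories with the server name. After the apply step, DNS or the load balancer decides which server answers for mail.example.com; the name on either server's certificate still matches what clients are told to connect to, which is the condition the accepted answer describes.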

3 additional answers

  1. dss ds 531 Reputation points
    2022-07-28T07:39:49.137+00:00

    Microsoft removed CA in CU21 and above:
    https://support.microsoft.com/en-gb/topic/changes-in-exchange-server-powershell-cmdlets-and-exchange-admin-center-for-unc-path-inputs-kb5014278-36af1640-4389-4ff1-b805-d1d63715a0dd

    I'm using CU23, so the only option via the EAC is "Create self-signed"; the complete CA import/export or renew is all done by PowerShell only.

    However, I'm fine with that.

    The issue, though, is if the server name is mail
    and on the cert it's: mail.domain.com

    Server 2 (Exchange 2016) cannot use mail, as it's already in use; therefore when you import the cert it will be wrong.

    Server 2 will be unique: mail2, while the SSL cert remains as mail.

    Thus you will always get a mismatch.

    Is this avoidable at all without needing a new cert?

    For the record: the Exchange 2 name is unique because BOTH servers (2013 and 2016) cannot have the same name on the network, and since both servers must be up for migration of mailboxes, I do not see a way around this other than breaking something.

    Please confirm.


  2. Amit Singh 5,306 Reputation points
    2022-07-28T10:52:28.5+00:00

    Check the app pool for recycling.

    Check this article for help: https://community.spiceworks.com/how_to/170553-exchange-migration-checklist-and-guide


  3. dss ds 531 Reputation points
    2022-07-30T02:03:22.527+00:00

    It's fine saying "move over the original cert", but that's not the point. It will no longer be trusted.

    And that nullifies the point of moving it. If you have to trust it again (due to the mismatch), it's basically a new cert anyway, isn't it?

    On the old box it would be OK, because it has the same name as that of the cert:

    mail.example.com
    new box: mail2.example.com

    Since moving over the cert will keep mail.example.com, users will get a certificate warning when opening their favorite mail client. Thus, I think a new cert is the only way to go...

    Am I correct?
    I thought there would be a way to move AND keep trust, but it's not possible.


