SSL Certificate warning during or after Exchange server setup

When installing a new Exchange server (2013/2016/2019) in an existing environment, Microsoft recommends installing the new server in a separate Active Directory site, configuring it there, and then moving it to its production Active Directory site.

The reason for this is Outlook and the Service Connection Point (SCP) in Active Directory. Somewhere during the installation process a new SCP is created in Active Directory, but when it is created it is not configured and points to the FQDN of the Exchange server instead of the more general Autodiscover.contoso.com/Autodiscover/Autodiscover.xml URL. When an Outlook client accidentally discovers this unconfigured SCP, it will try to connect to the new server instead of the Autodiscover FQDN, which results in a certificate warning message.

To avoid this, the SCP should be configured as soon as it is created in Active Directory (which happens during setup itself).

Tony Murray, also an MVP, has written a PowerShell script (Set-AutodiscoverSCPValue.ps1) that checks for the existence of the Exchange server object in Active Directory, and as soon as the Exchange setup application creates it, the script immediately sets the correct Autodiscover value in its SCP.

When you run the script, it checks every 5 seconds (the interval is configurable) for the newly created server object, and when it finds it, it sets the correct value.

From this moment on, Outlook clients can safely discover this SCP record. They will automatically be connected to the correct Autodiscover URL, and therefore the SSL certificate warning will not appear (assuming the original servers are configured correctly, of course).

More information and download – https://gallery.technet.microsoft.com/office/set-autodiscoverserviceinte-3930e163
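
The poll-and-set approach described above, as an added example written for this page; it is not Set-AutodiscoverSCPValue.ps1 or any code by Tony Murray. It assumes the ActiveDirectory RSAT module is installed, and the parameter names and the two-hour timeout are hypothetical choices.

```powershell
# Added example (not the gallery script). Assumes the ActiveDirectory module (RSAT).
param(
    # Restricted to NetBIOS-safe characters so the value cannot alter the LDAP filter below
    [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9-]{1,15}$')] [string] $ServerName,
    # e.g. https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml
    [Parameter(Mandatory)] [string] $AutodiscoverUri,
    [int] $IntervalSeconds = 5,      # polling interval, as in the description above
    [int] $TimeoutMinutes  = 120     # hypothetical upper bound so the loop cannot run forever
)

Import-Module ActiveDirectory -ErrorAction Stop

# Refuse anything that is not an absolute https URL before it is written to the directory
$parsed = $null
if (-not [Uri]::TryCreate($AutodiscoverUri, [UriKind]::Absolute, [ref]$parsed) -or
    $parsed.Scheme -ne 'https') {
    throw "AutodiscoverUri must be an absolute https URL: $AutodiscoverUri"
}

# Autodiscover SCPs live in the Configuration partition as serviceConnectionPoint
# objects tagged with this well-known keyword GUID; the CN is the server name.
$configNC = (Get-ADRootDSE).configurationNamingContext
$filter   = "(&(objectClass=serviceConnectionPoint)" +
            "(keywords=77378F46-2C66-4aa9-A6A6-3E7A48B19596)(cn=$ServerName))"
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)

while ((Get-Date) -lt $deadline) {
    $scp = Get-ADObject -SearchBase $configNC -LDAPFilter $filter `
                        -Properties serviceBindingInformation
    if ($scp) {
        foreach ($o in @($scp)) {
            $current = @($o.serviceBindingInformation) -join ','
            if ($current -ne $AutodiscoverUri) {
                # Overwrite the server-FQDN value that setup wrote
                Set-ADObject -Identity $o.DistinguishedName `
                             -Replace @{ serviceBindingInformation = $AutodiscoverUri }
            }
            # Read back from the directory to confirm the stored value
            $check = Get-ADObject -Identity $o.DistinguishedName -Properties serviceBindingInformation
            Write-Output ("{0}: was '{1}', now '{2}'" -f $o.DistinguishedName, $current,
                          (@($check.serviceBindingInformation) -join ','))
        }
        return
    }
    Start-Sleep -Seconds $IntervalSeconds
}
Write-Warning "No Autodiscover SCP for $ServerName appeared within $TimeoutMinutes minutes."
```

Start it before launching Exchange setup, under an account that has write access to the Configuration partition.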

Installing Exchange 2013 – Part I

Exchange Server 2013 consists of two server roles, the Mailbox Server (sometimes referred to as the back-end) and the Client Access Server (sometimes referred to as the front-end). All clients connect to the CAS Server and the CAS Server proxies the request to the appropriate mailbox server.

It is possible to install the server roles on dedicated servers: multiple Exchange 2013 CAS servers with a hardware load balancer and multiple Exchange 2013 Mailbox servers with a Database Availability Group. This is the preferred way for large companies with lots of mailboxes, lots of servers and maybe multiple (global) datacenters. To be honest, this is what Exchange 2013 is designed for. But it is also possible for smaller organizations to install just two Exchange 2013 servers with both roles on them, a DAG for mailbox resiliency and hardware or software load balancers for protocol resiliency.