Outlook clients are trying to connect to a new server

Question

I have just installed Exchange 2019 in an organization where several Exchange 2016 servers have already been installed. I did not take any steps after installation on the new server.

However, some users started complaining about the appearance of an error message in Outlook:

There is a problem with proxy server’s security certificate.
The security certificate is not from a trusted certifying authority.
Outlook is unable to connect to server The security certificate is not from a trusted certifying authority.(Error code 8)

How can I make sure that clients do not connect to the new server until all the necessary post-installation steps are completed?

Answer 1

Hi @Михаил Андросов,

Welcome to the Microsoft Q&A platform!

Based on your description, it sounds like your new Exchange 2019 server has become visible to clients before you completed the necessary post-installation steps, including securing your SSL certificates.

Here are some steps you can take to ensure clients do not connect to the new server until you're ready:

1. Putting the new server into maintenance mode will prevent clients from being proxied to it. You can follow the steps to do this:

• Open the Exchange Management Shell on the new Exchange 2019 server.
• Run the following commands:

Set-ServerComponentState -Identity "ServerName" -Component HubTransport -State Draining -Requester Maintenance 
Set-ServerComponentState -Identity "ServerName" -Component FrontendTransport -State Draining -Requester Maintenance 
Set-ServerComponentState -Identity "ServerName" -Component ActiveSync -State Inactive -Requester Maintenance 
Set-ServerComponentState -Identity "ServerName" -Component Owa -State Inactive -Requester Maintenance 
Set-ServerComponentState -Identity "ServerName" -Component UMCallRouter -State Inactive -Requester Maintenance 
Set-ServerComponentState -Identity "ServerName" -Component EAS -State Inactive -Requester Maintenance 
Set-ServerComponentState -Identity "ServerName" -Component OAB -State Inactive -Requester Maintenance 

2. Make sure you have appropriate SSL certificates installed and configured on the new server.

• Obtain a valid SSL certificate from a trusted certification authority (CA).
• Install the SSL certificate on the new server.
• Assign the services to the certificate (e.g., IIS, SMTP) using the Exchange Management Shell:

Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Services "IIS, SMTP" 

3. Ensure that the URLs for services (like OWA, EWS, etc.) are correctly configured and point to the correct endpoints.

To verify and set the URLs, use the Exchange Management Shell:

• Check the current URLs with:

Get-ClientAccessService | FL Name,*URL

• Set the URLs if necessary:

Set-ClientAccessService -Identity "ServerName" -AutoDiscoverServiceInternalUri https://autodiscover.yourdomain.com/autodiscover/autodiscover.xml 
Set-WebServicesVirtualDirectory -Identity "ServerName\EWS (Default Web Site)" -InternalUrl https://mail.yourdomain.com/EWS/Exchange.asmx -ExternalUrl https://mail.yourdomain.com/EWS/Exchange.asmx 
Set-OwaVirtualDirectory -Identity "ServerName\owa (Default Web Site)" -InternalUrl https://mail.yourdomain.com/owa -ExternalUrl https://mail.yourdomain.com/owa 

4. Ensure DNS records (like Autodiscover and mail) are not pointing to the new server until it is fully ready.
5. Use tools like the Exchange Remote Connectivity Analyzer (exrca.com) to test connectivity and ensure there are no certificate or URL configuration issues.

Once all configurations and verifications are complete, remove the server from maintenance mode:

Set-ServerComponentState -Identity "ServerName" -Component HubTransport -State Active -Requester Maintenance 
Set-ServerComponentState -Identity "ServerName" -Component FrontendTransport -State Active -Requester Maintenance 
Set-ServerComponentState -Identity "ServerName" -Component ActiveSync -State Active -Requester Maintenance 
Set-ServerComponentState -Identity "ServerName" -Component Owa -State Active -Requester Maintenance 
Set-ServerComponentState -Identity "ServerName" -Component UMCallRouter -State Active -Requester Maintenance 
Set-ServerComponentState -Identity "ServerName" -Component EAS -State Active -Requester Maintenance 
Set-ServerComponentState -Identity "ServerName" -Component OAB -State Active -Requester Maintenance 

By following these steps, you can ensure that clients do not connect to the new server prematurely and that once they do, they will have a smooth and secure experience.

---

Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.

Best,

Jake Zhang

Answer 2

hy Михаил Андросов, To prevent clients from connecting to the new Exchange 2019 server until post-installation steps are completed, follow these steps:

1. Disable proxy services: Run the following command in the Exchange Management Shell on the new server:

Set-ServerComponentState -Identity <ServerName> -Component HubTransport -State Draining -Requester Functional

Set-ServerComponentState -Identity <ServerName> -Component UMCallRouter -State Draining -Requester Functional

This will disable proxy services, preventing clients from connecting to the new server.

1. Set the server as inactive: Run the following command:

Set-ExchangeServer -Identity <ServerName> -IsInactive $true

This will mark the server as inactive, preventing it from being used by clients.

1. Complete post-installation steps: Perform all necessary post-installation tasks, such as configuring certificates, updating DNS records, and moving mailboxes.
2. *Re-enable proxy services and activate the

[13/09, 12:03 am] Meta AI: To prevent clients from connecting to the new Exchange 2019 server until post-installation steps are completed, follow these steps:

1. Disable proxy services: Run the following command in the Exchange Management Shell on the new server:

Set-ServerComponentState -Identity <ServerName> -Component HubTransport -State Draining -Requester Functional

Set-ServerComponentState -Identity <ServerName> -Component UMCallRouter -State Draining -Requester Functional

This will disable proxy services, preventing clients from connecting to the new server.

1. Set the server as inactive: Run the following command:

Set-ExchangeServer -Identity <ServerName> -IsInactive $true

This will mark the server as inactive, preventing it from being used by clients.

1. Complete post-installation steps: Perform all necessary post-installation tasks, such as configuring certificates, updating DNS records, and moving mailboxes.
2. Re-enable proxy services and activate the server: Once post-installation steps are complete, re-enable proxy services and activate the server using the following commands:

Set-ServerComponentState -Identity <ServerName> -Component HubTransport -State Active -Requester Functional

Set-ServerComponentState -Identity <ServerName> -Component UMCallRouter -State Active -Requester Functional

Set-ExchangeServer -Identity <ServerName> -IsInactive $false

This will allow clients to connect to the new server.

Remember to replace <ServerName> with your actual server name.

Answer 3

Hi!

I have nothing to add to what has been said. I have already written that after using these commands, users continued to try to connect to the server. Therefore, I have completed all the post-installation steps. Now the work of users has returned to normal.