Hi @Михаил Андросов,
Welcome to the Microsoft Q&A platform!
Based on your description, it sounds like your new Exchange 2019 server has become visible to clients before you completed the necessary post-installation steps, including securing your SSL certificates.
Here are some steps you can take to ensure clients do not connect to the new server until you're ready:
- Putting the new server into maintenance mode will prevent clients from being proxied to it. You can follow the steps to do this:
  - Open the Exchange Management Shell on the new Exchange 2019 server.
  - Run the following commands:
      Set-ServerComponentState -Identity "ServerName" -Component HubTransport -State Draining -Requester Maintenance
      Set-ServerComponentState -Identity "ServerName" -Component FrontendTransport -State Draining -Requester Maintenance
      Set-ServerComponentState -Identity "ServerName" -Component ActiveSync -State Inactive -Requester Maintenance
      Set-ServerComponentState -Identity "ServerName" -Component Owa -State Inactive -Requester Maintenance
      Set-ServerComponentState -Identity "ServerName" -Component UMCallRouter -State Inactive -Requester Maintenance
      Set-ServerComponentState -Identity "ServerName" -Component EAS -State Inactive -Requester Maintenance
      Set-ServerComponentState -Identity "ServerName" -Component OAB -State Inactive -Requester Maintenance
- Make sure you have appropriate SSL certificates installed and configured on the new server.
  - Obtain a valid SSL certificate from a trusted certification authority (CA).
  - Install the SSL certificate on the new server.
  - Assign the services to the certificate (e.g., IIS, SMTP) using the Exchange Management Shell:
      Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Services "IIS, SMTP"
- Ensure that the URLs for services (like OWA, EWS, etc.) are correctly configured and point to the correct endpoints. To verify and set the URLs, use the Exchange Management Shell:
  - Check the current URLs with:
      Get-ClientAccessService | FL Name,*URL
  - Set the URLs if necessary:
      Set-ClientAccessService -Identity "ServerName" -AutoDiscoverServiceInternalUri https://autodiscover.yourdomain.com/autodiscover/autodiscover.xml
      Set-WebServicesVirtualDirectory -Identity "ServerName\EWS (Default Web Site)" -InternalUrl https://mail.yourdomain.com/EWS/Exchange.asmx -ExternalUrl https://mail.yourdomain.com/EWS/Exchange.asmx
      Set-OwaVirtualDirectory -Identity "ServerName\owa (Default Web Site)" -InternalUrl https://mail.yourdomain.com/owa -ExternalUrl https://mail.yourdomain.com/owa
- Ensure DNS records (like Autodiscover and mail) are not pointing to the new server until it is fully ready.
- Use tools like the Exchange Remote Connectivity Analyzer (exrca.com) to test connectivity and ensure there are no certificate or URL configuration issues.
Once all configurations and verifications are complete, remove the server from maintenance mode:
    Set-ServerComponentState -Identity "ServerName" -Component HubTransport -State Active -Requester Maintenance
    Set-ServerComponentState -Identity "ServerName" -Component FrontendTransport -State Active -Requester Maintenance
    Set-ServerComponentState -Identity "ServerName" -Component ActiveSync -State Active -Requester Maintenance
    Set-ServerComponentState -Identity "ServerName" -Component Owa -State Active -Requester Maintenance
    Set-ServerComponentState -Identity "ServerName" -Component UMCallRouter -State Active -Requester Maintenance
    Set-ServerComponentState -Identity "ServerName" -Component EAS -State Active -Requester Maintenance
    Set-ServerComponentState -Identity "ServerName" -Component OAB -State Active -Requester Maintenance
By following these steps, you can ensure that clients do not connect to the new server prematurely and that once they do, they will have a smooth and secure experience.
Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.
Best,
Jake Zhang
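
A read-only pre-activation check for the procedure in the answer above, added here as an example and not part of the original answer: it confirms that the certificate bound to IIS covers every host name in the configured Autodiscover, OWA and EWS URLs, and lists the components the server itself reports as not yet Active. `EX2019-01` is a placeholder server name and `Test-NameCovered` is a hypothetical helper.

```powershell
# Added example, not from the original answer. Run in the Exchange Management Shell.
$Server = 'EX2019-01'   # placeholder server name (assumption)

# Hypothetical helper: is a host name covered by one of the certificate's names?
function Test-NameCovered([string]$HostName, [string[]]$CertNames) {
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }
        # A wildcard name covers exactly one left-most label
        if ($n.StartsWith('*.') -and $HostName.Contains('.') -and
            $HostName.Substring($HostName.IndexOf('.')) -eq $n.Substring(1)) { return $true }
    }
    return $false
}

# Host names clients are told to use, read from the URLs configured on this server
$urls  = @((Get-ClientAccessService -Identity $Server).AutoDiscoverServiceInternalUri)
$urls += Get-OwaVirtualDirectory -Server $Server | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$urls += Get-WebServicesVirtualDirectory -Server $Server | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$hostNames = $urls | Where-Object { $_ } | ForEach-Object { ([uri]"$_").Host } | Sort-Object -Unique

# Certificate(s) currently assigned to IIS on this server
$problems = @()
$certs = @(Get-ExchangeCertificate -Server $Server | Where-Object { "$($_.Services)" -match 'IIS' })
if ($certs.Count -eq 0) { $problems += 'No certificate is assigned to IIS' }
foreach ($c in $certs) {
    $names = @($c.CertificateDomains | ForEach-Object { "$_" })
    if ($c.IsSelfSigned)               { $problems += "$($c.Thumbprint): self-signed" }
    if ("$($c.Status)" -ne 'Valid')    { $problems += "$($c.Thumbprint): status is $($c.Status)" }
    if ($c.NotAfter -lt (Get-Date))    { $problems += "$($c.Thumbprint): expired $($c.NotAfter)" }
    foreach ($h in $hostNames) {
        if (-not (Test-NameCovered $h $names)) { $problems += "$($c.Thumbprint): does not cover $h" }
    }
}

# Components not yet Active; the component names come from the server itself
$notActive = Get-ServerComponentState -Identity $Server | Where-Object { "$($_.State)" -ne 'Active' }

$problems  | ForEach-Object { Write-Warning $_ }
$notActive | Format-Table Component, State -AutoSize
if (-not $problems) { "IIS certificate on $Server covers: $($hostNames -join ', ')" }
```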