HowTo: Migration Exchange 2016 to Exchange Server 2019 CU15 (Part 2)

In the first part of this series of articles I briefly introduced the environment, meanwhile the Exchange 2019 Server installed and you can start with the configuration and migration. The second part deals with the configuration of the installed Exchange 2019 server. Here is an overview of the environment:

If it is a larger Exchange organization and an Exchange 2016 DAG is to be migrated to Exchange 2019 CU15, then the Exchange 2019 DAG after this article can be created. If Kerberos was activated for the Exchange 2016 environment, the following can now also be created Kerberos for Exchange 2019 be activated with a new Alternate Service Account.

Exchange 2019 configuration

On the new Exchange Server, the URLs for the interfaces can be customized first. As the Exchange 2019 server is already distributed to clients in the Active Directory via autodiscover, it makes sense to configure the URLs and certificate promptly so that there are no certificate warnings for the clients. The Exchange 2019 URLs are configured identically to the Exchange 2016 URLs. A small script can be used so that not all URLs have to be adjusted manually. Only the corresponding host names for the two Exchange servers need to be specified in the script:

$Exchange2019Server = "EX2"
$Exchange2016Server = "EX1"
#Get URLs from Exchange 2016 Server
$autodiscoverhostname = (Get-ClientAccessService $Exchange2016Server).AutoDiscoverServiceInternalUri
$owainturl = (Get-OwaVirtualDirectory -Server $Exchange2016Server).internalurl
$owaexturl = (Get-OwaVirtualDirectory -Server $Exchange2016Server).externalurl
$ecpinturl = (Get-EcpVirtualDirectory -server $Exchange2016Server).internalurl
$ecpexturl = (Get-EcpVirtualDirectory -server $Exchange2016Server).externalurl
$ewsinturl = (Get-WebServicesVirtualDirectory -Server $Exchange2016Server).internalurl
$ewsexturl = (Get-WebServicesVirtualDirectory -Server $Exchange2016Server).externalurl
$easinturl = (Get-ActiveSyncVirtualDirectory -Server $Exchange2016Server).internalurl
$easexturl = (Get-ActiveSyncVirtualDirectory -Server $Exchange2016Server).externalurl
$oabinturl = (Get-OabVirtualDirectory -server $Exchange2016Server).internalurl
$oabexturl = (Get-OabVirtualDirectory -server $Exchange2016Server).externalurl
$mapiinturl = (Get-MapiVirtualDirectory -server $Exchange2016Server).internalurl
$mapiexturl = (Get-MapiVirtualDirectory -server $Exchange2016Server).externalurl
$OutlAnyInt = (Get-OutlookAnywhere -Server $Exchange2016Server).internalhostname
$OutlAnyExt = (Get-OutlookAnywhere -Server $Exchange2016Server).externalhostname
#Configure Exchange 2019 Server
Get-OwaVirtualDirectory -Server $Exchange2019Server | Set-OwaVirtualDirectory -internalurl $owainturl -externalurl $owaexturl -Confirm:$false
Get-EcpVirtualDirectory -server $Exchange2019Server | Set-EcpVirtualDirectory -internalurl $ecpinturl -externalurl $ecpexturl -Confirm:$false
Get-WebServicesVirtualDirectory -server $Exchange2019Server | Set-WebServicesVirtualDirectory -internalurl $ewsinturl -externalurl $ewsexturl -Confirm:$false
Get-ActiveSyncVirtualDirectory -Server $Exchange2019Server | Set-ActiveSyncVirtualDirectory -internalurl $easinturl -externalurl $easexturl -Confirm:$false
Get-OabVirtualDirectory -Server $Exchange2019Server | Set-OabVirtualDirectory -internalurl $oabinturl -externalurl $oabexturl -Confirm:$false
Get-MapiVirtualDirectory -Server $Exchange2019Server | Set-MapiVirtualDirectory -externalurl $mapiexturl -internalurl $mapiinturl -Confirm:$false
Get-OutlookAnywhere -Server $Exchange2019Server | Set-OutlookAnywhere -externalhostname $OutlAnyExt -internalhostname $OutlAnyInt -ExternalClientsRequireSsl:$true -InternalClientsRequireSsl:$true -ExternalClientAuthenticationMethod 'Negotiate' -Confirm:$false
Get-ClientAccessService $Exchange2019Server | Set-ClientAccessService -AutoDiscoverServiceInternalUri $autodiscoverhostname -Confirm:$false
#Display setttings
Get-OwaVirtualDirectory | fl server,externalurl,internalurl
Get-EcpVirtualDirectory | fl server,externalurl,internalurl
Get-WebServicesVirtualDirectory | fl server,externalurl,internalurl
Get-ActiveSyncVirtualDirectory | fl server,externalurl,internalurl
Get-OabVirtualDirectory | fl server,externalurl,internalurl
Get-MapiVirtualDirectory | fl server,externalurl,internalurl
Get-OutlookAnywhere | fl servername,ExternalHostname,InternalHostname
Get-ClientAccessService | fl name,AutoDiscoverServiceInternalUri

The script then configures all Exchange 2019 URLs with the values from the Exchange 2016 configuration:

Exchange 2019: Customize URLs

Finally, the current configuration is displayed:

Exchange 2019: Customize URLs

Next, the certificate is exported from the Exchange 2016 server and imported into the new server. It is important at this point that the same certificate is used so that Extended Protection does not cause any problems. The corresponding certificate can be conveniently exported and imported via the Exchange Admin Center (this function has been reinstalled):

Exchange 2019: Transfer certificate

Only a password needs to be entered for the export, after which the certificate is downloaded:

Exchange 2019: Transfer certificate

The certificate can then be imported on the Exchange 2019 server:

Exchange 2019: Transfer certificate

Select file and enter password:

Exchange 2019: Transfer certificate

And specify the new server for the import:

Exchange 2019: Transfer certificate

Finally, the services are assigned to the certificate:

Exchange 2019: Transfer certificate

The connectors can now be configured. The same settings can be used here as for the Exchange 2016 servers. The new Exchange server is first added to the send connectors; no new connector needs to be created here, but the existing send connectors are adapted:

Exchange 2019: Customize the send conector

The new server is added here, as are any other send connectors:

Customize send conector

This completes the configuration for sending mails. The situation is slightly different for the receive connectors. The receive connectors are created for each server and must therefore be adapted on the new server. Here it makes sense to place both servers next to each other and go through connector by connector:

Exchange 2019: Customize receiving connectors

In particular, the size restrictions and security settings should be checked and adjusted if necessary. If there are additional receive connectors on the Exchange 2016 side, these connectors will also be created on the Exchange 2019 side.

The size limits are also important for the new database; here too, the limits must be adopted from the Exchange 2016 databases:

Exchange 2019: Customize databases

Here you should also not forget to assign the offline address book:

Customize databases

This completes the configuration. The first tests are now possible at this point. On a client, the IP for Autodiscover and web services can be adapted to the IP of the Exchange 2019 server in the hosts file. In my case, it looks like this:

Test the settings and change DNS

Now the connection can be tested via Outlook and a few mails (internal mailbox to mailbox, external outgoing, external incoming) can be sent.

If no problems occur, the DNS and router / firewall settings can be adjusted. In internal DNS, the IPs for autodiscover and web services must be adjusted:

Test the settings and change DNS

The IP of the Exchange 2019 server is used for both entries so that all clients can already connect to their mailboxes via the new server:

Test the settings and change DNS

Depending on how the Exchange server is accessible on the Internet, the NAT entries for port 443 (possibly also 80) and 25 can now be adjusted on the Exchange 2019 servers. If there are upstream SPAM filters or similar, these systems can also deliver their mails to the Exchange 2019 server. Access and email routing should now only take place to the Exchange 2019 server.

At this point, you can now allow some time to pass so that all clients are aware of the DNS changes. The time can be used to switch all SMTP clients. Printers, scanners, MFCs, other devices and software may use the Exchange 2016 server to deliver mails, this can now be adapted to the new server.

After the changeover, it is advisable to run the "Outlook Connectivity" tests from the Microsoft Remote Connectivity Analyzer:

Next steps

The next and last article in this series will be about migrating the data and uninstalling the old server. As soon as the article is finished, I will link it here.

5 thoughts on “HowTo: Migration Exchange 2016 zu Exchange Server 2019 CU15 (Teil 2)”

  1. Extended Protection ist es nicht, die war bzw. ist am alten laut HealthChecker in Ordnung. Kerberos muss ich mal prüfen, könnte aber ein Ansatz sein, Danke!

  2. Erstmal herzlichen Dank für die wie immer hervorragende Anleitung.
    Ich versuche das gerade bei mir umzusetzen und stoße auf ein Problem.
    An dem Punkt an dem man zum Testen die Hosts-Datei editiert habe ich nun das Problem, dass sich dann Outlook nicht mehr mit dem Server verbindet. Man wird aufgefordert sich zu authentifizieren, wenn man das tut kommt die Abfrage aber direkt wieder, quasi in einer Endlosschleife.
    Ich finde den Fehler einfach nicht. Kann mir hier evtl. jemand weiter helfen bzw. hat jemand das gleiche Problem?

    • Meine erste Vermutung wäre (wieder einmal) die Extended Protection. War die auf dem bisherigen Exchange eingeschaltet und korrekt konfiguriert? Seit CU14 wird die bei Exchange 2019 automatisch eingeschaltet, bei den älteren musste man das manuell machen.

      • Wenns das nicht ist, könnte es noch der Kerberos Alternate Service Account sein. Ist ja oben beschrieben.

        • Also, es ist weder die Extended Protection, die ist auf EX16 wie EX19 einwandfrei, noch scheint es Kerberos zu sein.
          Ich hatte jedenfalls zum Test dann gemäß der Anleitung und obwohl kein Loadbalancer im Einsatz ist die Einrichtung vorgenommen. Leider mit dem Erfolg, dass ich dann die Anmeldeproblematik von Outlook auf beiden Servern hatte – was mir dann gleich um die Ohren geflogen ist weil das Problem dann halt auch bei allen Usern aufgepoppt ist.
          Ich habe das mit dem Kerberos Alternate Service Account dann rückgängig gemacht. Interessant dabei war dann, dass die Anmeldeproblematik auf dem alten EX16 dann erst wieder verschwand, als ich die SPNs entfernt und am Client einen klist purge ausgeführt habe.
          Meine Hoffnung, dass sich das auch auf die neuen EX19 in irgendeiner Weise positiv ausgewirkt hat hat sich allerdings zerschlagen und ich stehe wieder am Anfangsproblem von oben.

          Könnte das theoretisch mit öffentlichen Ordnern im Zusammenhang stehen? Verhält sich der EX19 hier anders als der EX16?

