Certificate warning during or after a new Exchange Server installation
Users are getting a certificate warning in Outlook. It happened during or after a new Exchange Server installation in the organization. The first question that you are asking yourself is: Why are users getting a certificate warning in Outlook? The second question: Is there a way to prevent the certificate warning for the users in Outlook? In this article, you will get both questions answered.
Why are users getting a certificate warning in Outlook?
The reason for this is Outlook and the Service Connection Point (SCP) in Active Directory. During the setup of the Exchange Server, a new SCP is created in Active Directory (AD). An Outlook client will accidentally discover the unconfigured SCP. It will try to connect to the new Exchange Server instead of the Autodiscover FQDN. Because of that, a certificate warning is showing up in Outlook.
You need to find the autodiscover URL in Exchange with PowerShell. After that, you need to configure the autodiscover URL in Exchange with PowerShell on the new Exchange Server. When you do that, the chance of preventing the warning is not that great. It’s too late and people are starting to get the warning in Outlook. Is there another way?
Is there a way to prevent the certificate warning?
Yes, there is a way to prevent the certificate warning for the users in Outlook. This can be done by a PowerShell script. Download the script Set-AutodiscoverSCP.ps1 (Microsoft Technet Gallery). You can also download the script from here Set-AutodiscoverSCP.ps1 (direct link). The script is made by MVP Jeff Guillet.
The script is intended to run on another Exchange server in the organization running the same version of Exchange as the new server. This is because Exchange 2010 cannot update SCP values for Exchange 2013, 2016 or 2019 and vice versa. Note that Exchange 2013/2016/2019 servers can update each other. You can also have the script target a particular domain controller. This is useful when the new server you are installing is in a different AD site.
Example 1: Exchange 2010 and Exchange 2016
You have two Exchange Servers 2010 (EX2010-01) and (EX2010-02) in the organization. You are going to install a new Exchange Server 2016 (EX2016). Download the script and place it in the C:\scripts\ folder on the Exchange Server 2016 (EX2016). Run the script on the Exchange Server 2016 (EX2016). Start installing Exchange Server on EX2016.
1 2 3 | [PS] C:\>cd C:\scripts\ [PS] C:\scripts>Set-AutodiscoverSCP.ps1 -Server ex2016 -ServerToClone ex2010-01 |
The script will continually query the current configuration domain controller until it finds an SCP for server EX2016 and then sets it to match the SCP of EX2010-01. It also configures Outlook Anywhere and the internal/external virtual directory URLs to match those found on EX2010-01.
Example 2: Exchange 2013 and Exchange 2019
You have one Exchange Server 2013 (EX2013) in the organization. You are going to install a new Exchange Server 2019 (EX2019). Download the script and place it in the C:\scripts\ folder on the Exchange Server 2013 (EX2013). Run the script on the Exchange Server 2013 (EX2013). Start installing Exchange Server on the EX2019.
1 2 3 | [PS] C:\>cd C:\scripts\ [PS] C:\scripts>Set-AutodiscoverSCP.ps1 -Server ex2019 -ServerToClone ex2013 |
The script will continually query the current configuration domain controller until it finds an SCP for server EX2019 and then sets it to match the SCP of EX2013. It also configures Outlook Anywhere and the internal/external virtual directory URLs to match those found on EX2013.
Example 3: Exchange server in a different AD site
It is almost the same as the command in the previous examples, except it continually queries DC03 for the SCP record and configures it on that domain controller. This is useful when configuring a new Exchange server in a different Active Directory site.
1 2 3 | [PS] C:\>cd C:\scripts\ [PS] C:\scripts>Set-AutodiscoverSCP.ps1 -Server ex2019 -ServerToClone ex2013 -DomainController dc03 |
From this moment on an Outlook client can safely discover this SCP record. Outlook will automatically connect to the correct Autodiscover URL and therefore the SSL Certificate warning will not appear (assuming the original servers are configured correctly).
Conclusion
In this article, you learned why a certificate warning is showing up in Outlook. This happens during or after a new Exchange Server installation. You learned how to prevent the certificate warning from popping up in Outlook. I hope that this article was informative to you. Did you enjoy this article? You may like the article Pause a single mailbox move request in Exchange. Don’t forget to follow us and share this article.
