Once you have installed Exchange 2016 by following the previous step, you need to configure it.

  1. From the newly deployed Exchange 2016 server, open the Exchange Management Shell.

  2. Enter the product key:

Set-ExchangeServer -Identity EXCHANGE1 -ProductKey XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
(Note: This has to be run from the Exchange 2016 server, not from the existing Exchange 2013 server, as it will say the key is invalid.)

  3. Then restart the Information Store service:

Restart-Service -ServiceName "Microsoft Exchange Information Store"

  4. Change the transport logs path to the logs drive:

Set-TransportServer %servername% -MessageTrackingLogPath "G:\Logs\MessageTracking"
Set-TransportServer %servername% -ConnectivityLogPath "G:\Logs\Connectivity"
Set-TransportServer %servername% -IrmLogPath "G:\Logs\IRMLogs"
Set-TransportServer %servername% -ActiveUserStatisticsLogPath "G:\Logs\ActiveUserStats"
Set-TransportServer %servername% -ServerStatisticsLogPath "G:\Logs\ServerStats"
Set-TransportServer %servername% -ReceiveProtocolLogPath "G:\Logs\ProtocolLog\SmtpReceive"
Set-TransportServer %servername% -RoutingTableLogPath "G:\Logs\Routing"
Set-TransportServer %servername% -SendProtocolLogPath "G:\Logs\ProtocolLog\SmtpSend"

  5. Import your third-party CA-signed SSL certificate and assign services:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "C:\certificate\certificate.pfx" -Encoding byte -ReadCount 0)) -Password:(Get-Credential).password

Enable-ExchangeCertificate -Thumbprint <ID> -Services IIS,SMTP,POP,IMAP
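
Before assigning services, it helps to confirm that the imported certificate has its private key, is still valid, and covers every host name clients will use; the same listing gives you the thumbprint for Enable-ExchangeCertificate. This check is an added example, not part of the original guide, and the names in $requiredNames are placeholders for your own namespace.

```powershell
# Added example: sanity-check imported certificates before assigning services.
# Run in the Exchange Management Shell. $requiredNames holds placeholder names.
$requiredNames = @('mail.example.com', 'autodiscover.example.com')

function Test-NameCovered {
    param([string]$Name, [string[]]$CertDomains)
    foreach ($d in $CertDomains) {
        if ($d -eq $Name) { return $true }
        # A wildcard covers exactly one label: *.example.com matches mail.example.com
        # but not a.mail.example.com.
        if ($d.StartsWith('*.')) {
            $suffix = $d.Substring(1)   # ".example.com"
            if ($Name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase) -and
                $Name.Substring(0, $Name.Length - $suffix.Length) -match '^[^.]+$') {
                return $true
            }
        }
    }
    return $false
}

Get-ExchangeCertificate | Where-Object { -not $_.IsSelfSigned } | ForEach-Object {
    $domains = @($_.CertificateDomains | ForEach-Object { $_.ToString() })
    $missing = @($requiredNames | Where-Object { -not (Test-NameCovered $_ $domains) })
    [pscustomobject]@{
        Thumbprint    = $_.Thumbprint
        Subject       = $_.Subject
        HasPrivateKey = $_.HasPrivateKey   # must be True to bind to IIS/SMTP
        Status        = $_.Status          # expect Valid
        DaysLeft      = [int](($_.NotAfter - (Get-Date)).TotalDays)
        Services      = $_.Services
        MissingNames  = $missing -join ', '  # empty when every required name is covered
    }
} | Format-List
```

Enable the certificate only when HasPrivateKey is True, Status is Valid and MissingNames is empty.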

  6. Reset IIS:

  7. Configure send connectors

  8. Configure receive connectors

  9. Configure accepted domains

  10. Configure default email address policy

  11. Configure external access domain

  12. Configure Exchange virtual directories to use the same internal and external URL (For Split-DNS)

Grab your existing Exchange Virtual Directory configuration on all your Exchange Servers:

Get-ClientAccessService -Identity <server> | Select Server,ExternalURL,InternalURL,AutoDiscoverServiceInternalUri | fl

Get-OwaVirtualDirectory -Server <server> -AdpropertiesOnly | Select Server,ExternalURL,InternalURL | fl

Get-EcpVirtualDirectory -Server <server> -AdpropertiesOnly | Select Server,ExternalURL,InternalURL | fl

Get-WebServicesVirtualDirectory -Server <server> -AdpropertiesOnly | Select Server,ExternalURL,InternalURL | fl

Get-ActiveSyncVirtualDirectory -Server <server> -AdpropertiesOnly | select server,externalurl,internalurl | fl

Get-OabVirtualDirectory -Server <server> -AdpropertiesOnly | select server,externalurl,internalurl | fl

Get-MapiVirtualDirectory -Server <server> -AdpropertiesOnly | select server,externalurl,internalurl | fl

Get-ClientAccessServer | fl identity,autodiscoverserviceinternaluri

Get-OutlookAnywhere -Server <server> -AdpropertiesOnly | Select Server,ExternalHostname,Internalhostname | fl


Now set the correct values:

Set-ClientAccessService -Identity <server> -AutoDiscoverServiceInternalUri https://<url>/autodiscover/autodiscover.xml

Set-OwaVirtualDirectory -Identity "<server>\OWA (Default Web Site)" -ExternalUrl https://<url>/owa -InternalUrl https://<url>/owa

Set-EcpVirtualDirectory -Identity "<server>\ECP (Default Web Site)" -ExternalUrl https://<url>/ecp -InternalUrl https://<url>/ecp

Set-WebServicesVirtualDirectory -Identity "<server>\EWS (Default Web Site)" -ExternalUrl https://<url>/EWS/Exchange.asmx -InternalUrl https://<url>/EWS/Exchange.asmx

Set-ActiveSyncVirtualDirectory -Identity "<server>\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalUrl https://<url>/Microsoft-Server-ActiveSync -InternalUrl https://<url>/Microsoft-Server-ActiveSync

Set-OabVirtualDirectory -Identity "<server>\OAB (Default Web Site)" -ExternalUrl https://<url>/OAB -InternalUrl https://<url>/OAB

Set-MapiVirtualDirectory -Identity "<server>\mapi (Default Web Site)" -ExternalUrl https://<url>/mapi -InternalUrl https://<url>/mapi

Set-ClientAccessServer -Identity <server> -AutoDiscoverServiceInternalUri https://<url>/Autodiscover/Autodiscover.xml

Set-OutlookAnywhere -Identity "<server>\RPC (Default Web Site)" -ExternalHostname <url> -InternalHostname <url> -ExternalClientsRequireSsl $true -InternalClientsRequireSsl $true -DefaultAuthenticationMethod NTLM

Issues with RPC errors/best practices:

  1. First things first: if you have a multi-domain forest, you need to ensure you have configured a group policy to set the correct DNS search suffix order in each of your domains. RPC errors when using the ECP or OWA can be caused by Exchange servers that are unable to resolve the hostname of any other Exchange server to its FQDN (besides other causes).

  2. Coming from Exchange 2013 to Exchange 2016, there are some settings which might be obsolete. Exchange 2013 provided a lot of backward compatibility for Exchange 2010 and lower; going forward, these old protocols and settings will become obsolete, so ensure you configure the following when moving to Exchange 2016:

  3. On your Load Balancers, remove any TCP checks (for instance RPC over HTTP, which is disabled in Exchange 2016). Exchange 2016 now uses MAPI over HTTPS by default. Add the Exchange 2016 server to your Load Balancer. Exchange 2013 CAS servers can proxy requests to your Exchange 2016 server and vice versa.

  4. On each Exchange CAS, configure NTLM authentication. This is a Microsoft best practice and is also much more secure, as it doesn't reveal your username or password:

Get-OutlookAnywhere -Server (Exchange CAS) | Set-OutlookAnywhere -ExternalClientAuthenticationMethod NTLM
Get-OutlookAnywhere -Server (Exchange CAS) | Set-OutlookAnywhere -InternalClientAuthenticationMethod NTLM

Or, to perform this on all Exchange CAS servers:
Get-OutlookAnywhere | Set-OutlookAnywhere -ExternalClientAuthenticationMethod NTLM -InternalClientAuthenticationMethod NTLM

  5. Run iisreset or reboot.

  6. These should not be empty, but I have seen these two fields empty on many Exchange servers, which can cause issues with Outlook Anywhere or Autodiscover.

Set-OutlookProvider EXPR -CertPrincipalName msstd:(your external host name)

Set-OutlookProvider EXCH -CertPrincipalName msstd:(your external host name)

  7. You should already have Split DNS:

Create a non-authoritative copy of your external namespace.
Create a zone for your external namespace (domain) and add the A records from your external namespace (mail, autodiscover, www, etc.), pointing them to your internal IP addresses (or load balancer).

You should now be able to log into Outlook Web App via the external URL and use Outlook for Autodiscover internally.

  8. Here's how to test and verify your configuration is optimal:

Test Outlook connectivity:
Test-OutlookConnectivity -RunFromServerId <server> -ProbeIdentity OutlookMapiHttpSelfTestProbe

Use the Microsoft Remote Connectivity Analyser tool to verify that all tests complete.

Use the 'Get-' PowerShell commands in this guide against each of your Exchange servers to ensure they have identical configuration.
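
Comparing the 'Get-' output by eye across several servers is error-prone, so the following added example (not part of the original guide) runs the same read-only cmdlets against every server and prints only the settings whose values differ. It assumes it is run in the Exchange Management Shell on an Exchange 2016 server; the short labels such as OWA and OA are arbitrary.

```powershell
# Added example: read-only drift check across all Exchange servers.
$servers = Get-ExchangeServer | Where-Object { "$($_.ServerRole)" -match 'Mailbox|ClientAccess' }

$rows = foreach ($s in $servers) {
    $n = $s.Name
    # Same Get- cmdlets as in the guide, keyed by a short label.
    $vdirs = [ordered]@{
        OWA  = Get-OwaVirtualDirectory         -Server $n -ADPropertiesOnly
        ECP  = Get-EcpVirtualDirectory         -Server $n -ADPropertiesOnly
        EWS  = Get-WebServicesVirtualDirectory -Server $n -ADPropertiesOnly
        EAS  = Get-ActiveSyncVirtualDirectory  -Server $n -ADPropertiesOnly
        OAB  = Get-OabVirtualDirectory         -Server $n -ADPropertiesOnly
        MAPI = Get-MapiVirtualDirectory        -Server $n -ADPropertiesOnly
    }
    foreach ($k in $vdirs.Keys) {
        foreach ($v in $vdirs[$k]) {   # skipped when the server has no such directory
            [pscustomobject]@{ Server = $n; Setting = "$k InternalUrl"; Value = "$($v.InternalUrl)" }
            [pscustomobject]@{ Server = $n; Setting = "$k ExternalUrl"; Value = "$($v.ExternalUrl)" }
        }
    }
    $oaProps = 'ExternalHostname', 'InternalHostname',
               'ExternalClientAuthenticationMethod', 'InternalClientAuthenticationMethod',
               'ExternalClientsRequireSsl', 'InternalClientsRequireSsl'
    foreach ($oa in (Get-OutlookAnywhere -Server $n -ADPropertiesOnly)) {
        foreach ($p in $oaProps) {
            [pscustomobject]@{ Server = $n; Setting = "OA $p"; Value = "$($oa.$p)" }
        }
    }
    $cas = Get-ClientAccessService -Identity $n -ErrorAction SilentlyContinue
    if ($cas) {
        [pscustomobject]@{ Server = $n; Setting = 'AutoDiscoverServiceInternalUri'
                           Value = "$($cas.AutoDiscoverServiceInternalUri)" }
    }
}

# A setting has drifted when servers report more than one distinct value for it
# (Sort-Object -Unique compares case-insensitively; an empty value counts as a value).
$drift = $rows | Group-Object Setting |
    Where-Object { @($_.Group.Value | Sort-Object -Unique).Count -gt 1 }
$drift | ForEach-Object { $_.Group } | Format-Table Server, Setting, Value -AutoSize

# Outlook Anywhere auth methods that differ from the NTLM value this guide sets.
$rows | Where-Object { $_.Setting -like 'OA *AuthenticationMethod' -and $_.Value -ne 'Ntlm' } |
    Format-Table Server, Setting, Value -AutoSize
```

No output from either table means every server reports the same URLs and the NTLM setting from this guide.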


  9. Now deploy a second Exchange 2016 Mailbox server, (preferably) in a separate site from the one above. Then configure your load balancers to balance load between the two CAS servers (I use HAProxy; I will post a config later).

  10. Add both servers into a DAG. Set up the witness server and an IP-less DAG (use for the DAG network).

  11. Create some test accounts, test mail flow and DAG failover, DAG switchover, database copy seeding, etc.

  12. Create a mailbox database copy on your second Exchange 2016 server in the DAG.

  13. Take a database backup of your Exchange 2013 databases.

  14. Copy/Move mailboxes from your existing Exchange 2013 Servers to your Exchange 2016 Servers. Test mailbox connectivity, mail flow, etc.

  15. Finally, decommission your Exchange 2013 environment to complete your transition to Exchange 2016.