Exchange 2010 migration to a newer version and Exchange Management Shell mailbox anchoring

Hello, I'm in the process of migrating my Exchange server to a newer version. I'm aware of this EMS (Exchange Management Shell) behavior change:

and of these workarounds:

From my understanding, that means that, without workarounds, with a fresh install of Exchange, if I run a cmdlet (e.g. I want to change the SCP attribute to avoid certificate warnings in Outlook) in EMS on the new Exchange, it simply won't work. Am I right?

Those posts were made when Exchange 2013 CU11 and Exchange 2016 CU1 were released. I'm wondering if those "issues" are still present in newer builds.

My main concern, as said above, is that when a new Exchange version is installed in an AD site, the first thing I must do is to change the default SCP (Service Connection Point) attribute to the one currently used that points to my Exchange 2010 server, to avoid certificate warnings to end users in Outlook. If the above is still true, I won't be able to change the Service Connection Point created by the new Exchange server in AD in a timely manner, since EMS loaded on the new Exchange server will actually point to Exchange 2010. So my users will get those annoying warnings until, for example, the Exchange admin mailbox is moved and I am then able to run the cmdlet on the new Exchange.
In that case, I must change my deployment steps (and the time schedule for the deployment) accordingly, and I'd like to know it before starting the migration.

Thank you,
Francesco B. B.

5 Replies





I will recommend the scenario below to avoid this kind of hassle.


1. Create a new Exchange server with the latest CU/Windows updates etc.
2. Create a new DAG and generate a new certificate
3. Create batch files based on Departments/Sectors
4. Migrate these batches of users from one DAG to another DAG.


Thank you,



I think that your answer is unrelated to the topic.
I'm noticing that this forum is not as reliable and active as Technet.

Hi Francesco,
As ever, it depends! When you install the new version of Exchange it will add its own SCP into AD pointing to itself. If you have a self-signed certificate on the Exchange server that corresponds to the server name, the clients will see that as trusted and not kick up a warning box to Outlook. If you are using a 3rd party cert and a vanity alias ( there is a period where we'll want to upload the cert, update the virtual directories and amend the SCP to make it more elegant, where the users may get the annoying Outlook cert warning before we've completed the configuration changes. You're only looking at a period of several minutes during the install before you can use the Exchange 2016 EMS console to set the SCP to the DNS address of the Exchange 2010 servers, but that is enough for a handful of Outlook clients to potentially try and connect.

You've got a couple of options -
You can deploy the Exchange server to a separate AD site with no clients and then move it to the "live" AD site - probably more hassle than is necessary.
Out of hours deployment, email comms beforehand asking users to close Outlook overnight and ignore any certificate warnings.

Certainly once Exchange has installed you'll be able to use the EMS on the new server to run any PowerShell commands necessary.

Hi, I think you (too) did not read the question properly. I'm fully aware of the SCP record and how to work around it. But that's not the problem for which I asked for help.
However, the correct answer has already been provided on Microsoft Q&A (Technet community):

No valid answers have been provided here. Hence I cannot mark as a valid answer any of the replies given to this question.

Francesco B. B.
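
The SCP records discussed in the replies above can be audited read-only, straight from Active Directory, so the check does not depend on which Exchange server an EMS session ends up connected to. This is an added example, not code from any participant in the thread; the expected URL is a placeholder, and the keyword GUID is the one Exchange stamps on Autodiscover SCP objects.

```powershell
# Added example: read-only audit of Autodiscover SCP objects in AD.
# Lists every SCP, the AD sites it serves, and whether its URL matches the
# Autodiscover address you intend clients to use during coexistence.

# Placeholder (assumption): replace with your published Autodiscover URL.
$ExpectedUri = 'https://autodiscover.example.com/Autodiscover/Autodiscover.xml'

# Keyword present on Autodiscover SCP objects that carry a URL.
$ScpUrlGuid = '77378F46-2C66-4aa9-A6A6-3E7A48B19596'

# SCP objects live in the forest-wide Configuration naming context.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = "$($rootDse.configurationNamingContext)"

$searcher            = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$configNc"
$searcher.Filter     = "(&(objectClass=serviceConnectionPoint)(keywords=$ScpUrlGuid))"
$searcher.PageSize   = 500
foreach ($p in 'cn', 'keywords', 'servicebindinginformation', 'whenchanged') {
    [void]$searcher.PropertiesToLoad.Add($p)
}

$found = $searcher.FindAll()
$report = foreach ($r in $found) {
    $uri   = [string]($r.Properties['servicebindinginformation'] | Select-Object -First 1)
    # "Site=<name>" keywords record which AD sites this SCP is scoped to.
    $sites = @($r.Properties['keywords'] | Where-Object { $_ -like 'Site=*' }) -replace '^Site=', ''

    [pscustomobject]@{
        Server      = [string]($r.Properties['cn'] | Select-Object -First 1)  # normally the server name
        Sites       = $sites -join ','
        ScpUri      = $uri
        MatchesPlan = ($uri -ieq $ExpectedUri)
        WhenChanged = $r.Properties['whenchanged'] | Select-Object -First 1
    }
}
$found.Dispose()

# Mismatches sort first: these are the servers whose SCP still needs amending.
$report | Sort-Object MatchesPlan, Server | Format-Table -AutoSize
```

Running it before and after the new server is installed shows when the new SCP appears and when it has been corrected; an entry pointing at an unexpected host is worth investigating, since that is where domain-joined Outlook clients send Autodiscover requests.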