Unable to move from CU7 further


Hi all! 

Recently I've started having issues when upgrading Exchange 2019 721.2 (CU7). I am not able to move past step 11 of 17 - Mailbox role: Transport service. I keep getting an error:


The following error was generated when "$error.Clear(); 
          Install-ExchangeCertificate -services IIS -DomainController $RoleDomainController
          if ($RoleIsDatacenter -ne $true -And $RoleIsPartnerHosted -ne $true)
            Install-AuthCertificate -DomainController $RoleDomainController
        " was run: "Microsoft.Exchange.Management.Clients.FormsAuthenticationMarkPathUnknownSetError: An unexpected error occurred while modifying the forms authentication settings for path /LM/W3SVC/1.  The error returned was 5506.
   at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
   at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
  at Microsoft.Exchange.Management.SystemConfigurationTasks.InstallExchangeCertificate.EnableForServices(X509Certificate2 cert, AllowedServices services)
   at Microsoft.Exchange.Management.SystemConfigurationTasks.InstallExchangeCertificate.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__91_1()
   at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".


Does anyone have an idea how I should proceed? I've spent hours trying and reverting, but no luck.


Thank you 

4 Replies
Sounds like a certificate issue. Did you try the following:
1) IIS Manager > Default Web Site > Edit Bindings > https
2) Check if SSL certificate is bound to "Microsoft Exchange"; if not, configure it so.
3) Re-run setup to upgrade
4) Post upgrade, reconfigure the 3rd party certificate
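
The binding check from steps 1 and 2 above can also be done from an elevated PowerShell session. This is an added example, not part of the original reply; it assumes the WebAdministration module that ships with IIS and assumes that "Microsoft Exchange" refers to the certificate's friendly name as IIS Manager displays it. It only reads configuration and changes nothing.

```powershell
# Added example: read-only report of the certificate bound to HTTPS on the Default Web Site.
# Assumptions: WebAdministration module is available; session is elevated.
Import-Module WebAdministration

$siteName     = 'Default Web Site'
$expectedName = 'Microsoft Exchange'   # assumed to be the certificate friendly name

$bindings = Get-WebBinding -Name $siteName -Protocol https
if (-not $bindings) {
    Write-Warning "No https binding found on '$siteName'."
    return
}

foreach ($binding in $bindings) {
    $thumbprint = $binding.certificateHash
    $storeName  = $binding.certificateStoreName
    if (-not $storeName) { $storeName = 'My' }   # default personal store

    # Resolve the bound thumbprint to a certificate in the local machine store.
    $cert = $null
    if ($thumbprint) {
        $cert = Get-Item -Path "Cert:\LocalMachine\$storeName\$thumbprint" -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        Binding        = $binding.bindingInformation
        Thumbprint     = $thumbprint
        FoundInStore   = [bool]$cert
        FriendlyName   = if ($cert) { $cert.FriendlyName } else { $null }
        Subject        = if ($cert) { $cert.Subject } else { $null }
        NotAfter       = if ($cert) { $cert.NotAfter } else { $null }
        HasPrivateKey  = if ($cert) { $cert.HasPrivateKey } else { $false }
        IsExpectedCert = ($cert -and $cert.FriendlyName -eq $expectedName)
    }
}
```

A binding with an empty thumbprint, `FoundInStore` false, or `IsExpectedCert` false is the case step 2 asks you to correct before re-running setup.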
Hi, thank you for the reply. I will definitely try.
So if I understand correctly, for the upgrade I should revert to the self-signed certificate. Once done, I should put the 3rd party one back in place again.
Thank you !
Hi, I've tried this approach last night. I didn't get too far. I think this helped to overcome the initial problem, but then the next one showed up. Still in the "Front End" section. I've even followed some instructions on the net to completely remove IIS Management tools, but it was not able to finish the installation. Don't know why something that was an easy process before now got stuck and won't move forward.

Since this is a hybrid environment, is building a fresh new Exchange and moving mailboxes to it something I should consider? Can it mess up the hybrid config? Any idea?
best response confirmed by vuckovic75 (Copper Contributor)
Well, something in your setup is off as this normally should be straightforward. While I personally would want to work out the underlying problem, there is a point where it may take up too much time and redeploying it might be quicker, especially when you run hybrid and you have (automated, scripted) config procedures at hand. You could also run setup using the /Mode:RecoverServer switch to recover the server (replacing, same name) using the information from AD to speed things up; one of the things to do afterwards is getting the certificate on it.

What path you choose here is yours.