Configure Exchange Server 2016

This article is for those looking for a detailed and clear guide on how to configure Exchange Server 2016.

You can read more about how to configure Exchange Server 2019 in my guide Configure Exchange Server 2019.

IMPORTANT

We will consider the case when you already have two servers with the Windows Server 2012 R2 operating system installed on them. In addition, one of the servers must have the Active Directory Domain Services role installed, and the second server must have Exchange Server 2016 installed.

NOTE

For details on installing Exchange Server 2016 on Windows Server 2012 R2, refer to my guide: Install Exchange Server 2016 on Windows Server 2012 R2.

NOTE

To learn how to install Active Directory Domain Services on Windows Server 2012 R2, see my guide: Install Active Directory Domain Services on Windows Server 2012 R2.

Open the Exchange Admin Center control panel, which is located at the link https://us-boston-ex-01/ecp, where us-boston-ex-01 is the name of my Exchange server. Accordingly, you need to provide the name or IP address of your server.

Specify the username and password of an account with Exchange administrator rights and click on the “Sign in” button.

Welcome to the “Exchange Administration Center”.

You can start working with the Exchange server.

Let’s create a mailbox database.

In the “Servers” section, select the “Databases” subsection and click on the ”+” button.

Next, you need to specify a name for the new database and select an Exchange server with the “Mailbox” role.

Specify the name of the database and click on the “Browse” button.

Select the Exchange server with the “Mailbox” role and click on the “OK” button.

Now you need to specify in which folder the mailbox database and its logs will be stored.

NOTE

You need to first create folders on the server in which you plan to store the database and its logs. In addition, it is better to store the database on a disk specially allocated for this task.

In the “Database file path” field, specify the folder in which the database will be stored.

In the “Log folder path” field, specify the folder in which the database logs will be stored.

Check the “Mount this database” box and click on the “Save” button.

Now you need to restart the Microsoft Exchange Information Store service on the Exchange server.

Click on the “OK” button.

Open “Server Manager” on the server with Exchange Server 2016 installed, then click on the “Tools” button in the upper right corner of the screen and select “Services”.

Right-click on the “Microsoft Exchange Information Store” service and select “Restart”.

The service has restarted successfully and the new database is ready to go.

Next, in the “Servers” section, select the “Databases” subsection, then select a new database and double-click on it with the left mouse button.

In the “Limits” section, you can configure the retention time for deleted mailboxes and letters.

Specify the required values and click on the “Save” button.

Now let’s create a database for shared folders.

In the “Servers” section, select the “Databases” subsection and click on the ”+” button.

Specify a name for the shared folder database and click the Browse button.

Select the Exchange server with the “Mailbox” role and click on the “OK” button.

Now you need to specify in which folder the database for public folders and its logs will be stored.

NOTE

You need to first create folders on the server in which you plan to store the database and its logs. In addition, it is better to store the database on a disk specially allocated for this task.

In the “Database file path” field, specify the folder in which the database will be stored.

In the “Log folder path” field, specify the folder in which the database logs will be stored.

Check the “Mount this database” box and click on the “Save” button.

Now you need to restart the Microsoft Exchange Information Store service on the Exchange server.

Click on the “OK” button.

Return to “Server Manager” on the server with Exchange Server 2016 installed, click on the “Tools” button in the upper right corner of the screen, and select “Services”.

Right-click on the “Microsoft Exchange Information Store” service and select “Restart”.

The service has restarted successfully and the new database is ready to go.

Next, go to the “Public Folders” section.

In the “Public Folders” section, select the “Public Folder Mailboxes” subsection and click on the ”+” button.

Specify a name for the public folder mailbox and in the “Mailbox database” section click on the “Browse” button.

Select the database for shared folders and click on the “OK” button.

Nothing can be changed in the “Organization unit” section.

Click on the “Save” button.

After the public folder mailbox is created, it appears under the Public Folder Mailboxes subsection.

Now let’s add the trusted domain.

In the “Mail Flow” section, select the “Accepted Domains” subsection and click on the ”+” button.

In the “Name” and “Accepted Domain” fields, specify the domain that you want to add to the trusted ones, then select “Authoritative Domain: E-mail is delivered only to valid recipients in this Exchange organization”.

Click on the “Save” button.

After the domain is added to the trusted ones, it will appear in the “Accepted Domains” section.

Now you need to create a policy for generating mailing addresses.

In the “Mail Flow” section, select the “Email Address Policies” subsection and click on the ”+” button.

Next, you need to specify a name for the new policy and choose who it will be applied to, and then determine how mail addresses will be generated in your organization.

NOTE

In this tutorial, mailing addresses will be based on “Alias”.

Specify a name for the policy for generating postal addresses and click the ”+” button.

Specify the main domain and select “[email protected]”.

Click on the “Save” button.

Now let’s add a second domain so that users can receive mail using the second domain name as well.

Click on the ”+” button.

Specify the second domain and select “[email protected]”.

Click the “Save” button.

After you have determined how mail addresses will be formed in your organization, click on the “Save” button.

Pay attention to the warning. In order for the policy to take effect, you must click on the “Apply” button in the “E-mail Address Policies” subsection.

After the policy is added, it will appear in the “E-mail Address Policies” subsection with the “Unapplied” status.

To apply a policy, select it and click on the “Apply” button.

Next, a warning will appear stating that applying the policy may take a long time and you will not be able to perform other tasks while the policy is being applied.

Click on the “Yes” button.

The policy for generating postal addresses has been successfully applied.

Click on the “Close” button.

After the policy is applied, it will appear in the “E-mail Address Policies” subsection with the “Applied” status.

Now you need to create a send connector: to be able to send mail outside the organization.

In the “Mail Flow” section, select the “Send Connectors” subsection and click on the ”+” button.

Specify a name for the new Send Connector and select “Internet” in the “Type” section.

Click on the “Next” button.

NOTE

In this example, mail will be sent according to MX records.

Select “MX record associated with recipient domain” and click on the “Next” button.

Next, you need to specify for which domains the new connector will work.

Click on the ”+” button.

In the “Full Qualified Domain Name (FQDN)” field, enter *. This way, the new Send Connector will handle all domains except yours.

Click on the “OK” button.

After you have specified for which domains the new connector will work, click on the “Next” button.

Next, you need to specify on which Exchange server the Send connector will be created.

Click on the ”+” button.

Select the Exchange server on which the Send Connector will be created and click on the “OK” button.

Everything is ready to create a send connector.

Click on the “Finish” button.

Next, in the “Mail Flow” section, select the “Send Connectors” subsection, then select a new send connector and double-click on it with the left mouse button.

In the “General” section of the “Maximum send message size (MB)” menu, you can configure the maximum size of mail attachments to be sent.

Further, in the “Scoping” section, in the “Specify the FQDN this connector will provide in response to HELO or EHLO” field, specify the name by which your mail server is accessible from the Internet.

Click on the “Save” button.

Now let’s see the transport settings.

In the “Mail Flow” section, select the “Send Connectors” subsection. Then click on the ”…” button and select “Organization transport settings”.

In the “Limits” section, you can configure the maximum size of mail attachments for sending and receiving.

Specify the required values and click on the “Save” button.

Now you need to provide your Exchange Server 2016 license key.

In the “Servers” section, select the “Servers” subsection and click on the “Edit” button.

In the “General” section, specify the Exchange Server 2016 license key and click on the “Save” button.

Now you need to configure DNS records for the domain. To do this, you need to open a web browser and go to the control panel for external DNS records for your domain.

This tutorial uses “cPanel” to manage external DNS records for a domain.

Enter the login and password you received when purchasing hosting.

In the “Domains” section, select the “Advanced DNS Zone Editor” item.

Select the domain for which you want to configure DNS records.

Let’s add an A record.

In the “Name” field, enter “mail”.

In the “TTL” field, enter “14400”.

In the “Type” field, select “A”.

In the “Address” field, indicate the IP address by which your mail server is accessible from the Internet and click on the “Add record” button.

Let’s add one more A-record.

In the “Name” field, specify “autodiscover”.

In the “TTL” field, enter “14400”.

In the “Type” field, select “A”.

In the “Address” field, indicate the IP address by which your mail server is accessible from the Internet and click on the “Add record” button.

Let’s add one more A-record.

In the “Name” field, enter “mx01”.

In the “TTL” field, enter “14400”.

In the “Type” field, select “A”.

In the “Address” field, indicate the IP address by which your mail server is accessible from the Internet and click on the “Add record” button.

Next, you need to register MX records in the hosting control panel.

We return to the hosting control panel.

In the “Mail” section, select the “MX Record” item.

Next, in the domain field, you must specify the domain for which the MX records will be configured. Then in the item “Email Routing” you need to select “Remote Mail Exchanger” and click on the “Change” button.

Now delete all the old MX records in the MX Records section.

Select the entry and click on the “Delete” button.

In the “Priority” field, enter “1”.

In the “Destination” field, specify the previously created A-record with the name “mx01” and click on the “Add New Record” button.

Next, you need to make a request to your ISP to create a PTR record for your external IP address, where your mail server is accessible from the Internet. This is necessary in order for your IP address to resolve to a name.

NOTE

In this example, IP 188.244.46.91 is being converted to the name mail.vmkh.org.

Now you need to create an SPF (Sender Policy Framework) and write its value to the TXT record.

Thanks to SPF, you can check if the sender’s domain has been tampered with. SPF allows you to specify a list of servers capable of sending mail messages on behalf of your domain.

You can get the parameters for recording SPF using the SPF Wizard.

SPF example: v=spf1 mx ptr:mail.vmkh.org mx:mx01.vmkh.org ip4:188.244.46.91 -all

Return to the “Advanced DNS Zone Editor” section.

In the “Domains” section, select the “Advanced DNS Zone Editor” item.

Next, in the domain field, you must specify the domain for which the A-records will be configured.

Add TXT record.

In the “Name” field, specify the domain.

In the “TTL” field, enter “14400”.

In the “Type” field, select “TXT”.

In the “TXT Data” field, specify the SPF parameters obtained using the SPF Wizard and click on the “Add Record” button.

Now you need to register the A-record on the internal DNS server.

Open “Server Manager” on the domain controller, then click on the “Tools” button in the upper right corner of the screen and select “DNS”.

In the “Forward Lookup Zones” section, select the main domain and right-click on it, then select “New Host (A or AAAA)”.

In the “Name (uses parent domain name if blank)” field, specify “Mail”.

In the “IP address” field, specify the IP address of the server on which Exchange Server 2016 is installed and click on the “Add Host” button.

A record has been successfully added.

Click on the “OK” button.

After the A-record is added, it will appear in the list with the rest of the records.

For further configuration, you need a certification authority.

NOTE

In this tutorial, the Active Directory Certificate Services role will be installed on a domain controller.

Go back to the “Server Manager” on the domain controller, then click on the “Manage” button in the upper right corner of the screen and select “Add Roles and Features”.

Click on the “Next” button.

Select the installation type “Role-based or feature-based installation” and click on the “Next” button.

Next, select the server on which the role will be installed.

Click on the “Next” button.

Select the Active Directory Certificate Services role.

In the next step, the Role Installation Wizard will warn you that several components need to be installed to install the Active Directory Certificate Services role.

Click on the “Add Features” button.

Click on the “Next” button.

At the stage of adding components, we leave all the default values.

Click on the “Next” button.

Next, the Role Installation Wizard invites you to learn more about the Active Directory Certificate Services role.

Click on the “Next” button.

Now you need to select the required services.

We select “Certification Authority Web Enrollment”.

In the next step, the Install Roles Wizard will warn you that several components need to be installed to install the Certification Authority Web Enrollment.

Click on the “Add Features” button.

Next, select “Online Responder”.

The Role Installation Wizard will warn you that several components need to be installed to install Online Responder.

Click on the “Add Features” button.

After all the necessary services are selected, click on the “Next” button.

In the next step, the Role Installation Wizard will warn you that the Internet Information Services webserver role will be additionally installed for the Active Directory Certificate Services role.

At the stage of adding components, we leave all the default values.

Click on the “Next” button.

In order to start the installation of the selected role, click on the “Install” button.

The installation of the selected role and the components required for it began.

Installation of the Active Directory Domain Services role is now complete.

Click on the “Close” button.

Now you need to reboot the server.

On the keyboard, press the key combination “Win” and “x”, in the menu that opens, select “Shut down or sign out”, then “Restart”.

Next, the server will start to reboot.

Now you need to configure the role.

Open the “Server Manager”, in the upper right corner of the screen, click on the plug and select “Settings”. Then select “Configure Active Directory Certificate Services on the destination server” in order to configure the role.

Click on the “Next” button.

Next, you need to select the services that you want to configure.

Select “Certification Authority”, “Certification Authority Web Enrollment” and “Online Responder” and click on the “Next” button.

The server is a member of the domain, so select “Enterprise CA” and click on the “Next” button.

There are no other servers with the Active Directory Certificate Services role in the domain, so select “Root CA” and click on the “Next” button.

Next, you need to create a new private key.

Select “Create a new private key” and click on the “Next” button.

Next, you can select the cryptography settings.

Leave the settings unchanged and click on the “Next” button.

Specify a name for the new certification authority and click on the “Next” button.

Now we select the validity period of the certificate and click on the “Next” button.

Next, you can specify where the certificate database and its logs will be stored.

Leave the settings unchanged and click on the “Next” button.

Everything is ready to configure the role.

Click on the “Configure” button.

The configuration for the Active Directory Certificate Services role has been completed successfully.

Click on the “Close” button.

Now you need to enable the SAN (Subject Alternative Name) function on the CA server. This feature is useful when publishing the “Autodiscover” service.

On the certification authority server, on the “Taskbar”, right-click on “Windows PowerShell” and select “Run as administrator”.

We enable the SAN function using the command:

1
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

Now you need to restart the “CertSvc” service.

Stop the “CertSvc” service using the command:

1
net stop certsvc

We start the “CertSvc” service using the command:

1
net start certsvc

Service “CertSvc” restarted successfully.

Now let’s make a request to create a new Exchange certificate.

We return to the Exchange Admin Center control panel.

In the “Servers” section, select the “Certificates” subsection and click on the ”+” button.

Select “Create a request for a certificate from a certification authority” and click on the “Next” button.

Specify a name for the new certificate and click on the “Next” button.

Then leave the settings unchanged and click on the “Next” button.

Now you need to specify the Exchange server where the certificate request will be stored.

Click on the “Browse” button.

Select the Exchange server where the certificate request will be stored and click on the “OK” button.

After the Exchange server is specified, click on the “Next” button.

Now you need to specify the domain names that need to be included in the certificate for all types of access.

Select “Outlook Web App (when accessed from the Internet)” and click on the “Edit” button.

Specify the name by which your mail server is accessible from the Internet for the “Outlook Web App” access type, and click on the “OK” button.

Select OAB (when accessed from the Internet) “and click on the” Edit “(Pencil) button.

We indicate the name by which your mail server is accessible from the Internet for the “OAB” access type and click on the “OK” button.

Select “Exchange Web Services (when accessed from the Internet)” and click on the “Edit” button.

Specify the name by which your mail server is accessible from the Internet for the “Exchange Web Services” access type, and click on the “OK” button.

Select “Exchange ActiveSync (when accessed from the Internet)” and click on the “Edit” button.

Specify the name by which your mail server is accessible from the Internet for the “Exchange ActiveSync” access type, and click on the “OK” button.

Select “POP” and click on the “Edit” button (Pencil).

We indicate the name by which your mail server is accessible from the Internet for the “POP” access type, and click on the “OK” button.

Select “IMAP” and click on the “Edit” button.

Specify the name by which your mail server is accessible from the Internet for the “IMAP” access type, and click on the “OK” button.

Select “Outlook Anywhere” and click on the “Edit” button.

Specify the name by which your mail server is accessible from the Internet for the “Outlook Anywhere” access type, and click on the “OK” button. Then click on the “Next” button.

Below is a list of domains that will be included in the certificate.

Click on the “Next” button.

Next, you must specify the name of the organization, department, and geographic location of the company.

This guide deals with an organization located in Russia, in the city of Moscow.

We indicate the necessary information and click on the “Next” button.

Now you need to specify the folder where the Exchange certificate request will be saved.

NOTE

In this tutorial, the certificate request will be saved to the local “C” drive on the Exchange server.

Specify where the Exchange certificate request will be saved and click on the “Finish” button.

After the certificate request is created, it will appear in the “Certificates” subsection with the “Pending request” status.

Now you need to validate your Exchange certificate with a CA.

On the Exchange server, go to the link http://us-boston-dc-01/certsrv, where us-boston-dc-01 is the name of my certification authority server. Accordingly, you need to specify the name of your server.

We go under an account with administrator rights and click on the “OK” button.

Now let’s add the address of the certification server to “Trusted sites”.

Click on the “Add” button.

In the “Add this website to the zone” field, specify the address of the certification server and click on the “Add” button.

Click on the “Close” button.

Now select “Request a certificate”.

Next, select “Advanced certificate request”.

Now select “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file”.

Next, open “Explorer” and go to the local drive “C” where the Exchange certificate request was saved.

Click on the certificate request file twice with the left mouse button.

Click on the “More option” button.

We select “Notepad”.

Copy the contents of the request file.

Next, insert the contents of the request file into the “Saved Request” field, then in the “Certificate Template” section, select “Web Server” and click on the “Submit” button.

In the “Save” menu, select “Save as”.

Select “DER encoded” and click on the “Download certificate” button.

Assign a name and save the Exchange certificate to the Downloads folder.

Click on the “Save” button.

Now you need to download the certificate of the certification authority.

Click on the “Home” button in the upper right corner of the screen.

Select “Download a CA certificate, certificate chain, or CRL”.

In the “Encoding method” section, select “DER” and click on the “Download CA certificate” button.

In the “Save” menu, select “Save as”.

We assign a name and save the certificate of the certification authority in the “Downloads” folder.

Click on the “Save” button.

To successfully validate your Exchange certificate request, you must import the CA certificate into the Trusted Root Certification Authorities on the Exchange server.

Press “Start”, specify “mmc” in the search bar.

Launch Microsoft Management Console.

Now let’s add the Certificates snap-in.

Next, in the “File” menu, select “Add/Remove Snap-in”.

In the “Available snap-ins” section, select “Certificates” and click on the “Add” button.

Next, select “Computer account” and click on the “Next” button.

Select “Local computer” and click on the “Finish” button.

The snap-in has been added successfully.

Click on the “OK” button.

In the “Certificates (Local Computer)” section, select the “Trusted Root Certification Authorities” subsection, then right-click on the “Certificates” subsection and select “All Tasks”, then “Import”.

Click on the “Next” button.

Next, you need to specify the path to the certificate of the certification authority.

Click on the “Browse” button.

Select the certificate of the certification authority and click on the “Open” button.

After the path to the certificate of the certification authority is indicated, click on the “Next” button.

Then leave the settings unchanged and click on the “Next” button.

Everything is ready to import the certificate into the “Trusted Root Certification Authorities”.

Click on the “Finish” button.

The CA certificate has been successfully imported.

Click on the “OK” button.

We return to the Exchange Admin Center control panel.

In the “Servers” section, select the “Certificates” subsection. Then select the new Exchange certificate and click on the “Complete” button on the right.

Next, you need to specify the path to the Exchange certificate.

Specify the path to the Exchange certificate and click on the “OK” button.

After the certificate is confirmed, it will appear in the “Certificates” subsection with the “Valid” status.

Now you need to assign a new Exchange certificate for SMTP and IIS services.

Select a new certificate and double-click on it with the left mouse button.

In the “Services” section, check the boxes for “SMTP”, “IMAP”, “POP”, and “IIS”, then click on the “Save” button.

Next, a warning will appear asking you to overwrite the existing certificate for SMTP.

Click on the “Yes” button.

After the Exchange certificate is assigned to the services, the list of services in the “Assigned to services” field is updated.

Now let’s take a look at the Outlook Web App settings.

In the “Servers” section, select the “Virtual Directories” subsection and select the “owa (Default Web Site)” virtual folder, and then double-click on it with the left mouse button.

In the “General” section, in the “External URL” field, specify the name by which your mail server is accessible from the Internet, and also specify “/owa”.

Now let’s configure user authorization by login without having to specify a domain.

In the “Authentication” section in the “Use forms-based authentication” section, select “User name only”.

Next, you need to select the main domain, click on the “Browse” button.

Select the main domain and click on the “OK” button.

After the domain is specified, click on the “Save” button.

Next, a warning will appear asking you to restart IIS.

IIS will restart later.

Click on the “OK” button.

Now let’s write the address where your mail server is accessible from the Internet into the Exchange server configuration.

In the “Servers” section, select the “Virtual Directories” subsection and select the “ecp (Default Web Site)” virtual folder, and then double-click on it with the left mouse button.

In the “General” section, in the “External URL” field, specify the name by which your mail server is accessible from the Internet, and also specify “/ecp”.

Click on the “Save” button.

In the “Servers” section, select the “Virtual Directories” subsection and select the “EWS (Default Web Site)” virtual folder, and then double-click on it with the left mouse button.

In the “General” section, in the “External URL” field, specify the name by which your mail server is accessible from the Internet, and also specify “/EWS/Exchange.asmx”.

Click on the “Save” button.

In the “Servers” section, select the “Virtual Directories” subsection and select the “mapi (Default Web Site)” virtual folder, and then double-click on it with the left mouse button.

In the “General” section, in the “External URL” field, specify the name by which your mail server is accessible from the Internet, and also specify “/mapi”.

Click on the “Save” button.

In the “Servers” section, select the “Virtual Directories” subsection and select the “Microsoft-Server-ActiveSync (Default Web Site)” virtual folder, and then double-click on it with the left mouse button.

In the “General” section, in the “External URL” field, specify the name by which your mail server is accessible from the Internet, and also specify “/Microsoft-Server-ActiveSync”.

Click on the “Save” button.

In the “Servers” section, select the “Virtual Directories” subsection and select the “OAB (Default Web Site)” virtual folder, and then double-click on it with the left mouse button.

In the “General” section, in the “External URL” field, specify the name by which your mail server is accessible from the Internet, and also specify “/OAB”.

Click on the “Save” button.

In the “Servers” section, select the “Virtual Directories” subsection and select the “PowerShell (Default Web Site)” virtual folder, and then double-click on it with the left mouse button.

In the “General” section, in the “External URL” field, specify the name by which your mail server is accessible from the Internet, and also specify “/powershell”.

Click on the “Save” button.

Now let’s configure the Outlook Anywhere service. This service is used to connect to the Exchange server via the Internet using “Outlook”.

In the “Servers” section, select the “Servers” subsection, select the Exchange server, and double-click on it with the left mouse button.

Next, in the “Specify the external hostname such as contoso.com that users will use to connect to your organization” field, specify the name by which your mail server is accessible from the Internet. Then, in the “Specify the authentication method for external clients to use when connecting to your organization” menu, select “NTLM” and uncheck the “Allow SSL offloading” checkbox.

Click on the “Save” button.

Pay attention to the warning.

Click on the “OK” button.

Now let’s restart IIS.

On the Exchange server, on the “Taskbar” select “Windows PowerShell” and after clicking the right mouse button click on “Run as administrator”.

Restart IIS using the command:

1
iisreset /noforce

IIS restarted successfully.

Now let’s configure the ability to receive mail.

In the “Mail Flow” section, select the “Receive Connectors” subsection, select the “Default Frontend us-boston-ex-01” receive connector, where us-boston-ex-01 is the name of my Exchange server. Then click on it twice with the left mouse button.

In the “General” section, in the “Maximum receive message size” field, you can configure the maximum allowable size of mail attachments for receiving.

In the “Security” section, check for a checkmark on the “Anonymous users” item.

Click on the “Save” button.

Now let’s create a new user with a mailbox.

In the “Recipients” section, select the “Mailboxes” subsection and click on the ”+” button.

Now we specify the alias, first and last name for the new user.

Then you need to select the organization unit in which you plan to create a new user.

Click on the “Browse” button.

Select the OU in which you want to place the new user, and click on the “OK” button.

In the “User logon name” field, specify the login for the new user.

Next, specify a strong password and click on the “More options” button.

Now you need to select the database in which the mailbox for the new user will be created.

In the “Mailbox database” section, click on the “Browse” button.

Select the mailbox database and click on the “OK” button.

Everything is ready to create a user with a mailbox.

Click on the “Save” button.

After the user with the mailbox is created, it will appear in the “Mailboxes” section.

Now you need to import the Exchange certificate into Trusted Root Certification Authorities on all computers in the domain.

Go to the domain controller, create a folder and copy the Exchange certificate into it.

NOTE

In this tutorial, the certificate was copied to the “ExchangeCertificate” folder on the “C” drive.

Go back to “Server Manager” on the domain controller, then click on the “Tools” button in the upper right corner of the screen and select “Group Policy Management”.

Now let’s create a new Group Policy to import the certificate into Trusted Root Certification Authorities on all computers in the domain.

Right-click on the domain name and select “Create a GPO in this domain, and Link it here”.

Specify a name for the new group policy and click on the “OK” button.

Next, click on the new policy with the right mouse button and select “Edit”.

In the Group Policy Editor, go to the “Computer Configuration” section, then to the “Windows Settings” subsection, then find the “Security Settings” section and select “Public Key Policies”, now right-click on “Trusted Root Certification Authorities” and select ” Import ”.

Click on the “Next” button.

Next, you need to specify the path to the Exchange certificate.

Click on the “Browse” button.

Go to the folder with the Exchange certificate and click on the “Open” button.

After the path to the certificate is specified, click on the “Next” button.

Then leave the settings unchanged and click on the “Next” button.

Everything is ready to import the certificate into the “Trusted Root Certification Authorities” for all computers in the domain.

Click on the “Finish” button.

The Exchange certificate has been successfully imported into Group Policy settings.

Click on the “OK” button.

After the certificate is imported into Group Policy settings, it will appear in the “Trusted Root Certification Authorities” section.

The Exchange certificate will now be imported to all computers covered by this policy.

Now you need to restart your mail server.

We return to the server with Exchange Server 2016 installed.

On the keyboard, press the key combination “Win” and “x”, in the menu that opens, select “Shut down or sign out”, then “Restart”.