Note: I installed the Exchange Server SE Mailbox server role in practice on Windows Server 2025, in an environment with different internal and public DNS domains and Split DNS (Split-Brain DNS), into an existing Exchange 2016 organization using a DAG (Database Availability Group).
Exchange Server Subscription Edition (SE)
- What's new in Exchange Server SE
- Exchange Server Subscription Edition (SE) is now available
- Upgrading your organization from current versions to Exchange Server SE
The new Exchange Server SE version was released on July 1, 2025. It's a Release to Manufacturing (RTM) build. It can be installed as a cumulative update (CU) to Exchange Server 2019 CU14 or CU15 (In-place upgrade) and can be connected to Exchange 2016/2019 organizations. When transitioning from Exchange Server 2016, we must perform a Legacy upgrade (new server installation into the organization) and classic mailbox migration.
For Exchange Server 2016 CU23 and Exchange Server 2019 CU14/CU15, standard support ends on October 14, 2025. By then, we should perform migration or upgrade to Subscription Edition. Exchange Server SE RTM doesn't contain any significant code updates or feature changes compared to Exchange 2019 CU15. It will start differing from Exchange Server SE CU1.
Exchange Server SE RTM has Build Number 15.2.2562.17. Since version 2013, which had 15.0, the major version hasn't changed. The SE version is 15.2, same as 2019. See Exchange Server build numbers and release dates.
Exchange Server SE changes the support lifecycle to the modern one (it should still be a major version) and also changes licensing. Besides server licenses and CALs for users, we must have an active subscription. This means licenses with Software Assurance (SA) or a cloud subscription (like Microsoft 365 E3).
Exchange SE Architecture
The architecture is the same for Exchange 2016 and Exchange SE. The main role is Mailbox server (contains mailbox databases, transport services, and client access services). Optionally, we can deploy an Edge Transport server for securing internet communication. There can be only one role per server, and we can have multiple servers with the same role.

Note: Since Exchange 2019, the Unified Messaging service is no longer available, which was previously part of the Mailbox server.
In the articles here, we focus only on the Mailbox server role. For management, we use the web-based Exchange admin center (EAC) or CLI Exchange Management Shell (EMS). For high availability of mailboxes, Database Availability Group (DAG) is used.
Exchange Server SE Deployment (migration)
Years ago, I worked on Migrating Exchange organization 2010 to 2016. The transition to Exchange SE is simpler because the architecture hasn't changed since version 2016. Various configuration areas described for Exchange 2016 are still the same, and it's possible to use the older article series.
To create a deployment plan, we can use the online tool Microsoft Exchange setup and migration guides (On-premises Exchange deployments).
Exchange SE Migration Process
- install a new Exchange server, which will automatically connect to the existing Exchange organization
- configure the new server and its services (addresses, certificates, connectors)
- migrate all mailboxes and resources to new servers
- uninstall original servers
Installation Media
Installation media is obtained according to how we acquired the license. If we have Volume Licensing (VL) agreements, we download from Microsoft 365 admin center along with the license key. Or we can publicly download Exchange Server Subscription Edition RTM (KB5047155). The installation ISO is 6 GB.
System Requirements
Before we start installing the server, we must verify that we meet the requirements.
- Domain Functional Level and Forest Functional Level minimum Windows Server 2012 R2
- Exchange servers in the organization must be minimum Exchange 2016 CU23
- clients are supported from Outlook 2016
Server for Exchange (VM)
- hardware requirements (most often VM) 64-bit processor, recommended minimum 128 GB RAM (but I can confirm functionality with 32 GB)
- supported OS on server Windows Server 2019, Windows Server 2022 or Windows Server 2025 in Standard or Datacenter edition, both GUI (Desktop Experience) and Server Core versions are supported (actually recommended)
- disk partitions for system and Exchange must be NTFS, for Mailbox DB and transaction logs can be ReFS
- paging file: set both the minimum and maximum value to 25% of installed memory
Prerequisites
When installing Exchange server, we can choose to automatically install Windows Server roles and features, nevertheless some things must be installed manually and it might be better to enable system features in advance.
We need to install applications
- .NET Framework 4.8.1
- Visual C++ Redistributable Package for Visual Studio 2012
- Visual C++ Redistributable Package for Visual Studio 2013
- Unified Communications Managed API 4.0 (I don't understand why, when the Unified Messaging service no longer exists)
- IIS URL Rewrite Module
Enabling features using PowerShell
Install-WindowsFeature Server-Media-Foundation, NET-Framework-45-Core, NET-Framework-45-ASPNET, NET-WCF-HTTP-Activation45, NET-WCF-Pipe-Activation45, NET-WCF-TCP-Activation45, NET-WCF-TCP-PortSharing45, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS
I also manually removed the Wireless LAN (WLAN) and Microsoft Defender Antivirus features (which we still have performance issues with on the server). It's definitely useful to remove other unnecessary features and services (like Bluetooth and Print Spooler).
Prepare Active Directory Domain Services (AD DS)
Before installing Exchange Server, we must extend (update) the schema and prepare the forest and its domains. These modifications can be performed by the Exchange installation wizard, which must be run with sufficient permissions (member of Schema Admins and Enterprise Admins groups). Or we can run the preparation manually from the command line (from the Exchange ISO image).
Extending Active Directory schema
Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareSchema
Subsequently, we must wait for AD replication (or trigger it). We perform Active Directory preparation (Forest and current Domain).
Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareAD
If we have multiple domains and want to prepare all of them, we use another command.
Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareAllDomains
Exchange Server SE Mailbox server Installation
Installation of the Exchange Mailbox server role is straightforward using the wizard, which is the same as in version 2016. Description with images is in the official documentation Install Exchange Mailbox servers using the Setup wizard.
The server is automatically added to the existing Exchange organization. Right after installation, we must modify some settings because clients (MS Outlook) in the internal network will start connecting to the new server, which will be offered to them via AutoDiscover.
Note: It's important that after installing Exchange on a server, we must not change the server name.
Individual installation steps:
- from the installation ISO, we run setup.exe
- Copying Files - files are copied to the local disk, by default to %WinDir%\Temp\ExchangeSetup, logs are saved to C:\ExchangeSetupLogs
- Introduction - the wizard initializes and displays a page with advice on where to get information
- License Agreement - we must agree to the license terms
- Recommended Settings - we can choose recommended settings, where information is sent to MS, or not use it and sending is disabled
- Server Role Selection - we choose Mailbox role, Management Tools is automatically added and it won't allow installing Edge Transport role, for safety we check that Windows components should be installed, but we already installed those in advance

- Installation Space and Location - we can keep the standard installation path C:\Program Files\Microsoft\Exchange Server\V15, and we learn that the installation takes 5,711 MB (less than Exchange 2016)
- since we are performing migration, an Exchange Organization already exists and therefore the step where we would create it is not displayed now
- Malware Protection Settings - in the next step we choose whether we want to use Microsoft Malware Protection
- Readiness Checks - verification occurs to check if all prerequisites are met (installed applications and system features), if any error is found, we can only choose Retry once we fix it

- if everything is in order, we click Install (installation took about 16 minutes for me)
- we perform a server restart

Server Version Information
We can list the version of our Exchange servers using PowerShell. The official list of versions and build numbers can be found in Exchange Server build numbers and release dates.
[PS] C:\>Get-ExchangeServer | FT Name, Edition, AdminDisplayVersion -AutoSize

Name  Edition            AdminDisplayVersion
----  -------            -------------------
MAIL2 Enterprise         Version 15.1 (Build 2507.6)
MAIL0 Enterprise         Version 15.1 (Build 2507.6)
MAIL1 StandardEvaluation Version 15.2 (Build 2562.17)
EAC Access for Exchange Server SE
I don't know if this is important in the case of Exchange Server 2016 and Exchange Server SE coexistence, but it was needed between Exchange 2010 and 2016 versions and problems are described with Exchange 2013 and 2019.
If our administrator account for Exchange management has a mailbox on the older Exchange 2016, then when connecting to the new server's ECP, we still get the older version interface. To access the new version ECP, we must add a parameter to the URL.
https://<Exchange Server SE>/ecp/?ExchClientVer=15.2
By default, Forms Based Authentication (FBA) is used to log in to ECP and we must use the name format Domain\user name.
Entering License Key (Product Key)
The key determines whether it's a Standard or Enterprise edition.
- EAC - Exchange Admin Center
- Servers - Servers
- we select the server and click Enter Product Key (or Edit)
- on the General tab we enter the key and click Save
- we restart the Microsoft Exchange Information Store service
The above procedure is from the official documentation. When I entered my Product Key, an error was displayed: error Invalid Product Key.
The working solution for me was to use PowerShell.
[PS] C:\>Set-ExchangeServer Mailbox01 -ProductKey 12345-12345-12345-12345-12345
WARNING: The product key has been validated and the product ID has been successfully created. This change won't take effect until the Information Store service has been restarted.
[PS] C:\>Restart-Service MSExchangeIS
WARNING: Waiting for service 'Microsoft Exchange Information Store (MSExchangeIS)' to start...
Service Addresses (Client Access Namespaces)
Since the architecture is the same, we can keep the service addresses we use on Exchange Server 2016, and we don't need to change anything. There are several variants of how we use DNS domains and addresses. We discussed this in the article Exchange Server 2016 Namespaces - service addresses.
I'm dealing with a situation where an internal non-public domain firma.local is used, so services have different addresses internally and externally. Split DNS is also in use, so internal queries for the public name firma.cz return the internal IP address and external queries return the public IP address. Related to this, internally we must use certificates from our own CA. Thanks to Split DNS, we could also use the public domain internally.
For a series of services we use the same address, yet we need a certificate with multiple names (Subject Alternative Name). Because we have multiple Exchange servers, and for simple change (migration) of servers, we use a virtual name (FQDN) internally, i.e., DNS A record with IP addresses of all Exchange servers.
- mail0.firma.local, mail1.firma.local, mail2.firma.local - internal addresses of Exchange servers
- firma.cz - primary SMTP namespace
- mail.firma.cz, mail.firma.local - virtual address for services MAPI over HTTP, Outlook Anywhere (RPC over HTTP), Offline Address Book (OAB), Exchange Web Services (EWS), Exchange ActiveSync (EAS), Outlook on the web (OWA), Exchange admin center (EAC)
- autodiscover.firma.cz - Autodiscover, alias to mail.firma.cz
- maildownload.firma.cz - Download Domain due to vulnerability CVE-2021-1730, alias to mail.firma.cz, I didn't find this domain in general address lists
Note: We can use a separate address for OWA, but it seems unnecessary to me. It's recommended to simplify and minimize the number of DNS addresses, public IP addresses, and certificates.
SSL Certificate for New Exchange Server
- Digital certificates and encryption in Exchange Server
- Configure an SSL certificate
- Certificate procedures in Exchange Server
A number of services use TLS encryption, so they need a certificate. This must be trusted by clients connecting to the service. For use within the company, it can be a certificate issued by an internal certificate authority (CA). But for communication over the internet (for example SMTP encryption), we need a certificate from a publicly trusted CA (commercial third party).
We can use different certificates for different services and thus separate internal and external access. When accessing from the internet, we can set a trusted certificate on the Firewall. Generally, it is recommended to minimize the number of certificates. For internal access, we issue a certificate from internal CA with a series of names in SAN (according to the previous address list), which we use on all Exchange servers. For simplification, we can use a wildcard certificate.
Note: After installing Exchange Server, a Self-signed certificate is issued, which is set on services for client access. On these services, the address of the given server is also configured for internal access (instead of the virtual address we want to use). Thanks to this, clients (Outlook) start connecting to the new server and display warnings about an untrusted certificate. We must therefore issue a trusted certificate as soon as possible or change the service settings (we can use a virtual address that does not yet contain the IP of the new server).
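To see which client-facing settings on the new server still point at the server's own name, the following added example (not from the original article or from Microsoft) lists the internal host names configured on each service and flags those outside the agreed namespaces. It assumes the article's sample names (MAIL1 and the firma.* addresses) and is run in the Exchange Management Shell; Get-UrlHost is a hypothetical helper.

```powershell
# Added example. MAIL1 and the namespace list are the article's sample values.
$Server     = 'MAIL1'
$Namespaces = 'mail.firma.local', 'mail.firma.cz', 'autodiscover.firma.cz'

function Get-UrlHost($Url) {
    # Values may arrive as deserialized objects in EMS, so go through the string form
    if (-not $Url) { return '<not set>' }
    ([uri]"$Url").Host
}

$rows = @()
$vdirCmdlets = 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory',
               'Get-WebServicesVirtualDirectory', 'Get-ActiveSyncVirtualDirectory',
               'Get-OabVirtualDirectory', 'Get-MapiVirtualDirectory'
foreach ($cmdlet in $vdirCmdlets) {
    # -ADPropertiesOnly reads the values from Active Directory without querying IIS
    foreach ($vdir in (& $cmdlet -Server $Server -ADPropertiesOnly)) {
        $rows += [pscustomobject]@{
            Setting  = ($cmdlet -replace '^Get-') + ' InternalUrl'
            HostName = Get-UrlHost $vdir.InternalUrl
        }
    }
}

# Autodiscover SCP that domain-joined Outlook clients look up in Active Directory
$cas = Get-ClientAccessService -Identity $Server
$rows += [pscustomobject]@{
    Setting  = 'AutoDiscoverServiceInternalUri'
    HostName = Get-UrlHost $cas.AutoDiscoverServiceInternalUri
}

foreach ($oa in (Get-OutlookAnywhere -Server $Server -ADPropertiesOnly)) {
    $rows += [pscustomobject]@{
        Setting  = 'OutlookAnywhere InternalHostname'
        HostName = "$($oa.InternalHostname)"
    }
}

# Rows with OnNamespace = False (typically the server's own FQDN) are the settings
# that send clients to the new server before its trusted certificate is in place
$rows | Select-Object Setting, HostName,
    @{ n = 'OnNamespace'; e = { $Namespaces -contains $_.HostName } } |
    Sort-Object OnNamespace | Format-Table -AutoSize
```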
Certificate Issuance
We have various options for certificate issuance (or request). We can use the wizard in EAC, which offers addresses according to configured services (which we don't have yet).
- EAC - Exchange Admin Center
- Servers - Certificates
- click on the plus button (New)
For internal CA, I prefer a different option. Using the MMC console Certificates - Local Computer.
- run certlm.msc
- Personal - Certificates
- right-click and select All Tasks - Request New Certificate
- choose our policy and certificate template for webserver certificate
- fill in additional information Subject Name (at least Common Name) and Alternative Name (DNS for all addresses)
- click Enroll
- for clarity, we can set a Friendly Name, right-click on the issued certificate and Properties, enter for example Exchange Internal
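Before assigning the issued certificate to services, it is worth confirming that it covers every name from the address list. This is an added example, not part of the original article: it assumes the article's sample names and the friendly name Exchange Internal, and Test-NameCovered is a hypothetical helper. It runs in Windows PowerShell on the new server.

```powershell
# Added example. Names are the article's sample addresses (constructed list).
$Required = 'mail.firma.local', 'mail.firma.cz', 'autodiscover.firma.cz',
            'maildownload.firma.cz', 'mail0.firma.local', 'mail1.firma.local',
            'mail2.firma.local'

function Test-NameCovered([string]$Name, [string[]]$CertNames) {
    foreach ($entry in $CertNames) {
        if ($entry -eq $Name) { return $true }
        # A wildcard covers exactly one left-most label:
        # *.firma.cz matches mail.firma.cz but not a.b.firma.cz or firma.cz
        if ($entry.StartsWith('*.') -and $Name.Contains('.') -and
            $Name.Substring($Name.IndexOf('.')) -eq $entry.Substring(1)) {
            return $true
        }
    }
    return $false
}

# Newest certificate in the computer store carrying the chosen friendly name
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq 'Exchange Internal' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw "No certificate with friendly name 'Exchange Internal' in LocalMachine\My"
}

# DNS names as exposed by the PowerShell certificate provider
$names   = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
$missing = @($Required | Where-Object { -not (Test-NameCovered $_ $names) })

[pscustomobject]@{
    Thumbprint    = $cert.Thumbprint
    NotAfter      = $cert.NotAfter
    # Without the private key the certificate cannot be bound to IIS or SMTP
    HasPrivateKey = $cert.HasPrivateKey
    # Server Authentication EKU (1.3.6.1.5.5.7.3.1) must be present for TLS services
    ServerAuthEku = $cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'
    # Basic chain validation against this machine's trust store
    ChainValid    = $cert.Verify()
    MissingNames  = if ($missing) { $missing -join ', ' } else { '<none>' }
} | Format-List
```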
Service Assignment
- EAC - Exchange Admin Center
- Servers - Certificates
- select the new Exchange server and mark the new certificate
- click on the pencil (Edit)
- on the Services tab, select the required services (IMAP, POP, IIS, SMTP)
- click on Save

Hello, do I understand correctly that a legacy upgrade can be done from Exchange 2016 directly to SE? From official MS sources it seemed to me that a migration to Exchange 2019 with the latest CU is necessary first, and only then an in-place upgrade to SE. Thanks for the info.
respond to [1]mms: Yes, that's right. We can add Exchange SE RTM (it is the same as Exchange 2019 CU15) to an Exchange 2016 organization and perform the migration. I also understood the original announcements to mean that a migration to 2019 would be needed first, but since the release of SE this has been included in the official documentation.
While reading through your procedure, I ran into the fact that in my case the old Exchange had the server name used directly in the service settings instead of a DNS alias. So it is not possible to set everything the same and then just change the server IP in DNS. In addition, Exchange runs on a domain controller. In such a situation, is it possible to add a new alias, change the virtual directories, certificates, etc. while the Exchange installation is still running (also with regard to the DC) and then use the standard procedure, or is it better to leave it alone and make the change only after moving the mailboxes to the new Exchange?
respond to [3]mms: I'm not sure I fully understand. You probably have only 1 server (and you probably know that running Exchange on a DC is not recommended). A possible solution is to use an A record (mail.firma.cz) that holds the IP addresses of all Exchange servers, which is then set for the services. An alias is not used there.
In your case, I think it is possible to create a new DNS record and change the service settings on the current server (so that afterwards it is enough to change the IP in the record), but certificates and other things have to be dealt with (the same as when moving to a new server). Or change the settings during the transition and use the new server name.
Thank you for the reply. Yes, it is a single-server installation. The original idea was to use the current certificate for the new server as well, so that the Outlook clients would not notice anything, but because of the name used, that apparently cannot be done. Of the two options you mention, I lean more toward the second. The clients will be switched over only once the new server is running.