Looking for migration instructions for moving Exchange SE from a single 2019 Server OS to another single 2025 Server OS
I have an Exchange SE server running as a VM on VMWare. The server OS is 2019 and I wanted to set up a new VM running the 2025 OS and then install SE and migrate all roles to the new server. I plan to decommission the 2019 server at the end and just have a single server. The office is small with only 35 mailboxes to migrate. And no, they do not want to move to O365 like everyone else I do work for; they want their mail onsite.
I was hoping there might be a guide for the steps, so that I may not miss anything and be able to get this done over a weekend.
My concerns are things like:
Will I need to install a second signed certificate on the 2025 server for this to work?
Will I be keeping the new server name internally and just re-mapping the public names to the new server via the firewall?
Is it preferable/safer to bring up the second server and keep it running in parallel with the older one, and decommission the older one after a week or two? Or can I just move all the mailboxes and remove the older server right away?
Thanks for any advice / experience you may offer.
3 answers
-
Based on my research, some small businesses prefer keeping their data entirely on premises rather than moving to Microsoft 365, and Exchange Server Subscription Edition (SE) is designed exactly to support organizations that choose to stay on-site.
Because they are migrating from Windows Server 2019 to Windows Server 2025, this requires a Legacy Upgrade (Side-by-Side Migration) path. (While Exchange SE supports a fast in-place upgrade, Windows Server OS changes require a new VM build).
Will I need to install a second signed certificate on the 2025 server?
You do not need to buy or issue a separate, unique certificate. The best practice is to export your existing commercial SSL certificate (including the private key) from the 2019 server as a .pfx file and import it directly into the new Windows Server 2025 environment. Exchange SE will utilize the exact same namespaces (mail.company.com, autodiscover.company.com). During the brief coexistence period, both servers can share the same certificate.
Will I keep the new internal server's name and just re-map public names via the firewall?
Yes, exactly. The new VM will have its own unique internal Active Directory host name (e.g., EXCH2025.domain.local). However, inside Exchange SE, you will configure all the Virtual Directories (OWA, ECP, ActiveSync, Autodiscover, Web Services) to use the exact same external and internal URLs currently pointed at your old server (ex: ).
During the weekend, you will update your internal DNS records and your external firewall/NAT rules to point the IP target from the old server to the new server's IP address.
Is it safer to run them in parallel for a week or two, or decommission right away?
It is recommended to run them in parallel for at least a week. Even for 35 mailboxes, keeping the old server online but "empty" gives you a safe fallback window.
- It ensures that if any stray devices (like printers, scanners, or legacy applications) are hardcoded to the old server's IP address for SMTP relay, you will catch them in the logs.
- Once you confirm that zero traffic is hitting the old 2019 server, you can safely uninstall Exchange through the Control Panel to gracefully remove it from Active Directory.
Step-by-Step Migration Checklist
Pre-Migration & Prerequisites
- Update Exchange 2019: Ensure the source 2019 server is updated to the latest Cumulative Update (CU14 or CU15) to guarantee Schema compatibility.
- Prepare Windows Server 2025: Build the new VM, join it to the domain, and install the required Exchange SE prerequisites (including .NET Framework 4.8.1, Visual C++ Redistributables, and the IIS URL Rewrite Module).
- Prepare Active Directory: Run the Exchange SE setup with the AD switches: Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms_DiagnosticDataON followed by /PrepareAD.
- Install Exchange SE: Run the installer on the Windows Server 2025 VM to establish the Mailbox role.
Configuration & Certificate
- Import SSL Certificate: Import the .pfx certificate onto the 2025 server and assign it to the IIS and SMTP services via the Exchange Admin Center (EAC).
- Configure Virtual Directories: Match the internal and external URLs on the new server to mirror the old server's configuration.
- Configure Send/Receive Connectors: Recreate any custom anonymous relay connectors on the new server for scanners or local applications.
Mailbox Migration & Cutover
- Create Local Move Requests: Start moving the 35 mailboxes from the old database to the new database. With 35 mailboxes over a local virtual network, this should complete very quickly.
- Update DNS and Firewall: Change internal DNS records for your mail namespace and update external firewall forwarding rules to point to the new server's local IP.
- Test Connectivity: Test external Outlook connection, Autodiscover, OWA, and mobile device mail flow.
Coexistence & Decommissioning
- Monitor Logs: Keep both servers running. Watch for any legacy internal devices attempting to relay mail through the old server's IP.
- Graceful Uninstall: After a week of total silence on the old server, log into the 2019 server and uninstall Exchange via Programs and Features. This cleanly cleans up the Active Directory topology configuration. Decommission the VM afterward.
Note on Licensing: Ensure that the client has an active Software Assurance (SA) plan or eligible cloud licensing subscriptions (like M365 E3/E5 which cover hybrid on-premises rights), as Exchange Server SE utilizes a subscription-based licensing structure rather than traditional fixed perpetual keys.
I hope this information helps, and if you have any further questions, please feel free to ask via the comment section!
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
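The "Monitor Logs" step above can be made concrete by summarising which remote IPs still open SMTP sessions on the old server. This is an added example, not part of the original answer; the sample log lines, IP addresses and connector names are constructed, and the function name Get-SmtpClientSummary is hypothetical.

```powershell
# Constructed sample in the SMTP receive protocol-log layout (header lines start with '#').
$sample = @'
#Software: Microsoft Exchange Server
#Log-type: SMTP Receive Protocol Log
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2025-01-11T09:14:02.101Z,EXCH2019\Default Frontend EXCH2019,08DD0000000000A1,0,10.0.0.10:25,10.0.0.57:50211,+,,
2025-01-11T09:14:02.140Z,EXCH2019\Default Frontend EXCH2019,08DD0000000000A1,1,10.0.0.10:25,10.0.0.57:50211,<,EHLO scanner01,
2025-01-11T09:20:45.003Z,EXCH2019\Anonymous Relay,08DD0000000000A2,0,10.0.0.10:25,10.0.0.80:61002,+,,
2025-01-12T02:00:10.500Z,EXCH2019\Anonymous Relay,08DD0000000000A3,0,10.0.0.10:25,10.0.0.80:61455,+,,
2025-01-12T02:05:00.000Z,EXCH2019\Default Frontend EXCH2019,08DD0000000000A4,0,10.0.0.10:25,10.0.0.20:49152,+,,
'@ -split '\r?\n'

function Get-SmtpClientSummary {
    param([string[]]$Lines, [string[]]$IgnoreIp = @())
    # Column names come from the '#Fields:' header line of the log itself.
    $fieldLine = $Lines | Where-Object { $_ -like '#Fields: *' } | Select-Object -First 1
    $header    = ($fieldLine -replace '^#Fields:\s*', '') -split ','
    $Lines | Where-Object { $_ -and $_ -notlike '#*' } |
        ConvertFrom-Csv -Header $header |
        Where-Object { $_.event -eq '+' } |          # '+' marks a new inbound connection
        ForEach-Object {
            [pscustomobject]@{
                RemoteIp  = $_.'remote-endpoint' -replace ':\d+$', ''   # strip the source port
                Connector = $_.'connector-id'
                When      = [datetime]$_.'date-time'
            }
        } |
        Where-Object { $_.RemoteIp -notin $IgnoreIp } |
        Group-Object RemoteIp |
        ForEach-Object {
            [pscustomobject]@{
                RemoteIp   = $_.Name
                Sessions   = $_.Count
                Connectors = ($_.Group.Connector | Sort-Object -Unique) -join '; '
                LastSeen   = $_.Group.When | Sort-Object | Select-Object -Last 1
            }
        } | Sort-Object Sessions -Descending
}

# 10.0.0.20 stands in for the new Exchange server, which legitimately talks to the old one.
Get-SmtpClientSummary -Lines $sample -IgnoreIp '10.0.0.20', '127.0.0.1' | Format-Table -AutoSize

# Against real logs on the old server (default log path; protocol logging must be
# enabled on the receive connectors for anything to be written there):
# $dir = Join-Path $env:ExchangeInstallPath 'TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive'
# Get-SmtpClientSummary -Lines (Get-ChildItem $dir -Filter *.log | Get-Content) -IgnoreIp '<new server IP>'
```

Any address left in the output is a device or application that still needs to be repointed before the old server is uninstalled; an address hitting an anonymous relay connector also tells you which relay rules have to exist on the new server.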
-
Hani-Ng 11,825 Reputation points • Microsoft External Staff • Moderator
I just wanted to follow up to see if you need any additional information regarding this matter. Please don’t hesitate to reach out!
-
Mathew Narbut 0 Reputation points
Thanks for the help and advice. The source (server 2019) server is already running SE and has the latest security update, not Exchange 2019. I assume this changes nothing about your answer provided.
I do not understand how the Classic Outlook clients know which server their mailbox is on while there are 2 servers running. Do they just check them both and try to find their mailbox? Is there any issues with accessing a shared calendar that is still running from a mailbox on the other server? Sorry, I have only managed single server installations, so running multiple servers even if just for 1 week is new to me.
Thank you.
-
Austin-H 8,355 Reputation points • Microsoft External Staff • Moderator
Hi Mathew Narbut
Thank you for your questions. Outlook doesn’t try to “check both servers.” It always talks to Autodiscover, which returns the correct connection info for that specific mailbox, and whichever Exchange server the client hits will proxy the connection internally to the server that actually hosts the mailbox.
Because of that, having two servers during coexistence is normal: users connect to the same namespace (e.g. mail.domain.com) and Exchange handles everything behind the scenes. There’s also no issue with shared calendars or mailboxes across servers—Exchange is designed to handle cross-server access seamlessly, so users won’t notice whether the mailbox they’re opening is on the old or new server.
Sincerely.
-
Hani-Ng 11,825 Reputation points • Microsoft External Staff • Moderator
Just quick checking in to see if you need any additional information without Austin's response. Please don’t hesitate to reach out if you need anything.
-
AI answer
Exchange Server Subscription Edition (SE) is treated as the next evolution of Exchange Server 2019, so the move from one SE server on Windows Server 2019 to another SE server on Windows Server 2025 follows the same “legacy upgrade” pattern used when moving to new hardware/OS.
A suitable high‑level approach based on the provided information:
- Plan the migration as a legacy upgrade
  Exchange SE supports two upgrade methods: in‑place upgrade (from Exchange 2019 CU14/15) and legacy upgrade. Because the goal is to move to a new Windows Server 2025 VM, this is a legacy upgrade scenario:
  - Add a new Exchange SE server on Windows Server 2025 to the existing organization.
  - Move mailboxes and system mailboxes to the new server.
  - Move any remaining services (e.g., mail flow, client access namespaces).
  - Decommission the old Exchange SE server on Windows Server 2019.
  This is consistent with the guidance that legacy upgrades are used when switching to new hardware or a newer Windows Server version.
- Server naming and namespaces
  The new Exchange SE server joins the existing organization with its own server name. The internal and external client access is controlled by namespaces (URLs) and DNS, not by the Windows server name.
  - Keep the existing namespaces (for example, mail.contoso.com, autodiscover.contoso.com) and point them to the new server when ready.
  - Internally, Outlook and other clients continue to use the same URLs; only DNS and load balancer/firewall mappings change.
  - There is no requirement that the new server reuse the old server’s name.
- Certificates
  Certificates are bound to namespaces, not to specific servers. For the new Windows Server 2025 Exchange SE server:
  - Use the same certificate subject/subject alternative names as on the current server (for example, mail.contoso.com, autodiscover.contoso.com).
  - Either export the existing certificate (with private key) from the old server and import it on the new server, or request a new certificate from the CA that covers the same names.
  - Assign the certificate to the required Exchange services (IIS, SMTP, etc.) on the new server.
  A second signed certificate is not strictly required if the existing one can be reused and is still valid, but a new certificate is also acceptable as long as it covers the same namespaces.
- Parallel operation vs. immediate cutover
  The documented guidance for legacy upgrades is to add the new server, migrate workloads, and then uninstall the old server. This naturally implies a period of coexistence:
  - Bring up the new Exchange SE server on Windows Server 2025 and join it to the organization.
  - Move all user mailboxes, arbitration/system mailboxes, and any remaining resources to the new server.
  - Reconfigure mail flow and client access (DNS/firewall) to point to the new server.
  - Once validated, decommission the old server.
  Keeping both servers running in parallel for a short period (for example, a week or two) is aligned with the legacy upgrade pattern and provides a safer rollback window than removing the old server immediately after the move.
- Use the Exchange Server Deployment Assistant
  For a detailed, step‑by‑step checklist tailored to this scenario (on‑premises Exchange SE moving to new hardware/OS), use the Exchange Server Deployment Assistant. It generates a scenario‑specific plan for adding the new server, moving mailboxes and services, and decommissioning the old server.
- General upgrade/maintenance practices
  When installing Exchange SE on the new Windows Server 2025 VM, follow the same best practices as for installing/upgrading Exchange 2019 CUs (for example, maintenance windows, backups, and validation steps) as referenced in the cumulative update guidance.
AI-generated content may be incorrect. Read our transparency notes for more information.
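Before the decommission step, it helps to confirm that no user, arbitration, audit-log, archive or public folder mailboxes remain on the old server's databases and that no move request is still open. The following is an added example for the Exchange Management Shell, not part of the answer above; the server name EXCH2019 is an assumption.

```powershell
$oldServer = 'EXCH2019'   # assumed name of the server being retired

# Each entry is a set of extra switches for Get-Mailbox; 'User' uses none.
$kinds = [ordered]@{
    User         = @{}
    Arbitration  = @{ Arbitration  = $true }
    AuditLog     = @{ AuditLog     = $true }
    Archive      = @{ Archive      = $true }
    PublicFolder = @{ PublicFolder = $true }
}

$report = foreach ($db in Get-MailboxDatabase -Server $oldServer) {
    foreach ($kind in $kinds.Keys) {
        $switches = $kinds[$kind]
        $left = @(Get-Mailbox -Database $db.Name -ResultSize Unlimited @switches)
        [pscustomobject]@{
            Database  = $db.Name
            Type      = $kind
            Remaining = $left.Count
            Names     = $left.Name -join ', '
        }
    }
}
$report | Format-Table -AutoSize

# Move requests that have not finished yet (failed, queued, in progress, suspended).
Get-MoveRequest -ResultSize Unlimited |
    Where-Object { $_.Status -ne 'Completed' } |
    Select-Object DisplayName, Status, TargetDatabase

if (($report | Measure-Object Remaining -Sum).Sum -gt 0) {
    Write-Warning "Mailboxes are still hosted on $oldServer; do not uninstall Exchange yet."
}
```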
-
Andy David - MVP 160.3K Reputation points • MVP • Volunteer Moderator
Since Windows 2019 is supported with Exch SE, I would simply do an in-place upgrade of Exchange for now:
After that, you can step back and consider a migration to a new server with the 2025 O/S if you want. End of support for W2019 lasts till 2029.
-
Mathew Narbut 0 Reputation points
Here was a minor setback for me as I never had been running more than one mail server:
In order to export your certificate from one mail server and then import it on the new server, your private key must be marked as exportable. I didn't know.
To accomplish this I had to create a new CSR with the following: -PrivateKeyExportable $true. I then had to have this re-keyed and applied to the older server. Then finally I was able to export my certificates. I'll keep filling in the knowledge gaps as it may help someone else in the future.
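The certificate move discussed in the answers, including the exportable-key check described in the comment above, can be scripted in the Exchange Management Shell. This is an added example, not code from any poster; the server names and the PFX path are assumptions to replace with your own.

```powershell
$oldServer = 'EXCH2019'                 # assumed source server name
$newServer = 'EXCH2025'                 # assumed target server name
$pfxPath   = 'C:\Temp\mail-cert.pfx'    # hypothetical temporary location
$pfxPass   = Read-Host 'PFX password' -AsSecureString

# 1. Find the CA-issued certificate bound to IIS on the old server.
$cert = Get-ExchangeCertificate -Server $oldServer |
    Where-Object { $_.Services -match 'IIS' -and -not $_.IsSelfSigned } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No CA-issued IIS certificate found on $oldServer" }

# 2. Stop early if the private key cannot be exported.
if (-not $cert.PrivateKeyExportable) {
    throw "Key for $($cert.Thumbprint) is not exportable; re-issue from a request created with -PrivateKeyExportable `$true"
}

# 3. Export certificate and private key as a password-protected PFX.
$export = Export-ExchangeCertificate -Server $oldServer -Thumbprint $cert.Thumbprint `
    -BinaryEncoded -Password $pfxPass
[System.IO.File]::WriteAllBytes($pfxPath, $export.FileData)

# 4. Import on the new server. The key is left non-exportable there by default;
#    add -PrivateKeyExportable $true only if it will have to be moved again.
$imported = Import-ExchangeCertificate -Server $newServer `
    -FileData ([System.IO.File]::ReadAllBytes($pfxPath)) -Password $pfxPass

# 5. Confirm both servers hold the same certificate, then bind it to the services.
if ($imported.Thumbprint -ne $cert.Thumbprint) { throw 'Thumbprint mismatch after import' }
Enable-ExchangeCertificate -Server $newServer -Thumbprint $imported.Thumbprint -Services IIS,SMTP

# 6. The PFX contains the private key; do not leave it on disk or on a share.
Remove-Item $pfxPath
```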
