Configure Exchange Server 2019

This article is for those looking for a detailed and clear guide on how to configure Exchange Server 2019.

IMPORTANT

We will consider the case when you already have two servers with the Windows Server 2019 operating system installed on them. In addition, one of the servers must have the Active Directory Domain Services role installed, and the second server must have Exchange Server 2019 installed.

NOTE

For step-by-step instructions on installing Exchange Server 2019 on Windows Server 2019, refer to my guide: Install Exchange Server 2019 on Windows Server 2019.

NOTE

To learn how to install Active Directory Domain Services on Windows Server 2019, read: Install Active Directory Domain Services on Windows Server 2019.

Open the Exchange Admin Center control panel, which is located at the link https://heva-server-2/ecp, where heva-server-2 is the name of my Exchange server. Accordingly, you need to provide the name or IP address of your server.

To access the Exchange Admin Center Control Panel, you will need to provide a username and password for an account that has Exchange Administrator rights.

Let’s create a mailbox database.

In the “Servers” section, select the “Databases” subsection and click on the ”+” button.

Next, you need to specify a name for the new database and select an Exchange server with the “Mailbox” role.

Specify the name of the database and click on the “Browse” button.

Select the Exchange server with the “Mailbox” role and click on the “OK” button.

Now you need to specify in which folder the mailbox database and its logs will be stored.

NOTE

You need to first create folders on the server in which you plan to store the database and its logs. In addition, it is better to store the database on a disk specially allocated for this task.

In the “Database file path” field, specify the folder where the database will be stored.

In the “Log folder path” field, specify the folder in which the database logs will be stored.

Check the “Mount this database” box and click on the “Save” button.

Now you need to restart the Microsoft Exchange Information Store service on the Exchange server.

Click on the “OK” button.

Open “Server Manager” on the server with Exchange Server 2019 installed, then click on the “Tools” button in the upper right corner of the screen and select “Services”.

Right-click on the “Microsoft Exchange Information Store” service and select “Restart”.

The service has restarted successfully and the new database is ready to go.

Further, in the “Servers” section, select the “Databases” subsection, and then select a new database and double-click on it with the left mouse button.

In the “Limits” section, you can configure the retention time for deleted mailboxes and letters.

Specify the required values and click on the “Save” button.

Now let’s create a database for shared folders.

In the “Servers” section, select the “Databases” subsection and click on the ”+” button.

Specify a name for the shared folder database and click the Browse button.

Select the Exchange server with the “Mailbox” role and click on the “OK” button.

Now you need to specify in which folder the database for public folders and its logs will be stored.

NOTE

You need to first create folders on the server in which you plan to store the database and its logs. In addition, it is better to store the database on a disk specially allocated for this task.

In the “Database file path” field, specify the folder where the database will be stored.

In the “Log folder path” field, specify the folder in which the database logs will be stored.

Check the “Mount this database” box and click on the “Save” button.

Now you need to restart the Microsoft Exchange Information Store service on the Exchange server.

Click on the “OK” button.

We return to the “Server Manager” on the server with Exchange Server 2019 installed, click on the “Tools” button in the upper right corner of the screen, and select “Services”.

Right-click on the “Microsoft Exchange Information Store” service and select “Restart”.

The service has restarted successfully and the new database is ready to go.

Next, go to the “Public Folders” section.

In the “Public Folders” section, select the “Public Folder Mailboxes” subsection and click on the ”+” button.

Specify a name for the public folder mailbox and in the “Mailbox database” section click on the “Browse” button.

Select the database for shared folders and click on the “OK” button.

Nothing can be changed in the “Organization unit” section.

Click on the “Save” button.

After the public folder mailbox is created, it appears under the Public Folder Mailboxes subsection.

Now let’s add the trusted domain.

In the “Mail Flow” section, select the “Accepted Domains” subsection and click on the ”+” button.

In the “Name” and “Accepted Domain” fields, specify the domain that you want to add to the trusted ones, then select “Authoritative Domain: E-mail is delivered only to valid recipients in this Exchange organization”.

Click on the “Save” button.

After the domain is added to the trusted ones, it will appear in the “Accepted Domains” section.

Now you need to create a policy for generating mailing addresses.

In the “Mail Flow” section, select the “Email Address Policies” subsection and click on the ”+” button.

Next, you need to specify a name for the new policy and choose who it will be applied to, as well as determine how mail addresses will be generated in your organization.

NOTE

In this tutorial, mailing addresses will be based on “Alias”.

Specify a name for the policy for generating postal addresses and click the ”+” button.

Specify the main domain and select “[email protected]”.

Click on the “Save” button.

Now let’s add a second domain so that users can receive mail using the second domain name as well.

Click on the ”+” button.

Specify the second domain and select “[email protected]”.

Click the “Save” button.

After you have determined how mail addresses will be formed in your organization, click on the “Save” button.

Pay attention to the warning. In order for the policy to take effect, you must click on the “Apply” button in the “E-mail Address Policies” subsection.

After the policy is added, it will appear in the “E-mail Address Policies” subsection with the “Unapplied” status.

To apply a policy, select it and click on the “Apply” button.

Next, a warning will appear stating that applying the policy may take a long time and you will not be able to perform other tasks while the policy is being applied.

Click on the “Yes” button.

The policy for generating postal addresses has been successfully applied.

Click on the “Close” button.

After the policy is applied, it will appear in the “E-mail Address Policies” subsection with the “Applied” status.

Now you need to create a send connector: to be able to send mail outside the organization.

In the “Mail Flow” section, select the “Send Connectors” subsection and click on the ”+” button.

Specify a name for the new Send Connector and select “Internet” in the “Type” section.

Click on the “Next” button.

NOTE

In this example, mail will be sent according to MX records.

Select “MX record associated with recipient domain” and click on the “Next” button.

Next, you need to specify for which domains the new connector will work.

Click on the ”+” button.

In the “Full Qualified Domain Name (FQDN)” field, enter *. This way, the new Send Connector will handle all domains except yours.

Click on the “OK” button.

After you have specified for which domains the new connector will work, click on the “Next” button.

Next, you need to specify on which Exchange server the Send connector will be created.

Click on the ”+” button.

Select the Exchange server on which the Send Connector will be created and click on the “OK” button.

Everything is ready to create a send connector.

Click on the “Finish” button.

Next, in the “Mail Flow” section, select the “Send Connectors” subsection, then select a new send connector and double-click on it with the left mouse button.

In the “General” section of the “Maximum send message size (MB)” menu, you can configure the maximum size of mail attachments to be sent.

Further, in the “Scoping” section, in the “Specify the FQDN this connector will provide in response to HELO or EHLO” field, specify the name by which your mail server is accessible from the Internet.

Click on the “Save” button.

In the “Mail Flow” section, select the “Send Connectors” subsection. Then click on the ”…” button and select “Organization transport settings”.

In the “Limits” section, you can configure the maximum size of mail attachments for sending and receiving.

Specify the required values and click on the “Save” button.

Now you need to provide your Exchange Server 2019 license key.

In the “Servers” section, select the “Servers” subsection and click on the “Edit” button.

In the “General” section, specify the Exchange Server 2019 license key and click on the “Save” button.

Now you need to configure DNS records for the domain. To do this, you need to open a web browser and go to the control panel for external DNS records for your domain.

This tutorial uses Amazon Route 53 to manage external DNS records for a domain.

Go to the AWS Management Console, sign in with an administrator account if prompted, and then click the “Services” button located in the upper-left corner of the screen.

Next, in the “Networking & Content Delivery” section, select “Route 53”.

Next, select “Hosted zones”.

Select the domain for which you want to configure DNS records.

Now you need to create several DNS records to access the Exchange services.

Click on the “Create Record Set” button to create a new DNS record.

Specify “mail” in the “Name” field.

In the “Type” field, select “A - IPv4 address”.

In the “TTL” field, enter “300”.

In the “Value” field, indicate the IP address by which your mail server is accessible from the Internet and click on the “Create” button.

Click on the “Create Record Set” button to create another DNS record.

In the “Name” field, enter “mx01”.

In the “Type” field, select “A - IPv4 address”.

In the “TTL” field, enter “300”.

In the “Value” field, indicate the IP address by which your mail server is accessible from the Internet and click on the “Create” button.

Click on the “Create Record Set” button to create another DNS record.

Specify “autodiscover” in the “Name” field.

In the “Type” field, select “A - IPv4 address”.

In the “TTL” field, enter “300”.

In the “Value” field, indicate the IP address by which your mail server is accessible from the Internet and click on the “Create” button.

Click on the “Create Record Set” button to create another DNS record.

Leave the “Name” field blank.

In the “Type” field, select “MX - Mail exchange”.

In the “TTL” field, enter “300”.

In the “Value” field, specify the priority “10”, then indicate the previously created A-record with the name “mx01” and click on the “Create” button.

Next, you need to make a request to your ISP to create a PTR record for your external IP address, where your mail server is accessible from the Internet. This is necessary in order for your IP address to resolve to a name.

NOTE

In this example, the IP 188.244.46.91 is translated to the name mail.heyvaldemar.net.

Now you need to create an SPF (Sender Policy Framework). Thanks to SPF, you can check if the sender’s domain has been tampered with. SPF allows you to specify a list of servers capable of sending mail messages on behalf of your domain.

You can get parameters for SPF recording using the SPF Wizard.

SPF example: v=spf1 mx a ip4:188.244.46.91 include:heyvaldemar.com -all

Leave the “Name” field blank.

In the “Type” field, select “SPF - Sender Policy Framework”.

NOTE

If there is no “SPF” record type in your control panel for external DNS records, then you need to select the “TXT” record type.

In the “TTL” field, enter “300”.

In the “Value” field, specify the SPF parameters obtained using the SPF Wizard and click on the “Create” button.

DNS records for the domain have been configured successfully.

Now you need to register the A-record on the internal DNS server.

Open “Server Manager” on the domain controller, then click on the “Tools” button in the upper right corner of the screen and select “DNS”.

In the “Forward Lookup Zones” section, select the main domain and right-click on it, then select “New Host (A or AAAA)”.

In the “Name (uses parent domain name if blank)” field, specify “Mail”.

In the “IP address” field, specify the IP address of the server on which Exchange Server 2019 is installed and click on the “Add Host” button.

A record has been successfully added.

Click on the “OK” button.

After the A-record is added, it will appear in the list with the rest of the records.

For further configuration, you need a certification authority.

NOTE

In this tutorial, the Active Directory Certificate Services role will be installed on a domain controller.

Go back to the “Server Manager” on the domain controller, then click on the “Manage” button in the upper right corner of the screen and select “Add Roles and Features”.

Click on the “Next” button.

Select the installation type “Role-based or feature-based installation” and click on the “Next” button.

Next, select the server on which the role will be installed.

Click on the “Next” button.

Select the Active Directory Certificate Services role.

In the next step, the Role Installation Wizard will warn you that several components need to be installed to install the Active Directory Certificate Services role.

Click on the “Add Features” button.

Click on the “Next” button.

At the stage of adding components, we leave all the default values.

Click on the “Next” button.

Next, the Role Installation Wizard invites you to learn more about the Active Directory Certificate Services role.

Click on the “Next” button.

Now you need to select the required services.

We select “Certification Authority Web Enrollment”.

In the next step, the Install Roles Wizard will warn you that several components need to be installed to install the Certification Authority Web Enrollment.

Click on the “Add Features” button.

Next, select “Online Responder”.

The Role Installation Wizard will warn you that several components need to be installed to install Online Responder.

Click on the “Add Features” button.

After all the necessary services are selected, click on the “Next” button.

In the next step, the “Role Installation Wizard” will warn you that the “Internet Information Services” webserver role will be additionally installed for the “Active Directory Certificate Services” role.

At the stage of adding components, we leave all the default values.

Click on the “Next” button.

In order to start the installation of the selected role, click on the “Install” button.

The installation of the selected role and the components required for it has begun.

Installation of the Active Directory Domain Services role is now complete.

Now you need to configure the role.

Click on the button “Configure Active Directory Certificate Services on the destination server”.

Click on the “Next” button.

Next, you need to select the services that you want to configure.

Select “Certification Authority”, “Certification Authority Web Enrollment” and “Online Responder” and click on the “Next” button.

The server is a member of the domain, so select “Enterprise CA” and click on the “Next” button.

There are no other servers with the Active Directory Certificate Services role in the domain, so select “Root CA” and click on the “Next” button.

Next, you need to create a new private key.

Select “Create a new private key” and click on the “Next” button.

Next, you can select the cryptography settings.

Leave the settings unchanged and click on the “Next” button.

In the “Common name for this CA” field, specify the name for the new certification authority and click on the “Next” button.

Now we select the validity period of the certificate and click on the “Next” button.

Next, you can specify where the certificate database and its logs will be stored.

Leave the settings unchanged and click on the “Next” button.

Everything is ready to configure the role.

Click on the “Configure” button.

The Active Directory Certificate Services role is now configured.

Click on the “Close” button.

Click on the “Close” button to close the role installation window.

Now you need to enable the SAN (Subject Alternative Name) function on the CA server. This feature is useful when publishing the “Autodiscover” service.

On the keyboard, press the key combination “Win” and “x” and in the menu that opens, select “Windows PowerShell (Admin)”.

We enable the SAN function using the command:

1
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

Now you need to restart the “CertSvc” service.

Stop the “CertSvc” service using the command:

1
net stop certsvc

We start the “CertSvc” service using the command:

1
net start certsvc

Service “CertSvc” restarted successfully.

Now let’s make a request to create a new Exchange certificate.

We return to the Exchange Admin Center control panel.

In the “Servers” section, select the “Certificates” subsection and click on the ”+” button.

Select “Create a request for a certificate from a certification authority” and click on the “Next” button.

Specify a name for the new certificate and click on the “Next” button.

Then leave the settings unchanged and click on the “Next” button.

Now you need to specify the Exchange server where the certificate request will be stored.

Click on the “Browse” button.

Select the Exchange server where the certificate request will be stored and click on the “OK” button.

After the Exchange server is specified, click on the “Next” button.

Now you need to specify the domain names that need to be included in the certificate for all types of access.

Select “Outlook Web App (when accessed from the Internet)” and click on the “Edit” button.

Specify the name by which your mail server is accessible from the Internet for the “Outlook Web App” access type, and click on the “OK” button.

Select OAB (when accessed from the Internet) ”, and click on the” Edit “(Pencil) button.

We indicate the name by which your mail server is accessible from the Internet for the access type “OAB”, and click on the “OK” button.

Select “Exchange Web Services (when accessed from the Internet)”, and click on the “Edit” button.

Specify the name by which your mail server is accessible from the Internet for the “Exchange Web Services” access type, and click on the “OK” button.

Select “Exchange ActiveSync (when accessed from the Internet)” and click on the “Edit” button.

Specify the name by which your mail server is accessible from the Internet for the “Exchange ActiveSync” access type, and click on the “OK” button.

Select “POP” and click on the “Edit” button.

We indicate the name by which your mail server is accessible from the Internet for the “POP” access type, and click on the “OK” button.

Select “IMAP” and click on the “Edit” button.

We indicate the name by which your mail server is accessible from the Internet for the type of access “IMAP”, and click on the “OK” button.

Select “Outlook Anywhere” and click on the “Edit” button.

Specify the name by which your mail server is accessible from the Internet for the “Outlook Anywhere” access type and click on the “OK” button.

The domain names that must be included in the certificate for all types of access are indicated.

Click on the “Next” button.

Below is a list of domains that will be included in the certificate.

Click on the “Next” button.

Next, you must specify the name of the organization, department, and geographic location of the company.

This guide is based on an organization based in Los Angeles, USA.

We indicate the necessary information and click on the “Next” button.

Now you need to specify the folder where the Exchange certificate request will be saved.

NOTE

In this tutorial, the certificate request will be saved to the local “C” drive on the Exchange server.

Specify where the Exchange certificate request will be saved and click on the “Finish” button.

After the certificate request is created, it will appear in the “Certificates” subsection with the “Pending request” status.

Now you need to validate your Exchange certificate with a CA.

On the Exchange server, go to the link http://heva-server-1/certsrv, where heva-server-1 is the name of my certification authority server. Accordingly, you need to specify the name of your server.

We go under an account with administrator rights and click on the “OK” button.

Now let’s add the address of the certification server to “Trusted sites”.

Click on the “Add” button.

In the “Add this website to the zone” field, specify the address of the certification server and click on the “Add” button.

Click on the “Close” button.

Now select “Request a certificate”.

Next, select “Advanced certificate request”.

Now select “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file”.

Next, open “Explorer” and go to the local drive “C” where the Exchange certificate request was saved.

Click on the certificate request file twice with the left mouse button.

Click on the “Try an app on this PC” button.

Select “Notepad” and click on the “OK” button.

Copy the contents of the request file.

Next, insert the contents of the request file into the “Saved Request” field, then in the “Certificate Template” section, select “Web Server” and click on the “Submit” button.

Select “DER encoded” and click on the “Download certificate” button.

In the “Save” menu, select “Save as”.

Assign a name and save the Exchange certificate to the Downloads folder.

Click on the “Save” button.

Now you need to download the CA certificate.

Click on the “Home” button in the upper right corner of the screen.

Select “Download a CA certificate, certificate chain, or CRL”.

In the “Encoding method” section, select “DER” and click on the “Download CA certificate” button.

In the “Save” menu, select “Save as”.

We assign a name and save the certificate of the certification authority in the “Downloads” folder.

Click on the “Save” button.

To successfully validate your Exchange certificate request, you must import the CA certificate into the Trusted Root Certification Authorities on the Exchange server.

On the keyboard, press the key combination “Win” and “R”, then enter “certlm.msc” and click on the “OK” button.

In the “Certificates (Local Computer)” section, select the “Trusted Root Certification Authorities” subsection, then right-click on the “Certificates” subsection and select “All Tasks”, then “Import”.

Click on the “Next” button.

Next, you need to specify the path to the certificate of the certification authority.

Click on the “Browse” button.

Select the certificate of the certification authority and click on the “Open” button.

After the path to the certificate of the certification authority is indicated, click on the “Next” button.

Then leave the settings unchanged and click on the “Next” button.

Everything is ready to import the certificate into the “Trusted Root Certification Authorities”.

Click on the “Finish” button.

The CA certificate has been successfully imported.

Click on the “OK” button.

We return to the Exchange Admin Center control panel.

In the “Servers” section, select the “Certificates” subsection. Then select the new Exchange certificate and click on the “Complete” button on the right.

Next, you need to specify the path to the Exchange certificate.

Specify the path to the Exchange certificate and click on the “OK” button.

After the certificate is confirmed, it will appear in the “Certificates” subsection with the “Valid” status.

Now you need to assign a new Exchange certificate for SMTP and IIS services.

Select a new certificate and double-click on it with the left mouse button.

In the “Services” section, check the boxes for “SMTP”, “IMAP”, “POP”, and “IIS”, then click on the “Save” button.

Next, a warning will appear asking you to overwrite the existing certificate for SMTP.

After the Exchange certificate is assigned to the services, the list of services in the “Assigned to services” field is updated.

Now let’s take a look at the Outlook Web App settings.

In the “Servers” section, select the “Virtual Directories” subsection and select the “owa (Default Web Site)” virtual folder, and then double-click on it with the left mouse button.

In the “General” section, in the “External URL” field, specify the name by which your mail server is accessible from the Internet, and also specify “/owa”.

Now let’s configure user authorization by login without having to specify a domain.

In the “Authentication” section in the “Use forms-based authentication” section, select “User name only”.

Next, you need to select the main domain, click on the “Browse” button.

Select the main domain and click on the “OK” button.

After the domain is specified, click on the “Save” button.

Next, a warning will appear asking you to restart IIS.

IIS will restart later.

Click on the “OK” button.

Now let’s write the address where your mail server is accessible from the Internet in the Exchange server configuration.

In the “Servers” section, select the “Virtual Directories” subsection and select the “ecp (Default Web Site)” virtual folder, and then double-click on it with the left mouse button.

In the “General” section, in the “External URL” field, specify the name by which your mail server is accessible from the Internet, and also specify “/ecp”.

Click on the “Save” button.

In the “Servers” section, select the “Virtual Directories” subsection and select the “EWS (Default Web Site)” virtual folder, and then double-click on it with the left mouse button.

In the “General” section, in the “External URL” field, specify the name by which your mail server is accessible from the Internet, and also specify “/EWS/Exchange.asmx”.

Click on the “Save” button.

In the “Servers” section, select the “Virtual Directories” subsection and select the “mapi (Default Web Site)” virtual folder, and then double-click on it with the left mouse button.

In the “General” section, in the “External URL” field, specify the name by which your mail server is accessible from the Internet, and also specify “/mapi”.

Click on the “Save” button.

In the “Servers” section, select the “Virtual Directories” subsection and select the “Microsoft-Server-ActiveSync (Default Web Site)” virtual folder, and then double-click on it with the left mouse button.

In the “General” section, in the “External URL” field, specify the name by which your mail server is accessible from the Internet, and also specify “/Microsoft-Server-ActiveSync”.

Click on the “Save” button.

In the “Servers” section, select the “Virtual Directories” subsection and select the “OAB (Default Web Site)” virtual folder, and then double-click on it with the left mouse button.

In the “General” section, in the “External URL” field, specify the name by which your mail server is accessible from the Internet, and also specify “/OAB”.

Click on the “Save” button.

In the “Servers” section, select the “Virtual Directories” subsection and select the “PowerShell (Default Web Site)” virtual folder, and then double-click on it with the left mouse button.

In the “General” section, in the “External URL” field, specify the name by which your mail server is accessible from the Internet, and also specify “/powershell”.

Click on the “Save” button.

Now let’s configure the Outlook Anywhere service. This service is used to connect to the Exchange server via the Internet using “Outlook”.

In the “Servers” section, select the “Servers” subsection, select the Exchange server, and double-click on it with the left mouse button.

Next, in the “Specify the external hostname such as contoso.com that users will use to connect to your organization” field, specify the name by which your mail server is accessible from the Internet. Then, in the “Specify the authentication method for external clients to use when connecting to your organization” menu, select “NTLM” and uncheck the “Allow SSL offloading” checkbox.

Click on the “Save” button.

Now let’s restart IIS.

On the keyboard, press the key combination “Win” and “x” and in the menu that opens, select “Windows PowerShell (Admin)”.

Restart IIS using the command:

1
iisreset /noforce

IIS restarted successfully.

Now let’s configure the ability to receive mail.

In the “Mail Flow” section, select the “Receive Connectors” subsection, select the “Default Frontend HEVA-SERVER-2” receive connector, where HEVA-SERVER-2 is the name of my Exchange server. Then click on it twice with the left mouse button.

In the “General” section, in the “Maximum receive message size” field, you can configure the maximum allowable size of mail attachments for receiving.

In the “Security” section, check for a checkmark on the “Anonymous users” item.

Click on the “Save” button.

Now let’s create a new user with a mailbox.

In the “Recipients” section, select the “Mailboxes” subsection.

Click on the ”+” button and select “User mailbox”.

Now we specify the alias, first, and the last name for the new user.

Then you need to select the organization unit in which you plan to create a new user.

Click on the “Browse” button.

Select the OU in which you want to place the new user, and click on the “OK” button.

In the “User logon name” field, specify the login for the new user.

Next, specify a strong password and click on the “More options” button.

Now you need to select the database in which the mailbox will be created for the new user.

In the “Mailbox database” section, click on the “Browse” button.

Select the mailbox database and click on the “OK” button.

Everything is ready to create a user with a mailbox.

Click on the “Save” button.

After the user with the mailbox is created, it will appear in the “Mailboxes” section.

Now you need to import the Exchange certificate into Trusted Root Certification Authorities on all computers in the domain.

Go to the domain controller, create a folder and copy the Exchange certificate into it.

NOTE

In this tutorial, the certificate was copied to the “ExchangeCertificate” folder on the “C” drive.

Go back to “Server Manager” on the domain controller, then click on the “Tools” button in the upper right corner of the screen and select “Group Policy Management”.

Now let’s create a new Group Policy to import the certificate into Trusted Root Certification Authorities on all computers in the domain.

Right-click on the domain name and select “Create a GPO in this domain, and Link it here”.

Specify a name for the new group policy and click on the “OK” button.

Next, click on the new policy with the right mouse button and select “Edit”.

In the Group Policy Editor, go to the “Computer Configuration” section, then to the “Windows Settings” subsection, then find the “Security Settings” section and select “Public Key Policies”, now right-click on “Trusted Root Certification Authorities” and select ” Import ”.

Click on the “Next” button.

Next, you need to specify the path to the Exchange certificate.

Click on the “Browse” button.

Go to the folder with the Exchange certificate and click on the “Open” button.

After the path to the certificate is specified, click on the “Next” button.

Then leave the settings unchanged and click on the “Next” button.

Everything is ready to import the certificate into the “Trusted Root Certification Authorities” for all computers in the domain.

Click on the “Finish” button.

The Exchange certificate has been successfully imported into Group Policy settings.

Click on the “OK” button.

After the certificate is imported into Group Policy settings, it will appear in the “Trusted Root Certification Authorities” section.

The Exchange certificate will now be imported to all computers covered by this policy.