Expired Microsoft Exchange 2016 Self Signed Certificate

What to do when the self-signed certificate for Microsoft Exchange 2016 expires. Microsoft provides some good guidance about this:

https://learn.microsoft.com/en-us/exchange/architecture/client-access/renew-certificates?view=exchserver-2019

You might see errors such as this when you’re trying to administer via PowerShell:

[PS] C:\Windows\system32>set-mailbox myaccount -type shared
Active Directory operation failed on DC-02.internal.sanger.ac.uk. This error is not retriable. Additional
information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-031514A0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
    + CategoryInfo          : NotSpecified: (:) [Set-Mailbox], ADOperationException
    + FullyQualifiedErrorId : [Server=SERVER1,RequestId=6336ceb6-c37c-413e-ba36-d65112b69786,TimeStamp=14/01/2026 16:29:26] [FailureCategory=Cmdlet-ADOperationException] 404D2B85,Microsoft.Exchange.Management.RecipientTasks.SetMailbox
    + PSComputerName        : server1.mydomain.com

You will have the permissions, so the error is a red herring. What is actually happening is that you are attempting to perform an operation on a mailbox hosted on an Exchange Server other than the one you are running PowerShell from. Exchange uses a Back End connection on TCP 444 (SSL/HTTPS) to make the calls between the Exchange Servers, and if the certificate bound to that site has expired, you will see errors such as this.

You are unlikely to see any operational issues on the Exchange Server for clients or mail flow; the symptom shows up in administration.

Ali Tajran has a great article on how to replace the certificate: Renew Microsoft Exchange Certificate.

In our case, however, we were not using the default self-signed certificate; instead we had a third-party certificate that includes all the hostnames of the Exchange servers (as SANs).

The process is the same, though: install the new (third-party) certificate on all your Exchange Servers and give it a sensible friendly name, such as “Exchange Back End”, so it is easy to identify.

Using IIS Manager (the MMC snap-in), edit the site bindings on the “Exchange Back End” site, which listens on port 444.

Select the new SSL certificate from the drop-down and click “OK”.

You should not need to restart IIS services for the change to take effect.

The PowerShell errors claiming insufficient access rights should now be resolved.
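The same rebinding done from PowerShell instead of clicking through IIS Manager, as an added example that is not from this post or from Ali Tajran’s article. It assumes it is run in the Exchange Management Shell on one Mailbox server, that the new certificate has already been installed on every server with the friendly name “Exchange Back End” used above, that WinRM remoting to the other Exchange servers is allowed, and that the binding object’s AddSslCertificate method replaces the certificate currently bound. $Apply defaults to report-only, so the first run just lists which servers still present the old thumbprint on port 444.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
$FriendlyName = 'Exchange Back End'   # friendly name given to the new certificate when it was installed
$Apply        = $false                # $false = report only; $true = rebind servers still using the old certificate

# Locate the new certificate in this server's machine store and sanity-check it before touching any binding
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq $FriendlyName })
if ($certs.Count -ne 1) {
    throw "Expected exactly one certificate with friendly name '$FriendlyName' in LocalMachine\My, found $($certs.Count)"
}
$cert = $certs[0]
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) has already expired ($($cert.NotAfter)); install a current one first"
}
$Thumbprint = $cert.Thumbprint

# Every Mailbox server takes part in the back end proxying, so each one needs its port 444 binding checked
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -like '*Mailbox*' } | Select-Object -ExpandProperty Fqdn

$results = Invoke-Command -ComputerName $servers -ArgumentList $Thumbprint, $Apply -ScriptBlock {
    param($Thumbprint, $Apply)
    Import-Module WebAdministration
    $binding   = Get-WebBinding -Name 'Exchange Back End' -Port 444 -Protocol https
    $bound     = $binding.certificateHash
    $installed = Test-Path "Cert:\LocalMachine\My\$Thumbprint"   # the certificate must exist on this server too
    $rebound   = $false
    if ($Apply -and $installed -and ($bound -ne $Thumbprint)) {
        # Equivalent of picking the certificate in the IIS Manager site-binding dialog (assumed to replace the old one)
        $null = $binding.AddSslCertificate($Thumbprint, 'My')
        $bound   = (Get-WebBinding -Name 'Exchange Back End' -Port 444 -Protocol https).certificateHash
        $rebound = $true
    }
    [pscustomobject]@{
        Server               = $env:COMPUTERNAME
        CertificateInstalled = $installed
        BoundThumbprint      = $bound
        UsesNewCertificate   = ($bound -eq $Thumbprint)
        Rebound              = $rebound
    }
}

# Any row with UsesNewCertificate = False is a server whose Back End site still presents the old certificate
$results | Format-Table Server, CertificateInstalled, BoundThumbprint, UsesNewCertificate, Rebound -AutoSize
```

Run it once with $Apply left at $false to see the current state of every server, then again with $Apply set to $true; a server that shows CertificateInstalled = False needs the certificate imported before it can be rebound.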

To confirm that port 444 is serving the correct certificate, use OpenSSL to connect and inspect the certificate presented:

openssl s_client -connect server1.mydomain.com:444 -servername server1.mydomain.com </dev/null 2>/dev/null | openssl x509 -noout -subject -dates
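The same check done from PowerShell, for a machine without OpenSSL, as an added example that is not from this post. It opens a TLS connection to port 444, accepts whatever certificate is presented so that an expired one can be inspected rather than rejected by the handshake, and reports expiry, subject alternative names and whether the thumbprint matches the one you bound. The server name is the one used in the post; EXPECTED_THUMBPRINT_PLACEHOLDER stands for the thumbprint of your new certificate.

```powershell
# Added example (not from the original post). Works in Windows PowerShell 5.1 or PowerShell 7.
function Get-RemoteTlsCertificate {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 444
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($Server, $Port)
    # Accept any certificate: the point is to look at what is served, including an expired one
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($Server)   # sends SNI for $Server, like openssl -servername
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $client.Dispose()
    }
}

function Test-BackEndCertificate {
    param(
        [Parameter(Mandatory)][string]$Server,
        [string]$ExpectedThumbprint,
        [int]$Port = 444
    )
    $cert = Get-RemoteTlsCertificate -Server $Server -Port $Port
    # Subject Alternative Name extension (OID 2.5.29.17), rendered as "DNS Name=host1, DNS Name=host2"
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san    = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $now    = Get-Date
    [pscustomobject]@{
        Server            = $Server
        Subject           = $cert.Subject
        Thumbprint        = $cert.Thumbprint
        NotAfter          = $cert.NotAfter
        DaysUntilExpiry   = [int]($cert.NotAfter - $now).TotalDays
        Expired           = ($cert.NotAfter -lt $now)
        CoversServerName  = ($san -match [regex]::Escape($Server))   # checks the SANs only, not the CN
        ThumbprintMatches = if ($ExpectedThumbprint) { $cert.Thumbprint -eq $ExpectedThumbprint } else { 'not checked' }
        SubjectAltNames   = $san
    }
}

# Usage: the placeholder stands for the thumbprint of the certificate bound to the Back End site
Test-BackEndCertificate -Server 'server1.mydomain.com' -ExpectedThumbprint 'EXPECTED_THUMBPRINT_PLACEHOLDER' | Format-List
```

From the Exchange Management Shell you can run it against every server in one go with `Get-ExchangeServer | ForEach-Object { Test-BackEndCertificate -Server $_.Fqdn -ExpectedThumbprint '...' } | Format-Table`, which makes a server still serving the old certificate on 444 stand out as Expired = True or ThumbprintMatches = False.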

Although not directly relevant to us, because we are not using a self-signed certificate, be aware of this note from his post:

No, (the command that sets the certificate) it will not automatically update the “Microsoft Exchange” certificate to the other Exchange Servers, and you have to do the steps on the other Exchange Servers too.
Every Exchange Server will have a unique self-signed “Microsoft Exchange” certificate.
