I'm still plugging away at this. Current status is I decided to go to the single Exchange 2013 node and just run the script for the ASA setup there to see what would happen.
```
.\RollAlternateServiceAccountPassword.ps1 -ToSpecificServer mta01.domainname.com -GenerateNewPasswordFor domain\EXCH2019ASA$
```
Now on my internal Outlook clients they connect right up to the Exchange 2013 node. It is indeed the ASA configuration messing with things. With this knowledge I am now trying to get the same ASA credentials on all three systems.
When I run the script to copy the credential from my Exchange 2013 node to a 2019 node I get this error.
```
.\RollAlternateServiceAccountPassword.ps1 -ToSpecificServer mta03.domainname.com -CopyFrom mta01.domainname.com
Record Errors: Cannot convert value "MTA01" to type "Microsoft.Exchange.Data.Directory.Management.ClientAccessServer". Error: "Cannot convert the "MTA01" value of type "Deserialized.Microsoft.Exchange.Data.Directory.Management.ClientAccessServer" to type "Microsoft.Exchange.Data.Directory.Management.ClientAccessServer".
At C:\Program Files\Microsoft\Exchange\V15\Scripts\RollAlternateServiceAccountPassword.ps1:1000 char:1
+ RecordErrors -ExceptionsOnly { $script:success = Body }
+ CategoryInfo: NotSpecified: (:) [Write-Error]. WriteErrorException
+ FullyQualifiedErrorId: Microsoft.PowerShell.Commands.WriteErrorException.RecordErrors
```
If I switch over to a 2019 node and try to copy it in reverse I get a bunch of errors.
```
.\RollAlternateServiceAccountPassword.ps1 -ToSpecificServer mta03.domainname.com -CopyFrom mta01.domainname.com
========== Starting at 04/08/2023 16:47:37 ==========
RecordErrors : The term 'Get-ClientAccessService' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Program Files\Microsoft\Exchange Server\V15\Scripts\RollAlternateServiceAccountPassword.ps1:371 char:3
+ RecordErrors `
+ ~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,RecordErrors

Destination servers that will be updated:

Name  PSComputerName
MTA03 mta03.domainname.com

Credentials that will be pushed to every server in the specified scope (recent first):
RecordErrors : No credentials to push to destination servers. The script cannot continue. Check script parameters and errors output above.
At C:\Program Files\Microsoft\Exchange Server\V15\Scripts\RollAlternateServiceAccountPassword.ps1:1000 char:1
+ RecordErrors -ExceptionsOnly { $script:success = Body }
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,RecordErrors

Retrieving the current Alternate Service Account configuration from servers in scope
Alternate Service Account properties:

StructuralObjectClass QualifiedUserName   Last Pwd Update     SPNs
computer              domain\EXCH2019ASA$ 4/8/2023 4:45:05 PM http/autodiscover.domainname.com http/mail.domainname.com

Per-server Alternate Service Account configuration as of the time of script completion:

Array: {mail.domainname.com, mail.domainname.com}

Identity AlternateServiceAccountConfiguration
MTA03    Latest: 4/8/2023 2:11:30 PM, domain\EXCH2019ASA$
         Previous: 4/8/2023 1:44:50 PM, domain\EXCH2019ASA$

========== Finished at 04/08/2023 16:47:51 ==========
THE SCRIPT HAS FAILED
```