If we are hosting Exchange in an on-premise environment and we are using Edge server with Edge subscription, we usually fall into a scenario where we need to renew the certificate on Edge server. This article talks about the implication this can have and how best to achieve it.
Scenario: Exchange Edge Server subscribed to AD site on which we need to renew the Edge Subscription.
As we know that when we subscribe the edge server, an AD LDS account called the EdgeSync bootstrap replication account (ESBRA) is created. This is created using the default certificate private key of the certificate assigned to SMTP service as default, hence as long as we have that certificate my transport servers will be able to authenticate to edge server and replicate the required information to ADAM database.
Now when we install a third party certificate we assign SMTP service to it and overwrite the current certificate, basically we change the default SMPT certificate, now if we have done this by edge subscription will fail as Edge server will not be able to decrypt the ESRA account passed on by transport server using this new certificate keys.
Hence to deal with this we need to re-subscribe the edge server.
We can simply create new edge subscription file by running the command:
New-EdgeSubscription -FileName "c:\EdgeServerSubscription.xml" -CreateInboundSendConnector $false -CreateInternetSendConnector $false
After that go to the mailbox/hub transport server and run the command:
New-EdgeSubscription -FileData ([byte]$(Get-Content -Path "C:\EdgeServerSubscription.xml" -Encoding Byte -ReadCount 0)) -Site "SiteA" -CreateInboundSendConnector $false -CreateInternetSendConnector $false
The command will overwrite the current subscription without impacting the current Send connectors you have.
Once you have done this make sure the Edge server is part of the source server list in the send connector and you are good to go.
You can test the edge subscription using the command: