Exchange 2007 Edge Synchronization transaction failure

Dear experts,

I face a possible problem with Edge Synchronization on Exchange 2007. Mails cannot get routed to and from my domain, the queues on hub and edge fill up, so I am really desperately searching for a solution.

Setup: Essential Business Server 2008 with Exchange 2007 SP2. German version.

MessagingServer: Hub, Mailbox, CA
SecurityServer: EdgeTransport
All "standard" according to MS installation whitepaper.

Mail-delivery/routing has worked fine ever since initial installation, there was no change in HW, nor was any software recently installed.

When executing Test-EdgeSynchronization on hub, this is what I get:

[PS] C:\Windows\System32>Test-EdgeSynchronization

Name                        : ReefSecurity
LeaseHolder                 :
LeaseType                   : 0
ConnectionResult            : Failed
FailureDetail               : Für den Edge-Transport-Server 'ReefSecurity.Reefd
                              iver.lan' wurden keine EdgeSync-Anmeldeinformatio
                              nen auf dem lokalen Hub-Transport-Server gefunden
                              . Entfernen Sie das Edge-Abonnement, und abonnier
                              en Sie den Edge-Transport-Server erneut.
LeaseExpiry                 : 01.01.0001 00:00:00
LastSynchronized            : 01.01.0001 00:00:00
CredentialStatus            : Skipped
TransportServerStatus       : Skipped
TransportConfigStatus       : Skipped
AcceptedDomainStatus        : Skipped
SendConnectorStatus         : Skipped
MessageClassificationStatus : Skipped
RecipientStatus             : Skipped
CredentialRecords           : Number of credentials 0

FailureDetail plainly translated: "No EdgeSync logon information was found for Edge Transport Server ... on local Hub Transport Server. Delete the Edge subscription, and re-subscribe the Edge Transport Server".

I have done some research, this is what I have tested & done so far:

From Edge

PING from Edge to Hub works both via IP and FQDN
NSLOOKUP on Edge for FQDN <Hub> delivers IP
NSLOOKUP on Edge for IP <Hub> fails (non-existent domain)
TELNET from Edge to Hub on port 25 works
TELNET from Edge to Hub on port 50636 does not work (blocked by firewall)

From Hub

PING from Hub to Edge for FQDN fails
PING from Hub to Edge for IP fails
NSLOOKUP on Hub for FQDN <Edge> delivers IP
NSLOOKUP on Hub for IP <Edge> fails (non-existent domain)
TELNET from Hub to Edge via FQDN on port 25 works
TELNET from Hub to Edge via FQDN on port 50636 works

On Edge, the logs show following errors

MSExchangeTransport, 1036
MSExchangeTransport, 2018

On Hub, the logs show following errors

MSExchange EdgeSync, 1032
MSExchangeTransport, 12023

Get-ExchangeCertificate | fl shows only valid certificates on Edge and Hub

Several times, I have recreated new subscriptions on Edge and renewed on Hub with and without deleting the EdgeSubscription on Hub; Start-EdgeSynchronization was executed, however there was no detail log afterwards like I saw some people had in their threads. This is what I get when executing Start-EdgeSynchronization on Hub:

[PS] C:\Windows\System32>Start-EdgeSynchronization
[PS] C:\Windows\System32>

So far, all actions to no avail - my mail queues keep growing.

Again - mail flow has worked just fine all the time with the stated setup; there are no invalid certificates in the Exchange store from what I can tell.

I am definitely no AD and Exchange expert, so I hope there is someone out there who has seen such a problem before and who can lead me through the necessary steps.

Thanks in advance.
Reefdiver (Author) commented (accepted solution):
Ok, I figured it out myself now. For anyone out there who might come across the same problem:

The solution to the problem was like described above - steps 1 through 7 - however I should have used the FQDN instead of "". Also, I didn't remove and renew the EdgeSubscription; I found that synchronization will just overwrite the existing subscription. That saved me from some additional customizing (i.e. the smtp-relay-account I use as send-connector) afterwards.

I tried this solution with an older backup first (I am running EBS 2008 in a virtualized mode), then restored the production servers from backup and voila - everything's fine. Hope this description helps someone else.

Kind regards,
Amit (IT Architect) commented:
Hi Mark,

Is it possible for you to create a connector in HUB server and directly route your mail to the internet. This will resolve your current issue.

For Edge issue, as you mentioned you haven't made any changes, but is there any patching made on this server.
Amit (IT Architect) commented:
Can you run Exchange Best Practices Analyzer and the Mail Flow Troubleshooter? It is part of the Toolbox snap-in. This can give more understanding.

I assume, you haven't done any service pack updates in CAS or HUB. Try this, also

Log in to the Edge server and run New-EdgeSubscription, then export this file with any name like edge.xml. Copy this over to the Hub server and run

New-EdgeSubscription -filename "Exported XML Path"
New-EdgeSubscription -filename "c:\edge.xml"
Reefdiver (Author) commented:
Hi all,

thanks for your replies. The key to my problem seems to be error message 12023 MSExchangeTransport on hub. Apparently, Exchange could not load a certain certificate from personal information store, which was used for authentication with other servers with Exchange (freely translated).

I don't know how & why the certificate is missing, nor do I know how to retrieve it; I have not updated or patched the servers with anything but the normal Microsoft security patches via WSUS (there were non related to Exchange lately, though).

I have taken following steps:

On Hub:

1.) New-ExchangeCertificate -DomainName -Services SMTP
2.) Test-EdgeSynchronization -> apparently, a new Edge-Synchronization is needed
3.) Remove-EdgeSubscription

On Edge

4.) New-EdgeSubscription -> afterwards, copied xml-file to Hub

On Hub:

5.) New-EdgeSubscription -filename "c:\edge.xml" -site "Default-First-Site-Name"
6.) Start-EdgeSynchronization -> seems to have worked
7.) Test-EdgeSynchronization -> result now good ('synchronized')

Afterwards, mail-flow to and from my domain worked, the queues emptied and all mails got delivered.

HOWEVER: I can now not access my OWA site any more, neither from the internet, nor via calling the FQDN of the Exchange server from the intranet.

I do have a SAN-certificate for my server from a third-party; it's valid till 2012 and installed on the gateway-/security-server. Calling some of the other hosted websites on my web-server works without any problem - only OWA replies with error '500 - internal server error'.

Can anyone please explain to me how I can re-enable the certificate for OWA to work?

-> Do I need to export the SAN from the security server and import it into Exchange?
-> Or do I need to Enable-ExchangeCertificate with other services besides SMTP?

Again, thanks for your input - it's highly appreciated.
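The seven steps above, combined with the correction from the accepted answer (use the Hub's FQDN as -DomainName rather than ""), written out as one Exchange Management Shell script. This is an added example for this thread, not code posted by any participant. It adds two checks the thread shows were needed: a TCP reachability test from Hub to Edge on 25 and 50636 (the EdgeSync port that was blocked in one direction), and an inventory of which certificate carries which Exchange service before a new SMTP certificate is created, so the IIS/OWA binding can be identified afterwards. $EdgeFqdn and $SiteName are taken from the question; $HubFqdn is a hypothetical value and must be replaced with the real Hub FQDN. The cmdlets used are Exchange 2007's own; the Get-ExchangeCertificate / Enable-ExchangeCertificate check at the end answers the follow-up question only as far as showing which thumbprint has IIS enabled.

```powershell
# Added example for the thread above; not from the original post.
# Run Invoke-HubPreChecks and Invoke-HubResubscribe on the Hub (MessagingServer),
# Invoke-EdgeExport on the Edge (SecurityServer), in that order.

$EdgeFqdn = 'ReefSecurity.Reefdiver.lan'    # from the Test-EdgeSynchronization output
$HubFqdn  = 'MessagingServer.Reefdiver.lan' # HYPOTHETICAL: replace with the Hub's real FQDN
$SiteName = 'Default-First-Site-Name'       # from step 5 in the thread
$EdgeFile = 'C:\edge.xml'                   # subscription file, as in the thread

# Plain TCP connect with a timeout; $ComputerName rather than $Host because
# $Host is a reserved automatic variable in PowerShell.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# --- Hub: what must be true before re-subscribing ---------------------------
function Invoke-HubPreChecks {
    # EdgeSync talks from Hub to Edge over secure LDAP 50636; SMTP 25 carries mail.
    foreach ($p in 25, 50636) {
        '{0}:{1} reachable from Hub = {2}' -f $EdgeFqdn, $p, (Test-TcpPort $EdgeFqdn $p)
    }
    # Record the current certificate-to-service assignment before touching it.
    # The thumbprint whose Services contains IIS is the one OWA depends on.
    Get-ExchangeCertificate |
        Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter
    # Current EdgeSync state (the thread's failing output came from this cmdlet).
    Test-EdgeSynchronization | Format-List Name, ConnectionResult, FailureDetail
}

# --- Edge: export a fresh subscription file ---------------------------------
function Invoke-EdgeExport {
    # Step 4. Copy $EdgeFile to the Hub afterwards (the file is only valid for a
    # limited time, so run Invoke-HubResubscribe promptly).
    New-EdgeSubscription -FileName $EdgeFile
}

# --- Hub: steps 1, 5, 6, 7 --------------------------------------------------
function Invoke-HubResubscribe {
    # Step 1: self-signed certificate for the SMTP service, with the real FQDN.
    # The accepted answer's fix was exactly this: FQDN, not "".
    New-ExchangeCertificate -DomainName $HubFqdn -Services SMTP -FriendlyName 'Hub SMTP'

    # Step 3 is optional: the accepted answer reports that New-EdgeSubscription
    # overwrites the existing subscription, which keeps send-connector customisations.
    # Remove-EdgeSubscription -Identity 'ReefSecurity' -Confirm:$false

    # Step 5: import the subscription file exported on the Edge.
    New-EdgeSubscription -FileName $EdgeFile -Site $SiteName

    # Step 6: push the first synchronization (the cmdlet prints nothing on success).
    Start-EdgeSynchronization

    # Step 7: verify, and fail loudly instead of returning silently.
    $result = Test-EdgeSynchronization
    if ($result.ConnectionResult -eq 'Failed') {
        throw ('EdgeSync still failing for {0}: {1}' -f $result.Name, $result.FailureDetail)
    }
    $result | Format-List Name, ConnectionResult, LastSynchronized

    # Queues should start draining once EdgeSync is healthy.
    Get-Queue | Where-Object { $_.MessageCount -gt 0 } |
        Format-Table Identity, Status, MessageCount, NextHopDomain -AutoSize

    # Follow-up from the thread: after a new SMTP certificate, confirm the
    # third-party SAN certificate still carries IIS. If it no longer does,
    # Enable-ExchangeCertificate is the cmdlet that reassigns a service to a
    # thumbprint (fill in the SAN certificate's thumbprint from the inventory above):
    # Enable-ExchangeCertificate -Thumbprint '<SAN-CERT-THUMBPRINT>' -Services IIS
    Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
        Format-List Thumbprint, Subject, CertificateDomains, Services
}
```

Run Invoke-HubPreChecks first; if 50636 is not reachable from the Hub, fix the firewall before re-subscribing, because the subscription steps will complete but Test-EdgeSynchronization will keep reporting a failed connection.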

Reefdiver (Author) commented:
No comments