Solved

Exchange 2010 changed transport server cert, now edge sync fails

Posted on 2014-09-08
916 Views
Last Modified: 2014-09-08
I replaced my main exchange server's certificate and now the edgesync fails.

When I do a "Start-EdgeSynchronization" on the hub transport server I get:

Result: CouldNotConnect
Type: Recipients
Name: EXCH2-EDGE
...
Result: CouldNotConnect
Type: Configuration
Name: EXCH2-EDGE

and the "Test-EdgeSynchronization" command Returns this:

SyncStatus: Failed
UtcNow : [a few seconds ago]
Name: EXCH2-EDGE
LeaseHolder:
FailureDetail: EdgeSync service cannot connect to this subscription because of error "No EdgeSync credentials were found for Edge Transport server. Remove the Edge subscription and re-subscribe to the Edge Transport server."
...
CredentialRecords: Number of credentials 0
CookieRecords: Number of cookies 0

Just to be clear it was the cert on the hub transport that was replaced, not the cert on the edge server.

I've removed the edge subscription from the hub transport server using EMC then went to the edge server and ran:

New-EdgeSubscription -FileName C:\Users\Administrator\Desktop\edge-subcription.xml

Then copied the file to the hub transport server and used "New Edge Subscription" in the EMC to re-add the subscription. After adding the subscription the EMC shows the EXCH2-EDGE subscription as valid under the "Is Valid" column.

However when I run the Start-EdgeSynchronization or Test-EdgeSynchronization commands (on the hub transport server) in the EMS I get the results I posted above. Given that it was the Hub transport that had its cert replaced, it's likely that the edge server can't authenticate against the hub transport and not the other way around. Does anyone have any idea how I can fix this?
Question by:jdhwpgmbca

5 Comments

Expert Comment

by:Simon Butler (Sembee)
ID: 40310671
What did you replace the certificate with?
A trusted certificate or self signed?

In most instances, you now need two certificates on Exchange.
- A trusted certificate for web services etc.
- A self signed certificate as the default SMTP certificate for internal traffic.

Therefore the easiest fix is to run

new-exchangecertificate

on the Hub transport server, no further attributes required. When prompted to replace the default SMTP certificate say Yes. Then test again.

Simon.
Author Comment

by:jdhwpgmbca
ID: 40310699
A trusted cert from comodo. I just paid $600 for it, so I'm reluctant to run new-exchangecertificate on the hub transport. That would generate a new key which would need to be re-signed by the CA. Besides, I'm not convinced that doing that is any different from generating a request and having it signed by a CA then importing the cert (in EMC). It's not that the advice isn't appreciated - but I don't want to lose my new certificate.
Author Comment

by:jdhwpgmbca
ID: 40310749
I think it's likely that changing the web server certificate on the hub transport is what broke the trust between the servers. In order to re-establish the trust I have to get the edge server to refetch the LDAP information containing the hub transport certificate into its AD LDS. I just don't know how to do this.
Accepted Solution

by:Simon Butler (Sembee)
ID: 40310841
$600 for an SSL certificate? You can get ones suitable for Exchange for less than $70/year!
Anyway, I am not proposing replacing your trusted certificate, this is an additional SSL certificate for SMTP traffic only. New-Exchangecertificate on its own creates a new self signed certificate, which Exchange trusts.

Exchange wants to communicate with the server over SMTP using its real FQDN. However with SSL certificates that expire after November 2015 you cannot put internal names on the certificates, so you need to use a combination of trusted certificates and a self signed certificate.

Simon.
Author Comment

by:jdhwpgmbca
ID: 40311018
There's a bunch of Subject-Alt-Names, they say that's why it's so expensive, but I think it's a rip-off. Anyway that's off topic.

Thanks for the tip about needing two certificates, that's what did it. I generated a new cert on the hub transport using New-ExchangeCertificate. It asked me if I wanted to replace another certificate and identified the certificate as something that expired yesterday (it also showed the cert's fingerprint). This was obviously not my commercial cert so I just answered yes to the prompt. After this I needed to do a "Start-EdgeSynchronization -ForceFullSync" on the hub transport. This sent the certificate to the edge server. And after this everything worked fine.

James
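The procedure Simon describes in the accepted solution and James confirms in the comment above, put together as one Exchange Management Shell script. This is an added example, not something posted in the thread: it first checks which certificate on the Hub Transport server actually carries the SMTP service and whether it covers the server's real FQDN (the name EdgeSync and Hub-to-Edge SMTP/TLS use), then creates the self-signed SMTP-only certificate, confirms the commercial certificate is still the one bound to IIS, and finishes with the forced full sync and a Test-EdgeSynchronization check. The friendly name is a placeholder; the cmdlets and properties used are standard Exchange 2010 ones. Run it in the EMS on the Hub Transport server.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on
# the Hub Transport server. Friendly name below is a placeholder.

# 1. Which certificate carries the SMTP service, and does it cover this host's
#    real FQDN? A public cert with only external SANs will not, which is the
#    failure mode discussed in the thread.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

Get-ExchangeCertificate |
    Format-Table Thumbprint, Services, Subject, NotAfter, IsSelfSigned -AutoSize

$smtpCerts = Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' }
$covering  = $smtpCerts | Where-Object {
    $_.Subject -match ("CN=" + [regex]::Escape($fqdn)) -or
    $_.CertificateDomains -contains $fqdn
}
if (-not $covering) {
    Write-Warning "No SMTP-enabled certificate matches $fqdn; internal SMTP/TLS and EdgeSync cannot authenticate this server."
}

# 2. Create a self-signed certificate for SMTP only. -Services SMTP keeps it off
#    IIS (the commercial cert stays there); -Force suppresses the "replace the
#    default SMTP certificate?" prompt that James answered Yes to interactively.
$newCert = New-ExchangeCertificate -FriendlyName "Internal SMTP (self-signed)" `
               -SubjectName "CN=$fqdn" -DomainName $fqdn `
               -Services SMTP -Force
Write-Host ("New SMTP certificate thumbprint: " + $newCert.Thumbprint)

# 3. Sanity check: the trusted (non-self-signed) certificate must still be the
#    one serving IIS; only the SMTP default should have moved.
Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
    Format-Table Thumbprint, Subject, IsSelfSigned -AutoSize

# 4. Push the new certificate to the Edge server's AD LDS and verify every
#    subscription reports Normal instead of Failed/CouldNotConnect.
Start-EdgeSynchronization -ForceFullSync | Format-Table Result, Type, Name -AutoSize

$failed = @()
foreach ($sub in Test-EdgeSynchronization) {
    $sub | Format-List Name, SyncStatus, FailureDetail, CredentialRecords, CookieRecords
    if ($sub.SyncStatus -ne 'Normal') { $failed += $sub.Name }
}
if ($failed.Count -gt 0) {
    throw ("EdgeSync still failing for: " + ($failed -join ', '))
} else {
    Write-Host "EdgeSync OK for all Edge subscriptions."
}
```

Step 1 is worth running before touching anything: if the SMTP-enabled certificate already lists the server's FQDN, the cause of a CouldNotConnect is something else (firewall on 50636, clock skew, a stale subscription) and a new certificate will not fix it. Step 3 guards against the opposite mistake, accidentally moving IIS onto the self-signed certificate and breaking OWA/ActiveSync for clients that only trust the commercial one.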