At work, our group was updating the Exchange Edge Server certificates and having mail flow problems causing messages to be in the Poison Queue and not transfer to Office365 properly. We finally got the procedure down to where it started working. I wanted to post that procedure here since I had never really worked with Edge Servers in the past. If this post can help you in the future, then “I done good!”
Now, everywhere I had read said that you have to remove and then re-create the Edge Subscription between your Transport Servers and the Edge Servers when changing the certificate.
Here is why:
When we subscribe the edge server, an AD LDS account called the EdgeSync Bootstrap Replication Account (ESBRA) is created. This is created using the default certificate private key of the certificate assigned to SMTP service as default, hence as long as we have that certificate the transport servers will be able to authenticate to the Edge server and replicate the required information to ADAM database.
Now when we install a third party certificate we assign SMTP service to it and overwrite the current certificate, basically we change the default SMTP certificate. So, by doing this, the current Edge Subscription will fail as the Edge server will not be able to decrypt the ESRA account passed on when communicating with the transport servers using the new certificate private key.
So, once you have your new 3rd party certificate, you install it to your edge servers:
Import-ExchangeCertificate -FileData ([Byte]$(Get-Content -Path C:\Certs\EDGE-NEW.cer -Encoding byte -ReadCount 0))
Then, you enable the Exchange Certificate to be used for SMTP:
Enable-ExchangeCertificate -Thumbprint "The Certificate Thumbprint" -Services SMTP
Mail flow will be broken at this point. Since messages were going to the poison queue due to the ESBRA account encryption failing when authenticating with the internal Transport Servers, I had to completely stop transport by disabling the Send Connectors between the internal Transport Servers and the Edge servers from the Transport Server.
Get-SendConnector -identity "Edge To Internet" | Set-SendConnector -Enabled:$False
Get-SendConnector -identity "Inbound - Edge To Internal Site" | Set-SendConnector -Enabled:$False
The configuration of the Edge Servers were that there were two servers in the Edge Farm. Since one of the servers had not had a proper sync in a while, I decided to remove the recipient database that had been replicated to the failing server when removing the Edge Subscription. The other server, I left the recipient database in place so that we could get one server up and running quickly since transport was stopped at this point.
Here is the command that was run to remove the Edge Subscriptions. This needed to be completed on both the Edge Servers and the corresponding Transport Server:
Get-EdgeSubscription | Remove-EdgeSubscription
I then had to create a new Edge Subscription file on each Edge Server to copy to the Transport Server. I already had connectors set so I did not need to recreate those connectors.
New-EdgeSubscription -FileName "c:\EdgeSubscriptionFiles\Edge01Subscription.xml" -CreateInboundSendConnector $false -CreateInternetSendConnector $false -Site "YourADSite"
New-EdgeSubscription -FileName "c:\EdgeSubscriptionFiles\Edge02Subscription.xml" -CreateInboundSendConnector $false -CreateInternetSendConnector $false -Site "YourADSite"
I copied the xml files of each Edge Server to the Transport Server and ran the following cmdlet to create the Edge Subscription to the Edge Servers. I then had the Edge Servers Rebooted for good measure before redoing a Full Manual Edge Sync.
New-EdgeSubscription -FileData ([byte]$(Get-Content -Path "C:\XMLImport\Edge01Subscription.xml" -Encoding Byte -ReadCount 0)) -Site "YourADSite" -CreateInboundSendConnector $false -CreateInternetSendConnector $false
New-EdgeSubscription -FileData ([byte]$(Get-Content -Path "C:\XMLImport\Edge02Subscription.xml" -Encoding Byte -ReadCount 0)) -Site "YourADSite" -CreateInboundSendConnector $false -CreateInternetSendConnector $false
I next had to preform a full manual EdgeSync from the transport server to the Edge Servers to assure that the recipient database on the AD LDS instance was up to date and that the send connectors were replicated properly.
Start-EdgeSynchronization -TargetServer Edge01 -ForceFullSync | fl
Start-EdgeSynchronization -TargetServer Edge02 -ForceFullSync | fl
I next had to re-run the Hybrid Configuration Wizard so that I could configure the Edge Servers as the transport for Hybrid cloud-bound Messages. Once the Edge Servers were chosen to transport Hybrid cloud-bound messages, I selected the new Edge Certificate so that transport would work properly when re-enabled and O365 would recognize the new certificate for Hybrid messages bound for the cloud.
I next re-enabled the Edge Send Connectors so that mail flow would begin working once the Full Edge Synchronization was completed. You have to let that complete before you can begin mail flow again so that messages won’t be delivered to the Poison Queue.
Get-SendConnector -identity "Edge To Internet" | Set-SendConnector -Enabled:$True
Get-SendConnector -identity "Inbound - Edge To Internal Site" | Set-SendConnector -Enabled:$True
Mail flow began working. It took about 90 minutes for all the queues to clear properly that had queued messages waiting to transport. Any Poison Queued messages were removed with NDRs sent to the senders.
It was a doozy to say the least. Happy Troubleshooting!
Leave Comments or Questions you may have!