Hi everyone,
this is my first entry here, so please have mercy if I forget something.
Let's start with our systems:
- Hybrid environment
- 6 Exchange Server 2019 onPrem + 1 test server
- Around 60 resource mailboxes are in the cloud for testing and some test users
- remaining users are still onPrem
- 2 Edge MS Server 2019
A week ago we received a message that the Edge certificate had expired. Of course, we did not have any monitoring for this (we have learned from this). So no mails/booking requests could be sent to the above-mentioned resources (and unfortunately still can't be). So we installed a new certificate on ONE onPrem server (why only one is beyond me).
It should be said here that I'm still quite new to the Exchange game and have yet to get to grips with it. Of course, this happens during vacation time and the person who could fix it is sick...
In short, I made this with a colleague: https://ficilitydotnet.wordpress.com/2013/04/26/smtp-certificate-renewal-and-edge-subscription/
The test for booking resources has worked and is still working. Some other colleagues from IT can invite the resources and the appointments appear in the calendar.
However, this does not happen for me, for example. I get the following message when I want to load resources in the cloud:
======================
Diagnostic information for administrators:
Generating server: Blub-dmz.de
Receiving server: Blub-mail-onmicrosoft-com.mail.protection.outlook.com ()
Blub@blub.de
Server at Blub-mail-onmicrosoft-com.mail.protection.outlook.com () returned '400 4.4.7 Message delayed'
12.07.2022 17:11:15 - Server at Blub-mail-onmicrosoft-com.mail.protection.outlook.com () returned '451 4.4.395 Target host responded with error. -> 421 4.4.1 Connection timed out'
======================
Just for fun, I loaded all resources together. Unfortunately, the result is the same.
I'm at my wit's end. Do you have any tips?
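The opener says there was no monitoring for the Edge certificate running out. Added example, not from this thread: a script for the Exchange Management Shell that lists the certificates bound to the SMTP service and flags the ones that are expired or expire within a threshold. The helper name, the 30-day threshold and the exit codes are my assumptions; run it locally on each Edge (Edge servers are not domain-joined, so `Get-ExchangeCertificate -Server` is not used there) and with `-Servers` against the internal servers.

```powershell
# Added example (not from the thread): report Exchange certificates bound to SMTP
# and flag the ones that are expired or expire within $WarnDays. Run in the
# Exchange Management Shell; on an Edge server call it without -Servers.
param(
    [string[]]$Servers  = @(),   # internal servers to query; empty = local server
    [int]     $WarnDays = 30     # assumed warning threshold
)

function Get-ExpiringSmtpCertificates {   # hypothetical helper name
    param([string[]]$Servers, [int]$WarnDays)
    $now     = Get-Date
    $results = @()
    # An empty server list means "query the local server only" (the Edge case)
    $targets = if ($Servers.Count -gt 0) { $Servers } else { @($null) }
    foreach ($srv in $targets) {
        $certs = if ($srv) { Get-ExchangeCertificate -Server $srv } else { Get-ExchangeCertificate }
        foreach ($c in $certs) {
            # Only certificates assigned to SMTP matter for Edge / hybrid mail flow
            if ($c.Services.ToString() -notmatch 'SMTP') { continue }
            $daysLeft = [math]::Floor(($c.NotAfter - $now).TotalDays)
            $results += [pscustomobject]@{
                Server     = if ($srv) { $srv } else { $env:COMPUTERNAME }
                Thumbprint = $c.Thumbprint
                Subject    = $c.Subject
                Services   = $c.Services.ToString()
                NotAfter   = $c.NotAfter
                DaysLeft   = $daysLeft
                Status     = if ($daysLeft -lt 0)          { 'EXPIRED'  }
                             elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
                             else                            { 'OK'       }
            }
        }
    }
    return $results
}

$report = Get-ExpiringSmtpCertificates -Servers $Servers -WarnDays $WarnDays
$report | Sort-Object DaysLeft |
    Format-Table Server, Status, DaysLeft, NotAfter, Services, Subject -AutoSize

# Non-zero exit code so a scheduled task or monitoring agent can raise an alert
if ($report | Where-Object { $_.Status -ne 'OK' }) { exit 2 } else { exit 0 }
```

Schedule it daily on every Edge and on one internal server with the full server list; an `EXPIRING` line a month ahead is what was missing here.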
Hi Dexter,
Why the Edge itself? Do you use it for inbound mail filtering or what is the reason? You don't need it for a pure hybrid environment between OnPrem and EOL.
Otherwise, I would first activate logging for the relevant transport connectors for the hybrid connection and take a look at them in live operation. This might give you some clues as to why it is only partially working. Also keep an eye on the event log on the OnPrem and Edge servers, you will usually find clues quite quickly as to where things are stuck. Especially with regard to certificates, the advice is not only to create/import them, but also to assign the services to the appropriate cert. Also make sure that the cert is not only assigned on the front end, but also on the back end, otherwise the whole thing will not work. Then start the relevant transport services on the server(s).
Greetings,
Ralf
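Ralf's advice above (protocol logging on the hybrid connectors, assigning the services to the new certificate, restarting transport) as an added example; this is not Ralf's code and not from the thread. The thumbprint is a placeholder, and the connector name patterns are assumptions based on the names the Hybrid Configuration Wizard uses by default; adjust them to the connectors that actually exist in your environment.

```powershell
# Added example (not from the thread): verbose protocol logging on the hybrid
# connectors, the log locations, and binding the new certificate to SMTP.
$NewThumbprint = '<THUMBPRINT-OF-NEW-CERT>'          # placeholder

# 1. Verbose protocol logging on the connectors used for the hybrid mail flow
#    (name patterns are assumptions; list them first with Get-SendConnector / Get-ReceiveConnector)
Get-SendConnector    | Where-Object { $_.Name -like 'Outbound to Office 365*' } |
    Set-SendConnector -ProtocolLoggingLevel Verbose
Get-ReceiveConnector | Where-Object { $_.Name -like 'Default Frontend*' } |
    Set-ReceiveConnector -ProtocolLoggingLevel Verbose

# 2. Where the protocol logs are written (Transport service exists on Edge and internal;
#    the Frontend Transport service only on internal servers)
Get-TransportService | Select-Object Name, SendProtocolLogPath, ReceiveProtocolLogPath
if (Get-Command Get-FrontendTransportService -ErrorAction SilentlyContinue) {
    Get-FrontendTransportService | Select-Object Name, SendProtocolLogPath, ReceiveProtocolLogPath
}

# 3. Assign SMTP (and IIS, if the same certificate serves HTTPS on an internal server)
#    to the new certificate, then verify which certificate SMTP now offers for STARTTLS
Enable-ExchangeCertificate -Thumbprint $NewThumbprint -Services SMTP,IIS -Force
Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' } |
    Format-Table Thumbprint, NotAfter, Services, CertificateDomains -AutoSize

# 4. Restart transport so the new certificate is actually used
Restart-Service MSExchangeTransport
if (Get-Service MSExchangeFrontEndTransport -ErrorAction SilentlyContinue) {
    Restart-Service MSExchangeFrontEndTransport
}

# 5. Live view: TLS negotiation and 4xx responses in the newest local receive log
$logDir = (Get-TransportService -Identity $env:COMPUTERNAME).ReceiveProtocolLogPath.PathName
Get-ChildItem $logDir -Filter '*.log' | Sort-Object LastWriteTime -Descending |
    Select-Object -First 1 | Get-Content |
    Select-String -Pattern 'STARTTLS|TLS|421|451' | Select-Object -Last 40
```

Two caveats from the thread itself: `-Force` overwrites the default SMTP certificate, and on an Edge server that means the Edge subscription has to be recreated afterwards; and the certificate must be assigned on every server that handles the flow, not only on one.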
Why the Edge itself?
Why not? Not everyone wants direct access to the internal exchange ;)
services to the appropriate cert. Make sure that the cert is not only assigned on the frontend, but also on the backend, otherwise the whole thing will not work. Then start the relevant transport services on the server(s).
The IIS really has nothing to do with the transport service.
The IIS really has nothing to do with the transport service.
correct, the transport service itself is not. What I wanted to point out was the fact that a certificate change on the server does not automatically mean that this is also replaced on the backend and this can then lead to connection problems (HTTPS).
It was probably rather confusing for this scenario. :)
To set the new certificate for the SMTP protocol itself, it is sufficient to activate it via PS (set-exchangecertificate -services...)
correct, the transport service itself is not. What I wanted to point out was the fact that a certificate change on the server does not automatically mean that this is also replaced on the backend and this can then lead to connection problems (HTTPS).
But there is no IIS on an Edge ;) When renewing the certificate on an Edge, the certificate should also be available on the internal Exchange and then the Hybrid Wizard should be run again so that the connectors are configured correctly. This can also be done manually, but is usually quicker.
So we have installed a new certificate on ONE onPrem server (why only one is beyond me)
That's why I wrote that. Nothing more.
Thank you @Monthy,
Which events in the Edge Server LOG do I need to look at?
The Edge is in the DMZ, perhaps this information will help.
I moved an account to the cloud and sent a test email. Unfortunately, no error message has come back since yesterday. In the MessageTrackingLog from Exchange onPrem it is forwarded to the Edge. Now it is just a matter of finding out whether it was forwarded to EXO.
It's been a few months since I worked with edge servers in the Exchange environment. From my point of view, the Edge itself is always located in a separate network area (DMZ) in front of the actual internal Exchange servers and takes over the pre-filtering of mails, etc.
After renewing the certificate, use new-edgesubscription... to create a new connection between an internal Exchange and the Edge Server.
I can no longer say whether a separate Send/Receive Connector is also set up for this, as is normally done when setting up the hybrid connection against Exchange Online, for example. Norbert can certainly say more about this.
In the MessageTrackingLog from Exchange onPrem, it is forwarded to the Edge.
If the internal system is already transmitting to the Edge, then I would also try the event display on the Edge or search through its message tracking logs.
As I said, Edge was a long time ago for me. Others can help you better.
Greetings,
Ralf
If the internal system is already transmitting to the Edge, then I would also try the event display on the Edge or search through its message tracking logs.
That's exactly what I tried. Using PS, I can only find the other mails or resource invitations in the MessageTrackingLog that I sent as a test a few days ago. These resulted in the NDR mentioned above.
How can I get the event display to show me what arrives at the Edge?
As I said, maybe the Hybrid Wizard has to be run again after the certificate change, I can't judge in connection with the Edge.
In the event log, however, there should at least be indications of a faulty connection setup/attempt between EOL and the Edge.
'451 4.4.395 Target host responded with error. -> 421 4.4.1 Connection timed out'
at least indicates that during the delivery phase (approx. 2 days depending on the config) it was not possible to successfully deliver the messages.
'400 4.4.7 Message delayed'
Do you still get the information after you have redone the cert?
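Ralf's suggestion to look at the Edge's own message tracking log and its event log, as an added example (not Ralf's code, not from the thread). Run it on the Edge; the sender, recipient and the three-day window are assumed values, and the filtering on `MSExchange*` event providers is an assumption about how the relevant sources are named.

```powershell
# Added example (not from the thread): what did the Edge do with a message, and
# which transport / EdgeSync errors did it log in the same window?
$Sender    = 'user@blub.de'        # placeholder
$Recipient = 'resource@blub.de'    # placeholder
$Start     = (Get-Date).AddDays(-3)

# 1. Message tracking on the Edge: RECEIVE (from the internal server), SEND (to EXO),
#    DEFER (retry after e.g. a connect/TLS failure) or FAIL, plus the connector used
Get-MessageTrackingLog -Start $Start -Sender $Sender -Recipients $Recipient -ResultSize Unlimited |
    Sort-Object Timestamp |
    Select-Object Timestamp, EventId, Source, ConnectorId, ClientHostname, ServerHostname,
                  @{ n = 'RecipientStatus'; e = { $_.RecipientStatus -join ';' } }, MessageSubject |
    Format-Table -AutoSize

# 2. Queues: messages stuck for the EXO smart host carry the last SMTP error
#    (the "421 4.4.1 Connection timed out" from the NDR shows up here as LastError)
Get-Queue | Where-Object { $_.MessageCount -gt 0 } |
    Select-Object Identity, DeliveryType, Status, MessageCount, NextHopDomain, LastError |
    Format-List

# 3. Application log: critical/error/warning events from Exchange components in the window
Get-WinEvent -FilterHashtable @{
    LogName   = 'Application'
    Level     = 1, 2, 3                 # critical, error, warning
    StartTime = $Start
} -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like 'MSExchange*' } |   # assumed provider naming
    Select-Object TimeCreated, ProviderName, Id,
                  @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

A RECEIVE without a matching SEND, together with a DEFER and a queue whose `LastError` repeats the 421, points at the Edge-to-EXO leg rather than the internal-to-Edge leg.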
As I said, perhaps after the change of certificate
It should, and almost certainly will, fix the problem. At least then you can be sure that the connector fits. Of course, if you renew the certificate with the same key, you can save yourself the trouble ;) Keep an eye on the configuration. And yes, I have various Edges in use.
Thank you, unfortunately we now have a follow-up problem, I think.
Various error messages have been appearing in the event log since Thursday evening:
The local server couldn't be found. Microsoft Exchange can't update the Active Directory Lightweight Directory Services (AD LDS) credentials. Exception is Active Directory error '0x52' when checking the eligibility of the server 'localhost': 'Active Directory response: Local error. Make sure that the service account used by the Microsoft Exchange Edge Credential service has permission to access the local Exchange server object in the Active Directory service. Also make sure that the FQDN of the computer matches the FQDN attribute of the server object in Active Directory.
Microsoft Exchange couldn't read the configuration from the Active Directory directory service because of error: Microsoft.Exchange.Transport.Common.TransportComponentLoadFailedException: The configuration loader failed to initialize 'TransportServerConfiguration'.
at Microsoft.Exchange.Transport.Configuration.ConfigurationLoader`2.Builder.RegisterWithAD[T](Func`1 rootIdGetter)
at Microsoft.Exchange.Transport.TransportServerConfiguration.Builder.Register()
at Microsoft.Exchange.Transport.Configuration.ConfigurationLoader`2.Load()
at Microsoft.Exchange.Transport.Logging.Search.LogSearchService.BeginStart(Object state).
Microsoft Exchange couldn't read the Receive connector configuration because the directory is unavailable. The service will be stopped.
The first message in particular appears every second. The AD sync in the DMZ to the Edge servers seems to be disrupted. We have already read through Google. I cannot execute EXC cmdlets locally:
Get-ReceiveConnector : Active Directory error '0x52' when checking the eligibility of the server 'localhost': 'Active
Directory response: Local error.'.
In line:1 Character:1
+ Get-ReceiveConnector
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-ReceiveConnector], NoSuitableServerFoundException
+ FullyQualifiedErrorId : [Server=SMSXE01ES,RequestId=2ae5558a-9bf1-4d86-b08e-3eb5559a3579,TimeStamp=19.07.2022 11
00:19] [FailureCategory=Cmdlet-NoSuitableServerFoundException] 4F6F5C1C,Microsoft.Exchange.Management.SystemConfi
gurationTasks.GetReceiveConnector
Accordingly, it is not possible, for example, to check connectors on the edges, etc.
The FQDNs of the Edge and in the AD are the same. Strangely enough, no gateways are set on the Edge servers. Is that important?
HELP! :-(
The error messages come from the Edge
This looks more like an AD problem to me, not a communication problem from/to the Edge.
You wrote that you have more than one Exchange OnPrem in the internal network. Do you have several errors in the event log regarding AD?
At first glance, the Exchange cannot find any valid DC/GC and therefore does not even start up the Exchange topology service. As a result, other services are also not started (e.g. transport).
Has anything been changed on the network cards, the bindings, the order of the adapters or DNS servers, port sharing between DMZ and LAN, etc.?
[FailureCategory=Cmdlet-NoSuitableServerFoundException] 4F6F5C1C
NoSuitableServerFound actually means that it cannot/may not ask/find a DC.
Maybe this will help?
https://practical365.com/msexchange-edgesync-service-wont-start-and-event-id-1045/
Greetings,
Ralf
Microsoft Exchange can't update the Active Directory Lightweight Directory Services (AD LDS) credentials.
In most cases, the MSExchangeEdgeCredential service is not running, or someone has replaced the certificate and destroyed the Edge subscription. In the latter case, it helps to delete the subscription and create a new one. You should definitely take a close look at the steps and functionality of the Edge subscription in connection with the certificates and not think that your certificate is good ;) This is because the certificate is then also used for access to the AD-LDS (ADAM) if the standard certificate is overwritten, and it is then clear that you can no longer access it.
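Monthy's points (check the MSExchangeEdgeCredential service; a replaced default certificate invalidates the subscription, so delete it and create a new one; earlier, that the Edge cert must be known to the internal side and the subscription re-established with New-EdgeSubscription) as one added example, not from the thread. It is in two halves: the first runs on the Edge, the second on an internal Mailbox server in the site the Edge is subscribed to. The paths, the Edge name and the AD site name are placeholders; port 50636 is the secure LDAP port EdgeSync uses for AD LDS.

```powershell
# Added example (not from the thread): check the Edge's AD LDS side, then
# recreate the Edge subscription after a certificate change.

# ----- On the Edge Transport server -----
# 1. Are AD LDS (ADAM) and the credential service up? Without them every cmdlet that
#    reads configuration fails with the 0x52 'Local error' quoted above.
Get-Service ADAM_MSExchange, MSExchangeEdgeCredential, MSExchangeTransport |
    Format-Table Name, Status, StartType -AutoSize
# EdgeSync reaches AD LDS over secure LDAP on 50636; make sure it is listening
Get-NetTCPConnection -LocalPort 50636 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, State

# 2. Note the current default SMTP certificate, then export a fresh subscription file.
Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' } |
    Format-Table Thumbprint, NotAfter, Services, Subject -AutoSize
$subFile = "C:\EdgeSub\$env:COMPUTERNAME.xml"                 # placeholder path
New-Item -ItemType Directory -Path (Split-Path $subFile) -Force | Out-Null
New-EdgeSubscription -FileName $subFile -Force                  # -Force replaces the local subscription
# Copy $subFile to the internal server; import it within 1440 minutes (24 h).

# ----- On an internal Mailbox server -----
$edgeName = 'EDGE01'                                            # placeholder Edge server name
$site     = 'Default-First-Site-Name'                           # placeholder AD site
$subFile  = "C:\EdgeSub\$edgeName.xml"                          # placeholder (the copied file)

# 3. Remove the stale subscription for this Edge, then import the new file
#    (Get-Content -Encoding Byte is the Windows PowerShell 5.1 form used by the EMS).
Get-EdgeSubscription | Where-Object { $_.Name -eq $edgeName } |
    Remove-EdgeSubscription -Confirm:$false
New-EdgeSubscription -FileData ([byte[]](Get-Content -Path $subFile -Encoding Byte -ReadCount 0)) `
    -Site $site -CreateInternetSendConnector $true -CreateInboundSendConnector $true

# 4. Secure LDAP to the Edge must be reachable from here, then push and verify the sync
Test-NetConnection -ComputerName $edgeName -Port 50636 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
Start-EdgeSynchronization -TargetServer $edgeName -ForceFullSync
Test-EdgeSynchronization -VerboseErrors |
    Format-List Name, SyncStatus, UtcNow, LastSynchronizedUtc
```

If step 1 already shows ADAM_MSExchange or MSExchangeEdgeCredential stopped, or nothing listening on 50636, fix that first; recreating the subscription on top of a broken AD LDS instance just moves the 0x52 error to the import.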
This looks more like an AD problem to me, not a communication problem from/to the Edge.
The local server couldn't be found. Microsoft Exchange can't update the Active Directory Lightweight Directory Services (AD LDS) credentials.
But an ADAM directory problem on the Edge ;)
I still don't particularly like the Edge.
In my opinion, debugging takes too much time here, because it is not the actual SMTP transmission that is the problem, but the subscription or the certificate exchange and the subsequent renewal of the subscription.
Ralf
I still don't particularly like the Edge.
I'll stick to the fact that I like the Edge ;)
In my opinion, debugging takes too much time here, because it is not the actual SMTP transmission that is the problem, but the subscription or the certificate exchange and the subsequent renewal of the subscription.
If you know what you're doing, it's not as complicated as it looks here. But it is definitely an unfavorable topic for the forum.