20 August 2013

EDGE synchronization not working

For EDGE subscription synchronization to work you need the following ports opened:
445
8815
8816
8817
50389
I will add the directions from-to later.

When EDGE subscription synchronization is not working, check the following.

It is first seen in the Event Viewer as event ID 1033:

EdgeSync failed to decrypt the credential for Edge Transport server servername.domain.lan using the private key of the default Exchange certificate with exception Bad Data. The certificate's thumbprint is XXXXXXXXXXXXXXXXXXXXXX3954C8D6C78B and its subject is CN=servername.domain.lan, OU=ICT, O=Company N.V., L=State, S=Provence, C=NL. Use either Enable-ExchangeCertificate or New-ExchangeCertificate to set the proper Exchange default certificate and re-subscribe the Edge Transport server servername.domain.lan again.


In PowerShell:

Test-EdgeSynchronization

RunspaceId                  : b92a6789-50ce-4aec-a37c-95599e35ae52
SyncStatus                  : Failed
UtcNow                      : 20-8-2013 8:35:32
Name                        : servername
LeaseHolder                 :
LeaseType                   : None
FailureDetail               : EdgeSync service cannot connect to this subscription because of error "No EdgeSync creden
                              tials were found for Edge transport server servername.domain.lan on the local Hub Transport
                               server. Remove the Edge subscription and re-subscribe the Edge Transport server.".
LeaseExpiryUtc              : 1-1-0001 0:00:00
LastSynchronizedUtc         : 1-1-0001 0:00:00
TransportServerStatus       : Skipped
TransportConfigStatus       : Skipped
AcceptedDomainStatus        : Skipped
RemoteDomainStatus          : Skipped
SendConnectorStatus         : Skipped
MessageClassificationStatus : Skipped
RecipientStatus             : Skipped
CredentialRecords           : Number of credentials 0
CookieRecords               : Number of cookies 0

As you can see, the SyncStatus is Failed.

Get-ExchangeCertificate | fl

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {servername.domain.lan, outlook.domain.lan, mail.domain.lan, webmail.domain.nl, autodiscover.domain.nl, }
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=Domain-IssuingCA, DC=Domain, DC=lan
NotAfter           : 15-8-2013 14:08:18
NotBefore          : 4-3-2013 11:11:46
PublicKeySize      : 2048
RootCAType         : Enterprise
SerialNumber       : 537C7FB7000200000BE7
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=Servername.domain.lan, OU=ICT, O=Company, L=State, S=Provence, C=Country
Thumbprint         : XXXXXXXXXXXXXXXXXXXXXX3954C8D6C78B

Check that this thumbprint matches the one reported in the 1033 event, then enable that certificate for the Exchange services:

Enable-ExchangeCertificate -Thumbprint XXXXXXXXXXXXXXXXXXXXXX3954C8D6C78B -DoNotRequireSsl -Services SMTP,IIS,IMAP,POP
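The checks above (Test-EdgeSynchronization, the 1033 event, Get-ExchangeCertificate and the port list at the top) can be put together in one script. The following is an added example for the Exchange Management Shell on the Hub Transport server, not code from the original post: it reports failed subscriptions, pulls the thumbprint EdgeSync names in event 1033, lists every Exchange certificate with its expiry, private-key and SMTP-binding state so the two can be compared (note that the Get-ExchangeCertificate output above shows a NotAfter of 15-8-2013 while the post is dated 20 August 2013, so expiry is worth checking), and probes the listed ports toward the Edge server. `$EdgeFqdn` is a placeholder, and because the post does not yet give the port directions the probe only tests reachability from the machine it runs on.

```powershell
# Added example, not code from the original post. Run in the Exchange Management Shell
# on the Hub Transport server. $EdgeFqdn is a placeholder; the port probe tests
# reachability from this machine only (directions are not stated in the post).
param(
    [string]$EdgeFqdn = "servername.domain.lan",          # placeholder Edge Transport FQDN
    [int[]] $Ports    = @(445, 8815, 8816, 8817, 50389)    # ports listed in the post
)

# (1) EdgeSync state per subscription: anything other than a clean sync is reported
$results = Test-EdgeSynchronization
foreach ($r in ($results | Where-Object { $_.SyncStatus -eq 'Failed' })) {
    Write-Warning ("EdgeSync to {0} failed: {1}" -f $r.Name, $r.FailureDetail)
}

# (2) Thumbprint named in the most recent 1033 "failed to decrypt the credential" event
$eventThumb = $null
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1033 } -MaxEvents 100 -ErrorAction SilentlyContinue |
       Where-Object { $_.Message -like 'EdgeSync failed to decrypt the credential*' } |
       Select-Object -First 1
if ($evt -and $evt.Message -match "thumbprint is ([0-9A-Fa-f]{40})") {
    $eventThumb = $Matches[1].ToUpper()
    Write-Host "Event 1033 refers to certificate thumbprint $eventThumb"
}

# (3) Exchange certificates: is the referenced one present, unexpired, holding a
#     private key and enabled for SMTP? (New-Object keeps this PowerShell 2.0 compatible.)
$now   = Get-Date
$certs = Get-ExchangeCertificate | ForEach-Object {
    New-Object PSObject -Property @{
        Thumbprint    = $_.Thumbprint
        Subject       = $_.Subject
        NotAfter      = $_.NotAfter
        Expired       = ($_.NotAfter -lt $now)
        HasPrivateKey = $_.HasPrivateKey
        Services      = $_.Services.ToString()
        BoundToSmtp   = ($_.Services.ToString() -match 'SMTP')
        NamedInEvent  = ($eventThumb -ne $null -and $_.Thumbprint -eq $eventThumb)
    }
}
$certs | Format-Table Thumbprint, Expired, HasPrivateKey, BoundToSmtp, NamedInEvent, NotAfter -AutoSize

$candidate = $certs | Where-Object { $_.NamedInEvent }
if ($candidate -and $candidate.Expired) {
    Write-Warning ("The certificate named in the event expired on {0}; renew it " +
                   "(New-ExchangeCertificate) before re-subscribing.") -f $candidate.NotAfter
} elseif ($candidate -and $candidate.HasPrivateKey -and -not $candidate.BoundToSmtp) {
    Write-Host "Certificate is present but not enabled for SMTP; enable it with:"
    Write-Host "  Enable-ExchangeCertificate -Thumbprint $eventThumb -Services SMTP"
} elseif ($eventThumb -and -not $candidate) {
    Write-Warning "No Exchange certificate with thumbprint $eventThumb exists on this server."
}

# (4) TCP reachability of the listed ports toward the Edge server (3 s timeout each)
foreach ($p in $Ports) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($EdgeFqdn, $p, $null, $null)
        $ok = $async.AsyncWaitHandle.WaitOne(3000) -and $client.Connected
    } catch {
        $ok = $false
    } finally {
        $client.Close()
    }
    Write-Host ("{0}:{1} reachable = {2}" -f $EdgeFqdn, $p, $ok)
}
```

The table in step (3) is the part that resolves the 1033 message: the row with NamedInEvent = True must also show Expired = False, HasPrivateKey = True and BoundToSmtp = True, otherwise the Enable-ExchangeCertificate step above (or a renewal) is what is missing.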

The problem right now is that we do not refresh the certificate used by ADAM when issuing a new subscription, so if you have created a new certificate, we keep presenting the old one. So here is what you need to do to get ADAM to present the new one:
 
1. On the Hub, remove the subscription.
2. On the Edge, remove the certificate used by ADAM to establish secure connections. You can do this with the following steps:
  • a. Open an empty MMC console (Run -> mmc).
  • b. Select File -> Add/Remove Snap-in.
  • c. Hit Add.
  • d. Select "Certificates" from the list of available snap-ins and hit Add.
  • e. Select "Service Account" on the "Certificates Snap-In" page and click Next.
  • f. Select "Local Computer" on the "Select Computer" page and click Next.
  • g. Select "Microsoft Exchange ADAM" from the list of services and click Finish.
  • h. Close the "Add Snap-in" dialog.
  • i. Navigate to "Certificates - Service" -> "ADAM_MSExchange\Personal" -> Certificates.
  • j. You should see a single certificate here. Remove it.
3. On the Edge, unsubscribe, then create a new subscription file by calling New-EdgeSubscription (you should see a new certificate show up in the ADAM certificate container from the step above):

New-EdgeSubscription -FileName "<path to file>.xml"

4. Restart the "Microsoft Exchange ADAM" service.
5. Export the file to the Hub server.
6. On the Hub server, import the new subscription.
7. Create a new Edge subscription in the EMC.

Then you have to wait a few minutes.

To check whether synchronization works, run:

Start-EdgeSynchronization
Test-EdgeSynchronization
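The seven-step procedure and the final check can also be driven from the Exchange Management Shell instead of the EMC. The block below is an added example, not the original post's commands: each section runs on the server named in its comment, step 2 (removing the ADAM certificate in MMC) and step 5 (copying the file) stay manual, and the server name, file path and Active Directory site are placeholders. The verification at the end replaces "wait a few minutes" with a poll on LastSynchronizedUtc, which the failed output above shows as 1-1-0001 until a sync has succeeded.

```powershell
# Added example, not code from the original post: the re-subscribe procedure as shell commands.
# Run each section on the server named in its heading. Names, paths and the AD site are placeholders.

## Step 1 - on the Hub Transport server: remove the existing subscription
$EdgeName = "servername"                                # placeholder: Name as shown by Get-EdgeSubscription
if (Get-EdgeSubscription | Where-Object { $_.Name -eq $EdgeName }) {
    Remove-EdgeSubscription -Identity $EdgeName -Confirm:$false
}

## Steps 3 and 4 - on the Edge Transport server, after the MMC certificate removal (step 2)
$SubscriptionFile = "C:\Temp\EdgeSubscription.xml"      # placeholder path for the new subscription file
# "Unsubscribe" on the Edge side; ignore the error if no subscription exists any more
Remove-EdgeSubscription -Identity $env:COMPUTERNAME -Confirm:$false -ErrorAction SilentlyContinue
# Create the new subscription file; -Force suppresses the "1440 minutes" confirmation prompt
New-EdgeSubscription -FileName $SubscriptionFile -Force
# Service name of "Microsoft Exchange ADAM" (the store seen in MMC as ADAM_MSExchange\Personal)
Restart-Service -Name ADAM_MSExchange

## Steps 6 and 7 - on the Hub Transport server, after copying $SubscriptionFile over from the Edge (step 5)
$SubscriptionFile = "C:\Temp\EdgeSubscription.xml"      # placeholder: where the copied file was placed
$Site             = "Default-First-Site-Name"           # placeholder: AD site that holds this Hub server
$fileData = [byte[]](Get-Content -Path $SubscriptionFile -Encoding Byte -ReadCount 0)
New-EdgeSubscription -FileData $fileData -Site $Site

## Verification - on the Hub: kick off a sync and poll until the first successful sync is recorded
$EdgeName = "servername"                                # placeholder, same name as in step 1
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-EdgeSynchronization | Out-Null
    Start-Sleep -Seconds 60
    $status = Test-EdgeSynchronization | Where-Object { $_.Name -eq $EdgeName }
    # LastSynchronizedUtc stays at 1-1-0001 (year 1) until a sync has completed
    $synced = ($status -ne $null) -and ($status.LastSynchronizedUtc.Year -gt 1)
} until ($synced -or ((Get-Date) -gt $deadline))

if ($synced) {
    Write-Host "EdgeSync to $EdgeName completed at $($status.LastSynchronizedUtc) UTC"
} else {
    Write-Warning ("EdgeSync to {0} still not synchronized after 10 minutes: {1}" -f $EdgeName, $status.FailureDetail)
}
$status | Format-List Name, SyncStatus, FailureDetail, LastSynchronizedUtc, CredentialRecords
```

Importing with -FileData and -Site does in the shell what step 7 does in the EMC wizard; if the import still reports "No EdgeSync credentials were found" afterwards, the ADAM certificate from step 2 was most likely not removed before the new subscription file was generated.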

 
Source 1
Source 2

3 comments:

  1. After removing "j. You should see a single certificate here. Remove it." I receive the error below:
    [PS] C:\Windows\system32>New-EdgeSubscription -FileName "D:\TMG3Edge.xml"

    Confirm
    The Edge Subscription should be completed inside your organization within the next "1440" minutes before the bootstrap
    account expires.
    [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y
    New-EdgeSubscription : Microsoft Exchange couldn't create or update the Edge Subscription account on the Edge Transport
    server for the following reason: The LDAP server is unavailable.. Stack is at System.DirectoryServices.Protocols.Ld
    apConnection.Connect()
    at System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, Boolean needSetCred
    ential)
    at Microsoft.Exchange.MessageSecurity.EdgeSync.AdamUserManagement.CreateOrUpdateADAMPrincipal(String user, String pa
    ssword, Boolean bootStrapAccount, TimeSpan expiry)
    at Microsoft.Exchange.Management.SystemConfigurationTasks.NewEdgeSubscription.InitiateSubscriptionOnEdge()
    At line:1 char:21
    + New-EdgeSubscription <<<< -FileName "D:\TMG3Edge.xml"
    + CategoryInfo : InvalidOperation: (:) [New-EdgeSubscription], InvalidOperationException
    + FullyQualifiedErrorId : 713AD31B,Microsoft.Exchange.Management.SystemConfigurationTasks.NewEdgeSubscription


    Why?

  2. I was having this issue and, in Googling this, found this post. I followed all of the steps but the issue persisted. Then I launched the EMC on the 2016 Edge Transport server as administrator and was able to create the new Edge subscription file.
