Another day with a good problem in hand to resolve.
One of our clients was having trouble with Exchange email flow after a new certificate was deployed to the Exchange environment.
While troubleshooting, we found that the send connector on the Edge servers was not getting the new "TlsCertificateName" value.
Here is the command you can use to check the connector properties:
Get-SendConnector "Outbound to Office 365" | fl
We were scratching our heads, and then we decided to check with ADSIEDIT by adding the value manually.
On the Edge server, open ADSIEDIT and connect using the following settings
Once connected, browse to Services → Microsoft Exchange → First Organization → Administrative Groups → Exchange Administrative Group → Routing Groups → Exchange Routing Groups → Connections
Here you will find all the connectors. Select the connector in question and, in its properties, update ms-Exch-Smtp-TLS-Certificate manually.
This resulted in a range error, which gave us the hint that the TLS certificate name value was out of range.
This led us to the Microsoft article:
Emails sent from on-premises to Exchange Online appears to be external after running HCW
We followed Resolution 1 to increase the range from 256 to 1024. After that, we ran the command below to force a full resynchronization.
Start-EdgeSynchronization -Server exchnage1 -TargetServer edgetransport1 -ForceFullSync
This updated the connectors on the Edge Transport server and resolved the issue.
Steps to be followed for updating the Range:
- Import-Module ActiveDirectory (install the RSAT-ADDS tools if the ActiveDirectory module is not present)
- Check the current range
Get-ADObject -Filter {name -eq "ms-Exch-Smtp-TLS-Certificate"} -SearchBase ((Get-ADRootDSE -Server localhost:50389).schemaNamingContext) -Server localhost:50389 -Properties * | Select-Object rangeUpper
- Update the range to 1024
Get-ADObject -Filter {name -eq "ms-Exch-Smtp-TLS-Certificate"} -SearchBase ((Get-ADRootDSE -Server localhost:50389).schemaNamingContext) -Server localhost:50389 -Properties * | Set-ADObject -Replace @{rangeUpper=1024}
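To confirm that a certificate will hit this limit before relying on EdgeSync, the following added example (not part of the original post or the Microsoft article) compares the length of the TlsCertificateName string with the schema's rangeUpper on the Edge server. It assumes the standard "<I>issuer<S>subject" format Exchange uses for TlsCertificateName; the thumbprint is a placeholder you must replace.

```powershell
# Added example: run in the Exchange Management Shell on the Edge Transport server.
# Checks whether the new certificate's TlsCertificateName fits within the
# rangeUpper limit of ms-Exch-Smtp-TLS-Certificate in the local AD LDS schema.

Import-Module ActiveDirectory

$Thumbprint = '<THUMBPRINT-OF-NEW-CERTIFICATE>'   # placeholder, not a real value
$LdsServer  = 'localhost:50389'                   # AD LDS endpoint used in the steps above

# Exchange stores the connector certificate as "<I>Issuer<S>Subject".
$cert    = Get-ExchangeCertificate -Thumbprint $Thumbprint
$tlsName = "<I>$($cert.Issuer)<S>$($cert.Subject)"

# Read the current upper bound from the schema attribute definition.
$schemaNc = (Get-ADRootDSE -Server $LdsServer).schemaNamingContext
$attr = Get-ADObject -Filter 'name -eq "ms-Exch-Smtp-TLS-Certificate"' `
            -SearchBase $schemaNc -Server $LdsServer -Properties rangeUpper

# A missing rangeUpper means the schema imposes no upper bound.
$limit = $attr.rangeUpper
$fits  = ($null -eq $limit) -or ($tlsName.Length -le $limit)

[pscustomobject]@{
    TlsCertificateName = $tlsName
    Length             = $tlsName.Length
    RangeUpper         = $limit
    FitsInSchema       = $fits
}

if (-not $fits) {
    Write-Warning ("TlsCertificateName is {0} characters but rangeUpper is {1}; " +
                   "EdgeSync cannot write this value until the range is raised.") `
                   -f $tlsName.Length, $limit
}

# List what each send connector currently holds, to spot connectors
# that did not receive the new certificate name.
Get-SendConnector | Select-Object Name, TlsCertificateName | Format-List
```

Run it again after raising the range and forcing a full EdgeSync to verify that the connectors now show the new value.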
If you are in the same situation, this article should help you resolve the mail flow issue.
Thanks for reading…
Tech Wizard