Exchange 2019 Edge Sync: No EdgeSync credentials were found

Hi All,

Recently I wanted to do some tests with my Exchange 2019 infrastructure in my Azure lab and ran into some problems with EdgeSync.

I knew it was working before, because I have blogged about how to set up the Exchange 2019 Edge Transport role.

I was lucky and explained the problem on the Exchange Coffee Talk with some experienced friends from the Exchange community. They gave me some helpful tips 😍

Problem

So let me explain what happens…

First, we create a new Edge Subscription on the Edge Transport server:

#Edge: New Edge Subscription
If (Test-Path "E:\Install\EdgeSubscriptionInfo.xml")
{
	Remove-Item "E:\Install\EdgeSubscriptionInfo.xml"
}
New-EdgeSubscription -FileName "E:\Install\EdgeSubscriptionInfo.xml"

I had a look at the XML file and it looked fine.

I copied EdgeSubscriptionInfo.xml to the Mailbox server for import. Before importing the new Edge Subscription, I removed the existing Edge Subscription:

#Mailboxserver: Import Edge Subscription
Get-EdgeSubscription | Remove-EdgeSubscription
New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "E:\Install\EdgeSubscriptionInfo.xml" -Encoding Byte -ReadCount 0)) -Site "Default-First-Site-Name"

It is pretty well documented what happens when you import an Edge Subscription in Exchange Server:

- The Edge Subscription is created, joining the Edge Transport server to the Exchange organization. EdgeSync will propagate configuration data to this Edge Transport Server, creating an Edge configuration object in Active Directory.

- Each Mailbox server in the Active Directory site receives notification from Active Directory that a new Edge Transport server has been subscribed. The Mailbox server retrieves the ESBRA from the Edge Subscription file. The Mailbox server then encrypts the ESBRA by using the public key of the Edge Transport server's self-signed certificate. The encrypted credentials are then written to the Edge configuration object.

- Each Mailbox server also encrypts the ESBRA using its own public key and then stores the credentials in its own configuration object.

- EdgeSync replication accounts (ESRAs) are created in Active Directory for each Edge Transport-Mailbox server pair. Each Mailbox server stores its ESRA credentials as an attribute of the Mailbox server configuration object.

- Send connectors are automatically created to relay messages outbound from the Edge Transport server to the Internet, and inbound from the Edge Transport server to the Exchange organization. For more information, see the Send connectors created automatically by the Edge Subscription section in this topic.

- The Microsoft Exchange EdgeSync service that runs on Mailbox servers uses the ESBRA credentials to establish a secure LDAP connection between a Mailbox server and the Edge Transport server, and performs the initial replication of data. The following data is replicated to AD LDS:

  - Topology data
  - Configuration data
  - Recipient data
  - ESRA credentials

- The Microsoft Exchange Credential Service that runs on the Edge Transport server installs the ESRA credentials. These credentials are used to authenticate and secure later synchronization connections.

- The EdgeSync synchronization schedule is established.

- The Microsoft Exchange EdgeSync service running on the Mailbox servers in the subscribed Active Directory site then performs one-way replication of data from Active Directory to AD LDS on a regular schedule. You can also use the Start-EdgeSynchronization cmdlet to override the EdgeSync synchronization schedule and immediately start synchronization.

So far, the Edge Subscription looks fine:

Get-EdgeSubscription | Format-List

But only until you test the Edge Subscription:

Error: EdgeSync service cannot connect to this subscription because of error “No EdgeSync credentials were found for Edge Transport server EDGE01.hq.serveralive.ch on the local mailbox server. Remove the Edge subscription and re-subscribe the Edge Transport

Test-EdgeSynchronization

If I try to start the Edge Sync, I get the result: CouldNotConnect.

I tested the port and I am sure I can connect to TCP port 50636:

Start-EdgeSynchronization

I had a look at the certificates and changed the default SMTP certificate to the self-signed certificate from Exchange, although that resulted in “A special RPC Error”:

Get-ExchangeCertificate
Enable-ExchangeCertificate -Thumbprint "Thumbprint" -Service SMTP

I decided to remove the Edge Subscription:

Get-EdgeSubscription | Remove-EdgeSubscription

Then I changed the default SMTP certificate again. It seems it was already set to the self-signed certificate by Exchange, even though I had an error earlier:

Get-ExchangeCertificate
Enable-ExchangeCertificate -Thumbprint "Thumbprint" -Service SMTP

Now I imported the EdgeSubscriptionInfo.xml again, and Test-EdgeSynchronization showed no error:

New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "E:\Install\EdgeSubscriptionInfo.xml" -Encoding Byte -ReadCount 0)) -Site "Default-First-Site-Name"
Test-EdgeSynchronization

This time, starting the Edge Synchronization was successful:

Start-EdgeSynchronization
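To make the re-subscribe procedure above (remove the old subscription, import the XML, test, start) less dependent on eyeballing cmdlet output, here is an added PowerShell script that is not part of the original post. It assumes it runs in the Exchange Management Shell on the Mailbox server, that the subscription file has already been copied from the Edge server to the path in $SubscriptionFile, and that the site name and Edge server name ($SiteName, $EdgeServer) match your environment; the Name, SyncStatus, FailureDetail, Result and FailureDetails properties are those of the Test-EdgeSynchronization and Start-EdgeSynchronization output objects.

```powershell
# Added example (not from the original post): re-subscribe an Edge Transport
# server and check the EdgeSync test and sync results instead of reading
# the cmdlet output by eye.
# Assumptions: Exchange Management Shell on the Mailbox server, subscription
# file already copied from the Edge server, site and server names adjusted.
param(
    [string]$SubscriptionFile = "E:\Install\EdgeSubscriptionInfo.xml",
    [string]$SiteName         = "Default-First-Site-Name",
    [string]$EdgeServer       = "EDGE01"
)

if (-not (Test-Path $SubscriptionFile)) {
    throw "Subscription file '$SubscriptionFile' not found. Run New-EdgeSubscription -FileName on the Edge server first."
}

# Remove an existing subscription for this Edge server before re-importing it.
Get-EdgeSubscription | Where-Object { $_.Name -eq $EdgeServer } |
    Remove-EdgeSubscription -Confirm:$false

# Import the subscription file as raw bytes (the same call the post uses).
$bytes = [byte[]](Get-Content -Path $SubscriptionFile -Encoding Byte -ReadCount 0)
New-EdgeSubscription -FileData $bytes -Site $SiteName | Out-Null

# Test-EdgeSynchronization returns one object per subscribed Edge server.
# SyncStatus is 'Normal' when the Mailbox server can open the secure LDAP
# session to AD LDS on the Edge server; anything else means trouble.
$test = Test-EdgeSynchronization | Where-Object { $_.Name -eq $EdgeServer }
if ($null -eq $test) {
    throw "No EdgeSync test result for $EdgeServer; the subscription was not created."
}
if ($test.SyncStatus -ne 'Normal') {
    Write-Warning "EdgeSync status for $EdgeServer is '$($test.SyncStatus)'"
    Write-Warning "FailureDetail: $($test.FailureDetail)"
    Write-Warning "Check that the default SMTP certificate on both servers is still the Exchange self-signed certificate."
    return
}

# Force an immediate synchronization instead of waiting for the schedule and
# report the Result per sync type (Success, CouldNotConnect, ...).
$sync = Start-EdgeSynchronization -TargetServer $EdgeServer
foreach ($r in $sync) {
    "{0}: {1} ({2})" -f $r.Name, $r.Result, $r.Type
    if ($r.Result -ne 'Success') {
        Write-Warning "Synchronization for $($r.Name) returned $($r.Result): $($r.FailureDetails)"
    }
}
```

Run it once after copying the XML; a SyncStatus other than Normal or a Result of CouldNotConnect is the point at which to look at the SMTP certificates rather than at the subscription file again.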

Learnings:

  • Edge Sync depends on the default SMTP certificate of the Edge and Mailbox server
  • Don’t change the default SMTP certificate (the self-signed certificate from Exchange) on the Exchange Edge and Mailbox server
  • EdgeSync requires a CAPI1-based private key; CNG (Cryptography Next Generation) certificates are not supported. Details can be found on the blog of MVP Thomas Stensitzki: Edge Transport Server, EdgeSync, and Certificates
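The two certificate conditions in the learnings (the SMTP service must still sit on the Exchange self-signed certificate, and its private key must be CAPI1 rather than CNG) can be checked before re-subscribing. The following is an added PowerShell check, not code from the original post. It assumes the Exchange Management Shell on the server being examined (Edge or Mailbox), that the Exchange self-signed certificate has Issuer equal to Subject, and that certutil.exe's "Provider =" line names the key storage provider, where a "Key Storage Provider" is CNG and a legacy CSP such as "Microsoft RSA SChannel Cryptographic Provider" is CAPI1; the function name Get-SmtpCertificateReport is made up for this example.

```powershell
# Added example (not from the original post): report every certificate with
# the SMTP service enabled and flag whether it is self-signed and whether
# its private key lives in a CNG key storage provider.
# Assumptions: Exchange Management Shell; certutil.exe available; the
# "Provider =" line of certutil -store identifies the key provider.
function Get-SmtpCertificateReport {
    $report = foreach ($cert in Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' }) {
        # Self-signed: issuer equals subject. The Exchange default certificate
        # (CN = server name) is the one EdgeSync expects to stay in place.
        $selfSigned = ($cert.Issuer -eq $cert.Subject)

        # certutil shows "Provider = <name>" for the private key. A
        # "... Key Storage Provider" is CNG, which EdgeSync cannot use.
        $store        = certutil.exe -store My $cert.Thumbprint 2>$null
        $providerLine = $store | Where-Object { $_ -match 'Provider\s*=' } | Select-Object -First 1
        $provider     = if ($providerLine) { ($providerLine -split '=', 2)[1].Trim() } else { 'unknown' }
        $isCng        = $provider -like '*Key Storage Provider*'

        [pscustomobject]@{
            Thumbprint  = $cert.Thumbprint
            Subject     = $cert.Subject
            Services    = $cert.Services
            SelfSigned  = $selfSigned
            KeyProvider = $provider
            CngKey      = $isCng
            NotAfter    = $cert.NotAfter
        }
    }
    $report
}

$smtpCerts = Get-SmtpCertificateReport
$smtpCerts | Format-Table Thumbprint, SelfSigned, CngKey, KeyProvider, NotAfter -AutoSize

# EdgeSync needs a self-signed, CAPI1-backed certificate on the SMTP service.
if (-not ($smtpCerts | Where-Object { $_.SelfSigned -and -not $_.CngKey })) {
    Write-Warning "No self-signed, CAPI1-backed certificate is enabled for SMTP on this server; expect EdgeSync to fail with 'No EdgeSync credentials were found'."
}
```

Run it on both the Edge and the Mailbox server; if the self-signed certificate is missing from the SMTP service on either side, re-enable it with Enable-ExchangeCertificate -Service SMTP as in the post before removing and re-importing the subscription.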

Regards
Andres Bohren
