Emails sent from on-premises to Exchange Online appears to be external after running HCW
Original KB number: 4052493
Symptoms
Consider the following scenario:
- You run the Hybrid Configuration Wizard against an Exchange Server 2016 or Exchange Server 2013 environment that includes an Edge server.
- A user sends an email message from Exchange on-premises to the Exchange Online account of another user. Both users are in your organization.
In this scenario, you notice the following issues on the receiver side:
- The message appears to be external.
- The sender doesn't resolve to a recipient in the global address list (GAL).
Additional symptoms when the issue occurs:
There is an Outbound to Office 365 TLSCertificateName attribute on the Send connector that sends messages to Microsoft 365. When the issue occurs, the attribute value isn't replicated to the Edge servers.
When you run the
start-edgesynchronization
command from the mailbox server, the output shows the Configuration type as Incomplete. The following is a sample excerpt:RunspaceId: RunspaceId Result: Incomplete Type: Configuration Name: userwap
The following error is logged in the EdgeSync logs that are located in the
<ExchangeInstallation>\TransportRoles\Logs\EdgeSync
folder.Date/Time.082Z,c76158dc155c4e2eab69305612c58890,689,,EdgeServerName.contoso.com,50636,SyncEngine,Low,A value in the request is invalid. [ExDirectoryException]; Inner Exception: A value in the request is invalid. [DirectoryOperationException],"Failed to synchronize entry CN=Outbound to Office 365,CN=Connections,CN=Exchange Routing Group (DWBGZMFD01QNBJR),CN=Routing Groups,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ExchangeOrgName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com",,,
To enable the EdgeSync logs, run the following command:
Get-EdgeSyncServiceConfig | Set-EdgeSyncServiceConfig -LogLevel high -LogEnabled $true
Cause
This issue occurs for the following reasons:
The cap is set to 256 for the ms-Exch-Smtp-TLS-Certificate attribute that is stored in the schema for ADAM on the Edge servers.
The length of the following string from the third-party certificate is more than 256 characters:
<I>Issuer<S>Subject name
To determine the length of the string, run the following command:
("<I>$((Get-SendConnector 'outbound to Office 365').tlscertificatename.certificateissuer)<S>$((Get-SendConnector 'outbound to Office 365').tlscertificatename.certificatesubject)").length
To resolve this issue, use one of the following methods.
Resolution 1: Increase the cap to 1024 on the Edge server
Open a Windows PowerShell window by using the Run as administrator option.
Install the remote server administration toolkit by running the following command:
Add-WindowsFeature RSAT-ADDS
Import the Active Directory module by running the following command:
Import-Module ActiveDirectory
Verify the cap value for the attribute TLSCertificateName by running the following command:
Get-ADObject -Filter {name -eq "ms-Exch-Smtp-TLS-Certificate"} -SearchBase ((get-ADRootDSE -Server localhost:50389).schemaNamingContext) -Server localhost:50389 -Properties * | Select-Object rangeupper
Set the 1024 cap by running the following command:
Get-ADObject -Filter {name -eq "ms-Exch-Smtp-TLS-Certificate"} -SearchBase ((get-ADRootDSE -Server localhost:50389).schemaNamingContext) -Server localhost:50389 -Properties * | Set-ADObject -Replace @{rangeupper=1024}
On the HUB Transport or Mailbox servers, run the following command to sync the changes to the Edge server:
start-EdgeSynchronization
Resolution 2: Configure Send connector use FQDN
Configure the Send connector not to use the TLSCertificateName attribute for specifying the certificate to be used during TLS negotiation. Instead, use an FQDN to select the appropriate third-party certificate based on the certificate selection procedure that is described in Selection of Outbound Anonymous TLS Certificates.
To configure the Send connector to use the FQDN, follow these steps:
Make sure that the domain name that will be set as the FQDN is set as the Subject Name or Subject Alternative Name of the third-party certificate.
Set the Send connector to use the FQDN by running the following command. This command also clears the TLSCertificateName attribute.
Set-SendConnector "outbound to Office 365" -Fqdn "Domain Note in step 1 of option 2" -TlsCertificateName:$null
On the HUB Transport or Mailbox servers, run the following command to sync the changes to the Edge server:
start-EdgeSynchronization
Resolution 3: Use certificate that doesn't cause the cap to be exceeded
Use a certificate that doesn't cause the cap to be exceeded. To do this, follow these steps:
Create a certificate in which the following string from the certificate is less than 256 characters:
<I>Issuer<S>SubjectName
Import the certificate.
Associate the certificate with the respective services.
Run the Hybrid Configuration Wizard again to use the new certificate.
Feedback
https://aka.ms/ContentUserFeedback.
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see:Submit and view feedback for