Resolving EdgeSync Synchronization – Supplied credential is invalid error

Posted by admin on Jan 26, 2009 in Walkthroughs |

I have dealt with this error a few times with various customers, and initially it was difficult to get all the relevant bits of information together to make sure I had it fixed, so I have put the whole process here in one post.

I first noticed that Edge Sync wasn’t synchronizing correctly after a number of users started getting mail loops. Checking the queues, I could see that all the mail loops were to a particular domain. This domain had been removed from the Accepted Domain list a few days earlier, and before that everything had been fine.

The first port of call was to run a manual Edge Sync. In Exchange Management Shell on your Hub server, type:

Start-EdgeSynchronization

This came back with the following error: The supplied credential is invalid.

[Screenshot: edgesyncpwrshellerror]

The next step was to test Edge Sync via the following cmdlet on your Hub server:

Test-EdgeSynchronization

This returned FailureDetail : The supplied credential is invalid, as shown in the screenshot below:

[Screenshot: edgesynce-testcmdlet1]

This points to the account used to perform the Edge Sync. This is no ordinary account and is not a user in AD. Edge Sync uses an automatically created account called the ESRA Bootstrap, which is refreshed every 30 days: a replacement account is created 7 days before the current one is due to expire, and a handover is initiated 3 days before the expiry date. A more in-depth and eloquent explanation is found here: http://technet.microsoft.com/en-us/library/bb266959.aspx

As this account is not a user in AD, a little more work is involved in finding out whether it is valid. You need to locate an attribute in AD using ADSIedit. Instructions for using ADSIedit are here: http://technet.microsoft.com/en-us/library/cc773354.aspx

Before you go any further – A quick warning about ADSIedit. ADSIedit is direct access to your Active Directory. If you make any changes here without the knowledge of what these changes may do you can damage your Active Directory. Extreme caution must be taken when using ADSIedit. We are simply using ADSIedit to look and not touch in this walkthrough, so don’t be tempted to be gung ho and start making any changes. You access and use ADSIedit at your own risk and I will not be liable for any damage or data loss. You have been warned!

Right… You will need to navigate to the msExchEdgeSyncCredential attribute in the properties of your Edge server. The value can be located by following these steps:

1. Run Adsiedit.msc
2. Navigate to Configuration -> Services -> Microsoft Exchange -> Organization Name -> Administrative Group -> Exchange Administrative Groups -> Servers -> Edge Server Name
3. Right-click the Edge Server and click Properties
4. Locate the msExchEdgeSyncCredential property. Does this have a value set? It will probably show as not set, as in the screenshot below (if this is hard to read, right-click and Save As to see it at its original size):

[Screenshot: edgesyncadsidetails]
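As an added example (not from the post), the same look-but-don't-touch check can be scripted from the Exchange Management Shell on the Hub server instead of browsing in ADSIedit. It searches the Configuration partition for the Edge server object and reports whether msExchEdgeSyncCredential is populated; the server name EDGE01 is a placeholder.

```powershell
# Added example: read-only check of the EdgeSync credential attribute on the Edge server object.
# Run in the Exchange Management Shell on a Hub Transport server; it only needs read access to
# the Configuration partition and writes nothing to Active Directory.
# "EDGE01" is a placeholder; pass your Edge server's name.
param(
    [Parameter(Mandatory = $false)]
    [string]$EdgeServerName = "EDGE01"
)

# Find the Configuration naming context of the forest the Hub server is joined to.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.configurationNamingContext

# Exchange server objects (Hub, Edge, ...) live under the Servers container in the
# Configuration partition and have objectClass msExchExchangeServer.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://$configNc"
$searcher.SearchScope = "Subtree"
$searcher.Filter      = "(&(objectClass=msExchExchangeServer)(cn=$EdgeServerName))"
[void]$searcher.PropertiesToLoad.Add("distinguishedName")
[void]$searcher.PropertiesToLoad.Add("msExchEdgeSyncCredential")

$result = $searcher.FindOne()
if ($null -eq $result) {
    Write-Warning "No Exchange server object named '$EdgeServerName' found under $configNc. Check the name; if it is correct, the Edge Subscription may never have been imported on this Hub."
    return
}

# DirectorySearcher returns property names in lower case.
$dn    = $result.Properties["distinguishedname"][0]
$creds = $result.Properties["msexchedgesynccredential"]

Write-Host "Edge server object: $dn"
if ($null -eq $creds -or $creds.Count -eq 0) {
    # This is the state the post describes: the attribute shows as <not set> in ADSIedit,
    # and Start-/Test-EdgeSynchronization fail with "The supplied credential is invalid".
    Write-Host "msExchEdgeSyncCredential is NOT SET. Re-create the Edge Subscription to regenerate the ESRA bootstrap account."
} else {
    # The attribute is multi-valued. Only a count and a masked prefix are printed, because the
    # values carry the EdgeSync credential material and do not belong in a console log.
    Write-Host ("msExchEdgeSyncCredential has {0} value(s):" -f $creds.Count)
    foreach ($value in $creds) {
        $text = [string]$value
        if ($text.Length -gt 24) { $text = $text.Substring(0, 24) + "..." }
        Write-Host "  $text"
    }
}
```

Get-ExchangeServer does not expose this attribute, which is why the script goes to LDAP directly; an empty result is the same finding as the "not set" screenshot above, and the fix is the re-subscription described in the rest of the post.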

If this value is not set, you will need to re-create the Edge Subscription, which will in turn re-create the ESRA Bootstrap account.

The one question that got me thinking was why this would happen seemingly at random. No major changes had been made and everything had been working fine for months. The first thing I looked at was the Exchange versions installed. For an Exchange organization to work correctly, all the Exchange servers must be on the same version, and this goes for service packs and update rollups too. Both of these servers were on SP1 and had the same build number (which can be found by right-clicking the server in the Exchange Management Console and clicking Properties), but the update rollups were not the same. Checking Add/Remove Programs with the updates shown revealed the Hub server running Rollup 2, while the Edge server had no rollups installed.

So the next step was to install the Exchange 2007 SP1 Rollup 2 onto the Edge server to bring it in line. Beware: it does not seem to be documented anywhere (obvious, at least) that this will restart the Exchange services. Common sense says that any rollup will restart services, but if you are doing this on a live environment, be aware that external mail transport will stop while the update takes place.

Now that both servers are running at the same level, we can re-subscribe the Edge Subscription.

How to create a new subscription file on the Edge server:

Before we start, it is best to note down how your Send Connectors are configured. This may be useful later in the process.

On the Edge server, start the Exchange Management Shell and type:

New-EdgeSubscription -file "c:\subscription.xml"

Browse to the root of C:\ and copy the subscription.xml file to your Hub server. This can be tricky, as the Edge is often located in a DMZ or on an otherwise inaccessible network; I used a USB key to move it between the two servers.

On your Hub server open up Exchange System Manager and add the new subscription:

Organization Configuration> Hub Transport> Create New Edge Subscription.

Browse to your subscription.xml file and then click New. Make sure that the subscription is set to the correct site: it will pick the default site, so don’t just click Next; double-check that it is being subscribed to the same site as your Hub server.

NOTE - You do not need to remove the existing Edge Subscription. The new subscription will simply overwrite the existing one, as it is for the same servers.

We now need to replicate Active Directory information and synchronize the Edge and the Hub server.

In Exchange Management Shell on your Hub server, run the following command:

Start-EdgeSynchronization

Hopefully this completes successfully, and you should now have a working Edge Sync.

To verify that it is all working as it should, run Test-EdgeSynchronization on your Hub server. You should receive a status of succeeded:

[Screenshot: edgesynctestsuccessfull]

Some people have found that re-creating the Edge Subscription resets their Send Connectors, but I have not come across this. The settings within the Send Connectors, the spam settings, etc. should stay the same, as we have not removed the existing Edge Subscription, only overwritten attributes within it. Just in case, though, verify your Send Connectors against the settings you recorded at the start of the Edge Subscription process.
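As an added example (not the post's own procedure, which uses the console), here is the Hub-side half of the re-subscription scripted in the Exchange Management Shell. It records the Send Connector settings the post says to note down, imports subscription.xml with New-EdgeSubscription, runs Start-EdgeSynchronization, prints the Test-EdgeSynchronization result, and then diffs the Send Connectors against the snapshot so a reset is caught immediately. The file paths and the site name Default-First-Site-Name are assumptions; substitute your own.

```powershell
# Added example: Hub-side re-subscription with a Send Connector snapshot before and a diff after.
# Run in the Exchange Management Shell on the Hub Transport server AFTER running
#   New-EdgeSubscription -File "c:\subscription.xml"
# on the Edge server and copying the file across. Paths and the site name are placeholders.
param(
    [string]$SubscriptionFile = "C:\subscription.xml",
    [string]$Site             = "Default-First-Site-Name",
    [string]$SnapshotFile     = "C:\sendconnectors-before.xml"
)

# Send Connector properties worth comparing (the things the post says to note down).
$connectorProps = "Name", "Enabled", "AddressSpaces", "SmartHosts", "DNSRoutingEnabled", "SourceTransportServers"

function Get-ConnectorSnapshot {
    # Flatten each Send Connector to plain strings so the snapshot can be diffed later.
    Get-SendConnector | ForEach-Object {
        $c   = $_
        $row = New-Object PSObject
        foreach ($p in $connectorProps) {
            $v = $c.$p
            if ($v -is [System.Collections.IEnumerable] -and -not ($v -is [string])) {
                # Multi-valued properties (address spaces, smart hosts, source servers) are sorted
                # and joined so ordering differences do not show up as changes.
                $v = ($v | ForEach-Object { [string]$_ } | Sort-Object) -join ";"
            }
            $row | Add-Member -MemberType NoteProperty -Name $p -Value ([string]$v)
        }
        $row
    }
}

# 1. Record the Send Connectors before touching the subscription.
$before = @(Get-ConnectorSnapshot)
$before | Export-Clixml -Path $SnapshotFile
Write-Host ("Recorded {0} Send Connector(s) to {1}" -f $before.Count, $SnapshotFile)

# 2. Import the subscription file. This overwrites the existing subscription for the same
#    Edge server, so it does not need to be removed first. The site must be the Hub's own site,
#    which is the step the post warns about when clicking through the console wizard.
$fileData = [byte[]](Get-Content -Path $SubscriptionFile -Encoding Byte -ReadCount 0)
New-EdgeSubscription -FileData $fileData -Site $Site -Confirm:$false

# 3. Push the configuration to the Edge and verify the result.
Start-EdgeSynchronization
$results = @(Test-EdgeSynchronization)
foreach ($r in $results) {
    Write-Host ("{0}: SyncStatus={1} FailureDetail={2}" -f $r.Name, $r.SyncStatus, $r.FailureDetail)
}
$failed = @($results | Where-Object { $_.FailureDetail })
if ($failed.Count -gt 0) {
    Write-Warning "EdgeSync still reports failures; re-check msExchEdgeSyncCredential and the rollup levels on both servers."
}

# 4. Compare the Send Connectors with the snapshot taken in step 1.
$after = @(Get-ConnectorSnapshot)
$diff  = Compare-Object -ReferenceObject $before -DifferenceObject $after -Property $connectorProps
if ($null -eq $diff) {
    Write-Host "Send Connectors are unchanged."
} else {
    Write-Warning "Send Connector differences detected ('<=' = before, '=>' = after):"
    $diff | Format-Table -AutoSize
}
```

The snapshot file is kept on disk so the same comparison can be repeated later with Import-Clixml if a reset only becomes apparent once mail flow is tested.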

Hopefully this has been helpful to you and has resolved your Edge Sync problems.

I would love to hear from you if you have found this post helpful, or if you have any questions…

 

 

7 Comments

Stephen Crowder
Apr 7, 2010 at 20:53


I have a problem with Exchange 2007 roles on a single server (600 users) and an Edge Server. Subscribed with Message Labs for Spam/AV filtering and am attempting to set up TLS with MessageLabs for Encryption. They are connecting to the Edge server via telnet (port 25) to test the TLS and it is coming up with a certificate error (Edge certificate is locally generated and Mail Server is Digicert) and they are saying that they only support valid 3rd party root certs. Should the TLS be stopped by the Edge or should it be passed through to the mail server? They are actually connecting to the Edge server for verification…

admin
Apr 7, 2010 at 22:08


The problem is likely due to you using a locally generated Edge Certificate. You will need to use the same cert all the way through your authentication process. Depending on how you requested your existing cert, you may be able to use the same cert as used by your Mail (Hub) server… Though, this must also have the appropriate FQDNs in the DomainNames field to cover the different host names of the servers, i.e. edge.companydomain.com and mail.companydomain.com must appear in the certificate.

Regarding message transfer TLS will use the cert on your transport servers when sending/receiving mails, but it sounds like messagelabs may be specifying the edge server for its authentication, as strictly speaking it is not standard mail transfer, they may be able to confirm this. In which case this is why you are getting the message that the cert is not a valid 3rd party cert.

Rather than me explain the whole process, check out these links which are going to explain it a lot better than me!:

http://msexchangeteam.com/archive/2007/02/19/435472.aspx

http://technet.microsoft.com/en-us/library/bb430764(EXCHG.80).aspx

http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx#WhenCAWhenSelf

Let me know if this helps

Kind regards,
Carl

Shawn Shutt
Jul 8, 2010 at 14:56


This was very helpful for the certificate part, but what I am running into now is “the LDAP Server is unavailable” when I run my Start-EdgeSync command. So any hints or help for this would be great. Thanks and keep up the good work.

mbt fuaba
Jul 21, 2010 at 17:51


Good

David Noble
Mar 15, 2011 at 06:47


I just wanted to say thanks for posting this article. I was hit by a number of e-mail issues (5-6?) that went unnoticed until I upgraded to Exchange Server 2010 SP1 with update rollup 2. I’d not have fixed this issue without your help.

Sincerely,
David Noble

R. van der Sanden
May 9, 2011 at 21:59


Thanx a lot for this piece! We had this problem for months and I found myself setting up new Synchs on a monthly basis… One thing to add maybe: don’t forget to restart the service “Microsoft Exchange Transport” on the Edge Server when done.

sm
Jun 7, 2011 at 10:23


Another problem with sync.
Credentials were invalid on the Exchange server for the Edge, after a 24 hour period since subscription creation.
Problem was stopped Exchange Credential Service on Edge server.
After starting it and re-creating subscription, problems were gone.

Copyright © 2012 A day in the life of an Exchange Consultant All rights reserved. Theme by Laptop Geek.