Update Send Connector SSL Certificate for Hybrid Configuration

Recently had a customer with an Exchange 2013 Hybrid config require updating an expired SSL certificate. When they imported the new certificate and assigned it SMTP services, mail flow from on-premises to Office 365 stopped.

This was because the on-premises send connector to Office 365 was still configured to look for that expired certificate (which had also been deleted already).

The fix was to perform the following:

  1. Open Exchange Management Shell on the on-premises Exchange server
  2. Run Get-ExchangeCertificate, and note the Thumbprint of the correct certificate to be used.
  3. Run $cert = Get-ExchangeCertificate -Thumbprint <thumbprint>
  4. Set a new variable and assign it the concatenated values of the Issuer and Subject values of the certificate (must also include <I> and <S> before each field):
    $TLSCert = ('<I>'+$cert.issuer+'<S>'+$cert.subject)
  5. Update the send connector with the new values
    Set-SendConnector -Identity "Send Connector Name" -TLSCertificateName $TLSCert
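The five steps above as one script, added here as an example rather than taken from the original post. It checks that the chosen certificate is current and SMTP-enabled before binding the connector to it, records the old value for the change log, verifies the connector actually stored the new name, and then retries queued mail. The thumbprint, connector name and queue filter are assumptions; replace the placeholders with your own values.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# Placeholders: $Thumbprint and $ConnectorName must be replaced with real values.
$Thumbprint    = '0000000000000000000000000000000000000000'   # placeholder: thumbprint from Get-ExchangeCertificate
$ConnectorName = 'Outbound to Office 365'                      # placeholder: the hybrid send connector name

$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint -ErrorAction Stop

# Refuse to bind the connector to a certificate that cannot be used for SMTP TLS;
# this is exactly the state that broke mail flow in the first place.
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter); choose a current one."
}
if ([string]$cert.Services -notmatch 'SMTP') {
    throw "Certificate $($cert.Thumbprint) is not enabled for SMTP; run Enable-ExchangeCertificate -Services SMTP first."
}

# TlsCertificateName is the literal string '<I>' + Issuer + '<S>' + Subject.
$TLSCert = '<I>' + $cert.Issuer + '<S>' + $cert.Subject
Write-Host "New TlsCertificateName: $TLSCert"

# Capture what the connector references now, so the change is auditable.
$before = Get-SendConnector -Identity $ConnectorName -ErrorAction Stop
Write-Host "Previous TlsCertificateName: $($before.TlsCertificateName)"

Set-SendConnector -Identity $ConnectorName -TlsCertificateName $TLSCert

# Verify the stored value matches what was built (the property renders as the same <I>...<S>... string).
$after = Get-SendConnector -Identity $ConnectorName
if ([string]$after.TlsCertificateName -ne $TLSCert) {
    throw "Send connector '$ConnectorName' did not take the new TlsCertificateName."
}
Write-Host "Send connector '$ConnectorName' updated."

# Queued messages sit on their retry timer; force a retry so delivery to the tenant resumes now.
Retry-Queue -Filter { Status -eq 'Retry' }
```

If the on-premises receive connector used by Office 365 was also pinned to the old certificate, the same `<I>`/`<S>` string goes into `Set-ReceiveConnector -TlsCertificateName`; the check and verify pattern is identical.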

After completing this, any queued mail destined for the Office 365 tenant should begin flowing.


Solution: Unable to update Active Directory information for the source mailbox at the end of the move

This scenario applies to hybrid configurations when moving mailboxes from on-premises to Office 365.

Whenever you see the error in the migration log that says “Unable to update Active Directory information for the source mailbox at the end of the move” it means that when the mailbox move completed, MRS could not disable the mailbox on the on-premises Exchange server and then RemoteMailbox-enable the user account as a cloud mailbox.

This results in two mailboxes – the original one on-premises and the new one in the cloud. However, the on-premises mailbox is inaccessible, and Autodiscover returns invalid information when Outlook tries to set up the profile.

To resolve this, perform these steps manually on the on-premises Exchange server in the Exchange Management Shell:

  1. Disable-Mailbox <alias>
  2. Enable-RemoteMailbox -Identity <alias> -PrimarySmtpAddress alias@contoso.com -RemoteRoutingAddress alias@TenantName.mail.onmicrosoft.com
  3. Wait for (or force) AD replication, then manually force a DirSync
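The three cleanup steps for one user as a script, added here as an example and not part of the original post. It captures the primary SMTP address from the mailbox before Disable-Mailbox strips the Exchange attributes, derives the routing address from the alias, and confirms the remote mailbox object exists before forcing replication and a sync. The alias, routing domain, and sync server name are placeholders; the sync step assumes the directory sync server runs Azure AD Connect (Start-ADSyncSyncCycle) and that repadmin is available on the machine running the script.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell on-premises.
# Placeholders: $Alias, $RoutingDomain and $SyncServer must be replaced with real values.
$Alias         = 'jdoe'                               # placeholder: the user's alias
$RoutingDomain = 'TenantName.mail.onmicrosoft.com'    # placeholder: the tenant's coexistence domain
$SyncServer    = 'AADCONNECT01'                       # placeholder: server running Azure AD Connect

# Read the addresses while the on-premises mailbox still carries them;
# Disable-Mailbox removes them, so they cannot be recovered from the user afterwards.
$mbx     = Get-Mailbox -Identity $Alias -ErrorAction Stop
$primary = $mbx.PrimarySmtpAddress.ToString()
$routing = "$($mbx.Alias)@$RoutingDomain"
Write-Host "Primary: $primary  Routing: $routing"

# Step 1: detach the orphaned on-premises mailbox (the cloud copy is the live one).
Disable-Mailbox -Identity $Alias -Confirm:$false

# Step 2: turn the account into a mail user that points at the cloud mailbox.
Enable-RemoteMailbox -Identity $Alias -PrimarySmtpAddress $primary -RemoteRoutingAddress $routing

# Confirm the remote mailbox object is there with the expected routing address.
$remote = Get-RemoteMailbox -Identity $Alias -ErrorAction Stop
if ($remote.RemoteRoutingAddress.ToString() -ne $routing) {
    throw "RemoteRoutingAddress on $Alias is $($remote.RemoteRoutingAddress), expected $routing."
}

# Step 3: push the change to all DCs, then run a delta sync so the tenant sees the new state.
repadmin /syncall /AdeP
Invoke-Command -ComputerName $SyncServer -ScriptBlock {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

After the sync completes, Autodiscover for the user resolves to the cloud mailbox and a fresh Outlook profile can be created.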