Exchange Hybrid - Customers configuring hybrid with Edge Transport can hit a problem where on-premises users can't email cloud users

Situation: Customers configuring hybrid with an Edge Transport server can hit a problem where on-premises users can't email cloud users.  All other mail flow (inbound from the cloud, internal, and to the Internet) works as expected.  The bounce message indicates that a local loop was detected.

Problem: If the TLS certificate name that EdgeSync has to write to the send connector (the TlsCertificateName value, which carries the issuer and subject strings of the certificate) is longer than 256 characters, EdgeSync fails to create the 'Outbound to Office 365' send connector on the Edge server(s).  Internal transport routes mail for the <tenant>.mail.onmicrosoft.com SMTP namespace to the Edge server because Edge is the source of that connector, but the Edge server has no connector for that namespace and hands the message back to internal transport, so it bounces back and forth until the loop is detected.  The root cause is that the schema of the AD LDS instance on the Edge server(s) was not updated when the schema extensions were applied to the internal AD DS.  The rangeUpper of the ms-Exch-Smtp-TLS-Certificate attribute is still 256 in the Edge AD LDS schema, whereas it is 1024 in the internal AD DS schema, so the LDAP write of the longer value is rejected.

Symptoms:

-On-premises users attempting to email cloud users get a bounce message indicating that a local loop was detected

-The 'Outbound to Office 365' send connector is created on the internal servers (with the Edge server(s) as the source), but the same send connector is not created on the Edge server(s); Get-SendConnector run on the Edge server does not list it

-If the Edge Synchronization diagnostic logging level is increased, the EdgeSync log records: A value in the request is invalid. [ExDirectoryException]; Inner Exception: A value in the request is invalid. [DirectoryOperationException], "Failed to synchronize entry CN=Outbound to Office 365…

Resolution:

On each Edge server, open ADSI Edit and connect to the Schema partition of the local AD LDS instance, find the ms-Exch-Smtp-TLS-Certificate attribute object, and change rangeUpper from 256 to 1024 so that it matches the internal AD DS schema.  Restart the AD LDS service (ADAM_MSExchange), which will in turn restart the dependent Exchange Transport service.  Then re-run Edge Synchronization from an internal Mailbox server (Start-EdgeSynchronization) and confirm with Test-EdgeSynchronization and Get-SendConnector on the Edge server that the 'Outbound to Office 365' connector now exists there.  This must be performed on each Edge server individually, and it will need to be repeated for any new Edge servers and for servers that are rebuilt, because a fresh AD LDS instance ships with the old schema value.
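The same schema change, scripted so it can be re-applied consistently to every Edge server, as an added example that is not part of the original article.  It assumes the Edge AD LDS instance listens on the default LDAP port 50389 and runs as the service ADAM_MSExchange; both are parameters so they can be changed if your installation differs.  It reads the schema naming context from RootDSE rather than hard-coding the CN={GUID} container, checks the current rangeUpper, raises it only when it is below 1024, verifies the write, and then restarts AD LDS.

```powershell
# Added example, not from the original article.  Run in an elevated PowerShell
# session on each Edge Transport server.
# Assumptions: AD LDS instance on localhost:50389 (Exchange default) running as
# the ADAM_MSExchange service.  Override the parameters if your Edge differs.
param(
    [string]$LdapServer         = 'localhost:50389',
    [string]$AdamService        = 'ADAM_MSExchange',
    [int]   $RequiredRangeUpper = 1024
)

# Ask RootDSE for the schema naming context instead of hard-coding the
# CN={GUID} container name, which is unique to every AD LDS installation.
$rootDse  = [ADSI]"LDAP://$LdapServer/RootDSE"
$schemaNC = $rootDse.schemaNamingContext.Value
$attrDn   = "CN=ms-Exch-Smtp-TLS-Certificate,$schemaNC"
$attr     = [ADSI]"LDAP://$LdapServer/$attrDn"

$current = [int]$attr.rangeUpper.Value
Write-Host "rangeUpper on $attrDn is currently $current"

if ($current -ge $RequiredRangeUpper) {
    Write-Host "Nothing to do: values up to $current characters are already accepted."
    return
}

# Raise the limit to match the internal AD DS schema (1024).
$attr.Put('rangeUpper', $RequiredRangeUpper)
$attr.SetInfo()

# Re-read from the directory to confirm the write stuck before restarting anything.
$attr.GetInfo()
if ([int]$attr.rangeUpper.Value -ne $RequiredRangeUpper) {
    throw "rangeUpper did not update; the account must be an administrator of the AD LDS instance."
}
Write-Host "rangeUpper updated to $RequiredRangeUpper"

# Restart AD LDS so it rebuilds its schema cache.  -Force is needed because the
# Exchange Transport service depends on it; make sure transport is back afterwards.
Restart-Service -Name $AdamService -Force
Start-Service -Name MSExchangeTransport -ErrorAction SilentlyContinue
Get-Service -Name $AdamService, MSExchangeTransport | Format-Table Name, Status -AutoSize
```

After the script has run on every Edge server, switch to an internal Mailbox server and run Start-EdgeSynchronization, then Test-EdgeSynchronization; the connector is confirmed once Get-SendConnector on the Edge server lists 'Outbound to Office 365'.  Keep the script with your Edge build documentation, since a rebuilt or newly deployed Edge server comes back with rangeUpper at 256 and the loop will return.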