Last week, two of our child domains were decommissioned, and as a result, SCOM almost immediately started throwing alerts related to EdgeSync Enterprise synchronization failures.
******************************
CurrentTime (UTC):09/13/2012 11:01:05
Name:EDGESERVER
SyncStatus:Failed
LeaseHolder:CN=INTERNALSERVER,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=MYEXCHANGEORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DOMAIN,DC=LOCAL
LeaseType:Option
LeaseExpiry (UTC):09/13/2012 11:30:19
LastSynchronized (UTC):09/13/2012 11:00:19
Cookie Records (5):
Domain:DC=child1,DC=domain,DC=local; LastUpdated (UTC):09/13/2012 11:00:19; DC:dc1.domain.local
Domain:DC=domain,DC=local; LastUpdated (UTC):09/13/2012 11:00:19; DC:dc1.domain.local
Domain:CN=Configuration,DC=domain,DC=local; LastUpdated (UTC):09/13/2012 10:59:52; DC:dc2.domain.local
Domain:DC=child2,DC=domain,DC=local; LastUpdated (UTC):09/06/2012 19:15:52; DC:dc1.domain.local
Domain:DC=grandchild1,DC=child2,DC=domain,DC=local; LastUpdated (UTC):09/05/2012 21:05:11; DC:dc1.domain.local
Failure Details:The EdgeSync cookie has not been updated as expected. It may indicate EdgeSync has encountered synchronization errors. For more information, check the EdgeSync logs.
Diagnostic command: "Test-EdgeSynchronization -MonitoringContext:$true"
EventSourceName: MSExchange Monitoring EdgeSynchronization
******************************
I noticed that the cookie records still included the two domains that had been decommissioned, grandchild1 and child2, and that their LastUpdated timestamps had stopped advancing about a week earlier, while the records for the surviving naming contexts were current. I took to Google and searched on "EdgeSync cookie has not been updated" (the text in the Failure Details section), and found the following thread: http://social.technet.microsoft.com/Forums/nl/exchange2010/thread/c918600c-f233-47dd-9efa-86ecc88d13e9. In case that thread disappears, it basically says that EdgeSync keeps one replication cookie per Active Directory naming context in the ADAM (AD LDS) database on the Edge server. When a domain is decommissioned, the cookie for that naming context is left behind and can never be updated again, because the naming context no longer exists in Active Directory, so every EdgeSync run reports a synchronization failure. The solution is to edit the entries in the ADAM database and remove the references to the non-existent domains. To do that, complete the following steps.
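Before touching the ADAM database it helps to see exactly which cookie records are the problem. The following PowerShell is an added example, not code from the original post: it parses the Cookie Records block of an alert like the one quoted above and flags every record whose naming context is not in a list of live naming contexts, or whose LastUpdated lags LastSynchronized by more than a threshold. The sample alert text is constructed from the alert shown earlier, and the list of live naming contexts is an assumption you would maintain yourself (or build from Get-ADForest on a domain-joined internal server).

```powershell
# Added example, not part of the original post: triage the Cookie Records block of
# an EdgeSync alert and flag records for naming contexts that no longer exist
# (or that have simply stopped advancing).

# Constructed sample input: the relevant lines of the alert quoted above.
$AlertText = @'
LastSynchronized (UTC):09/13/2012 11:00:19
Cookie Records (5):
Domain:DC=child1,DC=domain,DC=local; LastUpdated (UTC):09/13/2012 11:00:19; DC:dc1.domain.local
Domain:DC=domain,DC=local; LastUpdated (UTC):09/13/2012 11:00:19; DC:dc1.domain.local
Domain:CN=Configuration,DC=domain,DC=local; LastUpdated (UTC):09/13/2012 10:59:52; DC:dc2.domain.local
Domain:DC=child2,DC=domain,DC=local; LastUpdated (UTC):09/06/2012 19:15:52; DC:dc1.domain.local
Domain:DC=grandchild1,DC=child2,DC=domain,DC=local; LastUpdated (UTC):09/05/2012 21:05:11; DC:dc1.domain.local
'@

# Assumption: the naming contexts that still exist in the forest. On a
# domain-joined internal server you could build this from (Get-ADForest).Domains.
$LiveNamingContexts = @(
    'DC=domain,DC=local'
    'CN=Configuration,DC=domain,DC=local'
    'DC=child1,DC=domain,DC=local'
)

function Get-StaleEdgeSyncCookieRecord {
    param(
        [Parameter(Mandatory)] [string]   $AlertText,
        [Parameter(Mandatory)] [string[]] $LiveNamingContexts,
        [int] $MaxAgeHours = 24   # a cookie lagging the last sync by more than this is suspicious
    )
    $culture  = [Globalization.CultureInfo]::InvariantCulture
    $format   = 'MM/dd/yyyy HH:mm:ss'
    $lastSync = $null
    if ($AlertText -match 'LastSynchronized \(UTC\):(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)') {
        $lastSync = [datetime]::ParseExact($Matches[1], $format, $culture)
    }

    foreach ($line in ($AlertText -split "`r?`n")) {
        # One cookie record per line: Domain:<DN>; LastUpdated (UTC):<ts>; DC:<dc>
        if ($line -notmatch '^Domain:(?<dn>[^;]+); LastUpdated \(UTC\):(?<ts>[^;]+); DC:(?<dc>\S+)') { continue }
        $dn      = $Matches['dn'].Trim()
        $updated = [datetime]::ParseExact($Matches['ts'].Trim(), $format, $culture)
        $known   = $LiveNamingContexts -contains $dn          # -contains is case-insensitive
        $ageHrs  = if ($lastSync) { [math]::Round(($lastSync - $updated).TotalHours, 1) } else { $null }
        [pscustomobject]@{
            Domain      = $dn
            LastUpdated = $updated
            DC          = $Matches['dc']
            AgeHours    = $ageHrs
            KnownNC     = $known
            Stale       = (-not $known) -or ($null -ne $ageHrs -and $ageHrs -gt $MaxAgeHours)
        }
    }
}

Get-StaleEdgeSyncCookieRecord -AlertText $AlertText -LiveNamingContexts $LiveNamingContexts |
    Format-Table Domain, LastUpdated, AgeHours, KnownNC, Stale -AutoSize
```

Run against the sample above, the child2 and grandchild1 records come out with KnownNC false and an age of roughly 160 and 182 hours, while the three surviving naming contexts are current; those two DNs are what you will be removing from msExchEdgeSyncCookies in the steps below. The age check is there so the script also catches a cookie for a domain that still exists but has stopped updating, which points at a different problem (replication or permissions) that editing the cookie will not fix.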
1. On the Edge server, open an elevated command prompt and run the following command:
Type "dsdbutil", then at the dsdbutil prompt type "list instances", which produces output similar to the following:
Instance Name: MSExchange
Long Name: MSExchange
LDAP Port: 50389
SSL Port: 50636
Install folder: C:\Windows\
Database file: D:\Exchange\TransportRoles\Data\Adam\adamntds.dit
Log folder: D:\Exchange\TransportRoles\Data\Adam
Service state: Running
Make a note of the LDAP port (50389 in this example), then type "quit" to leave dsdbutil.
2. Launch ADSIEdit.msc and open a new connection.
In the Connection Point section, select the well known naming context Configuration. In the Computer section, enter the server name (or localhost) followed by a colon and the LDAP port you noted in the previous step (for example, localhost:50389). Click OK to connect.
3. Expand Configuration > Services > Microsoft Exchange > First Organization > Administrative Groups > Exchange Administrative Group (FYDIBOHF23SPDLT) > Servers > (name of edge server)
Right-click the server object, choose Properties, and locate the attribute called msExchEdgeSyncCookies. Edit the attribute and remove every value that refers to a domain (naming context) that no longer exists; leave the values for the root domain, the configuration naming context and any surviving child domains in place. Record the existing values before you remove anything, since the attribute is the only copy of those cookies on the Edge server.
4. Back on the internal Exchange server, open an Exchange Management Shell and run "Start-EdgeSynchronization -ForceFullSync -ForceUpdateCookie". This may take some time, depending on how many recipient objects exist in your organization. We've got around 12,000, and it took about a minute and a half to complete.
5. Now run Test-EdgeSynchronization again. Assuming the entries in your ADAM database now match what's in your Active Directory, the test should complete successfully and SCOM should no longer throw any alerts.
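If you would rather not hand-edit the attribute in ADSIEdit, step 3 can be done from PowerShell on the Edge server. The script below is an added example, not code from the original post or from Microsoft. It assumes you run it in an elevated shell on the Edge server itself, that the AD LDS (ADAM) instance listens on LDAP port 50389 as reported by dsdbutil, that the Edge server object has the object class msExchExchangeServer, and that each msExchEdgeSyncCookies value contains the naming-context DN as text, which is how ADSIEdit displays it. It backs every value up to a file before removing anything and does nothing destructive unless you drop -WhatIf and answer the confirmation prompts.

```powershell
# Added example, not part of the original post: the ADSIEdit step as a script that
# backs up msExchEdgeSyncCookies before removing the values for decommissioned
# naming contexts. Assumptions: elevated shell on the Edge server, AD LDS on LDAP
# port 50389 (from dsdbutil), server object class msExchExchangeServer, and cookie
# values that embed the naming-context DN as text.
function Remove-StaleEdgeSyncCookie {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string]   $EdgeServerName,      # cn of the server object, e.g. EDGESERVER
        [Parameter(Mandatory)] [string[]] $StaleNamingContext,  # DNs of the decommissioned domains
        [string] $LdapHost  = 'localhost',                      # plain LDAP, so stay on the box
        [int]    $LdapPort  = 50389,
        [string] $BackupDir = (Join-Path $env:ProgramData 'EdgeSyncCookieBackup')
    )
    $base    = "LDAP://${LdapHost}:${LdapPort}"
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry("$base/RootDSE")
    $cfgNc   = [string]$rootDse.Properties['configurationNamingContext'].Value

    # Locate the Edge server object under the AD LDS configuration naming context.
    $searchRoot = New-Object System.DirectoryServices.DirectoryEntry("$base/$cfgNc")
    $filter     = "(&(objectClass=msExchExchangeServer)(cn=$EdgeServerName))"
    $searcher   = New-Object System.DirectoryServices.DirectorySearcher($searchRoot, $filter)
    $result     = $searcher.FindOne()
    if (-not $result) { throw "No msExchExchangeServer object named '$EdgeServerName' under $cfgNc" }
    $server  = $result.GetDirectoryEntry()
    $cookies = @($server.Properties['msExchEdgeSyncCookies'] | ForEach-Object { [string]$_ })

    # Back up every value first. The file holds replication cookies, so keep it
    # somewhere only administrators can read.
    New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
    $backup = Join-Path $BackupDir ('msExchEdgeSyncCookies-{0:yyyyMMdd-HHmmss}.xml' -f (Get-Date))
    $cookies | Export-Clixml -Path $backup

    # A value is stale when it names one of the decommissioned naming contexts.
    $stale = $cookies | Where-Object {
        $value = $_
        @($StaleNamingContext | Where-Object { $value -like "*$_*" }).Count -gt 0
    }

    $removed = 0
    foreach ($value in $stale) {
        $label = $value.Substring(0, [Math]::Min(80, $value.Length))
        if ($PSCmdlet.ShouldProcess($server.Path, "Remove cookie value '$label'")) {
            $server.Properties['msExchEdgeSyncCookies'].Remove($value)
            $removed++
        }
    }
    if ($removed -gt 0) { $server.CommitChanges() }

    [pscustomobject]@{
        Server  = $server.Path
        Total   = $cookies.Count
        Matched = @($stale).Count
        Removed = $removed
        Backup  = $backup
    }
}

# Dry run first (-WhatIf), then repeat without it and answer the confirmation prompts.
Remove-StaleEdgeSyncCookie -EdgeServerName 'EDGESERVER' -StaleNamingContext @(
    'DC=child2,DC=domain,DC=local'
    'DC=grandchild1,DC=child2,DC=domain,DC=local'
) -WhatIf
```

Two caveats a practitioner will want. First, the match is a substring match, so passing the root domain DN would select every cookie; always look at the -WhatIf output before committing. Second, the script deliberately talks to the AD LDS instance over plain LDAP on localhost, because that port is unencrypted; if you must run it remotely, use the SSL port dsdbutil reported instead. Once the values are gone, steps 4 and 5 above (Start-EdgeSynchronization -ForceFullSync -ForceUpdateCookie on the internal server, then Test-EdgeSynchronization) are still required to regenerate the cookies for the surviving naming contexts.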