
New-edgesubscription on edge server after certificate renewal generates LDAP error

Kreager, Keith C 0 Reputation points
2026-03-30T17:19:33.07+00:00

When installing the renewed Edge certificate on our Edge server, I ran the 'New-EdgeSubscription' command to renew the Edge subscription. I immediately got an error 'LDAP server unavailable'. This command worked when we set up the servers last year.

I am using a script written by a former employee, and he did specify the two optional parameters that I believe are not required when running the command on the Edge server (-CreateInternetSendConnector and -CreateInboundSendConnector). I didn't try the command without those parameters.

Another coworker noticed that port 50636 is open between the Mailbox and Edge server, but not bidirectionally. The Edge server cannot communicate with the Mailbox server over that port. We are performing a change to open that port, but wanted to see if anyone had any other ideas.

Exchange | Exchange Server | Other


2 answers

  1. Hani-Ng 9,990 Reputation points Microsoft External Staff Moderator
    2026-03-31T01:08:27.8266667+00:00

    Hi Kreager, Keith C

    Based on my understanding and my research, your network team does not need to make any firewall changes. The "LDAP server unavailable" error is actually being caused by the parameters in the legacy script, which are being run on the wrong server.

    The parameters -CreateInternetSendConnector and -CreateInboundSendConnector are strictly intended to be run on your Mailbox server, not your Edge server. When you run New-EdgeSubscription with those parameters, the Exchange Management Shell attempts to write configuration data directly to your internal Active Directory. Because the Edge server sits in your DMZ, it is isolated and cannot reach your internal Domain Controllers. Therefore, it throws the exact error you are seeing: "LDAP server unavailable".

    Your coworker's observation about port 50636 is correct, but this is the intended design. The Microsoft Exchange EdgeSync service operates as a one-way push. The Mailbox server connects outbound to the Edge server's local directory (AD LDS) over TCP port 50636 to push recipient data. The Edge server never initiates a connection back to the internal network over 50636. You might consider advising your team to cancel the network change, as opening this port bidirectionally is unnecessary and could pose a security risk.

    To complete your Certificate Renewal and Edge Subscription:

    • Generate the XML file on the Edge Server: Log into the Edge Server, open the Exchange Management Shell, and run the following command. (Note: Do not use any other parameters here): New-EdgeSubscription -FileName "C:\EdgeSubscription.xml" (Press 'Y' if prompted to overwrite the existing configuration).
    • Remove the old subscription on the Mailbox Server: Copy the EdgeSubscription.xml file you just created from the Edge server to the C:\ drive of your internal Mailbox server. Then, log into the Mailbox server and remove the old, expired subscription: Get-EdgeSubscription | Remove-EdgeSubscription
    • Import the XML on the Mailbox Server (Using your parameters): Still on the Mailbox server, import the file. This is where those optional parameters belong:
    $FileData = [System.IO.File]::ReadAllBytes('C:\EdgeSubscription.xml')
    New-EdgeSubscription -FileData $FileData -Site "Default-First-Site-Name" -CreateInternetSendConnector $true -CreateInboundSendConnector $true

    (Note: Please change "Default-First-Site-Name" if your Active Directory site is named differently).

    • Force Synchronization: Finally, on the Mailbox server, force the sync to establish the connection using the newly trusted certificate: Start-EdgeSynchronization

    Additionally, Exchange Server 2016 and 2019 reached their End of Support on October 14, 2025. If your environment is still running on those versions, I highly recommend planning an in-place upgrade to Exchange Server Subscription Edition (SE). The Edge Transport architecture has not changed in Exchange SE, so the steps outlined above will apply perfectly to your environment regardless of the version you are running.

    For your information, you can see:

    New-EdgeSubscription (ExchangePowerShell) | Microsoft Learn

    Network ports for clients and mail flow in Exchange | Microsoft Learn

    I hope this information helps. If you have further questions, please feel free to let me know. I look forward to your response!




  2. Q&A Assist
    2026-03-30T17:19:57.5966667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The LDAP error is expected if the required secure LDAP connectivity and Edge Subscription flow aren’t correctly in place. The key points from the documented behavior:

    1. New-EdgeSubscription on the Edge server
      • When run on the Edge Transport server, New-EdgeSubscription:
        • Creates the EdgeSync bootstrap replication account (ESBRA) in AD LDS.
        • Writes ESBRA credentials and the Edge server’s self-signed certificate public key into the XML subscription file.
        • Deletes and disables locally configured objects that will be replicated (Send connectors, accepted domains, remote domains, etc.).
      • The ESBRA account is used only for the first EdgeSync connection and expires after 24 hours. If the subscription process is not completed within that time, New-EdgeSubscription must be run again on the Edge server to generate a new file.
      • On the Edge server, the -CreateInternetSendConnector and -CreateInboundSendConnector parameters are not required; they are relevant when importing the subscription on the Mailbox server. Their presence in the script should not by itself cause an LDAP connectivity error, but they are unnecessary on the Edge side.
    2. New-EdgeSubscription on the Mailbox server
      • The XML file created on the Edge server must be copied to a Mailbox server in the target AD site.
      • On the Mailbox server, New-EdgeSubscription -FileData ... -Site <SiteName>:
        • Creates the Edge Subscription object in Active Directory.
        • Optionally creates the Internet Send connector and the inbound connector from Edge to the organization (controlled by -CreateInternetSendConnector and -CreateInboundSendConnector, both True by default).
      • After import, Start-EdgeSynchronization is run on the Mailbox server to initiate the first EdgeSync cycle.
    3. Network and LDAP requirements
      • The Edge Transport server does not access Active Directory directly; it uses AD LDS and EdgeSync over secure LDAP from the Mailbox servers.
      • The EdgeSync process uses the credentials and certificate information stored in the Edge Subscription file to establish a secure LDAP connection between the Mailbox server and the Edge server.
      • The documented flow assumes that the Mailbox servers can reach the Edge server’s AD LDS instance over the secure LDAP port (commonly 50636). If that port is blocked in either direction where required, the EdgeSync connection will fail and LDAP-related errors will appear.
      • Ensuring that port 50636 is open as required between the Mailbox servers and the Edge server is therefore essential. The observation that 50636 is not bidirectional is consistent with the LDAP error and should be corrected.
    4. Practical steps based on the documentation
      • On the Edge server:
        1. Run New-EdgeSubscription -FileName "C:\Data\EdgeSubscriptionInfo.xml" (optionally with -Force), without the -CreateInternetSendConnector and -CreateInboundSendConnector parameters.
        2. Ensure this is completed and the resulting XML file is copied to a Mailbox server within 24 hours.
      • On the Mailbox server:
        1. Import the file with New-EdgeSubscription -FileData ([System.IO.File]::ReadAllBytes('C:\Data\EdgeSubscriptionInfo.xml')) -Site "<SiteName>".
        2. Allow the cmdlet to automatically create the Internet and inbound Send connectors (default behavior) unless there is a specific need to suppress them.
        3. Run Start-EdgeSynchronization to trigger the first EdgeSync.
      • Verify that the secure LDAP port (50636) is open as required between the Mailbox servers and the Edge server so that the EdgeSync process can establish the secure LDAP connection using the credentials and certificate from the subscription file.

    Once the port is correctly opened and the subscription process is re-run within the ESBRA validity window, the LDAP error should no longer occur as part of the normal Edge Subscription and EdgeSync flow.


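Both answers describe the same two-server procedure (generate the XML on the Edge server without connector switches, import it with the switches on the Mailbox server, then start EdgeSync). The script below is an added example, not code from either answer or from Microsoft, that puts the two halves behind an explicit -Phase switch so the AD-writing parameters cannot be run on the Edge server again, and checks the Mailbox-to-Edge TCP 50636 direction before importing. $EdgeFqdn, $AdSite and $XmlPath are placeholders for your environment; copying the XML between the servers is done out of band.

```powershell
# Added example: one script, two explicit phases, so the connector switches
# (which write to Active Directory) are only ever run on the Mailbox server.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('Edge', 'Mailbox')][string]$Phase,
    [string]$XmlPath  = 'C:\EdgeSubscription.xml',
    [string]$AdSite   = 'Default-First-Site-Name',   # placeholder: your AD site name
    [string]$EdgeFqdn = 'edge01.example.com'         # placeholder: Edge server FQDN
)

switch ($Phase) {
    'Edge' {
        # The Edge server has no line of sight to AD (AD LDS only), so only the
        # file-generating form of the cmdlet is valid here: no connector switches.
        New-EdgeSubscription -FileName $XmlPath -Force
        Write-Host "Copy $XmlPath to a Mailbox server in site '$AdSite' within 24 hours (ESBRA expiry)."
    }
    'Mailbox' {
        if (-not (Test-Path $XmlPath)) { throw "Subscription file not found: $XmlPath" }

        # EdgeSync is a one-way push, Mailbox -> Edge, over TCP 50636. Verify that
        # direction only; nothing needs to be opened from the Edge to the Mailbox server.
        $tcp = Test-NetConnection -ComputerName $EdgeFqdn -Port 50636 -WarningAction SilentlyContinue
        if (-not $tcp.TcpTestSucceeded) {
            throw "TCP 50636 from this Mailbox server to $EdgeFqdn is blocked; EdgeSync cannot bootstrap."
        }

        # Remove only the expired subscription for this Edge server (subscription
        # objects are named after the Edge server's host name), not every subscription.
        $edgeHost = $EdgeFqdn.Split('.')[0]
        Get-EdgeSubscription | Where-Object { $_.Name -eq $edgeHost } |
            Remove-EdgeSubscription -Confirm:$false

        # This is the server that writes to AD, so the connector switches belong here.
        $FileData = [System.IO.File]::ReadAllBytes($XmlPath)
        New-EdgeSubscription -FileData $FileData -Site $AdSite `
            -CreateInternetSendConnector $true -CreateInboundSendConnector $true

        Start-EdgeSynchronization

        # Confirms the Mailbox server bound to the Edge AD LDS instance with the ESBRA
        # credentials and the renewed certificate; FailureDetail should be empty.
        Test-EdgeSynchronization | Format-List
    }
}
```

Run it once on the Edge server with `-Phase Edge`, copy the file, then once on the Mailbox server with `-Phase Mailbox`; if the 50636 check fails, the firewall change you need is outbound from the Mailbox server, not inbound from the Edge.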
