Users in your Exchange 2013-based hybrid deployment experience mail issues after April 15, 2016

Consider the following scenario:
  • You have a Microsoft Exchange Server 2013-based hybrid deployment.
  • You run the Hybrid Configuration wizard on a server that's running Exchange 2013 Cumulative Update 8 (CU8) or an earlier version.
  • You haven't run the Hybrid Configuration wizard on a server that's running Exchange 2013 Cumulative Update 9 (CU9) or a later version.
In this scenario, you experience one or more of the following symptoms after April 15, 2016:
  • Email messages from Exchange Online users to on-premises users are missing Skype for Business presence information.
  • Email messages from Exchange Online users to on-premises users display the sender name as <FirstName> <LastName <SMTPaddress> instead of as <FirstName> <LastName>.
  • If you disabled any receive connectors other than the Default FrontEnd connector, and you enabled domain validation on the Default Frontend connector in your environment, the following error message is shown when Exchange Online users send mail to on-premises users. This message is displayed in the deferral message in the Message Tracking dialog box in the Exchange admin center.
    451 4.7.0 Temporary server error. Please try again later. PRX5
  • On-premises users are unable to send email messages to Exchange Online users. The on-premises mail queue shows the following error message:
    454 4.7.5 The certificate specified in the tlscertificatename of the send connector could not be found.
  • If you have a centralized mail transport configuration, Exchange Online users who send email messages to external recipients receive a nondelivery report (NDR) that contains the following error message:
    Your message to <recipient> couldn't be delivered.
    Security or policy settings at <recipient domain> have rejected your message.

    If you view the details of the NDR, you see info that resembles the following: 
    Error Details:
    Reported error: 550 5.7.1 Unable to relay
    DSN generated by:
    Remote server: <Server>
To verify that you're experiencing this issue, open the Exchange Management Shell, and then run the following command:
Get-ReceiveConnector |where {$_.TlsDomainCapabilities -like "*MSIT Machine Auth CA 2*"}
Examine the output. If the command returns a connector in which the value of the TlsDomainCapabilities parameter is the following, the connector is affected.
<I>CN=MSIT Machine Auth CA 2, DC=Redmond, DC=corp, DC=microsoft, DC=com...
This problem occurs because a change was made to the Transport Layer Security (TLS) certificate in Exchange Online on April 15, 2016.
To resolve this problem, use one of the following methods.

Method 1: Run the Office 365 Hybrid Configuration Wizard

Use the Office 365 Hybrid Configuration Wizard (HCW) to configure the Exchange 2013 servers to work by using the new TLS certificate. To do this, follow these steps:

  1. If the servers that are running Exchange Server 2013 and that are handling hybrid mail flow are running Exchange Server 2013 CU8 or an earlier version, follow the instructions at Updates for Exchange 2013 to install the latest cumulative update on at least one server.
  2. After you install the latest cumulative update, download the Office 365 Hybrid Configuration Wizard from, and then run it by following the instructions at Introducing the Microsoft Office 365 Hybrid Configuration Wizard.
For information about the releases of Exchange Server that are supported in Office 365, see Hybrid deployment prerequisites.

Method 2: Manually configure the servers

If you can't upgrade Exchange Server 2013 to the latest cumulative update now (as a reminder, see the support policy), you can manually configure the servers to work together with the new TLS certificate.

To do this, open the Exchange Management Shell on each server that's running Exchange Server 2013 and is used for hybrid mail flow. Then, run the following commands:

$rc=Get-ReceiveConnector |where {$_.TlsDomainCapabilities -like "*MSIT Machine Auth CA 2*"}
$rc | foreach {Set-ReceiveConnector -Identity $_.identity -TlsDomainCapabilities "”}
For more information, see the following Microsoft Knowledge Base article:

3145044 Important notice about certificate expiration if you have an Exchange 2013 hybrid deployment with Office 365

Article ID: 3156771 - Last Review: 05/12/2016 17:21:00 - Revision: 8.0

Microsoft Exchange Online, Microsoft Exchange Server 2013 Enterprise, Microsoft Exchange Server 2013 Standard

  • o365e o365m o365022013 o365 o365a hybrid KB3156771