Symptoms:
When running the Hybrid Configuration Wizard (HCW) you may receive the following error:
Updating hybrid configuration failed with error 'Subtask Configure execution failed: Configure Mail Flow Execution of the New-SendConnector cmdlet has thrown an exception. This may indicate invalid parameters in your hybrid configuration settings. An Active Directory Constraint Violation error occurred on Domain_Controller_Name. Additional information: A value for the attribute was not in the acceptable range of values. Active directory response: 00002082: AtrErr: DSID-03151816, #1: 0: 00002082: DSID-03151816, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 811c7e35 (msExchSmtpTLSCertificate):len 552 at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.RunCommand(String cmdlet, SessionParameters parameters, Boolean ignoreNotFoundErrors)'. Additional troubleshooting information is available in the Update-HybridConfiguration log file on server 365HYP01 located at C:\Program Files\Microsoft\Exchange Server\V15\Logging\Update-HybridConfiguration\HybridConfiguration_4_13_2014_7_57_9_635329726296799568.log
Note the highlighted parts of the error above; they are what we need to troubleshoot it:
- The first shows that the error occurred while executing the New-SendConnector cmdlet.
- The second shows that the response is coming from Active Directory, which on its own does not tell us much yet.
- The third states that a value for the attribute was not in the acceptable range of values, in other words a schema constraint was violated.
- The fourth names the attribute and the length of the value being written: (msExchSmtpTLSCertificate):len 552.
The following snapshot shows the error:
Troubleshooting:
The next step is to check the log file named in the error. Opening the log under C:\Program Files\Microsoft\Exchange Server\V15\Logging\Update-HybridConfiguration shows the following:
[04/13/2014 07:57:39] INFO : Task='Configure Mail Flow' Step='Configure' START
[04/13/2014 07:57:39] INFO : Session=OnPrem Cmdlet=New-SendConnector -Name 'Outbound to Office 365' -AddressSpaces {smtp:TENANT_NAME.mail.onmicrosoft.com;1} -SourceTransportServers {SERVER_NAME} -DNSRoutingEnabled: $true -TLSDomain 'mail.protection.outlook.com' -RequireTLS: $true -TLSAuthLevel 'DomainValidation' -ErrorPolicies 'Default' -TLSCertificateName 'From your Certificate Issuer and Subject Fields' -CloudServicesMailEnabled: $true -Fqdn $null START
[04/13/2014 07:57:39] ERROR : System.Management.Automation.RemoteException: An Active Directory Constraint Violation error occurred on DOMAIN_CONTROLLER. Additional information: A value for the attribute was not in the acceptable range of values.
Active directory response: 00002082: AtrErr: DSID-03151816, #1:
0: 00002082: DSID-03151816, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 811c7e35 (msExchSmtpTLSCertificate):len 552
[04/13/2014 07:57:39] INFO : Session=OnPrem Cmdlet=New-SendConnector FINISH Time=296.8075ms
[04/13/2014 07:57:39] ERROR : Subtask Configure execution failed: Configure Mail Flow
Execution of the New-SendConnector cmdlet has thrown an exception.
The log file gives us a few useful details:
1. The cmdlet that failed, New-SendConnector, together with the exact parameters the wizard passed to it (note -TLSCertificateName).
2. The same attribute and value length as in the wizard error, (msExchSmtpTLSCertificate):len 552.
3. The generic "cmdlet has thrown an exception" message, which by itself says nothing about the cause.
So let's run the same New-SendConnector cmdlet manually from the Exchange Management Shell, using the parameters from the log; check the snapshot below:
The error returned in the snapshot:
An Active Directory Constraint Violation error occurred on YOUR_DOMAIN_CONTROLLER. Additional information: A value for the attribute was not in the acceptable range of values.
Active directory response: 00002082: AtrErr: DSID-03151816, #1:
0: 00002082: DSID-03151816, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 811c7e35
(msExchSmtpTLSCertificate):len 552
The first thing to notice from the snapshot and the log file is that the -TLSCertificateName switch is built from two fields of the certificate, and the value written to msExchSmtpTLSCertificate is the two concatenated, so both count towards the length:
- Issuer: this field holds the name of the Certificate Authority (CA) that issued the certificate, and as you can see Comodo has a very long issuer name compared with other CAs.
- Subject: this field holds information such as Organization (O), Country (C) and Common Name (CN), and as the marked field in the snapshot shows, the customer was using a very long name here as well.
The KB explains the cause of the problem as:
“This issue occurs if the value of the rangeUpper attribute for the TlsCertificateName parameter contains more than 256 characters. Certificate names can't have more than 256 characters.”
The article also indicates that this problem was fixed in Exchange 2013 Cumulative Update 3 (CU3). In this environment I used Exchange 2013 with Service Pack 1 as the hybrid servers, yet the fix does not seem to be in effect: checking the rangeUpper attribute, I found it still at the old value of 256. Keep in mind that rangeUpper lives in the Active Directory schema, not in the Exchange binaries, so a raised limit only reaches the forest once the schema has been updated (setup.exe /PrepareSchema) with a build that carries the change; reading the current value is the reliable way to tell where you stand.
To check the current rangeUpper value, run the following command (it queries the attribute's schema object directly, so it works against any domain controller):
dsquery * CN=ms-Exch-Smtp-TLS-Certificate,CN=Schema,CN=Configuration,DC=DOMAIN_NAME,DC=com -scope base -attr rangeUpper
The following snapshot shows the result:
Solution:
The first option is to issue a new certificate with a shorter Subject, since we have no control over the Issuer field. If that is not possible, the remaining option is to modify the schema manually and raise the rangeUpper limit to a value large enough for the length reported in the error (len 552).
The following steps show how to modify the attribute using ADSI Edit. This is a schema change: it is forest-wide and replicates to every domain controller, so do it deliberately and on the right server.
1. Use a user account that is a member of Schema Admins and Enterprise Admins.
2. Open adsiedit.msc.
3. Right-click ADSI Edit and click Connect to.
4. Select "Well known Naming Context" and from the drop-down menu select "Schema", as in the following snapshot. Schema writes are only accepted by the domain controller holding the Schema Master role, so if the edit in step 6 is refused, reconnect and target that server explicitly (netdom query fsmo lists it).
5. Browse to CN=ms-Exch-Smtp-TLS-Certificate, open its properties and scroll down to rangeUpper, as in the following snapshot.
6. Click Edit and enter the new value 1024, as in the following snapshot. Any value above the length shown in the error works; 1024 leaves plenty of headroom.
7. Force replication by running repadmin /syncall from a command prompt.
8. Verify that the rangeUpper limit has been increased by running the following command:
dsquery * CN=ms-Exch-Smtp-TLS-Certificate,CN=Schema,CN=Configuration,DC=DOMAIN_NAME,DC=com -scope base -attr rangeUpper
Check the following snapshot for the result:
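The whole diagnosis and fix above, checking the rangeUpper limit, measuring the name the wizard is trying to write, and raising the limit only if it really is too small, as one PowerShell script. This is an added example, not code from the original article or from Microsoft. It assumes the ActiveDirectory (RSAT) module is installed on the hybrid server, that the script runs in an Exchange Management Shell so Get-ExchangeCertificate is available, that the account is in Schema Admins and Enterprise Admins, and that the thumbprint placeholder is replaced with that of your hybrid TLS certificate. The "<I>Issuer<S>Subject" string is the documented syntax of the TlsCertificateName parameter.

```powershell
# Added example, not from the original article: diagnose and, if needed, raise the
# rangeUpper limit of msExchSmtpTLSCertificate from PowerShell instead of dsquery
# and ADSI Edit. Assumes the ActiveDirectory (RSAT) module, an Exchange Management
# Shell session for Get-ExchangeCertificate, and Schema Admins/Enterprise Admins
# membership. The thumbprint is a placeholder for your hybrid TLS certificate.
Import-Module ActiveDirectory

$thumbprint = 'REPLACE_WITH_HYBRID_CERT_THUMBPRINT'   # placeholder, not a real value

# 1. Build the value the wizard passes as -TlsCertificateName. The documented
#    syntax is "<I>Issuer<S>Subject", so both fields count towards the length.
$cert        = Get-ExchangeCertificate -Thumbprint $thumbprint
$tlsCertName = "<I>$($cert.Issuer)<S>$($cert.Subject)"
Write-Host "TlsCertificateName is $($tlsCertName.Length) characters: $tlsCertName"

# 2. Read the current limit from the attribute's schema object. rangeUpper is
#    the maximum string length Active Directory will accept for this attribute.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrDN   = "CN=ms-Exch-Smtp-TLS-Certificate,$schemaNC"
$limit    = [int](Get-ADObject -Identity $attrDN -Properties rangeUpper).rangeUpper
Write-Host "Current rangeUpper on msExchSmtpTLSCertificate: $limit"

if ($tlsCertName.Length -le $limit) {
    Write-Host 'The certificate name fits; the schema limit is not the cause.'
    return
}

# 3. Raise the limit. Schema writes are only accepted by the Schema Master, so
#    target it explicitly. 1024 matches the article; anything above the measured
#    length works.
$schemaMaster = (Get-ADForest).SchemaMaster
$newLimit     = 1024
Set-ADObject -Identity $attrDN -Replace @{ rangeUpper = $newLimit } -Server $schemaMaster

# 4. Ask the Schema Master to reload its schema cache now (it would otherwise do
#    so on its own after a few minutes), then push the change to every domain
#    controller, since the schema partition is forest-wide.
$rootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
$rootDse.Put('schemaUpdateNow', 1)
$rootDse.SetInfo()
& repadmin.exe /syncall $schemaMaster /APeD | Out-Null

# 5. Re-read the limit from the Schema Master to confirm the write took effect.
$verified = (Get-ADObject -Identity $attrDN -Properties rangeUpper -Server $schemaMaster).rangeUpper
Write-Host "rangeUpper is now $verified; rerun the Hybrid Configuration Wizard."
```

If the measured length is already below the limit, the script stops without touching the schema, which tells you the constraint violation has a different cause. The comparison is in characters, the same unit rangeUpper uses for string attributes, so the number printed in step 1 is directly comparable with the limit from step 2.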
Rerun the Hybrid Configuration Wizard to complete the configuration.