Scenario: After a recent renewal of one of our Exchange On-Premises certificates in our Exchange Online Hybrid environment, we noticed a 2 minute delay when messages were sent from Exchange Online to Exchange On-Premises via a custom send connector (not the hybrid connector).
Investigating: After some troubleshooting, we realized the TLS certificate name string, $TLSCert = ('<I>'+$cert.issuer+'<S>'+$cert.subject), was not exactly the same as what was configured in various properties on our Exchange On-Premises servers.
Solution: We ran the following PowerShell to check and set the correct certificate properties. In our specific scenario, it was the send connector (which was no longer able to send email to Exchange Online) and our receive connector (which was giving us the 2 minute email delay). I suspect this would have been a bigger issue if we had removed the older certificate, which these were still pointing to, right away.
# Find the TLS certificate name (the <I>issuer<S>subject string that connector properties are compared against):
$Cert = Get-ExchangeCertificate -Thumbprint <thumbprint of new certificate> -Server <Exchange Server name>
$TLSCert = ('<I>' + $Cert.Issuer + '<S>' + $Cert.Subject)
# Check and set the transport server to the new cert (Get-TransportService on Exchange 2013 and later):
Get-TransportServer -Identity <servername> | Select InternalTransportCertificateThumbprint
# If the thumbprint is not the new cert, move the SMTP service, and any other service, to the new certificate
Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services SMTP
# Check and set the send connector to the new TLS certificate name
Get-SendConnector -Identity <Office 365 send Connector> | Select TlsCertificateName
# If it's not using the new cert, run the following
Set-SendConnector -Identity <Office 365 send Connector> -TlsCertificateName $TLSCert
# Check and set the receive connector
Get-ReceiveConnector "ServerName\Default Frontend ReceiveConnector" | Select TlsCertificateName
# If it's not using the new cert, run the following
Get-ReceiveConnector "ServerName\Default Frontend ReceiveConnector" | Set-ReceiveConnector -TlsCertificateName $TLSCert
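The checks above folded into one audit script, as an added example that is not part of the original post: it builds the expected name from the renewed certificate, compares every send connector and every receive connector on the server (not just the Office 365 one) plus the transport service, and only changes references that are pinned to a different certificate. It assumes an Exchange Management Shell on Exchange 2013 or later, and that casting TlsCertificateName to a string yields the same <I>...<S>... form; the -Thumbprint/-Server/-Fix parameters are this script's own.

```powershell
param(
    [Parameter(Mandatory)][string]$Thumbprint,   # thumbprint of the renewed certificate
    [Parameter(Mandatory)][string]$Server,       # Exchange server to audit
    [switch]$Fix                                 # without -Fix, report only
)

$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint -Server $Server
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint has already expired" }

# Same <I>issuer<S>subject format the post builds, with straight quotes
$expected = '<I>' + $cert.Issuer + '<S>' + $cert.Subject
$findings = @()

# 1. Is SMTP actually bound to the new certificate on this server?
if ($cert.Services -notmatch 'SMTP') {
    $findings += "SMTP service is not enabled on $Thumbprint"
    if ($Fix) { Enable-ExchangeCertificate -Thumbprint $Thumbprint -Server $Server -Services SMTP }
}

# 2. Internal transport certificate (what the post reads via Get-TransportServer)
$ts = Get-TransportService -Identity $Server
if ($ts.InternalTransportCertificateThumbprint -ne $Thumbprint) {
    $findings += "Transport service on $Server still uses $($ts.InternalTransportCertificateThumbprint)"
}

# 3. Send connectors are org-wide; a pinned TlsCertificateName that no longer matches is drift.
#    An empty value is not pinned (Exchange picks a certificate by FQDN) and is left alone.
foreach ($sc in Get-SendConnector) {
    $current = [string]$sc.TlsCertificateName   # assumption: renders as <I>...<S>...
    if ($current -and $current -ne $expected) {
        $findings += "Send connector '$($sc.Identity)' pinned to: $current"
        if ($Fix) { Set-SendConnector -Identity $sc.Identity -TlsCertificateName $expected }
    }
}

# 4. Receive connectors on this server, same rule
foreach ($rc in Get-ReceiveConnector -Server $Server) {
    $current = [string]$rc.TlsCertificateName
    if ($current -and $current -ne $expected) {
        $findings += "Receive connector '$($rc.Identity)' pinned to: $current"
        if ($Fix) { Set-ReceiveConnector -Identity $rc.Identity -TlsCertificateName $expected }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "All TLS certificate references on $Server match $Thumbprint" }
```

Run it without -Fix first and keep the old certificate installed until the report is clean, since a connector still pinned to the old name stops negotiating TLS the moment that certificate is removed.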