Background reading: http://tsoorad.blogspot.com/2015/07/windows-pki-sha-1-to-sha-2.html
Mixed Lync 2013 (Edge) with SfB user pools. CMS on SfB SE. Operating systems: All user pools are 2012R2, Edge servers are 2012 (no R2). Windows updates are current. PKI is public for Edge external land FE external; PKI is AD DS for FE internal and Edge internal. Customer changed AD certificate authority from sha-1 to sha-2. New root cert pushed to all servers via active directory routines; edge server new trusted root manually imported.
Lync Edge server fails to pick up on the concept that the domain root cert had changed even after we manually imported the new root cert (sha-2) into the certificate store. The certs on both the CMS master and the Edge server all chained up properly, but the cmsreplication was failing. All the certificates assigned to all services in the Lync/SfB environment checked good, were all current, and all showed that they chained properly to either the internal PKI root or the Digicert root. Basic connection testing using <telnet fqdn 4443> were successful both directions.
We had to reboot the Edge server to get it to recognize the trusted root cert chain.
The CMS master was presenting the edge server with changes, but the Edge server did not like the new cert on the CMS master. The Edge server had a copy of the new Root Cert, but would not accept the TLS from the CMS master until the Edge restarted. Restarting services on the Edge server did not resolve the issue; a reboot was needed.
If you change the domain Root cert, Lync and SfB may or may not like the root certificate change AT THE OPERATING SYSTEM LEVEL, until a reboot, or even longer. <Sigh>