Applies to: Exchange Server 2007 SP3, Exchange Server
2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2009-04-01
This topic describes the data that is replicated from the Active Directory directory service to the Active Directory Application Mode (ADAM) directory service instance on a Microsoft Exchange Server 2007 Edge Transport server when the Edge Transport server is subscribed to an Active Directory site.
The computer that has the Edge Transport server role installed doesn't have access to Active Directory. The Edge Transport server stores all configuration and recipient information in ADAM. To perform recipient lookup and safelist aggregation tasks, and to implement domain security by using mutual Transport Layer Security (TLS) authentication, the Edge Transport server requires data that resides in Active Directory.
Because Active Directory and ADAM both use Lightweight Directory Access Protocol (LDAP), and because both directory services use the Exchange 2007 schema, you can replicate data from Active Directory to ADAM. This replication is established when you subscribe an Edge Transport server to an Active Directory site. The Edge Subscription process enables the Hub Transport servers in that site to use the Microsoft Exchange EdgeSync service to synchronize recipient and configuration data from Active Directory to the ADAM instance on the Edge Transport server. The Microsoft Exchange EdgeSync service performs scheduled updates so that the information in ADAM remains current.
Note: The Microsoft Exchange EdgeSync service performs only one-way replication of data from Active Directory to ADAM. Information from ADAM is never replicated to Active Directory, and any existing data in ADAM is not merged with Active Directory data. When an Edge Subscription is created, Active Directory becomes the authoritative data source for the Edge Transport server, and any existing objects in ADAM of a replicated data class are overwritten.
Types of Data Replicated to ADAM
Several types of data are replicated from Active Directory to ADAM:
- Edge Subscription information
- Configuration information
- Recipient information
- Topology information
The following sections describe these types of data and the way that they are used by the Edge Transport server.
Edge Subscription Information
Exchange 2007 extends both the Active Directory and ADAM schemas to provide attributes on the ms-Exch-ExchangeServer object to represent the data needed to control the EdgeSync synchronization process. These attributes provide the following three functions that are important to the EdgeSync synchronization process:
- They provide automatic provisioning and maintenance of the credentials that are used to help secure the LDAP connection between a Hub Transport server and a subscribed Edge Transport server.
- They arbitrate the synchronization lock and lease process that makes sure that only one Hub Transport server at a time will try to synchronize with an individual Edge Transport server. For more information about the lock and lease process, see Understanding the EdgeSync Synchronization Process.
- They optimize the EdgeSync synchronization process by maintaining a record of the current synchronization status, which avoids excessive manual synchronization.
The following table lists the schema extensions that are specific to Edge Subscriptions. The values assigned to these attributes are maintained by the Edge Subscription and EdgeSync synchronization process. You should not manually edit these attributes by using editing tools, such as Ldp.exe or Active Directory Service Interfaces (ADSI) Edit.
Edge Subscription schema extensions

Attribute name | Description |
---|---|
ms-Exch-Server-EKPK-Public-Key | This attribute represents the current public key for the certificate being used by the server. This value is stored by both Edge Transport servers and Hub Transport servers. The public key is used to encrypt the credentials that are used to authenticate the server during LDAP and Simple Mail Transfer Protocol (SMTP) communication. |
ms-Exch-EdgeSync-Credential | This attribute represents the list of credentials that the Microsoft Exchange EdgeSync service uses to establish an authenticated LDAP session to ADAM. On Hub Transport servers, this attribute contains only the credentials that the Hub Transport server uses to authenticate to the subscribed Edge Transport servers. On Edge Transport servers, this attribute contains the credentials of each Hub Transport server in the subscribed Active Directory site that participates in the EdgeSync synchronization process. This attribute is only present on Hub Transport servers that run the EdgeSync synchronization process and on subscribed Edge Transport servers. |
ms-Exch-Edge-Sync-Lease | This attribute is used to arbitrate between Hub Transport servers when more than one Hub Transport server tries to replicate to the same Edge Transport server. |
ms-Exch-Edge-Sync-Status | This attribute is only present in ADAM on the Edge Transport server object. It tracks the status of replication to the ADAM instance and includes information about the last replication. |
Configuration Information
When you subscribe an Edge Transport server to the organization, you can manage the configuration objects that are common to the Edge Transport server and the Exchange organization from inside the organization, and then write those changes to the Edge Transport server by using the Microsoft Exchange EdgeSync service. This process helps maintain a consistent configuration across all servers involved in message processing.
A subset of the configuration data for the Exchange organization must also be maintained on the Edge Transport server. During the EdgeSync synchronization process, the configuration data that the Edge Transport server needs is written to the configuration partition of ADAM. If you manually configure the Edge Transport server and then decide to create an Edge Subscription for that server, the affected configuration objects are deleted. The configuration data written to ADAM includes the following:
- Hub Transport servers: The fully qualified domain name (FQDN) of each Hub Transport server in the subscribed Active Directory site is made available to the local ADAM store on the Edge Transport server. This information is used to derive the list of smart hosts for the inbound Send connector, the connector that relays mail from the Edge Transport server into the organization.
- Accepted domains: All authoritative, internal relay, and external relay domains configured for the Exchange organization are written to ADAM. Having the accepted domains available on the Edge Transport server lets it perform domain filtering and reject SMTP traffic for domains the organization does not accept as early as possible. For more information about accepted domains, see Managing Accepted Domains.
- Message classifications: If message classifications are available on the Edge Transport server, transport agents and content conversion can act on them in the perimeter network. For example, the Attachment Filter agent can apply the "Attachment Removed" classification when it removes an attachment, so that informational text is displayed to a Microsoft Outlook user or an Outlook Web Access user to tell the recipient what happened. Agents developed for third-party applications can use message classifications in a similar manner. Message classifications may also have to be translated by the Edge Transport server from a GUID in an X-header to TNEF as a localized recipient description.
- Remote domains: All remote domain policies configured for the Exchange organization are written to ADAM. Remote domain policies control out-of-office message settings and message format settings for a remote domain. For more information about remote domains, see Managing Remote Domains.
- Send connectors: By default, the Send connectors required for end-to-end mail flow between the Exchange organization and the Internet are created automatically. Any existing Send connectors on the Edge Transport server are deleted. To configure additional Send connectors, create them inside the Exchange organization and select the Edge Subscription as the source server for the connector. For more information, see EdgeSync and Send Connectors.
- Internal SMTP servers: The InternalSMTPServers attribute is stored on the TransportConfig object of both the Exchange organization and the local Edge Transport server. During the EdgeSync synchronization process, the value stored on the local Edge Transport server object is overwritten with the value stored on the Exchange organization's object. This attribute specifies the list of internal SMTP server IP addresses or IP address ranges that Sender ID and connection filtering should ignore.
- Domain Secure lists: The TLSReceiveDomainSecureList and TLSSendDomainSecureList attributes are stored on the TransportConfig object of both the Exchange organization and the local Edge Transport server. During the EdgeSync synchronization process, the values stored on the local Edge Transport server object are overwritten with the values stored on the Exchange organization's object. These attributes specify the list of remote domains that are configured for mutual TLS authentication.
The tasks used to configure the configuration objects described earlier in this section are disabled on the Edge Transport server when it is subscribed to the Exchange organization. You can still use the tasks that let you view these objects. If you remove an Edge Subscription, all replicated configuration objects are removed from ADAM.
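The following Exchange Management Shell script is an added example and is not part of the original topic. It walks the procedure described above for the objects that EdgeSync overwrites on the Edge Transport server: the settings are made on the organization side, pushed with Start-EdgeSynchronization, and then the copies in ADAM are compared against a snapshot taken on the Hub Transport server. The server name EDGE01, the folder C:\EdgeCheck, the IP addresses and the domain woodgrovebank.example are placeholders, and the string-based comparison is this example's own check, not something EdgeSync provides.

```powershell
# Added example, not from the original topic. Run in the Exchange Management Shell.
# Part 1 runs on a Hub Transport server in the subscribed site; part 2 runs on the
# subscribed Edge Transport server after C:\EdgeCheck has been copied over from the hub.
# Server names, IP addresses, folder and domain names below are placeholders.

# ---------- Part 1: Hub Transport server (Active Directory is authoritative) ----------

# These TransportConfig attributes are copied from the organization to the Edge server's
# copy in ADAM, so they are set here; a value set locally on the Edge server is
# overwritten at the next synchronization.
Set-TransportConfig `
    -InternalSMTPServers "192.0.2.10","192.0.2.11" `
    -TLSSendDomainSecureList "woodgrovebank.example" `
    -TLSReceiveDomainSecureList "woodgrovebank.example"

# Send connectors for a subscribed Edge server are created in the organization with the
# Edge server (here EDGE01) as the source; connectors created locally on EDGE01 were
# deleted when the subscription was made.
New-SendConnector -Name "Domain Secure to woodgrovebank" -AddressSpaces "woodgrovebank.example" `
    -SourceTransportServers "EDGE01" -DNSRoutingEnabled $true -DomainSecureEnabled $true

# Snapshot the replicated objects as plain strings for comparison on the Edge side.
New-Item -ItemType Directory -Path C:\EdgeCheck -Force | Out-Null
Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() + " " + $_.DomainType.ToString() } |
    Export-Clixml C:\EdgeCheck\hub-accepted.xml
$cfg = Get-TransportConfig
@{
    InternalSMTPServers        = @($cfg.InternalSMTPServers        | ForEach-Object { $_.ToString() })
    TLSSendDomainSecureList    = @($cfg.TLSSendDomainSecureList    | ForEach-Object { $_.ToString() })
    TLSReceiveDomainSecureList = @($cfg.TLSReceiveDomainSecureList | ForEach-Object { $_.ToString() })
} | Export-Clixml C:\EdgeCheck\hub-transportconfig.xml

# Push the changes now rather than waiting for the scheduled run, then read the status
# that EdgeSync reports for each subscribed Edge server.
Start-EdgeSynchronization
Test-EdgeSynchronization | Format-List

# ---------- Part 2: Edge Transport server (reads the ADAM copy) ----------

# The Set-* tasks for these objects are disabled on a subscribed Edge server; the Get-*
# tasks still work and return the replicated copies held in ADAM.
$hubAccepted  = Import-Clixml C:\EdgeCheck\hub-accepted.xml
$edgeAccepted = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() + " " + $_.DomainType.ToString() }
# "<=" marks a domain present in the organization but missing from ADAM; "=>" marks a
# stale entry still in ADAM. No output means both sides agree.
Compare-Object $hubAccepted $edgeAccepted

$hub = Import-Clixml C:\EdgeCheck\hub-transportconfig.xml
$cfg = Get-TransportConfig
foreach ($name in "InternalSMTPServers","TLSSendDomainSecureList","TLSReceiveDomainSecureList") {
    $edgeValues = @($cfg.$name | ForEach-Object { $_.ToString() })
    # The leading placeholder keeps Compare-Object from rejecting an empty list.
    $diff = Compare-Object (@("-") + $hub[$name]) (@("-") + $edgeValues)
    if ($diff) { "MISMATCH " + $name; $diff | Format-Table -AutoSize } else { "OK " + $name }
}
```

Run part 1 first and wait for Test-EdgeSynchronization to report the Edge server as synchronized before copying C:\EdgeCheck to the Edge server and running part 2; a mismatch that persists after a completed synchronization points at a stale or manually edited object in ADAM rather than at timing.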
Recipient Information
The recipient information that is replicated to ADAM includes only a subset of the recipient attributes. Only the data that the Edge Transport server must have to perform certain anti-spam tasks is replicated. The recipient information replicated to ADAM includes the following:
- Recipients: The list of recipients in the Exchange organization is replicated to ADAM. Each recipient is identified by the GUID assigned to it in Active Directory. If you configure a recipient's user account to deny receipt of mail from outside the organization, the recipient is not replicated to ADAM. If you disable or delete the mailbox for a recipient, it is not replicated to ADAM.
- Proxy addresses: All proxy addresses assigned to each recipient are replicated to ADAM as hashed data. This is a one-way hash that uses Secure Hash Algorithm (SHA) 256. SHA-256 generates a 256-bit message digest of the original data. Storing proxy addresses as hashed data helps secure this information in case the Edge Transport server or ADAM is compromised. Proxy addresses are referenced when the Edge Transport server performs the recipient lookup anti-spam task.
- Safe Senders List and Safe Recipients List: The Safe Senders Lists and Safe Recipients Lists that are defined in each recipient's Outlook instance are aggregated and replicated to ADAM. These settings are stored on the Mailbox store where the recipient's mailbox resides. Information about blocked senders is not replicated. An Outlook user's safelist collection is the combined data from the user's Safe Senders List, Safe Recipients List, Blocked Senders List, and external contacts. Having safelist collection data available in ADAM enables the Edge Transport server to screen senders appropriately, reducing the operational overhead involved with filtering mail. This information is sent as hashed data.

Important: Although the safe recipient data is stored in Outlook and can be aggregated into the safelist collection on the ADAM instance on the Edge Transport server, the content filtering functionality does not act on safe recipient data. Because content filtering does not use the safe recipient data, we recommend that you do not configure the Update-Safelist cmdlet to update the safe recipient data. For more information, see How to Configure Safelist Aggregation and Update-SafeList.

- Per recipient anti-spam settings: By using the Set-Mailbox cmdlet, you can assign anti-spam threshold settings per recipient that differ from the organization-wide anti-spam settings. If you configure per recipient anti-spam settings, these settings override the organization-wide settings. By replicating these settings to ADAM, the per recipient settings can be considered before the message is relayed to the Exchange organization. This information is sent as hashed data.
If you remove an Edge Subscription, all the replicated data is also removed and you will no longer be able to use the Edge Transport features that rely on this recipient data.
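The following PowerShell script is an added model of the hashed recipient lookup described above; it is not Exchange code and does not reproduce EdgeSync's actual encoding. The topic states only that proxy addresses reach ADAM as SHA-256 hashes, so the normalization rule (trim, lowercase), the UTF-8 encoding, the recipient list and the GUIDs are constructed assumptions. The RequireSenderAuthenticationEnabled flag stands in for a mailbox configured to deny mail from outside the organization, which, like a disabled mailbox, is never replicated.

```powershell
# Added model of the hashed recipient lookup, not Exchange code. The recipient data, the
# normalization rule and the encoding are constructed assumptions; the topic only states
# that proxy addresses are replicated as SHA-256 hashes, not how they are encoded.

function Get-AddressHash {
    param([string]$Address)
    # Assumed normalization: addresses are compared case-insensitively, so lowercase
    # before hashing; otherwise "Kim@Contoso" and "kim@contoso" would never match.
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Address.Trim().ToLowerInvariant())
    return [System.BitConverter]::ToString($sha.ComputeHash($bytes)).Replace("-", "")
}

# Constructed stand-in for what EdgeSync reads from Active Directory. Recipients that
# require authenticated senders (no mail from outside) and disabled mailboxes are skipped.
$recipients = @(
    @{ Guid = "8f4e0c6e-0000-4000-8000-000000000001"; Proxies = @("kim@contoso.example", "kim.akers@contoso.example"); RequireSenderAuthenticationEnabled = $false; Enabled = $true  },
    @{ Guid = "8f4e0c6e-0000-4000-8000-000000000002"; Proxies = @("payroll@contoso.example");                          RequireSenderAuthenticationEnabled = $true;  Enabled = $true  },
    @{ Guid = "8f4e0c6e-0000-4000-8000-000000000003"; Proxies = @("former.employee@contoso.example");                  RequireSenderAuthenticationEnabled = $false; Enabled = $false }
)

# Build what the Edge server holds: hash -> recipient GUID, with no cleartext addresses.
$edgeStore = @{}
foreach ($r in $recipients) {
    if (-not $r.Enabled -or $r.RequireSenderAuthenticationEnabled) { continue }
    foreach ($p in $r.Proxies) { $edgeStore[(Get-AddressHash $p)] = $r.Guid }
}

function Test-EdgeRecipient {
    param([string]$RcptTo)
    # The recipient lookup: hash the RCPT TO address the same way and look it up.
    return $edgeStore.ContainsKey((Get-AddressHash $RcptTo))
}

# Expected verdicts: Kim accepted despite the different case, payroll rejected because
# it was never replicated, nobody rejected because it does not exist.
foreach ($addr in "Kim@Contoso.example", "payroll@contoso.example", "nobody@contoso.example") {
    $verdict = "reject"
    if (Test-EdgeRecipient $addr) { $verdict = "accept" }
    "{0,-28} {1}" -f $addr, $verdict
}

# Caveat of this model: the store is keyed by an unsalted hash of a guessable value, so
# anyone holding a copy of it can confirm candidate addresses offline by hashing them the
# same way. Hashing prevents bulk reading of the address list, not confirmation of guesses.
```

The model shows why a recipient that is not replicated is simply unknown to the Edge server: the lookup fails and the message for that address can be rejected in the perimeter network, even though the mailbox exists inside the organization. On a real deployment, the check for a specific recipient is the one described in How to Verify EdgeSync Results for a Recipient, which uses Test-EdgeSynchronization with its VerifyRecipient parameter rather than a hand-built store.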
Topology Information
The topology information includes notification of newly subscribed Edge Transport servers or removed Edge Subscriptions. This data is refreshed every five minutes.
For More Information
For more information, see the following topics:
- Understanding Edge Subscriptions
- Understanding the EdgeSync Synchronization Process
- EdgeSync and Send Connectors
- Understanding Edge Subscription Credentials
- How to Verify EdgeSync Results for a Recipient
- EdgeSync Cmdlets
- Subscribing the Edge Transport Server to the Exchange Organization
- Test-EdgeSynchronization