Using an Edge Subscription to Populate ADAM with Active Directory Data

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.


Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

This topic provides information about how to create and use an Edge Subscription to populate the Active Directory Application Mode (ADAM) directory service instance on the Microsoft Exchange Server 2007 Edge Transport server role with Active Directory directory service data.

An Edge Transport server can be subscribed to an Active Directory site. Subscribing the Edge Transport server to the Active Directory site associates the Edge Transport server with the Exchange organization. This process reduces the administration that you must perform in the perimeter network by letting you perform required configuration on the Hub Transport server role and then write that information to the Edge Transport server. An organization that deploys more than one Edge Transport server can maintain a consistent configuration by using Edge Subscriptions. You must create an Edge Subscription if you plan to use the anti-spam features, recipient lookup or safelist aggregation, or the Domain Security feature.

The Edge Subscription Process

The Edge Subscription process is the procedure that an administrator follows to establish an Edge Subscription for an Edge Transport server. You subscribe an Edge Transport server to an Active Directory site to associate the Edge Transport server with the Exchange organization. A subscribed Edge Transport server is stamped with an Active Directory site attribute. Among other things, this association enables you to configure the Edge Subscription as a source server for Send connectors that are created in the Exchange organization. The Hub Transport servers in the Exchange organization use an implicit intra-organizational Send connector to route e-mail messages to the Internet through the subscribed Edge Transport server. The Active Directory site association enables the Hub Transport servers to locate the Edge Transport server for routing purposes.

An Edge Transport server can only be subscribed to a single Active Directory site. If you want to change the site association for a subscribed Edge Transport server, you must remove the Edge Subscription from the Hub Transport server and then create a new Edge Subscription.

After the Edge Subscription process is complete, the Microsoft Exchange EdgeSync service, which runs on Hub Transport servers, pushes information from Active Directory to the ADAM instance on the Edge Transport server in the perimeter network. The information that is replicated to the Edge Transport server includes recipient information and some configuration information about the Exchange 2007 organization. The information is kept up to date through a periodic synchronization process.

When an Edge Transport server is subscribed to an Active Directory site, all the Hub Transport servers that are installed in that Active Directory site at that time can participate in the EdgeSync process. If one of those servers is removed, the Microsoft Exchange EdgeSync service that is running on the remaining Hub Transport servers continues the data synchronization process. However, if new Hub Transport servers are installed in the Active Directory site, they will not participate in the EdgeSync process. To enable those Hub Transport servers to participate in the EdgeSync process, you must resubscribe the Edge Transport server.

Important

To resubscribe an Edge Transport server, export a new XML file on the Edge Transport server and then import the XML file on a Hub Transport server. You must resubscribe the Edge Transport server to the same Active Directory site to which it was originally subscribed. You do not have to first remove the original Edge Subscription. The resubscription process will overwrite the existing subscription.

You start the Edge Subscription process by exporting an Edge Subscription XML file on the Edge Transport server. When the Edge Subscription file is created on the Edge Transport server by using the New-EdgeSubscription cmdlet in the Exchange Management Shell, the following actions occur:

  • An ADAM account is created.

  • Credentials are retrieved and written to the Edge Subscription XML file.

Each Edge Transport server requires an individual Edge Subscription. The credentials that are written to the Edge Subscription file are specific to the server from which the file is exported.

Next, the Edge Subscription XML file is transferred to a Hub Transport server that is located in the Active Directory site to which you want to subscribe the Edge Transport server. The Edge Subscription file is imported to the Hub Transport server by using either the New-EdgeSubscription cmdlet or the New Edge Subscription wizard in the Exchange Management Console. This step finishes the Edge Subscription process. The Microsoft Exchange EdgeSync service that is running on the Hub Transport servers in the Active Directory site to which the Edge Transport server is subscribed will now perform one-way replication of data from Active Directory to ADAM. The ADAM credentials that are created during the Edge Subscription process are used to authenticate the secure Lightweight Directory Access Protocol (Secure LDAP) connection that is made during the synchronization process.
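The export, transfer and import steps described above, written out as Exchange Management Shell commands. This is an added example, not part of the original topic; the server names EDGE01 and HUB01, the site name Default-First-Site-Name, the file path and the Get-EdgeSubscription output properties are assumed for illustration.

```powershell
# Added example (not from the TechNet topic): subscribing an Edge Transport
# server to an Active Directory site, step by step.
# Assumed values: Edge Transport server EDGE01, Hub Transport server HUB01,
# Active Directory site "Default-First-Site-Name", file C:\EdgeSubscriptionInfo.xml.

# --- Step 1: run on the Edge Transport server (EDGE01) ---
# Creates the ADAM account and writes its credentials into the XML file.
# The file is therefore a credential artifact: keep it off shared locations and
# move it to the Hub Transport server over a channel you control.
New-EdgeSubscription -FileName "C:\EdgeSubscriptionInfo.xml"

# --- Step 2: run on a Hub Transport server in the target site (HUB01) ---
# Reads the transferred file as raw bytes and completes the subscription for
# the named site. Re-running this for an already subscribed Edge Transport
# server (same site) overwrites the existing subscription, which is how new
# Hub Transport servers in the site are enrolled in EdgeSync.
$fileData = [byte[]]$(Get-Content -Path "C:\EdgeSubscriptionInfo.xml" -Encoding Byte -ReadCount 0)
New-EdgeSubscription -FileData $fileData -Site "Default-First-Site-Name"

# The credentials in the file have served their purpose once the import
# succeeds; remove the file on both servers so it cannot be reused.
Remove-Item -Path "C:\EdgeSubscriptionInfo.xml"

# --- Step 3: confirm the subscription and its site association ---
# Each subscribed Edge Transport server appears once, stamped with its site.
Get-EdgeSubscription | Format-List Name, Site
```

The byte-array form of the import is required because the cmdlet consumes the file contents rather than a path; running the import from a different site than the one the Edge Transport server was originally subscribed to is not a resubscription and is rejected, so remove the old subscription first in that case.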

The Microsoft Exchange EdgeSync Service Synchronization Process

The Microsoft Exchange EdgeSync service is the data synchronization service that runs on a Hub Transport server. The Microsoft Exchange EdgeSync service that is running on the Hub Transport servers in the Active Directory site to which the Edge Transport server is subscribed periodically performs one-way replication of recipient and configuration data to ADAM. The Microsoft Exchange EdgeSync service copies only the information that is required for the Edge Transport server to perform anti-spam configuration tasks or to use Domain Security, and information about the Send connector configuration that is required to enable mail flow between the Exchange 2007 organization's Hub Transport servers and the Internet through one or more Edge Transport servers. The Microsoft Exchange EdgeSync service performs scheduled updates so that the information in ADAM remains current.

The Microsoft Exchange EdgeSync service uses administrative credentials and transfers data over an encrypted channel. When synchronization occurs, new objects are added to ADAM, deleted objects are removed, and property modifications are written to existing objects. During the initial replication, ADAM is populated. After the initial replication has finished, synchronization occurs at fixed intervals. Configuration data is synchronized at one-hour intervals. Recipient data is synchronized at four-hour intervals. If you have made significant changes to data in Active Directory, you may want to synchronize immediately. You can use the Start-EdgeSynchronization cmdlet in the Exchange Management Shell to start immediate synchronization.

During synchronization, the Microsoft Exchange EdgeSync service replicates the following data from Active Directory to ADAM:

  • Accepted domains

  • Remote domains

  • Message classifications

  • Recipients (Hashed)

  • Safe Senders Lists (Hashed)

  • Send Connectors

  • Hub Transport server list (for dynamic connector generation)

  • TLS Send and Receive Domain Secure lists

  • Internal SMTP Servers list

The configuration data is used to automatically create Send connectors for an Edge Transport server that is subscribed to an Active Directory site. The Microsoft Exchange EdgeSync service establishes the connectors that are needed to send e-mail messages to the Exchange organization and to the Internet. When an Edge Transport server is subscribed to an Active Directory site, the Microsoft Exchange EdgeSync service creates the following connectors:

  • An implicit Send connector from the Hub Transport servers that are in the same forest to the Edge Transport server.

  • A Send connector from the Edge Transport server to the Hub Transport servers in the Active Directory site to which the Edge Transport server is subscribed.

  • A Send connector from the Edge Transport server to the Internet.
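The immediate synchronization described in the section above, followed by the checks a practitioner would run to confirm that ADAM is current and that the EdgeSync-created Send connectors exist. This is an added example, not part of the original topic; the server name HUB01, the recipient address and the "EdgeSync" connector name prefix are assumptions used for illustration.

```powershell
# Added example (not from the TechNet topic): force a synchronization and
# verify the result. Assumed values: Hub Transport server HUB01 in the
# subscribed site, recipient user@contoso.com.

# --- On a Hub Transport server in the subscribed site ---
# Starts EdgeSync now instead of waiting for the one-hour (configuration) or
# four-hour (recipient) schedule.
Start-EdgeSynchronization -Server HUB01

# Compares Active Directory with ADAM on each subscribed Edge Transport server
# and reports the per-data-type status (accepted domains, send connectors,
# recipients, and so on). Anything other than a synchronized status after a
# forced run points at credential or Secure LDAP connectivity problems.
Test-EdgeSynchronization | Format-List

# Checks that one specific recipient has been hashed into ADAM (Exchange 2007
# SP1 and later), which is what recipient lookup on the Edge relies on.
Test-EdgeSynchronization -VerifyRecipient user@contoso.com | Format-List

# --- On the Edge Transport server ---
# Lists the Send connectors that EdgeSync wrote into ADAM: one back to the
# Hub Transport servers of the subscribed site and one to the Internet.
# The "EdgeSync" name prefix is an assumed naming convention for the filter.
Get-SendConnector |
    Where-Object { $_.Name -like "EdgeSync*" } |
    Format-Table Name, AddressSpaces, SmartHosts, DNSRoutingEnabled -AutoSize
```

Run the connector check on the Edge Transport server itself, since Get-SendConnector there reads from ADAM; the same cmdlet on a Hub Transport server reads Active Directory and does not show what the Edge Transport server is actually routing with.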

For More Information

For more information, see the following topics: