EdgeSync Replication Data
Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2009-04-01
This topic describes the data that is replicated from the Active Directory directory service to the Active Directory Application Mode (ADAM) directory service instance on a Microsoft Exchange Server 2007 Edge Transport server when the Edge Transport server is subscribed to an Active Directory site.
The computer that has the Edge Transport server role installed doesn't have access to Active Directory. The Edge Transport server stores all configuration and recipient information in ADAM. To perform recipient lookup and safelist aggregation tasks, and to implement domain security by using mutual authentication Transport Layer Security (TLS), the Edge Transport server requires data that resides in Active Directory.
Because Active Directory and ADAM both use Lightweight Directory Access Protocol (LDAP), and because both directory services use the Exchange 2007 schema, you can replicate data from Active Directory to ADAM. This replication is established when you subscribe an Edge Transport server to an Active Directory site. The Edge Subscription process enables the Hub Transport servers in that site to use the Microsoft Exchange EdgeSync service to synchronize recipient and configuration data from Active Directory to the ADAM instance on the Edge Transport server. The Microsoft Exchange EdgeSync service performs scheduled updates so that the information in ADAM remains current.
|The Microsoft Exchange EdgeSync service performs only one-way replication of data from Active Directory to ADAM. Information from ADAM is never replicated to Active Directory, and any existing data in ADAM is not merged with Active Directory data. When an Edge Subscription is created, Active Directory becomes the authoritative data source for the Edge Transport server and any existing objects in ADAM of a replicated data class are overwritten.|
Several types of data are replicated from Active Directory to ADAM:
Edge Subscription information
The following sections describe these types of data and the way that they are used by the Edge Transport server.
Exchange 2007 extends both the Active Directory and ADAM schemas to provide attributes on the ms-Exch-ExchangeServer object to represent the data needed to control the EdgeSync synchronization process. These attributes provide the following three functions that are important to the EdgeSync synchronization process:
They provide automatic provisioning and maintenance of the credentials that are used to help secure the LDAP connection between a Hub Transport server and a subscribed Edge Transport server.
They arbitrate the synchronization lock and lease process that makes sure that only one Hub Transport server at a time will try to synchronize with an individual Edge Transport server. For more information about the lock and lease process, see Understanding the EdgeSync Synchronization Process.
They optimize the EdgeSync synchronization process to maintain a record of the current synchronization status and avoid excessive manual synchronization.
The following table lists the schema extensions that are specific to Edge Subscriptions. The values assigned to these attributes are maintained by the Edge Subscription and EdgeSync synchronization process. You should not manually edit these attributes by using editing tools, such as Ldp.exe or Active Directory Service Interfaces (ADSI) Edit.
Edge Subscription schema extensions
This attribute represents the current public key for the certificate being used by the server. This value is stored by both Edge Transport servers and Hub Transport servers. The public key is used to encrypt the credentials that are used to authenticate the server during LDAP and Simple Mail Transfer Protocol (SMTP) communication.
This attribute represents the list of credentials that the Microsoft Exchange EdgeSync service uses to establish an authenticated LDAP session to ADAM. On Hub Transport servers, this attribute contains only the credentials that the Hub Transport server uses to authenticate to the subscribed Edge Transport servers. On Edge Transport servers, this attribute contains the credentials of each Hub Transport server in the subscribed Active Directory site that participates in the EdgeSync synchronization process. This attribute is only present on Hub Transport servers that run the EdgeSync synchronization process and on subscribed Edge Transport servers.
This attribute is used to arbitrate between Hub Transport servers when more than one Hub Transport server tries to replicate to the same Edge Transport server.
This attribute is only present in ADAM on the Edge Transport server object. This attribute tracks the status of replication to an ADAM instance and includes information about replication.
For more information, see the following topics:
When you subscribe to an Edge Transport server to the organization, you can manage the configuration objects that are common to the Edge Transport server and the Exchange organization from inside the organization and then write those changes to the Edge Transport server by using the Microsoft Exchange EdgeSync service. This process helps maintain a consistent configuration across all servers involved in message processing.
A subset of the configuration data for the Exchange organization must also be maintained on the Edge Transport server. During the EdgeSync synchronization process, the configuration data that the Edge Transport server needs is written to the configuration partition of ADAM. If you manually configure the Edge Transport server and then decide to create an Edge Subscription for that server, the affected configuration objects are deleted. The configuration data written to ADAM includes the following:
- Hub Transport servers The fully qualified domain name (FQDN) of each Hub Transport servers in the subscribed Active Directory site is made available to the local ADAM store on the Edge Transport server. This information is used to derive a list of smart host servers for the inbound Send connector.
- Accepted domains All authoritative, internal relay, and external relay domains configured for the Exchange organization are written to ADAM. Having the accepted domains available to Edge Transport enables the Exchange organization to perform domain filtering and reject invalid SMTP traffic into their organization as early as possible. For more information about accepted domains, see Managing Accepted Domains.
- Message classifications If message classifications are available on the Edge Transport server, transport agents and content conversion can act on message classifications in the perimeter network. For example, the Attachment Filter agent can apply the “Attachment Removed” classification when it removes an attachment. Therefore, informational text will be displayed to a Microsoft Outlook user or an Outlook Web Access user to tell the recipient what happened. Agents that are developed for use by third-party applications can use message classifications in a similar manner. Also, message classifications may have to be translated by the Edge Transport server from a GUID in an X-header to TNEF as a localized recipient description.
- Remote domains All remote domain policies configured for the Exchange organization are written to ADAM. Remote domain policies control out-of-office message settings and message format settings for a remote domain. For more information about remote domains, see Managing Remote Domains.
- Send connectors By default, the Send connectors required to enable end-to-end mail flow between the Exchange organization and the Internet are automatically created. Any existing Send connectors on the Edge Transport server are deleted. If you want to configure additional Send connectors, you configure the Send connector inside the Exchange organization and select the Edge Subscription as the source server for the connector. For more information, see EdgeSync and Send Connectors.
- Internal SMTP servers The value for the InternalSMTPServers attribute is stored on the TransportConfig object for both the Exchange organization and the local Edge Transport server. During the EdgeSync synchronization process, the value that is stored on the local Edge transport server object is overwritten with the value that is stored on this object for the Exchange organization. This attribute specifies a list of internal SMTP server IP addresses or IP address ranges that should be ignored by Sender ID and connection filtering.
- Domain Secure lists The TLSReceiveDomainSecureList and the TLSSendDomainSecureList attributes are stored on the TransportConfig object for both the Exchange organization and the local Edge Transport server. During the EdgeSync synchronization process, the value that is stored on the local Edge transport server object is overwritten with the value that is stored on this object for the Exchange organization. These attributes specify the list of remote domains that are configured for mutual TLS authentication.
The tasks used to configure the configuration objects described earlier in this section are disabled on the Edge Transport server when it is subscribed to the Exchange organization. You can still use the tasks that let you view these objects. If you remove an Edge Subscription, all replicated configuration objects are removed from ADAM.
The recipient information that is replicated to ADAM includes only a subset of the recipient attributes. Only the data on which the Edge Transport server must have to perform certain anti-spam tasks is replicated. The recipient information replicated to ADAM includes the following:
- Recipients The list of recipients in the Exchange organization is replicated to ADAM. Each recipient is identified by the GUID assigned to it in Active Directory. If you configure a recipient's user account to deny receipt of mail from outside the organization, the recipient is not replicated to ADAM. If you disable or delete the mailbox for a recipient, it is not replicated to ADAM.
- Proxy addresses All proxy addresses assigned to each recipient are replicated to ADAM as hashed data. This is a one-way hash that uses Secure Hash Algorithm (SHA) 256. SHA-256 generates a 256-bit message digest of the original data. Storing proxy addresses as hashed data helps secure this information in case the Edge Transport server or ADAM is compromised. Proxy addresses are referenced when the Edge Transport server performs the recipient lookup anti-spam task.
- Safe Senders List and Safe Recipients List The Safe Senders Lists and Safe Recipients Lists that are defined in each recipient's Outlook instance are aggregated and replicated to ADAM. These settings are stored on the Mailbox store where the recipient's mailbox resides. Information about blocked senders is not replicated. An Outlook user's safelist collection is the combined data from the user's Safe Senders List, Safe Recipients List, Blocked Senders List, and external contacts. Having safelist collection data available in ADAM enables the Edge Transport server to screen senders appropriately, reducing the operational overhead involved with filtering mail. This information is sent as hashed data.
Important: Although the safe recipient data is stored in Outlook and can be aggregated into the safelist collection on the ADAM instance on the Edge Transport server, the content filtering functionality does not act on safe recipient data. Because content filtering does not use the safe recipient data, we recommend that you do not configure the Update-Safelist cmdlet to update the safe recipient data. For more information, see How to Configure Safelist Aggregation and Update-SafeList.
- Per recipient anti-spam settings By using the Set-Mailbox cmdlet, you can assign anti-spam threshold settings per recipient that differ from the organization-wide anti-spam settings. If you configure per recipient anti-spam settings, these settings override the organization-wide settings. By replicating these settings to ADAM, the per recipient settings can be considered before the message is relayed to the Exchange organization. This information is sent as hashed data.
If you remove an Edge Subscription, all the replicated data is also removed and you will no longer be able to use the Edge Transport features that rely on this recipient data.
The topology information includes notification of newly subscribed Edge Transport servers or removed Edge Subscriptions. This data is refreshed every five minutes.
For more information, see the following topics:
- Understanding Edge Subscriptions
- Understanding the EdgeSync Synchronization Process
- EdgeSync and Send Connectors
- Understanding Edge Subscription Credentials
- How to Verify EdgeSync Results for a Recipient
- EdgeSync Cmdlets
- Subscribing the Edge Transport Server to the Exchange Organization