White Paper: Edge Subscription and Synchronization

 

Topic last modified: 2007-03-29

Kate Follis, Senior Technical Writer, Microsoft Exchange Server

March 2007

Summary

This white paper provides detailed information about Edge Subscriptions and the EdgeSync synchronization process. You use Edge Subscriptions to populate the Active Directory Application Mode (ADAM) directory service instance on the Microsoft Exchange Server 2007 Edge Transport server role with Active Directory directory service data. This establishes secure, automatic replication of information from Active Directory to ADAM. The EdgeSync synchronization process reduces the administration that you must perform in the perimeter network by letting you perform required configuration on the Hub Transport server role and then write that information to the Edge Transport server.

Applies To

Microsoft Exchange Server 2007

Table of Contents

  • Introduction

  • Definitions

  • Order of Operations

  • Preparing to Create an Edge Subscription

  • Edge Subscription Process

  • The Edge Subscription File

  • EdgeSync Replication Accounts

  • EdgeSync Synchronization

  • Replication Data

  • EdgeSync and Send Connectors

  • Managing Edge Subscriptions

  • Verifying EdgeSync Results

  • Appendix 1: Exchange Management Shell EdgeSync Cmdlets

Introduction

In Exchange 2007, the Edge Transport server role is deployed in your organization's perimeter network. Designed to minimize the attack surface, the Edge Transport server handles all Internet-facing mail flow and provides Simple Mail Transfer Protocol (SMTP) relay and smart host services for the Exchange organization. Additional layers of message protection and security are provided by a series of agents that run on the Edge Transport server and act on messages as they are processed by the message transport components. These agents support the features that provide protection against viruses and spam and apply transport rules to control message flow.

An Edge Transport server can be subscribed to an Active Directory site. Subscribing the Edge Transport server to the Active Directory site associates the Edge Transport server with the Exchange organization. This process reduces the administration that you must perform in the perimeter network by letting you perform required configuration on the Hub Transport server role and then write that information to the Edge Transport server. An organization that deploys more than one Edge Transport server can maintain a consistent configuration by using Edge Subscriptions. You must create an Edge Subscription if you plan to use the anti-spam features, recipient lookup or safelist aggregation, or the Domain Security feature.

Objectives and acknowledgements

Much of the information in this white paper originally appeared as individual Help topics in the Exchange Server 2007 Help. In this white paper, we have consolidated this information to provide an end-to-end, printable guide that you can use to deploy, test, and maintain Edge Subscriptions for Exchange 2007.

Notes

This white paper is intended to walk you through the deployment of Edge Subscriptions. Read all of it. Also, as with any software deployment, we recommend that you set up the solution in a lab and experiment with the functionality before you deploy it in the real world.

During the development of Exchange 2007, the Microsoft IT department deployed Edge Subscriptions with early adopter partners. As a result, configuration and deployment issues were discovered and fixed. Other minor configuration and deployment issues have also been identified and are documented in this white paper.

The following people reviewed this content for technical accuracy: Chris Ahlers, Felix Deschamps, Hao Zhang, Matt Kuzior, Steve Clagg, and Shawn Thomas.

Definitions

The Exchange 2007 Edge Subscription feature introduces new terminology and functionality. Familiarity with the Edge Subscription terminology will help you understand the information in this document. In this section, I define Edge Subscription terminology and components to help you understand the Edge Subscription feature.

  • Edge Subscription   The Edge Subscription is the record of an Edge Transport server that has been subscribed to an Exchange organization. The ADAM directory service on a subscribed Edge Transport server is updated with information from Active Directory by the Microsoft Exchange EdgeSync service.

  • Edge Subscription process   The Edge Subscription process is the procedure that an administrator follows to establish an Edge Subscription for an Edge Transport server. You subscribe an Edge Transport server to an Active Directory site to associate the Edge Transport server with the Exchange organization.

  • Edge Subscription file   The Edge Subscription file is an XML file that is exported from the Edge Transport server and imported to the Hub Transport server to establish the Edge Subscription. The Edge Subscription file contains information about the Edge Transport server and information about the credentials that are used to establish the initial synchronization.

  • EdgeSync bootstrap replication account   The EdgeSync bootstrap replication account (ESBRA) is the set of credentials that is generated on the Edge Transport server whenever a new Edge Subscription file is generated. The credentials are written to the Edge Subscription file, transferred to the Exchange organization, and used by Hub Transport servers to authenticate to the Edge Transport server during the initial synchronization of data. These credentials are used only to establish the initial synchronization. They expire 1,440 minutes (24 hours) after the Edge Subscription file is created.

  • EdgeSync replication account   An EdgeSync replication account (ESRA) is the set of credentials that is used to authenticate and authorize the secure LDAP connection between an Edge Transport server and a Hub Transport server. After the Edge Subscription is created in the Exchange organization, each Hub Transport server generates a unique set of ESRA credentials for each subscribed Edge Transport server. The credentials are managed by the system, stored on the Exchange server Active Directory configuration object in an encrypted form, and replicated to ADAM to create a reciprocal ESRA.

  • Edge Credential service   The Edge Credential service, which runs on Edge Transport servers only, creates the reciprocal ESRA accounts in ADAM so that a Hub Transport server can authenticate to an Edge Transport server to perform EdgeSync synchronization.

  • Microsoft Exchange EdgeSync service   The Microsoft Exchange EdgeSync service is the data synchronization service that runs on a Hub Transport server. The Microsoft Exchange EdgeSync service that is running on the Hub Transport servers in the Active Directory site to which the Edge Transport server is subscribed periodically performs one-way replication of recipient and configuration data to ADAM. The Microsoft Exchange EdgeSync service copies only the information that is required for the Edge Transport server to perform anti-spam configuration tasks or to use Domain Security, and information about the Send connector configuration that is required to enable mail flow between the Exchange 2007 organization's Hub Transport servers and the Internet through one or more Edge Transport servers. The Microsoft Exchange EdgeSync service performs scheduled updates so that the information in ADAM remains current.

  • EdgeSync synchronization process   The EdgeSync synchronization process is the task that the Microsoft Exchange EdgeSync service performs to propagate data from Active Directory to the subscribed Edge Transport server. The Microsoft Exchange EdgeSync service authenticates by using ESRA credentials and transfers data over an encrypted channel. When synchronization occurs, new objects are added to ADAM, deleted objects are removed, and property modifications are written to existing objects. During the initial replication, ADAM is populated. After the initial replication has finished, synchronization occurs at fixed intervals: configuration data is synchronized one time each hour, and recipient data is synchronized one time every four hours. You can use the Start-EdgeSynchronization cmdlet in the Exchange Management Shell to start immediate synchronization.

Order of Operations

You start the Edge Subscription process by exporting an Edge Subscription XML file on the Edge Transport server. When the Edge Subscription file is created on the Edge Transport server by using the New-EdgeSubscription cmdlet in the Exchange Management Shell, the following actions occur:

  • An ADAM account is created.

  • Credentials are retrieved and written to the Edge Subscription XML file.

Each Edge Transport server requires an individual Edge Subscription. The credentials that are written to the Edge Subscription file are specific to the server from which the file is exported.

Next, the Edge Subscription XML file is transferred to a Hub Transport server that is located in the Active Directory site to which you want to subscribe the Edge Transport server. The Edge Subscription file is imported to the Hub Transport server by using either the New-EdgeSubscription cmdlet or the New Edge Subscription wizard in the Exchange Management Console. This step finishes the Edge Subscription process. The Microsoft Exchange EdgeSync service that is running on the Hub Transport servers in the Active Directory site to which the Edge Transport server is subscribed will now perform one-way replication of data from Active Directory to ADAM. The ADAM credentials that are created during the Edge Subscription process are used to authenticate the secure Lightweight Directory Access Protocol (secure LDAP) connection that is made during the initial synchronization process.

To deploy an Edge Transport server and subscribe it to an Active Directory site, follow these steps:

  1. Install the Edge Transport server role.

  2. Verify that the Hub Transport servers and the Edge Transport server can locate one another by using Domain Name System (DNS) name resolution. For more information about this step, see Configuring DNS Settings for Exchange 2007 Servers.

  3. Configure the objects and settings to be replicated to the Edge Transport server.

  4. Run the New-EdgeSubscription cmdlet in the Exchange Management Shell on the Edge Transport server to export the Edge Subscription file.

  5. Copy the Edge Subscription file to a Hub Transport server.

  6. Run the New-EdgeSubscription cmdlet in the Exchange Management Shell or use the New Edge Subscription wizard in the Exchange Management Console to import the Edge Subscription file.

    Important

    The ESBRA credentials are written to the Edge Subscription file in clear text. You must protect this file throughout the Edge Subscription process. As noted earlier in this white paper, these credentials are used only to establish the initial synchronization and will expire 1,440 minutes (24 hours) after the Edge Subscription file is created. If the Edge Subscription process is not completed within that time, you must run the New-EdgeSubscription cmdlet in the Exchange Management Shell on the Edge Transport server again to create a new Edge Subscription file. After the Edge Subscription file is imported to a Hub Transport server, you should immediately delete the Edge Subscription file from the Edge Transport server, the Hub Transport server, and any removable media.

The following figure illustrates the Edge Subscription process.

Edge Subscription process (figure: the Edge Subscription file export and import process)

To perform the Edge Subscription procedures on a computer that has the Edge Transport server role installed, you must log on by using an account that is a member of the local Administrators group on that computer.

To perform the Edge Subscription procedures on a computer that has the Hub Transport server role installed, the account you use must be delegated the Exchange Organization Administrator role.

For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.

Preparing to Create an Edge Subscription

When the New-EdgeSubscription command is run on the Edge Transport server to export the Edge Subscription file, any objects that will be replicated from Active Directory to ADAM by the Microsoft Exchange EdgeSync service are removed from the Edge Transport server. After you import the Edge Subscription file on the Hub Transport server, recipient and configuration data is replicated from Active Directory to ADAM. Therefore, you must configure settings on the Hub Transport server to populate the settings on the Edge Transport server.

Notes

After an Edge Transport server is subscribed to the Exchange organization, the tasks that are used to configure the objects that are replicated to the Edge Transport server by the Microsoft Exchange EdgeSync service are disabled on the Edge Transport server.

Verify that the perimeter network firewall that separates the Edge Transport server from the Exchange organization is configured to enable communications through the correct ports. The Edge Transport server uses non-standard LDAP ports. By default, these ports are configured when the Edge Transport server role is installed. You can modify the ports that are used by ADAM by using the ConfigureAdam.ps1 script that is provided with Exchange 2007. However, do not modify the ports after you create the Edge Subscription. If you modify the ports after you create the Edge Subscription, you must resubscribe the Edge Transport server. By default, the following LDAP ports are used to access ADAM:

  • LDAP   Port 50389/TCP is used locally to bind to the ADAM instance. This port does not have to be open on the perimeter network firewall.

  • Secure LDAP   Port 50636/TCP is used for directory synchronization from Hub Transport servers to ADAM. This port must be open for successful EdgeSync synchronization.

Verify that DNS host name resolution is successful from the Edge Transport server to the Hub Transport servers, and from the Hub Transport servers to the Edge Transport server.
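The following script is an added example and is not part of the white paper or of Exchange 2007 itself. It checks, from a Hub Transport server, the two prerequisites described above: that the Edge Transport server's FQDN resolves, and that secure LDAP (TCP 50636) is reachable through the perimeter firewall. It also confirms that the local-only LDAP port (TCP 50389) is not exposed to the internal network. The host name edge01.perimeter.example.com is an assumed placeholder; the functions use only .NET 2.0 classes so that they run in the Exchange 2007 Management Shell.

```powershell
# Added example (not from the white paper): pre-subscription name resolution and port checks.
# Run on a Hub Transport server. The host name is an assumed placeholder; replace it with your own.
$edgeFqdn       = "edge01.perimeter.example.com"   # assumed placeholder for the Edge Transport server
$secureLdapPort = 50636   # default ADAM secure LDAP port; must be open from Hub Transport to Edge Transport
$ldapPort       = 50389   # default ADAM LDAP port; used only locally on the Edge Transport server

function Test-HostResolves {
    param([string]$name)
    # Returns $true when DNS resolves the name to at least one address
    trap { return $false }
    $entry = [System.Net.Dns]::GetHostEntry($name)
    return ($entry.AddressList.Length -gt 0)
}

function Test-TcpPort {
    param([string]$hostName, [int]$port, [int]$timeoutMs = 5000)
    # Returns $true when a TCP connection to hostName:port completes within the timeout
    trap { return $false }
    $client = New-Object System.Net.Sockets.TcpClient
    $async  = $client.BeginConnect($hostName, $port, $null, $null)
    $done   = $async.AsyncWaitHandle.WaitOne($timeoutMs, $false)
    if (-not $done) { $client.Close(); return $false }
    $client.EndConnect($async)
    $client.Close()
    return $true
}

# 1. Name resolution from the Hub Transport server to the Edge Transport server.
#    Run Test-HostResolves with the Hub Transport server FQDN on the Edge Transport server for the reverse direction.
if (Test-HostResolves $edgeFqdn) { Write-Host "OK: $edgeFqdn resolves from this Hub Transport server" }
else { Write-Warning "$edgeFqdn does not resolve; EdgeSync cannot reach the Edge Transport server" }

# 2. Secure LDAP must be reachable through the perimeter firewall.
if (Test-TcpPort $edgeFqdn $secureLdapPort) { Write-Host "OK: TCP $secureLdapPort is reachable on $edgeFqdn" }
else { Write-Warning "TCP $secureLdapPort on $edgeFqdn is not reachable; open it on the perimeter firewall" }

# 3. Plain LDAP should stay local to the Edge Transport server; reachability from the Hub side means the firewall is more permissive than EdgeSync requires.
if (Test-TcpPort $edgeFqdn $ldapPort) { Write-Warning "TCP $ldapPort on $edgeFqdn is reachable from the internal network; it does not need to be open" }
else { Write-Host "OK: TCP $ldapPort on $edgeFqdn is not exposed to the internal network" }
```

Run the script before you export the Edge Subscription file so that a firewall or DNS problem is found before the 24-hour ESBRA window starts.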

License the Edge Transport server. The licensing information for the Edge Transport server is captured when the Edge Subscription is created and is shown in the Exchange Management Console for the Exchange organization. For subscribed Edge Transport servers to appear as licensed, they must be subscribed to the Exchange organization after the license key is applied on the Edge Transport server. If the license key is applied on the Edge Transport server after you perform the Edge Subscription process, the licensing information is not updated in the Exchange organization, and you must resubscribe the Edge Transport server.

Configuring Settings for Propagation to Edge Transport Servers

You configure the following settings for propagation to the Edge Transport server role:

  • Internal SMTP servers   Use the Set-TransportConfig cmdlet to configure the InternalSMTPServers parameter. This parameter specifies a list of internal SMTP server IP addresses or IP address ranges that should be ignored by Sender ID and connection filtering.

  • Accepted domains   Configure all authoritative domains, internal relay domains, and external relay domains.

  • Remote domains   Configure remote domain settings.

  • Domain Secure lists   Configure the TLSReceiveDomainSecureList and the TLSSendDomainSecureList attributes on the TransportConfig object for the Exchange organization. These attributes specify the list of remote domains that are configured for mutual Transport Layer Security (TLS) authentication.
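The following commands are an added example, not part of the white paper, showing how the four categories of settings listed above are configured on a Hub Transport server before the Edge Subscription file is imported. All domain names and IP ranges are assumed placeholders; the cmdlets and parameter names (Set-TransportConfig, New-AcceptedDomain, New-RemoteDomain, InternalSMTPServers, TLSSendDomainSecureList, TLSReceiveDomainSecureList) are the Exchange 2007 ones referred to in the text.

```powershell
# Added example (not from the white paper). Run in the Exchange Management Shell on a Hub Transport server.
# Domain names and IP ranges below are assumed placeholders.

# Internal SMTP servers: addresses that Sender ID and connection filtering on the Edge Transport server must ignore.
# Note that this assignment replaces the existing list rather than appending to it.
Set-TransportConfig -InternalSMTPServers "192.168.10.0/24","192.168.20.5"

# Accepted domains: every authoritative, internal relay and external relay domain the organization handles
New-AcceptedDomain -Name "Contoso Primary"   -DomainName "contoso.example"  -DomainType Authoritative
New-AcceptedDomain -Name "Fabrikam Relay"    -DomainName "fabrikam.example" -DomainType InternalRelay
New-AcceptedDomain -Name "Partner Relay"     -DomainName "partner.example"  -DomainType ExternalRelay

# Remote domain: per-domain message format and policy settings for an external partner
New-RemoteDomain -Name "Woodgrove Partner" -DomainName "woodgrove.example"

# Domain Security: remote domains that must use mutual TLS authentication in both directions
Set-TransportConfig -TLSSendDomainSecureList "woodgrove.example" -TLSReceiveDomainSecureList "woodgrove.example"

# Review the values that EdgeSync will propagate to ADAM on the subscribed Edge Transport server
Get-TransportConfig | Format-List InternalSMTPServers, TLSSendDomainSecureList, TLSReceiveDomainSecureList
Get-AcceptedDomain  | Format-Table Name, DomainName, DomainType
Get-RemoteDomain    | Format-Table Name, DomainName
```

Because these objects become read-only on the Edge Transport server once it is subscribed, reviewing them on the Hub Transport server side, as the last three commands do, is the place to catch a missing accepted domain or an over-broad internal SMTP server range.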

Edge Subscription Process

You subscribe an Edge Transport server to an Active Directory site. Subscribing the Edge Transport server to the Active Directory site enables the Edge Transport server to receive updates to ADAM from Active Directory and creates a synchronization relationship between the Edge Transport server and the Hub Transport servers deployed in that site. The Edge Subscription process also creates an Active Directory site membership affiliation for the Edge Transport server. The site affiliation enables Hub Transport servers in the Exchange organization to relay messages to the Edge Transport server for delivery to the Internet without having to configure explicit Send connectors.

One or more Edge Transport servers can be subscribed to a single Active Directory site. However, an Edge Transport server cannot be subscribed to more than one Active Directory site. If you have more than one Edge Transport server deployed, each server can be subscribed to a different Active Directory site. Each Edge Transport server requires an individual Edge Subscription. A subscribed Edge Transport server can support only one Exchange organization.

When you run the New-EdgeSubscription cmdlet on the Edge Transport server, the following actions occur:

  • An ADAM account is created. This account is the EdgeSync bootstrap replication account (ESBRA). As noted earlier in this white paper, these credentials are used to authenticate the first EdgeSync connection to the Edge Transport server. The account is configured to expire 1,440 minutes (24 hours) after it is created. Therefore, you must complete the Edge Subscription process before that time expires. If the ESBRA expires before the Edge Subscription process is complete, you must run the New-EdgeSubscription cmdlet on the Edge Transport server again to create a new Edge Subscription file.

  • The ESBRA credentials are retrieved from ADAM and written to the Edge Subscription file. The public key for the Edge Transport server's self-signed certificate is also exported to the Edge Subscription file. The credentials that are written to the Edge Subscription file are specific to the server from which the file is exported.

  • Any previously created configuration objects in a class that will now be replicated to ADAM from Active Directory are deleted from ADAM and the Exchange Management Shell tasks used to configure those objects are disabled. You can still use the tasks that let you view those objects. The following tasks are disabled on the Edge Transport server when you run the New-EdgeSubscription cmdlet:

    • Set-SendConnector

    • New-SendConnector

    • Remove-SendConnector

    • New-AcceptedDomain

    • Set-AcceptedDomain

    • Remove-AcceptedDomain

    • New-MessageClassification

    • Set-MessageClassification

    • Remove-MessageClassification

    • New-RemoteDomain

    • Set-RemoteDomain

    • Remove-RemoteDomain

When you import the Edge Subscription file on the Hub Transport server by running the New-EdgeSubscription cmdlet in the Exchange Management Shell or by using the New Edge Subscription wizard in the Exchange Management Console, the following actions occur:

  • The Edge Subscription is created, establishing a record of an Edge Transport server which has been joined to an Exchange organization and to which the Microsoft Exchange EdgeSync service will propagate configuration data. This step creates the Edge configuration object in Active Directory.

  • Each Hub Transport server in the Active Directory site receives notification from Active Directory that a new Edge Transport server has been subscribed. The Hub Transport server retrieves the ESBRA from the Edge Subscription file. The Hub Transport server then encrypts the ESBRA by using the public key of the Edge Transport server's self-signed certificate. The encrypted credentials are then written to the Edge configuration object.

  • Each Hub Transport server also encrypts the ESBRA by using its own public key and then stores the credentials in its own configuration object.

  • EdgeSync replication accounts (ESRA) are created in Active Directory for each Edge Transport-Hub Transport server pair. Each Hub Transport server stores its ESRA credentials as an attribute of the Hub Transport server configuration object.

  • Send connectors are automatically created to relay messages outbound from the Edge Transport server to the Internet, and inbound from the Edge Transport server to the Exchange organization. For more information, see "EdgeSync and Send Connectors" later in this white paper.

  • The Microsoft Exchange EdgeSync service that runs on Hub Transport servers uses the ESBRA credentials to establish a secure LDAP connection between a Hub Transport server and the Edge Transport server and performs the initial replication of data. The following data is replicated to ADAM:

    • Topology data

    • Configuration data

    • Recipient data

    • ESRA credentials

  • The Microsoft Exchange Credential Service that runs on the Edge Transport server installs the ESRA credentials. These credentials are used to authenticate and secure later synchronization connections.

  • The EdgeSync synchronization schedule is established.

The Microsoft Exchange EdgeSync service that is running on the Hub Transport servers in the Active Directory site to which the Edge Transport server is subscribed will now perform one-way replication of data from Active Directory to ADAM on a regular schedule.

How to Export an Edge Subscription File

Perform the following procedure on the Edge Transport server. You must provide the complete file path of the Edge Subscription file that you are creating.

Procedure

To use the Exchange Management Shell to create an Edge Subscription file

  • Run the following command:

    New-EdgeSubscription -FileName "C:\EdgeSubscriptionInfo.xml"
    

How to Import the Edge Subscription File

When you import the Edge Subscription file, you can select whether to have the Send connector to the Internet automatically created. You can also select whether to have the Send connector from the Edge Transport server to the Hub Transport servers in the Active Directory site to which the Edge Transport server is subscribed created automatically. If you decide not to have the Send connectors created automatically, you can manually configure Send connectors as needed.

Procedure

To use the Exchange Management Console to import the Edge Subscription file

  1. Copy the Edge Subscription file from the Edge Transport server to the Hub Transport server where you will perform this procedure.

  2. Open the Exchange Management Console. Expand Organization Configuration, select Hub Transport, and then in the result pane, click the Edge Subscriptions tab.

  3. In the action pane, click New Edge Subscription. The New Edge Subscription Wizard starts.

  4. On the New Edge Subscription page, in the Active Directory Site: drop-down list, select an Active Directory site.

  5. On the New Edge Subscription page, click Browse. Locate the Edge Subscription file to import. Select the file, and then click Open.

  6. On the New Edge Subscription page, click New.

  7. On the Completion page, click Finish.

To use the Exchange Management Shell to import the Edge Subscription file

  • Run the following command to subscribe an Edge Transport server to the specified site and to have the Internet Send connector and the Send connector from the Edge Transport server to the Hub Transport servers created automatically. This command also forces the initial synchronization to immediately start:

    New-EdgeSubscription -FileName "C:\EdgeSubscriptionInfo.xml" -CreateInternetSendConnector $true -CreateInboundSendConnector $true -Site "Default-First-Site-Name" -Force
    

    Notes

    The default value of the CreateInternetSendConnector parameter and the CreateInboundSendConnector parameter is $true. It is shown here for demonstration only.

Notes

It is a best practice to delete the Edge Subscription file from the Edge Transport server after you copy the file to the Hub Transport server where you will import the Edge Subscription file, and from the Hub Transport server after the subscription is imported.
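The script below is an added example, not part of the white paper, that ties together the Important note in "Order of Operations" and the import procedure above: it checks that the copied Edge Subscription file is still inside the 24-hour ESBRA lifetime, imports it, triggers synchronization, and then deletes the file because it holds the ESBRA password in clear text. The path, site name and the use of the file's last-write time as a proxy for its creation date are assumptions; New-EdgeSubscription, Get-EdgeSubscription and Start-EdgeSynchronization are the Exchange 2007 cmdlets the text refers to.

```powershell
# Added example (not from the white paper). Run in the Exchange Management Shell on the Hub Transport server
# after copying the Edge Subscription file from the Edge Transport server. Path and site name are placeholders.
$subscriptionFile   = "C:\EdgeSubscriptionInfo.xml"   # assumed placeholder
$siteName           = "Default-First-Site-Name"       # assumed placeholder
$esbraLifetimeHours = 24   # the ESBRA expires 1,440 minutes after the file is created

function Get-SubscriptionFileAgeHours {
    param([string]$path)
    # Assumption: the copy preserved the last-write time, so it approximates the Effective date in the file
    $file = Get-Item $path
    return ((Get-Date) - $file.LastWriteTime).TotalHours
}

$age = Get-SubscriptionFileAgeHours $subscriptionFile
if ($age -ge $esbraLifetimeHours) {
    Write-Warning ("Subscription file is {0:N1} hours old; the ESBRA has expired. Run New-EdgeSubscription on the Edge Transport server again." -f $age)
} else {
    # Create the Edge Subscription, both Send connectors, and force the initial synchronization
    New-EdgeSubscription -FileName $subscriptionFile -Site $siteName -CreateInternetSendConnector $true -CreateInboundSendConnector $true -Force

    # Confirm the subscription record exists in Active Directory and start a synchronization now
    Get-EdgeSubscription | Format-List Name, Site
    Start-EdgeSynchronization
}

# The file contains the ESBRA password in clear text: delete it here whether or not the import succeeded.
# Delete the copies on the Edge Transport server and on any removable media as well.
Remove-Item $subscriptionFile -Force
Write-Host "Removed $subscriptionFile"
```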

The Edge Subscription File

When you run the New-EdgeSubscription cmdlet in the Exchange Management Shell on an Edge Transport server, information about the Edge Transport server and the ESBRA credentials is written to the Edge Subscription file.

The following table describes the data that is contained in the Edge Subscription XML file.

Contents of the Edge Subscription file

  • Edge Transport server name   The NetBIOS name of the Edge Transport server. The name of the Edge Subscription in Active Directory will match this name.

  • Edge Transport server FQDN   The fully qualified domain name (FQDN) of the Edge Transport server. The Hub Transport servers in the subscribed Active Directory site must be able to locate the Edge Transport server by using DNS to resolve the FQDN.

  • Edge certificate binary large object (BLOB)   The public key of the Edge Transport server's self-signed certificate.

  • ESRA user name   The name assigned to the ESBRA. The ESBRA account name has the format ESRA.<Edge Transport server name>. ESRA means EdgeSync replication account.

  • ESRA password   The password assigned to the ESBRA. The password is generated by using a random number generator and is stored in the Edge Subscription file in clear text.

  • Effective date   The creation date of the Edge Subscription file.

  • Duration   The length of time that these credentials will be valid before they expire. The ESBRA account is valid for only 24 hours.

  • ADAM SSL port   The secure LDAP port to which the Microsoft Exchange EdgeSync service binds when synchronizing data from Active Directory to ADAM. By default, this is TCP port 50636.

  • Product ID   The licensing information for the Edge Transport server. After an Edge Transport server is subscribed to Active Directory, the licensing information about the Edge Transport server is displayed in the Exchange Management Console for the Exchange organization. You must license the Edge Transport server before you create the Edge Subscription for this information to be displayed correctly.

Important

The ESBRA credentials are written to the Edge Subscription file in clear text. You must protect this file throughout the subscription process. After the Edge Subscription file is imported to a Hub Transport server, you should immediately delete the Edge Subscription file from the Edge Transport server, the Hub Transport server, and any removable media.

EdgeSync Replication Accounts

EdgeSync replication accounts (ESRA) are an important part of EdgeSync security. Authentication and authorization of the ESRA is the mechanism used to help secure the connection between an Edge Transport server and a Hub Transport server.

The ESBRA contained in the Edge Subscription file is used to establish a secure LDAP connection only during the initial synchronization. After the Edge Subscription file is imported to a Hub Transport server in the Active Directory site to which the Edge Transport is being subscribed, additional ESRA accounts are created in Active Directory for each Edge Transport-Hub Transport server pair. During initial synchronization, the newly created ESRA credentials are replicated to ADAM. These ESRA credentials are used to help secure later synchronization sessions.

Each EdgeSync replication account is assigned the properties described in the following table.

Ms-Exch-EdgeSyncCredential properties (property name, type, description)

  • TargetServerFQDN (String)   The Edge Transport server that will accept these credentials.

  • SourceServerFQDN (String)   The Hub Transport server that will present these credentials. This value is empty if the credential is the bootstrap credential.

  • EffectiveTime (DateTime, Coordinated Universal Time [UTC])   When to start using this credential.

  • ExpirationTime (DateTime, UTC)   When to stop honoring this credential.

  • UserName (String)   The user name that is used to authenticate.

  • Password (Byte)   The password that is used to authenticate. The password is encrypted by using ms-Exch-EdgeSync-Certificate.

The following sections of this white paper describe how the ESRA credentials are provisioned and used during the EdgeSync synchronization process.

Provisioning the EdgeSync Bootstrap Replication Account (ESBRA)

When the New-EdgeSubscription cmdlet is run on the Edge Transport server, the ESBRA is provisioned as follows:

  • A self-signed certificate (Edge-Cert) is created on the Edge Transport server. The private key is stored in the local computer store and the public key is written to the Edge Subscription file.

  • The ESBRA (ESRA.Edge) is created in ADAM and the credentials are written to the Edge Subscription file.

  • The Edge Subscription file is exported by copying it to removable media. The file is now ready to import to a Hub Transport server.

Provisioning EdgeSync Replication Accounts in Active Directory

When the Edge Subscription file is imported on a Hub Transport server, the following steps occur to establish a record of the Edge Subscription in Active Directory and to provision additional ESRA credentials.

  1. An Edge Transport server configuration object is created in Active Directory. The Edge-Cert certificate is written to this object as an attribute.

  2. Every Hub Transport server in the subscribed Active Directory site receives an Active Directory notification that a new Edge Subscription has been registered. As soon as the notification is received, each Hub Transport server retrieves the ESRA.Edge account and encrypts the account by using the Edge-Cert public key. The encrypted ESRA.Edge account is written to the Edge Transport server configuration object.

  3. Each Hub Transport server creates a self-signed certificate (Hub-Cert). The private key is stored in the local computer store and the public key is stored in the Hub Transport server configuration object in Active Directory.

  4. Each Hub Transport server encrypts the ESRA.Edge account by using the public key of its own Hub-Cert certificate and then stores it on its own configuration object.

  5. Each Hub Transport server generates an ESRA for each existing Edge Transport server configuration object in Active Directory (ESRA.Hub.Edge). The account name is generated by using the following naming convention:

    ESRA.<Hub Transport server NetBIOS Name>.<Edge Transport server NetBIOS Name>.<Effective Date UTC Time>

    The password for ESRA.Hub.Edge is generated by a random number generator and is encrypted by using the public key of the Hub-Cert certificate. The generated password has the maximum length allowed for Microsoft Windows Server.

  6. Each ESRA.Hub.Edge account is encrypted by using the public key of the Edge-Cert certificate and is stored on the Edge Transport server configuration object in Active Directory.

The following sections of this white paper explain how these accounts are used during the EdgeSync synchronization process.

Authenticating Initial Replication

The ESBRA account, ESRA.Edge, is used only when establishing the initial synchronization session. During the first EdgeSync synchronization session, the additional ESRA accounts, ESRA.Hub.Edge, are replicated to ADAM. These accounts are used to authenticate later EdgeSync synchronization sessions.

The Hub Transport server that performs the initial replication is determined randomly. The first Hub Transport server in the Active Directory site to perform a topology scan and discover the new Edge Subscription performs the initial replication. Because this discovery is based on the timing of the topology scan, any Hub Transport server in the site may perform the initial replication.

The Microsoft Exchange EdgeSync service initiates a secure LDAP session from the Hub Transport server to the Edge Transport server. The Edge Transport server presents its self-signed certificate and the Hub Transport server verifies that the certificate matches the certificate that is stored on the Edge Transport server configuration object in Active Directory. After the Edge Transport server's identity is verified, the Hub Transport server provides the credentials of the ESRA.Edge account to the Edge Transport server. The Edge Transport server verifies the credentials against the account that is stored in ADAM.

The Microsoft Exchange EdgeSync service on the Hub Transport server then pushes the topology, configuration, and recipient data from Active Directory to ADAM. The change to the Edge Transport server configuration object in Active Directory is replicated to ADAM. ADAM receives the newly added ESRA.Hub.Edge entries and the Edge Credential service creates the corresponding ADAM account. These accounts are now available to authenticate later scheduled EdgeSync synchronization sessions.

Edge Credential Service

The Edge Credential service is part of the Edge Subscription process. It runs only on the Edge Transport server. This service creates the reciprocal ESRA accounts in ADAM so that a Hub Transport server can authenticate to an Edge Transport server to perform EdgeSync synchronization. The Microsoft Exchange EdgeSync service does not communicate directly with the Edge Credential service. The Edge Credential service communicates with ADAM and installs the ESRA credentials whenever the Hub Transport server updates them.

Authenticating Scheduled Synchronization Sessions

After initial EdgeSync synchronization finishes, the EdgeSync synchronization schedule is established and data that has changed in Active Directory is regularly updated in ADAM. A Hub Transport server initiates a secure LDAP session with the ADAM instance on the Edge Transport server. ADAM proves its identity to that Hub Transport server by presenting its self-signed certificate. The Hub Transport server then presents its ESRA.Hub.Edge credentials to ADAM. The ESRA.Hub.Edge password is encrypted by using the public key of that Hub Transport server's self-signed certificate. This means that only that particular Hub Transport server can use those credentials to authenticate to ADAM.

Renewing EdgeSync Replication Accounts

The password for the ESRA account must comply with the local server's password policy. To prevent the password renewal process from causing temporary authentication failure, a second ESRA.Hub.Edge account is created seven days before the first ESRA.Hub.Edge account expires with an effective time that is three days before the first ESRA expiration time. As soon as the second ESRA account becomes effective, EdgeSync stops using the first account and starts to use the second account. When the expiration time for the first account is reached, those ESRA credentials are deleted. This renewal process will continue until the Edge Subscription is removed.

EdgeSync Synchronization

The following figure illustrates the EdgeSync synchronization process.

EdgeSync synchronization process

The initial replication populates ADAM with data from Active Directory. This can take some time, depending on the quantity of data in the directory service. Successive synchronization updates ADAM with new and changed objects and removes any objects that have been deleted from Active Directory.

The directory service changes that are available to synchronize to ADAM at the synchronization intervals are completely dependent on the data that has been replicated to the global catalog server to which the Hub Transport server is bound. The Hub Transport server will bind to the global catalog server that is discovered by the Microsoft Exchange Active Directory Topology service when an Exchange 2007 server starts. Binding to a global catalog server makes sure that recipient data for every domain in the forest is propagated to ADAM.

As noted earlier in this white paper, the Microsoft Exchange EdgeSync service is the data synchronization service that periodically replicates configuration data from Active Directory to a subscribed Edge Transport server. The Microsoft Exchange EdgeSync service runs on all Hub Transport servers under the context of the Local Service account. Data is pushed from Active Directory by the Hub Transport server inside the organization to the Edge Transport server in the perimeter network. This means that the Hub Transport server always initiates the synchronization session and that the Microsoft Exchange EdgeSync service performs only one-way synchronization from Active Directory to ADAM. Data from ADAM is never synchronized to Active Directory.

To perform synchronization, the Microsoft Exchange EdgeSync service establishes a mutually authenticated and authorized secure LDAP channel from the Hub Transport server to the Edge Transport server. The ESRA credentials that are provisioned during the Edge Subscription process are used to establish the secure LDAP connection.

By default, the Microsoft Exchange EdgeSync service uses the non-standard TCP port 50636 for secure LDAP communications. Your internal firewall must allow outbound communication through this port to the Edge Transport servers in the perimeter network. If you want to modify the secure LDAP port that is used to connect to ADAM, you must use the ConfigureAdam.ps1 script that is provided with Exchange 2007.
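Before troubleshooting EdgeSync itself, it is worth confirming that the internal firewall actually permits this traffic. The following function is an added example, not part of the white paper and not Exchange code: run from a Hub Transport server, it attempts a TCP connection to each Edge Transport server on the secure LDAP port and reports the result. The Edge Transport server names are assumptions, and the port defaults to the 50636 value stated above; change it if ConfigureAdam.ps1 was used to select a different port.

```powershell
# Added example (not from the white paper): confirm the internal firewall allows
# outbound TCP from this Hub Transport server to each Edge Transport server on the
# secure LDAP port used by the Microsoft Exchange EdgeSync service.
function Test-EdgeSyncPort {
    param(
        [string]$EdgeServer,
        [int]$Port = 50636,        # default secure LDAP port for ADAM on the Edge Transport server
        [int]$TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $result = $null
    $result = $client.BeginConnect($EdgeServer, $Port, $null, $null)
    if ($result -eq $null) {
        # BeginConnect failed before a connection attempt (for example, name resolution failed)
        $client.Close()
        return $false
    }
    # Wait a bounded time instead of relying on the default TCP timeout
    $connected = $result.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
    if ($connected -and $client.Connected) {
        $client.EndConnect($result)
        $client.Close()
        return $true
    }
    $client.Close()
    return $false
}

# Assumed Edge Transport server names in the perimeter network
$edgeServers = @("edge1.perimeter.example.com", "edge2.perimeter.example.com")

foreach ($edge in $edgeServers) {
    if (Test-EdgeSyncPort -EdgeServer $edge) {
        Write-Host "$edge : TCP port 50636 is reachable"
    } else {
        Write-Warning "$edge : TCP port 50636 is not reachable; check the internal firewall, or the port configured with ConfigureAdam.ps1"
    }
}
```

A successful TCP connection only shows that the network path is open. The mutual authentication described earlier (the Edge Transport server's certificate check and the ESRA credentials) still has to succeed before any data is replicated.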

Selection of a Preferred Hub Transport Server

If more than one Hub Transport server exists in the site to which an Edge Transport server is subscribed, any of those Hub Transport servers can replicate data to the subscribed Edge Transport servers. However, to avoid contention among the Hub Transport servers during synchronization, a single Hub Transport server is preferred. The preferred Hub Transport server continues to perform synchronization for a particular Edge Transport server. If the preferred Hub Transport server is not available, another Hub Transport server takes over as the preferred server.

The selection of the preferred Hub Transport server occurs as follows:

  • The first Hub Transport server in the Active Directory site to perform a topology scan and discover the new Edge Subscription performs the initial replication. Because this discovery is based on the timing of the topology scan, any Hub Transport server in the site may perform the initial replication.

  • The Hub Transport server that performs the initial replication establishes an EdgeSync lease option and sets a "lock" on the Edge Subscription. The lease option establishes that Hub Transport server as the preferred server to provide synchronization services to that Edge Transport server. The lock prevents the Microsoft Exchange EdgeSync service on another Hub Transport server from taking over the lease option.

  • The EdgeSync lease option lasts for one hour. No other Microsoft Exchange EdgeSync service can take over the option from another Hub Transport server during this one-hour period unless a manual synchronization occurs before this period expires. If the preferred Hub Transport server is not available to provide the Microsoft Exchange EdgeSync service when manual synchronization is performed, after a five-minute wait, the lock is released and another Microsoft Exchange EdgeSync service takes over the lease option and performs synchronization.

  • If manual synchronization is not performed, synchronization occurs based on the EdgeSync synchronization schedule. If the preferred server is not available when scheduled synchronization occurs, after a five-minute wait, the lock is released and another Microsoft Exchange EdgeSync service takes over the lease option and performs synchronization.

This method of locking and leasing prevents more than one instance of the Microsoft Exchange EdgeSync service from pushing data to the same Edge Transport server at the same time.

Notes

When an Edge Transport server is subscribed to an Active Directory site, all the Hub Transport servers that are installed in that Active Directory site at that time can participate in the EdgeSync synchronization process. If one of those servers is removed, the Microsoft Exchange EdgeSync service that is running on the remaining Hub Transport servers will continue the data synchronization process. However, if new Hub Transport servers are installed in the Active Directory site, they will not participate in the EdgeSync synchronization process. To enable those Hub Transport servers to participate in the EdgeSync synchronization process, you have to resubscribe the Edge Transport server.

The following table lists the EdgeSync properties that are related to the locking and leasing process. The properties are not configurable.

EdgeSync lease properties

  • Lock duration   Value: 5 minutes. This setting determines for how long a particular Microsoft Exchange EdgeSync service will acquire a lock. If the Microsoft Exchange EdgeSync service on the Hub Transport server that is holding this lock does not respond, it will take five minutes for the Microsoft Exchange EdgeSync service on another Hub Transport server to take over the lease. Forcing EdgeSync synchronization does not override this value.

  • Option duration   Value: 1 hour. This setting determines for how long a Microsoft Exchange EdgeSync service can declare a lease option on an Edge Transport server. If the Microsoft Exchange EdgeSync service holding the lease is unavailable and does not restart during this option period, no other Microsoft Exchange EdgeSync service will take over the lease option, unless you force EdgeSync synchronization.

  • Lock renewal   Value: 1 minute. This setting determines how frequently the lock field is updated when a Microsoft Exchange EdgeSync service has acquired a lock to an Edge Transport server.

Synchronization Schedule

Different types of data synchronize on different schedules. The schedule specifies the maximum length of time that a Microsoft Exchange EdgeSync service should go between synchronization intervals. The EdgeSync schedule intervals are not configurable. However, if you use the Start-EdgeSynchronization cmdlet in the Exchange Management Shell to force synchronization of Edge Subscriptions to occur immediately, you override the timer that determines the next time that EdgeSync synchronization is scheduled to occur.

The following table lists the EdgeSync schedule parameters that determine when different types of data are synchronized to ADAM.

EdgeSync schedule parameters

  • Configuration   Value: 1 hour. This parameter determines the frequency at which the Microsoft Exchange EdgeSync service will try to synchronize configuration data to an Edge Transport server.

  • Recipients   Value: 4 hours. This parameter determines the frequency at which the Microsoft Exchange EdgeSync service will try to synchronize recipient data to an Edge Transport server.

  • Topology   Value: 5 minutes. This parameter determines how frequently topology information is reloaded.

How to Force EdgeSync Synchronization

You can use the Start-EdgeSynchronization cmdlet to force synchronization to start immediately. You may want to do this to start initial replication immediately after you create the Edge Subscription or if you have made significant changes to the configuration or recipients in Active Directory. The Start-EdgeSynchronization cmdlet resets the EdgeSync synchronization schedule. The time of the subsequent synchronization intervals is based on the time that this command is initiated.

Notes

If you try to run this procedure during regular synchronization, an error will occur.

Procedure

To use the Exchange Management Shell to force EdgeSync synchronization

  • Run the following command:

    Start-EdgeSynchronization
    

Replication Data

Because Active Directory and ADAM both use LDAP, and because both directory services use the Exchange 2007 schema, you can replicate data from Active Directory to ADAM. This replication is established when you subscribe an Edge Transport server to an Active Directory site. The Edge Subscription process enables the Hub Transport servers in that site to use the Microsoft Exchange EdgeSync service to synchronize recipient and configuration data from Active Directory to the ADAM instance on the Edge Transport server. The Microsoft Exchange EdgeSync service performs scheduled updates so that the information in ADAM remains current.

Notes

The Microsoft Exchange EdgeSync service performs only one-way replication of data from Active Directory to ADAM. Information from ADAM is never replicated to Active Directory, and any existing data in ADAM is not merged with Active Directory data. When an Edge Subscription is created, Active Directory becomes the authoritative data source for the Edge Transport server and any existing objects in ADAM of a replicated data class are overwritten.

Several types of data are replicated from Active Directory to ADAM:

  • Edge Subscription information

  • Configuration information

  • Recipient information

  • Topology information

The following sections describe these types of data and the way that they are used by the Edge Transport server.

Edge Subscription Information

Exchange 2007 extends both the Active Directory and ADAM schemas to provide attributes on the ms-Exch-ExchangeServer object to represent the data needed to control the EdgeSync synchronization process. These attributes provide the following three functions that are important to the EdgeSync synchronization process:

  • They provide automatic provisioning and maintenance of the credentials that are used to help secure the LDAP connection between a Hub Transport server and a subscribed Edge Transport server.

  • They arbitrate the synchronization lock and lease process that makes sure that only one Hub Transport server at a time will try to synchronize with an individual Edge Transport server.

  • They optimize the EdgeSync synchronization process to maintain a record of the current synchronization status and avoid excessive manual synchronization.

The following table lists the schema extensions that are specific to Edge Subscriptions. The values assigned to these attributes are maintained by the Edge Subscription and EdgeSync synchronization process. You should not manually edit these attributes by using editing tools, such as Ldp.exe or Active Directory Service Interfaces (ADSI) Edit.

Edge Subscription schema extensions

  • ms-Exch-Server-EKPK-Public-Key   This attribute represents the current public key for the certificate being used by the server. This value is stored by both Edge Transport servers and Hub Transport servers. The public key is used to encrypt the credentials that are used to authenticate the server during LDAP and SMTP communication.

  • ms-Exch-EdgeSync-Credential   This attribute represents the list of credentials that the Microsoft Exchange EdgeSync service uses to establish an authenticated LDAP session to ADAM. On Hub Transport servers, this attribute contains only the credentials that the Hub Transport server uses to authenticate to the subscribed Edge Transport servers. On Edge Transport servers, this attribute contains the credentials of each Hub Transport server in the subscribed Active Directory site that participates in the EdgeSync synchronization process. This attribute is only present on Hub Transport servers that run the EdgeSync synchronization process and on subscribed Edge Transport servers.

  • ms-Exch-Edge-Sync-Lease   This attribute is used to arbitrate between Hub Transport servers when more than one Hub Transport server tries to replicate to the same Edge Transport server.

  • ms-Exch-Edge-Sync-Status   This attribute is only present in ADAM on the Edge Transport server object. This attribute tracks the status of replication to an ADAM instance and includes information about replication.

Configuration Information

When you subscribe an Edge Transport server to the organization, you can manage the configuration objects that are common to the Edge Transport server and the Exchange organization from inside the organization and then write those changes to the Edge Transport server by using the Microsoft Exchange EdgeSync service. This process helps maintain a consistent configuration across all servers involved in message processing.

A subset of the configuration data for the Exchange organization must also be maintained on the Edge Transport server. During the EdgeSync synchronization process, the configuration data that the Edge Transport server needs is written to the configuration partition of ADAM. If you manually configure the Edge Transport server and then decide to create an Edge Subscription for that server, the affected configuration objects are deleted. The configuration data written to ADAM includes the following:

  • Hub Transport servers   The FQDN of each Hub Transport server in the subscribed Active Directory site is made available to the local ADAM store on the Edge Transport server. This information is used to derive the list of smart host servers for the inbound Send connector.

  • Accepted domains   All authoritative, internal relay, and external relay domains configured for the Exchange organization are written to ADAM. Having the accepted domains available on the Edge Transport server enables the Exchange organization to perform domain filtering and reject SMTP traffic for invalid domains as early as possible. For more information about accepted domains, see Managing Accepted Domains.

  • Message classifications   If message classifications are available on the Edge Transport server, transport agents and content conversion can act on message classifications in the perimeter network. For example, the Attachment Filter agent can apply the “Attachment Removed” classification when it removes an attachment. Therefore, informational text will be displayed to a Microsoft Outlook user or an Outlook Web Access user to tell the recipient what happened. Agents that are developed for use by third-party applications can use message classifications in a similar manner. Also, message classifications may have to be translated by the Edge Transport server from a GUID in an X-header to TNEF as a localized recipient description.

  • Remote domains   All remote domain policies configured for the Exchange organization are written to ADAM. Remote domain policies control out-of-office message settings and message format settings for a remote domain. For more information about remote domains, see Managing Remote Domains.

  • Send connectors   By default, the Send connectors required to enable end-to-end mail flow between the Exchange organization and the Internet are automatically created. Any existing Send connectors on the Edge Transport server are deleted. If you want to configure additional Send connectors, you configure the Send connector inside the Exchange organization and select the Edge Subscription as the source server for the connector.

  • Internal SMTP servers   The value for the InternalSMTPServers attribute is stored on the TransportConfig object for both the Exchange organization and the local Edge Transport server. During the EdgeSync synchronization process, the value that is stored on the local Edge transport server object is overwritten with the value that is stored on this object for the Exchange organization. This attribute specifies a list of internal SMTP server IP addresses or IP address ranges that should be ignored by Sender ID and connection filtering.

  • Domain Secure lists   The TLSReceiveDomainSecureList and the TLSSendDomainSecureList attributes are stored on the TransportConfig object for both the Exchange organization and the local Edge Transport server. During the EdgeSync synchronization process, the value that is stored on the local Edge transport server object is overwritten with the value that is stored on this object for the Exchange organization. These attributes specify the list of remote domains that are configured for mutual TLS authentication.

The tasks used to configure the configuration objects described earlier in this section are disabled on the Edge Transport server when it is subscribed to the Exchange organization. You can still use the tasks that let you view these objects. If you remove an Edge Subscription from an Edge Transport server, all replicated configuration objects are removed from ADAM.

Recipient Information

The recipient information that is replicated to ADAM includes only a subset of the recipient attributes. Only the data that the Edge Transport server must have to perform certain anti-spam tasks is replicated. Distribution groups are not replicated to ADAM. The recipient information replicated to ADAM includes the following:

  • Recipients   The list of recipients in the Exchange organization is replicated to ADAM. Each recipient is identified by the GUID assigned to it in Active Directory. If you configure a recipient's user account to deny receipt of mail from outside the organization, the recipient is not replicated to ADAM. If you disable or delete the mailbox for a recipient, it is not replicated to ADAM.

  • Proxy addresses   All proxy addresses assigned to each recipient are replicated to ADAM as hashed data. This is a one-way hash that uses Secure Hash Algorithm (SHA) 256. SHA-256 generates a 256-bit message digest of the original data. Storing proxy addresses as hashed data helps secure this information in case the Edge Transport server or ADAM is compromised. Proxy addresses are referenced when the Edge Transport server performs the recipient lookup anti-spam task.

  • Safe Senders List and Safe Recipients List   The Safe Senders Lists and Safe Recipients Lists that are defined in each recipient's Outlook instance are aggregated and replicated to ADAM. These settings are stored on the Mailbox store where the recipient's mailbox resides. Information about blocked senders is not replicated. An Outlook user's safelist collection is the combined data from the user's Safe Senders List, Safe Recipients List, Blocked Senders List, and external contacts. Having safelist collection data available in ADAM enables the Edge Transport server to screen senders appropriately, reducing the operational overhead involved with filtering mail. This information is sent as hashed data.

  • Per Recipient anti-spam settings   By using the Set-Mailbox cmdlet, you can assign anti-spam threshold settings per recipient that differ from the organization-wide anti-spam settings. If you configure per recipient anti-spam settings, these settings override the organization-wide settings. By replicating these settings to ADAM, the per recipient settings can be considered before the message is relayed to the Exchange organization. This information is sent as hashed data.

If you remove an Edge Subscription, all the replicated data is also removed and you will no longer be able to use the Edge Transport features that rely on this recipient data.
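The proxy address bullet above explains that ADAM holds only SHA-256 digests, yet the Edge Transport server still performs recipient lookup against them. The following PowerShell illustration is an added example, not taken from the white paper and not Exchange's own implementation: it builds a store that contains only digests of constructed sample proxy addresses, discards the plaintext, and then answers a recipient lookup by hashing the incoming address the same way. The normalization (trim, lowercase, UTF-8) and the hex encoding of the digest are assumptions made for the illustration; the white paper does not document how Exchange encodes the hashed data.

```powershell
# Added illustration (not from the white paper, not Exchange's implementation):
# recipient lookup against a store that holds only SHA-256 digests of proxy
# addresses. Normalization and encoding below are assumptions for this example.
function Get-AddressDigest {
    param([string]$Address)
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $bytes  = [System.Text.Encoding]::UTF8.GetBytes($Address.Trim().ToLowerInvariant())
    $digest = $sha256.ComputeHash($bytes)
    # 256-bit digest rendered as 64 hexadecimal characters
    return ([System.BitConverter]::ToString($digest)).Replace("-", "")
}

# Build the hashed store. Only the digests are kept, which is what limits the
# exposure if the Edge Transport server or ADAM is compromised.
function New-HashedRecipientStore {
    param([string[]]$ProxyAddresses)
    $store = @{}
    foreach ($address in $ProxyAddresses) {
        $store[(Get-AddressDigest $address)] = $true
    }
    return $store
}

# Recipient lookup: hash the RCPT TO address and test membership in the store.
function Test-KnownRecipient {
    param([hashtable]$Store, [string]$RcptTo)
    return $Store.ContainsKey((Get-AddressDigest $RcptTo))
}

# Constructed sample proxy addresses (not real recipients)
$sampleProxyAddresses = @("alice@contoso.example", "alice.smith@contoso.example", "bob@contoso.example")
$hashedStore = New-HashedRecipientStore $sampleProxyAddresses

# Case differences in the incoming address do not matter because both sides
# normalize before hashing; an unknown address finds no matching digest.
foreach ($rcpt in @("Alice@Contoso.example", "mallory@contoso.example")) {
    if (Test-KnownRecipient $hashedStore $rcpt) {
        Write-Host "$rcpt : known recipient"
    } else {
        Write-Host "$rcpt : unknown recipient, can be rejected at the perimeter"
    }
}
```

The point of the one-way hash is visible in the store itself: an attacker who reads it obtains digests, not the organization's address list, while a lookup for a given address remains an exact key match.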

Topology Information

The topology information includes notification of newly subscribed Edge Transport servers or removed Edge Subscriptions. This data is refreshed every five minutes.

EdgeSync and Send Connectors

After an Edge Transport server is subscribed to the Exchange organization, all configuration of Send connectors for that Edge Transport server must be performed on a Hub Transport server. The EdgeSync synchronization process then replicates those Send connectors to ADAM as part of the configuration data. This section describes the Send connectors that are automatically created during the EdgeSync synchronization process and how the Edge Subscription affects the configuration of Send connectors for the Edge Transport server.

Automatically Created Send Connectors

By default, when you complete the Edge Subscription process by importing the Edge Subscription file to a Hub Transport server, the Send connectors that are required to enable end-to-end mail flow between the Internet and the Exchange organization are created automatically. Any existing Send connectors on the Edge Transport server are deleted. You can also select to suppress automatic creation of Send connectors and configure Send connectors manually. Manual Send connector configuration for a subscribed Edge Transport server is discussed in "Manually Configuring Send Connectors" later in this white paper.

The EdgeSync synchronization process provisions the following Send connectors:

  • A Send connector that is configured to relay e-mail messages from the Exchange organization to the Internet

  • A Send connector that is configured to relay e-mail messages from the Edge Transport server to the Exchange organization

Also, by subscribing an Edge Transport server to the Exchange organization, you enable Hub Transport servers that are located in the Active Directory directory service site to which the Edge Transport server is subscribed to use the intra-organization Send connector to relay messages to that Edge Transport server. These Send connectors are described in the following sections of this white paper.

Automatically Created Send Connector to the Internet

By default, when you run the New-EdgeSubscription cmdlet in the Exchange Management Shell on the Hub Transport server, the CreateInternetSendConnector parameter is set to $true. The following table shows the default configuration of this Send connector.

Automatic Internet Send connector configuration

  • Name   EdgeSync - <Site Name> to Internet

  • Address Space   SMTP:*;100

  • Source Servers   Edge Subscription name

  • Enabled   True

  • DNS Routing Enabled   True

  • Domain Secure Enabled (Mutual Auth TLS)   True

Notes

The name of the Edge Subscription is the same as the name of the subscribed Edge Transport server.

If more than one Edge Transport server is subscribed to the same Active Directory site, additional Send connectors to the Internet are not created. Instead, all Edge Subscriptions are added to the same Send connector as source servers. This configuration causes outbound connections to the Internet to be load balanced between the subscribed Edge Transport servers.

This Send connector is configured to send e-mail messages from the Exchange organization to all remote SMTP domains. It will use DNS routing to resolve domain names to mail exchange (MX) records. You can modify the configuration of this connector manually. However, if you must route outbound e-mail through a smart host, for example, you can suppress creation of this connector and manually configure a Send connector to the Internet.

Notes

A Send connector that is configured to use a smart host to route e-mail must have the DNSRoutingEnabled parameter set to $false. If the DNSRoutingEnabled parameter is set to $false, the DomainSecureEnabled parameter must also be set to $false.

Automatically Created Inbound Send Connector

By default, when you run the New-EdgeSubscription cmdlet in the Exchange Management Shell on the Hub Transport server, the CreateInboundSendConnector parameter is set to $true. You cannot change the value of this parameter when you use the New Edge Subscription Wizard in the Exchange Management Console. The following table shows the configuration of this Send connector.

Automatic inbound Send connector configuration

  • Name   EdgeSync - Inbound to <Site Name>

  • Address Space   SMTP:--;1

  • Source Servers   Edge Subscription name

  • Enabled   True

  • DNS Routing Enabled   False

  • Smart Hosts   --

The -- placeholder in the address space for the inbound Send connector represents the authoritative and internal relay accepted domains for the Exchange organization; the placeholder itself is the literal value that is displayed. Any messages that the Edge Transport server receives for authoritative and internal relay accepted domains are routed to this Send connector and relayed to the smart hosts.

The -- placeholder in the list of smart hosts represents all the Hub Transport servers that are located in the subscribed Active Directory site and is the literal character displayed. Hub Transport servers that are added to an Active Directory site after an Edge Subscription has been established do not participate in the EdgeSync synchronization process. However, they are automatically added to the list of smart hosts for the inbound Send connector. If more than one Hub Transport server is located in the subscribed Active Directory site, inbound connections will be load balanced across the smart hosts.

You cannot modify the address space or list of smart hosts for the inbound Send connector. However, if you use the New-EdgeSubscription cmdlet in the Exchange Management Shell when you create the Edge Subscription on the Hub Transport server, you can set the value of the CreateInboundSendConnector parameter to $false. If you do this, no inbound connector is created and you must manually configure a Send connector from the Edge Transport server to the Exchange organization.

After the initial EdgeSync synchronization has finished, you can run the Get-SendConnector cmdlet in the Exchange Management Shell on the subscribed Edge Transport server to verify that these Send connectors are created.
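The following script is an added example, not part of the white paper: run in the Exchange Management Shell on a subscribed Edge Transport server after the initial synchronization, it looks for the two automatically created Send connectors, compares their Enabled and DNSRoutingEnabled settings with the defaults in the tables above, and also checks every connector against the rule stated earlier that a connector with DNS routing disabled must not have Domain Secure enabled. $SiteName is an assumption; use the name of the subscribed Active Directory site.

```powershell
# Added example (not from the white paper): verify the automatically created
# EdgeSync Send connectors on a subscribed Edge Transport server.
$SiteName = "Site-A"   # assumed name of the subscribed Active Directory site

function Test-EdgeSyncSendConnectors {
    param([string]$Site)
    $connectors = @(Get-SendConnector)
    $healthy = $true

    # Expected DNSRoutingEnabled values from the default connector tables:
    # Internet connector uses DNS routing, inbound connector uses smart hosts.
    $expected = @{
        "EdgeSync - $Site to Internet" = $true
        "EdgeSync - Inbound to $Site"  = $false
    }

    foreach ($name in $expected.Keys) {
        $c = $connectors | Where-Object { $_.Name -eq $name }
        if ($c -eq $null) {
            Write-Warning "Missing Send connector '$name' (not yet synchronized, or automatic creation was suppressed)"
            $healthy = $false
            continue
        }
        if (-not $c.Enabled) {
            Write-Warning "'$name' is disabled"
            $healthy = $false
        }
        if ($c.DNSRoutingEnabled -ne $expected[$name]) {
            Write-Warning "'$name' has DNSRoutingEnabled = $($c.DNSRoutingEnabled); expected $($expected[$name])"
            $healthy = $false
        }
    }

    # Rule from the white paper: DNSRoutingEnabled $false requires DomainSecureEnabled $false.
    foreach ($c in $connectors) {
        if ((-not $c.DNSRoutingEnabled) -and $c.DomainSecureEnabled) {
            Write-Warning "'$($c.Name)' routes through smart hosts but has DomainSecureEnabled = True"
            $healthy = $false
        }
    }
    return $healthy
}

if (Test-EdgeSyncSendConnectors -Site $SiteName) {
    Write-Host "EdgeSync Send connectors for $SiteName look as expected"
}
```

If the Internet connector was deliberately suppressed, the missing-connector warning for it is expected and the manually configured replacement should be checked instead.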

Intra-organization Send Connector

The intra-organization Send connector is an implicit and hidden Send connector that is automatically computed by Exchange 2007 and enables Hub Transport servers in the same organization to relay messages to one another without using explicit Send connectors. Because a configuration object that has an Active Directory site association exists in Active Directory for an Edge Subscription, the intra-organization Send connector will also be used to relay messages to that Edge Transport server.

Only Hub Transport servers that are located in the same Active Directory site to which the Edge Transport server is subscribed can send and receive e-mail directly to or from the subscribed Edge Transport server. If you have a multi-site forest and Exchange 2007 is deployed in more than one site, the Hub Transport servers in non-subscribed sites will route outbound e-mail to the subscribed site. A Hub Transport server in the subscribed site will route outbound e-mail to the Edge Transport server.

The following figure shows outbound mail flow from a non-subscribed Active Directory site in an Exchange organization. An Active Directory forest with two sites has associated an Edge Subscription with Site-A. If a message is sent from Site-B to an Internet recipient, it will be relayed first to Site-A. The receiving Hub Transport server in Site-A relays the message to the Edge Transport server by using the intra-organization Send connector. The Edge Transport server then routes the message to the automatically created EdgeSync - Site-A to Internet Send connector for delivery to the recipient domain.

Outbound mail flow with an Edge Subscription

The following figure illustrates inbound mail flow from the Internet through a subscribed Edge Transport server. In this example, a message is received for a recipient whose mailbox is stored on a Mailbox server that is located in Site-B. The Edge Transport server receives the message and routes it to the EdgeSync - Inbound to Site-A Send connector. The receiving Hub Transport server in Site-A then routes the message to Site-B by using the intra-organization Send connector.

Inbound mail flow with an Edge Subscription

Manually Configuring Send Connectors

After an Edge Transport server is subscribed to an Active Directory site, the tasks for creating and modifying Send connectors are disabled on the Edge Transport server. If you want to create a Send connector for which the Edge Transport server is a source server, you create the Send connector inside the Exchange organization. You can specify one or more Edge Subscriptions as the source servers for a Send connector. You cannot specify both Hub Transport servers and Edge Subscriptions as source servers for the same Send connector. The Send connector will be replicated to the ADAM instance on each Edge Transport server that is configured as a source server the next time that configuration data is synchronized by the EdgeSync synchronization process. If you list more than one Edge Subscription as a source server, connections to that Send connector will be load balanced between the subscribed Edge Transport servers. However, the Edge Transport servers have to be subscribed to the same Active Directory site for load balancing to occur. If Edge Subscriptions in different Active Directory sites are configured as source servers on the same Send connector, Hub Transport servers will route only to the closest source server.

You have to create Send connectors manually in the following scenarios:

  • You have suppressed automatic creation of the Internet or Inbound Send connectors.

  • You have accepted domains that are configured as external relay domains.

Suppressing Automatic Creation of Send Connectors

Depending on the topology of your Exchange organization, you may decide to suppress automatic creation of Send connectors. The following scenarios provide examples of topologies that require that you suppress automatic creation of Send connectors.

Partitioning Mail Flow

You may decide to partition the inbound and outbound mail processing between two Edge Transport servers. In this scenario, one Edge Transport server is responsible for processing outbound mail flow and a second Edge Transport server is responsible for processing inbound mail flow. To achieve this scenario, you configure the Edge Subscriptions as follows:

  • For the Edge Transport server that processes only outbound mail flow, run the following command in the Exchange Management Shell on the Hub Transport server:

    New-EdgeSubscription -File "c:\edge1subscriptionfile.xml" -Site "Site-A" -CreateInboundSendConnector $false -CreateInternetSendConnector $true
    
  • For the Edge Transport server that processes only inbound mail flow, run the following command in the Exchange Management Shell on the Hub Transport server:

    New-EdgeSubscription -File "c:\edge2subscriptionfile.xml" -Site "Site-A" -CreateInboundSendConnector $true -CreateInternetSendConnector $false
    

Routing Outbound E-Mail to a Smart Host

If your Exchange organization routes all outbound e-mail through a smart host, the default automatically created Send connector to the Internet will not have the correct configuration.

In this scenario, you run the following command in the Exchange Management Shell on the Hub Transport server to suppress automatic creation of the Send connector to the Internet:

New-EdgeSubscription -File "c:\edgesubscriptionfile.xml" -Site "Site-A" -CreateInternetSendConnector $false

After the Edge Subscription process is complete, manually create a Send connector to the Internet. Create the Send connector inside the Exchange organization and select the Edge Subscription as the source server for the connector. Select the Custom usage and configure one or more smart hosts. The Send connector will be replicated to the ADAM instance on the Edge Transport server the next time that EdgeSync synchronizes configuration data. You can also force EdgeSync synchronization to immediately start by running the Start-EdgeSynchronization cmdlet in the Exchange Management Shell on a Hub Transport server.

The following code provides an example of how to use the Exchange Management Shell to configure a Send connector for a subscribed Edge Transport server to route messages for all Internet address spaces through a smart host. This task is run inside the Exchange organization, not on the Edge Transport server.

New-SendConnector -Name "EdgeSync - Site-A to Internet" -Usage Custom -AddressSpaces "SMTP:*;100" -DNSRoutingEnabled $false -SmartHosts 192.168.10.1 -SmartHostAuthMechanism None -SourceTransportServers EdgeSubscriptionName

Important:
This example does not specify any smart host authentication mechanism. Make sure that you configure the correct authentication mechanism and provide all necessary credentials when you create a smart host connector in your own Exchange organization.

Configuring Send Connectors for External Relay Domains

If you have accepted domains in your Exchange organization that are configured as external relay domains, you have to manually create a Send connector for those address spaces. Messages that are being delivered to external relay domains are relayed by the Edge Transport server. The Edge Subscription process does not automatically create and configure Send connectors for external relay domains. Therefore, you have to configure Send connectors for those domains and specify one or more Edge Subscriptions as the source server for those Send connectors. 

The DNS MX resource record for an external relay domain resolves to your Edge Transport server. Configure a Send connector that relays e-mail to an external relay domain to use a smart host for routing. If you configure the Send connector for an external relay domain to use DNS routing, a routing loop will occur. For more information about external relay domains, see Managing Accepted Domains.


Managing Edge Subscriptions

An Edge Subscription doesn't require periodic maintenance. However, the following tasks may be performed to manage Edge Subscriptions:

  • Force EdgeSync synchronization   If you have made significant changes to the recipients or configuration in Active Directory, you may want to start the Microsoft Exchange EdgeSync service to synchronize immediately, instead of waiting for the scheduled replication interval.

  • Remove an Edge Subscription   If an Edge Transport server is being decommissioned, you can remove the Edge Subscription. You must also remove and re-create an Edge Subscription if you want to change the Active Directory site association. The Edge Subscription must be removed from only the Exchange organization.

  • Resubscribe an Edge Transport server   If Hub Transport servers are added to an Active Directory site after an Edge Subscription to that site is created, they do not participate in the EdgeSync synchronization process. To have those servers participate in the EdgeSync synchronization process, you must resubscribe the Edge Transport server. You must also resubscribe the Edge Transport server if errors occur during authentication of the EdgeSync replication account credentials.

  • Test Edge synchronization   You can use the Test-EdgeSynchronization cmdlet in the Exchange Management Shell to validate that Active Directory and ADAM are synchronized.

Resubscribing an Edge Transport Server

Occasionally you may have to resubscribe an Edge Transport server to an Active Directory site. When the Edge Subscription is recreated, new credentials are generated and the complete Edge Subscription process must be followed. This process is used in the following scenarios:

  • New Hub Transport servers have been deployed in the subscribed Active Directory site and you want the new server to participate in EdgeSync synchronization. For more information about this scenario, see "Adding or Removing a Hub Transport Server" later in this white paper.

  • The license key for the Edge Transport server was applied after the Edge Subscription was created. The licensing information for the Edge Transport server is captured when the Edge Subscription is created and is shown in the Exchange Management Console for the Exchange organization. For subscribed Edge Transport servers to appear as licensed, they must be subscribed to the Exchange organization after the license key is applied on the Edge Transport server. If the license key is applied on the Edge Transport server after you perform the Edge Subscription process, the licensing information is not updated in the Exchange organization and you must resubscribe the Edge Transport server. 

  • The ESRA credentials are compromised.

Important:
To resubscribe an Edge Transport server, export a new Edge Subscription file on the Edge Transport server and then import the XML file on a Hub Transport server. You must resubscribe the Edge Transport server to the same Active Directory site to which it was originally subscribed. You do not have to first remove the original Edge Subscription. The resubscription process will overwrite the existing Edge Subscription.

Removing an Edge Subscription

There are some scenarios where you may have to remove an Edge Subscription from the Exchange organization or from both the Exchange organization and the Edge Transport server. If the Edge Transport server will be resubscribed to the Exchange organization, do not remove the Edge Subscription from the Edge Transport server. When you remove the Edge Subscription from an Edge Transport server, all replicated data is deleted from ADAM. This can take a long time if you have lots of recipient data.

The following list provides examples of situations that require that you remove the Edge Subscription.

  • You no longer want the Edge Transport server to participate in the EdgeSync synchronization process. In this scenario, you must remove the Edge Subscription from both the Edge Transport server and from the Exchange organization.

  • An Edge Transport server is being decommissioned. In this scenario, you must remove the Edge Subscription from the Exchange organization only. If you uninstall the Edge Transport server role from the computer, the ADAM instance and all Active Directory data that is stored in ADAM is also removed.

  • You want to change the Active Directory site association for the Edge Subscription. In this scenario, you must remove the Edge Subscription from only the Exchange organization. After the Edge Subscription is removed from the Exchange organization, you can resubscribe the Edge Transport server to a different Active Directory site.

If you want to remove an Edge Subscription, follow these steps:

  1. Stop mail flow on the Edge Transport server. Disable any receive connectors on the Edge Transport server to prevent it from accepting any new messages and then wait for the queues to drain.

  2. Remove the Edge Subscription by running the Remove-EdgeSubscription cmdlet on a Hub Transport server inside the Exchange organization. If you are not going to resubscribe the Edge Transport server, also run this cmdlet on the Edge Transport server after this step has been performed on a Hub Transport server.

When you remove the Edge Subscription from the Exchange organization, the effect is as follows:

  • Synchronization of information from Active Directory to ADAM stops.

  • The ESRA accounts are removed from both Active Directory and ADAM.

  • The computer that has the Edge Transport server role installed is removed from the source server list of any Send connector.

  • The automatic inbound Send connector from the Edge Transport server to the Exchange organization is removed from ADAM.

When you remove the Edge Subscription from an Edge Transport server, the effect is as follows:

  • You can no longer use the Edge Transport server features that rely on Active Directory data.

  • Replicated data is removed from ADAM.

  • The tasks that were disabled when the Edge Subscription was created are re-enabled to allow for local configuration.

Depending on the reason that you have removed an Edge Subscription, you may want to resubscribe that same Edge Transport server to the original Active Directory site to which it was subscribed or to a different Active Directory site. When the Edge Subscription is recreated, new credentials are generated and the complete Edge Subscription process must be followed.

If you are removing the Edge Transport server from service, follow the procedures in How to Completely Remove Exchange 2007 from a Server.

How to Remove an Edge Subscription

After you remove the Edge Subscription, synchronization of information from Active Directory to ADAM stops. All the accounts that are stored in ADAM are removed, and the computer that has the Edge Transport server role installed is removed from the source server list of any Send connector. You will no longer be able to use the Edge Transport server features that rely on Active Directory data.

Notes

To completely remove the Edge Subscription, you must run this procedure on the Edge Transport server and on the Hub Transport server. To run this procedure on the Hub Transport server, you can use the Exchange Management Console or the Exchange Management Shell. To run this procedure on the Edge Transport server, you must use the Exchange Management Shell.

Procedure

To use the Exchange Management Console to remove an Edge Subscription

  1. Open the Exchange Management Console. Expand Organization Configuration, select Hub Transport, and then in the result pane, click the Edge Subscriptions tab.

  2. Select the Edge Subscription that you want to remove. In the action pane, click Remove.

To use the Exchange Management Shell to remove an Edge Subscription

  • Run the following command:

    Remove-EdgeSubscription -Identity EdgeServerName -DomainController dc.domain.com
    

    Notes

    The DomainController parameter is optional. Use this parameter when you want to specify the domain controller that will write this change to Active Directory.


Adding an Edge Transport Server

You can subscribe one or more Edge Transport servers to a single Active Directory site. If you deploy additional Edge Transport servers in your perimeter network and subscribe them to the same Active Directory site where an Edge Subscription already exists, the following actions occur:

  • A new Edge Subscription object is created in Active Directory.

  • Additional ESRA accounts are created for each Hub Transport server in the Active Directory site. These accounts are replicated to ADAM and used by the EdgeSync synchronization process during synchronization with the new server.

  • The new Edge Subscription is added to the source server list of the automatic Send connector to the Internet. Messages submitted to that connector for processing will be load-balanced between the subscribed Edge Transport servers.

  • An inbound Send connector from the Edge Transport server to the Exchange organization is automatically created.

  • EdgeSync synchronization to the Edge Transport server starts.

Adding or Removing a Hub Transport Server

If a Hub Transport server is added to the Active Directory site to which an Edge Transport server is already subscribed, it does not automatically participate in the EdgeSync synchronization process. To enable a newly deployed Hub Transport server to participate in the EdgeSync synchronization process, you must resubscribe each Edge Transport server to the Active Directory site.

Removing a Hub Transport server from an Active Directory site where an Edge Transport server is subscribed will not affect EdgeSync synchronization, unless that Hub Transport server is the last Hub Transport server in that site. If you remove all Hub Transport servers from the Active Directory site where an Edge Transport server is subscribed, the subscribed Edge Transport servers are orphaned.


Verifying EdgeSync Results

Any errors that occur during the EdgeSync synchronization process are reported to the Application log of the Windows Event Viewer. These errors will typically appear on the Hub Transport server. However, subscribed Edge Transport servers will report errors if synchronization has not occurred in a long time.

The Test-EdgeSynchronization cmdlet is a diagnostic cmdlet that provides a report of the synchronization status of subscribed Edge Transport servers. This task provides useful information to the administrator when it is run manually. It can also be called by Microsoft Operations Manager. When the task is called by Microsoft Operations Manager, alerts are generated if an Edge Transport server is not synchronized.

The Test-EdgeSynchronization cmdlet provides proactive alerting when an Edge Transport server is no longer synchronized. The output of this cmdlet lets you view which objects have not been synchronized to the Edge Transport server. The task compares the data that is stored in Active Directory and the data that is stored in ADAM. Any inconsistencies in data are reported in the results output by this command.

You can use the ExcludeRecipientTest parameter with the Test-EdgeSynchronization cmdlet to exclude validation of recipient data synchronization. If you include this parameter, only the synchronization of configuration objects is validated. Validating that recipient data is synchronized will take longer than validating only configuration data.

To run the Test-EdgeSynchronization cmdlet, you must log on to a computer that has the Hub Transport server role installed and that is located in the Active Directory site to which the Edge Transport server is subscribed.

If you want to verify the EdgeSync synchronization results for a specific recipient, you can use Ldp.exe to view the recipient properties that are stored in ADAM. You must locate the recipient by its Active Directory GUID and, because the data is sent hashed, you must also be able to interpret the information that is returned when you view the recipient details.

How to Verify EdgeSync Results for a Recipient

This section explains how to use the Ldp.exe support tool to verify the EdgeSync synchronization results for a specific recipient. Ldp.exe is a Windows Support Tools utility that you can use to perform LDAP searches of an LDAP directory, such as viewing directory data in ADAM. You can use Ldp.exe to retrieve information about a recipient from ADAM when an Edge Transport server is subscribed to an Active Directory site. A subscribed Edge Transport server receives information about recipients through the EdgeSync synchronization process. The Microsoft Exchange EdgeSync service runs on Hub Transport servers and replicates data from Active Directory to ADAM. The recipient data that is replicated includes the attributes that are used by the recipient lookup and safelist aggregation anti-spam features.

Important:
Ldp.exe is intended to be used by experienced administrators to gain low-level access to a directory service. This tool should not be used to modify the data that is stored in ADAM.

Use this procedure to verify that the correct attribute values for a specific recipient have been synchronized to ADAM. Inconsistencies between the attribute values that are stored in Active Directory and the attribute values that are stored in ADAM may be caused by Active Directory replication latency. To make sure that the ADAM instance on the Edge Transport server is current before you perform this procedure, do the following:

  • Use the Active Directory Replication Monitor tool to view the replication status of the domain controllers and global catalog servers that are located in the subscribed Active Directory site. If you have been granted the correct permissions, you can synchronize the directory partitions to bring the local directory servers up to date. For more information about the Active Directory Replication Monitor, see the Microsoft Windows Server 2003 Help.

  • Use the Test-EdgeSynchronization cmdlet in the Exchange Management Shell on a Hub Transport server in the subscribed site to determine whether the subscribed Edge Transport servers have a current synchronization status. You can use the Start-EdgeSynchronization cmdlet to start immediate synchronization and bring ADAM up to date.

Several steps are required to view the recipient data in ADAM for the following reasons:

  • Only a subset of recipient data is replicated from Active Directory to ADAM.

  • Some of the attributes are stored in hashed form. This includes e-mail addresses.

To verify the EdgeSync synchronization results for a recipient, follow these steps:

  1. Determine the user name of the recipient for which you want to verify EdgeSync synchronization results.

  2. Determine the GUID that is associated with the recipient in Active Directory. This GUID is represented as the recipient's canonical name (CN) in ADAM.

  3. Determine the Active Directory value of the attributes that you want to verify for that recipient.

  4. Use Ldp.exe on the Edge Transport server to retrieve information about that recipient from ADAM.

  5. Use the Windows Calculator to translate the retrieved decimal attribute values to hexadecimal and determine the significant byte.

  6. Compare the Active Directory attribute values and the ADAM attribute values, and verify that they match.

Procedure

To use the Exchange Management Shell to determine Active Directory recipient attribute values

  1. Open the Exchange Management Shell on a domain-joined computer that has the Exchange 2007 administrative tools installed.

  2. Type the following command to determine the Active Directory GUID for a recipient that has the user name Susan:

    Get-User -Identity Susan | ft Name, GUID
    
  3. Type the following command to determine the value of all spam confidence level (SCL) attributes configured for a recipient that has the user name Susan:

    Get-Mailbox -Identity Susan | ft SCL*
    

    Notes

    This code provides an example of how to retrieve anti-spam attribute values for a recipient. You can use the Get-Mailbox cmdlet to view whatever attributes you want to verify.

To use Ldp.exe to determine ADAM recipient attribute values

  1. Start Ldp.exe on the Edge Transport server. By default, this tool is located at <System drive>\WINDOWS\ADAM\ldp.exe.

  2. Click Connection on the menu bar, and then click Connect…

  3. In the Connect dialog box, type the name of the Edge Transport server in the Server field. In the Port field, type the ADAM LDAP port. By default, this port number is 50389. Do not select the Connectionless or SSL check boxes. Click OK.

  4. Click Connection on the menu bar, and then click Bind.

  5. If you are logged on as a local administrator, in the Bind dialog box, select Bind as currently logged on user. To enter administrator credentials, select Bind with credentials, and then enter a user name and password. Click OK.

  6. Click View on the menu bar, and then click Tree.

  7. In the Tree View dialog box, clear any entry in the BaseDN field. Click OK. You are now connected to the root of the ADAM directory.

  8. Click Browse on the menu bar, and then click Search.

  9. In the Search dialog box, use the drop-down box for the BaseDN field to select OU=MsExchangeGateway.

  10. In the Filter field, enter search criteria that will find the recipient whose CN is equal to the GUID that you obtained from Active Directory. For example, if the GUID starts with 21664853, enter (cn=21664853*). Notice that you do not have to type the complete GUID. You can type the first several characters and then use the * wildcard character to search for all GUIDs that begin with those characters.

  11. Select Subtree as the Scope. Click Run. The search results appear in the right pane of Ldp.exe.

  12. You can change the list of attributes that are included in the search results. To do this, click Browse on the menu bar, and then click Search. Enter the BaseDN, Filter, and Scope options as instructed in the previous steps. Click Options.

  13. In the Attributes field, enter a list of attributes to display. Separate each attribute by using a semicolon. For example, to list the SCL delete threshold and the SCL reject threshold, enter the following text:

    MsExchMessageHygieneSCLDeleteThreshold;MsExchMessageHygieneSCLRejectThreshold

  14. Click OK, and then click Run in the Search dialog box. The search results appear in the right pane of Ldp.exe. Attributes that have a null value do not appear.

To use the Windows Calculator to translate Ldp.exe search results

  1. The attribute values that are returned when you use Ldp.exe to search ADAM must be translated from the decimal value that appears to hexadecimal, and then the significant byte must be isolated to verify that the value matches the attribute value in Active Directory. For example, the value returned for the SCL delete threshold may appear as follows:

    msExchMessageHygieneSCLDeleteThreshold:-2147483643
    

    To translate this value, click Start, select Programs, select Accessories, and then click Calculator.

  2. Click View on the menu bar, and then click Scientific.

  3. Enter the decimal value, and then select Hex. The number 2147483643 now appears as 7FFFFFFB.

  4. Click And, click F, and then click =. The number 7FFFFFFB now appears as 5.

  5. Verify that the resulting attribute value that is stored in ADAM matches the value assigned to that attribute for this recipient in Active Directory.
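As an added example (not code from the white paper), the following PowerShell script performs steps 4 to 6 of this procedure from the Exchange Management Shell: it reads the recipient's SCL threshold attributes from ADAM with System.DirectoryServices instead of Ldp.exe, decodes the returned integer the same way the calculator steps do (32-bit hex pattern, then AND F), and compares the result with the values that Get-Mailbox returns. Assumptions, also marked in the code: the ADAM LDAP port 50389 is reachable from the computer where the script runs, the recipient container is OU=MsExchangeGateway as in the Ldp.exe steps, and all function and parameter names are hypothetical.

```powershell
# Added example, not code from the white paper. Requires Windows PowerShell 2.0 or later.
Add-Type -AssemblyName System.DirectoryServices

function ConvertFrom-AdamSclValue {
    # Decodes an SCL threshold integer as stored in ADAM, e.g. -2147483643 -> 0x80000005 -> 5.
    param([Parameter(Mandatory=$true)][long]$RawValue)
    # Keep only the low 32 bits so the signed value is shown as its unsigned bit pattern.
    # ([uint32]::MaxValue is used because the literal 0xFFFFFFFF is parsed as -1 in PowerShell.)
    $bits = $RawValue -band [uint32]::MaxValue
    New-Object PSObject -Property @{
        Raw       = $RawValue
        Hex       = '{0:X8}' -f $bits            # what the calculator shows after selecting Hex
        Threshold = [int]($bits -band 0xF)       # the "And F" step: the significant nibble
    }
}

function Get-AdamSclThresholds {
    # Same lookup as the Ldp.exe steps: BaseDN OU=MsExchangeGateway, filter on the GUID prefix.
    param(
        [Parameter(Mandatory=$true)][string]$EdgeServer,
        [Parameter(Mandatory=$true)][guid]$RecipientGuid,
        [int]$Port = 50389,                                  # assumption: default ADAM LDAP port
        [System.Management.Automation.PSCredential]$Credential
    )
    $attrs = 'msExchMessageHygieneSCLDeleteThreshold', 'msExchMessageHygieneSCLRejectThreshold'
    $path  = "LDAP://${EdgeServer}:$Port/OU=MsExchangeGateway"
    if ($Credential) {
        $nc   = $Credential.GetNetworkCredential()           # "Bind with credentials"
        $root = New-Object System.DirectoryServices.DirectoryEntry($path, $nc.UserName, $nc.Password)
    } else {
        $root = New-Object System.DirectoryServices.DirectoryEntry($path)   # "Bind as currently logged on user"
    }
    # First eight hex digits of the GUID plus a wildcard, e.g. (cn=21664853*)
    $filter   = '(cn=' + $RecipientGuid.ToString('N').Substring(0, 8) + '*)'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter, $attrs)
    $searcher.SearchScope = 'Subtree'
    $result = $searcher.FindOne()
    if ($result -eq $null) {
        throw "No ADAM object matches $filter; run Start-EdgeSynchronization on a Hub Transport server and retry"
    }
    $decoded = @{}
    foreach ($attr in $attrs) {
        $key = $attr.ToLower()                               # result property names are lower-case
        if ($result.Properties.Contains($key)) {             # attributes with a null value are not returned
            $decoded[$attr] = ConvertFrom-AdamSclValue -RawValue $result.Properties[$key][0]
        }
    }
    $decoded
}

function Test-SclThresholdMatch {
    # Step 6: compare the Active Directory values (Get-Mailbox) with the decoded ADAM values.
    param(
        [Parameter(Mandatory=$true)]$Mailbox,                # object returned by Get-Mailbox
        [Parameter(Mandatory=$true)][hashtable]$AdamValues   # output of Get-AdamSclThresholds
    )
    $map = @{
        msExchMessageHygieneSCLDeleteThreshold = 'SCLDeleteThreshold'
        msExchMessageHygieneSCLRejectThreshold = 'SCLRejectThreshold'
    }
    foreach ($attr in $map.Keys) {
        $adValue   = $Mailbox.($map[$attr])                  # $null when not configured in Active Directory
        $adamValue = $null
        if ($AdamValues.ContainsKey($attr)) { $adamValue = $AdamValues[$attr].Threshold }
        New-Object PSObject -Property @{
            Attribute       = $attr
            ActiveDirectory = $adValue
            Adam            = $adamValue
            Match           = ($adValue -eq $adamValue)      # both unset also counts as consistent
        }
    }
}

# Usage in the Exchange Management Shell on a Hub Transport server in the subscribed site
# (edge1 and Susan are placeholders):
#   $mbx  = Get-Mailbox -Identity Susan
#   $adam = Get-AdamSclThresholds -EdgeServer edge1 -RecipientGuid (Get-User -Identity Susan).Guid
#   Test-SclThresholdMatch -Mailbox $mbx -AdamValues $adam | Format-Table Attribute, ActiveDirectory, Adam, Match
# Decoding the value shown above without any directory access:
#   ConvertFrom-AdamSclValue -RawValue -2147483643    # Hex 80000005, Threshold 5
```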


Appendix 1: Exchange Management Shell EdgeSync Cmdlets

This section provides information about the Exchange Management Shell cmdlets that can help you manage the Edge Subscription and EdgeSync synchronization processes that are associated with the Microsoft Exchange EdgeSync service.

Get-EdgeSubscription

Run the Get-EdgeSubscription cmdlet on an Exchange 2007 server in the organization. This cmdlet retrieves the list of Edge Subscriptions. Each computer that has the Edge Transport server role installed and that is subscribed to the Exchange organization has a separate Edge Subscription. You can use this cmdlet to view the Edge Subscription information for a specific Edge Transport server. You can also use this cmdlet to view the Edge Subscription information for all Edge Transport servers that are subscribed to Active Directory sites.

The Get-EdgeSubscription cmdlet uses the following syntax:

Get-EdgeSubscription [-Identity <TransportServerIdParameter>] [-DomainController <Fqdn>]

Parameters

Parameter Required Type Description

DomainController

Optional

Microsoft.Exchange.Data.Fqdn

Use the DomainController parameter to specify the host name or FQDN of the domain controller that processes this query.

Identity

Optional

Microsoft.Exchange.Configuration.Tasks.TransportServerIdParameter

Use the Identity parameter to specify the name of the Edge Transport server for which you want to retrieve Edge Subscription information. The identity is expressed as the host name of the Edge Transport server. If no identity is specified, all Edge Subscriptions are returned.

Example

The following code examples show you how to use the Get-EdgeSubscription cmdlet to retrieve Edge Subscription information. The first example binds to the specified domain controller and retrieves the Edge Subscription information for the specified Edge Transport server. The second example retrieves Edge Subscription information for all Edge Transport servers that are subscribed to the Exchange organization. The command is piped to the Format-List command to format the results as a detailed list.

Get-EdgeSubscription -DomainController dc.domain.com -Identity EdgeServerName
Get-EdgeSubscription | format-list


New-EdgeSubscription

Run the New-EdgeSubscription cmdlet on the Edge Transport server to export the Edge Subscription file. This command creates the ADAM account that is used to help secure LDAP communications during data transfer, retrieves those credentials, and exports the Edge Subscription file. This procedure removes the existing configuration for objects on the Edge Transport server that are replicated to ADAM from Active Directory. After you perform this procedure, you must import the Edge Subscription file on a Hub Transport server. After the Edge Subscription is imported, the Edge Transport server receives its configuration information through replication from Active Directory. The controls that are used to edit those configuration settings on the Edge Transport server are disabled during the subscription process. Copy this file to removable media so that the file can be imported on the Hub Transport server, and then delete the file from the Edge Transport server.

Run the New-EdgeSubscription cmdlet on the Hub Transport server to import the Edge Subscription file and subscribe the Edge Transport server to an Active Directory site. The Active Directory site to which the Edge Transport server is subscribed must contain at least one Hub Transport server. This command imports the Edge Subscription file, establishes an authenticated communication channel, and completes the Edge Subscription process by starting the initial replication. By default, this process also creates the Send connector that is used to send messages to the Internet through the Edge Transport server and the Send connector that is used to send messages from the Edge Transport server to the Exchange organization.

The New-EdgeSubscription cmdlet uses the following syntax:

New-EdgeSubscription -FileName <LongPath> [-CreateInboundSendConnector <$true | $false>] [-CreateInternetSendConnector <$true | $false>] [-DomainController <Fqdn>] [-Force <SwitchParameter>] [-Site <AdSiteIdParameter>] [-TemplateInstance <PSObject>]

Parameters

Parameter Required Type Description

FileName

Required

Microsoft.Exchange.Data.LongPath

Use the FileName parameter to specify the full path of the Edge Subscription file.

CreateInboundSendConnector

Optional

System.Boolean

Use the CreateInboundSendConnector parameter to specify whether to create the Send connector from the Edge Transport server to the Hub Transport servers. The default value is $True. The Send connector address space will be set to "--", the smart hosts will be set to "--", the Edge Transport server will be set as the source server, and DNS routing will be disabled. This parameter is only used when you run the command on the Hub Transport server.

CreateInternetSendConnector

Optional

System.Boolean

Use the CreateInternetSendConnector parameter to specify whether to create the Send connector to the Internet. The default value is $true. The Send connector address space will be set to all domains (*), the Edge Transport server will be set as the source server, and DNS routing will be enabled. This parameter is only used when you run the command on the Hub Transport server.

DomainController

Optional

Microsoft.Exchange.Data.Fqdn

Use the DomainController parameter to specify the host name or FQDN of the domain controller that will process this command. This parameter is used only when you run the command on a Hub Transport server.

Force

Optional

System.Management.Automation.SwitchParameter

Use the Force parameter to specify that Edge Synchronization should begin immediately after the New-EdgeSubscription cmdlet runs. This parameter is used only when you run the command on a Hub Transport server.

Site

Optional

Microsoft.Exchange.Configuration.Tasks.AdSiteIdParameter

Use the Site parameter to specify the name of the Active Directory site that contains the Hub Transport servers with which the Edge Transport servers will be associated. This parameter is used only when you run the command on a Hub Transport server and it is a required parameter when the command is run on a Hub Transport server.

TemplateInstance

Optional

System.Management.Automation.PSObject

When an existing object is supplied to this parameter, the command will use that object configuration to create an identical copy of the object on a local or target server.

Example

You must run the New-EdgeSubscription cmdlet on both the Edge Transport server and the Hub Transport server to complete the Edge Subscription process.

The following code example shows how to use the New-EdgeSubscription cmdlet on the Edge Transport server to create the Edge Subscription file. Transfer the resulting file to the Hub Transport server, and then run the command in the second example on the Hub Transport server to import the Edge Subscription file and to subscribe the Edge Transport server to the specified Active Directory site.

New-EdgeSubscription -FileName "c:\EdgeServerSubscription.xml"
New-EdgeSubscription -FileName "c:\EdgeServerSubscription.xml" -site "Default-First-Site-Name"


Remove-EdgeSubscription

The Remove-EdgeSubscription cmdlet removes an Edge Subscription. After you remove the Edge Subscription, synchronization of information from Active Directory to ADAM stops. All the accounts that are stored in ADAM are removed, and the Edge Transport server is removed from the source server list of any Send connector.

Edge Transport servers are subscribed to an Active Directory site by using the Edge Subscription process. You remove an Edge Subscription when an Edge Transport server is being replaced or when a server is compromised. You must perform this procedure on the Edge Transport server and on the Hub Transport server to completely remove the Edge Subscription.

The Remove-EdgeSubscription cmdlet uses the following syntax:

Remove-EdgeSubscription -Identity <TransportServerIdParameter> [-DomainController <Fqdn>]

Parameters

Parameter Required Type Description

Identity

Required

Microsoft.Exchange.Configuration.Tasks.TransportServerIdParameter

This parameter specifies the identity of the Edge Transport server for which you want to remove the Edge Subscription. The identity is expressed as the host name of the Edge Transport server.

DomainController

Optional

Microsoft.Exchange.Data.Fqdn

Use the DomainController parameter to specify the host name or FQDN of the domain controller that will write this change to Active Directory. This parameter is used only when the procedure is run on the Hub Transport server.

Example

The following code example shows how to use the Remove-EdgeSubscription cmdlet to remove the Edge Subscription for the specified Edge Transport server.

# Run on the Hub Transport server (use -DomainController only there); run the same cmdlet without -DomainController on the Edge Transport server.
Remove-EdgeSubscription -Identity EdgeServerName -DomainController dc.domain.com
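As an added example (not code from the white paper), the following script runs on a Hub Transport server and removes the subscription for an Edge Transport server that is being replaced or is suspected to be compromised, then verifies that the subscription is gone and that no Send connector still lists that server as a source server. It assumes the Get-EdgeSubscription and Get-SendConnector cmdlets, the SourceTransportServers property of a Send connector, and the -Confirm common parameter, none of which this section describes; the server and domain controller names are placeholders.

```powershell
# Added example: run on a Hub Transport server in the site the Edge server is subscribed to.
# Placeholders: replace $EdgeServer and $DomainController with your own values.
$EdgeServer       = "EdgeServerName"
$DomainController = "dc.domain.com"

# Remove the Edge Subscription on the Hub side. This stops EdgeSync replication to that
# server and removes it from the source server list of every Send connector.
# (-Confirm:$false suppresses the interactive prompt; assumed common parameter.)
Remove-EdgeSubscription -Identity $EdgeServer -DomainController $DomainController -Confirm:$false

# Check 1: the subscription object should no longer exist.
# (Get-EdgeSubscription is assumed here; it is not described in this section.)
$remaining = Get-EdgeSubscription -DomainController $DomainController |
    Where-Object { $_.Name -eq $EdgeServer }
if ($remaining) {
    Write-Warning "Edge Subscription for $EdgeServer still exists; check that $DomainController has the change."
} else {
    Write-Host "Edge Subscription for $EdgeServer removed."
}

# Check 2: no Send connector should still reference the Edge server as a source server.
# A connector that still lists it would keep routing outbound mail through a server you no
# longer trust. (SourceTransportServers is assumed; not described in this section.)
$stale = Get-SendConnector -DomainController $DomainController |
    Where-Object { $_.SourceTransportServers | Where-Object { $_.Name -eq $EdgeServer } }
foreach ($connector in $stale) {
    Write-Warning "Send connector '$($connector.Name)' still lists $EdgeServer as a source server."
}
if (-not $stale) { Write-Host "No Send connector references $EdgeServer." }

# The same Remove-EdgeSubscription -Identity $EdgeServer command must also be run locally on the
# Edge Transport server so that the accounts stored in its ADAM instance are removed.
```

The two checks matter most in the compromise case: until the subscription object and the connector references are gone, the Hub Transport servers will still treat the untrusted Edge server as a legitimate replication target and outbound relay.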


Start-EdgeSynchronization

Use the Start-EdgeSynchronization cmdlet to immediately start synchronization of configuration data from Active Directory to the subscribed computers that have the Edge Transport server role installed.

The synchronization of configuration data occurs at one-hour intervals. The synchronization of recipient data occurs at four-hour intervals. If you want to synchronize Active Directory changes to ADAM immediately, run the Start-EdgeSynchronization cmdlet. This cmdlet has no parameters. To perform the following procedure, you must log on to an Exchange 2007 server in the organization.

Example

The following example shows how to use the Start-EdgeSynchronization cmdlet to start synchronization of changed data from Active Directory to the subscribed Edge Transport servers.

Start-EdgeSynchronization


Test-EdgeSynchronization

Use the Test-EdgeSynchronization cmdlet to diagnose whether the subscribed Edge Transport servers have a current and accurate synchronization status.

To run the Test-EdgeSynchronization cmdlet, you must log on to a computer that has the Hub Transport server role installed and that is located in the Active Directory site to which the Edge Transport server is subscribed.

The Test-EdgeSynchronization cmdlet uses the following syntax:

Test-EdgeSynchronization [-DomainController <Fqdn>] [-ExcludeRecipientTest <SwitchParameter>] [-MaxReportSize <Unlimited>] [-MonitoringContext <$true | $false>]

Parameters

Parameter Required Type Description

DomainController

Optional

Microsoft.Exchange.Data.Fqdn

To specify the FQDN of the domain controller that retrieves data from Active Directory, include the DomainController parameter in the command.

ExcludeRecipientTest

Optional

System.Management.Automation.SwitchParameter

Use the ExcludeRecipientTest parameter to exclude validation of recipient data synchronization. If you include this parameter, only the synchronization of configuration objects is validated. Validating that recipient data is synchronized will take longer than validating only configuration data.

MaxReportSize

Optional

Microsoft.Exchange.Data.Unlimited

Use the MaxReportSize parameter to specify the total number of objects and properties that will be listed in the results. The results output by this cmdlet include a list of all out-of-sync objects and properties in both ADAM and Active Directory. If the directory services are not synchronized, a large amount of data can result. If you don't specify a value for this parameter, the default value of 1,000 will be used. The minimum value for this parameter is 1. The maximum value for this parameter is unlimited.

MonitoringContext

Optional

System.Boolean

The MonitoringContext parameter is used only when Microsoft Operations Manager is being used for server monitoring. If you set the value to $true, the cmdlet populates the MonitoringContext object with events and performance counters that are used by Microsoft Operations Manager. The default value of this parameter is $false.

Example

The Test-EdgeSynchronization cmdlet must be run from a Hub Transport server that is located in the Active Directory site to which the Edge Transport server is subscribed. The following code example diagnoses the synchronization status of subscribed Edge Transport servers, outputs only the first 500 data inconsistencies, and generates events and performance counters for use by Microsoft Operations Manager.

Test-EdgeSynchronization -MaxReportSize 500 -MonitoringContext $true
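As an added example (not code from the white paper), the following script combines the Start-EdgeSynchronization and Test-EdgeSynchronization procedures above: it forces an immediate EdgeSync run and then treats any status other than Normal, or a last successful synchronization older than the four-hour recipient interval, as a condition to investigate. It assumes that each result object exposes Name, SyncStatus, LastSynchronizedUtc and FailureDetail properties and that the value "Normal" denotes success; these are the property names reported by Exchange 2007 but are not described in this section, so verify them against your own server output.

```powershell
# Added example: run on a Hub Transport server in the subscribed Active Directory site.
# The property names (Name, SyncStatus, LastSynchronizedUtc, FailureDetail) and the "Normal"
# status value are assumptions about the Test-EdgeSynchronization output; confirm them first.

# Step 1: push pending changes now instead of waiting for the hourly (configuration)
# or four-hourly (recipient) schedule.
Start-EdgeSynchronization

# Step 2: validate. Bound the report so an unsynchronized directory cannot flood the console.
# Drop -ExcludeRecipientTest when recipient data should be checked as well (slower).
$results = Test-EdgeSynchronization -MaxReportSize 200 -ExcludeRecipientTest

# Configuration replicates hourly and recipient data every four hours, so a last successful
# synchronization older than four hours suggests EdgeSync has been failing quietly, which
# leaves the Edge server with stale anti-spam, recipient lookup and safelist data.
$maxAge = New-TimeSpan -Hours 4
$now    = (Get-Date).ToUniversalTime()

foreach ($r in $results) {
    if ($r.SyncStatus -ne "Normal") {
        Write-Warning ("{0}: status {1}. Detail: {2}" -f $r.Name, $r.SyncStatus, $r.FailureDetail)
        continue
    }
    if (-not $r.LastSynchronizedUtc) {
        Write-Warning ("{0}: status Normal but no successful synchronization recorded yet." -f $r.Name)
        continue
    }
    $age = $now - $r.LastSynchronizedUtc
    if ($age -gt $maxAge) {
        Write-Warning ("{0}: last synchronized {1:N0} minutes ago, exceeding the expected interval." -f $r.Name, $age.TotalMinutes)
    } else {
        Write-Host ("{0}: in sync (last synchronized {1:N0} minutes ago)." -f $r.Name, $age.TotalMinutes)
    }
}
```

Run with -MonitoringContext $true instead when Microsoft Operations Manager collects the events; the age check above is useful precisely because a Normal status reported long ago is not evidence that replication is still working.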

Conclusion

Subscribing the Edge Transport server to the Exchange organization reduces the administration that you must perform in the perimeter network by letting you perform required configuration on the Hub Transport server role and then write that information to the Edge Transport server. An organization that deploys more than one Edge Transport server can maintain a consistent configuration by using Edge Subscriptions. You must create an Edge Subscription if you plan to use the anti-spam features, recipient lookup or safelist aggregation, or if you want to use the Domain Security feature.

Additional Information

For the complete Exchange 2007 documentation, including documentation about the anti-spam features, recipient lookup or safelist aggregation, and the Domain Security feature, see Exchange Server 2007 Help.
