Understanding Edge Subscriptions

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.


Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

This topic provides detailed information about Edge Subscriptions and the EdgeSync synchronization process. Edge Subscriptions are used to populate the Active Directory Application Mode (ADAM) directory service instance on the Microsoft Exchange Server 2007 Edge Transport server role with Active Directory directory service data.

Note

Microsoft Exchange Server 2007 Service Pack 1 (SP1) supports deployment of server roles on a Windows Server 2008 computer. If the Edge Transport server is installed on Windows Server 2008, ADAM is replaced by Active Directory Lightweight Directory Services (AD LDS). Windows Server 2008 includes several features that have been enhanced or renamed. For information about the feature changes between Windows Server 2003 and Windows Server 2008, see Terminology Changes.

In Exchange 2007, the Edge Transport server role is deployed in your organization's perimeter network. Designed to minimize the attack surface, the Edge Transport server handles all Internet-facing mail flow and provides Simple Mail Transfer Protocol (SMTP) relay and smart host services for the Exchange organization. Additional layers of message protection and security are provided by a series of agents that run on the Edge Transport server and act on messages as they are processed by the message transport components. These agents support the features that provide protection against viruses and spam and apply transport rules to control message flow.

Although creating an Edge Subscription is optional, subscribing an Edge Transport server to the Exchange organization provides a simpler management experience for the administrator and enhances the available anti-spam features. You must create an Edge Subscription if you plan to use the anti-spam features, recipient lookup or safelist aggregation, or if you plan to help secure SMTP communications with partner domains by using mutual Transport Layer Security (TLS).

Edge Subscription Process

The computer that has the Edge Transport server role installed doesn't have access to Active Directory. All the configuration and recipient information that the Edge Transport server has to process messages is stored in ADAM. However, much of this information is also stored in Active Directory.

Creating an Edge Subscription establishes secure, automatic replication of information from Active Directory to ADAM. The Edge Subscription process provisions the credentials that are used to establish a secure Lightweight Directory Access Protocol (LDAP) connection between Hub Transport servers and a subscribed Edge Transport server. The Microsoft Exchange EdgeSync service that runs on Hub Transport servers then performs periodic one-way synchronization to transfer data to ADAM and keep that data up to date. This process reduces the administration that you must perform in the perimeter network by letting you perform required configuration on the Hub Transport server role and then write that information to the Edge Transport server.

You subscribe an Edge Transport server to an Active Directory site. Subscribing the Edge Transport server to the Active Directory site enables the Edge Transport server to receive updates to ADAM from Active Directory and creates a synchronization relationship between the Edge Transport server and the Hub Transport servers deployed in that site. The Edge Subscription process also creates an Active Directory site membership affiliation for the Edge Transport server. The site affiliation enables Hub Transport servers in the Exchange organization to relay messages to the Edge Transport server for delivery to the Internet without having to configure explicit Send connectors.

One or more Edge Transport servers can be subscribed to a single Active Directory site. However, an Edge Transport server cannot be subscribed to more than one Active Directory site. If you have more than one Edge Transport server deployed, each server can be subscribed to a different Active Directory site. Each Edge Transport server requires an individual Edge Subscription. A subscribed Edge Transport server can support only one Exchange organization.

The Microsoft Exchange EdgeSync service replicates the following data from Active Directory to ADAM:

  • Send connector configuration

  • Accepted domains

  • Remote domains

  • Message classifications

  • Safe Senders lists

  • Recipients

  • TLS Send and Receive Domain Secure lists

  • Internal SMTP Servers list

  • List of Hub Transport servers in the subscribed Active Directory site

For more information about the data that is replicated to ADAM and how it is used, see EdgeSync Replication Data.

To deploy an Edge Transport server and subscribe it to an Active Directory site, follow these steps:

Note

You must enter the product key prior to subscribing the Edge Transport server.

  1. Install the Edge Transport server role.

  2. Verify that the Hub Transport servers and the Edge Transport server can locate one another by using DNS name resolution. For more information about this step, see Configuring DNS Settings for Exchange 2007 Servers.

  3. Configure the objects and settings to be replicated to the Edge Transport server. For more information about this step, see Preparing to Run the Microsoft Exchange EdgeSync Service.

  4. Run the New-EdgeSubscription cmdlet in the Exchange Management Shell on the Edge Transport server to export the Edge Subscription file.

  5. Copy the Edge Subscription file to a Hub Transport server.

  6. Run the New-EdgeSubscription cmdlet in the Exchange Management Shell or use the New Edge Subscription wizard in the Exchange Management Console to import the Edge Subscription file.
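The export and import steps above, written out as Exchange Management Shell commands. This is an added example, not part of the original topic: the file path, the Active Directory site name and the server roles noted in the comments are assumptions, and the output property names used in the final status check are assumed rather than taken from the page.

```powershell
# Added example (not from the original topic). Path and site name are assumptions.

# --- Step 4: run on the Edge Transport server to export the Edge Subscription file ---
# This creates the ESBRA in ADAM and writes its credentials, plus the public key of the
# server's self-signed certificate, into the file. The ESBRA expires 1,440 minutes after
# creation, so note the export time and finish the import on a Hub Transport server before then.
$exportTime = Get-Date
New-EdgeSubscription -FileName "C:\EdgeSubscription.xml"
Write-Host ("Exported at {0}; import before {1}" -f $exportTime, $exportTime.AddMinutes(1440))

# --- Step 5: copy the file to a Hub Transport server ---
# The file carries credentials for the Edge server, so move it over an authenticated
# channel and delete it once the import has succeeded.

# --- Step 6: run on a Hub Transport server to import the file into the Active Directory site ---
$site = "Default-First-Site-Name"   # assumed site name; use the site the Hub Transport servers are in
New-EdgeSubscription -FileName "C:\EdgeSubscription.xml" -Site $site `
    -CreateInternetSendConnector $true -CreateInboundSendConnector $true

# Optional: start synchronization now instead of waiting for the schedule, then report status.
Start-EdgeSynchronization
Test-EdgeSynchronization | Format-List Name, SyncStatus, LastSynchronizedUtc   # property names assumed

# The subscription file is not needed after a successful import; remove it.
Remove-Item "C:\EdgeSubscription.xml" -Force
```

The two New-EdgeSubscription calls run on different servers: the first on the Edge Transport server (outside the Active Directory forest), the second on a Hub Transport server. Keeping the export timestamp makes it obvious when a stale file must be regenerated rather than re-imported.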

The following figure illustrates the Edge Subscription process.

Figure: Edge Subscription process (Edge Subscription file export and import)

When you run the New-EdgeSubscription cmdlet on the Edge Transport server, the following actions occur:

  • An ADAM account is created. This account is called the EdgeSync bootstrap replication account (ESBRA). These credentials are used to authenticate the first EdgeSync connection to the Edge Transport server. The account is configured to expire 1,440 minutes (24 hours) after it is created. Therefore, you must complete the subscription process before that time expires. If the ESBRA expires before the Edge Subscription process is complete, you must run the New-EdgeSubscription cmdlet on the Edge Transport server again to create a new Edge Subscription file.

  • The ESBRA credentials are retrieved from ADAM and written to the Edge Subscription file. The public key for the Edge Transport server's self-signed certificate is also exported to the Edge Subscription file. The credentials that are written to the Edge Subscription file are specific to the server from which the file is exported.

  • Any previously created configuration objects in a class that will now be replicated to ADAM from Active Directory are deleted from ADAM and the Exchange Management Shell tasks used to configure those objects are disabled. You can still use the tasks that let you view those objects. The following tasks are disabled on the Edge Transport server when you run the New-EdgeSubscription cmdlet:

    • Set-SendConnector

    • New-SendConnector

    • Remove-SendConnector

    • New-AcceptedDomain

    • Set-AcceptedDomain

    • Remove-AcceptedDomain

    • New-MessageClassification

    • Set-MessageClassification

    • Remove-MessageClassification

    • New-RemoteDomain

    • Set-RemoteDomain

    • Remove-RemoteDomain

When you import the Edge Subscription file on the Hub Transport server by running the New-EdgeSubscription cmdlet in the Exchange Management Shell or by using the New Edge Subscription wizard in the Exchange Management Console, the following actions occur:

  • The Edge Subscription is created, establishing a record of an Edge Transport server that has been joined to an Exchange organization and to which the Microsoft Exchange EdgeSync service will propagate configuration data. This step creates the Edge configuration object in Active Directory.

  • Each Hub Transport server in the Active Directory site receives notification from Active Directory that a new Edge Transport server has been subscribed. The Hub Transport server retrieves the ESBRA from the Edge Subscription file. The Hub Transport server then encrypts the ESBRA by using the public key of the Edge Transport server's self-signed certificate. The encrypted credentials are then written to the Edge configuration object.

  • Each Hub Transport server also encrypts the ESBRA by using its own public key and then stores the credentials in its own configuration object.

  • An EdgeSync Replication Account (ESRA) is created in Active Directory for each Edge Transport server and Hub Transport server pair. Each Hub Transport server stores its ESRA credentials as an attribute of the Hub Transport server configuration object.

  • Send connectors are automatically created to relay messages outbound from the Edge Transport server to the Internet, and inbound from the Edge Transport server to the Exchange organization. For more information about how the Microsoft Exchange EdgeSync service provisions Send connectors, see EdgeSync and Send Connectors.

  • The Microsoft Exchange EdgeSync service that runs on Hub Transport servers uses the ESBRA credentials to establish a secure LDAP connection between a Hub Transport server and the Edge Transport server and performs the initial replication of data. The following data is replicated to ADAM:

    • Topology data

    • Configuration data

    • Recipient data

    • ESRA credentials

  • The Microsoft Exchange Credential Service that runs on the Edge Transport server installs the ESRA credentials. These credentials are used to authenticate and secure later synchronization connections.

  • The EdgeSync synchronization schedule is established.

The Microsoft Exchange EdgeSync service that is running on the Hub Transport servers in the Active Directory site to which the Edge Transport server is subscribed will now perform one-way replication of data from Active Directory to ADAM on a regular schedule. You can also use the Start-EdgeSynchronization cmdlet in the Exchange Management Shell to override the EdgeSync synchronization schedule and immediately start synchronization.

For more information about ESRA accounts and how they are used to help secure the EdgeSync synchronization process, see Understanding Edge Subscription Credentials.

Microsoft Exchange EdgeSync Service

The Microsoft Exchange EdgeSync service is the data synchronization service, located on a Hub Transport server, that periodically replicates configuration data from Active Directory to a subscribed Edge Transport server.

The Microsoft Exchange EdgeSync service is responsible for updating ADAM with information from Active Directory. Data is replicated from Active Directory by the Hub Transport servers inside the Exchange organization to the Edge Transport server in the perimeter network. The Microsoft Exchange EdgeSync service uses a secure LDAP channel to transfer this data. A mutually authenticated and authorized secure LDAP channel is established from the Hub Transport server to the Edge Transport server.

To replicate data to ADAM, the Hub Transport server binds to a global catalog server to retrieve updated data. The Microsoft Exchange EdgeSync service initiates a secure LDAP session between a Hub Transport server and the subscribed Edge Transport server over the nonstandard TCP port 50636. The EdgeSync synchronization process provides one-way replication of data from Active Directory to ADAM. Changed data in ADAM never synchronizes to Active Directory.

The following figure illustrates the EdgeSync synchronization process.

Figure: EdgeSync synchronization process

The initial replication populates ADAM with data from Active Directory and can take some time, depending on the quantity of data in the directory service. Successive synchronization updates ADAM with new and changed objects and removes any objects that have been deleted from Active Directory.

The directory service changes that are available to synchronize to ADAM at each synchronization interval are completely dependent on the data that has been replicated to the global catalog server to which the Hub Transport server is bound. The Hub Transport server binds to the global catalog server that is discovered by the Microsoft Exchange Active Directory Topology service when an Exchange 2007 server starts. Binding to a global catalog server makes sure that recipient data for every domain in the forest is propagated to ADAM.

Different types of data synchronize on different schedules. The EdgeSync synchronization schedule specifies the maximum length of time between EdgeSync synchronization intervals. EdgeSync synchronization occurs at the following intervals:

  • Configuration data is scheduled to be synchronized at one-hour intervals.

  • Recipient data is scheduled to be synchronized at four-hour intervals.

  • Topology data is reloaded every 5 minutes.

The EdgeSync synchronization schedule intervals are not configurable.

If you use the Start-EdgeSynchronization cmdlet in the Exchange Management Shell on the Hub Transport server to force Edge Subscription synchronization to occur immediately, you override the timer that determines the next time that EdgeSync synchronization is scheduled to occur.

For more information about the Microsoft Exchange EdgeSync service and EdgeSync synchronization, see Understanding the EdgeSync Synchronization Process.

Resubscribing an Edge Transport Server

Occasionally you may have to resubscribe an Edge Transport server to an Active Directory site. When the Edge Subscription is recreated, new credentials are generated and the complete Edge Subscription process must be followed. This process is used in the following scenarios:

  • New Hub Transport servers have been deployed in the subscribed Active Directory site and you want the new server to participate in EdgeSync synchronization. For more information about this scenario, see "Adding or Removing a Hub Transport Server" later in this topic.

  • The license key for the Edge Transport server was applied after the Edge Subscription was created. The licensing information for the Edge Transport server is captured when the Edge Subscription is created and is shown in the Exchange Management Console for the Exchange organization. For subscribed Edge Transport servers to appear as licensed, they must be subscribed to the Exchange organization after the license key is applied on the Edge Transport server. If the license key is applied on the Edge Transport server after you perform the Edge Subscription process, the licensing information is not updated in the Exchange organization and you must resubscribe the Edge Transport server.

  • You want to make sure that the Exchange server version information is synchronized after you upgrade an Exchange server to a more recent build. In this case, the Edge Transport server build version number is not replicated to other server roles. This is because the EdgeSync synchronization process provides a one-way replication of data from Active Directory to AD Lightweight Directory Services. For more information, see the "Microsoft Exchange EdgeSync Service" section of the Understanding the EdgeSync Synchronization Process topic.

  • The ESRA credentials are compromised.

Important

To resubscribe an Edge Transport server, export a new Edge Subscription file on the Edge Transport server and then import the XML file on a Hub Transport server. You must resubscribe the Edge Transport server to the same Active Directory site to which it was originally subscribed. You do not have to first remove the original Edge Subscription. The resubscription process will overwrite the existing Edge Subscription.

Removing an Edge Subscription

There are some scenarios where you may have to remove an Edge Subscription from the Exchange organization or from both the Exchange organization and the Edge Transport server. If the Edge Transport server will be resubscribed to the Exchange organization, do not remove the Edge Subscription from the Edge Transport server. When you remove the Edge Subscription from an Edge Transport server, all replicated data is deleted from ADAM. This can take a long time if you have lots of recipient data.

The following list provides examples of situations that require that you remove the Edge Subscription.

  • You no longer want the Edge Transport server to participate in the EdgeSync synchronization process. In this scenario, you must remove the Edge Subscription from both the Edge Transport server and from the Exchange organization.

  • An Edge Transport server is being decommissioned. In this scenario, you must remove the Edge Subscription from the Exchange organization only. If you uninstall the Edge Transport server role from the computer, the ADAM instance and all Active Directory data that is stored in ADAM is also removed.

  • You want to change the Active Directory site association for the Edge Subscription. In this scenario, you must remove the Edge Subscription from only the Exchange organization. After the Edge Subscription is removed from the Exchange organization, you can resubscribe the Edge Transport server to a different Active Directory site.

If you want to remove an Edge Subscription, follow these steps:

  1. Stop mail flow on the Edge Transport server. Disable any receive connectors on the Edge Transport server to prevent it from accepting any new messages and then wait for the queues to drain.

  2. Remove the Edge Subscription by running the Remove-EdgeSubscription cmdlet on a Hub Transport server inside the Exchange organization. If you are not going to resubscribe the Edge Transport server, also run this cmdlet on the Edge Transport server after this step has been performed on a Hub Transport server.
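The removal procedure above as Exchange Management Shell commands. This is an added example, not part of the original topic; the Edge Transport server name is an assumption, and the comments state which server each part runs on.

```powershell
# Added example (not from the original topic). The server name is an assumption.
$edgeServer = "EDGE01"   # assumed; the Edge Subscription identity is the Edge Transport server name

# --- Step 1: run on the Edge Transport server to stop mail flow and drain the queues ---
# Disabling every Receive connector stops the server from accepting new messages.
Get-ReceiveConnector -Server $edgeServer | Set-ReceiveConnector -Enabled $false

# Poll the queues until nothing is left to deliver.
do {
    Start-Sleep -Seconds 30
    $pending = (Get-Queue -Server $edgeServer | Measure-Object -Property MessageCount -Sum).Sum
    Write-Host ("Messages still queued on {0}: {1}" -f $edgeServer, $pending)
} while ($pending -gt 0)

# --- Step 2a: run on a Hub Transport server to remove the subscription from the Exchange organization ---
# Synchronization stops, the ESRA accounts are removed from Active Directory and ADAM, and the
# Edge server is removed from the source server list of the Send connectors.
Remove-EdgeSubscription -Identity $edgeServer -Confirm:$false

# --- Step 2b: only if the server will NOT be resubscribed, run on the Edge Transport server ---
# This deletes all replicated data from ADAM (slow with large recipient data) and re-enables
# the locally disabled configuration tasks. Skip it when you intend to resubscribe.
Remove-EdgeSubscription -Identity $edgeServer -Confirm:$false
```

Run the steps in the order given: removing the subscription from the organization first means the Hub Transport servers stop targeting the Edge server before its local data is cleared.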

When you remove the Edge Subscription from the Exchange organization, the effect is as follows:

  • Synchronization of information from Active Directory to ADAM stops.

  • The ESRA accounts are removed from both Active Directory and ADAM.

  • The computer that has the Edge Transport server role installed is removed from the source server list of any Send connector.

  • The automatic inbound Send connector from the Edge Transport server to the Exchange organization is removed from ADAM.

When you remove the Edge Subscription from an Edge Transport server, the effect is as follows:

  • You can no longer use the Edge Transport server features that rely on Active Directory data.

  • Replicated data is removed from ADAM.

  • The tasks that were disabled when the Edge Subscription was created are re-enabled to allow for local configuration.

Depending on the reason that you have removed an Edge Subscription, you may want to resubscribe that same Edge Transport server to the original Active Directory site to which it was subscribed or to a different Active Directory site. When the Edge Subscription is recreated, new credentials are generated and the complete Edge Subscription process must be followed.

If you are removing the Edge Transport server from service, follow the procedures in How to Completely Remove Exchange 2007 from a Server.

Adding an Edge Transport Server

You can subscribe one or more Edge Transport servers to a single Active Directory site. If you deploy additional Edge Transport servers in your perimeter network and subscribe them to the same Active Directory site where an Edge Subscription already exists, the following actions occur:

  • A new Edge Subscription object is created in Active Directory.

  • Additional ESRA accounts are created for each Hub Transport server in the Active Directory site. These accounts are replicated to ADAM and used by the EdgeSync synchronization process during synchronization with the new server.

  • The new Edge Subscription is added to the source server list of the automatic Send connector to the Internet. Messages submitted to that connector for processing will be load-balanced between the subscribed Edge Transport servers.

  • An inbound Send connector from the Edge Transport server to the Exchange organization is automatically created.

  • EdgeSync synchronization to the Edge Transport server starts.

Adding or Removing a Hub Transport Server

If a Hub Transport server is added to the Active Directory site to which an Edge Transport server is already subscribed, it does not automatically participate in the EdgeSync synchronization process. To enable a newly deployed Hub Transport server to participate in the EdgeSync synchronization process, you must resubscribe each Edge Transport server to the Active Directory site.

Removing a Hub Transport server from an Active Directory site where an Edge Transport server is subscribed will not affect EdgeSync synchronization, unless that Hub Transport server is the last Hub Transport server in that site. If you remove all Hub Transport servers from the Active Directory site where an Edge Transport server is subscribed, the subscribed Edge Transport servers are orphaned.

Verifying EdgeSync Results

Any errors that occur during the EdgeSync synchronization process are reported to the Application log of the Windows Event Viewer. These errors will typically appear on the Hub Transport server. However, subscribed Edge Transport servers will report errors if synchronization has not occurred in a long time.

Test-EdgeSynchronization is a diagnostic cmdlet that provides a report of the synchronization status of subscribed Edge Transport servers. This task provides useful information to the administrator when it is run manually. It can also be called by Microsoft Operations Manager. When the task is called by Microsoft Operations Manager, alerts are generated if an Edge Transport server is not synchronized.

The Test-EdgeSynchronization cmdlet provides proactive alerting when an Edge Transport server is no longer synchronized. The output of this cmdlet lets you view which objects have not been synchronized to the Edge Transport server. The task compares the data that is stored in Active Directory and the data that is stored in ADAM. Any inconsistencies in data are reported in the results output by this command.

You can use the ExcludeRecipientTest parameter with the Test-EdgeSynchronization cmdlet to exclude validation of recipient data synchronization. If you include this parameter, only the synchronization of configuration objects is validated. Validating that recipient data is synchronized will take longer than validating only configuration data.

If you want to verify the EdgeSync synchronization results for a specific recipient, you can use Ldp.exe to view the recipient properties that are stored in ADAM. You must locate the recipient by its Active Directory GUID and, because the data is sent hashed, you must also be able to interpret the information that is returned when you view the recipient details. This tool should be used only for viewing recipient information and should never be used to modify data in ADAM. For more information, see How to Verify EdgeSync Results for a Recipient.

New in Exchange 2007 SP1

If you have installed Exchange 2007 SP1 on the Hub Transport server role, you can use the Test-EdgeSynchronization cmdlet with the VerifyRecipient parameter to verify the EdgeSync synchronization status for a single recipient. You specify the recipient by its proxy address. The results that are returned when you run the Test-EdgeSynchronization cmdlet indicate whether the recipient is synchronized.
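A status check that combines the verification methods described in this section, from the Application log check through the SP1 VerifyRecipient parameter. This is an added example, not part of the original topic: the recipient address, the event-log source name, the output property names and the in-sync status value are assumptions.

```powershell
# Added example (not from the original topic). Address, event source and property names are assumptions.

# Quick check of configuration objects only; skips the slower recipient comparison.
$configOnly = Test-EdgeSynchronization -ExcludeRecipientTest
$configOnly | Format-List Name, SyncStatus, LastSynchronizedUtc   # property names assumed

# Full check including recipient data. Flag any subscribed Edge server that is not in sync.
$full = Test-EdgeSynchronization
$outOfSync = $full | Where-Object { $_.SyncStatus -ne 'Normal' }   # 'Normal' assumed as the in-sync value
if ($outOfSync) {
    $names = ($outOfSync | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "Edge Transport servers not synchronized: $names"
}

# Exchange 2007 SP1 on the Hub Transport server: verify a single recipient by proxy address.
Test-EdgeSynchronization -VerifyRecipient "user@contoso.com" | Format-List   # assumed address

# EdgeSync errors are reported to the Application log, typically on the Hub Transport server.
# The source name below is an assumption; match it to what your servers actually log.
Get-EventLog -LogName Application -Source "MSExchange EdgeSync" -EntryType Error, Warning -Newest 20 |
    Format-Table TimeGenerated, EventID, Message -AutoSize -Wrap
```

Run the ExcludeRecipientTest form for routine monitoring and the full form when a recipient-related feature such as recipient lookup misbehaves, since the recipient comparison is what makes the full check slow.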

For More Information

For more information, see the following topics: