Exchange 2007 Edge Transport servers sit in the perimeter network, are not domain members, and have no direct access to Active Directory: a perimeter host that could read the directory would expose it if that host were compromised. But the server still needs some of the configuration information stored in Active Directory in order to do its job.
To solve this problem, the required subset of that information is replicated from Active Directory into an Active Directory Application Mode (ADAM) instance running locally on the Edge Transport server.
Setup does not extract this information automatically, though. Instead, you have to create an Edge Subscription. An Edge Subscription is essentially a one-way relationship: the Edge Transport server accepts the data pushed to it from the Exchange organization, but nothing in the organization trusts, or reads from, the Edge Transport server.
Once the subscription has been established, the Microsoft Exchange EdgeSync service running on the Hub Transport servers in the subscribed Active Directory site copies the necessary configuration information from Active Directory to the Edge Transport server's ADAM instance. The Edge Transport server never initiates a connection to a domain controller.
Edge Subscription caveats
Before I show you how to create an Edge Subscription, I need to warn you that doing so will undo any custom configuration you have applied to the Edge Transport server. Specifically, if the Edge Transport server contains any of the following types of objects, they will be deleted:
- Accepted domains
- Message classifications
- Remote domains
- Send connectors
The InternalSMTPServers list on the server's TransportConfig object will also be overwritten during the Edge Subscription process.
As an added precaution, creating the subscription disables the Exchange Management Shell cmdlets that manage the above object types on the Edge Transport server, so the replicated data cannot be edited locally and drift out of step with the organization. If you need to change any of these objects in the future, make the change on a Hub Transport server inside the organization; EdgeSync then replicates the change to the Edge Transport server.
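Because a subscribed Edge Transport server refuses the cmdlets that manage these objects, any non-default settings should be captured before the subscription is created so they can be recreated on a Hub Transport server. The following Exchange Management Shell script is an added example and is not from the original article; it inventories and exports exactly the object types listed above. The export directory path is an assumption.

```powershell
# Added example (not from the original article): inventory the Edge-local
# objects that creating an Edge Subscription deletes or overwrites, and
# save them so the settings can be recreated on a Hub Transport server.
# Run in the Exchange Management Shell on the Edge Transport server
# BEFORE running New-EdgeSubscription. The export path is an assumption.
$exportDir = "C:\EdgePreSubscription"
New-Item -Path $exportDir -ItemType Directory -Force | Out-Null

# Each of these object types is removed from the Edge server by the subscription.
$inventory = @{
    AcceptedDomains        = Get-AcceptedDomain
    RemoteDomains          = Get-RemoteDomain
    SendConnectors         = Get-SendConnector
    MessageClassifications = Get-MessageClassification
    # InternalSMTPServers is a property of the single TransportConfig object;
    # it is overwritten rather than deleted, but is worth recording too.
    InternalSMTPServers    = (Get-TransportConfig).InternalSMTPServers
}

foreach ($name in $inventory.Keys) {
    $items = @($inventory[$name])
    Write-Host ("{0}: {1} object(s) will be affected" -f $name, $items.Count)
    # Export-Clixml keeps the full object graph, so connector settings such as
    # address spaces, smart hosts and authentication can be reviewed later.
    $items | Export-Clixml -Path (Join-Path $exportDir "$name.xml")
}
```

Review the exported files before continuing; anything that is not a default (a smart-host Send connector, a custom remote domain) has to be recreated on the Hub Transport side after the subscription exists, where EdgeSync will replicate it back to the Edge server.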
Up to this point, the Edge Transport server you created in Step 2 has no knowledge of your Exchange Server organization, and vice versa. Because of this, you can't just click a magic button and expect Active Directory information to be imported into the Edge Transport server. Instead, you have to make the Exchange Server organization aware of the Edge Transport server's existence.
The process involves exporting the Edge Transport server's configuration information to an XML file, which can then be imported into your Exchange Server organization.
How to set up an Edge Subscription
- Open the Exchange Management Shell on the Edge Transport server, and enter this command:
New-EdgeSubscription -FileName "C:\subscription.xml"
- At this point, Exchange will display a rather ominous warning message. This warning just tells you about all of the types of objects that will be overwritten or deleted during the subscription process. When the warning asks you if you want to continue, press Y and the command will go to work.
- When you execute this command, Exchange Server creates an XML file named subscription.xml in the root directory of the Edge Transport server's C: drive. The command also creates a bootstrap replication account in the local ADAM instance and writes that account's credentials into the XML file; the Hub Transport servers later use those credentials to authenticate to ADAM when they push configuration data. Two consequences follow: treat the file as you would a password, and import it promptly, because the file is only valid for 24 hours (1440 minutes) after it is generated. If it expires, delete the stale file and run the command again.
Now we need to import the subscription.xml file into the Hub Transport server in order to create the Edge Subscription.
- Copy the XML file to a location where it will be accessible to the machine that you are going to be using to set up the Edge Subscription. My personal recommendation is to copy the file to a USB thumb drive and then erase it from the Edge Transport server, since the file carries the replication credentials and should not be left lying around.
- Once the file has been copied to an accessible location, log in to your Hub Transport server using an account that is both a local administrator and a member of the Exchange Organization Administrators role.
- Open the Exchange Management Console and navigate through the console tree to Organization Configuration -> Hub Transport.
- Select the Edge Subscription tab shown in Figure A and then click the New Edge Subscription link found in the Actions pane.
Figure A: This is the Edge Subscriptions tab.
The New Edge Subscription dialog box asks you which Active Directory site the Edge Transport server should become associated with. If your organization consists only of a single site, then there is no grand decision involved. If you have multiple sites, though, choose the site that has the fastest (or most reliable) network connectivity to the perimeter network. The Hub Transport servers in the chosen site are the ones that run EdgeSync, so your perimeter firewall must allow them to reach the Edge Transport server on TCP 50636 (secure LDAP to ADAM) and TCP 25 (SMTP), and must allow SMTP from the Edge Transport server back to them.
Figure B: Create the subscription to the Edge Transport server here.
After you choose the Active Directory site in which the Edge Transport server should be included, it's time to import the XML file that you created earlier.
- Use the Browse button to browse for and select the subscription.xml file.
- Verify that the Automatically Create A Send Connector for this Edge Subscription checkbox is selected, then click the New button to import the XML file and create the Edge Subscription. With this option selected, Exchange creates two Send connectors: one from the Edge Transport server to the Internet, used whenever messages leave the organization, and one from the Edge Transport server to the Hub Transport servers in the subscribed site, used for inbound mail.
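The same subscription can be created entirely from the Exchange Management Shell, which is useful when the console is unavailable or when several Edge Transport servers have to be subscribed consistently. The script below is an added example and is not from the original article; it runs in two halves on two different servers, and the site name, file path and connector names are assumptions for illustration.

```powershell
# Added example (not from the original article): creating the Edge
# Subscription from the Exchange Management Shell instead of the console.
# Site name, file path and connector names are assumptions for illustration.

# --- 1. On the Edge Transport server: generate the subscription file. ---
# The file contains the bootstrap credentials for the ADAM replication
# account, so handle it like a password. -Force suppresses the interactive
# "these objects will be deleted" confirmation described above.
New-EdgeSubscription -FileName "C:\subscription.xml" -Force

# --- 2. On a Hub Transport server, after copying the file over. ---
# The file must be imported within 24 hours (1440 minutes) of creation.
$subscriptionFile = "C:\subscription.xml"
$fileData = [byte[]](Get-Content -Path $subscriptionFile -Encoding Byte -ReadCount 0)

# -Site is the Active Directory site whose Hub Transport servers will run
# EdgeSync; the two -Create* switches match the console's checkbox and
# create the outbound (Edge to Internet) and inbound (Edge to site) connectors.
New-EdgeSubscription -FileData $fileData `
    -Site "Default-First-Site-Name" `
    -CreateInternetSendConnector $true `
    -CreateInboundSendConnector $true

# --- 3. Confirm the subscription and the connectors it created. ---
Get-EdgeSubscription | Format-List Name, Site, WhenCreated

# The auto-created connectors are named "EdgeSync - <Site> to Internet" and
# "EdgeSync - Inbound to <Site>" (assumed naming, verify in your organization).
Get-SendConnector | Where-Object { $_.Name -like "EdgeSync*" } |
    Format-Table Name, AddressSpaces, SourceTransportServers -AutoSize

# --- 4. Remove the credential-bearing file from this server too. ---
Remove-Item -Path $subscriptionFile -Force
```

If the import fails with an error about the subscription file being expired, the 24-hour window has passed; regenerate the file on the Edge Transport server and repeat step 2 rather than reusing the old one.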
The process of creating an Edge Subscription is kind of anticlimactic, but there is actually quite a bit going on behind the scenes. Specifically, Exchange Server establishes a secure, authenticated channel from the Hub Transport server to the Edge Transport server's ADAM instance (LDAP over SSL, authenticated with the credentials carried in the subscription file). Once data can be transmitted securely, EdgeSync begins replicating data from Active Directory to the Edge Transport server's ADAM partition.
HOW TO INSTALL AND CONFIGURE AN EDGE TRANSPORT SERVER
Step 1: How an Edge Transport server works
Step 2: Install the Edge Transport server
Step 3: Create an Edge Subscription
Step 4: Replicate Active Directory data to the Edge Transport server
Step 5: Verify communication with the Hub Transport server
Step 6: Configure Edge Transport server email filtering agents
Step 7: Set up Edge Transport server advanced content-filtering features
ABOUT THE AUTHOR:
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Exchange Server, and has previously received Microsoft's MVP award for Windows Server and Internet Information Server (IIS). Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.