Exchange Server 2010 makes
extensive use of Active Directory. Each Exchange Server 2010 role must
access Active Directory to retrieve information about recipients and
other Exchange server roles. Each Exchange server role uses Active
Directory in other ways as well, as discussed in the sections that
follow.
Note:
You can configure Windows Server 2008 domain controllers as read-only or read-writeable. As long as writeable domain controllers and writeable Global
Catalog servers are available, Exchange Server 2010 can work in an
environment where you've deployed read-only domain controllers and
read-only Global Catalog servers. However, Exchange Server 2010 does not
make use of read-only domain controllers or read-only Global Catalog
servers.
1. Using Hub Transport Servers with Active Directory
Hub Transport servers contact Active Directory when they perform message categorization.
The Categorizer queries Active Directory to look up each recipient,
retrieves the information needed to locate the recipient's mailbox
(the mailbox store in which the mailbox was created), and determines
any restrictions or permissions that apply to the recipient. The
Categorizer also queries Active
Directory to expand the membership of distribution lists and to perform
the Lightweight Directory Access Protocol (LDAP) query processing when
mail is sent to a dynamic distribution list.
After the Categorizer
determines the location of a mailbox, the Hub Transport server uses
Active Directory site configuration information to determine the routing
topology and locate the site in which the mailbox is located. If the
mailbox is in the same Active Directory site as the Hub Transport
server, the Hub Transport server delivers the message directly to the
user's mailbox. If the mailbox is in a different Active Directory site
from the Hub Transport server, the Hub Transport server delivers the
message to a Hub Transport server in the remote Active Directory site.
Hub
Transport servers store all configuration information in Active
Directory. This configuration information includes the details of any
transport or journaling rules and connectors. When this information is
needed, a Hub Transport server accesses it in Active Directory.
2. Using Client Access Servers with Active Directory
Client Access servers
receive connections from local and remote clients. At a high level, when
a user connection is received, the Client Access server contacts Active
Directory to authenticate the user and to determine the location of the
user's mailbox. If the user's mailbox is in the same Active Directory
site as the Client Access server, the user is connected to his mailbox.
If the user's mailbox is in an Active Directory site other than the one
the Client Access server is located in, the connection is redirected to a
Client Access server in the same Active Directory site as the user's
mailbox.
When you use load
balancing on your Client Access servers, you register CAS arrays in
Active Directory to create related objects and associate each array with
a specific Active Directory site. Each CAS array can be associated with
only one Active Directory site. As with stand-alone CAS servers, the
site information determines how connections are directed. If the user's
mailbox is in the same Active Directory site as the array, the user is
connected to a CAS server and via the CAS server to his mailbox. If the
user's mailbox is in an Active Directory site other than the one in
which the Client Access array is located, the connection is redirected.
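The following Exchange Management Shell commands are an added example, not part of the original text, showing how a CAS array is registered against one Active Directory site and then checked so that each mailbox database's RPC endpoint is the array for the site its Mailbox server lives in. The site name Site1, the load-balanced name outlook.contoso.com and the server name MBX01 are placeholders.

```powershell
# Added example, not from the original text. Placeholders: AD site "Site1",
# load-balanced FQDN outlook.contoso.com, Mailbox server MBX01.

# 1. Register the CAS array object in Active Directory and bind it to exactly one site.
New-ClientAccessArray -Name "CASArray-Site1" -Fqdn "outlook.contoso.com" -Site "Site1"

# 2. Point the mailbox databases in that site at the array so Outlook RPC clients
#    connect to the load-balanced name rather than to an individual Client Access server.
Get-MailboxDatabase -Server MBX01 |
    Set-MailboxDatabase -RpcClientAccessServer "outlook.contoso.com"

# 3. Verify: each array reports a single site, and every database's RPC endpoint
#    resolves to the array in the same site as the Mailbox server hosting it.
$arrays = Get-ClientAccessArray
$arrays | Format-Table Name, Fqdn, Site -AutoSize

foreach ($db in Get-MailboxDatabase) {
    $dbSite = "$((Get-ExchangeServer -Identity $db.ServerName).Site)"
    $array  = $arrays | Where-Object { "$($_.Fqdn)" -eq "$($db.RpcClientAccessServer)" }
    if (-not $array -or "$($array.Site)" -ne $dbSite) {
        # A mismatch means connections for this database will be redirected
        # instead of served by the array in the user's own site.
        Write-Warning "$($db.Name): RpcClientAccessServer '$($db.RpcClientAccessServer)' is not the CAS array for site $dbSite"
    }
}
```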
Client Access servers
communicate with Mailbox servers using RPC. You must have one Client
Access server in each Active Directory site that contains a Mailbox
server. At least one of your Client Access servers must be designated as
Internet-facing. The Internet-facing CAS server proxies requests from
Outlook Web App, Exchange
ActiveSync, and Exchange Web Services to the Client Access server
closest to the user's mailbox. Proxying is not used for POP3 or IMAP4. A
client that is using POP3 or IMAP4 must connect to a Client Access
server in the same Active Directory site as its Mailbox server.
3. Using Unified Messaging Servers with Active Directory
Unified Messaging servers access Active
Directory to retrieve global configuration information, such as dial
plans and IP gateway details. When a message is received by the Unified
Messaging server, the server searches for Active Directory recipients to
match the telephone number to a recipient address. When the server has
resolved this information, it can determine the location of the
recipient's mailbox and then submit the message to the appropriate Hub
Transport server for submission to the mailbox.
4. Using Mailbox Servers with Active Directory
Mailbox servers are
the storage locations for e-mail messages, voice-mail messages, and faxes.
For outgoing mail, Mailbox servers can access Active Directory to
retrieve information about the location of Hub
Transport servers in their site. Then they can use this information to
forward messages for routing. Mailbox servers also store configuration
information about mailbox users, mailbox stores, agents, address lists,
and policies in Active Directory. Mailbox servers retrieve this
information to enforce recipient policies, mailbox policies, system
policies, and global settings.
5. Using Edge Transport Servers with Active Directory
You deploy Edge
Transport servers in perimeter networks, and they are not members of the
internal domain. Because of this, Edge Transport servers do not have
direct access to the organization's internal Active Directory servers
for the purposes of recipient lookup or categorization. Thus, unlike Hub
Transport servers, Edge Transport servers cannot contact an Active
Directory server to help route messages.
To route messages into
the organization, an administrator can configure a subscription from
the Edge Transport server to the Active Directory site that allows it to
store recipient and configuration information about the Exchange
organization in its AD LDS data store. After an Edge Transport server
is subscribed to an Active Directory site, it is associated with the Hub
Transport servers in that site for the purpose of message routing.
Thereafter, Hub Transport servers in the organization route messages
being delivered to the Internet to the site associated with the Edge
Transport server, and Hub Transport servers in this site relay the
messages to the Edge Transport server. The Edge Transport server, in
turn, routes the messages to the Internet.
The EdgeSync
service running on Hub Transport servers is a one-way synchronization
process that pushes information from Active Directory to the Edge
Transport server. Periodically, the EdgeSync service synchronizes the
data to keep the Edge Transport server's data store up to date. The
EdgeSync service also establishes the connectors needed to send and
receive information that is being moved between the organization and the
Edge Transport
server and between the Edge Transport server and the Internet. The key
data pushed to the Edge Transport server includes:
Accepted and remote domains
Valid recipients
Safe senders
Send connectors
Available Hub Transport servers
Available SMTP servers
Message classifications
TLS Send and Receive Domain Secure lists
After the initial replication is performed, the EdgeSync
service synchronizes the data periodically. Configuration information
is synced once every hour, and it can take up to 1 hour for
configuration changes to be replicated. Recipient information is synced
once every 4 hours, and it can take up to 4 hours for changes to be
replicated. If necessary, administrators can initiate an immediate
synchronization using the Start-EdgeSynchronization cmdlet in the Exchange Management Shell.
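As an added example that is not part of the original text, the following Exchange Management Shell commands, run on a Hub Transport server, check each Edge subscription against the sync intervals described above and force a full resynchronization only when the Edge server's data is stale. The Hub Transport server name HUB01 is a placeholder, and Normal is assumed to be the SyncStatus value reported for a healthy subscription.

```powershell
# Added example, not from the original text. HUB01 is a placeholder Hub Transport server.

# 1. List the Edge subscriptions registered in Active Directory and the site each is bound to.
Get-EdgeSubscription | Format-Table Name, Site -AutoSize

# 2. Compare every object in the Edge server's AD LDS store with Active Directory,
#    not just the replication cookie. FullCompareMode is slower but detects drift.
$status = Test-EdgeSynchronization -FullCompareMode

# 3. Recipient data is synced every 4 hours, so a subscription that has not
#    synchronized within that window, or whose status is not Normal, needs attention.
$cutoff = (Get-Date).ToUniversalTime().AddHours(-4)
$stale  = $status | Where-Object {
    $_.SyncStatus -ne 'Normal' -or $_.LastSynchronizedUtc -lt $cutoff
}

if ($stale) {
    $stale | Format-List Name, SyncStatus, LastSynchronizedUtc
    # 4. Push a complete copy from Active Directory to the Edge server now rather than
    #    waiting for the next scheduled interval. The sync is one-way: nothing in the
    #    Edge server's AD LDS store is written back to Active Directory.
    Start-EdgeSynchronization -Server HUB01 -ForceFullSync
}
else {
    Write-Output "All Edge subscriptions synchronized within the last 4 hours."
}
```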
Note:
During synchronization, objects can be added to, deleted from, or modified in the Edge
Transport server's AD LDS data store. To protect the integrity and
security of the organization, no information is ever pushed from the
Edge Transport server's AD LDS data store to Active Directory.