Exchange Server 2013 makes extensive use of Active
Directory. Each Exchange server must access Active Directory to
retrieve information about recipients and other Exchange server roles.
Various Exchange server roles and services use Active Directory in
other ways as well, as discussed in the sections that follow.
Note
Exchange 2013 works only with read-writeable domain controllers.
Using Mailbox servers with Active Directory
Mailbox servers are the service locations for email messages, voice-mail
messages, and faxes. For outgoing mail, Mailbox servers can access
Active Directory to retrieve the location of the Mailbox servers in
their site and then use this information to forward messages for
routing.
The Transport service running on Mailbox servers contacts Active Directory for message
categorization. The Categorizer queries Active Directory to perform
recipient lookup, retrieves the information needed to locate a
recipient’s mailbox (according to the mailbox store in which it is
created), and determines any restrictions or permissions that might
apply to the recipient. The Categorizer also queries Active Directory
to expand the membership of distribution lists and to perform the LDAP
query processing when mail is sent to a dynamic distribution list.
After the Categorizer determines the location of a mailbox, the
Transport service uses Active Directory site configuration information
to determine the routing topology and locate the site of the mailbox.
If the mailbox is in the same Active Directory site as the Mailbox
server, the Transport service delivers the message directly to the
user’s mailbox. If the mailbox is in a different Active Directory site
than the Mailbox server, the Transport service delivers the message to
a Mailbox server in the remote Active Directory site.
Mailbox servers store all configuration information in Active
Directory. This configuration information includes the details of any
transport or journaling rules and connectors. When this information is
needed, a Mailbox server accesses it in Active Directory.
Mailbox servers also store configuration information about mailbox
users, mailbox stores, agents, address lists, and policies in Active
Directory. Mailbox servers retrieve this information to enforce
recipient policies, mailbox policies, system policies, and global
settings.
Using Client Access servers with Active Directory
Client Access servers receive connections from local and remote
clients. At a high level, when a user connection is received, the
Client Access server contacts Active Directory to authenticate the user
and to determine the location of the user’s mailbox. If the user’s
mailbox is in the same Active Directory site as the Client Access
server, the user is connected to the mailbox. If the user’s mailbox is
in an Active Directory site other than the one the Client Access server
is located in, the connection is redirected to a Client Access server
in the same Active Directory site as the user’s mailbox.
When you use load balancing on your Client Access servers, Exchange
2013 creates arrays in Active Directory and associates each array with
a specific Active Directory site. Each CAS array can be associated with
only one Active Directory site. As with stand-alone CAS servers, the
site information determines how connections are directed. If the user’s
mailbox is in the same Active Directory site as the array, the user is
connected to a CAS server and via the CAS server to the mailbox. If the
user’s mailbox is in an Active Directory site other than the one in
which the Client Access array is located, the connection is redirected.
You must have one Client Access server in each Active Directory site
that contains a Mailbox server. At least one of your Client Access
servers must be designated as Internet-facing. The Internet-facing CAS
server proxies requests from Outlook Web App, Exchange ActiveSync, and
Exchange Web Services to the Client Access server closest to the user’s
mailbox.
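The site rules above (every Active Directory site that contains a Mailbox server also needs a Client Access server, and connections are redirected when the mailbox sits in a different site) can be audited from the Exchange Management Shell. The following is an added example, not code from the book: it groups the servers Exchange has recorded by Active Directory site and flags any site that violates the rule. It assumes Get-ExchangeServer is available and that its output exposes the Site and ServerRole properties it has in Exchange 2013.

```powershell
# Added example (not from the book): audit Active Directory site coverage
# of Exchange 2013 server roles from the Exchange Management Shell.
# Assumes Get-ExchangeServer output exposes Site (an ADObjectId with a
# Name) and ServerRole (a flags value such as "Mailbox, ClientAccess").

# Subscribed Edge Transport servers have no Active Directory site; skip them.
$servers = Get-ExchangeServer | Where-Object { $_.Site -ne $null }

# Group the remaining servers by the site Exchange recorded for them.
$sites = $servers | Group-Object -Property { $_.Site.Name }

foreach ($site in $sites) {
    $mailbox = @($site.Group | Where-Object { $_.ServerRole -like '*Mailbox*' })
    $cas     = @($site.Group | Where-Object { $_.ServerRole -like '*ClientAccess*' })

    [PSCustomObject]@{
        Site                = $site.Name
        MailboxServers      = $mailbox.Count
        ClientAccessServers = $cas.Count
        # A site with Mailbox servers but no Client Access server breaks
        # the cross-site redirection described above.
        MissingClientAccess = ($mailbox.Count -gt 0 -and $cas.Count -eq 0)
    }
}
```

Run the block in the Exchange Management Shell on any domain-joined Exchange server; a row with MissingClientAccess set to True identifies a site whose mailbox users cannot be redirected to a local Client Access server.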
With Exchange 2010, proxying was not used for POP3 or IMAP4, and you needed
to manually configure cross-site connectivity so clients connecting on
one site could access their mailboxes at another site. Exchange 2013
automatically proxies from a Client Access server in one site to the
correct server in another site.
Using Unified Messaging with Active Directory
The Unified Messaging service accesses Active Directory to retrieve
global configuration information, such as dial plans and IP gateway
details. When a message is received by the Unified Messaging service,
the service searches for Active Directory recipients to match the
telephone number to a recipient address. When the service has resolved
this information, it can determine the location of the recipient’s
mailbox and then submit the message to the appropriate Mailbox server
for submission to the mailbox.
Using Edge Transport servers with Active Directory
You deploy legacy Edge Transport servers in perimeter networks to
isolate them from the internal network. As such, they are not members
of the internal domain and do not have direct access to the
organization’s internal Active Directory servers for the purposes of
recipient lookup or categorization. Thus, unlike the Transport service
on Mailbox servers, legacy Edge Transport servers cannot contact an
Active Directory server to help route messages.
To route messages into the organization, an administrator can
configure a subscription from the legacy Edge Transport server to the
Active Directory site that allows it to store recipient and
configuration information about the Exchange organization in its AD LDS
data store. After a legacy Edge Transport server is subscribed to an
Active Directory site, it is associated with the Mailbox servers in
that site for the purpose of message routing. Thereafter, Mailbox
servers in the organization route messages being delivered to the
Internet to the site associated with the legacy Edge Transport server,
and Mailbox servers in this site relay the messages to the legacy Edge
Transport server. The legacy Edge Transport server, in turn, routes the
messages to the Internet.
The EdgeSync service running on Mailbox servers is a one-way
synchronization process that pushes information from Active Directory
to the legacy Edge Transport server. Periodically, the EdgeSync service
synchronizes the data to keep the Edge Transport server’s data store up
to date. The EdgeSync service also establishes the connectors needed to
send and receive information that is being moved between the
organization and the Edge Transport server and between the Edge
Transport server and the Internet. The key data pushed to the Edge
Transport server includes:
- Accepted and remote domains
- Valid recipients
- Safe senders
- Send connectors
- Available Mailbox servers
- Available SMTP servers
- Message classifications
- TLS Send and Receive Domain Secure lists
After the initial replication is performed, the EdgeSync service synchronizes
the data periodically. Configuration information is synced once every
hour, and it can take up to one hour for configuration changes to be
replicated. Recipient information is synced once every four hours, and
it can take up to four hours for changes to be replicated. If
necessary, administrators can initiate an immediate synchronization
using the Start-EdgeSynchronization cmdlet in Exchange Management Shell.
Note
During synchronization, objects can be added to, deleted
from, or modified in the Edge Transport server’s AD LDS data store. To
protect the integrity and security of the organization, no information
is ever pushed from the Edge Transport server’s AD LDS data store to
Active Directory.
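The synchronization cadence (configuration hourly, recipients every four hours) and the one-way nature of EdgeSync described above can be checked and acted on from the Exchange Management Shell. The following is an added example, not code from the book: it reports the state of each subscribed Edge Transport server and forces a full synchronization for any that is stale or not reporting a normal status. It assumes the shell is run on a Mailbox server in the subscribed site, and that Test-EdgeSynchronization output exposes the Name, SyncStatus, LastSynchronizedUtc and FailureDetail properties, and that Start-EdgeSynchronization accepts the -TargetServer and -ForceFullSync parameters; confirm both with Get-Help in your environment before relying on them.

```powershell
# Added example (not from the book): check EdgeSync state and force an
# immediate full synchronization to any Edge Transport server that is
# out of date. Assumes Exchange Management Shell on a Mailbox server in
# the subscribed Active Directory site, and the cmdlet output properties
# and parameters named below (verify with Get-Help Test-EdgeSynchronization
# and Get-Help Start-EdgeSynchronization).

# Test-EdgeSynchronization only reads the Edge server's AD LDS store and
# compares it with Active Directory; it pushes nothing back, matching the
# one-way design described in the note above.
$results = Test-EdgeSynchronization

# Summarize each subscribed Edge Transport server.
$results | Select-Object Name, SyncStatus, LastSynchronizedUtc, FailureDetail

# Recipient data is pushed every four hours, so an Edge server may lag
# Active Directory by up to four hours. Treat anything older as stale.
$staleAfter = (Get-Date).ToUniversalTime().AddHours(-4)

foreach ($r in $results) {
    $stale = ($r.LastSynchronizedUtc -lt $staleAfter)
    if ($r.SyncStatus -ne 'Normal' -or $stale) {
        Write-Host "Forcing full EdgeSync to $($r.Name) (status: $($r.SyncStatus))"
        # Start-EdgeSynchronization pushes from Active Directory to the
        # Edge server's AD LDS store only; -ForceFullSync replicates all
        # objects rather than just the changes since the last run.
        Start-EdgeSynchronization -TargetServer $r.Name -ForceFullSync
    }
}
```

Because EdgeSync is one-way, forcing a synchronization cannot introduce objects from the perimeter network into Active Directory; the only effect is to bring the Edge Transport server's AD LDS copy of recipient and configuration data up to date ahead of the normal schedule.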