Microsoft Exchange Server Edge Synchronization
Edge Subscriptions are used to populate the Active Directory Lightweight Directory Services (AD LDS) instance on the Edge Transport server with Active Directory data. Although creating an Edge Subscription is optional, subscribing an Edge Transport server to the Exchange organization provides a simpler management experience and enhances antispam features. You need to create an Edge Subscription if you plan to use recipient lookup or safelist aggregation, or if you plan to help secure SMTP communications with partner domains by using Mutual Transport Layer Security (MTLS).
Deploying an Edge Transport server and subscribing it to an Active Directory site is a multi-step process.
Let’s examine each step individually.
Note: Edge Subscriptions must be created using the Exchange Management Shell since there is no method for creating them in the Exchange Admin Center.
Step 1: Prepare for the Edge Subscription
To prepare for EdgeSync, you need to:
- License the Edge Transport server.
- Open ports in the firewall for mail flow and EdgeSync synchronization.
  - SMTP. Port 25/TCP must be open for inbound and outbound mail flow between the Internet, the Edge Transport server, and the internal Exchange organization.
  - Secure LDAP. Non-standard port 50636/TCP is used for EdgeSync synchronization from the Mailbox servers to AD LDS on the Edge Transport server. The connection is always initiated by the Mailbox servers, so the firewall only needs to allow 50636/TCP from the internal network to the Edge Transport server, never in the other direction.
- Verify that the Mailbox servers and the Edge Transport server can locate one another using DNS name resolution.
- On the Mailbox server, configure the transport settings that will be replicated to the Edge Transport server.
  - Internal SMTP servers. Use the InternalSMTPServers parameter on the Set-TransportConfig cmdlet to specify the internal SMTP server IP addresses or IP address ranges that the Sender ID and Connection Filtering agents on the Edge Transport server should ignore. If this list is incomplete, internal relays can be scored as spam sources.
  - Accepted domains. Configure all authoritative domains, internal relay domains, and external relay domains.
  - Remote domains. Configure the settings for the default remote domain object (used for recipients in all remote domains), and configure remote domain objects as required for recipients in specific remote domains.
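The preparation steps above, carried out from the Exchange Management Shell on a Mailbox server, as an added example that is not part of the original article. The host names (mbx01, edge01), domain names (contoso.com, fabrikam.com), addresses (10.0.0.10, 10.0.0.0/24) and the remote-domain settings chosen are assumptions for illustration; the cmdlets and parameters are the standard Exchange ones.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell
# on a Mailbox server in the Active Directory site you are going to subscribe.
# Names, addresses and domains below are assumptions; replace them with your own.

# 1. Name resolution in both directions. Run the first line here and the equivalent
#    lookup for mbx01.contoso.com from the Edge Transport server.
Resolve-DnsName -Name edge01.contoso.com -Type A

# 2. Firewall. EdgeSync uses 50636/TCP from the Mailbox server to the Edge Transport
#    server; mail flow uses 25/TCP. Both tests should report TcpTestSucceeded = True.
Test-NetConnection -ComputerName edge01.contoso.com -Port 50636 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
Test-NetConnection -ComputerName edge01.contoso.com -Port 25 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 3. Internal SMTP servers that the Sender ID and Connection Filtering agents on the Edge
#    must skip. The @{Add=...} syntax appends to the list instead of overwriting it.
Set-TransportConfig -InternalSMTPServers @{Add = "10.0.0.10", "10.0.0.0/24"}

# 4. Accepted domains: one authoritative domain and one internal relay domain.
New-AcceptedDomain -Name "Contoso"        -DomainName contoso.com  -DomainType Authoritative
New-AcceptedDomain -Name "Fabrikam relay" -DomainName fabrikam.com -DomainType InternalRelay

# 5. Remote domains. "Default" applies to every remote domain without its own object;
#    a dedicated object overrides it for one partner domain.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false -AutoReplyEnabled $false
New-RemoteDomain -Name "Fabrikam" -DomainName fabrikam.com
Set-RemoteDomain -Identity "Fabrikam" -AutoForwardEnabled $true -TNEFEnabled $false

# Review exactly what EdgeSync will push to AD LDS before creating the subscription.
Get-TransportConfig | Format-List InternalSMTPServers
Get-AcceptedDomain  | Format-Table Name, DomainName, DomainType -AutoSize
Get-RemoteDomain    | Format-Table Name, DomainName, AutoForwardEnabled, AutoReplyEnabled -AutoSize
```

Everything configured here is replicated one way, from Active Directory to AD LDS, so get it right on the Mailbox server first: after the subscription exists, the corresponding Set-* cmdlets are disabled on the Edge Transport server and the only way to change these objects is on the internal side.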
Step 2: Create and export an Edge Subscription file on the Edge Transport server
When you create an Edge Subscription file by running the New-EdgeSubscription cmdlet on the Edge Transport server, the following actions occur:
- An account called the EdgeSync bootstrap replication account (ESBRA) is created. The ESBRA credentials are used to authenticate the first EdgeSync connection to the Edge Transport server. This account is configured to expire 24 hours after being created. Therefore, you need to import the Edge Subscription file on a Mailbox server, so that the first EdgeSync connection can be made, within 24 hours of creating it; if the window passes, run New-EdgeSubscription on the Edge Transport server again to generate a new file.
- The ESBRA credentials are retrieved from AD LDS and written to the Edge Subscription file. The public key for the Edge Transport server’s self-signed certificate is also exported to the Edge Subscription file.
- Any previously created configuration objects on the Edge Transport server that will be replicated to AD LDS from Active Directory are deleted from AD LDS, and the Exchange Management Shell Set-* cmdlets used to configure those objects are disabled. However, you can still use the Get-* cmdlets to view those objects.
This example creates and exports the Edge Subscription file on the Edge Transport server.
New-EdgeSubscription -FileName "C:\Data\EdgeSubscriptionInfo.xml"
Step 3: Import the Edge Subscription file on a Mailbox server
After you have copied the Edge Subscription file to a Mailbox server, or to a file share that is accessible from the Active Directory site containing your Mailbox servers, you need to import the Edge Subscription XML file. Because the file contains the ESBRA credentials, copy it over a protected channel and delete every copy once the import has succeeded.
This example subscribes an Edge Transport server to the specified site, “Default-First-Site-Name”.
# Read the file as a byte array ([byte[]], not [byte]) and pass it to -FileData
New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\Data\EdgeSubscriptionInfo.xml" -Encoding Byte -ReadCount 0)) -Site "Default-First-Site-Name"
Once you import the Edge Subscription file on a mailbox server, Edge synchronization (EdgeSync) takes place and the following actions occur:
- The Edge Subscription is created, joining the Edge Transport server to the Exchange organization. An Edge configuration object representing the subscribed server is created in Active Directory Domain Services (AD DS), and EdgeSync uses it to propagate configuration data to this Edge Transport server.
- Each mailbox server in the Active Directory site receives notification from AD DS that a new Edge Transport server has been subscribed. The mailbox server retrieves the ESBRA from the Edge Subscription file, encrypts it using the public key of the Edge Transport server’s self-signed certificate, and then the encrypted credentials are written to the Edge configuration object.
- Each mailbox server also encrypts the ESBRA using its own public key and then stores the credentials in its own configuration object.
- EdgeSync replication accounts (ESRAs) are created in AD DS for each Edge Transport-mailbox server pair. Each mailbox server stores its ESRA credentials as an attribute of the mailbox server configuration object.
- Send connectors are automatically created to relay messages outbound from the Edge Transport server to the Internet, and inbound from the Edge Transport server to the Exchange organization. If you manage connectors yourself, set the CreateInternetSendConnector or CreateInboundSendConnector parameter of New-EdgeSubscription to $false during the import to suppress them.
- The Microsoft Exchange EdgeSync service that runs on mailbox servers uses the ESBRA credentials to establish a secure LDAP connection between a mailbox server and the Edge Transport server and replicates topology data, configuration data, recipient data, and ESRA credentials to AD LDS.
- The Microsoft Exchange Credential Service that runs on the Edge Transport server installs the ESRA credentials. These credentials are used to authenticate and secure later synchronization connections.
- The EdgeSync synchronization schedule is established.
- The Microsoft Exchange EdgeSync service running on the mailbox servers in the subscribed Active Directory site then performs one-way replication of data from Active Directory to AD LDS on a regular schedule. You can also use the Start-EdgeSynchronization cmdlet to override the EdgeSync synchronization schedule and immediately start synchronization.
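Verifying that the actions listed above actually happened, as an added example that is not part of the original article. It runs in the Exchange Management Shell on a Mailbox server in the subscribed site; the server name edge01 and the recipient address alice@contoso.com are assumptions.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell on a
# Mailbox server in the subscribed site after the Edge Subscription file has been imported.
# "edge01" and "alice@contoso.com" are assumptions.

# The Edge configuration object now exists in AD DS for the subscribed site.
Get-EdgeSubscription | Format-List Name, Site, WhenCreated

# The two Send connectors created by the import: outbound to the Internet and
# inbound from the Edge Transport server to the Exchange organization.
Get-SendConnector |
    Where-Object { $_.SourceTransportServers -like "*edge01*" } |
    Format-Table Name, AddressSpaces, SmartHosts, DNSRoutingEnabled -AutoSize

# State of EdgeSync as seen from this Mailbox server. After the initial replication
# SyncStatus should be Normal and FailureDetail empty; LeaseHolder names the Mailbox
# server that currently owns the synchronization lease for edge01.
Test-EdgeSynchronization |
    Format-List Name, SyncStatus, LeaseHolder, LeaseType, LastSynchronizedUtc, FailureDetail

# Spot-check that one recipient has reached AD LDS (recipient data is the last to arrive).
Test-EdgeSynchronization -VerifyRecipient alice@contoso.com | Format-List
```

If SyncStatus is not Normal, the usual causes are the items from Step 1: port 50636/TCP blocked from the Mailbox server to the Edge Transport server, or a name that one side cannot resolve. Rerun the Test-NetConnection and Resolve-DnsName checks from the preparation step before touching the subscription itself.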
EdgeSync uses a mutually authenticated and authorized secure LDAP channel to transfer data from the mailbox server to the Edge Transport server. To replicate data to AD LDS, the mailbox server binds to a global catalog server to retrieve updated data. EdgeSync initiates a secure LDAP session between a mailbox server and the subscribed Edge Transport server over the non-standard TCP port 50636.
EdgeSync replicates data from Active Directory to AD LDS that includes the following information:
- Send connector configuration
- Accepted domains
- Remote domains
- Safe Senders Lists
- Blocked Senders Lists
- Recipients (the SMTP addresses used for recipient lookup, stored in AD LDS only as one-way hashes so that a compromised Edge Transport server does not expose the address list in clear text)
- List of send and receive domains used in domain secure communications with partners
- List of SMTP servers listed as internal in your organization's transport configuration
- List of Mailbox servers in the subscribed Active Directory site
When you first subscribe an Edge Transport server to an Active Directory site, the initial replication that populates AD LDS with data from Active Directory can take five minutes or more, depending on the quantity of data in the directory service. After initial replication, EdgeSync only synchronizes new and changed objects, and removes any deleted objects.
The EdgeSync synchronization schedule specifies the maximum interval between EdgeSync synchronizations. By default, EdgeSync synchronizes data at the following intervals:
- Configuration data: 3 minutes.
- Recipient data: 5 minutes.
You can change these intervals by using the Set-EdgeSyncServiceConfig cmdlet (the ConfigurationSyncInterval and RecipientSyncInterval parameters take time spans in hh:mm:ss format). You can also use the Start-EdgeSynchronization cmdlet on the Mailbox server to override the timer for the next scheduled EdgeSync synchronization and start EdgeSync immediately.
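Reading and changing the schedule, and forcing a synchronization outside it, as an added example that is not part of the original article. It runs in the Exchange Management Shell on a Mailbox server in the subscribed site; the site name Default-First-Site-Name, the server names mbx01 and edge01, and the chosen interval values are assumptions.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell on a
# Mailbox server in the subscribed site. Site and server names and the interval values
# below are assumptions.

# Current schedule for the site. Defaults are 00:03:00 for configuration data and
# 00:05:00 for recipient data; each value is the maximum time between synchronizations.
Get-EdgeSyncServiceConfig -Site "Default-First-Site-Name" |
    Format-List Name, Site, ConfigurationSyncInterval, RecipientSyncInterval, LogEnabled, LogLevel

# Tighten the schedule. Values are TimeSpans (hh:mm:ss). Piping the site's own object
# into Set-* keeps the change scoped to this site if several sites are subscribed.
Get-EdgeSyncServiceConfig -Site "Default-First-Site-Name" |
    Set-EdgeSyncServiceConfig -ConfigurationSyncInterval 00:02:00 -RecipientSyncInterval 00:03:00

# Confirm the new values were written.
Get-EdgeSyncServiceConfig -Site "Default-First-Site-Name" |
    Format-List ConfigurationSyncInterval, RecipientSyncInterval

# Override the timer and synchronize now from mbx01 to edge01. -ForceFullSync replays
# every object instead of only the changes recorded since the last sync cookie; use it
# after a change that EdgeSync may have missed, not as a routine step.
Start-EdgeSynchronization -Server mbx01 -TargetServer edge01 -ForceFullSync |
    Format-List Name, Type, Result, Added, Deleted, Updated, Scanned, FailureDetails
```

Start-EdgeSynchronization returns one object per data type (configuration and recipients); Result should read Success for both, and a non-empty FailureDetails points at the connection or lease problem to chase.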