Integrating Exchange Server Roles with Active Directory


Exchange Server 2007 makes extensive use of Active Directory. Each Exchange Server 2007 role must access Active Directory to retrieve information about recipients and other Exchange Server roles. Each Exchange Server role uses Active Directory in other ways as well, as discussed in the sections that follow.

Using Hub Transport Servers with Active Directory

Hub Transport servers contact Active Directory when they perform message categorization. The Categorizer queries Active Directory to perform recipient lookup, retrieves the information needed to locate a recipient's mailbox (according to the mailbox store in which it is created), and determines any restrictions or permissions that may apply to the recipient. The Categorizer also queries Active Directory to expand the membership of distribution lists and to perform the Lightweight Directory Access Protocol (LDAP) query processing when mail is sent to a dynamic distribution list.

After the Categorizer determines the location of a mailbox, the Hub Transport server uses Active Directory site configuration information to determine the routing topology and locate the site in which the mailbox is located. If the mailbox is in the same Active Directory site as the Hub Transport server, the Hub Transport server delivers the message directly to the user's mailbox. If the mailbox is in a different Active Directory site from the Hub Transport server, the Hub Transport server delivers the message to a Hub Transport server in the remote Active Directory site.

Hub Transport servers store all configuration information in Active Directory. This configuration information includes the details of any transport or journaling rules and connectors. When this information is needed, a Hub Transport server accesses it in Active Directory.
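The site-based routing decision described above can be inspected from the Exchange Management Shell. The following is an added example, not code from the book: it lists which servers sit in which Active Directory site, shows the site-link costs Exchange uses for least-cost routing, and works out whether a message to a given mailbox would be delivered locally or relayed to a remote site's Hub Transport server. It assumes it is run on an Exchange 2007 Hub Transport server; the mailbox alias `jsmith` is a constructed placeholder.

```powershell
# Added example (not from the book): inspect the Active Directory site topology
# that Hub Transport servers use for routing, and determine whether a given
# mailbox is in the local site or a remote one.
# Assumes an Exchange 2007 Management Shell session on a Hub Transport server.

# Which Exchange servers sit in which AD site, and which roles they hold
Get-ExchangeServer | Format-Table Name, Site, ServerRole -AutoSize

# AD site links with the Exchange-specific cost override (if any) that is
# preferred over the AD cost when computing the least-cost route between sites
Get-AdSiteLink | Format-Table Name, Cost, ExchangeCost, Sites -AutoSize

function Get-MailboxDeliveryPath {
    # Returns 'Local' when the mailbox is in this Hub Transport server's site
    # (direct delivery), otherwise the name of the remote site to which the
    # message would be relayed.
    param([Parameter(Mandatory=$true)][string]$Identity)

    $mbx         = Get-Mailbox -Identity $Identity
    $mbxServer   = Get-ExchangeServer -Identity $mbx.ServerName
    $localServer = Get-ExchangeServer -Identity $env:COMPUTERNAME

    # Site is an AD object reference; compare by distinguished name
    if ($mbxServer.Site.DistinguishedName -eq $localServer.Site.DistinguishedName) {
        return 'Local'
    }
    return $mbxServer.Site.Name
}

# Constructed placeholder alias
Get-MailboxDeliveryPath -Identity 'jsmith'
```

A result of `Local` means the Hub Transport server would deliver straight to the Mailbox server; any other value names the site whose Hub Transport servers would receive the message next.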

Using Client Access Servers with Active Directory

Client Access servers receive connections from the Internet for users who access their mailbox using Outlook Web Access, POP3, IMAP4, or Exchange ActiveSync. When a user connection is received, the Client Access server contacts Active Directory to authenticate the user and to determine the location of the user's mailbox. If the user's mailbox is in the same Active Directory site as the Client Access server, the user is connected to his or her mailbox. If the user's mailbox is in an Active Directory site other than the one in which the Client Access server is located, the connection is redirected to a Client Access server in the same Active Directory site as the user's mailbox.

Using Unified Messaging Servers with Active Directory

Unified Messaging servers access Active Directory to retrieve global configuration information, such as dial plans and IP gateway details. When a message is received by the Unified Messaging server, the server searches for Active Directory recipients to match the telephone number to a recipient address. When the server has resolved this information, it can determine the location of the recipient's mailbox and then submit the message to the appropriate Hub Transport server for submission to the mailbox.

Using Mailbox Servers with Active Directory

Mailbox servers are the storage locations for e-mail, voice mail, and faxes. For outgoing mail, Mailbox servers can access Active Directory to retrieve information about the location of Hub Transport servers in their site and then use this information to forward messages for routing. Mailbox servers also store configuration information about mailbox users, mailbox stores, agents, address lists, and policies in Active Directory. Mailbox servers retrieve this information to enforce recipient policies, mailbox policies, system policies, and global settings.

Using Edge Transport Servers with Active Directory

Edge Transport servers are deployed in perimeter networks and are not domain members. Because of this, Edge Transport servers do not have direct access to the organization's internal Active Directory servers for the purposes of recipient lookup or categorization. Thus, unlike Hub Transport servers, Edge Transport servers cannot contact an Active Directory server to help route messages.

To route messages into the organization, an administrator can configure a subscription from the Edge Transport server to the Active Directory site that allows it to store recipient and configuration information about the Exchange organization in its Active Directory Application Mode (ADAM) data store. After an Edge Transport server is subscribed to an Active Directory site, it is associated with the Hub Transport servers in that site for the purposes of message routing. Thereafter, Hub Transport servers in the organization route messages being delivered to the Internet to the site with which the Edge Transport server is associated, and Hub Transport servers in this site relay the messages to the Edge Transport server. The Edge Transport server, in turn, routes the messages to the Internet.

The EdgeSync service, which runs on Hub Transport servers, is a one-way synchronization process that pushes information from Active Directory to the Edge Transport server. Periodically, the EdgeSync service synchronizes the data to keep the Edge Transport server's data store up-to-date. The EdgeSync service also establishes the connectors needed to send and receive information that is being moved between the organization and the Edge Transport server and between the Edge Transport server and the Internet. The key data pushed to the Edge Transport server includes:

  • Accepted domains

  • Valid recipients

  • Safe senders

  • Send connectors

  • Available Hub Transport servers

After the initial replication is performed, the EdgeSync service synchronizes the data periodically. Configuration information is synced once every hour. Recipient information is synced once every four hours. If necessary, administrators can initiate an immediate synchronization using the Start-EdgeSynchronization cmdlet in Exchange Management Shell.
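The subscription and synchronization steps described in this section, as an added example that is not from the book: it exports the subscription file on the Edge Transport server, imports it on a Hub Transport server in the target site, triggers the first EdgeSync pass with the Start-EdgeSynchronization cmdlet mentioned above, and then verifies the result. The site name `Default-First-Site-Name`, the file path and the use of Test-EdgeSynchronization (a Microsoft cmdlet not mentioned on this page) are assumptions for the example.

```powershell
# Added example (not from the book): subscribe an Edge Transport server to an
# AD site, run the first EdgeSync replication, and verify the one-way push.
# The file path and the site name are constructed placeholders.

# --- Step 1, on the Edge Transport server: export the subscription file ---
New-EdgeSubscription -FileName 'C:\EdgeSubscription.xml'
# Copy the file to a Hub Transport server in the target site. It carries the
# credentials EdgeSync uses to bind to the Edge server's ADAM instance, so
# handle it as a secret and delete it after the import below.

# --- Step 2, on a Hub Transport server in the target site: import it ---
$fileData = [byte[]](Get-Content -Path 'C:\EdgeSubscription.xml' -Encoding Byte -ReadCount 0)
New-EdgeSubscription -FileData $fileData -Site 'Default-First-Site-Name'

# --- Step 3: push the initial replication instead of waiting for the
#     hourly (configuration) / four-hourly (recipient) timers ---
Start-EdgeSynchronization

# --- Step 4, still on the Hub Transport server: confirm subscription and sync state ---
Get-EdgeSubscription | Format-List Name, Site, WhenCreated
Test-EdgeSynchronization | Format-List

# --- Step 5, back on the Edge Transport server: inspect what EdgeSync wrote ---
# Only the data pushed from AD should be present here; nothing in this store
# is ever written back to Active Directory.
Get-AcceptedDomain | Format-Table Name, DomainName, DomainType -AutoSize
Get-SendConnector  | Format-Table Name, AddressSpaces, SourceTransportServers -AutoSize
```

If the Edge server shows no accepted domains after Step 3, re-run Test-EdgeSynchronization on the Hub Transport server; its output reports the last successful synchronization time and any failure detail for the subscription.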

Note

During synchronization, objects may be added to, deleted from, or modified in the Edge Transport server's ADAM data store. To protect the integrity and security of the organization, no information is ever pushed from the Edge Transport server's ADAM data store to Active Directory.




Microsoft Exchange Server 2007 Administrator's Pocket Consultant, Second Edition
ISBN: 0735625867
Year: 2007
Pages: 119