One of the new roles in Exchange 2007 is the Edge server role. The Edge server is an Exchange server that sits in your DMZ and receives and sends SMTP mail to and from the Internet. It also performs a lot of other tasks like spam checking, anti-virus (if installed) etc. The Edge server is not a member of your Active Directory domain and uses an ADAM partition to hold the directory information it receives from an internal Hub/Transport server. The Edge server is present in Active Directory though; it is listed with the other servers under the Exchange Administrative Group (FYDIBOHF23SPDLT) in the configuration partition.
After you install any Exchange 2007 server, and until you enter a product key, each time you open the Exchange Management Console (EMC) you are reminded of the Exchange servers that still do not have a product key registered and are therefore treated by the EMC as trial servers. You can enter the product keys by using the EMC or the Exchange Management Shell (EMS), which is PowerShell with some additions. I recently ran across an interesting problem trying to enter the product key for my Edge server.
After entering the product key for my combined Mailbox, Hub/Transport server and for the CAS server, they disappeared from the warning displayed when I opened the EMC. But that still left me with the Edge server. First I tried entering the product key on the Edge server itself; that succeeded and the warning disappeared from the local EMC on the Edge server, but since there is no communication from the Edge server to the Hub/Transport server, only the other way, that did not help with the error displayed in the EMC on the internal servers. Next I tried using the EMS to set the key on the Edge server. The command is:
Set-ExchangeServer <servername> -ProductKey AAAAA-BBBBB-CCCCC-DDDDD-EEEEE
I then received this error:
Set-ExchangeServer : An error happened while accessing registry of the specified server: “<servername>”. The error message: “Attempted to perform an unauthorized operation.”.
At line:1 char:19
+ Set-ExchangeServer <<<< <servername> -ProductKey AAAAA-BBBBB-CCCCC-DDDDD-EEEEE
I guessed that the reason was that my domain administrator account was not allowed to update the registry on the Edge server, which made sense. (I did open port 445/TCP from the H/T server to the Edge server in the firewall, in addition to the ports required for ADAM sync.) I then tried running the cmdlet using runas in different ways, using the NETONLY option etc. If I ran runas with NETONLY I could access the Edge server, but then I lost access to the DC, since the local account on the Edge server, which runas was using, did not have access to Active Directory. After pondering this duality for a while (the need to access Active Directory and the registry on the Edge server at the same time, over the network, using only one account), I figured it out. How do you get “single-sign-on” in Windows across different security boundaries? You create duplicate accounts in each security boundary and give them the same password.
I created an account in the Edge Server’s security database (SAM) with the same name as my internal Domain Admins account and gave it the same password. Immediately the Set-ExchangeServer cmdlet succeeded and my Edge server was licensed in the eyes of Active Directory. No more warnings in the EMC.
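The same procedure written out in PowerShell, as an added example that is not from the original post: a check on the Hub/Transport server that reproduces the registry-access failure, the mirrored local account on the Edge server, and the licensing step afterwards. EDGE01 and EXADMIN are placeholder names, the product key is the post's dummy value, and the script assumes PowerShell 2.0 or later; if you do this, mirror a dedicated account for the task rather than your everyday Domain Admins account, so the shared password is used nowhere else.

```powershell
# Added example, not from the original post. Placeholders: EDGE01 is the Edge
# server, EXADMIN is the admin account mirrored on both sides. Assumes the
# Exchange Management Shell and PowerShell 2.0 or later.

# --- Hub/Transport server: reproduce the access Set-ExchangeServer needs ------
# The cmdlet writes the key into HKLM on the Edge server over the network, so a
# remote, writable open of that hive with the current logon is a direct test
# for the "unauthorized operation" error quoted above.
function Test-EdgeRegistryAccess {
    param([string]$EdgeServer)
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $EdgeServer)
        $key  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Exchange', $true)   # $true = writable
        if ($key -eq $null) { return 'Exchange key not found' }
        $key.Close(); $hklm.Close()
        return 'OK'
    } catch {
        # UnauthorizedAccessException / SecurityException here is the post's symptom
        return "Denied: $($_.Exception.GetType().Name)"
    }
}
Test-EdgeRegistryAccess -EdgeServer 'EDGE01'

# --- Edge server: create the mirrored local account ----------------------------
# Same user name and same password as the internal account, as the post did.
function New-MirroredLocalAdmin {
    param([string]$Name, [System.Security.SecureString]$Password)
    $bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $user = $computer.Create('User', $Name)
    $user.SetPassword($plain)
    $user.SetInfo()
    # Assumption: a remote HKLM write needs local Administrators on the Edge box.
    $admins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $admins.Add("WinNT://$env:COMPUTERNAME/$Name,user")
}
New-MirroredLocalAdmin -Name 'EXADMIN' -Password (Read-Host -AsSecureString 'Password')

# --- Hub/Transport server again: license the Edge server and verify -----------
Set-ExchangeServer 'EDGE01' -ProductKey 'AAAAA-BBBBB-CCCCC-DDDDD-EEEEE'
Get-ExchangeServer 'EDGE01' | Format-List Name, Edition, ProductID
```

Run Test-EdgeRegistryAccess before and after creating the account: it should go from a Denied result to OK, and only then will Set-ExchangeServer succeed.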
I have installed a few Exchange 2007 servers now, but never had this problem before. That was also the reason it took me some time to figure this out; it had never been a problem before! I kept asking myself “Why doesn’t it work at this site, when it has worked so many times before?”. The reason was that on all the other sites I was already running with identical accounts on the internal network and on the Edge server. But this time the accounts were different.