To set up SMTP replication on Windows Server 2008-based domain controllers, use the following guidelines.
Setting up a certification authority
To enable SMTP replication, you must have a certification authority. You can select a domain controller to host this role. To install a certification authority on a domain controller, follow these steps:
- Click Start, point to Administrative Tools, and then click Server Manager.
- In the console tree, click Roles, click Add Roles in the details pane, and then click Next.
- Click to select the Active Directory Certificate Services check box, and then click Next two times.
- Verify that the Certification Authority check box is selected, and then click Next.
- Click Enterprise, and then click Next.
Note This setting lets you set up an enterprise certification authority that can work with automatic certificate enrollment. A stand-alone CA cannot issue certificates from templates, so it cannot be used for automatic enrollment.
- If this is the first certification authority that you have created, click Root CA, and then click Next. If this is not the first certification authority that you have created, click Subordinate CA, and then click Next.
- Click Create a new private key, and then click Next.
- You can specify the settings that you want for the new key. Or, you can keep the default settings. Then, click Next.
- Specify a name for the certification authority, and then click Next.
- Specify a validity period for the certification authority certificate, and then click Next.
- Specify the certificate database location and the log location, and then click Next.
- Confirm the settings, and then click Install.
Configuring the membership of the Certificate Service DCOM Access group
To make sure that computers from all domains that are involved in the replication process can request certificates, you must include the following groups as members of the Certificate Service DCOM Access group on the certification authority. Membership in this group only lets the listed accounts reach the CA over DCOM; whether an account can actually obtain a certificate is still controlled by the permissions on the certificate template.
- Domain Users
- Domain Controllers
- Domain Computers
The membership must include these groups for each domain that has computers that will replicate over SMTP connections. For example, assume that you have a domain A.com and a child domain B.A.com. Additionally, assume that you want computers from both domains to replicate over SMTP connections. In this situation, you must include the following groups as members of the Certificate Service DCOM Access group:
- CN=Domain Users,CN=Users,DC=A,DC=com;
- CN=Domain Controllers,CN=Users,DC=A,DC=com;
- CN=Domain Computers,CN=Users,DC=A,DC=com;
- CN=Domain Users,CN=Users,DC=B,DC=A,DC=com;
- CN=Domain Controllers,CN=Users,DC=B,DC=A,DC=com;
- CN=Domain Computers,CN=Users,DC=B,DC=A,DC=com;
To add members to the Certificate Service DCOM Access group, follow these steps:
- Open the Active Directory Users and Computers snap-in.
- In the console tree, expand Active Directory Users and Computers, expand the node that corresponds to your domain, and then click Builtin.
- In the details pane, right-click Certificate Service DCOM Access, and then click Properties.
- On the Members tab, add the required members to the Members list, and then click OK.
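The same memberships can be added and verified from a script instead of the snap-in. The following is an added example, not code from the original article: it uses the ADSI accessor in Windows PowerShell against the article's example forest (A.com and B.A.com are the article's names; that the CA is in the forest root and that the script runs as an Enterprise Admin are assumptions).

```powershell
# Added example, not code from the original article.
# Adds Domain Users, Domain Controllers and Domain Computers of every replicating
# domain to the Builtin "Certificate Service DCOM Access" group of the domain that
# hosts the CA, then lists the resulting membership.
# Assumptions: run in Windows PowerShell as an Enterprise Admin; the CA is in the
# forest root A.com; the domain list is the article's example forest.

$caDomainDN = 'DC=A,DC=com'                                   # domain that hosts the CA
$replicatingDomainDNs = @('DC=A,DC=com', 'DC=B,DC=A,DC=com')  # every domain that replicates over SMTP
$groupNames = 'Domain Users', 'Domain Controllers', 'Domain Computers'

$dcomGroup = [ADSI]"LDAP://CN=Certificate Service DCOM Access,CN=Builtin,$caDomainDN"

foreach ($domainDN in $replicatingDomainDNs) {
    foreach ($name in $groupNames) {
        $memberPath = "LDAP://CN=$name,CN=Users,$domainDN"
        if (-not [ADSI]::Exists($memberPath)) {
            Write-Warning "Skipping $memberPath (object not found)"
            continue
        }
        if ($dcomGroup.IsMember($memberPath)) {
            Write-Host "Already a member: $memberPath"
            continue
        }
        $dcomGroup.Add($memberPath)        # IADsGroup::Add writes the change immediately
        Write-Host "Added: $memberPath"
    }
}

# Verify: re-read the group from the directory and print its members.
$dcomGroup.RefreshCache()
Write-Host "Members of $($dcomGroup.distinguishedName):"
$dcomGroup.member | ForEach-Object { Write-Host "  $_" }
```

A domain controller picks up the new group membership only when its Kerberos ticket is renewed or it restarts, so a certificate request made immediately after this change can still fail with an access-denied error from the CA.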
Enrolling the certificates for SMTP replication
Automatic certificate enrollment
Enable automatic certificate enrollment in the enterprise so that the domain controllers that are involved in replication can request certificates automatically. To do this, follow these steps:
- Open the Group Policy Management snap-in.
- In the console tree, expand Group Policy Management, expand the node that corresponds to your forest, expand the node that corresponds to your domain, and then expand Group Policy Objects.
- Right-click Default Domain Policy or another effective Group Policy object that applies to the target computers, and then click Edit.
- In the Group Policy Management Editor window, locate and then enable the following Group Policy setting:
Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Certificate Services Client - Auto-Enrollment
- Run the following command at an elevated command prompt:
gpupdate /force
Automatic enrollment will start working in about 90 seconds for any applicable templates.
Manual certificate enrollment
To request a certificate manually, follow these steps on each domain controller that will replicate over SMTP connections:
- Click Start, click Run, type mmc, and then click OK.
- Add the Certificates snap-in. When you are asked what the snap-in will manage, click Computer account, click Next, click Local computer, and then click Finish.
- In the console tree, expand Certificates, right-click Personal, point to All Tasks, click Request New Certificate, and then click Next.
- Click to select the Directory Email Replication check box, and then click Enroll. If the template is not listed, the domain controller does not have Enroll permission on the template or cannot reach an enterprise CA that issues it.
- Click Finish.
Note If the enrollment process fails, restart the computer, and then try requesting the certificate again.
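Whether enrollment (automatic or manual) has actually produced a usable certificate can be checked from Windows PowerShell on each domain controller. The following is an added example, not code from the original article. It assumes that the Directory Email Replication template issues certificates carrying the "Directory Service Email Replication" enhanced key usage, OID 1.3.6.1.4.1.311.21.19, and that the script runs elevated.

```powershell
# Added example, not code from the original article.
# Finds the Directory Email Replication certificate in the local computer store,
# triggers autoenrollment if it is missing, and checks that the chain validates.
# Assumptions: the template's EKU is "Directory Service Email Replication"
# (OID 1.3.6.1.4.1.311.21.19); run elevated on each replicating domain controller.

$ekuOid = '1.3.6.1.4.1.311.21.19'

function Get-DirEmailReplCert {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ekuOid })
    }
}

$certs = Get-DirEmailReplCert
if (-not $certs) {
    Write-Host 'No Directory Email Replication certificate found; triggering autoenrollment...'
    certutil -pulse | Out-Null      # fires the autoenrollment event; the template must grant Autoenroll
    Start-Sleep -Seconds 90         # the article notes that autoenrollment acts within about 90 seconds
    $certs = Get-DirEmailReplCert
}

foreach ($c in $certs) {
    # Verify() builds the chain to a trusted root and checks revocation and validity dates.
    $chainOk = $c.Verify()
    '{0}  thumbprint {1}  expires {2:u}  chain valid: {3}' -f $c.Subject, $c.Thumbprint, $c.NotAfter, $chainOk
    if (-not $c.HasPrivateKey) { Write-Warning "No private key for $($c.Thumbprint); enrollment is incomplete" }
    if ($c.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate $($c.Thumbprint) expires within 30 days" }
}

if (-not $certs) {
    Write-Error 'Enrollment produced no certificate. Check the CA, the template permissions and the Certificate Service DCOM Access membership.'
}
```

A certificate that is present but fails Verify() (for example because the CA certificate is not yet in the domain controller's trusted root store, or the CRL distribution point is unreachable) will not be used for SMTP replication, so both conditions are worth checking before configuring site links.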
Installing the SMTP Server feature
Install the SMTP Server feature on all domain controllers that will replicate over SMTP connections. This feature installs the IIS 6.0-based SMTP service, which listens on TCP port 25; restrict access to that port to the replication partners. To install the feature, follow these steps:
- Open the Server Manager snap-in.
- In the console tree, click Roles, click Add Roles in the details pane, and then click Next.
- Click to select the Web Server (IIS) check box, select all components except the FTP Server component, and then click Next.
- In the Server Manager snap-in, click Features in the console tree, and then click Add Features in the details pane.
- Click to select the SMTP Server check box, and then click Next.
- Click Install.
Installing the Intersite Messaging (ISM) service for SMTP transport
To install the Intersite Messaging service for SMTP transport on all Windows Server 2008 domain controllers that will replicate over SMTP connections, follow these steps:
- Open an elevated command prompt, and then run the following command:
%windir%\system32\pkgmgr /iu:DirectoryServices-ISM-Smtp
- Wait until the Ismsmtp.dll file is present in the following folder:
%windir%\system32
- Restart the Intersite Messaging service by running the following command at a command prompt:
net stop ismserv && net start ismserv
Configuring SMTP site links
Now you can configure SMTP site links in the Active Directory Sites and Services snap-in. To do this, follow these steps:
- Click Start, click Run, type dssite.msc, and then click OK.
- In the console tree, expand Sites, expand Inter-Site Transports, right-click SMTP, and then click New Site Link.
- Specify a name for the new site link, add the sites that you want to the Sites in this site link list, and then click OK.
The domain controllers will start replicating after the new topology is propagated to all the domain controllers. Note that SMTP site links carry only the schema, configuration and global catalog partial replicas between sites; domain controllers of the same domain that are in different sites still need an IP site link to replicate the domain partition. For more information about site link settings, see the Windows Server 2008 Help documentation.
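The site link can also be created from a script, and the same script can confirm that the ISM SMTP transport installed earlier is in place before the Knowledge Consistency Checker is asked to build SMTP connections. The following is an added example, not code from the original article. It uses the ADSI accessor in Windows PowerShell and the repadmin tool; the site names HQ and Branch, the link name HQ-Branch-SMTP, and the cost and interval values are constructed for the example, and it assumes Enterprise Admin rights on a domain controller.

```powershell
# Added example, not code from the original article.
# Creates (or reuses) an SMTP site link between two sites, then verifies the ISM
# SMTP transport and forces the KCC so that SMTP connection objects are generated.
# Assumptions: run as an Enterprise Admin on a domain controller; the site names,
# link name, cost and interval below are constructed for the example.

$configDN = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$linkName = 'HQ-Branch-SMTP'
$sites    = 'HQ', 'Branch'

$smtpContainerPath = "LDAP://CN=SMTP,CN=Inter-Site Transports,CN=Sites,$configDN"
$linkPath = "LDAP://CN=$linkName,CN=SMTP,CN=Inter-Site Transports,CN=Sites,$configDN"

foreach ($site in $sites) {
    if (-not [ADSI]::Exists("LDAP://CN=$site,CN=Sites,$configDN")) {
        throw "Site $site does not exist; create it first"
    }
}

if ([ADSI]::Exists($linkPath)) {
    $link = [ADSI]$linkPath
    Write-Host "Site link $linkName already exists; leaving it unchanged"
} else {
    $container = [ADSI]$smtpContainerPath
    $link = $container.Create('siteLink', "CN=$linkName")
    $link.Put('cost', 100)           # relative cost; a cheaper IP link over the same sites wins
    $link.Put('replInterval', 180)   # minutes between replication attempts (minimum is 15)
    $siteDNs = [object[]]($sites | ForEach-Object { "CN=$_,CN=Sites,$configDN" })
    $link.PutEx(2, 'siteList', $siteDNs)   # 2 = ADS_PROPERTY_UPDATE, replaces the multi-valued attribute
    $link.SetInfo()
    Write-Host "Created site link $linkName"
}

# Verify the link as stored in the directory.
$link.RefreshCache()
'Site link {0}: cost={1}, interval={2} min' -f $link.cn, $link.cost, $link.replInterval
$link.siteList | ForEach-Object { "  site: $_" }

# Verify the ISM SMTP transport: the transport object must name ismsmtp.dll and the
# DLL must be present locally (the article's pkgmgr step installs it).
$transport = [ADSI]$smtpContainerPath
'SMTP transport DLL registered in AD: {0}' -f $transport.transportDLLName
'ismsmtp.dll present locally: {0}' -f (Test-Path "$env:windir\system32\ismsmtp.dll")
'Intersite Messaging service: {0}' -f (Get-Service ismserv).Status

# Force the KCC to run now, then show replication partners; SMTP connections appear
# with the SMTP transport for the schema, configuration and GC partial partitions.
repadmin /kcc | Out-Null
repadmin /showrepl | Select-String -Pattern 'SMTP', 'Schema', 'Configuration'
```

If repadmin shows no SMTP partners after the KCC has run on the bridgehead servers in both sites, check that each bridgehead has a valid Directory Email Replication certificate and that the SMTP service is reachable on TCP port 25 in both directions.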