The configurations of any two DCs are required to meet certain conditions before the DRS Protocol Extensions for SMTP can be used to replicate state between them.
Until these conditions are met, all message requests received SHOULD be ignored and message requests to send SHOULD NOT be generated. The conditions are as follows.
Each DC MUST have a Domain Controller certificate, and all Domain Controller certificates MUST be signed by the same certification authority (CA). Domain Controller certificates are as specified in section 2.3. Certificate enrollment and storage are specified in [MS-WCCE].
The DCs MUST be configured to be in different sites.
The configuration NC for the forest MUST specify that the DRS Protocol Extensions for SMTP can be used for replication between the DCs. The replication transport is governed by the configuration of connection, site link, and intersite transport objects, as specified in [MS-ADTS].
One of the following statements MUST apply to the NC being replicated. The intuition behind these requirements is that replication between two full-master replicas of the same domain NC is not permitted via the DRS Protocol Extensions for SMTP; this enforces an administrative best practice.
- The NC is the configuration NC.
- The NC is the schema NC.
- Both DCs hold NC replicas of the same application NC.
- Both DCs hold a partial read-only replica of the same NC (for example, both DCs are global catalogs).
- One DC holds a writable full replica of its domain NC, and the other DC holds a partial read-only copy of that domain NC (for example, the other DC is a global catalog).
The configuration NC MUST contain a server object for each DC. Both server objects MUST contain a mailAddress attribute, and the mailAddress MUST be a syntactically valid SMTP recipient (as specified in [RFC2822]).
The state variable Local-DC-Mail-Address MUST be initialized with the SMTP address of the local DC, as taken from the configuration NC. The configuration NC MUST include the SMTP address of the local DC.
The state variable Local-DC-Certificate MUST be initialized with a certificate from the Public Key Infrastructure. This certificate MUST meet the criteria set forth in section 2.3.
The state variable SMTP-ADDR-DC-CERT-MAP MUST be initialized with an entry for the local DC, as follows: <Local-DC-Mail-Address, Local-DC-Certificate>.
The implementation MAY populate the map with additional entries at initialization time, although this is not required for correct operation. As an alternative, the implementation MAY populate the map with knowledge of additional partner DCs as they are discovered during operation.<11>
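The pairing conditions above (same issuing CA, different sites, the NC replica-type rule, and a syntactically valid mailAddress on each server object) together with the mandatory local entry in SMTP-ADDR-DC-CERT-MAP, as an added example written for this page rather than code from the MS-SRPL specification or any Microsoft implementation. The class and function names (DomainController, NCReplica, check_pairing, init_cert_map), the sample DCs and the "contoso.example" addresses are constructed for illustration; the address check is a deliberately simplified approximation of an RFC 2822 addr-spec, not a full parser, and the site-link/transport configuration of the configuration NC is reduced to a single boolean flag.

```python
"""Evaluate the DRS-over-SMTP preconditions for a pair of DCs (added example).

Everything here is an assumption made for illustration: the data model, the
rule evaluation and the sample values are not taken from MS-SRPL.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional
import re


class NCKind(Enum):
    CONFIGURATION = "configuration"
    SCHEMA = "schema"
    DOMAIN = "domain"
    APPLICATION = "application"


class ReplicaKind(Enum):
    FULL = "full"        # writable full replica
    PARTIAL = "partial"  # partial read-only replica (e.g. global catalog)


@dataclass(frozen=True)
class Certificate:
    subject: str
    issuer: str  # DN of the signing CA; "same CA" is compared on this field


@dataclass(frozen=True)
class NCReplica:
    name: str  # DN of the naming context
    kind: NCKind
    replica: ReplicaKind


@dataclass
class DomainController:
    mail_address: Optional[str]   # mailAddress attribute of the server object
    cert: Optional[Certificate]   # Domain Controller certificate, if enrolled
    site: str
    replicas: FrozenSet[NCReplica]


# Simplified addr-spec: local-part "@" dotted domain.  Approximation only;
# a conforming implementation needs a real RFC 2822 parser.
_ADDR_SPEC = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def is_valid_smtp_recipient(addr: Optional[str]) -> bool:
    return addr is not None and _ADDR_SPEC.match(addr) is not None


def nc_rule_satisfied(nc_name: str, dc_a: DomainController, dc_b: DomainController) -> bool:
    """The 'one of the following statements MUST apply' rule for one NC."""
    ra = next((r for r in dc_a.replicas if r.name == nc_name), None)
    rb = next((r for r in dc_b.replicas if r.name == nc_name), None)
    if ra is None or rb is None:
        return False  # a DC that does not hold the NC cannot replicate it
    if ra.kind in (NCKind.CONFIGURATION, NCKind.SCHEMA, NCKind.APPLICATION):
        return True   # config, schema, or both hold the same application NC
    # Domain NC: partial/partial or full/partial is allowed; full/full is not.
    return ReplicaKind.PARTIAL in (ra.replica, rb.replica)


def check_pairing(nc_name: str, local: DomainController, partner: DomainController,
                  smtp_transport_configured: bool = True) -> List[str]:
    """Return the list of unmet conditions; an empty list means replication may start."""
    failures = []
    if local.cert is None or partner.cert is None:
        failures.append("missing Domain Controller certificate")
    elif local.cert.issuer != partner.cert.issuer:
        failures.append("Domain Controller certificates not signed by the same CA")
    if local.site == partner.site:
        failures.append("DCs are in the same site")
    if not smtp_transport_configured:
        failures.append("configuration NC does not permit SMTP transport between the DCs")
    if not nc_rule_satisfied(nc_name, local, partner):
        failures.append("NC replica types do not permit SMTP replication")
    for label, dc in (("local", local), ("partner", partner)):
        if not is_valid_smtp_recipient(dc.mail_address):
            failures.append(f"{label} DC server object lacks a valid mailAddress")
    return failures


def init_cert_map(local: DomainController) -> Dict[str, Certificate]:
    """Build SMTP-ADDR-DC-CERT-MAP with the mandatory <Local-DC-Mail-Address, Local-DC-Certificate> entry."""
    if not is_valid_smtp_recipient(local.mail_address) or local.cert is None:
        raise ValueError("local DC mail address and certificate must be initialized first")
    return {local.mail_address: local.cert}


# Constructed sample data (not from the specification).
CA = "CN=Contoso Root CA"
CONFIG_NC = "CN=Configuration,DC=contoso,DC=example"
DOMAIN_NC = "DC=contoso,DC=example"

DC1 = DomainController("dc1@hq.contoso.example", Certificate("CN=DC1", CA), "HQ",
                       frozenset({NCReplica(CONFIG_NC, NCKind.CONFIGURATION, ReplicaKind.FULL),
                                  NCReplica(DOMAIN_NC, NCKind.DOMAIN, ReplicaKind.FULL)}))
DC2 = DomainController("dc2@branch.contoso.example", Certificate("CN=DC2", CA), "Branch",
                       frozenset({NCReplica(CONFIG_NC, NCKind.CONFIGURATION, ReplicaKind.FULL),
                                  NCReplica(DOMAIN_NC, NCKind.DOMAIN, ReplicaKind.PARTIAL)}))
DC3 = DomainController("dc3@hq.contoso.example", Certificate("CN=DC3", CA), "HQ",
                       frozenset({NCReplica(DOMAIN_NC, NCKind.DOMAIN, ReplicaKind.FULL)}))

if __name__ == "__main__":
    print(check_pairing(DOMAIN_NC, DC1, DC2))   # [] : full/partial across sites
    print(check_pairing(DOMAIN_NC, DC1, DC3))   # same site and full/full
    print(init_cert_map(DC1))
```

The checker deliberately reports every unmet condition rather than stopping at the first, so an operator can see at once why a pair is ineligible; until the list is empty, an implementation following this section would neither act on received message requests nor generate outgoing ones.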
The SMTP MTA MUST be initialized so that it delivers messages sent with a From address of Local-DC-Mail-Address. All required initialization MUST be performed so that the local DC will be able to receive SMTP messages that are sent to Local-DC-Mail-Address. For example, the domain of Local-DC-Mail-Address might need to be registered in the DNS in a fashion that allows the local DC to receive SMTP messages that are sent to the domain.