- Review of Stellar Phoenix Mailbox Exchange Recovery - Wed, Jul 22 2015
- Configure Exchange 2013 Internet mail flow during migration - Fri, Dec 27 2013
- Exchange 2013 DAG recovery in a stretched AD site - Part 2 - Wed, Dec 25 2013
Many organizations have deployed Exchange in a multi-forest environment. The two most common reasons are:
- Security reasons where the business requires separate accounts and services
- Mergers, acquisitions, or divestures
Let’s take an example where we have two forests: an account forest and a resource forest. The account forest is Green.com, where all the users’ accounts are based, and the resource forest is Blue.com, where Exchange 2010 is installed. We also assume that forest trust is enabled between these two forests, configured with an external SAN certificate. Client Access Server (CAS) Internal and External URLs are also configured in the Exchange server.
Account forest Green.com and resource forest Blue.com
If an account from Green.com needs access to mailboxes at Blue.com, linked mailboxes need to be created at Blue.com. The linked mailbox is the mailbox that has a disabled account in the local forest (Blue.com) and is associated with the account from the external/account forest (Green.com).
Let’s understand what happens when a user accesses Outlook from the account forest:
- User1 logs in to a computer at Green.com and accesses Outlook.
- Outlook tries to contact the local Active Directory and looks for a service connection point (SCP) in the Active Directory. SCP is created by CAS during its installation and has information about itself.
- Outlook automatic configuration fails because no SCP will be found as the Exchange servers are not installed in the account forest.
- Outlook can still be manually configured by providing CAS array details of the resource forest.
To get Outlook auto configuration working with the Autodiscover service, we have to configure the account forest Active Directory with the SCP information of the resource forest. Below are the steps to perform the same.
Create “Microsoft Exchange Autodiscover” container in configuration container at account forest (Green.com):
Log in to DC of Green.com.
- Access ADSI Edit and access the configuration container.
- Expand CN=services.
- Right-click CN=services. Click New and then select “Object.”
- Under “Select a Class,” select “Container” and then click Next.
- Enter the value “Microsoft Exchange Autodiscover” and click Next to finish.
- Force AD replication by running the repadmin /syncall command at the command prompt.
Export SCP information of resource forest (Blue.com) to account forest (Green.com):
- Log in to the Exchange server of the resource forest (Blue.com).
- Access the Exchange shell and enter the following command:
$cert = get-Credential
- Provide admin credentials that have the necessary AD permission to modify the configuration container at the account forest Green.com.
- Execute the following command to export the configuration to the target account forest at Green.com:
Export-AutoDiscoverConfig -DomainController bluedc.blue.com -TargetForestDomainController greendc.green.com -TargetForestCredential $cert
Below is the reference snapshot of SCP details after executing the export-autodiscoverconfig command. This will add a pointer record at Green.com with an LDAP URL to the resource forest (Blue.com).
Autodiscover in a multi-forest environment - Add pointer record
Note: If you have multiple account forests, then you must execute the export-autodiscoverconfig command for all account forests. Multiple account forests normally exist in a very large organization, where account forests are created for each region (for example, US, EMEA, and APAC), and a single resource forest spreads across the entire region.
In Part 2, I will show you how Outlooks Autodiscover works in a multi-forest environment.