In Part 1 of this two-part series, I will explain how to set up Active Directory in an Exchange Autodiscover multi-forest environment and in Part 2 I will explain how Autodiscover works on the client side.

Many organizations have deployed Exchange in a multi-forest environment. The two most common reasons are:

  • Security reasons where the business requires separate accounts and services
  • Mergers, acquisitions, or divestures

Let’s take an example where we have two forests: an account forest and a resource forest. The account forest is, where all the users’ accounts are based, and the resource forest is, where Exchange 2010 is installed. We also assume that forest trust is enabled between these two forests, configured with an external SAN certificate. Client Access Server (CAS) Internal and External URLs are also configured in the Exchange server.

Account forest and resource forest

Account forest and resource forest

If an account from needs access to mailboxes at, linked mailboxes need to be created at The linked mailbox is the mailbox that has a disabled account in the local forest ( and is associated with the account from the external/account forest (

Let’s understand what happens when a user accesses Outlook from the account forest:

  1. User1 logs in to a computer at and accesses Outlook.
  2. Outlook tries to contact the local Active Directory and looks for a service connection point (SCP) in the Active Directory. SCP is created by CAS during its installation and has information about itself.
  3. Outlook automatic configuration fails because no SCP will be found as the Exchange servers are not installed in the account forest.
  4. Outlook can still be manually configured by providing CAS array details of the resource forest.

To get Outlook auto configuration working with the Autodiscover service, we have to configure the account forest Active Directory with the SCP information of the resource forest. Below are the steps to perform the same.

Create “Microsoft Exchange Autodiscover” container in configuration container at account forest (

Log in to DC of

  1. Access ADSI Edit and access the configuration container.
  2. Expand CN=services.
  3. Right-click CN=services. Click New and then select “Object.”
  4. Under “Select a Class,” select “Container” and then click Next.
  5. Enter the value “Microsoft Exchange Autodiscoverand click Next to finish.
  6. Force AD replication by running the repadmin /syncall command at the command prompt.

Export SCP information of resource forest ( to account forest (

  1. Log in to the Exchange server of the resource forest (
  2. Access the Exchange shell and enter the following command:
    $cert = get-Credential
  3. Provide admin credentials that have the necessary AD permission to modify the configuration container at the account forest
  4. Execute the following command to export the configuration to the target account forest at
    Export-AutoDiscoverConfig -DomainController -TargetForestDomainController -TargetForestCredential $cert

Below is the reference snapshot of SCP details after executing the export-autodiscoverconfig command. This will add a pointer record at with an LDAP URL to the resource forest (

Autodiscover in a multi-forest environment - Add pointer record

Autodiscover in a multi-forest environment - Add pointer record

Note: If you have multiple account forests, then you must execute the export-autodiscoverconfig command for all account forests. Multiple account forests normally exist in a very large organization, where account forests are created for each region (for example, US, EMEA, and APAC), and a single resource forest spreads across the entire region.

In Part 2, I will show you how Outlooks Autodiscover works in a multi-forest environment.

  1. Lee 10 years ago


    Great article, where is part 2? I am particularly interested in what happens to the Outlook clients which do not have a mailbox in the resource forest, i.e. during migration


  2. Lee, sorry that was my fault. I forgot to add the link. You can find the link to part 2 at the end of the text.

  3. Nathan 9 years ago

    Your command has a typo. The term “-TargetForestCredentials” should be ” -TargetForestCredential” without the “s” in it. Ref:

  4. Nathan, thanks for the hint. I changed the text.

Leave a reply

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account