In Part 1 of this two-part series, I explain how to configure Active Directory for Exchange Autodiscover in a multi-forest environment; in Part 2, I explain how Autodiscover works on the client side.

Many organizations have deployed Exchange in a multi-forest environment. The two most common reasons are:

  • Security reasons where the business requires separate accounts and services
  • Mergers, acquisitions, or divestitures

Let’s take an example where we have two forests: an account forest and a resource forest. The account forest is Green.com, where all the users’ accounts are based, and the resource forest is Blue.com, where Exchange 2010 is installed. We also assume that forest trust is enabled between these two forests, configured with an external SAN certificate. Client Access Server (CAS) Internal and External URLs are also configured in the Exchange server.

Account forest Green.com and resource forest Blue.com

If an account from Green.com needs access to mailboxes at Blue.com, linked mailboxes need to be created at Blue.com. The linked mailbox is the mailbox that has a disabled account in the local forest (Blue.com) and is associated with the account from the external/account forest (Green.com).

Let’s understand what happens when a user accesses Outlook from the account forest:

  1. User1 logs in to a computer at Green.com and accesses Outlook.
  2. Outlook contacts the local Active Directory and looks for a service connection point (SCP). The SCP is created by the CAS during its installation and publishes the location of that CAS.
  3. Outlook's automatic configuration fails because no SCP is found: no Exchange server is installed in the account forest.
  4. Outlook can still be configured manually by providing the CAS array details of the resource forest.

To get Outlook auto configuration working with the Autodiscover service, we have to configure the account forest Active Directory with the SCP information of the resource forest. The steps are below.

Create “Microsoft Exchange Autodiscover” container in configuration container at account forest (Green.com):

Log in to DC of Green.com.

  1. Access ADSI Edit and access the configuration container.
  2. Expand CN=services.
  3. Right-click CN=services. Click New and then select “Object.”
  4. Under “Select a Class,” select “Container” and then click Next.
  5. Enter the value “Microsoft Exchange Autodiscover” and click Next to finish.
  6. Force AD replication by running the repadmin /syncall command at the command prompt.

Export SCP information of resource forest (Blue.com) to account forest (Green.com):

  1. Log in to the Exchange server of the resource forest (Blue.com).
  2. Access the Exchange shell and enter the following command:
    $cert = get-Credential
  3. Provide admin credentials that have the necessary AD permission to modify the configuration container at the account forest Green.com.
  4. Execute the following command to export the configuration to the target account forest at Green.com:
    Export-AutoDiscoverConfig -DomainController bluedc.blue.com -TargetForestDomainController greendc.green.com -TargetForestCredential $cert

Below is the reference snapshot of SCP details after executing the export-autodiscoverconfig command. This will add a pointer record at Green.com with an LDAP URL to the resource forest (Blue.com).

Autodiscover in a multi-forest environment - Add pointer record

Note: If you have multiple account forests, then you must execute the export-autodiscoverconfig command for every account forest. Multiple account forests normally exist in a very large organization, where an account forest is created for each region (for example, US, EMEA, and APAC) and a single resource forest spans all regions.
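Because the pointer record decides where every Outlook client in the account forest will be sent for Autodiscover, it is worth verifying it after each export. The following PowerShell script is an added example, not part of the original article: it reads the “Microsoft Exchange Autodiscover” container in an account forest's Configuration partition and reports each SCP object, whether it carries the documented SCP-pointer keyword GUID, and whether its binding is an LDAP URL. The DC names greendc.green.com and bluedc.blue.com are taken from the article; the second account forest DC is a placeholder to illustrate the multi-forest loop.

```powershell
# Added verification example (not from the original article).
# Keyword GUIDs are the documented Autodiscover SCP keyword values:
# pointer (cross-forest referral) vs. URL (local CAS Autodiscover endpoint).
$ScpPointerKeyword = '77378F46-2C66-4aa9-A6A6-3E7A48B19596'
$ScpUrlKeyword     = '67661d7F-8FB4-4fa7-BED3-6A7F4A9CE8AE'

function Get-AutodiscoverScp {
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [System.Management.Automation.PSCredential] $Credential
    )
    # Locate the Configuration naming context of the account forest.
    $rootDse  = [ADSI]"LDAP://$DomainController/RootDSE"
    $configNc = [string]$rootDse.configurationNamingContext
    $path     = "LDAP://$DomainController/CN=Microsoft Exchange Autodiscover,CN=Services,$configNc"

    $root = if ($Credential) {
        New-Object System.DirectoryServices.DirectoryEntry(
            $path, $Credential.UserName, $Credential.GetNetworkCredential().Password)
    } else {
        New-Object System.DirectoryServices.DirectoryEntry($path)
    }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = '(objectClass=serviceConnectionPoint)'
    $searcher.SearchScope = 'Subtree'
    [void]$searcher.PropertiesToLoad.AddRange(@('cn', 'keywords', 'serviceBindingInformation'))

    foreach ($result in $searcher.FindAll()) {
        $keywords = @($result.Properties['keywords'])
        $binding  = @($result.Properties['servicebindinginformation'])
        [pscustomobject]@{
            Forest       = $DomainController
            Name         = [string]$result.Properties['cn'][0]
            IsPointer    = $keywords -contains $ScpPointerKeyword
            IsLocalUrl   = $keywords -contains $ScpUrlKeyword
            Binding      = $binding -join ';'
            # A pointer created by Export-AutoDiscoverConfig binds via LDAP://
            # to the resource forest; anything else deserves a closer look.
            PointsToLdap = @($binding | Where-Object { $_ -like 'LDAP://*' }).Count -gt 0
        }
    }
}

# One call per account forest (second DC name is a placeholder).
$cred = Get-Credential   # account with read access to each account forest's Configuration container
foreach ($dc in 'greendc.green.com', 'dc01.accountforest2.example') {
    Get-AutodiscoverScp -DomainController $dc -Credential $cred |
        Where-Object { -not ($_.IsPointer -and $_.PointsToLdap -and $_.Binding -like '*blue.com*') } |
        Format-Table Forest, Name, IsPointer, PointsToLdap, Binding -AutoSize
}
```

Only SCP objects that are not a pointer to Blue.com over LDAP are printed, so an empty result after the export means every account forest refers clients to the intended resource forest.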

In Part 2, I will show you how Outlook's Autodiscover works in a multi-forest environment.

4 Comments
  1. Lee 10 years ago

    Hi

    Great article, where is part 2? I am particularly interested in what happens to the Outlook clients which do not have a mailbox in the resource forest, i.e. during migration

    Thanks

  2. Lee, sorry that was my fault. I forgot to add the link. You can find the link to part 2 at the end of the text.

  3. Nathan 9 years ago

    Your command has a typo. The term “-TargetForestCredentials” should be “-TargetForestCredential” without the “s” in it. Ref: http://technet.microsoft.com/en-us/library/aa996849(v=exchg.141).aspx

  4. Nathan, thanks for the hint. I changed the text.

© 4sysops 2006 - 2023