How to Deploy Exchange 2007 in a Cross-Forest Topology

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.


Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

This topic explains how to deploy Microsoft Exchange Server 2007 in a cross-forest topology. To deploy Exchange 2007 in a cross-forest topology, you must first install Exchange 2007 in each forest, and then connect the forests so that users can see address and availability data across the forests.

This topic does not describe how to deploy Exchange 2007 in a dedicated Exchange forest (or resource forest) topology. For more information about how to deploy Exchange 2007 in a resource forest topology, see How to Deploy Exchange 2007 in an Exchange Resource Forest Topology.

This topic assumes that you do not have an existing Exchange 2000 Server or Exchange Server 2003 topology. If you do have an existing Exchange topology and you want to upgrade, see Upgrading to Exchange 2007.

GAL Synchronization and MIIS 2003

If you use Microsoft Identity Integration Server (MIIS) 2003 to synchronize the global address lists (GALs), you must perform additional steps to finish provisioning the recipients that are created by the MIIS GAL synchronization (GALSync) process. GALSync in MIIS 2003 is designed to work with Exchange 2003 or Exchange 2000. In these versions of Microsoft Exchange, the Recipient Update Service performs the tasks that are required to finish provisioning recipients. The Recipient Update Service is not available in Exchange 2007. Therefore, you must manually finish provisioning the mail-enabled contacts that are created by the MIIS 2003 GALSync process.

Additionally, Exchange 2007 recipients have some attributes that are not present in recipients from previous versions of Exchange. GALSync in MIIS 2003 does not synchronize these new attributes. As a result, if you use GALSync in MIIS 2003 to synchronize recipients across forests, you will experience the following limitations:

  • If a user is delegated access to another user's mailbox, and then that mailbox or the mailbox of the delegate is moved to another forest, delegation is lost.

  • The contact that represents the room or equipment mailbox in the other forest will not have the detailed information about these resources.

  • Microsoft Office Outlook does not recognize that a synchronized contact represents a mailbox in another Exchange forest. Outlook displays the contact as a normal contact.

Note

Synchronizing Exchange 2007 GALs by using MIIS 2003 is supported only as a custom solution. The recommended solution for synchronizing Exchange 2007 GALs is to use Exchange 2007 Service Pack 1 (SP1) and Identity Lifecycle Manager (ILM) 2007 Feature Pack 1.

New in Exchange 2007 SP1

Microsoft Exchange 2007 SP1 provides the Update-Recipient cmdlet to finish provisioning recipients that are created by GALSync.

To synchronize the GALs in Exchange 2007 SP1, we recommend that you use ILM 2007 Feature Pack 1 instead of MIIS 2003. The GAL synchronization management agent in ILM 2007 Feature Pack 1 calls the Update-Recipient cmdlet automatically, so you do not need to perform additional steps to finish provisioning recipients that are created by ILM 2007 Feature Pack 1 GAL synchronization.

Note

To use ILM 2007 Feature Pack 1 to synchronize GALs, you must have Exchange 2007 SP1 installed.

If you use ILM 2007 Feature Pack 1, all the recipient attributes for Exchange 2007 recipients are synchronized. As a result, you will not experience limitations regarding:

  • Cross-forest delegation.

  • Synchronization of room and equipment information.

  • Outlook failing to recognize contacts as synchronized contacts.

To learn more about ILM 2007, see Microsoft Identity Lifecycle Manager 2007 Product Overview.

Before You Begin

Before you perform the following procedure, you must perform the actions in one of the following sections based on whether you are working with the release to manufacturing (RTM) version of Exchange 2007 or Exchange 2007 SP1.

Permissions and Prerequisites for Exchange 2007 SP1

To perform the following procedure in Exchange 2007 SP1, confirm the following:

  • You have installed ILM 2007 Feature Pack 1. For information about deploying ILM 2007 Feature Pack 1, see Identity Lifecycle Manager.

  • You have read the information about planning your multiple forest topology, including the topic Planning for a Complex Exchange Organization.

  • You have correctly configured Domain Name System (DNS) for name resolution across forests in your organization. To verify that DNS is configured correctly, use the Ping tool to test connectivity to each forest from the other forests in your organization and from the server on which you will run the GALSync agent.

Permissions and Prerequisites for Exchange 2007 RTM

To perform the following procedure in Exchange 2007 RTM, confirm the following:

Procedure

[Figure: Example of a complex Exchange organization with multiple Exchange forests]

Exchange 2007 SP1 and ILM 2007 Feature Pack 1

To deploy Exchange 2007 SP1 in a cross-forest topology with ILM 2007 Feature Pack 1

  1. In each forest, install Exchange 2007 separately. To install Exchange 2007, perform the same steps that you would if you were installing Exchange 2007 in a single forest topology. For detailed steps, see one of the following topics:

  2. In each forest, use Active Directory Users and Computers to create a container in which ILM will create contacts for each mailbox from the other forest. We recommend that you name this container FromILM. To create the container, select the domain in which you want to create the container, right-click the domain, select New, and then select Organizational Unit. In New Object - Organizational Unit, type FromILM, and then click OK.

  3. Create a GALSync management agent for each forest by using ILM 2007 Feature Pack 1. This allows you to synchronize the users in each forest and create a common GAL. For detailed steps, see the procedure "To configure a GAL Synchronization management agent with ILM 2007 Feature Pack 1" later in this topic.

  4. Enable GALSync. To do this, in the main ILM Identity Manager window, click Tools, click Options, and then select the Enable Provisioning Rules Extension check box. Click OK.

    [Figure: The Options page, with Enable Provisioning Rules Extension selected]

  5. Create an SMTP Send connector in each of the forests. For detailed steps, see Configuring Cross-Forest Connectors.

  6. In each forest, enable the Availability service so that users in each forest can view free/busy data about users in the other forest. For more information, see Managing the Availability Service.

    Note

    The Availability service is supported only for Office Outlook 2007 clients. If you are using earlier versions of Outlook, you must use the Microsoft Exchange Inter-Organization Replication tool to synchronize free/busy data across multiple forests. It is supported to install the Inter-Organization Replication tool on a computer that has the Exchange 2007 management tools installed without any other Exchange 2007 server roles, or on an Exchange 2003 or Exchange 2000 server. If you install the tool on a computer that has the Exchange 2007 management tools installed, you must also install the Exchange MAPI client libraries. For more information about the Inter-Organization Replication tool, see Microsoft Exchange Server Inter-Organization Replication. For more information about downloading the Exchange MAPI client libraries, see Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1.

To configure a GAL Synchronization management agent with ILM 2007 Feature Pack 1

  1. In ILM 2007 Feature Pack 1, select Management Agents from the toolbar, and then under Actions, click Create.

    [Figure: The Management Agents pane in ILM]

  2. On the Create Management Agent page, under Management agent for, select Active Directory global address list (GAL).

  3. In the Name box, type a name for this management agent. When creating the name, we recommend that you include the name of the source forest from which this management agent will gather recipient information.

  4. In the Description box, type a description for this management agent, and then click Next.

  5. On the Connect to Active Directory Forest page, complete the following fields:

    • Forest name   Name of the source forest.

    • User name and Password   User name and password of an account that has permission to read schema information from the source forest.

    • Domain   Domain for the specified account.

      Note

      You can also enter the user name as <user>@<domain> and leave the domain field blank.

  6. Click Next.

  7. On the Configure Directory Partitions page, select the directory partitions on the source forest from which you want to project data to a destination forest.

    [Figure: The Configure Directory Partitions page]

  8. On the Configure Directory Partitions page, click Containers.

    [Figure: The Containers button on the Configure Directory Partitions page]

  9. On the Select Containers page, clear the top-level check box for the directory partition, select the containers for which this management agent will gather and store information, and then click OK. Be sure to select the container in which ILM will create contacts for each mailbox from the other forest, such as the FromILM container.

  10. On the Configure Directory Partitions page, click Next.

  11. On the Configure GAL page, click Target, and then select the container in which the contacts from other forests will reside in the target forest.

    [Figure: The Target button on the Configure GAL page]

  12. On the Configure GAL page, click Source, and then select the container in which other forests' objects that are synchronized to the target forest will reside.

    [Figure: The Source button on the Configure GAL page]

  13. Under Exchange configuration, click Edit to specify at least one Simple Mail Transfer Protocol (SMTP) e-mail suffix that is managed in the source forest. Click Next.

    [Figure: The Edit button on the Configure GAL page]

  14. On the Select Object Types page, click Next.

  15. On the Select Attributes page, click Next.

  16. On the Configure Connector Filter page, click Next.

  17. On the Configure Join and Projection Rules page, click Next.

  18. On the Configure Attributes Flow page, click Next.

  19. On the Configure Deprovisioning page, click Next.

  20. On the Configure Extensions page, select Enable Exchange 2007 provisioning, and then click Finish.

    [Figure: The Configure Extensions page, with Enable Exchange 2007 provisioning selected]

Note

To validate the connection parameters, run a Full Import (Stage Only) on the management agent. (To run a Full Import (Stage Only), in Identity Manager, select the management agent you want, and then under Actions, click Run.) A Full Import (Stage Only) does not populate the ILM metaverse. However, it is useful for validation and troubleshooting. If running the Full Import (Stage Only) causes any errors, you should resolve those errors before synchronizing users and groups.

Exchange 2007 RTM

To deploy Exchange 2007 RTM in a cross-forest topology with MIIS 2003

  1. In each forest, install Exchange 2007 separately. To install Exchange 2007, follow the same steps that you would if you were installing in a single forest topology. For detailed steps, see one of the following topics:

  2. In each forest, in Active Directory Users and Computers, create a container where MIIS will create contacts for each mailbox from the other forest. We suggest that you name this container "FromMIIS." To create the container, select the domain in which you want the container, right-click the domain, select New, and then select Organizational Unit. In New Object - Organizational Unit, type FromMIIS, and then click OK.

  3. Create a GAL Synchronization management agent for each forest by using MIIS 2003 or Identity Integration Feature Pack for Microsoft Windows Server Active Directory with SP2. This enables you to synchronize the users in each forest and create a common GAL. For detailed steps, see the procedure "To configure a GAL Synchronization management agent with MIIS 2003" later in this topic.

  4. Enable GALSync. To do this, in the main MIIS Identity Manager window, click Tools, click Options, and then select the Enable Provisioning Rules Extension check box. Click OK.

    [Figure: The Options page, with Enable Provisioning Rules Extension selected]

  5. Create an SMTP send connector in each of the forests. For detailed steps, see Configuring Cross-Forest Connectors.

  6. In each forest, enable the Availability service so that users in each forest can view free/busy data about users in the other forest. For more information, see Managing the Availability Service.

    Note

    The Availability service is supported with Office Outlook 2007 clients only. If you are using any other versions of Outlook, you must use the Microsoft Exchange Inter-Organization Replication tool to synchronize free/busy data across multiple forests. It is supported to install the Inter-Organization Replication tool on a computer that has the Exchange 2007 management tools installed without any other Exchange 2007 server roles, or on an Exchange 2003 or Exchange 2000 server. If you install the tool on a computer that has the Exchange 2007 management tools installed, you must also install the Exchange MAPI client libraries. For more information about the Inter-Organization Replication tool, see Microsoft Exchange Server Inter-Organization Replication. For more information about downloading the Exchange MAPI client libraries, see Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1.

  7. To create a script that finishes provisioning the recipients that were created by the GALSync process, perform one of the following steps:

    • Create an Exchange Management Shell script called MyScript.ps1 that updates all the e-mail address policies, address lists, and GALs for all the recipients in your organization. The script should contain the following lines:

      Get-EmailAddressPolicy | Update-EmailAddressPolicy
      Get-AddressList | Update-AddressList
      Get-GlobalAddressList | Update-GlobalAddressList

      Note

      This script updates all recipients in your organization. This is a costly update and can take several minutes depending on the complexity of your environment.

    • Create an Exchange Management Shell script called MyScript.ps1 that updates specific e-mail address policies, address lists, and GALs for all the recipients in your organization. The script should contain the following lines:

      Update-EmailAddressPolicy -Identity AddressPolicy01
      Update-AddressList -Identity "All Contacts\AddressList01"
      Update-GlobalAddressList -Identity "My Global Address List"
      

      If you customized your GALSync management agent to create other types of objects, such as mailboxes, you must add additional lines to update the corresponding address lists, such as "All Users\AddressList01."

      Note

      This script updates all recipients in your organization. This is a costly update and can take several minutes depending on the complexity of your environment.

    • Create an Exchange Management Shell script called MyScript.ps1 that updates only the recipients that are in the FromMIIS organizational unit (OU). The script should contain the following line:

      Get-MailContact -OrganizationalUnit "FromMIIS" | Where-Object { [string]::IsNullOrEmpty($_.LegacyExchangeDN) } | Set-MailContact
      
  8. In each forest, use either the Windows at.exe command or Windows Scheduled Tasks to schedule the script that you created in Step 7 to run at least once a day. To schedule Exchange Management Shell commands, you must run Microsoft Windows PowerShell (PowerShell.exe) with the PsConsoleFile parameter to load the Exchange Console Extensions and with the Command parameter to run the specific Exchange Management Shell command. The command that you use is the script you created in Step 7. For example, schedule the following command:

    PowerShell.exe -PsConsoleFile "C:\Program Files\Microsoft\Exchange Server\bin\exshell.psc1" -command d:\scripts\MyScript.ps1
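    The following is an added example, not a script from the original topic: a scheduled version of the "FromMIIS only" script from Step 7 that stays scoped to the GALSync container and writes before/after counts to a log, so the daily run from Step 8 can be checked. The OU name FromMIIS comes from the procedure above; the script name and log path are assumptions.

```powershell
# Added example (not from the original topic). Finishes provisioning the
# mail-enabled contacts that MIIS GALSync created in the FromMIIS OU and
# logs the outcome. Schedule it as in Step 8, for example:
#   PowerShell.exe -PsConsoleFile "C:\Program Files\Microsoft\Exchange Server\bin\exshell.psc1" -command D:\scripts\Finish-GalSyncContacts.ps1
param(
    [string]$OrganizationalUnit = "FromMIIS",
    [string]$LogFile = "D:\scripts\logs\Finish-GalSyncContacts.log"   # assumed path
)

function Write-Log([string]$Message) {
    $stamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    Add-Content -Path $LogFile -Value "$stamp  $Message"
}

function Get-UnprovisionedMailContact([string]$OU) {
    # A GALSync-created contact that has not been provisioned yet has no
    # legacyExchangeDN. Testing for both $null and "" covers either way the
    # cmdlet reports an unset attribute.
    Get-MailContact -OrganizationalUnit $OU -ResultSize Unlimited |
        Where-Object { [string]::IsNullOrEmpty($_.LegacyExchangeDN) }
}

# Scope strictly to the container that MIIS owns, so the scheduled run never
# touches recipients outside it (unlike the organization-wide variants).
$pending = @(Get-UnprovisionedMailContact $OrganizationalUnit)
Write-Log "$($pending.Count) contact(s) in OU '$OrganizationalUnit' awaiting provisioning"

$failed = 0
foreach ($contact in $pending) {
    # Piping a contact to Set-MailContact with no other parameters is what
    # finishes provisioning it, as Step 7 describes.
    $contact | Set-MailContact -ErrorAction SilentlyContinue
    if (-not $?) {
        $failed++
        Write-Log "FAILED: $($contact.Identity) - $($Error[0].Exception.Message)"
    }
}

# Re-check so the log shows whether this run actually cleared the backlog.
$remaining = @(Get-UnprovisionedMailContact $OrganizationalUnit).Count
Write-Log "Provisioned $($pending.Count - $failed), failed $failed, still pending $remaining"
if ($remaining -gt 0) {
    # Contacts still unprovisioned after a run warrant a look at the MIIS run
    # history and at the contact's attributes before the next import.
    Write-Log "WARNING: unprovisioned contacts remain in '$OrganizationalUnit'"
}
```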
    

To configure a GAL Synchronization management agent with MIIS 2003

  1. In MIIS or Identity Integration Feature Pack for Microsoft Windows Server Active Directory with SP2, select Management Agents from the toolbar, and then under Actions, click Create.

    [Figure: The Management Agents pane in MIIS]

  2. On the Create Management Agent page, under Management agent for, select Active Directory global address list (GAL).

  3. In the Name box, type a name for this management agent. When creating the name, we recommend that you include the name of the source forest from which this management agent will gather recipient information.

  4. In the Description box, type a description for this management agent, and then click Next.

  5. On the Connect to Active Directory Forest page, complete the following fields:

    • Forest name   Name of the source forest.

    • User name and Password   User name and password of an account that has permission to read schema information from the source forest.

    • Domain   Domain for the specified account.

      Note

      You can also enter the user name as <user>@<domain> and leave the domain field blank.

  6. Click Next.

  7. On the Configure Directory Partitions page, select the directory partitions on the source forest from which you want to project data to a destination forest.

    [Figure: The Configure Directory Partitions page]

  8. On the Configure Directory Partitions page, click Containers.

    [Figure: The Containers button on the Configure Directory Partitions page]

  9. On the Select Containers page, clear the top-level check box for the directory partition, select the containers for which this management agent will gather and store information, and then click OK. Be sure to select the container in which MIIS will create contacts for each mailbox from the other forest, such as the FromMIIS container.

  10. On the Configure Directory Partitions page, click Next.

  11. On the Configure GAL page, click Target, and then select the container in which the contacts from other forests will reside in the target forest.

    [Figure: The Target button on the Configure GAL page]

  12. On the Configure GAL page, click Source, and then select the container in which other forests' objects that are synchronized to the target forest will reside.

    [Figure: The Source button on the Configure GAL page]

  13. Under Exchange configuration, click Edit to specify at least one Simple Mail Transfer Protocol (SMTP) e-mail suffix that is managed in the source forest. Click Next.

    [Figure: The Edit button on the Configure GAL page]

  14. On the Select Object Types page, click Next.

  15. On the Select Attributes page, click Next.

  16. On the Configure Connector Filter page, click Next.

  17. On the Configure Join and Projection Rules page, click Next.

  18. On the Configure Attributes Flow page, click Next.

  19. On the Configure Deprovisioning page, click Next.

  20. On the Configure Extensions page, click Finish.

Note

To validate the connection parameters, run a Full Import (Stage Only) on the management agent. (To run a Full Import (Stage Only), in Identity Manager, select the management agent you want, and then under Actions, click Run.) A Full Import (Stage Only) does not populate the MIIS or Identity Integration Feature Pack metaverse. However, it is useful for validation and troubleshooting. If running the Full Import (Stage Only) causes any errors, you should resolve those errors before synchronizing users and groups.