Configuring Cross-Forest Connectors

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.


Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

This topic explains how to use the Exchange Management Console or the Exchange Management Shell to configure Send connectors and Receive connectors to enable cross-forest communication.

To establish direct mail flow between servers that are running Microsoft Exchange Server in different Active Directory directory service forests, you must configure Send connectors and Receive connectors.

This topic explains how to configure cross-forest connectors for the following scenarios:

  • Exchange 2007 to Exchange 2007

  • Exchange 2007 to Exchange Server 2003

Before You Begin

Verify that your organization meets the prerequisites for each scenario. The prerequisites are listed in the procedures for each scenario.

Verify that the account that you use to perform these procedures has the required administrative group memberships:

  • To create an Exchange 2007 Send connector, the account you use must be delegated the Exchange Organization Administrator role.

  • To create an Exchange 2007 Receive connector, the account you use must be delegated the Exchange Server Administrator role and must be a member of the local Administrators group on the server on which you will create the Receive connector.

For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.

Exchange 2007 to Exchange 2007

In this scenario, you create the cross-forest connectors between the Hub Transport servers in two Exchange 2007 organizations that are located in separate Active Directory forests. Basic authentication or external authentication mechanisms provide authentication and authorization between the servers in different forests. If you use Basic authentication, you can select from the following two methods to also use Transport Layer Security (TLS):

  • Set the smart host authentication method to Basic authentication requires TLS. This method provides both confidentiality and authentication of the receiving server. If you select this smart host authentication method, the sending server will validate the certificate of the receiving server as a requirement for mail flow.

  • Set the RequireTLS parameter to $True. This method provides confidentiality, but does not authenticate the receiving server.

To configure a cross-forest connector between the Hub Transport servers in two Exchange 2007 organizations, you must meet the following prerequisites:

  • Each forest must have an Exchange organization with Exchange 2007 servers.

  • If you use Basic authentication, a domain account must exist in each forest to use for Basic authentication. For example, provide a user account that has the user principal name (UPN) FourthCoffee@Contoso.com as the credentials that must be used for authentication by the Exchange servers in the Fourth Coffee domain when mail is sent to the Exchange servers in the Contoso domain.

  • If you use Basic authentication over TLS, the target server must be configured to use an X.509 certificate that contains an FQDN that is the same as the FQDN of the Receive connector.

  • If you use external authentication, a trusted network connection must exist between the Hub Transport servers. This connection may be an IPsec association or a virtual private network, or the servers may reside in a trusted, physically controlled network.
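The following is an added example and is not part of the original article. It checks the Basic-authentication-over-TLS prerequisite from the receiving side: run in the Exchange Management Shell on the receiving Hub Transport server, it confirms that a certificate enabled for the SMTP service covers the FQDN the Receive connector advertises, because that is the name the sending server validates before mail flows. Get-ReceiveConnector and Get-ExchangeCertificate are Exchange 2007 cmdlets; the connector identity `HUB1\Default HUB1` is an assumed sample value, and wildcard-name matching is a simplification added here.

```powershell
# Added example, not from the original article. Run in the Exchange Management
# Shell on the receiving Hub Transport server. Checks that an SMTP-enabled,
# unexpired certificate covers the FQDN of the given Receive connector.

function Test-NameCoveredByCertificate {
    param([string]$Fqdn, [string]$CertificateName)
    # Exact match, or a wildcard that covers exactly one extra label
    # (*.fourthcoffee.com covers hub1.fourthcoffee.com, not a.b.fourthcoffee.com).
    if ($CertificateName -ieq $Fqdn) { return $true }
    if ($CertificateName.StartsWith('*.') -and $Fqdn.Contains('.')) {
        $parent = $Fqdn.Substring($Fqdn.IndexOf('.') + 1)
        return ($parent -ieq $CertificateName.Substring(2))
    }
    return $false
}

function Test-SmtpCertificateForFqdn {
    param([string]$Fqdn)
    $found = $false
    foreach ($cert in (Get-ExchangeCertificate)) {
        # Only certificates enabled for the SMTP service are offered in STARTTLS.
        if ($cert.Services.ToString() -notmatch 'SMTP') { continue }
        foreach ($name in $cert.CertificateDomains) {
            if (-not (Test-NameCoveredByCertificate -Fqdn $Fqdn -CertificateName $name.ToString())) { continue }
            if ($cert.NotAfter -le (Get-Date)) {
                Write-Warning ("Certificate {0} covers {1} but expired on {2}" -f $cert.Thumbprint, $Fqdn, $cert.NotAfter)
                continue
            }
            Write-Host ("Certificate {0} covers {1}, valid until {2}" -f $cert.Thumbprint, $Fqdn, $cert.NotAfter)
            $found = $true
        }
    }
    return $found
}

# Usage: "HUB1\Default HUB1" is an assumed connector identity; substitute your own.
$connector = Get-ReceiveConnector -Identity 'HUB1\Default HUB1'
$fqdn = $connector.Fqdn.ToString()
if (-not (Test-SmtpCertificateForFqdn -Fqdn $fqdn)) {
    Write-Warning ("No valid SMTP-enabled certificate covers the connector FQDN " + $fqdn)
}
```

If the function returns $false, a Send connector on the other side that uses the Basic authentication requires TLS method will not deliver mail until a matching certificate is installed and enabled for SMTP.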

To establish mail flow between the forests, follow these steps:

  1. Create a user account in each forest to use for authentication to the receiving server in the second forest.

  2. Create a Send connector.

  3. Set permissions on the Send connector.

  4. For externally secured connectors, create a new Receive connector.

    Note

    If you are using Basic authentication over TLS, you must provide the FQDN of the remote Hub Transport server in the smart host settings. You cannot use an IP address.

The following procedure establishes cross-forest mail flow between the Exchange 2007 Hub Transport servers in the Contoso.com and FourthCoffee.com forests. You must perform the reciprocal procedure in each forest.

Procedure

To configure cross-forest connectors between Exchange 2007 servers by using Basic authentication

  1. Create a user account in each forest. Add the account to the Exchange Servers universal security group. This account is used by the Send connector to authenticate to the receiving server in the second forest.

    Important

    This account is granted the permissions that are associated with Exchange servers. Be sure to safeguard the account credentials to prevent misuse of the account. You can configure the account to allow logon to specific computers only.

  2. Create a Send connector in the Contoso forest by using one of the following methods:

    • To use the Exchange Management Shell to create the Send connector from Contoso.com to FourthCoffee.com and to use Basic authentication over TLS to provide both confidentiality and authentication to the receiving server, run the following commands. The first command stores the credentials for use in authentication. The second command creates the Send connector.

      First, run the following command:

      $mycred = get-credential
      

      Then, in the dialog box that appears, enter the credentials for the user account in the Fourth Coffee domain. Use the domain\user format or UPN format to enter the user name and provide the user's password. Click OK, and then run the following command:

      New-SendConnector -Name "Cross-Forest" -Usage Internal  -AddressSpaces FourthCoffee.com -SmartHosts Hub1.FourthCoffee.Com, Hub2.FourthCoffee.com -SmartHostAuthMechanism BasicAuthRequireTLS -AuthenticationCredential $mycred -SourceTransportServers HubA.Contoso.com, HubB.Contoso.com -DNSRoutingEnabled $False
      
    • To use the Exchange Management Shell to create the Send connector from Contoso.com to FourthCoffee.com and to use Basic authentication with TLS to provide only confidentiality, run the following command:

      New-SendConnector -Name "Cross-Forest" -Usage Internal  -AddressSpaces FourthCoffee.com -SmartHosts Hub1.FourthCoffee.Com, Hub2.FourthCoffee.com -SmartHostAuthMechanism BasicAuth -AuthenticationCredential $mycred -SourceTransportServers HubA.Contoso.com, HubB.Contoso.com -requireTLS $True -DNSRoutingEnabled $False
      
    • To use the Exchange Management Console to create the Send connector from Contoso.com to FourthCoffee.com, follow these steps:

    1. Open the Exchange Management Console. In the console tree, expand Organization Configuration, click Hub Transport, and then, in the action pane, click New Send connector.

    2. On the New SMTP Send connector wizard Introduction page, in the Name field, type a unique name for the connector.

    3. From the Select the intended use for this connector drop-down list, select Internal, and then click Next.

    4. On the Address Space page, click Add. In the Add Address Space dialog box, type the name of the remote SMTP domain, and then click Next.

    5. On the Network Settings page, only the Route all mail through the following smart hosts: setting can be selected. Click Add.

    6. In the Add Smart Host dialog box, in the IP address or Fully qualified domain name (FQDN) field, type the FQDN of a Hub Transport server in the remote forest, and then click OK. To specify more than one Hub Transport server as a smart host, click Add and enter additional FQDNs, and then click Next.

    7. On the Smart host security settings page, select Basic Authentication or Basic Authentication over TLS, type the user name and password that will be used to authenticate the connection, and then click Next.

    8. On the Source Server page, click Add. In the Select Hub Transport and subscribed Edge Transport servers dialog box, select one or more Hub Transport servers in your organization, click OK, and then click Next.

    9. On the New Connector page, click New, and then on the Completion page, click Finish.

  3. To set permissions on the Send connector, in the Exchange Management Shell, use the Enable-CrossForestConnector.ps1 script to run the following command:

    Enable-CrossForestConnector -Connector "Cross-Forest" -user "ANONYMOUS LOGON"
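The following is an added example and is not part of the original article. After the Send connector exists, it reads every Send connector back with Get-SendConnector and classifies the smart host authentication each will use, so that a connector left on BasicAuth without RequireTLS (where Basic credentials could be sent without TLS), or a BasicAuthRequireTLS connector whose smart host is an IP address (which the note above says cannot be used), is flagged before the first message goes out. All property names are those of the Exchange 2007 Send connector object; the posture labels are this example's own.

```powershell
# Added example, not from the original article. Run in the Exchange Management
# Shell. Reports the TLS posture of every Send connector in the organization.

function Get-SendConnectorTlsPosture {
    foreach ($sc in (Get-SendConnector)) {
        $auth = [string]$sc.SmartHostAuthMechanism
        $requireTls = [bool]$sc.RequireTLS
        $hosts = @($sc.SmartHosts | ForEach-Object { $_.ToString() })
        $issues = @()
        $posture = $auth

        switch ($auth) {
            'BasicAuthRequireTLS' { $posture = 'confidentiality + receiving server authenticated' }
            'BasicAuth' {
                if ($requireTls) {
                    $posture = 'confidentiality only (certificate not validated)'
                } else {
                    $posture = 'WEAK: Basic credentials may be sent without TLS'
                    $issues += 'set -RequireTLS $True or use BasicAuthRequireTLS'
                }
            }
            'ExternalAuthoritative' { $posture = 'externally secured (IPsec, VPN or trusted network assumed)' }
        }

        # BasicAuthRequireTLS validates the certificate against the smart host
        # name, so an IP literal (with or without brackets) cannot work there.
        if ($auth -eq 'BasicAuthRequireTLS') {
            foreach ($h in $hosts) {
                if ($h -match '^\[?\d{1,3}(\.\d{1,3}){3}\]?$') {
                    $issues += "smart host $h is an IP address; use the FQDN"
                }
            }
        }

        $o = New-Object PSObject
        Add-Member -InputObject $o -MemberType NoteProperty -Name Name -Value $sc.Name
        Add-Member -InputObject $o -MemberType NoteProperty -Name AuthMechanism -Value $auth
        Add-Member -InputObject $o -MemberType NoteProperty -Name RequireTLS -Value $requireTls
        Add-Member -InputObject $o -MemberType NoteProperty -Name SmartHosts -Value ([string]::Join(', ', [string[]]$hosts))
        Add-Member -InputObject $o -MemberType NoteProperty -Name Posture -Value $posture
        Add-Member -InputObject $o -MemberType NoteProperty -Name Issues -Value ([string]::Join('; ', [string[]]$issues))
        $o
    }
}

Get-SendConnectorTlsPosture | Format-Table Name, AuthMechanism, RequireTLS, SmartHosts, Posture, Issues -AutoSize
```

A cross-forest connector should show either the first or the second posture with an empty Issues column.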
    

To configure cross-forest connectors between Exchange 2007 servers by using external authentication

  1. Create a Send connector by using one of the following methods:

    • To use the Exchange Management Shell to create the Send connector from Contoso.com to FourthCoffee.com, run the following command:

      New-SendConnector -Name "Cross-Forest" -Usage Internal  -AddressSpaces FourthCoffee.com -SmartHosts Hub1.FourthCoffee.Com, Hub2.FourthCoffee.com -SmartHostAuthMechanism ExternalAuthoritative -SourceTransportServers HubA.Contoso.com, HubB.Contoso.com -DNSRoutingEnabled $False
      
    • To use the Exchange Management Console to create the Send connector from Contoso.com to FourthCoffee.com, follow these steps:

    1. Open the Exchange Management Console. In the console tree, expand Organization Configuration, click Hub Transport, and then in the action pane, click New Send connector.

    2. On the New SMTP Send connector wizard Introduction page, in the Name field, type a unique name for the connector. From the Select the intended use for this connector drop-down list, select Internal, and then click Next.

    3. On the Address Space page, click Add. In the Add Address Space dialog box, type the name of the remote SMTP domain, and then click Next.

    4. On the Network Settings page, only the Route all mail through the following smart hosts: setting can be selected. Click Add.

    5. In the Add Smart Host dialog box, in the IP address or Fully qualified domain name (FQDN) field, type the IP address or FQDN of a Hub Transport server in the remote forest, and then click OK. To specify more than one Hub Transport server as a smart host, click Add and enter additional IP addresses or FQDNs, and then click Next.

    6. On the Smart host authentication settings page, select Externally Secured (for example with IPsec), and then click Next.

    7. On the Source Server page, click Add. In the Select Hub Transport and subscribed Edge Transport servers dialog box, select one or more Hub Transport servers in your organization, click OK, and then click Next.

    8. On the New Connector page, click New, and then on the Completion page, click Finish.

  2. Create a new Receive connector by using one of the following methods:

    • To use the Exchange Management Shell to create the Receive connector for Contoso.com to receive mail from FourthCoffee.com, run the following command:

      New-ReceiveConnector -Name "Cross-Forest" -Server HubA -PermissionGroups ExchangeServers -RemoteIPRanges <IP address of Fourth Coffee Hub Transport server> -AuthMechanism ExternalAuthoritative -Bindings 0.0.0.0:25
      
    • To use the Exchange Management Console to create the Receive connector for Contoso.com to receive mail from FourthCoffee.com, follow these steps:

    1. Open the Exchange Management Console. In the console tree, expand Server Configuration, click Hub Transport, and then in the action pane, click New Receive Connector.

    2. On the New SMTP Receive Connector wizard Introduction page, in the Name field, type a unique name for the connector.

    3. From the Select the intended use for this connector drop-down list, select Internal, and then click Next.

    4. On the Remote Network settings page, delete the all network ranges entry, and then click Add.

    5. In the Add IP Address(es) of Remote Servers dialog box, type the IP address of the remote Hub Transport server, click OK, and then click Next.

    6. On the New Connector page, click New, and then on the Completion page, click Finish.

  3. To modify the authentication method that is used for this connector, follow these steps:

    1. In the task pane, select the Receive connector that you want to modify, and then in the action pane, click Properties.

    2. Click the Authentication tab. Clear the check boxes for Transport Layer Security (TLS) and Exchange Server authentication, select Externally Secured (for example with IPsec), and then click OK.
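The following is an added example and is not part of the original article. An externally secured Receive connector treats every peer inside its remote IP ranges as an authenticated Exchange server, so the scope of those ranges is the only thing standing between the connector and anonymous senders. Run in the Exchange Management Shell on the receiving Hub Transport server (HubA above), this check lists each Receive connector that uses ExternalAuthoritative and flags the all network ranges entry that step 4 removes, any range wider than a single host, and the TLS and Exchange Server authentication options that step 3 clears. The range string formats are those the connector's RemoteIPRanges values render as; the finding texts are this example's own.

```powershell
# Added example, not from the original article. Run in the Exchange Management
# Shell. Audits the remote IP scope and authentication flags of every
# externally secured Receive connector on the given server.

function Test-ExternallySecuredReceiveConnectors {
    param([string]$Server = $env:COMPUTERNAME)
    foreach ($rc in (Get-ReceiveConnector -Server $Server)) {
        # AuthMechanism is a flags value rendered as e.g. "Tls, ExternalAuthoritative".
        $flags = @(([string]$rc.AuthMechanism).Split(',') | ForEach-Object { $_.Trim() })
        if (-not ($flags -contains 'ExternalAuthoritative')) { continue }

        $ranges = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })
        $findings = @()
        foreach ($r in $ranges) {
            if ($r -eq '0.0.0.0-255.255.255.255') {
                $findings += 'accepts from any IPv4 address: delete the all network ranges entry'
            } elseif ($r -notmatch '^\d{1,3}(\.\d{1,3}){3}$') {
                $findings += "range $r is wider than a single remote Hub Transport server"
            }
        }
        if ($flags -contains 'Tls') { $findings += 'TLS is still enabled alongside Externally Secured' }
        if ($flags -contains 'ExchangeServer') { $findings += 'Exchange Server authentication is still enabled alongside Externally Secured' }

        $bindings = @($rc.Bindings | ForEach-Object { $_.ToString() })
        $o = New-Object PSObject
        Add-Member -InputObject $o -MemberType NoteProperty -Name Identity -Value $rc.Identity.ToString()
        Add-Member -InputObject $o -MemberType NoteProperty -Name AuthMechanism -Value ([string]$rc.AuthMechanism)
        Add-Member -InputObject $o -MemberType NoteProperty -Name PermissionGroups -Value ([string]$rc.PermissionGroups)
        Add-Member -InputObject $o -MemberType NoteProperty -Name RemoteIPRanges -Value ([string]::Join(', ', [string[]]$ranges))
        Add-Member -InputObject $o -MemberType NoteProperty -Name Bindings -Value ([string]::Join(', ', [string[]]$bindings))
        Add-Member -InputObject $o -MemberType NoteProperty -Name Findings -Value ([string]::Join('; ', [string[]]$findings))
        $o
    }
}

Test-ExternallySecuredReceiveConnectors | Format-List
```

The connector created by the procedure above should list only the remote forest's Hub Transport server addresses and an empty Findings field.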

Exchange 2007 to Exchange 2003

In this scenario, you create the cross-forest connectors between an Active Directory forest with an Exchange organization that is running Exchange 2007 and a second Active Directory forest with an Exchange organization that is running Exchange 2003. You can create the Send connectors and Receive connectors between the Exchange 2007 Edge Transport server and the Exchange 2003 bridgehead server or between the Exchange 2007 Hub Transport server and the Exchange 2003 bridgehead server.

To establish mail flow between the forests, follow these steps:

  1. Create a user account in the Exchange 2003 forest to use for authentication to the receiving server in the Exchange 2007 forest.

  2. Create a Send connector and select Internal as the usage for this connector on either the Exchange 2007 Edge Transport server or Hub Transport server.

  3. Create an SMTP connector on Exchange 2003.

  4. Modify the registry on the Exchange 2003 server to allow the Exchange 2003 server to send and receive XExch50 properties anonymously.

The following procedure establishes cross-forest mail flow between the Exchange 2007 transport servers in the Contoso.com forest and the Exchange 2003 bridgehead servers in the FourthCoffee.com forest. After you perform this procedure, we recommend that you test mail flow by sending a message between the two organizations. You should also examine the protocol logs to verify that EXCH50 data is propagated to Exchange 2003.
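The following is an added example and is not part of the original article. To carry out the protocol log check recommended above, it parses Exchange 2007 SMTP Send protocol log lines (the nine comma-separated fields named in the log's #Fields header) and reports, per SMTP session, whether an XEXCH50 command was sent to the Exchange 2003 side and what the first reply was. The log lines embedded in the block are constructed samples, not captured output; the log path and the `$exinstall` variable in the usage comment are assumed, protocol logging must first be enabled on the connector, and ConvertFrom-Csv requires Windows PowerShell 2.0.

```powershell
# Added example, not from the original article. Parses SMTP Send protocol log
# lines and reports, per session, whether XEXCH50 was sent and how the peer replied.

$script:ProtocolLogFields = 'DateTime', 'ConnectorId', 'SessionId', 'Sequence',
    'LocalEndpoint', 'RemoteEndpoint', 'Event', 'Data', 'Context'

function Get-Xexch50Result {
    param([string[]]$Lines)
    # Skip the '#' header lines and parse the rest as CSV with fixed field names.
    $records = $Lines | Where-Object { $_ -and -not $_.StartsWith('#') } |
        ConvertFrom-Csv -Header $script:ProtocolLogFields
    foreach ($session in ($records | Group-Object SessionId)) {
        $remote = ''; $commandSent = $false; $awaitingReply = $false; $reply = ''
        foreach ($r in ($session.Group | Sort-Object { [int]$_.Sequence })) {
            if ($r.RemoteEndpoint) { $remote = $r.RemoteEndpoint }
            # '>' is a command this server sent, '<' a reply received from the peer.
            if ($r.Event -eq '>' -and $r.Data -like 'XEXCH50*') {
                $commandSent = $true; $awaitingReply = $true
            } elseif ($awaitingReply -and $r.Event -eq '<') {
                $reply = $r.Data; $awaitingReply = $false
            }
        }
        $o = New-Object PSObject
        Add-Member -InputObject $o -MemberType NoteProperty -Name SessionId -Value $session.Name
        Add-Member -InputObject $o -MemberType NoteProperty -Name RemoteEndpoint -Value $remote
        Add-Member -InputObject $o -MemberType NoteProperty -Name Xexch50Sent -Value $commandSent
        Add-Member -InputObject $o -MemberType NoteProperty -Name FirstReply -Value $reply
        # A 354 reply means the peer accepted the EXCH50 blob that follows the command.
        Add-Member -InputObject $o -MemberType NoteProperty -Name Propagated -Value ($commandSent -and $reply.StartsWith('354'))
        $o
    }
}

# Constructed sample log: one session where the bridgehead accepts XEXCH50
# and one where it refuses it.
$sampleLog = @'
#Software: Microsoft Exchange Server
#Version: 8.0.0.0
#Log-type: SMTP Send Protocol Log
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2010-03-01T10:00:00.100Z,Legacy Forest,08CC0000AAAA0001,0,,192.168.1.10:25,*,,attempting to connect
2010-03-01T10:00:00.200Z,Legacy Forest,08CC0000AAAA0001,1,10.0.0.5:4210,192.168.1.10:25,+,,
2010-03-01T10:00:00.300Z,Legacy Forest,08CC0000AAAA0001,2,10.0.0.5:4210,192.168.1.10:25,>,MAIL FROM:<user@contoso.com>,
2010-03-01T10:00:00.400Z,Legacy Forest,08CC0000AAAA0001,3,10.0.0.5:4210,192.168.1.10:25,<,250 2.1.0 Sender OK,
2010-03-01T10:00:00.500Z,Legacy Forest,08CC0000AAAA0001,4,10.0.0.5:4210,192.168.1.10:25,>,XEXCH50 1216 2,
2010-03-01T10:00:00.600Z,Legacy Forest,08CC0000AAAA0001,5,10.0.0.5:4210,192.168.1.10:25,<,354 Send binary data,
2010-03-01T10:00:00.700Z,Legacy Forest,08CC0000AAAA0001,6,10.0.0.5:4210,192.168.1.10:25,<,250 XEXCH50 OK,
2010-03-01T10:05:00.100Z,Legacy Forest,08CC0000AAAA0002,0,,192.168.1.11:25,*,,attempting to connect
2010-03-01T10:05:00.200Z,Legacy Forest,08CC0000AAAA0002,1,10.0.0.5:4211,192.168.1.11:25,+,,
2010-03-01T10:05:00.300Z,Legacy Forest,08CC0000AAAA0002,2,10.0.0.5:4211,192.168.1.11:25,>,XEXCH50 1216 2,
2010-03-01T10:05:00.400Z,Legacy Forest,08CC0000AAAA0002,3,10.0.0.5:4211,192.168.1.11:25,<,504 Need to authenticate first,
'@

$sampleLines = $sampleLog.Split("`n") | ForEach-Object { $_.TrimEnd("`r") }
Get-Xexch50Result -Lines $sampleLines | Format-Table -AutoSize

# Against a real log (assumed default path under the EMS $exinstall variable), after
# Set-SendConnector -Identity "Legacy Forest" -ProtocolLoggingLevel Verbose:
# Get-Xexch50Result -Lines (Get-Content (Join-Path $exinstall 'TransportRoles\Logs\ProtocolLog\SmtpSend\SEND*.LOG'))
```

With the sample, the first session reports Propagated = True and the second Propagated = False with the refusal in FirstReply; a refused session is the symptom to look for when the Exchange 2003 registry or permission settings described in this section are not in place.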

Procedure

To configure cross-forest connectors between Exchange 2007 and Exchange 2003 servers in separate forests and use Basic authentication

  1. Create a Send connector from Exchange 2007 to Exchange 2003 by following these steps:

    1. In the Exchange 2003 forest, create a user account. Add the user account to the Exchange Domain Servers security group in the domain where the Exchange 2003 server that will act as smart host for this connector resides.

      Important

      This account is granted the permissions that are associated with Exchange servers. Be sure to safeguard the account credentials to prevent misuse of the account. You can configure the account to allow logon to specific computers only.

    2. In the Exchange 2007 forest, open the Exchange Management Shell on the Edge Transport server or the Hub Transport server, and run the following command:

      $mycred = get-credential
      

      In the dialog box that appears, enter the credentials for the user account that you created in the Exchange 2003 forest. Use the domain\user format or the UPN format to enter the user name and provide the user's password. Click OK.

    3. In the Exchange Management Shell, use one of the following commands to create the Send connector.

    • To create a new Send connector and use Basic authentication over TLS to provide both confidentiality and authentication to the receiving server, run the following command:

      New-SendConnector -Name "Legacy Forest" -SmartHostAuthMechanism BasicAuthRequireTLS -AuthenticationCredential $mycred -AddressSpaces FourthCoffee.com -SmartHosts Bridgehead1.FourthCoffee.Com, Bridgehead2.FourthCoffee.com -SourceTransportServers HubA.Contoso.com, HubB.Contoso.com -DNSRoutingEnabled $False
      
    • To create a new Send connector and use Basic authentication with TLS to provide only confidentiality, run the following command:

      New-SendConnector -Name "Legacy Forest" -SmartHostAuthMechanism BasicAuth -AuthenticationCredential $mycred -AddressSpaces FourthCoffee.com -SmartHosts Bridgehead1.FourthCoffee.Com, Bridgehead2.FourthCoffee.com -SourceTransportServers HubA.Contoso.com, HubB.Contoso.com -RequireTLS $True -DNSRoutingEnabled $False
      
  2. To set permissions on the Send connector, in the Exchange Management Shell, use the Enable-CrossForestConnector.ps1 script to run the following command:

    Enable-CrossForestConnector -Connector "Legacy Forest" -user "ANONYMOUS LOGON" -genericMTA
    
  3. Create an SMTP connector on an Exchange 2003 bridgehead server in the remote forest by following these steps:

    1. In the Exchange 2007 forest, create a user account. Add the user account to the ExchangeLegacyInterop security group.

      Important

      This account is granted the permissions that are associated with Exchange servers. Be sure to safeguard the account credentials to prevent misuse of the account. You can configure the account to allow logon to specific computers only.

    2. Open Exchange System Manager. Right-click the Connectors container that is located in the routing group where the server that will host this connector resides, select New, and then select SMTP Connector.

    3. Select the General tab. In the Name field, type a unique name for the connector.

    4. Select Forward all mail through this connector to the following smart hosts, and type the IP address or FQDN of the Exchange 2007 Edge Transport server or Hub Transport server. If you enter an IP address, it must be enclosed in brackets as follows, for example: [192.168.1.1].

    5. Click Add to add a local bridgehead server. In the Add Bridgehead dialog box, select one or more Exchange 2003 servers.

    6. Select the Address Space tab, and then click Add to create an address space. In the Add Address Space dialog box, select SMTP, and then click OK.

    7. On the Internet Address Space Properties page, enter the SMTP domain name of the Exchange 2007 forest, and then click OK.

    8. Select the Advanced tab, and then click Outbound Security. In the Outbound Security dialog box, select Basic Authentication, and then click Modify.

    9. In the Outbound Connection Credentials dialog box, enter the user name for the account that you created in the Exchange 2007 forest, enter the password for the account, and then click OK.

    10. Click OK to close the Outbound Security dialog box. Click OK.

Note

If the Exchange 2007 Send connector is configured to use Basic authentication over TLS or to use Basic authentication with the RequireTLS parameter set to $True, the Exchange 2003 server must advertise the correct certificate before authentication can occur. You can verify that a certificate has been imported to the Exchange 2003 SMTP Virtual Server by viewing the properties of the Virtual Server. To view or import a server certificate, select the Access tab and click Certificate.

To configure cross-forest connectors between Exchange 2007 and Exchange 2003 servers without a trust relationship by using external authentication

  1. Create a Send connector by using one of the following methods:

    • To use the Exchange Management Shell to create the Send connector from Contoso.com to FourthCoffee.com, run the following command:

      New-SendConnector -Name "Legacy Forest" -Usage Internal -AddressSpaces FourthCoffee.com -SmartHosts Hub1.FourthCoffee.Com, Hub2.FourthCoffee.com -SmartHostAuthMechanism ExternalAuthoritative -SourceTransportServers HubA.Contoso.com, HubB.Contoso.com -DNSRoutingEnabled $False
      
    • To use the Exchange Management Console to create the Send connector from Contoso.com to FourthCoffee.com, follow these steps:

    1. Open the Exchange Management Console. In the console tree, expand Organization Configuration, click Hub Transport, and then in the action pane, click New Send connector.

    2. On the New SMTP Send connector wizard Introduction page, in the Name field, type a unique name for the connector. From the Select the intended use for this connector drop-down list, select Internal, and then click Next.

    3. On the Address Space page, click Add. In the Add Address Space dialog box, type the name of the remote SMTP domain, and then click Next.

    4. On the Network Settings page, only the Route all mail through the following smart hosts: setting can be selected. Click Add.

    5. In the Add Smart Host dialog box, in the IP address or Fully qualified domain name (FQDN) field, type the IP address or FQDN of a bridgehead server in the Exchange 2003 forest, and then click OK. To specify more than one bridgehead server as a smart host, click Add and enter additional IP addresses or FQDNs, and then click Next.

    6. On the Smart host security settings page, select Externally Secured (for example with IPsec), and then click Next.

    7. On the Source Server page, click Add. In the Select Hub Transport and subscribed Edge Transport servers dialog box, select one or more Hub Transport servers in your organization, click OK, and then click Next.

    8. On the New Connector page, click New, and then on the Completion page, click Finish.

  2. Create a new Receive connector by using one of the following methods:

    • To use the Exchange Management Shell to create the Receive connector for Contoso.com to receive mail from FourthCoffee.com, run the following command:

      New-ReceiveConnector -Name "Legacy Forest" -Usage Internal -Server HubA -PermissionGroups ExchangeServers -RemoteIPRanges <IP address of Fourth Coffee Hub Transport server> -AuthMechanism ExternalAuthoritative -Bindings 0.0.0.0:25
      
    • To use the Exchange Management Console to create the Receive connector for Contoso.com to receive mail from FourthCoffee.com, follow these steps:

    1. Open the Exchange Management Console. In the console tree, expand Server Configuration, click Hub Transport, and then in the action pane, click New Receive Connector.

    2. On the New SMTP Receive Connector wizard Introduction page, in the Name field, type a unique name for the connector.

    3. From the Select the intended use for this connector drop-down list, select Internal, and then click Next.

    4. On the Remote Network settings page, delete the all network ranges entry, and then click Add.

    5. In the Add IP address(es) of Remote Servers dialog box, type the IP address of the bridgehead server in the Exchange 2003 organization, click OK, and then click Next.

    6. On the New Connector page, click New, and then on the Completion page, click Finish.

  3. To modify the authentication method that is used for this connector, follow these steps:

    1. In the task pane, select the Receive connector that you want to modify, and then in the action pane, click Properties.

    2. Click the Authentication tab. Clear the check boxes for Transport Layer Security (TLS) and Exchange Server authentication, select Externally Secured (for example with IPsec), and then click OK.

  4. Perform the following steps to modify the registry settings on the Exchange 2003 bridgehead server to allow the Exchange 2003 server to send and receive XExch50 properties anonymously:

    Warning

    Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.

    1. Open Registry Editor.

    2. Locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\XEXCH50

    3. Right-click XEXCH50 and select New | DWORD Value. Type SuppressExternal for the value name. By default, the value data is 0, which indicates that the XEXCH50 properties are transmitted to the remote server anonymously.

    4. Right-click XEXCH50 and select New | Key. Type the number of the SMTP virtual server instance as the key value. For example, the default virtual server instance is 1, and the second SMTP virtual server created on a server is 2.

    5. Right-click the key that you just created, point to New, and then click DWORD Value.

    6. In the details pane, type Exch50AuthCheckEnabled for the value name. By default, the value data is 0, which indicates that the XEXCH50 properties are transmitted when e-mail is sent anonymously.
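The following is an added example and is not part of the original article. Run in Windows PowerShell on the Exchange 2003 bridgehead server after the registry steps above, it reads back SuppressExternal and the per-instance Exch50AuthCheckEnabled value and reports the resulting behaviour using the meaning the steps give to 0; a value that has not been created is reported as not set. It is read-only and writes nothing to the registry. The registry path is the one named in step 2; the interpretation of a nonzero value as "not transmitted anonymously" follows from the steps' description of 0.

```powershell
# Added example, not from the original article. Reports the XEXCH50 registry
# state for one SMTP virtual server instance on an Exchange 2003 server.

function Format-Xexch50Value {
    param($Value, [string]$ZeroMeaning)
    if ($Value -eq $null) { return ("not set (default 0: {0})" -f $ZeroMeaning) }
    if ([int]$Value -eq 0) { return ("0: {0}" -f $ZeroMeaning) }
    return ("{0}: not transmitted anonymously" -f $Value)
}

function Get-Xexch50RegistryState {
    param([int]$VirtualServerInstance = 1)   # 1 is the default SMTP virtual server
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SMTPSVC\XEXCH50'
    $instanceKey = Join-Path $base $VirtualServerInstance

    $suppress = $null
    $authCheck = $null
    if (Test-Path $base) {
        # Absent value reads back as $null, which Format-Xexch50Value reports as "not set".
        $suppress = (Get-ItemProperty -Path $base).SuppressExternal
    }
    if (Test-Path $instanceKey) {
        $authCheck = (Get-ItemProperty -Path $instanceKey).Exch50AuthCheckEnabled
    }

    $o = New-Object PSObject
    Add-Member -InputObject $o -MemberType NoteProperty -Name VirtualServerInstance -Value $VirtualServerInstance
    Add-Member -InputObject $o -MemberType NoteProperty -Name Xexch50KeyExists -Value (Test-Path $base)
    Add-Member -InputObject $o -MemberType NoteProperty -Name InstanceKeyExists -Value (Test-Path $instanceKey)
    Add-Member -InputObject $o -MemberType NoteProperty -Name SuppressExternal -Value (Format-Xexch50Value $suppress 'XEXCH50 properties sent to the remote server anonymously')
    Add-Member -InputObject $o -MemberType NoteProperty -Name Exch50AuthCheckEnabled -Value (Format-Xexch50Value $authCheck 'XEXCH50 properties accepted when mail is sent anonymously')
    $o
}

Get-Xexch50RegistryState -VirtualServerInstance 1 | Format-List
```

For the scenario in this section, both values should exist and read 0 for the virtual server instance that the SMTP connector's bridgehead uses.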

For More Information

For more information, see the following topics: