Configure Cross-Forest Connectors

 

Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

You can use the EMC or the Shell to configure Send connectors and Receive connectors to enable cross-forest communication. To establish direct mail flow between servers that are running Microsoft Exchange in different Active Directory forests, you must configure Send connectors and Receive connectors.

This topic explains how to configure cross-forest connectors for the following scenarios:

  • Exchange Server 2010 to Exchange Server 2010

  • Exchange 2010 to Exchange Server 2003

Configure cross-forest connectors between Exchange 2010 forests

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Send connectors" and "Receive connectors" entries in the Transport Permissions topic.

In this scenario, you create the cross-forest connectors between the Hub Transport servers in two Exchange 2010 organizations that are located in separate Active Directory forests. Basic authentication or external authentication mechanisms provide authentication and authorization between the servers in different forests. If you use Basic authentication, you can select from the following two methods to also use Transport Layer Security (TLS):

  • Set the smart host authentication method to Basic authentication over TLS. This method provides both confidentiality and authentication of the receiving server. If you select this smart host authentication method, the sending server will validate the certificate of the receiving server as a requirement for mail flow.

  • Set the RequireTLS parameter to $true. This method provides confidentiality, but doesn't authenticate the receiving server.

To configure a cross-forest connector between the Hub Transport servers in two Exchange 2010 organizations, you must meet the following prerequisites:

  • Each forest must have an Exchange organization with Exchange 2010 servers.

  • If you use Basic authentication, a domain account must exist in each forest to use for Basic authentication. For example, provide a user account that has the user principal name (UPN) FourthCoffee@Contoso.com as the credentials that must be used for authentication by the Exchange servers in the Fourth Coffee domain when mail is sent to the Exchange servers in the Contoso domain.

  • If you use Basic authentication over TLS, the target server must be configured to use an X.509 certificate that contains a fully qualified domain name (FQDN) that's the same as the FQDN of the Receive connector.

  • If you use external authentication, a trusted network connection must exist between the Hub Transport servers. This connection may be an IPsec association or VPN. Alternatively, the servers may reside in a trusted physically controlled network.

To establish mail flow between the forests, follow these steps:

  1. Create a user account in each forest to use for authentication to the receiving server in the second forest.

  2. Create a Send connector.

  3. Set permissions on the Send connector.

  4. For externally secured connectors, create a new Receive connector.

    Note

    If you're using Basic authentication over TLS, you must provide the FQDN of the remote Hub Transport server in the smart host settings. You can't use an IP address.

The following procedures establish cross-forest mail flow between the Exchange 2010 Hub Transport servers in the Contoso.com and FourthCoffee.com forests by using either Basic authentication or external authentication. You must perform the reciprocal procedure in each forest.

Configure cross-forest connectors between Exchange 2010 servers by using Basic authentication

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Send connectors" and "Receive connectors" entries in the Transport Permissions topic.

Step 1: Create a user account in each forest

  • Create the user account in each forest and then add the account to the Exchange Servers universal security group. This account is used by the Send connector to authenticate to the receiving server in the second forest.

    Important

    This account is granted the permissions that are associated with Exchange servers. Be sure to safeguard the account credentials to prevent misuse of the account. You can configure the account to allow logon to specific computers only.

Step 2: Create a Send connector in the Contoso forest

Use the EMC to create a Send connector

  1. In the console tree, navigate to Organization Configuration > Hub Transport, and then in the action pane, click New Send connector.

  2. On the New SMTP Send connector wizard Introduction page, in the Name field, type a unique name for the connector.

  3. From the Select the intended use for this Send connector drop-down list, select Internal, and then click Next.

  4. On the Address Space page, click Add. In the SMTP Address Space dialog box, type the name of the remote SMTP domain, and then click Next.

  5. On the Network settings page, only the Route mail through the following smart hosts setting can be selected. Click Add.

  6. In the Add Smart Host dialog box, in the IP address or Fully qualified domain name (FQDN) field, type the FQDN of a Hub Transport server in the remote forest, and then click OK. To specify more than one Hub Transport server as a smart host, click Add and enter additional FQDNs, and then click Next.

  7. On the Configure smart host authentication settings page, select Basic Authentication or Basic Authentication over TLS, type the user name and password that will be used to authenticate the connection, and then click Next.

  8. On the Source Server page, click Add. In the Select Hub Transport or Subscribed Edge Transport Server dialog box, select one or more Hub Transport servers in your organization, click OK, and then click Next.

  9. On the New Connector page, click New.

  10. On the Completion page, review the following, and then click Finish to close the wizard:

    • A status of Completed indicates that the wizard completed the task successfully.

    • A status of Failed indicates that the task wasn't completed. If the task fails, review the summary for an explanation, and then click Back to make any configuration changes.

Use the Shell to create a Send connector

This example creates the Send connector from Contoso.com to FourthCoffee.com and uses Basic authentication over TLS to provide both confidentiality and authentication to the receiving server.

  1. This command stores the credentials for use in authentication.

    $mycred = Get-Credential
    
  2. In the dialog box that appears, enter the credentials for the user account in the Fourth Coffee domain. Use the domain\user format or UPN format to enter the user name and provide the user's password.

  3. Click OK.

  4. This command creates the Send connector.

    New-SendConnector -Name "Cross-Forest" -Usage Internal -AddressSpaces FourthCoffee.com -SmartHosts Hub1.FourthCoffee.com, Hub2.FourthCoffee.com -SmartHostAuthMechanism BasicAuthRequireTLS -AuthenticationCredential $mycred -SourceTransportServers HubA.Contoso.com, HubB.Contoso.com -DNSRoutingEnabled $false
    

This example creates the Send connector from Contoso.com to FourthCoffee.com and uses Basic authentication over TLS to provide only confidentiality.

  1. This command stores the credentials for use in authentication.

    $mycred = Get-Credential
    
  2. In the dialog box that appears, enter the credentials for the user account in the Fourth Coffee domain. Use the domain\user format or UPN format to enter the user name and provide the user's password.

  3. Click OK.

  4. This command creates the Send connector.

    New-SendConnector -Name "Cross-Forest" -Usage Internal -AddressSpaces FourthCoffee.com -SmartHosts Hub1.FourthCoffee.com, Hub2.FourthCoffee.com -SmartHostAuthMechanism BasicAuth -AuthenticationCredential $mycred -SourceTransportServers HubA.Contoso.com, HubB.Contoso.com -RequireTLS $true -DNSRoutingEnabled $false
    

For detailed syntax and parameter information, see New-SendConnector.

Step 3: Use the Shell to set permissions on the Send connector

Note

You can't use the EMC to set permissions on the Send connector.

This example uses the Enable-CrossForestConnector.ps1 script in the Shell to set permissions on the Send connector.

.\Enable-CrossForestConnector.ps1 -Connector "Cross-Forest" -user "ANONYMOUS LOGON"

Configure cross-forest connectors between Exchange 2010 servers by using external authentication

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Send connectors" and "Receive connectors" entries in the Transport Permissions topic.

Step 1: Create a Send connector

Use the EMC to create a Send connector

  1. In the console tree, navigate to Organization Configuration > Hub Transport, and then in the action pane, click New Send connector.

  2. On the New SMTP Send connector wizard Introduction page, in the Name field, type a unique name for the connector. From the Select the intended use for this Send connector drop-down list, select Internal, and then click Next.

  3. On the Address space page, click Add. In the SMTP Address Space dialog box, type the name of the remote SMTP domain, and then click Next.

  4. On the Network settings page, only the Route mail through the following smart hosts setting can be selected. Click Add.

  5. In the Add Smart Host dialog box, in the IP address or Fully qualified domain name (FQDN) field, type the IP address or FQDN of a Hub Transport server in the remote forest, and then click OK. To specify more than one Hub Transport server as a smart host, click Add and enter additional IP addresses or FQDNs, and then click Next.

  6. On the Configure smart host authentication settings page, select Externally Secured (for example, with IPsec), and then click Next.

  7. On the Source Server page, click Add. In the Select Hub Transport or Subscribed Edge Transport Server dialog box, select one or more Hub Transport servers in your organization, click OK, and then click Next.

  8. On the New Connector page, click New.

  9. On the Completion page, review the following, and then click Finish to close the wizard:

    • A status of Completed indicates that the wizard completed the task successfully.

    • A status of Failed indicates that the task wasn't completed. If the task fails, review the summary for an explanation, and then click Back to make any configuration changes.

Use the Shell to create a Send connector

This example creates the Send connector from Contoso.com to FourthCoffee.com.

New-SendConnector -Name "Cross-Forest" -Usage Internal -AddressSpaces FourthCoffee.com -SmartHosts Hub1.FourthCoffee.com, Hub2.FourthCoffee.com -SmartHostAuthMechanism ExternalAuthoritative -SourceTransportServers HubA.Contoso.com, HubB.Contoso.com -DNSRoutingEnabled $false

For detailed syntax and parameter information, see New-SendConnector.

Step 2: Create a Receive connector

Use the EMC to create a Receive connector

  1. In the console tree, navigate to Server Configuration > Hub Transport, and then in the action pane, click New Receive Connector.

  2. On the New SMTP Receive Connector wizard Introduction page, in the Name field, type a unique name for the connector.

  3. From the Select the intended use for this Receive connector drop-down list, select Internal, and then click Next.

  4. On the Remote Network settings page, remove the all network ranges entry, and then click Add.

  5. In the Add IP Address(es) of Remote Servers dialog box, type the IP address of the remote Hub Transport server, click OK, and then click Next.

  6. On the New Connector page, click New.

  7. On the Completion page, review the following, and then click Finish to close the wizard:

    • A status of Completed indicates that the wizard completed the task successfully.

    • A status of Failed indicates that the task wasn't completed. If the task fails, review the summary for an explanation, and then click Back to make any configuration changes.

Use the Shell to create a Receive connector

This example creates the Receive connector for Contoso.com to receive mail from FourthCoffee.com.

New-ReceiveConnector -Name "Cross-Forest" -Server HubA -PermissionGroups ExchangeServers -RemoteIPRanges <IP address of Fourth Coffee Hub Transport server> -AuthMechanism ExternalAuthoritative -Bindings 0.0.0.0:25

For detailed syntax and parameter information, see New-ReceiveConnector.

Step 3: Modify the authentication method used for this connector

Note

This step isn't necessary if you used the Shell to create the Receive connector in step 2. It's required if you used the EMC in step 2.

  1. In the console tree, navigate to Server Configuration > Hub Transport.

  2. In the result pane, select the Receive connector that you want to modify, and then in the action pane, click Properties.

  3. Click the Authentication tab.

  4. Clear the check boxes for Transport Layer Security (TLS) and Exchange Server authentication, and then select Externally Secured (for example with IPsec).

  5. Click OK.

Configure cross-forest connectors between Exchange 2010 and Exchange 2003

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Send connectors" and "Receive connectors" entries in the Transport Permissions topic.

In this scenario, you create the cross-forest connectors between an Active Directory forest with an Exchange organization that's running Exchange 2010 and a second Active Directory forest with an Exchange organization that's running Exchange 2003. You can create the Send connectors and Receive connectors between the Exchange 2010 Edge Transport server and the Exchange 2003 bridgehead server or between the Exchange 2010 Hub Transport server and the Exchange 2003 bridgehead server.

To establish mail flow between the forests, follow these steps:

  1. Create user accounts in each forest for authenticating the sending server. This step isn't required if you use external authentication.

  2. Create a Send connector and select Internal as the usage for this connector on either the Exchange 2010 Edge Transport server or Hub Transport server.

  3. Modify the authentication for the new Send connector.

  4. Create an SMTP connector on Exchange 2003.

  5. If you're using external authentication, modify the registry on the Exchange 2003 server to allow the Exchange 2003 server to send and receive XEXCH50 properties anonymously.

The following procedures establish cross-forest mail flow between the Exchange 2010 transport servers in the Contoso.com forest and the Exchange 2003 bridgehead servers in the FourthCoffee.com forest by using either Basic authentication or external authentication. After you perform one of the following procedures, we recommend that you test mail flow by sending a message between the two organizations. You should also examine the protocol logs to verify that XEXCH50 data is propagated to Exchange 2003.

Configure cross-forest connectors between Exchange 2010 and Exchange 2003 servers in separate forests and use Basic authentication

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Send connectors" and "Receive connectors" entries in the Transport Permissions topic.

Step 1: Create a user account in each forest

In the Exchange 2003 forest, create a user account. Add the user account to the Exchange Domain Servers security group in the domain where the Exchange 2003 server that will act as smart host for this connector resides.

Important

This account is granted the permissions that are associated with Exchange servers. Be sure to safeguard the account credentials to prevent misuse of the account. You can configure the account to allow logon to specific computers only.

In the Exchange 2010 forest, create a user account. Add the user account to the ExchangeLegacyInterop security group in the domain where the Exchange 2010 server that will act as the smart host for receiving messages from Exchange 2003 resides.

Step 2: Create a Send connector from Exchange 2010 to Exchange 2003

Use the EMC to create a Send connector

  1. In the console tree, navigate to Organization Configuration > Hub Transport, and then in the action pane, click New Send connector.

  2. On the New SMTP Send connector wizard Introduction page, in the Name field, type a unique name for the connector. From the Select the intended use for this Send connector drop-down list, select Internal, and then click Next.

  3. On the Address Space page, click Add. In the SMTP Address Space dialog box, type the name of the remote SMTP domain, and then click Next.

  4. On the Network settings page, only the Route mail through the following smart hosts setting can be selected. Click Add.

  5. In the Add Smart Host dialog box, in the IP address or Fully qualified domain name (FQDN) field, type the IP address or FQDN of the Exchange 2003 bridgehead server in the remote forest, and then click OK. To specify more than one bridgehead server as a smart host, click Add and enter additional IP addresses or FQDNs, and then click Next.

  6. On the Configure smart host authentication settings page, in either Basic Authentication or Basic Authentication over TLS, type the user name and password that will be used to authenticate the connection, and then click Next.

  7. On the Source Server page, click Add. In the Select Hub Transport or Subscribed Edge Transport Server dialog box, select one or more Hub Transport servers in your organization, click OK, and then click Next.

  8. On the New Connector page, click New.

  9. On the Completion page, review the following, and then click Finish to close the wizard:

    • A status of Completed indicates that the wizard completed the task successfully.

    • A status of Failed indicates that the task wasn't completed. If the task fails, review the summary for an explanation, and then click Back to make any configuration changes.

Use the Shell to create a Send connector

If the Exchange 2010 Send connector is configured to use Basic authentication over TLS or to use Basic authentication with the RequiredTLS parameter set to $true, the Exchange 2003 server must advertise the correct certificate before authentication can occur. You can verify that a certificate has been imported to the Exchange 2003 SMTP virtual server by viewing the properties of the virtual server. To view or import a server certificate, select the Access tab and click Certificate.

  1. This command stores the credentials for use in authentication. In the Exchange 2010 forest, open the Shell on the Edge Transport server or the Hub Transport server, and run the following command.

    $mycred = Get-Credential
    

    In the dialog box that appears, enter the credentials for the user account that you created in the Exchange 2003 forest. Use the domain\user format or the UPN format to enter the user name and provide the user's password. Click OK.

  2. In the Shell, use one of the following commands to create the Send connector.

    • This example creates a Send connector to use Basic authentication over TLS to provide both confidentiality and authentication to the receiving server.

      New-SendConnector -Name "Legacy Forest" -SmartHostAuthMechanism BasicAuthRequireTLS -AuthenticationCredential $mycred -AddressSpaces FourthCoffee.com -SmartHosts Bridgehead1.FourthCoffee.com, Bridgehead2.FourthCoffee.com -SourceTransportServers HubA.Contoso.com, HubB.Contoso.com -DNSRoutingEnabled $false
      
    • This example creates a Send connector to use Basic authentication with TLS to provide only confidentiality.

      New-SendConnector -Name "Legacy Forest" -SmartHostAuthMechanism BasicAuth -AuthenticationCredential $mycred -AddressSpaces FourthCoffee.com -SmartHosts Bridgehead1.FourthCoffee.com, Bridgehead2.FourthCoffee.com -SourceTransportServers HubA.Contoso.com, HubB.Contoso.com -RequireTLS $true -DNSRoutingEnabled $false
      

For detailed syntax and parameter information, see New-SendConnector.

Step 3: Use the Shell to set permissions on the Send connector

Note

You can't use the EMC to set permissions on the Send connector.

This example uses the Enable-CrossForestConnector.ps1 script in the Shell to set permissions on the Send connector.

.\Enable-CrossForestConnector.ps1 -Connector "Legacy Forest" -user "ANONYMOUS LOGON" -genericMTA

Step 4: Use Exchange System Manager to create an SMTP connector on an Exchange 2003 bridgehead server in the remote forest

  1. In the Exchange 2010 forest, create a user account. Add the user account to the ExchangeLegacyInterop security group.

    Important

    This account is granted the permissions that are associated with Exchange servers. Be sure to safeguard the account credentials to prevent misuse of the account. You can configure the account to allow logon to specific computers only.

  2. In the Exchange 2003 forest, open Exchange System Manager. Right-click the Connectors container that's located in the routing group where the server that will host this connector resides, select New, and then select SMTP Connector.

  3. Select the General tab. In the Name field, type a unique name for the connector.

  4. Select Forward all mail through this connector to the following smart hosts, and then type the IP address or FQDN of the Exchange 2010 Edge Transport server or Hub Transport server. If you enter an IP address, it must be enclosed in brackets, for example, [192.168.1.1].

  5. Click Add to add a local bridgehead server. In the Add Bridgehead dialog box, select one or more Exchange 2003 servers.

  6. Select the Address Space tab, and then click Add to create an address space. In the Add Address Space dialog box, select SMTP, and then click OK.

  7. On the Internet Address Space Properties page, enter the SMTP domain name of the Exchange 2010 forest, and then click OK.

  8. Select the Advanced tab, and then click Outbound Security. In the Outbound Security dialog box, select Basic Authentication, and then click Modify.

  9. In the Outbound Connection Credentials dialog box, enter the user name for the account that you created in the Exchange 2010 forest, enter the password for the account, and then click OK.

  10. Click OK to close the Outbound Security dialog box. Click OK.

Configure cross-forest connectors between Exchange 2010 and Exchange 2003 servers without a trust relationship by using external authentication

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Send connectors" and "Receive connectors" entries in the Transport Permissions topic.

Step 1: Create a Send connector

Use the EMC to create a Send connector

  1. In the console tree navigate to Organization Configuration > Hub Transport.

  2. In the action pane, click New Send connector.

  3. On the New SMTP Send connector wizard Introduction page, in the Name field, type a unique name for the connector. From the Select the intended use for this Send connector drop-down list, select Internal, and then click Next.

  4. On the Address Space page, click Add. In the SMTP Address Space dialog box, type the name of the remote SMTP domain, and then click Next.

  5. On the Network settings page, only the Route mail through the following smart hosts setting can be selected. Click Add.

  6. In the Add Smart Host dialog box, in the IP address or Fully qualified domain name (FQDN) field, type the IP address or FQDN of the bridgehead server in the Exchange 2003 forest, and then click OK. To specify more than one bridgehead server as a smart host, click Add and enter additional IP addresses or FQDNs, and then click Next.

  7. On the Configure smart host authentication settings page, select Externally Secured (for example with IPsec), and then click Next.

  8. On the Source Server page, click Add. In the Select Hub Transport or Subscribed Edge Transport Server dialog box, select one or more Hub Transport servers in your organization, click OK, and then click Next.

  9. On the New Connector page, click New.

  10. On the Completion page, review the following, and then click Finish to close the wizard:

    • A status of Completed indicates that the wizard completed the task successfully.

    • A status of Failed indicates that the task wasn't completed. If the task fails, review the summary for an explanation, and then click Back to make any configuration changes.

Use the Shell to create a Send connector

This example creates the Send connector from Contoso.com to FourthCoffee.com.

New-SendConnector -Name "Legacy Forest" -Usage Internal -AddressSpaces FourthCoffee.com -SmartHosts Hub1.FourthCoffee.com, Hub2.FourthCoffee.com -SmartHostAuthMechanism ExternalAuthoritative -SourceTransportServers HubA.Contoso.com, HubB.Contoso.com -DNSRoutingEnabled $false

For detailed syntax and parameter information, see New-SendConnector.

Step 2: Create a Receive connector

Use the EMC to create a Receive connector

  1. In the console tree, navigate to Server Configuration > Hub Transport, and then in the action pane, click New Receive Connector.

  2. On the New SMTP Receive Connector wizard Introduction page, in the Name field, type a unique name for the connector.

  3. From the Select the intended use for this Receiver connector drop-down list, select Internal, and then click Next.

  4. On the Remote Network settings page, remove the all network ranges entry, and then click Add.

  5. In the Add IP address(es) of Remote Servers dialog box, type the IP address of the bridgehead server in the Exchange 2003 organization, click OK, and then click Next.

  6. On the New Connector page, click New.

  7. On the Completion page, review the following, and then click Finish to close the wizard:

    • A status of Completed indicates that the wizard completed the task successfully.

    • A status of Failed indicates that the task wasn't completed. If the task fails, review the summary for an explanation, and then click Back to make any configuration changes.

Use the Shell to create a Receive connector

This example creates the Receive connector for Contoso.com to receive mail from FourthCoffee.com.

New-ReceiveConnector -Name "Legacy Forest" -Usage Internal -Server HubA -PermissionGroups ExchangeServers -RemoteIPRanges <IP address of Fourth Coffee Hub Transport server> -AuthMechanism ExternalAuthoritative -Bindings 0.0.0.0:25

For detailed syntax and parameter information, see New-ReceiveConnector.

Step 3: Modify the authentication method used for this connector

Note

This step isn't necessary if you used the Shell to create the Receive connector in step 2. It's required if you used the EMC in step 2.

  1. In the console tree, navigate to Server Configuration > Hub Transport.

  2. In the result pane, select the Receive connector that you want to modify, and then in the action pane, click Properties.

  3. Click the Authentication tab.

  4. Clear the check boxes for Transport Layer Security (TLS) and Exchange Server authentication, select Externally Secured (for example with IPsec), and then click OK.

Step 4: Modify the registry settings on the Exchange 2003 bridgehead server to allow the Exchange 2003 server to send and receive XEXCH50 properties anonymously

Warning

Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.

  1. Open Registry Editor.

  2. Locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\XEXCH50

  3. Right-click XEXCH50 and select New | DWORD Value. Type SuppressExternal for the value name. By default, the value data is 0, which indicates that the XEXCH50 properties are transmitted to the remote server anonymously.

  4. Right-click XEXCH50 and select New | Key. Type the number of the SMTP virtual server instance as the key value. For example, the default virtual server instance is 1, and the second SMTP virtual server created on a server is 2.

  5. Right-click the key that you just created, point to New, and then click DWORD Value.

  6. In the details pane, type Exch50AuthCheckEnabled for the value name. By default, the value data is 0, which indicates that the XEXCH50 properties are transmitted when e-mail is sent anonymously.

 © 2010 Microsoft Corporation. All rights reserved.