Configure a Cross-Forest Send Connector
Topic Last Modified: 2013-02-21
In Active Directory, the forest represents the outer boundary of your directory service. You can create Send connectors to enable communication between forests. In this example, the connectors use Basic authentication.
For additional management tasks related to configuring connectors, see Connectors.
Interested in scenarios where this procedure is used? See the following topics:
Estimated time to complete: 20 minutes
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Send connectors" entry and “Receive connectors” entry in the Mail Flow Permissions topic.
See Deploy a New Installation of Exchange 2013 if you are beginning your installation. After the installation you can use the steps in this topic to create connectors to configure a cross-forest topology.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard Shortcuts in the Exchange Admin Center.
You must create a user account in each forest to use for Basic authentication. Create an account in each forest and add each to the universal security group of the Exchange Server used for communication. This account is used by the Send connector to authenticate to the server receiving mail in the other forest. For example, provide a user account that has the user principal name (UPN) FourthCoffee@Contoso.com as the credentials that must be used for authentication by the Exchange server in the Fourth Coffee domain when mail is sent to the Exchange server in the Contoso domain.
Establish cross-forest mail flow using Basic authentication.
In the EAC, navigate to mail flow > send connectors. Click Add .
In the new send connector wizard, specify a name for the send connector and then select Internal for the Type. Click next.
Choose Route mail through smart hosts, and then click Add . In the add smart host window, specify the IP address of the target server in the second forest, such as 188.8.131.52. Click save and then next.
For Smart host authentication, choose Basic authentication and provide a user name and password. Here you can choose Offer basic authentication only after starting TLS for secure communication over TLS.
Note: If you use Basic authentication over TLS, the target server must be configured to use an X.509 certificate.
Under Address space, click Add . In the add domain window, make sure SMTP is listed as the Type. For Fully Qualified Domain Name (FQDN), enter the receiving domain, such as fourthcoffee.com. Click save and then next.
For Source server, click Add . In the Select a server window, choose the server to use and click add . Click ok.
Click finish. The connector appears in the list of Send connectors.
After you create your Send connector, create a Send connector in the second forest that sends mail to the original forest. In this case, the Fully Qualified Domain Name (FQDN) you specify will be the domain name of the first forest. For example, contoso.com.
This example uses the Enable-CrossForestConnector.ps1 script in the Shell to set permissions on the Send connector for use in a cross-forest topology.
.\Enable-CrossForestConnector.ps1 -Connector "Cross-Forest" -user "ANONYMOUS LOGON"
To verify that you have successfully created Send connectors to route email to a second forest, send a message from a user in your organization (you can use the Outlook Web App) to the domain you specified for the Address space. If the recipient receives the message, you've successfully configured the send connector.