Deploy Exchange 2010 in a Cross-Forest Topology

Applies to: Exchange Server 2010

Topic Last Modified: 2010-04-13

This topic explains how to deploy Microsoft Exchange Server 2010 in a cross-forest topology using Microsoft Identity Lifecycle Manager (ILM) 2007 Feature Pack 1 (FP1). To deploy Exchange 2010 in a cross-forest topology, you must first install Exchange 2010 in each forest and then connect the forests so that users can see address and availability data across the forests.

Example of Exchange 2010 multiple forest
This topic doesn't describe how to deploy Exchange 2010 in a dedicated Exchange forest (or resource forest) topology. For information about how to deploy Exchange 2010 in a resource forest topology, see Deploy Exchange 2010 in an Exchange Resource Forest Topology.

To synchronize the global address lists (GALs) in Exchange 2010 across forests, we recommend that you use ILM 2007 FP1. The GAL synchronization management agent in ILM 2007 FP1 calls the Update-Recipient cmdlet automatically. You don't need to perform additional steps to finish provisioning recipients that are created by ILM 2007 FP1 GAL synchronization.

To learn more about ILM 2007 FP1, see Microsoft Identity Lifecycle Manager 2007 Product Overview.

To perform the following procedure in Exchange 2010, confirm the following:

  • You have correctly configured Domain Name System (DNS) for name resolution across forests in your organization. To verify that DNS is configured correctly, use the Ping tool to test connectivity to each forest from the other forests in your organization and from the server on which you will run the GALSync agent.
  • The GALSync Management Agent communicates with the Exchange 2010 forest using Windows PowerShell V2.0 RTM. Make sure PowerShell v1.0 isn't installed on the computer on which you're installing Exchange 2010 by going to Control Panel, and then clicking Programs and Features.
  • Ensure that Windows Remote Management has not been installed by Windows Update.
  • Install Windows PowerShell and Windows Remote Management from this location: Description of the Windows Management Framework on Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

  1. In each forest, install Exchange 2010 separately. To install Exchange 2010, perform the same steps that you would if you were installing Exchange 2010 in a single forest topology. For detailed steps, see the following topics:
  2. In each forest, use Active Directory Users and Computers to create a container in which ILM 2007 FP1 will create contacts for each mailbox from the other forest. We recommend that you name this container FromILM. To create the container, select the domain in which you want to create the container, right-click the domain, select New, and then select Organizational Unit. In New Object - Organizational Unit, type FromILM, and then click OK.
  3. Create a GALSync management agent for each forest by using ILM 2007 FP1. This allows you to synchronize the users in each forest and create a common GAL. For detailed steps, see the procedure "Configure a GAL Synchronization management agent with ILM 2007 FP1" later in this topic.
  4. Enable GALSync. To do this, in the main ILM Identity Manager window, click Tools > Options, and then select the Enable Provisioning Rules Extension check box. Click OK.
  5. Create an SMTP Send connector in each of the forests. For detailed steps, see Configure Cross-Forest Connectors.
  6. In each forest, enable the Availability service so that users in each forest can view free/busy data about users in the other forest. For more information, see Managing the Availability Service.
    The Availability service is supported only for Microsoft Office Outlook 2007 clients.
  7. If you require that mail can be relayed through any forest in your organization, you must configure a domain in that forest as an authoritative domain. For detailed steps, see Configure Exchange 2010 to Accept E-Mail for More Than One Authoritative Domain.
  8. Move mailboxes from your existing Exchange 2003 or Exchange 2007 servers to the new Exchange 2010 Mailbox servers in each forest. For detailed steps, see Create a Remote Legacy Move Request Where One of the Forests Doesn't Have Exchange 2010.

  1. In ILM 2007 FP1, select Management Agents from the toolbar, and then under Actions, click Create.
  2. On the Create Management Agent page, under Management agent for, select Active Directory global address list (GAL).
  3. In the Name box, type a name for this management agent. When creating the name, we recommend that you include the name of the source forest from which this management agent will gather recipient information.
  4. In the Description box, type a description for this management agent, and then click Next.
  5. On the Connect to Active Directory Forest page, complete the following fields:
    • Forest name   Name of the source forest.
    • User name and Password   User name and password of an account that has permission to read schema information from the source forest.
    • Domain   Domain for the specified account.
      You can also enter the user name as <user>@<domain> and leave the domain field blank.
  6. Click Next.
  7. On the Configure Directory Partitions page, select the directory partitions on the source forest from which you want to project data to a destination forest.
  8. On the Configure Directory Partitions page, click Containers.
  9. On the Select Containers page, clear the top-level check box for the directory partition, select the containers for which this management agent will gather and store information, and then click OK. Be sure to select the container in which ILM will create contacts for each mailbox from the other forest, such as the FromILM container.
  10. On the Configure Directory Partitions page, click Next.
  11. On the Configure GAL page, click Target, and then select the container in which the contacts from other forests will reside in the target forest.
  12. On the Configure GAL page, click Source, and then select the container in which other forests' objects that are synchronized to the target forest will reside.
  13. Under Exchange configuration, click Edit to specify at least one SMTP e-mail suffix that is managed in the source forest. Click Next.
  14. On the Select Object Types page, click Next.
  15. On the Select Attributes page, click Next.
  16. On the Configure Connector Filter page, click Next.
  17. On the Configure Join and Projection Rules page, click Next.
  18. On the Configure Attribute Flow page, click Next.
  19. On the Configure Deprovisioning page, click Next.
  20. On the Configure Extensions page, under Configure partition display name(s), next to Provision for, select Exchange 2010. If you select Exchange 2010, you will see the Exchange 2010 RPS URI field. Enter the URI of an Exchange 2010 Client Access server to make sure the remote PowerShell connection is functioning. (See "Testing a Remote PowerShell Connection" later in this topic for an example that describes how to verify that the connection is functioning.) The Exchange 2010 RPS URI should be in the following format: http://CAS_Server_FQDN/Powershell. Click OK.
    Make sure that the administrator credentials used to connect to the Exchange 2010 forest can also make remote PowerShell connections to that forest.
    The following figure shows how to select provisioning for Exchange 2010.
    Provision GalSync Management Agent for Exchange 2010
    Management Agent Exchange 2010  provisioning

This example shows how to test whether you can make a remote PowerShell call to an Exchange 2010 Client Access server to verify that remote PowerShell is functioning correctly. From the computer that is running ILM 2007 FP1, first run this command:

$rs = new-pssession -conf -conn http://CAS_SERVER_NAME/powershell -auth kerberos -cred (get-credential)

Then run this command:

Invoke-Command $rs {get-recipient -ResultSize 1}