Deploy Multiple Forest Topologies
Applies to: Exchange Server 2010
Topic Last Modified: 2010-04-27
This topic provides an overview of deploying Microsoft Exchange Server 2010 in multiple forest topologies. You'll find information about the following subjects:
Supported Multiple Forest Topologies Exchange 2010 supports two types of multiple forest topologies: cross-forest and resource forest.
GAL Synchronization If you have a cross-forest environment, you need to ensure that the GAL in any given forest contains mail recipients from other forests.
Moving Mailboxes Across Forests The New-MoveRequest cmdlet in the Exchange Management Shell can help move mailboxes from one forest to another.
Understanding Multiple Forest Administration Learn about the permissions model to configure and manage the permissions between your forests.
Exchange 2010 supports two types of multiple forest topologies:
Cross-forest A cross-forest topology is one with multiple Exchange forests. Here is an overview of what you need to do to deploy Exchange 2010 in a topology with a multiple forest:
You must first install Exchange 2010 in each forest. For more information, see New Installation of Exchange 2010.
Next, you must synchronize the recipients in each of the forests, so that the Global Address List (GAL) in each forest contains users from all the synchronized forests. See the "GAL Synchronization" section below for more details.
Finally, you must configure the Availability service so that users in one forest can view availability data for users in another forest. For more information, see Configure the Availability Service for Cross-Forest Topologies.
- You must first install Exchange 2010 in each forest. For more information, see New Installation of Exchange 2010.
Resource forest A resource forest topology is one with an Exchange forest and one or more user accounts forests. Here is an overview of what you need to do to deploy Exchange 2010 in a topology with a resource forest:
You must have a forest with Exchange installed. In the Exchange forest, you must have disabled the user accounts that have Exchange mailboxes.
You must have at least one forest that contains user accounts. This forest should not have Exchange installed.
Then, you must associate the disabled user accounts in the Exchange forest with the user accounts in the accounts forest.
- You must have a forest with Exchange installed. In the Exchange forest, you must have disabled the user accounts that have Exchange mailboxes.
By default, a GAL contains mail recipients from a single forest. If you have a cross-forest environment, we recommend using Microsoft Identity Lifecycle Manager (ILM) 2007 Feature Pack 1 (FP1) to ensure that the GAL in any given forest contains mail recipients from other forests. ILM 2007 FP1 creates mail users that represent recipients from other forests, thereby allowing users to view them in the GAL and send mail. For example, users in Forest A appear as a mail user in Forest B and vice versa. Users in the target forest can then select the mail user object that represents a recipient in another forest to send mail.
To enable GAL synchronization, you create management agents that import mail-enabled users, contacts, and groups from designated Active Directory services into a centralized metadirectory. In the metadirectory, mail-enabled objects are represented as mail users. Groups are represented as contacts without any associated membership. The management agents then export these mail users to an organizational unit in the specified target forest.
For more information about Microsoft Identity Lifecycle Manager 2007 FP1, see Microsoft Identity Lifecycle Manager 2007 Feature Pack 1 Evaluation Edition.
In a cross-forest topology, you may want to move mailboxes from one forest to another. To do this you must use the New-MoveRequest cmdlet in the Exchange Management Shell. This is the same command that you use to move mailboxes within a single forest. For more information about moving mailboxes across forests, see the following topics:
Microsoft Exchange Server 2010 uses new permissions functionality to manage your multiple forest environments.
Exchange 2010 uses a Role Based Access Control (RBAC) permissions model. The management role groups that administrators are members of, and the management role assignment policies that end-users are assigned, determine what each administrator and end-user can do. To understand multiple forest permissions, you need to be familiar with RBAC. For more information about RBAC and role groups and role assignment policies in particular, see Understanding Role Based Access Control.
You can use the RBAC permissions model to configure and manage the permissions between your forests. For more information about multiple forest permissions, see the following topics: