Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2009-09-15
As its name implies, a complex Exchange organization represents the most intricate topology into which Microsoft Exchange Server 2007 is deployed. Of the four defined organization models for Exchange 2007, the complex Exchange organization is the only model that includes multiple Active Directory directory service forests or the use of synchronization technology.
The deployment of multiple Active Directory forests that host Exchange servers and mailbox-enabled accounts is becoming a common scenario. A major driver of these deployments is the need to segregate administration of user environments and trusted security contexts. Because the forest represents the security boundary of Active Directory in deployments where security and controlling access to resources is the primary concern, it is common to find multiple Active Directory forests deployed in parallel.
Note: All multiple forest topologies require directory servers in each forest that are running Windows Server 2003 with Service Pack 1 or later.
Examples of Complex Exchange Organizations
There are a variety of reasons for implementing multiple Active Directory forests. Some of these reasons include:
- You have multiple business units that require data and service isolation.
- You have multiple business units that have separate schema requirements.
- You are confronted with a merger, acquisition, or divestiture.
Exchange Resource Forest Topology
The only way to establish strict boundaries between business units is to create a separate Active Directory forest for each business unit. If this is your Active Directory configuration, we recommend that you use an Exchange resource forest.
Figure 1 illustrates an example of a complex Exchange organization that contains an Exchange resource forest.
In Figure 1, Forest B contains Exchange servers, and Forest A contains the user accounts. Forest B also contains identical user accounts, but those accounts are disabled, and mailbox-enabled users log on to Active Directory using their account in Forest A.
If you deploy Exchange 2007 in a resource forest, the administrator in the forest that only contains the user accounts does not have permission to create mailboxes in the Exchange forest by default. Although the administrator in the forest that contains user accounts can create user accounts, in a resource forest topology, this administrator cannot perform any mailbox management tasks without delegating special permissions to the account administrator. An administrator in the Exchange forest must manually create mailboxes separately from the user accounts and link the mailboxes back to existing user accounts. In addition, you must also add any additional information (such as telephone number or office location) to the Exchange forest separately, even though that information may already exist with the associated user account.
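The following Exchange Management Shell session is an added example, not part of the original topic or of any Microsoft documentation. It shows the resource-forest workflow just described: an Exchange-forest administrator creates a linked mailbox that points back at an existing account in the account forest, then audits all linked mailboxes to confirm each still has a master account and that its local resource-forest account is disabled. The forest names, server names, OU, accounts and database path are assumed placeholders.

```powershell
# Exchange Management Shell on an Exchange 2007 server in the resource forest.
# Assumed names (placeholders): account forest "corp.example.com" (Forest A),
# resource forest "exres.example.com" (Forest B), mailbox server MBX01.

# Credentials for a read-only account in the account forest; the resource forest
# has no direct access to Forest A, so Exchange needs these to resolve the
# master account's SID.
$acctCred = Get-Credential 'CORP\svc-linkreader'

# Create the linked mailbox. Exchange creates a disabled user in the resource
# forest and stamps it with the Forest A account's SID as the master account.
New-Mailbox -Name 'Kim Akers' -Alias 'kakers' `
    -UserPrincipalName 'kakers@exres.example.com' `
    -OrganizationalUnit 'exres.example.com/Linked Mailboxes' `
    -Database 'MBX01\First Storage Group\Mailbox Database' `
    -LinkedMasterAccount 'CORP\kakers' `
    -LinkedDomainController 'dc01.corp.example.com' `
    -LinkedCredential $acctCred

# Audit: a linked mailbox whose master account has been cleared, or whose
# resource-forest account is enabled, is a logon path the account-forest
# administrators cannot see. Report both conditions.
function Test-LinkedMailboxHygiene {
    $ADS_UF_ACCOUNTDISABLE = 0x2   # userAccountControl bit for a disabled account
    foreach ($mbx in Get-Mailbox -RecipientTypeDetails LinkedMailbox -ResultSize Unlimited) {
        # Read the local AD user behind the mailbox via ADSI (no AD module needed).
        $ad  = [ADSI]("LDAP://" + $mbx.DistinguishedName)
        $uac = [int]$ad.Properties['userAccountControl'].Value
        $problems = @()
        if (-not $mbx.LinkedMasterAccount) {
            $problems += 'no master account linked'
        }
        if (($uac -band $ADS_UF_ACCOUNTDISABLE) -eq 0) {
            $problems += 'resource-forest account is enabled'
        }
        if ($problems.Count -gt 0) {
            $mbx | Select-Object Identity, LinkedMasterAccount,
                @{ n = 'Problems'; e = { [string]::Join('; ', $problems) } }
        }
    }
}

Test-LinkedMailboxHygiene | Format-Table -AutoSize
```

Run the audit on a schedule from the resource forest; an empty result means every linked mailbox is still anchored to a Forest A account and cannot be used with a Forest B logon.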
Multiple Exchange Forest Topology
In the case of mergers and acquisitions, it is not uncommon to have multiple Active Directory forests and multiple Exchange organizations. When running Exchange in a multiple forest environment, system architects and Exchange administrators generally encounter the same design issues found in the simple, standard, and large Exchange organization models. However, unique to the complex Exchange organization is the need to synchronize directory objects across disparate forests, and to replicate free/busy data. Microsoft provides two solutions for directory synchronization:
- Identity Integration Feature Pack for Microsoft Windows Server Active Directory (IIFP) with Service Pack 2 (SP2)
- Microsoft Identity Integration Server (MIIS)
Both solutions are based upon MIIS. IIFP is a freely available, simpler version of MIIS. MIIS is a feature-rich, though more costly, solution.
Note: For more information about IIFP, see Identity Integration Feature Pack for Microsoft Windows Server Active Directory with Service Pack 2 (SP2). For more information about MIIS, see Microsoft Identity Integration Server 2003 TechCenter.
In addition to synchronizing the directory, a frequent requirement is that free/busy data or public folders be made available between the Exchange organizations that are hosted in each forest. In previous versions of Exchange Server, this required the use of the Microsoft Exchange Server Inter-Organization Replication (IORepl) tool, which allowed for the coordination of meeting, appointment, contact, and public folder information between separate Exchange organizations. To share free/busy and calendaring information between Exchange 2007 organizations that are hosted in separate forests, you have the following options:
- If both organizations use Microsoft Office Outlook 2007, the Availability Service in Exchange 2007 can be used to share free/busy and calendaring information between the organizations. However, this solution does not share public folder data between the organizations.
- If earlier versions of Outlook are being used, you can use IORepl to share free/busy and calendaring information between the organizations. It is supported to install IORepl on a computer that has the Exchange 2007 management tools installed without any other Exchange 2007 server roles, or on a server that is running Exchange Server 2003 or Exchange 2000 Server. This solution would also allow you to share public folder data between the organizations. If you install the tool on a computer that has the Exchange 2007 management tools installed, you must also install the Exchange MAPI client libraries. For more information about the Inter-Organization Replication tool, see Microsoft Exchange Server Inter-Organization Replication. For more information about downloading the Exchange MAPI client libraries, see Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1.
Note: Functionality that is required by IORepl may be missing. By default, Exchange Server 2007 and later versions do not include the Messaging API (MAPI) client libraries or Collaboration Data Objects (CDO) version 1.2.1 as part of the base product installation. You must install Microsoft Exchange MAPI and CDO 1.2.1 to provide access to the contents of MAPI stores. If Office Outlook is installed on the server, you must uninstall Outlook before you install Exchange MAPI and CDO 1.2.1.
For more information about how to use IORepl with Exchange 2007, see the Inter-Organization Replication Tool topic in Exchange Help.
Figure 2 illustrates an example of a complex Exchange organization that contains multiple Exchange forests.
Exchange Cross-Forest Topology
In a cross-forest environment, Exchange Server runs in separate Active Directory forests, but mail functionality is available across forests. Deploying Exchange 2007 in a cross-forest environment with directory synchronization has the following limitations:
- Inability to view distribution list membership, if members have mailboxes in a different forest
- Inability to add users in a different forest to a distribution list
- Inability to nest distribution lists across forests
- No tool to move distribution lists to another forest
- Inability to retain delegation properties, if you move a mailbox across forests
- No tool to move public folders to another forest
- Inability to send signed or encrypted messages across forests, if you use a Microsoft Windows public key infrastructure (PKI) self-signed certificate
Planning Considerations for Complex Exchange Organizations
During the planning phase of your deployment, and before you deploy any Exchange 2007 servers in a complex Exchange organization, we recommend that you consider the following points:
- Multiple Exchange organizations sharing a common global address list (GAL) introduces the need for some form of GAL synchronization, and the need for replication of calendaring resources across forests.
- Complex Exchange organizations often have multiple points of egress and ingress to the Internet. As the number of types of services that are exposed to the Internet increases, the firewall systems that are deployed become more advanced as well. Microsoft Internet Security and Acceleration (ISA) Server is an application-level firewall that can be used to publish Exchange services such as Outlook Web Access, Post Office Protocol 3 (POP3) and Internet Message Access Protocol 4 (IMAP4), ActiveSync, and Outlook Anywhere. We recommend that you deploy ISA Server, or an array of servers running ISA Server, on the boundary between the perimeter network and the private corporate network.
- When deploying a complex Exchange organization, it is often necessary to provide high availability. In Exchange 2007, there are multiple solutions that can be used to provide high availability for each server role. For more information about high availability strategies and features for Exchange 2007, see High Availability.
- The use of multiple Active Directory forests also means that multiple namespaces are in use. In Exchange 2007, the Client Access server requires the use of a unique URL namespace within each forest in a cross-forest environment.
Transitioning a Complex Exchange Organization
If you are transitioning from an existing Exchange Server 2003 or Exchange 2000 Server organization to an Exchange 2007 organization, be aware that you cannot perform an in-place upgrade of your servers. You must add one or more Exchange 2007 servers to your existing organization, move mailboxes and other data to Exchange 2007, and then remove the Exchange 2003 or Exchange 2000 server from the organization.
For more information about deploying and transitioning to a complex Exchange 2007 organization, see Deploying a Complex Exchange Organization.