Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2008-01-02

This topic explains how to transition from an existing, single forest Microsoft Exchange Server 2003 or Exchange 2000 Server topology to a cross-forest topology in which one forest is the existing Exchange 2003 or Exchange 2000 forest and the new forest has Microsoft Exchange Server 2007.

We recommend this scenario if you want to deploy Exchange 2007 in your production environment with only a small number of users, and if you are not ready to upgrade the Active Directory directory service schema in the forest where most of your existing users reside. To validate your deployment in a production environment, you can add a separate Exchange 2007 forest to your topology and move a small number of users to that forest before moving all of your users and upgrading the schema to Exchange 2007.

GAL Synchronization and MIIS 2003

If you use Microsoft Identity Integration Server (MIIS) 2003 to synchronize the global address lists (GALs), you must perform additional steps to finish provisioning the recipients that are created by the MIIS GAL synchronization (GALSync) process. GALSync in MIIS 2003 is designed to work with Exchange 2003 or Exchange 2000 Server. In these versions of Microsoft Exchange, the Recipient Update Service performs the tasks that are required to finish provisioning recipients. The Recipient Update Service is not available in Exchange 2007. Therefore, you must manually finish provisioning the mail-enabled contacts that are created by the MIIS 2003 GALSync process.

Additionally, Exchange 2007 recipients have some attributes that are not present in recipients from previous versions of Exchange. GALSync in MIIS 2003 does not synchronize these new attributes. As a result, if you use GALSync in MIIS 2003 to synchronize recipients across forests, you will experience the following limitations:

  • If a user is delegated access to another user's mailbox, and then that mailbox or the mailbox of the delegate is moved to another forest, delegation is lost.

  • The contact that represents the room or equipment mailbox in the other forest will not have the detailed information about these resources.

  • Microsoft Office Outlook does not recognize that a synchronized contact represents a mailbox in another Exchange forest. Outlook displays the contact as a normal contact.

Note:
Synchronizing Exchange 2007 GALs by using MIIS 2003 is supported only as a custom solution. The recommended solution for synchronizing Exchange 2007 GALs is to use Exchange 2007 Service Pack 1 (SP1) and Identity Lifecycle Manager (ILM) 2007 Feature Pack 1

New in Exchange 2007 SP1

Microsoft Exchange 2007 SP1 provides the Update-Recipient cmdlet to finish provisioning recipients that are created by GALSync.

To synchronize the GALs in Exchange 2007 SP1, we recommend that you use ILM 2007 Feature Pack 1 instead of MIIS 2003. The GAL synchronization management agent in ILM 2007 Feature Pack 1 will call the Update-Recipient cmdlet automatically. To finish provisioning recipients that are created by ILM 2007 Feature Pack 1 GAL synchronization, you do not need to perform additional steps.

Note:
To use ILM 2007 Feature Pack 1 to synchronize GALs, you must have Exchange 2007 SP1 installed.

If you use ILM 2007 Feature Pack 1, all the recipient attributes for Exchange 2007 recipients are synchronized. As a result, you will not experience limitations regarding:

  • Cross-forest delegation.

  • Synchronization of room and equipment information.

  • Outlook failing to recognize contacts as synchronized contacts.

To learn more about ILM 2007, see Microsoft Identity Lifecycle Manager 2007 Product Overview.

Before You Begin

Before you perform the following procedure, you must perform the actions in one of the following sections based on whether you are working with the release to manufacturing (RTM) version of Exchange 2007 or Exchange 2007 SP1.

Permissions and Prerequisites Exchange 2007 SP1

To perform the following procedure in Exchange 2007 SP1, confirm the following:

  • You understand the supported scenarios for transitioning to Exchange 2007. For more information about supported upgrade scenarios, see Upgrading to Exchange 2007.

  • You have planned your Exchange 2007 messaging system. For more information about planning an Exchange 2007 messaging system, see Planning and Architecture.

  • All multiple forest topologies containing Exchange 2007 require directory servers in each forest running Windows Server 2003 with Service Pack 1 or later.

  • If you will continue to use any features from Exchange 2003 that are not supported in Exchange 2007, you have planned to keep at least one Exchange 2003 server in your organization. The following Exchange 2003 features are not supported in Exchange 2007:

    • Novell GroupWise connector

    • Network News Transfer Protocol (NNTP)

  • If you will continue to use any features from Exchange 2000 that are not supported in Exchange 2007, you have planned to keep at least one Exchange 2000 server in your organization. The following Exchange 2000 features are not supported in Exchange 2007:

    • Microsoft Mobile Information Server

    • Instant Messaging service

    • Exchange Chat Service

    • Exchange 2000 Conferencing Server

    • Key Management Service

    • cc:Mail connector

    • MS Mail connector

  • You have installed ILM 2007 Feature Pack 1. For information about deploying ILM 2007 Feature Pack 1, see Identity Lifecycle Manager.

Permissions and Prerequisites for Exchange 2007 RTM

To perform the following procedures in Exchange 2007 RTM, confirm the following:

  • You understand the supported scenarios for transitioning to Exchange 2007. For more information about supported upgrade scenarios, see Upgrading to Exchange 2007.

  • You have planned your Exchange 2007 messaging system. For more information about planning an Exchange 2007 messaging system, see Planning and Architecture.

  • If you will continue to use any features from Exchange 2003 that are not supported in Exchange 2007, you have planned to keep at least one Exchange 2003 server in your organization. The following Exchange 2003 features are not supported in Exchange 2007:

    • Novell GroupWise connector

    • Network News Transfer Protocol (NNTP)

  • If you will continue to use any features from Exchange 2000 that are not supported in Exchange 2007, you have planned to keep at least one Exchange 2000 server in your organization. The following Exchange 2000 features are not supported in Exchange 2007:

    • Microsoft Mobile Information Server

    • Instant Messaging service

    • Exchange Chat Service

    • Exchange 2000 Conferencing Server

    • Key Management Service

    • cc:Mail connector

    • MS Mail connector

  • You have installed MIIS 2003 or Identity Integration Feature Pack for Microsoft Windows Server Active Directory with SP2. For more information about deploying MIIS 2003, see the Microsoft Identity Integration Server 2003 TechCenter. For more information about downloading Identity Integration Feature Pack for Microsoft Windows Server Active Directory with SP2 see Identity Integration Feature Pack for Microsoft Windows Server Active Directory with Service Pack 2 (SP2).

  • If you are using MIIS 2003, you have installed SP2 for MIIS 2003. For more information about deploying MIIS 2003 SP2, see Microsoft Identity Integration Server 2003 SP2 Update.

  • If you are using Microsoft Office Outlook 2007 to access e-mail, you can use the Availability service to share free/busy data across forests. The Availability service is supported only for Office Outlook 2007 clients. If you are using earlier versions of Outlook, you must use the Microsoft Exchange Inter-Organization Replication tool to synchronize free/busy data across multiple forests. It is supported to install the Inter-Organization Replication tool on a computer that has the Exchange 2007 management tools installed without any other Exchange 2007 server roles or on an Exchange 2003 or Exchange 2000 server. If you install the tool on a computer that has the Exchange 2007 management tools installed, you must also install the Exchange MAPI client libraries. For more information about the Inter-Organization Replication tool, see Microsoft Exchange Server Inter-Organization Replication. For more information about downloading the Exchange MAPI client libraries, see Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1.

Procedure


Transitioning from Single Forest to Cross-Forest

Exchange 2007 SP1 and ILM 2007 Feature Pack 1

To transition from a single Exchange forest to a cross-forest coexistence topology

  1. Create a new Active Directory forest, into which you will install Exchange 2007 in a later step. For more information about creating a Windows Server 2003 forest, see Deploying the Windows Server 2003 Forest Root Domain.

  2. (Optional) Create a two-way forest trust relationship between the Exchange 2003 forest and the Exchange 2007 forest. Depending on your usage scenario, you may need a two-way trust relationship for folder sharing or delegation. For detailed steps, see Create a two-way, forest trust for both sides of the trust.

    Note:
    Be sure that the trust type is Forest, not External.
  3. (Optional) If you are using any version of Outlook other than Outlook 2007, and if you want to share free/busy information across the forests, make sure that you have installed the Inter-Organization Replication tool in each forest. It is supported to install the Inter-Organization Replication tool on a computer that has the Exchange 2007 management tools installed without any other Exchange 2007 server roles or on an Exchange 2003 or Exchange 2000 server. For more information, see Microsoft Exchange Server Inter-Organization Replication.

  4. In the new forest, install Exchange 2007 SP1. Install Exchange the same way that you would in a single forest scenario. For detailed steps about how to install Exchange 2007, see one of the following topics:

  5. In each forest, use Active Directory Users and Computers to create a container in which ILM will create contacts for each mailbox from the other forest. We recommend that you name this container FromILM. To create the container, select the domain in which you want to create the container, right-click the domain, select New, and then select Organizational Unit. In New Object - Organizational Unit, type FromILM, and then click OK.

  6. Create a GALSync management agent for each forest by using ILM 2007 Feature Pack 1. This allows you to synchronize the users in each forest, and create a common GAL. For detailed steps, see "To configure a GAL Synchronization management agent with ILM 2007 Feature Pack 1" later in this topic.

  7. Enable GALSync. To do this, in the main ILM Identity Manager window, click Tools, click Options, and then select the Enable Provisioning Rules Extension check box. Click OK.


    Options page, Enable Prov Rules Extension selected
    Options page
  8. If you do not plan to immediately move all mailboxes from the Exchange 2003 or Exchange 2000 servers to the Exchange 2007 servers, you must complete Steps 9 and 10 so that you can send mail across forests from Exchange 2003 or Exchange 2000 mailboxes to Exchange 2007 mailboxes.

    If you plan to immediately move all mailboxes from the Exchange 2003 or Exchange 2000 servers to the Exchange 2007 servers, go directly to Step 11.

  9. Configure connectors in each forest that will have an Exchange server. For detailed steps, see "Exchange 2007 to Exchange 2003" in Configuring Cross-Forest Connectors.

    Note:
    If you use Basic authentication, we recommend that you use Transport Layer Security (TLS) encryption to help improve security. By default, Exchange 2007 servers are set to use TLS, but you must configure your Exchange 2003 or Exchange 2000 servers to use TLS. If you do not configure your Exchange 2003 or Exchange 2000 servers to use TLS, you will not be able to send mail between Exchange 2007 servers and Exchange 2003 or Exchange 2000 servers. For more information about using TLS in Exchange 2003 or Exchange 2000, see Microsoft Knowledge Base article 829721, How to help protect SMTP communication by using the Transport Layer Security protocol in Exchange Server.
  10. If you require that mail can be relayed through any forest in your organization, you must configure a domain in that forest as an authoritative domain. For detailed steps, see How to Configure Authoritative Domains for the Exchange Organization.

  11. Move user accounts from the Exchange 2003 or Exchange 2000 forest to the Exchange 2007 forest by using the Active Directory Migration Tool version 3.0 (ADMT v3). For more information about ADMT v3, see Active Directory Migration Tool v3.0.

  12. Move mailboxes from the Exchange 2003 or Exchange 2000 forest to the Exchange 2007 forest. For detailed steps, see How to Move a Mailbox Across Forests.

    Note:
    You can use the SourceMailboxCleanupOptions parameter and specify CreateSourceContact to create a contact for the moved mailbox in the source forest at the time of the move, instead of waiting for GALSync to create a contact in the source forest.
    Note:
    To move contacts or distribution groups from one forest to another, you must use a tool such as the Active Directory Migration Tool version 3.0 (ADMT v3). For more information about ADMT v3, see Active Directory Migration Tool v3.0.
    Note:
    If you have any Exchange 2003 or Exchange 2000 recipient policies that have not been applied, moving the mailboxes to an Exchange 2007 server will force the recipient policies to be evaluated again and applied. Before you move mailboxes, make sure that you want to apply all of the existing recipient policies. If you have an existing recipient policy that you do not want to apply, clear the Automatically update e-mail address based on e-mail address policy check box in Active Directory Users and Computers. For more information, see the Exchange Server Team Blog article Yes, Exchange 2007 really enforces Email Address Policies. (Note: The content of each blog and its URL are subject to change without notice.)
  13. Update the user's Outlook profile to access the new mailbox in the new forest.

  14. (Optional) Remove your old Exchange 2003 or Exchange 2000 servers from the organization. For more information about how to remove Exchange 2003 servers, see How to Uninstall Exchange Server 2003 in the Exchange Server 2003 Deployment Guide. For more information about how to remove Exchange 2000 servers, see How to Uninstall Exchange 2000 Server in the Exchange Server 2003 Deployment Guide.

    Note:
    To remove the last Exchange 2003 or Exchange 2000 server from an organization, you must perform special steps to move public folder replicas, remove the public folder database, move the public folder hierarchy, move the offline address book (OAB) generation server, delete routing group connectors, delete the Recipient Update Service, and verify mail flow, protocols, and recipient policies. For detailed steps, see How to Remove the Last Legacy Exchange Server from an Organization.

To configure a GAL Synchronization management agent with ILM 2007 Feature Pack 1

  1. In ILM 2007 Feature Pack 1, select Management Agents from the toolbar, and then under Actions, click Create.


    MIIS Management page, Management Agents selected
    Management Agents pane in ILM
  2. On the Create Management Agent page, under Management agent for, select Active Directory global address list (GAL).

  3. In the Name box, type a name for this management agent. When creating the name, we recommend that you include the name of the source forest from which this management agent will gather recipient information.

  4. In the Description box, type a description for this management agent, and then click Next.

  5. On the Connect to Active Directory Forest page, complete the following fields:

    • Forest name   Name of the source forest.

    • User name and Password   User name and password of an account that has permission to read schema information from the source forest.

    • Domain   Domain for the specified account.

      Note:
      You can also enter the user name as <user>@<domain> and leave the domain field blank.
  6. Click Next.

  7. On the Configure Directory Partitions page, select the directory partitions on the source forest from which you want to project data to a destination forest.


    Create MA, Config Directory Partitions page
    Configure Directory Partitions page
  8. On the Configure Directory Partitions page, click Containers.


    Config Directory Partitions page Containers button
    Containers button on the Configure Directory Partitions page
  9. On the Select Containers page, clear the top-level check box for the directory partition, select the containers for which this management agent will gather and store information, and then click OK. Be sure to select the container in which ILM will create contacts for each mailbox from the other forest, such as the FromILM container.

  10. On the Configure Directory Partitions page, click Next.

  11. On the Configure GAL page, click Target, and then select the container in which the contacts from other forests will reside in the target forest.


    Configure Gal page, Target button
    Target button on the Configure GAL page
  12. On the Configure GAL page, click Source, and then select the container in which other forests' objects that are synchronized to the target forest will reside.


    Configure GAL page, Source button
    Source button on the Configure GAL page
  13. Under Exchange configuration, click Edit to specify at least one SMTP e-mail suffix that is managed in the source forest. Click Next.


    Configure GAL page, Edit button
    Edit button on the Configure GAL page
  14. On the Select Object Types page, click Next.

  15. On the Select Attributes page, click Next.

  16. On the Configure Connector Filter page, click Next.

  17. On the Configure Join and Projection Rules page, click Next.

  18. On the Configure Attributes Flow page, click Next.

  19. On the Configure Deprovisioning page, click Next.

  20. On the Configure Extensions page, select Enable Exchange 2007 provisioning, and then click Finish.


    ConfigureExtensions page, enable E2K7 provisioning
    Note:
    To validate the connection parameters, run a Full Import (Stage Only) on the management agent. (To run a Full Import (Stage Only), in Identity Manager, select the management agent you want, and then under Actions, click Run.) A Full Import (Stage Only) does not populate the ILM metaverse. However, it is useful for validation and troubleshooting. If running the Full Import (Stage Only) causes any errors, you should resolve those errors before synchronizing users and groups.
    Enable Exchange 2007 provisioning on the Configure Extensions page

Exchange 2007 RTM

To transition from a single Exchange forest to a cross-forest coexistence topology

  1. Create a new Active Directory forest, into which you will install Exchange 2007 in a later step. For more information about creating a Windows Server 2003 forest, see Deploying the Windows Server 2003 Forest Root Domain.

  2. (Optional) Create a two-way forest trust relationship between the Exchange 2003 forest and the Exchange 2007 forest. Depending on your usage scenario, you may need a two-way trust relationship for folder sharing or delegation. For detailed steps, see Create a two-way, forest trust for both sides of the trust.

    Note:
    Be sure that the trust type is Forest, not External.
  3. (Optional) If you are using any version of Outlook other than Office Outlook 2007, and if you want to share free/busy information across the forests, install the Inter-Organization Replication tool. It is supported to install the Inter-Organization Replication tool on a computer that has the Exchange 2007 management tools installed without any other Exchange 2007 server roles, or on an Exchange 2003 or Exchange 2000 server. For more information, see Microsoft Exchange Inter-Organization Replication.

  4. In the new forest, install Exchange 2007. Install Exchange the same way that you would in a single forest scenario. For detailed steps about how to install Exchange 2007, see one of the following topics:

  5. In each forest, use Active Directory Users and Computers to create a container in which MIIS will create contacts for each mailbox from the other forest. We recommend that you name this container FromMIIS. To create the container, select the domain in which you want to create the container, right-click the domain, select New, and then select Organizational Unit. In New Object - Organizational Unit, type FromMIIS, and then click OK.

  6. Create a GAL synchronization management agent for each forest using MIIS 2003 or Identity Integration Feature Pack for Microsoft Windows Server Active Directory with SP2. This will allow you to synchronize the users in each forest, and create a common GAL. For detailed steps, see "To configure a GAL Synchronization management agent" later in this topic.

  7. Enable GALSync. To do this, in the main MIIS Manager window, click Tools, click Options, and then select Enable Provisioning Rules Extension. Click OK.


    Options page, Enable Prov Rules Extension selected
    Options page
  8. If you do not plan to move all mailboxes from the Exchange 2003 or Exchange 2000 servers to the Exchange 2007 servers immediately, you must complete Steps 9 and 10 so that you can send mail across forests from Exchange 2003 or Exchange 2000 mailboxes to Exchange 2007 mailboxes.

    If you plan to move all mailboxes from the Exchange 2003 or Exchange 2000 servers to the Exchange 2007 servers immediately, go directly to Step 11.

  9. Configure connectors in each forest that will have an Exchange server. For detailed steps, see "Exchange 2007 to Exchange 2003" in Configuring Cross-Forest Connectors.

    Note:
    If you use Basic authentication, we strongly recommend that you use Transport Layer Security (TLS) encryption for more security. By default, Exchange 2007 servers are set to use TLS, but you must configure your Exchange 2003 or Exchange 2000 servers to use TLS. If you do not configure your Exchange 2003 or Exchange 2000 servers to use TLS, you will not be able to send mail between Exchange 2007 servers and Exchange 2003 or Exchange 2000 servers. For more information about using TLS in Exchange 2003 or Exchange 2000, see Microsoft Knowledge Base article 829721, How to help protect SMTP communication by using the Transport Layer Security protocol in Exchange Server.
  10. If you require relaying mail through any forest in your organization, you must configure a domain in that forest as an authoritative domain. For detailed steps, see How to Configure Authoritative Domains for the Exchange Organization.

  11. Move user accounts from the Exchange 2003 or Exchange 2000 forest to the Exchange 2007 forest by using the Active Directory Migration Tool version 3.0 (ADMT v3). For more information about the ADMT v3, see Active Directory Migration Tool v3.0.

  12. Move mailboxes from the Exchange 2003 or Exchange 2000 forest to the Exchange 2007 forest. For detailed steps, see How to Move a Mailbox Across Forests.

    Note:
    You can use the SourceMailboxCleanupOptions parameter and specify CreateSourceContact to create a contact for the moved mailbox in the source forest at the time of the move, instead of waiting for GALSync to create a contact in the source forest.
    Note:
    To move contacts or distribution groups from one forest to another, you must use a tool such as the Active Directory Migration Tool version 3.0 (ADMT v3). For more information about ADMT v3, see Active Directory Migration Tool v3.0.
    Note:
    If you have any Exchange 2003 or Exchange 2000 recipient policies that have not been applied, moving the mailboxes to an Exchange 2007 server will force the recipient policies to be evaluated again and applied. Before you move mailboxes, make sure that you want to apply all of the existing recipient policies. If you have an existing recipient policy that you do not want to apply, clear the Automatically update e-mail address based on e-mail address policy check box in Active Directory Users and Computers. For more information, see the Exchange Server Team Blog article Yes, Exchange 2007 really enforces Email Address Policies. (Note: The content of each blog and its URL are subject to change without notice.)
  13. Update the user's Outlook profile to access the new mailbox in the new forest.

  14. (Optional) Remove your old Exchange 2003 or Exchange 2000 servers from the organization. For more information about how to remove Exchange 2003 servers, see How to Uninstall Exchange Server 2003 in the Exchange Server 2003 Deployment Guide. For more information about how to remove Exchange 2000 servers, see How to Uninstall Exchange 2000 Server in the Exchange Server 2003 Deployment Guide.

    Note:
    To remove the last Exchange 2003 or Exchange 2000 server from an organization, you must perform special steps to move public folder replicas, remove the public folder database, move the public folder hierarchy, move the offline address book (OAB) generation server, delete routing group connectors, delete the Recipient Update Service, and verify mail flow, protocols, and recipient policies. For detailed steps, see How to Remove the Last Legacy Exchange Server from an Organization.
  15. To create a script that finishes provisioning the recipients that were created by the GALSync process, perform one of the following steps:

    • Create an Exchange Management Shell script called MyScript.ps1 that updates all the e-mail address policies, address lists, and GALs for all the recipients in your organization. The script should contain the following lines:

      Copy Code
      Get- EmailAddressPolicy | Update-EmailAddressPolicy
      Get- AddressList | Update-AddressList
      Get- GlobalAddressList  | Update-GlobalAddressList
      
      Note:
      This script updates all recipients in your organization. This is a costly update and can take several minutes depending on the complexity of your environment.
    • Create an Exchange Management Shell script called MyScript.ps1 that updates specific e-mail address policies, address lists, and GALs for all the recipients in your organization. The script should contain the following lines:

      Copy Code
      Update-EmailAddressPolicy -Identity AddressPolicy01
      Update-AddressList -Identity "All Contacts\AddressList01"
      Update-GlobalAddressList -Identity "My Global Address List"
      
      If you customized your GALSync management agent to create other types of objects, such as mailboxes, you must add additional lines to update the corresponding address lists, such as "All Users\AddressList01."

      Note:
      This script updates all recipients in your organization. This is a costly update and can take several minutes depending on the complexity of your environment.
    • Create an Exchange Management Shell script called MyScript.ps1 that updates only the recipients that are in the FromMIIS organizational unit (OU). The script should contain the following line:

      Copy Code
      Get-MailContact -OrganizationalUnit "FromMIIS" | Where-Object  { $_.legacyexchangedn -eq "" }  | Set-MailContact
      
  16. (Optional) In each forest, use either the Microsoft Windows At.exe command or Windows Scheduled Tasks to schedule the script that you created in Step 15 to run at least once per day. To schedule Exchange Management Shell commands, you must run Microsoft Windows PowerShell (PowerShell.exe) with the PsConsolFile parameter to load the Exchange Console Extensions, and with the Command parameter to run the specific Exchange Management Shell command. The command that you will use is the script that you created in Step 15. For example, schedule the following command:

    Copy Code
    PowerShell.exe -PsConsoleFile "C:\Program Files\Microsoft\Exchange Server\bin\exshell.psc1" -command d:\scripts\MyScript.ps1
    

To configure a GAL synchronization management agent with MIIS 2003

  1. In MIIS or Identity Integration Feature Pack for Microsoft Windows Server Active Directory with SP2, select Management Agents from the toolbar, and then under Actions, click Create.


    MIIS Management page, Management Agents selected
    Management Agents pane in MIIS
  2. On the Create Management Agent page, under Management agent for, select Active Directory global address list (GAL).

  3. In the Name box, type a name for this management agent. When creating the name, we recommend that you include the name of the source forest from which this management agent will gather recipient information.

  4. In the Description box, type a description for this management agent, and then click Next.

  5. On the Connect to Active Directory Forest page, complete the following fields:

    • Forest name   Name of the source forest.

    • User name and Password   User name and password of an account that has permission to read schema information from the source forest.

    • Domain   Domain for the specified account.

      Note:
      You can also enter the user name as <user>@<domain> and leave the domain field blank.
  6. Click Next.

  7. On the Configure Directory Partitions page, select the directory partitions on the source forest from which you want to project data to a destination forest.


    Create MA, Config Directory Partitions page
    Configure Directory Partitions page
  8. On the Configure Directory Partitions page, click Containers.


    Config Directory Partitions page Containers button
    Containers button on the Configure Directory Partitions page
  9. On the Select Containers page, clear the top-level check box for the directory partition, select the containers for which this management agent will gather and store information, and then click OK. Be sure to select the container in which MIIS will create contacts for each mailbox from the other forest, such as the FromMIIS container.

  10. On the Configure Directory Partitions page, click Next.

  11. On the Configure GAL page, click Target, and then select the container in which the contacts from other forests will reside in the target forest.


    Configure Gal page, Target button
    Target button on the Configure GAL page
  12. On the Configure GAL page, click Source, and then select the container in which other forests' objects that are synchronized to the target forest will reside.


    Configure GAL page, Source button
    Source button on the Configure GAL page
  13. Under Exchange configuration, click Edit to specify at least one SMTP e-mail suffix that is managed in the source forest. Click Next.


    Configure GAL page, Edit button
    Edit button on the Configure GAL page
  14. On the Select Object Types page, click Next.

  15. On the Select Attributes page, click Next.

  16. On the Configure Connector Filter page, click Next.

  17. On the Configure Join and Projection Rules page, click Next.

  18. On the Configure Attributes Flow page, click Next.

  19. On the Configure Deprovisioning page, click Next.

  20. On the Configure Extensions page, click Finish.

    Note:
    To validate the connection parameters, run a Full Import (Stage Only) on the management agent. (To run a Full Import (Stage Only), in Identity Manager, select the management agent you want, and then under Actions, click Run.) A Full Import (Stage Only) does not populate the MIIS or Identity Integration Feature Pack metaverse. However, it is useful for validation and troubleshooting. If running the Full Import (Stage Only) causes any errors, you should resolve those errors before synchronizing users and groups.

For More Information

For more information about features that you can configure after you have installed Exchange 2007, see Post-Installation Tasks.

For more information about Windows Server 2003 trusts, see Administering Domain and Forest Trusts.

For more information about how to administer Exchange 2007 in one forest by using an account in a different forest, see How to Configure Cross-Forest Administration.



Transitioning from single forest to cross-forest