Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2008-11-24
This topic explains how to use Setup.com to enable cross-forest administration. You can use this procedure if you have a user account in one forest that must administer Microsoft Exchange Server 2007 in a different forest. Use this procedure in the following scenarios:
- The resource forest is a common scenario in which you have one
forest (the user accounts forest) that does not contain any
Exchange servers and a separate forest for the
Exchange organization.
- The classic cross-forest scenario with multiple Exchange
forests is a scenario in which you might want a user in one forest
to administer Exchange in both forests. Alternatively, you
might want a user in one forest to administer Exchange in the
other forest, but not in both forests.
To administer Exchange servers, properties, and recipients, an administrator must be delegated membership in one of the following Exchange administrator roles:
- Exchange Organization Administrator
- Exchange Public Folder Administrator
- Exchange Recipient Administrator
- Exchange View-Only Administrator
Note: The Exchange Public Folder Administrator role does not exist in the release to manufacturing (RTM) version of Exchange 2007. It was introduced in Exchange 2007 Service Pack 1 (SP1).
However, you cannot add a user from a different forest to an Exchange administrator role: the roles are universal security groups, and a universal group can contain only security principals from its own forest. To administer Exchange 2007 servers in Forest B by using a user account in Forest A, you must perform the following steps:
- If they do not already exist, create parallel Exchange administrator roles (universal security groups with the same names) in Forest A.
- In Forest B, use Setup.com with the ForeignForestFQDN parameter to grant permissions on objects in Forest B to the Forest A roles.
- Add users in Forest A to the newly created parallel Exchange administrator roles in Forest A.
Important: After you configure cross-forest administration, it is not supported to perform any Exchange Setup actions in one forest by using a user account in another forest. For example, it is not supported to add server roles, remove server roles, or recover a server in one forest by using a user account in another forest, even if you configured that user account for cross-forest administration.
Note: To create the Exchange administrator roles, you must use Active Directory Users and Computers to create groups. You will select Universal for the group scope and Security for the group type. For more information, see Permission Considerations.
Before You Begin
Make sure the forest functional level of both of your forests is Microsoft Windows Server 2003. For more information about Active Directory functional levels, see Functional Levels Background Information.
Create a two-way forest trust relationship between the two forests. For detailed steps, see Create a two-way forest trust for both sides of the trust. You need this trust to configure cross-forest administration. If you are in a resource forest scenario, after you complete this procedure you can downgrade the trust to a one-way trust in which the Exchange forest (Forest B) trusts the user accounts forest (Forest A), so that accounts from Forest B can no longer be used in Forest A. Be aware that you may still need the two-way trust for folder sharing. Be aware also that, after this procedure, membership of the Exchange administrator groups in Forest A is what controls administrative access to the Exchange organization in Forest B, so control membership of those groups as tightly as you would control the Exchange administrator groups in Forest B itself.
Note: Make sure that the trust type is Forest, not External.
In the following procedure, Forest A is the forest with a user account that needs to administer Exchange 2007 servers in a different forest. Forest B is the forest with Exchange 2007 servers that a user in Forest A will administer.
To perform the steps of this procedure in Forest A, the account you use must be delegated the following:
- Membership in the Enterprise Admins group in Forest A
To perform the steps of this procedure in Forest B, the account you use must be delegated the following:
- Membership in the Enterprise Admins group in Forest B
Note: If you have an account that has Enterprise Admin-level rights in both Forest A and Forest B, running Setup /PrepareAD /ForeignForestFQDN:ForestA.contoso.com in Forest B will perform Steps 2 through 7 (the creation of the Exchange universal security groups in Forest A and the assignment of their permissions) automatically. However, because it is not likely that you will have a user that has Enterprise Admin-level rights in both forests, we recommend that you perform Steps 2 through 7 manually to first create the Exchange universal security groups and assign permissions for those groups in Forest A, with an account that is a member of the Enterprise Admins group in only Forest A. Then you can run Setup /PrepareAD /ForeignForestFQDN:ForestA.contoso.com in Forest B with an account that is a member of the Enterprise Admins group in only Forest B.
Procedure
Exchange 2007 SP1
To configure cross-forest administration in Exchange 2007 SP1
1. If you are in a classic cross-forest scenario (Exchange is installed in both Forest A and Forest B) and you do not want the user in Forest A who will administer Exchange in Forest B to also be an administrator in Forest A, rename the following organizational unit and groups in Forest A, or move them to a different organizational unit or domain, so that the groups you create in the following steps can use the default names:
- Microsoft Exchange Security Groups
- Exchange Organization Administrators
- Exchange Public Folder Administrators
- Exchange Recipient Administrators
- Exchange View-Only Administrators
After you rename or move these groups, they will still have the same membership and permissions, and you will still be able to administer Exchange in Forest A by using accounts that are members of these groups.
If you are in a classic cross-forest scenario, you have Exchange installed in both Forest A and Forest B, and you want the user in Forest A to administer Exchange in both Forest A and Forest B, continue to Step 9.
If you are in a resource forest scenario, continue to Step 2.
2. In the root domain of Forest A, create a new organizational unit called Microsoft Exchange Security Groups. For more information about creating an organizational unit, see Create a New Organizational Unit.
3. In the Microsoft Exchange Security Groups organizational unit in Forest A, create the following universal security groups:
- Exchange Organization Administrators
- Exchange Public Folder Administrators
- Exchange Recipient Administrators
- Exchange View-Only Administrators
For more information, see Create a new group.
Note: Be sure to select Universal for the group scope and Security for the group type.
4. In Forest A, perform the following steps to add the Exchange Organization Administrators group to the Exchange Recipient Administrators group:
- Right-click the Exchange Recipient Administrators group,
and then click Properties.
- On the Members tab, click Add.
- In Select Users, Computers, or Groups, type Exchange
Organization Administrators, and then click OK.
- Click OK on the Exchange Recipient Administrators
Properties page.
5. In Forest A, perform the following steps to add the Exchange Organization Administrators group to the Exchange Public Folder Administrators group:
- Right-click the Exchange Public Folder Administrators
group, and then click Properties.
- On the Members tab, click Add.
- In Select Users, Computers, or Groups, type Exchange
Organization Administrators, and then click OK.
- Click OK on the Exchange Public Folder Administrators
Properties page.
6. In Forest A, perform the following steps to add the Exchange Recipient Administrators group to the Exchange View-Only Administrators group:
- Right-click the Exchange View-Only Administrators group,
and then click Properties.
- On the Members tab, click Add.
- In Select Users, Computers, or Groups, type Exchange
Recipient Administrators, and then click OK.
- Click OK on the Exchange View-Only Administrators
Properties page.
7. In Forest A, perform the following steps to add the Exchange Public Folder Administrators group to the Exchange View-Only Administrators group:
- Right-click the Exchange View-Only Administrators group,
and then click Properties.
- On the Members tab, click Add.
- In Select Users, Computers, or Groups, type Exchange
Public Folder Administrators, and then click OK.
- Click OK on the Exchange View-Only Administrators
Properties page.
8. In Active Directory Users and Computers in Forest A, on the View menu, click Advanced Features, and then follow these steps. Be aware that, as documented, these steps grant every one of the four groups Full Control of the organizational unit and of every object in it, including the Exchange Organization Administrators group itself, so a member of the Recipient, Public Folder, or View-Only group can change the membership of Exchange Organization Administrators in Forest A. The troubleshooting note in Step 10 names only the Exchange Organization Administrators entry as required for Setup to succeed.
- Right-click the Microsoft Exchange Security Groups
organizational unit, and then click Properties.
- On the Security tab, click Advanced.
- On the Permissions tab, select Exchange Organization
Administrators in the Permission entries list, and then
click Edit.
- On the Object tab, in the Apply to list, select
This object and all child objects.
- In the Permissions list, locate Full Control, and
then click to select the Allow check box.
- Click OK.
- On the Permissions tab, select Exchange Recipient
Administrators, and then click Edit.
- On the Object tab, in the Apply to list, select
This object and all child objects.
- In the Permissions list, locate Full Control, and
then click to select the Allow check box.
- Click OK.
- On the Permissions tab, select Exchange Public Folder
Administrators, and then click Edit.
- On the Object tab, in the Apply to list, select
This object and all child objects.
- In the Permissions list, locate Full Control, and
then click to select the Allow check box.
- Click OK.
- On the Permissions tab, select Exchange View-Only
Administrators, and then click Edit.
- On the Object tab, in the Apply to list, select
This object and all child objects.
- In the Permissions list, locate Full Control, and
then click to select the Allow check box.
- Click OK two times.
9. Log on to Forest B by using an account that is a member of the Enterprise Admins group in Forest B, and then run the following command from a Command Prompt window:
Setup /PrepareAD /ForeignForestFQDN:ForestA.contoso.com
This command verifies that the Exchange universal security groups in Forest A exist and that their permissions are assigned correctly. In Forest B, the command configures access control entries (ACEs) in Active Directory on the Exchange configuration objects so that the Exchange universal security groups in Forest A have rights to the Exchange configuration in Forest B. When you run Setup /PrepareAD without the ForeignForestFQDN parameter, the command creates the Exchange universal security groups in the local forest and sets permissions on those groups. Adding the ForeignForestFQDN parameter specifies that you want to give the Exchange universal security groups in a foreign forest permission to the Exchange configuration in the forest where you run the command.
10. To verify that Setup completed successfully, perform the following steps:
- In Forest B, right-click the Exchange Servers
universal security group, and then click Properties.
- On the Security tab, under Group or user names,
select Exchange Organization Administrators (<Forest A
domain\Exchange Organization Administrators>).
- Verify that Allow is selected for the Full
Control permission.
Note: If Setup fails because of insufficient access rights, verify that you created the universal security groups correctly in Forest A, that the groups are nested correctly, and that the Exchange Organization Administrators group has full control of the new organizational unit and of all the new universal security groups, and then perform Step 9 again.
11. To administer Exchange in Forest B by using an account in Forest A, add the account in Forest A to one or more of the Exchange universal security groups that you created in Forest A.
12. (Optional) Change the trust from a two-way to a one-way forest trust. To do this, in Forest B, delete the incoming side of the trust with Forest A (the side that lets Forest B accounts be used in Forest A) and keep the outgoing side (Forest B trusts Forest A). For detailed steps, see Remove a manually created trust.
Note: Be sure to select Yes, remove the trust from both the local domain and the other domain. You must retain the outgoing trust.
13. In Active Directory Users and Computers in Forest B, on the View menu, click Advanced Features.
14. (Optional) If you want recipient administrators in Forest A to administer users in Forest B, you must manually assign them permissions. Perform the following steps:
- In Active Directory Users and Computers in
Forest B, right-click the Users container, and then
click Properties.
- On the Security tab, click Advanced.
- Under Permissions entries, select the entry where
Type is Allow, Name is Exchange Recipient
Administrators (<Forest A domain\Exchange Recipient
Administrators>), and Permission is Special,
and then click Edit.
- On the Permission Entry for Users page, on the
Objects tab under Permissions, select Allow
for the following permissions: List Contents, Read All
Properties, Write All Properties, Read
Permissions, Create User Objects, Delete User
Objects.
- Click OK.
- On the Advanced Security Settings for Users page, select
the Allow inheritable permissions from the parent to propagate
to this object and all child objects check box, and then click
OK.
Note: This step provides the permissions necessary for members of the Exchange Recipient Administrators group in Forest A to modify objects in the Users container in Forest B. Running Setup /PrepareAD /ForeignForestFQDN in Forest B (Step 9) granted the Exchange security groups in Forest A permission to Exchange properties in Forest B, but not to Windows user properties in Forest B. To provide permissions to other groups in Forest A so they can modify objects in the Users container in Forest B, select a different group on the Advanced Security Settings for Users page. The entry applies only to the Users container and the objects under it; recipients that live in other organizational units need the same entry on those organizational units.
15. (Optional) If you want administrators in Forest A to have permission to use the Exchange Management Console and the Exchange Management Shell on an Exchange server in Forest B, you must manually grant the Forest A user or group Read & Execute permission on the Bin, Public, and Scripts directories in the Exchange Server directory. Perform the following steps:
- Navigate to the Exchange Server directory where
Exchange is installed. (By default the directory is
%programfiles%\Microsoft\Exchange Server.)
- Right-click the Bin directory, and then click
Properties.
- On the Security tab, click Add, and then enter
the user or group to which you want to give permission.
- Under Permissions for <user or group>,
select Allow for the Read & Execute permission,
and then click OK.
- Right-click the Public directory, and then click
Properties.
- On the Security tab, click Add, and then enter
the user or group to which you want to give permission.
- Under Permissions for <user or group>,
select Allow for the Read & Execute permission,
and then click OK.
- Right-click the Scripts directory, and then click
Properties.
- On the Security tab, click Add, and then enter
the user or group to which you want to give permission.
- Under Permissions for <user or group>,
select Allow for the Read & Execute permission,
and then click OK.
Note: To administer Exchange in Forest B, users in Forest A must also be able to log on to a server in Forest B that has Exchange or the Exchange management tools installed. If you add users in Forest A to the Domain Admins group or to the local Administrators group on the server in Forest B so that they can log on, they will already have Read & Execute permissions on the Bin, Public, and Scripts directories, but they will also hold rights far beyond Exchange administration. Prefer the alternative: give users in Forest A specific permission to log on to the server remotely by using the Terminal Services component of Windows Server 2003.
Exchange 2007 RTM
To configure cross-forest administration in the RTM version of Exchange 2007
1. If you are in a classic cross-forest scenario (Exchange is installed in both Forest A and Forest B) and you do not want the user in Forest A who will administer Exchange in Forest B to also be an administrator in Forest A, rename the following organizational unit and groups in Forest A, or move them to a different organizational unit or domain, so that the groups you create in the following steps can use the default names:
- Microsoft Exchange Security Groups
- Exchange Organization Administrators
- Exchange Recipient Administrators
- Exchange View-Only Administrators
After you rename or move these groups, they will still have the same membership and permissions, and you will still be able to administer Exchange in Forest A by using accounts that are members of these groups.
If you are in a classic cross-forest scenario, you have Exchange installed in both Forest A and Forest B, and you want the user in Forest A to administer Exchange in both Forest A and Forest B, continue to Step 7.
If you are in a resource forest scenario, continue to Step 2.
2. In the root domain of Forest A, create a new organizational unit called Microsoft Exchange Security Groups. For more information about creating an organizational unit, see Create a New Organizational Unit.
3. In the Microsoft Exchange Security Groups organizational unit in Forest A, create the following universal security groups:
- Exchange Organization Administrators
- Exchange Recipient Administrators
- Exchange View-Only Administrators
For more information, see Create a new group.
Note: Be sure to select Universal for the group scope and Security for the group type.
4. In Forest A, perform the following steps to add the Exchange Organization Administrators group to the Exchange Recipient Administrators group:
- Right-click the Exchange Recipient Administrators group,
and then click Properties.
- On the Members tab, click Add.
- In Select Users, Computers, or Groups, type Exchange
Organization Administrators, and then click OK.
- Click OK on the Exchange Recipient Administrators
Properties page.
5. In Forest A, perform the following steps to add the Exchange Recipient Administrators group to the Exchange View-Only Administrators group:
- Right-click the Exchange View-Only Administrators group,
and then click Properties.
- On the Members tab, click Add.
- In Select Users, Computers, or Groups, type Exchange
Recipient Administrators, and then click OK.
- Click OK on the Exchange View-Only Administrators
Properties page.
6. In Active Directory Users and Computers in Forest A, on the View menu, click Advanced Features, and then perform the following steps:
- Right-click the Microsoft Exchange Security Groups
organizational unit, and then click Properties.
- On the Security tab, under Group or user names,
select Exchange Organization Administrators.
- Under Permissions for Exchange Organization
Administrators, select Full Control, and then click
OK.
- Right-click the Exchange Organization Administrators
group, and then click Properties.
- On the Security tab, under Group or user names,
select Exchange Organization Administrators.
- Under Permissions for Exchange Organization
Administrators, select Full Control, and then click
OK.
- Right-click the Exchange Recipient Administrators group,
and then click Properties.
- On the Security tab, under Group or user names,
select Exchange Organization Administrators.
- Under Permissions for Exchange Organization
Administrators, select Full Control, and then click
OK.
- Right-click the Exchange View-Only Administrators group,
and then click Properties.
- On the Security tab, under Group or user names,
select Exchange Organization Administrators.
- Under Permissions for Exchange Organization
Administrators, select Full Control, and then click
OK.
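The Forest A side of both procedures (Steps 2 through 8 of the SP1 procedure above, and Steps 2 through 6 of this RTM procedure) as one PowerShell script that drives the in-box dsadd, dsmod, dsacls and dsget tools instead of Active Directory Users and Computers. This is an added example, not code from the original topic or from Microsoft. FORESTA is an assumed placeholder for the NetBIOS name of the Forest A root domain, and the -Rtm switch selects the three-group, per-object variant of the RTM procedure.

```powershell
# Added example, not part of the original topic. Run in Forest A with an
# account that is a member of Enterprise Admins in Forest A. dsadd, dsmod,
# dsacls and dsget ship with Windows Server 2003.
param(
    [string] $ForestNetBios = "FORESTA",   # assumed: NetBIOS name of the Forest A root domain
    [switch] $Rtm                          # RTM procedure: no Public Folder role, per-object ACLs
)
$ErrorActionPreference = "Stop"

# Runs an in-box command-line tool and fails the script on a non-zero exit code.
function Invoke-Native([string] $exe, [string[]] $arguments) {
    & $exe $arguments
    if ($LASTEXITCODE -ne 0) { throw "$exe exited with $LASTEXITCODE" }
}

# The OU lives in the forest root domain; RootDSE gives its naming context.
$rootDn = [string]([ADSI]"LDAP://RootDSE").rootDomainNamingContext
$ouDn   = "OU=Microsoft Exchange Security Groups,$rootDn"
function Get-GroupDn([string] $name) { return "CN=$name,$ouDn" }

$orgAdmins   = "Exchange Organization Administrators"
$recipAdmins = "Exchange Recipient Administrators"
$pfAdmins    = "Exchange Public Folder Administrators"
$viewOnly    = "Exchange View-Only Administrators"
$groups = @($orgAdmins, $recipAdmins, $viewOnly)
if (-not $Rtm) { $groups += $pfAdmins }

# Step 2: create the organizational unit.
Invoke-Native dsadd @("ou", $ouDn)

# Step 3: universal (-scope u) security (-secgrp yes) groups. -samid is passed
# explicitly so the SAM account name is the full group name, not a truncated prefix.
foreach ($g in $groups) {
    Invoke-Native dsadd @("group", (Get-GroupDn $g), "-secgrp", "yes", "-scope", "u", "-samid", $g)
}

# Steps 4 to 7 (SP1) / Steps 4 and 5 (RTM): nest the groups.
# Each pair is (group to add to, member group).
$nesting = @( @($recipAdmins, $orgAdmins), @($viewOnly, $recipAdmins) )
if (-not $Rtm) {
    $nesting += , @($pfAdmins, $orgAdmins)
    $nesting += , @($viewOnly, $pfAdmins)
}
foreach ($pair in $nesting) {
    Invoke-Native dsmod @("group", (Get-GroupDn $pair[0]), "-addmbr", (Get-GroupDn $pair[1]))
}

# Step 8 (SP1) / Step 6 (RTM): Full Control (dsacls right GA).
if ($Rtm) {
    # RTM: Exchange Organization Administrators on the OU and on each group, object by object.
    foreach ($dn in @($ouDn) + @($groups | ForEach-Object { Get-GroupDn $_ })) {
        Invoke-Native dsacls @($dn, "/G", "$ForestNetBios\${orgAdmins}:GA")
    }
} else {
    # SP1, as documented: every group gets Full Control on the OU and all child
    # objects (/I:T). Caveat: members of the Recipient, Public Folder and
    # View-Only groups can then edit the membership of Exchange Organization
    # Administrators in Forest A; the troubleshooting note in Step 10 names
    # only the Organization Administrators entry as required.
    foreach ($g in $groups) {
        Invoke-Native dsacls @($ouDn, "/I:T", "/G", "$ForestNetBios\${g}:GA")
    }
}

# Show the nesting and the OU ACL for review before running Setup in Forest B.
Invoke-Native dsget @("group", (Get-GroupDn $viewOnly), "-members")
Invoke-Native dsacls @($ouDn)
```

Run it once per forest with an account that is an Enterprise Admin in Forest A only; the dsget and dsacls output at the end is what to compare against the group and OU property pages before moving to Forest B.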
7. Log on to Forest B by using an account that is a member of the Enterprise Admins group in Forest B, and then run the following command from a Command Prompt window:
Setup /PrepareAD /ForeignForestFQDN:ForestA.contoso.com
This command verifies that the Exchange universal security groups in Forest A exist and that their permissions are assigned correctly. In Forest B, the command configures access control entries (ACEs) in Active Directory on the Exchange configuration objects so that the Exchange universal security groups in Forest A have rights to the Exchange configuration in Forest B. When you run Setup /PrepareAD without the ForeignForestFQDN parameter, the command creates the Exchange universal security groups in the local forest and sets permissions on those groups. Adding the ForeignForestFQDN parameter specifies that you want to give the Exchange universal security groups in a foreign forest permission to the Exchange configuration in the forest where you run the command.
8. To verify that Setup completed successfully, perform the following steps:
- In Forest B, right-click the Exchange Servers
universal security group, and then click Properties.
- On the Security tab, under Group or user names,
select Exchange Organization Administrators (<Forest A
domain\Exchange Organization Administrators>).
- Verify that Allow is selected for the Full
Control permission.
Note: If Setup fails because of insufficient access rights, verify that you created the universal security groups correctly in Forest A, that the groups are nested correctly, and that the Exchange Organization Administrators group has full control of the new organizational unit and all three new universal security groups, and then perform Step 7 again.
9. To administer Exchange in Forest B by using an account in Forest A, add the account in Forest A to one or more of the Exchange universal security groups that you created in Forest A.
10. (Optional) Change the trust from a two-way to a one-way forest trust. To do this, in Forest B, delete the incoming side of the trust with Forest A (the side that lets Forest B accounts be used in Forest A) and keep the outgoing side (Forest B trusts Forest A). For detailed steps, see Remove a manually created trust.
Note: Be sure to select Yes, remove the trust from both the local domain and the other domain. You must retain the outgoing trust.
11. In Active Directory Users and Computers in Forest B, on the View menu, click Advanced Features.
12. (Optional) If you want recipient administrators in Forest A to administer users in Forest B, you must manually assign them permissions. Perform the following steps:
- In Active Directory Users and Computers in
Forest B, right-click the Users container, and then
click Properties.
- On the Security tab, click Advanced.
- Under Permissions entries, select the entry where
Type is Allow, Name is Exchange Recipient
Administrators (<Forest A domain\Exchange Recipient
Administrators>),
and Permission is Special, and then
click Edit.
- On the Permission Entry for Users page, on the
Objects tab under Permissions, select Allow
for the following permissions: List Contents, Read All
Properties, Write All Properties, Read
Permissions, Create User Objects, Delete User
Objects.
- Click OK.
- On the Advanced Security Settings for Users page, select
the Allow inheritable permissions from the parent to propagate
to this object and all child objects check box, and then click
OK.
Note: This step provides the permissions necessary for members of the Exchange Recipient Administrators group in Forest A to modify objects in the Users container in Forest B. Running Setup /PrepareAD /ForeignForestFQDN in Forest B (Step 7) granted the Exchange security groups in Forest A permission to Exchange properties in Forest B, but not to Windows user properties in Forest B. To provide permissions to other groups in Forest A so they can modify objects in the Users container in Forest B, select a different group on the Advanced Security Settings for Users page. The entry applies only to the Users container and the objects under it; recipients that live in other organizational units need the same entry on those organizational units.
13. (Optional) If you want administrators in Forest A to have permission to use the Exchange Management Console and the Exchange Management Shell on an Exchange server in Forest B, you must manually grant the Forest A user or group Read & Execute permission on the Bin, Public, and Scripts directories in the Exchange Server directory. Perform the following steps:
- Navigate to the Exchange Server directory where
Exchange is installed. (By default the directory is
%programfiles%\Microsoft\Exchange Server.)
- Right-click the Bin directory, and then click
Properties.
- On the Security tab, click Add, and then enter
the user or group to which you want to give permission.
- Under Permissions for <user or group>,
select Allow for the Read & Execute permission,
and then click OK.
- Right-click the Public directory, and then click
Properties.
- On the Security tab, click Add, and then enter
the user or group to which you want to give permission.
- Under Permissions for <user or group>,
select Allow for the Read & Execute permission,
and then click OK.
- Right-click the Scripts directory, and then click
Properties.
- On the Security tab, click Add, and then enter
the user or group to which you want to give permission.
- Under Permissions for <user or group>,
select Allow for the Read & Execute permission,
and then click OK.
Note: To administer Exchange in Forest B, users in Forest A must also be able to log on to a server in Forest B that has Exchange or the Exchange management tools installed. If you add users in Forest A to the Domain Admins group or to the local Administrators group on the server in Forest B so that they can log on, they will already have Read & Execute permissions on the Bin, Public, and Scripts directories, but they will also hold rights far beyond Exchange administration. Prefer the alternative: give users in Forest A specific permission to log on to the server remotely by using the Terminal Services component of Windows Server 2003.
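The Forest B side of both procedures (Steps 9, 10, 14 and 15 of the SP1 procedure; Steps 7, 8, 12 and 13 of the RTM procedure) as one PowerShell script: it runs Setup, performs the Full Control check that the verification step describes in the GUI, and optionally applies the Users container and directory permissions. This is an added example, not code from the original topic or from Microsoft. The setup path D:\Setup.com, the forest name ForestA.contoso.com and the NetBIOS name FORESTA are assumed placeholders; the Users container defaults to the root domain of Forest B.

```powershell
# Added example, not part of the original topic. Run on a Forest B server
# that can reach the Exchange 2007 setup files, with an account that is a
# member of Enterprise Admins in Forest B. Names and paths are placeholders.
param(
    [string] $ForeignForestFqdn = "ForestA.contoso.com",   # assumed
    [string] $ForeignNetBios    = "FORESTA",               # assumed NetBIOS name of Forest A
    [string] $SetupPath         = "D:\Setup.com",          # assumed location of Exchange Setup.com
    [string] $ExchangeRoot      = "$env:ProgramFiles\Microsoft\Exchange Server",
    [string] $UsersContainerDn  = "",                      # defaults to CN=Users in the root domain
    [switch] $GrantRecipientRights,    # optional Step 14 (SP1) / Step 12 (RTM)
    [switch] $GrantToolRights          # optional Step 15 (SP1) / Step 13 (RTM)
)
$ErrorActionPreference = "Stop"
$orgAdmins   = "$ForeignNetBios\Exchange Organization Administrators"
$recipAdmins = "$ForeignNetBios\Exchange Recipient Administrators"
$rootDn      = [string]([ADSI]"LDAP://RootDSE").rootDomainNamingContext
if (-not $UsersContainerDn) { $UsersContainerDn = "CN=Users,$rootDn" }

# Runs a command-line tool and fails the script on a non-zero exit code.
function Invoke-Native([string] $exe, [string[]] $arguments) {
    & $exe $arguments
    if ($LASTEXITCODE -ne 0) { throw "$exe exited with $LASTEXITCODE" }
}

# $true when $objectDn carries an Allow entry for $identity whose rights include
# GenericAll, which the Security tab displays as Full Control.
function Test-FullControlAce([string] $objectDn, [string] $identity) {
    $all   = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $rules = ([ADSI]"LDAP://$objectDn").ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -eq "Allow" -and
            $ace.IdentityReference.Value -eq $identity -and
            ($ace.ActiveDirectoryRights -band $all) -eq $all) { return $true }
    }
    return $false
}

# Step 9 (SP1) / Step 7 (RTM): verify the Forest A groups and write ACEs for
# them on the Exchange configuration objects in Forest B.
Invoke-Native $SetupPath @("/PrepareAD", "/ForeignForestFQDN:$ForeignForestFqdn")

# Step 10 (SP1) / Step 8 (RTM): the Exchange Servers group must now show
# Allow Full Control for FORESTA\Exchange Organization Administrators.
$exchangeServersDn = "CN=Exchange Servers,OU=Microsoft Exchange Security Groups,$rootDn"
if (-not (Test-FullControlAce $exchangeServersDn $orgAdmins)) {
    throw "No Full Control entry for $orgAdmins on $exchangeServersDn. Check the Forest A groups, their nesting and the OU permissions, then run Setup again."
}

# Step 14 (SP1) / Step 12 (RTM): Setup granted rights to Exchange attributes only;
# creating and editing Windows user objects needs these additional rights.
if ($GrantRecipientRights) {
    # LC List Contents, RP Read All Properties, WP Write All Properties,
    # RC Read Permissions; CC/DC scoped to the user class = Create/Delete User Objects.
    Invoke-Native dsacls @($UsersContainerDn, "/I:T",
        "/G", "${recipAdmins}:LCRPWPRC", "/G", "${recipAdmins}:CCDC;user")
    # Keep inheritance from the parent enabled (the "Allow inheritable
    # permissions from the parent to propagate" check box).
    Invoke-Native dsacls @($UsersContainerDn, "/P:N")
}

# Step 15 (SP1) / Step 13 (RTM): Read & Execute on Bin, Public and Scripts so the
# Exchange Management Console and Shell can load for the Forest A administrators.
if ($GrantToolRights) {
    foreach ($dir in "Bin", "Public", "Scripts") {
        $path = Join-Path $ExchangeRoot $dir
        $acl  = Get-Acl -Path $path
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $orgAdmins, "ReadAndExecute", "ContainerInherit, ObjectInherit", "None", "Allow")
        $acl.AddAccessRule($rule)
        Set-Acl -Path $path -AclObject $acl
    }
}
```

The check in Test-FullControlAce is the scripted form of the property-page inspection in the verification step; it throws rather than continuing so that the optional permission grants are never applied on top of a failed Setup run. The two optional grants are behind switches because they widen what the Forest A groups can do in Forest B beyond the Exchange configuration, which is the point the notes on those steps make.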
For More Information
For more information about installing Exchange 2007 by using Setup.com from a Command Prompt window, see How to Install Exchange 2007 in Unattended Mode.