Applies to: Exchange Server 2007 SP3, Exchange Server
2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2010-01-27
This topic explains how to use the Exchange Management Shell to configure the Availability service for cross-forest topologies. The Availability service improves information workers' free/busy data by providing secure, consistent, and up-to-date free/busy information to computers that are running Microsoft Office Outlook 2007. By default, this service is installed with Microsoft Exchange Server 2007. In cross-forest topologies where all connecting client computers are running Outlook 2007, the Availability service is the only method of retrieving free/busy data.
Note: |
---|
You cannot use the Exchange Management Console to configure the Availability service for cross-forest topologies. |
You can use the Availability service in cross-forest topologies across trusted or untrusted forests. The kind of free/busy information is determined by whether the cross-forest free/busy data is configured as a per-user or an organization-wide service. Per-user free/busy information is only possible in a trusted cross-forest topology and makes it possible for the Availability service to make cross-forest requests on behalf of a particular user. This also enables a user in a remote forest to grant detailed free/busy information to a cross-forest user.
However, with organization-wide free/busy data, the Availability service can make cross-forest requests only on behalf of a particular organization. With organization-wide free/busy data, a user's default free/busy information is returned, and it is not possible to control the level of free/busy information that is returned to users in the other forest.
Configuring Windows for Cross-Forest Topologies
Depending on the scenario, you must also consider the following requirements:
- You must sync the global address list (GAL) between
forests.
- The Autodiscover service must be working between forests.
- All Exchange 2007 Client Access servers must validate the
certificate on the target forest.
To configure Microsoft Windows for a cross-forest topology, you must install and configure GAL Synchronization (GALSync). For complete information about how to install and configure the GALSync feature in Microsoft Identity Integration Server (MIIS) 2003, see the following resources:
This feature creates mailbox-enabled contacts that represent recipients from other forests. This lets users view the contacts in the GAL and add them as attendees to meetings.
In an Exchange 2007 cross-forest scenario, the only method for sharing free/busy information between forests is the Availability service. Because legacy Outlook clients or users who have mailboxes homed on earlier versions of Exchange cannot use the Availability service, they cannot retrieve free/busy information for users outside their forest unless the information that is stored in public folders is somehow replicated between the forests.
Therefore, if you are running Office Outlook 2003 or earlier, you must use the Microsoft Exchange Inter-Organization Replication tool to synchronize free/busy data across multiple forests. For more information about the Microsoft Exchange Inter-Organization Replication tool, see Microsoft Exchange Server Inter-Organization Replication.
You must also run the following cmdlet from the Exchange Management Shell to set public folder free/busy availability:
Copy Code | |
---|---|
Add-AvailabilityAddressSpace -ForestName "target.forest.com" -AccessMethod PublicFolder |
Permission that Is Required to Run the Cmdlets
- To run the Get-ClientAccessServer cmdlet, the account
that you use must be delegated the following:
Exchange View-Only Administrator role
- To run the Add-ADPermission cmdlet, the account that you
use must be delegated the following:
Exchange Organization Administrator role
- To run the Add-AvailabilityAddressSpace cmdlet, the
account that you use must be delegated the following:
Exchange Organization Administrator role
- To run the Set-AvailabilityConfig cmdlet, the account
that you use must be delegated the following:
Exchange Organization Administrator role
For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.
Cross-Forest Availability and Autodiscover Service
The Autodiscover service provides information for the Availability service by locating and providing the external and internal URLs for the Outlook 2007 client and Exchange 2007 Client Access server for cross-forest availability. That means the Client Access servers must be able to connect to the Autodiscover service on the target forest to return the Availability service URL.
In a cross-forest availability scenario, there are basically two options to configure the Autodiscover service.
- Export the Service Connection Point (SCP) from the target to
the source forest if there is trust relationship between the
forests.
- Use DNS to resolve the autodiscover.targetforest.com Web
site address.
Note: |
---|
DNS Service Location (SRV) records do not work to locate the Autodiscover service to an Exchange 2007 Client Access server in a cross-forest scenario. |
The cross-forest Availability service has a time limit when the service performs an Autodiscover service request for cross-forest users in the Active Directory directory service. By default, this time-out value is 10 seconds. If the Autodiscover request does not finish in 10 seconds, the Availability service request for the cross-forest user may time out. For more information, see the following topics:
Cross-Forest Availability and Certificates
When you install Exchange 2007 with the Client Access server role, a self-signed certificate is created. The self-signed certificate has two Subject Alternative Name (SAN) entries: one for the NetBIOS name of the Client Access server and one for the fully qualified domain name (FQDN) of the Client Access server. Therefore, if you plan to use the default self-signed certificate installed on the Client Access server, you have only one option to make Autodiscover work between both forests; you must export the SCP from the target forest to the source forest. In this scenario, you must have a trust relationship between both forests. For more information, see the following topics:
- Exchange 2007 Autodiscover Service White
Paper
- Configuration tips and common troubleshooting steps
for multiple forest deployment of Autodiscover service
If there is no trust relationship between forests, and you still want to use a self-signed certificate, you must reissue a new self-signed certificate and include the Subject Alternative Name for autodiscover.targetforest.com. You can use the New-ExchangeCertificate cmdlet to reissue a new self-signed certificate. For more information, see New-ExchangeCertificate (RTM).
Although the self-signed certificate can be used to encrypt communications between a Client Access server and other Exchange 2007 server roles, we do not recommend the self-signed certificate for use with client applications and devices. Because of the limitations of a self-signed certificate, we recommend that you replace the self-signed certificate with either a trusted third-party certificate or a certificate signed by a Windows PKI. For more information, see the following Exchange Help topics:
Procedure
To use the Exchange Management Shell to configure the Availability service for cross-forest topologies
-
In a Windows trust relationship scenario, run the following cmdlets in the source and target forest:
Source Forest:
Copy Code Add-AvailabilityAddressSpace -ForestName "xyz.com" -AccessMethod PerUserFB -UseServiceAccount $true
Target Forest:
Copy Code Get-ClientAccessServer | Add-AdPermission -AccessRights ExtendedRight -ExtendedRights "ms-exch-epi-token-serialization" -User "Sourceforest\Exchange Servers"
-
If a trust relationship does not exist, you must run the following cmdlets in the source and target forest. In this scenario, a service account with low permissions is required in the target domain. For example, use a regular account without administrative permissions.
Source Forest:
Copy Code $a = Get-Credential (Type the credential "TargetForest\User" for organization-wide user) Add-AvailabilityAddressSpace -ForestName "xyz.com" -AccessMethod OrgWide -Credential $a
Target Forest:
Copy Code Set-AvailabilityConfig -OrgWideAccount "TargetForest\User"
-
In a trust relationship scenario, there are two methods to configure the Autodiscover service. Either export the SCP from the target forest or use DNS to query the host record "autodiscover.targetforest.com."
- In a trust relationship scenario, export the SCP from the
target forest to the source forest by using the following
cmdlet:
Copy Code $a = Get-Credential (Type "SourceForest\Administrator") Export-AutodiscoverConfig -TargetDomainController "dc.sourceforest.com" -TargetForestCredential $a -MultipleExchangeDeployments $true
Note: After you import the SCP from a remote domain, the Autodiscover service may not work correctly, and Outlook 2007 clients may not be able to query Out of Office and Free/Busy information. A software update is currently under development for this issue and is scheduled to be released in an upcoming Cumulative Rollup for Outlook 2007. - In a trusted or untrusted scenario, the Exchange 2007
Client Access server is configured to query DNS to resolve
"autodiscover.targetforest.com." In this case, create a host
record for "autodiscover.targetforest.com."
Note: Autodiscover will return the Availability InternalURL to the Exchange 2007 Client Access server.
- In a trust relationship scenario, export the SCP from the
target forest to the source forest by using the following
cmdlet:
-
Whether you have a trusted or untrusted forest, the Exchange 2007 Client Access server in the source forest must validate the certificate installed on each Exchange 2007 Client Access server in the target forest. To make sure that you are using a valid certificate, follow these steps:
- If a self-signed certificate is installed on the
Exchange 2007 Client Access server in the target forest, you
must export it. The same concept applies if there is an internal
root CA and a private certificate is installed. Exchange 2007
is installed with a default self-signed Secure Sockets Layer (SSL)
certificate. You can use this certificate when enabling SSL for
Exchange ActiveSync, Office Outlook Web Access,
and the Availability service. However, users will receive a prompt
because the certificate is considered invalid by most client
applications. Exchange ActiveSync and
Office Outlook Web Access support proxying from one
Client Access server to another Client Access server. For the proxy
process to be successful when a self-signed certificate is used,
you must configure the following registry keys as shown:
Copy Code HKLM\System\CurrentControlSet\Services\MSExchangeOWA\AllowInternalUntrustedCerts = 1 HKLM\System\CurrentControlSet\Services\MSExchangeOWA\AllowExternalUntrustedCerts = 1
- After you export the self-signed certificate or the root CA
certificate, you will import it into the computer account store on
each Exchange 2007 Client Access server.
- If a self-signed certificate is installed on the
Exchange 2007 Client Access server in the target forest, you
must export it. The same concept applies if there is an internal
root CA and a private certificate is installed. Exchange 2007
is installed with a default self-signed Secure Sockets Layer (SSL)
certificate. You can use this certificate when enabling SSL for
Exchange ActiveSync, Office Outlook Web Access,
and the Availability service. However, users will receive a prompt
because the certificate is considered invalid by most client
applications. Exchange ActiveSync and
Office Outlook Web Access support proxying from one
Client Access server to another Client Access server. For the proxy
process to be successful when a self-signed certificate is used,
you must configure the following registry keys as shown:
-
To successfully test the Autodiscover service and Availability service, use one of the following methods:
- Exported SCP: From the Exchange 2007 Client Access
server, in the source forest, go to the Autodiscover Web site, and
then run the following cmdlet in the target forest:
Copy Code Get-ClientAccessServer | fl name, AutoDiscoverServiceInternaluri Get-WebServiceVirtualDirectory | fl name, InternalUrl
- DNS: From the Exchange 2007 Client Access server in
the source forest, go to the Autodiscover Web site, and then run
the following cmdlet in the target forest:
Copy Code Get-WebServicesVirtualDirectory | fl name, ExternalUrl
- Exported SCP: From the Exchange 2007 Client Access
server, in the source forest, go to the Autodiscover Web site, and
then run the following cmdlet in the target forest:
For More Information
For detailed syntax and parameter information, see the following cmdlet reference topics: