Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2009-09-15

As its name implies, a complex Exchange organization represents the most intricate topology into which Microsoft Exchange Server 2007 is deployed. Of the four defined organization models for Exchange 2007, the complex Exchange organization is the only model that includes multiple Active Directory directory service forests or the use of synchronization technology.

The deployment of multiple Active Directory forests that host Exchange servers and mailbox-enabled accounts is becoming a common scenario. A major driver of these deployments is the need to segregate administration of user environments and trusted security contexts. Because the forest represents the security boundary of Active Directory in deployments where security and controlling access to resources is the primary concern, it is common to find multiple Active Directory forests deployed in parallel.

Note:
All multiple forest topologies require directory servers in each forest that are running Windows Server 2003 with Service Pack 1 or later.

Examples of Complex Exchange Organizations

There are a variety of reasons for implementing multiple Active Directory forests. Some of these reasons include:

  • You have multiple business units that require data and service isolation.

  • You have multiple business units that have separate schema requirements.

  • You are confronted with a merger, acquisition, or divestiture.

Exchange Resource Forest Topology

The only way to establish strict boundaries between business units is to create a separate Active Directory forest for each business unit. If this is your Active Directory configuration, we recommend that you use an Exchange resource forest.

Figure 1 illustrates an example of a complex Exchange organization that contains an Exchange resource forest.


Figure 1   Example of a complex Exchange organization with an Exchange resource forest

In Figure 1, Forest B contains Exchange servers, and Forest A contains the user accounts. Forest B also contains identical user accounts, but those accounts are disabled, and mailbox-enabled users log on to Active Directory using their account in Forest A.

If you deploy Exchange 2007 in a resource forest, the administrator in the forest that only contains the user accounts does not have permission to create mailboxes in the Exchange forest by default. Although the administrator in the forest that contains user accounts can create user accounts, in a resource forest topology, this administrator cannot perform any mailbox management tasks without delegating special permissions to the account administrator. An administrator in the Exchange forest must manually create mailboxes separately from the user accounts and link the mailboxes back to existing user accounts. In addition, you must also add any additional information (such as telephone number or office location) to the Exchange forest separately, even though that information may already exist with the associated user account.
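The linked-mailbox provisioning described above, as an added Exchange Management Shell example that is not part of the original topic. It is run by an administrator in the Exchange forest (Forest B); the forest names, domain controller, database, OU, service account and user rows are constructed placeholders.

```powershell
# Added example: create mailboxes in the Exchange forest (Forest B) that are
# linked to existing user accounts in the account forest (Forest A), then
# verify the link. All names below are constructed, not from the original topic.

# Credential in Forest A, used only to look up the master accounts. Give this
# account read access to the user objects and nothing more.
$linkedCred = Get-Credential "FORESTA\svc-exchlink"

# Constructed input: one row per account that already exists in Forest A.
# The phone and office values are supplied here because Exchange does not copy
# them from the account forest; they must be set in Forest B separately.
$users = @(
    [pscustomobject]@{ Name = "Ayla Kol"; Alias = "ayla";  Upn = "ayla@forestb.example";  Master = "FORESTA\ayla";  Phone = "+1 425 555 0100"; Office = "Bldg 7" },
    [pscustomobject]@{ Name = "Dan Park"; Alias = "dpark"; Upn = "dpark@forestb.example"; Master = "FORESTA\dpark"; Phone = "+1 425 555 0101"; Office = "Bldg 3" }
)

foreach ($u in $users) {
    # New-Mailbox with -LinkedMasterAccount creates a disabled user object in
    # Forest B and links the mailbox to the Forest A account; users keep logging
    # on with their Forest A credentials.
    New-Mailbox -Name $u.Name -Alias $u.Alias -UserPrincipalName $u.Upn `
        -OrganizationalUnit "forestb.example/Linked Users" `
        -Database "MBX01\First Storage Group\Mailbox Database" `
        -LinkedMasterAccount $u.Master `
        -LinkedDomainController "dc01.foresta.example" `
        -LinkedCredential $linkedCred | Out-Null

    # Directory details that already exist in Forest A still have to be
    # written to the Forest B object by hand.
    Set-User -Identity $u.Alias -Phone $u.Phone -Office $u.Office
}

# Verification: each mailbox in the OU must be a linked mailbox with a master
# account. A mailbox without one would be a Forest B logon target instead of a
# placeholder, which is the opposite of what the resource forest model intends.
Get-Mailbox -OrganizationalUnit "forestb.example/Linked Users" |
    Select-Object Alias, RecipientTypeDetails, LinkedMasterAccount |
    Where-Object { $_.RecipientTypeDetails -ne "LinkedMailbox" -or -not $_.LinkedMasterAccount } |
    ForEach-Object { Write-Warning "Mailbox $($_.Alias) is not linked to a master account" }
```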

Multiple Exchange Forest Topology

In the case of mergers and acquisitions, it is not uncommon to have multiple Active Directory forests and multiple Exchange organizations. When running Exchange in a multiple forest environment, system architects and Exchange administrators generally encounter the same design issues found in the simple, standard, and large Exchange organization models. However, unique to the complex Exchange organization is the need to synchronize directory objects across disparate forests, and to replicate free/busy data. Microsoft provides two solutions for directory synchronization:

  • Identity Integration Feature Pack for Microsoft Windows Server Active Directory (IIFP) with Service Pack 2 (SP2)

  • Microsoft Identity Integration Server (MIIS)

Both solutions are based upon MIIS. IIFP is a freely available, simpler version of MIIS. MIIS is a feature-rich, though more costly, solution.

In addition to synchronizing the directory, a frequent requirement is that free/busy data or public folders be made available between the Exchange organizations that are hosted in each forest. In previous versions of Exchange Server, this required the Microsoft Exchange Server Inter-Organization Replication (IORepl) tool, which coordinates meetings, appointments, contacts, and public folder information between separate Exchange organizations. To share free/busy and calendaring information between Exchange 2007 organizations that are hosted in separate forests, the following options are available:

  • If both organizations use Microsoft Office Outlook 2007, the Availability Service in Exchange 2007 can be used to share free/busy and calendaring information between the organizations. However, this solution does not share public folder data between the organizations.

  • If earlier versions of Outlook are being used, you can use IORepl to share free/busy and calendaring information between the organizations. IORepl is supported on a computer that has the Exchange 2007 management tools installed without any other Exchange 2007 server roles, or on a server that is running Exchange Server 2003 or Exchange 2000 Server. This solution also lets you share public folder data between the organizations. If you install the tool on a computer that has the Exchange 2007 management tools installed, you must also install the Exchange MAPI client libraries. For more information about the Inter-Organization Replication tool, see Microsoft Exchange Server Inter-Organization Replication. For more information about downloading the Exchange MAPI client libraries, see Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1.

Note:
Functionality that is required by IORepl may be missing. By default, Exchange Server 2007, and later versions, do not include the Messaging API (MAPI) client libraries or Collaboration Data Objects (CDO), version 1.2.1 as a part of the base product installation. You must install Microsoft Exchange MAPI and CDO 1.2.1 to provide access to the contents of MAPI stores. If Office Outlook is installed on the server, you must uninstall Outlook before you install Exchange MAPI and CDO 1.2.1.

For more information about how to use IORepl with Exchange 2007, see the Inter-Organization Replication Tool topic in Exchange Help.
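The Availability service option (the first bullet above, for Outlook 2007 clients) as an added Exchange Management Shell example that is not part of the original topic. It is run in the local forest and assumes a forest trust to the remote forest and Exchange 2007 on both sides; the forest name, domain controller and service account are constructed placeholders.

```powershell
# Added example: cross-forest free/busy via the Exchange 2007 Availability
# service, configured from the local forest. Names are constructed placeholders;
# a two-way forest trust to the remote forest is assumed.

$remoteForest = "foresta.example"
$remoteDc     = "dc01.foresta.example"
$remoteCred   = Get-Credential "FORESTA\svc-availability"

# 1. Publish this forest's Autodiscover configuration into the remote forest so
#    Outlook 2007 clients there can locate the Availability service here.
Export-AutoDiscoverConfig -TargetForestDomainController $remoteDc `
    -TargetForestCredential $remoteCred -MultipleExchangeDeployments $true

# 2. Per-user free/busy requires the remote forest's Exchange servers to act on
#    behalf of their users against our Client Access servers (token
#    serialization). Grant that right only to the trusted forest's Exchange
#    Servers group, not to a broader principal.
Get-ClientAccessServer | Add-ADPermission -AccessRights ExtendedRight `
    -ExtendedRights "ms-Exch-EPI-Token-Serialization" -User "FORESTA\Exchange Servers"

# 3. Tell the local Availability service that addresses in the remote
#    namespace are resolved in that forest. PerUserFB with the service account
#    returns per-user detail; OrgWideFB with -Credential is the choice when no
#    trust exists and only organization-wide free/busy is acceptable.
Add-AvailabilityAddressSpace -ForestName $remoteForest -AccessMethod PerUserFB `
    -UseServiceAccount $true

# Verification: without an address space entry, free/busy for remote users
# silently shows as unavailable rather than failing loudly.
$space = Get-AvailabilityAddressSpace | Where-Object { $_.ForestName -eq $remoteForest }
if (-not $space) {
    Write-Warning "No availability address space configured for $remoteForest"
} else {
    $space | Format-List ForestName, AccessMethod, UseServiceAccount
}
```

The same steps have to be repeated from the remote forest if free/busy is needed in both directions.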

Figure 2 illustrates an example of a complex Exchange organization that contains multiple Exchange forests.


Figure 2   Example of a complex Exchange organization with multiple Exchange forests

Exchange Cross-Forest Topology

In a cross-forest environment, Exchange Server runs in separate Active Directory forests, but mail functionality is available across forests. Deploying Exchange 2007 in a cross-forest environment with directory synchronization has the following limitations:

  • Inability to view distribution list membership, if members have mailboxes in a different forest

  • Inability to add users in a different forest to a distribution list

  • Inability to nest distribution lists across forests

  • No tool to move distribution lists to another forest

  • Inability to retain delegation properties, if you move a mailbox across forests

  • No tool to move public folders to another forest

  • Inability to send signed or encrypted messages across forests, if you use a Microsoft Windows public key infrastructure (PKI) self-signed certificate

Planning Considerations for Complex Exchange Organizations

During the planning phase of your deployment, and before you deploy any Exchange 2007 servers in a complex Exchange organization, we recommend that you consider the following points:

  • Multiple Exchange organizations that share a common global address list (GAL) introduce the need for some form of GAL synchronization, and for replication of calendaring resources across forests.

  • Complex Exchange organizations often have multiple points of egress and ingress to the Internet. As the number of types of services that are exposed to the Internet increases, the firewall systems that are deployed become more advanced as well. Microsoft Internet Security and Acceleration (ISA) Server is an application-level firewall that can be used to publish Exchange services such as Outlook Web Access, Post Office Protocol 3 (POP3) and Internet Message Access Protocol 4 (IMAP4), ActiveSync, and Outlook Anywhere. We recommend that you deploy ISA Server, or an array of servers running ISA Server, on the boundary between the perimeter network and the private corporate network.

  • When deploying a complex Exchange organization, it is often necessary to provide high availability. In Exchange 2007, there are multiple solutions that can be used to provide high availability for each server role. For more information about high availability strategies and features for Exchange 2007, see High Availability.

  • The use of multiple Active Directory forests also means that multiple namespaces are in use. In Exchange 2007, the Client Access server requires the use of a unique URL namespace within each forest in a cross-forest environment.

Transitioning a Complex Exchange Organization

If you are transitioning from an existing Exchange Server 2003 or Exchange 2000 Server organization to an Exchange 2007 organization, be aware that you cannot perform an in-place upgrade of your servers. You must add one or more Exchange 2007 servers to your existing organization, move mailboxes and other data to Exchange 2007, and then remove the Exchange 2003 or Exchange 2000 server from the organization.

For more information about deploying and transitioning to a complex Exchange 2007 organization, see Deploying a Complex Exchange Organization.
