Cross Forest Mail Flow

Similar Messages

• Cross-Site Mail Flow Through Internet

  Hi,
  I have typical Exchange 2013 servers deployed in 2 AD sites. Currently, mail flow between the 2 sites are going through our WAN. Is there a way to force mail flow between the 2 sites to go through the internet?

  Hi Chester,
  Create send connector pointing to the internet gateway or edge server for each AD site Exchange server separately and on the default receive connector instead of all ip address ..customize to the exchange server specific ip address that are located in the
  same site...this will not allow the mail flow across the WAN and it uses the internet route for mail routing across the site..
  Exchange Queries

• Gal Sync and group member sync cross forest. Not working together

    I am finalizing a cross forest migration. The End client needs an extended period of time with both domains up and running. I have been working with an advisory engineer and we are having a hard time.
    We started by setting up GAL sync and that works as expected. Then we tried to setup group provisioning, and I have that working. I can create a groups and add members, as long as those users are in FIM and the Target forest the membership information
  is preserved. During the process we removed the GAL sync agents for ease of troubleshooting. Now when I run the GAL sync agents and I search the connector space I am showing connector false on both sides. I am not sure how to correct that. The other objects
  were created by the DS agents and FIM.  If I sync a new object it will create a contact cross forest. 
    What I want it to do is run the GAL sync without group contacts. Synchronize the GAL on both sides. (Groups have been created on both sides of the domain and ADMT has moved the group membership with the user) After the GAL is synchronized I need FIM
  to synchronize the group membership adding the contacts from the missing users that have moved. I am not sure how to get that logic in the system.
    I am not sure I am going about this the right way. It may be easier to use the FIM and AD DS agents to provision users cross forest as contacts and the group membership would be preserved.  If that is the case, I am not sure how to pull
  that off.
  Does anyone have recommendations?
  Thank You

   
  This is an overview of basically how it works. 
  The Group sync is pretty much out of the box, the real key here is the User is imported to FIM and that 'Person' is then provisioned outbound as a contact. 
  Membership synchronizes with the Group and FIM maintains group membership cross forest as the source user, and the target contact are the same 'Person'. 
  Precedence is important.  The OU structure is the same on both forests and needs to be initialized.  The Groups Sync is ahead of the users and then the users sync, and the group membership
  syncs. 
  The attribute flow is a long list.  It includes all of the exchange information for the contact, and it provisions the contact as mail enabled on both sides.  There is no VB it’s all
  done in sync rules. 
  Next Ill post the attribute flow and precedence diagram, I’ll get that together this week (I hope).  I intend to put this up in a lab and get screen shots on the whole configuration. 
  I will do that as soon as I can.
  Let me know if you have questions.

• Exchange 2007 to Exchange 2010 Cross Forest

  Hi
  We have a scenario where we have an Exchange 2007 organization (Org A - Source) and a separate Exchange 2010 organization (Org B - Target). Both the organizations (AD Forests) have two way trusts between them.
  We want to have our Exchange 2007 users have their mailboxes hosted on Exchange 2010 organization. Meaning that the user (AD) accounts of Org A will remain in Forest A but there mailboxes will be available on Exchange 2010 servers in Org B. So we don’t need
  a user / group migration stuff here and mailbox data on Exchange 2007 servers is also not critical (not required to be migrated) so we will be creating new disabled accounts and mailboxes in Org B for each user in Org A and connect the mailboxes. There will
  be a brief period of co-existence between two Orgs (to enable mail-flow) until all the users have their mailboxes active in Org B. Need to figure out a way to achieve this.
  We are planning to follow the steps below:
  Setup name resolution between the forests (although basic connectivity is there and we can ping servers in one forest using IP Addresses from other forest) –
  Please suggest if this is necessary or we can get away with it?
  Setup SMTP namespace sharing for Exchange 2007 SMTP Domain name
  Add Exchange 2007 SMTP domain as authoritative domain to E2K10
  Create EAP for new SMTP Domain
   SMTP Connector Creation for Direct E-mail Routing (Co-exist) Between Forests
  Create disabled Mail Enabled (not Mailbox Enabled) User or Mail Enabled Contact in Org B.
  Can we use Prepare-MoveRequest.ps1 script to create these?
  Once a mail enabled user / contact is created in Org B for all the users, change incoming traffic from Internet for Org A SMTP domain to hit HT server in Org B
  Make changes to Exchange 2010 certificate and install new certificate
  Select a batch of users every day, create new mailbox for them using scripts in Org B and delete the corresponding contact in Org B
  Can someone please confirm if this is correct and point out something I am missing?
  Is there any other way to achieve the same goal?
  Thanks
  Taranjeet Singh
  zamn

  Hi Everyone
  Thanks for the inputs so far. I need to confirm some steps to establish direct email flow unless all the mailboxes are created in target organization, can somebody have a look at the steps below and confirm if they are correct or add something that
  I missed here:
  Setup source Exchange organization:
  a) Add unique SMTP domain for source organization, like @source.local. This domain will be added to all mail enabled objects in this organization and will be used for internal routing only
       i) Add to Accepted Domains list
       ii) Create EAP to add domain to existing objects
  b) Use manual means to stamp SMTP domain to objects in source organization on objects that don’t have EmailAddressPolicyEnabled set to False
  c) Create Send Connector to target forest. The target domain should also have a unique e-mail address, like @target.company.com (in our case 19 SMTP domains including JUBL.COM)
       i) Include the valid SMTP domains and the unique one for internal routing
           (source.local)
       ii) Point to a smart host in the target forest
  d) Set existing SMTP domain (JubilantRetail.com) as “Internal Relay Domain”. The target Exchange org will be authoritative for this domain
  Setup target Exchange organization
  a) Create Send Connector to unique SMTP domain in source forest. Includes shared name space (source.local) and @JubilantRetail.com
  b) Set Default receiver connector, being used by source forest, to allow anonymous connections
  c) Add shared SMTP domain (source.local) to Accepted Domains list as authoritative
  d) Create EAPs to replicate the SMTP domains (e:g JubilantRetail.com and source.local) in the source environment
  Thanks
  Taranjeet Singh
  zamn

• Cross forest migration Exchange 2010 SP2 to Exchange 2010 SP2

  Hi,
  We are planning cross forest migration Exchange 2010 SP2 to Exchange 2010 SP2.
  Requesting you to please help us out for below scenario.
  Source Exchange 2010 SP2:- abc.com
  2AD, 2CAS & 2 MBX servers
  Database:- 4
  Total Users :- 3500
  Accepted Domains :- 8
  Total Data:- 5TB +
  Target Exchange 2010 SP2:- xyz.com
  Resource allocated same as above.
  Now we have to migrate users along with data to target forest xyz.com keeping both setup live, as moving 5TB + data will be a ongoing process and the same will take some time.
  With the guidelines mentioned in
  http://careexchange.in/cross-forest-migration-guide-exchange-2010-to-exchange-2010/#comment-14203 we are able to migrate test users along with data, but after migration the migrated user is not able to connect through MS Outlook even not able to login into
  OWA. It gives error “The Outlook Web App address
  https://mail.abc.com/owa is out of date.”
  Kindly let us know how to solve this issue.
  Kindly let me know if you want any more information from our end.
  Thanks in advance.
  Thanks and Regards, Shashank Kudi

  Hi Shashank,
  Do you have certificates properly installed and configured in the target Exchange?
  If not, Please configure certificate and import the certificate to the trusted root CA if you are using internal CA cert.
  Thanks, MAS
  Please mark as helpful if you find my comment helpful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

• Exchange 2010 to 2003 mail flow failing

  Scenario: Just installed exchange 10 to coexist with an existing exchange 03 organization with two 03 servers
  Problem: Mail flow fails from 10 to 03 but for just one of the 03 servers (slave). Mail flow works from 10 to 03 (master) just fine.
  Variables:
  Single forest, single domain
  Exchange 2003 master – Ex03A (AD site A)
  Exchange 2003 slave – Ex03B (AD site B)
  Exchange 2010 – Ex10Z (AD site A)
  Current mail flow:
  Ex03A <-> Ex03B
  Ex03A <-> Ex10Z
  Ex03B -> Ex10Z
  Ex10Z -fails> Ex03B
  Output from get-routinggroupconnector | fl ran from Ex10Z
  RunspaceId : 4d5dc855-1b62-4d39-9aa7-fb027f25edda
  TargetRoutingGroup : First Routing Group
  Cost : 1
  TargetTransportServers : {Ex03A}
  ExchangeLegacyDN : /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuratio
  n/cn=Connections/cn=Ex10Z-Ex03A
  PublicFolderReferralsEnabled : True
  SourceRoutingGroup : Exchange Routing Group (DWBGZMFD01QNBJR)
  SourceTransportServers : {Ex10Z}
  HomeMTA : Microsoft MTA
  HomeMtaServerId : Ex10Z
  MaxMessageSize : unlimited
  AdminDisplayName :
  ExchangeVersion : 0.1 (8.0.535.0)
  Name : Ex10Z-Ex03A
  DistinguishedName : CN=Ex10Z-Ex03A,CN=Connections,CN=Exchange Routing Group (DWBGZMFD01QNBJR),CN=Routin
  g Groups,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=
  First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=c
  om
  Identity : Ex10Z-Ex03A
  Guid : ae599ccb-bdfb-4765-b846-a9066ad8dcfb
  ObjectCategory : company.com/Configuration/Schema/ms-Exch-Routing-Group-Connector
  ObjectClass : {top, msExchConnector, msExchRoutingGroupConnector}
  WhenChanged : 2/7/2015 7:40:30 AM
  WhenCreated : 2/7/2015 7:40:30 AM
  WhenChangedUTC : 2/7/2015 3:40:30 PM
  WhenCreatedUTC : 2/7/2015 3:40:30 PM
  OrganizationId :
  OriginatingServer : DC.company.com
  IsValid : True
  RunspaceId : 4d5dc855-1b62-4d39-9aa7-fb027f25edda
  TargetRoutingGroup : Exchange Routing Group (DWBGZMFD01QNBJR)
  Cost : 1
  TargetTransportServers : {Ex10Z}
  ExchangeLegacyDN : /o=First Organization/ou=First Administrative Group/cn=Configuration/cn=Connections/cn=G
  JL2-Ex10Z
  PublicFolderReferralsEnabled : True
  SourceRoutingGroup : First Routing Group
  SourceTransportServers : {Ex03A}
  HomeMTA : Microsoft MTA
  HomeMtaServerId : Ex03A
  MaxMessageSize : unlimited
  AdminDisplayName :
  ExchangeVersion : 0.1 (8.0.535.0)
  Name : Ex03A-Ex10Z
  DistinguishedName : CN=Ex03A-Ex10Z,CN=Connections,CN=First Routing Group,CN=Routing Groups,CN=First Adm
  inistrative Group,CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,C
  N=Services,CN=Configuration,DC=company,DC=com
  Identity : Ex03A-Ex10Z
  Guid : 382fae0f-beed-4003-adaf-237a2dddd91b
  ObjectCategory : company.com/Configuration/Schema/ms-Exch-Routing-Group-Connector
  ObjectClass : {top, msExchConnector, msExchRoutingGroupConnector}
  WhenChanged : 2/7/2015 7:40:30 AM
  WhenCreated : 2/7/2015 7:40:30 AM
  WhenChangedUTC : 2/7/2015 3:40:30 PM
  WhenCreatedUTC : 2/7/2015 3:40:30 PM
  OrganizationId :
  OriginatingServer : DC.company.com
  IsValid : True
  Output from get-message | fl on Ex10Z where the queue is filling up:
  RunspaceId        : 4d5dc855-1b62-4d39-9aa7-fb027f25edda
  Subject           : Test
  InternetMessageId : <[email protected]>
  FromAddress       : [email protected]
  Status            : Ready
  Size              : 5.982 KB (6,126 bytes)
  MessageSourceName : FromLocal
  SourceIP          : 255.255.255.255
  SCL               : -1
  DateReceived      : 2/7/2015 3:57:10 PM
  ExpirationTime    : 2/9/2015 3:57:10 PM
  LastError         : There is currently no route to the mailbox database.
  RetryCount        : 0
  Recipients        : 
  ComponentLatency  : 
  MessageLatency    : 15:52:27.3487757
  DeferReason       : None
  Priority          : Normal
  MessageIdentity   : ex10Z\Unreachable\103
  Queue             : ex10Z\Unreachable
  Identity          : ex10Z\Unreachable\103
  IsValid           : True
  Proposed solution:
  In order to fix mail flow from Ex10Z -> Ex03B, run the following command in Ex10Z EMS
  New-RoutingGroupConnector -Name "Ex10Z-Ex03B" -SourceTransportServers "Ex10Z.company.com" -TargetTransportServers
  "Ex03B.company.com" -Cost 100 -Bidirectional $true
  Restart transport service on Ex10Z, restart smtp service on Ex03A and Ex03B
  Will this proposed solution work or should I be looking elsewhere?

  That didnt work.
  Here is the new get-routinggroupconnector | fl. Interesting that it created two Ex10Z-Ex03B identities despite
  me issuing the Bidirectional flag. Shouldnt there be one for Ex03B-Ex10Z?
  RunspaceId : 4d5dc855-1b62-4d39-9aa7-fb027f25edda
  TargetRoutingGroup : First Routing Group
  Cost : 1
  TargetTransportServers : {Ex03A}
  ExchangeLegacyDN : /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuratio
  n/cn=Connections/cn=Ex10Z-Ex03A
  PublicFolderReferralsEnabled : True
  SourceRoutingGroup : Exchange Routing Group (DWBGZMFD01QNBJR)
  SourceTransportServers : {Ex10Z}
  HomeMTA : Microsoft MTA
  HomeMtaServerId : Ex10Z
  MaxMessageSize : unlimited
  AdminDisplayName : 
  ExchangeVersion : 0.1 (8.0.535.0)
  Name : Ex10Z-Ex03A
  DistinguishedName : CN=Ex10Z-Ex03A,CN=Connections,CN=Exchange Routing Group (DWBGZMFD01QNBJR),CN=Routin
  g Groups,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=
  First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,D C=c
  om
  Identity : Ex10Z-Ex03A
  Guid : ae599ccb-bdfb-4765-b846-a9066ad8dcfb
  ObjectCategory : company.com/Configuration/Schema/ms-Exch-Routing-Group-Connector
  ObjectClass : {top, msExchConnector, msExchRoutingGroupConnector}
  WhenChanged : 2/7/2015 7:40:30 AM
  WhenCreated : 2/7/2015 7:40:30 AM
  WhenChangedUTC : 2/7/2015 3:40:30 PM
  WhenCreatedUTC : 2/7/2015 3:40:30 PM
  OrganizationId : 
  OriginatingServer : DC.company.com
  IsValid : True
  RunspaceId : 4d5dc855-1b62-4d39-9aa7-fb027f25edda
  TargetRoutingGroup : Exchange Routing Group (DWBGZMFD01QNBJR)
  Cost : 1
  TargetTransportServers : {Ex10Z}
  ExchangeLegacyDN : /o=First Organization/ou=First Administrative Group/cn=Configuration/cn=Connections/cn=G
  JL2-Ex10Z
  PublicFolderReferralsEnabled : True
  SourceRoutingGroup : First Routing Group
  SourceTransportServers : {Ex03A}
  HomeMTA : Microsoft MTA
  HomeMtaServerId : Ex03A
  MaxMessageSize : unlimited
  AdminDisplayName : 
  ExchangeVersion : 0.1 (8.0.535.0)
  Name : Ex03A-Ex10Z
  DistinguishedName : CN=Ex03A-Ex10Z,CN=Connections,CN=First Routing Group,CN=Routing Groups,CN=First Adm
  inistrative Group,CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,C
  N=Services,CN=Configuration,DC=company,DC=com
  Identity : Ex03A-Ex10Z
  Guid : 382fae0f-beed-4003-adaf-237a2dddd91b
  ObjectCategory : company.com/Configuration/Schema/ms-Exch-Routing-Group-Connector
  ObjectClass : {top, msExchConnector, msExchRoutingGroupConnector}
  WhenChanged : 2/7/2015 7:40:30 AM
  WhenCreated : 2/7/2015 7:40:30 AM
  WhenChangedUTC : 2/7/2015 3:40:30 PM
  WhenCreatedUTC : 2/7/2015 3:40:30 PM
  OrganizationId : 
  OriginatingServer : DC.company.com
  IsValid : True
  RunspaceId : 4d5dc855-1b62-4d39-9aa7-fb027f25edda
  TargetRoutingGroup : First Routing Group
  Cost : 100
  TargetTransportServers : {Ex03B}
  ExchangeLegacyDN : /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuratio
  n/cn=Connections/cn=Ex10Z-Ex03B
  PublicFolderReferralsEnabled : True
  SourceRoutingGroup : Exchange Routing Group (DWBGZMFD01QNBJR)
  SourceTransportServers : {Ex10Z}
  HomeMTA : Microsoft MTA
  HomeMtaServerId : Ex10Z
  MaxMessageSize : unlimited
  AdminDisplayName : 
  ExchangeVersion : 0.1 (8.0.535.0)
  Name : Ex10Z-Ex03B
  DistinguishedName : CN=Ex10Z-Ex03B,CN=Connections,CN=Exchange Routing Group (DWBGZMFD01QNBJR),CN=Rout
  ing Groups,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,C
  N=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,D C
  =com
  Identity : Ex10Z-Ex03B
  Guid : 37a9f53c-2166-440c-b54b-23b165323ae3
  ObjectCategory : company.com/Configuration/Schema/ms-Exch-Routing-Group-Connector
  ObjectClass : {top, msExchConnector, msExchRoutingGroupConnector}
  WhenChanged : 2/8/2015 8:09:08 AM
  WhenCreated : 2/8/2015 8:09:08 AM
  WhenChangedUTC : 2/8/2015 4:09:08 PM
  WhenCreatedUTC : 2/8/2015 4:09:08 PM
  OrganizationId : 
  OriginatingServer : DC.company.com
  IsValid : True
  RunspaceId : 4d5dc855-1b62-4d39-9aa7-fb027f25edda
  TargetRoutingGroup : Exchange Routing Group (DWBGZMFD01QNBJR)
  Cost : 100
  TargetTransportServers : {Ex10Z}
  ExchangeLegacyDN : /o=First Organization/ou=First Administrative Group/cn=Configuration/cn=Connections/cn=G
  JLSRVLVMX1-Ex03B
  PublicFolderReferralsEnabled : True
  SourceRoutingGroup : First Routing Group
  SourceTransportServers : {Ex03B}
  HomeMTA : Microsoft MTA
  HomeMtaServerId : Ex03B
  MaxMessageSize : unlimited
  AdminDisplayName : 
  ExchangeVersion : 0.1 (8.0.535.0)
  Name : Ex10Z-Ex03B
  DistinguishedName : CN=Ex10Z-Ex03B,CN=Connections,CN=First Routing Group,CN=Routing Groups,CN=First A
  dministrative Group,CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange
  ,CN=Services,CN=Configuration,DC=company,DC=com
  Identity : Ex10Z-Ex03B
  Guid : c8cd8eea-4ad6-47b4-bef5-9fb93288bca3
  ObjectCategory : company.com/Configuration/Schema/ms-Exch-Routing-Group-Connector
  ObjectClass : {top, msExchConnector, msExchRoutingGroupConnector}
  WhenChanged : 2/8/2015 8:09:08 AM
  WhenCreated : 2/8/2015 8:09:08 AM
  WhenChangedUTC : 2/8/2015 4:09:08 PM
  WhenCreatedUTC : 2/8/2015 4:09:08 PM
  OrganizationId : 
  OriginatingServer : DC.company.com
  IsValid : True

• ACTIVE DIRECTORY TRUST CONFLICT AND INTERDOMAIN MAIL FLOW

  Old AD Forest: abc.com Win 2003 R2
  Existing Exchange: Exch 2007 SP3
  Exchange Server contains the domains like aaa.com, bbb.com, ccc.com so on and so forth
  Created new AD Domain ccc.com
  Deployed Exchange 2013 SP1
  Trust created with conflict. the conflicting object is ccc.com in both ADs
  I can send emails from new exchange organization to aaa.com, bbb.com, etc except to ccc.com user in abc.com
  Kindly suggest how to enable mail flow
  Regards

  Exchange e-mail domains don't have to be the same as active directory domains.  Exchange processes mail based on accepted domains, connector address spaces, and recipient addresses.  Just creating a domain doesn't do anything to create recipients
  in Exchange with the domain's address.  It sounds like you need to add ccc.com as an accepted domain, and maybe create an e-mail address policy for the recipients in that domain and/or manually add ccc.com addresses to recipients.
  Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

• Exchange 2013 Untrusted Cross-Forest Availability Intermittently Working

  Goal:
  I’m attempting to configure cross-forest availability for Exchange 2013 using the instructions here:
  http://technet.microsoft.com/en-us/library/bb125182%28v=exchg.150%29.aspx
  At the very bottom of the page are three different methods.  I have tried the first (per-user) and the third (untrusted) methods, with identical results.  For various unfortunate reasons, I am unable to use the Microsoft Federated Gateway for availability
  information (although that is configured in the production domain and I would use it if it were possible). 
  Situation:
  When attempting to view availability information in either OWA or Outlook, the free/busy information typically isn’t visible.  If you open and close Outlook a few times, creating meetings with the users in other domains, sometimes the other user’s information
  will be visible, and sometimes it will not.  When it is not, the area is filled with diagonal lines and hovering over it says “No Information”.  The situation is the same in both Adatum trying to access Contoso, and in Contoso trying to access either
  Adatum or Fabrikam.
  I’m currently close to finishing up my third week with Microsoft Support on this issue, and am starting over with a third first level support person.  They are quickly eroding what little confidence I had in them already.  I’m posting here because
  I’m desperate, and web searches for my errors turn up zero results.  I fear this method of availability sharing doesn’t actually work correctly in Exchange 2013 as Microsoft is pushing organizations to use the Microsoft Federated Gateway, but I’d love
  to heave about anyone getting this to work, or not.
  Setup:
  There are three separate domains I am working with (names changed to protect the innocent).  Contoso.local is the production domain, containing Exchange 2007 and Exchange 2013 SP1 servers.  Adatum.local is a test domain set up fresh with Exchange
  2013 SP1.  Fabrikam.com is a remote Exchange system that I others are connecting to without issue using Exchange 2010.
  The Contoso and Adatum domain controllers are running Windows Server 2008 R2 SP1 and are running at a 2008 R2 functional levels.  The Exchange 2013 servers are all at SP1 (results were the same prior to SP1), and the OS is Windows Server 2012. 
  Contoso has two sites, connected via 10Gbps links, and ~10ms latency, with Exchange 2013 CAS and mailbox servers in both sites.  Adatum has a single site, and has two CAS and two mailbox servers.  Fabrikam has one internet facing server to connect
  to.  A handful of contacts have been created in both Contoso and Adatum for the other domains, to select to view availability.
  Contoso and Adatum domains sit on different subnets, but there is no firewall or filtering between their subnets.  Routing between them is completely unimpeded.  The Fabrikam server sits on another network across the internet, but firewalls have
  been configured and I can browse the availability website from the Contoso CAS servers.
  The CAS servers were originally set up to be load balanced, but working with Microsoft they’ve had me specify a single CAS server for autodiscover/EWS/ECP/OWA/etc in both Contoso and Adatum.  The number of actual users on Exchange 2013 in Contoso is
  ~10.  In Adatum, there are only a handful of mailboxes configured.  The Exchange 2007 servers in Contoso are using Public Folders for free/busy replication for other domains right now, and we don’t care at the moment if they can use the 2013 availability. 
  None of our testing/configurations have involved the Exchange 2007 servers.  There are no SPNs configured for the other domains in AD.
  Errors:
  There are three basic errors that are returned in Outlook diagnostics.  The first is the timeout error.  For a given mailbox server, the first time it is queried for availability information for a remote domain (after some amount of time of being
  idle) it might not respond for 70 seconds (actually somewhere between 69 and 70 seconds each time when viewing the IIS logs), and eventually fails with the timeout error.  If it doesn’t timeout, then it will respond with the Correct Response.
  Once a particular mailbox server has timed out, it will typically immediately return the first Availability Error for all subsequent calls.  Less frequently, it will return Availability Error 2.  If a mailbox server returns the first Availability
  Error, then it will continue to return that error until it times out again or starts working.  Similarly, if a mailbox server returns the second Availability Error, then it will continue to return that error until it times out again or starts working.
  If an IISRESET is performed on a mailbox server, then it will either timeout at the next cross-forest availability request, or work.  There is never an issue accessing availability information for users in the same domain as the request.
  If the remote Exchange is in an errored state, then the response includes the error.  For example, if the mailbox servers in the remote domain are turned off, and the local mailbox server that you are querying happens to be responding correctly
  for the remote domain, then it will return an error about how no mailbox servers are available in adatum.local to service the request.
  There are no Event Log errors that correspond to failed requests of any type.  IIS logs don’t show anything beyond what is shown in the Outlook diagnostics.  There are no DNS or Active Directory Replication errors in the Event Logs.
  Timeout error:
  CalendarEvents       : {}
  ViewType             : None
  MergedFreeBusyStatus : {}
  WorkingHours         :
  Result               : Error
  ErrorCode            : ErrorTimeoutExpired
  ErrorMessage         : Microsoft.Exchange.InfoWorker.Common.Availability.TimeoutExpiredException: Request could not be processed in time. Timeout occurred during 'LookupRecipientsBatchBegin'.
                         . Name of the server where exception originated: Mailbox01
  ErrorDetails         : {}
  ErrorProperties      : {}
  Availability Error:
  CalendarEvents       : {}
  ViewType             : None
  MergedFreeBusyStatus : {}
  WorkingHours         :
  Result               : Error
  ErrorCode            : ErrorProxyRequestProcessingFailed
  ErrorMessage         : Unable to send cross-forest request for mailbox <Free BusyTest>SMTP:[email protected] because of invalid configuration., inner exception: Microsoft.Exchange.InfoWorker.Common.Availability.AutoDiscoverFailedException:
  AvailabilityAddressSpace 'adatum.local' couldn't be used because the Autodiscover endpoint couldn't be discovered.
                         . Name of the server where exception originated: Mailbox01
  ErrorDetails         : {}
  ErrorProperties      : {}
  Availability Error 2:
  CalendarEvents       : {}
  ViewType             : None
  MergedFreeBusyStatus : {}
  WorkingHours         :
  Result               : Error
  ErrorCode            : ErrorProxyRequestProcessingFailed
  ErrorMessage         : Unable to send cross-forest request for mailbox <Free BusyTest>SMTP:[email protected] because of invalid configuration., inner exception: Microsoft.Exchange.InfoWorker.Common.Availability.AddressSpaceNotFoundException:
  Configuration information for forest/domain swelab.wayad.corp.wayport.net could not be found in Active Directory.
                            at Microsoft.Exchange.InfoWorker.Common.Availability.TargetForestConfigurationCache.FindByDomain(OrganizationId
  organizationId, String domainName)
                            at Microsoft.Exchange.InfoWorker.Common.Availability.QueryGenerator.GetTargetForestConfiguration(EmailAddress
  emailAddress)
                         . Name of the server where exception originated: Mailbox02
  ErrorDetails         : {}
  ErrorProperties      : {}
  Working:
  CalendarEvents       : {Microsoft.Exchange.WebServices.Data.CalendarEvent}
  ViewType             : FreeBusyMerged
  MergedFreeBusyStatus : {Free, Free, Free, Free...}
  WorkingHours         : Microsoft.Exchange.WebServices.Data.WorkingHours
  Result               : Success
  ErrorCode            : NoError
  ErrorMessage         :
  ErrorDetails         : {}
  ErrorProperties      : {}
  Start : 04/09/2014 00:00:00
  End : 04/12/2014 00:00:00
  Subject :
  Location :
  Testing Methodologies:
  While it is possible to dig through Outlook diagnostics and OWA, we ended up scripting out these requests to save time.  Microsoft support refuses to use the scripts, but they produce the same output that it takes them days to find in the logs, so I’ll
  post them here to help anyone in the future.
  Through reading the documentation and experimenting, it appears that the Exchange 2013 CAS servers really do just proxy availability requests from the client to the mailbox servers.  At least by default, it seems to pick a mailbox server in the same
  site, but which mailbox server in the site appears to be random.  It will typically pick the same one repeatedly for a while.
  The first script uses the Microsoft Exchange Web Services Managed API 2.1.
  http://www.microsoft.com/en-us/download/details.aspx?id=42022
  You specify a source email address, and a target address in the remote domain, and it creates a SOAP request that it sends to a CAS server of the source email address.  The CAS proxies the request to the mailbox server which either responds with a failure
  or the free/busy data.
  The second script takes the XML SOAP request generated by the first script, and uses that to query a mailbox server directly.  That allows you to test specific mailbox servers that are working or failing, instead of randomly using whichever mailbox
  server the CAS happens to select.  I generated a SOAP request with the first script that I knew had some data, and then copy/pasted it into the second script to verify if data was being returned.
  I’ve deleted and recreated the availability address spaces in Contoso and Adatum for each other and Fabrikam multiple times.  I’ve reset the password in the OrgWideAccount in both Adatum and Contoso, and viewed the lastBadPassword attribute in both
  ADs to verify it wasn’t failing authentication.  (A failed authentication also generates a 401 error that is returned to the client.)  I can access the availability site of the other domain using the credentials of the OrgWideAccount without any
  errors ever.
  First Script:
  # Import the Exchange Web Services module
  Import-Module -Name "C:\Program Files (x86)\Microsoft\Exchange\Web Services\2.1\Microsoft.Exchange.WebServices.dll"
  # Create the services object used to connect to Exchange
  # You can specify a specific Exchange version, which I had to do to connect to 2007
  # Exchange2007_SP1
  # Exchange2010
  # Exchange2010_SP1
  # Exchange2010_SP2
  # Exchange2013
  # $ExchangeVersion = [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2007_SP1
  # $Service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService($ExchangeVersion)
  $Service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService
  $Service.UseDefaultCredentials = $true
  # Specify an SMTP address. The autodiscover URL from the associated mailbox will be used to connect to Exchange
  # This is used to distinguish resolving from the 2007 server versus 2013
  #$Service.AutodiscoverUrl("[email protected]") # For Exchange 2007
  $Service.AutodiscoverUrl("[email protected]") # For Exchange 2013
  # Increase the amount output at the end to include the SOAP commands
  $Service.TraceEnabled = $true
  # Specify time frame to get free/busy for
  $StartTime = [DateTime]::Parse([DateTime]::Now.ToString("yyyy-MM-dd 0:00"))
  $EndTime = $StartTime.AddDays(7)
  # Create the various objects needed to perform the EWS request
  $drDuration = new-object Microsoft.Exchange.WebServices.Data.TimeWindow($StartTime,$EndTime)
  $AvailabilityOptions = new-object Microsoft.Exchange.WebServices.Data.AvailabilityOptions
  $AvailabilityOptions.RequestedFreeBusyView = [Microsoft.Exchange.WebServices.Data.FreeBusyViewType]::DetailedMerged
  $Attendeesbatch = New-Object "System.Collections.Generic.List[Microsoft.Exchange.WebServices.Data.AttendeeInfo]"
  $attendee = New-Object Microsoft.Exchange.WebServices.Data.AttendeeInfo($userSMTPAddress)
  # Specify SMTP addresses of accounts to request availability for
  #$Attendeesbatch.Add("[email protected]")
  $Attendeesbatch.Add("[email protected]")
  #$Attendeesbatch.Add("[email protected]")
  #$Attendeesbatch.Add("[email protected]")
  # Clear out old results so that a failed request doesn't show information still
  $availresponse = ""
  # Request the availability information from Exchange
  $availresponse = $service.GetUserAvailability($Attendeesbatch,$drDuration,[Microsoft.Exchange.WebServices.Data.AvailabilityData]::FreeBusy,$AvailabilityOptions)
  # Show summary information that would include errors
  $availresponse.AttendeesAvailability
  # Show all of the appointments in the requested time period
  foreach($avail in $availresponse.AttendeesAvailability){
  foreach($cvtEnt in $avail.CalendarEvents){
  "Start : " + $cvtEnt.StartTime
  "End : " + $cvtEnt.EndTime
  "Subject : " + $cvtEnt.Details.Subject
  "Location : " + $cvtEnt.Details.Location
  Second Script:
  # Change the server in this URL to specify which mailbox server to access
  $url = 'https://mailbox01.contoso.local:444/EWS/Exchange.asmx'
  # Uncomment the below lines if you want to query EWS using credentials other than
  # the ones used to run the script.
  #If(!(Test-Path variable:global:cred))
  # $cred = Get-Credential
  function Execute-SOAPRequest
  [Xml] $SOAPRequest,
  [String] $URL
  write-host "Sending SOAP Request To Server: $URL"
  $soapWebRequest = [System.Net.WebRequest]::Create($URL)
  # These appear to be the only things needed in the headers when making the request
  $soapWebRequest.ContentType = 'text/xml;charset="utf-8"'
  $soapWebRequest.Accept = "text/xml"
  $soapWebRequest.Method = "POST"
  If(Test-Path variable:global:cred)
  $soapWebRequest.Credentials = $cred
  Else
  $soapWebRequest.UseDefaultCredentials = $true
  write-host "Initiating Send."
  $requestStream = $soapWebRequest.GetRequestStream()
  $SOAPRequest.Save($requestStream)
  $requestStream.Close()
  write-host "Send Complete, Waiting For Response."
  $resp = $soapWebRequest.GetResponse()
  $responseStream = $resp.GetResponseStream()
  $soapReader = [System.IO.StreamReader]($responseStream)
  $ReturnXml = [Xml] $soapReader.ReadToEnd()
  $responseStream.Close()
  write-host "Response Received."
  return $ReturnXml
  # The specing and line returns in the below variable are important for some reason
  # For example, there must be a line return after the @' on the first line, or it's invalid...
  # Change the line with this:
  # <t:Address>[email protected]</t:Address>
  # to the email address in the domain you want to query
  $soap = [xml]@'
  <?xml version="1.0" encoding="utf-8"?>
  <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
  <t:RequestServerVersion Version="Exchange2013_SP1" />
  <t:TimeZoneContext>
  <t:TimeZoneDefinition Name="(UTC-06:00) Central Time (US &amp; Canada)" Id="Central Standard Time">
  <t:Periods>
  <t:Period Bias="P0DT6H0M0.0S" Name="Standard" Id="Std" />
  <t:Period Bias="P0DT5H0M0.0S" Name="Daylight" Id="Dlt/1" />
  <t:Period Bias="P0DT5H0M0.0S" Name="Daylight" Id="Dlt/2007" />
  </t:Periods>
  <t:TransitionsGroups>
  <t:TransitionsGroup Id="0">
  <t:RecurringDayTransition>
  <t:To Kind="Period">Dlt/1</t:To>
  <t:TimeOffset>P0DT2H0M0.0S</t:TimeOffset>
  <t:Month>4</t:Month>
  <t:DayOfWeek>Sunday</t:DayOfWeek>
  <t:Occurrence>1</t:Occurrence>
  </t:RecurringDayTransition>
  <t:RecurringDayTransition>
  <t:To Kind="Period">Std</t:To>
  <t:TimeOffset>P0DT2H0M0.0S</t:TimeOffset>
  <t:Month>10</t:Month>
  <t:DayOfWeek>Sunday</t:DayOfWeek>
  <t:Occurrence>-1</t:Occurrence>
  </t:RecurringDayTransition>
  </t:TransitionsGroup>
  <t:TransitionsGroup Id="1">
  <t:RecurringDayTransition>
  <t:To Kind="Period">Dlt/2007</t:To>
  <t:TimeOffset>P0DT2H0M0.0S</t:TimeOffset>
  <t:Month>3</t:Month>
  <t:DayOfWeek>Sunday</t:DayOfWeek>
  <t:Occurrence>2</t:Occurrence>
  </t:RecurringDayTransition>
  <t:RecurringDayTransition>
  <t:To Kind="Period">Std</t:To>
  <t:TimeOffset>P0DT2H0M0.0S</t:TimeOffset>
  <t:Month>11</t:Month>
  <t:DayOfWeek>Sunday</t:DayOfWeek>
  <t:Occurrence>1</t:Occurrence>
  </t:RecurringDayTransition>
  </t:TransitionsGroup>
  </t:TransitionsGroups>
  <t:Transitions>
  <t:Transition>
  <t:To Kind="Group">0</t:To>
  </t:Transition>
  <t:AbsoluteDateTransition>
  <t:To Kind="Group">1</t:To>
  <t:DateTime>2007-01-01T06:00:00.000Z</t:DateTime>
  </t:AbsoluteDateTransition>
  </t:Transitions>
  </t:TimeZoneDefinition>
  </t:TimeZoneContext>
  </soap:Header>
  <soap:Body>
  <m:GetUserAvailabilityRequest>
  <m:MailboxDataArray>
  <t:MailboxData>
  <t:Email>
  <t:Address>[email protected]</t:Address>
  </t:Email>
  <t:AttendeeType>Required</t:AttendeeType>
  <t:ExcludeConflicts>false</t:ExcludeConflicts>
  </t:MailboxData>
  </m:MailboxDataArray>
  <t:FreeBusyViewOptions>
  <t:TimeWindow>
  <t:StartTime>2014-04-03T00:00:00</t:StartTime>
  <t:EndTime>2014-04-10T00:00:00</t:EndTime>
  </t:TimeWindow>
  <t:MergedFreeBusyIntervalInMinutes>30</t:MergedFreeBusyIntervalInMinutes>
  <t:RequestedView>DetailedMerged</t:RequestedView>
  </t:FreeBusyViewOptions>
  </m:GetUserAvailabilityRequest>
  </soap:Body>
  </soap:Envelope>
  $ret = Execute-SOAPRequest $soap $url
  # Uncomment out one of the below two lines to get output in different alternative formats
  #$ret | Export-Clixml c:\temp\1.xml;Get-Content c:\temp\1.xml
  #$ret.InnerXml
  # If the request is successful, show the appointments, otherwise show the failure message
  If ($ret.Envelope.Body.GetUserAvailabilityResponse.FreeBusyResponseArray.FreeBusyResponse.ResponseMessage.ResponseClass -eq 'Success')
  $ret.Envelope.Body.GetUserAvailabilityResponse.FreeBusyResponseArray.FreeBusyResponse.FreeBusyView.CalendarEventArray.CalendarEvent
  Else
  $ret.Envelope.Body.GetUserAvailabilityResponse.FreeBusyResponseArray.FreeBusyResponse.ResponseMessage

  In this case, the SMTP domain is the same as the AD domain.  If the wrong domain were configured then the connection would never work, as opposed to sometimes work.
  RunspaceId            : abb30c12-c578-4770-987f-41fe6206a463
  ForestName            : adatum.local
  UserName              : adatum\availtest
  UseServiceAccount     : False
  AccessMethod          : OrgWideFB
  ProxyUrl              :
  TargetAutodiscoverEpr :
  ParentPathId          : CN=Availability Configuration
  AdminDisplayName      :
  ExchangeVersion       : 0.1 (8.0.535.0)
  Name                  : adatum.local
  DistinguishedName     : CN=adatum.local,CN=Availability Configuration,CN=Wayport,CN=Microsoft
                          Exchange,CN=Services,CN=Configuration,DC=contoso,DC=local
  Identity              : adatum.local
  Guid                  : 3e0ebc2c-0ebc-4be8-83d2-077746180d66
  ObjectCategory        : contoso.local/Configuration/Schema/ms-Exch-Availability-Address-Space
  ObjectClass           : {top, msExchAvailabilityAddressSpace}
  WhenChanged           : 4/15/2014 12:33:53 PM
  WhenCreated           : 4/15/2014 12:33:35 PM
  WhenChangedUTC        : 4/15/2014 5:33:53 PM
  WhenCreatedUTC        : 4/15/2014 5:33:35 PM
  OrganizationId        :
  OriginatingServer     : dc01.contoso.local
  IsValid               : True
  ObjectState           : Unchanged

• Cross Forest Migration from Exchange 2007 to Exchange 2013

  Hi
  Could anybody advice me the steps also the  pros and cons for below mentioned environment if we are going for the cross forest migration.
  Source 
  Domain -   test.local
  Active Directory -  Windows 2003
  Exchange Server - 2007
  Target
  Domain -   test.net
  Active Directory -  Windows 2012
  Exchange Server - 2013
  Also if it is possible ,
  How could I remove the source environment including the exchange servers. after the migration ?
  Regards
  Muralee

  Hi Oliver ,
  Please suggest us.               
   In my environment we are in a plan to migrate from exchange 2007 to exchange 2013 (cross forest migration).
  Source : Exchange 2007 with sp3 ru 10 
  Target : Exchange 2013 with cu2 ( new environment yet to be created).
  Trust : Forest trust in place (two way )
  Domain and forest functional level : 2003 in both target and source  
  Migration Steps :
  Step1 :
  We are in a plan to execute 'preparemoverequest.ps1' first in the target forest ,so that we will get the disable MEU
  in the target forest.
  Step2:
  Then we are going to use ADMT to migrate users SID'S and password .
  Step3:
  Then we are going to move the mailboxes with New-moverequest  
  Please have a look in to our steps and suggest us ,whether we are going to proceed the migration in a right way or not
  .Is anything needs to be changed please intimate me .
  Thanks 
  S.Nithyanandham 
  Hey there,
  Sorry for taking a little while to get back to you, i've been busy working on Hosted Lync deployments!
  Use ADMT first, then when using preparemoverequest.ps1 script using the -uselocalobject cmdlet. This will then tie it up to the ADMT migrated account.
  More info in this thread here: http://social.technet.microsoft.com/Forums/windowsserver/en-US/2916e931-36a0-4ba4-8c04-196dbe792b44/preparemoverequestps1-and-admt?forum=winserverMigration
  Oliver
  Oliver Moazzezi | Exchange MVP, MCSA:M, MCITP:Exchange 2010,MCITP:Exchange 2013, BA (Hons) Anim | http://www.exchange2010.com | http://www.cobweb.com | http://twitter.com/OliverMoazzezi

• Establish mail flow from Exchange 2007 to Exchange 2013

  I am currently using Exchange 2007 into three sites in three cities and two of the sites are connected to Internet sending and receiving emails via Edge transport servers.
  Now I am planning to upgrade to exchange 2013 CU1. I don't find any documentation on how to establish mail flow between Exchange 2007 and Exchange 2013. Will it be automatic or do i need to create specific connectors between them?

  Was this question answered.  We're in the same situation now as we're upgrading to Exchange 2013 from 2007. The latest CU certainly helped.   Initially the test mailboxes on Exchange 2013 couldn't email each other - This was resolved with CU7 and
  using "Custom Settings" - manually entered IPs for DNS in the Exchange  Admin Center "DNS Lookups".
  Issue at the moment Test mailboxes on Exchange 2013 cannot email mailboxes on 2007 or visa-versa and mail from external sources queues on the 2007 box.  
  Any assistance will be greatly appreciated.  

• Iphone mail app regularly requires restart to get mail flowing???

  Anyone seeing this issue?  Advice re how to fix? 
  My iphone mail app regularly requires restart to get mail flowing.  That is it is running (doesn't crash) but will at time just stop getting email updates.  I then have to force close the mail app (i.e. kill it) and then restart it.  After restarting it the mail flows again.
  Notes:
  a) I do connect to Gmail for my mail - I'm using the IMAP facility for gmail currently (i.e. not the "Exchange" method)
  b) I do also have the Google "Gmail" app running on my device too
  c) on iPhone 3GS, latest version of IOS

  I have this same problem too.  I have both a hotmail and work Microsoft Exchange account setup on my iPhone and have intermitent issues with both.  Sometimes the hotmail push works, but my work email doesn't push, other times it's backwards, and sometimes neither work.  I can't figure it out.  Usually restarting the app (closing out of the multitasking bar), and/or going into settings and disabling the affected mail account works.  And to top it, I have an iPad, I'll hear the mail chime go off on my iPad, expecting it to go off on my phone....and it never does, not until I manually fetch it.
  Very frustrating.

• Exchange 2010 to Exchange 2013 mail flow?

  We are planning to migrate Exchange 2010 to Exchange 2013.
  I understand that we need to upgrade the CAS to 2013 for Internet Facing.
  What about mail flow. Currently, Internet mail flows to Exchange 2010 (single site). Can I keep it for sometime after introducing 2013 and do the cutover of HUB once all the mailboxes are moved to 2013? Or I have to get the mail flow to 2013 first.
  Also, how does HUB 2010 transfer mail or receive mail from 2013? Does it get from the CAS proxy in 2013 or from HUB?
  Thanks!!!

  Yes, you can.  But my preference is to move the mail routing early in the migration, usually even before moving mailboxes, because I believe it reduces the risk of a service interruption.
  I believe it goes through the front-end transport on the CAS, since that is the TCP port 25 service.
  Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

• Exchange 2013 Mail Flow Through VPN

  I have 2 Exchange servers in 2 different AD sites. Is it possible to route mail flow between the 2 sites through a VPN tunnel? I want to force mail flow between the 2 servers to route externally through the internet.
  Appreciate any feedback.

  Hi Chester,
  we have a DNS record for mail and this record is pointing to our private IP address of CAS server. Network team has done network configuration for that particular IP to route the traffic through VPN tunnel to the Exchange servers in other site. Another thing
  for you to think is Private IP request won't go to internet and will go to DNS server in that site and once the DNS server will resolve that request against IP address the traffic will be routed to that server.
  Kindly mark this as answer if found helpful. Thanks.
  Regards, Riaz Javed Butt | Consultant Microsoft Professional Services MCITP, MCITP (Exchange), MCSE: Messaging, MCITP Office 365 | msexchgeek.wordpress.com

• Exchange 2013 upgrade from 2010 and no mail flow and cannot move mailboxes

  I am in the process of moving to Ex 2013 from 2010. I have installed Ex 2013 SP1 on a new server 2012 R2. All of my Ex 2010 servers are SP3 RU 5. Ex 2013 is running and I can connect through the EAC and see all other Exchange servers and connectors that
  were already in existence. Several puzzling things are happening now that the servers are in coexistence:
  1) As soon as Ex 2013 was installed on the network, many Outlook users are continuously being prompted to enter their domain credentials.  They can cancel the prompt and Outlook still sends/receives email.  No user mailboxes are on Ex 2013 yet. 
  Why is this happening?
  2) I am following the Ex 2013 Deployment Assistant and I get to the step to move the Ex 2010 Arbitration mailbox to Ex 2013 and the move does not happen--it just says "syncing" and never completes.  I tried moving a test mailbox from Ex 2010
  to the 2013 database and I get the same result.  I created the move request on the Ex2013 server and I see it as queued on the Ex2010 server, so I know they are "talking" to each other.  However, when reviewing the status of the move I
  see "MapiExceptionNoAccess: Unable to open message store".
  3) There seems to be no mail flow on the same Ex2013 server or between the Ex 2010 and 2013 servers.  I created two new test user mailboxes in Ex 2013.  The Ex2013 mailboxes cannot send/receive to each other or to Ex 2010 users.  This
  seems strange, unless I am completely missing something in the Ex 2013 install?
  I know this is a lot in one post, but following the Deployment assistant, I was hoping this would be something that others have faced.  Thanks for any input here.

  Does the below points already fit for you.
  Exchange 2013 Supported with the following minimum versions of Exchange:
  1) Exchange*** 2010 SP3 on all Exchange 2010 servers in the organization, including Edge Transport servers.
  2) Exchange 2013 CU2 or later on all Exchange 2013 servers in the organization.
  *** If you want to create an EdgeSync Subscription between an Exchange 2010 Hub Transport server and an Exchange 2013 SP1 Edge Transport
  server, you need to install Exchange 2010 SP3 Update Rollup 5 or later on the Exchange 2010 Hub Transport server.
  Thanks Prem P Rana MCSA Messaging 2003 MCSE 2003 Server MCTS MCITP Exchange 2007, 2010 Gurgaon, India http://blogs.msexchange-experts.com

• What are the recommended methods to keep CA Certs and CRLs updated in Account Forests for a Cross Forest Enrollment implementation?

  Hello,
  We have 1 resource Forest and multiple account Forests. We've reviewed the Cross-Forest Cert Enrollment with Windows Server 2008 R2 doc and followed steps 8 and 9 under the 'Deploying AD CS for Cross Forest Cert enrollment' regarding publishing
  the root CA Cert and Enterprise CA certs.  We run PKISync.psi to copy objects from the resource to the account Forest, and understand Certs and CRLs are not copied from the resource to the account Forests.  We are trying to figure out the best way
  of keeping the Root and SubCA Certs and CRLs updated in the account Forests.
  1. Do folks simply copy the Root and SubCA Certs/CRLs from the resource forest into the account forests when they are renewed and then run the associated -Dspublish commands in the account forest?
  2. Any way for a CRL to be checked in the resource forest from a cert on a computer in the account forest?
  3. Any other suggestions/references regarding best practices on how to do this?
  Thanks for your help! SdeDot

  > Do folks simply copy the Root and SubCA Certs/CRLs from the resource forest into the account forests when they are renewed and then run the associated -Dspublish commands in the account forest?
  yes. Though, we do not bother with CRL copy as it published to HTTP location only.
  > Any way for a CRL to be checked in the resource forest from a cert on a computer in the account forest?
  I would suggest to not use LDAP URLs in favor to HTTP.
  Vadims Podāns, aka PowerShell CryptoGuy
  My weblog: en-us.sysadmins.lv
  PowerShell PKI Module: pspki.codeplex.com
  PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
  Check out new: SSL Certificate Verifier
  Check out new:
  PowerShell File Checksum Integrity Verifier tool.