Exchange permissions between 2 domains, separate forests

We have a partner division on our network, they have their own domain(s) but we provide email for them. We have no control over their domain at all, we have a two-way trust and that's as far as our connection and access goes.
Our Domain (A) has accounts and mailboxes, we add their users to the mailboxes using associate external account permissions (Exchange 2003).
Domain (B) is their users accessing mail using Outlook. Working well at the moment.
Exchange 2010 migration - from Exchange 2003, some accounts were not migrated as Linked Mailboxes, we need to convert them.
Here is the question: What permissions do we need on Domain B, if any, to be able to carry out mailbox additions (linked mailboxes) and conversions of the few that need it. Domain B owners are reluctant to give us any rights other than a basic user (AD read).

We set up a domain user on both partner domains; when using the create mailbox and the linked conversion PowerShell commands this was enough permission to do what we needed. Least is best! Just a read-only account needed in their AD to create mailboxes in our domain.
Perfect!
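The two operations the thread settles on (creating a linked mailbox and converting an existing mailbox to a linked one), written out as an added PowerShell example for the Exchange 2010 Management Shell. This is not code from the original post; the account names, OU, database and domain controller are placeholders. The Domain B account passed as -LinkedCredential only needs the default AD read rights the poster describes, so a dedicated low-privilege service account is the right thing to use there.

```powershell
# Added example (not from the original post). All names below are placeholders:
# Domain A = resource forest holding mailboxes, Domain B = account forest with the real users.

# Dedicated read-only account in Domain B; it needs no rights beyond default AD read.
$linkedCred = Get-Credential -Message "Domain B read-only account (e.g. DOMAINB\svc-exch-ro)"

# A domain controller / global catalog in Domain B that Exchange queries to resolve the master account.
$linkedDC = "dc1.domainb.example"

# 1) New linked mailbox: a disabled user object is created in Domain A and bound to the Domain B account.
New-Mailbox -Name "Jane Doe" -Alias "jdoe" `
    -UserPrincipalName "jdoe@domaina.example" `
    -OrganizationalUnit "domaina.example/Partner Users" `
    -Database "MBX-DB01" `
    -LinkedMasterAccount "DOMAINB\jdoe" `
    -LinkedDomainController $linkedDC `
    -LinkedCredential $linkedCred

# 2) Convert a mailbox that came over from Exchange 2003 as a plain user mailbox into a linked mailbox.
Set-User -Identity "jsmith" `
    -LinkedMasterAccount "DOMAINB\jsmith" `
    -LinkedDomainController $linkedDC `
    -LinkedCredential $linkedCred

# 3) Verify the result: RecipientTypeDetails should read LinkedMailbox, the Domain A user object
#    should be disabled (Exchange disables it for linked mailboxes), and the master account should be set.
Get-Mailbox -Identity "jsmith" | Format-List Name, RecipientTypeDetails, LinkedMasterAccount
Get-User -Identity "jsmith" | Format-List UserAccountControl

# 4) Audit: list every linked mailbox whose master account is in Domain B, so stray links
#    (mailboxes bound to an unexpected account) stand out.
Get-Mailbox -ResultSize Unlimited -Filter { RecipientTypeDetails -eq 'LinkedMailbox' } |
    Select-Object Name, LinkedMasterAccount |
    Sort-Object LinkedMasterAccount
```

The conversion in step 2 disables the Domain A user object, so any service that was logging on with that Domain A account (rather than the Domain B one) will stop working; check for such dependencies before converting in bulk.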

Similar Messages

  • How can someone add servers and computers to a separate domain in a separate forest without having permissions to the other forest?

    Hello Community
    On an existing network I added a separate domain in a separate forest using WS2012.
    Let's call it "MyDomain" and "MyForest" on WS2012.
    In MyDomain and MyForest I am the only domain administrator.
    The problem is if you go to "File Explorer" and click on "Network" in MyDomain in MyForest,
    I see that other server administrators have added their servers and workstations to
    MyDomain in MyForest but I never added them as users or administrators to my domain in my forest.
    So the question is how can someone from a separate domain in
    a separate forest add servers and computers to MyDomain in MyForest
    when I haven't added them as users or administrators or given them
    any permission in MyDomain in MyForest?
    Thank you
    Shabeaut

    Using the network in File Explorer, this shows machines that the computer has automatically detected using built-in Microsoft processes. All this means is that you have other computers on the same physical network as yourself. These are not necessarily part
    of your domain. If the machines are set to respond, then so long as they receive a discovery request from your PC they will respond and populate that list. This does not mean they are part of your domain, or that they have access to any of your computers (
    apart from low-level stuff like ping which does not rely on domain membership.)
    Apart from a Domain Admin, the only other people who can make changes to your domain are whoever is an Enterprise Admin. Domain Admins have control over their domains but Enterprise Admins have full permissions to the entire Active Directory infrastructure,
    no matter which forest or domain it is.

  • USMT between separate domains and forests

    Hi!
    I have a problem with migrating profiles from an old domain to a new one when doing OSD on them. Usernames are the same in both domains and SidHistory is migrated. The domains are in two separate forests and a one-way trust exists from the old domain to the
    new one.
    I'm running the following command on a test VM in the new domain after saving the user state from a VM in the old domain:
    loadstate.exe C:\USMTShare /c /l:C:\logs\loadstate.log /progress:C:\logs\loadstateprogress.log /i:C:\USMT6.3\migdocs.xml /v:5 /i:C:\USMT6.3\migapp.xml /md:olddomain.com:newdomain.org
    This gives me the following output in the loadstate.log:
    2014-02-13 18:03:30, Info [0x000000] User olddomain\Mig.Test0001 maps to S-1-5-21-8915387-1198066105-xxxxxxxxxx-19198
    2014-02-13 18:03:30, Info [0x000000] Adding domain account newdomain\Mig.Test0001 (S-1-5-21-8915387-1198066105-xxxxxxxxxx-19198)
    2014-02-13 18:03:30, Info [0x0803b2] Adding user S-1-5-21-8915387-1198066105-xxxxxxxxxx-19198, newdomain\Mig.Test0001
    2014-02-13 18:03:30, Info [0x0803b3] User S-1-5-21-8915387-1198066105-xxxxxxxxxx-19198, newdomain\Mig.Test0001 added successfully
    2014-02-13 18:03:30, Status [0x000000] Activity: 'MIGACTIVITY_PROFILE_CREATE'
    2014-02-13 18:03:30, Info [0x000000] Entering MigGetRealPlatform method
    2014-02-13 18:03:30, Info [0x000000] Leaving MigGetRealPlatform method
    2014-02-13 18:03:30, Info [0x000000] Creating profile for target user newdomain\Mig.Test0001 (source user olddomain\Mig.Test0001)
    2014-02-13 18:03:30, Info [0x080000] Mig::COnlineWinNTPlatform::CreateProfileForUser: Called for user newdomain\Mig.Test0001 with ProfileSuffix: (NULL)
    2014-02-13 18:03:30, Info [0x080000] Creating profile for user S-1-5-21-8915387-1198066105-xxxxxxxxxx-19198, newdomain\Mig.Test0001 ((NULL)). Using existent SID
    2014-02-13 18:03:31, Info [0x080000] Adding indirect mapping for HKCU (C:\Users\Mig.Test0001\NTUSER.DAT) to 0x80000003, S-1-5-21-8915387-1198066105-xxxxxxxxxx-19198
    2014-02-13 18:03:31, Info [0x0803e2] Adding indirect mapping from HKCU to <C:\Users\Mig.Test0001\NTUSER.DAT> loaded at HKEY_USERS\S-1-5-21-8915387-1198066105-xxxxxxxxxx-19198 (R/W)
    So the profile is restored, the profile name looks fine in System Properties -> User Profiles (changes from "Account Unknown" to "NEWDOMAIN\Mig.Test0001" after the loadstate.exe command.) The problem is, when this user logs in a new
    profile is created anyway and a new folder is created (c:\users\Mig.Test0001.NEWDOMAIN).
    When taking a look at the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList, I can see that the SID for Mig.Test0001 from OLDDOMAIN is present and corresponds to the migrated profile. When I'm logging in
    as NEWDOMAIN\Mig.Test0001, the new SID is created here. If I replace the old SID with the new SID before logging in with NEWDOMAIN\Mig.Test0001, the migrated profile is used.
    So it looks like loadstate.exe finds the corresponding account in OLDDOMAIN for the SID it finds in the StateStore, and instead of finding the corresponding user account in the NEWDOMAIN and using the SID for that, it uses the SidHistory attribute.
    Is there a way to change this behavior so that the new account's SID is used instead of the old one, even if using SidHistory?

    Hi,
    How about using "/mu" instead of "/md"?
    If this cannot work, I suggest writing a script to replace the SID.
    Best Regards,
    Joyce Li
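Before scripting any change to ProfileList, it is worth seeing exactly which SID each profile folder is bound to and whether it matches the SID the new-domain account will log on with. The following read-only audit is an added example, not code from the thread; the domain names, user name and profile path are placeholders taken from the poster's log, and it assumes the machine can resolve the new-domain account (the old-domain SID may show as "Account Unknown" on the new-domain side, which is the symptom the poster describes).

```powershell
# Added example (not from the thread): audit HKLM ProfileList bindings after loadstate.exe.
# Read-only; it reports which SID owns each profile path and flags a migrated profile that is
# still bound to the OLDDOMAIN SID (via SidHistory) instead of the NEWDOMAIN account's own SID.

function Get-ProfileListBinding {
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem -Path $base | ForEach-Object {
        $sid  = $_.PSChildName
        $path = (Get-ItemProperty -Path $_.PSPath -Name ProfileImagePath -ErrorAction SilentlyContinue).ProfileImagePath
        # Resolve the SID to an account; an unresolvable SID is what the UI shows as "Account Unknown".
        $account = 'Account Unknown'
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                           [System.Security.Principal.NTAccount]).Value
        } catch { }
        [PSCustomObject]@{ SID = $sid; Account = $account; ProfilePath = $path }
    }
}

# Compare the SID bound to the migrated profile folder with the SID the new account actually has.
function Test-MigratedProfileSid {
    param(
        [Parameter(Mandatory)] [string] $NewDomainUser,        # placeholder, e.g. 'NEWDOMAIN\Mig.Test0001'
        [Parameter(Mandatory)] [string] $ExpectedProfilePath   # placeholder, e.g. 'C:\Users\Mig.Test0001'
    )
    $newSid = ([System.Security.Principal.NTAccount]$NewDomainUser).Translate(
                  [System.Security.Principal.SecurityIdentifier]).Value
    $bound  = Get-ProfileListBinding |
                  Where-Object { $_.ProfilePath -eq $ExpectedProfilePath } |
                  Select-Object -First 1
    [PSCustomObject]@{
        User            = $NewDomainUser
        NewAccountSid   = $newSid
        ProfileBoundSid = $bound.SID
        BoundAccount    = $bound.Account
        # True means the next logon will create a fresh <user>.NEWDOMAIN profile instead of using this one.
        Mismatch        = ($bound.SID -ne $newSid)
    }
}

Get-ProfileListBinding | Format-Table -AutoSize
Test-MigratedProfileSid -NewDomainUser 'NEWDOMAIN\Mig.Test0001' -ExpectedProfilePath 'C:\Users\Mig.Test0001'
```

Run it as an administrator on the target machine. Any key rename in ProfileList that follows should be driven by the Mismatch rows this reports, and the ProfileImagePath and the NTUSER.DAT ACLs should be checked afterwards, since a profile re-keyed to a new SID but still ACLed to the old one will fail to load in the same way.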

  • One way trust relationship between different domain windows server 2012 in different forest

    I'd like to build trust correctly between the domains A.local and B.int. A.local is on Windows 2012. B.int is on Windows 2012. Both machines are
    connected to the same LAN. The forest level in A.local
    machine is Windows Server 2008 and the forest level in B.int
    is Windows Server 2012.
    I want a one-way trust relationship, i.e. users from A.local gain access to B.local.
    My problem is I create the trust but when I go to validate the trust between A.Local and B.int it gives me this error:
     The secure channel (SC) reset on Active Directory Domain Controller \\dc2.B.int of domain B.int to domain A.Local failed with error: There are currently no logon servers available to service the logon request.
    NOTE: Recently I
    upgraded the Active Directory from 2008 R2 to 2012 and I ping from A.local to B.int;
    it pings by name and IP, but from B.int it pings by IP only >>>
    ihab

    Hi,
    Yes, I already did it: the setup of conditional forwarding between the 2 domains, and
    the firewall is off.
    ihab

  • Pre-requisites for upgrading exchange server 2007 to 2013(Multiple domain, single forest scenario)

    Hi,
    We have a forest with multiple domains in it. Each domain has Exchange servers installed in it, and all are installed in a single Exchange organization.
    One of the domains in the same forest has decided to upgrade their Exchange server from 2007 to 2013.
    So my basic query is, do we require to upgrade the service pack on all Exchange servers (which is a pre-requisite) in the organisation forest-wide, or can we just upgrade the service pack on the Exchange server in that specific domain where this activity is
    planned?
    As my organization has around 30 Exchange servers running across 10 geo locations and running Exchange 2007 SP1 & Exchange 2010 SP1, immediate installation of the service pack on all servers would require additional time and approvals.
    Is it possible to just upgrade the Exchange servers of my domain with the latest service pack and install Exchange 2013 in the domain?

    Hi,
    You will not be able to install Exchange 2013 until all of the Exchange Servers in your org have been brought up to a supported level.
    In other words, your servers should be at:
    * Exchange 2010 SP3 + RU5
    * Exchange 2007 SP3 + RU13
    So no, upgrading the servers only in YOUR domain is not enough.
    Martina Miskovic

  • What difference between a domain trust and a forest trust?

    What difference between a domain trust and a forest trust?

    Greetings!
    The answer is right on the question! :)
    I think it is best to distinguish properly between forest and domain. This article is a good one:
    What Are Domains and Forests?
    But in a nutshell, a forest trust is mostly used between two organizations. Suppose company A has a unique forest and company B has another unique forest as well; when they are merged they can simply create a forest trust between each other. This trust can
    be one-way or two-way depending on your needs.
    Domain trusts are between a single instance (domain) of a forest and another instance (domain) of another forest. It is worth mentioning that trust can be transitive as well.
    What Are Domain and Forest Trusts?
    I hope you got the answer.
    Regards.
    Mahdi Tehrani

  • Migration from Exchange 2007 to 2013 between different domain

    Hi,
    Our company has two domain controllers (AD1 and AD2) but they are not trusted. Due to company change, we need to plan to merge the two domains into a new domain (AD3). Under the plan, we will use ADMT for user object migration and passwords.
    For Exchange, we plan to use Exchange 2013 on the new domain. I want to know what is the best way to migrate all mailboxes from AD1 and AD2 to AD3's new Exchange server. We need to migrate over 500+ mailboxes.
    Please can anyone suggest what is the best way to do it?
    thanks

    Hello,
    You can use the New-MigrationBatch cmdlet to move more than one mailbox at a time. When you create a migration batch, I recommend you use the LargeItemLimit parameter, which specifies the number of large items to skip if the move request encounters such items
    in the mailbox.
    Cara Chen
    TechNet Community Support

  • Deploy Exchange 2013 in multiple domain scenario

    I currently have an AD forest abc.com under which there are 2 domains def.abc.com and ghi.abc.com. Exchange 2013 is deployed in domain ghi.abc.com. Now I want to add a third domain jkl.abc.com and use exchange 2013 for it. I want to use the same exchange
    which is currently deployed in ghi.abc.com by adding  new servers and use the same namespace etc. Do I need to do anything special for it or just add servers and start creating mailboxes.

    Hi Gaurav,
    You need to prepare the domain to accept the Exchange organization into it. (Note you can't have a separate Exchange org, it will be connected to the existing org, but with a different user scope.)
    Make sure to follow the full preparation steps as in for the first exchange deployment.
    Prepare Active Directory domains
    The final step to get Active Directory ready for Exchange is to prepare each of the Active Directory domains where Exchange will be installed or where mail-enabled users will be located. This step creates additional containers and security groups, and sets
    permissions so that Exchange can access them.
    The account you use needs permissions depending on when the domain was created:
    Domain created after PrepareAD was run   If the domain was created
    after you ran the PrepareAD command in step 2 above, then the account you use needs to 1) be a member of the Organization Management role group and 2) be a member of the Domain Admins group in the domain you want to prepare.
    Wait until Active Directory has replicated the changes made in step 2 to all of your domain controllers. If you don't, you might get an error when you try to prepare the domain.
    When you're ready, do the following to prepare an individual domain in your Active Directory forest for Exchange.
    Open a Windows Command Prompt window and go to where you downloaded the Exchange installation files.
    Run the following command. Include the FQDN of the domain you want to prepare. If you want to prepare the domain you're running the command in, you don't have to include the FQDN.
    Setup.exe /PrepareDomain:<FQDN of the domain you want to prepare> /IAcceptExchangeServerLicenseTerms
    Repeat the steps for each Active Directory domain where you'll install an Exchange server or where mail-enabled users will be located.
    Below info is bit old, but should still hold true:
    To install Exchange on a server in a child domain:  
    Log on to the server in the child domain using the account that has been granted the Exchange Full Administrator role for the organization.
    Run Setup from your Exchange CD-ROM. The Setup.exe file is located in the Setup\i386 folder on the Exchange CD-ROM.
    Note If you are joining an existing Exchange site, the account   that you use to log on must have the following permissions to access the   Exchange Server directory:  
    Exchange must recognize the site services account name and password.
    The Exchange Server site naming context for the Exchange Server site you want to join.
    Admin role on the Exchange Server configuration naming context for the Exchange Server site that you want to join.
    A two-way trust is required between the domain where you are installing Exchange and the domain where the Exchange Server computer exists.
    https://social.technet.microsoft.com/Forums/exchange/en-US/c9c11765-0d2c-4dd2-9258-5fc8c5015570/installing-exchange-2010-for-the-child-domain-only
    Regards,
    Satyajit

  • Re: File sync across servers different domains and forests

    I don't see why that would be an issue however I have only ever used it in exchange 2013

    Hey Guys
    Just seeing if anyone had any idea for software to sync drives/folders between 2 servers over the internet. We have 2 separate domains and forests running. 1 location uses 1 domain and then 3 locations use the second domain. However we need to be able to sync some folders between the 2 domains as staff are all technically running under the single organization name (very confusing). I wanted to use DFS but obviously can't due to the forest restraints here.
    The staff all use a terminal server and have a mapped drive with directory structure and basically need to have that syncing both ways, as each side will have their own structure that needs to sync back to the other site.
    Sorry if that's confusing
    Thanks

  • Sync of passwords between members of a forest trust

    I am needing to sync passwords between 2 separate forests. What I am hoping to do is have any changes made in Forest A (primary) be transferred to Forest B.
    This is for a separation project separating two colleges into separate entities, but we need to share access capabilities between the two colleges on an ongoing basis.
    Forest A is the parent school running Server 2008 R2 ADs
    Forest B is my side running Server 2012 R2 ADs

    Hi,
    You need to install PCNS(Password Change Notification Services) on all of your Domain Controllers in the two forests to achieve this. 
    For more detailed information, please refer to the threads below:
    Password sync forest to forest
    http://social.technet.microsoft.com/Forums/en-US/9bcbea29-424f-470f-b0c1-26149aea36e4/password-sync-forest-to-forest?forum=identitylifecyclemanager
    Password sync between 2 forests
    http://social.technet.microsoft.com/Forums/en-US/94e4b333-0864-400b-8956-9b420aed0a43/password-sync-between-2-forests?forum=identitylifecyclemanager
    Regards,
    Mandy

  • Exchange setup for multiple domains

    We are planning to deploy Exchange server 2013, We have two companies and would like to create Email box for both the companies with same name.
    Example : [email protected], [email protected]
    We would like to have separate email boxes for both companies. Please suggest us accordingly.

    That should be simple enough. Exchange can handle having multiple domains for sending / receiving and users can have multiple mailboxes configured in Outlook. The name field in Exchange doesn't need to be unique (the account name does, obviously), so for
    instance there's no issue having "Fred Bloggs" <[email protected]> and "Fred Bloggs" <[email protected]> both set up.
    In a way the trickier part is setting it up in Outlook since different versions react differently. If you're using Outlook 2013 it should be quite straightforward. As you can see here
    http://technet.microsoft.com/en-us/library/ee815819.aspx the manual setup is easy enough for multiple Exchange mailboxes, though auto mapping should work as well. If you're in a network AD
    environment (e.g. connecting using your local password), then realistically you'll want one mailbox to be primary which is associated to your network login, and then that login to have Full Access and Send As permissions on the second mailbox.
    You may also need to deploy a reg key change to enable saving sent items from the second mailbox into that mailbox's sent items folder rather than the primary mailbox's (assuming you want to keep messages to and from both domains separate and in their own
    mailboxes). The reg key is listed here
    http://support.microsoft.com/kb/2843677 and is definitely needed in Outlook 2007 and 2010 but I'm not sure if it's still an issue if you're using Outlook 2013.
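The "Full Access plus Send As on the second mailbox" arrangement the answer recommends, as an added Exchange Management Shell example (not code from the answer). The account and mailbox names are placeholders; the review step at the end is what you would run periodically to see who actually holds those rights, since Send As in particular lets an account send mail that appears to come from the mailbox owner.

```powershell
# Added example (not from the original answer). Names are placeholders.
$primaryUser   = 'fred.bloggs'             # Fred's AD account and primary (network-login) mailbox
$secondMailbox = 'fred.bloggs.company2'    # the second company's mailbox for the same person

# Full Access lets the primary login open the second mailbox; -AutoMapping makes Outlook 2010+/2013
# add it automatically via Autodiscover, which avoids the manual multi-mailbox profile setup.
Add-MailboxPermission -Identity $secondMailbox -User $primaryUser `
    -AccessRights FullAccess -InheritanceType All -AutoMapping $true

# Send As is an AD extended right on the mailbox's user object, so it is granted with Add-ADPermission.
# Resolve the distinguished name first so the identity is unambiguous.
$secondDn = (Get-Mailbox -Identity $secondMailbox).DistinguishedName
Add-ADPermission -Identity $secondDn -User $primaryUser -ExtendedRights 'Send-As'

# Review: explicit (non-inherited) Full Access and Send As holders on the second mailbox.
# NT AUTHORITY\SELF is the mailbox's own account and is filtered out as noise.
Get-MailboxPermission -Identity $secondMailbox |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' } |
    Select-Object Identity, User, AccessRights

Get-ADPermission -Identity $secondDn |
    Where-Object { -not $_.IsInherited -and $_.ExtendedRights -like 'Send-As' } |
    Select-Object Identity, User, ExtendedRights
```

The -AutoMapping parameter exists from Exchange 2010 SP1 onwards; on an older build drop it and add the mailbox manually in the Outlook profile as the answer's TechNet link describes.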

  • How to force Outlook's Junk email filter to not filter Exchange 2010 SP1 accepted domains?

    Hello,
    I wonder if there really is no way how to reach the result described in the title question. Because
    http://support.microsoft.com/kb/2458522 says:
    This issue occurs because of a functionality change that is introduced in Exchange Server 2010 SP1. In Exchange Server 2010 SP1, domains that are configured as accepted domains are no longer allowed in the junk email lists of a mailbox.
    So please tell us Microsoft how can we force Outlook to accept internal domain as a trusted senders and not apply Junk email filter on it?
    There was already a long discussion about the steps here
    http://social.technet.microsoft.com/Forums/en-US/outlook/thread/15f857c6-0ed4-4004-9d90-cb5d16361752 so please don't offer anything described there.
    Thank you,

    Trying to deal with the Outlook Junk Email Filter is not very easy and has been a pain in the butt.
    The ONLY way to ensure the Outlook 2010 Junk Email filter honors "white listed" emails is to stamp the email with SCL -1. Setting a transport rule will do that but it is not very flexible.
    I was able to resolve these issues by simply enabling the Exchange 2010 Anti-Spam agents on each hub transport server. We have no Edge Server but we use a couple of Ironports at the gateway which provide the bulk of AntiSpam. We didn't think we would
    need the Exchange AntiSpam so we hadn't initially enabled it. After months of trying to resolve people's complaints of emails from internal systems ending up in Junk, this solution worked for us.
    This is the order in which it was done.
    1. We set the receive connectors for the internal systems for bypassing Anti Spam. We basically have 2 receive connectors, one for internal systems with no relay, and one for internal systems who are allowed external relay.
    Get-ReceiveConnector "server\name of the receive connector" | Add-ADPermission -User "NT Authority\Anonymous Logon" -AccessRights ExtendedRight -ExtendedRights ms-exch-bypass-anti-spam
    Note: If you use SMTP Authentication, Exchange will only mark the emails as "Internal" and not assign a SCL of -1. It can only be on anonymous connections.
    Note: We have a separate receive connector for the Ironports delivering external email that will not bypass Anti-Spam. These emails will receive a SCL rating of 0-9
    2. We set the global SCL to 6 (default is 4). You can set it to whatever you want.
    Set-OrganizationConfig -SCLJunkThreshold 6
    So basically, any email tagged with SCL 7-9 will be moved to Junk by Exchange.
    3. Set-ContentFilterConfig -SCLQuarantineEnabled $False -SCLDeleteEnabled $False -SCLRejectEnabled $False
    We don't want delete, reject or quarantine anything on Exchange. Just move email to Junk folder if SCL 7-9 and have user deal with it.
    4. Set the Internal SMTP Servers by adding each Exchange server's IP Address to the Global Transport Settings. I used EMC, Organization Config, Global Settings, Transport Settings properties, Message Delivery tab. Do NOT add any other "internal" servers
    here, only the Exchange servers.
    5. Then we installed the AS agents on each HT Server.
    Starting with the first server
    Stop MSExchange Transport service
    D:\Program Files\Microsoft\Exchange Server\V14\Scripts>.\install-AntispamAgents.ps1
    After installation, disable all the agents except for Content Filtering Agent. This agent has to be enabled for Exchange to stamp the email with SCL -1. I used EMC, Organization Config, Hub Transport. You will see a new tab called Anti-Spam. Disable everything
    except Content Filtering.
    Start MSExchange Transport service.
    Repeat on each HT server. (You won't have to repeat the disabling of the agents as that is a global setting)
    6. You can add global safe senders by doing the following.
    $list = (Get-ContentFilterConfig).BypassedSenders
    $list
    $list.add("[email protected]")
    $list.add("[email protected]")
    Set-ContentFilterConfig -BypassedSenders $list
    The message headers are stamped with
    For emails sent through the Internal connector
    X-MS-Exchange-Organization-Antispam-Report: MessageSecurityAntispamBypass
    X-MS-Exchange-Organization-SCL: -1
    OR
    For external emails from a safe sender
    X-MS-Exchange-Organization-Antispam-Report: ContentFilterConfigBypassedSender
    X-MS-Exchange-Organization-SCL: -1
    OR
    For all other external emails
    X-MS-Exchange-Organization-SCL: 0
    Good Luck. This has basically stopped all the calls about "legitimate" email in Junk Email folder.
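A way to check that the six steps above actually took effect, and to read the resulting header stamps, as an added example (not code from the original answer). It assumes the SCLJunkThreshold of 6 the answer sets, and the sample header blocks at the end are constructed from the stamps the answer lists. The connector review matters from a security standpoint: granting ms-exch-bypass-anti-spam to Anonymous Logon on the wrong connector (for instance the one the Ironports deliver external mail to) would let any external sender skip content filtering with an SCL of -1.

```powershell
# Added example (not from the original answer). Run in the Exchange 2010 Management Shell.

# 1) Which receive connectors let anonymous senders bypass anti-spam?
#    Only the internal-system connectors should appear with $true; the external (Ironport) connector must not.
Get-ReceiveConnector | ForEach-Object {
    $bypass = $_ | Get-ADPermission |
        Where-Object { $_.ExtendedRights -like 'ms-Exch-Bypass-Anti-Spam' -and $_.User -like '*Anonymous Logon*' }
    [PSCustomObject]@{ Connector = $_.Identity; RemoteIPRanges = ($_.RemoteIPRanges -join ','); AnonymousBypassesAntiSpam = [bool]$bypass }
} | Format-Table -AutoSize

# 2) Org-wide threshold and content filter actions (expected: threshold 6, no quarantine/delete/reject).
Get-OrganizationConfig | Format-List SCLJunkThreshold
Get-ContentFilterConfig | Format-List Enabled, SCLQuarantineEnabled, SCLDeleteEnabled, SCLRejectEnabled, BypassedSenders
# Only the Content Filter Agent should be enabled on each hub transport server after step 5.
Get-TransportAgent | Format-Table Identity, Enabled -AutoSize

# 3) Interpret the X-MS-Exchange-Organization-* stamps on a message header block.
function Get-AntispamVerdict {
    param([Parameter(Mandatory)] [string] $RawHeaders, [int] $JunkThreshold = 6)
    $scl = $null; $report = $null
    foreach ($line in $RawHeaders -split "`r?`n") {
        if     ($line -match '^X-MS-Exchange-Organization-SCL:\s*(-?\d+)')             { $scl    = [int]$Matches[1] }
        elseif ($line -match '^X-MS-Exchange-Organization-Antispam-Report:\s*(.+)$')   { $report = $Matches[1].Trim() }
    }
    if     ($scl -eq -1 -and $report -eq 'MessageSecurityAntispamBypass')    { return 'bypassed: internal connector (anonymous + bypass right)' }
    elseif ($scl -eq -1 -and $report -eq 'ContentFilterConfigBypassedSender') { return 'bypassed: global safe sender' }
    elseif ($null -ne $scl -and $scl -gt $JunkThreshold)                      { return "junk: SCL $scl is above threshold $JunkThreshold" }
    elseif ($null -ne $scl)                                                   { return "delivered: SCL $scl" }
    else                                                                      { return 'no SCL stamp: content filter agent did not process this message' }
}

# Constructed sample headers using the stamps listed in the answer.
$internalSample = "X-MS-Exchange-Organization-Antispam-Report: MessageSecurityAntispamBypass`r`nX-MS-Exchange-Organization-SCL: -1"
$safeSender     = "X-MS-Exchange-Organization-Antispam-Report: ContentFilterConfigBypassedSender`r`nX-MS-Exchange-Organization-SCL: -1"
$externalSample = "X-MS-Exchange-Organization-SCL: 0"
Get-AntispamVerdict -RawHeaders $internalSample
Get-AntispamVerdict -RawHeaders $safeSender
Get-AntispamVerdict -RawHeaders $externalSample
```

If a message from an internal system still lands in Junk, the first thing to check is the verdict of its headers: a missing SCL stamp means it did not pass through the Content Filter Agent (wrong connector, or authenticated rather than anonymous, as the answer's first note explains), while an SCL of 0-9 means it came in on a connector without the bypass right.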

  • Multiple AD FS Instances/independent AD FS Servers in one domain or forest

    Hello together,
    Is it possible to install multiple AD FS Instances on independent AD FS Server in one Domain or Forest? If yes, is that supported from Microsoft or best practice?
    Best regards
    Ulrich Greshake

    Hi Ulrich,
    Is it possible to install multiple AD FS Instances on independent AD FS Server in one Domain or Forest?
    Yes, it is possible. Actually, multiple instances in a single ADFS farm are very useful for fail-over.
    Here are some references below for you:
    Active Directory federation Services Question - Can I run two seperate ADFS instances in my domain?
    https://social.msdn.microsoft.com/Forums/exchange/en-US/3c8903c8-d6d6-471d-9966-b23c83172a40/active-directory-federation-services-question-can-i-run-two-seperate-adfs-instances-in-my-domain
    ADFS Deployment Topology/Architecture
    https://social.msdn.microsoft.com/Forums/vstudio/en-US/e85b1b06-9559-4028-b7cf-eed6582fe60d/adfs-deployment-topologyarchitecture?forum=Geneva
    ADFS High Availability – Quick Reference Guide for Administrators. Implement Single sign-on for Office 365.
    http://blogs.technet.com/b/ucando365talks/archive/2014/04/15/adfs-high-availability-quick-reference-guide-for-administrators-implement-single-sign-on-for-office-365.aspx#.VMnxiXkfpes
    In addition, here is a dedicated ADFS forum below:
    Claims based access platform (CBA), code-named Geneva Forum
    http://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva
    Best Regards,
    Amy

  • Things to be considered before AD - domain and forest functional level upgrade (win 2003 to 2008 R2)

    Hi
    Recently we introduced Windows 2008 R2 DCs and decommissioned old Windows 2003 domain controllers. Since we are not sure about the application compatibility (both MS and 3rd party) many times we postponed the plan to upgrade the DFL and FFLs. We found Jonathan's
    blog (http://blogs.technet.com/b/askds/archive/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level.aspx),
    which clearly says the upgrade won't affect any applications. But just to confirm this with the experts we are posting this concern once again. We have Exchange 2010 / SharePoint / SQL / SAP etc. (also 2 x Windows 2000 servers)
    Please let us know from your real experience - in a production environment how an upgrade from 2003 to 2008 R2 (believe we can upgrade both FFL and DFLs from Win 2003 to Win 2008 R2) affects existing applications.
    Thanks in advance
    LMS

    I might be able to help with Exchange. What service pack?
    Most likely, there should be no problem. The Exchange compatibility matrix shows that (with SP2 and SP3) it is compatible with Windows 2008 R2 domain controllers and 2008 R2 domain and forest functional levels.
    I'm *working on* an Exchange 2010 migration but if you want someone who *has* such a combination (2008 R2 DFL/FFL and Exchange 2010), you could ask in the Exchange forum.
    I'm sure, though, that such a combination is actually quite common.

  • How to share/exchange songs between two iPods?

    Hi,
    I would like to know of a way(s) to share/exchange songs between two iPods (synced to two separate computers).
    Thanks,
    Apu

    Apu,
    It's possible to share between two computers but not two iPods, change the settings for the pod to manual > Edit > Preferences > iPod.
