SCCM 2012SP1 - Cross Forest Scenario

Guys/Girls
I've configured a cross forest SCCM scenario, with all the SCCM config in one Forest and a single Windows XP SP3 desktop in the other. There is a trust between both Forests/2-way external but I haven't added Forests/Domain to SCCM to enable searching
etc. I deployed the agent manually in the external Forest using a mapped drive and ccmsetup /mp:........ this all works fine.
After installation, after the client is approved, when I click on the client in the SCCM console and try to initiate any of the "right-click" features, I just get a stack of access denied errors back "0x80070005". I've tried rebuilding
WMI, re-installing the client to no avail. I'm thinking that it's related to the cross forest config but I see no provision for setting up external credentials for the other forest - am I right in thinking that the only account that needs to be configured is
the "Network Access Account" that the agent uses to make network connections (the rest being run under the guise of the "Local System" account)? If so - this is already done too.
I'm not seeing any access denied entries on the XP desktop and I've been through the DCOM config and local policy to make adjustments/slacken off the permissions...still no dice.
Am I chasing my tail with this? Can I manage a client from the console that actually sits outside of the Forest where the SCCM installation is actually installed?
The installation is pretty much in line with scenario 1 from the following blog:
http://blogs.technet.com/b/neilp/archive/2012/08/20/cross-forest-support-in-system-center-2012-configuration-manager-part-1.aspx
-a

Reading more closely, I notice now that you said "right-click tools". That explains it as those truly have nothing to do with ConfigMgr. Essentially, what all right-click tools are are individual scripts run on your local system that directly connect
to the remote system to perform an action. The console initiates these scripts but that's it. Thus, the credentials of the user logged into the console are used to launch those scripts and the problem here is that the user you are running the console
as does not have permissions to remotely connect to that remote system.
As mentioned, this has nothing to do with ConfigMgr though because ConfigMgr never ever connects to remote clients -- all client agent communication is initiated by the client.
Thus, the right-click tools, while sometimes/often useful, should not be confused with native ConfigMgr functionality.
Jason | http://blog.configmgrftw.com | @jasonsandys

Similar Messages

  • Cross Forest - SCCM 2012SP1

    Hi All - I've re-posted this as I put it in the wrong thread initially under 2007.
    I've configured a cross forest SCCM scenario, with all the SCCM config in one Forest and a single Windows XP SP3 desktop in the other. There is a trust between both Forests/2-way external but I haven't added Forests/Domain to SCCM to enable searching
    etc. I deployed the agent manually in the external Forest using a mapped drive and ccmsetup /mp:........ this all works fine.
    After installation, after the client is approved, when I click on the client in the SCCM console and try to initiate any of the "right-click" features, I just get a stack of access denied errors back "0x80070005". I've tried rebuilding
    WMI, re-installing the client to no avail. I'm thinking that it's related to the cross forest config but I see no provision for setting up external credentials for the other forest - am I right in thinking that the only account that needs to be configured is
    the "Network Access Account" that the agent uses to make network connections (the rest being run under the guise of the "Local System" account)? If so - this is already done too.
    I'm not seeing any access denied entries on the XP desktop and I've been through the DCOM config and local policy to make adjustments/slacken off the permissions...still no dice.
    Am I chasing my tail with this? Can I manage a client from the console that actually sits outside of the Forest where the SCCM installation is actually installed?
    The installation is pretty much in line with scenario 1 from the following blog:
    http://blogs.technet.com/b/neilp/archive/2012/08/20/cross-forest-support-in-system-center-2012-configuration-manager-part-1.aspx
    -a

    http://social.technet.microsoft.com/Forums/systemcenter/en-US/a64548eb-11dd-441f-95d7-097c70c96f17/sccm-2012sp1-cross-forest-scenario?forum=configmgrgeneral
    is the original thread. You shouldn't cross post -- you should wait for a mod to move the thread as now we have multiple people answering the same question without the benefit of seeing what others have answered.
    As mentioned there, this really has nothing to do with ConfigMgr and stems from the use of right-click tools.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • SCCM 2012 - Network requirements for Client communication to primary in a Cross Forest Environment

    Hello, I have been trying to get some definitive answers on what network traffic is required between a client and a primary site versus a secondary in a cross forest scenario.
    Here is the scenario:
    Company A has an existing SCCM 2012 primary Site. Company B (Separate Forest) has now been brought in. One subnet on each side can route to each other and using that one subnet a two way forest
    trust has been setup. But the remote offices have IP address overlaps between companies. At some point in the future all assets on company B will be re-IP and brought over to Company A domain. But in the interim it would be nice to get SCCM cross forest clients
    working. Upgrading to a CAS model with two Primaries would not be preferred here as this is a temporary solution. 
    My questions are as follows.
    If a secondary site is deployed into Company B Forest/Network. I have seen people online allude to the fact that clients will still need to communicate to the Primary located at Company A, even though they
    are assigned to a secondary on Company B’s network. Is this true? Are there any workarounds for this? Is a NAT back to the primary acceptable, or is reverse lookup required?
    Will the Primary need to communicate directly to the clients in Company B? If this is in fact a requirement, then this would be a show stopper. But if it's only needed for things like client pushes,
    then we could work around it.
    Thanks

    "But the remote offices have IP address overlaps between companies"
    Technically, this is unsupported because clients, depending upon your boundaries, will not be able to find a local DP since they use IP addresses for this. The only way to work around this is to use AD Site boundaries.
    "though they are assigned to a secondary"
    Clients are *never* assigned to a secondary site -- that's not what secondary sites are for. Yes, clients require communication with an MP in the primary site where they are assigned. There is no way to change this or work-around this except to put
    an MP from the primary site closer to those clients and use the new MP affinity option in R2 CU3.
    Reverse lookups are only used to verify names by applications that wish to have this type of functionality (which are very few in number) and have nothing to do with true network traffic. NATing is an issue for the reason I gave above -- DP location.
    Remote control, client push, and WoL won't work either because there is no way for the traffic to reach the destination behind the NAT.
    All client *agent* communication in ConfigMgr is client initiated (remote control, client push, and WoL -- as just mentioned -- are sort of exceptions to this but they don't really involve the client *agent*.)
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • SCCM 2012 R2 cross forest with one-way trust feasible?

    We are planning to replace our existing SMS 2003 server with SCCM 2012 R2 (running on Windows server 2012 R2).
    Our requirements are to support our Windows 7 client PCs in Domain A and also support Xen Desktop clients in a separate domain (Domain B) and forest. We have a one way trust established (Domain B trusts Domain A). The SCCM 2012 R2 server will be
    in Domain A the same as our current SMS 2003 server.
    What we want to do, at a minimum, using SCCM is:
    Client inventory (hardware, software, user) and package distribution.
    Is this doable or a no go? If not directly, is there any work-around for this? Appreciate any helpful advice or feedback.
    I have made the below diagram to better illustrate the scenario:
    Note: Domain B does not have WINS implemented (Domain A does). Both domains are running DNS of course.

    Hi,
    The following blog describes the technical requirements that have been put in place for the support of cross forest communication. You could have a look.
    Quote:
    Inner-site Communication (site to site communication) exists in the form of both File Based Replication (SMB Port 445) and Database Replication (TCP/IP port 4022 by default).
    In order to install and configure a child site (primary or secondary), the child site server must be located in the same forest as the parent site or reside in a forest that contains a
    two way trust with the forest of the parent (CAS or primary).
    Site System Roles (MP, DP, etc.) with the exception of the Out of Band Service Point and the Application Catalog Web Service Point can be deployed in an untrusted forest.
    The SLP functionality as known in ConfigMgr 2007 is now performed by a Management Point. In this blog I will refer to this as the Lookup Management Point.
    Most of these items were taken from this TechNet article – please refer to the article for more information -
    Planning for Communications in Configuration Manager .
    For more information:
    http://blogs.technet.com/b/neilp/archive/2012/08/20/cross-forest-support-in-system-center-2012-configuration-manager-part-1.aspx
    Best Regards,
    Joyce
    Thank you for your reply. The below appears to make it seem as though this can be accomplished without requiring a trust:
    http://blog.coretech.dk/kea/multi-forest-support-in-configmgr-2012-part-i-managing-clients-in-an-untrusted-forest/#comment-284522
    Not sure which is correct...

  • SCCM 2012 & SCOM 2012 - Cross Forest

    My current environment is running Operations Manager and Configuration Manager 2007, I am planning an upgrade them to the 2012 version.
    I need to know whether my upgrade to 2012 will support cross forest support ?
    Cheers

    And, there is no 'upgrade' of Configuration Manager 2007 to Configuration Manager 2012 (if you mean Configuration Manager 2007 instead of "SCCM 2008"). You would need to do a side-by-side migration. There are docs, webcasts, webinars (in fact I just did
    one a couple of weeks ago), and TechNet virtual labs on migration to help you gain understanding on how it would work.
    However, yes, Configuration Manager (both 2007 and 2012) do support cross forest environments.
    Wally Mead

  • Cross forest migration Exchange 2010 SP2 to Exchange 2010 SP2

    Hi,
    We are planning cross forest migration Exchange 2010 SP2 to Exchange 2010 SP2.
    Please help us out with the scenario below.
    Source Exchange 2010 SP2:- abc.com
    2AD, 2CAS & 2 MBX servers
    Database:- 4
    Total Users :- 3500
    Accepted Domains :- 8
    Total Data:- 5TB +
    Target Exchange 2010 SP2:- xyz.com
    Resource allocated same as above.
    Now we have to migrate users along with data to target forest xyz.com keeping both setups live, as moving 5TB + data will be an ongoing process and the same will take some time.
    With the guidelines mentioned in
    http://careexchange.in/cross-forest-migration-guide-exchange-2010-to-exchange-2010/#comment-14203 we are able to migrate test users along with data, but after migration the migrated user is not able to connect through MS Outlook even not able to login into
    OWA. It gives error “The Outlook Web App address
    https://mail.abc.com/owa is out of date.”
    Kindly let us know how to solve this issue.
    Kindly let me know if you want any more information from our end.
    Thanks in advance.
    Thanks and Regards, Shashank Kudi

    Hi Shashank,
    Do you have certificates properly installed and configured in the target Exchange?
    If not, please configure a certificate and import the certificate to the trusted root CA if you are using an internal CA cert.
    Thanks, MAS

  • Integration of SCCM in another forest

    Hi,
    I have a standalone primary SCCM 2012 in Forest A with 10k clients assigned to it. Now my company is planning to acquire another company which has 5K clients reporting to a different standalone primary SCCM 2012 in Forest B. My
    question is, I want these two SCCM setups to be managed from one single hierarchy, preferably from Forest A. How can I merge them? Do I need to re-install the clients here, or can I set up a CAS in Forest A and make the primaries in both forests report to it?
    If this is the case, do I need to make any changes to the clients in Forest B?
    Regards
    AKP

    Hi,
    No, you cannot merge them; you cannot migrate two primary sites to a new CAS. What you can do in ConfigMgr 2012 SP1 is add a CAS to an existing primary, but not migrate an existing primary to that CAS.
    So the scenario you face is to use the built-in Migration feature in Configuration Manager 2012 SP1 (it requires SP1) and migrate packages/programs and all the objects you need to either a new Primary site or one of the existing ones and use that in the future.
    After that you reassign the clients to the new site.
    Regards,
    Jörgen
    -- My System Center blog ccmexec.com -- Twitter
    @ccmexec

  • Permissions error during Cross-Forest Cert enrollment

    Hello,
    When attempting to manually enroll for a Cert on a 2012 R2 server, I get the 'Certificate types are not available' msg with the 'You cannot request a cert at this time because no certificate types are available' msg.  When I click the 'Show all templates'
    box, all the cert types are shown with a Status: Unavailable and the msg 'The permissions on the certificate template do not allow the current user to enroll for this type of cert'.
    In this instance, the CA infrastructure is in the Resource forest with the server attempting a cert enroll in the Account forest.  Both Forests are 2008 R2 with a two-way Forest Trust.  We followed all steps in the 'Cross-forest Certificate Enrollment
    with Windows Server 2008 R2' doc published by Microsoft with no issues.  The PKISync worked fine and we do see the Root and SubCA1 certs on the machine we are trying to manually enroll a cert on.  We implemented all the steps to ensure this machine
    receives a cert the same way machines in the Resource forest receive certs.  We've validated the base Trust/Network infrastructure and all checks out.  However, the Resource root forest and domain is all one and on the same domain controllers whereas
    the Account forest has the classical Forest root with two separate domain controllers and then a child domain with a number of domain controllers.  The child domain is where the server lives which we are trying to manually enroll a cert.
    As a point of clarification, the server computer account was added to a Global Security group in the Account Forest.  This group was added to a Domain Local Security group in the Resource Forest which has the Read/Enroll/AutoEnroll permissions on the
    Cert Template.
    Any suggestions on what could be causing the permissions errors?
    Thanks for your help! SdeDot

    Certificate Template permissions can never be assigned to a Domain Local group, only to Universal or Global groups.
    The correct strategy in a multi-forest scenario is the following:
    1) Create a universal group for the certificate template in the account forest (say Accountdomain\pki-authcert-u)
    2) Create a universal group for the certificate template in the resource forest (say Resourcedomain\pki-authcert-u)
    3) Create multiple global groups in each domain in the account forest (if three domains in the forest, create three global groups - one in each domain). Then add the user accounts to the global group in the same domain.
    4) Create multiple global groups in each domain in the resource forest (if three domains in the forest, create three global groups - one in each domain). Then add the user accounts to the global group in the same domain.
    5) On the certificate template, assign the two universal groups Read, Enroll, (and Autoenroll) permissions. That is both Accountdomain\pki-authcert-u and Resourcedomain\pki-authcert-u
    6) Run the pkisync.ps script again to replicate the new permissions
    The reason you cannot use domain local groups is that the certificate template is stored in the Configuration naming context which is replicated to each domain in the forest (account or resource in your case).
    A domain local group can only be used in the domain where the group exists (not good for PKI objects in the configuration NC).
    Brian
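    The group-scope rule described above can be checked directly against a template's ACL, since the template object lives in the Configuration naming context. The PowerShell below is an added example, not code from this thread or from Microsoft: it assumes the ActiveDirectory module (which supplies the AD: drive) and that it is run in the resource forest that hosts the CA. The template name pki-authcert-example is a placeholder; the two GUIDs are the well-known Certificate-Enrollment and Certificate-AutoEnrollment extended rights.

```powershell
# Added example (not from the thread): list the principals holding Enroll or
# Autoenroll on a certificate template and flag Domain Local groups, which
# cannot take effect on a forest-wide object in the Configuration NC.
# Assumes the ActiveDirectory module; the template name below is a placeholder.
Import-Module ActiveDirectory

# Extended-right GUIDs for Certificate-Enrollment and Certificate-AutoEnrollment
$EnrollRight     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollRight = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

function Get-TemplateEnrollmentPrincipals {
    param([Parameter(Mandatory)] [string] $TemplateName)

    # Templates are stored under Public Key Services in the Configuration NC,
    # which replicates to every domain controller in the forest.
    $configNC   = (Get-ADRootDSE).configurationNamingContext
    $templateDn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $acl        = Get-Acl -Path "AD:\$templateDn"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Enroll/Autoenroll are extended rights; an empty ObjectType means "all extended rights"
        if (-not $ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue }
        if ($ace.ObjectType -eq $EnrollRight)         { $right = 'Enroll' }
        elseif ($ace.ObjectType -eq $AutoEnrollRight) { $right = 'Autoenroll' }
        elseif ($ace.ObjectType -eq [Guid]::Empty)    { $right = 'AllExtendedRights' }
        else                                          { continue }

        # IdentityReference is DOMAIN\name when the SID resolves; look up the group scope.
        # Groups from the other (account) forest will not resolve through the local
        # Get-ADGroup and are reported as NotAGroupOrForeign rather than guessed at.
        $principal = $ace.IdentityReference.Value
        $sam       = $principal.Split('\')[-1]
        $group     = Get-ADGroup -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue
        $scope     = if ($group) { $group.GroupScope.ToString() } else { 'NotAGroupOrForeign' }

        [pscustomobject]@{
            Template  = $TemplateName
            Principal = $principal
            Right     = $right
            Scope     = $scope
            # A Domain Local group only applies within its own domain, so an ACE
            # granted to one will not work for this forest-wide template object
            Problem   = ($scope -eq 'DomainLocal')
        }
    }
}

# Usage: replace the placeholder template name, then review the Problem column
Get-TemplateEnrollmentPrincipals -TemplateName 'pki-authcert-example' |
    Format-Table Principal, Right, Scope, Problem -AutoSize
```

    Any row with Problem set to True corresponds to the situation in the question: a Domain Local group on the template ACL that looks correct in the editor but never grants enrollment to the cross-forest computer.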

  • Migrating a mailbox cross forest from exchange 2013 Sp1 to exchange 2010 SP2 Update rollup 8

    I can migrate a mailbox fine from exchange 2010 sp2 update rollup 8 to exchange 2013 sp1 or Cu2.
    I was testing today migrating cross forest from 2010 sp2 update rollup 8 back to exchange 2010 sp2 but I get the below error.  Is this even possible?  I cannot find any documentation on this scenario yet.
    VERBOSE: [21:52:47.622 GMT] New-MoveRequest : The remote server doesn't support client 'casservername.domain.com'
    version (14.2.341.0 caps:05FEFF). Missing functionality: 'TenantHint'.
    VERBOSE: [21:52:47.637 GMT] New-MoveRequest : Admin Audit Log: Entered Handler:OnComplete.
    The remote server doesn't support client 'casservername.domain.com' version (14.2.341.0 caps:05FEFF). Missing functionality: 'TenantHint'.
        + CategoryInfo          : NotSpecified: (0:Int32) [New-MoveRequest], RemotePermanentException
        + FullyQualifiedErrorId : 782D22F0,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest

    Hi Steve,
    I'm a little confused what you are saying. Here is my understanding:
    When you migrate mailboxes from Exchange 2013 back to Exchange 2007, the above error occurs.
    If I have misunderstood your concern, please let me know.
    For migrating mailboxes back to Exchange 2007, there is a simple and straightforward method. Please use the New-MailboxExportRequest cmdlet to convert all mailboxes into pst files. And then use the Import-Mailbox cmdlet to import all pst files into Exchange
    2007.
    Hope it helps.
    Best regards,
    Amy Wang
    TechNet Community Support

  • Exchange 2013 Untrusted Cross-Forest Availability Intermittently Working

    Goal:
    I’m attempting to configure cross-forest availability for Exchange 2013 using the instructions here:
    http://technet.microsoft.com/en-us/library/bb125182%28v=exchg.150%29.aspx
    At the very bottom of the page are three different methods.  I have tried the first (per-user) and the third (untrusted) methods, with identical results.  For various unfortunate reasons, I am unable to use the Microsoft Federated Gateway for availability
    information (although that is configured in the production domain and I would use it if it were possible). 
    Situation:
    When attempting to view availability information in either OWA or Outlook, the free/busy information typically isn’t visible.  If you open and close Outlook a few times, creating meetings with the users in other domains, sometimes the other user’s information
    will be visible, and sometimes it will not.  When it is not, the area is filled with diagonal lines and hovering over it says “No Information”.  The situation is the same in both Adatum trying to access Contoso, and in Contoso trying to access either
    Adatum or Fabrikam.
    I’m currently close to finishing up my third week with Microsoft Support on this issue, and am starting over with a third first level support person.  They are quickly eroding what little confidence I had in them already.  I’m posting here because
    I’m desperate, and web searches for my errors turn up zero results.  I fear this method of availability sharing doesn’t actually work correctly in Exchange 2013 as Microsoft is pushing organizations to use the Microsoft Federated Gateway, but I’d love
    to hear about anyone getting this to work, or not.
    Setup:
    There are three separate domains I am working with (names changed to protect the innocent).  Contoso.local is the production domain, containing Exchange 2007 and Exchange 2013 SP1 servers.  Adatum.local is a test domain set up fresh with Exchange
    2013 SP1.  Fabrikam.com is a remote Exchange system that others are connecting to without issue using Exchange 2010.
    The Contoso and Adatum domain controllers are running Windows Server 2008 R2 SP1 and are running at the 2008 R2 functional level.  The Exchange 2013 servers are all at SP1 (results were the same prior to SP1), and the OS is Windows Server 2012. 
    Contoso has two sites, connected via 10Gbps links, and ~10ms latency, with Exchange 2013 CAS and mailbox servers in both sites.  Adatum has a single site, and has two CAS and two mailbox servers.  Fabrikam has one internet facing server to connect
    to.  A handful of contacts have been created in both Contoso and Adatum for the other domains, to select to view availability.
    Contoso and Adatum domains sit on different subnets, but there is no firewall or filtering between their subnets.  Routing between them is completely unimpeded.  The Fabrikam server sits on another network across the internet, but firewalls have
    been configured and I can browse the availability website from the Contoso CAS servers.
    The CAS servers were originally set up to be load balanced, but working with Microsoft they’ve had me specify a single CAS server for autodiscover/EWS/ECP/OWA/etc in both Contoso and Adatum.  The number of actual users on Exchange 2013 in Contoso is
    ~10.  In Adatum, there are only a handful of mailboxes configured.  The Exchange 2007 servers in Contoso are using Public Folders for free/busy replication for other domains right now, and we don’t care at the moment if they can use the 2013 availability. 
    None of our testing/configurations have involved the Exchange 2007 servers.  There are no SPNs configured for the other domains in AD.
    Errors:
    There are three basic errors that are returned in Outlook diagnostics.  The first is the timeout error.  For a given mailbox server, the first time it is queried for availability information for a remote domain (after some amount of time of being
    idle) it might not respond for 70 seconds (actually somewhere between 69 and 70 seconds each time when viewing the IIS logs), and eventually fails with the timeout error.  If it doesn’t time out, then it will respond with the Correct Response.
    Once a particular mailbox server has timed out, it will typically immediately return the first Availability Error for all subsequent calls.  Less frequently, it will return Availability Error 2.  If a mailbox server returns the first Availability
    Error, then it will continue to return that error until it times out again or starts working.  Similarly, if a mailbox server returns the second Availability Error, then it will continue to return that error until it times out again or starts working.
    If an IISRESET is performed on a mailbox server, then it will either time out at the next cross-forest availability request, or work.  There is never an issue accessing availability information for users in the same domain as the request.
    If the remote Exchange is in an errored state, then the response includes the error.  For example, if the mailbox servers in the remote domain are turned off, and the local mailbox server that you are querying happens to be responding correctly
    for the remote domain, then it will return an error about how no mailbox servers are available in adatum.local to service the request.
    There are no Event Log errors that correspond to failed requests of any type.  IIS logs don’t show anything beyond what is shown in the Outlook diagnostics.  There are no DNS or Active Directory Replication errors in the Event Logs.
    Timeout error:
    CalendarEvents       : {}
    ViewType             : None
    MergedFreeBusyStatus : {}
    WorkingHours         :
    Result               : Error
    ErrorCode            : ErrorTimeoutExpired
    ErrorMessage         : Microsoft.Exchange.InfoWorker.Common.Availability.TimeoutExpiredException: Request could not be processed in time. Timeout occurred during 'LookupRecipientsBatchBegin'.
                           . Name of the server where exception originated: Mailbox01
    ErrorDetails         : {}
    ErrorProperties      : {}
    Availability Error:
    CalendarEvents       : {}
    ViewType             : None
    MergedFreeBusyStatus : {}
    WorkingHours         :
    Result               : Error
    ErrorCode            : ErrorProxyRequestProcessingFailed
    ErrorMessage         : Unable to send cross-forest request for mailbox <Free BusyTest>SMTP:[email protected] because of invalid configuration., inner exception: Microsoft.Exchange.InfoWorker.Common.Availability.AutoDiscoverFailedException:
    AvailabilityAddressSpace 'adatum.local' couldn't be used because the Autodiscover endpoint couldn't be discovered.
                           . Name of the server where exception originated: Mailbox01
    ErrorDetails         : {}
    ErrorProperties      : {}
    Availability Error 2:
    CalendarEvents       : {}
    ViewType             : None
    MergedFreeBusyStatus : {}
    WorkingHours         :
    Result               : Error
    ErrorCode            : ErrorProxyRequestProcessingFailed
    ErrorMessage         : Unable to send cross-forest request for mailbox <Free BusyTest>SMTP:[email protected] because of invalid configuration., inner exception: Microsoft.Exchange.InfoWorker.Common.Availability.AddressSpaceNotFoundException:
    Configuration information for forest/domain swelab.wayad.corp.wayport.net could not be found in Active Directory.
                              at Microsoft.Exchange.InfoWorker.Common.Availability.TargetForestConfigurationCache.FindByDomain(OrganizationId
    organizationId, String domainName)
                              at Microsoft.Exchange.InfoWorker.Common.Availability.QueryGenerator.GetTargetForestConfiguration(EmailAddress
    emailAddress)
                           . Name of the server where exception originated: Mailbox02
    ErrorDetails         : {}
    ErrorProperties      : {}
    Working:
    CalendarEvents       : {Microsoft.Exchange.WebServices.Data.CalendarEvent}
    ViewType             : FreeBusyMerged
    MergedFreeBusyStatus : {Free, Free, Free, Free...}
    WorkingHours         : Microsoft.Exchange.WebServices.Data.WorkingHours
    Result               : Success
    ErrorCode            : NoError
    ErrorMessage         :
    ErrorDetails         : {}
    ErrorProperties      : {}
    Start : 04/09/2014 00:00:00
    End : 04/12/2014 00:00:00
    Subject :
    Location :
    Testing Methodologies:
    While it is possible to dig through Outlook diagnostics and OWA, we ended up scripting out these requests to save time.  Microsoft support refuses to use the scripts, but they produce the same output that it takes them days to find in the logs, so I’ll
    post them here to help anyone in the future.
    Through reading the documentation and experimenting, it appears that the Exchange 2013 CAS servers really do just proxy availability requests from the client to the mailbox servers.  At least by default, it seems to pick a mailbox server in the same
    site, but which mailbox server in the site appears to be random.  It will typically pick the same one repeatedly for a while.
    The first script uses the Microsoft Exchange Web Services Managed API 2.1.
    http://www.microsoft.com/en-us/download/details.aspx?id=42022
    You specify a source email address, and a target address in the remote domain, and it creates a SOAP request that it sends to a CAS server of the source email address.  The CAS proxies the request to the mailbox server which either responds with a failure
    or the free/busy data.
    The second script takes the XML SOAP request generated by the first script, and uses that to query a mailbox server directly.  That allows you to test specific mailbox servers that are working or failing, instead of randomly using whichever mailbox
    server the CAS happens to select.  I generated a SOAP request with the first script that I knew had some data, and then copy/pasted it into the second script to verify if data was being returned.
    I’ve deleted and recreated the availability address spaces in Contoso and Adatum for each other and Fabrikam multiple times.  I’ve reset the password in the OrgWideAccount in both Adatum and Contoso, and viewed the lastBadPassword attribute in both
    ADs to verify it wasn’t failing authentication.  (A failed authentication also generates a 401 error that is returned to the client.)  I can access the availability site of the other domain using the credentials of the OrgWideAccount without any
    errors ever.
    First Script:
    # Load the Exchange Web Services Managed API 2.1 assembly
    Import-Module -Name "C:\Program Files (x86)\Microsoft\Exchange\Web Services\2.1\Microsoft.Exchange.WebServices.dll"
    # Create the service object used to connect to Exchange.
    # You can specify a specific Exchange version, which I had to do to connect to 2007:
    #   Exchange2007_SP1, Exchange2010, Exchange2010_SP1, Exchange2010_SP2, Exchange2013
    # $ExchangeVersion = [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2007_SP1
    # $Service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService($ExchangeVersion)
    $Service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService
    $Service.UseDefaultCredentials = $true
    # Specify an SMTP address. The autodiscover URL from the associated mailbox will be used to connect to Exchange.
    # This is used to distinguish resolving from the 2007 server versus 2013.
    #$Service.AutodiscoverUrl("[email protected]") # For Exchange 2007
    $Service.AutodiscoverUrl("[email protected]") # For Exchange 2013
    # Increase the output at the end to include the SOAP request and response
    $Service.TraceEnabled = $true
    # Specify the time frame to get free/busy for: midnight today, plus seven days
    $StartTime = [DateTime]::Parse([DateTime]::Now.ToString("yyyy-MM-dd 0:00"))
    $EndTime = $StartTime.AddDays(7)
    # Create the objects needed to perform the EWS request
    $drDuration = New-Object Microsoft.Exchange.WebServices.Data.TimeWindow($StartTime,$EndTime)
    $AvailabilityOptions = New-Object Microsoft.Exchange.WebServices.Data.AvailabilityOptions
    $AvailabilityOptions.RequestedFreeBusyView = [Microsoft.Exchange.WebServices.Data.FreeBusyViewType]::DetailedMerged
    $Attendeesbatch = New-Object "System.Collections.Generic.List[Microsoft.Exchange.WebServices.Data.AttendeeInfo]"
    # Specify SMTP addresses of accounts to request availability for
    # (AttendeeInfo converts implicitly from a string, so plain addresses can be added)
    #$Attendeesbatch.Add("[email protected]")
    $Attendeesbatch.Add("[email protected]")
    #$Attendeesbatch.Add("[email protected]")
    #$Attendeesbatch.Add("[email protected]")
    # Clear out old results so that a failed request doesn't still show stale information
    $availresponse = $null
    # Request the availability information from Exchange
    $availresponse = $Service.GetUserAvailability($Attendeesbatch,$drDuration,[Microsoft.Exchange.WebServices.Data.AvailabilityData]::FreeBusy,$AvailabilityOptions)
    # Show summary information, which includes any errors
    $availresponse.AttendeesAvailability
    # Show all of the appointments in the requested time period
    foreach ($avail in $availresponse.AttendeesAvailability) {
        foreach ($cvtEnt in $avail.CalendarEvents) {
            "Start : " + $cvtEnt.StartTime
            "End : " + $cvtEnt.EndTime
            "Subject : " + $cvtEnt.Details.Subject
            "Location : " + $cvtEnt.Details.Location
        }
    }
    Second Script:
    # Change the server in this URL to specify which mailbox server to access
    $url = 'https://mailbox01.contoso.local:444/EWS/Exchange.asmx'
    # Uncomment the below lines if you want to query EWS using credentials other than
    # the ones used to run the script. The variable is global so the check inside the
    # function also works when this is run as a .ps1 file rather than pasted interactively.
    #If(!(Test-Path variable:global:cred)) {
    #    $global:cred = Get-Credential
    #}
    function Execute-SOAPRequest {
        param(
            [Xml] $SOAPRequest,
            [String] $URL
        )
        Write-Host "Sending SOAP Request To Server: $URL"
        $soapWebRequest = [System.Net.WebRequest]::Create($URL)
        # These appear to be the only things needed in the headers when making the request
        $soapWebRequest.ContentType = 'text/xml;charset="utf-8"'
        $soapWebRequest.Accept = "text/xml"
        $soapWebRequest.Method = "POST"
        If (Test-Path variable:global:cred) {
            $soapWebRequest.Credentials = $global:cred
        } Else {
            $soapWebRequest.UseDefaultCredentials = $true
        }
        Write-Host "Initiating Send."
        $requestStream = $soapWebRequest.GetRequestStream()
        $SOAPRequest.Save($requestStream)
        $requestStream.Close()
        Write-Host "Send Complete, Waiting For Response."
        try {
            $resp = $soapWebRequest.GetResponse()
        } catch [System.Net.WebException] {
            # A 401/403/500 from the CAS is thrown here rather than returned in a SOAP body;
            # show the HTTP status and whatever the server sent back, then rethrow
            $errResp = $_.Exception.Response
            if ($errResp) {
                Write-Host ("HTTP error: {0} {1}" -f [int]$errResp.StatusCode, $errResp.StatusDescription)
                $errReader = New-Object System.IO.StreamReader($errResp.GetResponseStream())
                Write-Host $errReader.ReadToEnd()
                $errReader.Close()
            }
            throw
        }
        $responseStream = $resp.GetResponseStream()
        $soapReader = [System.IO.StreamReader]($responseStream)
        $ReturnXml = [Xml] $soapReader.ReadToEnd()
        $responseStream.Close()
        Write-Host "Response Received."
        return $ReturnXml
    }
    # The spacing and line returns in the below variable are important for some reason
    # For example, there must be a line return after the @' on the first line, or it's invalid...
    # Change the line with this:
    # <t:Address>[email protected]</t:Address>
    # to the email address in the domain you want to query
    $soap = [xml]@'
    <?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Header>
    <t:RequestServerVersion Version="Exchange2013_SP1" />
    <t:TimeZoneContext>
    <t:TimeZoneDefinition Name="(UTC-06:00) Central Time (US &amp; Canada)" Id="Central Standard Time">
    <t:Periods>
    <t:Period Bias="P0DT6H0M0.0S" Name="Standard" Id="Std" />
    <t:Period Bias="P0DT5H0M0.0S" Name="Daylight" Id="Dlt/1" />
    <t:Period Bias="P0DT5H0M0.0S" Name="Daylight" Id="Dlt/2007" />
    </t:Periods>
    <t:TransitionsGroups>
    <t:TransitionsGroup Id="0">
    <t:RecurringDayTransition>
    <t:To Kind="Period">Dlt/1</t:To>
    <t:TimeOffset>P0DT2H0M0.0S</t:TimeOffset>
    <t:Month>4</t:Month>
    <t:DayOfWeek>Sunday</t:DayOfWeek>
    <t:Occurrence>1</t:Occurrence>
    </t:RecurringDayTransition>
    <t:RecurringDayTransition>
    <t:To Kind="Period">Std</t:To>
    <t:TimeOffset>P0DT2H0M0.0S</t:TimeOffset>
    <t:Month>10</t:Month>
    <t:DayOfWeek>Sunday</t:DayOfWeek>
    <t:Occurrence>-1</t:Occurrence>
    </t:RecurringDayTransition>
    </t:TransitionsGroup>
    <t:TransitionsGroup Id="1">
    <t:RecurringDayTransition>
    <t:To Kind="Period">Dlt/2007</t:To>
    <t:TimeOffset>P0DT2H0M0.0S</t:TimeOffset>
    <t:Month>3</t:Month>
    <t:DayOfWeek>Sunday</t:DayOfWeek>
    <t:Occurrence>2</t:Occurrence>
    </t:RecurringDayTransition>
    <t:RecurringDayTransition>
    <t:To Kind="Period">Std</t:To>
    <t:TimeOffset>P0DT2H0M0.0S</t:TimeOffset>
    <t:Month>11</t:Month>
    <t:DayOfWeek>Sunday</t:DayOfWeek>
    <t:Occurrence>1</t:Occurrence>
    </t:RecurringDayTransition>
    </t:TransitionsGroup>
    </t:TransitionsGroups>
    <t:Transitions>
    <t:Transition>
    <t:To Kind="Group">0</t:To>
    </t:Transition>
    <t:AbsoluteDateTransition>
    <t:To Kind="Group">1</t:To>
    <t:DateTime>2007-01-01T06:00:00.000Z</t:DateTime>
    </t:AbsoluteDateTransition>
    </t:Transitions>
    </t:TimeZoneDefinition>
    </t:TimeZoneContext>
    </soap:Header>
    <soap:Body>
    <m:GetUserAvailabilityRequest>
    <m:MailboxDataArray>
    <t:MailboxData>
    <t:Email>
    <t:Address>[email protected]</t:Address>
    </t:Email>
    <t:AttendeeType>Required</t:AttendeeType>
    <t:ExcludeConflicts>false</t:ExcludeConflicts>
    </t:MailboxData>
    </m:MailboxDataArray>
    <t:FreeBusyViewOptions>
    <t:TimeWindow>
    <t:StartTime>2014-04-03T00:00:00</t:StartTime>
    <t:EndTime>2014-04-10T00:00:00</t:EndTime>
    </t:TimeWindow>
    <t:MergedFreeBusyIntervalInMinutes>30</t:MergedFreeBusyIntervalInMinutes>
    <t:RequestedView>DetailedMerged</t:RequestedView>
    </t:FreeBusyViewOptions>
    </m:GetUserAvailabilityRequest>
    </soap:Body>
    </soap:Envelope>
    '@
    $ret = Execute-SOAPRequest $soap $url
    # Uncomment one of the below two lines to get the output in alternative formats
    #$ret | Export-Clixml c:\temp\1.xml;Get-Content c:\temp\1.xml
    #$ret.InnerXml
    # If the request is successful, show the appointments, otherwise show the failure message
    $fbResponse = $ret.Envelope.Body.GetUserAvailabilityResponse.FreeBusyResponseArray.FreeBusyResponse
    If ($fbResponse.ResponseMessage.ResponseClass -eq 'Success') {
        $fbResponse.FreeBusyView.CalendarEventArray.CalendarEvent
    } Else {
        $fbResponse.ResponseMessage
    }

    In this case, the SMTP domain is the same as the AD domain.  If the wrong domain were configured then the connection would never work, as opposed to sometimes work.
    RunspaceId            : abb30c12-c578-4770-987f-41fe6206a463
    ForestName            : adatum.local
    UserName              : adatum\availtest
    UseServiceAccount     : False
    AccessMethod          : OrgWideFB
    ProxyUrl              :
    TargetAutodiscoverEpr :
    ParentPathId          : CN=Availability Configuration
    AdminDisplayName      :
    ExchangeVersion       : 0.1 (8.0.535.0)
    Name                  : adatum.local
    DistinguishedName     : CN=adatum.local,CN=Availability Configuration,CN=Wayport,CN=Microsoft
                            Exchange,CN=Services,CN=Configuration,DC=contoso,DC=local
    Identity              : adatum.local
    Guid                  : 3e0ebc2c-0ebc-4be8-83d2-077746180d66
    ObjectCategory        : contoso.local/Configuration/Schema/ms-Exch-Availability-Address-Space
    ObjectClass           : {top, msExchAvailabilityAddressSpace}
    WhenChanged           : 4/15/2014 12:33:53 PM
    WhenCreated           : 4/15/2014 12:33:35 PM
    WhenChangedUTC        : 4/15/2014 5:33:53 PM
    WhenCreatedUTC        : 4/15/2014 5:33:35 PM
    OrganizationId        :
    OriginatingServer     : dc01.contoso.local
    IsValid               : True
    ObjectState           : Unchanged

  • Cross Forest Migration from Exchange 2007 to Exchange 2013

    Hi
    Could anybody advise me on the steps, and also the pros and cons, for the environment below if we are going for a cross forest migration?
    Source
    Domain - test.local
    Active Directory - Windows 2003
    Exchange Server - 2007
    Target
    Domain - test.net
    Active Directory - Windows 2012
    Exchange Server - 2013
    Also, if it is possible,
    how could I remove the source environment, including the Exchange servers, after the migration?
    Regards
    Muralee

    Hi Oliver,
    Please advise us.
    In my environment we are planning to migrate from Exchange 2007 to Exchange 2013 (cross forest migration).
    Source: Exchange 2007 with SP3 RU10
    Target: Exchange 2013 with CU2 (new environment yet to be created).
    Trust: forest trust in place (two way)
    Domain and forest functional level: 2003 in both target and source
    Migration Steps:
    Step 1:
    We are planning to execute 'preparemoverequest.ps1' first in the target forest, so that we will get the disabled MEU
    in the target forest.
    Step 2:
    Then we are going to use ADMT to migrate the users' SIDs and passwords.
    Step 3:
    Then we are going to move the mailboxes with New-MoveRequest.
    Please have a look at our steps and tell us whether we are going to proceed with the migration in the right way or not.
    If anything needs to be changed, please let me know.
    Thanks
    S.Nithyanandham
    Hey there,
    Sorry for taking a little while to get back to you, I've been busy working on hosted Lync deployments!
    Use ADMT first, then run the preparemoverequest.ps1 script using the -uselocalobject cmdlet. This will then tie it up to the ADMT-migrated account.
    More info in this thread here: http://social.technet.microsoft.com/Forums/windowsserver/en-US/2916e931-36a0-4ba4-8c04-196dbe792b44/preparemoverequestps1-and-admt?forum=winserverMigration
    Oliver
    Oliver Moazzezi | Exchange MVP, MCSA:M, MCITP:Exchange 2010,MCITP:Exchange 2013, BA (Hons) Anim | http://www.exchange2010.com | http://www.cobweb.com | http://twitter.com/OliverMoazzezi
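    The three steps in the order Oliver's reply puts them (ADMT first, then Prepare-MoveRequest.ps1 against the ADMT-created account with -UseLocalObject, then New-MoveRequest), as an added example for the Exchange Management Shell of the target forest; this is not code from the thread. The domain controller names, the OU, the database, the batch name, the user list and the assumption that each user's source alias matches the sAMAccountName are all made up for the example, and the ActiveDirectory module is assumed to be installed on the host.

    ```powershell
    # Added example, not from the thread. Run in the Exchange Management Shell of the TARGET
    # (Exchange 2013, test.net) forest. Names below are assumptions.
    Import-Module ActiveDirectory

    $SourceDC   = 'dc01.test.local'                 # Exchange 2007 forest; must be a global catalog
    $TargetDC   = 'dc01.test.net'                   # Exchange 2013 forest
    $TargetOU   = 'OU=Migrated,DC=test,DC=net'
    $TargetDB   = 'DB01'
    $BatchName  = 'CrossForest-Batch1'
    $SourceCred = Get-Credential -Message 'test.local account with read access to the source mailboxes'
    $TargetCred = Get-Credential -Message 'test.net account in Organization Management'
    $Users      = @('user1', 'user2')               # sAMAccountNames already migrated with ADMT
    $PrepScript = Join-Path $env:ExchangeInstallPath 'Scripts\Prepare-MoveRequest.ps1'

    # Step 1 check: ADMT has already run. -UseLocalObject needs the target account to exist,
    # and sIDHistory is what keeps the user's old ACLs working after cutover.
    foreach ($sam in $Users) {
        $acct = Get-ADUser -Server $TargetDC -Identity $sam -Properties SIDHistory -ErrorAction SilentlyContinue
        if (-not $acct) { throw "No account '$sam' in test.net: run ADMT before Prepare-MoveRequest." }
        if (-not $acct.SIDHistory) { Write-Warning "'$sam' has no sIDHistory; ADMT was run without SID history." }
    }

    # Step 2: copy the Exchange attributes of the source mailbox onto the ADMT-created account,
    # turning it into the mail-enabled user that New-MoveRequest needs as its target.
    # Identity is the source mailbox (assumed here to be <sam>@test.local).
    foreach ($sam in $Users) {
        & $PrepScript -Identity "$sam@test.local" `
            -RemoteForestDomainController $SourceDC -RemoteForestCredential $SourceCred `
            -LocalForestDomainController  $TargetDC -LocalForestCredential  $TargetCred `
            -TargetMailUserOU $TargetOU -UseLocalObject -OverwriteLocalObject
    }

    # Step 3: pull the mailbox data across. Suspending when ready to complete lets the whole
    # batch be cut over together with Resume-MoveRequest instead of one user at a time.
    foreach ($sam in $Users) {
        New-MoveRequest -Identity $sam -Remote -RemoteGlobalCatalog $SourceDC `
            -RemoteCredential $SourceCred -TargetDeliveryDomain 'test.net' `
            -TargetDatabase $TargetDB -BatchName $BatchName -SuspendWhenReadyToComplete | Out-Null
    }

    # Watch progress; a failed request keeps its error text in Message.
    Get-MoveRequest -BatchName $BatchName | Get-MoveRequestStatistics |
        Select-Object DisplayName, Status, PercentComplete, Message
    ```

    -TargetDeliveryDomain must be an accepted domain in the target organization for which the mail-enabled users get a proxy address; if that is not the case for test.net in your environment, the move request fails at creation rather than during the sync.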

  • What are the recommended methods to keep CA Certs and CRLs updated in Account Forests for a Cross Forest Enrollment implementation?

    Hello,
    We have 1 resource Forest and multiple account Forests. We've reviewed the Cross-Forest Cert Enrollment with Windows Server 2008 R2 doc and followed steps 8 and 9 under the 'Deploying AD CS for Cross Forest Cert enrollment' regarding publishing
    the root CA Cert and Enterprise CA certs.  We run PKISync.ps1 to copy objects from the resource to the account Forest, and understand Certs and CRLs are not copied from the resource to the account Forests.  We are trying to figure out the best way
    of keeping the Root and SubCA Certs and CRLs updated in the account Forests.
    1. Do folks simply copy the Root and SubCA Certs/CRLs from the resource forest into the account forests when they are renewed and then run the associated -Dspublish commands in the account forest?
    2. Any way for a CRL to be checked in the resource forest from a cert on a computer in the account forest?
    3. Any other suggestions/references regarding best practices on how to do this?
    Thanks for your help! SdeDot

    > Do folks simply copy the Root and SubCA Certs/CRLs from the resource forest into the account forests when they are renewed and then run the associated -Dspublish commands in the account forest?
    Yes. Though we do not bother with the CRL copy, as it is published to an HTTP location only.
    > Any way for a CRL to be checked in the resource forest from a cert on a computer in the account forest?
    I would suggest not using LDAP URLs, in favor of HTTP.
    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor: pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell File Checksum Integrity Verifier tool.
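    The publish-and-verify step the answer describes for question 1, plus a check for question 2 (can a machine in the account forest actually reach the CRL over HTTP), as an added example that is not from the thread. It is meant to run on a domain-joined machine in the account forest under an account that is Enterprise Admin there; the certificate file paths and the test leaf certificate are assumptions.

    ```powershell
    # Added example, not from the thread. Run in the ACCOUNT forest as an Enterprise Admin of
    # that forest (the objects live in its Configuration partition). Paths are assumptions.
    $RootCert = 'C:\PKI\ResourceRootCA.crt'          # exported from the resource forest's root CA
    $SubCert  = 'C:\PKI\ResourceIssuingCA.crt'       # the resource forest's enterprise (issuing) CA
    $LeafCert = 'C:\PKI\test-user.cer'               # any cert issued by that CA, used for the CRL check

    function Invoke-Certutil {
        param([string[]] $CertutilArgs)
        $out = & certutil.exe @CertutilArgs 2>&1
        if ($LASTEXITCODE -ne 0) { throw "certutil $($CertutilArgs -join ' ') failed:`n$($out -join "`n")" }
        $out
    }

    function Publish-ResourceForestCA {
        param([string] $Root, [string] $Sub)
        # Root -> Certification Authorities container (members trust it), issuing CA -> AIA
        # (chain building) and NTAuth (required for certificate/smart-card logon). -f is what
        # the cross-forest enrollment guide uses so a renewed cert into an existing object is not refused.
        Invoke-Certutil @('-dspublish', '-f', $Root, 'RootCA')   | Out-Null
        Invoke-Certutil @('-dspublish', '-f', $Sub,  'SubCA')    | Out-Null
        Invoke-Certutil @('-dspublish', '-f', $Sub,  'NTAuthCA') | Out-Null
    }

    function Get-PublishedCAThumbprints {
        # Map thumbprint -> DNs under Public Key Services that carry that certificate
        $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot = [ADSI]"LDAP://CN=Public Key Services,CN=Services,$configNC"
        $searcher.Filter = '(cACertificate=*)'
        [void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'cACertificate'))
        $found = @{}
        foreach ($r in $searcher.FindAll()) {
            $dn = [string]$r.Properties['distinguishedname'][0]
            foreach ($raw in $r.Properties['cacertificate']) {
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
                if (-not $found.ContainsKey($cert.Thumbprint)) { $found[$cert.Thumbprint] = @() }
                $found[$cert.Thumbprint] += $dn
            }
        }
        $found
    }

    function Test-PublishedCA {
        param([string] $CertPath, [hashtable] $Published)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            FoundIn    = $Published[$cert.Thumbprint]    # $null means this file is not in the account forest
        }
    }

    function Test-CrlReachable {
        # Builds the chain with online revocation checking for every link. OfflineRevocation or
        # RevocationStatusUnknown in Status means this host could not fetch the CDP (LDAP URLs
        # pointing into the other forest typically fail here; HTTP ones should not).
        param([string] $CertPath)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(30)
        $ok = $chain.Build($cert)
        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            ChainValid = $ok
            Status     = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
        }
    }

    Publish-ResourceForestCA -Root $RootCert -Sub $SubCert
    $published = Get-PublishedCAThumbprints
    Test-PublishedCA -CertPath $RootCert -Published $published
    Test-PublishedCA -CertPath $SubCert  -Published $published
    Test-CrlReachable -CertPath $LeafCert
    ```

    Comparing thumbprints read back from the directory, rather than trusting certutil's exit code, is what catches the case where an old copy of a renewed CA is still the only one published; run the same check against each account forest.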

  • Auto-mapping of shared mailboxes in a resource forest scenario

    In a resource forest scenario you assign full access to a shared mailbox using:
    Add-MailboxPermission -Identity SharedMailbox -User AccountForestDomain\UserID -AccessRights FullAccess
    This provides the user in the account forest full access, but it will NOT auto-map the shared mailbox in Outlook.
    If you use the command:
    Add-MailboxPermission -Identity SharedMailbox -User UserID -AccessRights FullAccess
    and UserID is the disabled account of the linked mailbox in the resource forest then the user in the account forest does not have the necessary permission to
    open the mailbox, but the auto-mapping of the mailbox in Outlook works.
    You have to use both commands to have the auto-mapping feature and have access to the shared mailbox.
    This looks like another issue of the auto-mapping feature. The intention of the feature is good, but the way it was implemented can be improved.
    How do you configure full access to shared mailboxes in a resource forest scenario?
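    Both grants the post says are needed, wrapped into one helper for the Exchange Management Shell of the resource forest, as an added example that is not code from the post. The shared mailbox name, the ACCOUNTFOREST domain name and the user IDs are assumptions. Auto-mapping works by writing the grantee's DN into msExchDelegateListLink on the shared mailbox, and a principal from the account forest has no DN in the resource forest, which is why the second grant against the disabled linked account is the one Outlook picks up.

    ```powershell
    # Added example (not from the post). Run in the Exchange Management Shell of the resource
    # forest. Names are assumptions.
    function Grant-SharedMailboxLinkedAccess {
        param(
            [Parameter(Mandatory=$true)] [string] $SharedMailbox,       # e.g. "SharedMailbox"
            [Parameter(Mandatory=$true)] [string] $AccountForestUser,   # e.g. "ACCOUNTFOREST\UserID"
            [switch] $WhatIf
        )

        # Find the linked mailbox whose LinkedMasterAccount is the account-forest user.
        # Compared client-side so it does not depend on LinkedMasterAccount being OPATH-filterable.
        $linked = @(Get-Mailbox -RecipientTypeDetails LinkedMailbox -ResultSize Unlimited |
            Where-Object { $_.LinkedMasterAccount -eq $AccountForestUser })
        if ($linked.Count -eq 0) {
            throw "No linked mailbox in this forest has LinkedMasterAccount '$AccountForestUser'."
        }
        if ($linked.Count -gt 1) {
            throw "More than one linked mailbox points at '$AccountForestUser'; refusing to guess."
        }
        $resourceAccount = $linked[0].SamAccountName   # the disabled account behind the linked mailbox

        # 1. The grant that actually authorizes the open: the account-forest principal.
        #    AutoMapping is switched off because it cannot resolve a foreign principal anyway.
        Add-MailboxPermission -Identity $SharedMailbox -User $AccountForestUser `
            -AccessRights FullAccess -InheritanceType All -AutoMapping:$false -WhatIf:$WhatIf

        # 2. The grant that makes Outlook auto-map: the disabled resource-forest account,
        #    whose DN can be written to msExchDelegateListLink on the shared mailbox.
        Add-MailboxPermission -Identity $SharedMailbox -User $resourceAccount `
            -AccessRights FullAccess -InheritanceType All -AutoMapping:$true -WhatIf:$WhatIf

        # Show the explicit allow ACEs now present for both principals.
        Get-MailboxPermission -Identity $SharedMailbox |
            Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                           ("$($_.User)" -eq $AccountForestUser -or "$($_.User)" -like "*\$resourceAccount") } |
            Select-Object Identity, User, AccessRights
    }

    # Example call (names are assumptions); add -WhatIf to preview without changing anything:
    # Grant-SharedMailboxLinkedAccess -SharedMailbox "SharedMailbox" -AccountForestUser "ACCOUNTFOREST\UserID"
    ```

    The -AutoMapping parameter exists from Exchange 2010 SP2 onward; on earlier builds drop it from both calls and the default (auto-mapping on) applies, which is the behaviour the post describes.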

    Hi J-H,
    Because I don't have such a lab environment, I am unable to do a test.
    Now let's separate the issue.
    1. The first issue is [email protected] unable to auto configure the Outlook profile.
    I suggest you change the user's attributes in the account forest; does it work?
    2. The second issue is [email protected] unable to open a shared mailbox in the resource forest.
    At first, I suggest you create a shared mailbox in the resource forest with this command.
    New-Mailbox -Name <name> -Database <Database name> -OrganizationalUnit Users -UserPrincipalName <UPN value, example: [email protected]> -<ResourceType: Room, Equipment or Shared>
    Managing Resource Mailboxes in Exchange Server 2007 (Part 1)
    Then test if you can log on to the shared mailbox via Outlook.
    If yes, then grant full access rights for [email protected] to [email protected]
    Resource:
    Shared mailbox permission in resource forest with linked users
    Manage Full Access Permissions
    Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • Need help on Cross Forest Exchange 2007 - 2013 with Linked Mailboxes

    Hey all,
    So I'm in a bit of a pickle with my Exchange design and am trying to figure out if there's a way to migrate mailboxes across forests where Linked mailboxes are being used. I've done a bit of reading and have noted stuff like preparing the move request in
    AD, etc. But I'm wondering if someone can break it down for me.
    http://1drv.ms/1lWjLqG
    The above is a OneNote diagram of how we have moved over time. Please forgive my sloppy handwriting but I hope it gets the point across. I will text it out here as well:
    Original Design
    The original design of the domains when I joined the company were fabrikam and contoso. Contoso is a domain that sits entirely in the "DMZ". Fabrikam was the internal AD forest where most services and users authenticated to. In Contoso, there
    are 2 domain controllers, the "Front End" Exchange Server (Edge Transport), and the "Back End" server, which is CAS/Mailbox.
    There is a forest trust between contoso and fabrikam where "Linked Mailboxes" are created in Contoso, and then the LinkedMasterAccount is set to Fabrikam.
    Migration/Hybrid Design
    Due to the fact that these two domains were configured massively inappropriately, riddled with security holes as well as strange permissions configurations, the decision was made to create a new internal AD domain. In my OneNote, I've labeled this 'specialbank.com'.
    A long while ago we migrated users from Fabrikam to SpecialBank via trusts. To facilitate access to Exchange, a new trust was created between Contoso and SpecialBank to allow us to update the LinkedMasterAccount parameter to the new Specialbank domain.
    We have most of our users authenticating to their mailboxes via SpecialBank, while the mailboxes still reside in Contoso.
    Migration from Exchange 2007 to Exchange 2013
    I am attempting to now figure out the best way to migrate the mailboxes from Contoso to a new set of Mailbox servers in SpecialBank. This will also be an upgrade from Exchange 2007 (Current) to an Exchange 2013 installation.
    The latest Service Packs and CUs are installed in both.
    What would be the best procedure to move these mailboxes? To my knowledge, the current best practice/recommended way is to perform a user/SID migration from Contoso to SpecialBank. But I already have accounts in
    SpecialBank that users are actively using.
    I'm not opposed to doing a simple PST export from Contoso to SpecialBank, but we're looking at around 120 mailboxes. So I'm trying to make my life a little easier instead of spending a weekend here.
    If I try to do it in batches, I need to figure out how to handle autodiscover and CAS. Since I'm creating an entirely new Exchange environment, I'm trying to limit what I place in the existing configuration. But I'm not opposed to setting up something temporarily
    if I need to in order to make the migration transparent to users.
    Can anyone help?

    Hi,
    From your description I gather that contoso is the resource forest and SpecialBank is the account forest.
    You just want to migrate the linked mailboxes from the resource forest to the account forest, and also want the migrated mailboxes to be merged with the respective user accounts in the account forest so they become normal user mailboxes. Am I right?
    Please correct me if I am wrong. I have found some blogs on the internet; please have a look at them, especially the first one.
    http://www.outlookforums.com/threads/60210-cross-forest-mailbox-move-and-linked-mailbox/
    http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_27974905.html
    Regards
    S.Nithyanandham
    Thanks S.Nithyanandham

  • Cross-forest access to public folders Exchange 2013-2007

    Dear.
    We have an Exchange 2007 org in one forest and an Exchange 2013 org in another forest.
    User accounts remain in the 2007 AD, mailbox moved to Exchange 2013 in the other forest, so a linked mailbox.
    What do I need to do in the Exchange 2007 public folders to give the migrated mailboxes (not migrated users) access to these public folders?
    Thanks for the support.
    Regards.
    Peter Van Keymeulen, IT Infrastructure Solution Architect, www.edeconsulting.be

    Hi Stephen,
    Do you have a trust between the Exchange 2007 forest and the Exchange 2013 forest? Please set up a trust between the two forests. Then set the public folder client permission
    to see if we can access the public folders.
    If not, since public folder cross-forest migration is not supported from an Exchange 2007/2010 forest to an Exchange 2013 forest, refer to the forum threads:
    http://social.technet.microsoft.com/Forums/office/en-US/51da1b97-fbb1-4f81-87da-c3370960c4ab/crossforest-public-folder-migration?forum=exchangesvrdeploy
    http://social.technet.microsoft.com/Forums/office/en-US/663f0dc3-a977-408a-93c7-94584fbefc62/public-folder-issue-cross-forest-migration-exchange-2010-to-2013?forum=exchangesvrdeploy
    Title: Migrate Public Folders to Exchange 2013 From Previous Versions
    Link: http://technet.microsoft.com/en-us/library/jj150486(v=exchg.150).aspx
    So for public folder migration, the only supported path is cross forest 2007/2010 to 2007/2010 and then inter forest 2007/2010 to 2013. Or
    we can first export all the public folders to PST from the Exchange 2007 forest, then import the PST into the Exchange 2013 forest.
    Regards, Eric Zou
