Whitepaper Cross-Forest Free/Busy Delegation

CROSS-FOREST-FREE/BUSY
AND
CROSS-FOREST-DELEGATION
Whitepaper v2
NETsec
20. February 2015
NETsec GmbH & Co.KG | Schillingsstrasse 117 | DE - 52355 Düren
Introduction
Used Terms
GALsync and Free/Busy
*** General Troubleshooting ***
Common Tools
Common Procedures
Deployment Guide
Matrix - Overview
Exchange 2003
Exchange On Premise <-> Exchange On Premise
Exchange On Premise <-> Office 365
Office 365 <-> Office 365
Technical Modules
Readiness Analyzer
Environment
Description
Screenshots
*** Troubleshooting Checklist ***
Required Permissions
Administrative Permissions
Default Calendar permissions
*** General Troubleshooting ***
Connecting
General Name Resolution
Exchange SMTP Connectors
Autodiscover Name Resolution
Certificates
Create Certificates
Bind Certificates
Trust Certificates
Screenshots
Web Services
Description
Screenshots
*** Troubleshooting Checklist ***
Synchronize With GALsync
Description
Policies (1 example per forest)
Additional configuration when using Cross-forest delegation
*** Troubleshooting Checklist ***
Cross-Forest
AvailabilityConfig
AvailabilityAddressSpace
Cross-Forest-Delegation
Domain Trust
AvailabilityAddressSpace
Final Result
Cross-Forest-Free/Busy
HowTo
Screenshots
Cross-Forest-Delegation
HowTo
Screenshots
Troubleshooting
Help
Description
Tools
Appendix
querySchema.ps1
Free/Busy and Shared Namespace
Cross-Forest-Free/Busy and Cross-Forest-Delegation between dedicated Exchange Online (only) / Office 365 organizations
Cross-Forest-Free/Busy
Cross-Forest-Delegation
Cross-Forest Free/Busy with MS-Federation
Errors (Support)
Document tags
Introduction
This whitepaper helps you to configure and troubleshoot getting
Free/Busy information from your partners’ organization(s) and to work
with delegated calendars in a cross-forest environment - without using the
Microsoft Federation Gateway. It can be used in addition to the manual of
the software GALsync from NETsec, which provides an easy
synchronization of directory objects.
Used Terms
Cross-Forest-Free/Busy: with this technology your people can see
free/busy information of people in another Exchange organization (you
don’t need an Active Directory domain trust). This technique is based on
Exchange Web Services (EWS). Outlook Anywhere and published
Autodiscover are prerequisites for this technology. You need a TCP/IP
connection on port 443 (https) between the organizations.
Cross-Forest-Delegation: if you use this technology your people can see
free/busy information of another Exchange organization. Additionally your
people can manage calendars of people in the other organization in the
same way they use delegated calendars internally. In that case you need
a domain trust between the Active Directory domains. Technically quite a
range of TCP/IP ports are required for communication between the
organizations (see chapter
Ports Required for Trusts in Domain and Forest Trust Tools and Settings,
http://technet.microsoft.com/En-Us/Library/Cc756944(V=Ws.10).Aspx).
MS Federation / Federated Sharing: This technique uses the Microsoft
Federation Gateway, a free cloud-based service, as the trust broker
between two federated organizations. To enable federated sharing, each
organization must establish a one-time federation trust with the Microsoft
Federation Gateway and configure either an organization relationship or
sharing policies with each other.
GALsync and Free/Busy
In Exchange 2003 to Exchange 2010 you could use system public folders
for a free/busy query. We implemented this architecture in GALsync up to
version 4.
Since Exchange 2007, the Exchange Availability Service is natively used as
a Web Service for Free/Busy queries. Since Exchange 2013 and Exchange
Online there are no system public folders for Free/Busy information
available anymore.
GALsync 5 offers cross-forest directory synchronization. Additionally we
can support you with our consulting services to configure cross-forest-Free/Busy or cross-forest-delegation.
How it works (high-level)
Step 1: The client in the remote forest picks a contact synchronized by
GALsync from the GAL and makes an F/B request.
Step 2: The Availability Service at the remote site checks if there is an
AvailabilityAddressSpace entry for the SMTP domain, based on the
primary SMTP address of the contact.
Step 3: The Availability Service tries to contact the Autodiscover service of
the source forest to get the address of the source Availability Service.
Step 4: The Availability Service in the source forest gets the required
Free/Busy information from the given mailbox and sends the answer back
to the remote forest.
*** General Troubleshooting ***
Common Tools
These are some additional tools and resources for diagnosing issues with
Free/busy:
- Hybrid Environment Free/busy Troubleshooter
  http://support.microsoft.com/common/survey.aspx?scid=sw%3ben%3b3526&showpage=1
- Remote Connectivity Analyzer
  https://testconnectivity.microsoft.com/
- Outlook Connectivity Guided Walkthrough
  http://support.microsoft.com/common/survey.aspx?scid=sw;en;3601&showpage=1
- The Microsoft Online Services Diagnostics and Logging (MOSDAL) Support Toolkit
  http://www.microsoft.com/download/en/details.aspx?id=626
- Office 365
  Video: Troubleshooting Issues with Free/Busy Information in Office Outlook Clients for Office 365
Common Procedures
- Increase the event log level on the Exchange servers:
  Get-EventLogLevel | Set-EventLogLevel -Level expert
  If you do not want to get a lot of results, you should reduce the services to the following:
  Set-EventLogLevel "MSExchange Autodiscover\Core" -Level expert
  Set-EventLogLevel "MSExchange Autodiscover\Web" -Level expert
  Set-EventLogLevel "MSExchange Autodiscover\Provider" -Level expert
  Set-EventLogLevel "MSExchange Availability\Availability Service" -Level expert
  Set-EventLogLevel "MSExchange Availability\Availability Service General" -Level expert
  Set-EventLogLevel "MSExchange Availability\Availability Service Authentication" -Level expert
  Set-EventLogLevel "MSExchange Availability\Availability Service Authorization" -Level expert
- Open Outlook with logging enabled (protocol mode)
  http://support.microsoft.com/kb/300479?wa=wsignin1.0
  Note: Outlook 2013 does not seem to use the fblog*.log files as earlier versions such as Outlook 2010 did, so
  troubleshooting with Outlook 2013 is much more difficult. Use Outlook 2010 or 2007!
- Run your Outlook clients in online mode, not in cached mode, to keep your testing results "clean".
- Start Outlook together with the /cleanfreebusy switch
- Run the E-mail AutoConfiguration tool to determine whether Outlook can connect to the Autodiscover service
  To run the test:
  - While Outlook is running, hold down the CTRL key, right-click the Outlook icon in your system tray or
    notification area (lower right corner of computer screen), and then select Test E-mail AutoConfiguration.
  - Enter your email address and password.
  - Clear the checkboxes next to Use Guessmart and Secure Guessmart Authentication. Make sure that Use
    AutoDiscover is selected.
  - Click the Test button. It may take up to a minute before the test is complete.
Deployment Guide
Matrix - Overview
Source Org        Target Org        Technique to get Free/Busy                         Version to sync GAL
2003              2003              Public folders                                     GALsync v4 [0]
2003              2007              Public folders                                     GALsync v4 [0]
2003              2010              Public folders                                     GALsync v4 [0]
2003              2013              Not supported                                      GALsync v4 [0] + GALsync v5 [1]
2003              Exchange Online   Not supported                                      GALsync v4 [0] + GALsync v5 [1]
2007              2003              Public folders                                     GALsync v4 [0]
2007              2007              Cross-Forest Free/Busy [2] or MS Federation [3]    GALsync v5 [1]
2007              2010              Cross-Forest Free/Busy [2] or MS Federation [3]    GALsync v5 [1]
2007              2013              Cross-Forest Free/Busy [2] or MS Federation [3]    GALsync v5 [1]
2007              Exchange Online   Cross-Forest Free/Busy [2] or MS Federation [3]    GALsync v5 [1]
2010              2003              Public folders                                     GALsync v4 [0]
2010              2007              Cross-Forest Free/Busy [2] or MS Federation [3]    GALsync v5 [1]
2010              2010              Cross-Forest Free/Busy [2] or MS Federation [3]    GALsync v5 [1]
2010              2013              Cross-Forest Free/Busy [2] or MS Federation [3]    GALsync v5 [1]
2010              Exchange Online   Cross-Forest Free/Busy [2] or MS Federation [3]    GALsync v5 [1]
2013              2003              Not supported                                      GALsync v4 [0] + GALsync v5 [1]
2013              2007              Cross-Forest Free/Busy [2] or MS Federation [3]    GALsync v5 [1]
2013              2010              Cross-Forest Free/Busy [2] or MS Federation [3]    GALsync v5 [1]
2013              2013              Cross-Forest Free/Busy [2] or MS Federation [3]    GALsync v5 [1]
2013              Exchange Online   Cross-Forest Free/Busy [2] or MS Federation [3]    GALsync v5 [1]
Exchange Online   2003              Not supported                                      GALsync v4 [0] + GALsync v5 [1]
Exchange Online   2007              Cross-Forest Free/Busy [2] or MS Federation [3]    GALsync v5 [1]
Exchange Online   2010              Cross-Forest Free/Busy [2] or MS Federation [3]    GALsync v5 [1]
Exchange Online   2013              Cross-Forest Free/Busy [2] or MS Federation [3]    GALsync v5 [1]
Exchange Online   Exchange Online   supported [4]                                      GALsync v5 [1]
Legend:
[0] GALsync v4 provides an optional feature which copies all free/busy information from Exchange public folder
    store.
[1] Free/Busy queries can be performed by using GALsync v5 to sync the objects and using Cross-Forest
    Free/Busy or MS Federation to get free/busy information
[2] This technique is based on Exchange Web Services (EWS). Outlook Anywhere and published Autodiscover are
    prerequisites for this technology.
[3] This technique is based on Exchange Web Services (EWS). Additionally you have to configure a trust to a
    Microsoft Trust Center.
[4] described below
Exchange 2003
Scenarios with dedicated Exchange 2003 environments are not covered in
this Whitepaper.
If you use Exchange 2003 (or Exchange 2007) combined with Exchange
2010 SP1, the Exchange 2010 SP1 mailbox server must host a Public
Folder database and must be the ONLY replica server for the Free/Busy folder.
- Cross Org Availability using Federation Trust and Organization Relationship
  http://blogs.technet.com/b/exchange/archive/2011/06/28/cross-org-availability-using-federation-trust-and-organization-relationship.aspx
- Free/busy sharing between Exchange 2003 and Exchange 2010 organizations
  http://technet.microsoft.com/en-us/library/hh310374(v=exchg.141).aspx
- Understanding Shared Free/Busy in Exchange 2003 Hybrid Deployments
  http://technet.microsoft.com/en-us/library/hh779664(v=exchg.141).aspx
Exchange On Premise <-> Exchange On Premise
All scenarios between any Exchange organization using 2007/2010 or
2013 are covered in this whitepaper.
Exchange On Premise <-> Office 365
To enable the shared free/busy feature in a hybrid deployment we
recommend the technique MS Federation.
Read the chapter Cross-Forest Free/Busy with MS-Federation in the
appendix of this document.
Office 365 <-> Office 365
Read the chapter Cross-Forest-Free/Busy and Cross-Forest-Delegation
between dedicated Exchange Online (only) / Office 365 organizations in
the appendix of this document.
Technical Modules
This chapter provides you with more details considering the different
requirements.
Readiness Analyzer
In a first step you should validate if your environments are ready. Simply
follow these questions:
Topic: General
Validate:
- Do the Exchange and Domain Controller event logs indicate any critical errors?
- Does the Exchange Best Practice Analyzer indicate any critical errors?
- Does dcdiag on the domain controllers indicate any critical errors?
On error: Read chapter Environment

Topic: Network
Validate:
- Are you able to nslookup the local and remote environment from both sides?
- Are you able to nslookup autodiscover.<remoteSMTP>.<domain>?
- Are you able to send SMTP messages between the different environments?
On error: Read chapter Connecting

Topic: Webservices and Certificates
Validate:
- Can you connect to the Autodiscover service by using the E-mail AutoConfiguration tool in Outlook?
- Can you run Test-OutlookWebServices using a local account without errors?
- Can you run Test-OutlookWebServices using a remote account without errors?
- Does your environment (i.e. the CAS servers) trust the root certificate of the remote forest?
On error: Read chapter Webservices and certificates

Topic: GALsync
Validate:
- Can you synchronize objects from the source environment to the remote forest? Are the objects created as contacts there?
- Can Outlook / OWA clients in the remote forest see the synchronized objects in the GAL?
On error: Read chapter Synchronize with GALsync

Topic: Availability
Validate:
- Did you configure AvailabilityAddressSpace and AvailabilityConfig correctly?
On error: Read chapter Cross-Forest
Description
This step must be performed
- If you are working in an internal Test-Lab or if your organizations are connected by
  internet.
- If you want to realize Cross-Forest-Free/Busy or Cross-Forest-Delegation
In this step you collect some information about your own and your
partners’ environment. Please note:
- Name of the forest
- Name of the domains in the forest
- Name of sites
- Name of Domain Controllers and Global Catalogs
- Version of the Active Directory Schema
- Names of all Exchange CAS Servers
- Exchange Server versions (see possible values in appendix or run PS script
  querySchema.ps1)
- Local firewall-rules on the Exchange servers
Get-ExchangeServer | fl name, edition, admindisplayversion, serverrole, site
Screenshots (images not included): 2007a, 2010a, 2010b, 2013a
*** Troubleshooting Checklist ***
- Does dcdiag on your DCs or does Exchange Best Practice Analyzer (exbpa) on your Exchange servers
  indicate any errors which could be related to your issue?
- Are the clients in both forests able to get free/busy information of other clients in the same domain?
- Are the clients in both forests able to send mails to clients in the remote domain by inserting their SMTP
  address into the TO: field of the message?
- Are all required ports open?
  Read article “Exchange, Firewalls, and Support”
  http://blogs.technet.com/b/exchange/archive/2013/02/18/exchange-firewalls-and-support-oh-my.aspx
Required Permissions
This step must be performed
- If you are working in an internal Test-Lab.
- If you want to realize Cross-Forest-Free/Busy or Cross-Forest Delegation
Administrative Permissions
You must be prepared to run some of the steps as a user with sufficient
privileges. Some of the configurations you have to make require an account
which is a member of the Exchange Organization Management and/or Active
Directory Domain Administrators group.
Please note the account you want to use.
Default Calendar permissions
The permissions should be set to Free/Busy time to be displayed.
*** General Troubleshooting ***
- Check the Default Calendar permissions for the mailbox(es) you would like to view Free/Busy information
  for.
  Right-click on a Calendar > Properties > Permissions. The permissions should be set to Free/Busy time to
  be displayed.
Connecting
General Name Resolution
Description
This step must be performed
- If you are working in an internal Test-Lab or if your organizations are connected by
  internet.
- If you want to realize Cross-Forest-Free/Busy or Cross-Forest-Delegation
You must have name resolution working so that the Exchange servers
know where to get information from.
Your environment must be able to get a path to your partners’ domain.
Usually this is implemented in your own internal DNS server as a
conditional forwarder (if you use an internal test environment) or it is
configured in the public DNS of your partner.
If you use an internal Test-LAB
To configure a DNS server to use forwarders using the Windows interface
(Windows 2003)
1. Open DNS Manager.
2. In the console tree, click the applicable DNS server.
3. On the Action menu, click Properties.
4. On the Forwarders tab, under DNS domain, click a domain name.
5. Under Selected domain's forwarder IP address list, type the IP
   address of a forwarder, and then click Add.
To configure a DNS server to use forwarders using the Windows interface
(Windows 2008)
1. Open DNS Manager.
2. In the console tree, click the applicable DNS server, then
   select node Conditional Forwarders
3. Right click the node and select New Conditional Forwarder
4. Follow the wizard
Check by
C:\> nslookup <partnersdomain>
If your organizations are connected by internet
Your CAS servers (or the ISA/TMG which publishes the Web
Services) must be able to resolve public DNS records of your partners’
organization.
Check by
nslookup <partnersdomain>
Note: If name resolution against your partners’ site is not possible, you
have to solve this issue before continuing.
Screenshots
Zones (images not included): 2007a, 2010a, 2010b, 2013a
*** Troubleshooting Checklist ***
- Can you resolve the internal names of the Domains?
  Run DCDiag /test:DNS /e /v
- Can you resolve the external published names of the Domains?
- Can you resolve the external published MX records of the Domains?
Exchange SMTP Connectors
Description
This step must be performed
- If you are working in an internal Test-Lab or if your organizations are connected by
  internet.
- If you want to realize Cross-Forest-Free/Busy or Cross-Forest-Delegation
You must have all appropriate Send Connectors and Accepted Domains in
place
Exchange CAS servers must have a route to send SMTP messages to the
partners’ organizations. Just as you configure DNS forwarding or public DNS
on TCP/IP level, you configure Send Connectors on Exchange level.
Screenshots
Accepted Domains (images not included): 2007a, 2010a, 2010b, 2013a
Send Connectors (multiple scopes) (images not included): 2007a, 2010a, 2010b, 2013a
*** Troubleshooting Checklist ***
- Are clients able to send/receive mails (between the 2 forests) by sending mail using the SMTP address of
  the recipient?
- Are clients able to send/receive/accept/decline meeting invitations (between the 2 forests) by sending mail
  using the SMTP address of the recipient?
Autodiscover Name Resolution
Description
This step must be performed
- If you are working in an internal Test-Lab or if your organizations are connected by
  internet.
- If you want to realize Cross-Forest-Free/Busy or Cross-Forest-Delegation
You must have an autodiscover A-record in DNS
Clients discover other Exchange services from the information that is
offered in the file autodiscover.xml and published by the autodiscover
virtual directory of a CAS server.
If you use an internal Test-LAB
There must be an autodiscover A-record present in your internal DNS
which points to the IP representing your Exchange Web Services, i.e. your
Exchange CAS server. Usually you have a DNS zone integrated into Active
Directory. This zone name represents your Active Directory domain, but
not necessarily your SMTP domain. If your Active Directory domain name
is different from your SMTP domain name you have to configure an
additional zone which represents this SMTP domain.
To configure a new zone in DNS using the Windows interface
1. Open DNS Manager.
2. In the console tree, right-click a DNS server, and then click
   New Zone to open the New Zone Wizard.
3. Follow the instructions to create a new primary, secondary, or
   stub zone.
If your organizations are connected by internet
There must be an autodiscover A-record present in your public DNS where
your MX record is hosted too. The autodiscover record points to the IP
which represents your Exchange Web Services, i.e. your Exchange CAS
server, your Exchange array or your mail gateway (i.e. ISA/TMG).
Note: If you use a mail-gateway or ISA/TMG, autodiscover must be
explicitly published to the Internet.
Execute nslookup autodiscover.yoursmtp.domain
Note: If no autodiscover record can be found, you have to solve this
issue before continuing.
Screenshots
Additional SMTP-Domains (images not included): 2007a, 2010a, 2010b, 2013a
*** Troubleshooting Checklist ***
- Is autodiscover for every SMTP domain configured in DNS?
- nslookup autodiscover.remote.domain
- ipconfig /DisplayDNS | find "autodiscover"
Certificates
If you already published your certificates externally (i.e. by using an
official 3rd-party SAN certificate) you do not need to create, bind and trust
new certificates. Validate this by using the Remote Connectivity Analyzer.
If you do not publish your certificates externally but you activated Outlook
Anywhere (i.e. using ActiveSync) and deployed certificates through your
own CA you do not need to create, bind and trust new certificates. But
you have to deploy the Exchange certificates in the remote environment.
Create Certificates
This step must be performed
- If you are working in an internal Test-Lab
- You do not use SAN certificates on the test Exchange CAS server
- If you want to realize Cross-Forest-Free/Busy or Cross-Forest-Delegation
Your organization now must be prepared to use the appropriate SAN certificates on all Exchange CAS servers.
Exchange servers of different organizations communicate in a trusted
manner with each other by validating their SSL certificates. So all CAS
servers have to use a SAN certificate (containing special subjects) and
they must be able to trust the certificates of the other side.
We propose to create one certificate which can be used by all CAS servers.
This should include the FQDN of the CAS Servers, their
hostnames and the autodiscover FQDN. You can use SelfSSL.exe on a
32-bit system or alternatively the makecert.exe tool to create a self-signed
certificate.
Selfssl: http://blog.exchange-addict.com/2012/11/cross-forest-freebusysimple-version_13.html
makecert: http://social.msdn.microsoft.com/Forums/en-US/netfxnetcom/thread/162a1ab6-23ae-4616-bebc-bbe225407b78/
Run the software selfssl from the command line like:
1. selfssl7.exe /N cn=autodiscover.forest2010a.com;cn=autodiscover.f2010a.com;cn=m2010a.forest2010a.com;cn=m2010a /K 1024 /V 18250 /X /F c:\forest2010a_2nd.pfx /W Pass1Word /Q
2. selfssl7.exe /N cn=autodiscover.forest2010b.com;cn=autodiscover.f2010b.com;cn=m2010b.forest2010b.com;cn=m2010b /K 1024 /V 18250 /X /F c:\forest2010b_2nd.pfx /W Pass1Word /Q
Note: If you do not have valid SAN certificates present on both sides,
you have to solve this issue before continuing.
Bind Certificates
This step must be performed
- If you are working in an internal Test-Lab
- You do not use SAN certificates on the test Exchange CAS server
- If you want to realize Cross-Forest-Free/Busy or Cross-Forest-Delegation
Your Exchange CAS Servers must bind the newly created SAN certificate
to the IIS services of all CAS Servers.
Certificates are bound to specific services. Because the Availability Service,
which provides Free/Busy information, is served by IIS, the SSL
certificate must be bound to that service. All other services will preserve
their bound certificates.
Import an Exchange certificate (2010)
1. In the console tree, click Server Configuration.
2. From the action pane, click Import Exchange Certificate to open the Import
   Exchange Certificate wizard.
3. This wizard helps you import a certificate with a valid private key to your
   Exchange server. You must enter the password of the private key for a
   successful import.
4. On the Introduction page, click Browse to select the file that contains the
   exported certificate, and then enter the password for the certificate.
5. On the Exchange Server Selection page, select the Exchange server that you
   want to import the certificate to.
6. On the Completion page, verify that all previously selected options are correct.
7. On the final page, follow the steps listed to complete your request. This page
   also displays the Shell cmdlet syntax necessary to import the certificate.
Assign this Exchange 2010 certificate to the IIS service
- In the console tree, select Server Configuration.
- In the action pane, click Assign Services to Certificate to open the Assign Services to
  Certificate wizard. This wizard helps you assign the appropriate services to your
  certificate for your Exchange organization.
- On the Assign Services page, use the check boxes in the Assign Services section to
  choose IIS as the service you want to assign to your certificate. Click Assign.
- On the Completion page, verify that all of the services were assigned properly.
Import and assign Exchange certificate (2007)
- Open IIS Manager and navigate to the level you want to manage.
- In Features View, double-click Server Certificates.
- In the Actions pane, click Import.
- In the Import Certificate dialog box, do the following:
  - Type a file name in the Certificate file box or click the browse button (…) to navigate
    to the name of a file where the exported certificate is stored.
  - Type a password in the Password box if the certificate was exported with a password.
  - Select Allow this certificate to be exported if you want to be able to export the
    certificate, or clear Allow this certificate to be exported if you do not want to allow
    additional exports of this certificate.
- Click OK.
- Run PowerShell to bind the cert to services
  Enable-ExchangeCertificate -Thumbprint <thumbprint of the imported certificate> -Services "IIS"
- To verify that your certificate is running and enabled run the following command:
  Get-ExchangeCertificate -DomainName server.domain.com
- Now restart IIS on CAS servers (i.e. iisreset)
Note: If the Exchange Web Services (or IIS, respectively) do not use the SAN
certificates you have to solve this issue before continuing.
Trust Certificates
This step must be performed



If you are working in an internal Test-Lab
You do not use SAN certificates on the test Exchange CAS server
If you want to realize Cross-Forest-Free/Busy or Cross-Forest-Delegation
Your Exchange CAS Servers must trust the SAN certificate of your
partners Exchange CAS servers.
Certificates are bound to specific services. Because the CAS servers only
communicate if they can trust each other the have to know something
about the certificate of the partners side. So, your Exchange CAS Servers
must include the certificate of your partners’ side in the store for root
certificates.
Whitepaper Cross-Forest Free/Busy and Cross-Forest Delegation


24
Add certificates to the Trusted Root Certification Authorities store for a
local computer









Click Start, click Start Search, type mmc, and then press ENTER.
On the File menu, click Add/Remove Snap-in.
Under Available snap-ins, click Certificates, and then click Add.
Under This snap-in will always manage certificates for, click Computer account, and
then click Next.
Click Local computer, and click Finish.
If you have no more snap-ins to add to the console, click OK.
In the console tree, double-click Certificates.
Right-click the Trusted Root Certification Authorities store.
Click Import to import the certificates and follow the steps in the Certificate Import
Wizard.
You may also deploy certificates by using Group Policy. Keep in mind that
the certificate for Exchange Server itself must be imported directly to the
local store.
http://technet.microsoft.com/en-us/library/cc770315(v=ws.10).aspx
1. Open Group Policy Management Console.
2. Find an existing or create a new GPO to contain the certificate settings. Ensure that
the GPO is associated with the domain, site, or organizational unit whose
users/machines you want affected by the policy.
3. Right-click the GPO, and then select Edit.
Group Policy Management Editor opens, and displays the current contents of the
policy object.
4. In the navigation pane, open Computer Configuration\Windows Settings\Security
Settings\Public Key Policies\Trusted Publishers.
5. Click the Action menu, and then click Import.
6. Follow the instructions in the Certificate Import Wizard to find and import the
certificate.
7. If the certificate is self-signed, and cannot be traced back to a certificate that is in the
Trusted Root Certification Authorities certificate store, then you must also copy the
certificate to that store. In the navigation pane, click Trusted Root Certification
Authorities, and then repeat steps 5 and 6 to install a copy of the certificate to that
store.
Note: If your Exchange CAS servers do not trust the SAN certificates of
the partners’ side, you have to solve this issue before continuing.
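One way to check the two conditions this section depends on (the partner certificate chains to a root in the local computer store, and its subject alternative names cover the host names you will call) is sketched below. This is an added example, not part of the whitepaper or of GALsync; the host names are placeholders, and it assumes Windows PowerShell 3.0 or later on a Windows machine with an English or German display language, because the SAN text rendering is localized.

```powershell
# Added example: inspect the certificate a partner CAS endpoint presents.
# Host names used at the bottom are placeholders, not values from the whitepaper.

function Get-EndpointCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept whatever the server presents here; trust is evaluated separately below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($HostName)
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        }
        finally { $ssl.Dispose() }
    }
    finally { $client.Close() }
}

function Test-EndpointCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory = $true)][string[]]$RequiredNames
    )
    # Subject Alternative Name extension (OID 2.5.29.17). Windows renders the
    # entries as "DNS Name=host" (English) or "DNS-Name=host" (German).
    $sanNames = @()
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        $sanNames = @([regex]::Matches($sanExt.Format($false), 'DNS[ -]Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() })
    }

    # A required name is covered by an exact SAN entry or by a one-label wildcard.
    $missing = @()
    foreach ($name in $RequiredNames) {
        $n = $name.ToLowerInvariant()
        $covered = $false
        foreach ($san in $sanNames) {
            if ($san -eq $n) { $covered = $true }
            elseif ($san.StartsWith('*.') -and $n.Contains('.') -and
                    $n.Substring($n.IndexOf('.')) -eq $san.Substring(1)) { $covered = $true }
        }
        if (-not $covered) { $missing += $name }
    }

    # Build the chain in machine context: this is the view of the Local Computer
    # stores, which is where the steps above import the partner certificate.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($Certificate)
    $chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    $keySize = $null
    try { $keySize = $Certificate.PublicKey.Key.KeySize } catch { }  # not available for every key type

    [pscustomobject]@{
        Subject               = $Certificate.Subject
        Thumbprint            = $Certificate.Thumbprint
        NotAfter              = $Certificate.NotAfter
        KeySizeBits           = $keySize
        SanNames              = $sanNames
        MissingNames          = $missing
        TrustedByLocalMachine = $trusted
        ChainStatus           = $chainStatus
    }
}

# Placeholder names: replace with the partner's Autodiscover and EWS host names.
$requiredNames = 'autodiscover.partner.example', 'mail.partner.example'
try {
    $cert = Get-EndpointCertificate -HostName $requiredNames[0]
    Test-EndpointCertificate -Certificate $cert -RequiredNames $requiredNames | Format-List
}
catch {
    Write-Warning "Could not retrieve a certificate from $($requiredNames[0]): $($_.Exception.Message)"
}
```

Run it on each CAS server: an empty MissingNames list together with TrustedByLocalMachine = True corresponds to the state this step asks for, and KeySizeBits shows whether a lab certificate created with a short key is still in use.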
Screenshots
Create Certificates (with selfssl.exe)
2007a
selfssl7.exe /N cn=autodiscover.forest2007a.com;cn=autodiscover.f2007a.com;cn=m2007a.forest2007a.com;cn=m2007a /K 1024 /V 18250 /X /F c:\forest2007a_2nd.pfx /W Pass1Word /Q
2010a
selfssl7.exe /N cn=autodiscover.forest2010a.com;cn=autodiscover.f2010a.com;cn=m2010a.forest2010a.com;cn=m2010a /K 1024 /V 18250 /X /F c:\forest2010a_2nd.pfx /W Pass1Word /Q
2010b
selfssl7.exe /N cn=autodiscover.forest2010b.com;cn=autodiscover.f2010b.com;cn=m2010b.forest2010b.com;cn=m2010b /K 1024 /V 18250 /X /F c:\forest2010b_2nd.pfx /W Pass1Word /Q
2013a
selfssl7.exe /N cn=autodiscover.forest2013a.com;cn=autodiscover.f2013a.com;cn=m2013a.forest2013a.com;cn=m2013a /K 1024 /V 18250 /X /F c:\forest2013a_2nd.pfx /W Pass1Word /Q
Import Certificates (screenshots: 2007a, 2010a, 2010b, 2013a)
Assign certificate to the IIS/Exchange service (screenshots: 2007a, 2010a, 2010b, 2013a)
Imported remote Certificates for trust (screenshots: 2007a, 2010a, 2010b, 2013a)
Web Services
Description
This step must be performed
If you are working in an internal Test-Lab or if your organizations are connected by
internet.
If you want to realize Cross-Forest-Free/Busy or Cross-Forest-Delegation
You want to validate the certificates of your own side and of your partners’
side.
If a client like Outlook or OWA tries to connect to its own Exchange
servers, it must trust the certificates of these servers. So, the client must
store the root certificate in the certificate store of the person who is
running the application. If an Exchange CAS server tries to connect to the
partners’ Exchange servers, it must trust the certificates of these servers.
So, you want to validate this too.
If you use an internal Test-LAB
If you want to test F/B with Outlook, your Outlook client must trust the
certificates of your own CAS servers. So the OWA machine must include
the SAN certificates of your own CAS servers in its personal store for root
certificates (of the logged in GALsync account).
Additionally run the Microsoft Remote Connectivity Analyzer at
https://www.testexchangeconnectivity.com/. Download the Client tools and run the
Connectivity Diagnostic issue “I can’t log on with Office Outlook”.
The test should confirm that Outlook Autodiscover is functional.
Note: If your Outlook client machine does not trust the SAN certificates of
the CAS servers on your own side, you have to solve this issue before
continuing.
If your organizations are connected by internet
Run the Microsoft Remote Connectivity Analyzer at
https://www.testexchangeconnectivity.com/ and confirm that Outlook
Autodiscover and Exchange Web Services are functional.
Note: If the Analyzer indicates errors that prevent the services from working, you
have to solve this issue before continuing.
Check:
https://autodiscover.your.domain/autodiscover/autodiscover.xml
Check health of Web Services
test-outlookwebservices -targetaddress [email protected] | fl
Note: If you receive errors that prevent the services from working, you have to solve
these issues before continuing.
Screenshots
2007a
test-outlookwebservices -targetaddress [email protected] | fl
test-outlookwebservices -targetaddress [email protected] | fl
test-outlookwebservices -targetaddress [email protected] | fl
2010a
test-outlookwebservices -targetaddress [email protected] | fl
test-outlookwebservices -targetaddress [email protected] | fl
test-outlookwebservices -targetaddress [email protected] | fl
2010b
test-outlookwebservices -targetaddress [email protected] | fl
test-outlookwebservices -targetaddress [email protected] | fl
test-outlookwebservices -targetaddress [email protected] | fl
2013a
test-outlookwebservices -targetaddress [email protected] | fl
test-outlookwebservices -targetaddress [email protected] | fl
test-outlookwebservices -targetaddress [email protected] | fl
If you try to access the Autodiscover URL for the target forest via IE with
the orgwideAccount, can you open it and do you receive error code 600? Can you
open the availability URL?
*** Troubleshooting Checklist ***
After you confirm that the Autodiscover service works externally for your organization, determine whether the
Autodiscover service works correctly from the local computer. Use the Test E-mail AutoConfiguration tool to
determine whether the Autodiscover service and the Availability service are working from Outlook. To do this,
follow these steps:






Start Outlook.
Hold down the Ctrl key, right-click the Outlook icon in the notification area, and then click Test E-mail
AutoConfiguration.
Verify that the correct email address is in the E-mail Address box.
In the Test E-mail AutoConfiguration window, click to clear the Use Guessmart check box and the Secure
Guessmart Authentication check box.
Click to select the Use AutoDiscover check box, and then click Test.
Make sure that this test is successful and that Outlook can retrieve the correct URLs for the Availability
service. Successful results resemble the following.
If this test isn't successful, the local computer may be unable to connect to the Autodiscover service. The
following are some common reasons that may cause this issue:
A local firewall blocks Outlook from connecting to the Autodiscover service.
Increase the Log Level of Exchange Services


Get-EventLogLevel "MSExchange Availability\Availability Service*" | Set-EventLogLevel -Level Expert
Get-EventLogLevel "MSExchange Autodiscover\*" | Set-EventLogLevel -Level Expert
Look at http://www.testexchangeconnectivity.com
General


Are you able to connect to the target mailbox by using OWA Client (i.e. without getting certificate errors)?
Are the internal and external URLs for autodiscover configured?
Get-AutodiscoverVirtualDirectory | fl name,server,InternalURL,ExternalURL
Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory -InternalURL https://adc.foresta.com/autodiscover/autodiscover.xml -ExternalURL https://adc.foresta.com/autodiscover/autodiscover.xml
Please wait 15 MS-Minutes after configuring the value
Connection test










Exchange 2010: Test-OutlookWebServices -TargetAddress [email protected] | fl
Exchange 2013: $cred = Get-Credential
Test-OutlookWebServices -Identity [email protected] -MailboxCredential $cred | fl
Get-WebServicesVirtualDirectory | fl name,server,InternalURL,ExternalURL
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -ExternalURL https://mobile.forestC.com/EWS/Exchange.asmx
Are the CAS servers of the source able to perform nslookup/ping to autodiscover.targetdomain.xx?
Can you query the autodiscover URL with Internet Explorer and check if you get a certificate issue?
If you get an authentication request, then enter a valid user name and password. If you then get error 600,
this is the expected result and means: everything ok.
Is the certificate of the source domains CAS servers present in the target domains CAS servers certificate
store?
Is the certificate of the target domains CAS servers present in the source domains CAS servers certificate
store?
Is the certificate of the CAS server assigned to IIS?
Are the correct alternate names configured in the certificates?





https://autodiscover.remote.domain/autodiscover/autodiscover.xml -> use the remote proxy account to
authenticate
Link: If the Autodiscover request does not finish in 10 seconds, the Availability service request for the cross-forest user may time out; http://technet.microsoft.com/en-us/library/bb125182(EXCHG.80).aspx
test-outlookwebservices -targetaddress [email protected] | fl
NOTE: If you receive an error “mailbox is missing”:
Log on to a MAILBOX SERVER | Open the Exchange Shell | Navigate to the script directory by typing cd
$exscripts | Type .\New-TestCasConnectivityUser.ps1 -OU Users
Renew your autodiscover virtual directories
To re-create your Autodiscover VDir on CAS Servers (2007) follow this:



Take a backup of IIS
##As simple as a right click backup in IIS 6
##To backup IIS 7, you need to follow this:
To add a backup, run this command:
%windir%\system32\inetsrv\appcmd.exe add backup "IISbkp_Date"
To restore a backup, run this command:
%windir%\system32\inetsrv\appcmd.exe restore backup "IISbkp_Date"
To delete a backup, run this command:
%windir%\system32\inetsrv\appcmd.exe delete backup "IISbkp_Date"
To list all backups, run this command:
%windir%\system32\inetsrv\appcmd.exe list backup
Remove-AutodiscoverVirtualDirectory -Identity "CAS-servername\Autodiscover (Default Web Site)"
New-AutodiscoverVirtualDirectory -WebsiteName "Default Web Site" -WindowsAuthentication $true -BasicAuthentication $true
Perform an IISReset
These are the basic troubleshooting steps if Autodiscover stops functioning. Understanding the concepts is
extremely important, as it drives the resolution further.
Wait 15 mins.
To re-create your Autodiscover VDir on CAS Servers (2007) follow this:



EMC | Server Configuration | Client Access | Actions | Reset Virtual Directory
Server Configuration | Client Access | Actions | Reset Virtual Directory
Wait 15 mins.
White Paper: Exchange 2007 Autodiscover Service
http://technet.microsoft.com/en-us/library/bb332063%28EXCHG.80%29.aspx
Synchronize With GALsync
Description
Have the GALsync v5 software installed in each organization and
synchronize the directories successfully (full or partial).
Basically you configure export and import policies. In case of Cross-Forest-Delegation you have to configure an additional setting called
Policies (1 example per forest; screenshots: 2007a, 2010a, 2010b, 2013a)
Object Configuration
all
All objects have a value in extension attribute 1 which is the
organization name. So, using GALsync import policy settings we
can give them different display names to distinguish between the
sending forests. Example:
Import Configuration (screenshot: all)
Synchronized objects (screenshots: 2007a, 2010a, 2010b, 2013a)
Additional configuration when using Cross-forest delegation (screenshots: Export Policies, Import Policies)
*** Troubleshooting Checklist ***
Are the mailboxes from source created as contacts in the target by using GALsync?
Are clients able to send/receive mails (between the 2 forests) by sending mail using the GAL to address the
recipient?
Are clients able to send/receive/accept/decline meeting invitations (between the 2 forests) by sending mail
using the GAL to address the recipient?
Cross-Forest
AvailabilityConfig
Description
This step must be performed


If you want another organization to be able to query the Free/Busy information of
people in your organization.
If you do not want this, then skip this step.
If you are working in an internal Test-Lab or if your organizations are connected by
internet.
Your organization now must be prepared to accept incoming free/busy
requests proxied through a special user account.
If you want to allow someone of your partners’ organization to query
Free/Busy information of people in your organization, then your partners’
Exchange servers will contact the availability service of your Exchange
servers. In your partners’ organization the recipient type of the object
from your organization must be a custom recipient (mail enabled contact).
After a user on your partners’ side picks the object from his GAL and
makes a meeting request, the request is proxied to an Availability Service
in your forest. To do this, a special (proxy-) account on your side is
required.
Please create a user account in Active Directory without special
permissions. Place the object in an OU where no GPOs prevent it from
working (recommended: put the object into the container users).
Configure it with a permanent password.
You may use this Powershell query to get your current values or to set a
new value
Get-AvailabilityConfig | fl orgwideaccount
Set-AvailabilityConfig -OrgwideAccount <ProxyAccount>
Note: If there are any errors indicated while performing this step, you
have to solve this issue before continuing.
Perform the same procedure at your partners’ side!
Screenshots
At first we created a user fbp in each forest (no mailbox, no special
privileges)
2007a
Set-AvailabilityConfig -OrgwideAccount "forest2007a.com\fbp"
iisreset
Get-AvailabilityConfig | fl
2010a
Set-AvailabilityConfig -OrgwideAccount "forest2010a.com\fbp"
iisreset
Get-AvailabilityConfig | fl
2010b
Set-AvailabilityConfig -OrgwideAccount "forest2010b.com\fbp"
iisreset
Get-AvailabilityConfig | fl
2013a
Set-AvailabilityConfig -OrgwideAccount "forest2013a.com\fbp"
iisreset
Get-AvailabilityConfig | fl
*** Troubleshooting Checklist ***



Are the proxy accounts on both sides present?
If you want only a uni-directional f/b query the proxy account must be present in the target domain which will
be queried.
Analyze IIS-Log and check if a client using the proxy account logs in
Do a remove-availabilityaddressspace (followed by an iisreset) and a re-adding (followed by an iisreset)
Use Security Event Log to check, if the proxy account logs on or if the local site sends wrong logon
information
AvailabilityAddressSpace
Description
This step must be performed


If you want your people to be able to query Free/Busy information of people in another
organization.
If you do not want this, then skip this step.
If you are working in an internal Test-Lab or if your organizations are connected by
internet.
Your organization now must be prepared to forward appropriate Free/Busy
requests to your partners’ side.
If someone of your organization wants to query Free/Busy information of
people in your partners’ organization, he will pick the contact from your
“GALsynced” GAL. The picked object has a special “SMTP target address”
which refers to the real mail address in the other organization. Because
you do not want to send an SMTP mail but only to query Free/Busy, the
availability services of your Exchange servers have to forward this query
to the availability services of the appropriate SMTP domain at your
partners’ side. To do this, the availability services of your Exchange
servers must know the name of this SMTP domain. This is similar to the
concept of “send connectors”. The ForestName parameter specifies the
SMTP domain name of the target forest for users whose free/busy data
must be retrieved. The Credentials parameter specifies the credentials for
an account that has permission to access the availability services in the
target forest (configured by Set-AvailabilityConfig in the remote side).
Note: In most environments the mail suffix is not the same as the Active
Directory domain names. If your users are distributed among multiple
SMTP domains in the target forest, run the Add-AvailabilityAddressSpace
cmdlet once for each SMTP domain. Do not forget to configure the
appropriate DNS-zones, autodiscover A-records and SAN-certificates! With
AvailabilityAddressSpace you can specify a forest but that won't work
when mail suffix is different.
You may use this PowerShell query to list the domains for which an
AvailabilityAddressSpace is currently configured, or to set the value:
Get-AvailabilityAddressSpace | fl
$cred = Get-Credential # <domain\account : the Free Busy proxy account at your partners Active Directory side>
Add-AvailabilityAddressSpace -ForestName <your partners SMTP domain> -AccessMethod OrgWideFB -credential $cred
Note: If there are any errors indicated while performing this step, you
have to solve this issue before continuing.
Perform the same procedure at your partners’ side!
* * *  At this point you should take a cup of tea and . . .
wait for at least 15 mins  * * *
Note: If you use a shared namespace see chapter Free/Busy and Shared
Namespace in the appendix of this document.
Screenshots
2007a
#Get-AvailabilityAddressSpace | remove-AvailabilityAddressSpace
$cred2010a = Get-Credential # forest2010a.com\fbp
Add-AvailabilityAddressSpace -ForestName forest2010a.com -AccessMethod OrgWideFB -credential $cred2010a
Add-AvailabilityAddressSpace -ForestName f2010a.com -AccessMethod OrgWideFB -credential $cred2010a
$cred2010b = Get-Credential # forest2010b.com\fbp
Add-AvailabilityAddressSpace -ForestName forest2010b.com -AccessMethod OrgWideFB -credential $cred2010b
Add-AvailabilityAddressSpace -ForestName f2010b.com -AccessMethod OrgWideFB -credential $cred2010b
$cred2013a = Get-Credential # forest2013a.com\fbp
Add-AvailabilityAddressSpace -ForestName forest2013a.com -AccessMethod OrgWideFB -credential $cred2013a
Add-AvailabilityAddressSpace -ForestName f2013a.com -AccessMethod OrgWideFB -credential $cred2013a
Get-AvailabilityAddressSpace | fl forestname
iisreset
2010a
#Get-AvailabilityAddressSpace | remove-AvailabilityAddressSpace
$cred2007a = Get-Credential # forest2007a.com\fbp
Add-AvailabilityAddressSpace -ForestName forest2007a.com -AccessMethod OrgWideFB -credential $cred2007a
Add-AvailabilityAddressSpace -ForestName f2007a.com -AccessMethod OrgWideFB -credential $cred2007a
$cred2010b = Get-Credential # forest2010b.com\fbp
Add-AvailabilityAddressSpace -ForestName forest2010b.com -AccessMethod OrgWideFB -credential $cred2010b
Add-AvailabilityAddressSpace -ForestName f2010b.com -AccessMethod OrgWideFB -credential $cred2010b
$cred2013a = Get-Credential # forest2013a.com\fbp
Add-AvailabilityAddressSpace -ForestName forest2013a.com -AccessMethod OrgWideFB -credential $cred2013a
Add-AvailabilityAddressSpace -ForestName f2013a.com -AccessMethod OrgWideFB -credential $cred2013a
Get-AvailabilityAddressSpace | fl forestname
iisreset
2010b
#Get-AvailabilityAddressSpace | remove-AvailabilityAddressSpace
$cred2007a = Get-Credential # forest2007a.com\fbp
Add-AvailabilityAddressSpace -ForestName forest2007a.com -AccessMethod OrgWideFB -credential $cred2007a
Add-AvailabilityAddressSpace -ForestName f2007a.com -AccessMethod OrgWideFB -credential $cred2007a
$cred2010a = Get-Credential # forest2010a.com\fbp
Add-AvailabilityAddressSpace -ForestName forest2010a.com -AccessMethod OrgWideFB -credential $cred2010a
Add-AvailabilityAddressSpace -ForestName f2010a.com -AccessMethod OrgWideFB -credential $cred2010a
$cred2013a = Get-Credential # forest2013a.com\fbp
Add-AvailabilityAddressSpace -ForestName forest2013a.com -AccessMethod OrgWideFB -credential $cred2013a
Add-AvailabilityAddressSpace -ForestName f2013a.com -AccessMethod OrgWideFB -credential $cred2013a
Get-AvailabilityAddressSpace | fl forestname
iisreset
2013a
#Get-AvailabilityAddressSpace | remove-AvailabilityAddressSpace
$cred2007a = Get-Credential # forest2007a.com\fbp
Add-AvailabilityAddressSpace -ForestName forest2007a.com -AccessMethod OrgWideFB -credential $cred2007a
Add-AvailabilityAddressSpace -ForestName f2007a.com -AccessMethod OrgWideFB -credential $cred2007a
$cred2010a = Get-Credential # forest2010a.com\fbp
Add-AvailabilityAddressSpace -ForestName forest2010a.com -AccessMethod OrgWideFB -credential $cred2010a
Add-AvailabilityAddressSpace -ForestName f2010a.com -AccessMethod OrgWideFB -credential $cred2010a
$cred2010b = Get-Credential # forest2010b.com\fbp
Add-AvailabilityAddressSpace -ForestName forest2010b.com -AccessMethod OrgWideFB -credential $cred2010b
Add-AvailabilityAddressSpace -ForestName f2010b.com -AccessMethod OrgWideFB -credential $cred2010b
Get-AvailabilityAddressSpace | fl forestname
iisreset
*** Troubleshooting Checklist ***



Did you configure the AddressSpace in the source domain correctly?
Get-AvailabilityAddressSpace
Add-AvailabilityAddressSpace -Forestname "ForestB.com" -AccessMethod OrgWideFB -Credential (Get-Credential)
Please use the credentials of the proxy account which was configured in the target forest.
Did you configure -OrgWideAccount <proxyaccount> in the target forest?
Get-AvailabilityConfig
Set-AvailabilityConfig -OrgWideAccount freebusy
Do a Set-AvailabilityConfig -OrgWideAccount $null, then re-add the OrgWideAccount, followed by an iisreset.
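The note in this chapter says to run Add-AvailabilityAddressSpace once for each SMTP domain of the target forest. The following added example (not part of the whitepaper or of GALsync) compares the SMTP domains of the synchronized contacts with the configured address spaces and reports domains that have none, as well as address spaces that match no contact. The sample objects are constructed, the function name is hypothetical, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example. The sample objects below are constructed; their property names
# follow the output of Get-MailContact (ExternalEmailAddress) and
# Get-AvailabilityAddressSpace (ForestName, AccessMethod).

function Get-AddressSpaceGap {
    param(
        [Parameter(Mandatory = $true)][object[]]$Contacts,
        [Parameter(Mandatory = $true)][object[]]$AddressSpaces
    )
    # Count contacts per SMTP domain of their external (target) address.
    $perDomain = @{}
    foreach ($c in $Contacts) {
        $addr = [string]$c.ExternalEmailAddress
        if ($addr -match '@([^@\s>]+)$') {
            $d = $Matches[1].ToLowerInvariant()
            $perDomain[$d] = 1 + [int]$perDomain[$d]
        }
    }
    # Index the configured address spaces by ForestName.
    $spaces = @{}
    foreach ($s in $AddressSpaces) {
        $spaces[([string]$s.ForestName).ToLowerInvariant()] = $s
    }

    $allDomains = @($perDomain.Keys) + @($spaces.Keys) | Sort-Object -Unique
    foreach ($d in $allDomains) {
        $count = [int]$perDomain[$d]
        $space = $spaces[$d]
        if ($count -gt 0 -and $space) { $status = 'OK' }
        elseif ($count -gt 0)         { $status = 'MissingAddressSpace' }
        else                          { $status = 'NoContactsForAddressSpace' }
        $method = $null
        if ($space) { $method = [string]$space.AccessMethod }
        [pscustomobject]@{
            Domain       = $d
            Contacts     = $count
            AccessMethod = $method
            Status       = $status
        }
    }
}

# Constructed sample: contacts as GALsync would create them for two partner domains.
$sampleContacts = @(
    [pscustomobject]@{ Name = 'User One';   ExternalEmailAddress = 'SMTP:user1@forest2007a.com' },
    [pscustomobject]@{ Name = 'User Two';   ExternalEmailAddress = 'SMTP:user2@forest2007a.com' },
    [pscustomobject]@{ Name = 'User Three'; ExternalEmailAddress = 'SMTP:user3@f2007a.com' }
)
# Constructed sample: the first ForestName is deliberately mistyped.
$sampleSpaces = @(
    [pscustomobject]@{ ForestName = 'forest207a.com'; AccessMethod = 'OrgWideFB' },
    [pscustomobject]@{ ForestName = 'f2007a.com';     AccessMethod = 'OrgWideFB' }
)

Get-AddressSpaceGap -Contacts $sampleContacts -AddressSpaces $sampleSpaces |
    Format-Table -AutoSize

# Against a live organization (Exchange Management Shell):
# Get-AddressSpaceGap -Contacts (Get-MailContact -ResultSize Unlimited) `
#                     -AddressSpaces (Get-AvailabilityAddressSpace)
```

With the sample data, forest2007a.com is reported as MissingAddressSpace and the mistyped forest207a.com as NoContactsForAddressSpace; free/busy queries for the first domain would not be forwarded until the entry is corrected.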
Cross-Forest-Delegation
This step must be performed


If you want another organization to be able to query the Free/Busy information of
people in your organization and to work with delegated calendars.
If you are working in an internal Test-Lab or if your organizations are connected by
internet (i.e. VPN tunnel).
GALsync Specification
Description
You have to configure a special setting in GALsync export and import
policy:
Policy | Directory | Settings | Support Cross-Forest Delegation ->
selected
Note: If this configuration is not present at export AND import policies
you have to solve this issue before continuing.
*** Troubleshooting Checklist ***
Check GALsync Synch - the synchronized objects should have these attribute values (check with AttributeEditor)
Legend: Attribute | Source | Target
legacyExchangeDN | Not significant | Must be set
mailNickname | Not significant | Must be set
objectSid (i.e) | S-1-5-21-3511955210-643191710-2064615621-5187 | Not significant
mAPIRecipient | Not significant | Not Set
msExchMasterAccountSid | Not significant | Must have the same value as the objectSid of the source object
msExchOriginatingForest | Not significant | Must have the same value as the Forest FQDN of the source object
msExchRecipientDisplayType | Not significant | Must have the value -1073741818
msExchRecipientTypeDetails | Not significant | Must have the value 32768
proxyAddresses | The primary SMTP-Address from the source object will be the value of the attribute targetaddress in the targetdomain | Not significant
targetAddress | Not Set | The primary SMTP-Address from the source object should be the value of attribute targetaddress
RECIPIENT TYPE

Is the RECIPIENT TYPE of the target contact in Exchange Management Console displayed as CROSSFOREST MAIL CONTACT?
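The attribute table above can be checked mechanically instead of opening every object in an attribute editor. The following added example (not part of the whitepaper or of GALsync) applies the Target column of the table to a source mailbox user and its synchronized contact. The function name, the sample objects and the host-independent property bag are constructed for illustration, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example. $Source and $Target are objects whose properties carry the LDAP
# attribute names used in the table; the sample values below are constructed,
# except the SID, which is the example value shown in the table.

function Test-CrossForestContact {
    param(
        [Parameter(Mandatory = $true)]$Source,
        [Parameter(Mandatory = $true)]$Target,
        [Parameter(Mandatory = $true)][string]$SourceForestFqdn
    )
    # The primary SMTP address is the proxyAddresses entry with the upper-case prefix.
    $primary = @($Source.proxyAddresses) | Where-Object { $_ -clike 'SMTP:*' } |
        Select-Object -First 1
    $primarySmtp = $null
    if ($primary) { $primarySmtp = ([string]$primary).Substring(5) }
    $targetSmtp = ([string]$Target.targetAddress) -replace '^smtp:', ''

    $sourceSid = [string]$Source.objectSid
    $masterSid = [string]$Target.msExchMasterAccountSid

    $checks = [ordered]@{
        'legacyExchangeDN is set'                    = [bool]$Target.legacyExchangeDN
        'mailNickname is set'                        = [bool]$Target.mailNickname
        'mAPIRecipient is not set'                   = ($null -eq $Target.mAPIRecipient)
        'msExchMasterAccountSid = source objectSid'  = ($sourceSid -ne '' -and $masterSid -eq $sourceSid)
        'msExchOriginatingForest = source forest'    = ([string]$Target.msExchOriginatingForest -eq $SourceForestFqdn)
        'msExchRecipientDisplayType = -1073741818'   = ($Target.msExchRecipientDisplayType -eq -1073741818)
        'msExchRecipientTypeDetails = 32768'         = ($Target.msExchRecipientTypeDetails -eq 32768)
        'targetAddress = source primary SMTP'        = ([bool]$primarySmtp -and $targetSmtp -eq $primarySmtp)
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{
            Contact = [string]$Target.mailNickname
            Check   = $name
            Passed  = [bool]$checks[$name]
        }
    }
}

# Constructed sample: source mailbox user in forest2010a.com.
$sampleSource = [pscustomobject]@{
    objectSid      = 'S-1-5-21-3511955210-643191710-2064615621-5187'
    proxyAddresses = @('SMTP:user1@forest2010a.com', 'smtp:user1@f2010a.com')
}
# Constructed sample: synchronized contact in the target forest. The recipient
# type details value is wrong on purpose, as if the delegation setting had been
# missing from the policy when the contact was created.
$sampleTarget = [pscustomobject]@{
    legacyExchangeDN           = '/o=Constructed/ou=Sample/cn=Recipients/cn=user1'
    mailNickname               = 'user1'
    msExchMasterAccountSid     = 'S-1-5-21-3511955210-643191710-2064615621-5187'
    msExchOriginatingForest    = 'forest2010a.com'
    msExchRecipientDisplayType = -1073741818
    msExchRecipientTypeDetails = 64
    targetAddress              = 'SMTP:user1@forest2010a.com'
}

Test-CrossForestContact -Source $sampleSource -Target $sampleTarget `
    -SourceForestFqdn 'forest2010a.com' | Format-Table -AutoSize
```

For live objects, read the same attributes from each forest with your directory tool of choice and pass the two objects in; every row with Passed = False names the table entry that the contact does not satisfy.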
Domain Trust
Description
To configure a Cross-Forest-Delegation, a trust between the
domains/forests is required.
Check if the trusts are in place and if they are working (validate all of
them!)
Note: To check the trusts, follow the article How To Determine Trust
Relationship Configurations at
http://support.microsoft.com/kb/228477/en-us or Domain And Forest
Trust Tools And Settings at http://technet.microsoft.com/en-us/library/cc756944(v=ws.10).aspx
Note: If the trust is not working you have to solve this issue before
continuing.
*** Troubleshooting Checklist ***
Check if the trusts are in place and if they are working. Follow the article How To Determine Trust
Relationship Configurations at http://support.microsoft.com/kb/228477/en-us
or Domain And Forest Trust Tools And Settings at http://technet.microsoft.com/en-us/library/cc756944(v=ws.10).aspx
AvailabilityAddressSpace
Description
Your organization now must be prepared to forward appropriate requests
to your partners’ side.
If someone of your organization wants to query Free/Busy information of
people in your partners’ organization or manage the delegated calendar,
he will pick the contact from your “GALsynced” GAL. The picked object
has a special “SMTP target address” which refers to the real mail address
in the other organization. Because you do not want to send an SMTP mail
but only to query Free/Busy, the availability services of your Exchange
servers have to forward this query to the availability services of the
appropriate Web Services of the SMTP domain at your partners’ side. To
do this, the availability services of your Exchange servers must know the
name of this SMTP domain. This is similar to the concept of “send
connectors”. The ForestName parameter specifies the SMTP domain name
of the target forest for users whose free/busy data must be retrieved.
With $true as value for the UseServiceAccount parameter the local
availability service account is used for authorization in the remote forest.
Note: If your users are distributed among multiple SMTP domains in the
target forest, run the Add-AvailabilityAddressSpace cmdlet once for each
SMTP domain. Do not forget to configure the appropriate DNS-zones,
autodiscover A-records and SAN-certificates!
You may use this Powershell query to query the current domains for which
availabilityaddresspace is configured
Get-AvailabilityAddressSpace | fl
Remove all existing Availability configurations
1. Remove-AvailabilityAddressSpace <name>
2. Set-AvailabilityConfig -OrgwideAccount $null
3. Iisreset
Set permissions on all CAS servers for each forest, so that the Availability
Services of the remote Exchange servers can authorize at your local side.
Get-ClientAccessServer | Add-AdPermission -AccessRights ExtendedRight -ExtendedRights "ms-exch-epi-token-serialization" -User "<Remote.Forest.Domain.Name>\Exchange Servers"
Recreate the corresponding AvailabilityAddressSpace for all needed external
domains.
Add-AvailabilityAddressSpace -ForestName "<Remote.SMTP.Domain.Name>" -AccessMethod PerUserFB -UseServiceAccount $true
Export each SCP (service connection point) into the corresponding remote
forest: this will add a pointer record in the configuration partition of the
remote forest with an LDAP URL to the local forest. If the parameter
MultipleExchangeDeployments is set to TRUE, you export all the accepted
domains which are defined in your Exchange environment. So, when
adding an extra accepted domain, you will need to execute this command
again to update the SCP object.
$cred = Get-Credential # <Enter Administrator credentials in the remote forest when prompted>
Export-AutodiscoverConfig -DomainController <local.Domain.Controller> -TargetForestDomainController <Remote.Domain.Controller> -TargetForestCredential $cred -MultipleExchangeDeployments $true
Note: If there are any errors indicated while performing this step, you
have to solve this issue before continuing.
Perform the same procedure at your partners’ side!
* * *  At this point you should take a cup of tea and . . . wait for at
least 15 mins  * * *
Note: If you use a shared namespace see chapter Free/Busy and Shared
Namespace in the appendix of this document.
*** Troubleshooting Checklist ***
Did you configure the AddressSpace in the source domain correctly?
Get-AvailabilityAddressSpace
Add-AvailabilityAddressSpace -Forestname "ForestB.com" -AccessMethod OrgWideFB -Credential (Get-Credential)
Please use the credentials of the proxy account which was configured in the target forest.
Did you configure -OrgWideAccount <proxyaccount> in the target forest?
Get-AvailabilityConfig
Set-AvailabilityConfig -OrgWideAccount freebusy
Do a Set-AvailabilityConfig -OrgWideAccount $null, then re-add the OrgWideAccount, followed by an iisreset.
Screenshots
Cross-Forest Delegation: TrustRemoteExchangeServers
2007a
Get-ClientAccessServer | Add-AdPermission -AccessRights ExtendedRight -ExtendedRights "ms-exch-epi-token-serialization" -User "forest2010a\Exchange Servers"
Get-ClientAccessServer | Add-AdPermission -AccessRights ExtendedRight -ExtendedRights "ms-exch-epi-token-serialization" -User "forest2010b\Exchange Servers"
Get-ClientAccessServer | Add-AdPermission -AccessRights ExtendedRight -ExtendedRights "ms-exch-epi-token-serialization" -User "forest2013a\Exchange Servers"
2010a
Get-ClientAccessServer | Add-AdPermission -AccessRights ExtendedRight -ExtendedRights "ms-exch-epi-token-serialization" -User "forest2007a\Exchange Servers"
Get-ClientAccessServer | Add-AdPermission -AccessRights ExtendedRight -ExtendedRights "ms-exch-epi-token-serialization" -User "forest2010b\Exchange Servers"
Get-ClientAccessServer | Add-AdPermission -AccessRights ExtendedRight -ExtendedRights "ms-exch-epi-token-serialization" -User "forest2013a\Exchange Servers"
2010b
Get-ClientAccessServer | Add-AdPermission -AccessRights ExtendedRight -ExtendedRights "ms-exch-epi-token-serialization" -User "forest2007a\Exchange Servers"
Get-ClientAccessServer | Add-AdPermission -AccessRights ExtendedRight -ExtendedRights "ms-exch-epi-token-serialization" -User "forest2010a\Exchange Servers"
Get-ClientAccessServer | Add-AdPermission -AccessRights ExtendedRight -ExtendedRights "ms-exch-epi-token-serialization" -User "forest2013a\Exchange Servers"
2013a
Get-ClientAccessServer | Add-AdPermission -AccessRights ExtendedRight -ExtendedRights "ms-exch-epi-token-serialization" -User "forest2007a\Exchange Servers"
Get-ClientAccessServer | Add-AdPermission -AccessRights ExtendedRight -ExtendedRights "ms-exch-epi-token-serialization" -User "forest2010a\Exchange Servers"
Get-ClientAccessServer | Add-AdPermission -AccessRights ExtendedRight -ExtendedRights "ms-exch-epi-token-serialization" -User "forest2010b\Exchange Servers"
Cross-Forest Delegation: AvailabilityAddressSpace
2007a
Add-AvailabilityAddressSpace -ForestName forest2010a.com -AccessMethod PerUserFB -UseServiceAccount $true
Add-AvailabilityAddressSpace -ForestName f2010a.com -AccessMethod PerUserFB -UseServiceAccount $true
Add-AvailabilityAddressSpace -ForestName forest2010b.com -AccessMethod PerUserFB -UseServiceAccount $true
Add-AvailabilityAddressSpace -ForestName f2010b.com -AccessMethod PerUserFB -UseServiceAccount $true
Add-AvailabilityAddressSpace -ForestName forest2013a.com -AccessMethod PerUserFB -UseServiceAccount $true
Add-AvailabilityAddressSpace -ForestName f2013a.com -AccessMethod PerUserFB -UseServiceAccount $true
2010a
Add-AvailabilityAddressSpace -ForestName forest2007a.com -AccessMethod PerUserFB -UseServiceAccount $true
Add-AvailabilityAddressSpace -ForestName f2007a.com -AccessMethod PerUserFB -UseServiceAccount $true
Add-AvailabilityAddressSpace -ForestName forest2010b.com -AccessMethod PerUserFB -UseServiceAccount $true
Add-AvailabilityAddressSpace -ForestName f2010b.com -AccessMethod PerUserFB -UseServiceAccount $true
Add-AvailabilityAddressSpace -ForestName forest2013a.com -AccessMethod PerUserFB -UseServiceAccount $true
Add-AvailabilityAddressSpace -ForestName f2013a.com -AccessMethod PerUserFB -UseServiceAccount $true
2010b
Add-AvailabilityAddressSpace -ForestName forest2007a.com -AccessMethod PerUserFB -UseServiceAccount $true
Add-AvailabilityAddressSpace -ForestName f2007a.com -AccessMethod PerUserFB -UseServiceAccount $true
Add-AvailabilityAddressSpace -ForestName forest2010a.com -AccessMethod PerUserFB -UseServiceAccount $true
Add-AvailabilityAddressSpace -ForestName f2010a.com -AccessMethod PerUserFB -UseServiceAccount $true
Add-AvailabilityAddressSpace -ForestName forest2013a.com -AccessMethod PerUserFB -UseServiceAccount $true
Add-AvailabilityAddressSpace -ForestName f2013a.com -AccessMethod PerUserFB -UseServiceAccount $true
2013a
Add-AvailabilityAddressSpace -ForestName forest2007a.com -AccessMethod PerUserFB -UseServiceAccount $true
Add-AvailabilityAddressSpace -ForestName f2007a.com -AccessMethod PerUserFB -UseServiceAccount $true
Add-AvailabilityAddressSpace -ForestName forest2010a.com -AccessMethod PerUserFB -UseServiceAccount $true
Add-AvailabilityAddressSpace -ForestName f2010a.com -AccessMethod PerUserFB -UseServiceAccount $true
Add-AvailabilityAddressSpace -ForestName forest2010b.com -AccessMethod PerUserFB -UseServiceAccount $true
Add-AvailabilityAddressSpace -ForestName f2010b.com -AccessMethod PerUserFB -UseServiceAccount $true
Cross-Forest Delegation: AutodiscoverConfig
2007a
$cred2010a = Get-Credential # <Enter Administrator credentials in the remote forest when prompted>
Export-AutodiscoverConfig -DomainController m2007a.forest2007a.com -TargetForestDomainController m2010a.forest2010a.com -TargetForestCredential $cred2010a -MultipleExchangeDeployments $true
$cred2010b = Get-Credential # <Enter Administrator credentials in the remote forest when prompted>
Export-AutodiscoverConfig -DomainController m2007a.forest2007a.com -TargetForestDomainController m2010b.forest2010b.com -TargetForestCredential $cred2010b -MultipleExchangeDeployments $true
$cred2013a = Get-Credential # <Enter Administrator credentials in the remote forest when prompted>
Export-AutodiscoverConfig -DomainController m2007a.forest2007a.com -TargetForestDomainController m2013a.forest2013a.com -TargetForestCredential $cred2013a -MultipleExchangeDeployments $true
iisreset
2010a
$cred2007a = Get-Credential # forest2007a\administrator
Export-AutodiscoverConfig -DomainController m2010a.forest2010a.com -TargetForestDomainController m2007a.forest2007a.com -TargetForestCredential $cred2007a -MultipleExchangeDeployments $true
$cred2010b = Get-Credential # forest2010b\administrator
Export-AutodiscoverConfig -DomainController m2010a.forest2010a.com -TargetForestDomainController m2010b.forest2010b.com -TargetForestCredential $cred2010b -MultipleExchangeDeployments $true
$cred2013a = Get-Credential # forest2013a\administrator
Export-AutodiscoverConfig -DomainController m2010a.forest2010a.com -TargetForestDomainController m2013a.forest2013a.com -TargetForestCredential $cred2013a -MultipleExchangeDeployments $true
iisreset
2010b
$cred2007a = Get-Credential # forest2007a\administrator
Export-AutodiscoverConfig -DomainController m2010b.forest2010b.com -TargetForestDomainController m2007a.forest2007a.com -TargetForestCredential $cred2007a -MultipleExchangeDeployments $true
$cred2010a = Get-Credential # forest2010a\administrator
Export-AutodiscoverConfig -DomainController m2010b.forest2010b.com -TargetForestDomainController m2010a.forest2010a.com -TargetForestCredential $cred2010a -MultipleExchangeDeployments $true
$cred2013a = Get-Credential # forest2013a\administrator
Export-AutodiscoverConfig -DomainController m2010b.forest2010b.com -TargetForestDomainController m2013a.forest2013a.com -TargetForestCredential $cred2013a -MultipleExchangeDeployments $true
iisreset
2013a
$cred2007a = Get-Credential # forest2007a\administrator
Export-AutodiscoverConfig -DomainController m2013a.forest2013a.com -TargetForestDomainController m2007a.forest2007a.com -TargetForestCredential $cred2007a -MultipleExchangeDeployments $true
$cred2010a = Get-Credential # forest2010a\administrator
Export-AutodiscoverConfig -DomainController m2013a.forest2013a.com -TargetForestDomainController m2010a.forest2010a.com -TargetForestCredential $cred2010a -MultipleExchangeDeployments $true
$cred2010b = Get-Credential # forest2010b\administrator
Export-AutodiscoverConfig -DomainController m2013a.forest2013a.com -TargetForestDomainController m2010b.forest2010b.com -TargetForestCredential $cred2010b -MultipleExchangeDeployments $true
iisreset
The local configuration partition of Active Directory lists all received remote
Service Connection Points for Autodiscover services. All accepted
domains per forest are available in the keywords attribute.
Final Result
Cross-Forest-Free/Busy
HowTo
1. Open Outlook
2. Make an invitation by picking a synchronized contact of your partner from your GAL.
3. Check whether their free/busy information is displayed (allow a few seconds).
1. Open Outlook Web Access
2. Make an invitation by picking a synchronized contact of your partner from your GAL.
3. Check whether their free/busy information is displayed (allow a few seconds).
Screenshots
2007a <–> 2013a
Cross-Forest-Delegation
HowTo
1. Open Outlook on your local side
2. Delegate your calendar to someone from the remote side by picking a
synchronized contact of your partner from your GAL.
3. Contact this person and check if he is able to manage your calendar
4. Do this vice versa
Screenshots
2013a: [email protected] opens all the calendars it has access to. It
can manage the remote calendar according to the access rights
which have been granted.
2007a: [email protected] shares its calendar with certain people
from other organization(s).
Troubleshooting
Help
Short descriptions can be found on TechNet, e.g.
Configure the Availability Service for Cross-Forest Topologies,
http://technet.microsoft.com/en-us/library/bb125182.aspx
Note: for troubleshooting we suggest installing an Outlook 2007
client on each side (this may be the same machine on which GALsync v5 is installed).
Run Outlook in logging mode and in online mode (not cached). You
will find the log files (*.fb) in the %temp% directory. Log files are stored
in %TEMP%\... (this folder is not visible by default).
Description
The expected result should display the free/busy information of the
remote user with its status information.
If you do not receive the expected result, follow this troubleshooting
guide. Please keep in mind that, in our experience, troubleshooting this
issue is quite a difficult job.
Note: If Free/Busy information appears to be missing, you may be confusing
it with time outside of working hours. If you see Free/Busy displayed in
light-grey blocks, check the working hours in Outlook.
Tools
1. Use an Outlook 2007 client and activate protocol logging. For testing purposes do NOT use cached mode.
   1. Turn on logging
   2. On the Tools menu, click Options.
   3. On the Other tab, click Advanced Options.
   4. Select the Enable logging (troubleshooting) check box, and then click OK two times.
   5. Restart Outlook.
2. Install the Office Configuration Analyzer Tool (OffCAT)
(http://support.microsoft.com/kb/2812744/EN-US) and run a Fullscan for Outlook.
Are there any errors indicated?
3. Search for the official Microsoft documentation Availability Web Service Protocol
Specification [MS-OXWAVLS] - v1.04. It contains a lot of error codes and
descriptions.
4. Troubleshooting Free/Busy Information for Outlook 2007
http://technet.microsoft.com/en-us/library/bb397225(EXCHG.80).aspx
5. How to Troubleshoot the Microsoft Exchange Server 2007 Availability Service By
Using Microsoft Office Outlook Logging
http://technet.microsoft.com/en-us/library/ff597979(EXCHG.80).aspx
6. Diagnose Availability Service Issues
http://technet.microsoft.com/en-us/library/bb124805.aspx
7. How to Diagnose Availability Service Issues
http://technet.microsoft.com/en-us/library/bb124805(EXCHG.80).aspx
Appendix
querySchema.ps1
Import-Module ActiveDirectory
# Locate the PDC emulator and the distinguished name of the domain
$ADInfo = Get-ADDomain
$PDC = $ADInfo.PDCEmulator
$ADDomainDistinguishedName = $ADInfo.DistinguishedName
# Active Directory schema version: objectVersion of the schema container
Write-Output "Active Directory Schema version ($PDC)" `r
$ADSchema = repadmin /showattr $PDC "cn=Schema,cn=Configuration,$ADDomainDistinguishedName" /atts:ObjectVersion
$ADSchemaArray = $ADSchema -split ":"
[int]$ADSchemaNum = $ADSchemaArray[4] ## -replace(" ","")
[int]$ADSchemaNum
# Exchange schema version: rangeUpper of the ms-exch-schemaversion-pt attribute
Write-Output "Exchange Schema version ($PDC)" `r
$ExchangeSchemaVer = repadmin /showattr $PDC "cn=ms-exch-schemaversion-pt,cn=Schema,cn=Configuration,$ADDomainDistinguishedName" /atts:rangeupper
$ExchangeSchemaArray = $ExchangeSchemaVer -split ("rangeUpper: ")
$ExchangeSchemaVersion = $ExchangeSchemaArray[3]
$ExchangeSchemaVersion
Free/Busy and Shared Namespace
Assume you have two forests using the same PRIMARY SMTP ADDRESS domain, which
you can synchronize with GALSYNC.
Free/Busy lookups are different from mail routing: no SMTP traffic is
required. F/B lookups are performed by the Availability Service, which is
part of the Exchange Web Services, so port 443 (HTTPS) is used. When
a user picks the synchronized contact and requests Free/Busy
information, the Availability Service takes the domain part of the contact’s
PRIMARY SMTP ADDRESS and checks whether there is an
AVAILABILITYADDRESSSPACE configuration for this mail domain. If one is found, it
sends the F/B request via HTTPS to the remote Availability Service (of the
Exchange organization which hosts the mailbox-enabled user object).
If you use a shared namespace on both sides, this will not work by default
because the lookup is based on different AVAILABILITYADDRESSSPACE namespaces. But
if the synchronized contact uses a secondary SMTP address instead, you
can configure a unique AVAILABILITYADDRESSSPACE.
GALSYNC allows you to modify the PRIMARY SMTP ADDRESS on the import side.
Example
| | Exchange organization A | Exchange organization B |
|---|---|---|
| Primary SMTP Address (Exchange-Configuration) | Common.com | Common.com |
| Secondary SMTP Address (Exchange-Configuration) | One.com | Two.com |
| Add-AvailabilityAddressSpace (Exchange-Configuration) | Two.com | One.com |
| Configuration of the import-policy (GALsync-Software) | MODIFY PRIMARY SMTP ADDRESS WITH DOMAIN: TWO.COM | MODIFY PRIMARY SMTP ADDRESS WITH DOMAIN: ONE.COM |
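The lookup described in this section, modelled with the domains from the example table as seen from organization A. This is an added illustration, not Exchange or GALsync code; the function names and the sample address jane.doe@common.com are assumptions made for the example.

```powershell
# Added illustration: a model of the lookup this section describes, not Exchange code.
# Function names and sample data are hypothetical; domains come from the example table.

function Get-SmtpDomain {
    param([Parameter(Mandatory = $true)][string]$Address)
    $parts = $Address.Trim().Split('@')
    if ($parts.Count -ne 2 -or -not $parts[0] -or -not $parts[1]) {
        throw "Not a valid SMTP address: '$Address'"
    }
    $parts[1].ToLowerInvariant()
}

# Import policy "modify primary SMTP address with domain": keep the local part, swap the domain.
function Set-ImportedPrimaryDomain {
    param([string]$Address, [string]$NewDomain)
    $null = Get-SmtpDomain -Address $Address      # validates the address first
    '{0}@{1}' -f $Address.Trim().Split('@')[0], $NewDomain.ToLowerInvariant()
}

# Decide where a free/busy request goes. $AddressSpace holds objects with the
# ForestName and AccessMethod properties that Get-AvailabilityAddressSpace returns.
function Resolve-FreeBusyRoute {
    param([string]$PrimarySmtpAddress, [object[]]$AddressSpace)
    $domain = Get-SmtpDomain -Address $PrimarySmtpAddress
    $match  = @($AddressSpace | Where-Object { $_.ForestName -eq $domain })   # -eq ignores case
    $route  = @{ Contact = $PrimarySmtpAddress; Domain = $domain
                 Result = 'NoAddressSpace'; AccessMethod = $null }
    if ($match.Count -gt 0) {
        $route.Result       = 'ProxyViaHttps'
        $route.AccessMethod = $match[0].AccessMethod
    }
    New-Object psobject -Property $route
}

# Organization A as in the table: one address space, for organization B's secondary domain.
$orgA = @(New-Object psobject -Property @{ ForestName = 'Two.com'; AccessMethod = 'PerUserFB' })

$exported = 'jane.doe@common.com'     # constructed contact from organization B (shared namespace)
$imported = Set-ImportedPrimaryDomain -Address $exported -NewDomain 'Two.com'

# Case 1: contact imported unchanged, primary address still in the shared namespace.
Resolve-FreeBusyRoute -PrimarySmtpAddress $exported -AddressSpace $orgA
# Case 2: contact imported with the import policy from the table applied.
Resolve-FreeBusyRoute -PrimarySmtpAddress $imported -AddressSpace $orgA
```

Against a live organization, pass the output of Get-AvailabilityAddressSpace as -AddressSpace to find imported contacts whose primary domain has no matching address space.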
Cross-Forest-Free/Busy and Cross-Forest-Delegation between dedicated
Exchange Online (only) / Office 365 organizations
Usually people are able to send individual requests to share calendars, but
you may want to implement an enterprise-wide configuration. If you want
all the mail objects of your partner organization to be present in your own
GLOBAL ADDRESS LIST (GAL), you can use a tool like GALsync. Between
two Exchange Online partners you do not need to establish a Federation
Trust or configure AUTODISCOVER records because this is already present
(by default).
In the following example we have two Exchange Online organizations
named OrgA and OrgB.
For organization a.onmicrosoft.com, execute the following set of commands in
Windows PowerShell using the credentials of an admin in
OrgA (e.g. [email protected])
Set-ExecutionPolicy RemoteSigned
$LiveCred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session
Enable-OrganizationCustomization # in my experience this returns an error, but it does not impact the total result
Get-FederationInformation -DomainName orgb.onmicrosoft.com | New-OrganizationRelationship -Name orgb -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails
After that, users from organization OrgB can pick users from OrgA
from the GAL (populated by GALsync) and query their
free/busy information.
For organization orgb.onmicrosoft.com, execute the following set of commands in
Windows PowerShell using the credentials of
an admin in OrgB (e.g. [email protected])
Set-ExecutionPolicy RemoteSigned
$LiveCred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session
Enable-OrganizationCustomization # in my experience this returns an error, but it does not impact the total result
Get-FederationInformation -DomainName orga.onmicrosoft.com | New-OrganizationRelationship -Name orga -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails
After that, users from organization OrgA can pick users from OrgB
from the GAL (populated by GALsync) and query their
free/busy information.
Cross-Forest-Free/Busy
http://maso.dk/2011/07/26/federation-in-the-cloud-enable-freebusy/
http://help.outlook.com/en-us/140/ff383252.aspx
Cross-Forest-Delegation
http://support.microsoft.com/kb/2872167
http://technet.microsoft.com/en-us/library/dd638083(v=exchg.150).aspx
Cross-Forest Free/Busy with MS-Federation
You can also use GALsync to provide contacts through Directory
Synchronization and use MS-Federation to get Free/Busy information.
Henrik Walther has written a great post about this subject. Although he
describes FIM as the DIRSYNC tool, you can read this article and simply
replace MICROSOFT FIM with NETSEC’S GALSYNC.
Links
http://www.expta.com/2011/07/how-to-configure-exchange-2010-sp1.html
http://www.msexchange.org/articles-tutorials/exchange-server-2010/migration-deployment/deep-dive-into-rich-coexistence-between-exchange-forests-part1.html
http://blogs.technet.com/b/exchange/archive/2012/10/30/managing-federated-sharing-with-the-eac.aspx
http://technet.microsoft.com/en-us/library/bb125182(v=exchg.80).aspx
http://technet.microsoft.com/en-us/library/bb125182(v=exchg.141).aspx
Cross Org Availability using Federation Trust and Organization Relationship
http://blogs.technet.com/b/exchange/archive/2011/06/28/cross-org-availability-using-federation-trust-and-organization-relationship.aspx
Sharing in Exchange Online
http://technet.microsoft.com/en-us/library/jj916670(v=exchg.150).aspx
Federation (Exchange 2013)
http://technet.microsoft.com/en-us/library/dd335047.aspx
Understanding Federation (Exchange 2010)
http://technet.microsoft.com/en-us/library/dd335047(v=exchg.141).aspx
(Hybrid) Free Busy Troubleshooting between Office 365 and on-premise
http://blogs.technet.com/b/exchange/archive/2013/06/03/the-hybrid-free-busy-troubleshooter-now-available.aspx
http://help.outlook.com/en-us/140/gg263350.aspx
http://technet.microsoft.com/en-us/library/dd638083(v=exchg.150).aspx
Exchange Federation – part I
http://johanveldhuis.nl/en/exchange-federation-deel-i/
http://johanveldhuis.nl/en/exchange-federation-deel-ii/
Troubleshooting Federated Sharing – part I - III
http://johanveldhuis.nl/en/troubleshooting-federared-sharing/
How to Configure Exchange 2010 SP1 Federation
http://www.expta.com/2011/07/how-to-configure-exchange-2010-sp1.html
Configure Free/Busy Sharing Between Exchange Organizations
http://technet.microsoft.com/en-us/library/hh310374(v=exchg.141).aspx


Errors (Support)
ID: 1011
When querying Availability for the recipient e-mail address [email protected],
the following error code and message were received:
ErrorProxyRequestProcessingFailed:Unable to send cross-forest request for
mailbox because of invalid configuration., inner exception: Configuration
information for forest/domain domain.com could not be found in Active Directory.
ID: 4002
ProxyWebRequest CrossForest from SID to
https://mail.domain.com/ews/exchange.asmx failed. A connection attempt failed
because the connected party did not properly respond after a period of time or
established connection failed because connected host has failed to respond
(PublicIP).
Document tags
GALsync, DIRsync, Cross-Forest Online Free/Busy, Get-AvailabilityAddressSpace, Set-AvailabilityAddressSpace, Remove-AvailabilityAddressSpace, Set-AvailabilityConfig, Get-AvailabilityConfig,
federated Free/Busy, Federation, FreeBusy Proxy account, cross-forest
delegation, cross-forest calendaring, Office Configuration Analyzer Tool
(OffCAT), New-OrganizationRelationship, Get-FederationInformation,
FreeBusyAccessEnabled, FreeBusyAccessLevel, TargetApplicationUri,
federation trust, federated delegation, rich coexistence between Exchange
Forests, InterOrg, Replicate free/busy, ms-Exch-EPI-Token-Serialization,
autodiscover endpoint couldn't be discovered,
ErrorProxyRequestProcessingFailed, Federated sharing