Troubleshooting Cross Forest Delegation

3 Mar

Setting up an untrusted cross-forest environment already supports a simple Free/Busy query between the two forests using „galsynced“ contacts. I described this feature in the article Cross-Forest Free/Busy without Federation and its corresponding troubleshooting guide.

In this article I want to share some experiences with troubleshooting the Cross-Forest Delegation feature. Cross-Forest Delegation allows a delegated calendar to be managed completely even if the people involved are placed in different mail organizations. Unlike the plain Free/Busy scenario, a forest trust must be in place.

To synchronize objects I prefer NETsec's GALsync, which is much easier to use than Microsoft's FIM and similar tools.

Topology
cfd.png
 

Summary

Basically, the following prerequisites must be met:

  • Network and Messaging availability
  • Forest Trust between Forests
  • Cross-Forest Availability Configured
  • Outlook 2007 SP1+
  • Exchange Server 2007 SP1+
  • GALsync configured with option CROSS-FOREST-DELEGATION

NOTE: WE STRONGLY RECOMMEND TROUBLESHOOTING WITH OUTLOOK SET TO ONLINE MODE FIRST (NOT CACHED EXCHANGE MODE), SO THAT WHAT YOU SEE IS THE SERVER'S ANSWER AND NOT THE LOCAL CACHE.

Troubleshooting Level 1

At this level you check the ability to set up simple mail communication between the two forests, and that the „galsynced“ contacts of your partner are available in your Global Address Book.

Network

Ensure that the two forests can reach each other over the network and resolve each other's names. Assuming you have a conditional DNS forwarder on the FORESTA.COM side for FORESTX.COM and vice versa:
Can you nslookup and ping the domain controller and the Exchange server at the other site?
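As an added example (not part of the original article), the following PowerShell script performs the Level 1 network check from the FORESTA.COM side in one go: it resolves the partner forest's DC locator records and host names through the conditional forwarder and then tests the TCP ports the trust and Exchange actually use. The host names dc01.forestx.com and cas01.forestx.com and the port list are lab assumptions; replace them with your own servers.

```powershell
# Added example, not part of the original article. Checks name resolution and TCP reachability
# of the partner forest from the FORESTA.COM side. The host names and port list are lab
# assumptions; replace dc01.forestx.com / cas01.forestx.com with your own servers.
$Targets = @(
    @{ Host = 'dc01.forestx.com';  Ports = 53, 88, 389, 445, 3268 }  # DC: DNS, Kerberos, LDAP, SMB, GC
    @{ Host = 'cas01.forestx.com'; Ports = 25, 443 }                  # Exchange: SMTP, HTTPS (Autodiscover, EWS)
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # filtered: no answer at all
        $client.EndConnect($async)    # throws if the port actively refused the connection
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

# The DC locator records must resolve through the conditional forwarder, otherwise the trust
# cannot even be created; nslookup is available on every Windows version the article targets.
nslookup -type=SRV _ldap._tcp.dc._msdcs.forestx.com

foreach ($t in $Targets) {
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($t.Host) | ForEach-Object { $_.IPAddressToString }
        "{0,-20} resolves to {1}" -f $t.Host, ($ips -join ', ')
    } catch {
        "{0,-20} DNS FAILED: {1}" -f $t.Host, $_.Exception.Message
        continue
    }
    # ICMP is often filtered between forests while the service ports are open (or the other way
    # round), so test the ports the trust and Exchange actually use instead of relying on ping.
    foreach ($p in $t.Ports) {
        $state = if (Test-TcpPort -ComputerName $t.Host -Port $p) { 'open' } else { 'closed/filtered' }
        "{0,-20} tcp/{1,-5} {2}" -f $t.Host, $p, $state
    }
}
```

A name that resolves but whose ports all show closed/filtered usually points at a firewall between the sites rather than at DNS; a DNS failure means the conditional forwarder is the first thing to fix.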

Simple Mail-Communication

Assuming you have a mailbox-enabled user JANE at FORESTA.COM and JOHN at FORESTX.COM:

  • Is JANE able to send an email to JOHN by typing JOHN@FORESTX.COM into the TO line of the message?
  • Is JOHN able to send an email to JANE by typing JANE@FORESTA.COM into the TO line of the message?

GALsync

Synchronize all mailbox-enabled users with GALsync from your domain to the other domain; in the target forest they are created as mail-enabled contacts. Export JANE from FORESTA to FORESTX and import her at FORESTX; export JOHN from FORESTX to FORESTA and import him at FORESTA.
If you do not want to configure Cross-Forest Delegation you can use the default configuration settings of GALsync. A synchronized object should then have these attribute values (check with the Attribute Editor; "source" is the mailbox in the source forest, "contact" is the cross-forest mail contact in the target forest):

  1. legacyExchangeDN: source must be set; contact must be set.
  2. proxyAddresses: the primary SMTP address of the source becomes the targetAddress of the contact; on the contact itself the attribute is not significant.
  3. targetAddress: source not set; contact must carry the primary SMTP address of the source.
  • Are the values of the attributes as expected?

If you want to configure Cross-Forest Delegation you must tick a box in the appropriate export policy and in the appropriate import policy:
cfd2.png

  • Is there any warning or error by running the export policy?
  • Is there any warning or error by running the import policy?

The synchronized objects should have these attribute values (check with the Attribute Editor; "source" is the mailbox in the source forest, "contact" is the cross-forest mail contact in the target forest):

  1. legacyExchangeDN: source not significant; contact must be set.
  2. mailNickname: source not significant; contact must be set.
  3. objectSid: source is set (e.g. S-1-5-21-3511955210-643191710-2064615621-5187); on the contact not significant.
  4. mAPIRecipient: source not significant; contact must not be set.
  5. msExchMasterAccountSid: source not significant; contact must have the same value as the objectSid of the source object.
  6. msExchOriginatingForest: source not significant; contact must have the same value as the forest FQDN of the source object.
  7. msExchRecipientDisplayType: source not significant; contact must have the value -1073741818 (this marks the contact as ACL-able, which is what allows it to be granted calendar permissions).
  8. msExchRecipientTypeDetails: source not significant; contact must have the value 32768 (the value for a mail forest contact, shown in the Exchange Management Console as Cross-Forest Mail Contact).
  9. proxyAddresses: the primary SMTP address of the source becomes the targetAddress of the contact; on the contact itself the attribute is not significant.
  10. targetAddress: source not set; contact must carry the primary SMTP address of the source.
  • Are the values of the attributes as expected?
  • Is the RECIPIENT TYPE of JOHN in Exchange Management Console displayed as CROSS-FOREST MAIL CONTACT?
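The following PowerShell script, added here as an example and not part of the original article or of GALsync, compares the cross-forest mail contact that GALsync created for JANE in FORESTX.COM with her source mailbox in FORESTA.COM against the table above and prints OK or FAIL per row. Names are the article's lab names; it assumes the account running it can read both forests over the trust, and it binds to a domain controller rather than a global catalog because not all of the Exchange attributes checked are assumed to be in the GC partial attribute set.

```powershell
# Added example, not part of the original article. Compares the GALsync-created cross-forest mail
# contact in FORESTX.COM with its source mailbox in FORESTA.COM against the attribute table.
# Assumptions: lab names from the article, read access to both forests over the trust,
# LDAP:// (domain controller) binds so that every attribute is available.
$SourceForest = 'foresta.com'
$TargetForest = 'forestx.com'
$SourceSam    = 'jane'

function Find-LdapObject {
    param([string]$Domain, [string]$Filter, [string[]]$Attributes)
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain")
    $s = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter, $Attributes)
    $r = $s.FindOne()
    if (-not $r) { throw "No object for filter $Filter in $Domain" }
    return $r.Properties     # ResultPropertyCollection, keys are lowercase
}

function Get-Attr { param($Props, [string]$Name) if ($Props.Contains($Name)) { $Props[$Name][0] } else { $null } }

# Source mailbox: its SID and its primary SMTP address (the proxyAddresses entry with an uppercase SMTP: prefix)
$src = Find-LdapObject $SourceForest "(&(objectCategory=person)(sAMAccountName=$SourceSam))" @('objectSid','proxyAddresses','mail')
$srcSid  = (New-Object System.Security.Principal.SecurityIdentifier([byte[]](Get-Attr $src 'objectsid'), 0)).Value
$primary = @($src['proxyaddresses']) | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1
if (-not $primary) { $primary = 'SMTP:' + (Get-Attr $src 'mail') }

# Target contact: GALsync writes the source primary SMTP address into targetAddress, so that is the lookup key
$attrs = 'legacyExchangeDN','mailNickname','mAPIRecipient','msExchMasterAccountSid','msExchOriginatingForest',
         'msExchRecipientDisplayType','msExchRecipientTypeDetails','targetAddress'
$dst = Find-LdapObject $TargetForest "(&(objectClass=contact)(targetAddress=$primary))" $attrs

$dstMasterSid = Get-Attr $dst 'msexchmasteraccountsid'
if ($dstMasterSid) { $dstMasterSid = (New-Object System.Security.Principal.SecurityIdentifier([byte[]]$dstMasterSid, 0)).Value }

# Expected values from the table; a FAIL here explains why EMC does not show a Cross-Forest Mail Contact
$checks = @(
    @{ Name='legacyExchangeDN set';       Ok = [bool](Get-Attr $dst 'legacyexchangedn') },
    @{ Name='mailNickname set';           Ok = [bool](Get-Attr $dst 'mailnickname') },
    @{ Name='mAPIRecipient not set';      Ok = -not $dst.Contains('mapirecipient') },
    @{ Name='msExchMasterAccountSid';     Ok = ($dstMasterSid -eq $srcSid) },
    @{ Name='msExchOriginatingForest';    Ok = ((Get-Attr $dst 'msexchoriginatingforest') -eq $SourceForest) },
    @{ Name='msExchRecipientDisplayType'; Ok = ([int64](Get-Attr $dst 'msexchrecipientdisplaytype') -eq -1073741818) },
    @{ Name='msExchRecipientTypeDetails'; Ok = ([int64](Get-Attr $dst 'msexchrecipienttypedetails') -eq 32768) },
    @{ Name='targetAddress';              Ok = ((Get-Attr $dst 'targetaddress') -eq $primary) }
)
foreach ($c in $checks) { "{0,-28} {1}" -f $c.Name, $(if ($c.Ok) { 'OK' } else { 'FAIL' }) }
"Source SID: $srcSid   Contact msExchMasterAccountSid: $dstMasterSid"
```

Run it for JOHN in the other direction by swapping the two forest names and the sAMAccountName. The msExchMasterAccountSid row is the one that matters most for Level 3: without the source SID on the contact, Exchange has nothing to put into the calendar folder's ACL.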

Mail-Communication supported by GALsync

After the objects are synchronized, end users can pick the names from the Global Address List.

  • Is JANE able to send an email to JOHN by picking the contact of JOHN from the GLOBAL ADDRESS BOOK? 
  • Is JOHN able to send an email to JANE by picking the contact of JANE from the GLOBAL ADDRESS BOOK?

cfd4.png

Troubleshooting Level 2

At this level you check that a simple Free/Busy query works between the two forests using the „galsynced“ contacts of your partner (this part also works between untrusted forests; for the configuration have a look at the note below), and that the trust, certificates, Autodiscover and availability configuration needed on top of it are in place.
NOTE: FOR SETTING UP A TEST LAB FOR CROSS-FOREST FREE/BUSY WITHOUT FEDERATION SEE HTTP://WWW.TOOLS4EXCHANGE.COM/2012/11/CROSS-FOREST-FREEBUSY-WITHOUT-FEDERATION.HTML
 

Trust

To configure Cross-Forest Delegation a forest trust is required. Check that the trusts are in place and that they validate, not only that they are listed.
 
NOTE: TO CHECK TRUST FOLLOW THIS ARTICLE:  HOW TO DETERMINE TRUST RELATIONSHIP CONFIGURATIONS AT HTTP://SUPPORT.MICROSOFT.COM/KB/228477/EN-US OR DOMAIN AND FOREST TRUST TOOLS AND SETTINGS AT HTTP://TECHNET.MICROSOFT.COM/EN-US/LIBRARY/CC756944(V=WS.10).ASPX

cfd5.png
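As an added example (not part of the original article), this PowerShell script verifies the trust from a machine joined to FORESTA.COM: it reads the trust object through the .NET directory API, asks both sides to validate it, and finishes with the nltest checks from the referenced Microsoft articles. Forest names are the article's lab names; VerifyTrustRelationship needs rights to query both forests, so run it as an administrator.

```powershell
# Added example, not part of the original article. Run on a machine joined to FORESTA.COM to
# verify the trust with FORESTX.COM through the .NET directory API and the Netlogon tools.
# Forest names are the article's lab names.
Add-Type -AssemblyName System.DirectoryServices
$RemoteForest = 'forestx.com'
$local = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# 1. Does a trust object for the partner forest exist, and of which type and direction?
$trust = $local.GetAllTrustRelationships() | Where-Object { $_.TargetName -eq $RemoteForest }
if (-not $trust) { throw "No trust from $($local.Name) to $RemoteForest found" }
"{0} -> {1}: TrustType={2} TrustDirection={3}" -f $trust.SourceName, $trust.TargetName, $trust.TrustType, $trust.TrustDirection
# The article requires a forest trust, so TrustType should read Forest, not External. Compare the
# direction with what you configured; delegation involves users from both sides.

# 2. Does the trust actually work? VerifyTrustRelationship contacts a domain controller on each side
# for the given direction and throws on failure; a trust that is listed but fails here is broken.
$ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $RemoteForest)
$remote = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
try {
    $local.VerifyTrustRelationship($remote, $trust.TrustDirection)
    "Trust $($local.Name) <-> $RemoteForest verified OK ($($trust.TrustDirection))"
} catch {
    "Trust verification FAILED: $($_.Exception.Message)"
}

# 3. The same from the Netlogon side, with the built-in tools referenced in the note above
nltest /domain_trusts /all_trusts
nltest /sc_verify:$RemoteForest
```

Step 2 failing while step 1 succeeds is the case to look for: the trust object is there, but the secure channel or name resolution to the partner's domain controllers is not, and that is exactly what the Level 1 network check above will show.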

Certificates

  • In FORESTA.COM: are you able to log into OWA (via https) or Outlook (via Outlook Anywhere) as JANE without a certificate warning?
  • In FORESTX.COM: are you able to log into OWA (via https) or Outlook (via Outlook Anywhere) as JOHN without a certificate warning?

NOTE: IF YOU EXPERIENCE ANY ERROR, PLEASE LOOK AT TROUBLESHOOTING CERTIFICATE VALIDATION ERRORS AT HTTP://TECHNET.MICROSOFT.COM/EN-US/LIBRARY/BB331963(V=EXCHG.141).ASPX
 

Autodiscover

Cross-forest Free/Busy queries and cross-forest delegation require a working Autodiscover.

  1. If FORESTA and FORESTX are Internet-facing, use the MICROSOFT REMOTE CONNECTIVITY ANALYZER at https://www.testexchangeconnectivity.com/.
  2. If FORESTA and FORESTX are intranet-based, use the MICROSOFT CONNECTIVITY ANALYZER TOOL at http://technet.microsoft.com/library/feba32b0-b7eb-4b1b-ba3d-99e20ba82a8c

If you experience issues with autodiscover, reset the virtual directory for autodiscover in Exchange Management Console. This was often the solution for me!

Availability Address Space

We assume that you have configured the Availability address space similar to what is shown below. The first command is run in the requesting forest (FORESTA.COM, JANE's side); the second and third are run in the target forest (FORESTX.COM, JOHN's side): they grant FORESTA's Exchange servers the token serialization right and export FORESTX's Autodiscover configuration into FORESTA. For Free/Busy in the other direction, repeat the three commands with the forests swapped.

  • Add-AvailabilityAddressSpace -ForestName "TargetSMTPnamespace.com" -AccessMethod PerUserFB -UseServiceAccount $true
  • Get-ClientAccessServer | Add-AdPermission -AccessRights ExtendedRight -ExtendedRights "ms-exch-epi-token-serialization" -User "Remote Forest\Exchange Servers"
  • $a = Get-Credential <Enter Administrator credentials in the remote forest when prompted>
    Export-AutoDiscoverConfig -DomainController <Local GC> -TargetForestDomainController <Target GC> -TargetForestCredential $a -MultipleExchangeDeployments $true

Check GET-AVAILABILITYADDRESSSPACE and GET-AVAILABILITYCONFIG and GET-AUTODISCOVERCONFIG.
NOTE: SEE ALSO FREE/BUSY INFORMATION WITHOUT FEDERATION – TROUBLESHOOTING GUIDE AT HTTP://WWW.TOOLS4EXCHANGE.COM/2012/12/FREEBUSY-INFORMATION-WITHOUT-FEDERATION—TROUBLESHOOTING-GUIDE.HTML
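As an added example (not part of the original article), the following Exchange Management Shell functions check the three parts of the availability configuration listed above. Test-AddressSpace and Show-ImportedAutodiscover run in the requesting forest FORESTA.COM, Test-TokenSerialization runs in the target forest FORESTX.COM. Forest names are the article's lab names; the location of the object that Export-AutoDiscoverConfig writes (a serviceConnectionPoint under CN=Microsoft Exchange Autodiscover,CN=Services in the configuration partition) and the NetBIOS name FORESTA are assumptions to adapt to your lab.

```powershell
# Added example, not part of the original article. Verifies the availability configuration from
# the Exchange Management Shell. Which forest each function runs in is noted on the function.
# Forest names are the article's lab names; the SCP location and NetBIOS name are assumptions.

# --- Run in FORESTA.COM: the address space that tells the Availability service where FORESTX lives
function Test-AddressSpace {
    param([string]$RemoteForest = 'forestx.com')
    $space = Get-AvailabilityAddressSpace | Where-Object { $_.ForestName -eq $RemoteForest }
    if (-not $space) { return "FAIL: no AvailabilityAddressSpace for $RemoteForest" }
    # With PerUserFB the requester's identity is forwarded, which is why the token serialization right is needed
    "OK: {0} AccessMethod={1} UseServiceAccount={2}" -f $space.ForestName, $space.AccessMethod, $space.UseServiceAccount
}

# --- Run in FORESTA.COM: show what Export-AutoDiscoverConfig (run in FORESTX) wrote into this forest.
# Assumption: a serviceConnectionPoint under CN=Microsoft Exchange Autodiscover,CN=Services whose
# serviceBindingInformation points at the partner forest via LDAP and whose keywords list its SMTP domains.
function Show-ImportedAutodiscover {
    $cfgNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $root  = [ADSI]"LDAP://CN=Microsoft Exchange Autodiscover,CN=Services,$cfgNc"
    $s = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=serviceConnectionPoint)',
            [string[]]('cn','serviceBindingInformation','keywords'))
    foreach ($r in $s.FindAll()) {
        "{0}: binding={1} keywords={2}" -f $r.Properties['cn'][0],
            ($r.Properties['servicebindinginformation'] -join ';'), ($r.Properties['keywords'] -join ';')
    }
}

# --- Run in FORESTX.COM: every Client Access Server must let FORESTA's Exchange servers serialize tokens
function Test-TokenSerialization {
    param([string]$RequestingForestNetbios = 'FORESTA')   # assumption: NetBIOS name of JANE's forest root domain
    $user = "$RequestingForestNetbios\Exchange Servers"
    foreach ($cas in Get-ClientAccessServer) {
        $granted = Get-ADPermission -Identity $cas.Identity -User $user |
            Where-Object { ($_.ExtendedRights | ForEach-Object { "$_" }) -contains 'ms-Exch-EPI-Token-Serialization' }
        "{0,-20} ms-Exch-EPI-Token-Serialization for {1}: {2}" -f $cas.Name, $user, $(if ($granted) { 'OK' } else { 'MISSING' })
    }
}

# In FORESTA.COM:
Test-AddressSpace
Show-ImportedAutodiscover
# End-to-end from a CAS in FORESTA: Autodiscover and Availability as seen by JANE's mailbox
Test-OutlookWebServices -Identity 'jane@foresta.com' | Format-Table Id, Type, Message -AutoSize
# In FORESTX.COM:
# Test-TokenSerialization
```

A MISSING token serialization right produces a Free/Busy response in FORESTA that fails only for the partner's contacts, while an absent address space fails before any request leaves FORESTA; the two symptoms look the same in Outlook, which is why the checks are split this way.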

A simple cross-forest Free/Busy Query

  • Is JANE able to create a new meeting request inviting JOHN (by picking the contact of JOHN from the GLOBAL ADDRESS BOOK) and look up his Free/Busy information?

The best place to collect logging data is the Outlook client. Enable it in Outlook's OPTIONS (via the Tools menu in Outlook 2007 or Backstage in Outlook 2010) -> ADVANCED: tick the ENABLE TROUBLESHOOTING LOGGING box and restart Outlook. Log files are stored in %TEMP%\… (note: this folder is hidden by default).
 

cfd6.png

cfd7.png

Troubleshooting Level 3

At this level you check the ability to set up cross-forest delegation. This enables you to configure so-called delegate access: JOHN from FORESTX grants JANE from FORESTA access to his calendar.

Delegation

  • Is JOHN able to delegate access to JANE?

 cfd8.png

  • Is JANE able to open the delegated calendar of JOHN by picking JOHN from the GAL?

 cfd9.png

  • Is JANE able to insert a new appointment directly into JOHN's calendar?

 cfd10.png
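As an added example (not part of the original article), the PowerShell script below reproduces the Level 2 Free/Busy lookup and the Level 3 delegate check without Outlook, by sending raw EWS requests: GetUserAvailability as JANE to her own Client Access Server (Exchange proxies it to FORESTX through the availability configuration checked above, so the response code says which side failed), and GetDelegate as JOHN to his, which lists his delegates with the calendar permission level they hold. The EWS URLs, the accounts and the server version are lab assumptions; the request bodies follow the documented EWS operations.

```powershell
# Added example, not part of the original article. Raw EWS GetUserAvailability (Level 2, as JANE)
# and GetDelegate (Level 3, as JOHN). URLs, accounts and $Version are lab assumptions.
$M = 'http://schemas.microsoft.com/exchange/services/2006/messages'
$T = 'http://schemas.microsoft.com/exchange/services/2006/types'
$S = 'http://schemas.xmlsoap.org/soap/envelope/'
$Version = 'Exchange2010'   # use Exchange2007_SP1 against an Exchange 2007 SP1 server

function Invoke-Ews {
    param([string]$Url, [System.Management.Automation.PSCredential]$Credential, [string]$Body)
    $envelope = @"
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="$S" xmlns:m="$M" xmlns:t="$T">
  <soap:Header><t:RequestServerVersion Version="$Version"/></soap:Header>
  <soap:Body>$Body</soap:Body>
</soap:Envelope>
"@
    $wc = New-Object System.Net.WebClient
    $wc.Credentials = $Credential.GetNetworkCredential()
    $wc.Headers['Content-Type'] = 'text/xml; charset=utf-8'
    try { [xml]$wc.UploadString($Url, $envelope) }
    catch [System.Net.WebException] {
        # EWS reports SOAP faults with HTTP 500; keep the body, it names the failing part
        if (-not $_.Exception.Response) { throw }
        $reader = New-Object System.IO.StreamReader($_.Exception.Response.GetResponseStream())
        [xml]$reader.ReadToEnd()
    }
}

function Show-Status {
    param([xml]$Doc)
    $fault = $Doc.GetElementsByTagName('Fault', $S) | Select-Object -First 1
    if ($fault) { return "SOAP fault: " + $fault.faultstring }
    # ResponseMessage (availability) and DelegateUserResponseMessageType (delegates) carry ResponseClass/ResponseCode/MessageText
    foreach ($name in 'ResponseMessage', 'DelegateUserResponseMessageType') {
        foreach ($r in $Doc.GetElementsByTagName($name, $M)) {
            "{0}: {1} {2} {3}" -f $name, $r.ResponseClass, $r.ResponseCode, $r.MessageText
        }
    }
}

# ---- Level 2, as JANE in FORESTA: Free/Busy of JOHN for the next 24 hours (times in UTC, bias 0)
$janeCred = Get-Credential 'FORESTA\jane'
$start = (Get-Date).ToUniversalTime().ToString('s'); $end = (Get-Date).ToUniversalTime().AddDays(1).ToString('s')
$fbRequest = @"
<m:GetUserAvailabilityRequest>
  <t:TimeZone><t:Bias>0</t:Bias>
    <t:StandardTime><t:Bias>0</t:Bias><t:Time>02:00:00</t:Time><t:DayOrder>5</t:DayOrder><t:Month>10</t:Month><t:DayOfWeek>Sunday</t:DayOfWeek></t:StandardTime>
    <t:DaylightTime><t:Bias>0</t:Bias><t:Time>02:00:00</t:Time><t:DayOrder>5</t:DayOrder><t:Month>3</t:Month><t:DayOfWeek>Sunday</t:DayOfWeek></t:DaylightTime>
  </t:TimeZone>
  <m:MailboxDataArray><t:MailboxData><t:Email><t:Address>john@forestx.com</t:Address></t:Email>
    <t:AttendeeType>Required</t:AttendeeType><t:ExcludeConflicts>false</t:ExcludeConflicts></t:MailboxData></m:MailboxDataArray>
  <t:FreeBusyViewOptions><t:TimeWindow><t:StartTime>$start</t:StartTime><t:EndTime>$end</t:EndTime></t:TimeWindow>
    <t:MergedFreeBusyIntervalInMinutes>30</t:MergedFreeBusyIntervalInMinutes><t:RequestedView>MergedOnly</t:RequestedView></t:FreeBusyViewOptions>
</m:GetUserAvailabilityRequest>
"@
$fb = Invoke-Ews -Url 'https://cas01.foresta.com/EWS/Exchange.asmx' -Credential $janeCred -Body $fbRequest
Show-Status $fb
# One digit per 30-minute slot: 0 free, 1 tentative, 2 busy, 3 out of office, 4 no data
$fb.GetElementsByTagName('MergedFreeBusy', $T) | ForEach-Object { "MergedFreeBusy: " + $_.InnerText }

# ---- Level 3, as JOHN in FORESTX: who are his delegates and which calendar level do they hold?
$johnCred = Get-Credential 'FORESTX\john'
$dgRequest = @"
<m:GetDelegate IncludePermissions="true"><m:Mailbox><t:EmailAddress>john@forestx.com</t:EmailAddress></m:Mailbox></m:GetDelegate>
"@
$dg = Invoke-Ews -Url 'https://cas01.forestx.com/EWS/Exchange.asmx' -Credential $johnCred -Body $dgRequest
Show-Status $dg
foreach ($d in $dg.GetElementsByTagName('DelegateUser', $M)) {
    # For JANE the SID reported here should be the one her contact carries in msExchMasterAccountSid,
    # i.e. her objectSid from FORESTA (row 5 of the attribute table in Level 1)
    "Delegate {0} SID={1} Calendar={2}" -f $d.UserId.PrimarySmtpAddress, $d.UserId.SID, $d.DelegatePermissions.CalendarFolderPermissionLevel
}
```

If the Free/Busy part returns an error ResponseCode while Test-OutlookWebServices in FORESTA is clean, the problem is on the FORESTX side (token serialization right or the availability proxy); if JANE is missing from the GetDelegate output although JOHN added her in Outlook, compare the SID shown with the attribute table, because a contact without the right msExchMasterAccountSid cannot be resolved into the calendar ACL.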

 
