Setting up an untrusted cross-forest environment supports a simple Free/Busy query between the two forests using „galsynced“ contacts. I described this feature in the article Cross-Forest Free/Busy without Federation and its corresponding troubleshooting guide.
In this article I want to share some experiences with troubleshooting the Cross-Forest Delegation feature. Cross-Forest Delegation allows a delegated calendar to be managed completely even if the people involved are placed in different mail organizations. A domain trust must be in place, however.
To synchronize objects I prefer NETsec's GALsync, which is much easier to use than Microsoft's FIM etc.
Basically, the following prerequisites must be met:
- Network and Messaging availability
- Forest Trust between Forests
- Cross-Forest Availability Configured
- Outlook 2007 SP1+
- Exchange Server 2007 SP1+
- GALsync configured with option CROSS-FOREST-DELEGATION
NOTE: WE STRONGLY RECOMMEND TO TROUBLESHOOT WITH OUTLOOK FIRST SET TO ONLINE-MODE.
Troubleshooting Level 1
At this level you check the ability to set up simple mail communication between the two forests. The „galsynced“ contacts of your partner are available in your Global Address Book.
Ensure that you can communicate over the network by using DNS. Assuming you have a DNS forwarder at the FORESTA.COM side pointing to FORESTX.COM and vice versa:
Can you nslookup / ping the Domain Controller and the Exchange Server at the other site?
Assuming you have the mailbox-enabled users JANE at FORESTA.COM and JOHN at FORESTX.COM:
- Is JANE able to send an email to JOHN by typing JOHN@FORESTX.COM into the To line of the message?
- Is JOHN able to send an email to JANE by typing JANE@FORESTA.COM into the To line of the message?
Synchronize all mailbox-enabled users with GALsync from your domain to the other domain. They are created there as mail-enabled contacts. Export JANE from FORESTA to FORESTX and import her at FORESTX; export JOHN from FORESTX to FORESTA and import him at FORESTA.
If you do not want to configure Cross-Forest Delegation, the default configuration settings of GALsync are sufficient. A synchronized object should then have these attribute values (check with the Attribute Editor):

| # | Attribute | Source mailbox (source forest) | Cross-forest mail contact (target forest) |
|---|---|---|---|
| 1 | legacyExchangeDN | Must be set | Must be set |
| 2 | proxyAddresses | The primary SMTP address of the source object becomes the value of targetAddress on the contact in the target domain | Not significant |
| 3 | targetAddress | Not set | Should be the primary SMTP address of the source object |
- Are the values of the attributes as expected?
- Is there any warning or error by running the export policy?
- Is there any warning or error by running the import policy?
With the CROSS-FOREST-DELEGATION option, the synchronized objects should have these attribute values (check with the Attribute Editor; the names of rows 6 and 7 were not recoverable from the page and are left blank):

| # | Attribute | Source mailbox (source forest) | Cross-forest mail contact (target forest) |
|---|---|---|---|
| 1 | legacyExchangeDN | Not significant | Must be set |
| 2 | mailNickname | Not significant | Must be set |
| 4 | mAPIRecipient | Not significant | Not set |
| 5 | msExchMasterAccountSid | Not significant | Must have the same value as the objectSid of the source object |
| 6 | | Not significant | Must have the same value as the forest FQDN of the source object |
| 7 | | Not significant | Must have the value |
| 8 | msExchRecipientTypeDetails | Not significant | Must have the value 32768 (MailForestContact) |
| 9 | proxyAddresses | The primary SMTP address of the source object becomes the value of targetAddress on the contact in the target domain | Not significant |
| 10 | targetAddress | Not set | Should be the primary SMTP address of the source object |

The msExchMasterAccountSid row is the one that makes delegation work: it carries the source user's SID onto the contact, so permissions that JOHN grants in FORESTX can be resolved to JANE's account over the trust.
- Are the values of the attributes as expected?
- Is the RECIPIENT TYPE of JOHN in Exchange Management Console displayed as CROSS-FOREST MAIL CONTACT?
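The attribute checks above can be scripted instead of clicking through the Attribute Editor. The following is an added example (not part of the original article and not GALsync code): run it in the Exchange Management Shell on a server in the target forest (here FORESTA.COM) with the ActiveDirectory module available, and a DC in the source forest that is reachable over the trust and runs Active Directory Web Services. The names `dc1.forestx.com`, `john` and `john@forestx.com` are assumptions for the lab; the comparison against 32768 / MailForestContact matches the table and the EMC recipient type named above.

```powershell
# Added example: verify a GALsync cross-forest mail contact against its source mailbox.
# Assumed lab values - adjust to your forests.
Import-Module ActiveDirectory

$sourceDC    = "dc1.forestx.com"   # DC/GC in the source forest (assumption)
$sourceSam   = "john"              # sAMAccountName of JOHN in FORESTX.COM (assumption)
$contactSmtp = "john@forestx.com"  # primary SMTP of the synced contact in FORESTA.COM (assumption)

function ConvertTo-SidString {
    # The AD module usually hands msExchMasterAccountSid back as a SecurityIdentifier,
    # ADSI hands it back as byte[]; accept both so the comparison below is robust.
    param($Value)
    if ($null -eq $Value) { return $null }
    if ($Value -is [System.Security.Principal.SecurityIdentifier]) { return $Value.Value }
    return (New-Object System.Security.Principal.SecurityIdentifier(([byte[]]$Value), 0)).Value
}

function New-Check([string]$Name, [bool]$Passed) {
    New-Object PSObject -Property @{ Check = $Name; Result = $(if ($Passed) { "OK" } else { "FAIL" }) }
}

# Source mailbox in the other forest: we need its objectSid and primary SMTP address
$src = Get-ADUser -Server $sourceDC -Identity $sourceSam -Properties proxyAddresses
if (-not $src) { throw "Source user $sourceSam not found on $sourceDC" }
$srcPrimary = ($src.proxyAddresses | Where-Object { $_ -clike "SMTP:*" } | Select-Object -First 1) -replace '^SMTP:', ''

# The contact GALsync created in the local (target) forest
$dst = Get-ADObject -LDAPFilter "(&(objectClass=contact)(mail=$contactSmtp))" `
        -Properties legacyExchangeDN, mailNickname, mAPIRecipient, msExchMasterAccountSid, msExchRecipientTypeDetails, targetAddress
if (-not $dst) { throw "No contact with mail=$contactSmtp found in the local forest" }

# Exchange's own view of the object; EMC shows MailForestContact as "Cross-Forest Mail Contact"
$mc = Get-MailContact -Identity $contactSmtp -ErrorAction SilentlyContinue

$results = @(
    (New-Check "legacyExchangeDN is set"                   (-not [string]::IsNullOrEmpty($dst.legacyExchangeDN)))
    (New-Check "mailNickname is set"                       (-not [string]::IsNullOrEmpty($dst.mailNickname)))
    (New-Check "mAPIRecipient is not set"                  ($null -eq $dst.mAPIRecipient))
    (New-Check "msExchMasterAccountSid = source objectSid" ((ConvertTo-SidString $dst.msExchMasterAccountSid) -eq $src.SID.Value))
    (New-Check "msExchRecipientTypeDetails = 32768"        ([int64]$dst.msExchRecipientTypeDetails -eq 32768))
    (New-Check "targetAddress = SMTP:<source primary>"     ($dst.targetAddress -eq "SMTP:$srcPrimary"))
    (New-Check "RecipientTypeDetails = MailForestContact"  ([bool]$mc -and $mc.RecipientTypeDetails -eq "MailForestContact"))
)

$results | Format-Table Check, Result -AutoSize
```

A FAIL on the msExchMasterAccountSid line is the usual reason delegation later "works for free/busy but not for opening the calendar": the contact exists, but it does not carry the source user's SID, so nothing JOHN grants can be mapped to JANE.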
Mail-Communication supported by GALsync
After the objects are synchronized, end users can pick the names from the Global Address List.
- Is JANE able to send an email to JOHN by picking the contact of JOHN from the GLOBAL ADDRESS BOOK?
- Is JOHN able to send an email to JANE by picking the contact of JANE from the GLOBAL ADDRESS BOOK?
Troubleshooting Level 2
At this level you check the ability to set up a cross-forest environment with a simple Free/Busy query between two untrusted forests using the „galsynced“ contacts of your partner. To configure this, have a look at the note below.
NOTE: FOR SETTING UP A TEST LAB FOR CROSS-FOREST FREE/BUSY WITHOUT FEDERATION SEE HTTP://WWW.TOOLS4EXCHANGE.COM/2012/11/CROSS-FOREST-FREEBUSY-WITHOUT-FEDERATION.HTML
To configure a Cross-Forest Delegation a trust is required. Check if the trusts are in place and if they are working.
NOTE: TO CHECK TRUST FOLLOW THIS ARTICLE: HOW TO DETERMINE TRUST RELATIONSHIP CONFIGURATIONS AT HTTP://SUPPORT.MICROSOFT.COM/KB/228477/EN-US OR DOMAIN AND FOREST TRUST TOOLS AND SETTINGS AT HTTP://TECHNET.MICROSOFT.COM/EN-US/LIBRARY/CC756944(V=WS.10).ASPX
- In FORESTA.COM: are you able to log into OWA (by https) or Outlook (by Outlook Anywhere) as JANE without any certificate error indicated?
- In FORESTX.COM: are you able to log into OWA (by https) or Outlook (by Outlook Anywhere) as JOHN without any certificate error indicated?
NOTE: IF YOU EXPERIENCE ANY ERROR, PLEASE LOOK AT TROUBLESHOOTING CERTIFICATE VALIDATION ERRORS AT HTTP://TECHNET.MICROSOFT.COM/EN-US/LIBRARY/BB331963(V=EXCHG.141).ASPX
Cross-forest free/busy queries and cross-forest delegation require a working Autodiscover.
- If FORESTA and FORESTX are internetfacing use MICROSOFT REMOTE CONNECTIVITY ANALYZER at https://www.testexchangeconnectivity.com/.
- If FORESTA and FORESTX are intranet-based then use MICROSOFT CONNECTIVITY ANALYZER TOOL at http://technet.microsoft.com/library/feba32b0-b7eb-4b1b-ba3d-99e20ba82a8c
If you experience issues with autodiscover, reset the virtual directory for autodiscover in Exchange Management Console. This was often the solution for me!
We assume that you have configured the availability address space similarly to what is shown below (run in the Exchange Management Shell of the local forest; the partner forest does the same in the other direction):

```powershell
# Per-user free/busy against the partner namespace, authenticating with the service account
Add-AvailabilityAddressSpace -ForestName "TargetSMTPnamespace.com" -AccessMethod PerUserFB -UseServiceAccount $true

# Allow the partner forest's Exchange servers to pass serialized user tokens to every local CAS.
# This right lets the grantee present requests in a user's security context, so grant it only
# to the partner forest's "Exchange Servers" group and nothing broader.
Get-ClientAccessServer | Add-AdPermission -AccessRights ExtendedRight -ExtendedRights "ms-exch-epi-token-serialization" -User "Remote Forest\Exchange Servers"

# Publish the local Autodiscover SCP into the partner forest so its lookups can find us
$a = Get-Credential   # enter administrator credentials for the remote forest when prompted
Export-AutoDiscoverConfig -DomainController <Local GC> -TargetForestDomainController <Target GC> -TargetForestCredential $a -MultipleExchangeDeployments $true
```

Check the result with Get-AvailabilityAddressSpace, Get-AvailabilityConfig and Get-AutoDiscoverConfig.
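The trust check, the address space, the token-serialization permission and the exported Autodiscover SCP can be verified in one pass. The following is an added example (not from the original article): run it in the Exchange Management Shell on a Client Access Server in FORESTA.COM. `forestx.com`, `FORESTX` and the group name `FORESTX\Exchange Servers` are assumptions for the lab; `nltest` is the Windows tool, and the SCP search in step 4 assumes the exported object carries a `Domain=<partner domain>` keyword, which is the layout written by Export-AutoDiscoverConfig with -MultipleExchangeDeployments $true and should be confirmed in ADSI Edit if the search returns nothing.

```powershell
# Added example: verify the Level 2 plumbing from the FORESTA.COM side.
$remoteForest  = "forestx.com"                      # partner forest FQDN / SMTP namespace (assumption)
$remoteNetbios = "FORESTX"                          # NetBIOS name of the partner root domain (assumption)
$grantee       = "$remoteNetbios\Exchange Servers"  # principal that received the token-serialization right

# 1. Trust: is the partner listed, and does a secure channel to it answer?
nltest /domain_trusts /all_trusts
nltest /sc_query:$remoteForest

# 2. Availability address space: must point at the partner namespace with per-user F/B
$aas = Get-AvailabilityAddressSpace | Where-Object { $_.ForestName -eq $remoteForest }
if (-not $aas) {
    Write-Warning "No AvailabilityAddressSpace for $remoteForest (run Add-AvailabilityAddressSpace first)"
} elseif ($aas.AccessMethod -ne "PerUserFB" -or -not $aas.UseServiceAccount) {
    Write-Warning ("Address space for {0}: AccessMethod={1}, UseServiceAccount={2}; delegation needs PerUserFB with the service account" -f $remoteForest, $aas.AccessMethod, $aas.UseServiceAccount)
} else {
    "AvailabilityAddressSpace for $remoteForest: PerUserFB with service account - OK"
}

# 3. Token serialization: every CAS must hold an allow ACE for the partner's Exchange Servers group.
#    A CAS without it rejects per-user requests from that forest; the same right on a broader
#    principal would let that principal act in users' security context, so check the grantee too.
foreach ($cas in Get-ClientAccessServer) {
    $ace = Get-AdPermission -Identity $cas.DistinguishedName -User $grantee |
           Where-Object { (-not $_.Deny) -and ($_.ExtendedRights -like "*Token-Serialization*") }
    if ($ace) { "{0}: ms-Exch-EPI-Token-Serialization granted to {1} - OK" -f $cas.Name, $grantee }
    else      { Write-Warning ("{0}: no allow ACE for ms-Exch-EPI-Token-Serialization for {1}" -f $cas.Name, $grantee) }
}

# 4. Autodiscover SCP exported by the partner: Export-AutoDiscoverConfig run on the partner side
#    creates a serviceConnectionPoint in our configuration container (assumed layout: keywords
#    contain "Domain=<partner domain>", serviceBindingInformation holds the partner's LDAP path).
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$scp = Get-ADObject -SearchBase "CN=Microsoft Exchange Autodiscover,CN=Services,$configNC" `
        -LDAPFilter "(&(objectClass=serviceConnectionPoint)(keywords=Domain=$remoteForest))" `
        -Properties keywords, serviceBindingInformation
if ($scp) { $scp | Select-Object Name, keywords, serviceBindingInformation | Format-List }
else      { Write-Warning "No exported Autodiscover SCP with Domain=$remoteForest under $configNC" }
```

Step 3 is the one worth repeating after every CAS addition: a newly installed Client Access Server does not inherit the permission, and the first symptom is free/busy that works from some servers and not others.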
NOTE: SEE ALSO FREE/BUSY INFORMATION WITHOUT FEDERATION – TROUBLESHOOTING GUIDE AT HTTP://WWW.TOOLS4EXCHANGE.COM/2012/12/FREEBUSY-INFORMATION-WITHOUT-FEDERATION—TROUBLESHOOTING-GUIDE.HTML
A simple cross-forest Free/Busy Query
- Is JANE able to create a new meeting request by inviting JOHN (picking the contact of JOHN from the GLOBAL ADDRESS BOOK) and see his F/B information?
The best place to collect logging data is the Outlook client. Enable it in Outlook's OPTIONS (via the Tools menu in Outlook 2007, or backstage in Outlook 2010) -> ADVANCED. Tick the ENABLE TROUBLESHOOTING LOGGING box and restart Outlook. The log files are stored under %TEMP%\… (note: this folder is hidden by default).
Troubleshooting Level 3
At this level you check the ability to set up cross-forest delegation. This lets you configure so-called delegate access: JOHN from FORESTX grants JANE from FORESTA access to his calendar.
- Is JOHN able to delegate access to JANE?
- Is JANE able to open JOHN's delegated calendar by picking JOHN from the GAL?
- Is JANE able to insert a new appointment directly into JOHN's calendar?