Is Inter-Forest Exchange mailbox creation possible?
I have a two-way forest trust from forest A to forest B. Both forests have their own Exchange servers. I need to be able to create a new AD user account in forest A using ADUC on forest B's Exchange server so that those accounts' mailboxes get put into the mailbox stores on forest B's Exchange server. The ultimate goal is to eliminate the need for forest A's Exchange server. Is this possible with just a two-way forest trust? This is all Windows/Exchange 2003. When I attempt to do this now using Exchange Tasks for a new AD account I create for forest A using forest B's Exchange server, I get an error. Here is the error from the end of the XML output:
....<progress code="-4" milliseconds="391">Saving changes to the directory</progress> <summary isWarning="false" errorCode="0x8007202f">A constraint violation occurred.</summary> </item> </items> </taskWizardRun>
August 19th, 2008 10:11pm
I am almost 100% positive this is not possible with "out of the box" tools. The mailbox in Forest B MUST have a user account in Forest B.
In my experience, resource forests are a PITN (pain in the neck).
August 20th, 2008 12:38am
Jim McBee - Exchange MVP wrote:
I am almost 100% positive this is not possible with "out of the box" tools. The mailbox in Forest B MUST have a user account in Forest B.
In my experience, resource forests are a PITN (pain in the neck).
I had a feeling that was the case. Can anyone confirm?
August 20th, 2008 12:58am
You might be able to automate some of the account creation in ForestB by implementing something like Microsoft's MIIS/IIFP. That way, you could create the account in ForestA and have the MIIS/IIFP (sorry, now known as Identity Lifecycle Management) create the account in ForestB and provision the mailbox. This might not be a simple solution since MIIS can be a bit like rocket science to do things beyond basic GAL sync.
August 20th, 2008 3:33am
I found MIIS in some researching and thought it sounded hopeful. Then I researched it more and found it is VERY expensive. We don't have the justification to spend that type of money. Thanks again though for the suggestion.
August 20th, 2008 3:39am
MIIS is very cool and very expensive. However, Microsoft "gives" away a solution called IIFP (Identity Integration Feature Pack) that does a lot of the basics of MIIS. The only catch is that you must use SQL Server and IIFP must run on Windows Server 2003 Enterprise Edition.
I use IIFP frequently to do "GAL syncs" between 2 Active Directory forests. It is pretty easy to do.
August 20th, 2008 10:51am
I'll take a look at IIFP. It'll be tough since it requires w2k3 Ent.
Any idea if it would be possible for me to merge/convert Forest A into being a Tree Domain in Forest B? Essentially, leaving me with just 1 large Forest? Is that possible?
August 21st, 2008 2:18am
Unfortunately, there are no "prune and graft" tools for Active Directory trees/forests. If you dug into the AD configuration and schema, though, you would begin to see why that would be so difficult. Merging the configuration and schemas between 2 AD forests would be beyond just a bit hard and would probably leave the forest in a somewhat "unstable" mode.
Your best bet (and a lot of work) would be to create a new child domain in ForestB, then use a migration tool like the Microsoft Active Directory Migration Tool (ADMT) or Quest's migration suite to migrate the users from ForestA to ForestB.
In my opinion, you are on the right track, though, getting rid of one of your forests. Reducing complexity is usually a good thing. A forest (even a single domain) can be very large. I have seen single AD domains with over 300,000 users.
August 21st, 2008 3:05am
Per my research, inter-forest Exchange mailbox creation isn't possible.
Explanation: We got this error because you are trying to forward the mailbox address for an object that doesn't exist in the same forest as the original recipient. When you use ADUC to perform Exchange-related object modifications, you are actually calling exadmin.dll to query and write AD to modify attributes on the forwardee and forwarder. Then, in this case, exadmin.dll tries to write the attributes on the user object (forwarder). Exadmin.dll also tries to populate attributes on the user object (forwardee). But since this exadmin.dll runs under the context of one user in one forest, it's unable to write attributes to another forest. The to-be-modified attributes must reside in the same forest as the original user object. Different forests' GCs don't replicate with each other.
You may try Jim's solution: migrate the AD objects to one forest.
ADMT v3.0
ADMT with Exchange 2003
August 21st, 2008 9:54am
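As an added illustration (not code from this thread or from any Microsoft tool), a small Python pre-check that pulls the errorCode out of the task-wizard XML quoted in the question and verifies, from the DNs alone, that a user object and its intended mailbox store (homeMDB) sit under the same forest root, which is the condition the explanation above says exadmin.dll needs. The trimmed XML and the DNs are constructed samples; the forest names are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, trimmed copy of the exadmin.dll task-wizard output quoted in the
# question (made well-formed so it parses; not output from a real server).
SAMPLE_XML = """<taskWizardRun><items><item>
<progress code="-4" milliseconds="391">Saving changes to the directory</progress>
<summary isWarning="false" errorCode="0x8007202f">A constraint violation occurred.</summary>
</item></items></taskWizardRun>"""

# 0x8007202f is HRESULT_FROM_WIN32(8239), i.e. ERROR_DS_CONSTRAINT_VIOLATION.
DS_CONSTRAINT_VIOLATION = 0x8007202F

# Constructed homeMDB DN for a store in forest B's Configuration partition.
MDB_IN_FOREST_B = ("CN=Mailbox Store (SRV1),CN=First Storage Group,CN=InformationStore,"
                   "CN=SRV1,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,"
                   "CN=Org,CN=Microsoft Exchange,CN=Services,CN=Configuration,"
                   "DC=forestb,DC=local")


def task_error_code(xml_text):
    """Return the errorCode of the last <summary> element as an int, or None if absent."""
    summaries = ET.fromstring(xml_text).findall(".//summary")
    if not summaries:
        return None
    return int(summaries[-1].get("errorCode"), 16)


def domain_components(dn):
    """Split a DN on unescaped commas and return its DC= RDNs, lowercased, in order."""
    rdns = [part.strip() for part in re.split(r"(?<!\\),", dn)]
    return tuple(r.lower() for r in rdns if r.lower().startswith("dc="))


def same_forest(user_dn, home_mdb_dn):
    """True if the user's domain hangs off the forest root that holds the mailbox store.

    The Configuration partition (where mailbox stores live) sits at the forest root
    domain, so the user's DC chain must end with the store's DC chain; this also
    accepts users in child domains of that forest.
    """
    user_dcs = domain_components(user_dn)
    root_dcs = domain_components(home_mdb_dn)
    if not root_dcs or len(root_dcs) > len(user_dcs):
        return False
    return user_dcs[-len(root_dcs):] == root_dcs
```

Running `same_forest` before launching the Exchange Tasks wizard tells you up front whether the account is in a position where the directory write can succeed at all.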
Hi, paesan, I assume your question has been answered, and I'd like to change the status to "Marked as answer". Please feel free to post here if you have any update.
August 25th, 2008 4:05am