Add-MailboxPermission doesn't work cross-forest
Hi All,
I have a domain called domainA where Exchange 2010 is installed.
I have another domain called domainB where all the user accounts are.
As the migration procedure I did this:
1. I used Prepare-MoveRequest to migrate user accounts from domainB to domainA as DISABLED MAILBOX ACCOUNTS.
2. I ran ADMT to migrate user accounts from domainB to domainA to patch SID history.
I deployed linked mailboxes and that is working fine. However, when I run this command to share a mailbox:
Add-MailboxPermission -Identity user01 -User DOMAINB\USERB -AccessRights FullAccess
the result shows:
Identity          User           AccessRights   IsInherited  Deny
--------          ----           ------------   -----------  ----
domaina\users\... DOMAINA\USERB  {FullAccess}   False        False
As you can see, it doesn't show DOMAINB\USERB, which is why the shared mailbox doesn't work.
Any ideas?
Regards. Jos Osorio.
October 19th, 2011 12:16pm
Hi Jose,
Based on my research, it is by design that we are not able to share mailbox across forests. We need to move all the users that have access to a shared mailbox to the new forest if they still want to have access to the shared mailbox.
For the free/busy related issue, you may consider sharing free/busy across forests. When the Availability service is configured to retrieve free/busy information on a per-user basis, the service can make cross-forest requests on behalf of a particular user. This allows a user in a remote forest to retrieve detailed free/busy information for someone who is not in the same forest.
Refer to:
http://technet.microsoft.com/en-us/library/bb125182.aspx?ppud=4
http://blogs.technet.com/b/exchange/archive/2011/03/04/3412075.aspx
Hope it is helpful.
Fiona
October 21st, 2011 1:14am
Hi Fiona,
I was searching about my issue and I found that it could be the ADMT.
When I add permissions for users from the other forest, it works when I didn't migrate them with ADMT. So, I think that there is one or more attributes that shouldn't be migrated with ADMT.
Regards. Jos Osorio.
October 21st, 2011 10:38am
Hi Jose,
Can you share the method you used to add the permission? I tried to involve a next-level engineer and your information would help us research.
Thanks.
Fiona
October 24th, 2011 5:38am
Hi Fiona,
This is the command line:
Add-MailboxPermission -Identity user01 -User DOMAINB\USERB -AccessRights FullAccess
As I mentioned, if UserB was migrated with ADMT it doesn't work. However, it is so strange, because with users who were not migrated with ADMT it works.
Regards. Jos Osorio.
October 24th, 2011 1:16pm
Hi Jose,
Sorry for the confusion. I would like to know how you migrated the user without ADMT.
Thanks again.
Fiona
October 25th, 2011 2:43am
Hi Fiona,
I've just run Prepare-MoveRequest.ps1 against some users. That script creates a disabled account in the Exchange forest, enabled as a Contact.
For other users, as I want to migrate SID history, I ran Prepare-MoveRequest.ps1 and then ran ADMT.
Regards. Jos Osorio.
October 25th, 2011 11:02am
Hello Jose,
Just to make sure we are on the same page, what you have noticed is: when users are migrated from one forest to another along with their SID history (i.e. using ADMT), and then the corresponding user's mailbox is moved, you are unable to apply and manage mailbox permissions. It does seem to apply, but to the wrong user (DomainA\USERB in your case).
This is because of the SIDHistory on the account. It restricts the ability to properly look up the correct user account. I can explain why this happens, but could you please remove / delete the SIDHistory from the user account and check the behavior?
October 30th, 2011 8:35am
Hi Sunesh,
I thought that SID history was the root of that issue. However, if I remove SID history then users from the other forest can't log in automatically with Outlook.
Regards. Jos Osorio.
November 1st, 2011 3:38pm
Hi Sunesh,
I'm worried about that behavior. You mean that I should migrate accounts without SID history, right? Doing that, users from the other forest can't log in (single sign-on) automatically in Outlook. That's a huge issue.
Regards. Jos Osorio.
November 15th, 2011 11:32am
SID... If you add a user in Domain\user format, it needs to look up the SID, which it probably can't do because it lacks permissions in the "other" forest... The user won't resolve. If you add a SID, there is no lookup. If you remove the SID history and it fails, this absolutely is the issue.
Whatever account you are using to modify the permissions needs the ability to resolve the SID in the *other* forest.
J
November 15th, 2011 2:02pm
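The two explanations above (Sunesh's point that the ADMT-populated sidHistory makes the lookup land on DOMAINA\USERB, and J's point that passing a SID avoids the name lookup altogether) can be checked from the Exchange forest with the following PowerShell. This is an added example, not code from anyone in the thread. It assumes the ActiveDirectory module and an Exchange Management Shell session on a host that can resolve DOMAINB principals through the trust; the mailbox name `user01` and the account `USERB` are taken from the thread, and the claims that an LDAP filter on sidHistory accepts a string SID and that `Add-MailboxPermission -User` accepts a SID string are assumptions made here.

```powershell
# Added example (not from the thread): find out why DOMAINB\USERB lands on the
# mailbox ACL as DOMAINA\USERB, then add the ACE by SID so no name lookup is
# required. Assumes ActiveDirectory module + Exchange Management Shell.

Import-Module ActiveDirectory

$Mailbox    = 'user01'          # mailbox name from the thread
$SourceUser = 'DOMAINB\USERB'   # source-forest principal you intend to grant

# 1. Resolve the source-forest account to its SID. This is the lookup that
#    Add-MailboxPermission must do when given DOMAIN\user; it fails or
#    misresolves when the calling account cannot query the other forest.
$SourceSid = ([System.Security.Principal.NTAccount]$SourceUser).Translate(
                 [System.Security.Principal.SecurityIdentifier]).Value
"Resolved $SourceUser -> $SourceSid"

# 2. Find which account in the Exchange forest carries that SID in sidHistory.
#    After ADMT, DOMAINA\USERB holds the old DOMAINB SID, so a SID-to-name
#    translation done inside DOMAINA returns DOMAINA\USERB, not the source
#    account. (Assumption: the filter accepts the S-1-5-... string form.)
$Shadow = Get-ADUser -LDAPFilter "(sidHistory=$SourceSid)" -Properties sidHistory
if ($Shadow) {
    "sidHistory match in the Exchange forest: $($Shadow.SamAccountName)"
    "  sidHistory entries: $($Shadow.sidHistory -join ', ')"
} else {
    "No account in the Exchange forest carries $SourceSid in sidHistory"
}

# 3. Show what the mailbox ACL currently holds for either identity, i.e. the
#    table from the first post, filtered to the accounts of interest.
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { $_.User -like '*\USERB' -or $_.User -eq $SourceSid } |
    Select-Object User, AccessRights, IsInherited, Deny

# 4. Grant by SID, following J's suggestion. Assumption: passing the SID
#    string skips the name lookup, so the ACE is written for the intended
#    source-forest account rather than the sidHistory shadow.
Add-MailboxPermission -Identity $Mailbox -User $SourceSid -AccessRights FullAccess

# 5. Verify: the new ACE should be listed under the source-forest SID or
#    DOMAINB\USERB, not DOMAINA\USERB.
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { $_.User -eq $SourceSid -or $_.User -like 'DOMAINB\*' } |
    Select-Object User, AccessRights, IsInherited, Deny
```

If step 2 returns DOMAINA\USERB, the misresolution is explained by sidHistory exactly as described above; if step 1 throws an identity-translation error, the calling account cannot resolve DOMAINB principals, which is the permissions problem J describes. Step 5 is the check that tells the two cases apart after the grant.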
What permissions do I need?
What do you mean when you said "If you add a SID, there is no lookup"?
Regards. Jos Osorio.
November 15th, 2011 10:24pm
Hello Jose,
As you indicated, the sidHistory seems to be the root of the issue. Cross-forest migration related issues demand some testing (depending on the tools utilized for migration) in the live environment.
Please open a case with Microsoft PSS to expedite the solution.
December 28th, 2011 11:41pm