Deep dive into rich coexistence between Exchange Forests (Part 11)

[Published on 24 April 2012 / Last Updated on 24 April 2012]

In this multi-part article, we will take a deep dive into how you configure rich coexistence between Exchange forests with different versions of Exchange deployed.

Introduction

In part 10, we began the configuration steps necessary to establish free/busy sharing between Exchange forest 2 (Exchange 2007 forest) and Exchange forest 1 (Exchange 2010 forest). We decided to use the per-user free/busy method so that users in each org can see detailed free/busy information for mail users cross-forest.

In this part 11, we will continue where we left off in part 10. We will export the Exchange certificate from the CAS server in Exchange forest 1 (Exchange 2010) and import it on the CAS server in Exchange forest 2 (Exchange 2007). Finally, we will test cross-forest free/busy requests and calendar sharing using OWA 2007 and Outlook 2007.

Exporting Certificates from Exchange Forest 1 (Exchange 2010)

Since the Exchange 2007 CAS server in Exchange forest 2 needs to trust the certificate installed on the Exchange 2007 CAS server in Exchange forest 2, and because the certificate for Exchange 2007 has been issued by an internal PKI, we need to export the root and intermediate certificates from Exchange forest 1 (Exchange 2010) and import them on the CAS server in Exchange forest 2 (Exchange 2007).

To export the root and intermediate certificates, log on to a server in Exchange forest 1 (Exchange 2010), click Start > Run and type “MMC”. In the empty MMC, click File > Add/Remove Snap-in.


Figure 1: Opening an empty MMC Snap-in

In the Add or Remove Snap-ins window, select “Certificates” and click Add.


Figure 2: Adding the Certificates snap-in

In the Certificates snap-in dialog box, select “Computer account” and click Next.


Figure 3: Selecting computer account store

Leave the defaults and click Finish.


Figure 4: Selecting the computer the snap-in should manage

With the Certificates snap-in added, expand Trusted Root Certification Authorities and select Certificates. In the right pane, right-click the root certificate you wish to export and select All Tasks > Export in the context menu.


Figure 5: Selecting export in the certificate context menu

The Certificate Export Wizard launches. Click Next.


Figure 6: Certificate Export Wizard welcome page

On the Export File Format page, select DER encoded binary X.509 (.CER) or Base-64 encoded X.509 (.CER), then click Next.


Figure 7: Selecting the export file format

Now specify the path and name for the certificate to be exported and click Next.


Figure 8: Specifying the path and name for the certificate to be exported

Click Finish.


Figure 9: Completing the certificate export wizard

Now expand the Intermediate Certification Authorities container and repeat the above steps so that the respective intermediate certificate for the internal PKI is exported as well.

Importing Certificates to Exchange Forest 2 (Exchange 2007)

Okay now it’s time to import those two certificates into the Trusted Root Certification Authorities and Intermediate Certification Authorities stores on the CAS server in Exchange forest 2 (Exchange 2007). To do so log on to the Exchange 2007 CAS server in Exchange forest 2 (Exchange 2007 forest). Then open an empty MMC and add the Certificates snap-in just like we did in the previous section.

Expand the Trusted Root Certification Authorities container then right-click Certificates and select All Tasks > Import.


Figure 10: Selecting import in the certificate context menu

Click Next.


Figure 11: Certificate Import Wizard welcome page

Now specify the path to the root certificate we exported from Exchange forest 2 (Exchange 2007) and click Next.


Figure 12: Specifying the path and name to the certificate to be imported

On the Certificate Store page, make sure the certificate will be placed in the Trusted Root Certification Authorities store and click Next.


Figure 13: Specifying the store where the certificate will be placed

On the completing wizard page, click Finish.


Figure 14: Completing the certificate import wizard

Again repeat the above steps but this time import the intermediate certificate into the Intermediate Certification Authorities store.
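The same import can be scripted so that each file is checked against a thumbprint read on the exporting server before anything is written to the trust stores. This is an added example, not part of the original article; the file paths and thumbprint values are placeholders, and it assumes PowerShell 2.0 or later and an intermediate certificate issued directly by the root.

```powershell
# Added example, not from the original article. Run elevated on the CAS server
# that imports the certificates. Paths and thumbprints below are placeholders.
$rootFile  = 'C:\Temp\forest1-root.cer'          # hypothetical export path
$interFile = 'C:\Temp\forest1-intermediate.cer'  # hypothetical export path
# Thumbprints as shown on the certificate Details tab of the exporting server.
$expected  = @{ Root = '<ROOT-THUMBPRINT>'; CA = '<INTERMEDIATE-THUMBPRINT>' }

function Assert-That([bool]$Condition, [string]$Message) {
    if (-not $Condition) { throw "Refusing to import: $Message" }
}

# Values copied from the Details tab contain spaces; keep the hex digits only.
function Format-Thumbprint([string]$Value) {
    ($Value -replace '[^0-9A-Fa-f]', '').ToUpper()
}

function Add-ToMachineStore($Cert, [string]$StoreName) {
    $location = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $StoreName, $location
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try { $store.Add($Cert) } finally { $store.Close() }
}

# X509Certificate2 reads both DER and Base-64 encoded .cer files.
$root  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $rootFile
$inter = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $interFile

# Structural checks (assumes the intermediate is issued directly by the root).
Assert-That ($root.Subject -eq $root.Issuer)   'the root file is not self-signed'
Assert-That ($inter.Subject -ne $inter.Issuer) 'the intermediate file is self-signed'
Assert-That ($inter.Issuer -eq $root.Subject)  'the intermediate was not issued by this root'

# Root = Trusted Root Certification Authorities, CA = Intermediate Certification Authorities.
$items = @(@{ Store = 'Root'; Cert = $root }, @{ Store = 'CA'; Cert = $inter })

# Verify both certificates completely before touching either store.
foreach ($item in $items) {
    $cert = $item.Cert
    Assert-That ((Get-Date) -lt $cert.NotAfter) "$($cert.Subject) has expired"
    Assert-That ($cert.Thumbprint -eq (Format-Thumbprint $expected[$item.Store])) "thumbprint mismatch for $($cert.Subject)"
}
foreach ($item in $items) {
    Add-ToMachineStore $item.Cert $item.Store
    'Imported {0} into LocalMachine\{1} ({2})' -f $item.Cert.Subject, $item.Store, $item.Cert.Thumbprint
}
```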

After having imported the certificates I recommend you reboot the Exchange 2010 CAS server to make sure it picks up the two new certificates.
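Before moving on to the free/busy tests, the new trust can be confirmed from the CAS server that received the certificates by completing a TLS handshake with the other forest's CAS and listing the chain that validated. This is an added example, not part of the original article; `cas.forest1.example` is a placeholder host name and PowerShell 2.0 or later is assumed.

```powershell
# Added example, not from the original article. The host name is a placeholder for
# the name the importing CAS server uses to reach the other forest's CAS over HTTPS.
function Test-RemoteCertificateTrust([string]$HostName, [int]$Port = 443) {
    $result = New-Object PSObject -Property @{
        HostName = $HostName; Trusted = $false; Detail = ''; Chain = @()
    }
    $ssl    = $null
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $stream = $client.GetStream()
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false

        # Default validation: the chain must end in a root trusted by this machine
        # and the certificate name must match $HostName. No request is sent.
        $ssl.AuthenticateAsClient($HostName)

        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Match the handshake above, which does not check revocation.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        [void]$chain.Build($cert)

        # Leaf first, root last: the imported intermediate and root should appear here.
        $result.Chain   = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        $result.Trusted = $true
        $result.Detail  = 'Chain validated against the local trust stores'
    }
    catch {
        # Covers an untrusted chain, a name mismatch and plain connection failures.
        $result.Detail = $_.Exception.Message
    }
    finally {
        if ($ssl) { $ssl.Close() }
        $client.Close()
    }
    $result
}

Test-RemoteCertificateTrust 'cas.forest1.example' | Format-List HostName, Trusted, Detail, Chain
```

A result with `Trusted` set to `False` and a validation error in `Detail` means the root or intermediate certificate is missing from the machine stores or the host name does not match the certificate.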

Modifying the EWS Web.config File on the CAS Server in Exchange Forest 1

Unlike Exchange 2007, we do not need to modify the EWS web.config file on the Exchange 2010 CAS server as the maximumQueryIntervalDays value now matches between the two Exchange CAS servers.

Testing Cross-Forest Free/busy Queries from Exchange 2007 to Exchange 2010

Okay, we have once again reached an exciting moment. More specifically, we now need to test whether an Exchange 2007 user in Exchange forest 2 can look up free/busy information for an Exchange 2010 user in Exchange forest 1.

Let’s first try this using OWA 2007. Below we have logged on to OWA 2007 using an Exchange user in Exchange forest 2. The two persons added by the meeting organizer are mail user objects replicated via FIM 2010 from Exchange forest 1 to Exchange forest 2. As you can see free/busy lookups work just fine.


Figure 15: Cross-forest free/busy lookups using OWA 2007

Now let’s open an Outlook 2007 client and create a new meeting request with the same Exchange 2010 users added to the meeting. Again we retrieve the requested free/busy information just fine. Also note that we do not see detailed free/busy information for any of the Exchange 2010 users. As you probably recall, back when we set up the Exchange forest 1 (Exchange 2010) availability address space in Exchange forest 2 (Exchange 2007), we used the per-user free/busy method, which allows us to also see detailed cross-forest free/busy information for users.


Figure 16: Cross-forest free/busy lookups using Outlook 2007

By default, users only have non-detailed free/busy access to another user’s mailbox (see Figure 18), but when configuring directory synchronization using a product such as FIM 2010 (which supports cross-forest delegation), we can assign mail users from one forest to the calendar permission list on a mailbox in another Exchange forest.


Figure 17: Default free/busy permissions for all users

In this case, we added the mail user object that represents Andreas Berglund (who has a mailbox in Exchange forest 2) in Exchange forest 1 to the calendar permission list of Andreas Berglund, who has a mailbox in Exchange forest 1.


Figure 18: User specific free/busy permissions

Users can be assigned permissions by adding them specifically to the permission list, but since we have established SMTP mail flow between the forests, we can of course also use the “Share my Calendar” Outlook feature to accomplish this.


Figure 19: Sharing calendar with a mail user representing user in another forest

It doesn’t stop there. Because of the cross-forest delegation support in FIM 2010, you can also open the calendar of a user in the other forest.


Figure 20: Opening calendar for user in other forest

This concludes part 11 of this article series. See you soon.
