John
15 years ago
Hi All!
Apologise for the wall-of-text but I'm really hoping someone out there can
help me with some of these issues I'm seeing trying to set this up. Here's my
scenario:
I have 2 forests, "A.local" and "B.local". Company A has purchased company B
and we need to see free/busy info across the forests while we work on
consolidating the sites. I have Exchange 2007 in both forests.
There is a 2-way trust between the forests that works well. To make things
easier, the primary SMTP domains for both forests have been set up to be the
exact name of the forest (A.local and B.local - this is for testing as I saw
issues where the SMTP mail domain was different to the forest name in one of
the domains).
I set up the IIFP and used Identity Manager (GALSync) to sync a set of
contacts for each domain to the other. The sync worked fine but the newly
created contacts contained X.400 and X.500 addresses. Sending mail to these
contacts therefore failed as the imported X.400/X.500 addresses made no sense
to each Exchange server. I manually deleted the X.400/X.500 addresses and mail
started working fine as the mail servers were now just using the SMTP address.
I then ran the following commands:
In A.local I ran the following command with no errors:
Add-AvailabilityAddressSpace -Forestname B.local -AccessMethod
PerUserFB -UseServiceAccount:$true
Same in B.local with A.local as the -Forestname.
I then tried:
Get-ClientAccessServer | Add-ADPermission -Accessrights Extendedright
-Extendedrights "ms-Exch-EPI-Token-Serialization" -User "b.local\CASServer"
NOTE: "b.local\CASServer" is the actual name of the CAS server.
That command fails (when run in both domains) with the error: "user or group
"b.local\CASserver" was not found" (remember CASserver is the actual server
name of the CAS server in the trusted forest). I have tried using the NetBIOS
name for the domain too but that doesn't work. The strange thing is that if I
replace "b.local\CASServer" with "b.local\Exchange Servers", then the command
works fine. Also, the computer account for "b.local\CASServer" is actually a
member of that group. I have therefore run this command using the
"forestname\Exchange Servers" group in both forests. I've tested my trust/DNS
and it all works great. I can even add the computer account of "A.local\cas
server" to "B.local\cas server"'s local Administrators group.
I then moved on to troubleshooting the Autodiscover service, which led me to a
possible issue with certificates. My cert for "B.local" pops up a
RemoteCertificateNameMismatch error when running the Test-OutlookWebServices
cmdlet. This is because the cert is for the external name "Mail.B.Local" and
not the internal name, which is "casserver.b.local".
So I guess I have a few questions here:
Will removing the X.400/X.500 addresses render AS useless?
Any ideas why I can't use the actual machine account of my CAS server in the
Add-ADPermission command?
Can AS still work if Autodiscover has a name mismatch in the cert in one of
the domains?
Many thanks for any help you can give, guys!
John
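The following is an added diagnostic script, not part of John's post or of any Microsoft documentation, that checks the three things the post is stuck on from the A.local side: how the trusted forest resolves the CAS computer account (Active Directory stores computer accounts with a trailing "$" in sAMAccountName, so the principal the trust lookup expects is "b.local\CASServer$"; this is a known AD convention, not something the post states), which principals currently hold ms-Exch-EPI-Token-Serialization on the local Client Access servers, and which Test-OutlookWebServices results are not successes. The forest and host names (b.local, CASServer) are taken from the post; the helper function name is the example's own. Since ms-Exch-EPI-Token-Serialization lets the holder act on behalf of any user's token, listing its holders is worth doing whether or not the Add-ADPermission command is ever re-run against the computer account.

```powershell
# Added example (not from the original post). Run in the Exchange 2007
# Management Shell in forest A.local; names below come from the post.
$remoteDomain = 'b.local'
$remoteCas    = 'CASServer'

# Resolve a "DOMAIN\name" principal through the trust to a SID. Returns $null
# when the name cannot be found under that spelling. (Helper name is assumed.)
function Resolve-TrustedPrincipal {
    param([string]$Domain, [string]$Name)
    try {
        $acct = New-Object System.Security.Principal.NTAccount($Domain, $Name)
        return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $null
    }
}

# 1. Computer accounts carry a trailing "$" in sAMAccountName, so the second
#    lookup is the form the trust is expected to resolve.
'Lookup without $: ' + (Resolve-TrustedPrincipal $remoteDomain $remoteCas)
'Lookup with $:    ' + (Resolve-TrustedPrincipal $remoteDomain ($remoteCas + '$'))

# 2. List who already holds the token-serialization right on each local CAS.
#    Expect the remote forest's "Exchange Servers" group after the post's workaround.
Get-ClientAccessServer | ForEach-Object {
    Get-ADPermission -Identity $_.Identity |
        Where-Object { $_.ExtendedRights -match 'ms-Exch-EPI-Token-Serialization' } |
        Select-Object @{ n = 'CAS'; e = { $_.Identity } }, User, Deny, IsInherited
}

# 3. Confirm the availability address space targets the remote forest with the
#    access method the post configured (PerUserFB with the service account).
Get-AvailabilityAddressSpace | Format-List ForestName, AccessMethod, UseServiceAccount

# 4. Surface every non-success result, so a RemoteCertificateNameMismatch on the
#    internal name shows up alongside the Autodiscover/EWS URL that triggered it.
Test-OutlookWebServices | Where-Object { $_.Type -ne 'Success' } |
    Format-List Id, Type, Message
```

If step 1 resolves only the "$"-suffixed name, that is the spelling to pass to -User; if step 4 reports a name mismatch, the name that clients actually connect to (here the internal FQDN casserver.b.local) has to appear in the certificate's subject or subject alternative names, or the internal URLs have to be changed to a name the certificate already covers.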