Deploying an Exchange Resource Forest (Part 1)

If you would like to read the next part in this article series please go to Deploying an Exchange Resource Forest (Part 2)

 

There are many companies that have separated forests and do not intend to merge these forests again. This might occur due to:

 

 

  • Multiple businesses that require data and service isolation
  • Different schema requirements
  • Company merger or acquisition process

 

We still have the traditional way of deploying Exchange Server 2007, that is the single forest, but in Exchange Server 2007, we can play with multiple forests and in those scenarios we have two possible topologies to work with:

 

Cross-forest

 

This topology uses multiple Exchange forests. Each forest has an Exchange Server 2007 and a tool to synchronize the recipients between them, since we should use the same GAL for all forests.

 


Figure 1: Cross-forest scenario

 

Resource forest

 

In the Resource forest topology, there is a forest with Exchange Server 2007 installed and one or more account forests. The users will be hosted in the Account forest and the Mailbox-enabled users will be hosted in the other forest. We will associate these mailboxes with the users from the account mailbox.

 

In this kind of scenario, we do not have problems related to GAL because all the users are in the same forest (Resource Forest), but we might need more hardware and infrastructure to deploy a new forest to host all mailboxes.

 


Figure 2: Resource forest scenario

 

The Scenario

 

Let us take a scenario where we have two account forests called: apatricio.local and other.local. We will also have a new forest that will be our Resource forest. This forest will be called msexchange.local. In this article we will start a resource forest using Exchange Server 2007 from scratch. Right now we have two account forests without any installed messaging system.

 

From the security viewpoint, only the users with exchange permissions in the Resource Forest will be able to create users, even the Account Forest Administrators will not be able to manage accounts and mailboxes in the resource forest.

 

We will use a scenario (Figure 3), where we have two companies from different segments but from the same group, wanting to share the same message infrastructure.

 


Figure 3:
Two account forests which contain all users and a resource forest that will receive Exchange Server 2007

 

We will then install Exchange Server 2007 in this Resource Forest to host all the mailboxes of both account forests. We should create this new forest according to Microsoft Best Practices, and if possible create a Disaster Recovery Plan with a high availability solution for this resource forest, including Domain Controllers and Exchange Server roles.

 

Now that we know what kind of topology we are going to deploy, we have to adjust some settings in this fictitious scenario.

 

Installing Exchange Server 2007

 

First of all, we have to install Exchange Server 2007 in the Resource Forest. This is a normal installation process which we can see how to accomplish in the article series written by fellow MVP Rodney Buike: Installing Exchange 2007 (Part 1). For this article scenario we will install a single Exchange Server 2007 with the Client Access, Hub Transport and Mailbox Server roles.

 

Although we are working on a Resource Forest scenario, there are no special steps to follow during the setup process. The installation process of Exchange Server 2007 is the same independent type of Exchange topology.

 

Adjusting the DNS Servers to resolve to the resource forest

 

Before starting to create the trusts, we have to configure the correct name resolution among forests; let us configure the DNS Server in the two account forests (Apatricio.local and Other.local). We have to perform the tasks below in each account forest:

 

 

  1. Log on to the account forest Domain Controller server
  2. Click on Start and Run
  3. Type dnsmgmt.msc and click OK
  4. Right-click on <Server Name> and click on Properties
  5. Click on Forwarders tab
  6. Click on New button and in the new box, insert this information: msexchange.local (name of our resource forest), then click OK
  7. Click on the resource domain in the DNS domain and add the IP address of the DNS Server of the Resource Forest, as shown in figure 4

 


Figure 4:
In the account DNS Servers we are setting up the resolution for the msexchange.local (Resource Forest) to the specified DNS Server

 

Now, we have to configure the DNS resolution in the resource forest. To do that we can follow the following steps:

 

 

  1. Log on to the resource forest Domain Controller server
  2. Click on Start / Run
  3. Type dnsmgmt.msc and click OK
  4. Right-click on <Server Name> and click on Properties
  5. Click on Forwarders tab
    For each account forest follow these steps:
  6. Click on New… button, and add the account forest domain name (Ex.: apatricio.local)
  7. Click on the recently created new zone in DNS Domain box, and add the IP address of the respective DNS Server in the field bellow and click Add

 


Figure 5: Setting up the DNS resolution in the Resource Forest DNS Server

 

Now we can reach all our forest servers using DNS resolution.

 

Establishing trust among the Forest

 

Now that we have set up DNS resolution, we can establish trust among the forests. We need to execute the procedures listed below from the Resource Forest. An administrative account is needed for each account forest to create the trusts.

 

 

  1. Log in to the Resource Forest server
  2. Click on Start, Programs, Administrative Tools and Active Directory Domains and Trusts
  3. Right-click on Resource Forest domain (msexchange.local) and click on Properties
  4. Click on Trusts Tab
    Now repeat these steps for each Account Forest:
  5. Click on New Trust…
  6. Welcome to the New Trust Wizard. First screen to create the trust, click on Next.
  7. Trust Name. Fill out the Account Forest name in the box called Name, as shown in Figure 6. Click Next.

 


Figure 6: Specifying the trust name between Account Forest and Resource Forest

 

 

  1. Trust Type. Click on Forest Trust and click Next.
    Note:
    If this option does not appear it is because the Forest is not in 2003 mode.
  2. Direction of Trust. Click on One-way: outgoing and click Next.
  3. Sides of Trust. Click on Both this domain and the specified domain, and click Next. This option allows us to create a trust relationship in the local domain and in the Account Forest.
  4. User Name and Password. Fill out the User name and Password of the Account Forest, and then click Next.
  5. Outgoing Trust Authentication Level—Local Forest. Click on Forest-wide authentication, click Next.
  6. Trust Selections Complete. A summary of our last steps will be shown, then click Next.
  7. Trust Creation Complete. A figure similar to Figure 7 will appear, just click Next.

 


Figure 7: The outgoing trust was successfully completed

 

 

  1. Confirm Outgoing Trust. Select Yes, confirm the outgoing trust and click Next.
  2. Completing the new Trust Wizard. The final screen of the wizard will appear, as shown in Figure 8.

 


Figure 8: The final screen of the New Trust Wizard informing us that we have created the outgoing trust between Resource Forest and Account Forest

 

We now have created a one-way outgoing trust for each Account Forest where the Resource Forest trusts the Account Forest. Let us validate the configuration in the Active Directory Domain and the Resource Forest Trusts which should be similar to Figure 9.

 

.
Figure 9: Resource Forest Trusts

 

Now looking at the Active Directory Domain and Trusts in the Account Forest, we should have a result similar to Figure 10.

 


Figure 10: The Active Directory Domain and Trusts in one of the Account Forests

 

We now have a new Resource forest setup with Exchange Server 2007 and we have created one-way outgoing trusts for the Account Forests.

 

Conclusion

 

In this article, we have just seen the two types of multi-forest implementations that we are able to deploy in Exchange Server 2007. We also started the process of implementing a resource forest from scratch using two existent account forests and building a new resource forest to host the mailboxes. We also worked on the infrastructure to use the Exchange Server 2007 Resource Forest. In the next article, we are going to get more action working on Exchange 2007.

 

More Information:
How to create a forest Trust

 

Checklist to create a forest trust

 

Installing Exchange Server 2007

 

If you would like to read the next part in this article series please go to Deploying an Exchange Resource Forest (Part 2)

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top