Deep dive into rich coexistence between Exchange Forests (Part 11)


Introduction

 

In part 10, we began the configuration steps necessary to establish free/busy sharing between Exchange forest 2 (Exchange 2007 forest) and Exchange forest 1 (Exchange 2010 forest). We decided to use the per-user free/busy method so that users in each org can see detailed free/busy information for mail users cross-forest.

 

In this part 11, we will continue where we left off in part 10. We will export the Exchange certificate from the CAS server in Exchange forest 1 (Exchange 2010) and import it on the CAS server in Exchange forest 2 (Exchange 2007). Finally, we will test cross-forest free/busy requests and calendar sharing using OWA 2007 and Outlook 2007.

 

Exporting Certificates from Exchange Forest 1 (Exchange 2010)

 

Since the Exchange 2007 CAS server in Exchange forest 2 needs to trust the certificate installed on the Exchange 2010 CAS server in Exchange forest 1, and because the certificate for Exchange 2010 has been issued by an internal PKI, we need to export the root and intermediate certificates from Exchange forest 1 (Exchange 2010) and import them on the CAS server in Exchange forest 2 (Exchange 2007).

 

To export the root and intermediate certificates, log on to a server in Exchange forest 1 (Exchange 2010), click Start > Run and type “MMC”. In the empty MMC, click File > Add/Remove Snap-in.

 


Figure 1: Opening an empty MMC Snap-in

 

In the Add or Remove Snap-ins window, select “Certificates” and click Add.

 


Figure 2: Adding the Certificates snap-in

 

In the Certificates snap-in dialog box, select “Computer account” and click Next.

 


Figure 3: Selecting computer account store

 

Leave the defaults and click Finish.

 


Figure 4: Selecting the computer the snap-in should manage

 

With the Certificates snap-in added, expand Trusted Root Certification Authorities and select Certificates. In the right pane, right-click the root certificate you wish to export and select All Tasks > Export in the context menu.

 


Figure 5: Selecting export in the certificate context menu

 

The Certificate Export Wizard launches. Click Next.

 


Figure 6: Certificate Export Wizard welcome page

 

On the Export File Format page, select DER encoded binary X.509 (.CER) or Base-64 encoded X.509 (.CER), then click Next.

 


Figure 7: Selecting the export file format

 

Now specify the path and name for the certificate to be exported and click Next.

 


Figure 8: Specifying the path and name for the certificate to be exported

 

Click Finish.

 


Figure 9: Completing the certificate export wizard

 

Now expand the Intermediate Certification Authorities container and repeat the above steps so that the respective intermediate certificate for the internal PKI is exported as well.

 

Importing Certificates to Exchange Forest 2 (Exchange 2007)

 

Okay, now it’s time to import those two certificates into the Trusted Root Certification Authorities and Intermediate Certification Authorities stores on the CAS server in Exchange forest 2 (Exchange 2007). To do so, log on to the Exchange 2007 CAS server in Exchange forest 2 (Exchange 2007 forest). Then open an empty MMC and add the Certificates snap-in just like we did in the previous section.

 

Expand the Trusted Root Certification Authorities container then right-click Certificates and select All Tasks > Import.

 


Figure 10: Selecting import in the certificate context menu

 

Click Next.

 


Figure 11: Certificate Import Wizard welcome page

 

Now specify the path to the root certificate we exported from Exchange forest 1 (Exchange 2010) and click Next.

 


Figure 12: Specifying the path and name to the certificate to be imported

 

On the Certificate Store page, make sure the certificate will be placed in the Trusted Root Certification Authorities store and click Next.

 


Figure 13: Specifying the store where the certificate will be placed

 

On the completing wizard page, click Finish.

 


Figure 14: Completing the certificate import wizard

 

Again, repeat the above steps, but this time import the intermediate certificate into the Intermediate Certification Authorities store.

 

After having imported the certificates I recommend you reboot the Exchange 2010 CAS server to make sure it picks up the two new certificates.
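
One way to confirm the import on the Exchange 2007 CAS server in Exchange forest 2, as an added PowerShell example that is not part of the original article: it compares each exported file's thumbprint with the value recorded on the Exchange forest 1 server, checks that the certificate sits in the intended local computer store, and builds the chain. The file paths and thumbprint values are placeholders (assumptions), not values from the article.

```powershell
# Run on the Exchange 2007 CAS server in Exchange forest 2 after both imports.
# Paths and expected thumbprints below are placeholders (assumptions); record the
# real thumbprints on the Exchange forest 1 server (certificate Details tab).
$ns    = 'System.Security.Cryptography.X509Certificates'
$items = @(
    @{ Path = 'C:\Temp\forest1-root.cer';         Store = 'Root'; Expected = '<ROOT-THUMBPRINT>' },
    @{ Path = 'C:\Temp\forest1-intermediate.cer'; Store = 'CA';   Expected = '<INTERMEDIATE-THUMBPRINT>' }
)

foreach ($i in $items) {
    # DER and Base-64 encoded .CER files both load through the same constructor.
    $cert = New-Object "$ns.X509Certificate2" -ArgumentList $i.Path

    # The Details tab shows the thumbprint with spaces; keep only the hex digits.
    $expected = ($i.Expected -replace '[^0-9A-Fa-f]', '').ToUpper()
    $thumbOk  = ($cert.Thumbprint -eq $expected)

    # Look the certificate up in the local computer store it was imported into
    # ('Root' = Trusted Root Certification Authorities, 'CA' = Intermediate).
    $store = New-Object "$ns.X509Store" -ArgumentList $i.Store, 'LocalMachine'
    $store.Open('ReadOnly')
    $found = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
    $store.Close()

    # A root CA certificate is self-signed (subject equals issuer); the
    # intermediate is expected to report False here.
    $selfSigned = ($cert.Subject -eq $cert.Issuer)

    "{0}: thumbprint match={1}, in LocalMachine\{2}={3}, self-signed={4}" -f `
        $i.Path, $thumbOk, $i.Store, ($found.Count -gt 0), $selfSigned
}

# Build the chain for the intermediate using only what this server now trusts.
# Revocation checking is switched off so the test isolates the trust path.
$inter = New-Object "$ns.X509Certificate2" -ArgumentList $items[1].Path
$chain = New-Object "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if ($chain.Build($inter)) {
    'Chain OK: ' + [string]::Join(' <- ', @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }))
} else {
    $chain.ChainStatus | ForEach-Object { 'Chain error: ' + $_.Status + ' ' + $_.StatusInformation }
}
```

A thumbprint mismatch means the file is not the certificate that was inspected on the source server and should not remain in the Trusted Root Certification Authorities store.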

 

Modifying the EWS Web.config File on the CAS Server in Exchange Forest 1

 

Unlike Exchange 2007, we do not need to modify the EWS web.config file on the Exchange 2010 CAS server, as the maximumQueryIntervalDays value now matches between the two Exchange CAS servers.

 

Testing Cross-Forest Free/busy Queries from Exchange 2007 to Exchange 2010

 

Okay, we have once again reached an exciting moment. More specifically, we now need to test whether an Exchange 2007 user in Exchange forest 2 can look up free/busy information for an Exchange 2010 user in Exchange forest 1.

 

Let’s first try this using OWA 2007. Below we have logged on to OWA 2007 using an Exchange user in Exchange forest 2. The two persons added by the meeting organizer are mail user objects replicated via FIM 2010 from Exchange forest 1 to Exchange forest 2. As you can see free/busy lookups work just fine.

 


Figure 15: Cross-forest free/busy lookups using OWA 2007

 

Now let’s open an Outlook 2007 client and create a new meeting request with the same Exchange 2010 users added to the meeting. Again we retrieve the requested free/busy information just fine. Also note that we do not see detailed free/busy information for any of the Exchange 2010 users. As you probably recall, back when we set up the Exchange forest 1 (Exchange 2010) availability address space in Exchange forest 2 (Exchange 2007), we used the per-user free/busy method, which allows us to also see detailed cross-forest free/busy information for users.

 


Figure 16: Cross-forest free/busy lookups using Outlook 2007

 

By default, users only have non-detailed free/busy access to another user’s mailbox (see Figure 18), but when configuring directory synchronization using a product such as FIM 2010 (which supports cross-forest delegation), we can assign mail users from one forest to the calendar permission list on a mailbox in another Exchange forest.

 


Figure 17: Default free/busy permissions for all users

 

In this case, we added the mail user object that represents Andreas Berglund (who has a mailbox in Exchange forest 2) in Exchange forest 1 to the calendar permission list of Andreas Berglund, who has a mailbox in Exchange forest 1.

 


Figure 18: User specific free/busy permissions

 

Users can be assigned permissions by adding them specifically to the permission list, but since we have established SMTP mail flow between the forests, we can of course also use the “Share my Calendar” Outlook feature to accomplish this.

 


Figure 19: Sharing calendar with a mail user representing user in another forest

 

It doesn’t stop there. Because of the cross-forest delegation support in FIM 2010, you can also open the calendar of a user in the other forest.

 


Figure 20: Opening calendar for user in other forest

 

This concludes part 11 of this article series. See you soon.

 
