Deep dive into rich coexistence between Exchange Forests (Part 12)


In part 11, we exported the Exchange certificate from the CAS server in Exchange forest 1 (Exchange 2010) and imported it on the CAS server in Exchange forest 2 (Exchange 2007). Then we verified cross-forest free/busy requests and calendar sharing using OWA 2007 and Outlook 2007 worked from Exchange forest 2 (Exchange 2007) against Exchange forest 1 (Exchange 2010).

In this part 12, we will begin setting up cross-forest availability between Exchange forest 1 (Exchange 2010) and Exchange forest 3 (Exchange 2003). Since Exchange 2003, unlike Exchange 2007/2010, doesn’t include the availability service, we need to use the InterOrg tool to replicate free/busy information from Exchange 2003 to Exchange 2010 and vice versa.

As I mentioned earlier on in this article series, there are two other approaches to get free/busy requests to work between an Exchange 2003 and Exchange 2010 forest. Both require that you deploy an Exchange 2010 server in the Exchange 2003 forest and then either use the availability service or the Microsoft Federation Gateway (MFG) to get free/busy to work cross-forest. However, these approaches are outside the scope of this article series.

Preparing the Exchange 2003 Forest

So we already have contact and Mail-enabled User (MEU) objects replicated between Exchange forest 1 and 3. But before we can configure the InterOrg tool, we need to do quite a few preparation steps.

First we need to create a mailbox-enabled service account required by the InterOrg tool. To do so, log on to an Exchange 2003 server and then open the Active Directory Users and Computers (ADUC) MMC snap-in. Here, launch the New User wizard.

Give the service account a meaningful name then click “Next”.

Figure 1: Giving the new service account a meaningful name

Now give the account a password and tick “Password never expires” then click “Next”.

Figure 2: Setting a password and ticking Password never expires

Since InterOrg requires the service account to have a mailbox, make sure to tick “Create an Exchange Mailbox” and click “Next”.

Make sure you create the mailbox on the server that holds the public folder database or more precisely the server on which you create the public folder required by InterOrg.

Figure 3: Creating a mailbox for the service account

Now click “Finish” to exit the “New User” wizard.

Figure 4: Finishing the New User wizard

Now that we have created the service account, let’s move on and create a new public folder also required by InterOrg. To do so open the Exchange 2003 System Manager and then expand “Folders”.

Now right-click on “Public Folders” and select “New” > “Public Folder” in the context menu as shown in Figure 5.

Figure 5: Creating the public folder required by IORepl

Name the new public folder “ExchsyncSecurityFolder”. Although optional, you can also enter a description for the public folder.

The public folder must be named “ExchsyncSecurityFolder” as this name is hardcoded in InterOrg.

Click “OK” to complete the creation of the public folder.

Figure 6: Naming the new public folder

Now open the property page for the new public folder. On the property page, click the “Permissions” tab.

Figure 7: Client Permissions for Public Folder

Click “Add” and then add the IORepl service account we created earlier.

Figure 8: Adding the InterOrg service account to the permission list

The service account only needs “Folder Visible” permissions as shown in Figure 9.

Figure 9: Assigning the service account Folder Visible permissions

Also make sure you remove the “Default” user from the permissions list then click “OK”.

OK, we have now prepared Exchange forest 3 (Exchange 2003) for the configuration of the InterOrg tool.

Preparing the Exchange 2010 Forest

It’s time to prepare the Exchange 2010 side of things, so let’s switch to Exchange forest 1 (Exchange 2010). Here we pretty much need to go through the same steps as we did in Exchange forest 3. However, since we’re dealing with different Exchange versions, the steps differ a bit.

Log on to an Exchange 2010 server and then launch the Exchange 2010 Management Console. Expand “Organization Configuration” and click “Mailbox”, then select the “Database Management” tab. If one doesn’t already exist, we need to create a Public Folder database. If one is already in place, you can skip this step.

The public folder database that is to hold the public folder required by InterOrg must be stored on the Client Access server and not the Mailbox server. In addition, the InterOrg service account mailbox must also be stored in a mailbox database on this CAS server. Because of this, you need to install the Mailbox server role on the CAS server.

Figure 10: Creating a Public Folder database on the Exchange 2010 CAS server

Launch the “New Public Folder Database” wizard, then give the public folder database a meaningful name. Since the public folder required by InterOrg must be stored on the CAS server, make sure to specify the server holding the CAS server role and Mailbox server roles.

Figure 11: Selecting the Exchange 2010 CAS server as source server

Change the database and log folder path accordingly and click “Next”.

Figure 12: Changing the Database and log folder path for the new Public Folder database

Click “New” to create the public folder database.

Figure 13: Creating the new Public Folder database

Finally click “Finish” to exit the wizard.

Figure 14: Finishing the New Public Folder Database wizard

If you only have one Exchange 2010 server in the Exchange 2010 forest, you must also disable the SSL requirement for the Public virtual directory in the IIS Manager.

Figure 15: Disabling SSL requirement on the public virtual directory

Now let’s create the InterOrg service account/mailbox. To do so click on the “Recipient Configuration” work center node then launch the “New Mailbox” wizard. When the wizard appears, select “User Mailbox” and click “Next”.

Figure 16: Selecting User Mailbox on the Introduction page

Make sure “New user” is selected then click “Next”.

Figure 17: Selecting New User on the User Type page

Click “Browse” and specify the organizational unit in which the service account should be created, then fill out the required fields as shown in Figure 18. When done, click “Next”.

Figure 18: Filling out the User Information page

On the “Mailbox Settings” page, tick “Specify the mailbox database rather than using a database automatically selected” then click “Browse”. Select the database stored on the CAS server (now also holding the mailbox server role) and click “Next”.

Figure 19: Selecting the mailbox database stored on the Exchange 2010 CAS server

Click “Next”.

Figure 20: Archive Settings page

Click “New” to create the mailbox.

Figure 21: New Mailbox page

Click “Finish” to exit the “New Mailbox” wizard.

Figure 22: New Mailbox Completion page

If you have more than one CAS server in the Exchange 2010 forest, chances are you also created a CAS array and set this CAS array as the RPC Client Access server endpoint on all mailbox databases in the forest. In order to make sure clients use the CAS server on which the public folder database used by InterOrg is stored, you should make sure the mailbox database hosting the InterOrg service account mailbox is configured to point to the server FQDN of the respective CAS server and not the FQDN associated with the CAS array as shown in Figure 23.

Figure 23: Making sure the mailbox database on the CAS server points to the server FQDN

With the service account mailbox created and the mailbox database configured properly, we can move on to creating the “ExchsyncSecurityFolder” public folder required by InterOrg. To create the public folder, click the “Toolbox” in the Exchange Management Console. In the toolbox, launch the “Public Folder Management Console”.

Figure 24: Launching the Public Folder Management Console

Make sure the PF Management console is connected to the public folder database stored on the Exchange 2010 CAS server (now also running the Mailbox server role) and then right-click “Default Public Folders”. In the context menu select “New Public Folder”.

Figure 25: Creating a new public folder

Name the public folder “ExchsyncSecurityFolder” and click “Next”.

Figure 26: Naming the new public folder

On the “Completion” page click “Finish”.

Figure 27: Completion page

With the public folder created, let’s open the property page so that we can assign the required permissions to the IORepl service account.

Figure 28: Opening the property page for the public folder

On the property page, select the “Permissions” tab.

Figure 29: Property page for the public folder

Remove the “Default” and “Anonymous” accounts from the permission list.

Figure 30: Default permissions

Now add the InterOrg service account to the list and assign it “Folder visible” permissions just like you did in the Exchange 2003 forest.

Figure 31: Adding the IORepl service account to the permissions list

The last thing we need to do in the Exchange 2010 forest is to add the SMTP domain used in the Exchange 2003 forest to the availability address space list. To do so, open the Exchange Management Shell and type the following command:

Add-AvailabilityAddressSpace -ForestName "<SMTP domain of the Exchange 2003 forest>" -AccessMethod PublicFolder

Figure 32: Adding the SMTP domain used in the Exchange 2003 forest to the Availability Address Space list

Unlike when adding an Exchange 2007 or 2010 forest to the list, we specify PublicFolder as the access method since all free/busy requests need to go through public folders.
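
To confirm that the Exchange 2010 side ended up as the steps above describe (folder permissions, RPC Client Access endpoint and availability address space), a read-only check like the following can be run in the Exchange Management Shell. It is an added example, not part of the original article; the service account, server and domain names are placeholders.

```powershell
# Added example: read-only audit, run in the Exchange 2010 Management Shell.
# The last three values are placeholders (assumptions); substitute your own.
$FolderPath     = '\ExchsyncSecurityFolder'   # folder name required by InterOrg
$ServiceAccount = 'svc-iorepl'                # hypothetical service account
$CasServer      = 'cas01.forest1.example'     # hypothetical CAS + Mailbox server FQDN
$Ex2003Domain   = 'forest3.example'           # hypothetical Exchange 2003 SMTP domain
$findings = @()

# 1. Public folder ACL: Default and Anonymous removed, service account Folder Visible only.
$acl = @(Get-PublicFolderClientPermission -Identity $FolderPath -Server $CasServer)
$seenServiceAccount = $false
foreach ($ace in $acl) {
    $user   = "$($ace.User)"
    $rights = (@($ace.AccessRights) | ForEach-Object { "$_" }) -join ','
    if ($user -eq 'Default' -or $user -eq 'Anonymous') {
        $findings += "ACL: '$user' is still listed with '$rights'."
    } elseif ($user -like "*$ServiceAccount") {
        $seenServiceAccount = $true
        if ($rights -ne 'FolderVisible') {
            $findings += "ACL: service account has '$rights', expected FolderVisible."
        }
    } else {
        $findings += "ACL: review additional entry '$user' ($rights)."
    }
}
if (-not $seenServiceAccount) { $findings += "ACL: '$ServiceAccount' has no entry." }

# 2. Service account mailbox database must point at the CAS server FQDN, not the CAS array.
$mailbox = Get-Mailbox -Identity $ServiceAccount
$db      = Get-MailboxDatabase -Identity "$($mailbox.Database)"
if ("$($db.RpcClientAccessServer)" -ne $CasServer) {
    $findings += "Database '$($db.Name)' uses RPC endpoint '$($db.RpcClientAccessServer)'."
}

# 3. Availability address space for the Exchange 2003 domain must use PublicFolder.
$space = Get-AvailabilityAddressSpace | Where-Object { $_.ForestName -eq $Ex2003Domain }
if (-not $space) {
    $findings += "No availability address space for '$Ex2003Domain'."
} elseif ("$($space.AccessMethod)" -ne 'PublicFolder') {
    $findings += "Address space uses '$($space.AccessMethod)', expected PublicFolder."
}

if ($findings.Count -eq 0) { 'All checks passed.' } else { $findings }
```

Entries flagged for review are typically the account that created the folder; decide per environment whether they should remain.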

This concludes part 12.

If you would like to be notified of when Henrik Walther releases the next part in this article series please sign up to our Real Time Article Update newsletter.
