Deep dive into rich coexistence between Exchange Forests (Part 9)

If you would like to read the other parts in this article series please go to:

 

 

 

Introduction

 

In part 8, we began on the configuration steps necessary to establish free/busy sharing between Exchange forest 1 (Exchange 2010 forest) and Exchange forest 2 (Exchange 2007 forest). We decided to use the per-user free/busy method so that users in each org can see detailed free/busy information for mail users cross-forest.

 

In this part 9, we will continue where we left off in part 8. We will export the Exchange certificate from the CAS server in Exchange forest 2 (Exchange 2007) and import it on the CAS server in Exchange forest 1 (Exchange 2010). In addition, we will modify the EWS web.config file on the CAS in Exchange forest 2. Finally, we will test cross-forest free/busy requests and calendar sharing using OWA 2010 and Outlook 2010.

 

Exporting Certificates from Exchange Forest 2 (Exchange 2007)

 

Since the Exchange 2010 CAS server in Exchange forest 1 needs to trust the certificate installed on the Exchange 2007 CAS server in Exchange forest 2, and because the Exchange 2007 certificate has been issued by an internal PKI, we need to export the root and intermediate certificates from Exchange forest 2 (Exchange 2007) and import them on the CAS server in Exchange forest 1 (Exchange 2010).

 

To export the root and intermediate certificates, log on to a server in Exchange forest 2 (Exchange 2007), click Start > Run and type “MMC”. In the empty MMC click File > Add/Remove Snap-in.

 


Figure 1: Opening an empty MMC Snap-in

 

In the Add or Remove Snap-ins window, select “Certificates” and click Add.

 


Figure 2: Adding the Certificates snap-in

 

In the Certificates snap-in dialog box select “Computer account” and click Next.

 


Figure 3: Selecting computer account store

 

Leave the defaults and click Finish.

 


Figure 4: Selecting the computer the snap-in should manage

 

With the Certificates snap-in added, expand Trusted Root Certification Authorities and select Certificates. In the right pane, right-click the root certificate you wish to export and select All Tasks > Export from the context menu.

 


Figure 5: Selecting export in the certificate context menu

 

The Certificate Export Wizard launches. Click Next.

 


Figure 6: Certificate Export Wizard welcome page

 

On the Export File Format page select DER encoded binary X.509 (.CER) or Base-64 encoded X.509 (.CER), then click Next.

 


Figure 7: Selecting the export file format

 

Now specify the path and name for the certificate to be exported and click Next.

 


Figure 8: Specifying the path and name for the certificate to be exported

 

Click Finish.

 


Figure 9: Completing the certificate export wizard

 

Now expand the Intermediate Certification Authorities container and repeat the above steps so that the respective intermediate certificate for the internal PKI is exported as well.

 

Importing Certificates to Exchange Forest 1 (Exchange 2010)

 

Okay, now it’s time to import those two certificates into the Trusted Root Certification Authorities and Intermediate Certification Authorities stores on the CAS server in Exchange forest 1 (Exchange 2010). To do so, log on to the Exchange 2010 CAS server in Exchange forest 1 (Exchange 2010 forest). Then open an empty MMC and add the Certificates snap-in just like we did in the previous section.

 

Expand the Trusted Root Certification Authorities container then right-click Certificates and select All Tasks > Import.

 


Figure 10: Selecting import in the certificate context menu

 

Click Next.

 


Figure 11: Certificate Import Wizard welcome page

 

Now specify the path to the root certificate we exported from Exchange forest 2 (Exchange 2007) and click Next.

 


Figure 12: Specifying the path and name to the certificate to be imported

 

On the Certificate Store page make sure the certificate will be placed in the Trusted Root Certification Authorities store and click Next.

 


Figure 13: Specifying the store where the certificate will be placed

 

On the completing wizard page, click Finish.

 


Figure 14: Completing the certificate import wizard

 

Again, repeat the above steps, but this time import the intermediate certificate into the Intermediate Certification Authorities store.

 

After having imported the certificates, I recommend you reboot the Exchange 2010 CAS server to make sure it picks up the two new certificates.
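The same export, import and trust check done from PowerShell instead of the MMC wizard, as an added example that is not part of the original article; the CA subject names and the C:\CertExport path are placeholders for your own PKI:

```powershell
# Added example (not from the original article): export the internal PKI's root and
# intermediate CA certificates on a server in Exchange forest 2, import them on the
# Exchange 2010 CAS in forest 1, and confirm the chain builds afterwards. Uses .NET
# X509Store so it also runs on PowerShell 2.0. Subjects and paths are placeholders.
$exportDir      = "C:\CertExport"            # placeholder path
$rootSubject    = "CN=Contoso Root CA"       # placeholder: your root CA's subject
$issuingSubject = "CN=Contoso Issuing CA"    # placeholder: your intermediate CA's subject

function Export-CaCert([string]$StoreName, [string]$Subject, [string]$OutFile) {
    # "Root" = Trusted Root Certification Authorities, "CA" = Intermediate Certification Authorities
    $store = New-Object Security.Cryptography.X509Certificates.X509Store($StoreName, "LocalMachine")
    $store.Open("ReadOnly")
    $cert = $store.Certificates | Where-Object { $_.Subject -eq $Subject } | Select-Object -First 1
    $store.Close()
    if (-not $cert) { throw "No certificate with subject '$Subject' in LocalMachine\$StoreName" }
    # DER-encoded .cer, the wizard's first option: public certificate only, no private key
    [IO.File]::WriteAllBytes($OutFile, $cert.Export("Cert"))
    Write-Host "Exported $Subject ($($cert.Thumbprint)) to $OutFile"
}

function Import-CaCert([string]$StoreName, [string]$File) {
    $cert  = New-Object Security.Cryptography.X509Certificates.X509Certificate2($File)
    $store = New-Object Security.Cryptography.X509Certificates.X509Store($StoreName, "LocalMachine")
    $store.Open("ReadWrite")     # needs an elevated session
    $store.Add($cert)            # no-op if that thumbprint is already in the store
    $store.Close()
    Write-Host "Imported $($cert.Subject) ($($cert.Thumbprint)) into LocalMachine\$StoreName"
    return $cert
}

function Test-CaChain([Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Builds the chain against this machine's stores. It only succeeds once the root is
    # trusted here and the CRL distribution points are reachable from this CAS, so a
    # failure with RevocationStatusUnknown points at CRL reachability, not at the import.
    $chain = New-Object Security.Cryptography.X509Certificates.X509Chain
    $ok = $chain.Build($Cert)
    if (-not $ok) { $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" } }
    return $ok
}

# Step 1, on a server in Exchange forest 2 (Exchange 2007):
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
Export-CaCert "Root" $rootSubject    "$exportDir\root.cer"
Export-CaCert "CA"   $issuingSubject "$exportDir\intermediate.cer"

# Step 2, on the Exchange 2010 CAS in Exchange forest 1, after copying the two .cer files over:
Import-CaCert "Root" "$exportDir\root.cer" | Out-Null
$issuing = Import-CaCert "CA" "$exportDir\intermediate.cer"
if (Test-CaChain $issuing) { Write-Host "Chain builds: the forest 2 PKI is now trusted on this CAS" }
```

Run step 1 and step 2 on their respective servers; the chain check at the end is the quickest way to tell an incomplete import apart from a CRL that the Exchange 2010 CAS cannot reach.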

 

Modifying the EWS Web.config File on the CAS Server in Exchange Forest 2

 

When configuring cross-forest availability, there’s a known issue with cross-forest free/busy queries made against users in an Exchange 2007 forest. They simply fail, and if you look in the Application log on the Exchange 2007 CAS server, you see Event ID 4002 logged. Below is a snippet from the information pane of such an event:

 

Microsoft.Exchange.InfoWorker.Common.Availability.TimeIntervalTooBigException: The requested time duration specified for FreeBusyViewOptions.TimeWindow is too long. The allowed limit = 42 days; the actual limit = 61 days. —> The requested time duration specified for FreeBusyViewOptions.TimeWindow is too long. The allowed limit = 42 days; the actual limit = 61 days.

 

As you can see, the Exchange 2007 CAS server says the allowed limit for free/busy queries is 42 days, but the incoming request tries to get free/busy information for 61 days.

 

So before we begin testing whether free/busy queries from Exchange forest 1 (Exchange 2010) to Exchange forest 2 (Exchange 2007) work as expected, we should fix this issue. We can do so by adding the following to the EWS Web.config file located under C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Exchweb\EWS:

 

<appSettings>
    <add key="maximumQueryIntervalDays" value="62" />
</appSettings>

 


Figure 15: Modifying the EWS Web.config file

 

It’s important that you add the above to the right section of the Web.config file (the appSettings element sits directly under the root configuration element); otherwise you will see other errors in the Application log when the Web.config file is loaded.

 

After you have saved the Web.config file make sure to perform an IISReset in order to apply the changes.
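A scripted version of this Web.config edit, added here and not part of the original article, that backs the file up, inserts the key under the root configuration element and verifies the result before you run IISReset (the Web.config path is the one given above; the other names are just variables in the script):

```powershell
# Added example (not from the original article): add maximumQueryIntervalDays to the
# EWS Web.config as a direct child of <configuration>, keeping a backup and checking
# the result. The path is the one the article gives; confirm it on your own CAS first.
$webConfig = "C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Exchweb\EWS\Web.config"
$key   = "maximumQueryIntervalDays"
$value = "62"

# Keep a timestamped copy so a broken edit can be rolled back without reinstalling CAS
Copy-Item $webConfig "$webConfig.$(Get-Date -Format yyyyMMddHHmmss).bak"

[xml]$xml = Get-Content $webConfig
$config = $xml.DocumentElement
if ($config.Name -ne "configuration") { throw "Unexpected root element <$($config.Name)>" }

# appSettings must sit directly under <configuration>; placed elsewhere (e.g. inside
# <system.web>) it is not read as application settings and ASP.NET reports a configuration error
$appSettings = $config.SelectSingleNode("appSettings")
if (-not $appSettings) {
    $appSettings = $config.AppendChild($xml.CreateElement("appSettings"))
}

$existing = $appSettings.SelectSingleNode("add[@key='$key']")
if ($existing) {
    Write-Host "Key already present (value $($existing.GetAttribute('value'))); setting it to $value"
    $existing.SetAttribute("value", $value)
} else {
    $add = $xml.CreateElement("add")
    $add.SetAttribute("key", $key)
    $add.SetAttribute("value", $value)
    $appSettings.AppendChild($add) | Out-Null
}
$xml.Save($webConfig)

# Re-read the saved file: it must still parse, and the key must be at the expected path
[xml]$check = Get-Content $webConfig
$node = $check.SelectSingleNode("/configuration/appSettings/add[@key='$key']")
if (-not $node -or $node.GetAttribute("value") -ne $value) { throw "Verification failed; restore the .bak copy" }
Write-Host "OK: /configuration/appSettings/add[@key='$key'] = $value. Run iisreset to apply."
```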

 

Testing Cross-Forest Free/busy Queries from Exchange 2010 to Exchange 2007

 

Okay we have reached the exciting moment. We now need to test whether an Exchange 2010 user in Exchange forest 1 can look up free/busy information for an Exchange 2007 user in Exchange forest 2.

 

Let’s first try this using OWA 2010. Below we have logged on to OWA 2010 as an Exchange user in Exchange forest 1. The three persons added by the meeting organizer are mail user objects replicated via FIM 2010 from Exchange forest 2 to Exchange forest 1. As you can see, free/busy lookups work just fine.

 


Figure 16: Cross-forest free/busy lookups using OWA 2010

 

Now let’s open an Outlook 2010 client and create a new meeting request with the same Exchange 2007 users added to the meeting. Again we retrieve the requested free/busy information just fine. Also note that we can actually see detailed free/busy information for one of these users. As you probably recall, back when we set up the Exchange forest 2 (Exchange 2007) availability address space in Exchange forest 1 (Exchange 2010), we used the per-user free/busy method, which allows us to also see detailed cross-forest free/busy information for users.

 


Figure 17: Cross-forest free/busy lookups using Outlook 2010

 

By default a user only has non-detailed free/busy access to another user’s mailbox (see Figure 18), but when configuring directory synchronization using a product such as FIM 2010 (which supports cross-forest delegation) we can add mail users from one forest to the calendar permission list on a mailbox in another Exchange forest.

 


Figure 18: Default free/busy permissions for all users

 

In this case we added the mail user object in Exchange forest 2 that represents Alan Shen (who has a mailbox in Exchange forest 1) to the calendar permission list of Andreas Berglund, who has a mailbox in Exchange forest 2.

 


Figure 19: User specific free/busy permissions

 

Users can be assigned permissions by adding them explicitly to the permission list, but since we have established SMTP mail flow between the forests, we can of course also use Outlook’s “Share my Calendar” feature to accomplish this.

 


Figure 20: Sharing calendar with a mail user representing user in another forest

 

It doesn’t stop there. Because of the cross-forest delegation support in FIM 2010, you can also open the calendar of a user in the other forest.

 


Figure 21: Opening calendar for user in other forest

 

This concludes part 9 of this article series. See you soon.

 
