Understanding and using the External Associated Account in Windows Server 2003 and Exchange 2003
There are some special cases in which you want to separate your Active Directory Forest from your Exchange configuration. Without a separate Forest, separating the administration of Exchange objects from that of Windows objects can be very difficult. It is therefore possible to create a dedicated Exchange Forest, called the Resource Forest. An Exchange Resource Forest is a Forest running Exchange and hosting mailboxes. With a Resource Forest you place only Exchange resources in this Forest, while the user accounts, groups and so on reside in the normal Active Directory Forest, called the Account Forest. To establish this scenario you must create a Windows Trust between the Exchange Resource Forest and the Windows Account Forest. In most environments you will also need a provisioning process that synchronizes the Active Directory Accounts created in the Account Forest to the Exchange Resource Forest. The provisioning process creates a disabled user with an Exchange Mailbox in the Resource Forest.
One other reason for the implementation of an Exchange Resource Forest is the sharing of FreeBusy information and the possibility to enable the delegation features in Exchange between two different Active Directory Forests which don't trust the other in all ways.
If you only need to share FreeBusy information, you can use the InterOrg replication tool which is free from Microsoft. For more information about the InterOrg Replication tool, read the following article.
If any Account in the Account Forest has a SID History, you must turn off SID Filtering on the Trust between the Account Forest and the Resource Forest. The question is: when does a user account have a SID History? The answer is simple. If you migrate from Exchange 5.5 to Exchange 2003 with an external migration method, each new Active Directory Account retains its old SID in the SIDHistory attribute. With SID History the newly created accounts can still access the resources in the Exchange 5.5 organization. Another reason for a populated SIDHistory attribute is the use of ADMT (Active Directory Migration Tool) when you move Accounts from one Forest to another Forest.
Advantages / Disadvantages of a Resource Forest
The main reason to deploy a dedicated Exchange Resource Forest is security: it makes it possible to separate Exchange administration from Active Directory administration.
The primary disadvantage is the significant Administration overhead and the investment in additional Domain Controllers, Global Catalog Servers and Exchange Servers. You will also need a provisioning process if you don't want to create every account manually in both the Account and Resource Forest.
The External Associated Account
You can link an Account to a mailbox with the External Associated Account attribute. Although it is displayed in the list of permissions in Active Directory, the Associated External Account attribute is not a true permission. The External Associated Account attribute is set only on a disabled user account in the Exchange Resource Forest, and this disabled User Account is associated with a User Account in the Active Directory Account Forest. Figure 1 gives you more information about the External Associated Account. In Forest A there are users, for example USER01. In Forest B there are the User Accounts associated with the accounts from Forest A. These accounts are disabled but have an Exchange Mailbox in the dedicated Exchange Forest. Forest B trusts Forest A so that User Accounts in Forest A can access their Exchange Mailboxes in Forest B.
Figure 1: Resource and Account Forest with Trust relationship
- The external account must be a Windows NT User or a User in an Active Directory that is in a different forest from where the Exchange 200x server resides.
- There must be a trust relationship between the domain in the Active Directory Forest where the real accounts exist and the Exchange Resource Forest where the Exchange user object resides. The Exchange Resource Forest must trust the Active Directory Account Forest.
- Create a Mail enabled User Account in the Exchange Resource Forest and disable this Account.
- Create a User Account in the trusted Windows 200x Active Directory Account Forest.
- Set the msExchMasterAccountSID attribute of the Mailbox enabled User Account in the Exchange Resource Forest to the Security Identifier of the User Account in the Active Directory Account Forest. Some Third Party tools allow you to set the msExchMasterAccountSID automatically. You can also set the msExchMasterAccountSID with tools like ADSIEDIT.
Figure 2: msExchMasterAccountSID in ADSIEDIT
- On the Mailbox enabled User Account that you created, modify the Security Descriptor to add an Access Control Entry (ACE) with the trustee set to the User Account from the Active Directory Account Forest with the rights to Read, Associated External Account and Full Mailbox Access.
Figure 3: Associate the External Associated Account
Don't use the External Associated Account attribute for an enabled Active Directory Account with an associated Mailbox, because this can cause odd behaviour such as lost permissions and some other problems.
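The steps above come down to two facts per resource-forest user: the account is disabled, and its msExchMasterAccountSID holds the binary SID of an account from a trusted Account Forest domain. The following Python is an added example, not part of the original article, that converts between the text and binary SID forms AD uses for that attribute and audits a set of user records for the deviations the article warns about (a disabled mailbox user with no master account SID, an enabled account that still carries one, a SID from a domain outside the trust). All SIDs, account names and the mailbox store DN are constructed; in practice the records would come from an LDAP export of the Resource Forest.

```python
"""Audit of Exchange Resource Forest mailbox users for the External Associated
Account pattern (msExchMasterAccountSID).  Added example with constructed data."""
import struct

UF_ACCOUNTDISABLE = 0x0002  # userAccountControl bit for a disabled account


def sid_to_bytes(sid: str) -> bytes:
    """Convert 'S-1-5-21-...' text to the binary SID layout stored in AD:
    revision (1 byte), sub-authority count (1 byte), 48-bit identifier
    authority (big-endian), then 32-bit sub-authorities (little-endian)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID carries at most 15 sub-authorities")
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes; rejects truncated or padded attribute values."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match value length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return f"S-{revision}-{authority}" + "".join(f"-{s}" for s in subs)


def domain_sid(sid: str) -> str:
    """The account's domain SID is the SID with the trailing RID removed."""
    return sid.rsplit("-", 1)[0]


def audit_resource_forest(users, trusted_domain_sids):
    """Return (sAMAccountName, finding) for every mailbox-enabled user that
    deviates from the pattern: disabled account whose msExchMasterAccountSID
    names an account in a trusted Account Forest domain."""
    findings = []
    for u in users:
        if not u.get("homeMDB"):
            continue  # not mailbox-enabled, so the EAA does not apply
        disabled = bool(u["userAccountControl"] & UF_ACCOUNTDISABLE)
        raw = u.get("msExchMasterAccountSID")
        if raw is None:
            if disabled:
                findings.append((u["sAMAccountName"],
                                 "disabled mailbox user without msExchMasterAccountSID: "
                                 "no external account can open this mailbox"))
            continue
        master = bytes_to_sid(raw)
        if not disabled:
            findings.append((u["sAMAccountName"],
                             f"enabled account carries msExchMasterAccountSID {master}; "
                             "the EAA is only for disabled resource-forest accounts"))
        if domain_sid(master) not in trusted_domain_sids:
            findings.append((u["sAMAccountName"],
                             f"msExchMasterAccountSID {master} is not from a trusted "
                             "Account Forest domain"))
    return findings


# Constructed sample: one Account Forest domain (Forest A) and a few
# resource-forest user objects (Forest B).  Names and SIDs are hypothetical.
ACCOUNT_FOREST_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
MDB = "CN=Mailbox Store,CN=First Storage Group,CN=EXCH01,DC=resource,DC=example"
SAMPLE_USERS = [
    {"sAMAccountName": "user01", "userAccountControl": 0x0202, "homeMDB": MDB,
     "msExchMasterAccountSID": sid_to_bytes(ACCOUNT_FOREST_DOMAIN + "-1105")},
    {"sAMAccountName": "user02", "userAccountControl": 0x0202, "homeMDB": MDB,
     "msExchMasterAccountSID": None},
    {"sAMAccountName": "user03", "userAccountControl": 0x0200, "homeMDB": MDB,
     "msExchMasterAccountSID": sid_to_bytes(ACCOUNT_FOREST_DOMAIN + "-1106")},
    {"sAMAccountName": "user04", "userAccountControl": 0x0202, "homeMDB": MDB,
     "msExchMasterAccountSID": sid_to_bytes("S-1-5-21-444444444-555555555-666666666-500")},
    {"sAMAccountName": "svc-mailenabled", "userAccountControl": 0x0202,
     "homeMDB": None, "msExchMasterAccountSID": None},
]


def sample_findings():
    return audit_resource_forest(SAMPLE_USERS, {ACCOUNT_FOREST_DOMAIN})


if __name__ == "__main__":
    for name, finding in sample_findings():
        print(f"{name}: {finding}")
```

Only user01 passes: user02 has no master account SID, user03 is the enabled-account case from the warning above, and user04 points at a domain the Resource Forest does not trust, so its owner could never be resolved through the Trust.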
A complete description of the provisioning process is out of the scope of this article, but here is some basic information. If you don't want to create every Account by hand in both the Active Directory Account Forest and the Exchange Resource Forest, you must use scripts to automate this process or use Third Party Software which automates it for you.
Other ways to assign the EAA
There are two ways to assign the EAA:
- Using Active Directory Users and Computers: assign the MAPI permissions (the EAA and the Full Mailbox right) and the Send As right (a directory permission).
- In Exchange 2003 SP1 Microsoft added this task to the Exchange Tasks (right click account in AD Users and Computers, select Exchange Tasks).
Thanks to Michael Vorbeck who gave me this additional information.
In this article I tried to give you an overview about the External Associated Account and how to implement a separate Exchange Resource Forest and an Active Directory Account Forest.
Granting Access to External Accounts
How to associate an external account with an existing Exchange 2000 mailbox
The NoMAS Tool