June 12, 2013

How to create a trust between Two Exchange Forests and enable free/busy

This question came up in an interview I had recently. If you have a federation trust and a forest trust in place, how would you enable free/busy access between the two forests? Both forests had Exchange 2010 environments; one was an acquisition. The full answer to this question has about 3 parts to it. You need to have:

1: A forest trust in place (Already in place)
2: An organizational relationship
3: Sharing policy

Create a forest trust
  1. Open Active Directory Domains and Trusts.
  2. In the console tree, right-click the domain node for the forest root domain, and then click Properties.
  3. On the Trust tab, click New Trust, and then click Next.
  4. On the Trust Name page, type the DNS name (or NetBIOS name) of another forest, and then click Next.
  5. On the Trust Type page, click Forest trust, and then click Next.
  6. On the Direction of Trust page, do one of the following:
    • To create a two-way, forest trust, click Two-way.
      Users in this forest and users in the specified forest can access resources in either forest.
    • To create a one-way, incoming forest trust, click One-way: incoming.
      Users in the specified forest will not be able to access any resources in this forest.
    • To create a one-way, outgoing forest trust, click One-way: outgoing.
      Users in this forest will not be able to access any resources in the specified forest.
  7. Continue to follow the wizard.

Create an Organizational Relationship
To enable free/busy sharing between the two forests using the Exchange Management Console (EMC):

1. Click on Organization Configuration, and select the Organization Relationships tab on the right-hand side. Right-click and choose "New Organization Relationship...".

2. In the Name field, type in a name for the organization relationship.
Select the check boxes for "Enable this Organization relationship" and "Enable free/busy information access".
From the drop-down menu, select which level of access you would like between the two forests, in this example "Free/Busy access with time, plus subject and location".

3. Enter the forest domain name in the "Automatically discover configuration information" text box, and press Next.

4. When satisfied with the entries, select Finish.

NB: Alternatively, you can use a PowerShell cmdlet to set up an organizational relationship with free/busy:

[PS] Get-FederationInformation -DomainName <domainname> | New-OrganizationRelationship -Name '<relationshipname>' -Enabled:$true -FreeBusyAccessEnabled:$true -FreeBusyAccessLevel 'LimitedDetails' -FreeBusyAccessScope:$null

5. The new organization relationship will now be listed on the Organization Relationships tab.



Create a Sharing policy
Next you need to create a sharing policy in order to share information between the two Exchange environments.

1. Using the EMC console, click on Organization Configuration, Mailbox. Click on the Sharing Policies tab, right-click on the Default Sharing Policy, then choose Properties.

2. In the next window, "Default Sharing Policy Properties", click on Add.

3. Type in your domain, e.g. "contoso.com", then from the drop-down menu, select the level of permission you wish to grant between the two forests. In this example "Calendar Sharing with free/busy information plus subject, location, and body, contacts sharing" is selected.

Click OK, and OK again, when finished with your selections.

Alternatively, you can set this in PowerShell using the following cmdlet:

[PS] Set-SharingPolicy 'Default Sharing Policy' -Domains '*:CalendarSharingFreeBusySimple', '<yourdomain>:CalendarSharingFreeBusyReviewer, ContactsSharing'

To complete the full process, log into the second Exchange environment and create an organizational relationship and a sharing policy back to Exchange environment 1, following the steps above.
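
The following is an added example, not part of the original post: a PowerShell review of what the organization relationship and sharing policy created above expose to the other forest, so the access level can be checked against what was intended. Get-SharingExposure is a hypothetical helper name, each policy entry is assumed to render as 'domain:actions', and constructed sample objects are used when the Exchange cmdlets are not available.

```powershell
# Added example (not from the original post). Get-SharingExposure is a hypothetical helper name.
function Get-SharingExposure {
    param($Relationships, $Policies)
    foreach ($r in $Relationships) {
        if (-not ($r.Enabled -and $r.FreeBusyAccessEnabled)) { continue }
        $notes = @()
        if ("$($r.FreeBusyAccessLevel)" -eq 'LimitedDetails') {
            $notes += 'partner sees subject and location, not only time'
        }
        if (-not $r.FreeBusyAccessScope) {
            $notes += 'no scope group set, so access is not limited to one group'
        }
        New-Object PSObject -Property @{
            Source = "OrganizationRelationship '$($r.Name)'"
            Domain = (@($r.DomainNames) -join ', ')
            Notes  = ($notes -join '; ')
        }
    }
    foreach ($p in $Policies) {
        foreach ($entry in $p.Domains) {
            # Assumption: each entry renders as 'domain:Action1, Action2' (same form as -Domains).
            $domain, $actions = "$entry" -split ':', 2
            $notes = @()
            if ($domain -eq '*') { $notes += 'applies to any external domain' }
            if ($actions -match 'Reviewer') { $notes += 'item body can be shared' }
            if ($actions -match 'ContactsSharing') { $notes += 'contacts folders can be shared' }
            New-Object PSObject -Property @{
                Source = "SharingPolicy '$($p.Name)'"
                Domain = $domain
                Notes  = ($notes -join '; ')
            }
        }
    }
}

if (Get-Command Get-OrganizationRelationship -ErrorAction SilentlyContinue) {
    # Exchange Management Shell: review the live configuration.
    $rel = Get-OrganizationRelationship
    $pol = Get-SharingPolicy
} else {
    # Constructed sample data mirroring the two commands in this post.
    $rel = New-Object PSObject -Property @{ Name = 'Forest2'; Enabled = $true; FreeBusyAccessEnabled = $true
        FreeBusyAccessLevel = 'LimitedDetails'; FreeBusyAccessScope = $null; DomainNames = @('contoso.com') }
    $pol = New-Object PSObject -Property @{ Name = 'Default Sharing Policy'
        Domains = @('*:CalendarSharingFreeBusySimple', 'contoso.com:CalendarSharingFreeBusyReviewer, ContactsSharing') }
}
Get-SharingExposure $rel $pol | Format-Table Source, Domain, Notes -AutoSize -Wrap
```

Run it in both forests, since the relationship and the sharing policy are configured on each side.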

1 comment:

  1. Thanks man. Great article for almost zero information. Greatly appreciated.