GAL Access on a separate forest

jbaello Member Posts: 1,191
How can a separate forest hosting its own Exchange 2007 access another forest's GC\GAL via Exchange 2007 if no trust exists? Even if there's a 2-way trust, can forest 1 access forest 2's GC\GAL to query SMTP-enabled AD objects?

Comments

  • royal Member Posts: 3,352
    Connect the Availability Address using the Organization Wide Setting. You don't need a trust for this.

    http://technet.microsoft.com/en-us/library/bb125182.aspx
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • jbaello Member Posts: 1,191
    Damn it Royal what would I do without you? I'll get fired...
  • jbaello Member Posts: 1,191
    royal wrote:
    Connect the Availability Address using the Organization Wide Setting. You don't need a trust for this.

    http://technet.microsoft.com/en-us/library/bb125182.aspx

    Royal, any detailed resources/books that will explain this stuff more in depth?
  • royal Member Posts: 3,352
    Not well documented. You know what's funny about this... is that I was just at a bar with the Unified Communications architect for our company and we were talking about connecting the Availability Address space across our two forests we have using a non-trusted and trusted forest and how it's not well documented and all of a sudden I see your post. Talk about timing eh...?
  • royal Member Posts: 3,352
    jbaello wrote:
    Damn it Royal what would I do without you? I'll get fired...

    Does that mean I get some type of royalty then?
  • jbaello Member Posts: 1,191
    You should be Mr. MVP. I didn't know this thing existed, which is very cool. I gotta check if it's dependent on MSIIS.
  • blargoe Member Posts: 4,174
    If you're just needing the list of addresses to sync, all you need is GalSync; the feature pack for that is free. There's a link in the article royal linked.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • royal Member Posts: 3,352
    Ah yes, I forgot to link about the actual GAL contact building. The problem with using MIIS or IIFP for GalSync is that it wasn't built for Exchange 2007 and no Service Pack was created for Exchange 2007 support. In Exchange 2003, the Recipient Update Service took care of the Recipient provisioning. In Exchange 2007, the Update-Recipient command has replaced RUS.

    So how can you use MIIS/IIFP to provision a user? Microsoft has provided a script you can run should you feel the need to stay with MIIS/IIFP instead of upgrading to ILM Feature Pack 1 (the new version that supports the update-recipient command).

    So if you look at the following article, it will give you the PowerShell scripts you can run to provision your users manually after GalSync with MIIS/IIFP:
    http://technet.microsoft.com/en-us/library/aa998597.aspx
  • blargoe Member Posts: 4,174
    Why was I thinking he was using 2003?

    For 2007 I wish they'd just make the ILM feature pack free.
  • jbaello Member Posts: 1,191
    It will be Exchange 2007 accessing the Exchange 2003 GAL, and vice versa. I will need to read more on this, but I need to test this in a test environment before the project is rolled out.
  • jbaello Member Posts: 1,191
    Installed the following on ESX:

    VM1 - Windows Server 2003 32/Domain Controller/Forest 1
    VM2 - Windows Server 2003 32/Exchange2003/Forest1

    VM3 - Windows Server 2008 64/Domain Controller/Forest2
    VM4 - Windows Server 2003 64/Exchange 2007/Forest2

    I will be testing ILM/GalSync on both Exchange Servers; the contact list needs to be populated on both Exchange Servers, in the 2 separate forests' GALs.

    I had to download the following separately; I am not sure if ILM is integrated in Exchange 2007 SP1.

    Identity Integration Server 2003 (MSIIS)
    Identity Lifecycle Manager 2007 (ILM 2007)
  • jbaello Member Posts: 1,191
    Here's a good resource on 2 AD synchronization using MSIIS 2003

    http://technet.microsoft.com/en-us/library/cc720550.aspx
  • jbaello Member Posts: 1,191
    This was quite an annoying task, since the lab requires so much, not to mention SQL Server on the box that hosts MSIIS. I have configured the 1st Forest so far that is hosting Exchange 2003. I am just a little curious if MSIIS 2003 will be 100% compatible with Exchange 2007 as a requirement for this project.

    By the look of it, I think it is, since the only thing getting replicated is LDAP AD objects, such as users/objects/groups, and it doesn't look like it's touching the Exchange 2007 internal system at all (if I remember correctly, the GAL resides in the GC, which is AD). I will fire up the synchronization tomorrow. So far I have not seen a requirement for a forest trust. Will keep you guys updated; any advice on this scenario, please let me know so I can have it seamless.

    I also need to find out info about free/busy, since this was mentioned with this test.
  • royal Member Posts: 3,352
    jbaello wrote:
    This was quite an annoying task, since the lab requires so much, not to mention SQL Server on the box that hosts MSIIS. I have configured the 1st Forest so far that is hosting Exchange 2003. I am just a little curious if MSIIS 2003 will be 100% compatible with Exchange 2007 as a requirement for this project.

    You're asking a question I already answered. And it's MIIS not MSIIS.
    jbaello wrote:
    By the look of it, I think it is, since the only thing getting replicated is LDAP AD objects, such as users/objects/groups, and it doesn't look like it's touching the Exchange 2007 internal system at all (if I remember correctly, the GAL resides in the GC, which is AD). I will fire up the synchronization tomorrow. So far I have not seen a requirement for a forest trust. Will keep you guys updated; any advice on this scenario, please let me know so I can have it seamless.

    I also need to find out info about free/busy, since this was mentioned with this test.

    Interorg Replication Tool. The whole Availability thing in the beginning doesn't apply here since you initially said it was all Exchange 2007. Having Exchange 2003 was a key missing part you didn't include in your initial post. :P
  • jbaello Member Posts: 1,191
    The problem with interorg is it's not a supported product, especially if it's deployed on a production environment, ughh...

    It looks like it's going to be both.

    MIIS + Interorg
    ILM + Interorg

    We can either upgrade our Exchange 2003 server or go back to the old QCS solution, which I believe costs a lot of money; I heard it's in the millions.

    If I can make a decision I would centralize all messaging to the headquarters and set up Hub Transport or Outlook Anywhere, something along those lines; this is politics.

    It's all yours now Royal, okay I'm going to run away now bye lawl...
  • jbaello Member Posts: 1,191
    You're asking a question I already answered. And it's MIIS not MSIIS.

    I forgot to scroll up again my bad...
  • jbaello Member Posts: 1,191
    http://www.quest.com/collaboration-services/

    I'm setting up this stuff now on a VM test environment. I will be implementing this solution, so I thought I'd share it while I'm at it.
  • royal Member Posts: 3,352
    Ya, that product is good. Doesn't require a trust, doesn't require accounts, and takes care of both the GAL and Public Folder Data. I'd definitely recommend that for production depending on the environment if you have the $$$ to spend. Only thing I'd be wary about is that Microsoft provides a free way to do it (IIFP with a script to run after for provisioning) and IORepl. Plus if you have issues, all the tools are from MS and there'd be no finger pointing.
  • jbaello Member Posts: 1,191
    royal wrote:
    Ya, that product is good. Doesn't require a trust, doesn't require accounts, and takes care of both the GAL and Public Folder Data. I'd definitely recommend that for production depending on the environment if you have the $$$ to spend. Only thing I'd be wary about is that Microsoft provides a free way to do it (IIFP with a script to run after for provisioning) and IORepl. Plus if you have issues, all the tools are from MS and there'd be no finger pointing.

    How much is it? I am hearing a lot of $$$
  • jbaello Member Posts: 1,191
    royal wrote:
    Ya, that product is good. Doesn't require a trust, doesn't require accounts, and takes care of both the GAL and Public Folder Data. I'd definitely recommend that for production depending on the environment if you have the $$$ to spend. Only thing I'd be wary about is that Microsoft provides a free way to do it (IIFP with a script to run after for provisioning) and IORepl. Plus if you have issues, all the tools are from MS and there'd be no finger pointing.

    It's M$ why are you pointing your finger at me rofl...
  • royal Member Posts: 3,352
    jbaello wrote:
    royal wrote:
    Ya, that product is good. Doesn't require a trust, doesn't require accounts, and takes care of both the GAL and Public Folder Data. I'd definitely recommend that for production depending on the environment if you have the $$$ to spend. Only thing I'd be wary about is that Microsoft provides a free way to do it (IIFP with a script to run after for provisioning) and IORepl. Plus if you have issues, all the tools are from MS and there'd be no finger pointing.

    How much is it? I am hearing a lot of $$$

    If it's by Quest, A LOT. Give them a call.
  • jbaello Member Posts: 1,191
    royal wrote:
    jbaello wrote:
    royal wrote:
    Ya, that product is good. Doesn't require a trust, doesn't require accounts, and takes care of both the GAL and Public Folder Data. I'd definitely recommend that for production depending on the environment if you have the $$$ to spend. Only thing I'd be wary about is that Microsoft provides a free way to do it (IIFP with a script to run after for provisioning) and IORepl. Plus if you have issues, all the tools are from MS and there'd be no finger pointing.

    How much is it? I am hearing a lot of $$$

    If it's by Quest, A LOT. Give them a call.

    It's by Quest Software.
  • royal Member Posts: 3,352
    You apparently didn't get my point.
  • jbaello Member Posts: 1,191
    royal wrote:
    You apparently didn't get my point.

    Lol I did, I don't want to worry about the cost, they'll have to foot the bill either way :) I heard it's on a per-user basis.
  • royal Member Posts: 3,352
    jbaello wrote:
    Lol I did, I don't want to worry about the cost, they'll have to foot the bill either way :) I heard it's on a per-user basis.

    Granted you're not paying for it, but helping out a company save costs especially if they're hurting in this economy is not a bad thing. Looking out for the best interests of others isn't a bad thing. So while the Quest product is excellent, I would talk to the client about both solutions and see which one best fits their needs and budget.