How to Configure Cross-Forest Administration
Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3
This topic explains how to use Setup.com to enable cross-forest administration. You can use this procedure if you have a user account in one forest that must administer Microsoft Exchange Server 2007 in a different forest. Use this procedure in the following scenarios:
The resource forest is a common scenario in which you have one forest (the user accounts forest) that does not contain any Exchange servers and a separate forest for the Exchange organization.
The classic cross-forest scenario with multiple Exchange forests is a scenario in which you might want a user in one forest to administer Exchange in both forests. Alternatively, you might want a user in one forest to administer Exchange in the other forest, but not in both forests.
To administer Exchange servers, properties, and recipients, an administrator must be delegated membership in one of the following Exchange administrator roles:
Exchange Organization Administrator
Exchange Public Folder Administrator
Exchange Recipient Administrator
Exchange View-Only Administrator
Note
The Exchange Public Folder Administrator role does not exist in the release to manufacturing (RTM) version of Exchange 2007. It was introduced in Exchange 2007 Service Pack 1 (SP1).
However, you cannot add a user from a different forest to an Exchange administrator role. To administer Exchange 2007 servers in Forest B by using a user account in Forest A, you must perform the following steps:
If they do not already exist, create parallel Exchange administrator roles in Forest A.
Use Setup.com with the ForeignForestFQDN parameter to grant permissions on objects in Forest B to the Forest A roles.
Add users in Forest A to the newly created parallel Exchange administrator roles in Forest A.
Start State
Phase 1: Creating parallel Exchange administrator roles in Forest A
Phase 2: Granting permissions
Phase 3: Add user to Exchange roles in Forest A
Important
After you configure cross-forest administration, it is not supported to perform any Exchange Setup actions in one forest by using a user account in another forest. For example, it is not supported to add server roles, remove server roles, or recover a server in one forest by using a user account in another forest, even if you configured that user account for cross-forest administration.
Note
To create the Exchange administrator roles, you must use Active Directory Users and Computers to create groups. You will select Universal for the group scope and Security for the group type. For more information, see Permission Considerations.
Before You Begin
Make sure the forest functional level of both of your forests is Microsoft Windows Server 2003. For more information about Active Directory functional levels, see Functional Levels Background Information.
Create a two-way forest trust relationship between the two forests. For detailed steps, see Create a two-way forest trust for both sides of the trust. You need this trust to configure cross-forest administration. If you are in a resource forest scenario, after you complete this procedure to configure cross-forest administration, you can downgrade the trust to a one-way trust so that the Exchange forest trusts the user accounts forest. Be aware that you may still need the two-way trust for folder sharing.
Note
Make sure that the trust type is Forest, not External.
In the following procedure, Forest A is the forest with a user account that needs to administer Exchange 2007 servers in a different forest. Forest B is the forest with Exchange 2007 servers that a user in Forest A will administer.
To perform the steps of this procedure in Forest A, the account you use must be delegated the following:
- Membership in the Enterprise Admins group in Forest A
To perform the steps of this procedure in Forest B, the account you use must be delegated the following:
- Membership in the Enterprise Admins group in Forest B
Note
If you have an account that has Enterprise Admin-level rights in both Forest A and Forest B, running the command Setup /PrepareAD /ForeignForestFQDN:ForestA.contoso.com
will perform Steps 2 through 7 automatically. However, because it is not likely that you will have a user that has Enterprise Admin-level rights in both forests, we recommend that you perform Steps 2 through 7 manually to first create the Exchange universal security groups and assign permissions for those groups in Forest A, with an account that is a member of the Enterprise Admins group in only Forest A. Then you can run Setup /PrepareAD /ForeignForestFQDN:ForestA.contoso.com
in Forest B with an account that is a member of the Enterprise Admins group in only Forest B.
Important
Administrators must log on to servers in the resource forest by using user principal name (UPN) authentication. Administrators must also make sure that any unusual UPN suffixes are registered on the forest trust so that they have a Kerberos ticket when they log on. The Kerberos ticket is required to enable the Exchange management tools to connect to the configuration naming context in the resource forest. If NTLM authentication is used (DOMAIN\USERNAME), the LDAP bind in the management tools may fail if a cached connection to the account forest domain does not exist.
Procedure
Exchange 2007 SP1
To configure cross-forest administration in Exchange 2007 SP1
If you are in a classic cross-forest scenario, if you have Exchange installed in both Forest A and Forest B, and if you do not want the user in Forest A who will administer Exchange in Forest B to also be an administrator in Forest A, rename or move the following organizational unit and groups in Forest A:
Microsoft Exchange Security Groups
Exchange Organization Administrators
Exchange Public Folder Administrators
Exchange Recipient Administrators
Exchange View-Only Administrators
To do this, you must use one of the following methods:
Rename the unit or group
Move the unit or group to a different organizational unit
Move the unit or group to a different domain
After you rename or move these groups, they will still have the same membership and permissions, and you will still be able to administer Exchange in Forest A by using accounts that are members of these groups.
If you are in a classic cross-forest scenario, if you have Exchange installed in both Forest A and Forest B, and if you want the user in Forest A to administer Exchange in both Forest A and Forest B, go to step 9.
If you are in a resource forest scenario, continue to Step 2.
In the root domain of Forest A, create a new organizational unit named Microsoft Exchange Security Groups. For more information about how to create an organizational unit, see Create a New Organizational Unit.
In the Microsoft Exchange Security Groups organizational unit in Forest A, create the following universal security groups:
Exchange Organization Administrators
Exchange Public Folder Administrators
Exchange Recipient Administrators
Exchange View-Only Administrators
For more information, see Create a new group.
Note
Be sure to select Universal for the group scope and Security for the group type.
In Forest A, perform the following steps to add the Exchange Organization Administrators group to the Exchange Recipient Administrators group:
Right-click the Exchange Recipient Administrators group, and then click Properties.
On the Members tab, click Add.
In Select Users, Computers, or Groups, type Exchange Organization Administrators, and then click OK.
Click OK on the Exchange Recipient Administrators Properties page.
In Forest A, perform the following steps to add the Exchange Organization Administrators group to the Exchange Public Folder Administrators group:
Right-click the Exchange Public Folders Administrators group, and then click Properties.
On the Members tab, click Add.
In Select Users, Computers, or Groups, type Exchange Organization Administrators, and then click OK.
Click OK on the Exchange Public Folder Administrators Properties page.
In Forest A, perform the following steps to add the Exchange Recipient Administrators group to the Exchange View-Only Administrators group:
Right-click the Exchange View-Only Administrators group, and then click Properties.
On the Members tab, click Add.
In Select Users, Computers, or Groups, type Exchange Recipient Administrators, and then click OK.
Click OK on the Exchange View-Only Administrators Properties page.
In Forest A, perform the following steps to add the Exchange Public Folder Administrators group to the Exchange View-Only Administrators group:
Right-click the Exchange View-Only Administrators group, and then click Properties.
On the Members tab, click Add.
In Select Users, Computers, or Groups, type Exchange Public Folder Administrators, and then click OK.
Click OK on the Exchange View-Only Administrators Properties page.
In Active Directory Users and Computers in Forest A, on the View menu, click Advanced Features, and then follow these steps:
Right-click the Microsoft Exchange Security Groups organizational unit, and then click Properties.
On the Security tab, click Advanced.
On the Permissions tab, select Exchange Organization Administrators in the Permission entries list, and then click Edit.
On the Object tab, in the Apply to list, select This object and all child objects.
In the Permissions list, locate Full Control, and then click to select the Allow check box.
Click OK.
On the Permissions tab, select Exchange Recipient Administrators, and then click Edit.
On the Object tab, in the Apply to list, select This object and all child objects.
In the Permissions list, locate Full Control, and then click to select the Allow check box.
Click OK.
On the Permissions tab, select Exchange Public Folder Administrators, and then click Edit.
On the Object tab, in the Apply to list, select This object and all child objects.
In the Permissions list, locate Full Control, and then click to select the Allow check box.
Click OK.
On the Permissions tab, select Exchange View-Only Administrators, and then click Edit.
On the Object tab, in the Apply to list, select This object and all child objects.
In the Permissions list, locate Full Control, and then click to select the Allow check box.
Click OK two times.
Log on to Forest B by using an account that is a member of the Enterprise Admins group in Forest B, and then run the following command from a Command Prompt window:
Setup /prepareAD /ForeignForestFQDN:ForestA.contoso.com
This command verifies that the Exchange universal security groups in Forest A are created and that permissions are assigned correctly. In Forest B, the command configures access control entries (ACEs) in Active Directory on the Exchange configuration objects so that the newly created Exchange universal security groups in Forest A have rights to the Exchange configuration in Forest B. When you run
Setup /PrepareAD
without the ForeignForestFQDN parameter, the command creates the Exchange universal security groups in the local forest and sets permissions on these groups. Adding the ForeignForestFQDN parameter specifies that you want to give the Exchange universal security groups in a foreign forest permission to the Exchange configuration in the forest where you run the command.To verify that Setup completed successfully, perform the following steps:
In Forest B, right-click the Exchange Servers universal security group, and then click Properties.
On the Security tab, under Group or user names, select Exchange Organization Administrators (<Forest A domain\Exchange Organization Administrators>).
Verify that Allow is selected for the Full Control permission.
Note
If Setup fails because of insufficient access rights, verify that you created the universal security groups correctly in Forest A, that the groups are nested correctly, and that the Exchange Organization Administrators group has full control of the new organizational unit and all three new universal security groups, and then perform Step 9 again.
To administer Exchange in Forest B by using an account in Forest A, add the account in Forest A to one or more of the Exchange universal security groups that you created in Forest A.
(Optional) Change the trust from a two-way to a one-way forest trust. To do this, delete the existing two-way incoming trust with Forest A. For detailed steps, see Remove a manually created trust.
Note
Be sure to select Yes, remove the trust from both the local domain and the other domain.
Note
You must retain the outgoing trust.
In Active Directory Users and Computers in Forest B, on the View menu, click Advanced Features.
(Optional) If you want recipient administrators in Forest A to administer users in Forest B, you must manually assign them permissions. Perform the following steps:
In Active Directory Users and Computers in Forest B, right-click the Users container, and then click Properties.
On the Security tab, click Advanced.
Under Permissions entries, select the entry where Type is Allow, Name is Exchange Recipient Administrators (<Forest A domain\Exchange Recipient Administrators>), and Permission is Special, and then click Edit.
On the Permission Entry for Users page, on the Objects tab under Permissions, select Allow for the following permissions: List Contents, Read All Properties, Write All Properties, Read Permissions, Create User Objects, Delete User Objects.
Click OK.
On the Advanced Security Settings for Users page, select the Allow inheritable permissions from the parent to propagate to this object and all child objects check box, and then click OK.
Note
This step provides the permissions necessary for members of the Exchange Recipient Administrators group in Forest A to modify objects in the User container in Forest B. Running Setup /ForeignForestFQDN in Forest B (in Step 9) granted users in the Exchange security groups in Forest A permission to Exchange properties in Forest B, but not to Windows user properties in Forest B.
To provide permissions to other groups in Forest A so they can modify objects in the User container in Forest B, select a different group on the Advanced Security Settings for Users page.(Optional) If you want administrators in Forest A to have permission to use the Exchange Management Console and the Exchange Management Shell on an Exchange server in Forest B, you must manually grant permissions on the Bin, Public, and Scripts directories in the Exchange Server directory to the user. Perform the following steps:
Navigate to the Exchange Server directory where Exchange is installed. (By default the directory is %programfiles%\Microsoft\Exchange Server.)
Right-click the Bin directory, and then click Properties.
On the Security tab, click Add, and then enter the user or group to which you want to give permission.
Under Permissions for <user or group>, select Allow for the Read & Execute permission, and then click OK.
Right-click the Public directory, and then click Properties.
On the Security tab, click Add, and then enter the user or group to which you want to give permission.
Under Permissions for <user or group>, select Allow for the Read & Execute permission, and then click OK.
Right-click the Scripts directory, and then click Properties.
On the Security tab, click Add, and then enter the user or group to which you want to give permission.
Under Permissions for <user or group>, select Allow for the Read & Execute permission, and then click OK.
Note
To administer Exchange in Forest B, users in Forest A must also be able to log on to a server in Forest B that has Exchange or the Exchange management tools installed. If you add users in Forest A to the Domain Admins group or to the local Administrators group on the server in Forest B so that they can log on to a server in Forest B, they will already have Read & Execute permissions on the Bin, Public, and Scripts directories. Alternatively, you can give users in Forest A specific permissions to log on to a server remotely by using the Terminal Services component of Windows Server 2003.
Exchange 2007 RTM
To configure cross-forest administration in the RTM version of Exchange 2007
If you are in a classic cross-forest scenario, you have Exchange installed in both Forest A and Forest B, and if you do not want the user in Forest A who will administer Exchange in Forest B to also be an administrator in Forest A, you must rename, move to a different organizational unit, or move to a different domain the following organizational unit and groups in Forest A:
Microsoft Exchange Security Groups
Exchange Organization Administrators
Exchange Recipient Administrators
Exchange View-Only Administrators
After you rename or move these groups, they will still have the same membership and permissions, and you will still be able to administer Exchange in Forest A by using accounts that are members of these groups.
If you are in a classic cross-forest scenario, you have Exchange installed in both Forest A and Forest B, and you want the user in Forest A to administer Exchange in both Forest A and Forest B, continue to Step 7.
If you are in a resource forest scenario, continue to Step 2.
In the root domain of Forest A, create a new organizational unit called Microsoft Exchange Security Groups. For more information about creating an organizational unit, see Create a New Organizational Unit.
In the Microsoft Exchange Security Groups organizational unit in Forest A, create the following universal security groups:
Exchange Organization Administrators
Exchange Recipient Administrators
Exchange View-Only Administrators
For more information, see Create a new group.
Note
Be sure to select Universal for the group scope and Security for the group type.
In Forest A, perform the following steps to add the Exchange Organization Administrators group to the Exchange Recipient Administrators group:
Right-click the Exchange Recipient Administrators group, and then click Properties.
On the Members tab, click Add.
In Select Users, Computers, or Groups, type Exchange Organization Administrators, and then click OK.
Click OK on the Exchange Recipient Administrators Properties page.
In Forest A, perform the following steps to add the Exchange Recipient Administrators group to the Exchange View-Only Administrators group:
Right-click the Exchange View-Only Administrators group, and then click Properties.
On the Members tab, click Add.
In Select Users, Computers, or Groups, type Exchange Recipient Administrators, and then click OK.
Click OK on the Exchange View-Only Administrators Properties page.
In Active Directory Users and Computers in Forest A, on the View menu, click Advanced Features, and then perform the following steps:
Right-click the Microsoft Exchange Security Groups organizational unit, and then click Properties.
On the Security tab, under Group or user names, select Exchange Organization Administrators.
Under Permissions for Exchange Organization Administrators, select Full Control, and then click OK.
Right-click the Exchange Organization Administrators group, and then click Properties.
On the Security tab, under Group or user names, select Exchange Organization Administrators.
Under Permissions for Exchange Organization Administrators, select Full Control, and then click OK.
Right-click the Exchange Recipient Administrators group, and then click Properties.
On the Security tab, under Group or user names, select Exchange Organization Administrators.
Under Permissions for Exchange Organization Administrators, select Full Control, and then click OK.
Right-click the Exchange View-Only Administrators group, and then click Properties.
On the Security tab, under Group or user names, select Exchange Organization Administrators.
Under Permissions for Exchange Organization Administrators, select Full Control, and then click OK.
Log on to Forest B by using an account that is a member of the Enterprise Admins group in Forest B, and then run the following command from a Command Prompt window:
Setup /prepareAD /ForeignForestFQDN:ForestA.contoso.com
This command verifies that the Exchange universal security groups in Forest A are created and that permissions are assigned correctly. In Forest B, the command configures access control entries (ACEs) in Active Directory on the Exchange configuration objects so that the newly created Exchange universal security groups in Forest A have rights to the Exchange configuration in Forest B. When you run
Setup /PrepareAD
without the ForeignForestFQDN parameter, the command creates the Exchange universal security groups in the local forest and sets permissions on these groups. Adding the ForeignForestFQDN parameter specifies that you want to give the Exchange universal security groups in a foreign forest permission to the Exchange configuration in the forest where you run the command.To verify that Setup completed successfully, perform the following steps:
In Forest B, right-click the Exchange Servers universal security group, and then click Properties.
On the Security tab, under Group or user names, select Exchange Organization Administrators (<Forest A domain\Exchange Organization Administrators>).
Verify that Allow is selected for the Full Control permission.
Note
If Setup fails because of insufficient access rights, verify that you created the universal security groups correctly in Forest A, that the groups are nested correctly, and that the Exchange Organization Administrators group has full control of the new organizational unit and all three new universal security groups, and then perform Step 7 again.
To administer Exchange in Forest B by using an account in Forest A, add the account in Forest A to one or more of the Exchange universal security groups that you created in Forest A.
(Optional) Change the trust from a two-way to a one-way forest trust. To do this, delete the existing two-way incoming trust with Forest A. For detailed steps, see Remove a manually created trust.
Note
Be sure to select Yes, remove the trust from both the local domain and the other domain.
Note
You must retain the outgoing trust.
In Active Directory Users and Computers in Forest B, on the View menu, click Advanced Features.
(Optional) If you want recipient administrators in Forest A to administer users in Forest B, you must manually assign them permissions. Perform the following steps:
In Active Directory Users and Computers in Forest B, right-click the Users container, and then click Properties.
On the Security tab, click Advanced.
Under Permissions entries, select the entry where Type is Allow, Name is Exchange Recipient Administrators (<Forest A domain\Exchange Recipient Administrators>), and Permission is Special, and then click Edit.
On the Permission Entry for Users page, on the Objects tab under Permissions, select Allow for the following permissions: List Contents, Read All Properties, Write All Properties, Read Permissions, Create User Objects, Delete User Objects.
Click OK.
On the Advanced Security Settings for Users page, select the Allow inheritable permissions from the parent to propagate to this object and all child objects check box, and then click OK.
Note
This step provides the permissions necessary for members of the Exchange Recipient Administrators group in Forest A to modify objects in the User container in Forest B. Running Setup /ForeignForestFQDN in Forest B (in Step 7) granted users in the Exchange security groups in Forest A permission to Exchange properties in Forest B, but not to Windows user properties in Forest B.
To provide permissions to other groups in Forest A so they can modify objects in the User container in Forest B, select a different group on the Advanced Security Settings for Users page.(Optional) If you want administrators in Forest A to have permission to use the Exchange Management Console and the Exchange Management Shell on an Exchange server in Forest B, you must manually grant permissions on the Bin, Public, and Scripts directories in the Exchange Server directory to the user. Perform the following steps:
Navigate to the Exchange Server directory where Exchange is installed. (By default the directory is %programfiles%\Microsoft\Exchange Server.)
Right-click the Bin directory, and then click Properties.
On the Security tab, click Add, and then enter the user or group to which you want to give permission.
Under Permissions for <user or group>, select Allow for the Read & Execute permission, and then click OK.
Right-click the Public directory, and then click Properties.
On the Security tab, click Add, and then enter the user or group to which you want to give permission.
Under Permissions for <user or group>, select Allow for the Read & Execute permission, and then click OK.
Right-click the Scripts directory, and then click Properties.
On the Security tab, click Add, and then enter the user or group to which you want to give permission.
Under Permissions for <user or group>, select Allow for the Read & Execute permission, and then click OK.
Note
To administer Exchange in Forest B, users in Forest A must also be able to log on to a server in Forest B that has Exchange or the Exchange management tools installed. If you add users in Forest A to the Domain Admins group or to the local Administrators group on the server in Forest B so that they can log on to a server in Forest B, they will already have Read & Execute permissions on the Bin, Public, and Scripts directories. Alternatively, you can give users in Forest A specific permissions to log on to a server remotely by using the Terminal Services component of Windows Server 2003.
For More Information
For more information about installing Exchange 2007 by using Setup.com from a Command Prompt window, see How to Install Exchange 2007 in Unattended Mode.