Solved

Enabling email encryption between 2 forests, and moving existing CA database from Forest A to Forest B

Posted on 2008-06-10
7
332 Views
Last Modified: 2010-04-18
Hi, I wonder if someone has done it and can advise on the best way of doing it.

We are currently in the process of merging two forests into one and 2 Exchange organisations into one. I am using ADMT v3 to move AD objects and that works fine. I am using exmerge to move mail between the Exchange organisations that is fine too.

My question is how do I enable email encryption between the forests during the course of the merge?

Also how do I enable users that have been migrated over to still be able to access their old encrypted emails?

Do I have to transfer the whole CA database once the merge is fully completed?

I have been looking to find a good document on the web for this, but could not find any.

I am aware of the method where you copy the public certificate between the 2 forests, and then use adsiedit.msc to export each user's certificate attribute and copy it over to the other forest. That this is the most efficient way sounds difficult to believe.

Please help.


0
Question by:GALYAS
7 Comments
 
LVL 22

Expert Comment

by:Paka
ID: 21758168
Do you have one or two CAs?  Are these Enterprise CAs or standalone CAs?  If you're trying to merge two Enterprise CAs, I don't think it will work.  You'll have to use the CA of the forest that will remain after the merge is complete and reissue certs to the users that lost the forest.  

To be able to read the encrypted emails after the move, I'd recommend having the users forward their encrypted emails to themselves and disable the encryption before they do, then run exmerge.

Copying the certs might work, but since their issuing CA will be offline, you will get certificate validation issues.
0
 

Author Comment

by:GALYAS
ID: 21758510
Hi Paka,

Thanks a lot for the response.

We have 2 enterprise CAs, one for each forest.

Do you know how I can enable CA encryption between the 2 forests while merging is in progress? The two networks are rather big and it will take months to complete, so I need an interim solution.

Thank you in advance
0
 
LVL 22

Expert Comment

by:Paka
ID: 21758535
I'm unclear as to what you mean by "enable CA encryption between the 2 forests while merging is in progress".  Do you want to:
1) encrypt email between users in the two forests?
2) protect the SMTP links between the Exchange servers using encryption?
3) encrypt all traffic between the two forests?
0
 

Author Comment

by:GALYAS
ID: 21758592
I mean 1) encrypt email between users in the two forests
0
 
LVL 22

Expert Comment

by:Paka
ID: 21760841
If you have both forests up during the migration you should be able to use the existing certs to encrypt email.  When you migrate a user over, delete their old certs, reissue new ones, set up the Outlook profile to use the new ones and you should be good to go.  There are a couple of good guides on forest merges on the web to address other potential problems - I'll see if I can dig one up for you.
0
 

Author Comment

by:GALYAS
ID: 21760934
Is there anything that needs to be done on both CAs in order to accomplish this?
At the moment UserA from ForestA is unable to send encrypted email to UserB in ForestB. We are still talking two different forests, 2 Exchange Organisations, 2 GALs.

Thanks a lot for digging those documents for me and all your help
0
 

Accepted Solution

by:
GALYAS earned 0 total points
ID: 21803499
After I did some research I found out a bit easier way than adsiedit, but it is still done on an individual basis.

For those of you that may be interested here is the solution.

To enable S/MIME encryption between 2 forests, take the following steps as described in the article below. It applies to Exchange 2003 as well.

http://msexchangeteam.com/archive/2008/04/23/448761.aspx

Please keep in mind that you need to send to the contacts. A second Address Book for the external mail-enabled contacts will be ideal for this case.

Also, once mail is moved across forests you can still view email encrypted with your old CA if you export your certificate as a .pfx file (from Forest A) and import it into your Outlook client (on Forest B).
0
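One way to do the certificate publishing that both the adsiedit approach and the linked article rely on, written as an added example that is not from the thread or the article: copy each Forest A user's encryption certificate from the userCertificate attribute onto the matching mail-enabled contact in Forest B, publishing only certificates that are currently valid, carry the Secure Email EKU and name the recipient address. The domain controller names, matching contacts on the mail attribute, and the ActiveDirectory PowerShell module (Server 2008 R2 or later) are assumptions.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module,
# placeholder DC names, and that contacts in Forest B carry the same 'mail'
# value as the source users in Forest A.
Import-Module ActiveDirectory

$SourceDC = 'dc01.foresta.example'    # placeholder, Forest A DC
$TargetDC = 'dc01.forestb.example'    # placeholder, Forest B DC
$SecureEmailEku = '1.3.6.1.5.5.7.3.4' # id-kp-emailProtection

function Test-SmimeEncryptionCert {
    param([byte[]]$Der, [string]$Mail)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$Der)
    $now = Get-Date
    # Skip anything not currently valid; Outlook would reject it for encryption anyway
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { return $false }
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $SecureEmailEku })) { return $false }
    # The RFC 822 name in the SAN (or E= in the subject) must match the address the contact will have
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $names = if ($san) { $san.Format($false) } else { $cert.Subject }
    return [bool]($names -match [regex]::Escape($Mail))
}

$users = Get-ADUser -Server $SourceDC -Filter 'userCertificate -like "*"' -Properties mail, userCertificate
foreach ($u in $users) {
    if (-not $u.mail) { continue }
    $good = @($u.userCertificate | Where-Object { Test-SmimeEncryptionCert -Der $_ -Mail $u.mail })
    if ($good.Count -eq 0) { Write-Warning "$($u.mail): no valid S/MIME encryption certificate, skipping"; continue }
    $contact = Get-ADObject -Server $TargetDC -Filter "objectClass -eq 'contact' -and mail -eq '$($u.mail)'" -Properties userCertificate
    if (-not $contact) { Write-Warning "$($u.mail): no mail-enabled contact in target forest"; continue }
    # -Replace overwrites stale values so an expired or reissued cert does not linger on the contact
    Set-ADObject -Server $TargetDC -Identity $contact -Replace @{ userCertificate = $good }
    Write-Host "$($u.mail): published $($good.Count) certificate(s)"
}
```

Recipients in Forest B still need to trust Forest A's issuing CA certificate for the published certificates to validate, and senders must pick the contact (not a free-typed address) so Outlook finds the certificate in the directory.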
