Has anyone used the Add-AvailabilityAddressSpace cmdlet to allow free/busy lookups across untrusted forests?

Two Exchange 2007 organizations in untrusted forests.  With the Exchange Availability Service, we should be able to use the Add-AvailabilityAddressSpace cmdlet to allow the lookup of free/busy information across forests.  


The article above describes the steps required to make this happen.  I'm looking for someone to provide a little guidance and real world use of the cmdlet.

rsdtech (Author) Commented:
No comments after a day, so I increased the point value.

Anyone, anyone, Bueller?
rsdtech (Author) Commented:
OK. more points.

The commands described on the Microsoft link seem straightforward, but I'd really like to hear from someone that has done this and knows of any gotchas.

Cross-forest availability can be across trusted or untrusted forests.  The granularity of free/busy information is determined by whether cross-forest free/busy has been configured as per-user or org-wide.  Per-user free/busy is possible only in a trusted cross-forest topology and makes it possible for Availability Service to make cross-forest requests on behalf of a particular user.  This essentially makes it possible for a user in a remote forest to grant more granular or detailed free-busy to a cross-forest user.  On the other hand, with org-wide free/busy, Availability Service can make cross-forest requests only on behalf of a particular organization.  With org-wide free/busy, a user's default free/busy information is returned and it is not possible to control the granularity of free/busy information given to users in the other forest.

Please read this to clear your doubts.

Scroll down to topic "Configuring Cross-Forest Availability Service"

rsdtech (Author) Commented:
From that page and the Managing CA document from MS.

On the cross-forest (target) CAS:
Set the orgwide account on the availability-config object:

set-availabilityconfig -orgwideaccount "mail.foo.com\orgwide_user"  # for example

Add the availability address space config object for the other forest. First check what the
msExchAvailabilityOrgWideAccount is on the Availability Configuration object on the target
forest - these are the credentials you need to specify with get-credential:

$a = get-credential  # enter the credentials for orgwide_user in domain mail.foo.com

add-availabilityaddressspace -forestname <remote forest  mail.foo.com, for example> -accessmethod orgwidefb -credential:$a

If I'm reading it correctly, my domain is domain1, my user is user1.  The untrusted domain is domain2, the user is user2.  

I need to run: set-availabilityconfig -orgwideaccount "domain1\user1"

On the other forest, he needs to run - set-availabilityconfig -orgwideaccount "domain2\user2"

and then each of us needs to run:

$a = get-credential  # enter the credentials for user1 in domain1

add-availabilityaddressspace -forestname "Domain1" -accessmethod orgwidefb -credential:$a  # for his domain


$a = get-credential  # enter the credentials for user2 in domain2

add-availabilityaddressspace -forestname "Domain2" -accessmethod orgwidefb -credential:$a  # in my domain

The user accounts can be any user account in the domain?
  • On a Client Access server in the target forest, run the following command to set the organization-wide account on the availability configuration object to configure the access level for free/busy information:

    Set-AvailabilityConfig -OrgWideAccount "Domain1.com\User"
  • Run the following commands to add the Availability address space configuration object for the source forest:

    $a = get-credential  # Enter the credentials for organization-wide user in Domain1.com domain
    Add-AvailabilityAddressspace -Forestname Domain1.com -Accessmethod OrgWideFB -Credential:$a
Ref: http://technet.microsoft.com/en-us/library/bb125182.aspx


Domain1 was referred to what you set the example as.

"If I'm reading it correctly,  My domain is domain1, my user is user1.  The untrusted domain is domain2, the user is user2"
rsdtech (Author) Commented:
In working through this, I've discovered that I had autodiscover and certificate issues that needed to be resolved before this could work.  I've corrected those issues on my domain and am working with the admins in the other domain to correct their issues.  They should have their new cert in a day or so and I'll begin testing again.

I'm not sure if this alone is enough to share the free/busy across forests, though.  Is this going to require
MIIS and IIFP is ideally used for GAL sharing - so if you want to see people across to use GAL - that's what MIIS is primarily required for.
rsdtech (Author) Commented:
Thanks for your help.  In the end, having correctly applied UCC certificates was the biggest issue.  Both Exchange servers had single name certs for OWA, but nothing for autodiscover.  We both purchased UCC certs from GoDaddy and once applied, the commands you provided allow us to now see Free/Busy info across the untrusted forests.  
rsdtech (Author) Commented:
Thanks to Exchange Geek for helping out.  The biggest issue in making this work was properly applied UCC certificates on both Exchange servers.  We both had single name certificates for OWA, but nothing for autodiscover.  Getting autodiscover to function both inside and outside of the network is critical in getting this to work.  Once autodiscover was functioning correctly for both organizations, the Set-AvailabilityConfig and Add-AvailabilityAddressspace cmdlets were all that was needed to see Free/Busy information across untrusted forests.
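
The certificate gotcha reported in this thread, as an added example that is not part of any post above or of Microsoft's documentation: a check that a certificate's name list covers both the OWA host and the Autodiscover host before the availability cmdlets are run. The function names, the `domain2.example` host names, the `autodiscover.<domain>` naming and the two name lists are assumptions constructed for illustration.

```powershell
# Added example. Host names and certificate name lists are constructed sample data.

function Test-NameCoveredByCert {
    param(
        [string]   $HostName,   # name a client connects to
        [string[]] $CertNames   # subject CN plus subjectAltName DNS entries
    )
    $target = $HostName.ToLower()
    $labels = $target.Split('.')
    foreach ($name in $CertNames) {
        $n = $name.ToLower()
        if ($n -eq $target) { return $true }
        # A wildcard covers exactly one left-most label: *.foo.com matches
        # mail.foo.com, but not foo.com and not a.b.foo.com.
        if ($n.StartsWith('*.') -and $labels.Length -gt 2) {
            $parent = [string]::Join('.', $labels[1..($labels.Length - 1)])
            if ($n.Substring(2) -eq $parent) { return $true }
        }
    }
    return $false
}

function Get-UncoveredName {
    param([string[]] $RequiredNames, [string[]] $CertNames)
    # Emit each required host name that the certificate does not cover.
    $RequiredNames | Where-Object { -not (Test-NameCoveredByCert -HostName $_ -CertNames $CertNames) }
}

# Names the other forest will connect to (assumed naming: autodiscover.<domain>).
$required = @('mail.domain2.example', 'autodiscover.domain2.example')

# Constructed name lists for the two certificate types discussed in the thread.
# On a real server the list would come from the certificate itself, e.g. the
# CertificateDomains property returned by Get-ExchangeCertificate.
$singleNameCert = @('mail.domain2.example')
$uccCert        = @('mail.domain2.example', 'autodiscover.domain2.example')

foreach ($case in @(@('single-name', $singleNameCert), @('UCC', $uccCert))) {
    $missing = @(Get-UncoveredName -RequiredNames $required -CertNames $case[1])
    if ($missing.Count -eq 0) {
        Write-Output ("{0}: all required names covered" -f $case[0])
    } else {
        Write-Output ("{0}: missing {1}" -f $case[0], ($missing -join ', '))
    }
}
```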