rsdtech

Has anyone used the Add-AvailabilityAddressSpace cmdlet to allow free/busy lookups across untrusted forests?

Two Exchange 2007 organizations in untrusted forests.  With the Exchange Availability Service, we should be able to use the Add-AvailabilityAddressSpace cmdlet to allow the lookup of free/busy information across forests.

http://technet.microsoft.com/en-us/library/bb125182(EXCHG.80).aspx

The article above describes the steps required to make this happen.  I'm looking for someone to provide a little guidance and real world use of the cmdlet.
rsdtech

ASKER

No comments after a day, so I increased the point value.

Anyone, anyone, Bueller?
rsdtech

ASKER

OK. more points.

The commands described on the Microsoft link seem straightforward, but I'd really like to hear from someone that has done this and knows of any gotchas.

Thanks
*******
Cross-forest availability can be across trusted or untrusted forests.  The granularity of free/busy
information is determined by whether cross-forest free/busy has been configured as per-user or
org-wide.  Per-user free/busy is possible only in a trusted cross-forest topology and makes it
possible for Availability Service to make cross-forest requests on behalf of a particular user.  This
essentially makes it possible for a user in a remote forest to grant more granular or detailed
free-busy to a cross-forest user.  On the other hand, with org-wide free/busy, Availability Service can
make cross-forest requests only on behalf of a particular organization.  With org-wide free/busy, a
user's default free/busy information is returned and it is not possible to control the granularity of
free/busy information given to users in the other forest.

********
Please read this to clear your doubts.

Scroll down to topic "Configuring Cross-Forest Availability Service"
http://www.exchangeninjas.com/AvailabilityServiceFAQ
rsdtech

ASKER

From that page and the Managing CA document from MS.

UNTRUSTED CROSS-FOREST
On the cross-forest (target) CAS:
Set the orgwide account on the availability-config object:

set-availabilityconfig -orgwideaccount "mail.foo.com\orgwide_user" (for example)

Add the availability address space config object for the other forest. First check what the
msExchAvailabilityOrgWideAccount is on the Availability Configuration object on the target
forest - these are the credentials you need to specify with get-credential:

$a = get-credential  (enter the credentials for orgwide_user in domain mail.foo.com)

add-availabilityaddressspace -forestname <remote forest: mail.foo.com, for example> -accessmethod orgwidefb -credential:$a

If I'm reading it correctly,  My domain is domain1, my user is user1.  The untrusted domain is domain2, the user is user2.  

I need to run: set-availabilityconfig -orgwideaccount "domain1\user1"

On the other forest, he needs to run - set-availabilityconfig -orgwideaccount "domain2\user2"

and then each of us needs to run:

$a = get-credential  (enter the credentials for user1 in domain1)

add-availabilityaddressspace -forestname "Domain1" -accessmethod orgwidefb -credential:$a (for his domain)

and

$a = get-credential  (enter the credentials for user2 in domain2)

add-availabilityaddressspace -forestname "Domain2" -accessmethod orgwidefb -credential:$a (in my domain)

The user accounts can be any user account in the domain?
ASKER CERTIFIED SOLUTION
Exchange_Geek
This solution is only available to members.
Domain1 was referred to what you set the example as.

"If I'm reading it correctly,  My domain is domain1, my user is user1.  The untrusted domain is domain2, the user is user2"
rsdtech

ASKER

In working through this, I've discovered that I had autodiscover and certificate issues that needed to be resolved before this could work.  I've corrected those issues on my domain and am working with the admins in the other domain to correct their issues.  They should have their new cert in a day or so and I'll begin testing again.

I'm not sure if this alone is enough to share the free/busy across forests, though.  Is this going to require MIIS or IIFP?

MIIS and IIFP are ideally used for GAL sharing - so if you want to see people across to use GAL - that's what MIIS is primarily required for.
rsdtech

ASKER

Thanks for your help.  In the end, having correctly applied UCC certificates was the biggest issue.  Both Exchange servers had single name certs for OWA, but nothing for autodiscover.  We both purchased UCC certs from GoDaddy and, once applied, the commands you provided allow us to now see Free/Busy info across the untrusted forests.
rsdtech

ASKER

Thanks to Exchange Geek for helping out.  The biggest issue in making this work was properly applied UCC certificates on both Exchange servers.  We both had single name certificates for OWA, but nothing for autodiscover.  Getting autodiscover to function both inside and outside of the network is critical in getting this to work.  Once autodiscover was functioning correctly for both organizations, the Set-AvailabilityConfig and Add-AvailabilityAddressSpace cmdlets were all that was needed to see Free/Busy information across untrusted forests.
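
The certificate problem reported in this thread (single-name OWA certificates with no autodiscover name), as an added example that is not part of the original posts: a PowerShell check of whether a certificate's subject alternative names cover the host names the other forest will connect to. All host names and SAN lists are constructed placeholders, `Get-ServerCertificate` is a hypothetical helper for reading a live certificate, and the SAN parsing assumes the English `DNS Name=` (Windows) or `DNS:` text format.

```powershell
# Added example: does a certificate cover both the CAS name and the autodiscover name?
function Test-SanCoversHost {
    param([string[]]$SanDnsNames, [string]$HostName)
    foreach ($san in $SanDnsNames) {
        if ($san -eq $HostName) { return $true }      # -eq is case-insensitive for strings
        # A wildcard covers exactly one left-most label: *.example.com matches a.example.com only
        if ($san.StartsWith('*.') -and $HostName.Contains('.')) {
            $parent = $HostName.Substring($HostName.IndexOf('.') + 1)
            if ($san.Substring(2) -eq $parent) { return $true }
        }
    }
    return $false
}

function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.17 is the Subject Alternative Name extension
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($false), '(?:DNS Name=|DNS:)([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Get-ServerCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate here: the goal is to inspect it, not to trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

# Constructed sample data: names the remote forest must reach, and two candidate certificates.
$required = 'mail.domain2.example', 'autodiscover.domain2.example'
$certs = [ordered]@{
    'single-name OWA cert' = @('mail.domain2.example')
    'UCC cert'             = @('mail.domain2.example', 'autodiscover.domain2.example')
}
foreach ($name in $certs.Keys) {
    foreach ($h in $required) {
        '{0}: {1} covered = {2}' -f $name, $h, (Test-SanCoversHost $certs[$name] $h)
    }
}
# Live check (placeholder host): Get-SanDnsNames (Get-ServerCertificate 'autodiscover.domain2.example')
```

The single-name certificate reports the autodiscover name as not covered, which is the condition both organizations in this thread had to fix before the availability cmdlets could work.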