Has anyone used the Add-AvailabilityAddressSpace cmdlet to allow free/busy lookups across untrusted forests?

Posted on 2008-11-05
Last Modified: 2010-04-21
Two Exchange 2007 organizations in untrusted forests.  With the Exchange Availability Service, we should be able to use the Add-AvailabilityAddressSpace cmdlet to allow the lookup of free/busy information across forests.

The article above describes the steps required to make this happen.  I'm looking for someone to provide a little guidance and real world use of the cmdlet.
Question by:rsdtech

    Author Comment

    No comments after a day, so I increased the point value.

    Anyone, anyone, Bueller?

    Author Comment

    OK. more points.

    The commands described on the Microsoft link seem straightforward, but I'd really like to hear from someone that has done this and knows of any gotchas.

    LVL 33

    Expert Comment

    Cross-forest availability can be across trusted or untrusted forests.  The granularity of free/busy
    information is determined by whether cross-forest free/busy has been configured as per-user or
    org-wide.  Per-user free/busy is possible only in a trusted cross-forest topology and makes it
    possible for Availability Service to make cross-forest requests on behalf of a particular user.  This
    essentially makes it possible for a user in a remote forest to grant more granular or detailed
    free-busy to a cross-forest user.  On the other hand, with org-wide free/busy, Availability Service can
    make cross-forest requests only on behalf of a particular organization.  With org-wide free/busy, a
    user's default free/busy information is returned and it is not possible to control the granularity of
    free/busy information given to users in the other forest.

    Please read this to clear your doubts.

    Scroll down to topic "Configuring Cross-Forest Availability Service"

    Author Comment

    From that page and the Managing CA document from MS.

    On the cross-forest (target) CAS:
    Set the orgwide account on the availability-config object:

    set-availabilityconfig -orgwideaccount "\orgwide_user" (for example)

    Add the availability address space config object for the other forest. First check what the
    msExchAvailabilityOrgWideAccount is on the Availability Configuration object on the target
    forest - these are the credentials you need to specify with get-credential:

    $a = get-credential  (enter the credentials for orgwide_user in domain

    add-availabilityaddressspace -forestname <remote forest, for example>
    -accessmethod orgwidefb -credential:$a

    If I'm reading it correctly, my domain is domain1, my user is user1.  The untrusted domain is domain2, the user is user2.

    I need to run: set-availabilityconfig -orgwideaccount "domain1\user1"

    On the other forest, he needs to run - set-availabilityconfig -orgwideaccount "domain2\user2"

    and then each of us needs to run:

    $a = get-credential  (enter the credentials for user1 in domain1)

    add-availabilityaddressspace -forestname "Domain1" -accessmethod orgwidefb -credential:$a (for his domain)


    $a = get-credential  (enter the credentials for user2 in domain2)

    add-availabilityaddressspace -forestname "Domain2" -accessmethod orgwidefb -credential:$a (in my domain)

    The user accounts can be any user account in the domain?
    LVL 33

    Accepted Solution

    • On a Client Access server in the target forest, run the following command to set the organization-wide account on the availability configuration object to configure the access level for free/busy information:

      Set-AvailabilityConfig -OrgWideAccount "\User"
    • Run the following commands to add the Availability address space configuration object for the source forest:

      $a = get-credential  (Enter the credentials for organization-wide user in domain)
      Add-AvailabilityAddressspace -Forestname -Accessmethod OrgWideFB -Credential:$a

    LVL 33

    Expert Comment

    Domain1 was referred to what you set the example as.

    "If I'm reading it correctly,  My domain is domain1, my user is user1.  The untrusted domain is domain2, the user is user2"

    Author Comment

    In working through this, I've discovered that I had autodiscover and certificate issues that needed to be resolved before this could work.  I've corrected those issues on my domain and am working with the admins in the other domain to correct their issues.  They should have their new cert in a day or so and I'll begin testing again.

    I'm not sure if this alone is enough to share the free/busy across forests, though.  Is this going to require
    MIIS or IIFP?
    LVL 33

    Expert Comment

    MIIS and IIFP are ideally used for GAL sharing - so if you want to see people across to use GAL - that's what MIIS is primarily required for.

    Author Closing Comment

    Thanks for your help.  In the end, having correctly applied UCC certificates was the biggest issue.  Both Exchange servers had single name certs for OWA, but nothing for autodiscover.  We both purchased UCC certs from GoDaddy and, once applied, the commands you provided allow us to now see Free/Busy info across the untrusted forests.

    Author Comment

    Thanks to Exchange Geek for helping out.  The biggest issue in making this work was properly applied UCC certificates on both Exchange servers.  We both had single name certificates for OWA, but nothing for autodiscover.  Getting autodiscover to function both inside and outside of the network is critical in getting this to work.  Once autodiscover was functioning correctly for both organizations, the Set-AvailabilityConfig and Add-AvailabilityAddressspace cmdlets were all that was needed to see Free/Busy information across untrusted forests.
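
The certificate problem described in the closing comments can be checked before running the availability cmdlets. The following is an added example, not code from the thread or from Microsoft: it inspects the certificate a server presents on port 443 and tests whether its subject alternative names cover the Autodiscover host name. The function names, the `domain1.example` / `domain2.example` hosts and the assumption that Autodiscover is published as `autodiscover.<domain>` are illustrative.

```powershell
# Added example, not from the thread. Host names are constructed placeholders.
function Get-RemoteCertificate {
    param([Parameter(Mandatory=$true)][string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept whatever is presented: the aim is to inspect the certificate, not trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

function Get-CertificateDnsNames {
    param([Parameter(Mandatory=$true)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # 2.5.29.17 is the subjectAltName extension.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return }
    # Assumption: Format() renders entries as "DNS Name=host" (English Windows) or "DNS:host".
    [regex]::Matches($san.Format($false), '(?:DNS Name=|DNS:)\s*([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }
}

function Test-NameCovered {
    param([string[]]$DnsNames, [Parameter(Mandatory=$true)][string]$HostName)
    $h = $HostName.ToLowerInvariant()
    foreach ($n in $DnsNames) {
        if ($n -eq $h) { return $true }
        # A wildcard entry covers exactly one left-most label.
        if ($n.StartsWith('*.') -and $h.Contains('.') -and
            $h.Substring($h.IndexOf('.')) -eq $n.Substring(1)) { return $true }
    }
    return $false
}

# Offline check on constructed name lists mirroring the thread: a single-name
# OWA certificate versus a UCC certificate that also lists Autodiscover.
$singleName = @('mail.domain1.example')
$ucc        = @('mail.domain1.example', 'autodiscover.domain1.example')
Test-NameCovered -DnsNames $singleName -HostName 'autodiscover.domain1.example'
Test-NameCovered -DnsNames $ucc        -HostName 'autodiscover.domain1.example'

# Live check (needs network access to the other organization's endpoint):
# $cert = Get-RemoteCertificate -HostName 'autodiscover.domain2.example'
# Test-NameCovered -DnsNames (Get-CertificateDnsNames $cert) -HostName 'autodiscover.domain2.example'
```

Run the live check from each forest against the other's endpoint, since the Client Access server making the cross-forest request is the one that has to accept the remote certificate.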
