Solved

Exchange connection across domain trust

Posted on 2010-09-15
7
771 Views
Last Modified: 2012-05-10
We have an existing 2003 exchange environment and when we went to upgrade we found out our config is not supported.

So we built a new domain (domain2) and built a 2010 exchange environment with a mailbox server, a hub transport, and a CAS.  Everything works great from outside the network.  We set up a two way trust between domain1 and domain 2

The issue is when a user in domain1 tries to connect to the new exchange server.  It gives a variety of different issues.  We have tried to connect Outlook to the AD server instead of the CAS, and that sometimes will work for the name resolution, but then Outlook crashes later.  It seems to be related to accessing the address list.

If we log into the exact same machine as a local user (no domain) it works just like it does from outside.

There is a hotfix from MS that is supposed to deal with a lot of 2010 issues, but I wanted to see if there was something with the trust that may be causing this issue.
0
Comment
Question by:TacoFlavoredKisses
  • 4
  • 3
7 Comments
 
LVL 38

Expert Comment

by:Adam Brown
ID: 33684715
Are both domains in the same forest? Exchange tends to be a little finicky when there are two organizations in the same forest.
0
 
LVL 1

Author Comment

by:TacoFlavoredKisses
ID: 33702366
Sorry for the delay.  They are in separate forests.
0
 
LVL 38

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 33702937
Okay. It's even worse when you've going from forest to forest. Usually you need a go-between product to handle authentication for Exchange between forests. Microsoft's Identity LifeCycle Manager (ILM) is built to handle that type of situation. The big issue is that Exchange doesn't properly communicate authentication information for users across a trust link. Trusts in general only provide SID translation between forests and Exchange needs a little more than that to work properly.
0
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 1

Author Comment

by:TacoFlavoredKisses
ID: 33703713
That is too bad.

If we were to make the trust one way only and not trust domain a in domain b would this resolve the issue and now appear as a non trusted user?
0
 
LVL 38

Expert Comment

by:Adam Brown
ID: 33703784
Possibly. They would be required to enter credentials in the other domain, though. Without the trust, there's no way for them to be authenticated in the other domain, so they have to have a usable account in that domain to do anything in it. Trusts allow you to access most things in domain b using an account located in domain a. However, Exchange can't read or recognize the user in domain a properly, so you would need to create a user in domain b for that user to have access to the domain b exchange features, which is how you would handle authentication between domains without a trust. The problem is that you lose the single sign on capabilities. The user in domain a will have to enter credentials for domain b any time they try to access resources in that domain. Make sense?
0
 
LVL 1

Author Comment

by:TacoFlavoredKisses
ID: 33704401
Makes perfect sense.  Unless there is another way we aren't thinking of this seems like the best option.  So I will have them use accounts for domain b when launching outlook in domain a until we can fully migrate all the network components to the new domain.
0
 
LVL 1

Author Comment

by:TacoFlavoredKisses
ID: 33729528
Did not try to refund, but yet it is trying that.  Trying to object.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now