jkeegan123
asked on
Multiple Active Directories accessing Exchange 2010 at a central site with no trusts
I have Exchange 2010 in a Windows 2008 R2 Native domain that hosts mailboxes for multiple companies. All of these companies are accessing email using Outlook Anywhere without any issue.
The companies are in their own Active Directories that do NOT have Exchange enabled in them. There are also no VPNs and no TRUSTS to/from these Active Directories, and we do not want to go in this direction.
We do not have Exchange 2010 installed in hosted mode because the tools make managing it a nightmare. We are segmenting GALs with the Exchange 2010 SP1 Address Book Policies. It works great!
We are manually having users sync their passwords using CHANGE-PASSWORD in Outlook 2010 OWA. However, we would like to get an automatic SSO if possible using Active Directory Federated Services or Forefront Identity Manager.
We already employ FIM to import user objects when a new company joins the party. We are having a very difficult time getting the PCMS module of FIM working, which is supposed to keep the ADs' user object passwords in sync.
Does anyone know if ADFS is a better way to sync passwords between 2 untrusted / un-connected ADs? Or should we stay with FIM and just get it working? I've been researching ADFS and it seems like it may be easier and better at keeping passwords in sync.
We have no issues with opening ports / allowing access between DCs for FIM/ADFS, we just don't want to deal with trusts and seeing other directories in the dropdowns at all of these sites.
Any insight is appreciated.
ASKER
This article has a well detailed way to do OWA using ADFS:
http://www.theidentityguy.com/articles/2010/10/15/access-owa-with-adfs.html
If this could be expanded to support Outlook Anywhere, this might be just about the greatest thing....
As for FIM, we have it working great for IMPORTING, almost no work at all. But no PCMS. :(
ASKER CERTIFIED SOLUTION
FIM is the only system that will allow you to sync passwords between AD environments. Unfortunately, I've never been able to get that working.