Exchange 2010 Cross-Forest Administration Problems

Status
Not open for further replies.
Cory Wood

We have a fresh install of Exchange 2010 in the domain1.local domain. We also have a two-way forest trust in place between the domain1.local and domain2.local domains.

With Exchange 2007, we could log into the Exchange server in domain1.local using our domain2.local accounts and manage Exchange after following the steps here: http://technet.microsoft.com/en-us/library/bb232078(EXCHG.80).aspx

In Exchange 2010, the Setup /prepareAD /ForeignForestFQDN:ForestA.contoso.com command no longer works because the /ForeignForestFQDN:ForestA.contoso.com switch is no longer valid. Instead, we set up Linked Role Groups following the document here: http://technet.microsoft.com/en-us/library/dd876918.aspx

Now when we log into the Exchange 2010 server in the domain1.local domain with our domain2.local accounts and launch the Exchange Management Console, we get the error:

The following error occurred when getting user information for 'DOMAIN2\username': The operation couldn't be performed because object 'DOMAIN2\username' couldn't be found on 'dc1.domain1.local'. It was running the command 'Get-LogonUser'.

Notice that the EMC is looking on a domain controller in domain1.local to find an account in domain2.local. I'm not sure why it isn't looking on a domain controller in domain2.local for the domain2.local account.

I can manage the Exchange 2010 server by using the Exchange Management Shell with my domain2.local account just fine, but can't use the Exchange Management Console.
 
JorenD

We have the exact same problem and I haven't been able to find a solution either.
 
Georgy Shamne

We have the same problem too.

Rollup 4 also doesn't help.

Really don't know what to do with this. No events logged.
 
Cory Wood

We are running Rollup 4 and the NetBIOS doesn't contain a dot.
 
Michel de Rooij

What if you explicitly specify the CAS server using Properties (right-click) on the Exchange On-Premise node in EMC?

What's the output of the ForeignForest* fields when you run the Get-ExchangeOrganization cmdlet?

Michel de Rooij,
MCITP Ent.Msg | MCTS W2008, E2k7Conf | MCSE+Msg2k3 | MCSE+Inet2k3 | Prince2 Fnd | ITIL
I blog on http://eightwone.wordpress.com/ and tweet on http://twitter.com/mderooij
 
Cory Wood

The CAS server is already specified in the Properties of the Exchange On-Premises node.

When I type get-ExchangeOrganization, it tells me: "The term 'get-exchangeorganization' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again."
 
Georgy Shamne

Well, it's very strange in my situation:

ForeignForestFQDN : {}
ForeignForestOrgAdminUSGSid :
ForeignForestRecipientAdminUSGSid :
ForeignForestViewOnlyAdminUSGSid :
ForeignForestPublicFolderAdminUSGSid :

But I already ran the command:

$ForeignCredential = get-credential
New-RoleGroup "Exchange Management Group" -LinkedForeignGroup "Exchange Management Group" -LinkedDomainController dc1.mydomain.local -LinkedCredential $ForeignCredential -Roles ("Active Directory Permissions", "Address Lists", "Audit Logs", "Cmdlet Extension Agents", "Database Availability Groups", "Database Copies", "Databases", "Disaster Recovery", "Distribution Groups", "Edge Subscriptions", "E-Mail Address Policies", "Exchange Connectors", "Exchange Server Certificates", "Exchange Servers", "Exchange Virtual Directories", "Federated Sharing", "Information Rights Management", "Journaling", "Legal Hold", "Mail Enabled Public Folders", "Mail Recipient Creation", "Mail Recipients", "Mail Tips", "Message Tracking", "Migration", "Monitoring", "Move Mailboxes", "Organization Client Access", "Organization Configuration", "Organization Transport Settings", "POP3 And IMAP4 Protocols", "Public Folder Replication", "Public Folders", "Receive Connectors", "Recipient Policies", "Remote and Accepted Domains", "Retention Management", "Role Management", "Security Group Creation and Membership", "Send Connectors", "Transport Agents", "Transport Hygiene", "Transport Queues", "Transport Rules", "UM Mailboxes", "UM Prompts", "Unified Messaging", "User Options", "View-Only Configuration", "View-Only Recipients")

I think I need to run set-OrganizationConfig with the needed parameters, but I'm not sure that I can set two or more ForeignForestFQDN values.

And of course we don't use a dot in NetBIOS names.

Sorry for probably bad English.

UPD

[PS] D:\>set-OrganizationConfig -ForeignForestFQDN "mydomain.local"
Cannot process argument transformation on parameter 'CustomerFeedbackEnabled'. Cannot convert value "System.String" to type "System.Nullable`1[System.Boolean]", parameters of this type only accept booleans or numbers, use $true, $false, 1 or 0 instead.
    + CategoryInfo : InvalidData: (:) [Set-OrganizationConfig], ParameterBindin...mationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Set-OrganizationConfig

[PS] D:\>set-OrganizationConfig -CustomerFeedbackEnabled $true -Industry "Other" -ForeignForestFQDN "mydomain.local"
Cannot process argument transformation on parameter 'MailTipsAllTipsEnabled'. Cannot convert value "System.String" to type "System.Boolean", parameters of this type only accept booleans or numbers, use $true, $false, 1 or 0 instead.
    + CategoryInfo : InvalidData: (:) [Set-OrganizationConfig], ParameterBindin...mationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Set-OrganizationConfig
 
Michel de Rooij

As you can see from the ForeignForest attributes, they're empty (wanted to make sure). They're here for backwards Exchange 2007 compatibility, I assume (hence the Exchange 2007 groups, e.g. OrgAdmin, RecipientAdmin etc.).

You use Linked Role Groups to manage permissions in the resource forest from the account forest (using universal Security groups/USGs) by connecting Exchange USGs (eg Role Groups) in the resource forest to USGs in the account forest.

Now you already stated you were able to perform cmdlets from the EMS. Is that remotely, using a local PowerShell session, or using a PowerShell session on the Exchange server (or resource forest) after logging in with your account from the account forest? I'm also assuming you have put the account you're using in the proper USG (in the account forest, not in the resource forest, just to be sure).

Michel de Rooij,
MCITP Ent.Msg | MCTS W2008, E2k7Conf | MCSE+Msg2k3 | MCSE+Inet2k3 | Prince2 Fnd | ITIL
I blog on http://eightwone.wordpress.com/ and tweet on http://twitter.com/mderooij
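The linked-role-group mechanism Michel describes, as an added example that is not from this thread or any of its posters: create the link with a deliberately narrow role set, then verify from the resource forest that the group really is of type Linked and what it grants. All names (dc2.domain2.local, the USG "Exchange Recipient Admins", the role group name) are placeholders.

```powershell
# Added example, not from the thread. Assumes a two-way forest trust:
# domain1.local = resource forest (Exchange), domain2.local = account forest.
# Runs in the Exchange Management Shell in the resource forest.

# Credential of an account in the ACCOUNT forest that can read the foreign USG.
# Prompted interactively rather than stored in the script.
$ForeignCredential = Get-Credential

# Least privilege: link only the roles the foreign admins actually need,
# instead of mirroring the whole Organization Management role set.
$Roles = @("Mail Recipients", "Distribution Groups", "View-Only Configuration")

New-RoleGroup -Name "Recipient Management - Linked" `
    -LinkedForeignGroup "Exchange Recipient Admins" `
    -LinkedDomainController dc2.domain2.local `
    -LinkedCredential $ForeignCredential `
    -Roles $Roles

# Verify: a linked role group has RoleGroupType = Linked, a LinkedGroup that
# points at the foreign USG, and an always-empty Members list (membership is
# held by the USG in the account forest, as in the output posted above).
$rg = Get-RoleGroup "Recipient Management - Linked"
$rg | Format-List Name, RoleGroupType, LinkedGroup, Members, Roles

if ($rg.RoleGroupType -ne "Linked" -or -not $rg.LinkedGroup) {
    Write-Warning "Role group did not link to a foreign USG; check the trust and -LinkedDomainController."
}

# Review the effective role assignments and their write scopes so an
# over-broad grant is visible before anyone logs on from the account forest.
Get-ManagementRoleAssignment -RoleAssignee "Recipient Management - Linked" |
    Format-Table Role, RoleAssigneeType, RecipientWriteScope, ConfigWriteScope -AutoSize
```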
 
Cory Wood

My ForeignForest attributes are empty as well.

I am able to perform cmdlets from the EMS on the Exchange server (domain1.local) after logging in with my account from the account forest (domain2.local). This user is a member of the proper USG in the account forest.

Below is the output of the get-rolegroup "organization management - linked" EMS command for the Linked Role Group I'm trying to use:

RunspaceId : 9fd38d74-54c5-4897-ab3a-711a652ac3f5
ManagedBy : {domain1.local/OU/Cory Wood, domain1.local/Microsoft Exchange Security Groups/Organization Management}
RoleAssignments : {Active Directory Permissions-Organization Management - Linked, Address Lists-Organization Management - Linked, ApplicationImpersonation-Organization Management - Linked, Audit Logs-Organization Management - Linked, Cmdlet Extension Agents-Organization Management - Linked, Database Availability Groups-Organization Management - Linked, Database Copies-Organization Management - Linked, Databases-Organization Management - Linked, Disaster Recovery-Organization Management - Linked, Distribution Groups-Organization Management - Linked, Edge Subscriptions-Organization Management - Linked, E-Mail Address Policies-Organization Management - Linked, Exchange Connectors-Organization Management - Linked, Exchange Server Certificates-Organization Management - Linked, Exchange Servers-Organization Management - Linked, Exchange Virtual Directories-Organization Management - Linked...}
Roles : {Active Directory Permissions, Address Lists, ApplicationImpersonation, Audit Logs, Cmdlet Extension Agents, Database Availability Groups, Database Copies, Databases, Disaster Recovery, Distribution Groups, Edge Subscriptions, E-Mail Address Policies, Exchange Connectors, Exchange Server Certificates, Exchange Servers, Exchange Virtual Directories...}
DisplayName :
Members : {}
SamAccountName : Organization Management - Linked
Description :
RoleGroupType : Linked
LinkedGroup : DOMAIN2\Organization Management
IsValid : True
ExchangeVersion : 0.10 (14.0.100.0)
Name : Organization Management - Linked
DistinguishedName : CN=Organization Management - Linked,OU=Microsoft Exchange Security Groups,DC=domain1,DC=local
Identity : domain1.local/Microsoft Exchange Security Groups/Organization Management - Linked
Guid : 7f492934-83e3-4b5b-81a6-b3858117b0e8
ObjectCategory : domain1.local/Configuration/Schema/Group
ObjectClass : {top, group}
WhenChanged : 6/18/2010 11:25:13 AM
WhenCreated : 6/18/2010 11:25:13 AM
WhenChangedUTC : 6/18/2010 4:25:13 PM
WhenCreatedUTC : 6/18/2010 4:25:13 PM
OrganizationId :
OriginatingServer : dc1.domain1.local
 
Cory Wood

I just specified the PDC as the Configuration Domain Controller, but it made no difference.
 
Cory Wood

Does anyone else have any other ideas? Does anyone else have Cross-Forest Administration working in Exchange 2010?
 
Niclas Holmkvist

According to the partner forum this is a 'known issue' and is scheduled to be fixed in Exchange 2010 SP2.
 
Cory Wood

Thanks for posting this in the partner forums Niclas. It's really disappointing that this isn't scheduled to be fixed until SP2.
 