Cross-forest Free/Busy between trusted forests not functioning
In my test lab I'm trying to get f/b working between 2007/2010 in trusted domains following these articles.

http://technet.microsoft.com/en-us/library/bb125182%28EXCHG.80%29.aspx
http://blogs.technet.com/b/exchange/archive/2011/03/04/3412075.aspx

However I cannot get it to work! Arrrggh! I've got FIM syncing the users from the 2010 forest that appear as "forest mail contact" in 2007. When I create a meeting from my 2007 Outlook client, add the 2010 "contact" and it tries to update the f/b, I get these errors on the 2007 server.

    Event Type: Error
    Event Source: MSExchange ADAccess
    Event Category: Topology
    Event ID: 2130
    Date: 7/22/2011
    Time: 4:02:29 PM
    User: N/A
    Computer: ISLAB2-EXCH2K7
    Description: Process w3wp.exe (EWS) (PID=3624). Exchange Active Directory Provider could not find an available domain controller in domain DC=islab,DC=com. This event may be caused by network connectivity issues or configured incorrectly DNS server. This event may also occur if you have not configured correctly your multiple Active Directory sites.

    Event Type: Error
    Event Source: MSExchange Availability
    Event Category: Availability Service
    Event ID: 4001
    Date: 7/22/2011
    Time: 4:02:28 PM
    User: N/A
    Computer: ISLAB2-EXCH2K7
    Description: Process 3624[w3wp.exe:/LM/W3SVC/1/ROOT/EWS-1-129558493332128396]: Microsoft.Exchange.InfoWorker.Common.Availability.ProxyWebRequestWithAutoDiscover failed. Exception returned is Microsoft.Exchange.InfoWorker.Common.Availability.AutoDiscoverFailedException: A cross-forest Availability service that can fill request for mailbox <islabuser3>SMTP:islabuser3@islab.com could not be found.. This event may occur when Availability Service cannot discover an Availability Service in the remote forest.

From the 2007 Outlook client I can successfully open the autodiscovery URL for the 2010 server and no resulting certificate errors are thrown. Good right? :D

Also, on the 2010 side this error is being thrown occasionally..

    Log Name: Application
    Source: MSExchange ADAccess
    Date: 7/24/2011 8:17:35 PM
    Event ID: 2130
    Task Category: Topology
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: islab-exch2k10.islab.com
    Description: Process w3wp.exe () (PID=3768). Exchange Active Directory Provider could not find an available domain controller in domain DC=islab2,DC=com. This event may be caused by network connectivity issues or configured incorrectly DNS server. This event may also occur if you have not configured correctly your multiple Active Directory sites.

Any ideas?
July 24th, 2011 11:52pm

The events are clearly talking about Network issues. Run netdiag on the server and check if you are getting an error. About Outlook that's fine, that's the issue with Cert which is no big deal to fix it :) Post the update.

Gulab | MCITP: Exchange 2010-2007 | Skype: Gulab.Mallah | Blog: www.ExchangeRanger.Blogspot.com
July 25th, 2011 1:57am

> Run netdiag on the server and check if you are getting an error.

All passed..

    C:\Program Files\Support Tools>netdiag

    .....................................

    Computer Name: ISLAB2-EXCH2K7
    DNS Host Name: islab2-exch2k7.islab2.com
    System info : Microsoft Windows Server 2003 R2 (Build 3790)
    Processor : EM64T Family 6 Model 44 Stepping 2, GenuineIntel
    List of installed hotfixes : KB2079403 KB2115168 KB2124261 KB2229593 KB2296011 KB2345886 KB2347290 KB2360937 KB2378111 KB2387149 KB2393802 KB2412687 KB2419635 KB2423089 KB2440591 KB2443105 KB2443685 KB2476490 KB2478960 KB2478971 KB2483185 KB2485663 KB2503665 KB2506212 KB2507618 KB2507938 KB2508272 KB2508429 KB2509553 KB2510587 KB2524375 KB2530548 KB2535512 KB2536276 KB2544521 KB2544893 KB2555917 KB923561 KB924667-v2 KB925398_WMP64 KB925902 KB926122 KB926139-v2 KB927891 KB929123 KB932168 KB936357 KB941569 KB942831 KB944653 KB946026 KB948496 KB950762 KB950974 KB952004 KB952069 KB952954 KB954155 KB954550-v7 KB955759 KB956572 KB956802 KB956844 KB958469 KB958644 KB959426 KB960803 KB960859 KB961118 KB961501 KB967723 KB968389 KB969059 KB970430 KB970483 KB971029 KB971032 KB971657 KB971737 KB972270 KB973507 KB973540 KB973815 KB973869 KB973904 KB973917-v2 KB974112 KB974318 KB974392 KB974571 KB975025 KB975467 KB975558_WM8 KB975560 KB975562 KB975713 KB977816 KB977914 KB978338 KB978542 KB978601 KB978695 KB978706 KB979309 KB979482 KB979687 KB980232 KB980436 KB981322 KB982132 KB982666 Q147222

    Netcard queries test . . . . . . . : Passed

    Per interface results:

        Adapter : Local Area Connection
            Netcard queries test . . . : Passed
            Host Name. . . . . . . . . : islab2-exch2k7
            IP Address . . . . . . . . : 10.1.1.120
            Subnet Mask. . . . . . . . : 255.255.0.0
            Default Gateway. . . . . . : 10.1.0.1
            Primary WINS Server. . . . : 10.1.0.10
            Secondary WINS Server. . . : 10.1.0.13
            Dns Servers. . . . . . . . : 10.1.1.119
            AutoConfiguration results. . . . . . : Passed
            Default gateway test . . . : Passed
            NetBT name test. . . . . . : Passed
            [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
            WINS service test. . . . . : Passed

    Global results:

    Domain membership test . . . . . . : Passed
    NetBT transports test. . . . . . . : Passed
        List of NetBt transports currently configured:
            NetBT_Tcpip_{40EC52A4-3EA4-4F8D-86CA-86C8B42F625D}
        1 NetBt transport currently configured.
    Autonet address test . . . . . . . : Passed
    IP loopback ping test. . . . . . . : Passed
    Default gateway test . . . . . . . : Passed
    NetBT name test. . . . . . . . . . : Passed
        [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.
    Winsock test . . . . . . . . . . . : Passed
    DNS test . . . . . . . . . . . . . : Passed
    Redir and Browser test . . . . . . : Passed
        List of NetBt transports currently bound to the Redir
            NetBT_Tcpip_{40EC52A4-3EA4-4F8D-86CA-86C8B42F625D}
        The redir is bound to 1 NetBt transport.
        List of NetBt transports currently bound to the browser
            NetBT_Tcpip_{40EC52A4-3EA4-4F8D-86CA-86C8B42F625D}
        The browser is bound to 1 NetBt transport.
    DC discovery test. . . . . . . . . : Passed
    DC list test . . . . . . . . . . . : Passed
    Trust relationship test. . . . . . : Passed
        Secure channel for domain 'ISLAB2' is to '\\islab2-2003r2dc.islab2.com'.
    Kerberos test. . . . . . . . . . . : Passed
    LDAP test. . . . . . . . . . . . . : Passed
    Bindings test. . . . . . . . . . . : Passed
    WAN configuration test . . . . . . : Skipped
        No active remote access connections.
    Modem diagnostics test . . . . . . : Passed
    IP Security test . . . . . . . . . : Skipped
        Note: run "netsh ipsec dynamic show /?" for more detailed information

    The command completed successfully
July 25th, 2011 12:44pm

glaviolette,

Some questions for you to answer:

What are the settings you have done so far for the AvailabilityAddressSpace?
What about Autodiscover... is that name included in the certificates?
Is a public or self-signed Certificate Used?

:Martina
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question.
July 25th, 2011 7:12pm

> glaviolette, Some questions for you to answer:
> What are the settings you have done so far for the AvailabilityAddressSpace?
> What about Autodiscover... is that name included in the certificates?
> Is a public or self-signed Certificate Used?

Following the document mentioned, I've run on the source exchange server (islab2.com):

    Add-AvailabilityAddressSpace -Forestname islab.com -AccessMethod PerUserFB -UseServiceAccount:$true

Yes, I've included "autodiscover.islab.com" and the netbios name in the SAN of the self signed cert. Also, as I *somewhat* alluded to in my original message, I've tested the autodiscover URL (https://autodiscover.islab.com/autodiscover/autodiscover.xml) from the "islab2.com" Outlook client from IE and they work (however they are asking for auth?)

Self Signed

Thanks for your reply. Oh! I should also mention there is an Exchange 2003 server in the islab.com domain, in case it makes any difference.
July 25th, 2011 7:42pm

Hi,

Ok, two problems:

In order for this to work, a self-signed certificate can not be used. Both servers must have a certificate that the other trusts.
This will not work for users that have their mailbox on Exchange 2003. Availability Service is an Exchange 07/10-thing.

If the domain name and emaildomain are the same, then you can run the below in each environment. If the emaildomain is something else, then replace the value for -Forestname.

IN TARGET - Islab.com

    Add-AvailabilityAddressSpace -ForestName islab2.com -AccessMethod PerUserFB -UseServiceAccount:$true
    Get-ClientAccessServer | Add-ADPermission -AccessRights ExtendedRight -ExtendedRights "ms-Exch-EPI-Token-Serialization" -User "islab2.com\Exchange Servers"

IN SOURCE - Islab2.com

    Add-AvailabilityAddressSpace -ForestName islab.com -AccessMethod PerUserFB -UseServiceAccount:$true
    Get-ClientAccessServer | Add-ADPermission -AccessRights ExtendedRight -ExtendedRights "ms-Exch-EPI-Token-Serialization" -User "islab.com\Exchange Servers"

:Martina
July 25th, 2011 8:08pm

Huh, the Technet article seems to indicate as long as the self signed SAN cert is imported into the other server that's sufficient, you're saying that's not true?

Sorry, I've run those EXACT commands on each target/source. No joy.. :(

Thanks for your assistance!
July 26th, 2011 12:33am

> Huh, the Technet article seems to indicate as long as the self signed SAN cert is imported into the other server that's sufficient, you're saying that's not true?

This is what the Technet article says:

> Cross-Forest Availability and Certificates
> When you install Exchange 2007 with the Client Access server role, a self-signed certificate is created. The self-signed certificate has two Subject Alternative Name (SAN) entries: one for the NetBIOS name of the Client Access server and one for the fully qualified domain name (FQDN) of the Client Access server. Therefore, if you plan to use the default self-signed certificate installed on the Client Access server, you have only one option to make Autodiscover work between both forests: You must export the SCP from the target forest to the source forest. In this scenario, you must have a trust relationship between both forests

Is really the DNS-Domainname and SMTP-Domain the same? If not you must replace the value for -Forestdomain in the command. The name of the switch is really misleading. It's the primary SMTP-domain from the trusted domain that has to be added.

Can you run test-outlookwebservices and post the output? Example:

    test-outlookwebservices -identity:somuser@sourceSMTP.com -TargetAddress someuser@TargetSMTP.com | fl
July 26th, 2011 1:18am

So, as self signed will work if exported to each forest, which I have done. Yup, DNS/SMTP domain both match (islab.com/islab2.com). Here is the output, which I have run before. Not very helpful that I could see??

    [PS] C:\Documents and Settings\Administrator.ISLAB2>Test-OutlookWebServices -Identity:islabuser1@islab2.com -TargetAddress islabuser1@islab.com | fl

    Id      : 1003
    Type    : Information
    Message : About to test AutoDiscover with the e-mail address islabuser1@islab2.com.

    Id      : 1006
    Type    : Information
    Message : The Autodiscover service was contacted at https://islab2-exch2k7.islab2.com/Autodiscover/Autodiscover.xml.

    Id      : 1011
    Type    : Error
    Message : When querying Availability for islabuser1@islab.com received 5039:

    Id      : 1016
    Type    : Error
    Message : [EXCH]-Error when contacting the AS service at https://islab2-exch2k7.islab2.com/EWS/Exchange.asmx. The elapsed time was 312 milliseconds.

    Id      : 1015
    Type    : Success
    Message : [EXCH]-Successfully contacted the OAB service at https://islab2-exch2k7.islab2.com/EWS/Exchange.asmx. The elapsed time was 0 milliseconds.

    Id      : 1014
    Type    : Success
    Message : [EXCH]-Successfully contacted the UM service at https://islab2-exch2k7.islab2.com/UnifiedMessaging/Service.asmx. The elapsed time was 671 milliseconds.

    Id      : 1006
    Type    : Success
    Message : The Autodiscover service was tested successfully.

    Id      : 1021
    Type    : Information
    Message : The following web services generated errors.
                  As in EXCH
              Please use the prior output to diagnose and correct the errors.
July 26th, 2011 1:01pm

Please configure external Availability Service URL the same as the internal URL for a test. Also, please temporarily turn off firewall and antivirus program to check the result. Thanks. Novak Wu
July 26th, 2011 10:26pm

Just to be clear, you are using a self-signed Certificate and not one issued from your Certificate Server? If you are, you must export and import the SCP Settings, according to the Technet Article.

Please run get-exchangecertificate | fl and post the output here.

The output from Test-Outlookwebservices is informative. It shows that connectivity exists but Availability Service doesn't work and that is usually caused by the certificate not being trusted, or missing name in the cert etc.

Could you also run Get-WebServicesVirtualDirectory | fl Name,*url* and post the output?

:Martina
July 27th, 2011 2:39am

Hi Glaviolette,

Any update on this issue?

Martina Miskovic
August 1st, 2011 1:20am

> Hi Glaviolette, Any update on this issue? Martina Miskovic

Sorry for the delayed reply. Yes, I finally got it working! While I don't have the *exact* answer, I can take a guess it had to do with matching my External/Internal URLs for each service with the certificate. Then testing those URLs from each Exchange server in IE. I had created my own SAN certs on each lab DC/Certsrv then copied/installed the root CA to each lab exchange server.

This article helped as well. http://www.enowconsulting.com/blog/index.php?paged=4
August 4th, 2011 5:35pm
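
A read-only check for the cause the post above settles on, service URLs that do not match the names on the certificate. This is an added example, not part of any post in this thread; it assumes the Exchange Management Shell on a Client Access server in each forest, and `Test-NameCovered` is a hypothetical helper name.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell
# on a Client Access server in each forest (Exchange 2007 or 2010).

# True when $HostName matches a certificate name exactly or through a
# single-label wildcard such as *.example.com (comparison is case-insensitive).
function Test-NameCovered([string]$HostName, [string[]]$CertNames) {
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }
        $dot = $HostName.IndexOf('.')
        if ($name.StartsWith('*.') -and $dot -gt 0 -and
            $HostName.Substring($dot) -eq $name.Substring(1)) { return $true }
    }
    return $false
}

# Certificates bound to IIS: these are what EWS and Autodiscover present.
$iisCerts = @(Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' })
$iisCerts | Format-List Thumbprint, IsSelfSigned, NotAfter, CertificateDomains
$certNames = @($iisCerts | ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_" })

# Every service URL this server publishes for web services and Autodiscover.
$urls = @()
Get-WebServicesVirtualDirectory | ForEach-Object {
    if ($_.InternalUrl) { $urls += "$($_.InternalUrl)" }
    if ($_.ExternalUrl) { $urls += "$($_.ExternalUrl)" }
}
Get-ClientAccessServer | ForEach-Object {
    if ($_.AutoDiscoverServiceInternalUri) { $urls += "$($_.AutoDiscoverServiceInternalUri)" }
}

# Print True/False per URL: is its host name on an IIS certificate?
$urls | Sort-Object -Unique | ForEach-Object {
    $urlHost = ([System.Uri]$_).Host
    $covered = Test-NameCovered $urlHost $certNames
    "{0,-5} {1}" -f $covered, $_
}

# Who holds the token-serialization right granted by the thread's commands.
Get-ClientAccessServer | Get-ADPermission |
    Where-Object { $_.ExtendedRights -like 'ms-Exch-EPI-Token-Serialization' } |
    Format-Table Identity, User, Deny, Inherited -AutoSize

# Address spaces configured for the other forest.
Get-AvailabilityAddressSpace | Format-List ForestName, AccessMethod, UseServiceAccount
```

A `False` line means a peer forest following that URL gets a certificate name mismatch; `IsSelfSigned : True` means the certificate has to be trusted explicitly on the other side.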

I am glad it works for you now. Thanks for the update glaviolette!

Martina Miskovic
August 4th, 2011 8:18pm

This topic is archived. No further replies will be accepted.
