Free busy sharing between trusted domains - requires contact records?

Hi,

I have set up free / busy sharing between two trusted forests, without federation. 2013 on one side and 2010 SP2 on the other. This works but only after Contact records are created for users in the other domain (i.e. it doesn't work when just typing the recipient's email address). I know I could use a script or the free Quest tool which can do this sync, but I thought it would work just using email address.

My questions are:

1. Is there a way to get the current configuration to work without requiring the Contact records?

2. If not, will configuring a federation work without the requirement to create Contact records in each domain?

Thanks,

Simon

August 6th, 2015 7:46pm

By using the Add-AvailabilityAddressSpace cmdlet, which has been introduced from Exchange 2013, we would be able to share the Exchange free/busy data between 2 forests.

If a trust relationship exists between the two forests you don't need to create contacts.

If a trust relationship exists run the following commands.

Add-AvailabilityAddressSpace -ForestName toybox.com -AccessMethod PerUserFB -UseServiceAccount $true

 

The above command adds the target domain's address space in the source domain to share the free/busy information in a secured way.

Please refer to my blog on the same for further config with an example:

http://exchangequery.com/2014/11/10/steps-to-configure-cross-forest-availability-between-two-exchange-forests-in-exchange-2013/

Note: If there is no trust relationship then you definitely need to create contacts.
August 6th, 2015 10:47pm

Hi Sathish,

Thanks for your response - yes indeed the AD forest trust is in place and I have run the following commands for the free busy sharing:

1. From Forest1 Server (Exchange 2013):

Get-MailboxServer | Add-ADPermission -Accessrights Extendedright -Extendedrights "ms-Exch-EPI-Token-Serialization" -User "forest2\exchange servers"

Add-AvailabilityAddressSpace -Forestname forest2 -AccessMethod PerUserFB -UseServiceAccount:$true

Export-AutodiscoverConfig -TargetForestDomainController "forest2DC" -TargetForestCredential (Get-Credential) -MultipleExchangeDeployments $true

2. From Forest2 Server (Exchange 2010 SP2):

Get-MailboxServer | Add-ADPermission -Accessrights Extendedright -Extendedrights "ms-Exch-EPI-Token-Serialization" -User "forest1\exchange servers"

Get-ClientAccessServer | Add-ADPermission -Accessrights Extendedright -Extendedrights "ms-Exch-EPI-Token-Serialization" -User "forest1\exchange servers"

Add-AvailabilityAddressSpace -Forestname forest1 -AccessMethod PerUserFB -UseServiceAccount:$true

Export-AutodiscoverConfig -TargetForestDomainController "forest1DC" -TargetForestCredential (Get-Credential) -MultipleExchangeDeployments $true

Can you see any issue with the commands or where I can look to see why it is not working with email address only?  One thing to mention is forest2 has a different internal domain name from the email address suffix.  So the trust and free busy commands are against the internal domain name but the email addresses have a different primary SMTP suffix.  I'm thinking to check which attribute is used in the remote domain and whether that / UPN / etc is populated correctly.

Appreciate your help!

Simon

August 11th, 2015 11:59pm

Hi Sathish,

Also I found this article which seems to say that GALsync is required regardless of trusted / untrusted configuration:

https://technet.microsoft.com/en-us/library/bb125182

It seems different every article I read but I'm sure it has worked in the past - confusing!



August 12th, 2015 12:23am

What version of Outlook are you using to look up Free/Busy? If you are using Outlook 2007, then you will need GALSync between the two forests for Free/Busy to work. However, with Outlook 2010 and later, that is not a requirement, although it is recommended to prevent users from incorrectly typing attendees' email addresses.
August 12th, 2015 12:29am

Hi 


The availability service uses the legacyExchangeDN attribute to retrieve the F/B information.
Based on my understanding, the SMTP domain for the two organizations is not related to the Free/Busy.

Maybe you can try this and see the results.


1) Grant permissions to your account forest users on "ms-exch-epi-token-serialization" and on all CAS servers:

Get-ClientAccessServer | Add-AdPermission -AccessRights ExtendedRight -ExtendedRights "ms-exch-epi-token-serialization" -User  "DOMAIN\USer"


2) Check that the permissions are ok with:


Get-ClientAccessServer | Get-WebServicesVirtualDirectory | Get-ADPermission | where {$_.User -like "Domain\User"} | ft -AutoSize

If none of the above helps we will collect the logs.


Please access the EWS URL on the Outlook client via IE and see if it can be accessed successfully.

If there is any error, please also check the IIS log and post the detailed error for us.

August 12th, 2015 1:53am
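
An added example, not part of any reply in this thread: a read-only check, run in the Exchange Management Shell of each forest, of the two settings the replies above configure, namely the availability address space for the other forest and which principals hold ms-Exch-EPI-Token-Serialization on each server object. The values of $RemoteForest and $Trustee are placeholders taken from the forest names used in the thread.

```powershell
# Added example; adjust the two placeholder values for the forest you run it in.
$RemoteForest = 'forest2'                    # forest name passed to Add-AvailabilityAddressSpace
$Trustee      = 'forest2\Exchange Servers'   # principal expected to hold the right
$Right        = 'ms-Exch-EPI-Token-Serialization'

# 1. Availability address space for the remote forest and its access settings.
$space = Get-AvailabilityAddressSpace | Where-Object { $_.ForestName -eq $RemoteForest }
if (-not $space) {
    Write-Warning "No availability address space found for $RemoteForest"
} else {
    $space | Format-List ForestName, AccessMethod, UseServiceAccount, ProxyUrl
}

# 2. Every ACE carrying the extended right on each CAS / Mailbox server object.
#    Multi-role servers appear in both lists, so de-duplicate by DN.
$servers = (@(Get-ClientAccessServer) + @(Get-MailboxServer)) |
    Sort-Object DistinguishedName -Unique

$report = foreach ($s in $servers) {
    Get-ADPermission -Identity $s.DistinguishedName |
        Where-Object { $_.ExtendedRights -like $Right } |
        Select-Object @{ n = 'Server'; e = { $s.Name } }, User, Deny, IsInherited
}
$report | Sort-Object Server, User | Format-Table -AutoSize

# 3. Warn for each server where the expected trustee has no Allow entry.
foreach ($s in $servers) {
    $allow = $report | Where-Object {
        $_.Server -eq $s.Name -and "$($_.User)" -eq $Trustee -and -not $_.Deny
    }
    if (-not $allow) {
        Write-Warning "$($s.Name): no Allow ACE for $Trustee on $Right"
    }
}
```

The table from step 2 lists every holder of the right, so individual accounts granted it during testing show up alongside the expected Exchange Servers group.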

Hi Sathish,

I tried the following:

- created testuser1 in domain1
- created testuser2 in domain2

From domain1:
Get-ClientAccessServer | Add-AdPermission -AccessRights ExtendedRight -ExtendedRights "ms-exch-epi-token-serialization" -User  "domain2\testuser2"

From domain2:
Get-ClientAccessServer | Add-AdPermission -AccessRights ExtendedRight -ExtendedRights "ms-exch-epi-token-serialization" -User  "domain1\testuser1"

I have verified I can access the EWS web directories from each side.

I am testing free/busy in OWA and it is not working.  From domain1 (2013) I see error 'Free/busy information isn't available because the Availability service for the attendee couldn't be contacted'

From domain2 (2010) I see error 'No information - error code 5009'

In the IIS log on domain1 I can only see:
GET /owa/service.svc/s/GetPersonaPhoto related to testuser2

IIS on domain2 I can see:
RecipientsList=SMTP:testuser1@domain1.com~GeneralException:MailRecipientNotFoundException

Any ideas on further troubleshooting?  Should I just set up external federation instead or will I potentially have the same issue?

Thanks,

Simon

August 18th, 2015 7:28pm
