Exchange 2007 resource forest and selective authentication trust?
Our Exchange 2007 resource forest is our main domain/root forest, which includes a number of users and groups. We are, however, going to trust a new forest and will be creating linked accounts for them, as they don't have Exchange and we want them to use ours. I've read that it requires our Exchange forest to trust their forest in order to create linked accounts. All the documentation I read says to create a trust with forest-wide authentication; however, this opens up more security than we'd like to this new forest. I'd prefer to create a forest trust with them, but use selective authentication and then specify on the Exchange computer objects which users are allowed to authenticate to the Exchange servers. Is this even possible, or are there some other problems I'll run into if we don't have forest-wide authentication enabled? Thanks.
August 2nd, 2010 10:26pm

Hi, I think you should use POP3 accounts for the other forest's users. This will be more secure for you and you will not feel your head under the chopping box. Regards.
Shafaquat Ali, M.C.I.T.P Exchange 2007/2010, M.C.I.T.P Windows Server 2008, M.C.T.S OCS Server 2007 R2, Phone: +923008210320
August 3rd, 2010 7:44am

Not exactly the response I was looking for. Not interested in POP3 as we don't want local PSTs and need all the calendar features for resource scheduling for these users.
August 4th, 2010 6:48pm

Hi philldogger,
As far as I know, you could do that, and the account could use the resource Exchange. I also ran a test, and everything seems fine.
Selective authentication is a security setting that can be set on interforest trusts. It provides Active Directory administrators who manage a trusting forest more control over which groups of users in a trusted forest can access shared resources in a trusting forest. This increased control is especially important when administrators need to grant access to shared resources in their organization’s forest to a limited set of users located in another organization’s forest, because creating an external or forest trust provides a pathway for all authentication requests to travel between forests.
Regards! Gavin
August 5th, 2010 10:27am

Gavin, if you have tested this before, can you elaborate more on what objects in AD you enabled "Allowed to Authenticate" on? Was it just the Exchange servers? I've read of some people needing to allow the trusted forest users to authenticate to the domain controllers as well. Additionally, what needs to be set up on their forest in order to connect to our forest's Exchange: any prepping, autodiscover records, etc.?
August 5th, 2010 6:26pm

I've read to create an autodiscover host record in their forest, so that answers that question; however, I still have yet to find any specifics about whether a selective authentication trust will work and what objects need "Allowed to Authenticate" enabled on them.
August 6th, 2010 2:41am

Hi philldoqqer,
If you just want the other forest's users to use the Exchange features, you could run a test as below:
1. Check selective authentication; you could enable "Allowed to Authenticate" on the DC and Exchange server for the accounts through ADUC.
2. Test whether the accounts can use the linked mailbox or not. I have tested this, and those are enough.
3. As far as I know, when you check "selective authentication", the resource cannot be used by the other forest's accounts unless you enable "Allowed to Authenticate" for the accounts.
4. If the accounts can use Exchange without problems, you do not need to enable anything else. If there is something wrong, we could do more research and confirm what should be enabled.
Regards! Gavin
August 6th, 2010 10:48am
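
As an added example (not part of any post in this thread, and not a Microsoft-supplied script): one way to audit and grant the "Allowed to Authenticate" right on the DC and Exchange computer objects described above, instead of clicking through ADUC. The group and computer names are placeholders, and it assumes the ActiveDirectory PowerShell module is available.

```powershell
# Added example: the group and computer names are placeholders, not values from the thread.
Import-Module ActiveDirectory

$TrustedGroup  = 'TRUSTED\Linked-Mailbox-Users'   # placeholder group in the trusted forest
$Computers     = @('EXCH01', 'DC01')              # placeholder Exchange server and DC names
# rightsGuid of the Allowed-To-Authenticate extended right
$AllowedToAuth = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
$Extended      = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Resolve the trusted-forest group to a SID across the trust
$account = New-Object System.Security.Principal.NTAccount($TrustedGroup)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])

foreach ($name in $Computers) {
    $dn   = (Get-ADComputer -Identity $name).DistinguishedName
    $path = "AD:\$dn"
    $acl  = Get-Acl -Path $path

    # Audit first: list every principal that already holds the right on this object.
    # Only ACEs naming this specific right are matched; an ACE granting all
    # extended rights (empty object type) is not reported here.
    $holders = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ObjectType -eq $AllowedToAuth -and
            ($_.ActiveDirectoryRights -band $Extended)
        }
    foreach ($h in $holders) {
        '{0}: {1} (inherited: {2})' -f $name, $h.IdentityReference.Value, $h.IsInherited
    }

    # Skip the grant if the group already has it
    if ($holders | Where-Object { $_.IdentityReference.Value -eq $sid.Value }) { continue }

    # Grant only this one extended right to the trusted-forest group
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Extended,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $AllowedToAuth)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
    "${name}: granted Allowed to Authenticate to $TrustedGroup"
}
```

Granting the right to a single group from the trusted forest, rather than to individual accounts, keeps the list of principals that can authenticate across the trust short and easy to review.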

I realize the steps necessary to test it, but I was posting here to see if someone is actually doing this and could report their findings. I don't want to move forward on this and later find out there are additional problems. Thanks for the suggestions, however.
August 9th, 2010 6:13pm

This topic is archived. No further replies will be accepted.
