
How to Manage Multiple Forests

Hello Guys,

I have two forests. ARS is installed in one forest and is working perfectly fine. I need to use the same ARS installation to provision / re-provision / de-provision users in another forest.

I have created a trust between these two forests and created a separate ARS service account (member of Domain Admins and Exchange Organization Admins) in the other forest.

What are the necessary prerequisites for such a setup?
Do I have to install ARS service in the other forest as well?


Thanks
sameer
  • Sameer,

    Please see the section "Operation in Multi-forest Environments" in the Active Roles Server Admin Guide for a walk-through on this subject.
  • Hi Greg,

    Thanks for your reply.  I went through the document.  I managed to do the configuration but I had partial success.  Let me explain the setup; you can probably help me better after understanding that.

    I have two forests as mentioned earlier. Both forests have their own Exchange organization. ARS is installed in one forest.

    e.g.
    Forest 1 - abc.com + exchange org + ARS
    Forest 2 - xyz.com with Exchange org

    I have created a trust between both forests and assigned the required permissions to the ABC\ARS service account in Forest 2. I am able to create a user in the Forest 2 domain using the ABC\ARS service account. But when it tries to create a mailbox it throws an error saying "An ARS service should be present in the forest where you are trying to create a mailbox".

    I installed a service in the second forest as well, but it didn't work.

    I opened a case with support. As per support, a single ARS service should work with both forests.

    Please help.

    Regards,
    Sameer
  • Hi Sameer,
    I haven't had to add a trusted forest to my config but will be shortly. Instead of using a service account from your Forest 1, have you tried creating a separate account in Forest 2 to use as the 'override account'? The Admin and/or Quick Start guides should cover how to configure the override accounts in the managed domain(s).

    Hope that helps.
  • Hi Mathew,

    I have used an override account. The service account in my abc.com domain is separate and the service account in my xyz.com domain is separate. While adding both accounts I specified the respective service accounts.

    I have done the following now.

    I opened the ARS MMC under the abc\ars account and added the abc domain as a managed domain.
    I opened another ARS MMC under the xyz\ars account and added the xyz domain as a managed domain.
    Using the respective service accounts I am able to create users and mailboxes in the respective domains using the ARS MMC.
    I accessed AD using the ARS website from both forests using the respective service accounts, i.e. the ARS website from the abc domain under the abc\ars account and from the xyz domain under the xyz\ars account, but it points to the same domain, i.e. ABC.
    How do I make the websites point to their respective domains?

    Regards,
    Sameer
  • I have a similar problem to Sameer's. I need to create mailboxes in a multi-forest environment where each forest has its own Exchange. Each forest's domains are added in my configuration as managed domains using an override service account.
  • ARS is a per-domain (regardless of forest) tool.
    ARS does not have an explicit configuration option to point to multiple Exchange orgs.
    From the Exchange standpoint, Exchange as a resource can span different AD forests as auth masters.
    I would recommend opening a support case to confirm that the situation with multiple Exchange forests is supported. ARS reads the Exchange org from CN=Configuration,DC=Forest1 and maybe will read multiple forests if managed domains 1 and 2 belong to different forests.
  • Aidar, thank you. The concern I have wouldn't be addressed by a support case. You've provided good information; just to be sure, let me reiterate my situation.
    I have linked 20+ domains from 6 forests in ARS. The ARS server and master service account are in one of the managed domains/forests. My Exchange guys are implementing Exchange in each forest, so I need to cut a remote mailbox for users in each managed domain in their respective Exchange environment. To do this, I will configure the Exchange policy. My question is: will I be able to see the respective Exchange configuration in the policy for each managed domain, or will the policy always display the Exchange configuration of the ARS server's home forest?

    I am doing this to have Exchange in hybrid mode while O365 integration is underway for the remaining forests, and also to support multiple SMTP addresses.
  • By default, Active Roles will check for Microsoft Exchange servers only within the same Forest where the Active Roles server is present. This behaviour can be changed by using one of the edsvaExchangeProperties flags.

    This one should be relevant:

    ForceViewEntireForest

    Default Value: False

    Active Roles Version(s): 7.0+

    When this parameter is set to True, and no Exchange Server is found in the domain of the Exchange recipient being administered, Active Roles configures its Exchange management session to view all the Exchange objects in the forest (equivalent to the Set-AdServerSettings -ViewEntireForest $true command in the Exchange Management Shell).

    Without this parameter, Active Roles is unable to manage Exchange recipients in the domains where Exchange Server is not installed.

    To set this flag, run the following VBScript once as an Active Roles Administrator to update the central setting in the Active Roles Configuration database, and then restart all Active Roles services sharing that database:

    option explicit

    ' Value stored when edsvaExchangeProperties is still empty: a minimal
    ' ExchangeProperties document that already carries the flag. An empty
    ' string here would store nothing and leave the flag unset.
    Const NewExchangeProperties = "<ExchangeProperties ForceViewEntireForest=""true"" />"
    Const strEdsvaExchangeProperties = "edsvaExchangeProperties"
    Const strXPath = "/ExchangeProperties"
    Const strSuccessString = "Exchange Properties updated successfully."

    ' Bind to the central Server Configuration object through the Active Roles ADSI provider
    Dim objServiceObject : Set objServiceObject = GetObject("EDMS://CN=Server Configuration,CN=Configuration")

    ' Read the current XML value; Get fails when the attribute has never been set, so that error is ignored
    Dim strXML
    On Error Resume Next
    objServiceObject.GetInfoEx Array(strEdsvaExchangeProperties), 0
    strXML = objServiceObject.Get(strEdsvaExchangeProperties)
    On Error GoTo 0

    If IsEmpty(strXML) Then
        ' No existing properties: store a fresh document containing only the flag
        objServiceObject.Put strEdsvaExchangeProperties, NewExchangeProperties
        objServiceObject.SetInfo
        WScript.Echo strSuccessString
    Else
        ' Existing properties: parse them so any other attributes are preserved
        Dim objXDoc : Set objXDoc = CreateObject("Msxml2.DOMDocument.6.0")
        objXDoc.setProperty "SelectionLanguage", "XPath"
        objXDoc.async = False
        objXDoc.LoadXML strXML

        ' If the value is not well-formed XML or has another root, the node is Nothing
        Dim objNode : Set objNode = objXDoc.selectSingleNode(strXPath)

        If objNode Is Nothing Then
            WScript.Echo "Fail: Wrong XML format"
        Else
            objNode.setAttribute "ForceViewEntireForest", "true"
            objServiceObject.Put strEdsvaExchangeProperties, objXDoc.xml
            objServiceObject.SetInfo
            WScript.Echo strSuccessString
        End If
    End If
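As an added illustration (not One Identity's code and not part of the thread), the Python below reproduces only the XML handling that the VBScript above applies to the edsvaExchangeProperties value, so the three cases (empty value, unexpected root element, existing properties that must be preserved) can be checked offline before touching a production Configuration database. The EDMS:// binding to Active Roles is not reproduced; the functions operate on the XML string only, and the sample values are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample values for the edsvaExchangeProperties attribute (not from a real ARS instance)
EMPTY_VALUE = ""
EXISTING_VALUE = '<ExchangeProperties SomeOtherFlag="false" />'
WRONG_ROOT = '<Settings SomeOtherFlag="false" />'


def set_force_view_entire_forest(current_xml: str) -> str:
    """Return the edsvaExchangeProperties XML with ForceViewEntireForest="true".

    Mirrors the branches of the VBScript above:
      - empty value        -> a fresh <ExchangeProperties> document carrying only the flag
      - wrong root element -> ValueError (the script echoes "Fail: Wrong XML format")
      - existing document  -> attribute set on the root, other attributes preserved
    """
    if not current_xml or not current_xml.strip():
        root = ET.Element("ExchangeProperties")
    else:
        root = ET.fromstring(current_xml)  # raises ET.ParseError on malformed XML
        if root.tag != "ExchangeProperties":
            raise ValueError("Wrong XML format: expected <ExchangeProperties> root")
    root.set("ForceViewEntireForest", "true")
    return ET.tostring(root, encoding="unicode")


def force_view_entire_forest_enabled(current_xml: str) -> bool:
    """Read-back check: does the stored value carry the flag?"""
    if not current_xml or not current_xml.strip():
        return False
    try:
        root = ET.fromstring(current_xml)
    except ET.ParseError:
        return False
    return (root.tag == "ExchangeProperties"
            and root.get("ForceViewEntireForest", "").lower() == "true")
```

Read the attribute back after the restart and run it through the check function to confirm the central setting actually changed.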
  • Historically, what we would do is configure AR's Exchange Resource Forest Manager which would handle "replicating" the user accounts to the Exchange Resource Forest to establish the stub users that the mailboxes are attached to.

    That component required that an AR server reside in the Exchange Resource Forest.

    Here's a KB article about this:

    support.oneidentity.com/.../how-to-enable-the-exchange-resource-forest-management-solution-

    ....now this may have changed as of version 7.1?
  • Terrance, thank you for the script and explanation.
    My apologies for being a pain, but I need to clarify the following though.
    Each of my managed domains/forests will have its own Exchange server in the forest.
    I need ARS to be able to see and create mailboxes in each domain on their Exchange server rather than trying to create the Exchange mailbox on a server belonging to the same forest as the ARS server.
    For example:
    domainA.ForestA.com has Exchange
    DomainB.ForestB.Com has Exchange
    DomainC.ForestC.com has Exchange, and the ARS server is in this domain.

    I would like to configure an Exchange policy in ARS for each domain so that I can create mailboxes for DomainA users on their own Exchange server, DomainB users on their own Exchange server and DomainC users on their own Exchange server.

    Three different Exchange policies linked to three different domains to target three different Exchange environments.

    I believe I can set the virtual attribute edsaCreateMsEXCHmailbox to true to trigger these policies.