GAL synchronization between multiple untrusted forests

  • Question

  • Hello,

    I would like to be able to synchronize GALs between a set of untrusted forests composed of Exchange 2010 and Exchange 2013 (and maybe Exchange 2007). I would like to be able to decide centrally how companies get their GAL synchronized with other companies (fully, partially or not at all).

    The final goal is to have Get Free / Busy operations between those forests, but with the specific feature that we have a server that sits between the querying Exchange and the queried Exchange. Therefore, a solution that prevents us from impersonating both Exchanges with the autodiscover mechanism would not work.

    Those considerations taken into account, what would be the best solution to achieve this?

    • Forefront Identity Manager
    • Microsoft Federation Gateway (does not work with Exchange 2007)
    • 3rd party application (which one?)

    Thank you,

    Martin


    • Edited by mardef Thursday, November 6, 2014 3:36 PM
    Thursday, November 6, 2014 3:28 PM

Answers

  • Mardef, in response to your response to Ed Crowley, you actually can set your systems to update automatically, yet still "roll your own". As he said, it's not that difficult - you just have a scheduled task run on your server that handles the updates, and your query for new mailboxes should only return items that were created or updated since the last synch cycle.
    Monday, November 10, 2014 6:33 PM

All replies

  • You can also roll your own, it's not real hard with PowerShell.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Thursday, November 6, 2014 6:45 PM
  • This implies making manual updates. Ideally, synchronization could be triggered centrally.
    Friday, November 7, 2014 8:30 AM
  • Hi,

    The Availability service improves information workers' free/busy information by providing secure, consistent, and up-to-date free/busy information to clients that are running Microsoft Outlook. By default, this service is installed with Exchange Server 2013. In cross-forest topologies where all connecting clients are running Outlook, the Availability service is the only method of retrieving free/busy information. You can use the Shell to configure the Availability service for cross-forest topologies.

    In untrusted forests, we can only configure the Availability service to retrieve free/busy information on an organization-wide basis. When the Availability service makes free/busy cross-forest requests at the organizational level, free/busy information is returned for each user in the organization.

    Refer to

    http://technet.microsoft.com/en-us/library/bb125182.aspx

    Here is a nice blog for reference about how to Configure the Availability Service for Cross-Forest Topologies

    http://blogs.technet.com/b/exchange/archive/2011/03/04/how-to-configure-the-availability-service-for-cross-forest-topologies.aspx

    Hope this will be helpful for you.

    Monday, November 10, 2014 1:01 AM
  • Thank you for this information. The availability federation between the untrusted forests is working fine.

    The problem I have is for Global Address Lists (GAL) synchronization across the different forests. What would be the best solution, keeping in mind the situation described in the first post?

    Monday, November 10, 2014 5:27 PM
  • But how will the users be populated in the remote forest? You need to give a Service Account credentials to all remote forests so they can push their users in your local AD?

    Thursday, November 20, 2014 8:20 AM
  • Not really - you can export a file of the changes and email those to an account in the other forest. That other account can read the email to get the changes and make the directory updates accordingly.
    Thursday, November 20, 2014 12:40 PM
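The scheduled "export the delta, mail it, import it on the other side" approach described in the accepted answer and in the last reply, written out as an added PowerShell example for the Exchange Management Shell (this is not code from any of the posters). The file paths, the contact OU, the source-forest tag and the allowed-domain list are assumptions; because the CSV arrives by email, the import side treats it as untrusted input and only creates contacts for addresses the sending forest is allowed to publish.

```powershell
# Export side: run as a scheduled task in the source forest's Exchange Management Shell.
function Export-GalDelta {
    param(
        [string]$WatermarkFile = 'C:\GalSync\last-export.txt',   # assumed path
        [string]$ExportFile    = 'C:\GalSync\gal-delta.csv'      # assumed path
    )
    # First run has no watermark, so export everything; later runs export only the delta.
    $since = [datetime]'1900-01-01'
    if (Test-Path $WatermarkFile) { $since = [datetime](Get-Content $WatermarkFile) }
    $start = Get-Date
    # Only mailboxes created or changed since the last cycle, and never hidden entries.
    Get-Mailbox -ResultSize Unlimited -Filter "WhenChanged -gt '$since'" |
        Where-Object { -not $_.HiddenFromAddressListsEnabled } |
        Select-Object DisplayName, Alias, PrimarySmtpAddress |
        Export-Csv -Path $ExportFile -NoTypeInformation -Encoding UTF8
    # Advance the watermark only after a successful export so a failed run is retried next cycle.
    $start.ToString('o') | Set-Content $WatermarkFile
}

# Import side: run in the target forest once the mailed file has been saved to disk.
function Import-GalDelta {
    param(
        [string]$ImportFile,
        [string]$SourceTag,          # short label for the sending forest, e.g. 'fabrikam' (assumed)
        [string[]]$AllowedDomains,   # SMTP domains that forest is allowed to publish (assumed)
        [string]$ContactOU = 'contoso.example/GalSyncContacts'   # assumed OU for synced contacts
    )
    Import-Csv $ImportFile | ForEach-Object {
        $addr   = [string]$_.PrimarySmtpAddress
        $domain = ($addr -split '@')[-1]
        # Untrusted input: skip malformed addresses and domains this source may not publish.
        if ($addr -notmatch '^[^@\s]+@[^@\s]+$' -or $AllowedDomains -notcontains $domain) {
            Write-Warning "Skipping '$addr': not an allowed address for source '$SourceTag'"
            return
        }
        # A deterministic contact name lets the next cycle find and update the same object.
        $name     = "GALSYNC-$SourceTag-$($_.Alias)"
        $existing = Get-MailContact -Identity $name -ErrorAction SilentlyContinue
        if ($existing) {
            Set-MailContact -Identity $name -DisplayName $_.DisplayName -ExternalEmailAddress $addr
        } else {
            New-MailContact -Name $name -DisplayName $_.DisplayName -Alias "$SourceTag-$($_.Alias)" `
                -ExternalEmailAddress $addr -OrganizationalUnit $ContactOU | Out-Null
        }
    }
}
```

Which forests' deltas each company receives, and which domains each is allowed to publish, can then be decided centrally by choosing what gets mailed where and by the per-source allow-list on the import side.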