Free busy sharing between trusted domains - requires contact records?

  • Question

  • Hi,

    I have set up free / busy sharing between two trusted forests, without federation.  2013 on one side and 2010 SP2 on the other.  This works but only after Contact records are created for users in the other domain (i.e. it doesn't work when just typing the recipients email address).  I know I could use a script or the free Quest tool which can do this sync, but I thought it would work just using email address.

    My questions are:

    1. Is there a way to get the current configuration to work without requiring the Contact records?

    2. If not, will configuring a federation work without the requirement to create Contact records in each domain?



    Thursday, August 6, 2015 11:45 PM

All replies

  • By using the Add-AvailabilityAddressSpace commandlet which has been introduced from Exchange 2013 we would be able to share the exchange free busy data between 2 forests.

    If a trust relationship exists between the two forests you don't need to create contacts.

    If a trust relationship exists run the following commands.

    Add-AvailabilityAddressSpace -ForestName toybox.com -AccessMethod PerUserFB -UseServiceAccount $true


    The above command adds the target domain's address space in the source domain to share the free busy information in a secured way.

    Please refer to my blog on the same for further config with an example.


    Note: If there is no trust relationship then you definitely need to create contacts.

    Remember to mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Check out my latest blog posts on http://exchangequery.com Thanks, Sathish (MVP)

    Friday, August 7, 2015 2:46 AM
  • Hi Sathish,

    Thanks for your response - yes indeed the AD forest trust is in place and I have run the following commands for the free busy sharing:

    1. From Forest1 Server (Exchange 2013):

    Get-MailboxServer | Add-ADPermission -Accessrights Extendedright -Extendedrights "ms-Exch-EPI-Token-Serialization" -User "forest2\exchange servers"

    Add-AvailabilityAddressSpace -Forestname forest2 -AccessMethod PerUserFB -UseServiceAccount:$true

    Export-AutodiscoverConfig -TargetForestDomainController "forest2DC" -TargetForestCredential (Get-Credential) -MultipleExchangeDeployments $true

    2. From Forest2 Server (Exchange 2010 SP2):

    Get-MailboxServer | Add-ADPermission -Accessrights Extendedright -Extendedrights "ms-Exch-EPI-Token-Serialization" -User "forest1\exchange servers"

    Get-ClientAccessServer | Add-ADPermission -Accessrights Extendedright -Extendedrights "ms-Exch-EPI-Token-Serialization" -User "forest1\exchange servers"

    Add-AvailabilityAddressSpace -Forestname forest1 -AccessMethod PerUserFB -UseServiceAccount:$true

    Export-AutodiscoverConfig -TargetForestDomainController "forest1DC" -TargetForestCredential (Get-Credential) -MultipleExchangeDeployments $true

    Can you see any issue with the commands or where I can look to see why it is not working with email address only?  One thing to mention is forest2 has a different internal domain name from the email address suffix.  So the trust and free busy commands are against the internal domain name but the email addresses have a different primary SMTP suffix.  I'm thinking to check which attribute is used in the remote domain and whether that / UPN / etc is populated correctly.

    Appreciate your help!


    Tuesday, August 11, 2015 3:59 AM
  • Hi Sathish,

    Also I found this article which seems to say that GALsync is required regardless of trusted / untrusted configuration:


    It seems different every article I read but I'm sure it has worked in the past - confusing!

    Tuesday, August 11, 2015 4:23 AM
  • What version of Outlook are you using to look up Free/Busy? If you are using Outlook 2007, then you will need GALSync between the two forests for Free/Busy to work. With Outlook 2010 and later, however, that is not a requirement, although it is recommended to keep users from incorrectly typing attendees' email addresses.
    Tuesday, August 11, 2015 4:29 AM
  • Hi

    The availability service uses the legacyExchangeDN attribute to retrieve the F/B information.
    Based on my understanding, the SMTP domain for the two organizations is not related to the Free/Busy.

    Maybe you can try this and see the results:

    1) Grant permissions to your account forest users on "ms-exch-epi-token-serialization" and on all CAS servers:

    Get-ClientAccessServer | Add-AdPermission -AccessRights ExtendedRight -ExtendedRights "ms-exch-epi-token-serialization" -User  "DOMAIN\USer"

    2) Check that the permissions are ok with:

    Get-ClientAccessServer | Get-WebServicesVirtualDirectory | Get-ADPermission | where {$_.User -like "Domain\User"} | ft -auto

    If none of the above helps we will collect the logs.

    Please access the EWS URL on the Outlook client via IE and see if it can be accessed successfully.

    If there are any errors, please also check the IIS log and post the detailed error for us.

    Remember to mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Check out my latest blog posts on http://exchangequery.com Thanks, Sathish (MVP)

    Tuesday, August 11, 2015 5:54 AM
  • Hi Sathish,

    I tried the following:

    - created testuser1 in domain1
    - created testuser2 in domain2

    From domain1:
    Get-ClientAccessServer | Add-AdPermission -AccessRights ExtendedRight -ExtendedRights "ms-exch-epi-token-serialization" -User  "domain2\testuser2"

    From domain2:
    Get-ClientAccessServer | Add-AdPermission -AccessRights ExtendedRight -ExtendedRights "ms-exch-epi-token-serialization" -User  "domain1\testuser1"

    I have verified I can access the EWS web directories from each side.

    I am testing free/busy in OWA and it is not working.  From domain1 (2013) I see error 'Free/busy information isn't available because the Availability service for the attendee couldn't be contacted'

    From domain2 (2010) I see error 'No information - error code 5009'

    In the IIS log on domain1 I can only see:
    GET /owa/service.svc/s/GetPersonaPhoto related to testuser2

    IIS on domain2 I can see:

    Any ideas on further troubleshooting?  Should I just set up external federation instead or will I potentially have the same issue?



    Tuesday, August 18, 2015 11:26 PM
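
An added check, not part of any reply in this thread: the commands above grant the ms-Exch-EPI-Token-Serialization extended right first to the other forest's Exchange Servers group and later to individual test users, so after troubleshooting it is worth listing who actually holds that right and which availability address spaces exist. The `$expected` trustee names are placeholders (assumptions); run it in the Exchange Management Shell of each forest.

```powershell
# Added example: audit Allow grants of the token-serialization right on
# Mailbox and Client Access server objects. Written without PowerShell 3.0
# syntax so it also runs in the Exchange 2010 shell.
$right = 'ms-Exch-EPI-Token-Serialization'

# ASSUMPTION: trustees that are supposed to hold the right in this forest.
# Placeholder names; replace with your own forests' Exchange Servers groups.
$expected = @('FOREST1\Exchange Servers', 'FOREST2\Exchange Servers')

# Every server object the thread's Add-ADPermission commands were piped from.
$servers = @(Get-MailboxServer) + @(Get-ClientAccessServer) |
    ForEach-Object { $_.DistinguishedName } |
    Sort-Object -Unique

$report = foreach ($dn in $servers) {
    Get-ADPermission -Identity $dn |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -like "*$right*") } |
        ForEach-Object {
            $trustee = "$($_.User)"
            New-Object PSObject -Property @{
                Server    = $dn
                Trustee   = $trustee
                Inherited = $_.IsInherited
                Expected  = ($expected -contains $trustee)
            }
        }
}

# Grants to anything outside the expected list, for example the individual
# test accounts added while troubleshooting.
$report | Where-Object { -not $_.Expected } |
    Format-Table Server, Trustee, Inherited -AutoSize

# Address spaces configured for cross-forest free/busy, for comparison with
# the forests you intend to share with.
Get-AvailabilityAddressSpace |
    Format-Table ForestName, AccessMethod, UseServiceAccount -AutoSize

# To withdraw a leftover explicit grant (review before running):
# Remove-ADPermission -Identity '<server DN>' -User 'DOMAIN\User' `
#     -ExtendedRights $right
```

Entries with Inherited set to True come from a parent container and have to be changed where they were granted rather than on the server object itself.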