Federation services / Linked Mailboxes

    Question

  • Hello Everyone,

    We are running Exch2010 SP1 with 12000 users. My company has bought another company with 350 Exchange 2010 users. They would like to share free/busy information between both companies, for which we can use Federation Services.

    They also want to use Linked Mailboxes. I don't know how the Linked Mailboxes will be set up and what the use of this will be.

    Do we need any AD Trust for Linked Mailboxes, or will Federation Services alone be enough?

    Another point is that ultimately we'll have to migrate them to our exchange servers by creating their mailboxes at our servers pretty soon. So, do you experts recommend setting up federation services for a small period of time?

    Thanks,

    Vik

    Thursday, July 12, 2012 8:28 AM

Answers

  • Yes, you need two-way AD trust between AD forests to be able to use linked mailboxes.

    For migration: You may use ADMT for User account and Computer account migration and Exchange Powershell commands to migrate the mailboxes between two Exchange orgs.


    - Sarvesh Goel - Enterprise Messaging Administrator (Exchange 2010)

    Thursday, July 12, 2012 10:47 AM
  • A linked mailbox is a mailbox associated with an external account. The resource forest scenario is an example of when you would want to associate a mailbox with an external account. In a resource forest scenario, user objects in the Exchange forest have mailboxes, but the user objects are disabled for logon. You must associate these disabled user accounts in the Exchange forest with enabled user objects in the external accounts forest.

    http://technet.microsoft.com/en-us/library/bb123524.aspx

    Thursday, July 12, 2012 5:45 PM
    Owner

All replies

  • Hi

    There are a few things to do to set up Federation; you will need a certificate, etc. The articles below outline this for you:

    http://technet.microsoft.com/en-us/library/dd335047.aspx

    http://technet.microsoft.com/en-us/library/dd638083.aspx

    I personally would migrate them over to your platform; it will be easier and quicker.

    Thursday, July 12, 2012 10:45 AM
    Owner
  • Yes, you need two-way AD trust between AD forests to be able to use linked mailboxes.

    For migration: You may use ADMT for User account and Computer account migration and Exchange Powershell commands to migrate the mailboxes between two Exchange orgs.


    - Sarvesh Goel - Enterprise Messaging Administrator (Exchange 2010)

    Thursday, July 12, 2012 10:47 AM
  • Thanks to both of you for your suggestions. I truly understand the federation services.

    What would be the use of Linked Mailboxes? Only mailboxes at our organization and accounts at their organization? How will these mailboxes be accessed?

    If management decides to fully migrate them over to our organization then we need to use ADMT for user account migration?

    Do you think this will complicate the setup, doing all this for 350 users? Rather, we simply create their accounts and mailboxes at our domain. For the time being, have them use both mailboxes (ours and theirs) in a single Outlook profile and then do MX changes for routing their emails directly to our mailboxes.

    Please let me know what you experts recommend.

    Thanks,

    Vik

    Thursday, July 12, 2012 10:52 AM
    "Rather, we simply create their accounts and mailboxes at our domain. For the time being, have them use both mailboxes (ours and theirs) in a single Outlook profile and then do MX changes for routing their emails directly to our mailboxes."

    You need to administer everything so it might be easier to do what you said above.

    Thursday, July 12, 2012 10:57 AM
    Owner
  • Thanks but I believe management wants to go by creating federation services and Linked mailboxes.

    What would be the use of Linked Mailboxes? Only mailboxes at our organization and accounts at their organization? How will these mailboxes be accessed?

    What can we achieve with Linked mailboxes?

    Thanks for all your help.

    Thursday, July 12, 2012 3:47 PM
  • A linked mailbox is a mailbox associated with an external account. The resource forest scenario is an example of when you would want to associate a mailbox with an external account. In a resource forest scenario, user objects in the Exchange forest have mailboxes, but the user objects are disabled for logon. You must associate these disabled user accounts in the Exchange forest with enabled user objects in the external accounts forest.

    http://technet.microsoft.com/en-us/library/bb123524.aspx

    Thursday, July 12, 2012 5:45 PM
    Owner
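
An audit of the resource-forest arrangement described in the reply above, added here as an example and not posted by anyone in the thread: it lists linked mailboxes whose account in the Exchange forest is still enabled for logon, or which have no external master account recorded. It assumes it is run in the Exchange Management Shell of the Exchange forest; the report column names are chosen for this example.

```powershell
# Added example: audit linked mailboxes in the Exchange (resource) forest.
# Assumption: run from the Exchange Management Shell in the Exchange forest.

# Every linked mailbox, with the external account it is associated with.
$linked = Get-Mailbox -RecipientTypeDetails LinkedMailbox -ResultSize Unlimited

$report = foreach ($mbx in $linked) {
    # The user object that holds the mailbox in the Exchange forest.
    $user = Get-User -Identity $mbx.DistinguishedName

    # UserAccountControl is a flags value; in the resource forest model
    # the AccountDisabled flag is expected to be set on this object.
    $disabled = $user.UserAccountControl.ToString() -match 'AccountDisabled'

    # Report property names below are specific to this example.
    New-Object PSObject -Property @{
        Mailbox              = $mbx.PrimarySmtpAddress
        LinkedMasterAccount  = $mbx.LinkedMasterAccount
        LocalAccountDisabled = $disabled
        MissingMaster        = [string]::IsNullOrEmpty([string]$mbx.LinkedMasterAccount)
    }
}

# Keep only the entries that deviate from the expected state:
#  - the Exchange-forest account can still log on by itself, or
#  - no account in the external forest is recorded as the master.
$report |
    Where-Object { (-not $_.LocalAccountDisabled) -or $_.MissingMaster } |
    Select-Object Mailbox, LinkedMasterAccount, LocalAccountDisabled, MissingMaster |
    Format-Table -AutoSize
```

An empty result means every linked mailbox has a disabled local account and a recorded master account in the trusted forest.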
  • When Exchange is used in a multi-forest scenario, you will typically have the Exchange forest which contains a plethora of tastefully appointed mailboxes and then a user forest which contains the actual user accounts.

    In such a scenario, the Exchange forest will contain "linked" mailboxes which are actual Active Directory user accounts that refer back to the associated user account in the user forest. When a non-Exchange Impersonated EWS call is made by one of these user accounts, IIS forwards the authentication request over to the user domain which validates the identity of the caller and returns a user token to the CAS server in the Exchange forest.

    This should work fine assuming that a trust relationship is set up between the forests. Once the user is authenticated, EWS attempts to look up Exchange-specific information about the *caller* in the Active Directory, which of course refers to the Exchange forest. In the normal case, there is indeed a user record (the linked mailbox) in the Exchange forest and EWS is able to proceed.

    Moreover, provide this document for reference. Have a check.


    Noya Lau

    TechNet Community Support

    Friday, July 13, 2012 9:02 AM
    Moderator
  • Hi Vik,

    I have implemented cross-forest free/busy many times and it routinely is put in place for a short period of time.  It doesn't take long to get configured so I would say that yes, I recommend setting it up even for a short period of time.  Here's a link to configuring the cross-forest availability service:

    http://technet.microsoft.com/library/bb125182.aspx

    By itself, this functionality does not require a forest trust.  However, as the article points out, you have less control over the level of access when you do not have a forest trust in place.  And, as others have informed you in this thread, if you intend to migrate their mailboxes to your Exchange server while leaving their AD accounts in the source forest, you will need a forest trust. 

    If you have not done cross forest moves before, you may also find this article helpful:  http://technet.microsoft.com/en-us/library/ee633491.aspx  That article will point you in the direction of what is needed to prepare the mailboxes for the cross forest move and then point out what is needed to prep the mailboxes for move.  (prepare-MoveRequest.ps1 for example)

    -Gary

    Friday, July 13, 2012 10:22 AM
  • Hi Gary,

    I'm sorry for being late on the reply.

    We don't have AD trust in place and we won't migrate these users in our forest because these users have already been created in our forest and they'll use the different login ids for their mailboxes.

    Is it necessary to configure Availability services for sharing free/busy information through Federation services?

    http://technet.microsoft.com/library/bb125182.aspx

    thanks,

    Vik

    Tuesday, August 07, 2012 2:52 PM
  • Exchange federation services and free/busy limitations with linked mailboxes - blog

    http://bexchangepro.blogspot.co.uk/2015/11/exchange-federation-services-and.html

    Friday, December 25, 2015 11:04 PM