Outlook Web Access access from user account forest in linked mailbox migration

  • Question

  • We are about to embark on a cross-forest migration which will involve migrating users to a new AD forest but leaving Exchange (currently 2007) in the existing forest (converting the old forest to a resource domain using linked mailboxes).

    We have hit an OWA access issue due to our existing configuration in the source forest. At the time we installed Exchange 2007 we weren't anticipating doing a cross-forest migration further down the line. To make life a little easier for our users we configured the OWA logon format (authentication tab) to use "User Name Only", i.e. we prefilled the domain portion of the login automatically so that the user didn't have to type in "domain\username" or UPN; instead the user just logged in by typing their username and password.

    The issue we have now is that the domain information we have prefilled for the user is going to be the old / resource domain. Any user that has migrated will obviously have new domain info, so even though their user name remains the same during the migration process, their domain has changed and so entering the username and password is failing. OWA is prefilling the domain portion of the login with the old domain name; in a linked mailbox scenario the old domain account is disabled, thus logon is failing.

    The only way we can think of getting around this is to change the logon format so that the user does have to enter the domain portion of the string; however, we have quite a large user base (around 50,000) and so introducing a change in user logon behaviour after so many years is going to be a challenge and likely to result in increased calls to our support desk.

    We thought about installing an additional CAS server with the new domain info in and trying to redirect the new domain users to this CAS server but reading / testing suggests that this would be a bad idea.  General recommendations are to configure all your CAS servers in the same AD site the same. Trying to isolate some CAS services to particular CAS servers is likely to cause problems.  We therefore don't want to do this.

    This thread is therefore just to ask if anyone has had a similar issue or if there are any suggestions.

    Thursday, November 17, 2011 10:55 AM
