Exchange 2010 Cross-Forest Administration Problems

  • Question

  • We have a fresh install of Exchange 2010 in the domain1.local domain. We also have a two-way forest trust in place between the domain1.local and domain2.local domains.

    With Exchange 2007, we could log into the Exchange server in domain1.local using our domain2.local accounts and manage Exchange after following the steps here: http://technet.microsoft.com/en-us/library/bb232078(EXCHG.80).aspx

    In Exchange 2010, the Setup /prepareAD /ForeignForestFQDN:ForestA.contoso.com command no longer works because the /ForeignForestFQDN:ForestA.contoso.com switch is no longer valid. Instead, we set up Linked Role Groups following the document here: http://technet.microsoft.com/en-us/library/dd876918.aspx

    Now when we log into the Exchange 2010 server in the domain1.local domain with our domain2.local accounts and launch the Exchange Management Console, we get the error:

    The following error occurred when getting user information for 'DOMAIN2\username': The operation couldn't be performed because object 'DOMAIN2\username' couldn't be found on 'dc1.domain1.local'. It was running the command 'Get-LogonUser'.

    Notice that the EMC is looking on a domain controller in domain1.local to find an account in domain2.local. I'm not sure why it isn't looking on a domain controller in domain2.local for the domain2.local account.

    I can manage the Exchange 2010 server by using the Exchange Management Shell with my domain2.local account just fine, but can't use the Exchange Management Console.

    Friday, June 18, 2010 9:18 PM

Answers

  • According to the partner forum this is a 'known issue' and is scheduled to be fixed in Exchange 2010 SP2.
    • Marked as answer by Cory Wood Monday, August 30, 2010 1:29 PM
    Monday, August 30, 2010 11:39 AM

All replies

  • We have the exact same problem and I haven't been able to find a solution either.
    Tuesday, June 22, 2010 1:16 PM
  • We have same problem too.

    Rollup 4 also doesn't help.

    Really don't know what to do with this. No events logged.

    Monday, July 12, 2010 4:14 PM
  • Are you running Rollup 4? Doesn't mean you're using a NetBIOS name with a dot, but it seems related.

    http://support.microsoft.com/kb/981033


    Michel de Rooij,
    MCITP Ent.Msg | MCTS W2008, E2k7Conf | MCSE+Msg2k3 | MCSE+Inet2k3 | Prince2 Fnd | ITIL
    I blog on http://eightwone.wordpress.com/ and tweet on http://twitter.com/mderooij
    Monday, July 12, 2010 6:58 PM
  • We are running Rollup 4 and the NetBIOS doesn't contain a dot.
    Monday, July 12, 2010 7:06 PM
  • What if you explicitly specify the CAS server using Properties (right-click) on the Exchange On-Premise node in EMC?

    What's the output of the ForeignForest* fields when you run the get-ExchangeOrganization cmdlet?


    Michel de Rooij,
    MCITP Ent.Msg | MCTS W2008, E2k7Conf | MCSE+Msg2k3 | MCSE+Inet2k3 | Prince2 Fnd | ITIL
    I blog on http://eightwone.wordpress.com/ and tweet on http://twitter.com/mderooij
    Monday, July 12, 2010 7:44 PM
  • The CAS server is already specified in the Properties of the Exchange On-Premises node.

    When I type get-ExchangeOrganization, it tells me "The term 'get-exchangeorganization' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again."

    Monday, July 12, 2010 7:54 PM
  • Sorry, my bad .. should be get-OrganizationConfig

    Michel de Rooij,
    MCITP Ent.Msg | MCTS W2008, E2k7Conf | MCSE+Msg2k3 | MCSE+Inet2k3 | Prince2 Fnd | ITIL
    I blog on http://eightwone.wordpress.com/ and tweet on http://twitter.com/mderooij
    Monday, July 12, 2010 10:16 PM
  • Well it's very strange in my situation:

    ForeignForestFQDN     : {}
    ForeignForestOrgAdminUSGSid    :
    ForeignForestRecipientAdminUSGSid   :
    ForeignForestViewOnlyAdminUSGSid   :
    ForeignForestPublicFolderAdminUSGSid  :

    But I already ran the command

    $ForeignCredential = get-credential
    New-RoleGroup "Exchange Management Group" -LinkedForeignGroup "Exchange Management Group" -LinkedDomainController dc1.mydomain.local -LinkedCredential $ForeignCredential -Roles ("Active Directory Permissions","Address Lists","Audit Logs","Cmdlet Extension Agents","Database Availability Groups","Database Copies","Databases","Disaster Recovery","Distribution Groups","Edge Subscriptions","E-Mail Address Policies","Exchange Connectors","Exchange Server Certificates","Exchange Servers","Exchange Virtual Directories","Federated Sharing","Information Rights Management","Journaling","Legal Hold","Mail Enabled Public Folders","Mail Recipient Creation","Mail Recipients","Mail Tips","Message Tracking","Migration","Monitoring","Move Mailboxes","Organization Client Access","Organization Configuration","Organization Transport Settings","POP3 And IMAP4 Protocols","Public Folder Replication","Public Folders","Receive Connectors","Recipient Policies","Remote and Accepted Domains","Retention Management","Role Management","Security Group Creation and Membership","Send Connectors","Transport Agents","Transport Hygiene","Transport Queues","Transport Rules","UM Mailboxes","UM Prompts","Unified Messaging","User Options","View-Only Configuration","View-Only Recipients")

    I think I need to run set-OrganizationConfig with the needed parameters, but I'm not sure that I can set two or more ForeignForestFQDN.

    And of course we don't use dot in netbios names.

    Sorry for probably bad English.


    UPD

    [PS] D:\>set-OrganizationConfig -ForeignForestFQDN "mydomain.local"
    Cannot process argument transformation on parameter 'CustomerFeedbackEnabled'. Cannot convert value "System.String" to
    type "System.Nullable`1[System.Boolean]", parameters of this type only accept booleans or numbers, use $true, $false, 1
     or 0 instead.
      + CategoryInfo     : InvalidData: (:) [Set-OrganizationConfig], ParameterBindin...mationException
      + FullyQualifiedErrorId : ParameterArgumentTransformationError,Set-OrganizationConfig


    [PS] D:\>set-OrganizationConfig -CustomerFeedbackEnabled $true -Industry "Other" -ForeignForestFQDN "mydomain.local"
    Cannot process argument transformation on parameter 'MailTipsAllTipsEnabled'. Cannot convert value "System.String" to t
    ype "System.Boolean", parameters of this type only accept booleans or numbers, use $true, $false, 1 or 0 instead.
      + CategoryInfo     : InvalidData: (:) [Set-OrganizationConfig], ParameterBindin...mationException
      + FullyQualifiedErrorId : ParameterArgumentTransformationError,Set-OrganizationConfig


    • Edited by Georgy Shamne Tuesday, July 13, 2010 12:20 PM New Information
    Tuesday, July 13, 2010 8:43 AM
  • As you can see from the ForeignForest attributes, they're empty (wanted to make sure). They're here for backwards compatibility with Exchange 2007, I assume (hence the Exchange 2007 groups, e.g. OrgAdmin, RecipientAdmin etc.).

    You use Linked Role Groups to manage permissions in the resource forest from the account forest (using universal Security groups/USGs) by connecting Exchange USGs (eg Role Groups) in the resource forest to USGs in the account forest.

    Now you already stated you were able to perform cmdlets from the EMS. Is that remotely, using a local PowerShell session, or using a PowerShell session on the Exchange server (or resource forest) after logging in with your account from the account forest? I'm also assuming you have put the account you're using in the proper USG (in the account forest, not in the resource forest .. just to be sure).


    Michel de Rooij,
    MCITP Ent.Msg | MCTS W2008, E2k7Conf | MCSE+Msg2k3 | MCSE+Inet2k3 | Prince2 Fnd | ITIL
    I blog on http://eightwone.wordpress.com/ and tweet on http://twitter.com/mderooij
    Tuesday, July 13, 2010 1:18 PM
  • My ForeignForest attributes are empty as well.

    I am able to perform cmdlets from the EMS on the Exchange server (domain1.local) after logging in with my account from the account forest (domain2.local). This user is a member of the proper USG in the account forest.

    Below is the output of the get-rolegroup "organization management - linked" EMS command for the Linked Role Group I'm trying to use:

    RunspaceId        : 9fd38d74-54c5-4897-ab3a-711a652ac3f5
    ManagedBy         : {domain1.local/OU/Cory Wood, domain1.local/Microsoft Exchange Security Groups/Organization Management}
    RoleAssignments   : {Active Directory Permissions-Organization Management - Linked, Address Lists-Organization Management - Linked, ApplicationImpersonation-Organization Management - Linked, Audit Logs-Organization Management - Linked, Cmdlet Extension Agents-Organization Management - Linked, Database Availability Groups-Organization Management - Linked, Database Copies-Organization Management - Linked, Databases-Organization Management - Linked, Disaster Recovery-Organization Management - Linked, Distribution Groups-Organization Management - Linked, Edge Subscriptions-Organization Management - Linked, E-Mail Address Policies-Organization Management - Linked, Exchange Connectors-Organization Management - Linked, Exchange Server Certificates-Organization Management - Linked, Exchange Servers-Organization Management - Linked, Exchange Virtual Directories-Organization Management - Linked...}
    Roles             : {Active Directory Permissions, Address Lists, ApplicationImpersonation, Audit Logs, Cmdlet Extension Agents, Database Availability Groups, Database Copies, Databases, Disaster Recovery, Distribution Groups, Edge Subscriptions, E-Mail Address Policies, Exchange Connectors, Exchange Server Certificates, Exchange Servers, Exchange Virtual Directories...}
    DisplayName       :
    Members           : {}
    SamAccountName    : Organization Management - Linked
    Description       :
    RoleGroupType     : Linked
    LinkedGroup       : DOMAIN2\Organization Management
    IsValid           : True
    ExchangeVersion   : 0.10 (14.0.100.0)
    Name              : Organization Management - Linked
    DistinguishedName : CN=Organization Management - Linked,OU=Microsoft Exchange Security Groups,DC=domain1,DC=local
    Identity          : domain1.local/Microsoft Exchange Security Groups/Organization Management - Linked
    Guid              : 7f492934-83e3-4b5b-81a6-b3858117b0e8
    ObjectCategory    : domain1.local/Configuration/Schema/Group
    ObjectClass       : {top, group}
    WhenChanged       : 6/18/2010 11:25:13 AM
    WhenCreated       : 6/18/2010 11:25:13 AM
    WhenChangedUTC    : 6/18/2010 4:25:13 PM
    WhenCreatedUTC    : 6/18/2010 4:25:13 PM
    OrganizationId    :
    OriginatingServer : dc1.domain1.local

    Tuesday, July 13, 2010 1:47 PM
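The two things Michel asks about above (is the role group really linked, and is the account-forest user actually in the linked USG) can be checked from the resource-forest Exchange server in one pass. This is an added diagnostic, not code from any poster; it assumes the Exchange Management Shell is loaded and uses placeholder values for the account forest FQDN and the user to check. Note that a linked role group is expected to show Members : {} in the resource forest; its effective membership is the LinkedGroup in the account forest.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the
# resource-forest Exchange server. For each linked role group it resolves the
# LinkedGroup USG in the account forest over the forest trust and reports whether
# the given account-forest user is a (recursive) member of it.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$accountForest = 'domain2.local'   # placeholder (assumption): account forest FQDN
$userToCheck   = 'username'        # placeholder (assumption): sAMAccountName in the account forest

$idType = [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName
# Bind to the account forest; the trust lets the resource-forest server query it
$ctx  = New-Object System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList Domain, $accountForest
$user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $idType, $userToCheck)
if (-not $user) { throw "User '$userToCheck' was not found in $accountForest" }

Get-RoleGroup | Where-Object { $_.RoleGroupType -eq 'Linked' } | ForEach-Object {
    $rg = $_
    # LinkedGroup renders as NETBIOS\Group (e.g. DOMAIN2\Organization Management);
    # only the group name is needed to look it up in the account forest
    $linkedName = ("$($rg.LinkedGroup)" -split '\\', 2)[-1]
    $group = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($ctx, $idType, $linkedName)

    $isMember = $false
    if ($group) {
        # Recursive membership (nested groups count); compare SIDs, not display names
        $isMember = [bool]($group.GetMembers($true) | Where-Object { $_.Sid -eq $user.Sid })
    }

    # Members on the resource-forest object is expected to be empty for a linked
    # role group; membership comes from LinkedGroup, so a non-zero count is suspicious
    $localMembers = 0
    if ($rg.Members) { $localMembers = $rg.Members.Count }

    New-Object PSObject -Property @{
        RoleGroup      = $rg.Name
        LinkedGroup    = "$($rg.LinkedGroup)"
        LinkedResolved = [bool]$group
        UserIsMember   = $isMember
        LocalMembers   = $localMembers
    }
} | Format-Table RoleGroup, LinkedGroup, LinkedResolved, UserIsMember, LocalMembers -AutoSize
```

A row with LinkedResolved = False means the resource forest cannot see the USG over the trust at all, while UserIsMember = False with LinkedResolved = True means the account simply is not in the linked group.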
  • Ok, how about appointing a configuration domain controller:

    http://technet.microsoft.com/en-us/library/aa998227.aspx


    Michel de Rooij,
    MCITP Ent.Msg 2007+2010| MCTS W2008, Ex2007+2010 Conf | MCSE+Msg2k3 | MCSE+Inet2k3 | Prince2 Fnd | ITIL
    I blog on http://eightwone.wordpress.com/ and tweet on http://twitter.com/mderooij
    Tuesday, July 13, 2010 2:45 PM
  • I just specified the PDC as the Configuration Domain Controller, but it made no difference.
    Tuesday, July 13, 2010 2:54 PM
  • Does anyone else have any other ideas? Does anyone else have Cross-Forest Administration working in Exchange 2010?
    Monday, August 23, 2010 8:56 PM
  • Thanks for posting this in the partner forums Niclas. It's really disappointing that this isn't scheduled to be fixed until SP2.
    Monday, August 30, 2010 1:28 PM