Whitepaper Free/Busy – Microsoft Federation and Cross-Forest Delegation


MICROSOFT FEDERATION AND CROSS-FOREST DELEGATION
Whitepaper Free/Busy
NETsec, 12 July 2016
NETsec GmbH & Co. KG, Schillingsstrasse 117, DE-52355 Düren

Contents

- Introduction
- Cross-Forest Delegation
- GALsync and Free/Busy
- General Troubleshooting
- Common Tools
- Deployment Guide
- Matrix - Overview
- Exchange 2003
- Exchange On Premise - Exchange On Premise
- Exchange On Premise - Office 365
- Office 365 - Office 365
- Microsoft Federation
- How to Configure Exchange 2010 SP1 Federation
- Deep dive into rich coexistence between Exchange Forests
- Managing Federated Sharing with the EAC
- Sharing in Exchange Online
- Understanding Federation (Exchange 2010)
- The Hybrid Free Busy Troubleshooter Now Available
- Sharing
- Exchange Federation
- Troubleshooting Federated Sharing
- Configure Free/Busy Sharing Between Exchange Organizations
- Cross-Forest Delegation
- Technical Modules
- Readiness Analyzer
- Environment
- Description
- Screenshots
- *** Troubleshooting Checklist ***
- Required Permissions
- Administrative Permissions
- Default Calendar permissions
- Connecting
- General Name Resolution
- Exchange SMTP Connectors
- Autodiscover Name Resolution
- Certificates
- Create Certificates
- Bind Certificates
- Trust Certificates
- Screenshots
- Web Services
- Description
- Screenshots
- *** Troubleshooting Checklist ***
- Synchronize with GALsync
- Description
- *** Troubleshooting Checklist ***
- Cross-Forest Delegation
- GALsync specification
- Domain Trust
- AvailabilityAddressSpace
- Microsoft Federation / Federated Sharing
- Final Result
- HowTo
- Screenshots
- Troubleshooting
- Help
- Description
- Tools
- Appendix
- querySchema.ps1
- Free/Busy and Shared Namespace
- Document tags

Introduction

Microsoft Federation / Federated Sharing

This technique uses the Microsoft Federation Gateway, a free cloud-based service, as the trust broker between two federated organizations. To enable federated sharing, each organization must establish a one-time federation trust with the Microsoft Federation Gateway and configure either an organization relationship or sharing policies with each other.

Cross-Forest Delegation

If you use this technology, your people can see free/busy information of another Exchange organization. Additionally, your people can manage calendars of people in the other organization in the same way they use delegated calendars internally. In that case you need a domain trust between the Active Directory domains.

Technically, quite a range of TCP/IP ports is required for communication between the organizations; see the chapter "Ports Required for Trusts" in "Domain and Forest Trust Tools and Settings" (/Cc756944(v=ws.10).aspx).

GALsync and Free/Busy

From Exchange 2003 to Exchange 2010 you could use system public folders for a free/busy query. We implemented this architecture in GALsync up to version 4*.

Since Exchange 2007, the Exchange Availability Service (a web service) is used natively for Free/Busy queries. Since Exchange 2013 and Exchange Online, there are no system public folders for Free/Busy information available anymore.

Since version 5, GALsync supports Microsoft Federation and Cross-Forest Delegation.

* Microsoft stopped supporting Exchange 2003 on the 8th April 2014. As much as we would like to keep compatibility up for all versions, we cannot support an environment which is no longer supported by the manufacturer himself. Starting on the deprecation of Exchange 2003, GALsync 4 will be completely replaced by the current version of GALsync.

General Troubleshooting

Common Tools

These are some additional tools and resources for diagnosing issues with Free/Busy:

- Hybrid Environment Free/busy: survey.aspx?scid=sw%3ben%3b3526&showpage=1
- Remote Connectivity Analyzer: https://testconnectivity.microsoft.com/
- Outlook Connectivity Guided …: vey.aspx?scid=sw;en;3601&showpage=1
- The Microsoft Online Services Diagnostics and Logging (MOSDAL) Support …: s.aspx?id=626
- Office 365 Video: Troubleshooting Issues with Free/Busy Information in Office Outlook Clients for Office 365

Deployment Guide

Matrix - Overview

For each combination of source organization (row) and target organization (column), the matrix gives the technique used to get Free/Busy information and the GALsync version needed to synchronize the directories.

| Source Org \ Target Org | Exchange 2003 | Exchange 2007 | Exchange 2010 | Exchange 2013 | Exchange Online |
| --- | --- | --- | --- | --- | --- |
| Exchange 2003 | Public folders 2, GALsync v4 1 | Public folders 2, GALsync v4 1 | Public folders 2, GALsync v4 1 | Not supported, GALsync v4 | Not supported, GALsync v4 |
| Exchange 2007 | Public folders 2, GALsync v4 1 | Microsoft Federation or Cross-Forest Delegation, GALsync v7 | Microsoft Federation or Cross-Forest Delegation, GALsync v7 | Microsoft Federation or Cross-Forest Delegation, GALsync v7 | Microsoft Federation, GALsync v7 |
| Exchange 2010 | Public folders 2, GALsync v4 1 | Microsoft Federation or Cross-Forest Delegation, GALsync v7 | Microsoft Federation or Cross-Forest Delegation, GALsync v7 | Microsoft Federation or Cross-Forest Delegation, GALsync v7 | Microsoft Federation, GALsync v7 |
| Exchange 2013 | Not supported | Microsoft Federation or Cross-Forest Delegation, GALsync v7 | Microsoft Federation or Cross-Forest Delegation, GALsync v7 | Microsoft Federation or Cross-Forest Delegation, GALsync v7 | Microsoft Federation, GALsync v7 |
| Exchange Online | Not supported | Microsoft Federation, GALsync v7 | Microsoft Federation, GALsync v7 | Microsoft Federation, GALsync v7 | Microsoft Federation, GALsync v7 |

Legend:
1 GALsync v4* provides an optional feature which copies all free/busy information from the Exchange Public Folder store.
2 Public Folder technology of Exchange 2003.

Exchange 2003

Scenarios with dedicated Exchange 2003 environments are not covered in this Whitepaper.

If you use Exchange 2003 (or Exchange 2007) combined with Exchange 2010 SP1, the Exchange 2010 SP1 mailbox server must host a Public Folder database and is the ONLY replica server for the Free/Busy folder.

- Cross Org Availability using Federation Trust and …: hip.aspx
- Free/Busy sharing between Exchange 2003 and Exchange …: s/library/hh310374(v=exchg.141).aspx
- Understanding Shared Free/Busy in Exchange 2003 Hybrid Deployments: ry/hh779664(v=exchg.141).aspx

Exchange On Premise - Exchange On Premise

On-premise environments with Exchange 2007, 2010, 2013 or 2016 can use Microsoft Federation or, if the on-premise environments have a trust, they can use Cross-Forest Delegation.

Exchange On Premise - Office 365

Microsoft Federation enables sharing free/busy information in a hybrid deployment.

Office 365 - Office 365

Microsoft Federation enables sharing free/busy information between Office 365 tenants.

Microsoft Federation

You can use NETSEC GALSYNC to provide contacts with Directory Synchronization and use MICROSOFT FEDERATION to get Free/Busy information.

Here are some great articles on how to configure MICROSOFT FEDERATION:

- How to Configure Exchange 2010 SP1 Federation: …igure-exchange-2010sp1.html
- Deep dive into rich coexistence between Exchange Forests: Henrik Walter has written a great post. Although he describes MICROSOFT FIM and the MICROSOFT DIRSYNC tool, you may read this article and simply replace MICROSOFT FIM with NETSEC …: part1.html
- Managing Federated Sharing with the EAC
- Sharing in Exchange Online: j916670(v=exchg.150).aspx
- Understanding Federation (Exchange 2010): 335047(v=exchg.141).aspx
- The Hybrid Free Busy Troubleshooter Now Available: …ow-available.aspx

- Sharing: dd638083(v=exchg.150).aspx
- Exchange Federation: Johan Veldhuis describes how to set up a Federation (…ation-deel-ii/) and how to do Troubleshooting Federated Sharing (…federared-sharing/).
- Configure Free/Busy Sharing Between Exchange Organizations: ry/hh310374(v=exchg.141).aspx

Cross-Forest Delegation

Technical Modules

This chapter provides you with more details on the different requirements.

Readiness Analyzer

In a first step you should validate whether your environments are ready. Simply follow these questions:

General
- Do the Exchange and Domain Controller event logs indicate any critical errors?
- Does the Exchange Best Practice Analyzer indicate any critical errors?
- Does dcdiag on the domain controllers indicate any critical errors?

Network
- Are you able to nslookup the local and remote environment from both sides?
- Are you able to nslookup autodiscover.<remote SMTP domain>?
- Are you able to send SMTP messages between the different environments?

Webservices
- Can you connect to the Autodiscover service by using the E-mail AutoConfiguration tool in Outlook?

Certificates
- Can you run test-outlookwebservice using a local account without errors?
- Can you run test-outlookwebservice using a remote account without errors?
- Does your environment, i.e. the CAS servers, trust the root certificate of the remote forest?

GALsync
- Can you synchronize objects from the source environment to the remote forest?
- Are the objects created as contacts there?
- Can Outlook / OWA clients in the remote forest see the synchronized objects in the GAL?

Availability
- Did you configure AvailabilityAddressSpace and AvailabilityConfig correctly?

Environment

Description

In this step you collect some information about your own and your partner's environment. Please note:

- Name of the forest
- Name of the domains in the forest
- Name of sites
- Name of Domain Controllers and Global Catalogs
- Version of the Active Directory Schema
- Names of all Exchange CAS Servers
- Exchange Server versions (see possible values in the appendix or run the PS script querySchema.ps1)
- Local firewall rules on the Exchange servers

Get-ExchangeServer | fl name, edition, admindisplayversion, serverrole, site

Screenshots

Screenshots: 2007a, 2010a, 2010b, 2013a
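The following script is an added example, not the whitepaper's querySchema.ps1 or any NETsec code: it collects the facts listed above (forest, domains, sites, DCs and GCs, AD and Exchange schema versions, Exchange servers) read-only, from an Exchange Management Shell with Active Directory access. The function name Get-FreeBusyEnvironmentInfo is an assumption.

```powershell
# Added example (not from the whitepaper): read-only inventory for the Environment step.
# Run in the Exchange Management Shell as an account allowed to read the AD
# configuration and schema partitions; nothing is changed.
function Get-FreeBusyEnvironmentInfo {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $schemaNc = $rootDse.schemaNamingContext.Value

    # Active Directory schema version: objectVersion of the Schema container
    $adSchema = [ADSI]"LDAP://$schemaNc"
    # Exchange schema version: rangeUpper of ms-Exch-Schema-Version-Pt (values: see appendix)
    $exSchema = [ADSI]"LDAP://CN=ms-Exch-Schema-Version-Pt,$schemaNc"

    # Same fields as the whitepaper's Get-ExchangeServer one-liner
    $servers = Get-ExchangeServer |
        Select-Object Name, Edition, AdminDisplayVersion, ServerRole, Site

    [pscustomobject]@{
        ForestName            = $forest.Name
        Domains               = ($forest.Domains | ForEach-Object Name) -join ', '
        Sites                 = ($forest.Sites | ForEach-Object Name) -join ', '
        DomainControllers     = ($forest.Domains | ForEach-Object { $_.DomainControllers } |
                                 ForEach-Object Name) -join ', '
        GlobalCatalogs        = ($forest.GlobalCatalogs | ForEach-Object Name) -join ', '
        AdSchemaVersion       = [int]$adSchema.objectVersion.Value
        ExchangeSchemaVersion = [int]$exSchema.rangeUpper.Value
        # Servers holding the ClientAccess role (Exchange 2016 reports only "Mailbox",
        # so use the full ExchangeServers list there)
        CasServers            = ($servers | Where-Object { $_.ServerRole -match 'ClientAccess' } |
                                 ForEach-Object Name) -join ', '
        ExchangeServers       = $servers
    }
}

$info = Get-FreeBusyEnvironmentInfo
$info | Select-Object * -ExcludeProperty ExchangeServers | Format-List
$info.ExchangeServers | Format-Table -AutoSize
```

Run it in both forests and keep the two outputs side by side; the schema versions tell you which Exchange versions you are actually pairing before you pick a technique from the matrix.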

*** Troubleshooting Checklist ***

- Does dcdiag on your DCs or does the Exchange Best Practice Analyzer (exbpa) on your Exchange servers indicate any errors which could be related to your issue?
- Are the clients in both forests able to get free/busy information of other clients in the same domain?
- Are the clients in both forests able to send mails to clients in the remote domain by inserting their SMTP address into the TO: field of the message?
- Are all required ports open? Read the article "Exchange, Firewalls, and …" (y.aspx).

Required Permissions

Administrative Permissions

You must be prepared to run some of the steps as a user with sufficient privileges. Some configurations you have to make require an account which is a member of the Exchange Organization Management and/or Active Directory Domain Administrators group. Please note the account you want to use.

Default Calendar permissions

Check the Default Calendar permissions for the mailbox(es) you would like to view Free/Busy information for: click on Calendar > Properties > Permissions. The permissions should be set to Free/Busy time for it to be displayed.

Connecting

General Name Resolution

Description

You must have name resolution working so that the Exchange servers know where to get information from. Your environment must be able to get a path to your partner's domain. Usually this is implemented in your own internal DNS server as a conditional forwarder (if you use an internal test environment) or it is configured in the public DNS of your partner.

If you use an internal Test-LAB

To configure a DNS server to use forwarders using the Windows interface (Windows 2003):

1. Open DNS Manager.
2. In the console tree, click the applicable DNS server.
3. On the Action menu, click Properties.
4. On the Forwarders tab, under DNS domain, click a domain name.
5. Under Selected domain's forwarder IP address list, type the IP address of a forwarder, and then click Add.

To configure a DNS server to use forwarders using the Windows interface (Windows 2008):

1. Open DNS Manager.
2. In the console tree, click the applicable DNS server, then select the node Conditional Forwarders.
3. Right-click the node and select New Conditional Forwarder.
4. Follow the wizard.

Check by:

C:\> nslookup partnersdomain

If your organizations are connected by internet

Your CAS servers (respectively the ISA/TMG which publishes the Web Services) must be able to resolve public DNS records of your partner's organization.

Check by:

nslookup partnersdomain

Note: If name resolution against your partner's site is not possible, you have to solve this issue before continuing.

Screenshot: 2013a

*** Troubleshooting Checklist ***

- Can you resolve the internal names of the Domains? Run DCDiag /test:DNS /e /v
- Can you resolve the externally published names of the Domains?
- Can you resolve the externally published MX records of the Domains?
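As an added example (not part of the whitepaper), the checklist above and the Network questions of the Readiness Analyzer scripted in PowerShell: it resolves the partner zone, autodiscover.<partner SMTP domain> and the MX records, and tests the TCP ports behind them. partner.example is a placeholder and the function name Test-PartnerNameResolution is an assumption.

```powershell
# Added example (not from the whitepaper): name-resolution readiness check for a partner
# organization. Assumed placeholder: partner.example is the partner's primary SMTP domain.
param([string]$PartnerSmtpDomain = 'partner.example')

function Test-PartnerNameResolution {
    param([Parameter(Mandatory = $true)][string]$Domain)
    $r = [ordered]@{ Domain = $Domain }

    # 1. Is the partner zone reachable at all (conditional forwarder or public DNS)?
    try {
        $soa = Resolve-DnsName -Name $Domain -Type SOA -ErrorAction Stop |
               Where-Object { $_.PrimaryServer }
        $r['ZoneSoa'] = ($soa | ForEach-Object PrimaryServer) -join ','
    } catch { $r['ZoneSoa'] = "FAILED: $($_.Exception.Message)" }

    # 2. autodiscover.<SMTP domain> is the name the remote side is looked up by
    $adHost = "autodiscover.$Domain"
    try {
        $ad = Resolve-DnsName -Name $adHost -ErrorAction Stop | Where-Object { $_.IPAddress }
        $r['AutodiscoverA'] = ($ad | ForEach-Object IPAddress) -join ','
        # Autodiscover is published over HTTPS, so also verify that TCP 443 is reachable
        $r['Autodiscover443'] = (Test-NetConnection -ComputerName $adHost -Port 443 `
                                  -WarningAction SilentlyContinue).TcpTestSucceeded
    } catch { $r['AutodiscoverA'] = "FAILED: $($_.Exception.Message)" }

    # 3. MX records: SMTP messages to the partner must route; probe the preferred MX on TCP 25
    try {
        $mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
              Where-Object { $_.NameExchange } | Sort-Object Preference
        $r['MX'] = ($mx | ForEach-Object NameExchange) -join ','
        if ($mx) {
            $r['Mx25'] = (Test-NetConnection -ComputerName $mx[0].NameExchange -Port 25 `
                           -WarningAction SilentlyContinue).TcpTestSucceeded
        }
    } catch { $r['MX'] = "FAILED: $($_.Exception.Message)" }

    [pscustomobject]$r
}

# Run this from your CAS servers and ask the partner to run it against your domain,
# so both directions are verified before the Send Connectors are configured
Test-PartnerNameResolution -Domain $PartnerSmtpDomain | Format-List
```

A FAILED value in ZoneSoa means the forwarder or public DNS path is missing; a false in Autodiscover443 or Mx25 with a good A record points at a firewall rule rather than DNS.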

Exchange SMTP Connectors

You must have all appropriate Send Connectors and Accepted Domains in place. Exchange CAS servers must have a route to send SMTP messages to the partner's organization. Like you configure DNS Forwarding or public DNS on the TCP/IP level, you configure Send Connectors
