Exchange Server 2007: Cross Forest Exchange Impersonation

Based on the feedback on post Cross Forest Exchange Impersonation in Exchange 2007 Service Pack 1, I wanted to provide you with some "real life" examples to help you actually implement this.

To dig into cross forest Exchange Impersonation a little more, we will use two approaches.  The first is the "easy" one, in which we create a linked mailbox in the Exchange forest to represent the Service Account.  The second is the "almost as easy, but not quite so" in which we manually create and link a cross forest contact in the Exchange forest to represent the Service Account.

Linked Mailbox

Given that our Exchange resource forest and our user forest have a trust relationship established, it seems reasonable that a request against an Exchange CAS box using a user account from the user forest will work.  However, as indicated in the previous blog post, EWS expects there to be some sort of AD object in the resource forest to represent the cross forest account, and unfortunately, a foreign security principal is not enough.  So, we will use the new-mailbox PowerShell Cmdlet to create a linked mailbox, which creates a mailbox in the Exchange forest that is "linked" back to the Service Account in the user forest.

First, we need to get the credentials of an account that has rights to read directory information from the user domain.  The LinkedCredential parameter of new-mailbox expects a PSCredential instance.  We can create these credentials as follows:

$pass = read-host -AsSecureString
$creds = new-object -typename System.Management.Automation.PSCredential -argumentlist "YourUserDomain\ServiceAccount",$pass

The first line will allow you to type in a password in the shell which will be masked with password masking characters.  The resulting secure string will then be stored in $pass.  The next line creates an instance of the PSCredential class using the domain\username and the obtained password.

With this information you can call new-mailbox as follows:

new-mailbox -Name "ServiceAccount" -Database "Your Mailbox Database" -LinkedMasterAccount YourUserDomain\ServiceAccount -LinkedDomainController yourDC.userdomain.contoso.com -LinkedCredential $creds -UserPrincipalName serviceAccount@userdomain.contoso.com

Name is just the name of the user account that will be created in the Exchange resource forest.  This does not have to be the same as the name of the account in the user forest[…]
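The two steps above put together as one script, with a check afterwards that the mailbox really is linked to the user forest account before any impersonation rights are granted to it. This is an added example, not code from the original post; the domain, database and domain controller names are placeholders, and the property names are those shown by the Exchange 2007 Get-Mailbox and Get-User cmdlets.

```powershell
# Run in the Exchange Management Shell in the Exchange (resource) forest.
# Placeholder names: USERDOM = user forest domain, dc01.userdom.contoso.com = a DC there.

# Credentials with read access to the user forest; prompted for, never written into the script.
$linkedCreds = Get-Credential -Credential "USERDOM\ServiceAccount"

$upn    = "serviceaccount@userdom.contoso.com"
$master = "USERDOM\ServiceAccount"

# New-Mailbox is not idempotent, so only create the linked mailbox if it is not there yet.
$existing = Get-Mailbox -Identity $upn -ErrorAction SilentlyContinue
if ($existing -eq $null) {
    New-Mailbox -Name "ServiceAccount" `
        -Database "Your Mailbox Database" `
        -LinkedMasterAccount $master `
        -LinkedDomainController "dc01.userdom.contoso.com" `
        -LinkedCredential $linkedCreds `
        -UserPrincipalName $upn `
        -ErrorAction Stop | Out-Null
}

# Verify the result before handing this account any impersonation permissions.
$mbx  = Get-Mailbox -Identity $upn -ErrorAction Stop
$user = Get-User    -Identity $upn -ErrorAction Stop

# 1. It must be a linked mailbox, not a plain user mailbox in the resource forest.
if ($mbx.RecipientTypeDetails -ne "LinkedMailbox") {
    throw "Expected a LinkedMailbox, got '$($mbx.RecipientTypeDetails)'"
}

# 2. The link must point at the user forest account. If the name cannot be resolved
#    across the trust, the cmdlet shows the SID instead of DOMAIN\name, so warn rather than fail.
if ([string]::IsNullOrEmpty($mbx.LinkedMasterAccount)) {
    throw "Mailbox $upn has no LinkedMasterAccount; EWS will not accept it as the cross forest identity"
}
if ($mbx.LinkedMasterAccount -ne $master) {
    Write-Warning "LinkedMasterAccount is '$($mbx.LinkedMasterAccount)', expected '$master' (SID shown if the name did not resolve)"
}

# 3. The account created in the resource forest is only a placeholder and should stay disabled;
#    an enabled copy would be a second logon path for the same service identity.
if ($user.UserAccountControl -notmatch "AccountDisabled") {
    Write-Warning "Resource forest account $($user.SamAccountName) is enabled; disable it"
}

"Linked mailbox OK: $($mbx.Alias) -> $($mbx.LinkedMasterAccount)"
```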
