Tag Archive for: Resource Forest

Using a Dedicated Exchange Forest (Resource Forest)

Priasoft Migration Suite for Exchange (PMSE)

Often, setting up a separate Active Directory forest that is dedicated to running Exchange is a better solution than integrating the Exchange application into your production Active Directory security forest.

The Exchange forest (also known as the resource forest) is dedicated to running Exchange and hosting mailboxes. User accounts are contained in one or more forests, referred to as the account forests, which are separate from the resource forest. Using this model, updates and changes to Exchange can be made without affecting the production user account forests.

See Example Image

How it works:

The user from the account forest (where logons occur) is associated with a mailbox attached to a disabled placeholder user in the resource forest. This allows users to access mailboxes that reside in the Exchange resource forest.

The resource forest model is nearly identical to what is provided by Office 365’s Exchange Online, only with more control and easier configuration and setup.  There are 3 ways a user would access the mailbox in the resource forest:

  • Without a Windows Trust:  Users would be prompted for credentials by Outlook and other clients.  There is not a built-in Single-Sign-On feature without a Trust.
  • With a Windows Trust Using ‘Linked Mailboxes’:  Users are not prompted for credentials and the mailbox account in the resource forest is marked with the SID of the logon user in the account forest.
  • With a Windows Trust Using ‘SID Future’:  Users are not prompted for credentials and the SID of the resource forest account is copied to the user in the account forest as an additional SID.

Note that setting up a Resource Forest does NOT mean that the same level of complexity must be created with regards to Active Directory Domain Controllers and AD Sites.  In this scenario, AD plays a supporting role to Exchange and its primary purpose is to provide the address book (by way of the Global Catalog).  As such, one (or more likely two, for redundancy) Domain Controller is all that is required, even if there is a need for many Exchange servers.  This means that the setup and deployment of a resource forest is quick and not as costly as may have initially been imagined.  The DCs in this Resource Forest are not processing logons, logon scripts, and the myriad of other actions and services that a DC normally provides.

A few key Benefits:

  • A dedicated security boundary between Active Directory and Exchange administration.
  • Features of new platform are realized immediately compared to a ‘mixed-mode’ setup where some key features are always disabled during the while 2 versions run concurrently.
  • You can move to new versions of Exchange, like Exchange 2010, 2013, 2016, without polluting, corrupting, or disrupting your existing production Exchange implementation
  • Eliminates risk to your existing Exchange implementation
    • There are important risks to consider by adding a newer version of exchange to an existing one such as:
    • …the newer version will try to take control of many actions, like inbound mail flow, transport rules, and other system level operational tasks.
    • …the newer version may enforce attributes on users that are incompatible, but which the current deployment does not
    • …the newer version cannot be fully tested and made “production-ready” without interfering with the current environment
    • …once the AD Schema is extended to support the new version, there is no ability to reverse the changes
    • …Public Folder databases/mailboxes may not sync to newer versions.  For example, there is NO REPLICATION between Exchange 2013 PFs and older versions of exchange.  If the PF deployment is very large, users may be without PF data for days or weeks after the mailbox migration.
  • If a need arises during setup or testing of the Resource Forest to re-architect the environment, such can be done with no impact to the current environment.
  • If you merge with another entity it’s simply a matter of creating a trust with the new accounts forest and not having to disrupt the exchange organization
  • If you divest part of your business entity’s its much simpler to break off the Exchange resources without giving away sensitive security objects that would be part of the User Domains.
  • Schema modifications needed for Exchange are isolated to just the Exchange forest and do not need to be implement in the Accounts forest
  • Less stress on Global Catalogs and directory replication in the user accounts forest as all this traffic can remain in the Exchange resource forest
  • Patches and updates that are not Exchange related, do not have to be installed in the Exchange forest.  This adds a level of stability that is unavailable in a mixed AD/Exchange forest.
  • AD container and OU structure can be designed with Exchange Administration in mind and does not have to follow complex architecture of a user forest You can manage users and groups in a way the makes sense for Exchange and not be dependent on how users in the account forest are managed – imagine having a container structure where Executive and Large mailboxes were separated from contractors and simple “mail-consumers”.
  • Distribution lists are not co-mingled with security groups because of separate forests.  DLs in the Exchange forest can be guaranteed to only provide access to exchange resources.

A few “reported” detractors to the Resource Forest (but not really)

  • More admin work
    • This is one of the first proposed “negatives” of a Resource Forest.  However, it’s a bit of a fallacy.  While it is true, at a technical level, that 2 object have to be created and configured when a new user is hired, there is plenty of ability to script such actions into a single atomic event.  Powershell, available since Exchange 2007 makes such work trivial now.
    • Compared to the many advantages and the infrequency (in most organizations…but not all) of new hires/terminations, the Resource Forest should still be considered.
  • Password Sync
    • This is reported from time to time, but really only by those that don’t truly understand the model.  There are 2 options listed above to provide single-sign-on, which inherently means that passwords do not need to sync.

Prerequisites

  • Two Active Directory forests:
    • One forest contains the user accounts for your organization. In this procedure, this forest is called the accounts forest.
    • One forest does not contain user accounts and does not yet have Exchange installed. In this procedure, this forest is called the Exchange Forest or Resource Forest. You will use the procedure to install Exchange in this forest.
  • You have correctly configured Domain Name System (DNS) for name resolution across forests in your organization. To check that you have DNS configured correctly, ping each forest from the other forest or forests in your organization. 

For more detailed information on deploying an Exchange resource forest see the following:

Exchange 2010 resource forest

Exchange 2007 resource forest

Exchange 2003 resource forest

Issues to be considered while thinking about moving mailboxes to Exchange 2010 using the Microsoft native tools

Priasoft Migration Suite for Exchange (PMSE)

Below is a table of the issues to be considered while thinking about moving mailboxes using the Microsoft native tools in both the ‘upgrade’ and ‘deployment’ scenarios supported by Microsoft.

Note: If you’re using the Priasoft Migration Suite for Exchange this article does not apply to you.

Exchange 2003 To 2010

  • You need to use “move request” cmdlets in 2010 shell to move the mailboxes.
  • Move requests are performed by the Microsoft Exchange Mailbox Replication Service (MRS) that runs on all Client Access servers (CAS). Therefore, CAS servers are busy moving mailboxes and not servicing clients’ requests.
  • If you implement Exchange 2010 as an upgrade, some features of Exchange 2010 will not be available until the migration is completed and the organization in moved to a native mode state.
  • You must never try to manage a 2010 mailbox using a 2003 management tool or snap in
  • You can’t use 2003 System Manager.
  • You must be careful to use a split administration model while co-existing to not cause problems with migrated objects.
  • The mailbox move is offline, which means that the users can’t access the emails while it is moved.
  • No roll-back support – If something goes wrong you may need to go back to tape to restore the mailbox
  • No support for native tools – if they don’t work they don’t work.
  • No Outlook client profile automation for migrated mailboxes. No automatic enabling of RPC encryption for Outlook 2003 based clients. You will need to do them manually or you will need to disable RPC encryption on Exchange 2010 (not recommended)
  • No Public Folder migration tools
  • No distribution group migration tools
  • You can’t move mailboxes if running Exchange 2003 SP1 or earlier, you must update all servers to 2003 SP2+
  • You can’t perform message tracking configuration tasks between Exchange 2010 and Exchange 2003
  • You must use Exchange 2003 messaging tracking tools within your Exchange 2003 organization, and Exchange 2010 messaging tracking tools within your Exchange 2010
  • Side-by-side management for Exchange Server 2003 and Exchange 2010 management tools isn’t supported, because Exchange Server 2003 management tools can only be run on 32-bit machines
  • In order to do Cross-forest move requests must create mail-enabled users with the required attributes in the target forest or it won’t work
  • Depending on the scenario you just may be able to preserve mailbox folder delegates and send-on behalf of delegates
  • If upgrading, you must run the setup /PrepareLegacyExchangePermissions command so that the Exchange 2003 Recipient Update Service functions correctly
  • If upgrading, you are required to update the Active Directory schema for Exchange Server 2010
  • If upgrading, you must Upgrade Custom LDAP Filters to OPATH Filters

Exchange 2007 To 2010

  • You can use 2010 console or “move request” cmdlets in 2010 shell to move the mailboxes.
  • If you implement Exchange 2010 in mixed mode, some features of Exchange 2010 will not be available until the migration is completed and the organization in moved to a native mode state.
  • Move requests are performed by the Microsoft Exchange Mailbox Replication Service (MRS) that runs on all Client Access servers (CAS). Therefore, CAS servers are busy moving mailboxes and not servicing clients’ requests.
  • You can’t use “move-mailbox” cmdlet in 2007 shell.
  • No roll-back support – If something goes wrong you may need to go back to tape to restore the mailbox
  • No support for native tools – if they don’t work they don’t work.
  • The mailbox move is online, which means that the users can be online while the move happens.
  • You can’t move mailboxes from 2007 SP1 or earlier, the source should run 2007 SP2+
  • Exchange 2007 Mailbox databases can’t be managed from the EMC in Exchange 2010
  • No Public Folder migration tools
  • No distribution group migration tools
  • No Outlook client profile automation for migrated mailboxes. No automatic enabling of RPC encryption for Outlook 2003 based clients. You will need to do them manually or you will need to disable RPC encryption on Exchange 2010 (not recommended)
  • The EMC in Exchange 2010 can’t manage Exchange 2007 mobile devices
  • Exchange 2007 Mailbox databases can’t be managed from the EMC in Exchange 2010
  • You can’t use message tracking configuration tasks between Exchange 2010 and Exchange 2007
  • You must use Exchange 2007 messaging tracking tools within your Exchange 2007 servers, and Exchange 2010 messaging tracking tools within your Exchange 2010 servers.
  • Exchange 2010 and Exchange 2007 servers can only be viewed from their corresponding version of the EMC
  • In order to schedule Cross-forest move requests must create mail-enabled users with the required attributes in the target forest or it won’t work
  • If upgrading, you are required to update the Active Directory schema for Exchange Server 2010
  • Depending on the scenario you just may be able to preserve mailbox folder delegates and send-on behalf of delegates

Exchange 5.5 And 2000 To 2010

  • Not supported by Exchange 2010 native tools
  • If you want to move to Exchange 2010 using native tools from Exchange 5.5 you must first migrate to Exchange 2003/2007 then to Exchange 2010
  • If you want to move to Exchange 2010 using native tools from Exchange 2000 you must first migrate to Exchange 2003/2007 then to Exchange 2010

In short, it’s not as simple as tossing in a CD. Can it be done? Sure, would we want to do it? Nope.

We highly recommend you consider the resource forest model for Exchange 2010 to avoid trying to mix the old with the new. This model, in our opinion, allows the most flexibility during migration, allows you to build your Exchange organization to your needs, and provides benefits well into the future. It also helps to reduce risk. Something we all like!

This is not a complete list of issues nor should it be used as a roadmap to moving to Exchange 2010. We are providing this simply as a comparison and we do not take any responsibility whatsoever for the information contained. You are encouraged to do your own due diligence and research.