-
Title
How to enable the Exchange Resource Forest Management solution. -
Description
How to enable the Exchange Resource Forest Management solution. -
Cause
Exchange Resource Forest Management requires Exchange 2007 or later to be deployed in the Exchange forest.Exchange Server should not be installed in the accounts forests. The Active Directory schema in the accountsforests does not need to be extended with the Exchange Server attributes.A trust between the Exchange forest and the accounts forest must be set up before you can use ExchangeResource Forest Management. At a minimum, an outgoing trust must be set up so that the Exchange forest truststhe accounts forest. -
Resolution
The following Active Roles components must be installed in your Active Directory environment:• Administration Service• Web Interface• Active Roles consoleYou can install these components on member servers in an accounts forest or in the Exchange forest. For installation instructions, see the Active Roles Quick Start Guide.Exchange 2007 requirements
To operate in an Exchange 2007 organization, Active Roles requires the following configuration:• The Administration Service installed on a member server in the Exchange forest.• Exchange 2007 Management Tools installed on the computer running the Administration Service.
Log on as Active Roles Admin
To configure Exchange Resource Forest Management, log on as Active Roles Admin. This ensures that you have sufficient rights to make the necessary configuration changes. Assuming the default configuration of the Active Roles Administration Service, you should log on with a domain user account that is a member of the Administrators group on the computer running the Administration Service.
Register domains with Active Roles
Exchange Resource Forest Management requires the following domains to be registered with Active Roles:
• In the Exchange forest, a domain that hold computers running the Mailbox server role
• In each accounts forest, the domains that hold the users you want to administer with Active Roles
When registering a domain, you are prompted to choose which account you want the Administration Service to
use to access the domain. You can either specify a so-called override account or let the Administration Service
use its service account. With either option, the account must have sufficient rights in the domain you are
registering. At a minimum, the account must have the following rights:
• Member of the Account Operators domain security group
• In case of Exchange 2007, member of the Exchange Recipient Administrator role in the Exchange forest
(see “Access to Exchange Server/Exchange 2007” in the Active Roles Quick Start Guide)
• In case of Exchange 2010 or 2013, member of the Recipient Management role group in the Exchange
forest (see “Access to Exchange Server/Exchange 2010” or “Access to Exchange Server/Exchange 2010”
in the Active Roles Quick Start Guide), and enabled for remote Exchange Management Shell (see
“Support for remote Exchange Management Shell” in the Active Roles Quick Start Guide)
• In the Exchange forest, read access to Exchange configuration data (see “Permission to read Exchange
configuration data” in the Active Roles Quick Start Guide).Applying the Policy Object
Active Roles provides a built-in Policy Object containing the mailbox management policy for Exchange resource
forest topology. To enable Exchange Resource Forest Management, you need to:
• Link that Policy Object to the appropriate containers in the accounts forest. These are the containers
that hold the user accounts you want to administer using Exchange Resource Forest Management.
• Optionally, view or change policy settings.To link the Policy Object to an organizational unit or domain
1 In the Active Roles console tree, select Configuration | Policies | Administration | Builtin.
2 In the details pane, right-click the Built-in Policy - ERFM - Mailbox Management Policy Object, and then
click Policy Scope.
3 In the dialog box that appears, click Add, and then select the desired organizational unit or domain in
the accounts forest.Out of the box, the Policy Object has all policy settings configured. You can use the Active Roles console to view
or change policy settings as needed.To view or change policy settings
1 Double-click the Built-in Policy - ERFM - Mailbox Management Policy Object.
2 In the Properties dialog box that appears, go to the Policies tab, and double-click the entry in the list of
policies.
3 In the Properties dialog box that appears, do any of the following:
• On the Shadow Account tab, view or change the container and default description for new
shadow accounts.
• On the Master Account tab, view or change the attribute to store a reference to shadow account.
• On the Synced tab, view or change the list of synchronized properties.
• On the Substituted tab, configure your custom list of substituted properties in addition to the
default list.
• On the Back-synced tab, view or change the list of back-synchronized properties.Note: ARS schedule task "ERFM - Mailbox Management" can be used to automate this operation. Any existing Exchange linked mailbox within scope will be synced and back-synced everytime policy "ERFM - Mailbox Management" is applied.