Chat now with support
Chat with Support

Active Roles 7.5 - Solutions Guide

Active Roles Solutions Overview ERFM Solution Overview Configuration Transfer Wizard overview Understanding SPML Provider Skype for Business Solution Overview
Introducing Skype for Business Server User Management Supported Active Directory topologies User Management policy Master Account Management policy Access Templates for Lync Server Deploying the Solution Managing Skype for Business Server Users
Management Pack for SCOM

Technical description

Exchange Resource Forest Management extends the mailbox management capabilities of Active Roles in the case of resource forest topology. This topology option assumes that you have:

  • At least one Active Directory forest containing logon-enabled user accounts for your organization, referred to as an accounts forest. The accounts forest does not have Exchange Server installed, nor does it need to have the Active Directory schema extended with the Exchange Server attributes.
  • An Active Directory forest with Exchange Server, referred to as the Exchange forest, to hold mailboxes for user accounts from the accounts forest.
  • Trust relationships configured so that the Exchange forest trusts the accounts forest.

With Exchange Resource Forest Management, you can use Active Roles to:

  • Create a mailbox for a user account from the accounts forest.

    You can create a mailbox when creating a user account in the accounts forest. It is also possible to create a mailbox for a user account that already exists in the accounts forest. As a result, Active Roles creates a disabled user account (shadow account) with a linked mailbox in the Exchange forest, and associates the shadow account and the mailbox with the user account (master account) held in the accounts forest.

  • View or change mailbox properties, and perform Exchange tasks, on a user account from the accounts forest (master account) that has a linked mailbox in the Exchange forest.

    The pages for managing the master account include all Exchange properties and tasks that are normally available when the mailbox resides in the same forest as the managed user account. With Exchange Resource Forest Management, Active Roles synchronizes the Exchange properties displayed or changed on the pages for managing the master account with the properties of the linked mailbox.

  • View or change the personal or organization-related properties of the master account while having them synchronized to the respective properties of the shadow account.

When you use Active Roles to change the personal or organization-related properties of the master account, Exchange Resource Forest Management causes Active Roles to apply the changes to those properties of the shadow account as well. This function ensures correct information about the master account in the Exchange address lists.

  • Deprovision a master account while having Active Roles deprovision the master account’s mailbox in the Exchange forest.

When you deprovision a master account, Exchange Resource Forest Management causes Active Roles to apply the deprovisioning policies to both the master account and shadow account. As a result, Active Roles makes all the necessary changes to deprovision the mailbox. You can revert these changes by undeprovisioning the master account.

  • Delegate Exchange mailbox management tasks by applying Access Templates to containers that hold master accounts.

For example, you can apply the “Exchange - Recipients Full Control” Access Template to a container in the accounts forest, which enables the delegated administrator to create, view or change linked mailboxes in the Exchange forest by managing master accounts held in that container.

  • Enable a master account to update membership list of a distribution group held in the Exchange forest.

When you make a shadow account the manager or a secondary owner of a distribution group and allow the manager or secondary owners to update membership list, Exchange Resource Forest Management ensures that the corresponding master account has sufficient rights to add or remove members from that group using Exchange clients such as Microsoft Outlook or Outlook Web App.

Exchange Resource Forest Management also enables Active Roles to provide all these administrative capabilities for linked mailboxes created by Active Roles with an earlier version of Exchange Resource Forest Management or without Exchange Resource Forest Management, or created by tools other than Active Roles. Exchange Resource Forest Management schedules Active Roles to search the managed domains for linked mailboxes whose master account:

  • Is in the scope of the Exchange Resource Forest Management policy for mailbox management
  • Does not have a reference to the shadow account expected by Exchange Resource Forest Management

For each master account that meets these conditions, Active Roles updates the master account with a reference to the shadow account, thereby extending the capabilities of Exchange Resource Forest Management to that master account and its linked mailbox. As a result, the linked mailbox falls under the control of Exchange Resource Forest Management.

Policy Object

Exchange Resource Forest Management uses a Policy Object to implement mailbox management policy for Exchange resource forest topology. This policy enables Active Roles to create and manage linked mailboxes in the resource forest by administering linked master accounts in an accounts forest. The Policy Object is in the Configuration/Policies/Administration/Builtin container. The name of the Policy Object is Built-in Policy - ERFM - Mailbox Management.

To enable Exchange Resource Forest Management, you need to apply that Policy Object to the domain or container that holds linked master accounts you want Active Roles to administer.

Policy settings

The topics in this section cover the mailbox management policy settings.

Container for new shadow accounts

The policy allows you to specify the container in which you want Active Roles to create shadow accounts when creating linked mailboxes managed by Exchange Resource Forest Management. You can select the desired organizational unit in the Exchange forest or you can let Active Roles choose the default container.

If you select a particular organizational unit, Active Roles creates shadow accounts in that organizational unit. You can select an organizational unit from any domain of the Exchange forest that is registered with Active Roles as a managed domain.

If you let Active Roles choose the default container for new shadow accounts, then Active Roles creates shadow accounts in the Users container in a particular domain of the Exchange forest. If the forest root domain of the Exchange forest is registered with Active Roles as a managed domain, then Active Roles creates shadow accounts in that domain. Otherwise, Active Roles creates shadow accounts in the domain that appears first in the ordered list of the managed domains from the Exchange forest. Note that Exchange Resource Forest Management requires at least one domain of the Exchange forest to be registered with Active Roles as a managed domain.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating