Forum Discussion

StefanoC66
Iron Contributor
Nov 26, 2024

Exchange Availability service

I'm looking for clarification about the configuration of cross-forest availability services explained in the following article:

Configure the Availability service for cross-forest topologies | Microsoft Learn

We have two forests with an Exchange org in each of them.

Forest A 

--- AD     companyA.local

---SMTP  companyA.com

 

Forest B

--- AD    companyB.local

---SMTP companyB.com

 

There's a bidirectional trust between the two forests.

They need to be able to share the users' free/busy information between the two forests, and the article seems to be what we need.

It mentions completing two steps:

Get-MailboxServer | Add-ADPermission -Accessrights Extendedright -Extendedrights "ms-Exch-EPI-Token-Serialization" -User "<Remote Forest Domain>\Exchange servers"

Add-AvailabilityAddressSpace -Forestname ContosoForest.com -AccessMethod PerUserFB -UseServiceAccount $true

 

Given our setup, am I correct if I do the following?

IN FOREST A

Get-MailboxServer | Add-ADPermission -Accessrights Extendedright -Extendedrights "ms-Exch-EPI-Token-Serialization" -User "companyB\Exchange servers"

Add-AvailabilityAddressSpace -Forestname CompanyB.com -AccessMethod PerUserFB -UseServiceAccount $true

 

IN FOREST B

Get-MailboxServer | Add-ADPermission -Accessrights Extendedright -Extendedrights "ms-Exch-EPI-Token-Serialization" -User "companyA\Exchange servers"

Add-AvailabilityAddressSpace -Forestname CompanyA.com -AccessMethod PerUserFB -UseServiceAccount $true

 

Thanks

 

1 Reply

  • BaylorTitan
    Iron Contributor

    1. Execute in Forest A (PowerShell):

    # Grant cross-forest permission
    Get-MailboxServer | Add-ADPermission -AccessRights ExtendedRight -ExtendedRights "ms-Exch-EPI-Token-Serialization" -User "companyB\Exchange Servers"
    # Add-AvailabilityAddressSpace
    Add-AvailabilityAddressSpace -ForestName companyB.com -AccessMethod PerUserFB -UseServiceAccount $true

    2. In Forest B, run (PowerShell):

    # Grant cross-forest privileges
    Get-MailboxServer | Add-ADPermission -AccessRights ExtendedRight -ExtendedRights "ms-Exch-EPI-Token-Serialization" -User "companyA\Exchange Servers"
    # Add-AvailabilityAddressSpace
    Add-AvailabilityAddressSpace -ForestName companyA.com -AccessMethod PerUserFB -UseServiceAccount $true

    3. Key notes:

    Replacing Real Domains
    companyA.com and companyB.com need to be replaced with the actual forest root domains (DNS names, not NetBIOS names).

    Verifying Service Accounts
    companyB\Exchange Servers must be the security group to which the Exchange servers in Forest B belong (the default group name is Exchange Servers).

    Two-way Trust Check
    Ensure that a two-way Kerberos trust exists between the two forests and that the domain in which the Exchange server resides participates in this trust.

    Firewall Open Ports
    Open TCP ports 80/443 (HTTP/HTTPS) and 808 (RPC over HTTP) between Exchange servers.

    Quick Authentication
    Run the following command in any forest to check if the configuration takes effect (PowerShell):

    Test-AvailabilityServiceConnectivity -TargetForest companyB.com -Verbose

    If Success is returned, the configuration was successful.
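
Added example (not part of the original thread or of the Microsoft article): a read-only check, run in the Exchange Management Shell of each forest, that lists which principals hold the ms-Exch-EPI-Token-Serialization extended right on every mailbox server and confirms the availability address space for the other forest. The values of `$remoteForest`, `$remoteGroup` and `$expectedUsers` are assumptions that reuse the thread's placeholder names, shown here as they would be set in Forest A.

```powershell
# Added example; read-only. Run in the Exchange Management Shell of each forest.
# Assumptions: names reuse the thread's placeholders; edit for your environment.
$right         = 'ms-Exch-EPI-Token-Serialization'
$remoteForest  = 'companyB.com'                  # the other forest
$remoteGroup   = 'companyB\Exchange Servers'     # group granted in the thread
$expectedUsers = @('companyA\Exchange Servers', $remoteGroup)
$servers       = @(Get-MailboxServer)

# 1. Collect every ACE carrying the extended right on each mailbox server.
$aces = foreach ($server in $servers) {
    Get-ADPermission -Identity $server.DistinguishedName |
        Where-Object { $_.ExtendedRights -like "*$right*" } |
        ForEach-Object {
            [pscustomobject]@{
                Server    = $server.Name
                User      = "$($_.User)"
                Deny      = [bool]$_.Deny
                Inherited = [bool]$_.IsInherited
                Expected  = $expectedUsers -contains "$($_.User)"
            }
        }
}
$aces | Sort-Object Server, User | Format-Table -AutoSize

# 2. Allow entries for principals outside the expected list are worth reviewing.
$aces | Where-Object { -not $_.Deny -and -not $_.Expected } |
    ForEach-Object { Write-Warning "Review: $($_.User) holds $right on $($_.Server)" }

# 3. Every mailbox server should have an Allow entry for the remote group.
foreach ($server in $servers) {
    $ok = $aces | Where-Object {
        $_.Server -eq $server.Name -and $_.User -eq $remoteGroup -and -not $_.Deny
    }
    if (-not $ok) { Write-Warning "$($server.Name): no Allow entry for $remoteGroup" }
}

# 4. Confirm the address space created by Add-AvailabilityAddressSpace.
$space = Get-AvailabilityAddressSpace | Where-Object { $_.ForestName -eq $remoteForest }
if ($space) {
    $space | Format-List ForestName, AccessMethod, UseServiceAccount
} else {
    Write-Warning "No availability address space found for $remoteForest"
}
```

In Forest B, swap the companyA and companyB values before running it.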