Exchange - Different Domain, Same Forest Users
-
@G-I-Jones said in Exchange - Different Domain, Same Forest Users:
@dbeato said in Exchange - Different Domain, Same Forest Users:
@G-I-Jones said in Exchange - Different Domain, Same Forest Users:
Okay, so @dbeato got me thinking about forests, so I ran
Get-ADForestfrom each DC and they show nothing but themselves. I'm thinking this is a DNS issue or the Trust might have not been configured properly. Going to start poking around there and see what I can find.
No, you have two different Forest plain and simple. Each Exchange is separate in each domain.
Yup, just checked it out and they are two separate Forests. Forest Trust, rather than Tree-Root Trust. Now I have to get permissions to change this or researching if hopping domains with Exchange is supported.
Here's a question for the boss - why do you need two domains? What purpose does it serve?
-
@Dashrender said in Exchange - Different Domain, Same Forest Users:
@dbeato said in Exchange - Different Domain, Same Forest Users:
@Dashrender said in Exchange - Different Domain, Same Forest Users:
@G-I-Jones said in Exchange - Different Domain, Same Forest Users:
yeah - but us techies rarely (I've never seen anyone talk about it) call it that - we know that a trust exists between all domains in a Forest, that's a primary component to what makes them a forest.
Ah, so what trust that's different than the automatic Tree-Root of inter-forest domains are we talking about?
In this situation we don't worry about it. We know you have a Forest - so the trust issue is a non issue.
Now a question for @dbeato - can you have more than one Exchange system inside a domain? I guess I was under the impression you couldn't, or at least wouldn't. This of course doesn't mean you only have one exchange server - you have as many as you need/want, but they are all part of the same Exchange group for lack of a better name, you doll out the Exchange rolls (Mailbox, Hub, Edge transport) to different Exchange servers as needed.
I'm guessing most businesses only have one Edge Transport server, though if you need resiliency you might have more. The mailbox servers are what the end users normally attach Outlook to, so in G-I-Jones case he might have two: one to be closer to set of users A, and another to be closer to set of users B. But I'm pretty sure both could have .net or .org on them.And I totally off base here?
You can have as many Exchange Servers in your domain as you possibly can. I have customers with a least 3 or more in different locations o regions as well. Exchange 2013 and upward allowed the access of severs through the Front End Server which proxies to the other servers as well.
Right, but my point was that they are a collective single entity.... the OP made it sound like his Exchanges were completely separate - and now seeing it's likely he does not have a single forest, but instead two forests with a trust relationship.. .no wonder he can't do what he wants.
Yeah, even with a domain trust you can share things between Exchanges as well.
-
@dbeato said in Exchange - Different Domain, Same Forest Users:
@Dashrender said in Exchange - Different Domain, Same Forest Users:
@dbeato said in Exchange - Different Domain, Same Forest Users:
@Dashrender said in Exchange - Different Domain, Same Forest Users:
@G-I-Jones said in Exchange - Different Domain, Same Forest Users:
yeah - but us techies rarely (I've never seen anyone talk about it) call it that - we know that a trust exists between all domains in a Forest, that's a primary component to what makes them a forest.
Ah, so what trust that's different than the automatic Tree-Root of inter-forest domains are we talking about?
In this situation we don't worry about it. We know you have a Forest - so the trust issue is a non issue.
Now a question for @dbeato - can you have more than one Exchange system inside a domain? I guess I was under the impression you couldn't, or at least wouldn't. This of course doesn't mean you only have one exchange server - you have as many as you need/want, but they are all part of the same Exchange group for lack of a better name, you doll out the Exchange rolls (Mailbox, Hub, Edge transport) to different Exchange servers as needed.
I'm guessing most businesses only have one Edge Transport server, though if you need resiliency you might have more. The mailbox servers are what the end users normally attach Outlook to, so in G-I-Jones case he might have two: one to be closer to set of users A, and another to be closer to set of users B. But I'm pretty sure both could have .net or .org on them.And I totally off base here?
You can have as many Exchange Servers in your domain as you possibly can. I have customers with a least 3 or more in different locations o regions as well. Exchange 2013 and upward allowed the access of severs through the Front End Server which proxies to the other servers as well.
Right, but my point was that they are a collective single entity.... the OP made it sound like his Exchanges were completely separate - and now seeing it's likely he does not have a single forest, but instead two forests with a trust relationship.. .no wonder he can't do what he wants.
Yeah, even with a domain trust you can share things between Exchanges as well.
HUH - like what?
-
@Dashrender said in Exchange - Different Domain, Same Forest Users:
@dbeato said in Exchange - Different Domain, Same Forest Users:
@Dashrender said in Exchange - Different Domain, Same Forest Users:
@G-I-Jones said in Exchange - Different Domain, Same Forest Users:
yeah - but us techies rarely (I've never seen anyone talk about it) call it that - we know that a trust exists between all domains in a Forest, that's a primary component to what makes them a forest.
Ah, so what trust that's different than the automatic Tree-Root of inter-forest domains are we talking about?
In this situation we don't worry about it. We know you have a Forest - so the trust issue is a non issue.
Now a question for @dbeato - can you have more than one Exchange system inside a domain? I guess I was under the impression you couldn't, or at least wouldn't. This of course doesn't mean you only have one exchange server - you have as many as you need/want, but they are all part of the same Exchange group for lack of a better name, you doll out the Exchange rolls (Mailbox, Hub, Edge transport) to different Exchange servers as needed.
I'm guessing most businesses only have one Edge Transport server, though if you need resiliency you might have more. The mailbox servers are what the end users normally attach Outlook to, so in G-I-Jones case he might have two: one to be closer to set of users A, and another to be closer to set of users B. But I'm pretty sure both could have .net or .org on them.And I totally off base here?
You can have as many Exchange Servers in your domain as you possibly can. I have customers with a least 3 or more in different locations o regions as well. Exchange 2013 and upward allowed the access of severs through the Front End Server which proxies to the other servers as well.
Right, but my point was that they are a collective single entity.... the OP made it sound like his Exchanges were completely separate - and now seeing it's likely he does not have a single forest, but instead two forests with a trust relationship.. .no wonder he can't do what he wants.
You can do a Federation Trust between the Exchange servers to share Contacts and Calendars.
https://docs.microsoft.com/en-us/exchange/configure-a-federation-trust-exchange-2013-help -
@dbeato said in Exchange - Different Domain, Same Forest Users:
@Dashrender said in Exchange - Different Domain, Same Forest Users:
@dbeato said in Exchange - Different Domain, Same Forest Users:
@Dashrender said in Exchange - Different Domain, Same Forest Users:
@G-I-Jones said in Exchange - Different Domain, Same Forest Users:
yeah - but us techies rarely (I've never seen anyone talk about it) call it that - we know that a trust exists between all domains in a Forest, that's a primary component to what makes them a forest.
Ah, so what trust that's different than the automatic Tree-Root of inter-forest domains are we talking about?
In this situation we don't worry about it. We know you have a Forest - so the trust issue is a non issue.
Now a question for @dbeato - can you have more than one Exchange system inside a domain? I guess I was under the impression you couldn't, or at least wouldn't. This of course doesn't mean you only have one exchange server - you have as many as you need/want, but they are all part of the same Exchange group for lack of a better name, you doll out the Exchange rolls (Mailbox, Hub, Edge transport) to different Exchange servers as needed.
I'm guessing most businesses only have one Edge Transport server, though if you need resiliency you might have more. The mailbox servers are what the end users normally attach Outlook to, so in G-I-Jones case he might have two: one to be closer to set of users A, and another to be closer to set of users B. But I'm pretty sure both could have .net or .org on them.And I totally off base here?
You can have as many Exchange Servers in your domain as you possibly can. I have customers with a least 3 or more in different locations o regions as well. Exchange 2013 and upward allowed the access of severs through the Front End Server which proxies to the other servers as well.
Right, but my point was that they are a collective single entity.... the OP made it sound like his Exchanges were completely separate - and now seeing it's likely he does not have a single forest, but instead two forests with a trust relationship.. .no wonder he can't do what he wants.
You can do a Federation Trust between the Exchange servers to share Contacts and Calendars.
https://docs.microsoft.com/en-us/exchange/configure-a-federation-trust-exchange-2013-helpOK cool... can you move a mailbox from one side to the other and keep it's original email address?
-
You can also setup Linked mailboxes
https://docs.microsoft.com/en-us/exchange/manage-linked-mailboxes-exchange-2013-help?redirectedfrom=MSDN -
@dbeato said in Exchange - Different Domain, Same Forest Users:
You can also setup Linked mailboxes
https://docs.microsoft.com/en-us/exchange/manage-linked-mailboxes-exchange-2013-help?redirectedfrom=MSDNnot what the OP is looking for though. that's a single Exchange plant in one of the forests... from the sounds of it, forest 1 (.net) and forest 2 (.org) it sounds like the boss wants users in forest 2 to have their mailbox on forest 1 Exchange - is that possible?
-
you know - before we dive into all that madness - we should find out - Is there really a need for two forests? If not - get back to a single forest setup.
Once there - do you really need two domains in the same forest? If the only reason the boss setup a second domain (and the second forest) was because he thought he had to inorder for Exchange to handle emails for a second domain - you need to correct that thinking, a single Exchange server can handle a huge number of email domains.
-
@Dashrender said in Exchange - Different Domain, Same Forest Users:
a single Exchange server can handle a huge number of email domains.
Thousands
-
@Dashrender All of this could have been avoided if I would have just double checked the boss’s work in the first place. Lesson learned.
I think his thoughts were that having students on a separate domain (.net) provided some sort of security measure with accessing staff domain shares and the like (.org), because they would be .net users.
-
@G-I-Jones said in Exchange - Different Domain, Same Forest Users:
I think his thoughts were that having students on a separate domain (.net) provided some sort of security measure with accessing staff domain shares and the like (.org), because they would be .net users.
If he believes that the NTFS permissions don't work, then different domain / forest will do absolutely nothing. AD provides zero security, it's not that kind of thing. This is 100% a question of NTFS and share permission, nothing to do with AD at all.
The number of misunderstandings of computing basics necessary for him to think this is pretty heavy. For example...
- He has to fundamentally think AD is something that it is not. And simultaneously not know Windows basics to know filesystem and share permissions systems. All three of these things individually are extremely basic.
- He has to not trust whatever of those things he thinks is providing the security. From the description, it has to be AD. So he wants to use AD while simultaneously not believing that it works. Why would he implement it believing it would create a breach?
- He has to not understand domains and forests because there is no security or mechanism difference between them. So the separation that he's done has no effect, whatever. Everyone is open to everyone else as if there is only one domain. It's more complex to maintain, but adds no security. It adds no security in reality, but would also add no security in the weird misunderstanding world that he must have come up with because the point of the "trust" is to remove all barriers between the two.
- All of this tells us that he's not in a position to be maintaining Windows systems in a situation where security is important.
- Which in turn tells us that running Exchange in house is out of the question. That's only okay in extremely niche situations, all of which revolve around having both very good Windows Admin and Exchange Admin skills already in house and already paid for that can't be eliminated. And even then, it rarely makes sense.
- It suggests that Windows, AD, and Exchange are all inappropriate technology choices because there is a lack of understanding what they are and as none of them are likely candidates as good choices even when they are well known, the chances that they are acceptable choices when they aren't known approaches zero.
-
@G-I-Jones said in Exchange - Different Domain, Same Forest Users:
All of this could have been avoided if I would have just double checked the boss’s work in the first place. Lesson learned.
That's one way to handle it. Another is... why is there someone in a "boss" position making decisions that he's clearly not trained to do at all and why isn't he asking people for help? As the boss, there is nothing wrong with not knowing what Windows or AD are and not understanding email systems. That's fine. But how can he be the boss while making decisions around this stuff, especially really important ones, knowing he doesn't know anything about it?
-
@Dashrender said in Exchange - Different Domain, Same Forest Users:
Once there - do you really need two domains in the same forest? If the only reason the boss setup a second domain (and the second forest) was because he thought he had to inorder for Exchange to handle emails for a second domain - you need to correct that thinking, a single Exchange server can handle a huge number of email domains.
It's deeper than this. This is correct, you need to step back. But not one pace, all the paces. What we know at this point implies that every decision along this path, not just the latest ones, was made recklessly and possibly randomly.
-
@scottalanmiller said in Exchange - Different Domain, Same Forest Users:
@Dashrender said in Exchange - Different Domain, Same Forest Users:
Once there - do you really need two domains in the same forest? If the only reason the boss setup a second domain (and the second forest) was because he thought he had to inorder for Exchange to handle emails for a second domain - you need to correct that thinking, a single Exchange server can handle a huge number of email domains.
It's deeper than this. This is correct, you need to step back. But not one pace, all the paces. What we know at this point implies that every decision along this path, not just the latest ones, was made recklessly and possibly randomly.
Well yeah, but it's likely since the boss is making these kinds of calls/mistakes, the OP can't likely do much other than attempt to fix it or find another job. And fixing it will require the boss being OK with it being fixed.
I mean the OP could go over the bosses head and report him - but how often does that that work out in the reportee's favor? likely pretty rare.
-
I went to lunch and came back and boy did this thread get juicy. @scottalanmiller , as always your input is both appreciated and needed. I'm really trying to learn all I can about everything, and you all (to include @Dashrender , @DustinB3403 regularly) come through time and time again to school me. For that I'm eternally grateful.
The grand silver lining to any of this is that I've not only got more experience now with things I've previously never touched (i.e. multi-domain Exchange deployments and AD trusts), but I'm learning too that some things I'm questioning like "why do we need another domain for this?" are apparently more rooted in my own understanding of things than inexperience on my part, which means despite all the failures on his or my own part, I am learning.
I've talked to the boss and he agreed that we adjust the trust and make them the same forest. I'm not going to push the issue any further but am going to try to get as much out of the situation as possible for me.
-
@G-I-Jones said in Exchange - Different Domain, Same Forest Users:
I've talked to the boss and he agreed that we adjust the trust and make them the same forest.
Could even be a single domain. Anything will work, some things are just easier.
-
@G-I-Jones said in Exchange - Different Domain, Same Forest Users:
I'm not going to push the issue any further but am going to try to get as much out of the situation as possible for me.
More than anything, it's important for you to have all of the information to understand when you are learning something good from the boss, or just learning that he's in over his head
-
@G-I-Jones said in Exchange - Different Domain, Same Forest Users:
I went to lunch and came back and boy did this thread get juicy. @scottalanmiller , as always your input is both appreciated and needed. I'm really trying to learn all I can about everything, and you all (to include @Dashrender , @DustinB3403 regularly) come through time and time again to school me. For that I'm eternally grateful.
The grand silver lining to any of this is that I've not only got more experience now with things I've previously never touched (i.e. multi-domain Exchange deployments and AD trusts), but I'm learning too that some things I'm questioning like "why do we need another domain for this?" are apparently more rooted in my own understanding of things than inexperience on my part, which means despite all the failures on his or my own part, I am learning.
I've talked to the boss and he agreed that we adjust the trust and make them the same forest. I'm not going to push the issue any further but am going to try to get as much out of the situation as possible for me.
Once you do that - you'll only have one exchange system. that system will have both .net and .org in it and life will be generally much easier for you.
-
@Dashrender said in Exchange - Different Domain, Same Forest Users:
@G-I-Jones said in Exchange - Different Domain, Same Forest Users:
I went to lunch and came back and boy did this thread get juicy. @scottalanmiller , as always your input is both appreciated and needed. I'm really trying to learn all I can about everything, and you all (to include @Dashrender , @DustinB3403 regularly) come through time and time again to school me. For that I'm eternally grateful.
The grand silver lining to any of this is that I've not only got more experience now with things I've previously never touched (i.e. multi-domain Exchange deployments and AD trusts), but I'm learning too that some things I'm questioning like "why do we need another domain for this?" are apparently more rooted in my own understanding of things than inexperience on my part, which means despite all the failures on his or my own part, I am learning.
I've talked to the boss and he agreed that we adjust the trust and make them the same forest. I'm not going to push the issue any further but am going to try to get as much out of the situation as possible for me.
Once you do that - you'll only have one exchange system. that system will have both .net and .org in it and life will be generally much easier for you.
Or move to Office 365, G Suite, Zoho or some other external email system.
-
@dbeato said in Exchange - Different Domain, Same Forest Users:
@Dashrender said in Exchange - Different Domain, Same Forest Users:
@G-I-Jones said in Exchange - Different Domain, Same Forest Users:
I went to lunch and came back and boy did this thread get juicy. @scottalanmiller , as always your input is both appreciated and needed. I'm really trying to learn all I can about everything, and you all (to include @Dashrender , @DustinB3403 regularly) come through time and time again to school me. For that I'm eternally grateful.
The grand silver lining to any of this is that I've not only got more experience now with things I've previously never touched (i.e. multi-domain Exchange deployments and AD trusts), but I'm learning too that some things I'm questioning like "why do we need another domain for this?" are apparently more rooted in my own understanding of things than inexperience on my part, which means despite all the failures on his or my own part, I am learning.
I've talked to the boss and he agreed that we adjust the trust and make them the same forest. I'm not going to push the issue any further but am going to try to get as much out of the situation as possible for me.
Once you do that - you'll only have one exchange system. that system will have both .net and .org in it and life will be generally much easier for you.
Or move to Office 365, G Suite, Zoho or some other external email system.
LOL
