Exchange Resource Forest
An Exchange Resource Forest is a Microsoft deployment option for centralizing Exchange messaging within an organization, while still maintaining one or more independent Active Directory domains for employee network access. This scenario is common in large enterprises or in disparate organizations where the enterprise is comprised of many independent departments or companies, each with its own IT department and Active Directory domains, yet still wishing to centralize their Exchange Messaging while minimizing the impact on employees.
The Exchange Resource Forest (ERF) consists of an AD domain that is dedicated to running Exchange and is separate from the external AD domain(s) where the users are located. For every user account that exists in the external AD domain(s), an equivalent ¡§placeholder¡¨ user account is created in the ERF and provisioned with a mailbox. The mailbox rights settings for each mailbox can be modified to allow access by the original user in the external AD domain. A one-way trust is established between the ERF and the external AD domains so users that authenticate to an external AD domain automatically gain access to the ERF environment. The security of the external AD domain is preserved since user and administrative accounts in the ERF environment do not automatically link back to the external AD domain.
Benefits of Using an Exchange Resource Forest
- Any errors or problems in the Exchange Resource Forest are independent and have no impact on the corporate AD domain(s).
- The ERF ensures that the schema of the external AD domain(s) is/are not modified by installing Exchange or any other messaging/collaboration-related utilities.
- Exchange and AD administrators have access only to the resources they need to mange their environments.
- Exchange managers are given complete control of Exchange without having to involve AD managers.
- AD managers can administer their own respective environment without involving Exchange managers.
Improved Employee Experience:
- Users experience single sign-on authentication, since they only need to log on to the corporate AD to get access to their e-mail. They do not need to log into a separate mail service.
Challenges of Using an Exchange Resource Forest
When using an Exchange Resource Forest, organizations typically face the challenge of efficient and effective deployment and ongoing management.
The set-up of a new employee requires that an account be created in both the relevant corporate domain and in the ERF.
Mailbox creation is manually intensive:
- The placeholder account in the ERF domain must be created, and then disabled to improve security.
Each new placeholder account must be mail enabled.
- The mailbox rights for this account must be set correctly so that the user from the external AD domain has full access and is the owner of the mailbox. This is potentially an error prone task, and mistakes can result in the user not having access to e-mail, or create a security breach with the wrong user gaining access to another user¡¦s e-mail.
- Address Books must be maintained for each segregated business unit, as well as across the enterprise. This may involve complicated naming standards and setting special attributes in Active Directory on the accounts specifically for this purpose.
- Distribution Lists must be managed from the ERF domain. Administrators from each company or division typically require access to the common ERF domain to do this, posing security concerns.
When a user is removed from a corporate AD domain, the equivalent user account in the ERF needs to be manually removed and/or archived.
Administration of mailbox settings must occur within the ERF domain, requiring a delegated administration tool such as ProvisorERF to enable this in a secure manner.
For more information, please contact us at ERF@abridean.com or call 1.877.520.4277.