
Saturday, April 8, 2017

Exchange Resource Forest Selective Trust - Part 1

My environment utilizes two Resource Forests (each holding an Exchange 2016 organization), one in the US and one in Europe; both Resource Forests share one Accounts Forest.

We needed to lock down authentication to the US forest because of business regulations, meaning no user in Europe would be able to connect to the US Exchange servers.

In order to fulfil this requirement, I implemented a Selective Trust which is:


"Selective authentication over a forest trust restricts access to only those users in a trusted forest who have been explicitly given authentication permissions to computer objects (resource computers) that reside in the trusting forest."

In this two-part series, I'll show you how to enable and configure the Selective Trust and how to apply authentication permissions on the Exchange Servers in the Resource Forest.


Create Security Groups

In order to keep user authentication clean and manageable, we'll use security groups in both forests.

In the Accounts Forest create a Security Group called something like "Accounts Forest Exchange Auth" and add the users who will be allowed to authenticate with the Exchange Forest.

**Note** The users in this group are the only ones who will be able to connect to their Linked Mailboxes; users not in this group will get errors in Outlook that it can't find their mailbox.

In the Resource Forest create a Security Group called "Resource Forest Exchange Auth" and add the "Accounts Forest Exchange Auth" Security Group from the Accounts forest into that group.


**Note** This will basically be a nested group where the Accounts Forest Group is a member of the Resource Forest Group. This way, we only have to add members to one group, one time.

We're going to use this group in the Resource Forest to apply authentication permissions on the Exchange servers later.
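The two groups and the cross-forest nesting described above, scripted with the ActiveDirectory PowerShell module. This is an added example, not code from the original post; the forest DNS names (`accounts.example`, `resource.example`) and the sample user names are assumptions, and the script must be run by an account with group-management rights in both forests. The Resource Forest group is created as Domain Local because only domain local groups can contain security principals from another forest.

```powershell
# Added example (not from the original post). Creates the Accounts Forest group,
# the Resource Forest group, and nests the former inside the latter.
# Forest names, group names and user names below are assumptions.
Import-Module ActiveDirectory

$accountsForest = 'accounts.example'   # assumed DNS name of the Accounts Forest root domain
$resourceForest = 'resource.example'   # assumed DNS name of the Resource Forest root domain
$accountsGroup  = 'Accounts Forest Exchange Auth'
$resourceGroup  = 'Resource Forest Exchange Auth'

# 1. Accounts Forest: a global security group holding the users who may authenticate
#    to the Exchange Resource Forest. Anyone left out of it will not reach their linked mailbox.
New-ADGroup -Server $accountsForest -Name $accountsGroup `
    -GroupScope Global -GroupCategory Security `
    -Description 'Users permitted to authenticate to the US Exchange Resource Forest'

# Sample members (constructed names; replace with the real users).
Add-ADGroupMember -Server $accountsForest -Identity $accountsGroup -Members 'jdoe', 'asmith'

# 2. Resource Forest: a DOMAIN LOCAL security group. Domain local scope is required
#    because global and universal groups cannot contain principals from another forest.
New-ADGroup -Server $resourceForest -Name $resourceGroup `
    -GroupScope DomainLocal -GroupCategory Security `
    -Description 'Nested Accounts Forest group; granted Allowed to Authenticate on Exchange servers'

# 3. Nest the Accounts Forest group. The member is resolved from the trusted forest and
#    stored in the Resource Forest as a foreign security principal (an object named by its SID).
$foreignGroup = Get-ADGroup -Server $accountsForest -Identity $accountsGroup
Add-ADGroupMember -Server $resourceForest -Identity $resourceGroup -Members $foreignGroup

# 4. Verify the nesting: the only direct member should be the foreign security principal
#    whose SID matches the Accounts Forest group.
$members = Get-ADGroupMember -Server $resourceForest -Identity $resourceGroup
$members | Select-Object Name, objectClass, SID
if ($members.SID.Value -notcontains $foreignGroup.SID.Value) {
    Write-Warning "$accountsGroup is not a member of $resourceGroup; nesting failed."
}
```

Run the script once from a management workstation that can reach domain controllers in both forests; afterwards, membership changes only ever happen in the Accounts Forest group, which is the point of the nesting.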


Enabling Selective Authentication

Using the GUI:

1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain node for the forest root domain, and then click Properties.

3. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the forest trust that you want to administer, and then click Properties.

4. On the Authentication tab, click Selective authentication, and then click OK.

Using the command line:

Open an elevated CMD, and run the following (all on one line):


Netdom trust TrustingDomainName /domain:TrustedDomainName /SelectiveAUTH:Yes /userD:DomainAdministratorAcct /passwordD:DomainAdminPwd

**Notes**
TrustingDomainName
The DNS name of the trusting forest root domain in the trust that is being managed.

TrustedDomainName
The DNS name of the forest root domain that is trusted in the trust that is being managed.

DomainAdministratorAcct
Your domain admin account

DomainAdminPwd
Your domain admin password

Now your Selective Trust has been created.
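A check a practitioner would want after the GUI or netdom steps above: read the trust back from the trusting (Resource) forest and confirm that selective authentication is actually on. This is an added example, not code from the original post; it uses the ActiveDirectory module's Get-ADTrust cmdlet, and the forest DNS names are assumptions.

```powershell
# Added example (not from the original post). Verifies, from the trusting forest,
# that selective authentication is enabled on the forest trust to the Accounts Forest.
# The two DNS names are assumptions; substitute your own.
Import-Module ActiveDirectory

$resourceForest = 'resource.example'   # trusting forest root domain (where the Exchange servers live)
$accountsForest = 'accounts.example'   # trusted forest root domain (where the user accounts live)

# Selective authentication is recorded as the TRUST_ATTRIBUTE_CROSS_ORGANIZATION bit (0x10)
# in the trustedDomain object's trustAttributes; Get-ADTrust also surfaces it as a boolean.
$TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x10

$trust = Get-ADTrust -Server $resourceForest -Filter "Name -eq '$accountsForest'"
if (-not $trust) {
    throw "No trust to $accountsForest found in $resourceForest."
}

# Summarise the settings that matter for a locked-down resource forest trust.
[pscustomobject]@{
    Trust                   = $trust.Name
    Direction               = $trust.Direction          # Outbound or BiDirectional from the trusting side
    ForestTransitive        = $trust.ForestTransitive   # must be True for a forest trust
    SelectiveAuthentication = $trust.SelectiveAuthentication
    CrossOrgBitSet          = [bool]($trust.TrustAttributes -band $TRUST_ATTRIBUTE_CROSS_ORGANIZATION)
    SIDFilteringQuarantined = $trust.SIDFilteringQuarantined
}

if (-not $trust.SelectiveAuthentication) {
    Write-Warning ("Selective authentication is OFF on the trust to {0}: every user in that forest " +
                   "can still authenticate to computers in {1}.") -f $accountsForest, $resourceForest
}

# The same state can be read back with netdom by omitting the Yes/No value,
# which queries rather than sets the switch:
#   netdom trust resource.example /domain:accounts.example /SelectiveAUTH
```

Both `SelectiveAuthentication` and `CrossOrgBitSet` should report True once the trust has been switched over; if only the bit is set but the cmdlet reports False, the trust object has not replicated to the domain controller you queried yet, so re-run against the PDC emulator.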

In the next article, we'll set the permissions on the Exchange servers, to allow users to authenticate.
