Multiple Forests

When Microsoft designed Windows 2000, they assumed that
organizations would build their entire networks inside of a single Windows
forest. The designers knew that such things as corporate mergers would
cause difficulties, but they pretty much left solution of those problems for
later products. The most daunting difficulties arose in relation to
authentication. Authentication was and continues to be a problem for
Exchange 2000 users, but more pressing are issues relating to
synchronizing GALs, sharing a common SMTP address space,
synchronizing address lists, and moving Exchange objects between forests.
Windows 2003 forests running at the Windows 2003 forest functional level
address this issue by allowing cross-forest trusts. Microsoft provides tools
for replicating global address lists.
 Windows 2000 allowed for a form of trusts between forests,
but such trusts were not built between forests; they were
built between the individual domains within the forests. For
large organizations, trust lists became unwieldy.
Additionally, in Windows 2000 there was no way to pick
and choose among the users who were trusted. You either
trusted all users in a forest or you trusted none of them.
Windows 2003 fixed these problems by implementing
cross-forest trusts and selective authentication.
Synchronizing GALs
Microsoft Identity Integration Server 2003 (MIIS) is designed to
synchronize Exchange 2000 and 2003 GALs across forests. It doesn’t
replicate user, contact, or group objects across the GALs in multiple forests.
Rather it imports each of these objects into its Metabase. Then, for each
forest, MIIS creates a contact object for each of the three objects, places the
contact into the Metabase, and then propagates these contacts to the GALs
in the Active Directories in other forests. MIIS is organized around
Windows Organizational Units, which allows for finer grained selection of
mail objects to be replicated to other forests.
 For more on MIIS and its use, visit
www.microsoft.com/miis or read the Microsoft white
paper “Microsoft Identity and Integration Server Global
Address List Synchronization.”
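The import-then-provision cycle described above, modeled as an added example (this is not MIIS code, and the forest names, OUs and addresses are constructed): every mail-enabled object that sits in an exported OU of any forest is pulled into one central store keyed by SMTP address, and each other forest then receives a contact for it in a designated import OU. The example goes one step beyond the text by reporting address collisions, the case where a forest already holds a hand-made contact for an address that another forest owns authoritatively.

```python
# Constructed model of cross-forest GAL synchronization as the text describes MIIS doing it:
# import selected mail objects from every forest into one store, then provision a contact
# in each other forest for each of them. Not MIIS code; all sample data is made up.
from dataclasses import dataclass


@dataclass(frozen=True)
class MailObject:
    forest: str   # forest the object lives in
    kind: str     # "user", "contact" or "group"
    name: str
    smtp: str     # primary SMTP address
    ou: str       # OU the object sits in; the text says OUs drive the selection


@dataclass
class Forest:
    name: str
    objects: list      # mail-enabled objects in this forest
    export_ous: set    # only objects in these OUs are offered to other forests
    import_ou: str     # assumed OU where contacts from other forests are created


def build_metaverse(forests):
    """Import the selected objects of every forest into one store keyed by SMTP address.

    The first forest to claim an address keeps it; a later object with the same
    address is reported as a conflict rather than silently overwriting the first.
    """
    metaverse, conflicts = {}, []
    for forest in forests:
        for obj in forest.objects:
            if obj.ou not in forest.export_ous:
                continue  # outside the exported OUs: stays private to its forest
            key = obj.smtp.lower()
            if key in metaverse:
                conflicts.append((key, metaverse[key].forest, obj.forest))
            else:
                metaverse[key] = obj
    return metaverse, conflicts


def contacts_for(target, metaverse):
    """Contacts to create in `target`: one per stored object that originates elsewhere."""
    return sorted(
        (MailObject(target.name, "contact", o.name, o.smtp, target.import_ou)
         for o in metaverse.values() if o.forest != target.name),
        key=lambda c: c.smtp,
    )


def synchronize(forests):
    """Return {forest name: [contacts to provision]} and the list of address conflicts."""
    metaverse, conflicts = build_metaverse(forests)
    return {f.name: contacts_for(f, metaverse) for f in forests}, conflicts


# Constructed sample forests.
FOREST_A = Forest("A", [
    MailObject("A", "user", "Alice", "alice@a.example", "OU=Sales,DC=a,DC=example"),
    MailObject("A", "user", "Bob", "bob@a.example", "OU=Sales,DC=a,DC=example"),
    MailObject("A", "group", "Sales DL", "sales@a.example", "OU=Sales,DC=a,DC=example"),
    MailObject("A", "user", "Temp", "temp@a.example", "OU=Temp,DC=a,DC=example"),  # not exported
], {"OU=Sales,DC=a,DC=example"}, "OU=GALSync,DC=a,DC=example")

FOREST_B = Forest("B", [
    MailObject("B", "user", "Dan", "dan@b.example", "OU=Staff,DC=b,DC=example"),
    MailObject("B", "contact", "Vendor", "vendor@partner.example", "OU=Staff,DC=b,DC=example"),
    # A hand-made contact for Alice that collides with her real account in forest A.
    MailObject("B", "contact", "Alice (manual)", "alice@a.example", "OU=Staff,DC=b,DC=example"),
], {"OU=Staff,DC=b,DC=example"}, "OU=GALSync,DC=b,DC=example")

if __name__ == "__main__":
    plan, conflicts = synchronize([FOREST_A, FOREST_B])
    for forest_name, contacts in plan.items():
        print(forest_name, [c.smtp for c in contacts])
    print("conflicts:", conflicts)
```

The conflict list is the part worth acting on before a first run: a stale manual contact left in one forest would otherwise shadow the authoritative object from the other.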
Sharing a Common SMTP Address Space
What if you need to support two or more Exchange organizations
that use the same SMTP domain? There is a way. Let’s look at a two-forest/organization situation. Call the organizations A and B. Here’s what
you would need to do.
First, assure that the default SMTP proxy addresses for organizations
A and B are the same. You may need to change one or both proxies
depending on where you’re starting and where you want to end up. Then,
set up an SMTP server in organization A to act as an SMTP smart host for
organization B. All mail for the SMTP address space will be received at
organization A, and then e-mail for organization B will be transferred to an
SMTP server in organization B using standard smart host protocols. Mail
from organization B will either be delivered by an SMTP server inside of
organization B or through the smart host at organization A.
All of this cross-organizational SMTP mail movement is supported
by the Exchange SMTP Connector. The SMTP Connector lets you use Windows
authentication to improve the security of message movement between
organizations A and B.
 For more on setting up and using SMTP smart hosts, see
Barry Gerber’s, Mastering Microsoft Exchange Server 2003
(Sybex, 2003), Chapter 13.
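The routing rules just described, as an added example (not Exchange code, and the domain, organization names and recipient lists are constructed): organization A receives everything for the shared domain and hands B's recipients to a server in B; B delivers its own recipients and sends everything else through A's smart host. The example adds one guard the text does not spell out: because each organization forwards shared-domain addresses it does not know to the other, a recipient that exists in neither would bounce back and forth, so a single cross-organization relay is treated as the most a message may ever make before it is rejected.

```python
# Constructed model of two Exchange organizations sharing one SMTP address space.
# Organization A fronts the shared domain; B gets its mail via a smart host in A.
# Not Exchange code; directory contents and names are made up.

SHARED_DOMAIN = "example.com"   # assumption: the SMTP domain both organizations answer for
SMART_HOST_ORG = "A"            # organization that receives all inbound mail for that domain

# Each organization knows only its own recipients, as two separate Exchange
# organizations would, and knows which peer to forward the rest to.
ORGS = {
    "A": {"peer": "B", "recipients": {"alice@example.com", "bob@example.com"}},
    "B": {"peer": "A", "recipients": {"dan@example.com"}},
}


def route(recipient, at_org, hops=0, max_hops=1):
    """Decide what the SMTP server of `at_org` does with one recipient.

    Returns ("deliver", org), ("relay", next_org), ("external", None) or ("ndr", reason).
    `hops` is the number of cross-organization relays this message has already made;
    once it reaches `max_hops` an unknown shared-domain recipient is rejected instead
    of being forwarded back, which is what prevents a mail loop between A and B.
    """
    addr = recipient.strip().lower()
    if "@" not in addr:
        return ("ndr", "malformed address")
    domain = addr.rpartition("@")[2]
    org = ORGS[at_org]
    if domain != SHARED_DOMAIN:
        # Mail leaving the shared domain: B hands it to A's smart host, A sends it out.
        return ("external", None) if at_org == SMART_HOST_ORG else ("relay", org["peer"])
    if addr in org["recipients"]:
        return ("deliver", at_org)
    if hops >= max_hops:
        return ("ndr", "recipient unknown in both organizations")
    return ("relay", org["peer"])


def trace(recipient, entry_org=SMART_HOST_ORG):
    """Follow a message from `entry_org` until it is delivered, sent out or rejected.

    Returns the list of (organization, action) steps and the final (action, target).
    """
    path, org, hops = [], entry_org, 0
    while True:
        action, target = route(recipient, org, hops)
        path.append((org, action))
        if action != "relay":
            return path, (action, target)
        org, hops = target, hops + 1


if __name__ == "__main__":
    for rcpt, entry in [("dan@example.com", "A"), ("alice@example.com", "B"),
                        ("nobody@example.com", "A"), ("x@other.example", "B")]:
        print(rcpt, "entering at", entry, "->", trace(rcpt, entry))
```

In a real deployment the hop guard corresponds to not configuring the B-side server to send unknown shared-domain recipients back out through A's smart host; the model makes that decision explicit so it can be checked.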
Synchronizing Address Lists
If you need to synchronize Exchange address lists across Windows
forests, you have a number of choices. I’ll discuss three of these here.
Microsoft makes a product called “Microsoft Identity Integration Server”
(MIIS). Hewlett-Packard offers LDAP Directory Synchronizer Utility
(LDSU). CPS Systems has a product called SimpleSync. All of these
products use LDAP protocols.
Microsoft Identity Integration Server 2003 (MIIS) can be used to
synchronize global address lists across Exchange organizations (Windows
2003 forests). MIIS is not specifically an Exchange 2003 product. It’s tied
to Windows 2003. MIIS can synchronize what is called “identity
information” (usernames, passwords, address lists, etc.) across a range of
“identity repositories.” Identity repositories can be Windows Active
Directories or be foreign to Windows and Active Directory. MIIS includes
a feature specifically for synchronizing Exchange 2000/2003 global address
lists between Exchange organizations. MIIS comes in two flavors: Standard
and Enterprise. MIIS Standard Edition is a part of Windows 2003, although
it shipped separately after Windows 2003 shipped. MIIS Enterprise Edition
is sold separately. Standard Edition supports only Active Directory
synchronization and only up to five forests. Enterprise Edition offers all of
the features I mentioned above. You can find out more about MIIS at
www.microsoft.com/miis.
HP’s LDSU has been around for some time. It works well with any
LDAP-based directory, providing bidirectional synchronization of any
LDAP data that adheres to LDAP Protocol V2. It is a very generic product,
which has its advantages and disadvantages. On the plus side, with enough
knowledge of LDAP and the directories you must synchronize, you can
sync just about anything between directories. On the minus side, setting up
some standard Windows- or Exchange-based syncs is easier with MIIS than
LDSU. You can find out more about LDSU at
h18005.www1.hp.com/services/messaging/mg_ldap_fact.html.
SimpleSync is a reasonably priced generic LDAP synchronization
product that is fairly easy to set up and operate. You can take a look at a
recommended procedure for syncing Exchange and Active Directory
objects on CPS Systems website at www.cps-systems.com.