Skip to content

Deploy Exchange in Resource Account forest topology

May 6, 2010

Deploy Exchange in Resource/Account forest topology

 Why companies are separating forests?    

Companies separate forest due to multiple business requirements like data and service isolation and in situation of mergers and acquisition process. There may also be certain requirements to keep different schema for both forests.    

 What is resource forest?    

In Resource forest environment, there is a forest where Microsoft Exchange 2003 server is installed and one more forest where only accounts will be kept. Users in account forest will be associated with mailboxes in resource forest.    

We need extra hardware and infrastructure to deploy a forest that hosts all the mailboxes. We face problems related to GAL in cross forest topology but this problem is not there with exchange 2003 resource forest as all the users with mailboxes are in same resource forest.    


Figure1: Scenario

In Resource forest I have installed only Exchange Server 2003.  We need to setup an environment to share messaging infrastructure of with with all possible settings.  ð     Users in   




 ð     Users in   



Step 1: We have to configure the correct name resolution between forests before we setup Trust between two forests. Make sure Network connectivity is already in place between forests.   Setup Resource forest for name resolution:  On DNS server of Resource forest ( in forwarders tab put DNS domain and IP address of DNS server in account forest (   

Figure 2 Resource forest DNS forwarding

 Setup Account forest for name resolution: On DNS server of account forest ( in forwarders tab put DNS domain and IP address of DNS server in resource forest (   

Figure 3 Account Forest dns setup

 Step 2: Setting up trust between forests    

 Requirement of setting up a trust is to have an administrative account in both forests. Both the forests should be running Windows 2003 functional level to build forest trust. You can raise the forest functional level from Active Directory Domain and trust node. Plan before raising forest functional level   

Figure 4 Forest functional level change

Perform these steps in Resource forest to setup trust  Open Active Directory Domains and Trusts.  

  1. Right-click on Resource Forest domain ( and select Properties.
  2.  Click on New Trust Button. Add name of account forest in Name field. 

Figure 5 Enter the name of account forest

4.  Select trust type Forest Trust * it will not be visible if forest functional level is not windows 2003.   

Figure 6 Select trust type as Forest Trust

5.  Select Direction of trust as One-way: Outgoing.   

6.  Select sides of trust: Both this domain and specified domain.   

7. Enter user name and password of administrative account in Account forest.   

 8. Select authentication level as Forest-wide.   

Figure 7 Select authentication level as Forest wide

9. Click next on “Trust selection complete”.   

10. Trust creation complete will be will showing the details of trust.   

Figure 8 Details of trust completion

11. Complete New trust Wizard Status  shown.   

Figure 9. completing New trust Wizard

Step 3: Create a Disable user account in Resource forest    

  1. open Active directory users and computers snap in
  2. Select the OU where you want to create new resource account,
  3. Select Account is Disabled check box when creating new user in resource forest


Figure 10 Accout is disabled

  4. Create mailbox of this user and open mailbox rights in Exchange Advanced tab of this disabled user properties. Add linked accout forest user and assign Full mailbox and associated external permissions.   

Figure 11 Mailbox permissions on resource forest mailbox

*don’t use associated external account permission with enabled account because it is not supported and create problems   

5. Now configure outlook profile of user in account forest and check if mailflow is working…   

Figure 12 outlook configured in account forest

Step 4: Setup automatic provisioning of accounts Provisioning process is required so that Active Directory updates are reflected in Exchange. For example, creating a new Active Directory user in Account forest generates a mailbox-enabled object with permissions that is disabled in resource forest. You can use third party scripts or confirm MIIS 2003 for this purpose.   

Click on link below to download this post in word file Resource account forest setup with Exchange Server 2003

  1. Manish permalink

    If Event id 9548 is logged and disabled user is not able to recieve mail and login then obtain “NoMAS” tool and run

  2. Major thankies for that post.Really looking forward to read more. Keep writing.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: