date: Wed, 5 Mar 2008 14:49:02 -0800,    group: microsoft.public.exchange.design


Questions regarding Exchange and multiple forests   
Hi Guys,

I posted a thread in the AD user group looking for help and have been 
directed to the Exchange group now.

We are going to be opening a new office in another country which will be 
run by its own IT staff etc. They would like to keep it separate but not all 
at the same time. I have been asked to design a setup so they can use our 
existing Exchange server but the domains would be completely separate while 
still reserving the ability to migrate the Exchange mailboxes to their 
Exchange server if they do end up implementing one down the road.

They should not have any access to our domain except for the Exchange server 
and we should not have any access to theirs unless logged on as enterprise 
admin of course.

We do not want them to have to use POP or IMAP and would like them to have 
the full Exchange experience.

Ideally they should be able to create their own mailboxes on our Exchange 
server when they create new users in their domain.

I have been advised the ideal solution would be to create 2 forests and a 
trust. From there, there is no info on the Exchange side of things...

So... Is it possible to do all of this?

Thanks!
date: Wed, 5 Mar 2008 14:49:02 -0800   author:   William

Re: Questions regarding Exchange and multiple forests   
Yes, Exchange can do all of this. You can't give them the full
Exchange experience with IMAP or POP though, you'll need RPC over
HTTPS (Outlook Anywhere) to achieve that.

As for who's going to manage it though I would suggest that you're
going to have to do all the Exchange stuff.
I don't see a need for a separate forest either beyond your apparent
mandating of one. Sure, you can give them their own forest and use
your own Exchange server using the "Associated External Account"
(google it) concept but you need to be sure before you take that path.
date: Wed, 05 Mar 2008 18:04:45 -0500   author:   Mark Arnold [MVP]

Re: Questions regarding Exchange and multiple forests   
Well, I don't necessarily have to go with separate forests but I was advised 
this would be the best way of accomplishing this from the AD group. I would much 
rather set them up as a child domain or a separate domain all together.

So is it possible for them to manage their own user accounts from their 
domain without affecting the rest of our domain?

I had suggested the RPC over HTTPS option to the seniors here but they seem 
to want to stick to TCP for Exchange communications...

So, if it is possible to have them manage their own exchange accounts while 
keeping the domains separate, how is this done? We want to make sure we have 
the ability to migrate the mailboxes off our server if/when they decide to 
roll out one of their own.


Thanks!

date: Wed, 5 Mar 2008 15:13:02 -0800   author:   William

Re: Questions regarding Exchange and multiple forests   
On Wed, 5 Mar 2008 15:13:02 -0800, William
 wrote:

>Well, I don't necessarily have to go with separate forests but I was advised 
>this would be the best way of accomplishing this from the AD group. I would much 
>rather set them up as a child domain or a separate domain all together.

Well, a child domain is possible although from what you've written
so far it would be nearly pointless (which is why you should take
advice from your AD group as they are closer to you - unless you are
just talking about the AD forum in these newsgroups in which case I
disagree with them.) A separate domain IS a separate forest so you
should probably do a little reading up on things.

>
>So is it possible for them to manage their own user accounts from their 
>domain without affecting the rest of our domain?

You can give them their own domain or an OU in the main domain and do
delegation. The latter is probably better for you to control.

>
>I had suggested the RPC over HTTPS option to the seniors here but they seem 
>to want to stick to TCP for Exchange communications...

Huh? If you are giving them POP/IMAP connectivity how the heck do you
propose to give them a rich experience? Either you or your management
need to read up on the protocols and features available.

>
>So, if it is possible to have them manage their own exchange accounts while 
>keeping the domains separate, how is this done? We want to make sure we have 
>the ability to migrate the mailboxes off our server if/when they decide to 
>roll out one of their own.
>
Your requirements and your knowledge fall a long way short of us being
able to give you a good answer that would be effective. If I were you
I'd engage a consultant to sit with you for a day, brain dump and then
give you the best option to take forward.

>
>Thanks!
>
date: Thu, 06 Mar 2008 09:15:48 -0500   author:   Mark Arnold [MVP]

Re: Questions regarding Exchange and multiple forests   
I think maybe I am not coming across incorrectly... Let me clarify...

I was actively seeking advice on the appropriate solution from the AD forum 
from which I was advised we should set up separate forests and give the users 
POP/IMAP access. 

I do NOT want the users to use POP OR IMAP but DO want them to have the full 
rich experience of using Exchange server.

We are trying to find out if it is possible to keep the two sites separate 
(by means of separate domains?) but still give them the ability to create 
users and delete users on their end which would also create and delete the 
mailboxes on the Exchange server on our end (minimal management for us).

They want the remote site to be as separate as possible so they feel they 
are their own entity, but also want us to be connected enough that if 
something falls through we can take over.

I am merely looking for some direction as to which path is most logical and 
what is/is not possible. From there I can begin doing the necessary research. 
I basically need to advise the upper management whether what they want is 
possible or not, and then figure out how to implement what is possible.

Hope that makes sense.

Thanks much for your input thus far!


date: Thu, 6 Mar 2008 08:04:00 -0800   author:   William

Re: Questions regarding Exchange and multiple forests   
Sorry, first sentence should have read:

"I think maybe I am not coming across correctly..."

Thanks



date: Thu, 6 Mar 2008 08:43:02 -0800   author:   William

Re: Questions regarding Exchange and multiple forests   
On Thu, 6 Mar 2008 08:04:00 -0800, William
 wrote:

>I think maybe I am not coming across incorrectly... Let me clarify...
>
>I was actively seeking advice on the appropriate solution from the AD forum 
>from which I was advised we should set up separate forests and give the users 
>POP/IMAP access. 
>
You were advised badly, very badly.

>I do NOT want the users to use POP OR IMAP but DO want them to have the full 
>rich experience of using exchange server.

Good. Then tell "them" that the answer is RPC over HTTPS.
>
>We are trying to find out if it is possible to keep the two sites separate 
>(by means of separate domains?) but still give them the ability to create 
>users and delete users on their end which would also create and delete the 
>mailboxes on the Exchange server on our end (minimal management for us).

You can do this any way you want. Separate forest lets them have total
isolated control over their accounts. You have to have another account
for the user that you control. At all times you control the mailbox.

You can have a child domain that they look after. They can have some
control over the mailboxes and they can always elevate themselves to
control your domain.

You can have an OU for them in your domain.

>
>They want the remote site to be as separate as possible so they feel they 
>are their own entity, but also want us to be connected enough that if 
>something falls through we can take over.

"They want". Well, give them what they want. If they want a crap
solution (and it sounds like they do) then persuade them otherwise.
>
>I am merely looking for some direction as to which path is most logical and 
>what is/is not possible. From there I can begin doing the necessary research. 
>I basically need to advise the upper management whether what they want is 
>possible or not, and then figure out how to implement what is possible.
>

As a final answer for you and them I would suggest you go and tell
them to go away. If they "may" go off on their own later on I would
suggest a different forest and they use their own Exchange. Use:
http://support.microsoft.com/kb/321721 to take ownership of the email
and then forward the mail to them. Then if they want to go off they
can do so and you need to do nothing whatsoever. They have total
control of their email and AD but share your SMTP space.

Best compromise, best of both worlds.

IF, and it's clearly only an IF, they are not eventually going to go
off on their own you need to tell them to shut the fisk up and get
accounts and mailboxes created on your own domain, link the sites via
VPN and use Outlook or no VPN and use Outlook RPC over HTTPS.

>Hope that makes sense.
>
>Thanks much for your input thus far!
>
>
date: Thu, 06 Mar 2008 12:11:58 -0500   author:   Mark Arnold [MVP]
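
The separate-forest option from the reply above (their accounts in their own forest, a second account and the mailbox in yours), sketched as an added example that is not part of the thread. It assumes Exchange 2007 or later, where this pairing is called a linked mailbox, and an existing trust between the forests; the domain names, OU, database, domain controller, service account and CSV file are hypothetical placeholders.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell
# of the forest that hosts Exchange (the "resource" forest).
# Every name below is a hypothetical placeholder.
$AccountDomain = 'REMOTE'                    # NetBIOS name of the remote office's domain
$AccountDC     = 'dc1.remote.example'        # a domain controller in their forest
$TargetOU      = 'corp.example/Linked Mailboxes/Remote Office'
$Database      = 'MBX01\First Storage Group\Mailbox Database'
$UpnSuffix     = 'corp.example'

# Low-privilege credential in their forest, used only to look up the
# master account. It needs no rights in the resource forest.
$LinkedCred = Get-Credential "$AccountDomain\svc-mbxlink"

# users.csv is a constructed sample with the columns SamAccountName,DisplayName:
#   jdoe,Jane Doe
#   asmith,Alan Smith
$users = Import-Csv -Path '.\users.csv'

foreach ($u in $users) {
    $master = "$AccountDomain\$($u.SamAccountName)"

    # Skip users that already have a mailbox so the script can be re-run.
    if (Get-Mailbox -Identity $u.SamAccountName -ErrorAction SilentlyContinue) {
        Write-Warning "Mailbox for $master already exists, skipping"
        continue
    }

    # Creates a DISABLED user object in the resource forest (the "other
    # account that you control") and ties the mailbox to the logon account
    # in their forest. The mailbox itself never leaves the resource forest.
    New-Mailbox -Name $u.DisplayName `
        -Alias $u.SamAccountName `
        -UserPrincipalName "$($u.SamAccountName)@$UpnSuffix" `
        -OrganizationalUnit $TargetOU `
        -Database $Database `
        -LinkedMasterAccount $master `
        -LinkedDomainController $AccountDC `
        -LinkedCredential $LinkedCred
}

# Audit: list every mailbox whose logon account lives outside this forest.
Get-Mailbox -RecipientTypeDetails LinkedMailbox -ResultSize Unlimited |
    Select-Object Name, LinkedMasterAccount, Database
```

The remote office's administrators never receive rights in the hosting forest here; mailbox creation remains an action performed by the hosting side, which matches the reply's point that "at all times you control the mailbox".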

Re: Questions regarding Exchange and multiple forests   
Thanks very much for the input Mark... You have enforced everything I thought 
and was trying to propose. You have been very helpful.

Have a great day!


date: Thu, 6 Mar 2008 09:18:01 -0800   author:   William

Re: Questions regarding Exchange and multiple forests   
Take a look at 
http://technet.microsoft.com/en-us/library/aa995896(EXCHG.80).aspx


date: Fri, 7 Mar 2008 12:04:22 -0800   author:   John Fullbright fjohn@donotspamnetappdotcom
