EV9 Cross-Forest Implementation

OK So this is basically a resource domain that you have now right?

i.e.
Domain A = Users
Domain B = Mailboxes attached to disabled user accounts

DOMAINA\User1 has Mailbox Owner on DOMAINB\Mailbox1 correct?

And in the VAC you are targeting Exch2010-1.domainB.com and are provisioning against DomainB correct?

What are the exact permission errors you are seeing?
You ran the permissions script as an Exchange Admin specifying the EVAdmin, correct?
And the EVAdmin has a mailbox on Exchange 2010 that you are targeting?

Is the EVAdmin in DomainA or DomainB?
and its mailbox is on Exchange 2010 as well correct?

 

"Added an additional two-way, external trust between DomainA and DomainB, although probably redundant and unnecessary due to the forest-level trust."

This can in fact cause permission problems due to name suffix routing (this happened at my last similar engagement where the AD engineers configured the trusts incorrectly). You might want to read the following:

http://blogs.technet.com/b/askds/archive/2009/04/10/name-suffix-routing.aspx

As you have a forest level trust, you need to check the name suffix routing at that level in active directory domains and trusts.

Regards,

Jeff

JW3: Thank you for your time!

OK So this is basically a resource domain that you have now right? Correct

i.e.
Domain A = Users
Domain B = Mailboxes attached to disabled user accounts Yes this is accurate.

DOMAINA\User1 has Mailbox Owner on DOMAINB\Mailbox1 correct? Yes, DomainA\User1 has FullAccess and ExternalAccount permissions.

And in the VAC you are targeting Exch2010-1.domainB.com and are provisioning against DomainB correct? Yes this is correct. In DomainA, the primary EV mailbox archiving server has a new Archiving Task and Provisioning Task for the EX2010 servers in DomainB. (Also created is a new Exchange target, for DomainB.) There is an EVAdmin service account created in DomainB, with permission script successfully ran. This service account is what the archiving and provisioning tasks are attempting to run as.

What are the exact permission errors you are seeing? Errors dealing with "managed folders" or that the credentials for the DomainB service account are invalid, which they are not.
You ran the permissions script as an Exchange Admin specifying the EVAdmin, correct? Yes.
And the EVAdmin has a mailbox on Exchange 2010 that you are targeting? Correct.

Is the EVAdmin in DomainA or DomainB? DomainB.
and its mailbox is on Exchange 2010 as well correct? Correct.

@Jeff, thank you for this insight. I believe this is enough justification to remove the otherwise redundant domain-level trust!

Possibly....probably. Certainly just creating trusts across all domains without regard to how authentication works is not the best of ideas :)

Im assuming that you therefore have a separate vault service account and an account for running the archiving task in the remote domain?

Since you are using a remote account for running the task you are essentially going to have to give this account the same rights as when the vault service account was set up...i.e access to the enterprise vault server as an 'administrator' (so that it can log on as a service/log on locally etc etc) and rights to the EnterpriseVaultDirectory database.

Are the tasks actually starting properly for the exchange 2010 domain, or do they start and go to 'failed' after a short time?

I've also noticed in these kind of environments that when a service account is in the remote domain, impersonation does not work properly when creating MAPI profiles for certain functions, such as manual synch etc - although automatic synch is fine.

Hey Nature.....

Just wanted to follow-up and see if you had this resolved, if Jeff or JW fixed this for you, or if you had a differnt solution. Regardless... can you please note it accordingly or update us as to what happeend so that resources seeking to help can find those in need.

Many thanks!!
 

Regards.