
Environment Scenario:
This scenario covers a multi-forest environment with a one-way trust: the canadian.com forest trusts the american.com forest, and the american.com forest does not trust the canadian.com forest. All user accounts and access rights are located in the american.com forest. Only Exchange mailbox accounts are located in the canadian.com forest.
canadian.com forest (resource):
    No authentication allowed in American.com forest
    Exchange Installed – Mailboxes here
    WebDir Installed
american.com forest (managed):
    User Authentication allowed
    Active Directory User and Contacts
    Active Directory Groups
    Group Policies
    File and Print Sharing
    Other local services
    WebDir Service Account
    WebDir Administrators Group
    WebDir Help Desk Group
    Two WebDir User Accounts
How to configure WebDir in a one-way forest trust environment
Imanami WebDir can support a multi-forest environment with a one-way or two-way trust between the forests. This article discusses how to configure WebDir to support a one-way forest trust environment. To manage users and groups in a separate forest, you must be a member of the WebDir Administrators Group or the WebDir Helpdesk Group. The steps below show how to configure WebDir to perform this task.
Microsoft Active Directory Configuration:
1. Set up a one-way trust between the forests (canadian.com->american.com). For more information on creating a trust relationship between forests, please review the Microsoft article at the link below:
Create a forest trust
http://technet2.microsoft.com/windowsserver/en/library/7929b0c4-efe1-409c-99e3-efe9815f426d1033.mspx?mfr=true
2. Create a WebDir Service Account in the managed forest (american.com). Give the service account Administrative privileges in the managed forest (american.com).
3. Create two security groups called “WebDir Admins Group” and “WebDir Helpdesk Group” in the american.com forest. Do not create a mail address for the groups.
4. Create two accounts in the managed forest (american.com). Do not create a mailbox or email address for the accounts in the managed forest (american.com). All mailboxes are created in the resource forest (canadian.com) and associated with the user accounts in the managed forest (american.com). For more information on using a dedicated Exchange forest, please review the article at the link below:
Using a dedicated Exchange Forest
http://technet.microsoft.com/en-us/library/aa997312.aspx
5. Add one account to the membership of the WebDir Admins Group and the second account as a member of the WebDir Helpdesk Group.
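The checks below are an added example, not part of the original article or of Imanami's tooling: a read-only PowerShell script that verifies the result of steps 1, 3, 4 and 5 from the american.com side. It assumes the RSAT ActiveDirectory module is installed, and the account names webdir.admin1 and webdir.helpdesk1 are hypothetical placeholders, since the article does not name the two accounts.

```powershell
# Added example: read-only verification of steps 1, 3, 4 and 5.
# Assumes the RSAT ActiveDirectory module and a session in american.com.
Import-Module ActiveDirectory

$managed  = 'american.com'    # trusted forest: accounts and groups live here
$resource = 'canadian.com'    # trusting forest: Exchange and WebDir live here
# Group names come from step 3; the account names are hypothetical placeholders.
$expected = @{
    'WebDir Admins Group'   = 'webdir.admin1'
    'WebDir Helpdesk Group' = 'webdir.helpdesk1'
}
$findings = @()

# Step 1: seen from the trusted side, a one-way trust must be Inbound only.
$trust = Get-ADTrust -Filter "Name -eq '$resource'" -Server $managed
if (-not $trust) {
    $findings += "No trust object for $resource exists in $managed"
} elseif ("$($trust.Direction)" -ne 'Inbound') {
    $findings += "Trust direction is $($trust.Direction), expected Inbound"
}

foreach ($name in $expected.Keys) {
    $sam = $expected[$name]

    # Step 3: a security group with no mail address.
    $group = Get-ADGroup -Filter "Name -eq '$name'" -Properties mail -Server $managed
    if (-not $group) { $findings += "Group '$name' not found"; continue }
    if ("$($group.GroupCategory)" -ne 'Security') { $findings += "'$name' is not a security group" }
    if ($group.mail) { $findings += "'$name' has a mail address: $($group.mail)" }

    # Step 5: the expected account is a member; any other member is listed for review.
    $members = @(Get-ADGroupMember -Identity $group -Server $managed |
        Select-Object -ExpandProperty SamAccountName)
    if ($members -notcontains $sam) { $findings += "'$sam' is not a member of '$name'" }
    foreach ($m in $members) {
        if ($m -ne $sam) { $findings += "Review additional member of '$name': $m" }
    }

    # Step 4: the account must not carry an e-mail address in the managed forest.
    $user = Get-ADUser -Filter "SamAccountName -eq '$sam'" -Properties mail -Server $managed
    if (-not $user) { $findings += "Account '$sam' not found" }
    elseif ($user.mail) { $findings += "'$sam' has mail set: $($user.mail)" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'Trust direction, groups and accounts match the article.' }
```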
Imanami WebDir Configuration:
1. Download and install the latest build of WebDir (4.0.1250.0) on the webdir.canadian.com server located in the canadian.com forest.
2. When the WebDir console is displayed it will prompt you to create a virtual server. Click on the “Yes” button to close the prompt and display the virtual server wizard. (Figure 1)
Figure 1
3. Leave the default virtual server name (WebDir 4) or type a new name for the virtual server in the textbox displayed in Figure 2.

Figure 2
4. Click the “Next” button on the Welcome page. Select the “Active Directory Only” server type from the dropdown menu. Click on the “Next” button to continue. (Figure 3)

Figure 3
5. Type the name of the managed forest (american.com) and the WebDir admin account credentials as displayed in Figure 4.
Figure 4
6. Leave the default settings on the Internet Server page and click on the “Next” button to continue.
7. Click on the button […] at the end of the Helpdesk Group, then type “WebDir Helpdesk Group” in the textbox. Click on the “Check Names” button to resolve the group. When the group name is displayed in bold font, click on the “OK” button to close the dialog box. (Figure 5)

Figure 5
8. Click on the button […] at the end of the Administrators Group, then type “WebDir Admins Group” in the textbox. Click on the “Check Names” button to resolve the group. When the group name is displayed in bold font, click on the “OK” button to close the dialog box. Click on the “Next” button to continue. (Figure 6)

Figure 6
9. The next six pages are for informational purposes only. Click on the “Next” button six times to display the last page in the wizard. Then click on the “Finish” button to create the virtual server.
10. If you click on the first URL located on the General tab of the WebDir virtual server, it will attempt to log you in with the credentials established on the machine on which WebDir is installed, and it will display the error message shown in Figure 7.

Figure 7
11. To properly test the connection, use a computer that is a member of the managed forest (American.com), then type the first URL (http://forest1/webdir4) displayed under the General tab of the virtual server into a web browser to begin managing users and groups in the american.com forest.
Please note: To include administrators from both forests in the WebDir Administrator and/or WebDir Helpdesk groups, you will need to have a two-way forest trust established. Otherwise, all accounts and groups will need to reside in the managed forest (American.com). When a two-way forest trust is established, users that are members of the administrator and helpdesk groups defined in steps 7 & 8 will be able to modify accounts in each forest.