Quest® ActiveRoles™ Exchange Resource Forest Manager

Version 1.1.2

Release Notes

September 10, 2008

Welcome to ActiveRoles Exchange Resource Forest Manager

New in This Release

Resolved Issues and Enhancements

Welcome to ActiveRoles Exchange Resource Forest Manager

Many medium- and large-size companies find themselves in an environment that requires a multi-forest Active Directory deployment for security, business policy, or legal reasons, or because of autonomous business units.

Deployment of multiple forests introduces the need for inter-forest collaboration solutions, among which the most important is the Microsoft Exchange Server based messaging system. With multiple forests, one of the options for integrating Exchange with Active Directory is the resource forest model.

The resource forest model, also referred to as dedicated Exchange forest, implies a single Exchange organization that serves multiple forests. The Exchange forest (also known as the resource forest) is dedicated to running Exchange and hosting mailboxes. User accounts are contained in one or more forests, referred to as the account forests, which are separate from the resource forest.

The ability to have user accounts and user mailboxes in separate forests requires that shadow (or proxy) versions of user accounts be created and maintained in the Exchange forest by a directory synchronization process. For example, provisioning a user account in an account forest involves creation of a shadow, mailbox-enabled user account in the Exchange forest. The account properties need to be synchronized between the account forest and the Exchange forest.

To automate the provisioning and synchronization processes involved with the resource forest model, you can use ActiveRoles Exchange Resource Forest Manager, an add-on module for ActiveRoles Server that includes the following capabilities:

AutoProvision Provision of mailboxes in the Exchange forest upon creation of user accounts in account forests (Provision of mailboxes for existing accounts is also supported.)
Synchronization Updating directory data in the Exchange forest upon changes to user accounts in account forests
Deprovision De-provision of mailboxes in the Exchange forest upon deprovision of user accounts in account forests

For more information about this solution, refer to the ActiveRoles Exchange Resource Forest Manager Administrator Guide, which is part of the ActiveRoles Server documentation set.

New in This Release

The 1.1.2 release of ActiveRoles Exchange Resource Forest Manager extends and enhances the capabilities of the product, which now include:

Distribution List Manager AutoProvision Facilitates delegation of the membership management tasks for distribution lists in Exchange organizations that use the Exchange resource forest manager topology. For details, see the respective section in the ActiveRoles Exchange Resource Forest Manager Administrator Guide.
Support for Microsoft Exchange Server 2007 All features and functions of the product are now available in the environments that have Microsoft Exchange Server 2007 deployed in the Exchange resource forest.

New Features in the 1.1.1 Release

As compared to version 1.0, the 1.1.1 release adds a new option to link existing user accounts in the resource forest to master accounts in the account forest.

By default, the AutoProvision process creates a shadow account with the same name (CN) as the name (CN) of the master account. In case of an account name conflict (a user account with the same name already exists), a shadow account is created with a different name. This behavior can now be changed by using a certain policy parameter, to have the solution link the master account with the account that already exists in the resource forest instead of creating a new account with a name that differs from the name of the master account. For details, see the description of the "Associate with existing" policy parameter in the "Parameters of the ERFM - Account AutoProvision Policy Object" section in the ActiveRoles Exchange Resource Forest Manager Administrator Guide.

Resolved Issues and Enhancements

This section provides a list of issues that were resolved in ActiveRoles Exchange Resource Forest Manager version 1.1.2 (as compared to version 1.1.1). Each item in the list includes an ID number, which identifies the item, and a brief description of the issue.

TF00018594
Fixed: If Microsoft Exchange Server 2007 is deployed in the resource forest, then Exchange Resource Forest Manager may cause an error in ActiveRoles Server upon an attempt to create a user account in the account forest with the option not to create a mailbox for that account.

TF00018598
Fixed: If Microsoft Exchange Server 2007 is deployed in the resource forest and the ActiveRoles Server Administration Server is configured to perform Exchange recipient management tasks with the use of Exchange Server PowerShell cmdlets (default configuration option), then Exchange Resource Forest Manager may cease to work.

TF00040342
Fixed: With Exchange Resource Forest Manager deployed, the ActiveRoles Server Web Interface may fail to display the drop-down list of commands on the pages for managing user accounts.

TF00045983
Fixed: A script error may occur in Exchange Resource Forest Manager upon an attempt to retrieve properties of a master account if the back-link attribute on the master account (adminDescription, by default) contains an incorrect GUID value.

TF00046112
Fixed: The "Debug value" policy parameter is case-sensitive, so only the "True" or "False" setting has effect on this parameter.

TF00048853
Fixed: Exchange Resource Forest Manager may cause a script policy error in ActiveRoles Server when performing the Delete Mailbox task on a master account if the name of the account contains non-alphanumeric characters.

TF00049636
Fixed: Exchange Resource Forest Manager may not populate the back-link attribute on a master account (adminDescription, by default) although it was able to find the existing shadow account for that master account.

Known Issues

This section provides a list of the currently known issues that customers may experience with ActiveRoles Exchange Resource Forest Manager. For each issue, the list includes a brief description of the problem, and a workaround, if any exists, for the problem.

TF00018603
When searching a container in an account forest for user accounts by using search criteria that include Exchange-related properties, you may encounter the following problem: The search returns no results although the container does hold some user accounts that meet your search criteria. This problem is due to the fact that the search function does not take into account the policy-based process of substituting Exchange-related properties of the shadow accounts in the resource forest for those properties of the master accounts in the account forests.

When configuring Delivery Restrictions or Delivery Options for a user account in an account forest, you may encounter an empty list of objects in the "Select Objects" dialog box. This problem is due to the fact that the search function used to populate the list does not take into account the policy-based process of substituting Exchange-related properties of the shadow accounts in the resource forest for those properties of the master accounts in the account forests.

WORKAROUND
If you need to search by Exchange-related properties, choose the scope of your search in the resource forest rather than in account forests.

If you need to select objects when configuring Delivery Restrictions or Delivery Options, perform configuration on the shadow account that is associated with the master account you want to modify.

TF00018621
With the "Synchronized Attributes List" policy parameter modified so that the list of synchronized properties includes the "manager" attribute, the solution fails to update the "manager" attribute in the shadow account upon modification of that attribute in the respective master account, reporting a policy violation error event in the EDM Server event log.

WORKAROUND
To prevent this error, avoid adding the "manager" attribute to the list of synchronized properties. The "manager" attribute holds the distinguished name (DN) of the manager's user account. As such, the "manager" attribute value is forest-specific and cannot be written to a user account in a different forest. This limitation is due to the nature of the Active Directory directory services.

System Requirements

This solution runs on top of ActiveRoles Server, and requires the following to be deployed in your Active Directory environment prior to installing the solution:

ActiveRoles Server 6.1.0 or later, including the Administration Service and ActiveRoles Server console.
Microsoft Exchange 2000 or later in the resource forest, with one or more Exchange Servers installed.
Outgoing trusts from the resource forest to the account forests, so that users in domains of an account forest can authenticate in the resource forest.

For more information about the system requirements, see the "Deploying the Solution" section in the ActiveRoles Exchange Resource Forest Manager Administrator Guide.

Note that in addition to the main requirements for ActiveRoles Server, which can be found in the Release Notes document for ActiveRoles Server, the following requirements must be met in order for this solution to install and work:

Domains of both the resource forest and account forests must be registered with ActiveRoles Server as managed domains.
Installation must be performed on a computer running the ActiveRoles Server Administration Service. The Setup program requires that the Administration Service be up and running to make all the necessary changes to the configuration of ActiveRoles Server.

For more information about the system requirements, see the "Deploying the Solution" section in the ActiveRoles Exchange Resource Forest Manager Administrator Guide.

Global Operations

This section contains information about installing and operating this product in non-English configurations, such as those needed by customers outside of North America. This section does not replace the materials about supported platforms and configurations found elsewhere in the product documentation.

This release is Unicode-enabled and supports any character set. In this release, all product components should be configured to use the same or compatible character encodings and should be installed to use the same locale and regional options. This release is targeted to support operations in the following regions: North America, Western Europe and Latin America, Central and Eastern Europe, Far-East Asia, Japan.

This release has the following known capabilities or limitations: Globalization status is the same as for ActiveRoles Server 6.1.0 except that ActiveRoles Exchange Resource Forest Manager documentation is not localized.

Getting Started

Contents of the Release Package

The ActiveRoles Exchange Resource Forest Manager release package is included on the ActiveRoles Server distribution CD, and contains the following product items:

ActiveRoles Exchange Resource Forest Manager 1.1.2
Documentation

Installation Instructions

Follow these steps to install and start working with ActiveRoles Exchange Resource Forest Manager:

Ensure that your Active Directory environment meets the system requirements.
On the computer running the ActiveRoles Server Administration Service, run the Setup program, and follow the instructions in the Installation Wizard.

You can run the Setup program from the Solutions page in the ActiveRoles Server CD Autorun window by clicking ActiveRoles Exchange Resource Forest Manager.

Wait while the Setup program makes all the necessary changes to the ActiveRoles Server configuration.
Set up and apply the solution-specific configuration objects, to adjust the solution to your environment.

For information on how to deploy, configure, and use the solution, refer to the ActiveRoles Exchange Resource Forest Manager Administrator Guide.

For More Information

Get the latest product information, find helpful resources, and join a discussion with the ActiveRoles Quest team and other community members. Join the ActiveRoles Community at http://activeroles.inside.quest.com.

Contacting Quest Software:

Email	info@quest.com
Mail	Quest Software, Inc. World Headquarters 5 Polaris Way Aliso Viejo, CA 92656 USA
Web	http://www.quest.com

Refer to our Web site for regional and international office information.

Contacting Quest Support:

Quest Support is available to customers who have a trial version of a Quest product or who have purchased a commercial version and have a valid maintenance contract.
Quest Support provides around the clock coverage with SupportLink, our web self-service. Visit SupportLink at http://support.quest.com.

From SupportLink, you can do the following:

Quickly find thousands of solutions (Knowledgebase articles/documents).
Download patches and upgrades.
Seek help from a Support engineer.
Log and update your case, and check its status.

View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures.
The guide is available at: http://support.quest.com/pdfs/Global Support Guide.pdf.

This document contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of Quest Software, Inc.

Quest, Quest Software, the Quest Software logo, Aelita, AppAssure, Benchmark Factory, Big Brother, DataFactory, DeployDirector, ERDisk, Fastlane, Final, Foglight, Funnel Web, I/Watch, Imceda, InLook, IntelliProfile, Internet Weather Report, InTrust, IT Dad, JClass, Jint, JProbe, Knowledge Xpert, LeccoTech, LiteSpeed, LiveReorg, Matrix Insight, Matrix.Net, MIQ, NBSpool, NetBase, Npulse, PerformaSure, PL/Vision, Quest Central, RAPS, SharePlex, Sitraka, SmartAlarm, Speed Change Manager, Speed Coefficient, Spotlight, SQL Firewall, SQL Impact, SQL LiteSpeed, SQL Navigator, SQLab, SQLGuardian, SQLProtector, SQL Watch, Stat, Stat!, StealthCollect, Tag and Follow, Toad, T.O.A.D., Vintela, Virtual DBA, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. Other trademarks and registered trademarks used in this guide are property of their respective owners.

If you have any questions regarding your potential use of this material, contact:

Quest Software World Headquarters
LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656
Email: legal@quest.com

Disclaimer

The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.