> From an Exchange perspective, that's broken. Exchange can be installed in any
> domain in a forest and service all of the domains in the forest. Exchange
> server administration happens at the forest level (in the configuration naming
> context), but Exchange user administration happens at the domain level.

And I will tell you, although I can't go into specifics, that there are changes in upcoming CUs for 2013 and 2016 that, from your perspective, will move away from your desired behavior even more. You may also already find that 2013 and 2016 fail because they attempt to find at least one DC out of the primary Exchange site.

You can easily query any global catalog for the appropriate domain of a user and get an appropriate DC for the domain from the forest RootDSE (which I suspect you already know). This is recommended.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Joseph L. Casale
Sent: Friday, December 11, 2015 6:06 PM
To: '[email protected]'
Subject: [Exchange] RE: Exchange mailbox creation in forest

The issue results from the existing framework, and when configuring that framework to manage Active Directory objects in a forest, it is designed to be pointed at the forest root. At that point, it always connects to a server in the root and uses the ADSI APIs to create a user in whichever child domain is needed.

This process can be configured to return the domain controller used here (not the referral, but the root DC in whatever site was enumerated). That DC can then be passed to the Enable-Mailbox cmdlet but in this case it doesn't help. While we get the site we just created through, it's not the child domain and the lack of referral chasing makes that facility here irrelevant.

We are working to modify the framework so that while it may target a root domain to enable the desired behavior, it enumerates the child domain requested for the create, then creates in that site and returns that DC which is more correct or useful really.

The way this framework is designed, we more than likely only have a single Exchange server we connect to, or if connecting to an org (better but less common in practice), we don't get to pick which mb server as it's automatically discovered.

Another enhancement might be to also infer the Exchange server to connect to given the domain used for initial account creation.

Thanks,
jlc

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Michael B. Smith
Sent: Friday, December 11, 2015 3:52 PM
To: [email protected]
Subject: [Exchange] RE: Exchange mailbox creation in forest

Perhaps I'm completely misunderstanding. The lack of tracking referrals? How can you create a user in a domain without a writable DC for that domain?

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Joseph L. Casale
Sent: Friday, December 11, 2015 2:27 PM
To: '[email protected]'
Subject: [Exchange] RE: Exchange mailbox creation in forest

Well, I guess if there isn't a workaround we will modify the automation tools. The limitation seems a bit shocking.

Thanks,
jlc

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Michael B. Smith
Sent: Friday, December 11, 2015 12:05 PM
To: [email protected]
Subject: [Exchange] RE: Exchange mailbox creation in forest

It sounds to me like you already know the answer. :-) Or is there a question in there that I missed?

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Joseph L. Casale
Sent: Friday, December 11, 2015 12:58 PM
To: [email protected]
Subject: [Exchange] Exchange mailbox creation in forest

I am working with some automation in an Active Directory env with an empty root and a few child domains. The automation is selecting a random DC which happens to consistently be the forest level DC for account creation in child domains.

I can get this value and want to use it as the DomainController parameter for Enable-Mailbox to ensure a successful creation in Exchange shortly after. Whether I provide the downlevel or distinguished name format, it doesn't help. It seems none of the Exchange tools interpret referrals.

The DomainController param apparently must be in the domain of the user? Anyone have any insight on this type of scenario?

Thanks!
jlc
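
The lookup recommended in the top reply (resolve the user's domain through a global catalog, then hand Enable-Mailbox a writable DC from that same domain), as an added PowerShell example that is not from any poster in this thread. It assumes the ActiveDirectory module and an Exchange Management Shell session; the function name `Get-UserDomainController` and the account `jdoe` are hypothetical.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module is
# available and the session has the Exchange cmdlets loaded.
Import-Module ActiveDirectory

function Get-UserDomainController {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[\w.\-]+$')]   # keep quotes and wildcards out of the AD filter string
        [string]$SamAccountName
    )

    # 1. Locate any global catalog; it holds a partial replica of every domain in the forest.
    $gc       = Get-ADDomainController -Discover -Service GlobalCatalog
    $gcServer = '{0}:3268' -f [string]$gc.HostName

    # 2. Forest-wide search. An empty SearchBase is only valid against the GC port.
    $users = @(Get-ADUser -Server $gcServer -SearchBase '' `
                          -Filter "SamAccountName -eq '$SamAccountName'")
    if ($users.Count -ne 1) {
        # sAMAccountName is unique per domain, not per forest, so refuse to guess.
        throw "Expected exactly one match for '$SamAccountName', found $($users.Count)."
    }

    # 3. Derive the DNS domain name from the DC= components of the DN.
    #    Split on unescaped commas only, so 'CN=Doe\, John' stays in one piece.
    $dn     = $users[0].DistinguishedName
    $domain = ($dn -split '(?<!\\),' |
               Where-Object   { $_ -match '^DC=' } |
               ForEach-Object { $_.Substring(3) }) -join '.'

    # 4. Ask the locator for a writable DC in the user's own domain.
    $dc = Get-ADDomainController -Discover -DomainName $domain -Writable

    [pscustomobject]@{
        DistinguishedName = $dn
        Domain            = $domain
        DomainController  = [string]$dc.HostName
    }
}

# 'jdoe' is a placeholder account created earlier by the automation.
$target = Get-UserDomainController -SamAccountName 'jdoe'
Enable-Mailbox -Identity $target.DistinguishedName -DomainController $target.DomainController
```

If the account was created moments earlier on a different DC, it may not have replicated to the GC or to the DC returned in step 4 yet, so the automation should create the account on a DC in the child domain and reuse that same DC for Enable-Mailbox where possible.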
