How to setup Mailflow between a forest in a Lab

Infrastructure : This technical document provides you the basic necessary steps to have mailflow from one forest to another forest. This is just a lab environment for testing purpose and learning the new technologies because in real-time environment the setup will not be as easy as stated here.

                                                        Why I require this sort of setup?
 I was going through many articles for understanding what is exchange and what are the protocols and how to setup. It looks beautiful if I see this thing in theory only but when it comes to practical, sometime I need to break my head how to setup. Many time I came across the situation where customer call up and they need assistance for inter-org (One of the best example) , really my friends I have to break my head inorder to  reproduce the same setup in the vmware. And finally I have to satisfy myself with 70% of output like keeping the two exchange in the same forest. Other example will be RPC over https etc.

                                                                   Who can Read this?
 I am sure most of our colleague might be knowing this already. Especially Mailflow Troubleshooter guys no doubt about it. I am just putting this article in our blog so that level 1 administrator can also know about this and take the best out of this article for their different lab scenario. In this article the steps which I am going to show you is the output which I tested out.

                                                                 Best suitable scenario
 We can have this lab setup for inter-org purpose, rpc over https or outlook anywhere, Exchange 2007 disclaimer setup for external users, understand mail architecture internal as well as external (routing group concept).

                                                                        Prerequisites
1) 3 windows 2003 Servers out of which one is optional
2) Vmware
3) Exchange Applications.
Note : 3 windows 2003 servers – I have two servers for two different forest and one server I kept in DMZ network which is having two nic cards latterly I can use that dmz server for Edge server configuration or ISA server. Moreover I don’t want to put many load on only two servers.
Already I have installed windows, Exchange and network configuration.

Steps:
1) Creating Network connectivity between two forest
2) Disabling Chimney and Enabling IP Router option
3) Giving authentication for both the domain on each exchange server in the Default virtual server
4) Creating SMTP Connector on both the end
5) Creating a mailbox
6) Testing the Mailflow


Lets start of :
Domain which I have created is a) contoso.com & b) Microsoft.com


a) Contoso.com
Lets take a look on the Contoso Domain:
Computer Name : Conty.contoso.com
OS :  windows 2003 with sp2
Exchange  : Exchange 2003 with sp2
Network card  : one network card
DNS  : Active Directory Integrated Zone
Windows IP Configuration
      Host Name . . . . . . . . . . . . : conty
      Primary Dns Suffix  . . . . . . . : contoso.com
      IP Routing Enabled. . . . . . . . : Yes
      DNS Suffix Search List. . . . . . : contoso.com
Ethernet adapter Local Area Connection:
      Connection-specific DNS Suffix  . :
      IP Address. . . . . . . . . . . . : 192.168.0.1
      Subnet Mask . . . . . . . . . . . : 255.255.255.0
      Default Gateway . . . . . . . . . : 192.168.0.2
      DNS Servers . . . . . . . . . . . : 192.168.0.1

Microsoft.com
 Now lets come to Microsoft.com Domain;
Windows IP Configuration
   Host Name . . . . . . . . . . . . : MS-DC
   Primary Dns Suffix  . . . . . . . : Microsoft.com
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : Microsoft.com
Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 10.10.10.1
   Subnet Mask . . . . . . . . . . . : 255.0.0.0
   Default Gateway . . . . . . . . . : 10.10.10.2
   DNS Servers . . . . . . . . . . . : 10.10.10.1
                                              192.168.0.1

Now if you see the above configuration what we have is
Contoso.com Ip address range is 192.168.0.x and default gateway is 192.168.0.2
Microsoft.com ip address range is 10.10.10.x and default gateway is 10.10.10.2

Edge Server
Brought a new Server called as Edge in the DMZ network of Microsoft.com
 Host name : Edge (workgroup)
 Configured two NIC  and named it as Contoso and Microsoft (figure 1)

                                                Assigned a static ip address for contoso and Microsoft

Contoso Nic IP (edge Server N/w Card) (Figure 2)

Microsoft Nic (Edge server 2nd Nic Card) Figure 3
 

                                            Windows ip configuration of DMZ server
Windows IP Configuration
Host Name . . . . . . . . . . . . : Edge   
Primary Dns Suffix  . . . . . . . : microsoft.com   
Node Type . . . . . . . . . . . . : Unknown   
IP Routing Enabled. . . . . . . . : Yes   
DNS Suffix Search List. . . . . . : microsoft.com
Ethernet adapter Microsoft:   
Connection-specific DNS Suffix  . :    
IP Address. . . . . . . . . . . . : 10.10.10.2   
Subnet Mask . . . . . . . . . . . : 255.0.0.0   
Default Gateway . . . . . . . . . : 192.168.0.1   
DNS Servers . . . . . . . . . . . : 10.10.10.1
 
Ethernet adapter Contoso:
Connection-specific DNS Suffix  . :    
IP Address. . . . . . . . . . . . : 192.168.0.2   
Subnet Mask . . . . . . . . . . . : 255.255.255.0   
Default Gateway . . . . . . . . . : 10.10.10.2   
DNS Servers . . . . . . . . . . . : 192.168.0.1


                                            Edge is in the DMZ network of Microsoft.com (figure 4)
 

                                        Disabling  the Chimney from all 3 servers & Enabing IP Router

Now edge server can ping Microsoft.com and contoso.com server. But the server who are residing in both the domain they are not able to ping to each other except the edge server.
Added the host entry.
Then I have enabled IPEnable Router and disabled EnableTCPChimney and even Enable RSS is disabled.
                You can find this key on HKLM\System\CCS\Services\Tcpip\Parameters (figure 5)
 
 

Enable IP router and disable TCPChimney & RSS for conty.contoso.com and ms-dc.microsoft.com and then take a reboot of all the servers.

 For more information on TCPChimney & RSS please refer this link :
                        Windows 2003 SP2 Might effect Exchange Server
http://exchangeserverinfo.com/2007/09/12/windows-2003-sp2-might-effect-exchange-server.aspx

After this you can see that the ping reply status which will show you the communication happening between the server.
                                              Configuring Exchange Server for Mailflow between the forest
 
Here I am going to show you the step which i took on Contoso.com Exchange server and for Microsoft.com Exchange server you need to follow the same steps what we are implementing on Contoso.com


Now lets go to Contoso.com Exchange Server
1) First you need to (Just to have easy administration purpose)
Open ESM => Exchange Organization => Properties and select Display Routing Group (figure 6)

 
2) Expand the Exchange Organization => First Administrative Group => Servers => Conty (server name) => Protocols => SMTP => Default Virtual Server => Properties => Connection (figure 7)

3) Expand the Exchange Organization => First Administrative Group => Servers => Conty (server name) => Protocols => SMTP => Default Virtual Server => Properties => Relay (figure 8)

 
4) Create a smtp connector
                                Routing Group => create a new smtp connector
                                Name it as : Cont-MS
                                Local Bridgehead Server : Contoso Local Exchange Server
                                Forward to : give the ip address of Microsoft Domain 10.10.10.1 (Figure 9)

 
Note : In Conotos Domain I have given the ip address of Microsoft.com domain (10.10.10.1) as a forwarder
Go to Address Space Tab of the new stmp connector (cont-MS):
             Fill this following :
                                         *.microsoft.com
                                         *.contoso.com (as shown in the Figure 10)

 
Follow the same step for Microsoft.com also but in the forward option in smtp connector you need to give the ip address of contoso.com domain i.e 192.168.0.1


                                        Checking the network connectivity between Contoso and Microsoft
Once you are done
Make sure you enable ip router, disable chimney and Disable RSS on all three servers.
Make sure all the servers are able to ping each other
Make sure you are able to telnet.

                                         Create a mailbox in the exchange server
Created two users for two organization each
contoso@contoso.com
microsoft@microsoft.com
Send one test mail from one to other domain and vice versa (Figure 11)

 


Now I am able to send to and from two different forest and now I can test different lab scenario. I guess it is worthful for you all and thank you for viewing this article.