Configure Enterprise Vault Tasks to Archive from an Exchange server located in a different AD forest

Article: 100038235
Last Published: 2015-08-07
Product(s): Enterprise Vault

Description

Validation Scenario

The scenario below is based on a multi-forest Active Directory topology. There are 2 forests configured: Forest A and Forest B.

  1. The Enterprise Vault (EV) server is located in Forest A/Domain A and the Exchange Server in Forest B/Domain B.
  2. Forest A/Domain A is where the Vault Service Account (VSA) resides.
  3. The Provisioning and Archiving Tasks are configured to use the VSA as the logon account.


Validation Steps

  1. Ensure that a 2-way trust relationship has been configured between the 2 forests. To do this, open Active Directory Domains and Trusts in Domain A, go to the properties of Domain A and ensure that both ‘Incoming trusts’ and ‘Outgoing trusts’ have been set to the other forest, Domain B.
    (https://technet.microsoft.com/en-us/library/cc794775(v=ws.10).aspx)
     
  2. Check that the VSA is a member of the Builtin Users group in Forest B. This is to allow the domain enumeration to succeed when the provisioning task is running.
     
  3. On the EV Server make sure that the VSA is a member of the local administrators group. 
     
  4. The following local security user rights should already be applied on the EV Server for the VSA:
        Logon as a process
        Replace a process-level token.
     
  5. Check that the VSA has a mailbox on the Exchange Server in Forest B\Domain B and that the mailbox has been configured as a linked mailbox. If the VSA does not have a mailbox, a new one can be created. The example below is for Exchange 2010:
    1. Log on to the Exchange Server in Forest B.
    2. In the Exchange Management Console, create a new mailbox and select Linked Mailbox. Select New User and give it a name, e.g. VSA_Linked.
    3. Enter the details of the Forest/Domain containing the VSA (i.e. Domain A and VSA account).
    4. This will automatically disable the newly created account, VSA_Linked in this example, in Forest B.
  6. Check that the Provisioning Task logon account has been set to the VSA, and ensure that provisioning of the Exchange Server completes without generating errors.
     
  7. Set the Archiving Task Logon account to the VSA.
     
  8. Ensure a valid system mailbox has been configured. The system mailbox needs to be located on the Exchange Server being archived; in this example it would be in Forest B.

Permissions Configurations

  1. Log on to the Exchange Server in Forest B\Domain B as a user who has the Organization Management role. Run the Enterprise Vault Permissions script against the VSA for this Exchange Server. 

    Note: The account specified is the VSA in Forest A. The Linked mailbox is not used at this stage. In this example the Exchange Server is called Exch2010, however the same should apply for Exchange 2013.

    SetEVExchangePermissions.ps1 -User "Domain A\VSA" -Server Exch2010 -Action Add -Level ALL -Verbose $true

     
  2. Log on to the Exchange Server in Forest B as a user who has the Organization Management role and run the Enterprise Vault Throttling script against the linked mailbox, for example:

    SetEVThrottlingPolicy.ps1 -User "Domain B\VSA_Linked" -Server Exch2010 -Version 2010
     
  3. Assign access rights to the System Mailbox configured under the setting section of the task. In this example, this is the EVSysMbx mailbox, which has been checked in step 8 of the 'Validation Steps' section. This step is performed on the Exchange server in Forest B. The User Account to use is the Vault Service account residing in Forest A.

    For example:

    Add-ADPermission -Identity EVSysMbx -User "Domain A\VSA" -AccessRights ExtendedRight -ExtendedRights "send as"
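
The following is an added example, not part of the original article or of the Enterprise Vault scripts: a read-only check, run in the Exchange Management Shell in Forest B, that reads back the linked mailbox, the throttling policy association and the Send As grant configured above. It assumes the article's example names (Domain A\VSA, VSA_Linked, EVSysMbx); `Add-Check` is a hypothetical helper.

```powershell
# Added verification sketch. Run in the Exchange Management Shell in Forest B.
# Names are the article's example values; replace them with your own.
$Vsa       = 'Domain A\VSA'   # Vault Service Account in Forest A
$LinkedMbx = 'VSA_Linked'     # linked mailbox created for the VSA in Forest B
$SystemMbx = 'EVSysMbx'       # Enterprise Vault system mailbox

$report = @()
function Add-Check($Name, $Passed, $Detail) {   # hypothetical helper
    New-Object PSObject -Property @{ Check = $Name; Passed = [bool]$Passed; Detail = $Detail }
}

# 1. The VSA mailbox must be linked, with the Forest A account as its master.
$mbx = Get-Mailbox -Identity $LinkedMbx -ErrorAction Stop
$report += Add-Check 'Linked mailbox maps to the VSA' `
    ($mbx.IsLinked -and ("$($mbx.LinkedMasterAccount)" -eq $Vsa)) `
    "IsLinked=$($mbx.IsLinked); LinkedMasterAccount=$($mbx.LinkedMasterAccount)"

# 2. A throttling policy must be associated with the linked mailbox.
$assoc = Get-ThrottlingPolicyAssociation -Identity $LinkedMbx
$report += Add-Check 'Throttling policy assigned to linked mailbox' `
    ($assoc.ThrottlingPolicyId -ne $null) "Policy=$($assoc.ThrottlingPolicyId)"

# 3. Explicit (non-inherited) Send As grants on the system mailbox.
$sendAs = @(Get-ADPermission -Identity $SystemMbx | Where-Object {
    ($_.ExtendedRights -like 'Send-As') -and -not $_.Deny -and -not $_.IsInherited
})
$holders = @($sendAs | ForEach-Object { "$($_.User)" })
$report += Add-Check 'VSA holds Send As on system mailbox' `
    ($holders -contains $Vsa) ("Holders: " + ($holders -join ', '))

# Any other holder is more access than the procedure calls for; review it.
$extra = @($holders | Where-Object { $_ -ne $Vsa -and $_ -ne 'NT AUTHORITY\SELF' })
$report += Add-Check 'No unexpected Send As holders' ($extra.Count -eq 0) `
    ("Unexpected: " + ($extra -join ', '))

$report | Format-Table Check, Passed, Detail -AutoSize -Wrap
```

A `False` in the `Passed` column points back to the step that sets that value; the last check also surfaces Send As grants on the system mailbox that this procedure did not create.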
