How to integrate Project Server 2010 with Exchange Server 2010, but on different domains?

  • Question

  • Hello everyone,

    this is my first question on MSDN, a tricky one. Perhaps some of you might already have stumbled into this.

    I want to configure two domains to allow synchronization of project tasks in Outlook and OWA: domain1 (with Project Server) and domain2 (with Exchange Server).

    Basically, domain1 contains: AD server, Project Server - so more like a user server

    domain2 contains: mail server, Exchange server - so much like an SMTP server.

    I want Project Server on domain1 to be trusted two-way by the Exchange server on domain2.

    How can I do this?

    Thanks!

    Tuesday, August 16, 2011 10:33 AM

Answers

  • What I understand from the article is that you need to execute the commands given below on the Exchange Server:

    1. Add-ADPermission -Identity (get-exchangeserver).DistinguishedName -User (Get-User -Identity <AppPoolAccount> | select-object).identity -extendedRights ms-Exch-EPI-Impersonation

    Note: <AppPoolAccount> is the application pool account for the Project Server service application

    2. Add-ADPermission -Identity "<ProjUser>" -User <FarmAdministrator> -extendedRights ms-Exch-EPI-May-Impersonate

    Note: <ProjUser> is the name of the Project Server user whom you are configuring, and <FarmAdministrator> is the SharePoint Server farm administrator account

    The entire procedure is at http://technet.microsoft.com/en-us/library/ff468700.aspx

    I cannot see where you got New-ManagementRoleAssignment -Name ProjectServerExchangeIntegration -Role applicationImpersonation -User domain1\sharepoint_prod_adm from.

    It's not about whether you run the commands from domain1 or domain2. You need to run the commands I gave above on the Exchange server. If your farm administrator account is in domain1 then the command should include domain1\Farm Administrator account name, and if it is in domain2 then the command should include domain2\Farm Administrator account.

    I hope I have been able to explain. Please go through the document from start to end and follow each step carefully, afresh.


    Abhijeet M. Mohite
    Wednesday, August 17, 2011 9:51 AM
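
To confirm what the two commands in the answer above actually granted, and whether Exchange can resolve the account at all, the following read-only checks can be run in the Exchange Management Shell. This is an added example, not part of the original answer or the TechNet procedure; both account names are hypothetical placeholders.

```powershell
# Added example: read-only checks, run in the Exchange Management Shell.
# Both names below are hypothetical placeholders, not values from the thread.
$ServiceAccount = 'DOMAIN1\svc-projectserver'   # account that will impersonate
$ProjUser       = 'Jane Doe'                    # a user whose tasks are synchronized

# 1. Does Exchange resolve the account? A null result here is the same
#    condition that makes the permission cmdlets fail with "... wasn't found".
$resolved = Get-User -Identity $ServiceAccount -ErrorAction SilentlyContinue
if ($resolved) {
    "Resolved: {0} (SID {1})" -f $resolved.Identity, $resolved.Sid
} else {
    Write-Warning "$ServiceAccount does not resolve from this Exchange organization."
}

# 2. Who holds ms-Exch-EPI-Impersonation on each Exchange server object?
Get-ExchangeServer | ForEach-Object {
    Get-ADPermission -Identity $_.DistinguishedName |
        Where-Object { $_.ExtendedRights -like 'ms-Exch-EPI-Impersonation' } |
        Select-Object Identity, User, Deny, IsInherited
}

# 3. Who is allowed to impersonate this particular user?
Get-ADPermission -Identity $ProjUser |
    Where-Object { $_.ExtendedRights -like 'ms-Exch-EPI-May-Impersonate' } |
    Select-Object Identity, User, Deny, IsInherited

# 4. RBAC assignments of ApplicationImpersonation and their recipient scope.
#    An assignment with no custom recipient scope covers every mailbox in
#    the organization, so review any row where the scope is organization-wide.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Select-Object Name, EffectiveUserName, RecipientWriteScope, CustomRecipientWriteScope |
    Format-Table -AutoSize
```

Any account listed in steps 2 to 4 that is not the intended Project Server service account is worth investigating, since each entry can act as other mailbox users.
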
  • If the above response is confusing, what I am trying to suggest is:

    Create

    1. an AD Contact object or

    2. an AD User (disabled)

    in domain2 which exactly matches the SharePoint admin account in domain1, and set the msExchMasterAccountSid to be the same as the objectSid for the corresponding account in domain1.

    And then try running the Exchange command.

    If the above is not possible then:

    Create a user in domain2 and add that account to the Project web application pool, make that account a systemadmin on SQL Server, and also run the Project events service and Project queuing service with that user.

    Wednesday, August 17, 2011 12:01 PM

All replies

  • Are your users going to need to use two separate credentials to access e-mail and to access PWA?

    The reason I'm asking is that once you have a two-way trust set up between the domains you should be able to follow the guide on TechNet:

    http://technet.microsoft.com/en-us/library/ff468700.aspx

    The only caveat that I can think of is that you would need to set up all the users that need Exchange sync with the Exchange AD account in Project Server.

    So they would log in as exchange.domain\username in PWA, which pretty much defeats the purpose of having two domains.

    If your two domains already exist and you need to integrate, you might be better off migrating the Project Server into the Exchange Active Directory environment.


    Tuesday, August 16, 2011 8:03 PM
  • Thanks for your answer.

    The problem is that I could launch the command:

    Add-ADPermission -Identity (get-exchangeserver).DistinguishedName -User (Get-User -Identity domain1\sharepoint_prod_adm | select-object).identity -extendedRights ms-Exch-EPI-Impersonation

    But when I go to the next step:

    New-ManagementRoleAssignment -Name ProjectServerExchangeIntegration -Role applicationImpersonation -User domain1\sharepoint_prod_adm

    I get the following error:

    domain1 wasn't found. Please make sure you've typed it correctly.

        + CategoryInfo          : NotSpecified: (0:Int32) [Add-ADPermission], ManagementObjectNotFoundException

        + FullyQualifiedErrorId : 3F3826E1,Microsoft.Exchange.Management.RecipientTasks.AddADPermission

    domain1 and domain2 are two-way trusted because mail is working and so are other features. Except Project Server, which I am not able to integrate because this step is failing over and over.

    Wednesday, August 17, 2011 7:19 AM
  • Domain 1 contains Project Server and AD Server

    Domain 2 contains Exchange Server

    Is the Exchange server using the AD which is in domain 1?

    Another thing you can probably check, other than the two-way trust: is two-way GAL sync enabled between these two domains?


    Abhijeet M. Mohite
    Wednesday, August 17, 2011 8:42 AM
  • Which version of Exchange Server is it, and where did you get this command from:

    New-ManagementRoleAssignment -Name ProjectServerExchangeIntegration -Role applicationImpersonation -User domain1\sharepoint_prod_adm


    Abhijeet M. Mohite
    Wednesday, August 17, 2011 8:44 AM
  • Hello Abhijeet,

     

    thanks for your response.

    The version is Exchange 2010. This command is from TechNet, listed as a cmdlet for Project Server integration into Exchange.

    Haven't checked the GAL. Will do that.

    Should I run these cmdlets from the domain2 Exchange Mgmt Shell (as admin ofc)?

    I have run these cmdlets from PowerShell on domain1.

    Wednesday, August 17, 2011 9:07 AM
  • Exactly what I was afraid of.

    The user <farm admin> is not recognized on a different domain (he is SharePoint farm admin on domain 1 and the command is being run on domain 2).

    So basically an AD problem...

    How should I allow this farm admin to work on both domains?

    Thank you!

    Wednesday, August 17, 2011 10:33 AM
  • You mean to say you are running a command on the Exchange Server which is in domain2?

    If there is two-way sync and GAL sync enabled between these two domains then the user should get identified as well as authenticated anyway.

    What I can suggest to try is, if possible:

    1. Add the SharePoint admin account which is in domain1 to domain2 as an Active Directory contact object

    or

    2. Try to run the Project Server queue service and events service with any user in domain2 and execute the Exchange command using that user.


    Abhijeet M. Mohite
    Wednesday, August 17, 2011 11:11 AM
  • Thank you

    1. You mean adding a new user to domain2 (with the same user AD name as in domain1)? Or do you mean a contact object in any folder on the Domain Controller server?

    2. I don't have these services on domain2 (Exchange domain), only on domain01 (AD user domain + SharePoint + Project Server)

    Wednesday, August 17, 2011 12:43 PM
  • You may get Microsoft articles on how to create Active Directory contact objects

    and

    The mentioned services are Project Server services, which in turn are used while making the task sync calls to Exchange Server. And I am suggesting to run those services with the user created in domain2.


    Abhijeet M. Mohite
    Wednesday, August 17, 2011 2:06 PM
  • How can I test whether the SharePoint admin, which is on domain1, gets recognized by domain2?

    Should I try adding him as an Exchange admin (on domain2)?

    My customer does not have GAL enabled and I think that could be the issue. (The customer says it's not.)

    Thursday, August 18, 2011 7:59 AM
  • Adding him as an admin won't help.

    Testing can be as simple as trying to log in to any machine in domain2 with a user name in domain1...

    GAL sync should have replicated these users' data across domains and you wouldn't have faced this problem.

    Try creating the AD Contact objects for the required users. That is the option you should try.


    Abhijeet M. Mohite
    Thursday, August 18, 2011 8:41 AM
  • OK, what I have tried is to ping a server from one domain to another and vice versa.

    It worked.

    I isolated the problem to Exchange and wonder how I can add a SharePoint farm admin from domain1 to the Exchange farm admins on domain2?

    Thanks for the great help

    Thursday, August 18, 2011 2:28 PM