Because Exchange Server 2003 does not allow spoofing or forging of identities, Microsoft has given us a way to perform Cross-Forest Authentication to meet the needs of several scenarios.
One scenario occurs when a company spans two forests and cross-forest e-mail collaboration is needed. Because Exchange is scoped to the forest boundaries, it is a bit silly to set up two sets of contacts in two forests so that everyone in the company can e-mail each other internally and have their e-mail addresses resolve to their display names.
To enable cross-forest authentication, you must create connectors in each forest that use an authenticated account from the other forest. Once the connectors are set up, e-mail sent from one forest to the other is submitted by an authenticated user, so the e-mail addresses resolve to the display names.
To configure cross-forest authentication, follow these steps:
1. Create an account in each forest that has Send As permissions in the target forest. Add this account to the properties of each Exchange server that will accept incoming e-mail from the other forest.
2. Create an SMTP Connector in the source forest that requires authentication to send e-mail, and configure the connector to use the account in the target forest for all outgoing e-mail. On the SMTP Connector, ensure that you've configured the address space to include the specific target domain with a cost of "1". Do not include an address space of "*" or any other domain name. This ensures that the SMTP Connector is used only when e-mail is sent between these domains.
3. Repeat these steps in the opposite direction, from the target forest back to the source forest.
Now, when e-mail is sent between domains, the display names will resolve to the Global Address List names, which is often easier for your users to understand than the external SMTP addresses.