Demystifying Federation in Exchange 2010 / 2013

Recently, I've seen a lot of cases where customers are perplexed by the various options available to them when using the Microsoft Federation Gateway combined with FIM / ILM to share calendar availability from one Exchange forest to another - for instance, when they have purchased another company and are needing to allow collaboration between the two environments.

In a Federated environment, we assume two separate Exchange environments exist. In this instance, you'd also ideally use something like ILM / FIM (see TechNet articles here for further information). This will allow the GAL to be synchronized, and the Organization Relationship created within Exchange 2010 / 2013 combined with a Federated Trust will allow for certain delegation - free/busy, calendar sharing, remote moves and so forth.

However, this will not allow for cross-forest permissions. Currently, this is unsupported when using FIM / ILM and Federation to manage cross-forest availability as discussed above. When using FIM / ILM in this way, a "Contact" mail-enabled object is created in the alternate environment to match the user in the source environment. Contacts, however, cannot be used for mailbox permissions - the only way to achieve this is by leveraging the functionality of what's known as a Linked Mailbox - and even if we waned to attempt this, we couldn't create a one as it would invariably match the already existing Contact that has been created by leveraging federation with FIM.

At this point in time, there is no supported way for cross-forest permissions to work. Ideally, you'd hopefully be working through a migration plan to centralize your users into one Exchange forest.