Win2.Adatum.com
New-AcceptedDomain -Name "1ask2.com" -DomainName "1ask2.com" -DomainType Authoritative
New-AcceptedDomain -Name FederationDomain -DomainName exchangedelegation.1ask2.com
New-SendConnector -Name 'Internet' -Usage 'Internet' -AddressSpaces 'SMTP:*;1' -DNSRoutingEnabled $true -SourceTransportServers 'WIN2'
Set-ReceiveConnector "Default Win2" -PermissionGroups AnonymousUsers,ExchangeUsers,ExchangeServers,ExchangeLegacyServers
New-EmailAddressPolicy -Name '1ask2 policy' -IncludedRecipients 'AllRecipients' -Priority 'Lowest' -EnabledEmailAddressTemplates 'SMTP:%m@1ask2.com'
Update-EmailAddressPolicy -Identity '1ask2 policy'


EXServer.CartEasy.com
New-AcceptedDomain -Name "Abbcanada.com" -DomainName "Abbcanada.com" -DomainType Authoritative
New-AcceptedDomain -Name "FederationDomain" -DomainName "ExchangeDelegation.Abbcanada.com" -DomainType Authoritative
New-EmailAddressPolicy -Name 'abbcanada policy' -IncludedRecipients 'AllRecipients' -Priority 'Lowest' -EnabledEmailAddressTemplates 'SMTP:%m@abbcanada.com'
Update-EmailAddressPolicy -Identity 'abbcanada policy'
New-SendConnector -Name 'Internet' -Usage 'Internet' -AddressSpaces 'SMTP:*;1' -DNSRoutingEnabled $true -SourceTransportServers 'EXServer'
Set-ReceiveConnector "Default EXServer" -PermissionGroups AnonymousUsers,ExchangeUsers,ExchangeServers,ExchangeLegacyServers
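Adding AnonymousUsers to the default receive connector is what lets the server accept Internet mail for its accepted domains, so it is worth confirming on each server that anonymous senders got only that and not relay rights. The following check is an added example, not part of the original notes; it assumes the Exchange Management Shell on the server being audited and takes the connector name used above ("Default Win2" or "Default EXServer") as a parameter.

```powershell
# Added audit script for the transport setup above (not from the original notes).
# Run in the Exchange Management Shell; pass -Connector "Default EXServer" on EXServer.
param(
    [string]$Connector = "Default Win2"
)

# 1. Accepted domains: the public domain and the ExchangeDelegation subdomain
#    should both be Authoritative, so mail for them is delivered locally.
Get-AcceptedDomain | Select-Object Name, DomainName, DomainType, Default |
    Format-Table -AutoSize

# 2. Who may submit to the default receive connector.
$rc = Get-ReceiveConnector -Identity $Connector
"Permission groups on {0}: {1}" -f $rc.Identity, $rc.PermissionGroups

# 3. AnonymousUsers must NOT hold ms-Exch-SMTP-Accept-Any-Recipient; that right
#    turns the connector into an open relay for any destination domain.
$relayRight = "ms-Exch-SMTP-Accept-Any-Recipient"
$anonRelay = Get-ReceiveConnector -Identity $Connector | Get-ADPermission |
    Where-Object { $_.User -like "*ANONYMOUS LOGON*" -and
                   -not $_.Deny -and
                   ($_.ExtendedRights -like $relayRight) }
if ($anonRelay) {
    Write-Warning "$($rc.Identity): anonymous senders can relay to any recipient"
} else {
    "OK: anonymous senders may only deliver to accepted domains on $($rc.Identity)"
}

# 4. Send connector sanity: DNS routing to the Internet from the local server only.
Get-SendConnector | Select-Object Name, AddressSpaces, DNSRoutingEnabled,
    SmartHosts, SourceTransportServers | Format-Table -AutoSize
```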

DNS


Both 1ask2.com and abbcanada.com are public registered domain names. The DNS Server at Win2 is globally accessible.
Test mail delivery
Schong@1ask2.com and CChevron@abbcanada.com can exchange mail with each other.


EXserver.CartEasy.com
Install Certificate Authority Service
Windows 2008 R2 Enterprise --Certificate Authority


http://abbcanada.com/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
If <ServerDNSName> is used instead, the location becomes http://exserver.carteasy.com, which cannot be reached from the Internet.

Renew CA certificate…
Duplicate the Domain Controller certificate template.

Issue the “Copy of Domain Controller” template

MMC—certificate console (computer)
Request a new certificate

The certificate at EXserver.CartEasy.com must include:
Autodiscover.abbcanada.com
Autodiscover.Exchangedelegation.abbcanada.com
Abbcanada.com
ExchangeDelegation.abbcanada.com

The Federation Trust must use a certificate whose private key is exportable.

Get-ExchangeCertificate | ?{$_.friendlyname -eq "abbcanada.com"} | New-FederationTrust -Name "Microsoft Federation Gateway"
Export the CA certificate and import it on the Win2.Adatum.com computer.
Get-FederatedDomainProof -DomainName abbcanada.com
Get-FederatedDomainProof -DomainName exchangeDelegation.abbcanada.com

DNSCmd /RecordAdd abbcanada.com "@" TXT "Ono30IIfcBTEqnmdfdr6K7P3qHUDw3Qcw1seeP0I3B6MPQtrge+Mt5aScoAs78ATw88/jkj06RQXgeksRS8b0g=="

DNSCmd /RecordAdd abbcanada.com "ExchangeDelegation" TXT "Sk0pSsvD8wO5mzbAbwInaXGVxfQ8q6IIKeY5jOJcXj+OpMnyyg5GrZkWI7HKRxr3dxXrCevuWEhWbJPNmhI8PA=="

EMC—Managing Federation

Win2.Adatum.com
Install Certificate Authority Service
Configure CDP and AIA

http://1ask2.com/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
Renew CA Certificate…
Duplicate the Domain Controller certificate template with Subject Name set to “Supply in the request” and issue it.
MMC – Certificates (computer) console – request a new certificate with the “Copy of Domain Controller” template.

The certificate for Exchange on Win2.Adatum.com must include:
Autodiscover.1ask2.com
Autodiscover.ExchangeDelegation.1ask2.com
1ask2.com
ExchangeDelegation.1ask2.com

The Friendly name for the certificate is 1ask2.com.
Get-ExchangeCertificate | ?{$_.friendlyname -eq "1ask2.com"} | New-FederationTrust -Name "Microsoft Federation Gateway"
Get-FederatedDomainProof -DomainName 1ask2.com
Get-FederatedDomainProof -DomainName ExchangeDelegation.1ask2.com

DNSCmd /RecordAdd 1ask2.com "@" TXT "vFX8UFXLRAJ825CPy5hj/UWYiFHJ7WTtjbtHMyBUfXdLXQcH3LPTM6vPdftAeJphFTv0O1lil1aoG3alBH23Uw=="
DNSCmd /RecordAdd 1ask2.com "ExchangeDelegation" TXT "jwQyaT6pHu0DFIfWS3OaTkgMFWBpxfxDNPCMIck/J5zpgwaUeSC7K5ZRG8dK5v+39nKGAaQLadPKpdvW7z0hvw=="

EMC—Managing Federation

Export the CA certificate of CartEasy.com and import it into the Trusted Root Certification Authorities store of Win2.Adatum.com.
Export the CA certificate of Adatum.com and import it into the Trusted Root Certification Authorities store of EXserver.carteasy.com.
Get-FederationInformation -DomainName abbcanada.com
Get-FederationInformation -DomainName 1ask2.com
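Before moving on to organization relationships, it helps to verify on each server that the federation certificate carries the four names listed above, that the proof strings from Get-FederatedDomainProof really are what public DNS now returns, and that the trust can obtain a token. The script below is an added example, not from the original notes; it assumes the Exchange Management Shell on the server that owns the trust, that nslookup can reach the public DNS for the domains, and that Get-FederatedDomainProof exposes the proof string in a Proof property. The defaults are for EXServer; pass the 1ask2.com names on Win2.

```powershell
# Added verification script (not from the original notes). Assumes Exchange
# Management Shell and that Get-FederatedDomainProof returns a Proof property.
param(
    [string[]]$Domains = @("abbcanada.com", "ExchangeDelegation.abbcanada.com"),
    [string]$FriendlyName = "abbcanada.com"
)

# TXT strings currently published for a name, parsed from nslookup output.
function Get-PublishedTxt([string]$Name) {
    (nslookup -type=TXT $Name 2>$null | Out-String) |
        Select-String -Pattern '"([^"]*)"' -AllMatches |
        ForEach-Object { $_.Matches } | ForEach-Object { $_.Groups[1].Value }
}

# 1. The federation certificate must carry the domain, the delegation subdomain and
#    the autodiscover name of each, and its private key must be exportable.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.FriendlyName -eq $FriendlyName } | Select-Object -First 1
$certNames = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
$required = $Domains | ForEach-Object { $_; "autodiscover.$_" }
$missing = $required | Where-Object { $certNames -notcontains $_ }
if ($missing) { Write-Warning ("Certificate is missing SANs: " + ($missing -join ", ")) }
if (-not $cert.PrivateKeyExportable) { Write-Warning "Private key is not exportable" }

# 2. The proof derived from the certificate must appear verbatim in a TXT record
#    at each domain; the Microsoft Federation Gateway reads it from public DNS.
foreach ($d in $Domains) {
    $expected = (Get-FederatedDomainProof -DomainName $d | Select-Object -First 1).Proof
    $published = @(Get-PublishedTxt $d)
    if ($published -contains $expected) {
        "OK: proof for $d is published in DNS"
    } else {
        Write-Warning "Proof for $d not found in DNS (TXT values: $($published -join ' | '))"
    }
}

# 3. End to end: certificate validation and token exchange with the gateway.
Test-FederationTrust -UserIdentity "Administrator" -Verbose
```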

Win2.Adatum.com

New-SharingPolicy -Name 'abbcanada Sharing' -Enabled $true -Domains 'abbcanada.com:CalendarSharingFreeBusySimple','1ask2.com:CalendarSharingFreeBusyReviewer, ContactsSharing'
'adatum.com/Users/Simon Chong' | Set-Mailbox -SharingPolicy 'abbcanada Sharing'
'adatum.com/Users/Administrator' | Set-Mailbox -SharingPolicy 'abbcanada Sharing'

EXServer.CartEasy.com

New-SharingPolicy -Name '1ask2 Sharing' -Enabled $true -Domains '1ask2.com:CalendarSharingFreeBusySimple','abbcanada.com:CalendarSharingFreeBusyReviewer, ContactsSharing'
'CartEasy.com/Users/Canon Chevron' | Set-Mailbox -SharingPolicy '1ask2 Sharing'
'CartEasy.com/Users/Tim Horton' | Set-Mailbox -SharingPolicy '1ask2 Sharing'

Test the Sharing Policy
SChong@1ask2.com (https://autodiscover.1ask2.com/owa) can send a calendar sharing invitation to CChevron@abbcanada.com.
CChevron@abbcanada.com (https://autodiscover.abbcanada.com) can send a calendar sharing invitation to Schong@1ask2.com.

What about Contacts sharing within the same organization?
In OWA, Contacts cannot be shared within the same organization. In Outlook 2010, administrator@1ask2.com can share its Contacts folder with Schong@1ask2.com.

The Sharing Policy is “abbcanada Sharing”.
New-SharingPolicy -Name 'abbcanada Sharing' -Enabled $true -Domains 'abbcanada.com:CalendarSharingFreeBusySimple','1ask2.com:CalendarSharingFreeBusyReviewer, ContactsSharing'


Self-signed certificate
Both computers
Remove Organization Relationships
Remove Federation Trust

Win2.Adatum.com
$ski = [System.Guid]::NewGuid().ToString("N")
New-ExchangeCertificate -FriendlyName "Exchange Federated Delegation" -DomainName 1ask2.com,ExchangeDelegation.1ask2.com,Autodiscover.1ask2.com,autodiscover.ExchangeDelegation.1ask2.com,Win2.Adatum.com -Services Federation -KeySize 2048 -PrivateKeyExportable $true -SubjectKeyIdentifier $ski
Get-ExchangeCertificate | ?{$_.friendlyname -eq "Exchange Federated Delegation"} | New-FederationTrust -Name "Microsoft Federation Gateway"

Get-FederatedDomainProof -DomainName 1ask2.com
Get-FederatedDomainProof -DomainName ExchangeDelegation.1ask2.com

Update the TXT record for 1ask2.com and Exchangedelegation.1ask2.com
Get-ExchangeCertificate | ?{$_.friendlyname -eq "Exchange Federated Delegation"} | Enable-ExchangeCertificate -Server 'WIN2' -Services 'IMAP, POP, IIS, SMTP'
Manage Federation
Add both abbcanada.com and ExchangeDelegation.abbcanada.com to the list of Federated Domains.

EXServer.CartEasy.com
$ski = [System.Guid]::NewGuid().ToString("N")
New-ExchangeCertificate -FriendlyName "Exchange Federated Delegation" -DomainName abbcanada.com,ExchangeDelegation.abbcanada.com,Autodiscover.abbcanada.com,autodiscover.ExchangeDelegation.abbcanada.com,exserver.carteasy.com -Services Federation -KeySize 2048 -PrivateKeyExportable $true -SubjectKeyIdentifier $ski
Get-ExchangeCertificate | ?{$_.friendlyname -eq "Exchange Federated Delegation"} | New-FederationTrust -Name "Microsoft Federation Gateway"

Get-FederatedDomainProof -DomainName abbcanada.com
Get-FederatedDomainProof -DomainName ExchangeDelegation.abbcanada.com

Update the TXT records for abbcanada.com and ExchangeDelegation.abbcanada.com.

Get-ExchangeCertificate | ?{$_.friendlyname -eq "Exchange Federated Delegation"} | Enable-ExchangeCertificate -Server 'exserver' -Services 'IMAP, POP, IIS, SMTP'
Manage Federation
Add both 1ask2.com and exchangedelegation.1ask2.com to the list of Federated Domains.
Browse to https://autodiscover.1ask2.com/owa, click Certificate Error, and copy the certificate to a file named 1ask2Self.cer.
Browse to https://autodiscover.abbcanada.com/owa, click Certificate Error, and copy the certificate to a file named abbcanadaSelf.cer.
MMC – Certificates (computer) console
Import both 1ask2Self.cer and abbcanadaSelf.cer into the Trusted Root Certification Authorities store of Win2.Adatum.com and EXServer.CartEasy.com.
SChong@1ask2.com (https://autodiscover.1ask2.com/owa) can send a calendar sharing invitation to CChevron@abbcanada.com.
CChevron@abbcanada.com (https://autodiscover.abbcanada.com) can send a calendar sharing invitation to Schong@1ask2.com.