Outlook Live: Bulk E-Mail and Daily Recipient Rate Limits

Folks looking to go into Outlook Live should check this out:

Bulk E-Mail and Daily Recipient Rate Limits

Because when you re-create calendaring state as we do in a migration you are very likely to find some people who are hitting into this limit.

We sometimes do get the question: Why do you need to send messages if you are migrating calendars?

(We do, oh we really do!)

The answer: because calendaring in Exchange is a message-based protocol (Duh). Single appointments do not fall under this limit, but meetings DO. And remember, with meetings there's the invitation AND the response.

Outlook Live and Outlook On-Premises Differences

You know.... there's a bunch of these differences between Outlook live and Exchange on-premises.
And like discovering land mines you're only going to know when you step on one of them.
Such is the case with Throttling Policies and the EWSFindCountLimit.
What does this have to do with calendar migrations? Just in our UNDO function (a prudent safeguard which many of you seem to find comforting).
Our QA team discovered weird behavior in Live @ Edu that does not exist in on-premises Exchange when we were trying to UNDO several test insertions at once. The default limit in ESWFindCOuntLimit is 1000 items (and this in our case includes things in the Deleted folder).
So some of our higher-end users were not being UNDO-ne.
We're fixing that and preparing for the next landmine.
Stay tuned.

Inserting into Live @ Edu vs. inserting into on premises hardware

We were working with a client doing a migration into Live @ Edu and wanted to get some absolute data on calendar migration performance on their machines versus everyone else. So in true Sumatra fashion we created a test database of 20 users and had them insert it in their test environment. It took 19 minutes.

And we then inserted the same database into our Exchange environment. That took 12 minutes (not surprising, we have good hardware and not an enterprise-level load)

Then we inserted the same data into Outlook Live @ Edu. It took 71 minutes.

Just to be sure we were not doing something really wrong we ran it twice and got the same manatee-like languid pace. We're used to measuring migrations with a clock, not a calendar.

We're sure we're not processor bound on our client system. The question is whether we're processor-bound on the server (likely) or network-bound (not as likely). The results are in any event troubling for anyone wanting to do a bulk calendar migration.

But wait -- there's even MORE BAD NEWS FOR calendar migrations!

According to Message, Mailbox, and Recipient Limits (tip 'o the hat to Duncan in London), there are limits of 30 messages per minute and 500 recipients per day. And the logs from London's test runs indicate they are already hitting this limit.

Taking calendar data over in a full-state method we re-create all of these and it is not unusual for the even moderately-scheduled user to hit these limits.

Stay tuned. We're working on creative solutions.
There is a ray of hope, though. This thread indicates others are running into the same absurd limits and Microsoft MAY be willing to make exceptions (check out the procedure at the end).

We suggest you folks who want to do a full-state calendar migration contact your Microsoft Rep and ask them if they can get these limits removed for the duration of your migration.

International characters going into Live at Edu migrations

Because we're nutcases about accuracy and dependability we checked international characters going into Live @ Edu migrations and found no problems.

So umlauts, acutes, cedillas, and various other characters should come out fine.

Setting Permissions for a Live @ Edu Migration

OKAY, you are serious about getting out of Oracle Calendar and into the Exchange Cloud. So you need to know how to set up your permissions on your Live @ EDU Admin account so that the migration application has access to all accounts to do what it needs.

 

You only need to do this once and you can remove these (rather generous but necessary) permissions after you have verified the integrity of your data and removed the Keyword.

 

1. Setup live@edu:
   
   1. Your domain must be Org-owned (you'll be setting RBACs….)
      
   2. Create a service account, e.g. deleg8@livetest.YOURDOMAIN.com
      
2. On your PC, connect your local instance of Windows PowerShell to Outlook Live
   
   1. Prerequisites:
      
      1. You'll need Windows PowerShell 2.0.
         
         1. Get it here: http://support.microsoft.com/kb/968929
            
         2. If you have windows XP x86 must upgrade to SP3+; 
            
         3. If you have windows XP x64 use the windows server 2003 x64 version
            
      2. Launch PowerShell: Start > All Programs > Accessories > Windows PowerShell > Windows PowerShell right-hand click and "Run-As administrator"
         
   2. Set the credentials for your Windows Live ID and Password for your Outlook Live account, then define a session
      
      1. $LiveCred = Get-Credential 
         
      2. $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
         
         1. If it fails to execute, then:
            
            1. Set-ExecutionPolicy RemoteSigned 
               
            2. …. Or unrestricted if you are brave
               
      3. Start a session to import the Outlook Live commands into your session.
         
         1. Import-PSSession $Session
            
         2. Setup RBAC impersonation using built-in role "ApplicationImpersonation"
            
3. Define RBAC impersonation in Powershell:
   
   1. New-ManagementRoleAssignment -Name EWSImpersonation -Role ApplicationImpersonation -User deleg8@livetest.YOURDOMAIN.com
      
   2. After you are done, disconnect Windows PowerShell from Outlook Live:
      
      1. Remove-PSSession $Session
         

Oracle Calendar to Exchange Live at Edu - the Video

We got a request for a video showing data migration from Oracle Calendar to Live @ Edu.

We put together an ad hoc committee to create the clearing for the conversation for possibility..... ah heck.... we just put some software up and did it.

Michael Moore has nothing to be afraid of.

You can also view it off our main site at http://www.sumatra.com/ocs-to-exchange.wmv

The melodious voice you hear is Zyg (whose role in Sumatra is the moody "Ben Affleck" character in contrast to Russ's "Matt Damon" persona).

Interested in trying it out? Our contact page is here.

Migrating Oracle Calendar Server into the Microsoft Exchange Cloud

The calendar gnomes have been busy.

We have gotten some requests to take Oracle Calendar Server into this Microsoft "cloud" thing (which last time I looked had a couple of different names).  Of course we started with Live @ Edu because that's where the first money is.

So if we look at Jimi's calendar in Oracle Calendar we see:

and if we look at his calendar in Sumatra's LIVE@ edu test system we see the exact same thing (minus the color which you cannot port anyway).

Some of you will notice the one appointment that's not there, which led us into looking at timing issues in Live @ Edu.  We found that changing our CAS and EWS URLs for the insertion to remove the "PSH" part removed the issue.

If your Outlook.com server is something like
PODnnnnnnPSH.outlook.com

use:
PODnnnnnn.outlook.com

instead on insertion.

... and Jimi's calendar comes out fine everywhere.  So in case you find yourself missing some data, check the URL you're pointing to.  We obviously don't have as much control over timing and performance in this scenario as we do in a native Exchange environment.  So the first few who go live with our tech are going to be taking the earliest risks for timing and the eternal X-Factor.

Oh yeah, this would work for Meeting Maker, Zimbra, Sun Java Calendar, anything else we can migrate.  But let's face it, Oracle Calendar Server is the one everyone is currently looking to drop ASAP.

This all involved minor changes to the SuExchange interface, mainly to specify Credentials to your CAS server.  Your Live admin account is the one to use:

This also means there's no need to "Run as..." with the Service Account.  Your  CAS credentials effectively ARE the Service Account.

There's also good news on conference rooms, which are looking like we can Accept and Decline them under our control but as always we want more field tests to make sure we're not drinking our own Kool-Aid: 

Keep in mind: our distinction is that we re-create meetings with guest lists and responses and re-create recurrence patterns in moving from OCS to Exchange, and that is the same whether going to the cloud or a native Exchange server.

So from the perspective of your end users it's a migration with results that make it act as though you've been using Exchange all along.

From the trenches: Exchange to Gmail

Ran into this and thought I'd pass it along.

CEO Of Company With 500 Employees: Here's Why We're Ditching Microsoft Outlook For Gmail

This is a corporation with only 500 users.  The number of companies we've seen with enterprise size considering ditching Google is easy to summarize: Zero.  There was one pathetic case we know of a company adopting Google then getting bought and having to drop it just as quickly, but my schadenfreude account is overdrawn this week.

Where we see a lot of Google Mail and Calendaring is in education and mainly for schools without a lot of endowment.  Note to readers: yes, that word has two meanings.

Updated May 26 to add this link:

Microsoft has a blog posting: Why are Businesses Leaving Google Apps?

Pick your Kool-Aid.

Add2Calendar Example from Facebook

It amazes me that Add2Calendar works when I least expect it.

In my Facebook updates I had the following:

I highlighted it and right clicked the IE8 Accelerator and this is what was immediately populated into Outlook:

Which I consider to be very cool.

Macintosh and Exchange: maybe no longer the horror it has been

If you've ever worked with us you know we want to deal with the Macintosh about as much as we want to spend our vacation at Chernobyl where we consider the radioactive waste level lower.

However, anecdotal evidence from some of our calendar buddies (Hi, Vince!) has given us indication of light at the end of the tunnel. Herewith is what we learned:

• If you want to use Apple mail, you should upgrade to OS X 10.6. Earlier versions were not all that good in terms of calendaring and mail. 10.6 has MUCH better mail handling.
• If you want to stay with Entourage, adopt the mantra "patch Entourage to the max" (12.2.3) then install the EWS patch: http://www.microsoft.com/mac/itpros/entourage-ews.mspx
• Go to Exchange 2010 (NOT 2007). OWA is MUCH better for Macintosh users in Exchange 2010. http://www.macworld.com/article/140257/2009/04/exchange2010_mac.html
• Finally, check out this link to the Mac 2011 Road Show: https://microsoft.crgevents.com/OfficeMac2011/Content/Home.aspx

This gets us as giddy with excitement as is possible given that we want to suffocate the whole Macintosh platform in the first place.

There's a few other places migrating Exchange Admins should check out if your Windows-phobic execs conform to Jobsian non-conformity.

Exchange 2010: OWA has a good summary of Outlook Web Access via Safari on a Mac.

Entourage Mac for Exchange Servers: Tips and Reports has the most comprehensive list of Entourage / Exchange issues I've seen (and while there are a LOT of them most are for previous versions).

ResourceWatch Error: The Service cannot be activated due to an exception during compilation

A client called after their ResourceWatch installation started to fail with this error:

Exception: System.ServiceModel.ServiceActivationException: The service '/ResourceDataService.svc' cannot be activated due to an exception during compilation. The exception message is: Could not load file or assembly 'App_Web_aza-n8ud, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies......

How odd----it's been running without issue for months.

There were two possible reasons for the failure:

1. The virtual directory was renamed, or
2. .Net Framework 3.5 was not installed

"Virtual Directory Renamed" When Sumatra The “Publish Web Site” deployment model in Microsoft’s Visual Studio hinges on the name of the web application mapping directly to the virtual directory name. Renaming the virtual directory without changing the ".compiled" directive causes the application to crash. If you don't have to rename the directory, don't. If you do, and it crashes, read Tom Fuller's post where he solves his 'Issue deploying WCF service to IIS 6 in non-updateable mode.'

".Net Framework 3.5" The other reason this fails is because .Net Framework 3.5 is not installed. (This is easily checked, and if you didn't rename the virtual directory, this is likely the problem.)

In this case, the app was moved to a different box, the virtual directories remained the same, BUT, .Net framework was not installed.

Managing Automatic Meeting Responses in Outlook 2010

An Oracle Calendar System migration client called because his end users were complaining ..... "Now that we have migrated how can we disable those irritating meeting invitations and responses?"

Keep in mind -- this is not about the migration process. This is about what happens when Oracle Calendar users transition from OCS to Exchange,

I'm not sure anyone has an answer for complaining end users, but I did come across a blog posting from Microsoft's Outlook team that talks about how to deal with meeting responses in Outlook 2010. (you know, the "I accept", "I decline" messages.....). The post describes how to create a rule to deal with those responses:

1. Keep meeting declines;
2. Keep all responses if they have a comment;
3. Otherwise, move tentative and accept messages into a sub folder (and out of the inbox!)
   

Read the blog post here!

The net result is that Exchange and Outlook will look more like what an OCS user community has been conditioned to expect over the years.

OWA bug fix - Change the start time of a recurring meeting with exceptions now works

When you change the start time of a recurring meeting series in Microsoft Exchange Server 2007 by using Outlook Web Access (OWA), any exceptions to individual meetings in the series are not removed. There's news to Sumatra's calendar customers. Their end users have dealt with this issue for several years.

Rejoice! Microsoft fixed it. For Exchange 2010. There is no joy in Exchange 2007 land - the fix is not for your servers. See KB 980051.

I'll update this post once I know the hotfix number or the rollup version.

"Add2Calendar" an IE8 - Web Accelerator

I receive one or two emails every day inviting me to attend some work, hobby, school, or sporting event. Many of these events, however, do not offer the "add this event to your Outlook calendar" functionality. If I want to add these events to my calendar, I have to do so manually - "cut and paste" the event details into a new Outlook appointment. Ok, it's not hard, it's tedious. It caused me to automate the process, via an Internet Explorer 8 "Web Accelerator".

I first learned about accelerators in an MSDN "Roadshow" put on by two Microsoft Developer Evangelists (Chris Bowen and Jim O'Neil.) They said it was simple to create one... I didn't believe them. I thought it was going to take several days to get started. It didn't. It was as simple as they said!

My accelerator parses highlighted text from the web browser, and return a calendar invitation "on-the-fly" that Outlook easily interprets. There are several ways of adding appointments to Outlook -- I chose iCalendar, since Outlook supports this open standard calendaring format.

What will the user see?

Here is an example of the accelerator in use. I received an email telling me about an upcoming Cambridge Science Festival event. The email directed me to "Boston.com" where I read the event details. I highlighted the event name and time, and right-hand clicked to launch the accelerator:

Here is what appeared in my calendar:

Voila! You can see Add2Calendar captured the event name, date and time, the event summary in the notes area, plus the URL of the event.
For the more technically inclined
This accelerator requires two components:

1. An XML file to define how the browser communicates with that service, and
2. A "URL-based service"

The process to create the XML file is well documented in MSDN. Here is the XML that defines how the browser communicates with the service:

<?xml version="1.0" encoding="UTF-8"?>
<os:openServiceDescription
xmlns:os="http://www.microsoft.com/schemas/openservicedescription/1.0">
<os:homepageUrl>http://www.sumatra.com</os:homepageUrl>
<os:display>
<os:name>Add appointment with Sumatra's Add2Calendar</os:name>
<os:icon>http://www.sumatra.com/images/favicon.ico</os:icon>
<os:description>
Highlight something on a web page and add the item into your calendar
</os:description>
</os:display>
<os:activity category="Appointment">
<os:activityAction context="selection">
<os:execute method="post"
action="http://www.sumatra.com/add2calendar/">
<os:parameter name="sel" value="{selection}" type="text" />
<os:parameter name="docURL" value="{documentUrl}" type="text" />
</os:execute>
</os:activityAction>
</os:activity>
</os:openServiceDescription>

I created my URL-service using PHP. The accelerator passes two parameters back to the PHP code ($sel and $DocURL). If those variables are not null, the PHP code can determine if it should show the "add the accelerator to your browser" page, or parse the selection string and return an iCalendar file.

The PHP code creates a form with a button to add the accelerator to the browser. There is also javascript to check if the accelerator exists:

<script language=\"JavaScript\">
window.onload = function()
{
if (window.external.IsServiceInstalled ('http://www.sumatra.com/add2calendar/add2calendar.xml','Appointment'))
{
document.getElementById('btnAdd2Calendar').disabled = true;
alert("Sumatra Add2Calendar accelerator is already installed!");
}
}
</script>
<BODY>
<h1>Welcome to Sumatra's Add2Calendar Web Accelerator.</h1gt;<br>
<h2>Overview:</h2><p>Not all web sites have an "add this event to your calendar" button....
<br><br><br><Please click the button to add the accelerator to your browser.<br>
<button id="btnAdd2Calendar" onclick="window.external.AddService('http://www.sumatra.com/add2calendar/add2calendar.xml')">Install Sumatra's Add2Calendar Accelerator</button>
<p>Copyright © 2000-2010 Sumatra Development LLC. All rights reserved.<br>

Hopefully this gets you started!

The accelerator doesn't parse everything, yet. It's work in progress. If you use the accelerator, and you have comments (and issues, too!), please post or email us: info AT sumatra DOT com

Ampersands in email addresses

Just ran a few thousand users from Oracle Calendar into Exchange (at a very security conscious site so we were not able to look at their mappings beforehand), and they had some problems with ampersands in email names.

Yep. Bad karma all around.

In fact, you should not be using most special characters for object names, as Microsoft documents here for Exchange 2003 and here for Exchange 2007.

Exchange Calendar Issues fixed with Rollups

Microsoft released rollups for its Exchange Servers on April 13, 2010:

• Update Rollup 10 for Exchange Server 2007 SP1 (KB981407),
• Update Rollup 4 for Exchange 2007 SP2 (KB981383), and
• Update Rollup 3 for Exchange 2010 (KB981401).

I want to report the calendar-related issues that these rollups fix:

Exchange 2007 (SP1 and SP2) - No calendar-related fixes in this rollup

Exchange 2010

1. RPC clients or MAPI on the Middle Tier clients may not receive responses from the mailbox server role on an Exchange 2010 server (KB981664)

Note: Microsoft recommends that you Clear the 'Check for publisher’s certificate revocation' for Outlook users. For OWA users, this rollup overwrites any customizations made to your "logon.aspx" pages.

New one-step mapping method OCS to Exchange

 

Mapping OCS Users & Resources to Exchange Accounts

First, we assume that you have already imported the "users.txt", "resources.txt", and "foreign.txt" into the database using the xCalReader.

There is really only ONE step: Run the query Q_Build_MM_Exchange_User_Map_From_Users

 

THAT'S IT!

We urge you to review the mapping table "MM_Exchange_User_Map" to ensure all accounts have been mapped, and that all accounts have an email address.

 

What happens if I want to change the email address for a few users in the Users table?

Edit the table User_Adjusted_Maps. You must copy the userid, UserNum, and mmLogin from the Users table, although we recommend you copy ALL fields. This makes review easier because you know who the accounts belong to! Add the exchange alias (exch_alias) and exchange SMTP address (exch_email). In the following example, we changed Peter W's email to peterw@nl.th....

 

 

 

What happens if users do not have email in the Users table?

Look in the "Exchange_email_Src" tab for "***Missing Email***", or look for unusual email in the exchange_email tab.

 

Is there a "query" to copy all users with blank emails in the Users table to the User_Adjusted_Maps table?

Yes. It's called "Q_Add_Users_with_Missing_Emails_to_User_Adjusted_Maps"

You will have to add the Exchange Alias and Exchange email address, AND the Exchange type. The choices are "Individual" for a user or group calendar account, and "Resource" for a conference room.

 

I do not see that query in my database?

You must have database version Blank_Conversion_DB_v8.13.0.0413.mdb or greater

 

Meeting Maker sites migrating to Exchange

You can use the exact same queries and methods above, but make sure the email you want to have in Exchange is associated with the MM account you are migrating using MM Admin.

Web-Based Meeting Schedulers via Mashable

I'm posting this up here for those of you who are interested.

Mashable has a review of four web-based meeting schedulers.

4 Web-Based Meeting Schedulers Reviewed

I actually tried Tungle and found it more trouble than it was worth (but that was at least a year ago). And why on earth would anyone name an app Doodle?

Since we deal with corporations I do not think this any of these are going to be high on the agenda among our loyal readers -- but you should see what the twenty-somethings in your organization are going to be trying to integrate with Exchange.

Migrating Large Oracle Calendar installations to Exchange by Subsets

Migrating Subsets of Larger Oracle Calendar Server Installations

April 9, 2010

Background: In re-creating meetings as live meetings from OCS, Sumatra uses the calendar of the meeting ORGANIZER as the definitive source for guest status. Since Exchange is a message-based system, it is crucial that in re-creating the calendar state calendar invitation come from the meeting owner. However, in the case where migrations must be done in phases, it is desirable to maintain as much as possible information from users external to the subset being migrated. This process deals with that.

As an example, let's say that we have an OCS installation in Europe that consists of about 2000 users in the Local users (NL) and 20,000 FOREIGN users (FR). Let's say the NL server is the first to migrate.

We have two issues, NL users as guests of meetings originated by FR users, and FR users as guests of meetings originated by NL users, as per the following table.

		As Owner
		NL	FR
As Guest	NL	OK	Case FR OWNER => insert as appointment in NL calendar?
	FR	Mail Contact	NOT YET MIGRATED

 

Process Change xCalReader Phase

1. Create an additional Users export file of the FOREIGN users and name it FOREIGN.TXT
   

1. Use the following command to generate this file from the FOREIGN OCS server:
   

uniuser -ls -format "%s%:%g%:%uid%:%id%:%node-id%:%email%:" -n 1 -p jimmorrison >foreign.txt

NOTE the additional %email% which will give us the email of that user as defined in OCS. We will need this information for the foreign users.

1. Place this file in the same directory as your USERS.TXT and UNICPOUTU export files. This means both of these files will be read and populated into the database at the same time before any calendar data.
   
2. You will have a new option in xCalReader to ANNOTATE calendar items from Foreign (FR) users.
   
3. Server NODE numbers MUST be different between the USERS.TXT and the FOREIGN.TXT files (see below – we want to assure that our created User ID numbers are unique – and NODE is one of the concatenated elements in this)
   

Notes In converting the users, invitations to NL users from FR users will be appointments in calendars. When the FR users who are OWNERS migrate, these will be overlayed with LIVE meeting data in Exchange. The user can then delete (or keep as they will) the appointment knowing that the meeting data will be updated with changes.

Using a mail contact has the following requirements and repercussions:

We do not (*think*) French users must be on NL server as MailContacts. Valid regular email addresses should be enough to generate invitation from NL owners to FR guests– but we want to encourage you to try it. French users will then receive Outlook calendar invitations to their mail accounts.

French users can accept/decline/ignore, Sumatra process does not create state for these users.

NOTE: this means there will be the original OCS meeting and the new meeting in their calendars, but the new Exchange/Outlook one will be the one updated when a NL user makes changes.

 

Code changes in xCalReader will act so as to

1. Automatically read FOREIGN users
   

1. Convert meetings from foreign users into appointments in guest calendars
   
2. Allow for an administrator defined "Tag" for foreign user originated meetings.
   

 

Process Change User Mapping Phase

User mapping proceeds as documented, except the FOREIGN users will need to be mapped as well. We're documenting this and will forward ASAP.

 

Process Change SuExchange2007

Code changes in SuExchange2007 will act so as to

1. Automatically validate foreign users
   
2. Not generate error messages for foreign user validation
   
3. Create FOREIGN users as guests
   

This will be transparent to current operation but will require testing.

 

 

Things we want you to be aware of

We already know we are not going to get access to any of your data – so we need you to be looking at it for us.

1. Once both USERS.TXT and FOREIGN.TXT are in – we need you to make sure there are no duplicated USER IDs in the USER table. We can tell you how to do this if need be.
   
2. We need you to test this first in miniature and then in full-scale as quickly as possible.
   
3. We could really use sample data from you "users.txt" and "foreign.txt", plus a user's export file that has foreign user meetings (both as an owner, and as a guest)
   

Resource Forest Redux

We just re-wrote the sections on our migration manual dealing with Resource Forests in Exchange 2007/2010 -- here's the early version

• The "User Forest" - I started with an existing AD 2003 Domain - ad03.herring.sumatra.local (windows server 2003)
  
  • Create a user account "Blarney Stone", alias = bstone in the herring.sumatra.local domain
    
• The "Resource Forest" - a new VM: "Resource" forest domain called Sherwood: ex07res.sherwood.sumatra.local. The CAS server is "ex07res"
  
  • In AD Domains & Trusts:
    
    • Ensure DOMAIN AND FOREST levels are windows 2003
      
    • Created a TWO-way: forest trust between the Resource & User forests (Sherwood to Herring) Note: A resource forest trust is a configured ONE-way trust between the Resource & User domains. If you do this, the service account won't be able to see AD, and thus won't be allowed to access anyone's mailbox.
      

Example of the TWO-WAY forest trust between the resource (Sherwood) and the user forest (Herring) (Shown from Active Directory Domains and Trusts)

• In AD Users & Computer on the RESOURCE FOREST ("sherwood"):
  
  • Added the computer ex07res to built-in group windows authorization access group
    
  • Create a service account deleg8 in the resource forest (A new USER account).
    
• Use Exchange Management Console to:
  
  • Create LINKED mailboxes "Blarney Stone" alias = bstone (in sherwood.sumatra.local) Linked to bstone (in herring.sumatra.local)
    
  • Remember to reconfigure IIS to use SSL and have OWA default site property (in the server configuration) to use forms-based authentication
    
• In AD Users & Computer on BOTH the RESOURCE FOREST ("sherwood") AND on the USER FOREST (herring):
  
  • Right-hand click on the domain, get properties, and in the security tab Grant Deleg8 FULL ACCESS to AD. You'll have to go into advanced and set these permissions "for this object & all child objects". If you don't see the security tab, turn on Advanced Features under the View menu.
    

Example of granting FULL Control to this object & all child objects (Deleg8 on Sherwood

(Shown from Active Directory Users & Computers)

• In Exchange Management Shell, on the Resource Forest (sherwood), run this against your CAS server, "ex07res"
  
  • Add impersonation between the (resource forest) service account AND the user account:
    
    • Add-AdPermission -Identity (Get-ExchangeServer -Identity "ex07res").Identity -User sherwood\deleg8 -ExtendedRights ms-Exch-EPI-May-Impersonate, ms-Exch-EPI-Impersonation, send-as, receive-as -accessrights genericall -inheritanceType All
      
    • Add-AdPermission -Identity "Blarney Stone" -User sherwood\deleg8 -ExtendedRights ms-Exch-EPI-May-Impersonate, ms-Exch-EPI-Impersonation, send-as, receive-as -accessrights genericall -inheritanceType All
      
  • Grant Full access to the (resource forest) service account AND the user account:
    
    • Add-MailboxPermission -Identity "Blarney Stone" -User sherwood\deleg8 -ExtendedRights fullAccess -InheritanceType All
      

      
      

• In the Sumatra UI on a 32-bit machine:
  
  • Run the code as the resource service account (sherwood\deleg8)
    
    • I assume you've already granted that account local login rights, and made it a local administrator so you can read/write from the disk)
      
  • The forest: "herring.sumatra.local"; the SMTP domain: "sherwood.sumatra.local"
    
  • CAS server: ex07res (https://ex07res/ews/exchange.asmx)
    
  • Access calendar using: IMPERSONATE
    
  • Test user: bstone (SMTP address: bstone@sherwood.sumatra.local)
    

    
    

• Other Notes and Deviations from the Sumatra documentation:
  
  • Something changed between Exchange 2007 RTM and SP1/SP2. we've had to change our process.
    
  • Microsoft's David Sterling said that EWS expects there to be some sort of AD object in the resource forest to represent the cross forest account, and unfortunately, a foreign security principal is not enough. He wrote out instructions here: http://msexchangeteam.com/archive/2008/04/18/448727.aspx. BUT it doesn't work because he recommends duplicating a SID between the User and Resource forests. That generates lots of AD errors for that service account, and breaks OWA access (as that service account).
    
  • The tool to set permissions on the RESOURCE forest (Sherwood) MIGHT cause you problems because it does not explicitly set permission inheritance. So the permissions might allow you to validate against the mailbox, but NOT insert calendar data. Here was the tool: http://msexchangeteam.com/files/12/attachments/entry447730.aspx
    

• Use the Get-Mailbox -resultsize unlimited add-mailboxpermission to set permissions for all accounts, e.g., Get-Mailbox -resultsize unlimited Add-AdPermission -User sherwood\deleg8 -ExtendedRights ms-Exch-EPI-May-Impersonate, ms-Exch-EPI-Impersonation, send-as, receive-as -accessrights genericall -inheritanceType All
  

  PowerShell example of using get-mailbox (you might see warnings if you've already applied the ExtendedRights to some mailboxes.
  

  
  

• We set AD access on both the RESOURCE and the USER forests
  
• We were able to add a test item using impersonation. Delegation was not working.
  
• After the migration:
  
  • Remove the service account's full access permissions in AD
    
  • Set the trust back to a one-way trust
    
  • Remove the service account
    

• Other fun facts about resource forests:
  
  • Full Disclosure: I am not a fan of Resource Forests. Yes, they offer additional security. At the cost of 4x the complexity. I apologize to you who have implemented them successfully and are happy Exchange Admins. I'm not alone in that opinion. How a resource forest can make you cry is Vermyndax's rant.
    
  • It's easy to implement the Resource Forest in a way that causes the end user's lots of pain. For example:
    
    • Every time the user logs in to Exchange, they have to enter their resource forest credentials. That's almost as bad as my car: it automatically locking the doors once the car starts moving. Great for safety. But, every time I want to exit the car, I either have to either unlock the door before I can open it, OR pull the door handle twice – the first time UNLOCKS the door, the second time OPENS the door. Great security design. Miserable user experience. But I digress. The way around this, by the way: You have to assign the account in the USER forest these additional rights:
      
      • "Read Permissions",
        
      • "Full Mailbox Access", and
        
      • "Associated External Account"
        
    • We had problems when some DELEGATES tried to access their boss' calendars and could not. We discovered those delegate mailboxes did not reside on the same server as their boss's mailbox. The solution: move the delegates mailbox!
      
    • There were access problems for customers who have public folders (you need them if you have Outlook 2003, or if your organization uses public folders). I couldn't figure out how to solve the access problem. Thankfully Jim McBee "Mostly Exchange Web Log" AND Jesper Bernle's Exchange Server blog wrote about how to solve it. Jim McBee found and fixed issues with permissions and delegate mailboxes.