You are the messaging engineer for your company. Your company has a Windows Server 2003 Active Directory forest that contains one domain named Contoso. You plan to deploy Exchange Server 2007.
You need to recommend an Active Directory design that meets the following requirements:
Prevent the Contoso enterprise administrators from managing Exchange mailbox settings.
Prevent Exchange server administrators from managing Contoso user accounts.
Use one administrative console to manage all mailboxes and associated access permissions.
Which Active Directory design should you recommend?
A. one Active Directory forest that contains multiple domains
B. one Active Directory forest that contains one domain
C. two Active Directory forests that have a cross-forest trust relationship
D. two Active Directory forests that have no trust relationship
Explanation:
To separate the administration of Active Directory from that of Exchange objects, establish a separate AD forest dedicated solely to running Exchange. In this model, all active users and computers are contained in one or more Accounts Forests, and Exchange is installed by itself in a separate Resource Forest. A one-way trust links the forests: the Resource Forest trusts the Accounts Forests. This way, all active users can access their mailboxes.
Because an Exchange organization can't cross forest boundaries, each mailbox created in the Resource Forest requires that a corresponding user object also be created in the same forest. These placeholder accounts are disabled by default, so they can never be logged on to and used to break into the wider organization. Typically, active users never realize these duplicate, inactive accounts even exist.
Active users in the Accounts Forest must be granted permission to log on to their Resource Forest mailboxes. This is accomplished by including the SID of each user in the msExchMasterAccountSID attribute of the disabled placeholder account.
Because all Exchange objects are contained in the Resource Forest, from the perspective of Exchange and Outlook, a single GAL supports all users across all forests in the organization.
http://technet.microsoft.com/en-us/library/bb124765.aspx
http://www.msexchange.org/articles_tutorials/exchange-server-2007/planning-architecture/deploying-exchange-resource-forest-part1.html
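The explanation above depends on two properties of every Resource Forest placeholder: it stays disabled, and its msExchMasterAccountSID holds the SID of exactly the intended Accounts Forest user. The following Python script is an added example, not part of the original explanation or of any Microsoft tooling, that checks both over an LDIF export of mailbox-enabled users. The export layout, the DNs, the domain SID and the RIDs are constructed sample values, and flagging a master SID shared by two mailboxes for review is this example's own choice.

```python
import base64
import struct

ACCOUNTDISABLE = 0x0002  # userAccountControl bit: account is disabled

def sid_to_str(raw):
    """Binary SID -> 'S-1-5-21-...' (authority big-endian, sub-authorities little-endian)."""
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:8 + 4 * raw[1]])
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])

def parse_ldif(text):
    """Yield a dict per record; 'attr:: value' (base64) becomes bytes. No line folding."""
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            b64 = value.startswith(":")
            rec[name.lower()] = base64.b64decode(value[1:].strip()) if b64 else value.strip()
        yield rec

def audit(text, accounts_domain_sid):
    """Return (dn, problem) pairs for Resource Forest mailbox accounts."""
    findings, seen = [], {}
    for rec in parse_ldif(text):
        dn, raw = rec["dn"], rec.get("msexchmasteraccountsid")
        if raw is None:  # mailbox account that no Accounts Forest user is linked to
            findings.append((dn, "no master account SID"))
            continue
        sid = sid_to_str(raw)
        if not int(rec.get("useraccountcontrol", "0")) & ACCOUNTDISABLE:
            findings.append((dn, "placeholder account is enabled"))
        if not sid.startswith(accounts_domain_sid + "-"):
            findings.append((dn, "master SID is not from the accounts domain"))
        if sid in seen:  # surfaced for review (assumption of this example)
            findings.append((dn, "master SID already used by " + seen[sid]))
        seen.setdefault(sid, dn)
    return findings

def _sample_sid(*subs):  # builds base64 SIDs for the constructed sample only
    raw = bytes([1, len(subs), 0, 0, 0, 0, 0, 5]) + struct.pack("<%dI" % len(subs), *subs)
    return base64.b64encode(raw).decode()

DOMAIN = (21, 1111111111, 2222222222, 3333333333)  # constructed accounts-domain SID
DOMAIN_SID = "S-1-5-" + "-".join(map(str, DOMAIN))
ROWS = [("alice", 514, 1105), ("bob", 512, 1106), ("carol", 514, 1105), ("dave", 514, None)]
SAMPLE_LDIF = "\n\n".join(
    f"dn: CN={n},OU=Mailboxes,DC=exch,DC=example\nuserAccountControl: {uac}"
    + (f"\nmsExchMasterAccountSid:: {_sample_sid(*DOMAIN, rid)}" if rid else "")
    for n, uac, rid in ROWS)
```

Calling `audit(SAMPLE_LDIF, DOMAIN_SID)` reports the enabled placeholder (bob), the mailbox that reuses alice's master SID (carol), and the mailbox with no master SID (dave).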