If the Archive Manager service accounts and security groups reside in a foreign forest (from the perspective of the Exchange Org) the usual method used to grant Exchange View Only permission will not work.
If the Archive Manager service accounts and security groups reside in a foreign forest (from the perspective of the Exchange Org) it will not be possible to grant View Only permission in the usual way because the underlying Universal Security Group (in the Exchange Org) can only contain accounts or groups from the same forest. To grant View Only permission to an account or group in a foreign forest, a Linked Role Group will need to be created.
Configuring a linked role group requires a trust between the Active Directory forest in which the linked role group will reside (Where Exchange 2010 is installed), and the foreign Active Directory forest where the service accounts for Archive Manager exist.
The following information about the foreign Active Directory forest is required:
Credentials:
A user name and password that can access the foreign Active Directory forest. This information is used with the LinkedCredential parameter on the New-RoleGroup cmdlet. This information is obtained by running the Get-Credential cmdlet. The format of the user name is domain\username.
Domain controller:
The fully qualified domain name (FQDN) of an Active Directory domain controller in the foreign Active Directory forest.
In the script below, replace: DC.FOREIGNDOMAIN.COM with the name of a domain controller in the foreign domain.
Foreign USG (Universal Security Group):
Create a Universal Security Group in the Foreign forest where the Archive Manager service accounts exist called:
"View-Only Organization Management - Linked"
Add the "Archive Manager Exchange Admin" security group as a member of the new group.
Run these 2 commands on an Exchange 2010 server:
$ForeignCredential = Get-Credential
New-RoleGroup -Name 'View-Only Organization Management - Linked' -Roles 'Monitoring', 'View-Only Configuration', 'View-Only Recipients' -Description 'Members of this management role group can view recipient and configuration objects and their properties in the Exchange organization. Linked to Universal Group in Foreign Forest' -LinkedForeignGroup "View-Only Organization Management - Linked" -LinkedDomainController DC.FOREIGNDOMAIN.COM -LinkedCredential $ForeignCredential
For additional information on Linked Role Groups see: http://technet.microsoft.com/en-us/library/dd876918.aspx
