I have a conceptual question:
I manage user accounts for local network access using Active Directory (let's call this network A). We use an external service provider for email accounts, who's also running Active Directory for account management (network B).
In this configuration, every user ends up with two usernames: one for the local network (A), and one for email (B). Let's call the usernames DOMAIN_A\username and DOMAIN_B\username.
I was wondering whether these usernames could be unified by creating a trust relationship between the two Active Directory servers? Is that possible? It seems to me right now that the purpose of an AD trust relationship is only to allow users from network B to authenticate against their home AD while being on network A. Does a trust relationship also allow connecting / mapping AD accounts on different networks (different ADs), so that using a single username will log the user into both network A and network B? That is, using DOMAIN_A\username as a log-in, I can log in to both network A resources and network B resources? If this is indeed possible, how do you have to set up the mapping between DOMAIN_A\username and DOMAIN_B\username? The two ADs won't be able to guess which usernames belong to the same user.
EDIT: this website might have the solution. However it is still unclear to me.
That link you posted may work, but you need to be clear on this:
There is no such thing as merging / joining / combining / whatever Active Directory accounts - this is the same whether on a single domain, single forest, multiple domains, multiple forests with trusts etc etc etc
In your case, an account on Network A is always mutually exclusive to an account on Network B - even if they were to share the same username.
It may help if you always think of the username in terms of "DOMAINA\Username" vs "DOMAINB\Username" - you should see now how these two will always be different.
With regards to Exchange, you have a mailbox belonging to DOMAINB\john.smith - by using that link, you're setting up permissions so that DOMAIN\smith.john can access the account. Just in the same way that, on a single domain, you may give a manager access to someone else's e-mail.
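As an added example (not part of the question or the answer above), this is how the per-user mapping the answer describes could be scripted: an administrator supplies the DOMAINA-to-DOMAINB pairs explicitly, and each DOMAINA user is granted access to exactly one DOMAINB mailbox. It assumes the script runs in the DOMAINB Exchange Management Shell, that DOMAINB trusts DOMAINA so DOMAINA principals resolve, and that the CSV content and usernames are constructed for illustration.

```powershell
# Added example, not from the question or answer: grant each DOMAINA user
# explicit access to the matching DOMAINB mailbox. The mapping is supplied by
# the admin because, as the answer notes, neither directory can guess which
# usernames belong to the same person.
# Assumptions: DOMAINB Exchange Management Shell, DOMAINB trusts DOMAINA,
# and the CSV below is constructed sample data.

$mappingCsv = @"
MailboxB,UserA
john.smith,DOMAINA\smith.john
jane.doe,DOMAINA\doe.jane
"@
$mapping = $mappingCsv | ConvertFrom-Csv

foreach ($row in $mapping) {
    # Check for an existing explicit FullAccess grant first so the script
    # is idempotent and every new grant is visible in the output for audit.
    $existing = Get-MailboxPermission -Identity $row.MailboxB -User $row.UserA -ErrorAction SilentlyContinue |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited }

    if ($existing) {
        Write-Output "SKIP  $($row.UserA) already has FullAccess on $($row.MailboxB)"
        continue
    }

    # Least privilege: mailbox access only (no Send-As, no admin role), and
    # AutoMapping off so the mailbox is not silently attached in Outlook.
    Add-MailboxPermission -Identity $row.MailboxB -User $row.UserA `
        -AccessRights FullAccess -InheritanceType All -AutoMapping $false | Out-Null
    Write-Output "GRANT $($row.UserA) -> $($row.MailboxB) (FullAccess)"
}

# Review step: list every non-inherited grant on the mapped mailboxes, other
# than the mailbox owner's own SELF entry, so unexpected delegates stand out.
$mapping | ForEach-Object {
    Get-MailboxPermission -Identity $_.MailboxB |
        Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' } |
        Select-Object Identity, User, AccessRights
}
```

Send-As is a separate Active Directory extended right and is not granted by this script; if a mapped user also needs to send from the mailbox, that must be added and reviewed on its own.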