Lync Server 2013 Resource Forest Deployment with Manual Sync · Technet Blog ; Introduction I would like to share detailed information on Lync 2013 resource forest setup with manual

Technet Blog ; http://blogs.technet.com/b/saleesh_nv/

Lync Server 2013 – Resource Forest Deployment with Manual Sync

Saleesh Neduvayalil

http://blogs.technet.com/b/saleesh_nv/


Introduction

I would like to share detailed information on Lync 2013 resource forest setup with manual sync configuration. Currently, I have two AD forests as seen below. Contoso.com is the resource forest where in Lync server is hosted and fabrikam.com is my user forest. Following steps will help you with Lync resource forest deployment.

Prerequisites For Lync resource forest deployment

A) DNS Zone Creation

We need to create secondary DNS Zone in each forest for DNS resolution. Following steps will help you with DNS configuration.

Login to resource forest DNS server and open DNS Manager. Right click on forward look up zone and select new

zone;


http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-90-66/4505.1.png



Click next on new DNS zone snap in window ;

Select secondary zone as below and click next;





Enter fabrikam.com as secondary DNS zone in resource forest and click next;

Add master DNS server FQDN/IP address and click next ;





Once zone information has been validated. Click finish and complete the zone creation.

Repeat the same steps for User forest and add contoso.com as secondary DNS zone and complete the configuration.

B) Add Additional SIP domain

If customer wants to use fabrikam.com as default SIP domain for user forest , we should add fabrikam.com as an additional sip domain in Lync topology. This will make sure that fabrikam users can login to Lync client via local domain. Also make sure that Lync pool certificate have all necessary SAN entries added for fabrikam.com. Following screenshot may help you;





C) Configure Forest Trust

Next step is to configure trust between contoso and fabrikam forest. Following steps may help you with trust configuration.

Login to contoso domain controller and open Active directory domains and Trusts;

Right on contoso domain and select properties;





Select trust tab and click on New Trust as highlighted below;

Click next on new trust snap in ;





Enter fabrikam.com for creating the trust and click next;

Select forest wide trust and click next;





One way trust is sufficient to build the resource forest topology. I have selected two way trust so that all feature will work as expected. Select two way trust and click next;

Select this domain only option and click next;





Select forest-wide authentication and click next;

Enter the trust configuration password and click next;





Click next to complete the configuration;

Confirm outgoing trust check box and click next;



http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-90-66/12.png


Also confirm incoming trust and click next;

Click on finish and trust configuration has been completed successfully.





You should be able to see fabrikam.com in the forest trust list.




User provisioning and Manual Sync Configuration

D) User Provisioning

Create a new user in fabrikam forest (User Forest) ;

Create a matching user in contoso forest (Resource Forest) and right click and disable the user.





Now contoso forest user has been disabled successfully;

Login to Lync control panel and click on enable users ;

Find the users from AD and select the disabled user from the list;






Specify primary sip domain for the disabled user as fabrikam.com and enable the user. Following screenshot may help you;

Now disabled user has been provisioned for Lync 2013.





E) Manual attribute Sync

Login to fabrikam domain control and open active directory users and computers. Select the new user created earlier and click on attribute editor. ( You may need to enable advanced feature in the ADUC snap in view to see attribute editor tab). Find objectSID attribute;

Click on ObjectSid , copy the value in a notepad as highlighted below;





Login to contoso forest and open ADUC. Select disabled user and open user properties page and select attribute editor. Find msRTCSIP-Originatorsid attribute ;

Click on msRTCSIP-Originatorsid attribute and click on edit , paste the value which you copied from user forest objectsid as mentioned above and Click OK. Following screenshots may help you.





I have successfully updated msRTCSIP-Originatorsid value , apply and OK.

You need to make sure that following attributes are matching between user forest and resource forest user.





F) User Behavior and Testing

Let me test the user behavior in user forest. Login to fabrikam forest machine with domain user ID and password.

Launched Lync 2013 client and enter SIP URI enabled in resource forest ;





You may get certificate warning at first time. Select always trust this server check box as below.

You may get following error on first time login. You should enter fabrikam\userID (user forest) and password for authentication.

Once completed , you should be able to sign in to Lync client successfully.





G) Certificate Trust

If you don't have contoso forest root certificate on fabrikam client machine , you may get below error.





Export the root CA from contoso forest and copy to fabrikam client machine. Open MMC and open certificate console. Import the root CA under trusted root certificate authority folder.

Select the imported certificate on the client machine.

Contoso root CA has been successfully imported to fabrikam client.





H) SID Mapper Testing

If you don't have exchange server in resource forest , you may get following error while running SID Mapper tool on Lync 2013 server. Following screenshot may help you.

I have installed exchange 2010 server in resource forest for testing, SIP mapper tool started working as expected.

Summary

Manual sync is not the best way to manage large resource forest organization. However , this article may help you to

understand the requirements and configuration required for Lync resource forest deployment.





Documents

Lync Server 2013 Resource Forest Deployment with Manual Sync · Technet Blog ; Introduction I would like to share detailed information on Lync 2013 resource forest setup with manual