Deploy Lync Server 2010 in a Resource Forest Topology (Part 1)

with 8 comments

The Lync system is normally running in the same forest of user accounts. However, in some situation, we have to put it in a resource forest. For example:

1. The account forest functional level is lower than Windows 2003. For example, Windows 2000, or windows 2000 mixed. Lync Server deployment requires Windows 2003 forest functional level.

2. There are multiple forests in your company and users in other forests wants to use your Lync server with SSO.

3. Due to some security consideration, you want to separate resources into different forests.

There is one Microsoft Technet document talking about it.

Deploying Lync Server 2010 in a Multiple Forest Environment

http://technet.microsoft.com/en-us/library/gg670909.aspx

I am here to show a detail procedure and a real sample about how to do this.

Some basic concepts first:

a. Account Forest

The forest hosts Users and Groups.

b. Resource Forest

In a resource forest topology, Lync Server 2010 is deployed in one forest, a resource forest that hosts servers running Lync Server 2010 but does not host any logon-enabled user accounts. Outside the resource forest, account forests host enabled user accounts but no servers running Lync Server 2010. Within the resource forest, a corresponding disabled user account exists for each user account in the user forests.

c. AD Attribute mapping

The resource forest hosts only enterprise application servers and does not contain any primary user accounts. The primary user accounts from other forests are represented as disabled user accounts. An ObjectSID of primary user account (from account forest) is mapped to corresponding disabled user account msRTCSIP-OriginatorSID attribute. These disabled user accounts are enabled for Lync Server 2010 service. If the account is also enabled for mail-enabled for Microsoft Exchange Server, the ObjectSID should already be copied to msExchMasterAccountSid attribute. So you can use a tool called LcsSync (sidmap.wsf ) to help you copy the ObjectSID value from the AD attribute (msExchMasterAccountSid) to the attribute (msRTCSIP-OriginatorSid) for every disabled user in the forest.

d. Trust between account forest and resource forest

1. It does not require the 2 forests to be the same functional level. For example, the account domain can be Windows 2000 mixed, the resource forest can be Windows 2008. So we might not be able to build a “Forest type” trust. So the “External type” of forest trust is best option to support this. Here is a list for trust type between forests. Trust type Transitivity Direction Description External Nontransitive One-way or two-way Use external trusts to provide access to resources located on a Windows NT 4.0 domain or a domain located in a separate forest that is not joined by a forest trust. For more information, see When to create an external trust. Realm Transitive or nontransitive One-way or two-way Use realm trusts to form a trust relationship between a non-Windows Kerberos realm and a Windows Server 2003 domain. For more information, see When to create a realm trust. Forest Transitive One-way or two-way Use forest trusts to share resources between forests. If a forest trust is a two-way trust, authentication requests made in either forest can reach the other forest. For more information, see When to create a forest trust. Shortcut Transitive One-way or two-way Use shortcut trusts to improve user logon times between two domains within a Windows Server 2003 forest. This is useful when two domains are separated by two domain trees. For more information, see When to create a shortcut trust. 2. Since we are going to use the msRTCSIP-OriginatorSid attribute of resource forest object to map the ObjectSID value of account forest object, we need to disable the “security identifier (SID) filter quarantining” on the forest trust. The netdom command is used to perform this job. Command to disable “curity identifier (SID) filter quarantining”. netdom trust DomainA /D:DomainB /UD:DomainB\Administrator /PD:* /UO:DomainA\Administrator /PO:* /Quarantine:no For example, the contoso forest (resource forest) TRUST the fabrikam forest (account forest), to disable the SID filtering on the trust: netdom trust contoso.com /domain:fabrikam.local /quarantine:No /userD:fabrikam\administrator /passwordD:* /userO:contoso\administrator /passwordO:* 3. If Lync server is in resource forest, Exchange server is in account forest, and if we need to enable Exchange Unified Messaging (UM) and other Lync Server to office integration scenarios, the msRTCSIP-PrimaryUserAddress has to be added to list of proxyAddresses in both Microsoft Exchange Server and Lync Server forests, and a two-way trust should be established between both forests. But if UM feature is not required, or Lync and Exchange are both in the resource forest, a one-way trust is good enough.

Now let’s show the topology of the sample system. The following diagram shows how the organization Fabrikam has:

• Account forest: shanghai.fabrikam.local. All user accounts and groups, and Exchange mailboxes are in this forest. (Domain controller: DC01.shanghai.fabrikam.local.)
• Resource forest: Febres.com. The Lync server is running in the Febres.com. (Domain controller: DC02.Febres.com. Lync server: LyncSrv01.Febres.com)
• Email addresses: @Fabrikam.com, @Fabrikam.local
• SIP addresses are same email addresses.
• Assume the UM feature is not required here, so a one-way trust is built (FebRes.com trust Shanghai.Fabrikam.com).
• SID filtering is disabled on the trust.
• FIM 2010 is used to synchronize the required accounts to the resource forest as a disable account, and flow necessary attributes to them.
• Test clients: client01, client02
• No firewall is blocked between the 2 forests.

Advertisement

Written by actionxp

September 4, 2011 at 1:42 am

Posted in Lync Server 2010