William Yang's Techbox

Ideas for Exchange Server, FIM, RMS, Lync, etc

Deploy Lync Server 2010 in a Resource Forest Topology (Part 1)

with 8 comments

Lync Server normally runs in the same forest as the user accounts. In some situations, however, it has to be placed in a separate resource forest. For example:

1. The account forest functional level is lower than Windows Server 2003 (for example, Windows 2000 native or Windows 2000 mixed). Lync Server 2010 requires the Windows Server 2003 forest functional level, so it cannot be deployed into such a forest.

2. The company has multiple forests, and users in the other forests want to use your Lync server with single sign-on (SSO).

3. For security reasons, you want to keep the servers (resources) in a different forest from the user accounts.

There is a Microsoft TechNet document on this subject:

Deploying Lync Server 2010 in a Multiple Forest Environment


Here I show a detailed procedure and a real sample of how to do this.

Some basic concepts first:

a. Account Forest

The forest that hosts the users and groups.

b. Resource Forest

In a resource forest topology, Lync Server 2010 is deployed in one forest, the resource forest, which hosts the servers running Lync Server 2010 but does not host any logon-enabled user accounts.

Outside the resource forest, one or more account forests host the enabled user accounts but no servers running Lync Server 2010. Within the resource forest, a corresponding disabled user account exists for each user account in the account forests.

c. AD Attribute mapping

The resource forest hosts only enterprise application servers and does not contain any primary user accounts. Each primary user account from an account forest is represented by a disabled user account in the resource forest. The objectSid of the primary user account (from the account forest) is written into the msRTCSIP-OriginatorSid attribute of the corresponding disabled user account, and these disabled user accounts are then enabled for Lync Server 2010. When the user authenticates with account-forest credentials, Lync Server matches the SID in the user's token against msRTCSIP-OriginatorSid to find the Lync-enabled object.

If the account is also mail-enabled for Microsoft Exchange Server in a resource forest model, the objectSid has already been copied into the msExchMasterAccountSid attribute. In that case you can use the LcsSync tool (the sidmap.wsf script) to copy the value from msExchMasterAccountSid into msRTCSIP-OriginatorSid for every disabled user in the forest.
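If Exchange is not in the resource forest (as in the sample below), there is no msExchMasterAccountSid to copy from and the SID has to be read from the account forest itself. The following PowerShell script is an added example, not code from the original post or from the LcsSync tool: it reads each account-forest user's objectSid, writes it into msRTCSIP-OriginatorSid on the matching disabled account in the resource forest, and reads it back to verify. The server names follow the sample topology in this post; the matching rule (same sAMAccountName in both forests), the use of the ActiveDirectory PowerShell module, and the credential prompt are assumptions.

```powershell
# Added example (not from the original post or from LcsSync): map account-forest
# objectSid values into msRTCSIP-OriginatorSid on the disabled twins in the
# resource forest, then verify. Assumes the ActiveDirectory module and that the
# twin carries the same sAMAccountName as the primary account.
Import-Module ActiveDirectory

$AccountDC   = 'DC01.shanghai.fabrikam.local'   # account forest DC (post's sample)
$ResourceDC  = 'DC02.Febres.com'                # resource forest DC (post's sample)
$AccountCred = Get-Credential -Message 'Account-forest credentials (read-only is enough)'

function ConvertTo-Sid {
    # AD cmdlets return SID-syntax attributes as SecurityIdentifier and octet
    # strings as byte[]; accept either so the verification step is robust.
    param($Value)
    if ($Value -is [System.Security.Principal.SecurityIdentifier]) { return $Value }
    return New-Object System.Security.Principal.SecurityIdentifier([byte[]]$Value, 0)
}

function Get-SidBytes {
    # The attribute must be written as the binary SID, not the "S-1-5-21-..." string.
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    $bytes = New-Object byte[] $Sid.BinaryLength
    $Sid.GetBinaryForm($bytes, 0)
    return $bytes
}

# Only disabled accounts are candidates: a logon-enabled account in the
# resource forest must never be pointed at another forest's SID.
$shadows = Get-ADUser -Server $ResourceDC -Filter 'Enabled -eq $false' `
             -Properties 'msRTCSIP-OriginatorSid','msExchMasterAccountSid'

foreach ($shadow in $shadows) {
    $primary = Get-ADUser -Server $AccountDC -Credential $AccountCred `
                 -Filter "sAMAccountName -eq '$($shadow.SamAccountName)'" -ErrorAction SilentlyContinue
    if (-not $primary) {
        Write-Warning "$($shadow.SamAccountName): no matching account-forest user, skipped"
        continue
    }

    # If Exchange already stamped msExchMasterAccountSid, it must agree with the
    # account forest; a mismatch means the twin is linked to a different account.
    if ($shadow.msExchMasterAccountSid) {
        $master = ConvertTo-Sid $shadow.msExchMasterAccountSid
        if ($master.Value -ne $primary.SID.Value) {
            Write-Warning "$($shadow.SamAccountName): msExchMasterAccountSid $($master.Value) != $($primary.SID.Value), skipped"
            continue
        }
    }

    Set-ADUser -Server $ResourceDC -Identity $shadow `
        -Replace @{ 'msRTCSIP-OriginatorSid' = (Get-SidBytes $primary.SID) }
}

# Verification pass: read the attribute back and show the mapped SID per user.
Get-ADUser -Server $ResourceDC -Filter 'Enabled -eq $false' -Properties 'msRTCSIP-OriginatorSid' |
  Where-Object { $_.'msRTCSIP-OriginatorSid' } |
  ForEach-Object {
      [pscustomobject]@{
          User          = $_.SamAccountName
          OriginatorSid = (ConvertTo-Sid $_.'msRTCSIP-OriginatorSid').Value
      }
  } | Format-Table -AutoSize
```

Run it from the resource forest with resource-forest rights; the one-way trust (resource forest trusts account forest) means the account-forest DC is queried with explicit account-forest credentials. Accounts that cannot be matched, or whose Exchange master SID disagrees with the account forest, are reported and left untouched rather than guessed.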

d. Trust between account forest and resource forest

1. The two forests do not need to be at the same functional level. For example, the account domain can be Windows 2000 mixed while the resource forest is Windows Server 2008. A forest trust requires both forests to be at the Windows Server 2003 forest functional level, so in that case we cannot build one; an external trust between the two domains is the option that supports this.

Here is the list of trust types between domains and forests (from the Windows Server 2003 TechNet table):

External trust
  Transitivity: nontransitive
  Direction: one-way or two-way
  Use external trusts to provide access to resources located on a Windows NT 4.0 domain or a domain located in a separate forest that is not joined by a forest trust. For more information, see When to create an external trust.

Realm trust
  Transitivity: transitive or nontransitive
  Direction: one-way or two-way
  Use realm trusts to form a trust relationship between a non-Windows Kerberos realm and a Windows Server 2003 domain. For more information, see When to create a realm trust.

Forest trust
  Transitivity: transitive
  Direction: one-way or two-way
  Use forest trusts to share resources between forests. If a forest trust is a two-way trust, authentication requests made in either forest can reach the other forest. For more information, see When to create a forest trust.

Shortcut trust
  Transitivity: transitive
  Direction: one-way or two-way
  Use shortcut trusts to improve user logon times between two domains within a Windows Server 2003 forest. This is useful when two domains are separated by two domain trees. For more information, see When to create a shortcut trust.

2. Since the msRTCSIP-OriginatorSid attribute of the resource forest object is mapped to the objectSid of the account forest object, the "security identifier (SID) filter quarantining" on the trust has to be disabled. The netdom command is used to do this. Be aware of what this gives up: with quarantining off, the resource forest accepts any SID presented across the trust, including SIDHistory values, so an administrator (or an attacker with administrative rights) in the account forest can inject a resource-forest SID into SIDHistory and obtain that identity's access in the resource forest. Treat the account forest's domain administrators as having the same level of trust as the resource forest's administrators, and protect them accordingly.

Command to disable "security identifier (SID) filter quarantining" (DomainA is the trusting domain, here the resource forest root; DomainB is the trusted account domain):

netdom trust DomainA /D:DomainB /UD:DomainB\Administrator /PD:* /UO:DomainA\Administrator /PO:* /Quarantine:no

For example, where the contoso forest (resource forest) trusts the fabrikam forest (account forest), disable SID filtering on the trust with:

netdom trust contoso.com /domain:fabrikam.local /quarantine:No /userD:fabrikam\administrator /passwordD:* /userO:contoso\administrator /passwordO:*

Running the same command without a value after /quarantine displays the current setting, which is a quick way to confirm the change took effect.

3. If Lync Server is in the resource forest and Exchange Server is in the account forest, and you need Exchange Unified Messaging (UM) or the other Lync Server to Office integration scenarios, two more things are required: the msRTCSIP-PrimaryUserAddress must be added to the proxyAddresses list in both the Exchange Server forest and the Lync Server forest, and a two-way trust must be established between the two forests.

If the UM feature is not required, or Lync and Exchange are both in the resource forest, a one-way trust is sufficient.
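Before and after the netdom step it is worth confirming from the resource forest what kind of trust actually exists and whether quarantining is still set. The following PowerShell is an added example, not part of the original post: it reads the trustedDomain objects under CN=System in the resource forest and decodes trustDirection and the trustAttributes bit flags (TRUST_ATTRIBUTE_QUARANTINED_DOMAIN, 0x4, is the bit that netdom /quarantine toggles; FOREST_TRANSITIVE, 0x8, marks a forest trust rather than an external trust). The DC name follows the sample topology; the use of the ActiveDirectory module is an assumption.

```powershell
# Added example (not from the original post): report the trusts seen from the
# resource forest, decoding direction and attribute flags so you can check that
# the trust is external (no FOREST_TRANSITIVE) and whether SID filter
# quarantining (QUARANTINED_DOMAIN) is on. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$ResourceDC = 'DC02.Febres.com'   # post's sample; run against the trusting (resource) forest

# trustAttributes bit flags as documented in MS-ADTS (trustAttributes)
$TrustAttributeFlags = @{
    0x1  = 'NON_TRANSITIVE'
    0x2  = 'UPLEVEL_ONLY'
    0x4  = 'QUARANTINED_DOMAIN'    # SID filter quarantining; cleared by netdom /quarantine:no
    0x8  = 'FOREST_TRANSITIVE'     # present only on forest trusts
    0x10 = 'CROSS_ORGANIZATION'
    0x20 = 'WITHIN_FOREST'
    0x40 = 'TREAT_AS_EXTERNAL'
}
# trustDirection: seen from this domain, Outbound means "this domain trusts the partner"
$TrustDirection = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }

function Get-TrustReport {
    param([string]$Server)
    $domainDN = (Get-ADDomain -Server $Server).DistinguishedName
    Get-ADObject -Server $Server -SearchBase "CN=System,$domainDN" `
        -LDAPFilter '(objectClass=trustedDomain)' `
        -Properties trustPartner, trustDirection, trustAttributes |
      ForEach-Object {
          $attrs = [int]$_.trustAttributes
          $names = $TrustAttributeFlags.Keys |
                     Where-Object { $attrs -band $_ } |
                     ForEach-Object { $TrustAttributeFlags[$_] }
          [pscustomobject]@{
              Partner             = $_.trustPartner
              Direction           = $TrustDirection[[int]$_.trustDirection]
              Attributes          = ($names -join ',')
              SidFilterQuarantine = [bool]($attrs -band 0x4)
          }
      }
}

Get-TrustReport -Server $ResourceDC | Format-Table -AutoSize
```

For the sample topology (Febres.com trusts shanghai.fabrikam.local, one-way, external), the expected row is Partner shanghai.fabrikam.local, Direction Outbound, no FOREST_TRANSITIVE flag, and SidFilterQuarantine False only after the netdom command has been run. If SidFilterQuarantine is still True after the change, re-run netdom against the trusting domain; the quarantine setting lives on the trusting side.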

Now let's look at the topology of the sample system. The organization Fabrikam has the following setup:


  • Account forest: shanghai.fabrikam.local. All user accounts and groups, and the Exchange mailboxes, are in this forest. (Domain controller: DC01.shanghai.fabrikam.local.)
  • Resource forest: Febres.com. The Lync server runs in Febres.com. (Domain controller: DC02.Febres.com. Lync server: LyncSrv01.Febres.com.)
  • Email addresses: @Fabrikam.com, @Fabrikam.local
  • SIP addresses are the same as the email addresses.
  • The UM feature is assumed not to be required, so a one-way trust is built (Febres.com trusts shanghai.fabrikam.local).
  • SID filtering is disabled on the trust.
  • FIM 2010 is used to synchronize the required accounts into the resource forest as disabled accounts and to flow the necessary attributes to them.
  • Test clients: client01, client02
  • No firewall blocks traffic between the two forests.


Written by actionxp

September 4, 2011 at 1:42 am

Posted in Lync Server 2010

8 Responses


  1. Hi Actionxp,
    Nice article. Have you written part 2 yet? Can you go into configuration options of FIM please i.e. which Forest should FIM be installed in?
    If there is only a one-way trust, can free/busy information be read by Lync, or is a two-way trust also required for this?

    Patrick Yore

    September 21, 2011 at 10:39 pm

    • Yes, will post shortly.
      FIM can be installed on either side, since it is just doing dir sync. But since it is an account/resource topology, I put it in the resource forest.

      A one-way trust is good enough, because getting F/B from Outlook is your desktop client's operation (Lync contacts Outlook); it has nothing to do with the server.


      October 4, 2011 at 10:04 am

  2. Any chance we’ll still see a part 2? Or has the blog stopped?


    August 6, 2012 at 8:52 pm

    • Sorry, just came back. I have been writing blogs on a Chinese-language forum. Now I will put effort here.


      November 7, 2012 at 10:53 am

      • [Translated from Polish; off-topic comment] Indirectly they have this much to do with it: their absence at Wilanowska is caused by the lack of proper drainage. So the sidewalks will not be built until the sewers are done. My main point was that the "special services" should not doze off again and should clean all the drains regularly.


        May 9, 2017 at 9:13 pm

  3. Hi,
    did you have a chance to write part 2 of this?


    February 14, 2013 at 6:14 am

  4. Could I use this if there are logon-enabled user accounts in the resource forest?


    February 13, 2014 at 3:46 am
