Deploying Microsoft Lync Server 2010 in a Multiple Forest Environment

Microsoft Lync Server 2010

Published: March 2012

This document is provided “as-is”. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice.

Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

Copyright © 2012 Microsoft Corporation. All rights reserved.

Contents

Deploying Lync Server 2010 in a Multiple Forest Environment

Central Forest Topology for Lync Server 2010

Resource Forest Topology for Lync Server 2010

Part 1: Deploying Lync Server 2010 in a Central Forest Topology

Prerequisites for a Central Forest Topology Deployment

Step 1: Configuring the Identity Life Cycle Manager Server for Lync Server 2010

Install the Lync Server Sync Tool

Extend the Metaverse Schema in the Identity Life Cycle Manager

Configure Extensions for the Lync Server Sync Tool

Configure the Object Deletion Rule in the Identity Life Cycle Manager

Create a Management Agent for the Lync Server Sync Tool in the Central Forest

Create a Management Agent for the Lync Server Sync Tool in all User Forests

Importing, Synchronizing, and Provisioning Lync Server Objects

Import Active Directory Objects for Each Forest into the Connector Space

Synchronize the Metaverse

Provision the Central Forest

Step 2: Enabling Contacts for Lync Server 2010

Keep Information Synchronized for Lync Server 2010

Understanding How Attributes Are Synchronized for Lync Server 2010

Troubleshooting the Central Forest Topology for Lync Server 2010

Troubleshooting Client Issues

Part 2: Deploying Lync Server 2010 in a Resource Forest Topology

Prerequisites When Deploying Lync Server in a Resource Forest Topology

Step 1: Creating Disabled User Accounts

Step 2: Enabling Disabled User Accounts for Lync Server

Step 3: Populating the Required Attributes for Lync Server

Use the SID Mapping Tool to Populate Attributes in a Resource Forest

Synchronizing Attributes in Cross Forests for Lync Server 2010

Deploying Lync Server 2010 in a Multiple Forest Environment

A multiple forest topology is often used in organizations that have a need for multiple forests in Active Directory Domain Services (AD DS) to help provide security or organizational boundaries. This document assumes that you have decided upon a multiple forest topology. For more guidance about when a multiple forest topology is appropriate and how to deploy it, see the Windows Server operating system documentation.

Multi-forest deployment of Microsoft Lync Server 2010 communications software can be in a:

Central forest

Resource forest

Central Forest

In a central forest topology, servers running Lync Server 2010 in the central forest provide services to users and groups in the central forest, in addition to users and groups in all other forests, which are called user forests. The central forest deployment offers the benefits of centralized administration and minimizes complexity in a multiple forest environment.

To support a central forest topology, the following prerequisites are required:

Microsoft Forefront Identity Manager 2010, Microsoft Identity Lifecycle Manager 2007 Feature Pack 1 (FP1), or Microsoft Identity Integration Server 2003 SP2 — In order to synchronize data across your forests, you must deploy one of these life cycle manager tools.

To synchronize the necessary attributes from user forests to a central forest, Lync Server provides a tool called LcsSync.

Resource Forest

In a resource forest topology, Lync Server 2010 is deployed in one forest, a resource forest that hosts servers running Lync Server 2010 but does not host any logon-enabled user accounts.

Outside the resource forest, user forests host enabled user accounts but no servers running Lync Server 2010. Within the resource forest, a corresponding disabled user account exists for each user account in the user forests.

The resource forest hosts only enterprise application servers and does not contain any primary user accounts. The primary user accounts from other forests are represented as disabled user accounts. The ObjectSID of each primary user account (from the account forest) is mapped to the msRTCSIP-OriginatorSID attribute of the corresponding disabled user account. These disabled user accounts are enabled for Lync Server 2010 and mail-enabled for Microsoft Exchange Server if it is deployed.
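The following PowerShell script is an added example and is not part of the Microsoft document or the Lync Server tooling. It audits the mapping just described: every disabled account in the resource forest should carry, in msRTCSIP-OriginatorSID, the ObjectSID of a live primary account in the account forest, and no logon-enabled accounts should exist in the resource forest OU. It assumes the ActiveDirectory module, read access to both forests, and placeholder domain controller names and OU.

```powershell
# Added example, not from the Lync Server documentation. Audits resource-forest
# shadow accounts against their account-forest primaries via msRTCSIP-OriginatorSID.
Import-Module ActiveDirectory

$resourceForestDc = 'dc01.resource.example'                 # placeholder
$accountForestDc  = 'dc01.accounts.example'                 # placeholder
$shadowOu         = 'OU=LyncUsers,DC=resource,DC=example'   # placeholder

# Every disabled account in the resource OU, with the attribute that should hold
# the primary account's SID (stored in AD as a binary SID).
$shadowAccounts = Get-ADUser -Server $resourceForestDc -SearchBase $shadowOu `
    -Filter 'Enabled -eq $false' -Properties 'msRTCSIP-OriginatorSID'

foreach ($shadow in $shadowAccounts) {
    $raw = $shadow.'msRTCSIP-OriginatorSID'
    if (-not $raw) {
        Write-Warning "$($shadow.SamAccountName): msRTCSIP-OriginatorSID is empty; SID mapping has not been populated"
        continue
    }

    # Convert the binary attribute to a SID object so it can be used as an identity.
    $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)

    # Resolve the primary account in the account forest by that SID.
    try {
        $primary = Get-ADUser -Server $accountForestDc -Identity $sid.Value -ErrorAction Stop
    } catch {
        $primary = $null
    }

    if (-not $primary) {
        Write-Warning "$($shadow.SamAccountName): OriginatorSID $($sid.Value) matches no account in the account forest (orphaned shadow account)"
    } elseif (-not $primary.Enabled) {
        Write-Warning "$($shadow.SamAccountName): primary account $($primary.SamAccountName) is disabled in the account forest"
    } else {
        Write-Output "OK  $($shadow.SamAccountName) -> $($primary.UserPrincipalName)"
    }
}

# A resource forest must not host logon-enabled user accounts; flag any that exist.
Get-ADUser -Server $resourceForestDc -SearchBase $shadowOu -Filter 'Enabled -eq $true' |
    ForEach-Object { Write-Warning "$($_.SamAccountName) is logon-enabled in the resource forest" }
```

Run it from a machine that can reach a domain controller in each forest; the warnings identify shadow accounts whose mapping is missing, points at an account that no longer exists, or points at a disabled primary, which are the cases that leave a Lync-enabled identity with no matching logon principal.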

In This Section

Central Forest Topology for Lync Server 2010

Resource Forest Topology for Lync Server 2010

Part 1: Deploying Lync Server 2010 in a Central Forest Topology

Part 2: Deploying Lync Server 2010 in a Resource Forest Topology

Synchronizing Attributes in Cross Forests for Lync Server 2010

Central Forest Topology for Lync Server 2010

In a central forest topology, servers running Lync Server 2010 in the central forest provide services to users and groups in the central forest, and also to users and groups in all other forests, which are called user forests.

The central forest deployment offers the benefits of centralized administration and minimizes complexity in a multiple forest environment.

Part 1 of this document explains how to configure Lync Server 2010 to support users, groups, and distribution group expansion in a central forest environment. It briefly describes the multiple forest environment, but it assumes that you have already deployed the hardware and software so that you are ready to create and propagate user data so that a user in any forest can connect to Lync Server 2010 and communicate with any user in any connected forest.

See Also

Part 1: Deploying Lync Server 2010 in a Central Forest Topology

Resource Forest Topology for Lync Server 2010

In a resource forest topology, Lync Server 2010 is deployed in one forest, a resource forest that hosts servers running Lync Server 2010 but does not host any logon-enabled user accounts.

Outside the resource forest, user forests host enabled user accounts but no servers running Lync Server 2010. Within the resource forest, a corresponding disabled user account exists for each user account in the user forests.

Part 2 of this document explains how to configure Lync Server 2010 to support a resource forest topology.

See Also

Part 2: Deploying Lync Server 2010 in a Resource Forest Topology

Part 1: Deploying Lync Server 2010 in a Central Forest Topology

The topics in this section explain how to configure Lync Server 2010 in a central forest topology, how to keep information synchronized when changes are made to user data, and how to troubleshoot common issues.

In This Section

Prerequisites for a Central Forest Topology Deployment

Step 1: Configuring the Identity Life Cycle Manager Server for Lync Server 2010

Step 2: Enabling Contacts for Lync Server 2010

Keep Information Synchronized for Lync Server 2010

Understanding How Attributes Are Synchronized for Lync Server 2010

Troubleshooting the Central Forest Topology for Lync Server 2010

Prerequisites for a Central Forest Topology Deployment

To support a central forest topology, the following prerequisites are required.

Identity life cycle manager—One of the following supported identity life cycle managers must be deployed.

Microsoft Forefront Identity Manager 2010

Microsoft Identity Lifecycle Manager 2007 FP1

Microsoft Identity Integration Server 2003 SP2

Important:

If Microsoft Identity Integration Server 2003 is deployed, it must be Microsoft Identity Integration Server 2003 SP2.

Lync Server deployed in your central forest—If you have not deployed Lync Server, see the Lync Server 2010 Planning documentation at and the Lync Server 2010 Deployment documentation at

The central forest can be an existing forest that hosts existing servers running Lync Server, users, groups, contacts, or you can create an entirely new forest.

The central forest should ordinarily be the one that hosts the largest number of users. Connectivity between the central forest and other forests should also be highly available.

Note:

You must establish a two-way trust between the central forest and user forests to enable distribution group expansion when groups from user forests are synchronized as contacts to the central forest.

After you have deployed Lync Server in the central forest, complete the following steps:

Step 1: Configuring the Identity Life Cycle Manager Server for Lync Server 2010

Step 2: Enabling Contacts for Lync Server 2010

Step 1: Configuring the Identity Life Cycle Manager Server for Lync Server 2010

After you have deployed Lync Server 2010, modify the configuration of the identity life cycle manager server that is responsible for synchronizing user objects as contacts across all forests.

If Microsoft Exchange Server is not deployed in a cross-forest topology, deploy and configure the Lync Server Sync tool (Lcssync). Lcssync is included with the Lync Server 2010 Resource Kit. The remainder of this section focuses on using Lync Server Sync.

If Microsoft Exchange Server is deployed in a cross-forest topology, use the global address list (GAL) sync tool with the Lync Server Sync logic. Exchange Server uses GAL sync to synchronize contact information in the GAL between forests. In this situation, an update to the GAL sync tool is required because the identity life cycle manager server does not support the coexistence of two different synchronization agents.

The Lync Server Sync tool configures the management agent of each forest except the central one so that the forest's user and group information is synchronized with the identity life cycle manager server. The identity life cycle manager server generates a metaverse object that represents each user or group and then synchronizes each user or group object as a contact in the central forest. Because all Lync Server users and groups are synchronized as contacts (including each user's or group's object security identifier (SID)) in every other forest, users can still communicate with each other across forest boundaries after the identity life cycle manager server is reconfigured, and users can still take advantage of distribution group expansion across forests.

Configure Forefront Identity Manager in the following manner:

Forefront Identity Manager 2010 is the primary supported synchronization software for configuring Lync Server in a multiple-forest environment.

If you use Microsoft Identity Lifecycle Manager 2007 FP1 or Microsoft Identity Integration Server 2003 SP2, extend the default "Persons" object metaverse schema by creating the attribute photo. To alter the synchronization rule, follow these steps:

1. Start Identity Manager.

2. From the toolbar, click Metaverse Designer.

3. From the object type list, click Person.

4. From the Actions pane, click Add Attribute.

5. In the Add attribute to object type dialog box, click New Attribute.

6. In the attribute name box, enter photo.

7. From the Attribute type list, click Binary (non-Indexable), and then click OK.

8. Click OK again to finalize creating the attribute.

9. Verify that the photo attribute is added to the attribute list.

The identity life cycle manager server is configured to do the following:

Import the user objects and group objects from two user forests as identity life cycle manager server metaverse objects.

Export the metaverse objects to the central forest as contact objects.

To install and configure the Lync Server Sync tool, Lcssync, perform the following steps (each step is explained in detail in the subsequent sections).

Important

Microsoft Identity Integration Server 2003 SP2 uses the sync tool, Lcssync, which requires Microsoft .NET Framework 2.0.

You can download “.NET Framework 2.0 Redistributable” from the Microsoft Download Center at

1. Install the Lync Server Sync Tool.

2. Extend the Metaverse Schema in the Identity Life Cycle Manager.

3. Configure Extensions for the Lync Server Sync Tool.

4. Configure the Object Deletion Rule in the Identity Life Cycle Manager.

5. Create a Management Agent for the Lync Server Sync Tool in the Central Forest.

6. Create a Management Agent for the Lync Server Sync Tool in all User Forests.

7. Importing, Synchronizing, and Provisioning Lync Server Objects.

Install the Lync Server Sync Tool

Before you configure the Lync Server Sync tool, you must install the required files on the identity life cycle manager server. The files required for the Lync Server Sync tool are included in the Lcssync directory of the Lync Server 2010 Resource Kit.

To install the Lync Server Sync tool

1. On the server running the identity life cycle manager, in the Lync Server 2010 Resource Kit, go to the Lcssync directory.
2. Copy all the files in this directory to the following directory on the server running the identity life cycle manager: %drive%:\Program Files\Microsoft Identity Integration Server\Extensions.
Important:
For Forefront Identity Manager, the folder will be located at: %Program Files%\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions
3. In Active Directory Domain Services (AD DS), create an organizational unit (OU), or verify that a target OU for your contact objects exists on Lync Server in the central forest.
4. Go to the Extensions folder, and then open Lcscfg.xml.
5. Use the following format to modify the <target-ou> tag to include the target OU of the central forest:
   <rules-extension-properties>
     <lcssync-mas>
       <lcsma name="Lcs Central Forest">
         <target-ou>OU=contacts,DC=yourdomain,DC=com</target-ou>
       </lcsma>
     </lcssync-mas>
   </rules-extension-properties>
For example:
   <target-ou>OU=contacts,DC=contoso,DC=com</target-ou>
6. If necessary, you can modify Logging.xml to change the file name and logging level. The following example shows the default values in the XML:
   <logging>
     <use-single-log>false</use-single-log>
     <file-name>lcssync.log</file-name>
     <logging-level>1</logging-level>
   </logging>
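The following PowerShell script is an added example and is not part of the Lync Server Resource Kit. It performs steps 3 to 5 of the procedure above without hand-editing the file: it checks that the target OU is a well-formed distinguished name (comma-separated type=value pairs, the form the sample above uses), confirms the OU exists in the central forest, and then writes it into the <target-ou> element of Lcscfg.xml. The Extensions path and OU are placeholders; the element names are the ones shown in the document, and the ActiveDirectory module is assumed to be available.

```powershell
# Added example, not from the Lync Server documentation or the Resource Kit.
# Validates the central-forest target OU and writes it into Lcscfg.xml.
Import-Module ActiveDirectory

# Placeholders: the MIIS path is shown; the FIM 2010 path differs (see the Important note above).
$extensionsDir = 'C:\Program Files\Microsoft Identity Integration Server\Extensions'
$cfgPath       = Join-Path $extensionsDir 'Lcscfg.xml'
$targetOu      = 'OU=contacts,DC=contoso,DC=com'   # placeholder DN

# A DN is a comma-separated list of type=value pairs. This catches the easy slip of
# dropping the commas (OU=contactsDC=contosoDC=com) before the sync tool reads it.
function Test-DistinguishedName {
    param([string]$Dn)
    $rdns = $Dn -split ','
    if ($rdns.Count -lt 2) { return $false }
    foreach ($rdn in $rdns) {
        if ($rdn -notmatch '^\s*(OU|DC|CN)=[^,=]+$') { return $false }
    }
    return $true
}

if (-not (Test-DistinguishedName $targetOu)) {
    throw "Malformed target OU: '$targetOu'"
}

# The OU must already exist in the central forest (step 3); fail here rather than
# during provisioning.
Get-ADOrganizationalUnit -Identity $targetOu -ErrorAction Stop | Out-Null

# Load the configuration, replace the target-ou text, and save it back in place.
[xml]$cfg = Get-Content -Path $cfgPath
$ma = $cfg.'rules-extension-properties'.'lcssync-mas'.SelectSingleNode('lcsma')
if (-not $ma) { throw "No <lcsma> element found in $cfgPath" }
$ma.SelectSingleNode('target-ou').InnerText = $targetOu
$cfg.Save($cfgPath)
Write-Output "target-ou for management agent '$($ma.GetAttribute('name'))' set to $targetOu"
```

Run it on the identity life cycle manager server as an account that can both read the central forest and write to the Extensions folder; keep a copy of the original Lcscfg.xml, since the script overwrites the file in place.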

Extend the Metaverse Schema in the Identity Life Cycle Manager

After you have installed the Lync Server Sync tool on the server running the identity life cycle manager, extend the metaverse schema so the Lync Server attributes can be synchronized.

To extend the metaverse schema

1. On the computer running the identity life cycle manager server, start Identity Manager: click Start, click All Programs, click Microsoft Identity Integration Server, and then click Identity Manager.
Note:
To open Synchronization Service in Microsoft Forefront Identity Manager 2010: click Start, click All Programs, click Forefront Identity Manager, and then click Synchronization Service.
2. Click Metaverse Designer.
3. On the Actions menu, click Import Metaverse Schema.
4. Select %drive letter%:\Program Files\Microsoft Identity Integration Server\Extensions\Lcsmvschema.xml.
Important:
For Forefront Identity Manager, use the following location: %Program Files%\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions\Lcsmvschema.xml
5. When the schema import operation is completed, click OK.

Configure Extensions for the Lync Server Sync Tool

After you have extended the metaverse schema, configure the extensions for the Lync Server 2010 Sync tool. Configuring the extensions determines how synchronization is handled for Lync Server 2010 objects that are synchronized by the identity life cycle manager.

To configure extensions for the Lync Server Sync tool

1. On the computer running the identity life cycle manager server, start Identity Manager: click Start, click All Programs, click Microsoft Identity Integration Server, and then click Identity Manager.
Note:
To open Synchronization Service in Microsoft Forefront Identity Manager 2010: click Start, click All Programs, click Forefront Identity Manager, and then click Synchronization Service.
2. On the Tools menu, click Options.
3. Select the Enable metaverse rules extension check box.
4. Click Browse.
5. Under Files, select Lcssync.dll.
6. Select the Enable Provisioning Rules Extension check box, and then click OK.

Configure the Object Deletion Rule in the Identity Life Cycle Manager

After you have configured extensions for the Lync Server 2010 Sync tool, configure the rule that determines what the identity life cycle manager server will do when a user object is deleted in a forest and how it will synchronize the deletion with the central forest. If a user object is deleted in a user forest, the corresponding contact object that is used by Lync Server in the central forest must also be deleted. Configuring the object deletion rule ensures that the identity life cycle manager server and Lync Server handle this situation correctly.