Unified Communications and Messaging

Discussions and links regarding Microsoft Exchange, Lync and Windows. Fun with Microsoft based telephony, Unified Messaging and more!!


Monday, July 23, 2012

User Enabling in a Lync Resource Forest Deployment

Lync Server 2010 can be deployed in a Resource Forest configuration, much like Exchange 2010.  TechNet covers the configuration of both Exchange and Lync in a Resource Forest scenario in detail, so I won't repeat it here.
What I would like to delve into is how enabling cross-forest users differs between Lync and Exchange.  In Exchange, enabling users for Linked Mailboxes is straightforward: a wizard-driven process in the Exchange Management Console.
Lync does not have that luxury.  It relies on PowerShell cmdlets and tools from the OCS 2007 Resource Kit.  The entire process is covered in great detail on Dr. Rez's Lync Blog.
The process has many aspects, but here are the key points:
·         A disabled account in the Resource Forest is enabled for Lync
·         The msRTCSIP-OriginatorSID attribute of that disabled account is populated with the objectSID of the user's account in the User Forest
·         When the user signs in with their User Forest credentials, Lync matches the authenticated SID against msRTCSIP-OriginatorSID and treats the sign-in as the disabled Resource Forest account.  This requires the Resource Forest to trust the User Forest, and the Resource Forest account is left disabled so it cannot be used to sign in on its own
·         Because that one attribute decides which User Forest SID owns a Lync identity, write access to msRTCSIP-OriginatorSID should be treated as sensitive, and the mapping should be verified after it is set
There are two methods of populating the msRTCSIP-OriginatorSID attribute on the Resource Forest account.

Manual method:

Used if there is no Exchange environment, or if Linked Mailboxes are not in use for whatever reason.
Key points:
·         You must manually create the (disabled) user account in the Resource Forest
·         You must manually copy the objectSID of the User Forest account into the msRTCSIP-OriginatorSID attribute of the Resource Forest account, for example via ADSIEdit.msc
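The same manual mapping can be done from PowerShell instead of ADSIEdit, which also lets you read the value back and confirm it.  This is an added example, not a script from the original post; it assumes the ActiveDirectory module, a trust from the Resource Forest to the User Forest, and the hypothetical names userdc01.users.local (a User Forest DC) and jdoe (the account name in both forests).

```powershell
# Added example: populate msRTCSIP-OriginatorSid with PowerShell rather than ADSIEdit.
# Assumes the ActiveDirectory module and that the Resource Forest trusts the User Forest.
Import-Module ActiveDirectory

$UserForestDC  = "userdc01.users.local"   # hypothetical DC in the User Forest
$UserForestSam = "jdoe"                   # account the person actually signs in with
$ResourceSam   = "jdoe"                   # matching disabled account in the Resource Forest

# 1. Read the objectSid of the real (User Forest) account. Add -Credential if the
#    Resource Forest admin cannot read the User Forest anonymously.
$userAcct = Get-ADUser -Identity $UserForestSam -Server $UserForestDC
$sidText  = $userAcct.SID.Value           # textual form, e.g. S-1-5-21-...-1105

# 2. Find the Resource Forest account and insist that it is disabled: it is only a
#    placeholder, and an enabled one could be used to sign in without the trust.
$resAcct = Get-ADUser -Identity $ResourceSam -Properties 'msRTCSIP-OriginatorSid'
if ($resAcct.Enabled) {
    throw "Resource Forest account $ResourceSam is enabled; disable it before linking."
}

# 3. Write the SID. msRTCSIP-OriginatorSid is assumed here to be a string attribute
#    holding the SID in S-1-5-... form, which is the form ADSIEdit displays.
Set-ADUser -Identity $ResourceSam -Replace @{ 'msRTCSIP-OriginatorSid' = $sidText }

# 4. Read it back and compare, so a typo or a write to the wrong object is caught now.
$check = (Get-ADUser -Identity $ResourceSam -Properties 'msRTCSIP-OriginatorSid').'msRTCSIP-OriginatorSid'
if ($check -ne $sidText) {
    throw "msRTCSIP-OriginatorSid on $ResourceSam is '$check', expected '$sidText'."
}
Write-Host "Linked $ResourceSam (Resource Forest) to $UserForestSam with SID $sidText"
```

Run it from a Resource Forest machine with rights to write the attribute; the read-back step is the part ADSIEdit does not give you.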

Automatic method:

Assumes that Exchange 2007/2010 Linked Mailboxes are in use in the Resource Forest.  Creating the Linked Mailbox accomplishes the following:
·         Creation of the matching, disabled Resource Forest account, with msExchMasterAccountSid set to the SID of the User Forest account
The following tasks must then be completed on the Lync Server:
·         Enable the disabled Resource Forest account for Lync
o   Via the Lync Server Control Panel
o   Via the Lync Server Management Shell
·         Use the sidmap.wsf tool to copy the User Forest SID associated with the Linked Mailbox (msExchMasterAccountSid) into msRTCSIP-OriginatorSID on the linked Lync user in the Resource Forest

Given the details involved in running sidmap.wsf, I've found it easiest to simply script the entire process.  I've created scripts to do the following:
·         Cross-forest Lync user enabling:
o   Enables the disabled Resource Forest account for Lync
§  Sets the SIP sign-in address
§  Sets the primary (registrar) pool
o   Runs sidmap.wsf against a specific OU containing the disabled Exchange Linked Mailbox accounts, so that sidmap.wsf copies the user SID from msExchMasterAccountSid to msRTCSIP-OriginatorSID
·         Verify cross-forest SID attributes:
o   Checks whether the Resource Forest account's msRTCSIP-OriginatorSID is populated and displays the SAM account name and OU of the Resource Forest account
o   If the attribute is populated, translates the SID back to the SAM account name of the User Forest account (this resolution goes over the forest trust), so it can be compared to make sure it is the right associated account
Cross-forest Lync User Enabling script:
# Prompts for the linked user and SIP address, confirms the target pool, then
# enables the account for Lync and runs sidmap.wsf to populate msRTCSIP-OriginatorSid.
$name = Read-Host "Enter the linked username (domain\<username>) to enable for Lync"
$sip  = Read-Host "Enter the SIP Address for the user (ie: jdoe@sipdomain.com)"
$FullSip = "sip:" + $sip

$a = New-Object -ComObject WScript.Shell
# Popup type 4 = Yes/No buttons; the return value is 6 for Yes and 7 for No.
$intAnswer = $a.Popup("Do you want to enable the user on the Head Office Lync Server?", 0, "Lync Cross-Forest User Enabling", 4)
if ($intAnswer -eq 6) {
  $pool = "HQ-FE.domain.local"
  $site = "Head Office"
} else {
  $pool = "Branch-FE.domain.local"
  $site = "branch"
}

$confirm = $a.Popup("You are enabling $name `nWith SIP Address: $FullSip `nOn the $site Lync Server.  `nIs this correct?", 0, "Lync Cross-Forest User Enabling", 4)
if ($confirm -ne 6) {
  $a.Popup("Cancelling.")
  return
}

Write-Host "Enabling user for Lync..."
# -ErrorAction Stop so sidmap.wsf is not run if the enable itself failed.
Enable-CsUser -Identity $name -RegistrarPool $pool -SipAddress $FullSip -ErrorAction Stop
# Give the change time to replicate before sidmap.wsf reads the account.
Start-Sleep -Seconds 30

# sidmap.wsf (Resource Kit, LcsSync folder) copies msExchMasterAccountSid to
# msRTCSIP-OriginatorSid for every linked-mailbox account in the given OU.
# Run it under cscript so its output goes to the console instead of a popup.
Push-Location "C:\Program Files\Microsoft Lync Server 2010\ResKit\LcsSync"
cscript.exe //nologo .\sidmap.wsf /OU=LinkedMailboxes,DC=domain,DC=local
Pop-Location
Write-Host "User Enabled Successfully."

Lync Script for finding OriginatorSID:

[console]::ForegroundColor = "green"
$objUserName = Read-Host "Type in the first and last name of the user (IE: John Doe)"
[console]::ResetColor()

# Stop here if the user is not Lync-enabled at all, rather than reporting an empty SID.
$csUser = Get-CsUser -Identity $objUserName -ErrorAction Stop
Write-Host -ForegroundColor "cyan" "The Resource Forest account details are below:"
$csUser | Format-List Identity, OriginatorSid, SamAccountName

$objUserSID = $csUser.OriginatorSid.Value
if ($objUserSID -eq $null) {
  Write-Host -ForegroundColor "cyan" "OriginatorSid is empty.  User not enabled for cross-forest Lync services"
} else {
  $objSID = New-Object System.Security.Principal.SecurityIdentifier ($objUserSID)
  try {
    # Translate resolves the SID through the forest trust; it throws if the SID
    # does not belong to any account the Resource Forest can see.
    $objUser = $objSID.Translate([System.Security.Principal.NTAccount])
    Write-Host -ForegroundColor "cyan" "Below is the AD User Account in the User Forest, tied to this Lync User:"
    Write-Host -ForegroundColor "yellow" $objUser
  } catch [System.Security.Principal.IdentityNotMappedException] {
    Write-Host -ForegroundColor "red" "OriginatorSid $objUserSID does not resolve to an account in any trusted forest."
  }
}
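The script above checks one user at a time.  As an added example (not a script from the original post), here is the same check run across every Lync-enabled account in the Resource Forest, which also flags the two conditions the per-user script does not look at: a Resource Forest account that has been left enabled, and a Lync mapping that disagrees with the Linked Mailbox's msExchMasterAccountSid.  It assumes the Lync Server Management Shell and the ActiveDirectory module are loaded and that the Resource Forest trusts the User Forest; no names are hard-coded.

```powershell
# Added example: audit cross-forest Lync mappings for all enabled Lync users.
# Assumes the Lync Server Management Shell plus the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-CrossForestLyncUser {
    param([Parameter(Mandatory)] $CsUser)   # one object from Get-CsUser

    $ad  = Get-ADUser -Identity $CsUser.SamAccountName -Properties msExchMasterAccountSid
    $sid = $CsUser.OriginatorSid            # SecurityIdentifier, or $null if never mapped
    $problems = @()
    $resolved = $null

    if ($null -eq $sid) {
        $problems += 'OriginatorSid empty (not cross-forest linked)'
    } else {
        # Resolve through the trust; a failure means the mapped SID points at nothing
        # the Resource Forest can see (deleted user, broken trust, mistyped SID).
        try   { $resolved = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $problems += 'OriginatorSid does not resolve' }

        # The Linked Mailbox and Lync should both point at the same User Forest account.
        # The AD module may return the SID-syntax attribute as a SecurityIdentifier or
        # as raw bytes; normalise before comparing.
        $master = $ad.msExchMasterAccountSid
        if ($master -is [byte[]]) {
            $master = New-Object System.Security.Principal.SecurityIdentifier($master, 0)
        }
        if ($master -and $master.Value -ne $sid.Value) {
            $problems += 'OriginatorSid differs from msExchMasterAccountSid'
        }
    }

    # The Resource Forest account is only a placeholder; if it is enabled, this Lync
    # identity can also be used with Resource Forest credentials, bypassing the trust.
    if ($ad.Enabled) { $problems += 'Resource Forest account is enabled' }

    [pscustomobject]@{
        ResourceAccount = $CsUser.SamAccountName
        SipAddress      = $CsUser.SipAddress
        OriginatorSid   = if ($sid) { $sid.Value } else { '' }
        UserForestAcct  = $resolved
        Problems        = ($problems -join '; ')
    }
}

# Run over every Lync-enabled user and show only the ones with findings.
Get-CsUser -Filter { Enabled -eq $true } |
    ForEach-Object { Test-CrossForestLyncUser -CsUser $_ } |
    Where-Object { $_.Problems } |
    Format-Table -AutoSize
```

Drop the Where-Object filter to see the full mapping table, which is also a convenient record of which User Forest SID owns each SIP address.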


Lync RBAC Considerations

The other side effect I've noticed is that you cannot assign cross-forest user accounts to Lync RBAC roles.  The reason is simple:
·         Default and custom Lync RBAC roles are backed by Universal security groups in the forest where Lync is installed
·         Across a forest trust, only Domain Local security groups can contain users and groups from another forest
·         Domain Local security groups cannot be members of Universal security groups
·         Hence there is no way to nest a user account from the User Forest into a Universal security group in the Resource Forest
Your only alternative is to create separate administrative accounts in the Resource Forest and use separate logons for Lync administration.

Exchange gets around this by the simple fact that RBAC roles can be assigned directly to mailboxes, and hence to any SID associated with those mailboxes.  A Linked Mailbox assigned to an RBAC role therefore lets the User Forest SID log on to the Exchange Control Panel (ECP).

Tuesday, July 3, 2012

Enthusiasm for Knowledge and its Ability to Inspire.

It is a very basic tenet of my worldview that the pursuit of knowledge is one of the greatest abilities of the human condition.  That our brain's ability to experience reality around us, and through the leveraging crane of consciousness to ponder, question and build mental scenarios beyond the present, is what most clearly raises us above the rest of our animal cousins.

But the brain is tricky.  Consciousness is slippery.  As vast as our ability is to soak in all the information around us, our senses are of course hopelessly outmatched.  There's far too much sensory information coming out of the firehose than we could ever hope to drink.  And to that end, our brain and the tool of consciousness take shortcuts, make judgement calls, and filter what it is we experience, based on the vast history of our evolutionary journey to survive and procreate.

People take their internal recollections, memories and experiences to be beyond reproach, even with frequent and numerous examples to the contrary.  Eyewitness accounts are rightly held to be unreliable in isolation, our memories fade and change and even become incorrect over time, and we can experience things (hallucinations, dreams, etc.) that we know, and can prove, did not happen in our objective reality.  And yet, when we feel we know something, really know it, all this evidence to the contrary is swept to the side.

I contend that any pursuit of knowledge must always come from a base of modesty.  From an acknowledgement of our weaknesses and our biases and our areas of ignorance.  It must also come from a strong sense of curiosity about the inner workings of the world around us.  That search will not be a straight and tidy path, but rather a messy and exponential expansion of ideas and theories from multiple sources, coalescing more and more over time as the culture and community of science and technology works upon it.  It will also contain dead ends: paths that at the time seemed coherent with our ability to understand and objectively quantify the reality around us, but that perhaps fall flat as new ideas, or new tools for quantifying reality, come to light.

We should all agree to start the search with our most basic of tools, that which we can see, touch, smell, taste, hear.  And then slowly layer tools and ideas on top of that which assist us in describing reality around us, the ability to objectively measure physical phenomena as an example.  And to be cautious of areas we know can be unreliable, such as our own individual experiences, and to vet those against a methodology of critical evaluation.

I feel that our culture today is in peril of losing this sense of curiosity and enthusiasm for knowledge.  That the average person is more content with consuming the cultural and societal fast food of simple personal gratification, entertainment and politeness, than with openly and honestly discussing topics that should surely be of great interest to us all.

And so I hope to provide here some paths to content that I think a healthy and curious mind will readily consume and find to be tasty food for thought.

I would ask people to try switching up, just on occasion to start with, 30-60 minutes of their normal consumption of entertainment for something with a little more intellectual meat to it.

Neil deGrasse Tyson is a person I have great respect for.  I admire his ability to speak plainly, yet eloquently about his enthusiasm for science, knowledge and learning.  Spend an hour with Neil, and see if your brain doesn't feel a little more satisfied than say watching the latest episode of Breaking Bad ;)

Monday, July 2, 2012

So THIS is the Interwebs.

I traditionally subscribed to the attitude or practice of being comfortably behind the curve in adopting new technology.  A curious stance for an IT professional I know, but there you have it.  I think it mainly had to do with my general disdain for jumping on that good old bandwagon, as well as my general opinion that things very rarely live up to the hype that we as social creatures tend to assign to them.

However, over the past few years I've worked to reverse that trend.  I tend to be very cautious when commenting on most anything.  I like to understand a topic, whether for or against, before I'm comfortable commenting on it in front of others.  This has led me to honestly looking into all sorts of different aspects of technology and social media to determine which I think hold actual benefit and value to me.

And so I finally stumble across Blogger, long after everyone else, like the nerdy kid making a late and awkward entrance into the party he wasn't invited to in the first place.

I'll be working on the template for this over the coming weeks and months to settle into something succinct, functional, and hopefully cool looking.