Lync Server 2010 can be used in a Resource Forest configuration, similar to Exchange 2010. There is plenty of information on TechNet regarding the configuration for Exchange and Lync in a Resource Forest scenario.
I won’t get into those details here as I think they are well covered. However, I would like to delve into the differences between enabling cross-forest users for Lync versus Exchange. In Exchange the process for enabling users for Linked Mailboxes is very straight-forward, a wizard driven process via the Exchange Management Console.
Lync does not have that luxury. It relies on powershell commands and tools from the OCS 2007 Resource Kit. The entire process is covered in great detail on Dr. Rez's Lync Blog.
The process has many aspects, but here are the key points:
· A disabled account in the Resource Forest is enabled for Lync
· The msRTCSIP-OriginatorSID user attribute of this disabled account is populated with the SID of the user account from the User Forest
· This allows the User Forest account to logon to Lync services via the disabled Resource Forest account
There are two methods of populating the msRTCSIP-OriginatorSID attribute on the Resource Forest Account.
Manual method:
Used if there is no Exchange environment or if linked mailboxes are NOT in use for whatever reason.
Key points:
· Must manually create user account in Resource Forest
· You must manually map the objectSID attribute from the User Forest account to the msRTCSIP-OriginatorSID attribute in the Resource Forest account via ADSIEDIT.msc
Automatic method:
Assumes that Exchange 2007/2010 Linked mailboxes are in use in the Resource forest. The creation of the Linked Mailbox accomplishes the following:
· Creation of the matching, disabled Resource Forest account
The following tasks must then be completed via the Lync Server:
· Enable disabled Resource Forest account for Lync
o Via Lync Control Panel
o Via Lync Mgmt. Shell
· Use of the sidmap.wsf tool to map the User Forest account SID associated with the Linked Mailbox, to the Linked Lync user in the Resource Forest
Given the details involved in running sidmap.wsf I’ve found it easiest to simply script this entire process. I’ve created scripts to do the following:
· Cross-forest Lync User enabling:
o Enables the disabled Resource Forest account for Lync
§ Sets the SIP Sign-in address
§ Sets the Primary pool server
o Runs the sidmap.wsf command against a specific OU containing disabled Exchange Linked Mailboxes user accounts, allowing sidmap.wsf to copy the user SID from the msExchMasterAccountSid attribute to the msRTCSIP-OriginatorSID attribute
· Verify Cross-forest SID attributes:
o Checks to see if the Resource Accounts msRTCSIP-OriginatorSID is populated and displays the SAM Account name and OU of the Resource account
o If the attribute is populated, translates the SID value back to the SAM Account name of the User Forest account so it can be compared to ensure it is the right associated account
Cross-forest Lync User Enabling script:
$name=read-host "Enter the linked username (domain\<username>) to enable for Lync"
$sip=read-host "Enter the SIP Address for the user (ie: jdoe@sipdomain.com)"
$FullSip="sip:"+$sip
$a = new-object -comobject wscript.shell
$intAnswer = $a.popup("Do you want to enable the user on the Head Office Lync Server?", 0,"Lync Cross-Forest User Enabling" ,4)
If ($intAnswer -eq 6) {
$intAnswer2 = $a.popup("You are enabling $name `nWith SIP Address:$FullSip `nOn the Head Office Lync Server. `nIs this correct?", 0,"Lync Cross-Forest User Enabling" ,4)
If ($intAnswer2 -eq 6) {
enable-csuser -identity $name -RegistrarPool HQ-FE.domain.local -SipAddress $FullSip
write-host "Enabling user for Lync..."
Start-Sleep -s 30
cd "c:\program files\microsoft lync server 2010\reskit\lcssync"
.\sidmap.wsf /OU=LinkedMailboxes,DC=domain,DC=local
write-host "User Enabled Successfully."
} else {
$a.popup("Cancelling.")
}
} else {
$intAnswer3 = $a.popup("You are enabling $name `nWith SIP Address:$FullSip `nOn the branch Lync Server. `nIs this correct?", 0,"Lync Cross-Forest User Enabling" ,4)
If ($intAnswer3 -eq 6) {
enable-csuser -identity $name -RegistrarPool Branch-FE.domain.local -SipAddress $FullSip
write-host "Enabling user for Lync..."
Start-Sleep -s 30
cd "c:\program files\microsoft lync server 2010\reskit\lcssync"
.\sidmap.wsf /OU=LinkedMailboxes,DC=domain,DC=local
write-host "User Enabled Successfully."
} else {
$a.popup("Cancelling.")
}
}
cd "c:\"
Lync Script for finding OriginatorSID:
[console]::ForegroundColor = "green"
$objUserName = read-host "Type in the first and last name of the user (IE: John Doe)"
[console]::ResetColor()
Write-host -foregroundcolor "cyan" -nonewline "The Resource Forest account details are below:"
Get-CSUser -identity $objUserName | fl identity,originatorsid,samaccountname
$objUserSID = get-csuser -identity $objUserName | foreach {$_.originatorsid.value}
if ($objUserSID -eq $null) {
Write-host -foregroundcolor "cyan" "OriginatorSid is empty. User not enabled for cross-forest Lync services"
} else {
$objSID = New-Object System.Security.Principal.SecurityIdentifier ($objUserSID)
$objUser = $objSID.Translate([System.Security.Principal.NTAccount])
Write-host -foregroundcolor "cyan" "Below is the AD User Account in the User Forest, tied to this Lync User:"
write-host -foregroundcolor "yellow" $objUser
}
Lync RBAC Considerations
The other side effect I’ve noticed is that you cannot assign Cross-forest user accounts to Lync RBAC roles. The reason is simple:
· Default or custom Lync RBAC Roles are associated with Universal Security groups in the Forest that Lync is a member of
· Only Domain Local security groups can take members and groups from another Forest
· Domain Local security groups cannot be members of Universal security groups
· Hence there is no way to nest a user account in the User Forest to a Universal security group in the Resource Forest
Your only alternative is to create AD accounts in the Resource Forest and use separate logons.
2 comments:
We have a multi forest setup, and I decided to test the manual method WITHOUT matching the user account name, first/last, or password. (full trust between the forests)
I copied the Object SID from userA in the user forest to the msRTPOriginatorSID value on User B in the resource forest. User A and B had different names, first names, last names, and passwords.
I then logged into CWA (still active from our OCS 2007 in the resource forest) with the username and password of USER A, and it logged into User B's Lync 2013 account.
I then logged into the OCS client on a PC homed in the User Forst, logged in as User A, but put the SIP address for User B into the sign in value, and it also logged into the lync account for UserB. It did NOT require a username and password.
You article is great, but the matching appears to not be needed. All you need to do is move the SID from the user forest into the msRTCOriginatorSId in the resource forest and you are good to go.
Side note: The 'user' forest in this case ALSO has an old OCS2007 implementation (both forests do right now), and that did not cause any issues.
I've updated the post based on your feedback. Thinking back I don't think I'd explicitly tested the requirement for the matching attributes as my accounts just happened to match already.
Glad the article was of help to you. It's not a very common deployment scenario for Lync, and so it took me a fair amount of trial and error at first to get the process down in a way that was easy to hand over operationally afterwards.
Post a Comment