lync 2010 global installation latam configuration


Upload: roland-burink

Post on 06-Apr-2017


Page 1: Lync 2010 Global Installation LATAM configuration

Lync 2010 Global Installation TYCO

Lync 2010 Global Installation – Multiple Forest, Central Forest Topology Page | 1

Introduction

Previous versions of Office Communications Server relied on Active Directory Domain Services (AD DS) to store all global settings and groups necessary for the deployment and management of Office Communications Server. In Lync Server 2010, much of this information is stored in the Central Management store instead of AD DS, but User object schema extensions, including Office Communications Server 2007 and Office Communications Server 2007 R2 schema extensions, are still stored in AD DS.

Microsoft Lync Server 2010 communications software supports the same Active Directory Domain Services (AD DS) topologies as Microsoft Office Communications Server 2007 R2 and Microsoft Office Communications Server 2007. The following topologies are supported:

- Single forest with single domain
- Single forest with a single tree and multiple domains
- Single forest with multiple trees and disjoint namespaces
- Multiple forests in a central forest topology
- Multiple forests in a resource forest topology

In previous documentation the Lync 2010 installation was described as providing a scalable, country-independent and failover scenario for the TYCOFS EMEA and APAC users. We described the installation of Lync 2010 Enterprise in the Stratford UK EMEA Data Centre, providing the Enterprise Pool solution for the EMEA users.

This document describes how to implement a Lync 2010 installation across multiple forests (considering CFSAD, TYCOFS and TYCOFS.LOCAL.ZA).

The following figure identifies the icons used in the illustrations in this section.


Multiple Forest, Central Forest

Lync Server 2010 supports multiple forests that are configured in a central forest topology. Central forest topologies use contact objects in the central forest to represent users in the other forests. The central forest also hosts user accounts for any users in this forest. A directory synchronization product, such as Microsoft Identity Integration Server (MIIS), Microsoft Forefront Identity Manager (FIM) 2010, or Microsoft Identity Lifecycle Manager (ILM) 2007 Feature Pack 1 (FP1), manages the life cycle of user accounts within the organization: When a new user account is created in one of the forests or a user account is deleted from a forest, the directory synchronization product synchronizes the corresponding contact in the central forest.

A central forest has the following advantages:

- Servers running Lync Server are centralized within a single forest.
- Users can search for and communicate with other users in any forest.
- Users can view presence of other users in any forest.
- The directory synchronization product automates the addition and deletion of contact objects in the central forest as user accounts are created or removed.

The following figure illustrates a central forest topology. In this figure, there are two-way trust relationships between the domain that hosts Lync Server, which is in the central forest, and each user-only domain, which is in a separate forest. The schema in the separate user forests does not need to be extended.


A multiple forest topology is often used in organizations that need multiple forests in Active Directory Domain Services (AD DS) to provide security or organizational boundaries.

Multi-forest deployment of Microsoft Lync Server 2010 communications software can be in a:

- Central forest
- Resource forest

Central Forest

In a central forest topology, servers running Lync Server 2010 in the central forest provide services to users and groups in the central forest, in addition to users and groups in all other forests, which are called user forests. The central forest deployment offers the benefits of centralized administration and minimizes complexity in a multiple forest environment.

To support a central forest topology, the following prerequisites are required:

- Microsoft Forefront Identity Manager 2010, Microsoft Identity Lifecycle Manager 2007 Feature Pack 1 (FP1), or Microsoft Identity Integration Server 2003 SP2 — In order to synchronize data across your forests, you must deploy one of these life cycle manager tools.

To synchronize the necessary attributes from user forests to a central forest, Lync Server provides a tool called LcsSync.

Resource Forest

In a resource forest topology, Lync Server 2010 is deployed in one forest, a resource forest that hosts servers running Lync Server 2010 but does not host any logon-enabled user accounts.

Outside the resource forest, user forests host enabled user accounts but no servers running Lync Server 2010. Within the resource forest, a corresponding disabled user account exists for each user account in the user forests.

The resource forest hosts only enterprise application servers and does not contain any primary user accounts. The primary user accounts from other forests are represented as disabled user accounts. The ObjectSID of the primary user account (from the account forest) is mapped to the msRTCSIP-OriginatorSID attribute of the corresponding disabled user account. These disabled user accounts are enabled for Lync Server 2010 and mail-enabled for Microsoft Exchange Server if it is deployed.

CONCLUSION:

With the Global Integrated Solution for the two forests CFSAD and TYCOFS, the Central Forest Model is appropriate. Other forests can also be integrated into this solution, bringing resource user forests into the Lync forest.

1. Central Forest Topology for Lync Server 2010

In a central forest topology, servers running Lync Server 2010 in the central forest provide services to users and groups in the central forest, and also to users and groups in all other forests, which are called user forests.

The central forest deployment offers the benefits of centralized administration and minimizes complexity in a multiple forest environment.

This document will not describe in depth the installation based on the Multiple Forest, Central Forest model. Please see http://www.microsoft.com/en-us/download/confirmation.aspx?id=11300#


Note:

You must establish a two-way trust between the central forest and user forests to enable distribution group expansion when groups from user forests are synchronized as contacts to the central forest.

2. Prerequisites for a Central Forest Topology Deployment

To support a central forest topology, the following prerequisites are required.

Identity life cycle manager—One of the following supported identity life cycle managers must be deployed:

- Microsoft Forefront Identity Manager 2010
- Microsoft Identity Lifecycle Manager 2007 FP1
- Microsoft Identity Integration Server 2003 SP2

As the above tools are now all integrated into Microsoft Forefront Identity Manager 2010, this document uses that tool to synchronize user objects from user forests into contacts in the Lync Central Forest.


Lync Central Forest Topology – User Forest

In a central forest topology, servers running Lync Server 2010 in the central forest provide services to users and groups in the central forest, and also to users and groups in all other forests, which are called user forests. In our scenario the central forest is tycofs.com, whereas the user forest is tycofs.local.za (South Africa users).

The central forest deployment offers the benefits of centralized administration and minimizes complexity in a multiple forest environment.

After you have deployed Lync Server in the central forest, complete the following steps:

Step 1: Configuring the Microsoft Forefront Identity Manager 2010 for Lync Server 2010

Step 2: Enabling Contacts for Lync Server 2010

After you have deployed Lync Server 2010, modify the configuration of the identity life cycle manager server that is responsible for synchronizing user objects as contacts across all forests.

The Lync Server Sync tool configures the management agent of each forest except the central one in order to synchronize its user and group information with the identity life cycle manager server. The identity life cycle manager server generates a metaverse object that represents each user or group, and it then synchronizes each user or group object as a contact in the central forest. Because all Lync Server users and groups are synchronized as contacts (including the user's or group's object security identifier (SID)) in every other forest, users can still communicate with each other across forest boundaries after the identity life cycle manager server is reconfigured, and users can still take advantage of distribution group expansion across forests.

For configuring Lync Server in a multiple-forest environment, we are using the synchronization software Forefront Identity Manager 2010.

Step 1: Configuring the Microsoft Forefront Identity Manager 2010 for Lync Server 2010

Each server that hosts the different FIM 2010 R2 server-side components has different software requirements. We will focus on the software required for synchronizing our user forests to the Lync Central Forest.

- The 64-bit edition of Windows Server 2008 R2 Standard or Enterprise
- Microsoft SQL Server 2008 64-bit Standard or Enterprise, Service Pack 1 (SP1), SQL Server 2008 R2 Standard/Enterprise or later.
- Windows SharePoint Services 3.0 Service Pack 2 (SP2) or Microsoft SharePoint Foundation 2010.

Please follow the link below for the Identity Life Cycle Manager Server: https://technet.microsoft.com/en-us/library/gg670892.aspx

We will not discuss all the steps required to install the above requirements.

The Forefront Identity Manager is configured to do the following:

- Import the user objects and group objects from two user forests as Metaverse Objects
- Export the metaverse objects to the central forest as contact objects.

To install and configure the Lync Server Sync Tool, Lcssync, perform the following steps:

1. Install the Lync Server Sync Tool.

2. Extend the Metaverse Schema in the Identity Life Cycle Manager (so the Lync Server attributes can be synchronized).

3. Configure Extensions for the Lync Server Sync Tool (configuring the extensions determines how synchronization is handled for Lync Server 2010 objects that are synchronized by the identity life cycle manager).

4. Configure the Object Deletion Rule in the Identity Life Cycle Manager (after you have configured extensions for the Lync Server 2010 Sync tool, configure the rule that determines what the identity life cycle manager server will do when a user object is deleted in a forest and how it will synchronize the deletion with the central forest. If a user object is deleted in a user forest, the corresponding contact object that is used by Lync Server in the central forest must also be deleted. Configuring the object deletion rule ensures that the identity life cycle manager server and Lync Server handle this situation correctly).

5. Create a Management Agent for the Lync Server Sync Tool in the Central Forest.

6. Create a Management Agent for the Lync Server Sync Tool in all User Forests.

7. Import, synchronize, and provision Lync Server objects.



LATAM configuration: Importing, Synchronizing, and Provisioning Lync Server Objects

After you have created management agents for all forests in your environment, you need to synchronize user and contact information. During this initial synchronization, you import Active Directory data for each forest into the connector space, synchronize this data in the metaverse, and then export this data from the metaverse to the central forest.

So we have two Management Agents set up:

- One for the forest lat.tyc.local (from where the users will be gathered)
- One for the forest tycofs.com (where the contacts will be created)

https://technet.microsoft.com/en-us/library/gg670892.aspx

The steps to complete are described below:

- Run a FULL Import on the Management Agent in the Central Forest
- Run a FULL Import on the Management Agent in the User Forest
- Synchronize the Metaverse in the Central Forest (run the Management Agent in the Central Forest and select “Full Sync”)
- Synchronize the Metaverse in the User Forest (run the Management Agent in the User Forest and select “Full Sync”)
- Provision in the Central Forest (run the Management Agent in the Central Forest and select “Export”)

For LATAM there is a need to set up a Management Agent to synchronize the user objects from lat.tyc.local into contacts in TYCOFS.COM. In the procedure below you will find the steps to configure the two Management Agents successfully.


Configure Management Agent “Lcs Central Forest”

The first step is to configure the Lcs Central Forest Agent, which is used for the Lync User Forest. This is tycofs.com, where we have our Lync EMEA organization. To create a new Management Agent, right-click inside the Name column and select “Import Management Agent”.

This will default to the share where the Extensions for Lync are found. This location is “C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions”.


For the Central Forest we select “lcscentralforestma”, which is the default for the Central Forest. Leave the Name as the default “Lcs Central Forest” and fill in the Description to identify the Agent if more Agents are in use. Select Next and configure the desired options for TYCOFS.COM.


Select the forest TYCOFS.COM


Select Containers:

This is where the Forest should gather the full import from, for all the objects that have already been created. We are choosing LATAM only, from the OU “Lync 2010 FIM Synchronization”.

Please note that the container location is the SAME as in the file inside the folder “C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions\lcscfg” on the server ukstr1ly00004.tycofs.com.

The synchronization process uses the lcssync.dll file, which reads from the lcscfg.xml file. Therefore please use the same locations.

Configure Provisioning Hierarchy will be used during provisioning to create any necessary container objects in the connected directory. Only containers with one or fewer required.


We can leave this as default to “o” and “ou”.


We will leave all the default settings and select Next to continue to the next step.

The next step is Select Object Types, where we select the object type class to look for objects. The Contact is certainly required, so we tick that.

Next we select the attributes we are interested in synchronizing. As we particularly need the msRTCSIP-OriginatorSid (TYCOFS.COM) and the ObjectSid from the legacy LAT.TYC.LOCAL domain, we need to select Show All to see all the attributes.


Then check that the desired attributes inside TYCOFS.COM are selected. The list below shows all the attributes that are in play for this Management Agent:

- C

- Cn

- Comment

- Company

- Department

- Description

- DisplayName

- GivenName

- HomePhone

- IpPhone

- L

- Mail

- ManagedBy

- Manager

- Mobile

- msDS-SourceObjectDN

- msRTCSIP-OriginatorSid

- msRTCSIP-SourceObjectType

- objectSid

- otherHomePhone

- otherMobile

- otherPager

- otherTelephone

- pager

- physicalDeliveryOfficeName

- sn

- st

- telephoneNumber

- thumbnailPhoto

- title

Most of the attributes are standard and are required for the information that needs to be shown after the Contact has been created inside TYCOFS.COM and enabled for Lync. If required, any additional attribute can be selected to synchronize.

In the Configure Connector Filter, we can filter on any appropriate action to select or deselect the objects from TYCOFS.COM. For now we leave this as is:


The next step is “Configure Join and Projection Rules”, where we map the different attributes we are bringing over from the legacy domain (lat.tyc.local) into the User Forest domain (tycofs.com).

It is required to first of all select YES on the Join Data Source Object Type for Contact only!! We are not interested in any other Join or Projection Rule.


In the Attribute Flow we select which Metaverse attribute will flow into the desired Contact attribute (Data Source Attribute).

For LATAM synchronization and the Lync Enabling Process we have the below standard in place:

[email protected]

Where:

- Firstname is the SamAccountName from the User Forest LAT.TYC.LOCAL
- Lastname is “latam” for all the accounts.

So from the Metaverse (the collection of the synchronization accounts) we deselect the SN attribute. This will be filled by a PowerShell script with the default “latam”.


The following step is the Configure Deprovisioning step, which we leave as default.

In the Configure Extensions you will find the Rules Extension named “lcssync.dll”, which needs to be used to synchronize users from the User Forest to contacts inside the Central Forest.


This will be the final step, so we will click OK to configure the Lcs Central Forest Management Agent.


Configure Management Agent “Lcs User Forest - LATAM”

The next step is to configure the Lcs User Forest Agent, which is used for the User Forest, the source from which the information is gathered. This is lat.tyc.local for the LATAM region. To create a new Management Agent, right-click inside the Name column and select “Import Management Agent”.

This will default to the share where the Extensions for Lync are found. This location is “C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions”.


As we are interested in the User Forest we select “lcsuserforestma”. Select Open with this name highlighted.

We change the name to reflect the source, “Lcs User Forest – LATAM”, and provide a description of the need for this Management Agent.

To gather information from the source lat.tyc.local, a service account is needed that is able to read information from the user forest (an account with the Replicating Directory Changes permission is required; see http://absolute-sharepoint.com/2012/12/step-by-step-guide-to-configure-the-replicating-directory-changes-for-sharepoint-2010-and-2013.html).


For lat.tyc.local we have created the LyncAdSync Service Account with the desired privileges.

Select the forest LAT.TYC.LOCAL


Select Containers:

Please select the OUs from where the users should be provisioned into the Metaverse. We have used the sub-OUs below inside the LT-Users OU.

Configure Provisioning Hierarchy will be used during provisioning to create any necessary container objects in the connected directory. Only containers with one or fewer required.

We can leave this as default to “o” and “ou”.


We will leave all the default settings and select Next to continue to the next step.

The next step is Select Object Types, where we select the object type class to look for objects. The Contact is certainly required, so we tick that.

Next we select the attributes we are interested in synchronizing. As we particularly need the msRTCSIP-OriginatorSid (TYCOFS.COM) and the ObjectSid from the legacy LAT.TYC.LOCAL domain, we need to select Show All to see all the attributes.

Then check that the desired attributes inside LAT.TYC.LOCAL are selected. The list below shows all the attributes that are in play for this Management Agent:

- C

- Cn

- Company


- Department

- Description

- DisplayName

- GroupType

- HomePhone

- IpPhone

- L

- Mail

- ManagedBy

- Manager

- Mobile

- objectSid

- otherHomePhone

- otherMobile

- otherPager

- otherTelephone

- pager

- sIDHistory

- st

- telephoneNumber

- thumbnailPhoto

- title

- UserAccountControl

Most of the attributes are standard and are required for the information that needs to be shown after the Contact has been created inside TYCOFS.COM and enabled for Lync. If required, any additional attribute can be selected to synchronize.

For LATAM synchronization and the Lync Enabling Process we have the below standard in place:

[email protected]

Where:

- Firstname is the SamAccountName from the User Forest LAT.TYC.LOCAL
- Lastname is “latam” for all the accounts.

So from the Metaverse (the collection of the synchronization accounts) we deselect the SN and GivenName attributes. These will be filled by a PowerShell script with GivenName {SamAccountName} and SN default “latam”.


In the Configure Connector Filter, we can filter on any appropriate action to select or deselect the objects from TYCOFS.COM.

The filter on User is set up to meet the criteria below:

- Mail needs to be present in the User Forest on the User Object;
- The user needs to be ENABLED in the User Forest.

We do not want user objects that fail the above criteria to flow, so we filter them out with the above configuration.
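Before the first Full Import it is useful to know which source accounts the connector filter will drop. The following PowerShell is an added example, not part of the TYCO document or of lcssync.dll: it applies the two criteria above (mail present, account not disabled) to user objects and reports the reason an object would be filtered out. The sample objects are constructed; the commented live query assumes the ActiveDirectory module and a placeholder search base, since the document names the LT-Users OU but not its distinguished name.

```powershell
# Added example (not from the TYCO document or FIM): pre-flight check of the
# connector-filter criteria used for the "Lcs User Forest - LATAM" agent.
# A user object flows only if it has a mail value and is not disabled.

# ACCOUNTDISABLE flag in userAccountControl (bit 1, value 0x2).
$ACCOUNTDISABLE = 0x2

function Test-LcsSyncCandidate {
    # Returns $true when a user object meets both filter criteria:
    #   - mail attribute is present (non-empty)
    #   - ACCOUNTDISABLE bit is not set in userAccountControl
    # Input: any object exposing sAMAccountName, mail and userAccountControl.
    param([Parameter(Mandatory)] $User)

    $hasMail   = -not [string]::IsNullOrWhiteSpace($User.mail)
    $isEnabled = (([int]$User.userAccountControl) -band $ACCOUNTDISABLE) -eq 0
    return ($hasMail -and $isEnabled)
}

function Get-LcsSyncFilterReport {
    # Classifies each candidate and explains why an object would be filtered out.
    param([Parameter(Mandatory)] [object[]] $Users)

    foreach ($u in $Users) {
        $reasons = @()
        if ([string]::IsNullOrWhiteSpace($u.mail)) { $reasons += 'no mail attribute' }
        if ((([int]$u.userAccountControl) -band $ACCOUNTDISABLE) -ne 0) { $reasons += 'account disabled' }
        $reason = if ($reasons.Count -gt 0) { $reasons -join '; ' } else { 'meets filter criteria' }

        [pscustomobject]@{
            sAMAccountName = $u.sAMAccountName
            WillFlow       = (Test-LcsSyncCandidate $u)
            Reason         = $reason
        }
    }
}

# Constructed sample objects standing in for Get-ADUser output from lat.tyc.local.
# 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT + ACCOUNTDISABLE.
$sample = @(
    [pscustomobject]@{ sAMAccountName = 'jdoe';    mail = 'jdoe@example.invalid';  userAccountControl = 512 },
    [pscustomobject]@{ sAMAccountName = 'svc-old'; mail = $null;                   userAccountControl = 512 },
    [pscustomobject]@{ sAMAccountName = 'mleft';   mail = 'mleft@example.invalid'; userAccountControl = 514 }
)

Get-LcsSyncFilterReport -Users $sample | Format-Table -AutoSize

# Live variant (requires the ActiveDirectory module and a read account such as the
# document's LyncAdSync; the search base is a PLACEHOLDER, replace it with the DN of
# the LT-Users sub-OUs used in the document):
# $live = Get-ADUser -Server 'lat.tyc.local' -SearchBase 'OU=LT-Users,DC=PLACEHOLDER' `
#             -Filter * -Properties mail, userAccountControl
# Get-LcsSyncFilterReport -Users $live | Where-Object { -not $_.WillFlow }
```

Running it against the constructed sample lists jdoe as flowing and svc-old and mleft as filtered out, with the reason for each. In a live run the `Where-Object` filter gives the list of accounts that will silently not get a contact in the central forest, which is the list worth reviewing with the LATAM account owners before the Export step.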

The next step is “Configure Join and Projection Rules”, where we map the different attributes we are bringing over from the legacy domain (lat.tyc.local) into the User Forest domain (tycofs.com).


For Single Sign-on to Lync it is required that the ObjectSid from the Source Forest (lat.tyc.local) is filled into the msRTCSIP-OriginatorSid in the Destination Forest (tycofs.com).

This guarantees that whenever a user logs on to a lat.tyc.local computer with his/her user account inside this forest, he/she is able to use Lync without entering his/her credentials!!!

In the Attribute Flow we select which Metaverse attribute will flow into the desired Contact attribute (Data Source Attribute).


Please take note in the above that we are synchronising the sAMAccountName from the User Forest into the comment attribute inside the Central Forest. In the Management Agent Central Forest, we have set up an Attribute Flow from the Comment field to the GivenName inside the Central Forest. This is so that we do NOT have any identical givenNames, which are used for the SIP address.

The following step is the Configure Deprovisioning step, which we leave as default.

In the Configure Extensions you will find the Rules Extension named “lcssync.dll”, which needs to be used to synchronize users from the User Forest to contacts inside the Central Forest.

This will be the final step, so we will click OK to configure the Lcs User Forest Management Agent!


Importing, Synchronizing, and Provisioning Lync Server Objects

After you have created management agents for all forests in your environment, you need to synchronize user and contact information. During this initial synchronization, you import Active Directory data for each forest into the connector space, synchronize this data in the metaverse, and then export this data from the metaverse to the central forest.

The steps to complete are described below:

- Run a FULL Import on the Management Agent in the Central Forest
- Run a FULL Import on the Management Agent in the User Forest
- Synchronize the Metaverse in the Central Forest (run the Management Agent in the Central Forest and select “Full Sync”)
- Synchronize the Metaverse in the User Forest (run the Management Agent in the User Forest and select “Full Sync”)
- Provision in the Central Forest (run the Management Agent in the Central Forest and select “Export”)

After you provision the central forest, you should verify that contact objects have been created for each

user object in the user forests. You must then enable these contacts for Lync Server 2010.
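The run-profile sequence above can be driven without clicking through the Synchronization Service Manager. The following PowerShell is an added example, not part of the original document, and uses the MIIS_ManagementAgent WMI class that the FIM synchronization service exposes. It assumes the two management agents are named 'Central Forest' and 'User Forest' and that run profiles named 'Full Import', 'Full Sync' and 'Export' have been defined on each of them (names assumed here, not taken from the document). It stops at the first run that does not return success, and afterwards counts the contacts in the LATAM OU that received the msRTCSIP-Originator flow, which is the verification the paragraph above asks for.

```powershell
# Added example (not the document's own script): run the FIM run-profile sequence via WMI,
# stop on the first non-success status, then verify the export into the LATAM OU.
# Assumed names: MAs 'Central Forest' / 'User Forest'; run profiles 'Full Import', 'Full Sync', 'Export'.
$Namespace = 'root\MicrosoftIdentityIntegrationServer'
$ContactOU = 'OU=LATAM,OU=Lync 2010 FIM Synchronization,OU=Users,OU=TIP Projects,OU=Divisions,DC=TYCOFS,DC=COM'

function Invoke-MaRunProfile {
    param(
        [Parameter(Mandatory = $true)][string] $AgentName,
        [Parameter(Mandatory = $true)][string] $RunProfile
    )
    $ma = Get-WmiObject -Namespace $Namespace -Class MIIS_ManagementAgent |
          Where-Object { $_.Name -eq $AgentName }
    if (-not $ma) { throw "Management agent '$AgentName' not found in $Namespace" }

    # Execute() returns the run status string, e.g. 'success' or 'completed-export-errors'.
    $status = $ma.Execute($RunProfile).ReturnValue
    "{0:s}  {1,-15} {2,-12} -> {3}" -f (Get-Date), $AgentName, $RunProfile, $status
    if ($status -ne 'success') {
        throw "Run profile '$RunProfile' on '$AgentName' ended with '$status'; sequence stopped"
    }
}

function Get-ExportedContactCount {
    param([string] $SearchBase = $ContactOU)
    Import-Module ActiveDirectory
    # Only contacts that actually received the ObjectSID flow (msRTCSIP-Originator) count as provisioned.
    @(Get-ADObject -SearchBase $SearchBase -SearchScope OneLevel `
        -LDAPFilter '(objectClass=contact)' -Properties 'msRTCSIP-Originator' |
      Where-Object { $_.'msRTCSIP-Originator' }).Count
}

# Order matters: import both forests into their connector spaces, synchronise both into the
# metaverse, and only then export from the metaverse to the central forest.
$sequence = @(
    @{ Agent = 'Central Forest'; Profile = 'Full Import' },
    @{ Agent = 'User Forest';    Profile = 'Full Import' },
    @{ Agent = 'Central Forest'; Profile = 'Full Sync'   },
    @{ Agent = 'User Forest';    Profile = 'Full Sync'   },
    @{ Agent = 'Central Forest'; Profile = 'Export'      }
)

$before = Get-ExportedContactCount
foreach ($step in $sequence) {
    Invoke-MaRunProfile -AgentName $step.Agent -RunProfile $step.Profile
}
$after = Get-ExportedContactCount
"Contacts with msRTCSIP-Originator in the LATAM OU: $before before, $after after export"
```

Run it on the synchronization server as an account that is a member of the FIM operators or administrators group, since WMI access to the MIIS namespace is restricted to those groups. Comparing the contact count before and after the export gives a quick signal that provisioning happened; an export that ends with an error status is surfaced as a terminating error rather than being silently followed by the next run.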


Please look into the OU “OU=LATAM,OU=Lync 2010 FIM Synchronization,OU=Users,OU=TIP Projects,OU=Divisions,DC=TYCOFS,DC=COM”, where the last Export should have created the desired Contacts to be enabled for Lync.

Please review that all the Attributes you have set up to flow are imported:

- First name should be filled by the sAMAccountName from lat.tyc.local

- Display Name should be filled by the Display Name from lat.tyc.local (this is required for the Lync Address Book)

- The E-mail address field should be EMPTY; if it is filled it causes a synchronisation to the Microsoft managed domain, which we MUST AVOID.


Please review the other attributes as well.

The imported attribute to check is msRTCSIP-Originator, which should be filled by the ObjectSID from lat.tyc.local.


Enabling Contacts for Lync

Users cannot use Lync Server 2010 until they are enabled for all Lync Server services. After you have

synchronized Active Directory Domain Services (AD DS) for users, groups, and contacts across all your

forests, enable the contacts that you created in the central forest for Lync Server.

To streamline and automate this process, we use a three-step process to enable the contacts:

1. As we are using [email protected] as the user's SIP address, we need to fill the Lastname with “latam”. The script takes care of this;

2. To ensure that the Contact is NOT synchronized to Microsoft, the script fills extensionAttribute13 with “Never”, which takes the contact out of synchronization;

3. The last step is to enable all created Contacts for Lync. The script runs against the OU “LATAM” and processes all Contacts that have not already been ENABLED for Lync.

The above steps run as a scheduled task every day. We have streamlined all of this in the PowerShell script below.

LATAM FIM - Enable for Lync.ps1

This script runs on the Lync Front End Server ukstr1ly00001.tycofs.com, initially at a daily interval.

For the naming convention we have used [email protected] as the unique SIP address.

Note:

As mentioned earlier, to exclude the created objects from the Global GAL in our Email environment, the script automatically fills “ExtensionAttribute13” with “Never”. Additionally we need to ensure that the Mail attribute is empty, as it is not required for a Lync-enabled contact.

The below should appear!
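The document's own “LATAM FIM - Enable for Lync.ps1” is only shown as a screenshot. The script below is an added example written from the three steps and the note above, not the original script. It uses the ActiveDirectory and Lync PowerShell modules on the Front End server. The OU distinguished name is the one given earlier in this document; the SIP domain, the registrar pool and the SIP address pattern `<givenName>.latam@<domain>` are placeholders and assumptions, since the original value is obscured on this page. Contacts missing one of the attributes the review above requires (givenName, displayName, msRTCSIP-Originator) are skipped and logged rather than enabled, and the whole run honours `-WhatIf`.

```powershell
# Added example, not the document's "LATAM FIM - Enable for Lync.ps1".
# Steps: (1) sn = 'latam', (2) extensionAttribute13 = 'Never' and mail cleared,
# (3) Enable-CsUser for every contact in the LATAM OU not yet enabled for Lync.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # OU from the document: FIM exports the LATAM contacts here.
    [string] $SearchBase    = 'OU=LATAM,OU=Lync 2010 FIM Synchronization,OU=Users,OU=TIP Projects,OU=Divisions,DC=TYCOFS,DC=COM',
    [string] $SipDomain     = 'sip.example.invalid',   # placeholder, not from the document
    [string] $RegistrarPool = 'pool.example.invalid',  # placeholder, not from the document
    [string] $LogPath       = "$env:ProgramData\LatamFimEnable.log"
)

Import-Module ActiveDirectory
Import-Module Lync

function Write-Log {
    param([string] $Message)
    "$(Get-Date -Format s) $Message" | Tee-Object -FilePath $LogPath -Append
}

# Only contacts that are not yet enabled for Lync (msRTCSIP-UserEnabled absent or FALSE).
$contacts = @(Get-ADObject -SearchBase $SearchBase -SearchScope OneLevel `
    -LDAPFilter '(&(objectClass=contact)(!(msRTCSIP-UserEnabled=TRUE)))' `
    -Properties givenName, sn, displayName, mail, extensionAttribute13, 'msRTCSIP-Originator')

Write-Log "Found $($contacts.Count) contact(s) to process under $SearchBase"

foreach ($c in $contacts) {
    # Mirror the attribute review: givenName (from sAMAccountName), displayName (Address Book)
    # and msRTCSIP-Originator (ObjectSID) must all have flowed before we enable anything.
    if (-not $c.givenName -or -not $c.displayName -or -not $c.'msRTCSIP-Originator') {
        Write-Log "SKIP $($c.DistinguishedName): required attribute missing"
        continue
    }

    # Steps 1 and 2: lastname 'latam', extensionAttribute13 'Never', and (per the note) an empty mail attribute.
    if ($PSCmdlet.ShouldProcess($c.DistinguishedName, 'Set sn/extensionAttribute13, clear mail')) {
        Set-ADObject -Identity $c -Replace @{ sn = 'latam'; extensionAttribute13 = 'Never' }
        if ($c.mail) { Set-ADObject -Identity $c -Clear mail }
    }

    # Step 3: enable for Lync. SIP address pattern is an assumption: <givenName>.latam@<SipDomain>.
    $sip = "sip:$($c.givenName).latam@$SipDomain"
    if ($PSCmdlet.ShouldProcess($c.DistinguishedName, "Enable-CsUser as $sip on $RegistrarPool")) {
        try {
            Enable-CsUser -Identity $c.DistinguishedName -RegistrarPool $RegistrarPool `
                -SipAddress $sip -ErrorAction Stop
            Write-Log "ENABLED $($c.DistinguishedName) as $sip"
        } catch {
            # Leave the contact for the next daily run; the log shows why it failed.
            Write-Log "ERROR $($c.DistinguishedName): $($_.Exception.Message)"
        }
    }
}
```

Because the LDAP filter selects only contacts without msRTCSIP-UserEnabled=TRUE, the script is idempotent and safe to schedule daily as the document describes: contacts enabled on a previous run are not touched again, and a contact that failed to enable is retried the next day. Run it once with `-WhatIf` after a fresh FIM export to confirm the skip and enable decisions before letting the scheduled task run it unattended.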


Appendix:

All servers reside in the EMEA Stratford Data Centre.

Ukstr1ly00004.tycofs.com:

- Windows 2008 R2 server running the Microsoft Forefront Identity Management tool

- Microsoft SharePoint Foundation 2010 installed

- Microsoft SQL 2008 R2 installed – the database can also be hosted on another SQL Database Cluster

Lync EMEA Front End servers:

- Ukstr1ly00001.tycofs.com and ukstr1ly00002.tycofs.com are the two Front End Lync servers, which together can hold a maximum of around 20,000 users. This can easily be extended by either adding a regional Front End Server or an extra Front End Server in Stratford.

AD specifications:

Two service accounts for running the FIM tool:

- Tycofs\GBL-FIM-Agent: for running the FIM Tool

- Tycofs\GBL-FIM-Service: for running the synchronization.

User forest: a service account that is able to read information from the user forest (the Replicating Directory Changes permission is required; see http://absolute-sharepoint.com/2012/12/step-by-step-guide-to-configure-the-replicating-directory-changes-for-sharepoint-2010-and-2013.html). For lat.tyc.local we have used the account lat.tyc.local\LyncAdSync (a corresponding account was created for tycofs.local.za).