This post explains how to configure Office Communications Server in a resource forest topology, in a resource topology, a single resource forest contains all Office Communications Server servers and disables user accounts for each logon enabled account in a user forest.

A resource forest topology is an Active Directory® Domain Services topology used to deploy Office Communications Server and Microsoft Exchange Server in one Active Directory forest while all logon enabled user accounts are located in a separate Active Directory forest. The resource forest hosts only servers and does not contain any primary user accounts. The primary user accounts from other forests are represented as disabled user accounts. The SID (security identifier) of a disabled user account in the resource forest is mapped to the corresponding primary user account in the other forest to allow for single sign in. These disabled user accounts are enabled for Office Communications Server and mail-enabled for Exchange Server if it is deployed.

Prerequisites

To support a resource forest topology, Office Communications Server must be deployed in your resource forest and configured at least with one-way trust between the resource forest and all user forests (such that the resource forest trusts all user forests).

Also DNS Forwarding between users forests DNS Servers and new resources forest DNS Servers is required to allow name resolution across forests.

If you have not deployed Office Communications Server, see the Microsoft Office Communications Server Planning Guide and the Microsoft Office Communications Server Deployment Series.

Figure below shows how an example organization, configured as an Enterprise pool in its resource forest.

clip_image001

After you have deployed Office Communications Server in the resource forest, complete the following steps:

  • Extend the new Forest Schema for Exchange 2007, this step is required to have all Exchange attributes available in the new resource Forest, so if you want to enable user for OCS with SIP Address same as user email address which is the normal scenario to avoid educating users with different address for Communicator Login, then mail attributes should be the same as in old users forest.
  • Use ADMT to migrate all users as disabled accounts with the corresponding attributes for each user account in the user forests, all Mail enabled groups should be migrated as well to the new resource forest, the second option is to create the users in the new Resource Forest as disabled users and manually copy the required attributes from the user accounts in each user forest to the corresponding disabled user account in the Resource Forest, however the second option is not recommended and will include some problems.
  • Use ILM to synchronize all attributes from users in Users Forest to disabled Users in Resources Forest.
  • Use ILM to synchronize Mail attributes from Groups in Users Forest to Groups in Resource Forest, mail attribute will be required for groups to able to query mail enabled groups in communicator.
  • Use ILM to schedule synchronizing changes between Users Forest and the new Resource Forest.
  • Enable these disabled accounts for Office Communications Server.
  • Enable Anonymous access on Address Book Web Service Virtual Directory on OCS Front End Server
  • Enable Anonymous access on Group Expansion Web Service Virtual Directory OCS Front End Server

Extend the new Resource Forest Schema for Exchange 2007

In all cases if the old Forest host Exchange 2003 or Exchange 2007, it is better to extend the new Resource Forest with Exchange 2007 schema, in this case the disabled user accounts will already exist and many of the necessary attributes on the disabled user accounts will be populated.

Use ADMT for Users Migration

Creating Disabled users manually in Resource Forest will require allot of attributes synchronization and can lead for some issues, the best way that was tested is using ADMT to migrate the users from old Users Forest to the new Resource Forest.

For more information about using ADMT refer to ADMT Guide http://technet.microsoft.com/en-us/library/cc974332(WS.10).aspx.

Use ILM for attributes synchronization

  • ms-RTC-SIP-OriginatorSID Attribute which is required by OCS in resource forest , this attribute should be synchronized using ILM by master Account SID for User in Users Forest.
  • All User Properties attributes that will be required to be populated in Office Communicator should be synchronize using ILM, for example:

o Telephone Number

o Mobile Number

o DisplayName

o IP Phone Number

o Mail

o ...

Table below shows the attributes that must be mapped from a user object in the user forest to a corresponding disabled user object in the resource forest using the example user, User A.

Attribute

User A in User Forest

Disabled user account for User A in a Resource Forest

Cn

Dylan

Dylan

ObjectSID

Note   In a deployment that includes Microsoft Exchange Server, set the ObjectSID attribute to the value from the msExchMasterAccountSID attribute.

sidDylan

 

ms-RTC-SIP-OriginatorSID

 

sidDylan

ms-RTC-SIP-TargetHomeServer

   

telephoneNumber

555-1234

555-1234

displayName

Dylan Miller

Dylan Miller

givenName

Dylan

Dylan

Surname

Miller

Miller

physicalDeliveryOfficeName

4500

4500

l (city)

Redmond

Redmond

st (state)

WA

WA

Country

U.S.A

U.S.A

Title

Director

Director

Mail

dylan@contoso.com

dylan@contoso.com

Company

Contoso

Contoso

  • For Group expansion to work in a cross-forest scenario some attributes will be required to be synchronize to the Resource Forest as the following:

o ObjectSid

o Mail

o DisplayName

o GroupType

Table below shows how attributes are mapped from a user object to a contact object using the example group, Group A.

Attribute

Group A

Contact for Group A

Cn

GroupA

GroupA

ObjectSID

sidA

 

ms-RTC-SIP-OriginatorSID

 

sidA

displayName

GroupA

GroupA

groupType

Distribution Group - Universal

 

ms-RTC-SIP-SourceObjectType

 

Distribution Group - Universal

Mail

GroupA@contoso.com

GroupA@contoso.com

Distinguished name (DN)

<distinguished name of group A>

 

msRTCSIP-SourceObjectDN

 

<Distinguished name of group A>

  • To keep the new Resource Forest updated with changes in the Users Forest schedule task should be created to run ILM synchronization to synchronize any delta changes.

Enable Disabled Users for Office Communication Server

Enable disabled users for OCS in the Resource Forest should be done periodically depend on changes happened in the Users Forest, so if new user created in the User Forest and ILM synchronize this user to the Resource Forest then enable user for OCS and configure this user for OCS services is required, also in some change cases like change in email address for user in Users Forest and this user enabled for OCS in Resource Forest with SIP Address same like email address, then re-enable this user for OCS should be done to keep using his new email address as his SIP Address,

Below are the required steps to enable the disabled users for OCS:

1. In the resource forest, log on to a computer running the Office Communications Server 2007 service as a member of the RTCUniversalUserAdmins group.

2. Start Active Directory Users and Computers: Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

3. Go to the organizational unit where you created your disabled user accounts.

4. Right-click the contact that you want to enable, click Properties, and then click the Communications tab.

5. Select the Enable users for Office Communications Server check box.

6. In the Sign-in name box, type the sign-in name (also known as the SIP URI) for this user account and then select the SIP domain that is used by your Office Communications Server servers. For example, dylan@contoso.com.

7. In Server or pool, select the Office Communications Server server where you want to host the user account.

8. Click Configure.

9. In the User Options dialog box, select the appropriate settings required for your deployment and then click OK. Click OK again to apply the changes and close the user properties.

Enable Anonymous access on Address Book Web Service Virtual Directory on OCS Front End Server (Optional)

Enable Anonymous access on Address Book Web Service Virtual Directory on OCS Front End Server is optional step, however it is required step in case if there is VLAN restrictions between users VLANs and the new Resource Forest VLAN, which is normal scenario in most cases,

All you should change from IIS under default web site in all OCS Front End Servers is to allow Anonymous access on Address Book Virtual Directory and all sub Virtual Directories under it.

Enable Anonymous access on Group Expansion Web Service Virtual Directory OCS Front End Server (Optional)

Enable Anonymous access on Group Expansion Web Service Virtual Directory on OCS Front End Server is optional step, however it is required step in case if there is VLAN restrictions between users VLANs and the new Resource Forest VLAN, which is normal scenario in most cases,

All you should change from IIS under default web site in all OCS Front End Servers is to allow Anonymous access Group Expansion Virtual Directory and all sub Virtual Directories under it.