Well... there are some Microsoft customers who would like to have two different forests. They'll use one forest to deploy resources like LCS, OCS, Exchange etc.. and they will use other forest to host users. This is fairly simple using any identity integration application like MIIS, IIFP etc. But recently I worked with a customer who didnt want to use any identity integration application, still had to deploy inter forest deployment of LCS. (After implemetation I concluded that this is simpler than using any identity integration application... :) )
Suppose there are two Forests ForestA and ForestB. You've deployed LCS 2005 sp1 or OCS 2007 in ForestA. The user accounts reside in ForestB.
Create a one way trust between ForestA and ForestB. Users from ForestB should be able to access resources of ForestA.
Create an OU in ForestA where LCS\OCS is deployed.
Name this OU as DisabledAccounts.
Ensure that users from ForestB are imported in ForestA DisabledAccounts OU as disabled users. (Better to use scripts rahter than manually!)
Log on to a server joined to an Active Directory domain in the resource forest using an account that is a member of the DomainAdmins group.
Install LCS or OCS resource kit on a memeber server in the ForestA.
At the command prompt, run the following command to configure the Microsoft Windows® operating system Scripting Host to use cscript.wscript //h:cscriptIn the confirmation box, click OK.
Open a command prompt and change to the directory where the LC 2005 Reskit is installed.
Review the resource forest accounts that will be updated by running the following command: sidmap.wsf /OU:<DN of container with disabled user accounts> /querywhere: · /OU specifies the distinguished name (DN) of the container with the disable user accounts. To represent the DN, use the following format: OU=<name>,DC=<domain name>,DC=<subdomain name>For example, OU=Accounting,DC=contoso,DC=com· /query limits the SID Mapping Tool to only query the resource forest and not populate the attributes.The command returns a list of disabled user accounts in the resource forest.
Populate the attributes in the resource forest by running the following command:sidmap.wsf /OU:<DN of container with disabled user accounts> [/logfile:<path\filename>]Where /logfile is an optional parameter that saves the results of your operation to a file for your records.
This log file is automatically populated with a list of logon-disabled and Communications Server-enabled users.
Ensure that the imported disabled users in ForestA are now LCS\OCS enabled.
Now ForestB users should be able to login using ForestB account.
Note: For authentication you will be using credential of ForestB.
And that's all...
LCS 2005 Resource kit
OCS 2007 Resource kit
I looked into sidmap.wsf script and I believe it's imoprant to mention, that Exchange should already be in the Resource Forest.
Didnt know we can do inter forest deployment without MIIS. quite interesting.. thanks!
Does this setup support Kerberos cross forest authentication? or only NTLM? I am doing this and can only authenticate with Kerberos, but some documentation suggest Kerberos should work.