
Configuring Microsoft Office Communications Server 2007 (Public Beta) in a Multiple-Forest Environment
Published March 2007
This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release.
This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document.
Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of
the use or the results from the use of this document remains with the user. Unless otherwise noted, the companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real
company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying
with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document
may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this
document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give
you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2007 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, Windows Server, Windows Vista, Active Directory, and SQL Server are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.


Contents
Introduction 1
Central Forest Topology 1
Resource Forest Topology 1
Part 1: Deploying Office Communications Server in a Central Forest Topology 2
Prerequisites 2
Step 1 Configure MIIS 4
Step 2 Enable Contacts for Communications Server 2007 Public Beta 15
Keeping Information Synchronized 15
Understanding How Attributes Are Synchronized 18
Troubleshooting the Central Forest Topology 21
Part 2: Deploying Office Communications Server in a Resource Forest Topology 24
Prerequisites 25
Step 1 Create Disabled User Accounts 25
Step 2 Enable Disabled User Accounts for Office Communications Server 26
Step 3 Populating the Required Attributes for Office Communications Server 27
Introduction
A multiple forest topology is often used in enterprises that have a need for multiple forests in the
Active Directory® Domain Services to provide security or organizational boundaries. This
document assumes that you have decided upon a multiple forest topology. For more guidance on
when a multiple forest topology is appropriate and how to deploy, please see the documentation
for the Microsoft® Windows Server® operating system.
To support a multiple-forest environment, Microsoft Office Communications Server 2007 (Public
Beta) must be deployed in only one forest in your topology, which is designated as the central
forest or the resource forest. Deploying and synchronizing Communications Server 2007 across
multiple forests is not supported.

Central Forest Topology


In a central forest topology, Office Communications Servers in the central forest provide services
to users and groups in the central forest, as well as to users and groups in all other forests, which
are called user forests.
The central forest deployment offers the benefits of centralized administration and minimizes
complexity in a multiple forest environment.
Part 1 of this guide explains how to configure Office Communications Server 2007 to support
users, groups, and distribution group expansion in a central forest environment. It briefly
describes the multiple-forest environment, but it assumes that you have already deployed the
hardware and software so that you are ready to create and propagate user data so that a user in
any forest can connect to Office Communications Server and communicate with any user in any
connected forest.

Resource Forest Topology


In a resource forest topology, Office Communications Server is deployed in one forest, a resource
forest that hosts Office Communications Servers but does not host any logon-enabled user
accounts.
Outside of the resource forest, user forests host enabled user accounts but no Office
Communications Servers. Within the resource forest, a corresponding disabled user account exists
for each user account in the user forests.
Part 2 of this guide explains how to configure Office Communications Server 2007 to support a
resource forest topology.
2 Deploying Communications Server 2007 in a Multiple Forest Environment

Part 1: Deploying Office Communications Server in a Central Forest Topology
This section explains how to configure Office Communications Server in a central forest
topology.

Prerequisites
To support a central forest topology, you must meet the following prerequisites.
• Microsoft Identity Integration Server In order to synchronize data across your forests,
you must deploy Microsoft Identity Integration Server. The following QFE is required for
proper cross-forest synchronization:
http://www.microsoft.com/downloads/details.aspx?familyid=FA9DBB67-4654-4C94-B073-
AA59676130AF&displaylang=en. For information on how to deploy MIIS, see the
Microsoft Identity Integration Server documentation.
• Office Communications Server deployed in your central forest. If you have not deployed
Communications Server, see the Microsoft Office Communications Server Planning Guide
and the Microsoft Office Communications Server Deployment Series.

The central forest can be an existing forest that hosts existing Communications Servers, users,
groups, and contacts, or you can create an entirely new forest.
The central forest should normally be the one that hosts the largest number of users. Connectivity
between the central forest and other forests should also be highly available. Figure 1 shows how
an example organization, Contoso, configured an Enterprise pool in its central forest.
Figure 1 Example of a Multiple Forest topology
[Figure: two user forests, each with Active Directory holding user and group objects, are
synchronized by an MIIS server (1) into the central forest, whose Active Directory holds the
Contact objects and which hosts the Communications Server 2007 Enterprise Edition pool and its
SQL server.]
Labels:
(1) MIIS synchronizes Communications Server users as contacts.
(2) Minimum trust requirement is a one-way trust between the domains hosting Communications
Server in one forest and the users and groups in the other forest.
(3) The schema does not need to be extended in the user forests.

After you have deployed Communications Server in the central forest, you do the following:
1. Configure the Microsoft Identity Integration Server.
2. Enable contacts for Communications Server.

Step 1 Configure MIIS


After you have deployed Communications Server 2007, modify the configuration of the
Microsoft Identity Integration Server (MIIS) that is responsible for synchronizing User objects as
contacts across all forests.
Configure the MIIS Server in one of two ways:
• If you do not have Exchange deployed in a cross-forest topology, deploy and configure
Communications Server sync, the Lcssync tool available in the Communications Server
2007 Resource Kit. The remainder of this section focuses on using Communications Server
sync.
• If Microsoft Exchange Server is deployed in a cross-forest topology, use the GAL (global
address list) sync tool with the logic for Communications Server Sync. Exchange uses GAL
sync to synchronize contact information in the GAL between forests. In this situation, an
update to the GAL sync tool is required because MIIS does not support the coexistence of
two different synchronization agents.
Communications Server Sync configures the management agent of each forest except the central
one in order to synchronize its user and group information with MIIS. MIIS generates a
metaverse object that represents each user or group and it then synchronizes each user or group
object as a contact in the central forest. Since all Communications Server users and groups are
synchronized as contacts (including the user’s or group’s object SID) in every other forest, users
can still communicate with each other across forest boundaries after the MIIS server has been
reconfigured and users can still take advantage of distribution group expansion across forests.
The following figure illustrates how MIIS was reconfigured in the Contoso environment.

Figure 2 Configuring the MIIS Server

As Figure 2 illustrates, the MIIS server is configured to do the following:


• Import the User objects and Group objects from two user forests as MIIS metaverse objects.
• Export the metaverse objects to the central forest as Contact objects.
To install and configure the Communications Server Sync tool, Lcssync, perform the following steps
(each step is explained in detail in the subsequent sections):
1. Ensure that .NET 2.0 Framework is installed on the server running MIIS.
2. Install Communications Server Sync (Lcssync) from the Resource Kit.
3. Extend the metaverse schema in MIIS.
4. Configure extensions in MIIS.
5. Configure object deletion rules in MIIS.
6. Create the management agent for the central forest.
7. Create the management agent for all user forests.
8. Import, synchronize, and provision Communications Server objects.

Install the .NET 2.0 Framework on the MIIS Server


The Communications Server Sync tool, Lcssync, requires .NET Framework 2.0.
You can install the .NET Framework Version 2.0 from the Microsoft Web site at
http://www.microsoft.com/downloads/details.aspx?FamilyID=9655156b-356b-4a2c-857c-
e62f50ae9a55&displaylang=en.

Deploying Communications Server Sync Tool


Before you can configure the Communications Server Sync tool, install the required files on your
MIIS server. The files required for the Communications Server Sync tool are included in the
Lcssync directory of the Communications Server 2007 Resource Kit.
To deploy the Communications Server Sync tool
1. On the MIIS computer, in the Communications Server 2007 Resource Kit, go to the
Lcssync directory.
2. Copy all the files in this directory to the following directory on the MIIS Server:
%drive%:\Program Files\Microsoft Identity Integration Server\Extensions.
3. In the Active Directory® Domain Services, create an organizational unit, or verify that a target
organizational unit for your Contact objects exists on the Communications Server in the
central forest.
4. Go to the \Microsoft Identity Integration Server\Extensions folder, and then open
Lcscfg.xml.
5. Use the following format to modify the <target-ou> tag to include the target organizational
unit of the central forest (the value is the distinguished name of that organizational unit,
with the RDNs separated by commas):
<rules-extension-properties>
<lcssync-mas>
<lcsma name="Lcs Central Forest">
<target-ou>OU=contacts,DC=yourdomain,DC=com</target-ou>
</lcsma>
</lcssync-mas>
</rules-extension-properties>

For example:
<target-ou>OU=contacts,DC=contoso,DC=com</target-ou>

6. If necessary, you can modify Logging.xml to change the log file name and logging level. The
example below shows the default values in the XML:
<logging>
<use-single-log>false</use-single-log>
<file-name>lcssync.log</file-name>
<logging-level>1</logging-level>
</logging>
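A consistency check for Lcscfg.xml, added here as an example (it is not part of the guide or of the Lcssync tool): it parses the file, verifies that <target-ou> is a comma-separated distinguished name, and compares the <lcsma name> value against the management agent names you will define in Identity Manager. The XML samples and agent names below are constructed.

```python
"""Sanity-check Lcscfg.xml before the central-forest management agent is imported.

Added example; it is not part of the guide or of the Lcssync tool. It checks the
two settings the guide ties together: <target-ou> must be a well-formed
distinguished name (the commas between RDNs are easy to drop), and the
<lcsma name="..."> value must equal the name given to the management agent in
Identity Manager. The XML samples are constructed for this demonstration.
"""
import re
import xml.etree.ElementTree as ET

# One relative distinguished name such as OU=contacts or DC=com.
RDN = re.compile(r"^(OU|CN|DC)=[^,=]+$", re.IGNORECASE)


def is_valid_dn(dn):
    """True if dn is a comma-separated list of OU/CN/DC RDNs whose last RDN is a DC."""
    parts = [p.strip() for p in dn.split(",")]
    return all(RDN.match(p) for p in parts) and parts[-1].upper().startswith("DC=")


def check_lcscfg(xml_text, ma_names):
    """Return a list of problems found in the Lcscfg.xml text (empty when consistent).

    ma_names: the management agent names as they appear in Identity Manager.
    """
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"Lcscfg.xml is not well-formed XML: {exc}"]
    agents = root.findall("./lcssync-mas/lcsma")
    if not agents:
        return ["no <lcsma> element under <lcssync-mas>"]
    for ma in agents:
        name = ma.get("name", "")
        if name not in ma_names:
            problems.append(f"<lcsma name={name!r}> matches no management agent in MIIS "
                            f"(known: {sorted(ma_names)})")
        ou = (ma.findtext("target-ou") or "").strip()
        if not ou:
            problems.append(f"{name!r}: <target-ou> is missing or empty")
        elif not is_valid_dn(ou):
            problems.append(f"{name!r}: <target-ou> {ou!r} is not a well-formed DN; "
                            "separate RDNs with commas, e.g. OU=contacts,DC=contoso,DC=com")
    return problems


# Constructed samples. GOOD_CFG follows the format shown in the guide; BAD_CFG
# has the two mistakes the checker is meant to catch (agent name mismatch and
# a target OU with the commas dropped).
GOOD_CFG = """<rules-extension-properties>
  <lcssync-mas>
    <lcsma name="Lcs Central Forest">
      <target-ou>OU=contacts,DC=contoso,DC=com</target-ou>
    </lcsma>
  </lcssync-mas>
</rules-extension-properties>"""

BAD_CFG = """<rules-extension-properties>
  <lcssync-mas>
    <lcsma name="Central Forest MA">
      <target-ou>OU=contactsDC=contosoDC=com</target-ou>
    </lcsma>
  </lcssync-mas>
</rules-extension-properties>"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CFG), ("bad", BAD_CFG)):
        print(label, check_lcscfg(cfg, {"Lcs Central Forest"}) or ["OK"])
```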

Extending the Metaverse Schema in MIIS


After you have installed the Communications Server Sync tool on the MIIS Server, extend the
metaverse schema so that the Communications Server attributes can be synchronized.
To extend the metaverse schema
1. On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to
Microsoft Identity Integration Server, and then click Identity Manager.
2. Click Metaverse Designer.
3. On the Actions menu, click Import Metaverse Schema.
4. Select %drive letter%:\Program Files\Microsoft Identity Integration
Server\Extensions\Lcsmvschema.xml.
5. When the schema import operation has completed successfully, click OK.

Configuring Extensions for the Communications Server Sync tool


After you have extended the metaverse schema, configure the extensions for the
Communications Server Sync tool. The way that you configure the extensions determines how
synchronization is handled for Communications Server objects that are synchronized by MIIS.
To configure extensions for the Communications Server Sync tool
1. On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to
Microsoft Identity Integration Server, and then click Identity Manager.
2. On the Tools menu, click Options.
3. Select the Enable metaverse rules extension check box.
4. Click Browse.
5. Under Files, select Lcssync.dll.
Figure 3 Configure Extensions

6. Select the Enable Provisioning Rules Extension check box, and then click OK.
Configuring the Object Deletion Rule in MIIS
After you have configured extensions for the Communications Server Sync tool, configure the
rule that determines what MIIS will do when a User object is deleted in a forest and how it will
synchronize the deletion with the central forest. If a User object is deleted in a user forest, the
corresponding Contact object that is used by Communications Server in the central forest must
also be deleted. Configuring the object deletion rule ensures that MIIS and the Communications
Server handle this situation correctly.
To configure the Object Deletion Rule
1. On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to
Microsoft Identity Integration Server, and then click Identity Manager.
2. Click Metaverse Designer. The Identity Manager window should appear as shown in
Figure 4.
Figure 4 Configure Object Deletion Rule in Metaverse Designer

3. Under Object types, right-click person.


4. In the adjacent Actions pane, click Configure Object Deletion Rule.

5. In the Configure Object Deletion Rule dialog box, which is shown in Figure 5, click Rules
Extension, and then click OK.
Figure 5 Configure Object Deletion Rule

Creating the Management Agent for the Central Forest


After you have configured the Communications Server Sync tool, create a management agent for
the Communications Server Sync tool in the central forest.
To create a management agent for the Communications Server Sync
tool in the central forest
1. On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to
Microsoft Identity Integration Server, and then click Identity Manager.
2. Click Management Agents.
3. On the Actions menu, click Import Management Agent.
4. Select %drive letter%:\Program Files\Microsoft Identity Integration
Server\Extensions\Lcscentralforestma.xml, and then click Open. The Create Management
Agent dialog box appears.
Figure 6 Create Management Agent

5. In Name, type a name for the management agent. This name must be identical to the value
of the name attribute of the <lcsma> tag in Lcscfg.xml.
6. Click Next.
7. Enter the user name and password of a member of the Domain Admins group on the
Communications Server in the central forest.
8. Click Next.
Figure 7 Partitions Matching

9. In Partitions Matching, under Update Partitions, select the partition that needs to be
updated, and in Existing Partitions, select the partition that contains the distinguished name
of your central forest.
10. Click Match.
11. In Existing Partitions, select each unmatched partition and click Deselect.
12. Click OK.
13. In Select directory partitions, clear the check boxes for all domains except for the domain
that has the target organizational unit that you specified in Lcscfg.xml when you deployed
the Communications Server Sync tool.
14. Click Containers.
15. In Select Containers, select the OU container where contacts will be stored, and then click
OK.
16. Click Next.
17. On the Select Objects page, accept the default values, and then click Next.
18. On the Select Attributes page, accept the default values, and then click Next.
19. On the Configure Connector Filter page, accept the default values, and then click Next.
20. On the Configure Join and Projection Rules page, accept the default values, and then click
Next.
21. On the Configure Attribute Flow page, accept the default values, and then click Next.
22. On the Configure Deprovisioning page, accept the default values, and then click Next.
23. On the Configure Extensions page, verify that Lcssync.dll is selected, and then click
Finish.

Creating Management Agent for the User Forests


After you have created the management agent in the central forest, create a management agent
for all user forests.
To create a management agent for the Communications Server Sync
tool in all user forests
1. On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to
Microsoft Identity Integration Server, and then click Identity Manager.
2. Click Management Agents.
3. On the Actions menu, click Import Management Agent.
4. Select %drive letter%:\Program Files\Microsoft Identity Integration
Server\Extensions\Lcsuserforestma.xml, and then click Open.
5. In the Name box, type a unique name for the management agent.
6. Click Next.
7. Enter the user name and password of a member of the Domain Admins group on the
Communications Server in the user forest.
8. Click Next.
9. In Partitions Matching, under Update Partitions, select the partition that needs to be
updated, and in Existing Partitions select the partition that contains the distinguished name
of your user forest.
10. Click Match.
11. In Existing Partitions, select each unmatched partition, and then click Deselect.
12. Click OK.
13. Click Next.
14. In Select directory partitions, clear the check boxes for all domains except the first domain
that contains the organizational unit where the User and Group objects in this forest exist.
MIIS will synchronize these User objects and Group objects as contacts in the central forest.
15. Click Containers.
16. In Select Containers, select the OU container where contacts will be stored, and then click
OK.
17. Repeat steps 14 through 16 for each domain that contains users and groups that will use the
Communications Servers in the central forest.
18. Click Next.
19. On the Select Objects page, accept the default values, and then click Next.
20. On the Select Attributes page, accept the default values, and then click Next.
21. On the Configure Connector Filter page, accept the default values, and then click Next.
22. On the Configure Join and Projection Rules page, accept the default values, and then click
Next.
23. On the Configure Attribute Flow page, accept the default values, and then click Next.
24. On the Configure Deprovisioning page, accept the default values, and then click Next.
25. On the Configure Extensions page, verify that Lcssync.dll is selected, and then click
Finish.

Importing, Synchronizing, and Provisioning Communications Server Objects
After you have created management agents for all forests in your environment, synchronize user
and contact information. During this initial synchronization, import Active Directory data for
each forest into the connector space, synchronize this data in the metaverse, and then export this
data from the metaverse to the central forest.
Import Active Directory Objects for Each Forest into the
Connector Space
For each forest, import data stored in its Active Directory into the forest’s Connector Space.
Perform this step on the central forest and all user forests in your environment.
To import Active Directory data into the Connector Space from the
central forest
1. On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to
Microsoft Identity Integration Server, and then click Identity Manager.
2. Click Management Agents.
3. Right-click the management agent for the central forest, and then click Run.
4. Click Full Import, and then click OK.
To import Active Directory data into the Connector Space from each
user forest
1. On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to
Microsoft Identity Integration Server, and then click Identity Manager.
2. Click Management Agents.
3. Right-click the management agent for your first user forest, and then click Run.
4. Click Full Import, and then click OK.
5. Repeat steps 1 through 4 for each user forest in your environment.
Synchronize the Metaverse
After you have imported Active Directory data from the central forest and each user forest in
your environment, synchronize the metaverse with the data in each forest.

Note
You must synchronize the metaverse with data from the
central forest before you synchronize with the user forests.

To synchronize the metaverse for central forest information


1. On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to
Microsoft Identity Integration Server, and then click Identity Manager.
2. Click Management Agents.
3. Right-click the management agent for the central forest, and then click Run.
4. Click Full Sync, and then click OK.
To synchronize the metaverse for your user forests
1. On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to
Microsoft Identity Integration Server, and then click Identity Manager.
2. Click Management Agents.
3. Right-click the management agent for your first user forest, and then click Run.
4. Click Full Sync, and then click OK.
5. Repeat steps 1 through 4 for each user forest in your environment.
Provision the Central Forest
After synchronizing the information imported from all user forests, you export all the
information from the metaverse to the central forest. This process is known as provisioning.
To provision the central forest
1. On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to
Microsoft Identity Integration Server, and then click Identity Manager.
2. Click Management Agents.
3. Right-click the management agent for the central forest, and then click Run.
4. Click Export, and then click OK.
After you provision the central forest, you should verify that Contact objects have been created
for each User object in the user forests. You must then enable these contacts for Communications
Server 2007.

Step 2 Enable Contacts for Communications Server 2007 Public Beta
Users cannot use Communications Server until they are enabled for Office Communications
Server service. After you have synchronized Active Directory for users, groups, and contacts
across all your forests, enable the contacts that you created in the central forest for
Communications Server.
If all contacts have an e-mail address that corresponds to their SIP address, you can enable all
contacts simultaneously. If not all the contacts have an e-mail address that corresponds to their
SIP address, or if you want to host these users on different servers or pools, configure each
contact individually.
To enable all contacts for Communications Server
1. In the central forest, log on to a Communications Server 2007 as a member of the
RTCUniversalUserAdmins group.
2. Start Active Directory Users and Computers: Click Start, point to All Programs, point to
Administrative Tools, and then click Active Directory Users and Computers.
3. Go to the organizational unit where you created your contacts.
4. Select all contacts, right-click the highlighted area, and then click Enable users for
Communications Server.
To enable an individual contact for Communications Server
1. In the central forest, log on to a Communications Server 2007 as a member of the
RTCUniversalUserAdmins group.
2. Start Active Directory Users and Computers: Click Start, point to All Programs, point to
Administrative Tools, and then click Active Directory Users and Computers.
3. Go to the organizational unit where you created your contacts.
4. Right-click the contact that you want to enable, click Properties, and then click the
Communications tab.
5. Select the Enable user for Office Communications Server check box.
6. In the Sign-in name box, type the sign-in name (also known as the SIP URI) for this contact
and select the SIP domain that is used by your Communications Servers. For example,
Dylan@contoso.com.
7. In Server or pool, select the Communications Server where you want to host the contact.

Keeping Information Synchronized


After initial synchronization, you can perform incremental synchronizations to update only data
that has changed since the previous synchronization. For example, if a new user account is added
in a user forest, you would synchronize only this new user data and create a contact for this user
in the central forest.
Import Active Directory Objects for Each Forest into the
Connector Space
For each forest, you import data that is stored in the Active Directory into the forest’s connector
space. You must perform this step for each user forest in which user information has changed.
To import Active Directory data into the Connector Space
1. On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to
Microsoft Identity Integration Server, and then click Identity Manager.
2. Click Management Agents.
3. Right-click the management agent for the central forest, and then click Run.
4. Click Delta Import, and then click OK.
5. Repeat steps 1 through 4 for each forest where Active Directory changes have occurred
(where users, groups, or contacts have been changed, added, or deleted).
Synchronize the Metaverse
After you have imported new Active Directory data for each user forest in your environment, you
synchronize the information for each forest in the metaverse.

Note
You must synchronize information from the central forest
before synchronizing information from user forests.

To synchronize the metaverse for your central forest


1. On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to
Microsoft Identity Integration Server, and then click Identity Manager.
2. Click Management Agents.
3. Right-click the management agent for your central forest, and then click Run.
4. Click Delta Sync, and then click OK.
To synchronize the metaverse for your user forests
1. On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to
Microsoft Identity Integration Server, and then click Identity Manager.
2. Click Management Agents.
3. Right-click the management agent for your first user forest, and then click Run.
4. Click Delta Sync, and then click OK.
5. Repeat steps 1 through 4 for each forest where changes have occurred.
Provision the Central Forest
After you have synchronized the new data that was imported from all user forests, you provision
the central forest so that Contact objects are created, updated, or deleted for each change in the
user forest and any new contacts are enabled for Communications Server.

To provision the central forest


1. On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to
Microsoft Identity Integration Server, and then click Identity Manager.
2. Click Management Agents.
3. Right-click the management agent for the central forest, and then click Run.
4. Click Export, and then click OK.

Understanding How Attributes Are Synchronized


After you install and run the Communications Server Sync tool as described in "Step 1
Configure MIIS" earlier in this guide, attributes on the User and Contact objects are
modified as follows.
Contact Attributes Added through Schema Prep
Because the Active Directory schema in the central forest was extended during the
Communications Server 2007 installation, the Contact objects in the central forest have the
following new attributes:
• ms-RTC-SIP-PrimaryHomeServer
• ms-RTC-SIP-IsMaster
• ms-RTC-SIP-TargetHomeServer
Attributes Synchronized by Communications Server Sync
Communications Server Sync synchronizes all of the following attributes:
• objectSid
• telephoneNumber
• displayName
• givenName
• sn (surname)
• physicalDeliveryOfficeName
• l (city)
• st (state)
• country
• title
• mail
• company
• cn
The following table shows how attributes are mapped from a User object to a Contact object
using the example user, UserA.
Table 1 The attributes on the User and Contact objects

Attribute                    | User A             | Contact for User A
cn                           | UserA              | UserA
objectSid                    | sidA               | (not set)
ms-RTC-SIP-OriginatorSID     | (not set)          | sidA
ms-RTC-SIP-TargetHomeServer  | (not set)          | (not set)
telephoneNumber              | 555-1234           | 555-1234
displayName                  | User A             | User A
givenName                    | Dylan              | Dylan
sn (surname)                 | Miller             | Miller
physicalDeliveryOfficeName   | 4500               | 4500
l (city)                     | Redmond            | Redmond
st (state)                   | WA                 | WA
country                      | U.S.A              | U.S.A
title                        | Director           | Director
mail                         | userA@contoso.com  | userA@contoso.com
company                      | Contoso            | Contoso

Group Attributes
Communications Server Sync and updated GAL sync synchronize all of the following attributes:
• objectSid
• mail
• displayName
• groupType

Table 2 The attributes on the Group and Contact objects

Attribute                    | Group A                        | Contact for Group A
cn                           | GroupA                         | GroupA
objectSid                    | sidA                           | (not set)
ms-RTC-SIP-OriginatorSID     | (not set)                      | sidA
displayName                  | GroupA                         | GroupA
groupType                    | Distribution Group - Universal | (not set)
ms-RTC-SIP-SourceObjectType  | (not set)                      | Distribution Group - Universal
mail                         | GroupA@contoso.com             | GroupA@contoso.com
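After provisioning, the guide asks you to verify that a Contact object exists for each User object and, in the troubleshooting section, that every contact carries msRTCSIP-OriginatorSid. The following reconciliation is an added example, not code from the guide or from Lcssync; it encodes the Table 1 mapping and runs over constructed user and contact records, so the SIDs, DNs and the msRTCSIP-PrimaryHomeServer check are assumptions.

```python
"""Reconcile user-forest User objects with central-forest Contact objects.

Added example; it is not part of the guide or of the Lcssync tool. It applies
the User -> Contact mapping from Table 1 and the rule from the troubleshooting
section (a contact without msRTCSIP-OriginatorSid cannot sign in). The
directory objects below are constructed dictionaries standing in for LDAP
search results; against a live deployment they would come from LDAP queries
of each forest. Attribute names use LDAP display names, so the guide's
ms-RTC-SIP-OriginatorSID appears here as msRTCSIP-OriginatorSid.
"""
from dataclasses import dataclass

# Table 1: which User attribute lands in which Contact attribute. objectSid
# is carried over as msRTCSIP-OriginatorSid; the rest copy under the same name.
USER_TO_CONTACT = {
    "objectSid": "msRTCSIP-OriginatorSid",
    "cn": "cn", "telephoneNumber": "telephoneNumber",
    "displayName": "displayName", "givenName": "givenName", "sn": "sn",
    "physicalDeliveryOfficeName": "physicalDeliveryOfficeName",
    "l": "l", "st": "st", "country": "country", "title": "title",
    "mail": "mail", "company": "company",
}

# Assumption: msRTCSIP-PrimaryHomeServer (ms-RTC-SIP-PrimaryHomeServer in the
# guide) is populated once the contact has been homed on a server or pool.
HOME_SERVER = "msRTCSIP-PrimaryHomeServer"


@dataclass
class Finding:
    severity: str   # "error": sign-in or provisioning broken; "warning": stale data
    cn: str
    message: str


def reconcile(users, contacts):
    """Return a Finding for every user/contact pair that deviates from Table 1."""
    findings = []
    by_sid = {}
    for c in contacts:
        sid = c.get("msRTCSIP-OriginatorSid")
        if not sid:
            findings.append(Finding("error", c["cn"],
                "msRTCSIP-OriginatorSid is not set; the owner cannot authenticate (401)"))
            continue
        if sid in by_sid:
            findings.append(Finding("error", c["cn"],
                f"duplicate contact for SID {sid} (also {by_sid[sid]['cn']})"))
            continue
        by_sid[sid] = c
    for u in users:
        c = by_sid.get(u["objectSid"])
        if c is None:
            findings.append(Finding("error", u["cn"],
                "no contact in the central forest; run import, sync and export for this forest"))
            continue
        for uattr, cattr in USER_TO_CONTACT.items():
            if uattr != "objectSid" and u.get(uattr) != c.get(cattr):
                findings.append(Finding("warning", u["cn"],
                    f"{cattr} differs: user={u.get(uattr)!r} contact={c.get(cattr)!r}"))
        if not c.get(HOME_SERVER):
            findings.append(Finding("warning", u["cn"],
                "contact exists but is not homed on a server or pool (not yet enabled)"))
    return findings


# Constructed sample data. SIDs and DNs are placeholders, not real values.
SID = "S-1-5-21-1111111111-2222222222-3333333333-{}"
USER_A = {"objectSid": SID.format(1001), "cn": "UserA", "telephoneNumber": "555-1234",
          "displayName": "User A", "givenName": "Dylan", "sn": "Miller",
          "physicalDeliveryOfficeName": "4500", "l": "Redmond", "st": "WA",
          "country": "U.S.A", "title": "Director", "mail": "userA@contoso.com",
          "company": "Contoso"}
USER_B = {"objectSid": SID.format(1002), "cn": "UserB", "displayName": "User B",
          "mail": "userB@northwindtraders.example"}
USER_C = {"objectSid": SID.format(1003), "cn": "UserC", "displayName": "User C",
          "telephoneNumber": "555-5678", "mail": "userC@contoso.com"}


def contact_for(user, overrides=None):
    """Build the Contact that Lcssync should produce for user, then apply overrides."""
    c = {USER_TO_CONTACT[k]: v for k, v in user.items()}
    c.update(overrides or {})
    return c


CONTACTS = [
    contact_for(USER_A, {HOME_SERVER: "CN=LC Services,CN=Microsoft,CN=pool01,DC=contoso,DC=com"}),
    contact_for(USER_B, {"msRTCSIP-OriginatorSid": None}),  # attribute never flowed
    contact_for(USER_C, {"telephoneNumber": "555-9999"}),    # stale: delta import not yet run
]


def run_demo():
    return reconcile([USER_A, USER_B, USER_C], CONTACTS)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.severity:7} {f.cn}: {f.message}")
```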
Deploying Communications Server
2007 in a Multiple Forest Environment 21

Troubleshooting the Central Forest Topology


Use this section to help troubleshoot problems that you may encounter. For general MIIS
information, consult the MIIS documentation on the Microsoft Web site at:
http://www.microsoft.com/windowsserversystem/miis2003/techinfo/default.mspx.
Note Using only Kerberos, or both NTLM and Kerberos, for authentication of contacts in the
central forest is not supported.

Issue: SIP-enabled Contact object cannot sign in

• If a 401 error appears in the logs, there may be an authentication problem.
  • Check the Contact object by using LDP.exe, and ensure that all the SIP attributes are
    populated. All Contact objects must have msRTCSIP-OriginatorSid set, or authentication
    will fail.
  • If the contact is not created properly, check the MIIS logs.
  • If needed, set the LcsSync logging level to 3, as explained in “Deploying
    Communications Server Sync Tool” earlier in this guide. Synchronize the contact again
    to find out why the Contact object is not being created.
  • Verify that credentials (user name and password) from the original user forest are used:
    if the central forest is in the Contoso domain, and the User object is replicated from the
    Northwind Traders domain to Contoso as a Contact object, Northwind Traders
    credentials must be used for sign-in.
  • Check the cross-forest trust relationship. The central forest must trust incoming
    credentials from the user forest.
  • Verify that you are not using either Kerberos or both Kerberos and NTLM as your
    authentication protocol in the central forest. You must be using only the NTLM
    protocol.
• If the client receives a 404 error, there is a replication problem.
  • Verify that the Contact object is properly SIP-enabled and that it exists in the
    Communications Server 2007 database.
  • Use Dbanalyze.exe, which is available in the Microsoft Office Communications Server
    2007 Resource Kit, to get the user report for this particular user. Ensure that the user
    exists in the database.
  • Check Communications Server logs for any “RTC User Replicator” errors or warnings.
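The LDP.exe check above (every SIP-enabled Contact must carry msRTCSIP-OriginatorSid, and it must hold the SID of the primary account in the user forest) is easy to run by hand for one contact and tedious for a whole container. The following script is an added example for this guide, not a Microsoft tool: it reads an LDIF export of the Contact container (as written by ldifde.exe or saved from LDP.exe), decodes binary objectSid values, and reports for each Contact which sign-in attributes are missing or whose OriginatorSid does not match the user-forest objectSid. It assumes msRTCSIP-OriginatorSid is stored as an SDDL string (S-1-5-...), that a contact is matched to its source account by the mail attribute, and that msRTCSIP-PrimaryUserAddress (the SIP URI attribute, which this guide does not name) is also required; the user-forest SIDs and the export itself are constructed sample data.

```python
"""Audit an LDIF export of the central forest's SIP-enabled Contact objects.

Added example for the troubleshooting step above; not a Microsoft tool.
Assumptions: the export was written by ldifde.exe or LDP.exe (LDIF, binary
values base64-encoded after '::'), msRTCSIP-OriginatorSid holds the
user-forest SID as an SDDL string, contacts are matched to their user-forest
source by mail, and msRTCSIP-PrimaryUserAddress (the SIP URI attribute, not
named in this guide) is also required. All records below are constructed.
"""
import base64
import struct

# Attributes a Contact needs for sign-in. OriginatorSid and PrimaryHomeServer
# are taken from the guide; PrimaryUserAddress is an assumption (SIP URI).
REQUIRED_ATTRIBUTES = (
    "msRTCSIP-OriginatorSid",
    "msRTCSIP-PrimaryHomeServer",
    "msRTCSIP-PrimaryUserAddress",
)


def sid_to_bytes(sid):
    """Encode an SDDL SID string into the binary layout stored in objectSid."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    head = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)


def sid_to_string(blob):
    """Decode binary objectSid: revision, count, 48-bit authority, LE subauthorities."""
    revision, count = struct.unpack_from("<BB", blob, 0)
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-" + "-".join(str(x) for x in (revision, authority) + tuple(subs))


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, skips '#' comments and
    decodes 'attr:: <base64>' values to bytes. Attribute names are lower-cased."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:            # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):        # 'attr:: ...' is base64 (binary)
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def normalize_sid(value):
    """Accept either SDDL text or a binary SID and return SDDL text."""
    return sid_to_string(value) if isinstance(value, bytes) else value


def check_contact(entry, user_forest_sids):
    """Return a list of findings for one Contact; an empty list means it is OK."""
    findings = []
    for attr in REQUIRED_ATTRIBUTES:
        if not entry.get(attr.lower()):
            findings.append("missing " + attr)
    mail = (entry.get("mail") or [""])[0].lower()
    originator = entry.get("msrtcsip-originatorsid")
    if originator:
        expected = user_forest_sids.get(mail)
        if expected is None:
            findings.append("no user-forest account found for mail %r" % mail)
        elif normalize_sid(originator[0]) != expected:
            findings.append("msRTCSIP-OriginatorSid does not match the user-forest objectSid")
    return findings


def audit(ldif_text, user_forest_sids):
    """Map each Contact DN in the export to its findings."""
    report = {}
    for entry in parse_ldif(ldif_text):
        if "contact" not in [c.lower() for c in entry.get("objectclass", [])]:
            continue
        report[entry["dn"][0]] = check_contact(entry, user_forest_sids)
    return report


# Constructed sample data: objectSid of each primary account in the user forest.
USER_FOREST_SIDS = {
    "usera@contoso.com": "S-1-5-21-1-2-3-1001",
    "userb@contoso.com": "S-1-5-21-1-2-3-1002",
}
_CONTACT_A_SID = base64.b64encode(sid_to_bytes("S-1-5-21-7-8-9-5001")).decode()

# Constructed export: UserA is complete, UserB never received its OriginatorSid.
SAMPLE_EXPORT = """dn: CN=UserA,OU=Contacts,DC=contoso,DC=com
objectClass: contact
cn: UserA
mail: userA@contoso.com
objectSid:: %s
msRTCSIP-OriginatorSid: S-1-5-21-1-2-3-1001
msRTCSIP-PrimaryHomeServer: CN=LC Services,CN=Microsoft,CN=pool01,CN=Pools,
 CN=RTC Service,CN=Services,CN=Configuration,DC=contoso,DC=com
msRTCSIP-PrimaryUserAddress: sip:userA@contoso.com

dn: CN=UserB,OU=Contacts,DC=contoso,DC=com
objectClass: contact
cn: UserB
mail: userB@contoso.com
msRTCSIP-PrimaryHomeServer: CN=LC Services,CN=Microsoft,CN=pool01,CN=Pools,
 CN=RTC Service,CN=Services,CN=Configuration,DC=contoso,DC=com
msRTCSIP-PrimaryUserAddress: sip:userB@contoso.com
""" % _CONTACT_A_SID

if __name__ == "__main__":
    for dn, findings in audit(SAMPLE_EXPORT, USER_FOREST_SIDS).items():
        print(dn, "->", findings or ["OK"])
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents and USER_FOREST_SIDS with an export of objectSid and mail from the user forest; a contact that fails sign-in with a 401 will usually show up here as a missing or mismatched OriginatorSid, while a contact that passes every check and still gets a 404 points at the replication checks listed above.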

Communicator Log Files


Use the Communicator log files to troubleshoot client issues.
Open the files communicator0.log and Communicator-uccp-0.log, found under
<Drive>:\Documents and Settings\%User%\Tracing.

MIIS Errors
The following table lists some common MIIS errors and describes the possible causes and
resolution.

Error Constant | Description

no-start-no-domain-controller
    The run step failed to start because the domain controller could not be contacted by the
    server. The next step in the run profile will not run and obsolete data will not be removed.
    If an import step returned this value, the next step will not be attempted again and any
    placeholder objects will not be removed.
    Verify that the domain controller is connected to the network.
    If this string is the value for the MIIS_ManagementAgent.RunStatus property, then no step
    is currently running but a run step has been run in the past.

no-start-no-partition-delete
    The run step failed to start because the domain or naming context has been deleted. The
    next step in the run profile will not run and obsolete data will not be removed. If an
    import run step returned this value, the next step will not be retried and any placeholder
    objects will not be removed.
    Verify that the specified partition still exists.
    If this string is the value for the MIIS_ManagementAgent.RunStatus property, then no run
    step is currently running but a run step has been run in the past.

no-start-partition-not-configured
    The run step failed to start because the required partition is not selected in the
    Configure Directory Partitions dialog box of the management agent properties. The next
    step in the run profile will not run and obsolete data will not be removed. If an import
    step returned this value, the next step will not be retried and any placeholder objects
    will not be removed.
    Verify that the appropriate partition is selected.
    For more information, see "Configure directory partitions" in the Microsoft Identity
    Integration Server 2003 Help.
    If this string is the value for the MIIS_ManagementAgent.RunStatus property, then no run
    step is currently running but a run step has been run in the past.

no-start-partition-rename
    The run step failed to start because the selected partition in the Configure Directory
    Partitions dialog box of the management agent properties has been renamed. Verify that
    the appropriate partition is selected.
    For more information, see "Configure directory partitions" in the Microsoft Identity
    Integration Server 2003 Help.
    If this string is the value for the MIIS_ManagementAgent.RunStatus property, then no run
    step is currently running but a run step has been run in the past.

stopped-extension-dll-file-not-found
    The run step stopped because the specified assembly name could not be found. The next
    step in the run profile will not run and obsolete data will not be removed. If an import
    step returned this value, the step will not be attempted again and any placeholder
    objects will not be removed.
    Check the event log for the assembly name that the server was trying to load. Next, in
    Properties, in the Configure Rules Extensions dialog box of the management agent or in
    Configure Rules Extensions on the Metaverse Rules Extensions tab, specify the correct
    assembly name to prevent this return value.
    For more information, see "Configure rules extensions" for management agent rules
    extensions or "Configure provisioning for metaverse rules extensions" in the Microsoft
    Identity Integration Server 2003 Help.
    If this string is the value for the MIIS_ManagementAgent.RunStatus property, then no run
    step is currently running but a run step has been run in the past.

stopped-server
    This error can be returned when Microsoft SQL Server™ is stopped and you are trying to
    run Management Agents.
    The run step stopped because of an unknown server error. The next step in the run profile
    will not run and obsolete data will not be removed. If an import step returned this value,
    the processing of retries and cleanup of placeholder objects will not be performed.
    Resolve the server error.
    If this string is the value for the MIIS_ManagementAgent.RunStatus property, then no run
    step is currently running but a run step has been run in the past.

stopped-out-of-memory
    The run step stopped because of insufficient server memory. The next step in the run
    profile will not run and obsolete data will not be removed. If an import run step returned
    this value, the processing of retries and cleanup of placeholder objects will not be
    performed.
    Increase the server memory.

stopped-extension-dll-load
    The run step stopped because the specified assembly name cannot be loaded due to an
    unknown error. The next step in the run profile will not run and obsolete data will not be
    removed. If an import run step returned this value, the processing of retries and cleanup
    of placeholder objects will not be performed.
    Check the event log for the assembly name that the server was trying to load.

Part 2: Deploying Office Communications Server in a Resource Forest Topology

This section explains how to configure Office Communications Server in a resource forest
topology. As explained earlier, in a resource forest topology, a single resource forest contains all
Office Communications Servers and a disabled user account for each logon-enabled account in a
user forest.
As explained earlier, a resource forest topology is an Active Directory® Domain Services
topology used to deploy Office Communications Server and often Exchange in one Active
Directory forest while all log-on enabled user accounts are located in a separate Active Directory
forest. The resource forest hosts only servers and does not contain any primary user accounts.
The primary user accounts from other forests are represented as disabled user accounts. The SID
(security identifier) of a disabled user account in the resource forest is mapped to the
corresponding primary user account in the other forest to allow for single sign on. These disabled
user accounts are enabled for Office Communications Server and mail-enabled for Exchange if it
is deployed.

Prerequisites
To support a resource forest topology, you must have deployed Office Communications Server
in your resource forest and configured at least a one-way trust between the resource forest and
all user forests (such that the resource forest trusts all user forests).
If you have not deployed Communications Server, see the Microsoft Office Communications
Server Planning Guide and the Microsoft Office Communications Server Deployment Series.
Figure 8 shows how an example organization, Contoso, configured an Enterprise pool in its
resource forest.
Figure 8 Example of a Resource Forest Topology

After you have deployed Communications Server in the resource forest, you do the following:
• Create disabled accounts with the corresponding attributes for each user account in the user
forests. This process will vary depending on whether or not you have Microsoft Exchange
Server deployed in the resource forest, as explained in the following section.
• Enable these disabled accounts for Office Communications Server.

Step 1 Create Disabled User Accounts

For each user account in a user forest, you must create a corresponding disabled user account in
the resource forest. This process varies depending on whether or not Exchange Server is
deployed in your resource topology:
If Exchange is deployed in your resource forest, the disabled user accounts will already exist and
many of the necessary attributes on the disabled user accounts will already be populated. You can
run a script to update the attributes that are not automatically updated by Exchange Server.
If you do not have Exchange Server deployed in your resource topology, then you must create the
disabled accounts and manually copy the required attributes from the user accounts in each user
forest to the corresponding disabled user account in the resource forest. This method can
introduce problems that are difficult to fix. As an alternative, consider deploying Office
Communications Server in the central forest topology. For more information, see Part 1:
Deploying Office Communications Server in a Central Forest Topology.

Step 2 Enable Disabled User Accounts for Office Communications Server

Users cannot use Communications Server until they are enabled for the Office Communications
Server service. After you have created the disabled user accounts for each user in the user forests,
you must enable these accounts for the Office Communications Server service.
If all disabled user accounts have an e-mail address that corresponds to their SIP address, you can
enable all disabled user accounts simultaneously. If not all the disabled user accounts have an e-
mail address that corresponds to their SIP address, or if you want to host these users on different
servers or pools, configure each disabled user account individually.
To enable all disabled user accounts for Communications Server
1. In the resource forest, log on to a computer running the Office Communications Server 2007
service as a member of the RTCUniversalUserAdmins group.
2. Start Active Directory Users and Computers: Click Start, point to Administrative Tools,
and then click Active Directory Users and Computers.
3. Go to the organizational unit where you created your disabled user accounts.
4. Select all user accounts, right-click the selection, and then click Enable Users for
Communications Server.
5. Follow the steps in the Enable Users Wizard to complete the task.
6. Open the Office Communications Server Administrative Tools and verify that the users
were enabled for the specified pool.
To enable an individual disabled user account for Communications
Server
1. In the resource forest, log on to a computer running the Office Communications Server 2007
service as a member of the RTCUniversalUserAdmins group.
2. Start Active Directory Users and Computers: Click Start, point to Administrative Tools,
and then click Active Directory Users and Computers.
3. Go to the organizational unit where you created your disabled user accounts.
4. Right-click the contact that you want to enable, click Properties, and then click the
Communications tab.
5. Select the Enable users for Office Communications Server check box.
6. In the Sign-in name box, type the sign-in name (also known as the SIP URI) for this user
account and select the SIP domain that is used by your Communications Servers. For
example, dylan@contoso.com.
7. In Server or pool, select the Office Communications Server where you want to host the user
account.
8. Click Configure.
9. In the User Options dialog box, select the appropriate settings required for your deployment
and click OK. Click OK again to apply the changes and close the user properties.

Step 3 Populating the Required Attributes for Office Communications Server

The following table shows the attributes that must be mapped from a user object in the user forest
to a corresponding disabled user object in the resource forest using the example user, UserA.
Table 3 The attributes on the User and Contact objects

Attribute                   | User A in User Forest | Disabled user account for User A in a Resource Forest
cn                          | Dylan                 | Dylan
objectSid                   | sidDylan              |
ms-RTC-SIP-OriginatorSID    |                       | sidDylan
ms-RTC-SIP-TargetHomeServer |                       |
telephoneNumber             | 555-1234              | 555-1234
displayName                 | Dylan Miller          | Dylan Miller
givenName                   | Dylan                 | Dylan
sn (surname)                | Miller                | Miller
physicalDeliveryOfficeName  | 4500                  | 4500
l (city)                    | Redmond               | Redmond
st (state)                  | WA                    | WA
country                     | U.S.A                 | U.S.A
title                       | Director              | Director
mail                        | dylan@contoso.com     | dylan@contoso.com
company                     | Contoso               | Contoso

Note In a deployment that includes Exchange, set the objectSid attribute to the value from the
msExchMasterAccountSID attribute.

Note
In resource forest deployments with Exchange Server, all of
the attributes are already populated except for the ones
beginning with the ms-RTC-SIP prefix. Populate these
attributes using the SID mapping tool.
In resource forest deployments without Exchange Server, you
must manually populate the required attributes on each
disabled user account in your resource forest. This method
can introduce problems that are difficult to fix. In these
deployments, use the Central Forest topology instead. For
more information, see Part 1: Deploying Office
Communications Server in a Central Forest Topology.

Using the SID Mapping Tool to Populate Attributes in a Resource Forest

To allow single sign-on when a disabled user account is enabled for an Exchange Server mailbox,
use the SID Mapping Tool to map the SID (security identifier) of a disabled user account in the
resource forest to the corresponding primary user account in the user forest. The SID Mapping
Tool is delivered as part of the Office Communications Server 2007 Resource Kit.
To run the SID Mapping Tool
1. Log on to a server joined to an Active Directory domain in the resource forest using an
account that is a member of the DomainAdmins group.
2. If necessary, install the Office Communications Server 2007 Resource Kit. You can
download the resource kit from the same Web site you used to download Office
Communications Server 2007. After you download the resource kit, see the Office
Communications Server Resource Kit readme for more information.
3. From the command prompt, configure the Microsoft Windows® Scripting Host to use
cscript by running the following command.
wscript //h:cscript
Click OK in the confirmation box.
4. Change the path of the command prompt by running the following command:
cd "%programfiles%\Office Communications Server 2007\Reskit\LCSSync"
5. Review the accounts in the resource forest that will be updated by running the following
command:
sidmap.wsf /OU:<DN of container with disabled user accounts> /query
where:
• /OU specifies the distinguished name (DN) of the container with the disabled user
accounts. To represent the DN, use the following format:
OU=<name>,DC=<domain name>,DC=<subdomain name>
For example, OU=Accounting,DC=contoso,DC=com
• /query limits the SID Mapping Tool to only query the resource forest and not populate
the attributes.
The command returns a list of disabled user accounts in the resource forest.
6. Populate the attributes in the resource forest by running the following command:
sidmap.wsf /OU:<DN of container with disabled user accounts> [/logfile:<path\filename>]
Where /logfile is an optional parameter that saves the results of your operation to a file for
your records. This log file is automatically populated with a list of logon-disabled and Office
Communications Server-enabled users.
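The Note in Step 3 and the SID Mapping Tool procedure above describe the same operation from two sides: for every logon-disabled account in the resource forest, find the SID of its primary account (from msExchMasterAccountSID when Exchange is deployed, otherwise from the user forest directly) and write it into the ms-RTC-SIP prefixed attribute, first in query mode and then for real. The following script is an added example that models that workflow offline; it is not sidmap.wsf and does not touch Active Directory. It assumes accounts are plain dictionaries of attribute name to value, that SIDs are SDDL strings, that a resource account is matched to its primary account by the mail attribute when Exchange is absent, and that only accounts with the ACCOUNTDISABLE bit of userAccountControl set should be touched; all accounts in it are constructed.

```python
"""Plan and apply msRTCSIP-OriginatorSid population for disabled resource-forest
accounts. Added example for this guide; it is not the SID Mapping Tool and does
not talk to Active Directory. Accounts are dicts of attribute -> value, SIDs are
SDDL strings, and without Exchange a disabled account is matched to its primary
account by mail (assumption). All sample accounts are constructed.
"""

ACCOUNTDISABLE = 0x0002      # userAccountControl flag for a logon-disabled account


def source_sid(account, user_forest_by_mail, exchange_deployed):
    """Return the primary account's SID for one disabled account, or None."""
    if exchange_deployed:
        # Exchange linked mailboxes already carry the primary SID on the account.
        return account.get("msExchMasterAccountSid")
    primary = user_forest_by_mail.get(account.get("mail", "").lower())
    return primary["objectSid"] if primary else None


def plan_sid_mapping(accounts, user_forest_by_mail, exchange_deployed):
    """Dry run, in the spirit of '/query': return (updates, problems) without
    changing anything. updates is [(dn, sid)], problems is [(dn, reason)]."""
    updates, problems = [], []
    for account in accounts:
        dn = account["distinguishedName"]
        if not account.get("userAccountControl", 0) & ACCOUNTDISABLE:
            problems.append((dn, "account is not logon-disabled; refusing to touch it"))
            continue
        sid = source_sid(account, user_forest_by_mail, exchange_deployed)
        if sid is None:
            problems.append((dn, "no primary account SID found"))
        elif account.get("msRTCSIP-OriginatorSid") == sid:
            continue                      # already populated correctly
        else:
            updates.append((dn, sid))
    return updates, problems


def apply_sid_mapping(accounts, updates):
    """Write the planned SIDs (the '/logfile' run); returns the number changed."""
    by_dn = {a["distinguishedName"]: a for a in accounts}
    for dn, sid in updates:
        by_dn[dn]["msRTCSIP-OriginatorSid"] = sid
    return len(updates)


# Constructed primary accounts in the user forest, keyed by mail.
USER_FOREST = {
    "dylan@contoso.com": {"objectSid": "S-1-5-21-100-200-300-1105"},
    "kim@contoso.com":   {"objectSid": "S-1-5-21-100-200-300-1106"},
}

# Constructed resource-forest accounts: Dylan needs mapping, Kim is already
# mapped, Lee is not actually disabled, Pat has no primary account anywhere.
RESOURCE_ACCOUNTS = [
    {"distinguishedName": "CN=Dylan,OU=Accounting,DC=contoso,DC=com",
     "mail": "dylan@contoso.com", "userAccountControl": 0x0202,
     "msExchMasterAccountSid": "S-1-5-21-100-200-300-1105"},
    {"distinguishedName": "CN=Kim,OU=Accounting,DC=contoso,DC=com",
     "mail": "kim@contoso.com", "userAccountControl": 0x0202,
     "msExchMasterAccountSid": "S-1-5-21-100-200-300-1106",
     "msRTCSIP-OriginatorSid": "S-1-5-21-100-200-300-1106"},
    {"distinguishedName": "CN=Lee,OU=Accounting,DC=contoso,DC=com",
     "mail": "lee@contoso.com", "userAccountControl": 0x0200},
    {"distinguishedName": "CN=Pat,OU=Accounting,DC=contoso,DC=com",
     "mail": "pat@contoso.com", "userAccountControl": 0x0202},
]

if __name__ == "__main__":
    updates, problems = plan_sid_mapping(RESOURCE_ACCOUNTS, USER_FOREST, True)
    for dn, sid in updates:
        print("would set", dn, "->", sid)
    for dn, reason in problems:
        print("skip", dn, ":", reason)
    print("applied", apply_sid_mapping(RESOURCE_ACCOUNTS, updates))
```

Reviewing the problems list before applying is the point of the query pass: an account that is not disabled, or one with no primary account SID, is exactly the kind of record that later produces a contact that cannot sign in, and it is cheaper to fix it in the OU than to trace it through the logs.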
