Deploying In A Multiple Forest Environment

Configuring Microsoft Office Communications Server 2007 (Public Beta) in a MultipleForest Environment Published March 2007

This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release. This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2007 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, Windows Server, Windows Vista, Active Directory, and SQL Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

Contents Contents............................................................. ..............................4 Introduction..................................................................................... ..1 Central Forest Topology................................................... .............1 Resource Forest Topology............................................... ..............1 Part 1: Deploying Office Communications Server in a Central Forest Topology...................................................................................... ......2 Prerequisites.................................................. ..............................2 Step 1 Configure MIIS...................................................... .............4 Step 2 Enable Contacts for Communications Server 2007 Public Beta .............................................................................................. .....15 Keeping Information Synchronized.............................................15 Understanding How Attributes Are Synchronized.......................18 Troubleshooting the Central Forest Topology .............................21 Part 2: Deploying Office Communications Server in a Resource Forest Topology................................................................................... .......24 Prerequisites................................................ ..............................25 Step 1 Create Disabled User Accounts.......................................25 Step 2 Enable Disabled User Accounts for Office Communications Server........................................................... .............................26 Step 3 Populating the Required Attributes for Office Communications Server........................................................... .............................27

Introduction A multiple forest topology is often used in enterprises that have a need for multiple forests in the Active Directory® Domain Services to provide security or organizational boundaries. This document assumes that you have decided upon a multiple forest topology. For more guidance on when a multiple forest topology is appropriate and how to deploy, please see the documentation for the Microsoft® Windows Server® operating system. To support a multiple-forest environment, Microsoft Office Communications Server 2007 (Public Beta) must be deployed in only one forest in your topology, which is designated as the central forest or the resource forest. Deploying and synchronizing Communications Server 2007 across multiple forests is not supported.

Central Forest Topology In a central forest topology, Office Communications Servers in the central forest provide services to users and groups in the central forest, as well as to users and groups in all other forests, which are called user forests. The central forest deployment offers the benefits of centralized administration and minimizes complexity in a multiple forest environment. Part 1 of this guide explains how to configure Office Communications Server 2007 to support users, groups, and distribution group expansion in a central forest environment. It briefly describes the multiple-forest environment, but it assumes that you have already deployed the hardware and software so that you are ready to create and propagate user data so that a user in any forest can connect to Office Communications Server and communicate with any user in any connected forest.

Resource Forest Topology In a resource forest topology, Office Communications Server is deployed in one forest, a resource forest that hosts Office Communications Servers but does not host any logon enabled user accounts. Outside of the resource forest, user forests hosts enabled user accounts but no Office Communications Servers. Within the resource forest, a corresponding disabled user account exits for each user account in the user forests. Part 2 of this guide explains how to configure Office Communications Server 2007 to support a resource forest topology.

2

Deploying Communications Server 2007 in a Multiple Forest Environment

Part 1: Deploying Office Communications Server in a Central Forest Topology This section explains how to configure Office Communications Server in a central forest topology.

Prerequisites To support a central forest topology, the following prerequisites are required. •

Microsoft Identity Integration Server In order to synchronize data across your forests, you must deploy Microsoft Identity Integration Server. The following QFE is required for proper cross-forest synchronization: http://www.microsoft.com/downloads/details.aspx?familyid=FA9DBB67-4654-4C94-B073AA59676130AF&displaylang=en. For information on how to deploy MIIS, see the Microsoft Identity Integration Server documentation.

•

Office Communications Server deployed in your central forest. If you have not deployed Communications Server, see the Microsoft Office Communications Server Planning Guide and the Microsoft Office Communications Server Deployment Series.

The central forest can be an existing forest that hosts existing Communications Servers, users, groups, and contacts, or you can create an entirely new forest. The central forest should normally be the one that hosts the largest number of users. Connectivity between the central forest and other forests should also be highly available. Figure 1 shows how an example organization, Contoso, configured an Enterprise pool in its central forest.

Deploying Communications Server 2007 in a Multiple Forest Environment

3

Figure 1 Example of a Multiple Forest topology (1) SQL

MIIS Server (2)

(2)

(3)

(3)

Active Directory Active Directory

Users & groups User Forest

Contacts

Active Directory

Users & groups User Forest

Pool Central Forest

Labels Active Directory

SQL

SQL

User and group objects Enterprise Edition server

...

MIIS Server

Contact object

Communications Server 2007 Pool (1 ) – MIIS synchronizes Communications Server users as contacts (2 ) – Minimum trust requirements are a 1-way trust between domains hosting Communications Server in one forest and user- and groups in the other forest

SQL

SQL server

(3 ) –

Schema does not need to be extended

After you have deployed Communications Server in the central forest, you do the following: 1.

Configure the Microsoft Identity Integration Server.

2.

Enable contacts for Communications Server.

4

Deploying Communications Server 2007 in a Multiple Forest Environment

Step 1 Configure MIIS After you have deployed Communications Server 2007, modify the configuration of the Microsoft Identity Integration Server (MIIS) that is responsible for synchronizing User objects as contacts across all forests. Configure the MIIS Server in the one of two ways: •

If you do not have Exchange deployed in a cross-forest topology, deploy and configure Communications Server sync, the Lcssync tool available in the Communications Server 2007 Resource Kit. The remainder of this section focuses on using Communications Server sync.

•

If Microsoft Exchange Server is deployed in a cross-forest topology, use the GAL (global address list) sync tool with the logic for Communications Server Sync. Exchange uses GAL sync to synchronize contact information in the GAL between forests. In this situation, an update to the GAL sync tool is required because MIIS does not support the coexistence of two different synchronization agents.

Communications Server Sync configures the management agent of each forest except the central one in order to synchronize its user and group information with MIIS. MIIS generates a metaverse object that represents each user or group and it then synchronizes each user or group object as a contact in the central forest. Since all Communications Server users and groups are synchronized as contacts (including the user’s or group’s object SID) in every other forest, users can still communicate with each other across forest boundaries after the MIIS server has been reconfigured and users can still take advantage of distribution group expansion across forests. The following figure illustrates how MIIS was reconfigured in the Contoso environment.

Deploying Communications Server 2007 in a Multiple Forest Environment

Figure 2 Configuring the MIIS Server

As Figure 2 illustrates, the MIIS server is configured to do the following: •

Import the User objects and Group objects from two user forests as MIIS metaverse objects.

•

Export the metaverse objects to the central forest as Contact objects.

To install and configure Communications Server Sync tool, Lcssync, perform the following steps (each step is explained in detail in the subsequent sections): 1.

Ensure that .NET 2.0 Framework is installed on the server running MIIS.

2.

Install Communications Server Sync (Lcssync) from the Resource Kit.

3.

Extend the metaverse schema in MIIS.

4.

Configure extensions in MIIS.

5.

Configure object deletion rules in MIIS.

6.

Create the management agent for the central forest.

7.

Create the management agent for all user forests.

8.

Import, synchronize, and provision Communications Server objects.

Install the .NET 2.0 Framework on the MIIS Server The Communications Server Sync tool, LCSSync requires .NET Framework 2.0.

5

6

Deploying Communications Server 2007 in a Multiple Forest Environment

You can install the .NET Framework Version 2.0 from the Microsoft Web site at http://www.microsoft.com/downloads/details.aspx?FamilyID=9655156b-356b-4a2c-857ce62f50ae9a55&displaylang=en.

Deploying Communications Server Sync Tool Before you can configure the Communications Server Sync tool, install the required files on your MIIS server. The files required for the Communications Server Sync tool are included in the Lcssync directory of the Communications Server 2007 Resource Kit.

To deploy the Communications Server Sync tool 1.

On the MIIS computer, in the Communications Server 2007 Resource Kit, go to the Lscssync directory.

2.

Copy all the files in this directory to the following directory on the MIIS Server: %drive%:\Program Files\Microsoft Identity Integration Server\Extensions.

3.

In the Active Directory® Domain Services, create an organization unit, or verify that a target organizational unit for your Contact objects exists on the Communications Server in the central forest.

4.

Go to the \Microsoft Identity Integration Server\Extensions folder, and then open Lcscfg.xml.

5.

Use the following format to modify the tag to include the target organization unit of the central forest: OU=contacts,DC=yourdomain,DC=com path to contact organizational unit

For example: OU=contactsDC=contosoDC=com

6.

If necessary, you can modify Logging.xml to change the file name and logging level. The example below shows the default values in the xml: <use-single-log>false lcssync.log 1

Deploying Communications Server 2007 in a Multiple Forest Environment

Extending the Metaverse Schema in MIIS After you have installed the Communications Server Sync tool on the MIIS Server, extend the metaverse schema so that the Communications Server attributes can be synchronized.

To extend the metaverse schema 1.

On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to Microsoft Identity Integration Server, and then click Identity Manager.

2.

Click Metaverse Designer.

3.

On the Actions menu, click Import Metaverse Schema.

4.

Select %drive letter%:\Program Files\Microsoft Identity Integration Server\Extensions\Lcsmvschema.xml.

5.

When the schema import operation has completed successfully, click OK.

Configuring Extensions for the Communications Server Sync tool After you have extended the metaverse schema, configure the extensions for the Communications Server Sync tool. The way that you configure the extensions determines how synchronization is handled for Communications Server objects that are synchronized by MIIS.

To configure extensions for the Communications Server Sync tool 1.

On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to Microsoft Identity Integration Server, and then click Identity Manager.

2.

On the Tools menu, click Options.

3.

Select the Enable metaverse rules extension check box.

4.

Click Browse.

5.

Under Files, select Lcssync.dll.

Figure 3 Configure Extensions

6.

Select the Enable Provisioning Rules Extension check box, and then click OK.

7

8

Deploying Communications Server 2007 in a Multiple Forest Environment

Configuring the Object Deletion Rule in MIIS After you have configured extensions for the Communications Server Sync tool, configure the rule that determines what MIIS will do when a User object is deleted in a forest and how it will synchronize the deletion with the central forest. If a User object is deleted in a user forest, the corresponding Contact object that is used by Communications Server in the central forest must also be deleted. Configuring the object deletion rule ensures that MIIS and the Communications Server handle this situation correctly.

To configure the Object Deletion Rule 1.

On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to Microsoft Identity Integration Server, and then click Identity Manager.

2.

Click Metaverse Designer. The Identity Manager window should appear as shown in Figure 4.

Figure 4 Configure Object Deletion Rule in Metaverse Designer

3.

Under Object types, right-click person.

4.

In the adjacent Actions pane, click Configure Object Deletion Rule.

Deploying Communications Server 2007 in a Multiple Forest Environment

5.

In the Configure Object Deletion Rule dialog box, which is shown in Figure 5, click Rules Extension, and then click OK.

Figure 5 Configure Object Deletion Rule

Creating the Management Agent for the Central Forest After you have configured the Communications Server Sync tool, create a management agent for the Communications Server Sync tool in the central forest.

To create a management agent for the Communications Server Sync tool in the central forest 1.

On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to Microsoft Identity Integration Server, and then click Identity Manager.

2.

Click Management Agents.

3.

On the Actions menu, click Import Management Agent.

4.

Select %drive letter%:\Program Files\Microsoft Identity Integration Server\Extensions\Lcscentralforestma.xml, and then click Open. The Create Management Agent dialog box appears.

9

10

Deploying Communications Server 2007 in a Multiple Forest Environment

Figure 6 Create Management Agent

5.

In Name, type a name for the management agent. This name must be identical to the name that is specified in the tag in Lcscfg.xml.

6.

Click Next.

7.

Enter the user name and password of a member of the DomainAdmins group on the Communications Server in the central forest.

8.

Click Next.

Deploying Communications Server 2007 in a Multiple Forest Environment

11

Figure 7 Partitions Matching

9.

In Partitions Matching, under Update Partitions, select the partition that needs to be updated, and in Existing Partitions, select the partition that contains the distinguished name of your central forest.

10. Click Match. 11. In Existing Partitions, select each unmatched partition and click Deselect. 12. Click OK. 13. In Select directory partitions, clear the check boxes for all domains except for the domain that has the target organizational unit that you specified in Lcscfg.xml when you deployed the Communications Server Sync tool. 14. Click Containers. 15. In Select Containers, select the OU container where contacts will be stored, and then click OK. 16. Click Next. 17. On the Select Objects page, accept the default values, and then click Next. 18. On the Select Attributes page, accept the default values, and then click Next.

12

Deploying Communications Server 2007 in a Multiple Forest Environment

19. On the Configure Connector Filter page, accept the default values, and then click Next. 20. On the Configure Join and Projection Rules page, accept the default values, and then click Next. 21. On the Configure Attribute Flow page, accept the default values, and then click Next. 22. On the Configure Deprovisioning page, accept the default values, and then click Next. 23. On the Configure Extensions page, verify that Lcssync.dll is selected, and then click Finish.

Creating Management Agent for the User Forests After you have created the management agent in the central forest, create a management agent for all user forests.

To create a management agent for the Communications Server Sync tool in all user forests 1.

On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to Microsoft Identity Integration Server, and then click Identity Manager.

2.

Click Management Agents.

3.

On the Actions menu, click Import Management Agent.

4.

Select %drive letter%:\Program Files\Microsoft Identity Integration Server\Extensions\Lcsuserforestma.xml, and then click Open.

5.

In the Name box, type a unique name for the management agent.

6.

Click Next.

7.

Enter the user name and password of a member of the DomainAdmins group on the Communications Server in the user forest.

8.

Click Next.

9.

In Partitions Matching, under Update Partitions, select the partition that needs to be updated, and in Existing Partitions select the partition that contains the distinguished name of your user forest.

10. Click Match 11. In Existing Partitions, select each unmatched partition, and then click Deselect. 12. Click OK. 13. Click Next. 14. In Select directory partitions, clear the check boxes for all domains except the first domain where the organization unit where the Users and Groups objects in this forest exist. MIIS will synchronize these User objects and Group objects as contacts in the central forest. 15. Click Containers. 16. In Select Containers, select the OU container where contacts will be stored, and then click OK.

Deploying Communications Server 2007 in a Multiple Forest Environment

13

17. Repeat steps 14 through 16 for each domain that contains users and groups that will use the Communications Servers in the central forest. 18. Click Next. 19. On the Select Objects page, accept the default values, and then click Next. 20. On the Select Attributes page, accept the default values, and then click Next. 21. On the Configure Connector Filter page, accept the default values, and then click Next. 22. On the Configure Join and Projection Rules page, accept the default values, and then click Next. 23. On the Configure Attribute Flow page, accept the default values, and then click Next. 24. On the Configure Deprovisioning page, accept the default values, and then click Next. 25. On the Configure Extensions page, verify that Lcssync.dll is selected, and then click Finish.

Importing, Synchronizing, and Provisioning Communications Server Objects After you have created management agents for all forests in your environment, synchronize user and contact information. During this initial synchronization, import Active Directory data for each forest into the connector space, synchronize this data in the metaverse, and then export this data from the metaverse to the central forest.

Import Active Directory Objects for Each Forest into the Connector Space For each forest, import data stored in its Active Directory into the forest’s Connector Space. Perform this step on the central forest and all user forests in your environment.

To import Active Directory data into the Connector Space from the central forest 1.

On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to Microsoft Identity Integration Server, and then click Identity Manager.

2.

Click Management Agents.

3.

Right-click the management agent for the central forest, and then click Run.

4.

Click Full Import, and then click OK.

To import Active Directory data into the Connector Space from each user forest 1.

On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to Microsoft Identity Integration Server, and then click Identity Manager.

2.

Click Management Agents.

3.

Right-click the management agent for your first user forest, and then click Run.

4.

Click Full Import, and then click OK.

5.

Repeat steps 1 through 4 for each user forest in your environment.

14

Deploying Communications Server 2007 in a Multiple Forest Environment

Synchronize the Metaverse After you have imported Active Directory data from the central forest and each user forest in your environment, synchronize the metaverse with the data in each forest.

Note You must synchronize the metaverse with data from the central forest before you synchronize with the user forests.

To synchronize the metaverse for central forest information 1.

On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to Microsoft Identity Integration Server, and then click Identity Manager.

2.

Click Management Agents.

3.

Right-click the management agent for the-central forest, and then click Run.

4.

Click Full Sync, and then click OK.

To synchronize the metaverse for your user forests 1.

On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to Microsoft Identity Integration Server, and then click Identity Manager.

2.

Click Management Agents.

3.

Right-click the management agent for your first user forest, and then click Run.

4.

Click Full Sync, and then click OK.

5.

Repeat steps 1 through 4 for each user forest in your environment.

Provision the Central Forest After synchronizing the information imported from all user forests, you export all the information from the metaverse to the central forest. This process is known as provisioning.

To provision the central forest 1.

On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to Microsoft Identity Integration Server, and then click Identity Manager.

2.

Click Management Agents.

3.

Right-click the management agent for the central forest, and then click Run.

4.

Click Export, and then click OK.

After you provision the central forest, you should verify that Contact objects have been created for each User object in the user forests. You must then enable these contacts for Communications Server 2007.

Deploying Communications Server 2007 in a Multiple Forest Environment

15

Step 2 Enable Contacts for Communications Server 2007 Public Beta Users cannot use Communications Server until they are enabled for Office Communications Server service. After you have synchronized Active Directory for users, groups, and contacts across all your forests, enable the contacts that you created in the central forest for Communications Server. If all contacts have an e-mail address that corresponds to their SIP address, you can enable all contacts simultaneously. If not all the contacts have an e-mail address that corresponds to their Sip address, or if you want to host these users on different servers or pools, configure each contact individually.

To enable all contacts for Communications Server 1.

In the central forest, log on to a Communications Server 2007 as a member of the RTCUniversalUserAdmins group.

2.

Start Active Directory Users and Computers: Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

3.

Go to the organizational unit where you created your contacts.

4.

Select all contacts, right-click the highlighted area, and then click Enable users for Communications Server.

To enable an individual contact for Communications Server 1.

In the central forest, log on to a Communications Server 2007 as a member of the RTCUniversalUserAdmins group.

2.

Start Active Directory Users and Computers: Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

3.

Go to the organizational unit where you created your contacts.

4.

Right-click the contact that you want to enable, click Properties, and then click the Communications tab.

5.

Select the Enable user for Office Communications Server check box.

6.

In the Sign-in name box, type the sign-in name (also known as the SIP URI) for this contact and select the SIP domain that is used by your Communications Servers. For example, [email protected].

7.

In Server or pool, select the Communications Server where you want to host the contact.

Keeping Information Synchronized After initial synchronization, you can perform incremental synchronizations to update only data that has changed since the previous synchronization. For example, if a new user account is added in a user forest, you would synchronize only this new user data and create a contact for this user in the central forest.

16

Deploying Communications Server 2007 in a Multiple Forest Environment

Import Active Directory Objects for Each Forest into the Connector Space For each forest, you import data that is stored in the Active Directory into the forest’s connector space. You must perform this step for each user forest in which user information has changed.

To import Active Directory data into the Connector Space 1.

On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to Microsoft Identity Integration Server, and then click Identity Manager.

2.

Click Management Agents.

3.

Right-click the management agent for the central forest, and then click Run.

4.

Click Delta Import, and then click OK.

5.

Repeat steps 1 through 4 for each forest where Active Directory changes have occurred (where users, groups, or contacts have been changed, added, or deleted).

Synchronize the Metaverse After you have imported new Active Directory data for each user forest in your environment, you synchronize the information for each forest in the metaverse.

Note You must synchronize information from the central forest before synchronizing information from user forests.

To synchronize the metaverse for your central forest 1.

On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to Microsoft Identity Integration Server, and then click Identity Manager.

2.

Click Management Agents.

3.

Right-click the management agent for your central forest, and then click Run.

4.

Click Delta Sync, and then click OK.

To synchronize the metaverse for your user forests 1.

On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to Microsoft Identity Integration Server, and then click Identity Manager.

2.

Click Management Agents.

3.

Right-click the management agent for your first user forest, and then click Run.

4.

Click Delta Sync, and then click OK.

5.

Repeat steps 1 through 4 for each forest where changes have occurred.

Provision the Central Forest After you have synchronized the new data that was imported from all user forests, you provision the central forest so that Contact objects are created, updated, or deleted for each change in the user forest and any new contacts are enabled for Communications Server.

Deploying Communications Server 2007 in a Multiple Forest Environment

To provision the central forest 1.

On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to Microsoft Identity Integration Server, and then click Identity Manager.

2.

Click Management Agents.

3.

Right-click the management agent for the central forest, and then click Run.

4.

Click Export, and then click OK.

17

Deploying Communications Server 2007 in a Multiple Forest Environment

18

Understanding How Attributes Are Synchronized After you install and run the Communications Server Sync tool as described in “Step 1 Configuring MIIS” earlier in this guide, attributes on the User and Contact objects will be modified as follows. Contact Attributes Added through Schema Prep Because the Active Directory schema in the central forest was extended during the Communications Server 2007 installation, the Contact objects in the central forest have the following new attributes: •

ms-RTC-SIP-PrimaryHomeServer

•

ms-RTC-SIP-IsMaster

•

ms-RTC-SIP-TargetHomeServer

Attributes Synchronized by Communications Server Sync Communications Server Sync synchronize all of the following attributes: •

objectSid

•

telephoneNumber

•

displayName

•

givenName

•

sn (surname)

•

physicalDeliveryOfficeName

•

l (city)

•

st (state)

•

country

•

title

•

mail

•

company

•

cn

The following table shows how attributes are mapped from a user object to a Contact object using the example user, UserA. Table 1 The attributes on the User and Contact objects Attribute

User A

Cn

UserA

ObjectSID

sidA

Contact for User A UserA

Deploying Communications Server 2007 in a Multiple Forest Environment

ms-RTC-SIPOriginatorSID

19

sidA

ms-RTC-SIPTargetHomeServer telephoneNumber

555-1234

555-1234

displayName

User A

User A

givenName

Dylan

Dylan

surname

Miller

Miller

physicalDeliveryOfficeN ame

4500

4500

l (city)

Redmond

Redmond

st (state)

WA

WA

Country

U.S.A

U.S.A

Title

Director

Director

Mail

[email protected]

[email protected]

Company

Contoso

Contoso

Group Attributes Communications Server Sync and updated GAL sync synchronize all of the following attributes: •

objectSid

•

mail

•

displayName

•

groupType

Table 2 The attributes on the Group and Contact objects Attribute

Group A

Cn

GroupA

ObjectSID

sidA

ms-RTC-SIPOriginatorSID

Contact for Group A GroupA

sidA

displayName

GroupA

groupType

Distribution Group Universal

GroupA

20

Deploying Communications Server 2007 in a Multiple Forest Environment

ms-RTC-SIPSourceObjectType Mail

Distribution Group Universal [email protected]

[email protected]

Deploying Communications Server 2007 in a Multiple Forest Environment

21

Troubleshooting the Central Forest Topology Use this section to help troubleshoot problems that you may encounter. For general MIIS information, consult the MIIS documentation on the Microsoft Web site at: http://www.microsoft.com/windowsserversystem/miis2003/techinfo/default.mspx. Note Only using Kerberos for or both NTLM and Kerberos for authentication of contacts in the central forest is not supported. Issue: SIP-enabled Contact object cannot sign in the logs, there may be an authentication problem.

•

•

If a 401error appears in

•

Check the Contact object by using LDP.exe, and ensure all the SIP attributes are populated, al Contact objects must have msRTCSIP-OriginatorSid set, or authentication will fail.

•

If the contact is not created properly, check the MIIS logs.

•

If needed, set the LcsSync logging level to 3, as explained in “Deploying Communications Server Sync Tool” earlier in this guide. Synchronize the contact again to find out why the Contact object is not being created.

•

Verify that credentials (user name and password) from the original user forest are used: If the central forest is in the Contoso domain, and the User object is replicated from the Northwind Traders domain to Contoso as a Contact object, Northwind Traders credentials must be used for sign-in.

•

Check the cross-forest trust relationship. The central forest must trust incoming credentials from the user forest.

•

Verify that you are not using either Kerberos or both Kerberos and NTLM as your authentication protocol in the central forest. You must be using only the NTLM protocol.

If client receives a 404 error, there is a replication problem. •

Verify that the Contact object is properly SIP-enabled and that it exists in the Communications Server 2007 database.

•

Use Dbanalyze.exe, which is available in the Microsoft Office Communications Server 2007 Resource Kit, to get the user report for this particular user. Ensure that the user exists in the database.

•

Check Communications Server logs for any “RTC User Replicator” errors or warnings.

Communicator Log Files Use the Communicator log files to troubleshoot client issues.

22

Deploying Communications Server 2007 in a Multiple Forest Environment

Open the files communicator0.log and Communicator-uccp-0.log found under :\Documents and Settings\%User%\Tracing

MIIS Errors The following table lists some common MIIS errors and describes the possible causes and resolution. Error Constant

Description

no-start-no-domain-controller

The run step failed to start because the domain controller could not be contacted by the server. The next step in the run profile will not run and obsolete data will not be removed. If an import step returned this value, the next step will not be attempted again and any placeholder objects will not be removed. Verify that the domain controller is connected to the network. If this string is the value for the MIIS_ManagementAgent.RunStatus property, then no step is currently running but a run step has been run in the past.

no-start-no-partition-delete

The run step failed to start because domain or naming context has been deleted. The next step in the run profile will not run and obsolete data will not be removed. If an import run step returned this value, the next step will not be retried and any placeholder objects will not be removed. Verify that the specified partition still exists. If this string is the value for the MIIS_ManagementAgent.RunStatus property, then no run step is currently running but a run step has been run in the past.

no-start-partition-not-configured

The run step failed to start because the required partition is not selected in Configure Directory Partitions dialog box of the management agent properties. The next step in the run profile will not run and obsolete data will not be removed. If an import step returned this value, the next step will not be retried and any placeholder objects will not be removed. Verify that the appropriate partition is selected. For more information see "Configure directory partitions" in the Microsoft Identity Integration Server 2003 Help. If this string is the value for the

Deploying Communications Server 2007 in a Multiple Forest Environment

23

MIIS_ManagementAgent.RunStatus property, then no run step is currently running but a run step has been run in the past. no-start-partition-rename

The run step failed to start because the selected partition in Configure Directory Partitions dialog box of the management agent properties has been renamed. Verify that the appropriate partition is selected. For more information, see "Configure directory partitions" in the Microsoft Identity Integration Server 2003 Help. If this string is the value for the MIIS_ManagementAgent.RunStatus property, then no run step is currently running but a run step has been run in the past.

stopped-extension-dll-file-notfound

The run step stopped because the specified assembly name could not be found. The next step in the run profile will not run and obsolete data will not be removed. If an import step returned this value, the step will not be attempted again the any placeholder objects will not be removed. Check the event log for the assembly name that the server was trying to load. Next, in Properties, in the Configure Rules Extensions dialog box of the management agent or in Configure Rules Extensions on the Metaverse Rules Extensions tab, specify the correct assembly name to prevent this return value. For more information, see "Configure rules extensions" for management agent rules extensions or "Configure provisioning for metaverse rules extensions" in the Microsoft Identity Integration Server 2003 Help. If this string is the value for the MIIS_ManagementAgent.RunStatus property, then no run step is currently running but a run step has been run in the past.

stopped-server

This error can be returned when Microsoft SQL Server™ is stopped and you are trying to run Management Agents. The run step stopped because of an unknown server error. The next step in the run profile will not run and obsolete data will not be removed. If an import step returned this value, the processing of retries and cleanup of placeholder objects will not be performed. Resolve the server error.

24

Deploying Communications Server 2007 in a Multiple Forest Environment

If this string is the value for the MIIS_ManagementAgent.RunStatus property, then no run step is currently running but a run step has been run in the past. stopped-out-of-memory

The run step stopped because of insufficient server memory. The next step in the run profile will not run and obsolete data will not be removed. If an import run step returned this value, the processing of retries and cleanup of placeholder objects will not be performed. Increase the server memory.

stopped-extension-dll-load

The run step stopped because the specified assembly name cannot be loaded due to an unknown error. The next step in the run profile will not run and obsolete data will not be removed. If an import run step returned this value, the processing of retries and cleanup of placeholder objects will not be performed. Check the event log for the assembly name that the server was trying to load.

Part 2: Deploying Office Communications Server in a Resource Forest Topology This section explains how to configure Office Communications Server in a resource forest topology. As explained earlier, in a resource topology, a single resource forest contains all Office Communications Servers and disable user accounts for each logon enabled account in a user forest. As explained earlier, a resource forest topology is an Active Directory® Domain Services topology used to deploy Office Communications Server and often Exchange in one Active Directory forest while all log-on enabled user accounts are located in a separate Active Directory forest. The resource forest hosts only servers and does not contain any primary user accounts. The primary user accounts from other forests are represented as disabled user accounts. The SID (security identifier) of a disabled user account in the resource forest is mapped to the corresponding primary user account in the other forest to allow for single sign on. These disabled user accounts are enabled for Office Communications Server and mail-enabled for Exchange if it is deployed.

Deploying Communications Server 2007 in a Multiple Forest Environment

Prerequisites To support a resource forest topology, you must have deployed Office Communications Server deployed in your resource forest and configured at least a one-way trust between the resource forest and all user forests (such that the resource forest trusts all user forests). If you have not deployed Communications Server, see the Microsoft Office Communications Server Planning Guide and the Microsoft Office Communications Server Deployment Series. Figure 8 shows how an example organization, Contoso, configured an Enterprise pool in its resource forest. Figure 8 Example of a Resource Forest Topology

After you have deployed Communications Server in the resource forest, you do the following: •

Create disabled accounts with the corresponding attributes for each user account in the user forests. This process will vary depending on whether or not you have Microsoft Exchange Server deployed in the resource forest, as explained in the following section.

•

Enable these disabled accounts for Office Communications Server.

Step 1 Create Disabled User Accounts For each user account in a user forest, you must create a corresponding disabled user account in the resource forest. This process varies depending on whether or not Exchange Server is deployed in your resource topology:

25

26

Deploying Communications Server 2007 in a Multiple Forest Environment

If Exchange is deployed in your resource forest, the disabled user accounts will already exist and many of the necessary attributes on the disabled user accounts will already be populated. You can run a script to update the attributes that are not automatically updated by Exchange Server. If you do not have Exchange Server deployed in your resource topology, then you must create the disabled accounts and manually copy the required attributes from the user accounts in each user forest to the corresponding disabled user account in the resource forest. This method can introduce problems that are difficult to fix. As an alternative, consider deploying Office Communications Server in the central forest topology. For more information, see Part 1: Deploying Office Communications Server in a Central Forest Topology.

Step 2 Enable Disabled User Accounts for Office Communications Server Users cannot use Communications Server until they are enabled for the Office Communications Server service. After you have created the disabled user accounts for each user in the user forests, you must enable these accounts for the Office Communications Server service. If all disabled user accounts have an e-mail address that corresponds to their SIP address, you can enable all disabled user accounts simultaneously. If not all the disabled user accounts have an email address that corresponds to their SIP address, or if you want to host these users on different servers or pools, configure each disabled user account individually.

To enable all disabled user accounts for Communications Server 1.

In the resource forest, log on to a computer running the Office Communications Server 2007 service as a member of the RTCUniversalUserAdmins group.

2.

Start Active Directory Users and Computers: Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

3.

Go to the organizational unit where you created your disabled user accounts.

4.

Select all user accounts, right-click the selection, and then click Enable Users for Communications Server.

5.

Follow the steps in the Enable Users Wizard to complete the task.

6.

Open the Office Communications Server Administrative Tools and verify that that the users were enabled for the specified pool.

To enable an individual disabled user account for Communications Server 1.

In the resource forest, log on to a computer running the Office Communications Server 2007 service as a member of the RTCUniversalUserAdmins group.

2.

Start Active Directory Users and Computers: Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

3.

Go to the organizational unit where you created your disabled user accounts.

4.

Right-click the contact that you want to enable, click Properties, and then click the Communications tab.

Deploying Communications Server 2007 in a Multiple Forest Environment

27

5.

Select the Enable users for Office Communications Server check box.

6.

In the Sign-in name box, type the sign-in name (also known as the SIP URI) for this user account and select the SIP domain that is used by your Communications Servers. For example, [email protected].

7.

In Server or pool, select the Office Communications Server where you want to host the user account.

8.

Click Configure.

9.

In the User Options dialog box, select the appropriate settings required for your deployment and click OK. Click OK again to apply the changes and close the user properties.

Step 3 Populating the Required Attributes for Office Communications Server The following table shows the attributes that must be mapped from a user object in the user forest to a corresponding disabled user object in the resource forest using the example user, UserA. Table 3 The attributes on the User and Contact objects Attribute

User A in User Forest

Cn

Dylan

ObjectSID Note In a deployment that include Exchange, set the ObjectSID attribute to the value from the msExchMasterAccou ntSID attribute.

sidDylan

ms-RTC-SIPOriginatorSID

Disabled user account for User A in a Resource Forest Dylan

sidDylan

ms-RTC-SIPTargetHomeServer telephoneNumber

555-1234

555-1234

displayName

Dylan Miller

Dylan Miller

givenName

Dylan

Dylan

Surname

Miller

Miller

physicalDeliveryOfficeN ame

4500

4500

l (city)

Redmond

Redmond

st (state)

WA

WA

28

Deploying Communications Server 2007 in a Multiple Forest Environment

Country

U.S.A

U.S.A

Title

Director

Director

Mail

[email protected]

[email protected]

Company

Contoso

Contoso

Note In resource forest deployments with Exchange Server, all of the attributes are already populated except for the ones beginning with the ms-RTC-SIP prefix. Populate these attributes using the SID mapping tool. In resource forest deployments without Exchange Server, you must manually populate the required attributes on each disabled user account in your resource forest. This method can introduce problems that are difficult to fix. In these deployments, use the Central Forest topology instead. For more information, see Part 1: Deploying Office Communications Server in a Central Forest Topology.

Using the SIP Mapping Tool to Populate Attributes in a Resource Forest To allow single sign-on when a disabled user account is enabled for an Exchange Server mailbox, use the SID Mapping Tool to map the SID (security identifier) of a disabled user account in the resource forest to the corresponding primary user account in the user forest. The SID Mapping Tool is delivered as part of the Office Communications Server 2007 Resource Kit.

To run the SID Mapping Tool 1.

Log on to a server joined to an Active Directory domain in the resource forest using an account that is a member of the DomainAdmins group.

2.

If necessary, install the Office Communications Server 2007 Resource Kit. You can download the resource kit from the same Web site you used to download Office Communications Server 2007. After you download the resource kit, see the Office Communications Server Resource Kit readme for more information.

3.

From the command prompt, configure the Microsoft Windows® Scripting Host to use cscript by running the following command. wscript //h:cscript

Click OK in the confirmation box. 4.

Change the path of the command prompt by running the following command:

5.

Review the accounts in the resource forest that will be updated by running the following command:

cd “%programfiles%\Office Communications Server 2007\Reskit\LCSSync”

sidmap.wsf /OU: /query

Deploying Communications Server 2007 in a Multiple Forest Environment

29

where: •

/OU specifies the distinguished name (DN) of the container with the disable user accounts. To represent the DN, use the following format: OU=,DC=<domain name>,DC=<subdomain name>

For example, OU=Acounting,DC=contoso,DC=com •

/query limits the SID Mapping Tool to only query the resource forest and not populate the attributes.

The command returns a list of disabled user accounts in the resource forest. 6.

Populate the attributes in the resource forest by running the following command: sidmap.wsf /OU:  [/logfile:<path\filename>]

Where /logfile is an optional parameter that saves the results of your operation to a file for your records. This log file is automatically populated with a list of logon-disabled and Office Communications Server-enabled users.