Scenario 2 Part 1.2.2&your Digital Footprint

Posted By admin On 29/12/21

Deploy Lync Server 2010 in a Resource Forest Topology (Part 1)

Scenario 2 part 1.2.2&your digital footprints

The Lync system is normally running in the same forest of user accounts. However, in some situation, we have to put it in a resource forest. For example:

Scenario 2 Part 1.2.2&your Digital Footprint Software


SOLUTIONS TO HOMEWORK ASSIGNMENT #4, MATH 253 1. Prove that the following di erential equations are satis ed by the given functions: (a) @2u @x 2 @2u @y + @2u @z.

1. The account forest functional level is lower than Windows 2003. For example, Windows 2000, or windows 2000 mixed. Lync Server deployment requires Windows 2003 forest functional level.

Scenario 2 Part 1.2.2&your Digital Footprint Worksheet

2, 4; B: 0, 2; 3. −6246−4 −2 −2 −4 −6 2 4 6 y x 4. −3123−2 −1 −1 −2 2 1 3 4 y x Vocabulary Check 1. (a) v horizontal real number line (b)vi vertical real number line (c) i point of intersection of vertical axis and horizontal axis (d)iv four regions of the coordinate plane (e) iii directed distance from the axis (f)ii. Part 2: Capture and Analyze ICMP Data in Wireshark 131 Lab—Using Wireshark to Examine Ethernet Frames 136 Mininet Topology 136 Objectives 136 Background/Scenario 136 Required Resources 137 Part 1: Examine the Header Fields in an Ethernet II Frame 137 Part 2: Use Wireshark to Capture and Analyze Ethernet Frames 139 Reflection 142. 2-2 Final Project Part 1 2-2 Final Project Part 1 Milestone One: Interview & Scenario Questions Camielle High Southern New Hampshire University Role & Information on Agency My role in this fictional case scenario will be a Case Manager working for WomenRising Inc. Scenario Authors Guide Part II v0.2.pdf - Google Drive.

2. There are multiple forests in your company and users in other forests wants to use your Lync server with SSO.

3. Due to some security consideration, you want to separate resources into different forests.

There is one Microsoft Technet document talking about it.

Deploying Lync Server 2010 in a Multiple Forest Environment

I am here to show a detail procedure and a real sample about how to do this.


Scenario 2 Part 1.2.2&your Digital Footprint System

Some basic concepts first:

a. Account Forest

The forest hosts Users and Groups.

b. Resource Forest

In a resource forest topology, Lync Server 2010 is deployed in one forest, a resource forest that hosts servers running Lync Server 2010 but does not host any logon-enabled user accounts.

Outside the resource forest, account forests host enabled user accounts but no servers running Lync Server 2010. Within the resource forest, a corresponding disabled user account exists for each user account in the user forests.

c. AD Attribute mapping

The resource forest hosts only enterprise application servers and does not contain any primary user accounts. The primary user accounts from other forests are represented as disabled user accounts. An ObjectSID of primary user account (from account forest) is mapped to corresponding disabled user account msRTCSIP-OriginatorSID attribute. These disabled user accounts are enabled for Lync Server 2010 service.

If the account is also enabled for mail-enabled for Microsoft Exchange Server, the ObjectSID should already be copied to msExchMasterAccountSid attribute. So you can use a tool called LcsSync (sidmap.wsf

) to help you copy the ObjectSID value from the AD attribute (msExchMasterAccountSid) to the attribute (msRTCSIP-OriginatorSid) for every disabled user in the forest.

d. Trust between account forest and resource forest

1. It does not require the 2 forests to be the same functional level. For example, the account domain can be Windows 2000 mixed, the resource forest can be Windows 2008. So we might not be able to build a “Forest type” trust. So the “External type” of forest trust is best option to support this.

Here is a list for trust type between forests.

Trust type






One-way or two-way

Use external trusts to provide access to resources located on a Windows NT 4.0 domain or a domain located in a separate forest that is not joined by a forest trust. For more information, see When to create an external trust.


Transitive or nontransitive

One-way or two-way

Use realm trusts to form a trust relationship between a non-Windows Kerberos realm and a Windows Server 2003 domain. For more information, see When to create a realm trust.



One-way or two-way

Use forest trusts to share resources between forests. If a forest trust is a two-way trust, authentication requests made in either forest can reach the other forest. For more information, see When to create a forest trust.



One-way or two-way

Use shortcut trusts to improve user logon times between two domains within a Windows Server 2003 forest. This is useful when two domains are separated by two domain trees. For more information, see When to create a shortcut trust.

2. Since we are going to use the msRTCSIP-OriginatorSid attribute of resource forest object to map the ObjectSID value of account forest object, we need to disable the “security identifier (SID) filter quarantining” on the forest trust. The netdom command is used to perform this job.

Command to disable “curity identifier (SID) filter quarantining”.

For example, the contoso forest (resource forest) TRUST the fabrikam forest (account forest), to disable the SID filtering on the trust:

netdom trust /domain:fabrikam.local /quarantine:No /userD:fabrikamadministrator

/passwordD:* /userO:contosoadministrator /passwordO:*

3. If Lync server is in resource forest, Exchange server is in account forest, and if we need to enable Exchange Unified Messaging (UM) and other Lync Server to office integration scenarios, the msRTCSIP-PrimaryUserAddress has to be added to list of proxyAddresses in both Microsoft Exchange Server and Lync Server forests, and a two-way trust should be established between both forests.

But if UM feature is not required, or Lync and Exchange are both in the resource forest, a one-way trust is good enough.

Now let’s show the topology of the sample system. The following diagram shows how the organization Fabrikam has:

Scenario 2 Part 1.2.2&your Digital Footprints

  • Account forest: shanghai.fabrikam.local. All user accounts and groups, and Exchange mailboxes are in this forest. (Domain controller: DC01.shanghai.fabrikam.local.)
  • Resource forest: The Lync server is running in the (Domain controller: Lync server:
  • Email addresses:, @Fabrikam.local
  • SIP addresses are same email addresses.
  • Assume the UM feature is not required here, so a one-way trust is built ( trust
  • SID filtering is disabled on the trust.
  • FIM 2010 is used to synchronize the required accounts to the resource forest as a disable account, and flow necessary attributes to them.
  • Test clients: client01, client02
  • No firewall is blocked between the 2 forests.