Deploying in a Multiple Forest Environment

Published March 2007

Configuring Microsoft Office Communications Server 2007 (Public Beta) in a Multiple-Forest Environment

This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release.

This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2007 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, Windows Server, Windows Vista, Active Directory, and SQL Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Contents

Introduction
  Central Forest Topology
  Resource Forest Topology
Part 1: Deploying Office Communications Server in a Central Forest Topology
  Prerequisites
  Step 1 Configure MIIS
  Step 2 Enable Contacts for Communications Server 2007 Public Beta
  Keeping Information Synchronized
  Understanding How Attributes Are Synchronized
  Troubleshooting the Central Forest Topology
Part 2: Deploying Office Communications Server in a Resource Forest Topology
  Prerequisites
  Step 1 Create Disabled User Accounts
  Step 2 Enable Disabled User Accounts for Office Communications Server

Introduction

A multiple forest topology is often used in enterprises that need multiple Active Directory® Domain Services forests to provide security or organizational boundaries. This document assumes that you have already decided upon a multiple forest topology. For more guidance on when a multiple forest topology is appropriate and how to deploy it, see the documentation for the Microsoft® Windows Server® operating system.

To support a multiple-forest environment, Microsoft Office Communications Server 2007 (Public Beta) must be deployed in only one forest in your topology, which is designated as the central forest or the resource forest. Deploying and synchronizing Communications Server 2007 across multiple forests is not supported.

Central Forest Topology

In a central forest topology, Office Communications Servers in the central forest provide services to users and groups in the central forest, as well as to users and groups in all other forests, which are called user forests.

The central forest deployment offers the benefits of centralized administration and minimizes complexity in a multiple forest environment.

Part 1 of this guide explains how to configure Office Communications Server 2007 to support users, groups, and distribution group expansion in a central forest environment. It briefly describes the multiple-forest environment, but it assumes that you have already deployed the hardware and software and are ready to create and propagate user data, so that a user in any forest can connect to Office Communications Server and communicate with any user in any connected forest.

Resource Forest Topology

In a resource forest topology, Office Communications Server is deployed in one forest, the resource forest, which hosts the Office Communications Servers but does not host any logon-enabled user accounts.

Outside the resource forest, user forests host the enabled user accounts but no Office Communications Servers. Within the resource forest, a corresponding disabled user account exists for each user account in the user forests.

Part 2 of this guide explains how to configure Office Communications Server 2007 to support a resource forest topology.

Deploying Communications Server 2007 in a Multiple Forest Environment

Part 1: Deploying Office Communications Server in a Central Forest Topology

This section explains how to configure Office Communications Server in a central forest topology.

Prerequisites

To support a central forest topology, the following are required.

Microsoft Identity Integration Server. To synchronize data across your forests, you must deploy Microsoft Identity Integration Server (MIIS). The following QFE is required for proper cross-forest synchronization: http://www.microsoft.com/downloads/details.aspx?familyid=FA9DBB67-4654-4C94-B073-AA59676130AF&displaylang=en. For information on how to deploy MIIS, see the Microsoft Identity Integration Server documentation.

Office Communications Server deployed in your central forest. If you have not deployed Communications Server, see the Microsoft Office Communications Server Planning Guide and the Microsoft Office Communications Server Deployment Series.

The central forest can be an existing forest that hosts existing Communications Servers, users, groups, and contacts, or you can create an entirely new forest.

The central forest should normally be the one that hosts the largest number of users. Connectivity between the central forest and other forests should also be highly available. Figure 1 shows how an example organization, Contoso, configured an Enterprise pool in its central forest.

Figure 1 Example of a Multiple Forest topology

After you have deployed Communications Server in the central forest, you do the following:

1. Configure the Microsoft Identity Integration Server.

2. Enable contacts for Communications Server.

Step 1 Configure MIIS

After you have deployed Communications Server 2007, modify the configuration of the Microsoft Identity Integration Server (MIIS) that is responsible for synchronizing User objects as contacts across all forests.

Configure the MIIS Server in one of two ways:

If you do not have Exchange deployed in a cross-forest topology, deploy and configure Communications Server Sync, the Lcssync tool available in the Communications Server 2007 Resource Kit. The remainder of this section focuses on using Communications Server Sync.

If Microsoft Exchange Server is deployed in a cross-forest topology, use the GAL (global address list) sync tool with the logic for Communications Server Sync. Exchange uses GAL sync to synchronize contact information in the GAL between forests. In this situation, an update to the GAL sync tool is required because MIIS does not support the coexistence of two different synchronization agents.

Communications Server Sync configures the management agent of each forest except the central one so that its user and group information is synchronized with MIIS. MIIS generates a metaverse object that represents each user or group and then synchronizes each user or group object as a contact in the central forest. Because every Communications Server user and group from every other forest is synchronized into the central forest as a contact that carries the source object's SID, users can still communicate with each other across forest boundaries after the MIIS server has been reconfigured, and distribution group expansion continues to work across forests. The following figure illustrates how MIIS was reconfigured in the Contoso environment.

Figure 2 Configuring the MIIS Server

As Figure 2 illustrates, the MIIS server is configured to do the following:

Import the User objects and Group objects from two user forests as MIIS metaverse objects.

Export the metaverse objects to the central forest as Contact objects.

To install and configure Communications Server Sync tool, Lcssync, perform the following steps (each step is explained in detail in the subsequent sections):

1. Ensure that .NET 2.0 Framework is installed on the server running MIIS.

2. Install Communications Server Sync (Lcssync) from the Resource Kit.

3. Extend the metaverse schema in MIIS.

4. Configure extensions in MIIS.

5. Configure object deletion rules in MIIS.

6. Create the management agent for the central forest.

7. Create the management agent for all user forests.

8. Import, synchronize, and provision Communications Server objects.

Install the .NET 2.0 Framework on the MIIS Server

The Communications Server Sync tool, Lcssync, requires .NET Framework 2.0.

You can install the .NET Framework Version 2.0 from the Microsoft Web site at http://www.microsoft.com/downloads/details.aspx?FamilyID=9655156b-356b-4a2c-857c-e62f50ae9a55&displaylang=en.

Deploying Communications Server Sync Tool

Before you can configure the Communications Server Sync tool, install the required files on your MIIS server. The files required for the Communications Server Sync tool are included in the Lcssync directory of the Communications Server 2007 Resource Kit.

To deploy the Communications Server Sync tool

1. On the MIIS computer, in the Communications Server 2007 Resource Kit, go to the Lcssync directory.

2. Copy all the files in this directory to the following directory on the MIIS Server: %drive%:\Program Files\Microsoft Identity Integration Server\Extensions.

3. In Active Directory® Domain Services in the central forest, create an organizational unit for your Contact objects, or verify that the target organizational unit already exists.

4. Go to the \Microsoft Identity Integration Server\Extensions folder, and then open Lcscfg.xml.

5. Modify the <target-ou> tag so that it contains the distinguished name of the target organizational unit in the central forest. The file has the following structure:

<rules-extension-properties>
  <lcssync-mas>
    <lcsma name="Lcs Central Forest">
      <target-ou>OU=contacts,DC=yourdomain,DC=com</target-ou>
    </lcsma>
  </lcssync-mas>
</rules-extension-properties>

The tag has the form <target-ou>path to contact organizational unit</target-ou>. For example:

<target-ou>OU=contacts,DC=contoso,DC=com</target-ou>

Note the value of the name attribute on the <lcsma> tag ("Lcs Central Forest" above): it must be used verbatim as the name of the central forest management agent when you create that agent later.

6. If necessary, you can modify Logging.xml to change the file name and logging level. The example below shows the default values in the xml:

<logging>
  <use-single-log>false</use-single-log>
  <file-name>lcssync.log</file-name>
  <logging-level>1</logging-level>
</logging>
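A mismatch between the management agent name and the <lcsma name> attribute, or a <target-ou> whose commas were lost in a hand edit, is easy to overlook until the central forest management agent runs. The following Python script is an added example written for this page, not part of the Resource Kit or the original guide. It assumes only the element structure shown above (it locates <lcsma> elements wherever they appear in the file) and uses a constructed copy of Lcscfg.xml as input. It checks that each <target-ou> splits into well-formed OU=/CN=/DC= components and is rooted in a domain, and that the name you intend to type in Identity Manager matches an <lcsma name> exactly.

```python
import re
import xml.etree.ElementTree as ET

# One RDN of the form OU=..., CN=... or DC=...; a second '=' inside the value means a
# separating comma was dropped (compare the guide's example OU=contacts,DC=contoso,DC=com).
RDN_RE = re.compile(r"^(OU|CN|DC)=[^,=]+$", re.IGNORECASE)


def check_target_ou(dn):
    """Return a list of problems with a <target-ou> value; an empty list means it is OK."""
    problems = []
    parts = [p.strip() for p in dn.split(",")]
    bad = [p for p in parts if not RDN_RE.match(p)]
    if bad:
        problems.append("malformed RDN(s): %s (missing commas?)" % ", ".join(bad))
    if not any(p.upper().startswith("DC=") for p in parts):
        problems.append("no DC= component, so the DN is not rooted in a domain")
    return problems


def load_lcscfg(xml_text):
    """Return {lcsma name: target-ou} from the text of Lcscfg.xml."""
    root = ET.fromstring(xml_text)
    return {ma.get("name"): (ma.findtext("target-ou") or "").strip()
            for ma in root.iter("lcsma")}


def validate(xml_text, planned_ma_name):
    """Findings for Lcscfg.xml given the name you intend to give the central forest
    management agent; the guide requires the two names to be identical."""
    findings = []
    mas = load_lcscfg(xml_text)
    if planned_ma_name not in mas:
        findings.append("management agent name %r matches no <lcsma name=...> in "
                        "Lcscfg.xml (%s)" % (planned_ma_name, ", ".join(map(repr, mas))))
    for name, ou in mas.items():
        for problem in check_target_ou(ou):
            findings.append("%s: target-ou %r: %s" % (name, ou, problem))
    return findings


# Constructed sample in the shape the guide shows (not a real Lcscfg.xml); the second
# copy carries the comma-less DN that a hand edit can easily produce.
GOOD_LCSCFG = """<rules-extension-properties>
  <lcssync-mas>
    <lcsma name="Lcs Central Forest">
      <target-ou>OU=contacts,DC=contoso,DC=com</target-ou>
    </lcsma>
  </lcssync-mas>
</rules-extension-properties>"""
BAD_LCSCFG = GOOD_LCSCFG.replace("OU=contacts,DC=contoso,DC=com", "OU=contactsDC=contosoDC=com")

if __name__ == "__main__":
    for cfg in (GOOD_LCSCFG, BAD_LCSCFG):
        print(validate(cfg, "Lcs Central Forest") or ["OK"])
```

To check a real file, read %drive%:\Program Files\Microsoft Identity Integration Server\Extensions\Lcscfg.xml and pass its text to validate() together with the name you will type in the Create Management Agent dialog. The name comparison is exact on purpose: the guide says the two must be identical, so a change of case or a trailing space is reported rather than tolerated.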

Extending the Metaverse Schema in MIIS

After you have installed the Communications Server Sync tool on the MIIS Server, extend the metaverse schema so that the Communications Server attributes can be synchronized.

To extend the metaverse schema

1. On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to Microsoft Identity Integration Server, and then click Identity Manager.

2. Click Metaverse Designer.

3. On the Actions menu, click Import Metaverse Schema.

4. Select %drive letter%:\Program Files\Microsoft Identity Integration Server\Extensions\Lcsmvschema.xml.

5. When the schema import operation has completed successfully, click OK.

Configuring Extensions for the Communications Server Sync tool

After you have extended the metaverse schema, configure the extensions for the Communications Server Sync tool. The way that you configure the extensions determines how synchronization is handled for Communications Server objects that are synchronized by MIIS.

To configure extensions for the Communications Server Sync tool

1. On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to Microsoft Identity Integration Server, and then click Identity Manager.

2. On the Tools menu, click Options.

3. Select the Enable metaverse rules extension check box.

4. Click Browse.

5. Under Files, select Lcssync.dll.

Figure 3 Configure Extensions

6. Select the Enable Provisioning Rules Extension check box, and then click OK.

Configuring the Object Deletion Rule in MIIS

After you have configured extensions for the Communications Server Sync tool, configure the rule that determines what MIIS will do when a User object is deleted in a forest and how it will synchronize the deletion with the central forest. If a User object is deleted in a user forest, the corresponding Contact object that is used by Communications Server in the central forest must also be deleted. Configuring the object deletion rule ensures that MIIS and the Communications Server handle this situation correctly.

To configure the Object Deletion Rule

1. On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to Microsoft Identity Integration Server, and then click Identity Manager.

2. Click Metaverse Designer. The Identity Manager window should appear as shown in Figure 4.

Figure 4 Configure Object Deletion Rule in Metaverse Designer

3. Under Object types, right-click person.

4. In the adjacent Actions pane, click Configure Object Deletion Rule.

5. In the Configure Object Deletion Rule dialog box, which is shown in Figure 5, click Rules Extension, and then click OK.

Figure 5 Configure Object Deletion Rule

Creating the Management Agent for the Central Forest

After you have configured the Communications Server Sync tool, create a management agent for the Communications Server Sync tool in the central forest.

To create a management agent for the Communications Server Sync tool in the central forest

1. On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to Microsoft Identity Integration Server, and then click Identity Manager.

2. Click Management Agents.

3. On the Actions menu, click Import Management Agent.

4. Select %drive letter%:\Program Files\Microsoft Identity Integration Server\Extensions\Lcscentralforestma.xml, and then click Open. The Create Management Agent dialog box appears.

Figure 6 Create Management Agent

5. In Name, type a name for the management agent. This name must be identical to the value of the name attribute of the <lcsma> tag in Lcscfg.xml (for example, "Lcs Central Forest").

6. Click Next.

7. Enter the user name and password of a member of the Domain Admins group in the central forest. MIIS stores these credentials and uses them for every import and export run by this management agent, so treat the account as a privileged service account.

8. Click Next.

Figure 7 Partitions Matching

9. In Partitions Matching, under Update Partitions, select the partition that needs to be updated, and in Existing Partitions, select the partition that contains the distinguished name of your central forest.

10. Click Match.

11. In Existing Partitions, select each unmatched partition and click Deselect.

12. Click OK.

13. In Select directory partitions, clear the check boxes for all domains except for the domain that has the target organizational unit that you specified in Lcscfg.xml when you deployed the Communications Server Sync tool.

14. Click Containers.

15. In Select Containers, select the OU container where contacts will be stored, and then click OK.

16. Click Next.

17. On the Select Objects page, accept the default values, and then click Next.

18. On the Select Attributes page, accept the default values, and then click Next.

19. On the Configure Connector Filter page, accept the default values, and then click Next.

20. On the Configure Join and Projection Rules page, accept the default values, and then click Next.

21. On the Configure Attribute Flow page, accept the default values, and then click Next.

22. On the Configure Deprovisioning page, accept the default values, and then click Next.

23. On the Configure Extensions page, verify that Lcssync.dll is selected, and then click Finish.

Creating Management Agents for the User Forests

After you have created the management agent in the central forest, create a management agent for each user forest.

To create a management agent for the Communications Server Sync tool in all user forests

1. On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to Microsoft Identity Integration Server, and then click Identity Manager.

2. Click Management Agents.

3. On the Actions menu, click Import Management Agent.

4. Select %drive letter%:\Program Files\Microsoft Identity Integration Server\Extensions\Lcsuserforestma.xml, and then click Open.

5. In the Name box, type a unique name for the management agent.

6. Click Next.

7. Enter the user name and password of a member of the Domain Admins group in the user forest. The user forest hosts no Communications Servers; MIIS uses this account to read the User and Group objects from that forest.

8. Click Next.

9. In Partitions Matching, under Update Partitions, select the partition that needs to be updated, and in Existing Partitions select the partition that contains the distinguished name of your user forest.

10. Click Match.

11. In Existing Partitions, select each unmatched partition, and then click Deselect.

12. Click OK.

13. Click Next.

14. In Select directory partitions, clear the check boxes for all domains except the first domain that contains the organizational unit holding the User and Group objects in this forest. MIIS will synchronize these User objects and Group objects as contacts in the central forest.

15. Click Containers.

16. In Select Containers, select the OU container that holds the User and Group objects to be synchronized, and then click OK.

17. Repeat steps 14 through 16 for each domain that contains users and groups that will use the Communications Servers in the central forest.

18. Click Next.

19. On the Select Objects page, accept the default values, and then click Next.

20. On the Select Attributes page, accept the default values, and then click Next.

21. On the Configure Connector Filter page, accept the default values, and then click Next.

22. On the Configure Join and Projection Rules page, accept the default values, and then click Next.

23. On the Configure Attribute Flow page, accept the default values, and then click Next.

24. On the Configure Deprovisioning page, accept the default values, and then click Next.

25. On the Configure Extensions page, verify that Lcssync.dll is selected, and then click Finish.

Importing, Synchronizing, and Provisioning Communications Server Objects

After you have created management agents for all forests in your environment, synchronize user and contact information. During this initial synchronization, import Active Directory data for each forest into the connector space, synchronize this data in the metaverse, and then export this data from the metaverse to the central forest.

Import Active Directory Objects for Each Forest into the Connector Space

For each forest, import the data stored in its Active Directory into the forest's Connector Space. Perform this step on the central forest and all user forests in your environment.

To import Active Directory data into the Connector Space from the central forest

1. On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to Microsoft Identity Integration Server, and then click Identity Manager.

2. Click Management Agents.

3. Right-click the management agent for the central forest, and then click Run.

4. Click Full Import, and then click OK.

To import Active Directory data into the Connector Space from each user forest

1. On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to Microsoft Identity Integration Server, and then click Identity Manager.

2. Click Management Agents.

3. Right-click the management agent for your first user forest, and then click Run.

4. Click Full Import, and then click OK.

5. Repeat steps 1 through 4 for each user forest in your environment.

Synchronize the Metaverse

After you have imported Active Directory data from the central forest and each user forest in your environment, synchronize the metaverse with the data in each forest.

To synchronize the metaverse for central forest information

1. On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to Microsoft Identity Integration Server, and then click Identity Manager.

2. Click Management Agents.

3. Right-click the management agent for the central forest, and then click Run.

4. Click Full Sync, and then click OK.

To synchronize the metaverse for your user forests

1. On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to Microsoft Identity Integration Server, and then click Identity Manager.

2. Click Management Agents.

3. Right-click the management agent for your first user forest, and then click Run.

4. Click Full Sync, and then click OK.

5. Repeat steps 1 through 4 for each user forest in your environment.

Note: You must synchronize the metaverse with data from the central forest before you synchronize with the user forests.

Provision the Central Forest

After synchronizing the information imported from all user forests, you export all the information from the metaverse to the central forest. This process is known as provisioning.

To provision the central forest

1. On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to Microsoft Identity Integration Server, and then click Identity Manager.

2. Click Management Agents.

3. Right-click the management agent for the central forest, and then click Run.

4. Click Export, and then click OK.

After you provision the central forest, you should verify that Contact objects have been created for each User object in the user forests. You must then enable these contacts for Communications Server 2007.

Step 2 Enable Contacts for Communications Server 2007 Public Beta

Users cannot use Communications Server until they are enabled for Office Communications Server service. After you have synchronized Active Directory for users, groups, and contacts across all your forests, enable the contacts that you created in the central forest for Communications Server.

If all contacts have an e-mail address that corresponds to their SIP address, you can enable all contacts at once. If not all the contacts have an e-mail address that corresponds to their SIP address, or if you want to host these users on different servers or pools, configure each contact individually.

To enable all contacts for Communications Server

1. In the central forest, log on to a Communications Server 2007 as a member of the RTCUniversalUserAdmins group.

2. Start Active Directory Users and Computers: Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

3. Go to the organizational unit where you created your contacts.

4. Select all contacts, right-click the highlighted area, and then click Enable users for Communications Server.

To enable an individual contact for Communications Server

1. In the central forest, log on to a Communications Server 2007 as a member of the RTCUniversalUserAdmins group.

2. Start Active Directory Users and Computers: Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

3. Go to the organizational unit where you created your contacts.

4. Right-click the contact that you want to enable, click Properties, and then click the Communications tab.

5. Select the Enable user for Office Communications Server check box.

6. In the Sign-in name box, type the sign-in name (also known as the SIP URI) for this contact and select the SIP domain that is used by your Communications Servers. For example, [email protected].

7. In Server or pool, select the Communications Server where you want to host the contact.

Keeping Information Synchronized

After initial synchronization, you can perform incremental synchronizations to update only data that has changed since the previous synchronization. For example, if a new user account is added in a user forest, you would synchronize only this new user data and create a contact for this user in the central forest.

Import Active Directory Objects for Each Forest into the Connector Space

For each forest, you import the data that is stored in Active Directory into the forest's connector space. Perform this step for the central forest and for each user forest in which directory information has changed.

To import Active Directory data into the Connector Space

1. On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to Microsoft Identity Integration Server, and then click Identity Manager.

2. Click Management Agents.

3. Right-click the management agent for the central forest, and then click Run.

4. Click Delta Import, and then click OK.

5. Repeat steps 1 through 4 for each forest where Active Directory changes have occurred (where users, groups, or contacts have been changed, added, or deleted).

Synchronize the Metaverse

After you have imported new Active Directory data for each user forest in your environment, you synchronize the information for each forest in the metaverse.

Note: You must synchronize information from the central forest before synchronizing information from user forests.

To synchronize the metaverse for your central forest

1. On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to Microsoft Identity Integration Server, and then click Identity Manager.

2. Click Management Agents.

3. Right-click the management agent for your central forest, and then click Run.

4. Click Delta Sync, and then click OK.

To synchronize the metaverse for your user forests

1. On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to Microsoft Identity Integration Server, and then click Identity Manager.

2. Click Management Agents.

3. Right-click the management agent for your first user forest, and then click Run.

4. Click Delta Sync, and then click OK.

5. Repeat steps 1 through 4 for each forest where changes have occurred.

Provision the Central ForestAfter you have synchronized the new data that was imported from all user forests, you provision the central forest so that Contact objects are created, updated, or deleted for each change in the user forest and any new contacts are enabled for Communications Server.

To provision the central forest

1. On the MIIS computer, start Identity Manager: Click Start, point to All Programs, point to Microsoft Identity Integration Server, and then click Identity Manager.

2. Click Management Agents.

3. Right-click the management agent for the central forest, and then click Run.

4. Click Export, and then click OK.

Understanding How Attributes Are Synchronized

After you install and run the Communications Server Sync tool as described in "Step 1 Configure MIIS" earlier in this guide, attributes on the User and Contact objects will be modified as follows.

Contact Attributes Added through Schema Prep

Because the Active Directory schema in the central forest was extended during the Communications Server 2007 installation, the Contact objects in the central forest have the following new attributes:

ms-RTC-SIP-PrimaryHomeServer

ms-RTC-SIP-IsMaster

ms-RTC-SIP-TargetHomeServer

Attributes Synchronized by Communications Server Sync

Communications Server Sync synchronizes all of the following attributes:

objectSid

telephoneNumber

displayName

givenName

sn (surname)

physicalDeliveryOfficeName

l (city)

st (state)

country

title

mail

company

cn

The following table shows how attributes are mapped from a User object to a Contact object using the example user, UserA. Cells that are empty in the original are shown as (none): a Contact object is not a security principal and has no objectSid of its own, so the user's SID is carried in ms-RTC-SIP-OriginatorSID instead.

Table 1 The attributes on the User and Contact objects

Attribute                     User A               Contact for User A
cn                            UserA                UserA
objectSid                     sidA                 (none)
ms-RTC-SIP-OriginatorSID      (none)               sidA
ms-RTC-SIP-TargetHomeServer   (none)               (none)
telephoneNumber               555-1234             555-1234
displayName                   User A               User A
givenName                     Dylan                Dylan
sn (surname)                  Miller               Miller
physicalDeliveryOfficeName    4500                 4500
l (city)                      Redmond              Redmond
st (state)                    WA                   WA
country                       U.S.A                U.S.A
title                         Director             Director
mail                          [email protected]      [email protected]
company                       Contoso              Contoso

Group Attributes

Communications Server Sync and updated GAL sync synchronize all of the following attributes:

objectSid

mail

displayName

groupType

Table 2 The attributes on the Group and Contact objects (- : no value)

Attribute                    Group A                          Contact for Group A
cn                           GroupA                           GroupA
objectSid                    sidA                             -
ms-RTC-SIP-OriginatorSID     -                                sidA
displayName                  GroupA                           GroupA
groupType                    Distribution Group - Universal   -
ms-RTC-SIP-SourceObjectType  -                                Distribution Group - Universal
mail                         [email protected]                [email protected]


Troubleshooting the Central Forest Topology

Use this section to help troubleshoot problems that you may encounter. For general MIIS information, consult the MIIS documentation on the Microsoft Web site at: http://www.microsoft.com/windowsserversystem/miis2003/techinfo/default.mspx.

Note   Using only Kerberos, or both NTLM and Kerberos, for authentication of contacts in the central forest is not supported.

Issue: SIP-enabled Contact object cannot sign in

If a 401 error appears in the logs, there may be an authentication problem.

Check the Contact object by using LDP.exe, and ensure that all the SIP attributes are populated. All Contact objects must have msRTCSIP-OriginatorSid set, or authentication will fail.

If the contact is not created properly, check the MIIS logs.

If needed, set the LcsSync logging level to 3, as explained in “Deploying Communications Server Sync Tool” earlier in this guide. Synchronize the contact again to find out why the Contact object is not being created.

Verify that credentials (user name and password) from the original user forest are used: If the central forest is in the Contoso domain, and the User object is replicated from the Northwind Traders domain to Contoso as a Contact object, Northwind Traders credentials must be used for sign-in.

Check the cross-forest trust relationship. The central forest must trust incoming credentials from the user forest.

Verify that you are not using either Kerberos or both Kerberos and NTLM as your authentication protocol in the central forest. You must be using only the NTLM protocol.

If the client receives a 404 error, there is a replication problem.

Verify that the Contact object is properly SIP-enabled and that it exists in the Communications Server 2007 database.

Use Dbanalyze.exe, which is available in the Microsoft Office Communications Server 2007 Resource Kit, to get the user report for this particular user. Ensure that the user exists in the database.

Check Communications Server logs for any “RTC User Replicator” errors or warnings.

Communicator Log Files

Use the Communicator log files to troubleshoot client issues. Open the files communicator0.log and Communicator-uccp-0.log found under <Drive>:\Documents and Settings\%User%\Tracing.

MIIS Errors

The following table lists some common MIIS errors and describes the possible causes and resolution.

Error Constant Description

no-start-no-domain-controller The run step failed to start because the domain controller could not be contacted by the server. The next step in the run profile will not run and obsolete data will not be removed. If an import step returned this value, the next step will not be attempted again and any placeholder objects will not be removed.

Verify that the domain controller is connected to the network.

If this string is the value for the MIIS_ManagementAgent.RunStatus property, then no step is currently running but a run step has been run in the past.

no-start-no-partition-delete The run step failed to start because the domain or naming context has been deleted. The next step in the run profile will not run and obsolete data will not be removed. If an import run step returned this value, the next step will not be retried and any placeholder objects will not be removed.

Verify that the specified partition still exists.

If this string is the value for the MIIS_ManagementAgent.RunStatus property, then no run step is currently running but a run step has been run in the past.

no-start-partition-not-configured The run step failed to start because the required partition is not selected in the Configure Directory Partitions dialog box of the management agent properties. The next step in the run profile will not run and obsolete data will not be removed. If an import step returned this value, the next step will not be retried and any placeholder objects will not be removed.

Verify that the appropriate partition is selected.

For more information see "Configure directory partitions" in the Microsoft Identity Integration Server 2003 Help.

If this string is the value for the MIIS_ManagementAgent.RunStatus property, then no run step is currently running but a run step has been run in the past.

no-start-partition-rename The run step failed to start because the selected partition in the Configure Directory Partitions dialog box of the management agent properties has been renamed. Verify that the appropriate partition is selected.

For more information, see "Configure directory partitions" in the Microsoft Identity Integration Server 2003 Help.

If this string is the value for the MIIS_ManagementAgent.RunStatus property, then no run step is currently running but a run step has been run in the past.

stopped-extension-dll-file-not-found

The run step stopped because the specified assembly name could not be found. The next step in the run profile will not run and obsolete data will not be removed. If an import step returned this value, the step will not be attempted again and any placeholder objects will not be removed.

Check the event log for the assembly name that the server was trying to load. Next, in Properties, in the Configure Rules Extensions dialog box of the management agent or in Configure Rules Extensions on the Metaverse Rules Extensions tab, specify the correct assembly name to prevent this return value.

For more information, see "Configure rules extensions" for management agent rules extensions or "Configure provisioning for metaverse rules extensions" in the Microsoft Identity Integration Server 2003 Help.

If this string is the value for the MIIS_ManagementAgent.RunStatus property, then no run step is currently running but a run step has been run in the past.

stopped-server This error can be returned when Microsoft SQL Server™ is stopped and you are trying to run Management Agents.

The run step stopped because of an unknown server error. The next step in the run profile will not run and obsolete data will not be removed. If an import step returned this value, the processing of retries and cleanup of placeholder objects will not be performed.


Resolve the server error.

If this string is the value for the MIIS_ManagementAgent.RunStatus property, then no run step is currently running but a run step has been run in the past.

stopped-out-of-memory The run step stopped because of insufficient server memory. The next step in the run profile will not run and obsolete data will not be removed. If an import run step returned this value, the processing of retries and cleanup of placeholder objects will not be performed.

Increase the server memory.

stopped-extension-dll-load The run step stopped because the specified assembly name cannot be loaded due to an unknown error. The next step in the run profile will not run and obsolete data will not be removed. If an import run step returned this value, the processing of retries and cleanup of placeholder objects will not be performed. Check the event log for the assembly name that the server was trying to load.

Part 2: Deploying Office Communications Server in a Resource Forest Topology

This section explains how to configure Office Communications Server in a resource forest topology. As explained earlier, in a resource forest topology a single resource forest contains all Office Communications Servers and a disabled user account for each logon-enabled account in a user forest.

As explained earlier, a resource forest topology is an Active Directory® Domain Services topology used to deploy Office Communications Server, and often Exchange, in one Active Directory forest while all logon-enabled user accounts are located in a separate Active Directory forest. The resource forest hosts only servers and does not contain any primary user accounts. The primary user accounts from other forests are represented as disabled user accounts. The SID (security identifier) of a disabled user account in the resource forest is mapped to the corresponding primary user account in the other forest to allow for single sign-on. These disabled user accounts are enabled for Office Communications Server and mail-enabled for Exchange if it is deployed.

Prerequisites

To support a resource forest topology, you must have Office Communications Server deployed in your resource forest and at least a one-way trust configured between the resource forest and all user forests, such that the resource forest trusts all user forests.

If you have not deployed Communications Server, see the Microsoft Office Communications Server Planning Guide and the Microsoft Office Communications Server Deployment Series.

Figure 8 shows how an example organization, Contoso, configured an Enterprise pool in its resource forest.

Figure 8 Example of a Resource Forest Topology

After you have deployed Communications Server in the resource forest, you do the following:

Create disabled accounts with the corresponding attributes for each user account in the user forests. This process will vary depending on whether or not you have Microsoft Exchange Server deployed in the resource forest, as explained in the following section.

Enable these disabled accounts for Office Communications Server.


Step 1 Create Disabled User Accounts

For each user account in a user forest, you must create a corresponding disabled user account in the resource forest. This process varies depending on whether or not Exchange Server is deployed in your resource topology:

If Exchange is deployed in your resource forest, the disabled user accounts will already exist and many of the necessary attributes on the disabled user accounts will already be populated. You can run a script to update the attributes that are not automatically updated by Exchange Server.

If you do not have Exchange Server deployed in your resource topology, then you must create the disabled accounts and manually copy the required attributes from the user accounts in each user forest to the corresponding disabled user account in the resource forest. This method can introduce problems that are difficult to fix. As an alternative, consider deploying Office Communications Server in the central forest topology. For more information, see Part 1: Deploying Office Communications Server in a Central Forest Topology.

Step 2 Enable Disabled User Accounts for Office Communications Server

Users cannot use Communications Server until they are enabled for the Office Communications Server service. After you have created the disabled user accounts for each user in the user forests, you must enable these accounts for the Office Communications Server service.

If all disabled user accounts have an e-mail address that corresponds to their SIP address, you can enable all disabled user accounts simultaneously. If not all the disabled user accounts have an e-mail address that corresponds to their SIP address, or if you want to host these users on different servers or pools, configure each disabled user account individually.

To enable all disabled user accounts for Communications Server

1. In the resource forest, log on to a computer running the Office Communications Server 2007 service as a member of the RTCUniversalUserAdmins group.

2. Start Active Directory Users and Computers: Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

3. Go to the organizational unit where you created your disabled user accounts.

4. Select all user accounts, right-click the selection, and then click Enable Users for Communications Server.

5. Follow the steps in the Enable Users Wizard to complete the task.

6. Open the Office Communications Server Administrative Tools and verify that the users were enabled for the specified pool.

To enable an individual disabled user account for Communications Server

1. In the resource forest, log on to a computer running the Office Communications Server 2007 service as a member of the RTCUniversalUserAdmins group.

2. Start Active Directory Users and Computers: Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

3. Go to the organizational unit where you created your disabled user accounts.

4. Right-click the disabled user account that you want to enable, click Properties, and then click the Communications tab.

5. Select the Enable users for Office Communications Server check box.

6. In the Sign-in name box, type the sign-in name (also known as the SIP URI) for this user account and select the SIP domain that is used by your Communications Servers. For example, [email protected].

7. In Server or pool, select the Office Communications Server where you want to host the user account.

8. Click Configure.

9. In the User Options dialog box, select the appropriate settings required for your deployment and click OK. Click OK again to apply the changes and close the user properties.

Step 3 Populate the Required Attributes for Office Communications Server

The following table shows the attributes that must be mapped from a user object in the user forest to a corresponding disabled user object in the resource forest using the example user, UserA.

Table 3 The attributes on the User object in the user forest and the disabled user account in the resource forest (- : no value)

Attribute                    User A (user forest)   Disabled account for User A (resource forest)
cn                           Dylan                  Dylan
objectSid                    sidDylan               -
ms-RTC-SIP-OriginatorSID     -                      sidDylan
ms-RTC-SIP-TargetHomeServer  -                      -
telephoneNumber              555-1234               555-1234
displayName                  Dylan Miller           Dylan Miller
givenName                    Dylan                  Dylan
sn (surname)                 Miller                 Miller
physicalDeliveryOfficeName   4500                   4500
l (city)                     Redmond                Redmond
st (state)                   WA                     WA
country                      U.S.A                  U.S.A
title                        Director               Director
mail                         [email protected]      [email protected]
company                      Contoso                Contoso

Note   In a deployment that includes Exchange, for the objectSid row use the value from the msExchMasterAccountSID attribute.

Using the SID Mapping Tool to Populate Attributes in a Resource Forest

To allow single sign-on when a disabled user account is enabled for an Exchange Server mailbox, use the SID Mapping Tool to map the SID (security identifier) of a disabled user account in the resource forest to the corresponding primary user account in the user forest. The SID Mapping Tool is delivered as part of the Office Communications Server 2007 Resource Kit.

To run the SID Mapping Tool

1. Log on to a server joined to an Active Directory domain in the resource forest using an account that is a member of the Domain Admins group.

2. If necessary, install the Office Communications Server 2007 Resource Kit. You can download the resource kit from the same Web site you used to download Office Communications Server 2007. After you download the resource kit, see the Office Communications Server Resource Kit readme for more information.

3. From the command prompt, configure the Microsoft Windows® Scripting Host to use cscript by running the following command.

wscript //h:cscript

Click OK in the confirmation box.

4. Change the path of the command prompt by running the following command:

cd "%programfiles%\Office Communications Server 2007\Reskit\LCSSync"

5. Review the accounts in the resource forest that will be updated by running the following command:

sidmap.wsf /OU:<DN of container with disabled user accounts> /query

where:

/OU specifies the distinguished name (DN) of the container with the disabled user accounts. To represent the DN, use the following format:

OU=<name>,DC=<domain name>,DC=<top-level domain name>

For example, OU=Accounting,DC=contoso,DC=com

/query limits the SID Mapping Tool to only query the resource forest and not populate the attributes.

The command returns a list of disabled user accounts in the resource forest.

Note   In resource forest deployments with Exchange Server, all of the attributes are already populated except for the ones beginning with the ms-RTC-SIP prefix. Populate these attributes using the SID Mapping Tool.

In resource forest deployments without Exchange Server, you must manually populate the required attributes on each disabled user account in your resource forest. This method can introduce problems that are difficult to fix. In these deployments, use the central forest topology instead. For more information, see Part 1: Deploying Office Communications Server in a Central Forest Topology.

6. Populate the attributes in the resource forest by running the following command:

sidmap.wsf /OU:<DN of container with disabled user accounts> [/logfile:<path\filename>]

where /logfile is an optional parameter that saves the results of your operation to a file for your records. This log file is automatically populated with a list of logon-disabled and Office Communications Server-enabled users.
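Both halves of this guide rest on the same invariant. In the central forest topology, the troubleshooting section states that every Contact must carry msRTCSIP-OriginatorSid or sign-in fails with a 401; in the resource forest topology, the SID Mapping Tool exists to stamp the user forest account's SID onto the disabled user account. Either way, the SID stored on the proxy object must equal the objectSid of exactly one account in a trusted user forest, and a proxy whose SID matches nothing can never be authenticated with user forest credentials. The following script is an added example, not part of this guide and not code from the LcsSync or SID Mapping tools. It verifies that invariant offline against two ldifde-style exports, one taken from a user forest and one from the container holding the Contact objects or disabled user accounts. The exports, SIDs and names embedded in it are constructed sample data; the only attribute names it relies on are objectSid and msRTCSIP-OriginatorSid from this guide (msExchMasterAccountSid is offered as an alternative for Exchange resource forests).

```python
# Added example (not from this guide, LcsSync or sidmap.wsf): offline check that
# the SID stored on a proxy object (a Contact in the central forest, or a disabled
# user account in a resource forest) equals the objectSid of one user-forest account.
import base64
import struct

def decode_sid(raw: bytes) -> str:
    """Binary Windows SID, as ldifde exports it, to the 'S-1-5-21-...' string form."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    revision, sub_count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")          # 48-bit, big-endian
    subs = struct.unpack("<%dI" % sub_count, raw[8:])     # 32-bit, little-endian
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))

def encode_sid(sid: str) -> bytes:
    """Inverse of decode_sid; used here only to build the constructed sample data."""
    _, revision, authority, *subs = sid.split("-")
    return (bytes([int(revision), len(subs)]) + int(authority).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *map(int, subs)))

def parse_ldif(text: str) -> list:
    """Minimal ldifde reader: one dict per entry, attribute names lowercased,
    'attr:: value' base64-decoded to bytes, folded continuation lines rejoined."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                    # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        decoded = base64.b64decode(value[1:].strip()) if value.startswith(":") else value.strip()
        current.setdefault(name.lower(), []).append(decoded)
    return entries

def check_sid_binding(user_ldif: str, proxy_ldif: str,
                      sid_attr: str = "msrtcsip-originatorsid") -> dict:
    """user_ldif : export of the user-forest accounts (must include objectSid)
    proxy_ldif : export of the Contact objects or disabled user accounts
    sid_attr   : attribute on the proxy object holding the source SID; pass
                 'msexchmasteraccountsid' to check what Exchange stamped instead."""
    users_by_sid = {decode_sid(e["objectsid"][0]): e["dn"][0]
                    for e in parse_ldif(user_ldif) if "objectsid" in e}
    report = {"ok": [], "missing_sid": [], "unresolved_sid": []}
    matched = set()
    for entry in parse_ldif(proxy_ldif):
        dn = entry["dn"][0]
        if sid_attr not in entry:
            report["missing_sid"].append(dn)           # sign-in fails (401) per guide
            continue
        sid = decode_sid(entry[sid_attr][0])
        if sid in users_by_sid:
            report["ok"].append(dn)
            matched.add(sid)
        else:
            report["unresolved_sid"].append("%s -> %s" % (dn, sid))
    report["user_without_proxy"] = [dn for sid, dn in users_by_sid.items()
                                    if sid not in matched]
    return report

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

# Constructed sample exports: fictitious SIDs and names, not from any real directory.
DYLAN_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
BOB_SID = "S-1-5-21-1111111111-2222222222-3333333333-1106"
FOREIGN_SID = "S-1-5-21-4000000000-555555555-666666666-1200"   # matches no user
USER_FOREST_LDIF = """dn: CN=Dylan Miller,OU=Users,DC=northwindtraders,DC=com
objectClass: user
objectSid:: %s

dn: CN=Bob Kelly,OU=Users,DC=northwindtraders,DC=com
objectClass: user
objectSid:: %s
""" % (_b64(encode_sid(DYLAN_SID)), _b64(encode_sid(BOB_SID)))
PROXY_LDIF = """dn: CN=Dylan Miller,OU=Contacts,DC=contoso,DC=com
objectClass: contact
msRTCSIP-OriginatorSid:: %s

dn: CN=Broken Contact,OU=Contacts,DC=contoso,DC=com
objectClass: contact

dn: CN=Stale Contact,OU=Contacts,DC=contoso,DC=com
objectClass: contact
msRTCSIP-OriginatorSid:: %s
""" % (_b64(encode_sid(DYLAN_SID)), _b64(encode_sid(FOREIGN_SID)))

if __name__ == "__main__":
    for finding, items in check_sid_binding(USER_FOREST_LDIF, PROXY_LDIF).items():
        for item in items:
            print("%-19s %s" % (finding + ":", item))
```

Run as-is it reports one good contact, one contact with no OriginatorSid, one contact whose SID resolves to nothing, and one user forest account that was never synchronized. Against a real deployment, produce the two inputs with ldifde (for example, ldifde -f users.ldf -d "OU=Users,DC=northwindtraders,DC=com" -r "(objectCategory=person)" -l objectSid in the user forest, and ldifde -f proxies.ldf -d "<DN of the container with the Contact objects or disabled user accounts>" -l msRTCSIP-OriginatorSid in the central or resource forest) and pass the file contents to check_sid_binding. The unresolved_sid finding deserves the closest look: such an object cannot be signed into with user forest credentials, and if it is left over from an account that no longer exists in the user forest it should be removed rather than repaired.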