Lync Server 2013: simple central forest user provisioning through linked mailboxes

I would like to share the Lync user provisioning steps for a central forest Lync topology without FIM (Forefront Identity Manager). I have deployed a central forest Lync topology: the Lync 2013 servers are hosted in the 'green.com' forest, and I wanted to enable users from an additional forest called 'blue.com'.

1. DNS Zone Replication Between Forests:

Open DNS Manager in the green.com forest and create a secondary DNS zone for blue.com.

Provide the FQDN or IP address of a blue.com domain controller (the DNS server) on the master servers page, as shown below. Make sure that domain controller is reachable, and open the required ports between the domain controllers: DNS (TCP/UDP 53) for the zone transfer itself, and for the trust in the next step LDAP (389/636), Kerberos (88), SMB (445) and RPC (135 plus the dynamic RPC range). A secondary zone is populated by zone transfer, so the blue.com DNS servers must allow transfers of the blue.com zone to the green.com DNS server. Restrict that to the green.com server's address rather than allowing transfers to any server, because a full zone transfer hands out every host and service record in blue.com.

Once the transfer has completed, you should be able to see both zones, as shown below.

2. Forest Trust Creation:

Open the Active Directory Domains and Trusts console in the green.com forest and create a new trust.

Select the trust type as forest trust and the direction as two-way. Make sure that it completes successfully and validate the trust from the Trusts tab. Leave SID filtering, which is on by default for a forest trust, in place; it only strips SIDs that do not belong to blue.com from blue.com logons and does not interfere with this procedure. If you want to keep the trust as narrow as possible, the only direction the linked-mailbox model actually needs is green.com trusting blue.com (an outgoing trust from the resource forest), and selective authentication can limit which green.com computers blue.com accounts may authenticate to.
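The two steps above done from PowerShell, as an added example that is not part of the original post. It assumes hypothetical hosts dc1.green.com (10.0.1.10) and dc1.blue.com (10.0.2.10), uses the DnsServer and ActiveDirectory modules plus the .NET Forest class (the AD module can read trusts but has no cmdlet to create one), and adds the zone-transfer restriction and the post-creation checks a practitioner would want.

```powershell
# Added example, not part of the original post: steps 1 and 2 as PowerShell, with the
# zone-transfer restriction and the trust checks a practitioner would want.
# Hypothetical names: dc1.green.com (10.0.1.10) is the green.com DNS server / DC,
# dc1.blue.com (10.0.2.10) the blue.com one. Nothing below needs the trust to exist
# yet, so the blue.com part is run locally on dc1.blue.com as a blue.com admin and
# the rest on dc1.green.com as a green.com Enterprise Admin.
$greenDns = '10.0.1.10'
$blueDns  = '10.0.2.10'

# --- Step 1a, run on dc1.blue.com: allow transfers of the blue.com zone ONLY to the
# green.com DNS server. The primary's transfer ACL is the real control here;
# "To any server" hands every blue.com host and service record to anyone who asks.
function Initialize-BlueZoneTransfer {
    Set-DnsServerPrimaryZone -Name 'blue.com' `
        -SecureSecondaries TransferToSecureServers -SecondaryServers $greenDns
}

# --- Step 1b, run on dc1.green.com: create the secondary zone and pull it, then check
# that the zone is there and that the DC locator records the trust wizard and Kerberos
# rely on resolve from the green.com side.
function Initialize-GreenSecondaryZone {
    Add-DnsServerSecondaryZone -Name 'blue.com' -ZoneFile 'blue.com.dns' -MasterServers $blueDns
    Start-DnsServerZoneTransfer -Name 'blue.com' -FullTransfer
    $zone = Get-DnsServerZone -Name 'blue.com'
    $srv  = Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.blue.com' -Type SRV `
                -Server $greenDns -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ZoneType    = $zone.ZoneType                 # expected: Secondary
        Masters     = ($zone.MasterServers -join ',')
        DcLocatorOk = [bool]$srv
    }
}

# --- Step 2, run on dc1.green.com: two-way forest trust created from green.com.
function New-BlueForestTrust {
    param([Parameter(Mandatory)][pscredential]$BlueCred)   # blue.com Enterprise Admin
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList @(
        [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest, 'blue.com',
        $BlueCred.UserName, $BlueCred.GetNetworkCredential().Password)
    $blue  = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
    $green = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $dir   = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional
    $green.CreateTrustRelationship($blue, $dir)
    $green.VerifyTrustRelationship($blue, $dir)      # throws if either direction fails
    $t = Get-ADTrust -Identity 'blue.com'
    [pscustomobject]@{
        Direction               = $t.Direction        # expected: BiDirectional
        ForestTransitive        = $t.ForestTransitive # expected: True
        SidFilteringQuarantined = $t.SIDFilteringQuarantined
        SidFilteringForestAware = $t.SIDFilteringForestAware
        SelectiveAuth           = $t.SelectiveAuthentication
    }
}

# Optional hardening, after the trust exists: with selective authentication, blue.com
# accounts can only authenticate to green.com computers where they hold "Allowed to
# Authenticate" (the Lync Front Ends and Exchange servers here). Grant that right first.
# [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().SetSelectiveAuthenticationStatus('blue.com', $true)

# On dc1.blue.com:   Initialize-BlueZoneTransfer
# On dc1.green.com:  Initialize-GreenSecondaryZone; New-BlueForestTrust -BlueCred (Get-Credential)
```

The order matters: the blue.com zone has to resolve from green.com before `Forest.GetForest` can locate a blue.com domain controller, which is why the post puts the DNS step first.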

3. Linked Mailbox Provisioning:

Open the Exchange 2013 admin center and select the new linked mailbox option, as shown below.

Select blue.com as the trusted forest from the drop-down list and click Next.

The linked mailbox wizard will list the accounts from the blue.com forest. Select the account from the list, as shown below, and click OK; it will provision a linked mailbox.

The linked mailbox creates a disabled user account in the green.com forest and associates it with the mailbox. The SID of the blue.com account is stored on that disabled account in the msExchMasterAccountSid attribute. The green.com account stays disabled, since all authentication happens against blue.com.

Install the Lync Server Resource Kit on one of the Front End servers and run the SIDMap script to map the SID between the forests. SIDMap copies the value of msExchMasterAccountSid into msRTCSIP-OriginatorSid on the disabled green.com account (which also has to be enabled for Lync, like any other user); that mapping is what lets the Lync registrar accept a logon by the blue.com account for the green.com SIP address.

SIDMap will associate the SIDs and you will get a popup message, as shown below.
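The same step driven from the Exchange Management Shell, the Lync Server Management Shell and the AD module instead of the EAC wizard and SIDMap, as an added example that is neither the post's own script nor the resource kit's. It assumes a hypothetical blue.com user BLUE\jdoe, DC dc1.blue.com, Lync pool pool01.green.com and OU green.com/LinkedUsers; since the post does not show how the green.com user was enabled for Lync, it includes that with Enable-CsUser. The verification function at the end checks what SIDMap's popup does not: that the mapped SID really belongs to a live blue.com account and that both attributes agree.

```powershell
# Added example, not the post's own code and not the SIDMap script: step 3 from the
# Exchange / Lync management shells and the AD module, plus a verification function.
# Hypothetical names: blue.com user BLUE\jdoe, blue.com DC dc1.blue.com,
# Lync pool pool01.green.com, target OU green.com/LinkedUsers.
Import-Module ActiveDirectory

$alias    = 'jdoe'
$blueDc   = 'dc1.blue.com'
$blueCred = Get-Credential -Message 'blue.com account that can read dc1.blue.com'

# 1. Linked mailbox. Exchange creates a DISABLED user in green.com and writes the SID of
#    BLUE\jdoe into msExchMasterAccountSid on that user. The account stays disabled;
#    nobody ever authenticates as it.
New-Mailbox -Name 'John Doe' -Alias $alias -UserPrincipalName "$alias@green.com" `
    -OrganizationalUnit 'green.com/LinkedUsers' `
    -LinkedMasterAccount "BLUE\$alias" -LinkedDomainController $blueDc -LinkedCredential $blueCred

# 2. Enable the (still disabled) green.com user for Lync.
Enable-CsUser -Identity "$alias@green.com" -RegistrarPool 'pool01.green.com' `
    -SipAddress "sip:$alias@green.com"

# 3. What SIDMap does: copy msExchMasterAccountSid into msRTCSIP-OriginatorSid (written
#    in binary SID form) so the registrar accepts a BLUE\jdoe logon for sip:jdoe@green.com.
function Set-LyncOriginatorSid {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $sid = (Get-ADUser -Identity $SamAccountName -Properties msExchMasterAccountSid).msExchMasterAccountSid
    if (-not $sid -or $sid.Value -eq 'S-1-5-10') {
        # S-1-5-10 (NT AUTHORITY\SELF) is what Exchange stores for a disabled-account
        # mailbox that has NO linked master; mapping it would let nobody in.
        throw "$SamAccountName has no linked master account (msExchMasterAccountSid = $($sid.Value))"
    }
    $bytes = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($bytes, 0)
    Set-ADUser -Identity $SamAccountName -Replace @{ 'msRTCSIP-OriginatorSid' = $bytes }
}

# 4. Verify the whole chain before handing the user over for client testing.
function Test-LinkedLyncUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties msExchMasterAccountSid, 'msRTCSIP-OriginatorSid'
    $master = $u.msExchMasterAccountSid
    $raw    = $u.'msRTCSIP-OriginatorSid'
    $orig   = $null
    if ($raw -is [System.Security.Principal.SecurityIdentifier]) { $orig = $raw }
    elseif ($raw) { $orig = New-Object System.Security.Principal.SecurityIdentifier($raw, 0) }
    # Does the master SID still resolve to an account in the trusted forest?
    $masterAccount = try { $master.Translate([System.Security.Principal.NTAccount]).Value } catch { $null }
    $cs = Get-CsUser -Identity $u.UserPrincipalName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        User              = $SamAccountName
        AdAccountDisabled = -not $u.Enabled                                 # expected: True
        HasLinkedMaster   = [bool]$master -and $master.Value -ne 'S-1-5-10' # expected: True
        MasterAccount     = $masterAccount                                  # expected: BLUE\jdoe
        SidsMatch         = [bool]$orig -and $orig.Value -eq $master.Value  # expected: True
        LyncEnabled       = [bool]$cs.Enabled                               # expected: True
        SipAddress        = $cs.SipAddress
    }
}

Set-LyncOriginatorSid -SamAccountName $alias
Test-LinkedLyncUser   -SamAccountName $alias
```

`MasterAccount` resolving to a name in BLUE\ is the check worth keeping in a recurring audit: if the blue.com account is later deleted and recreated it gets a new SID, the mailbox and Lync mapping silently stop matching, and the stale SID on the green.com object is the only trace of it.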

4. Client Testing

Once this is complete, launch the Lync client from the blue.com forest. Use user@green.com as the sign-in address and sign in with the blue.com account credentials (BLUE\user). If the green.com CA is not trusted on the client machine, you might need to import its root CA certificate into the client's Trusted Root Certification Authorities store; do not work around a certificate warning by relaxing validation on the client.

I was able to access the Lync client and the linked mailbox from the blue.com forest.

Comments

  • Anonymous
    January 01, 2003
    Hi Saleesh,
    great work and post. I have a couple of questions:
    1) Can the user in Green AD remain disabled?
    2) Should the user in Green AD be enabled for Lync (Lync Control Panel)?
    and the most important question
    3) Is it possible to use contacts instead of disabled users (to overcome the linked mailbox procedure), using the msExchMasterAccountSid as the msRTCSIP-OriginatorSid in the same way?

    Regards.

    Red.
  • Anonymous
    January 01, 2003
    Thank you Saleesh, this will make my life much easier without having to roll out full FIM for a temporary multi-forest setup.
  • Anonymous
    January 01, 2003
    Thanks for posting this Saleesh, just found it in my dig for more info on resource forests and multi forest deployments.
  • Anonymous
    May 15, 2015
    It worked for me. Thanks a lot for your support. Tested on 15th May 2015 on Lync 2013.
  • Anonymous
    October 22, 2015
    This worked perfectly fine on Skype for Business with CU of August 2015.