Lync server 2013 simple central forest user provision through Linked mailboxes


I would like to share Lync user provisioning steps in central forest Lync topology without FIM. I have deployed a central forest Lync topology. Lync 2013 servers are hosted in ‘Green.com’ forest and wanted enable users from an additional forest called ‘Blue.com’.

1. DNS Zone Replication Between Forests :

Open DNS manager in ‘green.com’ forest and create a secondary DNS zone for blue.com.

  

Provide blue.com  domain controller FQDN or IP address on the window as below. Make sure that domain controller is reachable. Open all required network ports between the domain controllers.

 Once replication is completed , you should be able to see both zones as seen below.

2. Forest Trust Creation :

 Open active directory domain and trusts console from green.com forest and create a new trust.

 Select trust type as forest trust and direction should be two way. Make sure that it is completed successfully.

3. Linked Mailbox Provisioning :

 Open exchange 2013 admin center and select new Linked mailbox option as seen below.

Select the trusted forest as blue.com from the drop down list and click next.  

 Linked mailbox wizard will show all the account from blue.com forest. Select the account from the list as seen below. Click OK and it will provision a linked mailbox.

Linked mailbox will create a disabled account in green.com forest. It would have been associated with the mailbox.

 Install Lync resource kit on one of the frontend server. Run the SIDMap script to map the SID between the forests.

 SIDmap will associate the SID and you will get a popup message as below.

4. Client Testing

 Once it is completed, launch the Lync client from blue.com forest. Select the sign-in address as user@green,com with blue.com account credentials. You might need to import the root CA certificate in the client machine if it is not trusted.

 I was able to access Lync client and Linked mailbox from blue.com forest.

  

Comments (6)

  1. Red Erik says:

    Hi Saleesh,
    great work and post. I have a couple of question:
    1) The user in Green Ad can remain disabled ?
    2) The user in Green AD should be enabled to use Lync (Lync control Panel) ?
    and the most important question
    3) is it possible to use contacts instead of disabled users (to overcame the linked mailbox procedure) using the same way the msExchMasterAccountSid as the msRTCSIP-OriginatorSid ?

    Regards.

    Red.

  2. Anonymous says:

    Thank you Saleesh, this will make my life much easier without having to roll out full FIM for a temporary multi-forest setup.

  3. Thanks for posting this Saleesh, just found it in my dig for more info on resource forests and multi forest deployments.

  4. Thanks a lot....It worked says:

    It worked for me....Thanks a lot for your support. Tested on 15th May 2015 on Lync 2013.

  5. Marco Schilder says:

    This worked perfectly fine on Skype for Business with CU of August 2015.

Skip to main content