
Smarter Together

~ by I.M.H.O.


Category Archives: Quick Reference Guide

Understanding User Mapping in a Skype for Business Resource Forest

31 Monday Aug 2015

Posted by Paul Bloem in Quick Reference Guide, SIDMap, Skype for Business


Tags

Lync Sync, Resource Forest, SIDMap.wsf, Skype for Business, User Mapping

Resource Forests and Skype for Business


Final Solution

In this particular deployment the customer has requested that Skype for Business be installed in a new forest to provide access to users across multiple legacy domains.

Single sign-on is required (using the user's credentials in the User Forest to authenticate to the Skype user account resource in the Resource Forest).

Users will continue using their existing credentials in their current forests to sign on to Skype for Business (located in the new Forest).

To make things interesting, the customer has started a migration to Office 365 for mail. This means that UM will be delivered via Office 365.

What is considered as a Resource Forest model?

In the resource forest model, a separate forest is used to manage resources. Resource forests do not contain user accounts other than those required for service administration and those required to provide alternate access to the resources in that forest if the user accounts in the organizational forest become unavailable. Forest trusts are established so that users from other forests can access the resources contained in the resource forest.

Deploying Skype for Business in a resource forest while users (and the associated user authentication) exist in their respective user forests, is supported.

In fact, there are 2 potential scenarios that are supported.

Scenario 1


Scenario 1: Skype for Business and Exchange in the same Resource Forest

Both the Skype for Business Servers and the Microsoft Exchange Server are deployed in the same Active Directory forest (Resource Forest) while all logon-enabled user accounts are located in a separate Active Directory forest (user forest).

In this case the resource forest hosts only servers and does not contain any primary user accounts. The primary user accounts from the user forests are represented as disabled user accounts in the resource forest.

The ObjectSID of the primary user account (from the user forest) is mapped to the corresponding disabled user account’s msRTCSIP-OriginatorSID attribute in the resource forest (aka user mapping) to allow for single sign in.

These disabled user accounts are enabled for Skype for Business and mail-enabled for Exchange.

NOTE

Microsoft's recommendation is that if Exchange is deployed, it is best to deploy Skype for Business in the same forest as Exchange.

Scenario 2


Scenario 2: Skype for Business and Exchange in different Forests

In this scenario, Skype for Business Server and Microsoft Exchange Server are deployed in different forests. Microsoft recommends that Microsoft Forefront Identity Manager or Microsoft Identity Lifecycle Manager be used to synchronize users from the different user forests as disabled user accounts to the resource forest where Skype for Business Server is deployed.

To enable Exchange Unified Messaging (UM) and other Skype for Business Server to Office integration scenarios, the msRTCSIP-PrimaryUserAddress has to be added to the proxyAddresses user attribute in both the Microsoft Exchange Server forest and the Skype for Business Server forest (so that the proxyAddresses attribute is the same in both forests). A two-way trust should be established between both forests.

Understanding User Mapping

To assist with the explanation I will be referring to the user account in the user forest as the Primary User Account, and the disabled user account in the Resource Forest as the Resource User Account.

The Lync 2013 ResKit ships with a script called SIDMap.wsf. Its primary function is mapping users between User and Resource Forests… sort of, but not quite.

Actually, it only copies the msExchMasterAccountSid attribute to the msRTCSIP-OriginatorSID attribute on the Resource User Account.

The Resource User Account msExchMasterAccountSid attribute is populated from the objectSID of the Primary User Account (still following?).

So in Scenario 1 you would have to copy the objectSID of the Primary User Account in the User Forest to the msRTCSIP-OriginatorSID attribute of the Resource User Account (the disabled user in the Resource Forest).

This effectively maps the Resource User Account back to the Primary User Account. Of course, it needs to be done for each user.

The result: you can sign in to Skype for Business in the Resource Forest with credentials from the User Forest.
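
A read-only check of the mapping described above, as an added example that is not part of the original post or of SIDMap.wsf: it compares each Resource User Account's msRTCSIP-OriginatorSID with the objectSID of its Primary User Account and flags missing or mismatched mappings and resource accounts left enabled. It assumes the two accounts share a sAMAccountName; the function names and the sample SIDs are constructed for illustration.

```powershell
# Added example: read-only audit of the user mapping (no directory writes).
# Assumption: primary and resource accounts share the same sAMAccountName.
function ConvertTo-SidString($Value) {
    # Depending on how it was read, a SID may arrive as a SecurityIdentifier,
    # a byte[] or a string; normalise all three to the S-1-5-... form.
    if (-not $Value) { return $null }
    if ($Value -is [byte[]]) {
        return [System.Security.Principal.SecurityIdentifier]::new($Value, 0).Value
    }
    return ([System.Security.Principal.SecurityIdentifier]"$Value").Value
}

function Test-ForestUserMapping {
    param([object[]]$Primary, [object[]]$Resource)
    # Index the primary accounts by the join key (hashtable keys are case-insensitive)
    $bySam = @{}
    foreach ($p in $Primary) { $bySam[$p.SamAccountName] = $p }
    foreach ($r in $Resource) {
        $p = $bySam[$r.SamAccountName]
        $mapped = ConvertTo-SidString $r.'msRTCSIP-OriginatorSID'
        if (-not $p) { $status = 'NoPrimaryAccount' }
        elseif (-not $mapped) { $status = 'NotMapped' }
        # A mismatch means the resource account trusts some other identity
        elseif ($mapped -ne (ConvertTo-SidString $p.SID)) { $status = 'SidMismatch' }
        # Resource accounts are meant to stay disabled in this model
        elseif ($r.Enabled) { $status = 'ResourceAccountEnabled' }
        else { $status = 'OK' }
        [pscustomobject]@{ User = $r.SamAccountName; Status = $status; OriginatorSID = $mapped }
    }
}

# Constructed sample data standing in for Get-ADUser output. Against live forests:
#   $primary  = Get-ADUser -Server <user-forest DC> -Filter *
#   $resource = Get-ADUser -Server <resource-forest DC> -Filter * -Properties 'msRTCSIP-OriginatorSID'
$primary = @(
    [pscustomobject]@{ SamAccountName = 'alice'; SID = 'S-1-5-21-1111-2222-3333-1104' }
    [pscustomobject]@{ SamAccountName = 'bob';   SID = 'S-1-5-21-1111-2222-3333-1105' }
    [pscustomobject]@{ SamAccountName = 'carol'; SID = 'S-1-5-21-1111-2222-3333-1106' }
)
$resource = @(
    [pscustomobject]@{ SamAccountName = 'alice'; Enabled = $false; 'msRTCSIP-OriginatorSID' = 'S-1-5-21-1111-2222-3333-1104' }
    [pscustomobject]@{ SamAccountName = 'bob';   Enabled = $false; 'msRTCSIP-OriginatorSID' = 'S-1-5-21-1111-2222-3333-1104' }
    [pscustomobject]@{ SamAccountName = 'carol'; Enabled = $true;  'msRTCSIP-OriginatorSID' = $null }
)
Test-ForestUserMapping -Primary $primary -Resource $resource | Format-Table -AutoSize
```

In the sample, bob's resource account carries alice's SID, so it is reported as SidMismatch: a mapping error of that kind ties a resource account to the wrong primary identity.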

References

https://technet.microsoft.com/en-us/library/dn933910.aspx

http://blog.danovich.com.au/2009/11/05/improving-the-sidmap-wsf-script-for-ocs-attribute-synchronization/

https://actionxp.wordpress.com/2011/09/04/deploy-lync-server-2010-in-a-resource-forest-topology-part-1-2-2-2/


Call Pickup – How to

01 Thursday May 2014

Posted by Paul Bloem in Call PickUp, How To, Quick Reference Guide


What is Lync Call PickUp?

The ability to pick up a ringing endpoint by dialling a pickup code. This feature was added in Lync 2013 CU1.

Feature Scope

  • Calls coming in to any member of a call pickup group can be answered by dialing an access code for that group (you will need to be in earshot of the ringing call to know about it).
  • Any Lync user can answer a call to a call pickup group by dialing the call pickup access code associated with that group. 
  • Currently you cannot prevent the call from being Picked Up by any users.
  • Calls have to be made directly to the Pickup Group member to qualify for pickup (they can't be an RGS call, delegate call, team call, simultaneous ring, etc.).
  • Users may belong to just 1 pickup group.

How to configure Call Pickup

1. Call Pickup is an extension of SEFAUtil, so this needs to be configured and working. See here for setup of SEFAUtil.

2. To set up Call Pickup (which leverages the Lync Call Park Orbit functionality), add the Call Pickup Group and associated code:

New-CsCallParkOrbit -Identity "Night Bell" -Type GroupPickup -NumberRangeStart "*999" -NumberRangeEnd "*999" -CallParkService ""

NOTE
  • If you can't set the Type, it's probably because you don't have a minimum of CU1 installed.
  • In the command above we have used the code *999 as the pickup code. If you use * or # the number needs to be greater than 100.

3. Add a user to the Call Pickup Group. This is done from SEFAUtil as follows:

SEFAUtil.exe /enablegrouppickup:"*999" /server:"" sipuri@domain.com

You can check the assignment of the user to the Pickup Group with:

SEFAUtil.exe /server:"" sipuri@domain.com

If you would prefer a GUI, James Cussen has developed just what the doctor ordered: the Lync 2013 Call Pickup Group Manager. It can be found here.


TMG – Quick Reference Guide

25 Monday Mar 2013

Posted by Paul Bloem in Quick Reference Guide, TMG


Good old TMG..
Just a quick reference guide when the grey stuff gets fuzzy 🙂

  • The published site is the public external web FQDN
  • Use Browse to find the internal Front End pool; this tests the DNS resolution at the same time
  • Check the box to forward the original host header
  • Set the radio button so that requests appear to come from TMG


Add the public names (of course, these will match the public A records requested).
What you need is:

  • meet and dialin (often times I’ll merge these two)
  • lyncdiscover for the 2013 and mobile clients
  • external web services (same as published site)

The TMG won't be doing any pre-authentication, but the client will need to authenticate directly to the Front End.

Bridge the ports so that HTTP traffic to port 80 goes to 8080 and HTTPS traffic to port 443 goes to 4443. If you are not using port 80 you can ignore the HTTP bridge.

On the listener, ensure that the authentication is set to "No Authentication".
If you are not using port 80, disable it here.

Remember
Even after publishing the firewall rule, check the Monitoring tab to make sure the configuration has been successfully synced


