Deploying Lync Server 2010 in a Multiple Forest Environment
Topic Last Modified: 2011-08-18
A multiple forest topology is often used in organizations that have a need for multiple forests in Active Directory Domain Services (AD DS) to help provide security or organizational boundaries. This document assumes that you have decided upon a multiple forest topology. For more guidance about when a multiple forest topology is appropriate and how to deploy it, see the Windows Server operating system documentation.
Multi-forest deployment of Microsoft Lync Server 2010 communications software can be in a:
Central forest
Resource forest
Central Forest
In a central forest topology, servers running Lync Server 2010 in the central forest provide services to users and groups in the central forest, in addition to users and groups in all other forests, which are called user forests. The central forest deployment offers the benefits of centralized administration and minimizes complexity in a multiple forest environment.
To support a central forest topology, the following prerequisites must be met:
Microsoft Forefront Identity Manager 2010, Microsoft Identity Lifecycle Manager 2007 Feature Pack 1 (FP1), or Microsoft Identity Integration Server 2003 SP2 — In order to synchronize data across your forests, you must deploy one of these life cycle manager tools.
To synchronize the necessary attributes from user forests to a central forest, Lync Server provides a tool called LcsSync.
Resource Forest
In a resource forest topology, Lync Server 2010 is deployed in one forest, a resource forest that hosts servers running Lync Server 2010 but does not host any logon-enabled user accounts.
Outside the resource forest, user forests host enabled user accounts but no servers running Lync Server 2010. Within the resource forest, a corresponding disabled user account exists for each user account in the user forests.
The resource forest hosts only enterprise application servers and does not contain any primary user accounts. The primary user accounts from other forests are represented as disabled user accounts. The ObjectSID of each primary user account (in the account forest) is mapped to the msRTCSIP-OriginatorSID attribute of the corresponding disabled user account in the resource forest. These disabled user accounts are enabled for Lync Server 2010 and mail-enabled for Microsoft Exchange Server if it is deployed.
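As an added example (not part of this documentation), the following PowerShell audit walks the resource forest's disabled representative accounts and checks the ObjectSID to msRTCSIP-OriginatorSID mapping described above, flagging representatives that are enabled, that point at no account in the account forest, or that point at a disabled one. The function name, the two server names and the use of the ActiveDirectory module are assumptions.

```powershell
# Added audit example: verify that each resource-forest account carrying
# msRTCSIP-OriginatorSID is disabled and that its SID resolves to an enabled
# primary account in the account forest. Assumptions: the ActiveDirectory
# module is available, the caller can read both forests, server names are placeholders.
Import-Module ActiveDirectory

function Test-LyncOriginatorSidMapping {
    param(
        [string]$ResourceForestServer = 'dc01.resource.example',  # placeholder
        [string]$AccountForestServer  = 'dc01.account.example'    # placeholder
    )

    # Resource-forest accounts that carry an originator SID, i.e. the disabled
    # representatives of primary accounts living in the account forest.
    $shadows = Get-ADUser -Server $ResourceForestServer `
        -LDAPFilter '(msRTCSIP-OriginatorSID=*)' `
        -Properties 'msRTCSIP-OriginatorSID'

    foreach ($shadow in $shadows) {
        # The attribute is stored as a binary SID; convert it to S-1-5-... form.
        $raw = $shadow.'msRTCSIP-OriginatorSID'
        $originatorSid = if ($raw -is [byte[]]) {
            New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        } else {
            [System.Security.Principal.SecurityIdentifier]$raw
        }

        # Resolve the SID to its primary account in the account forest.
        $primary = $null
        try {
            $primary = Get-ADUser -Server $AccountForestServer -Identity $originatorSid.Value
        } catch { }   # no account with this SID in the account forest

        $status = if ($shadow.Enabled) {
            'RepresentativeEnabled'   # design violation: the representative must stay disabled
        } elseif (-not $primary) {
            'OrphanedMapping'         # SID does not resolve to any primary account
        } elseif (-not $primary.Enabled) {
            'PrimaryDisabled'         # primary account disabled, representative still mapped
        } else {
            'OK'
        }

        [pscustomobject]@{
            ResourceAccount = $shadow.SamAccountName
            OriginatorSid   = $originatorSid.Value
            PrimaryAccount  = if ($primary) { $primary.SamAccountName } else { $null }
            Status          = $status
        }
    }
}

Test-LyncOriginatorSidMapping | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```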