Tuesday 4 February 2014

Lync 2013 Resource Forest FIM Syncronization Guide

When company's buy other companies one of the big challenges from an IT side is managing multiple environments. In most cases a two-way trust is configured between both forests and most times it stay's this way until something like "Hey we want Lync" comes around.

In these kind of environments putting Lync Server into a resource forest makes the most sense. We can synchronize users from both forests into contact objects, and makes adding additional environments (more company purchase's) much more simplified.

In this post I am going to be going over how we can leverage FIM (Forefront Identity Manager) to synchronize user forest information into contact objects in the Lync resource forest. This method is recommended when you have multiple user forests and a ton (100s. 1000s, 10,000s) of users.

Guide Topology Overview

NOTE: The purpose of this Guide is to demonstrate the configuration of FIM for the use of user synchronization using Lync Server 2013 in a multiple forest configuration. It does not provide best practices on SQL, Windows or Lync configuration(s) or sizing.

The Forefront Identity Manager Server in this post will be running Windows Server 2008 R2 SP1. Also note that SQL is required for FIM, I installed SQL 2008 R2 on the FIM Server and will leverage that.

I have 3 forests total

LMLAB-A.COM = User Forest
LMLAB-B.COM = User Forest
LYNCMEBLOG.COM = Resource Forest (Lync 2013 Standard Edition)

More information on creating trusts (http://technet.microsoft.com/en-us/library/cc816590(v=ws.10).aspx)

Forefront Identity Manager prerequisites

Windows Server 2008 R2 SP1
SQL Server 2008+ (To install the FIM DB)
.NET FrameWork 4.5 (This is required to run the Lync FIM extensions)



Step 1: Forefront Identity Manager 2010 R2 Installation

Insert/Mount the FIM installation media, and open the FIMSplash.htm file and click "Install Synchronization Service"



Once the installer launches, click Next and accept the terms.



Specify your SQL Server and Instance name.


Click Next until installation begins, and wait for completion.



Step 2: Import LcsSync Folder into FIM Server

Download the Lync Server 2013 ResourceKit Install it into the default directory. Once the Resource Kit is installed go to %Program Files%\Microsoft Lync Server 2013\ResKit\LcsSync folder and copy all contents into the %Program Files%\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions folder on the FIM Server.



Edit the lcscfg.xml file as shown below. NOTE: The “lcsma name” you choose here must be used when importing the Central Forest MA into FIM as demonstrated in Step 5.


Step 3: Extend Metaverse Shchema for Lync Attributes

Next, we need to extend the metaverse schema so the Lync Server attributes can be synchronized.

Open the “Synchronization Service Manager”, Click Metaverse Designer, at the top click Actions and “Import Metaverse Schema”. Select the Lcsmvschema.xml from the %drive letter%:\Program Files\Microsoft Identity Integration Server\Extensions\ folder where you imported the LcsSync files.





Next, click Tools -> Options, Select “Enable metaverse rules extension”, then click Browse. In the list of files, select lcssync.dll
 
Next select “Enable Provisioning Rules Extension”. Then click OK to close the Options window.


Step 4: Configure Object Deletion Rule
If a user object is deleted in a user forest, the corresponding contact object that is used by Lync Server in the recourse forest must also be deleted, a big reason why this is a favourable configuration in large organizations.

In the Synchronization Service Manager, click Metaverse Designer. Under the Object types right click person, on the right hand side in the Actions menu click "Configure Object Deletion Rule"


In the Configure Object Deletion Rule dialog box, click Rules Extension, then click OK.

Step 5: Create Lync Resource Forest Management Agent

Now we are ready to create the Management Agents that will synchronize the objects from the LMLAB-A forest to the Lync resource forest LYNCMEBLOG.COM

Click Management Agents at the top, which should bring you at a blank management agent screen. At the top click Actions, Import Management Agent.


Make your way to the extensions folder where you copied the LcsSync directory (%drive letter%:\Program Files\Microsoft Identity Integration Server\Extensions\) and import the "lcscentralforestma.xml" file and click Ok.

A new window will open "Create Management Agent" with a default name "Lcs Central Forest". This name must be the lcsma name  you specified in Step 2.


Once you click Next, you will see the connect to Active Directory screen. Replace all the FABRIKAM information with your Lync resource forest information, and click Next.


On the next screen is where we match the imported template partition with our partition of our Lync resource forest. Click the FRABIKAM partition on the left, then click your root partition from the left and click Match.



Next, click Deselect for the other partitions in the list. Until you deselect everything you will not be able to click Ok at the bottom. then click Ok.


Next window will allow you to specify a specific domain controller and OU level filtering.

To select the OU you wish to put your synchronized contact objects click Containers


In the select containers window select the OU you wish to have your synced objects reside. then click OK.

At this point we are done with the configuration of the Management Agent, the rest has already been configured by Microsoft, you can click Next and accept all the defaults to the end, and click Finish.

Notice on the bottom screen (Configure Extensions) the Rules extension name has already been populated to lcssync.dll which we defined in Step 3.



Step 6: Create User Forest Management Agent

This step of creating the User Forest MA is the same at the previous step, except we are just defining our User Forest (LMLAB-A.COM) instead of our Lync Forest (LYNCMEBLOG.COM)


This time we will select "lcsuserforestma.xml", then click Open.


For the name of the Management Agent can be anything, it does not tie into any other configuration. But I will advise to keep the names as the forest. Only because once you start adding more User Forest Management Agents, it starts to get confusing if you don't have a common naming convention.


Next window we will enter in our User Forest Active Directory information, then click Next.


The same can be done on the next window for Partition Matching. Match your existing root partition with the one already defined for NWTraders as we did in step 5. Then deselect the other partitions in the list so we can click OK.



This next step is an important one, this is where you will select the OU(s) where your current enabled users reside. Click Containers and select all the OU(s) that contain users that you wish to Lync enable.




Once you have selected all the OU(s) you wish to synchronize, click OK to close the container selection window, then click Next on the directory partitions window. 

Again at this point everything else is preconfigured, we can click Next all the way to the end, then click Finish.


ERROR: While clicking next through the "Configure Attribute Flow" you might receive an error 

'msExchUserHoldPolicies' of 'inetOrgPerson' is no longer available.

In order to get past this you will need to remove the attribute flow for msExchUserHoldPolicies

Expand "Object Type: inetOrgPerson, select msExchangeUserHoldPolicies and click Delete at the bottom.


And do the same for Object Type: user, select msExchangeUserHoldPolicies and click Delete at the bottom.


Now you can click Next to the end, then click Finish.

In the Management Agent window you will now see your Lync Forest Agent and your User Forest Agent(s). I went ahead and added LMLAB-B.COM but the process is the exact same for adding multiple User Forest Agents as defined in Step 6.


Step 7: Importing, Synchronizing and Provisioning

Here is a quick drill down of the Import, Synchronization and Provisioning in Step 7

#1 Lync Forest - Right click Lync Forest Management Agent, Click Run -> Full Import
#2 User Forest - Right click User Forest Management Agent, Click Run -> Full Import
#3 Lync Forest - Right click Lync Forest Management Agent, Click Run -> Full Sync
#4 User Forest - Right click User Forest Management Agent, Click Run -> Full Sync
#5 Lync Forest - Right click Lync Forest Management Agent, Click Run -> Export

This is the last step in synchronizing your user objects to the Lync Forest.


NOTE: During the import, synchronize and provisioning I am starting with the Lync Forest first, this is a requirement. If you do this in any other order the objects will not synchronize and provision correctly.

If we look at the Lync Resource Active Directory Users and Computers, and go to our OU that we specified in step 5 we have no users in that OU.



First we need to run a full import from the Lync resource forest and the user forest into the FIM connector space.

In the FIM Synchronization Service Manager, Management Agents, right click the Lync forest Management Agent and click Run...


In the Run Management Agent window, click Full Import then OK.



It should only take a few seconds to run, Refresh the agent by hitting F5, once its complete you will see to the left of the Management Agent the State of Idle. You will also see in the bottom left corder the Synchronization Statistics which will now have some values including Adds.



If you click Adds in the Synchronization Statistics box, you will see that the Distinguished Name of the OU you selected in step 5 has been added.



Next we will follow the same process for the User Forest Management Agent. right click the user forest Management Agent and click Run...


In the Run Management Agent window, click Full Import then OK.



It should only take a few seconds to run, Refresh the agent by hitting F5, once its complete you will see to the left of the Management Agent the State of Idle. You will also see in the bottom left corder the Synchronization Statistics which will now have some values including Adds.


If you click Adds in the Synchronization Statistics box, you will see the same user forest Distinguished Name's of the container and OUs that you specified. But now we also see the users that where in those OU(s).


Next we need to Synchronize the Metaverse with the data that was captured during the full import.

Right click your Lync forest Management Agent, and click Run...


 In the Run Management Agent window click Full Sync, and click OK.


Follow the same process but not on the User Forest Management Agent.


In the Run Management Agent window click Full Sync, and click OK.


And lastly we need to provision the Lync Resource Forest.

Right click your Lync forest Management Agent, and click Run...


n the Run Management Agent window click Export, and click OK.


In the Management Agents window in the bottom left corner "Export Statitics" click on Adds. Here you should see all the users that were in your User OU(s)

You can also confirm by looking in Active Directory Users and Computers in your Resource Forest OU you selected in step 5 and see the contact objects for your synchronized users.




Now our users from our user forest are synchronized as contact objects in the Lync 2013 resource forest. You can go ahead and enable these objects in Lync and test sign in.

 



24 comments:

  1. Nice blog, This blog gives accurate and precise information regarding lync. Thanks for sharing such a nice info with us and carry on with good continuation.
    lync

    ReplyDelete
  2. Great article, but can we decide how domain LMLAB-A.COM is in a ou and LMLAB-B.COM is in another ou?

    ReplyDelete
    Replies
    1. You will need to create multiple target Management Agents specifying different target OUs

      Delete
    2. Event with multiple agents, the OU where it writes is taken from lcscfg.xml and it seems that it can be only one. I think it is handwritten in lcssync.dll. The only workaround we have at the moment is to populate an attribute with desired tag to distinguish source domains, but still having all contact in one OU. Does anyone has a real workaround?

      Delete
  3. Hello
    Great Job, thanks
    I have one question regarding your implementation.
    You define in the central forest one OU to place the contacts synced from each user Forest.
    How can we define in what OU are you going to place the synced contacts imported. Do you need to create one management agent pointing to the central forest per each user Forest?
    In your example you just create one pointing to each forest. So I miss the step to put the contacts from you LMLAB-B.COM forest in the OU=Accounts,OU=LMLAB-B,DC=LYNCMEBLOG,DC=COM.

    ReplyDelete
  4. Good article - but as above comments how do you achieve LMLAB-A.COM is in one OU and LMLAB-B.COM is in another OU?

    ReplyDelete
    Replies
    1. You will need to create multiple target Management Agents specifying different target OUs

      Delete
  5. Hi
    I have followed this and it works great under normal circumstances, however.

    if I disable a user in the user forest, it correctly deletes the contact in the resource forest. if the user is subsequently re-enabled, it does not re create the contact.

    any help would be appreciated

    thanks

    ReplyDelete
  6. Thanks for the blog! Very good article...

    Do you think, there is a way to let FIM automatically enable user objects in lync after being synchronized?

    Thnks for any help!

    ReplyDelete
  7. greate article,
    question, does FIM have the option to limit the search for users in one forest to only that forest, and doesn't show other users from the other forests?

    ReplyDelete
  8. Hello,

    I have succeeded synchronization but i am still not able to create Lync users for the other domain. The user i am trying to create Lync account is not belonging to any security group. There 2 way trust between domains .I will appreciate for any help

    You cannot retry this operation: "Insufficient access rights to perform the operation
    00002098: SecErr: DSID-03150BC1, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
    ".You do not have the appropriate permissions to perform this operation in Active Directory. One possible cause is that the Lync Server Control Panel and Remote Windows PowerShell cannot modify users who belong to protected security groups (for example, the Domain Admins group). To manage users in the Domain Admins group, use the Lync Server Management Shell and log on using a Domain Admins account.

    ReplyDelete
    Replies
    1. I solved and now working very good. This is a great article, helped too much. Thank you

      Delete
    2. Now I had problem with logging from mobile devices for the user forest accounts. does anyone know what is needed to make it work

      Delete
    3. Until i receive answer i solved all problems. If anyone need help about all the process; can find me from tolga@akozenler.com . Thank you again for the great article.

      Delete
  9. Hi,
    Thanks for the post, I have requirement where both company A and Company B are having Lync 2013, how do I achieve seamless federation, say company A should show company B user as internal user like if I search other company user it should show presence without adding into contact card, like Lync meeting rooms etc…

    Regards,
    SR

    ReplyDelete
    Replies
    1. if you want them to be able to view the status of each other without adding then you must have open federation for both companies

      Delete
  10. Hello,
    I have done 2 way trust between 2 forests after creating vpn connection. After that i have done the as this document.Users from user forest has been created as contacts on resource forest domain controller.But I am not able to see that other domain's users (contacts) in the list of users that i can enable. Do i have to transfer something more?

    ReplyDelete
    Replies
    1. if the other domain is child domain or in the same forest then you can view them in the user list. but if the user forest is in a different forest than the resource forest ; you cannot see them in enable users list. you must enable them via powershell.
      Enable-CsUser -Identity "Name Surname" -RegistrarPool poolname -SipAddress "sip:name.surname@sipdomain"

      Delete
  11. A very nice post, the way of communication is become very important in nowdays and this type of conferencing companies make the servicees better. One of same kind or Conferencing is Global UC . You Should go through it and check its services.

    ReplyDelete
  12. Hi,

    nice post. I think, I'm working on a FIM and Lync system designded by this post.
    I have one question, do you transport userAccountControl attribute from user forest into metaverse?

    Thanks for your answer.

    ReplyDelete
  13. Can you please let us know what type of topology it is ? i means to say is it Central Forest Topology or Resource Forest Topology?

    ReplyDelete
    Replies
    1. Hi,

      Lync is installed into a resource forest.
      An account from CUSTOMER AD becomes a contact in LYNC AD.

      Bye.

      Delete
    2. https://technet.microsoft.com/en-us/library/gg398173(v=ocs.15).aspx

      According to Technet, in Resource Forest Topology the user will be as a Disable User, and in Central Forest Topology the user will be add as a contact.

      Kindly guide me through this.Basically i am going to install FIM to deploy Lync in Multi Forest Topology so i wanna be clear before start the deployment. Thanks in advance.

      Delete
  14. Hi,
    Is this guide ok for Skype for Business please ?
    Thank you.

    ReplyDelete