Microsoft, Office Communications Server

Office Communications Server 2007 R2 (OCS) – Multiple domain forest

Hello!
Well, I’ve been wanting to install Exchange 2007 and OCS 2007 R2 into a multi domain environment for a wee while now. When I say multiple domains, I mean parent and children.

Exchange 2007 was a doddle. No problems there at all. Each user can be assigned to their own logon domain and everything seamlessly works, presuming your DNS configuration is sane.

I’ve finally got this working 100% seamlessly. Sadly, under the hood it’s a little bit messy – but no different to the way it had to be done to get Exchange 2003 working in a similar environment.

Unfortunately, at this moment in time, Office Communications Server (all versions) doesn’t really support multiple domains well, at all. If OCS lives in the parent domain, such as parent.com, and your users live in child1.parent.com and child2.parent.com, then the user account that logs into OCS technically has to be in parent.com.

The one thing that OCS does provide is an Active Directory attribute (msRTCSIP-OriginatorSid, settable via ADSI) that lets you link the SID (security identifier) of the user in child.parent.com to the user in the parent domain. This parent-domain user doesn’t even have to be enabled.

Whilst this is a welcome workaround that at least allows you to ‘seamlessly’ authenticate, it does pose a few other problems around managing your users and any Active Directory data that you may utilise – such as job title, manager, phone number... you get the drift.

To get around these and calm down the nightmare a little, I wrote a script that basically keeps things in sync for the admins. Unfortunately, I cannot post the script here as my employer technically owns it.
What I can do is tell you which attributes are involved:

  1. msRTCSIP-PrimaryUserAddress – the primary user address is basically the SIP address. It’s possible to populate this from the sAMAccountName plus the parent domain suffix. Remember the sip: prefix.
  2. msRTCSIP-OriginatorSid – the originator SID has to match up with the actual SID of the user in the child domain.
  3. msRTCSIP-PrimaryHomeServer – the distinguished name of your OCS server. Kinda.
     Example: CN=LC Services,CN=Microsoft,CN=ServerName,CN=Pools,CN=RTC Service,CN=Services,CN=Configuration,DC=parent,DC=com
  4. msRTCSIP-UserEnabled – this generally should be set to TRUE. 🙂
  5. msRTCSIP-OptionFlags – for some strange reason, I kept getting errors about the server being temporarily unavailable until I set this to 256.

Now these are just the required attributes specific to OCS. You can also add things in such as mail, title, telephoneNumber, sn, givenName and so on... you know the script.

It’s probably a good idea to scan all the domains and delete any ghost/dead users that no longer exist on the children as well as creating new ones that do.
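To show what such a sync script looks like end to end, here is an added PowerShell example; it is not the author’s script (which isn’t published) and is not Microsoft’s code. It uses System.DirectoryServices directly, so it runs without the ActiveDirectory module. The shadow OU path, the pool DN (copied from the example above with the placeholder ServerName), the child domain list and the SIP domain are all assumed values you would replace. Shadow accounts are created disabled, since they only exist to carry the OCS attributes, and the ghost cleanup is skipped entirely if any child domain cannot be queried, because an unreachable domain would otherwise look empty and wipe out every shadow account for it.

```powershell
# Added example, not the original post's script. Assumed values below.
$SipDomain      = 'parent.com'
$ShadowOuPath   = 'LDAP://OU=OCS Shadow Users,DC=parent,DC=com'   # hypothetical OU for shadow accounts
$HomeServerDn   = 'CN=LC Services,CN=Microsoft,CN=ServerName,CN=Pools,CN=RTC Service,CN=Services,CN=Configuration,DC=parent,DC=com'
$ChildDomains   = @('child1.parent.com', 'child2.parent.com')
$CopyAttributes = @('mail', 'title', 'telephoneNumber', 'sn', 'givenName')

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping so an odd sAMAccountName cannot alter the search filter
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Find-Users {
    param([string]$LdapPath, [string]$Filter, [string[]]$Attributes)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($LdapPath)
    $searcher.Filter   = $Filter
    $searcher.PageSize = 1000
    foreach ($a in $Attributes) { [void]$searcher.PropertiesToLoad.Add($a) }
    $searcher.FindAll()
}

function ConvertTo-SidString {
    param([byte[]]$Bytes)
    (New-Object System.Security.Principal.SecurityIdentifier($Bytes, 0)).Value
}

$shadowOu     = New-Object System.DirectoryServices.DirectoryEntry($ShadowOuPath)
$liveSids     = @{}   # SIDs of child-domain users seen on this run
$enabledUsers = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

foreach ($domain in $ChildDomains) {
    try {
        $results = @(Find-Users "LDAP://$domain" $enabledUsers (@('sAMAccountName', 'objectSid') + $CopyAttributes))
    } catch {
        # Stop before cleanup: an unreachable domain must not be mistaken for an empty one
        throw "Cannot query $domain, aborting before any cleanup: $_"
    }
    foreach ($r in $results) {
        $sam      = [string]$r.Properties['samaccountname'][0]
        $sidBytes = [byte[]]$r.Properties['objectsid'][0]
        $liveSids[(ConvertTo-SidString $sidBytes)] = $true

        $filter = "(&(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $sam)))"
        $match  = @(Find-Users $ShadowOuPath $filter @('distinguishedName'))
        if ($match.Count -gt 0) {
            $shadow = $match[0].GetDirectoryEntry()
        } else {
            # Create the shadow account disabled; it only carries OCS attributes
            $shadow = $shadowOu.Children.Add("CN=$sam", 'user')
            $shadow.Properties['sAMAccountName'].Value = $sam
            $shadow.CommitChanges()
            $shadow.Properties['userAccountControl'].Value = 514   # NORMAL_ACCOUNT + ACCOUNTDISABLE
        }

        # The five OCS attributes from the post
        $shadow.Properties['msRTCSIP-PrimaryUserAddress'].Value = "sip:$sam@$SipDomain"
        $shadow.Properties['msRTCSIP-OriginatorSid'].Value      = $sidBytes   # link to the real child account
        $shadow.Properties['msRTCSIP-PrimaryHomeServer'].Value  = $HomeServerDn
        $shadow.Properties['msRTCSIP-UserEnabled'].Value        = $true
        $shadow.Properties['msRTCSIP-OptionFlags'].Value        = 256

        # Directory data Communicator displays, mirrored from the child account
        foreach ($a in $CopyAttributes) {
            $shadow.Properties[$a].Clear()
            if ($r.Properties[$a].Count -gt 0) { $shadow.Properties[$a].Value = $r.Properties[$a][0] }
        }
        $shadow.CommitChanges()
    }
}

# Ghost cleanup: shadow accounts whose OriginatorSid no longer matches a live child user
foreach ($r in @(Find-Users $ShadowOuPath '(objectClass=user)' @('msRTCSIP-OriginatorSid'))) {
    if ($r.Properties['msrtcsip-originatorsid'].Count -eq 0) { continue }
    $sid = ConvertTo-SidString ([byte[]]$r.Properties['msrtcsip-originatorsid'][0])
    if (-not $liveSids.ContainsKey($sid)) {
        $ghost = $r.GetDirectoryEntry()
        Write-Host "Removing ghost shadow account $($ghost.Path)"
        $ghost.DeleteTree()
    }
}
```

Run it under an account that has create/delete rights on the shadow OU and read rights in each child domain, nothing more; matching shadow accounts by sAMAccountName while writing the child SID into msRTCSIP-OriginatorSid is what keeps the OCS-side link pointing at the right user when names collide across children.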


One thought on “Office Communications Server 2007 R2 (OCS) – Multiple domain forest”

  1. I am implementing OCS 2007 R2 and I have one AD 2003 native domain and a secondary non-AD domain which is being used for our primary email addresses.

    for example:
    AD Domain: newyorkcity.org
    Secondary Domain: nyc.org

    Is there a way to allow for auto-sign in for Communicator over the second domain?
