Office Communications Server 2007 R2 (OCS) – Multiple domain forest 

Well, I’ve been wanting to install Exchange 2007 and OCS 2007 R2 into a multi domain environment for a wee while now. When I say multiple domains, I mean parent and children.

Exchange 2007 was a doddle. No problems there at all. Each user can be assigned to their own logon domain and everything seamlessly works. Presuming your DNS configuration is sane.

I’ve finally got this working 100% seamlessly. Sadly, under the hood it’s a little bit messy – but no different to the way it had to be done to get Exchange 2003 working in a similar environment.

Unfortunately, at this moment in time, Office Communications Server (all versions) doesn’t really support multiple domains well, at all. If this lives in the parent domain, such as and your users live in and then the user logging into OCS technically has to be

The one thing that OCS does provide is an ADSI variable that lets you link the SID (security identifier) of the user on to the user on the parent domain. This user doesn’t even have to be enabled.

Whilst this is a welcomed workaround that at least allows you to ‘seamlessly’ authenticate, it does pose a few other problems around managing your users and any Active Directory data that you may utilise – such as job title, manager, phone number.. you get the drift.

To get around these and calm down the nightmare a little, I wrote a script that will basically keep things in sync for the admins. Unfortunately, I cannot post the script here as my employer technically owns it.
What I can do, is tell you what variables are involved:

  1. msRTCSIP-PrimaryUserAddress
  2. msRTCSIP-OriginatorSid
  3. msRTCSIP-PrimaryHomeServer
  4. msRTCSIP-UserEnabled
  5. msRTCSIP-OptionFlags
  1. The primary user address is basically the sip address. It’s possible to populate this from the sAMAccountName plus the parent domain suffix. Remember the sip: prefix.
  2. The originator SID has to match up with the actual SID from the user in the child domain.
  3. Primary home server is the distinguished name of your OCS server. Kinda.
    Example: CN=LC Services,CN=Microsoft,CN=ServerName,CN=Pools,CN=RTC Service,CN=Services,CN=Configuration,DC=parent,DC=com
  4. UserEnabled: This generally should be set to TRUE. 🙂
  5. OptionFlags: For some strange reason, I kept getting errors about the server being temporarily unavailable until I set this to 256.

Now these are just the required variables specific to OCS. You can also add things in such as mail, title, telephoneNumber, sn, givenName and so on.. you know the script.

It’s probably a good idea to scan all the domains and delete any ghost/dead users that no longer exist on the children as well as creating new ones that do.