Planning Multi-Forest Environments for Hybrid Skype for Business deployments
Published Mar 27 2017 07:31 AM
Microsoft

Understanding how to establish a hybrid connection between Skype for Business on premises and online can be challenging when customers use multiple forests. The Skype for Business product group has worked hard the last couple of months to unblock additional scenarios and make the existing documentation clearer.


The authoritative documentation can be found here, but we wanted to include a quick summary in this blog article:

  • For either a single user forest or multiple user forest deployment, there must be a single deployment of Skype for Business Server.
  • Lync Server 2010, Lync Server 2013 and Skype for Business Server 2015 are supported in this topology (please note that the availability of features depends on the server version you are using).
  • Exchange can be deployed on premises only, in hybrid or online only.
  • Exchange Server can be deployed in one or more forests, which may or may not include the forest containing Skype for Business Server. For details on support for and limitations with co-existence between Exchange and Skype for Business in various combinations of on-premises and online, see Feature Support in Plan to integrate Skype for Business and Exchange.
  • Exchange Server 2013 and Exchange Server 2016 are supported in this topology.
  • Cloud PBX is supported in complex forest scenarios (as long as all Cloud PBX requirements are met: https://technet.microsoft.com/en-us/library/mt455212.aspx).
  • We used to state that “central forests” were not supported. Since the definition of central forest was quite ambiguous, we replaced it with the following wording and hope to unlock additional scenarios: When Skype for Business Server is deployed in one forest (a resource forest) but provides functionality to users in one or more other forests (account forests), users in other forests must be represented as disabled user objects in the forest where Skype for Business Server is deployed. An identity management product, such as Microsoft Identity Manager, needs to be deployed and configured to provision and synchronize the users from the account forests into the forest where Skype for Business Server is deployed. Users must be synchronized into the forest hosting Skype for Business Server as disabled user objects. They cannot be synchronized as Active Directory contact objects, because Azure Active Directory Connect will not properly sync contacts into Azure AD for use with Skype.
    Regardless of any multi-forest configuration, the forest hosting Skype for Business Server can also provide functionality for any enabled users that exist in the same forest.
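
A read-only audit of the resource forest against the requirement above, added here as an example (it is not from the article or from Microsoft's documentation). It assumes the RSAT ActiveDirectory module, a placeholder domain controller name, and that the presence of `msRTCSIP-PrimaryUserAddress` marks an object as Lync/Skype for Business enabled.

```powershell
# Added example: report how SIP-enabled identities are represented in the
# resource forest (contact, disabled user or enabled user). Read-only.
Import-Module ActiveDirectory

# Placeholder: a domain controller in the forest hosting Skype for Business Server.
$ResourceForestDc = 'dc01.resource.example'

# objectCategory=person matches both user and contact objects; the SIP address
# attribute is used here as the indicator that the object is SfB/Lync enabled.
$filter  = '(&(objectCategory=person)(msRTCSIP-PrimaryUserAddress=*))'
$objects = Get-ADObject -Server $ResourceForestDc -LDAPFilter $filter `
    -Properties 'msRTCSIP-PrimaryUserAddress', 'userAccountControl'

$report = foreach ($o in $objects) {
    $isContact = $o.ObjectClass -eq 'contact'
    # Bit 0x2 of userAccountControl is ACCOUNTDISABLE; contacts do not carry it.
    $isDisabled = (-not $isContact) -and (($o.userAccountControl -band 2) -ne 0)

    [pscustomobject]@{
        SipAddress        = $o.'msRTCSIP-PrimaryUserAddress'
        DistinguishedName = $o.DistinguishedName
        Representation    = if ($isContact)      { 'Contact' }
                            elseif ($isDisabled) { 'DisabledUser' }
                            else                 { 'EnabledUser' }
    }
}

# Summary: DisabledUser is the supported representation for account-forest users,
# EnabledUser is expected for users who live in the resource forest itself.
$report | Group-Object Representation | Select-Object Name, Count

# Contacts are the objects Azure AD Connect will not sync properly for Skype;
# these need to be re-provisioned as disabled user objects.
$report | Where-Object Representation -eq 'Contact' |
    Select-Object SipAddress, DistinguishedName
```

A disabled user found this way may also be an ordinary disabled account in the resource forest, so confirm each one against the identity management product's provisioning records.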

Call to action

  • Get familiar with the updated TechNet documentation
  • If you are in a complex forest scenario and were blocked from Skype for Business Hybrid, reevaluate your situation based on the updated documentation
  • Any questions or feedback? Discuss with us in our Community.

 

6 Comments
Copper Contributor

Hi Thomas,

 

Thanks for this useful summary. The main issue here is that the tool for synchronising contacts for hybrid is contained within the 'Skype for Business 2015 Resource Kit Tools' download. The tool, LCSSync, provides a metaverse rules extension DLL called 'lcssync.dll'. This contains provisioning rules for copying users from the user forest into the resource forest, but they are provisioned as Contacts, not disabled user objects. Are there any plans, based on the information above, to now reissue this DLL (or even just provide the source code so we can modify it ourselves) so it follows the advice given above?

Microsoft

Hi Anthony, unfortunately the Resource Kit is provided as is. While I will try to find out if there are any changes planned, we would expect customers with such complex environments to have the skills required to create the rules themselves.

hth,thomas

Copper Contributor

Hi Thomas,

 

Another good work, Thanks.

 

We are using FIM to sync user objects from the user forest to the resource forest (where Lync Server 2013 is deployed) as Contact objects. Is there still a limitation with Azure AD Connect syncing Contact objects from the resource forest to Azure AD?

 

Microsoft

@NADIR KHAN, isn't this covered here?

 

When Skype for Business Server is deployed in one forest (a resource forest) but provides functionality to users in one or more other forests (account forests), users in other forests must be represented as disabled user objects in the forest where Skype for Business Server is deployed. An identity management product, such as Microsoft Identity Manager, needs to be deployed and configured to provision and synchronize the users from the account forests into the forest where Skype for Business Server is deployed. Users must be synchronized into the forest hosting Skype for Business server as disabled user objects. They cannot be synchronized as Active Directory contact objects, because Azure Active Directory Connect will not properly sync contacts into Azure AD for use with Skype.
Regardless of any multi-forest configuration, the forest hosting Skype for Business server can also provide functionality for any enabled users that exist in the same forest.

Copper Contributor

Hi Nadir,

 

Yes, Thomas is correct. Your scenario is covered in the text he has repasted - this is the issue why I asked about lcssync.dll, as this is how this metaverse rules extension DLL works (it creates contact objects) and I guess you are using that. Without the source code you would need to rewrite a new DLL. After more testing I found that actually you can modify the rules in AADConnect so it can pick up and project Lync user contact objects as well - the problem is that it probably isn't a good idea to start messing with the rules in AADC even though MS do give you access (via the Synchronisation Rules Editor). Writing a new DLL from scratch needs Microsoft Visual Basic .NET or C# skills, so it is not a simple task. Hopefully when everyone moves to Teams this complexity will all go away!

 

Copper Contributor

Hi Thomas,

Thank you for your article. Let me explain our scenario in this regard. We have two forests which are trusted (two-way): one of them is on-premises (the resource forest: Skype, Exchange and so on) and the other one is an account forest that is connected to MS 365 via Microsoft Entra ID. Now I want to implement a scenario in which users in the account forest can log in with their account to the resource forest and use Skype for Business. Is it possible? If so, could you please help me in this regard?

Thanks in advance

 

Last update: Mar 27 2017 07:38 AM