Deploying Lync Server in a multi-forest or multi-domain topology normally requires FIM (Forefront Identity Manager) to replicate the ObjectSID from the user domain to the resource domain.
FIM in turn needs licences for a SQL instance, an additional Windows Server and FIM itself. This article describes how to create users in the resource domain by copying the attributes from the customer domain, enable those users in Lync, and configure Enterprise Voice by reading the Line URI for each user from a .csv file.
Before the users can be created, a trust relationship (one-way forest trust) needs to be configured between the two domains; it is required in order to read the attributes from the customer domain. I’m not going to cover the trust configuration in this article. Below are the users configured in the customer domain. Notice the “Lync_Users” group: only the users that are members of this group will be created.
Notice the ObjectSID of the “Demo Eight” user.
Once the trust relationship with the resource domain is configured and active, run the commands below in Windows PowerShell as an Administrator. Change the domain names appropriately (contoso.com = customer domain, fabrikam.local = resource domain).
Import-Module ActiveDirectory
$domain = "dc=contoso,dc=com"
$DC = "contoso-dc01.contoso.com:3268"   # global catalog of the customer forest
$ADSrcGrp = Get-ADGroup -SearchScope Subtree -SearchBase $domain -Server $DC -LDAPFilter "(name=lync_users)"
$ADSrcGrpDN = $ADSrcGrp.DistinguishedName   # -Filter expands simple variables but not $obj.Property
Get-ADUser -SearchScope Subtree -SearchBase $domain -Filter 'memberOf -RecursiveMatch $ADSrcGrpDN' -Server $DC -Properties ObjectSID,name,samAccountName,displayName,givenName,surname,mail | ForEach-Object {
    # Create the linked account in the resource forest; the source SID goes into msRTCSIP-OriginatorSid
    # (stored as a SID string, hence .Value) so Lync can map the customer-forest user to this account.
    New-ADUser -Name $_.name -SamAccountName $_.samAccountName -DisplayName $_.displayName -GivenName $_.givenName -Surname $_.surname -EmailAddress $_.mail `
        -OtherAttributes @{'msRTCSIP-OriginatorSid' = $_.ObjectSID.Value} `
        -Path "OU=AU,DC=fabrikam,DC=local" -UserPrincipalName "$($_.samAccountName)@fabrikam.local" `
        -AccountPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd" -Force) -PasswordNeverExpires $true -Enabled $false
}
The users will be created as disabled accounts in the OU configured above (OU=AU,DC=fabrikam,DC=local).
Notice the msRTCSIP-OriginatorSid value of the “Demo Eight” user.
Now enable the users in Lync Server. Run the script below to enable them, then list the Line URIs in the .csv file to configure Enterprise Voice for the enabled users.
# Enable the linked accounts in the resource forest; the SIP domain stays the customer domain
Get-CsAdUser -OU "OU=AU,DC=fabrikam,DC=local" | Enable-CsUser -RegistrarPool "lyncfe01.fabrikam.local" -SipAddressType FirstLastName -SipDomain contoso.com
# Assign Line URIs from the CSV and turn on Enterprise Voice
Import-Csv "C:\Script\EV_Users.csv" | ForEach-Object { Set-CsUser -Identity $_.Identity -SipAddress $_.SipAddress -LineURI $_.LineURI -EnterpriseVoiceEnabled $true }
This is what the content of the .csv file should look like:
| SIPAddress                 | LineURI     | Identity   |
| sip:demo.five@contoso.com  | tel:+612001 | Demo Five  |
| sip:demo.six@contoso.com   | tel:+612002 | Demo Six   |
| sip:demo.one@contoso.com   | tel:+612003 | Demo One   |
All the users should now be enabled for Lync and for Enterprise Voice with a Line URI.
Now it’s time to test a user to verify that everything works.
The client signed in successfully with the end-user credentials.
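Before enabling anyone, it is worth confirming that every linked account actually carries the source ObjectSID, since a missing or mismatched msRTCSIP-OriginatorSid is exactly what breaks the user mapping. The script below is an added example and not part of the original post: it walks the resource-forest OU, looks up each samAccountName in the customer forest through the global catalog, and reports Missing / Mismatch / OK, with an optional -Fix that writes the correct value (the resource DC host name and the function name are assumptions).

```powershell
# Added example: audit (and optionally repair) msRTCSIP-OriginatorSid on the linked accounts.
# Assumed: the OU, domain and GC names from the post; 'fabrikam-dc01.fabrikam.local' is a placeholder.
Import-Module ActiveDirectory

function Test-OriginatorSid {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$ResourceOU  = 'OU=AU,DC=fabrikam,DC=local',
        [string]$ResourceDC  = 'fabrikam-dc01.fabrikam.local',   # assumed resource-forest DC
        [string]$CustomerGC  = 'contoso-dc01.contoso.com:3268',
        [string]$CustomerDom = 'dc=contoso,dc=com',
        [switch]$Fix
    )
    Get-ADUser -SearchBase $ResourceOU -SearchScope Subtree -Filter * -Server $ResourceDC `
               -Properties 'msRTCSIP-OriginatorSid' | ForEach-Object {
        $linked = $_
        $sam    = $linked.SamAccountName
        # The creation script copied samAccountName 1:1, so it is the join key back to the customer forest
        $src = Get-ADUser -SearchBase $CustomerDom -SearchScope Subtree -Server $CustomerGC `
                          -Filter 'samAccountName -eq $sam' -Properties ObjectSID

        $stored   = $linked.'msRTCSIP-OriginatorSid'
        $expected = if ($src) { $src.ObjectSID.Value } else { $null }

        $state = if (-not $src)                 { 'NoSourceUser' }
                 elseif (-not $stored)          { 'Missing' }
                 elseif ($stored -ne $expected) { 'Mismatch' }
                 else                           { 'OK' }

        $needsWrite = $Fix -and $expected -and ($state -eq 'Missing' -or $state -eq 'Mismatch')
        if ($needsWrite -and $PSCmdlet.ShouldProcess($sam, "Set msRTCSIP-OriginatorSid to $expected")) {
            Set-ADUser -Identity $linked -Server $ResourceDC -Replace @{ 'msRTCSIP-OriginatorSid' = $expected }
            $state = 'Fixed'
        }

        [pscustomobject]@{
            SamAccountName = $sam
            StoredSid      = $stored
            ExpectedSid    = $expected
            State          = $state
        }
    }
}

# Report only; use "Test-OriginatorSid -Fix -WhatIf" to preview writes and "-Fix" to apply them.
Test-OriginatorSid | Where-Object { $_.State -ne 'OK' } | Format-Table -AutoSize
```

Accounts reported as NoSourceUser have no counterpart in the customer forest and should be reviewed before they are enabled in Lync.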
Thanks for this. This is amazingly timely… I am assuming this will work the same in a two-way trusted environment as well?
Thanks Bryan. And yes, it will work. This setup was initially configured as a 2-way trust to support Exchange UM integration with an Exchange sitting in the customer domain.
Quick Question…Why do these users get created in the Lync domain as disabled users?
As a part of the object mapping process, it creates an identical contact object and maps the relevant attributes with the customer forest.
Hi, I am so delighted I found your website. I really found you by error while I was looking on Digg
for something else. Anyway, I am here now and would just like to say thanks for a marvelous post and an all-round thrilling blog (I also love the theme/design).
I don’t have time to read through it all at the minute but I have
bookmarked it and also added your RSS feeds, so when I have time I will be back to read much more. Please do keep up the excellent job.
Thanks, I’ve just been searching for information approximately this subject for a while and yours is the best
I’ve discovered till now. But what about the conclusion? Are you certain concerning the source?
We have a similar scenario, but we’re creating the disabled linked accounts via our Exchange Admin Console. This doesn’t pull over the {‘msRTCSIP-OriginatorSid’=$_.ObjectSID} part of your script, so our linked accounts are not Skype aware. Is there a quick and dirty PS command I could run against the OU on the trusted domain with the trusted accounts, to pull their ObjectSID and add it to their linked trusting-domain accounts’ msRTCSIP-OriginatorSid value?
Thanks