Substitution for FIM in Lync Server Resource Forest\Domain Deployment

Deploying Lync Server in a multi-forest\domain environment requires FIM (Forefront Identity Manager) to replicate the Object SID from the user domain to the resource domain.

FIM requires licenses for a SQL instance, an additional Windows Server and FIM itself. This article describes how to create users in the resource domain by copying the attributes from the customer domain. It also enables the users in Lync and configures Enterprise Voice by getting the Line URI from a .csv file.

Before getting to user creation, a trust relationship (one-way forest trust) needs to be configured between the two domains, which is required to get the attributes from the customer domain. I’m not going to cover the trust relationship configuration in this article. Below are the users configured in the customer domain. Notice the “Lync_Users” group: only the users who are added to this group will get created.


Notice the ObjectSid of the “Demo Eight” user.


Once the trust relationship is configured with the resource domain and active, run the below command in Windows PowerShell as an Administrator. Change the domain names appropriately ( = Customer Domain, Domain)

Import-Module ActiveDirectory

# Customer (source) domain and a domain controller in it to query
$domain = "dc=contoso,dc=com"

$DC = "<FQDN of a customer domain controller>"

$ADSrcGrp = Get-ADGroup -SearchScope Subtree -SearchBase $domain -Server $DC -LDAPFilter "(name=lync_users)"

# Copy each group member into the resource domain as a disabled account, storing the source ObjectSID in msRTCSIP-OriginatorSid
Get-ADUser -SearchScope Subtree -SearchBase $domain -Filter "memberOf -RecursiveMatch '$($ADSrcGrp.DistinguishedName)'" -Server $DC -Properties ObjectSID,name,samAccountName,displayName,givenName,surName,mail | ForEach-Object {New-ADUser -Name $_.name -SamAccountName $_.samAccountName -DisplayName $_.displayName -GivenName $_.givenName -SurName $_.surName -EmailAddress $_.mail -OtherAttributes @{'msRTCSIP-OriginatorSid'=$_.ObjectSID} -Path "OU=AU,DC=fabrikam,DC=local" -UserPrincipalName "$($_.samaccountname)@fabrikam.local" -AccountPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd" -Force) -PasswordNeverExpires $true -Enabled $false}

Users will be created in the configured OU as disabled users.


Notice the msRTCSIP-OriginatorSid value of the “Demo Eight” user.
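
A check for the SID mapping shown above, added here as an example and not part of the original article: it compares msRTCSIP-OriginatorSid on each resource-domain account with the ObjectSID of the customer-domain user that has the same sAMAccountName, and flags accounts that are no longer disabled. The domain names, group and OU are taken from the creation script; `$DC` is a placeholder and `ConvertTo-SidString` is a hypothetical helper.

```powershell
Import-Module ActiveDirectory

# Assumed values: same domains, group and OU as the creation script; $DC is a placeholder.
$srcDomain = "dc=contoso,dc=com"
$DC        = "<FQDN of a customer domain controller>"
$targetOU  = "OU=AU,DC=fabrikam,DC=local"

# Hypothetical helper: return the SID as a string whether AD hands back
# raw bytes or a SecurityIdentifier object.
function ConvertTo-SidString($Value) {
    if ($null -eq $Value) { return $null }
    if ($Value -is [byte[]]) {
        return (New-Object System.Security.Principal.SecurityIdentifier($Value, 0)).Value
    }
    return $Value.ToString()
}

# Index the customer-domain group members: sAMAccountName -> SID string.
$grp = Get-ADGroup -SearchBase $srcDomain -Server $DC -LDAPFilter "(name=lync_users)"
$source = @{}
Get-ADUser -SearchBase $srcDomain -Server $DC `
    -Filter "memberOf -RecursiveMatch '$($grp.DistinguishedName)'" |
    ForEach-Object { $source[$_.SamAccountName] = $_.SID.Value }

# Compare every account in the resource OU against its source user.
$report = Get-ADUser -SearchBase $targetOU -Filter * -Properties 'msRTCSIP-OriginatorSid' |
    ForEach-Object {
        $mapped   = ConvertTo-SidString ($_.'msRTCSIP-OriginatorSid')
        $expected = $source[$_.SamAccountName]
        $status = if (-not $expected)            { 'NoSourceUser' }
                  elseif (-not $mapped)          { 'SidMissing' }
                  elseif ($mapped -ne $expected) { 'SidMismatch' }
                  elseif ($_.Enabled)            { 'AccountEnabled' }
                  else                           { 'OK' }
        [pscustomobject]@{
            User = $_.SamAccountName; Expected = $expected; Mapped = $mapped; Status = $status
        }
    }

# Anything listed here needs fixing before the account is enabled for Lync.
$report | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
```

The `AccountEnabled` status matters because the creation script gives every account the same password with no expiry.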


Now enable the users for Lync Server by running the script below. Specify the Line URIs in the .csv file to configure Enterprise Voice for the enabled users.

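# Enable every account in the OU where the users were created
Get-CsAdUser -OU "OU=AU,DC=fabrikam,DC=local" | Enable-CsUser -RegistrarPool "lyncfe01.fabrikam.local" -SipAddressType FirstLastName -SipDomain "<SIP domain>"

# Set the SIP address and Line URI from the .csv file and turn on Enterprise Voice
Import-Csv "c:\Script\EV_Users.csv" | Select-Object * | ForEach-Object {Set-CsUser -Identity $_.Identity -SipAddress $_.SipAddress -LineURI $_.LineURI -EnterpriseVoiceEnabled $true}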

This is what the content of the .csv file should look like:

SIPAddress    LineURI        Identity
              tel:+612001    Demo Five
              tel:+612002    Demo Six
              tel:+612003    Demo one

All the users should now be enabled for Lync and enabled for Enterprise Voice with a Line URI.
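
A pre-flight check for the .csv file, added here as an example and not part of the original article: it catches format errors and duplicates across the whole file before any account is changed by Set-CsUser. `Test-EvCsvRow` is a hypothetical helper and the sample rows are constructed; the Line URI pattern also accepts the `;ext=` suffix used for PIN sign-in on IP phones.

```powershell
# Hypothetical helper: returns one object per CSV row that should not be sent to Set-CsUser.
function Test-EvCsvRow {
    param([Parameter(Mandatory=$true)] [object[]] $Rows)
    $seenUri = @{}; $seenSip = @{}
    $line = 1                                   # line 1 of the file is the header
    foreach ($r in $Rows) {
        $line++
        $problems = @()
        if ([string]::IsNullOrWhiteSpace($r.Identity)) { $problems += 'Identity is empty' }

        if ($r.SIPAddress -notmatch '^sip:[^@\s]+@[^@\s]+$') {
            $problems += 'SIPAddress is not sip:user@domain'
        } elseif ($seenSip.ContainsKey($r.SIPAddress)) {
            $problems += "SIPAddress already used on line $($seenSip[$r.SIPAddress])"
        } else { $seenSip[$r.SIPAddress] = $line }

        # tel:+<digits> with an optional ;ext=<digits> suffix
        if ($r.LineURI -notmatch '^tel:\+\d{1,15}(;ext=\d+)?$') {
            $problems += 'LineURI is not tel:+<digits>[;ext=<digits>]'
        } elseif ($seenUri.ContainsKey($r.LineURI)) {
            $problems += "LineURI already used on line $($seenUri[$r.LineURI])"
        } else { $seenUri[$r.LineURI] = $line }

        if ($problems.Count -gt 0) {
            [pscustomobject]@{ Line = $line; Identity = $r.Identity; Problems = $problems -join '; ' }
        }
    }
}

# Constructed sample: SIP addresses are made up, one Line URI lacks the tel:+ prefix
# and the last row reuses a Line URI, so two rows are reported.
$sample = @'
SIPAddress,LineURI,Identity
sip:demo.five@example.com,tel:+612001,Demo Five
sip:demo.six@example.com,tel:+612002;ext=2002,Demo Six
sip:demo.one@example.com,612003,Demo one
sip:demo.two@example.com,tel:+612001,Demo Two
'@ | ConvertFrom-Csv

$bad = @(Test-EvCsvRow -Rows $sample)
$bad | Format-Table -AutoSize
if ($bad.Count -eq 0) { 'CSV is clean' } else { "$($bad.Count) row(s) must be fixed first" }
```

For the real file, pass `(Import-Csv "c:\Script\EV_Users.csv")` as `-Rows` and run the Set-CsUser line only when nothing is reported.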


Now it’s time to test a user to verify that everything works.


Client signed in successfully with the end user credentials.


DHCP Options Configuration for Aries Family IP Phones

Microsoft Certified IP Phones (Aries family phones) are the certified and optimized devices that support Microsoft Lync Server 2010\2013. There are two methods to get these devices configured to work with Lync Server.

1. USB Tether with a Laptop or a Desktop PC

2. Login using a PIN and an Extension number

The first method is the recommended one, as it’s “Better Together” with the Lync client. Once connected over USB, it allows the phone to get calendar information from Outlook and display it on the phone, and it allows the user to make and answer calls seamlessly between the PC client and the phone.

But there are situations where a phone has to be deployed standalone without a PC (conference rooms, common areas). In situations like this, using a PIN to register the phone can be very useful. Below are the instructions to configure DHCP to get the phone registered by using a PIN.

Before you begin, copy the DHCPUtil.exe and DHCPConfigScript.bat files to the DHCP server. You can find them in C:\Program Files\Common Files\Microsoft Lync Server 2010\2013

If it’s Lync Server 2013, you might need to install VC++ on the DHCP server. You can find this on the installation media of Lync Server 2013.

As shown in the snapshot below, verify that the NTP server and Time Server options are configured in Scope Options and Server Options. Make sure that those options are configured with the IP address of the DHCP server, not the loopback IP address.


Open the command prompt as an administrator. Navigate to the folder where you saved the files copied from the Lync Server (DHCPUtil and DHCPConfigScript). Run the command:

DHCPUtil.exe -SipServer <FQDN of the Lync FE Server> -WebServer <FQDN of the Lync FE Server> -RunConfigScript

This command will configure Option 120 and Option 43 on the DHCP server.

Open the DHCP management console and look in the Server Options and Scope Options for the new options. Note that it might take some time for them to appear, depending on the performance of the server.


In Lync Server, the Line URI for the user should be configured as tel:+6145678;ext=5678. This specifies the “extension” value, and during the registration process this extension value will be used against the PIN.