Substitution for FIM in Lync Server Resource Forest\Domain Deployment

Deploying Lync Server in a multi-forest\multi-domain (resource forest) topology normally requires FIM (Forefront Identity Manager) to replicate each user's ObjectSID from the user (customer) domain into the resource domain.

FIM needs its own licence, a SQL Server instance and an additional Windows Server. This article describes how to create the users in the resource domain directly with PowerShell, copying the attributes from the customer domain, then enable them for Lync and configure Enterprise Voice with Line URIs read from a .csv file.

Before the users can be created, a trust relationship (a one-way forest trust, with the resource forest trusting the customer forest) needs to be configured between the two domains so that the attributes can be read from the customer domain. I am not going to cover the trust configuration in this article. Below are the users configured in the customer domain. Notice the "Lync_Users" group: only users that are members of this group will be created.


Notice the ObjectSid of the "Demo Eight" user.


Once the trust relationship with the resource domain is configured and active, run the commands below in Windows PowerShell as an Administrator. Change the domain names appropriately (contoso.com = customer domain, fabrikam.local = resource domain) and set $DC to the FQDN of a domain controller in the customer domain.

Import-Module ActiveDirectory

# Customer (source) domain and one of its domain controllers
$domain = "dc=contoso,dc=com"

$DC = ""    # FQDN of a customer-domain DC, reachable over the trust

# The group whose (nested) members will be created in the resource domain
$ADSrcGrp = Get-ADGroup -SearchScope Subtree -SearchBase $domain -Server $DC -LDAPFilter "(name=lync_users)"
$ADSrcGrpDN = $ADSrcGrp.DistinguishedName

# For every member: copy the basic attributes to a new, disabled account in the resource
# domain and stamp the customer ObjectSID into msRTCSIP-OriginatorSid, which is the
# attribute Lync uses to map the customer-forest user to this resource-forest account.
# The fixed password is never used interactively; a random one per account is preferable.
Get-ADUser -SearchScope Subtree -SearchBase $domain -Filter "memberOf -RecursiveMatch '$ADSrcGrpDN'" -Server $DC -Properties ObjectSID,name,samAccountName,displayName,givenName,surName,mail |
    ForEach-Object {
        New-ADUser -Name $_.name `
            -SamAccountName $_.samAccountName `
            -DisplayName $_.displayName `
            -GivenName $_.givenName `
            -Surname $_.surName `
            -EmailAddress $_.mail `
            -OtherAttributes @{'msRTCSIP-OriginatorSid' = $_.ObjectSID} `
            -Path "OU=AU,DC=fabrikam,DC=local" `
            -UserPrincipalName "$($_.samaccountname)@fabrikam.local" `
            -AccountPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd" -Force) `
            -PasswordNeverExpires $true `
            -Enabled $false
    }

The users are created in the configured OU as disabled accounts. Leave them disabled: in a resource forest the users sign in with their customer-domain credentials and are mapped to the resource account through msRTCSIP-OriginatorSid, so the resource account never needs a usable password. For the same reason a random per-account password is a better choice than the shared literal in the script above, which ends up in scripts, transcripts and command history.


Notice the msRTCSIP-OriginatorSid value of the "Demo Eight" user; it should match the ObjectSid shown earlier from the customer domain.
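The script above only creates accounts and assumes none exist yet; it does not tell you whether the SID link is right, and it fails on a second run. The following is an added example (not the original post's script) that reconciles the link instead: it creates missing accounts with a random password, verifies existing accounts by decoding the stored msRTCSIP-OriginatorSid back into a SID and comparing it with the customer user's SID, and repairs accounts that were created by another tool without the attribute. The DC names, the group name and the RSAT ActiveDirectory module being available are assumptions and not part of the original.

```powershell
# Added example, not the original post's script: reconcile the SID link between
# customer-forest users and their resource-forest accounts and report drift.
# Assumptions (placeholders, not from the post): $CustomerDC and $ResourceDC are
# reachable DCs, the caller can read contoso.com over the trust and write to OU=AU
# in fabrikam.local, and the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

$CustomerDC        = "dc01.contoso.com"          # assumption
$CustomerBase      = "DC=contoso,DC=com"
$GroupName         = "Lync_Users"
$ResourceDC        = "dc01.fabrikam.local"       # assumption
$ResourceOU        = "OU=AU,DC=fabrikam,DC=local"
$ResourceUpnSuffix = "fabrikam.local"

# msRTCSIP-OriginatorSid is an octet string: store the SID's binary form, not its text.
function ConvertTo-SidBytes {
    param([Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid)
    $bytes = New-Object byte[] $Sid.BinaryLength
    $Sid.GetBinaryForm($bytes, 0)
    return ,$bytes
}

# The resource account is never logged on to directly (users authenticate in the
# customer forest), so give it a random, unrecorded password instead of a shared literal.
function New-RandomPassword {
    $raw = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($raw)
    # Base64 plus a fixed suffix satisfies the usual complexity classes
    return ConvertTo-SecureString -AsPlainText ([Convert]::ToBase64String($raw) + "!Aa1") -Force
}

$groupDn = (Get-ADGroup -Identity $GroupName -Server $CustomerDC).DistinguishedName
$sourceUsers = Get-ADUser -Server $CustomerDC -SearchBase $CustomerBase `
    -Filter "memberOf -RecursiveMatch '$groupDn'" -Properties displayName, mail

$report = foreach ($src in $sourceUsers) {
    $wantBytes = ConvertTo-SidBytes -Sid $src.SID
    $dst = Get-ADUser -Server $ResourceDC -SearchBase $ResourceOU `
        -Filter "sAMAccountName -eq '$($src.SamAccountName)'" -Properties 'msRTCSIP-OriginatorSid'

    if (-not $dst) {
        $new = @{
            Server = $ResourceDC; Path = $ResourceOU; Name = $src.Name
            SamAccountName = $src.SamAccountName; DisplayName = $src.DisplayName
            GivenName = $src.GivenName; Surname = $src.Surname
            UserPrincipalName = "$($src.SamAccountName)@$ResourceUpnSuffix"
            OtherAttributes = @{ 'msRTCSIP-OriginatorSid' = $wantBytes }
            AccountPassword = (New-RandomPassword); Enabled = $false
        }
        if ($src.mail) { $new.EmailAddress = $src.mail }
        New-ADUser @new
        $action = 'Created'
    }
    else {
        # Decode what is stored and compare SID to SID: a mismatch means this resource
        # account would be handed to a *different* customer user at sign-in.
        $stored = $dst.'msRTCSIP-OriginatorSid'
        $storedSid = if ($stored) { New-Object System.Security.Principal.SecurityIdentifier(([byte[]]$stored), 0) }
        if ($storedSid -and $storedSid.Value -eq $src.SID.Value) {
            $action = 'InSync'
        }
        else {
            # Covers accounts created by another tool without the attribute, and stale
            # links left behind after a customer-side account was recreated.
            Set-ADUser -Server $ResourceDC -Identity $dst -Replace @{ 'msRTCSIP-OriginatorSid' = $wantBytes }
            $action = if ($storedSid) { "Relinked (was $($storedSid.Value))" } else { 'Linked' }
        }
        if ($dst.Enabled) { Write-Warning "$($src.SamAccountName): resource account is enabled; it should stay disabled" }
    }
    [pscustomobject]@{ User = $src.SamAccountName; CustomerSid = $src.SID.Value; Action = $action }
}

$report | Format-Table -AutoSize
```

Run it from the resource forest with an account that can read the customer domain. A "Relinked (was S-1-5-...)" line is the one to investigate before the user signs in, since the old value pointed the account at someone else.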


Now enable the users for Lync Server. Run the first command below to enable every user in the OU, then list the Line URIs in the .csv file and run the second command to configure Enterprise Voice for the enabled users.

$SipDomain = ""    # the SIP domain the users are enabled in

# The accounts live in the resource domain OU created above
Get-CsAdUser -OU "OU=AU,DC=fabrikam,DC=local" | Enable-CsUser -RegistrarPool "lyncfe01.fabrikam.local" -SipAddressType FirstLastName -SipDomain $SipDomain

Import-Csv "C:\Script\EV_Users.csv" | ForEach-Object { Set-CsUser -Identity $_.Identity -SipAddress $_.SIPAddress -LineURI $_.LineURI -EnterpriseVoiceEnabled $True }

This is what the content of the .csv file should look like. Each row holds the user's SIP address in the first column (blank in the listing below), the Line URI and the Identity that Set-CsUser targets:

SIPAddress,LineURI,Identity
,tel:+612001,Demo Five
,tel:+612002,Demo Six
,tel:+612003,Demo one

All the users should now be enabled for Lync and for Enterprise Voice, each with a Line URI.
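The one-liner applies whatever is in the .csv file without checking it. As an added example (not from the original post), the script below validates the file first (tel:+E.164 format, duplicate numbers within the file, a SIP address only when one is given), then assigns a Line URI only to users that are already Lync-enabled and only when the number is not held by someone else. It assumes the Lync Server Management Shell, the column names used above, and that the E.164 rule is a local policy choice rather than a Lync requirement.

```powershell
# Added example, not the original post's script: pre-flight EV_Users.csv, then
# enable Enterprise Voice only for rows that pass and numbers that are free.
# Assumptions (not from the post): run in the Lync Server Management Shell; the CSV
# has the columns SIPAddress,LineURI,Identity; requiring tel:+E.164 is a local policy.
$CsvPath = "C:\Script\EV_Users.csv"

# Returns the list of problems with one row; an empty list means the row is usable.
function Test-EvRow {
    param([Parameter(Mandatory)]$Row, [Parameter(Mandatory)][hashtable]$SeenUris)
    $problems = @()
    if ([string]::IsNullOrWhiteSpace($Row.Identity)) { $problems += 'missing Identity' }
    if ($Row.LineURI -notmatch '^tel:\+[1-9]\d{1,14}(;ext=\d{1,10})?$') {
        $problems += "LineURI '$($Row.LineURI)' is not tel:+E.164"
    }
    else {
        $key = $Row.LineURI.ToLowerInvariant()
        if ($SeenUris.ContainsKey($key)) { $problems += "LineURI duplicated in file (also $($SeenUris[$key]))" }
        else { $SeenUris[$key] = $Row.Identity }
    }
    if (-not [string]::IsNullOrWhiteSpace($Row.SIPAddress) -and $Row.SIPAddress -notmatch '^sip:[^@\s]+@[^@\s]+$') {
        $problems += "SIPAddress '$($Row.SIPAddress)' is not sip:user@domain"
    }
    return ,$problems
}

$seen = @{}
$valid = @(); $invalid = @()
foreach ($row in Import-Csv $CsvPath) {
    $problems = Test-EvRow -Row $row -SeenUris $seen
    if ($problems.Count -gt 0) {
        $invalid += [pscustomobject]@{ Identity = $row.Identity; Problems = ($problems -join '; ') }
    }
    else { $valid += $row }
}
if ($invalid.Count -gt 0) {
    Write-Warning "Skipping $($invalid.Count) row(s) that failed validation:"
    $invalid | Format-Table -AutoSize | Out-Host
}

foreach ($row in $valid) {
    # Set-CsUser cannot turn on EV for an account that is not Lync-enabled yet
    $user = Get-CsUser -Identity $row.Identity -ErrorAction SilentlyContinue
    if (-not $user) { Write-Warning "$($row.Identity): not Lync-enabled, skipping"; continue }

    # A Line URI must be unique in the deployment; refuse to silently move a number
    $owner = Get-CsUser -Filter "LineURI -eq '$($row.LineURI)'" | Where-Object { $_.Identity -ne $user.Identity }
    if ($owner) { Write-Warning "$($row.Identity): $($row.LineURI) already assigned to $($owner.SipAddress), skipping"; continue }

    # Only override the SIP address when the file actually supplies one
    $params = @{ Identity = $user.Identity; LineURI = $row.LineURI; EnterpriseVoiceEnabled = $true }
    if (-not [string]::IsNullOrWhiteSpace($row.SIPAddress)) { $params.SipAddress = $row.SIPAddress }
    Set-CsUser @params
}
```

Because Set-CsUser supports -WhatIf, adding `WhatIf = $true` to $params gives a dry run over the whole file before any account is changed.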


Now it's time to test a user and verify that everything works.


The client signed in successfully with the end user's credentials.


7 thoughts on "Substitution for FIM in Lync Server Resource Forest\Domain Deployment"

  1. Hi, I am so delighted I found your website, I really found you by error, while I was looking on Digg
    for something else. Anyways I am here now and would just like to say thanks for a marvelous post and a all round thrilling blog (I also love the theme/design),
    I don't have time to read through it all at the minute but I have
    bookmarked it and also added your RSS feeds, so when I have time I will be back to read much more. Please do keep up the excellent job.

  2. Thanks, I've just been searching for information approximately this subject for a while and yours is the best
    I've discovered till now. But, what about the conclusion? Are you certain concerning the source?

  3. We have a similar scenario, but we're creating the disabled linked accounts via our Exchange Admin Console. This doesn't pull over the {'msRTCSIP-OriginatorSid'=$_.ObjectSID} part of your script, so our linked accounts are not Skype aware. Is there a quick and dirty PS command I could run against the OU on the trusted domain with the trusted accounts, to pull their ObjectSID and add it to their linked trusting domain accounts' msRTCSIP-OriginatorSid value?
