Chat now with support
Chat with Support

Active Roles 7.6.1 - Solutions Guide

Active Roles Solutions Overview Exchange Resource Forest Management Configuration Transfer Wizard Solution Active Roles SPML Provider Skype for Business Server Solution
Introducing Skype for Business Server User Management Supported Active Directory topologies User Management policy Master Account Management policy Access Templates for Skype for Business Server Deploying the Solution Managing Skype for Business Server Users
Management Pack for SCOM

Multiple forests

In case of multiple forests, Skype for Business Server must be deployed in the Skype for Business Server forest only. You don’t need to deploy Skype for Business Server in external user forests or extend the Active Directory schema with Skype for Business Server attributes in those forests. For further details about multi-forest topology options, see Multiple forests - Resource forest and Multiple forests - Central forest earlier in this document.

Active Directory forest trust

The multi-forest topology option requires a one-way trust relationship between the Skype for Business Server forest and each user forest so that users can authenticate to the user forest but access services in the Skype for Business Server forest. Create a “forest” trust instead of an “external” trust because an external trust only supports NTLM, while a forest trust supports both NTLM and Kerberos, and therefore won’t limit Skype for Business client authentication options.

Trusts are configured as one-way to prevent unauthorized access to the user forest from the Skype for Business Server forest. For details, see "How Domain and Forest Trusts Work" at http://technet.microsoft.com/library/cc773178.aspx.

Skype for Business Server contact management rights

In case of central forest deployment, you need to grant Skype for Business Server contact management rights on the container that is intended to hold shadow accounts (contacts enabled for Skype for Business Server in the Skype for Business Server forest). Otherwise, Skype for Business Server security groups do not have sufficient rights to manage contact objects, which causes an “access is denied” condition when Active Roles attempts to enable a shadow account for Skype for Business Server.

To grant Skype for Business Server contact management rights, use the following command in Skype for Business Server Management Shell:

Grant-CsOUPermission -OU "<DN of container>" -ObjectType "contact"

Replace <DN of container> with the Distinguished Name of the container that is intended to hold shadow accounts, for example: OU=Shadow Accounts,DC=Skype for BusinessServer,DC=lab. If the domain does not have permission inheritance disabled (which is the default case), then you can supply the Distinguished Name of the domain rather than container:

Grant-CsOUPermission -OU "DC=Skype for BusinessServer,DC=lab" -ObjectType "contact"

You must be a domain administrator in order to run the Grant-CsOUPermission cmdlet locally.

Active Roles deployment

Active Roles deployment

The following Active Roles components must be installed in your Active Directory environment:

  • Administration Service
  • Web Interface
  • Active Roles console

You can install these components on member servers in a user forest or in the Skype for Business Server forest. For installation instructions, see the Active Roles Quick Start Guide.

Log on as Active Roles Admin

Log on as Active Roles Admin

To configure Skype for Business Server User Management, log on as Active Roles Admin. This ensures that you have sufficient rights to make the necessary configuration changes. Assuming the default configuration of the Active Roles Administration Service, you should log on with a domain user account that is a member of the Administrators group on the computer running the Administration Service.

Register domains with Active Roles

Skype for Business Server User Management requires the following domains to be registered with Active Roles:

  • At least one domain that holds computers running the Front End Server or Standard Edition Server role in your Skype for Business Server deployment
  • Domains that hold logon-enabled users you are going to administer with Skype for Business Server User Management
  • In case of multi-forest topology, the domain in the Skype for Business Server forest that holds shadow accounts for Skype for Business Server users

When registering a domain, you are prompted to choose which account you want the Administration Service to use to access the domain. You can either specify a so-called override account or let the Administration Service use its service account. With either option, the account must have sufficient rights in the domain you are registering. At a minimum, the account must have the following rights:

  • In the domain that holds Skype for Business Server computers, a member of the RTCUniversalUserAdmins group
  • In the user domains, a member of the Account Operators group
  • In the shadow accounts domain, a member of the Account Operators group

    For a central forest deployment, the account must also have the rights to create, view, modify and delete contact objects in the shadow accounts domain. It will suffice to make the account a member of the Domain Admins group.

    For instructions on how to register domains with Active Roles, see “Adding and removing managed domains” in the Active Roles Administrator Guide.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating