You can configure the Skype for Business Server User Management feature in a multi-forest environment by performing the following main configuration steps:
-
Applying the Master Account Management policy: During this step, you must adjust the Forest Mode policy setting in the Built-in Policy - Skype for Business - Master Account Management Policy Object, then link that Policy Object to the Active Directory domains or containers in the user forest that contain the master accounts of the login-enabled user accounts you want to manage with Active Roles.
-
Applying the User Management policy: During this step, you must link the Built-in Policy - Skype for Business - User Management Policy Object to the Active Directory domains or containers in the Skype for Business Server forest that contains the shadow accounts.
In case of a central forest, you must also link the Built-in Policy - Skype for Business - User Management Policy Object to Active Directory domains or containers in the Skype for Business Server forest that hold login-enabled user accounts you want to manage with Active Roles.
To configure Skype for Business Server User Management in a multi-forest environment, apply the Built-in Policy - Skype for Business - Master Account Management Policy Object to user accounts in Active Directory forests that are external to the Skype for Business Server forest.
To enable the Skype for Business Server User Management feature:
-
Configure the Policy Object according to the Skype for Business Server forest mode in your organization (resource forest or central forest).
-
Link the Policy Object to the domains or containers in the external user forest(s) holding the user accounts you want to manage with Active Roles.
To configure the Master Account Management Policy Object
-
In the Active Roles Console, navigate to Configuration > Policies > Administration > Builtin.
-
In the details pane, double-click the Built-in Policy - Skype for Business - Master Account Management Policy Object.
-
In the Properties dialog that appears, go to the Policies tab, and double-click the entry in the list of policies.
-
In the Properties dialog that appears, go to the Forest Mode tab and select the option that matches the Skype for Business Server forest mode in your Skype for Business Server deployment (see Skype for Business Server forest mode).
-
(Optional) Review the rest of the policy settings if needed:
-
On the Shadow Account tab, view or change the container and default description for new shadow accounts.
-
On the Master Account tab, view or change the attribute to store a reference to shadow account.
-
On the Synced tab, view or change the list of synchronized properties.
-
On the Substituted tab, configure your custom list of substituted properties in addition to the default list.
-
On the Back-synced tab, view or change the list of back-synchronized properties.
For detailed description of the policy settings, see Master Account Management policy settings for Skype for Business Server User Management.
To link the Master Account Management Policy Object to an Organizational Unit or domain
-
In the Active Roles Console, navigate to Configuration > Policies > > Builtin.
-
In the details pane, right-click the Built-in Policy - Skype for Business - Master Account Management Policy Object, then click Policy Scope.
-
In the dialog that appears, click Add, then select the Organizational Unit or domain.
You can configure the Skype for Business Server User Management feature for user accounts in the Skype for Business Server forest with the Built-in Policy - Skype for Business - User Management Policy Object. To enable the feature, link the policy to domains or containers in the Skype for Business Server forest that contains the shadow accounts of the users.
If your organization uses a central forest topology, also link the policy to Active Directory domains or containers in the Skype for Business Server forest that contains the login-enabled Skype for Business user accounts you want to manage with Active Roles.
To link the User Management Policy Object to an Organizational Unit or domain
-
In the Active Roles Console, navigate to Configuration > Policies > Administration > Builtin.
-
In the details pane, right-click the Built-in Policy - Skype for Business - User Management Policy Object, then click Policy Scope.
-
In the dialog that appears, click Add, then select the Organizational Unit or domain.
By default, the Policy Object has all policy settings configured. To change the policy settings, use the Active Roles Console.
To view or change the settings of the User Management Policy Object
-
In the Active Roles Console navigate to Configuration > Policies > Administration > Builtin.
-
In the details pane, double-click the Built-in Policy - Skype for Business - User Management Policy Object.
-
In the Properties dialog that appears, go to the Policies tab, and double-click the entry in the list of policies.
-
In the Properties dialog box that appears, do any of the following:
-
On the Server tab, specify how you want Active Roles to select a computer running Skype for Business Server.
-
On the SIP User Name tab, configure a rule for generating the SIP user name in the user SIP address.
-
On the SIP Domain tab, configure a rule to restrict selection of a SIP domain for the user SIP address.
-
On the Pool tab, configure a rule to restrict selection of an Enterprise Edition Front End pool or Standard Edition server to which Skype for Business Server users can be assigned.
-
On the Telephony tab, configure a rule to restrict selection of a Telephony option for Skype for Business Server users.
For more information on the policy settings, see Skype for Business Server User Management policy settings.
If you already manage Skype for Business Server resources with Active Roles Add-on for Skype for Business Server, you can update your deployment to use the Skype for Business Server User Management feature. The procedure has the following main steps:
-
Identify the Active Directory topology option used by the add-on. For more information on how Skype for Business User Management works with the supported forest types, see the following sections:
If your organization uses a multi-forest environment, take note of the Distinguished Name of the container in which the add-on creates the shadow accounts.
-
Uninstall Active Roles Add-on for Skype for Business Server from Active Roles Add-on Manager. Then, uninstall the add-on from the computer where it is installed.
-
Upgrade to the latest version of Active Roles. For more information, see the Active Roles Quick Start Guide.
-
Deploy the Skype for Business Server User Management feature. Depending on the Active Directory topology option used by the add-on, see the applicable section for more information:
The following instructions provide more detailed information on the procedure.
NOTE: The instructions apply to Active Roles Add-on for Skype for Business Server 2.1.
NOTE: The instructions apply to Active Roles Add-on for Skype for Business Server 2.1.
To identify the Active Directory topology option used by the Skype for Business Server Add-on
-
In the Active Roles Console, select Applications > Active Roles Add-on for Skype for Business Server.
-
In the Configure Add-on area of the details pane, review the add-on settings:
-
The Active Directory topology option is selected in the Active Directory topology box.
-
If a multi-forest option is selected, the Distinguished Name of the container in which the add-on creates shadow accounts is specified in the Container for shadow accounts/contacts box.
If the add-on was configured with the resource forest or central forest option, you must configure and apply the Built-in Policy - Skype for Business - Master Account Management Policy Object.
To configure and apply the Master Account Management Policy Object
-
In the Active Roles Console, navigate to Configuration > Policies > Administration > Builtin.
-
In the details pane, double-click the Built-in Policy - Skype for Business - Master Account Management Policy Object.
-
In the Properties dialog that appears, go to the Policies tab, and double-click the entry in the list of policies.
-
In the Properties dialog that appears, go to the Forest Mode tab and select the option that matches the Active Directory topology option that was used by the add-on.
-
If the add-on was configured with the option Multiple forests - Resource forest, then select the Resource forest option on the Forest Mode tab.
-
If the add-on was configured with the option Multiple forests - Central forest, then select the Central forest option on the Forest Mode tab.
-
Go to the Shadow Account tab and configure the policy to use the container for shadow accounts that was used by the add-on. To do so, click This container > Browse, and select the container.
-
Close the Properties dialog for the policy entry by clicking OK.
-
In the Properties dialog box for the Policy Object, click Apply, go to the Scope tab, then click the Scope button on that tab.
-
In the dialog that appears, add the containers that hold the master accounts you managed using the add-on, then click OK.
-
Close the Properties dialog box for the Policy Object by clicking OK.
TIP: The Skype for Business Server User Management feature will identify the existing master accounts, enabling Active Roles to manage their shadow accounts for Skype for Business Server in the same way as when using the add-on. To speed up the identification of the existing master accounts, you can run the Master Account Management scheduled task manually:
-
In the Active Roles Console, navigate to the following container:
Configuration/Server Configuration/Scheduled Tasks/Builtin
-
Right-click the Skype for Business - Master Account Management scheduled task.
-
Select All Tasks, then click Execute.