Multiple forests - Central forest
The central forest topology refers to a multi-forest environment where a separate forest, the Skype for Business Server forest, hosts the servers running Skype for Business Server and may also host logon-enabled accounts. Outside the Skype for Business Server forest, user forests host logon-enabled user accounts but no servers running Skype for Business Server.
With the Skype for Business Server User Management policy applied to logon-enabled user accounts in the Skype for Business Server forest, Active Roles can enable and administer those user accounts for Skype for Business Server in the same way as in the Single forest case.
When creating a Skype for Business Server account for a user from an external forest, Active Roles creates a contact in the Skype for Business Server forest, establishes a link between the user account in the user forest (master account) and the contact in the Skype for Business Server forest (shadow account), and enables that contact for Skype for Business Server. The Master Account Management policy then ensures that the attributes of the contact are synchronized with the attributes of the user account, so that Skype for Business Server user properties can be administered on the user account via Active Roles. In the Skype for Business Server forest, the User Management policy detects the attribute changes replicated from the user account to the contact, and translates them to remote shell commands on Skype for Business Server, similarly to the Single forest case.
User Management policy
The User Management policy is intended for two kinds of environments. The first is single-forest and multi-forest environments where logon-enabled accounts of Skype for Business Server users are defined in the Active Directory forest in which Skype for Business Server is deployed. The second is multi-forest environments where logon-enabled master accounts of Skype for Business Server users are defined in external forests, with each master account represented by a shadow account (disabled user account or contact) in the Active Directory forest in which Skype for Business Server is deployed. The User Management policy enables Active Roles to perform user management tasks on Skype for Business Server.
The Policy Object that holds this policy is in the Configuration/Policies/Administration/Builtin container. The name of the Policy Object is Built-in Policy - Skype for Business - User Management. Depending upon your Active Directory topology, apply this Policy Object as follows to enable Skype for Business Server User Management in Active Roles.
Table 16: Applying the Built-in - Skype for Business - User Management Policy Object

| Topology | Apply this Policy Object to |
|---|---|
| Single forest | Active Directory domains or containers that hold user accounts you want to administer by using Skype for Business Server User Management in Active Roles. |
| Multiple forests - Resource forest | Active Directory domains or containers in the Skype for Business Server forest that hold shadow accounts (disabled user accounts) for users from external forests you want to administer by using Skype for Business Server User Management in Active Roles. |
| Multiple forests - Central forest | Active Directory domains or containers in the Skype for Business Server forest that hold logon-enabled user accounts you want to administer by using Skype for Business Server User Management in Active Roles; Active Directory domains or containers in the Skype for Business Server forest that hold shadow accounts (contacts) for users from external forests you want to administer by using Skype for Business Server User Management in Active Roles. |
User Management policy settings
The topics in this section cover the User Management policy settings.
Connection to Skype for Business Server
To administer Skype for Business Server users, Active Roles requires a connection to a computer running the following server role in your Skype for Business Server deployment: Front End Server (in the case of Skype for Business Server Enterprise Edition) or Standard Edition Server. The computer must be from an Active Directory domain that is registered with Active Roles as a managed domain. By using the Server policy setting, you can specify how you want Active Roles to select a Skype for Business Server computer:
- Connect to any available server: With this option, Active Roles attempts to connect to any Front End Server or Standard Edition Server that runs the Central Management Server in your Skype for Business Server deployment. If no Central Management Server role holders are available in the managed domains, then Active Roles attempts to connect to the first Front End Server or Standard Edition Server found in the managed domains.
- Connect to these servers only: This option allows you to configure a list from which you want Active Roles to select a Skype for Business Server computer. You can:
  - Add or remove computers from the list. Active Roles searches the managed domains for computers running the appropriate Skype for Business Server role, allowing you to select the desired computers.
  - Set the default computer. Active Roles first attempts to connect to that computer.
  - Reorder the list. Active Roles first attempts to connect to computers that are higher in the list.
Note that at least one of your Active Directory domains that hold computers running the Front End Server or Standard Edition Server must be registered with Active Roles as a managed domain. Otherwise, Active Roles is unable to discover your Skype for Business Server deployment, so Skype for Business Server User Management functions are unavailable.
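The selection order described above, modelled as an added example; it is not Active Roles code and not part of the original documentation. The `Server` type, the function names and the server names are hypothetical, and two behaviours are assumptions: "first found" is taken to mean inventory order, and listed computers outside the managed domains are skipped.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Server:
    fqdn: str
    domain: str
    role: str                # e.g. "FrontEnd", "StandardEdition", "Edge"
    runs_cms: bool = False   # hosts the Central Management Server

ELIGIBLE_ROLES = {"FrontEnd", "StandardEdition"}

def eligible(inventory, managed_domains):
    """Servers with an eligible role whose domain is registered as managed."""
    return [s for s in inventory
            if s.role in ELIGIBLE_ROLES and s.domain in managed_domains]

def connection_candidates(inventory, managed_domains, mode,
                          allowed=(), default=None):
    """Return FQDNs in the order a connection would be attempted.

    mode "any":  Central Management Server holders first; if none is in a
                 managed domain, only the first eligible server found.
    mode "list": the default computer first, then the list in its order.
    An empty result means no deployment is discoverable.
    """
    pool = eligible(inventory, managed_domains)
    if mode == "any":
        cms = [s.fqdn for s in pool if s.runs_cms]
        return cms or [s.fqdn for s in pool[:1]]
    if mode == "list":
        visible = {s.fqdn for s in pool}
        ordered = ([default] if default in allowed else []) + \
                  [f for f in allowed if f != default]
        return [f for f in ordered if f in visible]
    raise ValueError(f"unknown mode: {mode!r}")

# Constructed inventory (hypothetical names, not from the documentation).
INVENTORY = [
    Server("fe01.sfb.example", "sfb.example", "FrontEnd"),
    Server("fe02.sfb.example", "sfb.example", "FrontEnd", runs_cms=True),
    Server("se01.branch.example", "branch.example", "StandardEdition"),
    Server("edge01.sfb.example", "sfb.example", "Edge"),
]

if __name__ == "__main__":
    print(connection_candidates(INVENTORY, {"sfb.example"}, "any"))
    print(connection_candidates(INVENTORY, {"users.example"}, "any"))
```

An empty list for a given set of managed domains corresponds to the case in the note above, where the deployment cannot be discovered and User Management functions are unavailable.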