You can configure the Skype for Business Server User Management feature both for single-forest and multi-forest environments.
In a single-forest environment, Skype for Business Server must be deployed in the forest that holds the login-enabled accounts of the Skype for Business Server users. For more details, see Single forest topology for Skype for Business Server User Management.
In a multi-forest environment, Skype for Business Server must be deployed in the Skype for Business Server forest only. Do not deploy Skype for Business Server in external user forests, and do not extend the Active Directory schema with Skype for Business Server attributes in those forests. For more details about multi-forest topology options, see Resource forest topology for Skype for Business Server User Management and Central forest topology for Skype for Business Server User Management.
The multi-forest topology option requires a one-way trust relationship between the Skype for Business Server forest and each user forest so that users can authenticate to the user forest but access services in the Skype for Business Server forest.
NOTE: Make sure to configure a forest trust instead of an external trust. An external trust relationship supports only NTLM, while a forest trust supports both NTLM and Kerberos, posing no limitations to Skype for Business client authentication options.
Trusts are configured as one-way to prevent unauthorized access to the user forest from the Skype for Business Server forest. For details, see How Domain and Forest Trusts Work in the Windows Security Collection documentation.
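One way to check the trust requirements above from the Skype for Business Server forest, as an added example that is not part of the original documentation. The function name, the forest names and the sample trust objects are constructed for illustration; against a live directory, the input would come from the Get-ADTrust cmdlet of the ActiveDirectory module.

```powershell
# Added example, not from the product documentation.
# Test-UserForestTrust is a hypothetical helper; it inspects objects shaped like
# the output of Get-ADTrust (properties Name, Direction, ForestTransitive).
function Test-UserForestTrust {
    param(
        [Parameter(Mandatory)] [object[]] $Trust,       # trust objects of the resource forest root domain
        [Parameter(Mandatory)] [string[]] $UserForest   # root domain name of each user forest
    )
    foreach ($name in $UserForest) {
        $t      = $Trust | Where-Object { $_.Name -eq $name } | Select-Object -First 1
        $issues = @()
        if (-not $t) {
            $issues += 'no trust object found'
        } else {
            # ForestTransitive is set only on forest trusts. An external trust
            # leaves it cleared and restricts authentication to NTLM.
            if (-not $t.ForestTransitive) { $issues += 'external trust, not a forest trust' }
            # Seen from the Skype for Business Server forest, "users authenticate in
            # the user forest and use services here" is an outgoing (Outbound) trust.
            # Inbound or BiDirectional would also let principals of this forest
            # authenticate into the user forest.
            if ($t.Direction -ne 'Outbound') {
                $issues += "direction is $($t.Direction), expected Outbound"
            }
        }
        [pscustomobject]@{
            UserForest = $name
            Compliant  = ($issues.Count -eq 0)
            Issues     = $issues -join '; '
        }
    }
}

# Constructed sample data so the check can be tried without a directory.
$sampleTrusts = @(
    [pscustomobject]@{ Name = 'users1.example'; Direction = 'Outbound';      ForestTransitive = $true  }
    [pscustomobject]@{ Name = 'users2.example'; Direction = 'BiDirectional'; ForestTransitive = $true  }
    [pscustomobject]@{ Name = 'users3.example'; Direction = 'Outbound';      ForestTransitive = $false }
)
Test-UserForestTrust -Trust $sampleTrusts `
    -UserForest 'users1.example', 'users2.example', 'users3.example', 'users4.example' |
    Format-Table -AutoSize

# Live use (placeholder server name), run with the ActiveDirectory module loaded:
#   $trusts = Get-ADTrust -Filter * -Server '<root-domain-of-SfB-forest>'
#   Test-UserForestTrust -Trust $trusts -UserForest '<user-forest-root-domain>'
```

With the sample data, only users1.example is reported as compliant; the other three rows list a two-way trust, an external trust and a missing trust respectively.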
In a central forest deployment, you must grant Skype for Business Server contact management rights on the container that will hold shadow accounts (contacts enabled for Skype for Business Server in the Skype for Business Server forest). Otherwise, the Skype for Business Server security groups will not have sufficient rights to manage contact objects, and access is denied when Active Roles attempts to enable a shadow account for Skype for Business Server.
To grant Skype for Business Server contact management rights, run the following command in Skype for Business Management Shell.
Grant-CsOUPermission -OU "<DN-of-container>" -ObjectType "contact"
Replace <DN-of-container> with the Distinguished Name of the container where you want to store shadow accounts, for example:
OU=Shadow Accounts,DC=Skype for BusinessServer,DC=lab
If the domain has permission inheritance enabled (which is the default), you can supply the Distinguished Name of the domain instead of that of the container:
Grant-CsOUPermission -OU "DC=Skype for BusinessServer,DC=lab" -ObjectType "contact"
NOTE: You must be a domain administrator to run the Grant-CsOUPermission cmdlet locally.
To configure the Skype for Business Server User Management feature, you must install the following Active Roles components in your Active Directory environment:
Administration Service
Web Interface
Active Roles Console
Install these components on the member servers of the account forest or in the Skype for Business Server forest. For installation instructions, see the Active Roles Installation Guide.