As we have seen in the previous recipe, a Lync resource forest requires a continuous synchronization between the accounts in the users' forests and the disabled accounts that must be provided in the forest in which Lync services exist. A directory synchronization product, such as Microsoft Forefront Identity Manager (FIM) 2010 R2, is a useful solution to transmit modifications from the user forests to the resource forest (for example, creating or deleting an account in the former one will automatically create or delete the disabled account in the latter). In the following schema, we can see a possible outline for a resource forest deployment with FIM (Identity Manager is not joined to the user and resource forest to show there is no need to insert it inside the existing forests):
This section will be dedicated to the configuration of FIM in a resource forest scenario.
To install FIM 2010 R2, a SQL Server installation must be available. We can co-host the database on the FIM server or use a dedicated database server. In our scenario, we have a dedicated forest, FIMDomain.Lab. The server that will host both FIM and its SQL Server 2012 database is FIM.FIMDomain.Lab. In the following screenshot, we can see a high-level overview of the deployment:
FIM installation will require a service account, which we will call FIMService. It requires no special permissions.
We will not see how to install SQL Server 2012; however, there are many dedicated resources, such as the TechNet post Installation How-to Topics at http://msdn.microsoft.com/en-us/library/cc281837(v=sql.110).aspx.
D:) using D:\Synchronization Service\Synchronization Service.msi. The installer will open the Welcome page. Select Next.
.bin extension) will be created. We should keep it in a safe place outside of the server.
LcsSync folder from a Lync 2013 Resource Kit installation to the FIM server. In our example, the path of the Resource Kit is C:\Program Files\Microsoft Lync Server 2013\ResKit. The path where we have to copy the content of the previously mentioned folder on the FIM server is the C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions folder, and can be seen in the following screenshot:
lcscfg.xml file in the previously mentioned Extensions folder. The target-OU value must be equal to the value of the OU that contains the active accounts in the user forest (in our example, OU=ActiveUsers,DC=ForestB,DC=lab). The lcsa name parameter will be used during the configuration of the management agent. In the following screenshot, we can see the edited file:
Lcsmvschema.xml file from C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions, as we can see in the following screenshot:
FIM is based on two base components: the metaverse and the connector space. The metaverse is a MetaDirectory (a system to collect, aggregate, and store data from various directories and data sources, such as Active Directory). The metaverse is stored in five SQL tables where information is organized using a schema (details about the FIM schema are available in Understanding Custom Resource and Attribute Management at http://technet.microsoft.com/en-us/library/ff519007(v=ws.10).aspx). FIM uses management agents to update data in the metaverse and in the data sources. The other component, connector space, is a temporary storage area for entities (objects). Data is modified, deleted, or added in the connector space before flowing to the metaverse or the data sources. A modified "shadow copy" of the data source is stored here by management agents.
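The flow described above (data source, connector space, metaverse, resource forest) can be followed in a simplified Python model. This is an added example, not FIM code and not part of the original text; the function names, the account keys, and the dictionary layout are assumptions made for illustration, and the sample accounts are constructed.

```python
# Simplified model of one synchronization cycle (illustrative, not FIM code).
# Accounts are keyed by a constructed logon name; values are attribute dicts.

def stage_import(connector_space, source_accounts):
    """Management agent import: compare the data source with the shadow copy
    held in the connector space and return the staged changes."""
    pending = {}
    for name, attrs in source_accounts.items():
        if name not in connector_space:
            pending[name] = "add"
        elif connector_space[name] != attrs:
            pending[name] = "update"
    for name in connector_space:
        if name not in source_accounts:
            pending[name] = "delete"
    # Refresh the shadow copy so the next import only sees new changes.
    connector_space.clear()
    connector_space.update({n: dict(a) for n, a in source_accounts.items()})
    return pending

def synchronize(metaverse, connector_space, pending):
    """Flow the staged changes from the connector space into the metaverse."""
    for name, operation in pending.items():
        if operation == "delete":
            metaverse.pop(name, None)
        else:
            metaverse[name] = dict(connector_space[name])

def export_to_resource_forest(metaverse, resource_forest):
    """Keep one account per metaverse entry in the resource forest. The copy
    is always disabled, whatever the state of the user-forest account."""
    for name in list(resource_forest):
        if name not in metaverse:
            del resource_forest[name]  # deletion in the user forest propagates
    for name, attrs in metaverse.items():
        resource_forest[name] = {**attrs, "enabled": False}

def run_cycle(user_forest, connector_space, metaverse, resource_forest):
    """Run import, synchronization, and export; return the staged changes."""
    pending = stage_import(connector_space, user_forest)
    synchronize(metaverse, connector_space, pending)
    export_to_resource_forest(metaverse, resource_forest)
    return pending

if __name__ == "__main__":
    user_forest = {"alice": {"mail": "alice@forestb.lab", "enabled": True}}
    cs, mv, resource = {}, {}, {}
    print(run_cycle(user_forest, cs, mv, resource), resource)
```

Running a second cycle after removing an account from the user forest shows the matching disabled account leaving the resource forest, which is the behavior to verify after any change to the management agents.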