Lync Deployment Options and the Multi
Download
Report
Transcript Lync Deployment Options and the Multi
Lync MVP Pub Trivia Night – Invitation Only
Want to join Lync MVPs and speakers at an
exclusive Pub Trivia Night tomorrow?
Tweet a photo from a Lync session using the hashtag
#LyncTEE for your chance to attend!
Two entries are randomly selected each day.
Test your Lync knowledge with questions created by MVPs.
Free food and drinks! Great prizes! *See official rules online.
If you don’t score an invite, you can compete on Twitter with
@msftLync tomorrow at 7pm for your chance to win a Surface Pro 3!
TechEd Europe
#LyncTEE
http://channel9.msdn.com/Events/TechEd
www.microsoft.com/learning
http://microsoft.com/technet
http://developer.microsoft.com
Motivation: Why Multi-Forest?
Cloud First
All Workloads
Partners
Customers committing
to the cloud
1. Exclusively cloud
2.Hybrid
Want both Exchange
and Lync online with all
the features
Partners are eager to
offer fully functional
managed Lync services
Hybrid On-Premises and Cloud
❶ Lync and Exchange in different environments
MPLS
Internet
Hybrid On-Premises and Cloud
❷ Some Lync users on Premises, some Lync users online
PSTN
MPLS
Internet
The Multi-Forest Architecture
For customers who want their online users to benefit
from Enterprise Voice
PSTN
MPLS
Internet
Key Components
Deploying Lync in a Multi-Forest Architecture (Partner Hosted Lync with Exchange Hybrid)
http://www.microsoft.com/en-us/download/details.aspx?id=44276
❶ Exchange entirely Online
❷ Exchange is hybrid
PSTN
CA
Lync
Services
MPLS
Domain
Controller
Certificate
Authority
Domain
Controller
Lync
edge
Internet
Deployment in Three Steps
1. Build Trust
2. Replicate user information
3. Enable Exchange support for UM
Step 1: Build Trust
Two types of trust relationship are required; an AD forest trust for Lync and a federation trust for Exchange Online.
In both cases, enabled user accounts reside in the Customer user forest and the Exchange Online resource forest; while
disabled user accounts reside in the Lync resource forest.
PSTN
CA
Lync
Services
MPLS
Domain
Controller
Certificate
Authority
Domain
Controller
Lync
edge
Internet
Step 2: Replicate User Information
•
•
FIM, or an application with similar functionality is used for Active Directory synchronization between the Customer user
forest and the Lync resource forest
O365 DirSync is used for Active Directory synchronization between the Customer user forest and the Exchange Online
resource forest
FIM
(Forefront Identity Manager)
or 3rd-Party solution
PSTN
CA
Lync
Services
MPLS
Domain
Controller
Domain
Controlle
r
Lync
edge
Internet
AADsync
http://msdn.microsoft.com/en-us/library/azure/dn800989.aspx
Blog: http://blogs.technet.com/b/ad/archive/2014/09/16/azure-active-directory-sync-is-now-ga.aspx
Certificate
Authority
Step 3: Provision Mailbox Accounts for Exchange Online
The provisioning process for a new user must trigger a series of tasks that create corresponding disabled user accounts in the
Lync resource forest and enabled user accounts in the Exchange Online resource forest, enables them for some or all of the
Lync features, creates Exchange mailboxes, pushes UM settings to the Lync disabled user account and sets the appropriate
UM server values based on the UM dial plan they have
1. User Forest: Create enabled user accounts in the
Exchange Online resource forest
2. Lync Resource Forest: Configure the Exchange
enabled user accounts
3. Create an Exchange Mailbox
4. Synchronize Exchange Online resource forest
enabled user account with the corresponding
enabled user account in the Customer user forest
5. Enable Lync EUM routing
6. Confirm Attribute Mapping (Customer user forest
to Exchange Online resource forest)
7. Confirm Attribute Mapping required for Exchange
Rich Coexistence (Customer user forest)
Enable for UM support
Set-CsAccessEdgeConfiguration -UseDnsSrvRouting AllowFederatedUsers 1 -EnablePartnerDiscovery 0
New-CsHostingProvider -Identity UMOnline -Enabled $True
-EnabledSharedAddressSpace $True -HostsOCSUsers $False
-ProxyFQDN “xxxxx.um.outlook.com" -IsLocal $False VerificationLevel UseSourceVerification
Set-CsHostedVoicemailPolicy -Destination
xxxxx.um.outlook.com -Organization “xxxxx.com"
Extract from Published Guidance
Two three-forest architectures described
Lync Server Dedicated with Exchange Online (Multi-tenant)
Lync Server Dedicated with Exchange Hybrid (on-prem
and Exchange Online Multi-tenant)
Implementation Details
Step 1: Changes to Global DNS
1.
2.
Create/Modify internal DNS Records
Create/Modify External DNS Records
Step 2: Configure customer User Forest
1.
2.
3.
4.
5.
6.
7.
8.
Update Root CA (Certificate Authority)
Configure the Customer user forest for SSO (single sign on) with Exchange Online
Establish Directory Synchronization with the Lync Resource Forest Active Directory
Automate Lync Identity Management Process
Establish Directory Synchronization with the Exchange Online Resource forest Active Directory
Automate Exchange Identity Management Process
Order Certificates for Lync and Exchange
Configure DNS to locate services in the Lync and Exchange Online resource forests
Ongoing ID Mgt.
Step 1: Create New AD Accounts
1.
2.
3.
4.
Step 2: Provision Accounts for Lync
1.
2.
3.
4.
5.
Step 3: Configure Lync Resource Forest
1.
2.
3.
4.
5.
6.
7.
Establish Trust
Update Root CA
Configure DNS to locate Services in the customer user forest and exchange online
resource forest
Prepare the lync resource forest Active Directory for Lync
Install and Configure Lync Server Using Microsoft Best Practices
Install and Configure PSTN Connectivity
Configure the Lync Resource Forest for Exchange Online UM
6.
7.
Choose your domain and set up user accounts
Set up email
Set up your team site and documents
Set up mobile access
Set up online communication tools
Get everybody ready
Meet compliance requirements
Create disabled user accounts in the Lync resource forest from the customer user
forest
Enable the Lync disabled user accounts from the Lync resource forest
Configure disabled user accounts for Exchange Online UM
Enable the disabled user accounts to receive UM messages
Synchronize Lync resource forest disabled user account with Customer user
forest account
Optional: Enable OWA for IM integration
Confirm Attribute Mapping (Customer user forest to Lync resource forest)
Step 3: Provision Mailbox Accounts for Exchange Online
1.
2.
3.
4.
Step 4: Configure Exchange Online Resource Forest
1.
2.
3.
4.
5.
6.
7.
Create New AD user accounts from an authoritative source
Add attributes manually
Add Exchange Online URL to IE Trusted Sites list
Wait for AD replication to complete before moving to the next step
5.
6.
7.
User Forest: Create enabled user accounts in the Exchange Online resource
forest
Lync Resource Forest: Configure the Exchange enabled user accounts
Create an Exchange Mailbox
Synchronize Exchange Online resource forest enabled user account with the
corresponding enabled user account in the Customer user forest
Enable Lync EUM routing
Confirm Attribute Mapping (Customer user forest to Exchange Online resource
forest)
Confirm Attribute Mapping required for Exchange Rich Coexistence (Customer
user forest)
Resources
Design Guide
Deploying Lync in a Multi-Forest Architecture (Partner Hosted Lync with Exchange Hybrid)
Rick Varvel, Mohamad Saleem and Dave Howe
http://www.microsoft.com/en-us/download/details.aspx?id=44276
AADsync
http://msdn.microsoft.com/en-us/library/azure/dn800989.aspx
Blog: http://blogs.technet.com/b/ad/archive/2014/09/16/azure-active-directory-sync-is-now-ga.aspx
Azure Active Directory Synchronization Services or AAD Sync is the new synchronization service that will allow customers to do
the following:
• Synchronize multi-forest Active Directory environments without needing the full blow features of Forefront Identity Manager 2010 R2.
• Advanced provisioning, mapping and filtering rules for objects and attributes, including support for syncing a very minimal set of user
attributes (only 7!)
• Configuring multiple on-premises Exchange organizations to map to a single AAD tenant
Building upon MIIS, ILM, and FIM, the Azure Active Directory Sync Services provides the next platform for connecting to data
sources, synchronizing data between data sources, as well as the provisioning and deprovisioning of identities.
Lync Server with Exchange Online (Multitenant)
Lync Server with Exchange Hybrid (Online
Multitenant with on-premises)
Fabrikam.com
Contoso.com
PSTN
MPLS
Internet
Teched-Contoso.com
Record Type
Name
Points To …
A
autodiscover.contoso.com
IP of Reverse Proxy Server or CAS Array VIP in the
Exchange resource forest Perimeter Network
A
owa.contoso.com
IP of Reverse Proxy Server or CAS Array VIP in the
Exchange resource forest Perimeter Network
A
mail.contoso.com
IP of Reverse Proxy Server or CAS Array VIP in the
Exchange resource forest Perimeter Network
MX
mail.contoso.com
IP of Exchange Edge server (SMTP transport) in the
Exchange resource forest Perimeter Network
SRV
_autodiscover._tcp.contoso.com
mail.contoso.com A record which in turn, points to the IP of
Reverse Proxy Server or CAS Array VIP in the Exchange
resource forest Perimeter Network
Record Type
Name
Points To …
A
sip.contoso.com
IP of Access Edge Server / VIP in Lync resource forest
Perimeter Network
A
meet.contoso.com
IP of Reverse Proxy Server / VIP in Lync resource forest
Perimeter Network
A
autodiscover.contoso.com
IP of Reverse Proxy Server / VIP in Lync resource forest
Perimeter Network
A
lyncdiscover.contoso.com
IP of Reverse Proxy Server / VIP in Lync resource forest
Perimeter Network
SRV
_sip._tls.contoso.com (5061)
sip.contoso.com A record, which in turn, points to the IP of
Access Edge Server / VIP in Lync resource forest Perimeter
Network
SRV
_sipfederationtls._tcp.contoso.com
sip.contoso.com A record, which in turn, points to the IP of
Access Edge Server / VIP in Lync resource forest Perimeter
Network
Contoso.com
UPN: TechED-Contoso.com
SIP:[email protected]
SMTP:[email protected]
User Forest
SIP:[email protected]
SMTP:[email protected]
Fabrikam.com
Lync Forest
Cn
lyncUser1
lyncUser1
ObjectSID
SIDlyncUser1
Not used
msRTCSIP-OriginatorSID
Not used
SIDlyncUser1
telephoneNumber
1 425 555-1234
1 425 555-1234
displayName
lyncUser1
lyncUser1
givenName
lyncUser1
lyncUser1
l (city)
Redmond
Redmond
st (state)
WA
WA
Country
U.S.A
U.S.A
Mail
proxyAddresses
msExchUCVoicemailSettings
[email protected]
EUM:[email protected];phonecontext=TESTDP01.contoso.com
eum:51212;phone-context=TESTDP01.contoso.com
SMTP:[email protected]
sip:[email protected]
ExchangeHostedVoiceMail=1
This value originates from the disabled user account in the Exchange
Online resource forest and must be populated manually or through
DirSync
For example: [email protected]
SIP proxy address
For example: sip:[email protected]
EUM:[email protected];phonecontext=TESTDP01.contoso.com
eum:51212;phone-context=TESTDP01.contoso.com
SMTP:[email protected]
This value is only set for Lync users that have Online mailboxes
LyncHostedVoiceMail=1
(Enabled by Lync)
LyncHostedVoiceMail=0
(Disabled by Lync)
ExchangeHostedVoiceMail=1
(Enabled by Exchange)
ExchangeHostedVoiceMail=0
(Disabled by Exchange)
User Forest
Con-DC.Contoso.com
Con-Ex.Contoso.com
Con-Dirsync-ADFS.Contoso.com
Con-FIM.Contoso.com
TMG.Contoso.com
Lync Hosted Forest
Fab-DC.Fabrikam.com
Fab-Lync.Fabrikam.com
Fab-Edge.Fabrikam.com
O365
TechEDContoso.onmicrosoft.com
TechED-Contoso.com (Vanity
Domain)
Partner Hosted
Lync Forest
SE Pool Server
Lync SE PoolLyncServer
Lync Edge Server
Lync Edge
Server
DirSync Server
DirSync Server
Domain Controller
Domain
Controller
Fabrikam.com
Lync Reverse Proxy
Lync Reverse
Proxy
ADFS Server
ADFS Server
User Forest
Contoso.com
Domain Controller
Domain
Controller
Con
Server
ExchangeExchange
20132013
Server
Create a new user and sync with Azure AD
Enable the user for Exchange Online
Enable the user for Exchange UM
Sync with Azure AD to get the Hosted Voicemail attribute
Replicate the user details to Lync forest