
Sunday, October 8, 2017

Exchange/SFB - UM Cross Forest with Selective Trust - Part 1

This will be a series on integrating Exchange Unified Messaging and Skype For Business in a cross-forest scenario, with a Selective Trust configured.
My Exchange 2016 environment resides in a Resource Forest with a Selective Trust configured to ensure security between our US and Rest-of-World (ROW) forests.

Our Skype For Business resides in the Accounts Forest, because management didn't want multiple SFB environments in multiple Resource Forests. I was overruled on that (not-so-smart) decision.

This causes some problems when configuring Dial Plans with Unified Messaging because the SFB servers need to be able to authenticate against Exchange in order to configure Auto Attendants.

When running the OCSUmUtil in the Accounts Forest with a Selective Trust, the Dial Plans will come up empty. This is because the SFB servers are blocked from authenticating on the Resource Forest and can't read the config.


To allow authentication, the following groups from the Accounts Forest need to be set as "Allowed to Authenticate" on the Exchange servers and the Domain Controllers in the Resource Forest:

RTCComponentUniversalServices

RTCUniversalServerAdmins

RTCUniversalUserAdmins


To easily add those groups and keep a clean Active Directory, I suggest following my previous post on creating a Selective Trust Security Group in the Accounts Forest, and then following my other post to set the Selective Trust auth permissions.

If you just want to quickly grant those groups Allowed to Authenticate, do the following:

1. Log onto a domain controller in your Resource Forest

2. Open Active Directory Users and Computers (ADUC)

3. Click View

4. Select Advanced Features

5. Browse to the OU where the Exchange Server(s) you are trying to authenticate to are located

6. Right-click the Exchange server objects, then select Properties, then the Security tab

7. Add the RTCComponentUniversalServices; RTCUniversalServerAdmins; RTCUniversalUserAdmins groups

8. Grant Allowed to authenticate rights

9. Click Apply, then OK.

10. Browse to the Domain Controllers OU.

11. Browse to the OU where the DCs you are trying to authenticate to are located

12. Right-click the DC objects, then select Properties, then the Security tab

13. Add the RTCComponentUniversalServices; RTCUniversalServerAdmins; RTCUniversalUserAdmins groups

14. Grant Allowed to authenticate rights

15. Click Apply, then OK
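The same grant can be checked and applied from PowerShell on a Resource Forest domain controller. This is an added example, not part of the original post: the `ACCOUNTS` domain name, both OU paths and the `-Apply` switch are placeholders or assumptions, and the GUID is the rightsGuid of the "Allowed to Authenticate" extended right. Without `-Apply` it only reports which computer objects are missing the right, which is also a quick way to audit that no more objects than intended are exposed through the Selective Trust.

```powershell
# Added example. ACCOUNTS and both OU paths are placeholders; substitute your own.
param([switch]$Apply)   # without -Apply the script only reports what is missing
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

$AccountsDomain = 'ACCOUNTS'
$Groups = 'RTCComponentUniversalServices', 'RTCUniversalServerAdmins', 'RTCUniversalUserAdmins'
$SearchBases = 'OU=Exchange Servers,DC=resource,DC=example',
               'OU=Domain Controllers,DC=resource,DC=example'

# rightsGuid of the "Allowed to Authenticate" extended right
$AllowedToAuth = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
$ExtRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$SidType = [System.Security.Principal.SecurityIdentifier]

# Resolve the Accounts Forest groups to SIDs across the trust; abort if one fails
$Principals = foreach ($name in $Groups) {
    $account = [System.Security.Principal.NTAccount]"$AccountsDomain\$name"
    [pscustomobject]@{ Name = $name; Sid = $account.Translate($SidType) }
}

foreach ($base in $SearchBases) {
    foreach ($computer in Get-ADComputer -SearchBase $base -Filter *) {
        $path = "AD:\$($computer.DistinguishedName)"
        $acl = Get-Acl -Path $path
        # Explicit and inherited ACEs, with identities returned as SIDs
        $rules = $acl.GetAccessRules($true, $true, $SidType)
        $dirty = $false
        foreach ($p in $Principals) {
            $hasRight = $rules | Where-Object {
                $_.IdentityReference.Value -eq $p.Sid.Value -and
                $_.AccessControlType -eq $Allow -and
                ($_.ActiveDirectoryRights -band $ExtRight) -and
                $_.ObjectType -in $AllowedToAuth, [guid]::Empty  # empty = all extended rights
            }
            if ($hasRight) { continue }
            Write-Output "$($computer.Name): $($p.Name) lacks Allowed to Authenticate"
            $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $p.Sid, $ExtRight, $Allow, $AllowedToAuth)
            $acl.AddAccessRule($rule)
            $dirty = $true
        }
        if ($Apply -and $dirty) { Set-Acl -Path $path -AclObject $acl }
    }
}
```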

Now give it some time for replication.

In the next post I'll show you how to configure the UM certs to allow SFB and Exchange to communicate over TLS.
