Lync for external domain users

Hey Guys,

I just set up my Lync server and it works great for Domain A where everything important is located.

I have a Domain B set up at another location which is unfortunately not on the same forest (even though it should be in my opinion). My issue is that I can add users to the Lync Server Control Panel from Domain B just fine; however, I cannot get a user on a PC in Domain B to log into the Lync client at all. It doesn't work with a user I created on Domain B but does work if I am logged in to Windows as Domain B logging into a Lync account created for Domain A.

In addition, users on Domain A cannot search users on Domain B but can add them manually and the user's information comes up. What have I missed here to not allow users on Domain B to log into Lync?

This is Lync 2013 btw

March 18th, 2015 12:31pm

In that case, Domain A would act as a resource forest.  You'd want to create a disabled account in Domain A that matches the user account of the user in Domain B and populate the msRTCSIP-OriginatorSID attribute with the SID of the user account from Domain B. 

http://www.microsoft.com/en-us/download/details.aspx?id=44276

March 18th, 2015 12:55pm

Would I need to change anything on the Lync server to say that Domain A is going to be the Resource Forest?

Where do I find the msRTCSIP-OriginatorSID attribute?

March 18th, 2015 2:10pm

Nothing specific to the Lync server, but you'll need to Lync enable the accounts you create in Domain A that match the domain B users.  That attribute can be found via ADSIEdit, the attribute editor in Active Directory Users and Computers, or you can reach it via script/PowerShell.

Follow Saleesh's blog: http://blogs.technet.com/b/saleesh_nv/archive/2014/06/07/lync-2013-resource-forest-deployment-with-manual-sync-part-1.aspx through part 3 and you'll see it.

March 18th, 2015 2:26pm

Have you created a forest trust between the 2 domains? When searching for users in B domain you will need to change the location.
March 18th, 2015 2:30pm

Ok so I figured out the attributes and copying the string needed. I took the Hex string from the SID of Domain B and created a new user in Domain A and pasted the string into the msRTCSIP-OriginatorSID attribute.

So my understanding is that with the hex string in place the SID username of the user in Domain A would share with Domain B and I would add the disabled user in Domain A to the Lync Control Panel and it would then in turn find its way to the user in Domain B.  Am I correct?

March 18th, 2015 2:35pm

Yes, if trusts are in place as Bulent correctly added... that's it in a nutshell. 
March 18th, 2015 2:41pm

Yea the Trusts are in place but still won't search anyone on Domain B.

I did create a duplicate user on Domain A and copied the attributes you mentioned earlier from Domain B to Domain A but still can't login with a user account from Domain B.  Pretty odd

March 18th, 2015 5:06pm

You wouldn't see Domain B users, but you should see the Domain A copies.  You may have to start up the logger and double-check the guides to make sure you've got everything in there correctly.  There are a few blogs out there such as Saleesh's that I mentioned that are good walkthroughs to see if you missed something.
March 18th, 2015 5:24pm
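
A check for the step discussed above, as an added example that is not part of the original thread: it decodes the hex string pasted into msRTCSIP-OriginatorSID on the Domain A account and compares it with the Domain B user's SID. The function names, the account name and host names in the comments, and all SID values are constructed for illustration.

```powershell
# Added example: every SID and hex string here is a constructed sample value.
function ConvertTo-SidFromHex {
    param([Parameter(Mandatory)][string]$Hex)
    # Accept "01 05 00 ...", "0x01 0x05 ..." or an unbroken run of hex digits.
    $clean = ($Hex -replace '0x', '') -replace '[^0-9A-Fa-f]', ''
    if ($clean.Length -lt 16 -or $clean.Length % 2) { throw "Not a binary SID: $Hex" }
    $bytes = [byte[]]::new($clean.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($clean.Substring($i * 2, 2), 16)
    }
    $sid = [System.Security.Principal.SecurityIdentifier]::new($bytes, 0)
    # Reject a paste that carries bytes beyond the encoded SID.
    if ($sid.BinaryLength -ne $bytes.Length) { throw "Length mismatch in: $Hex" }
    $sid
}

function ConvertTo-HexFromSid {
    param([Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid)
    $bytes = [byte[]]::new($Sid.BinaryLength)
    $Sid.GetBinaryForm($bytes, 0)
    ($bytes | ForEach-Object { $_.ToString('X2') }) -join ' '
}

function Test-OriginatorSid {
    param([Parameter(Mandatory)][string]$StoredHex,
          [Parameter(Mandatory)][string]$UserForestSid)
    $stored = ConvertTo-SidFromHex $StoredHex
    [pscustomobject]@{
        StoredSid = $stored.Value
        Expected  = $UserForestSid
        Match     = ($stored.Value -eq $UserForestSid)
    }
}

# Constructed case 1: the hex on the Domain A account encodes the Domain B user's SID.
$domainBUserSid = 'S-1-5-21-1-2-3-1104'
$pastedHex = '01 05 00 00 00 00 00 05 15 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00 50 04 00 00'
Test-OriginatorSid -StoredHex $pastedHex -UserForestSid $domainBUserSid

# Constructed case 2: the Domain A account's own SID was pasted by mistake.
$wrongHex = ConvertTo-HexFromSid 'S-1-5-21-9-8-7-2201'
Test-OriginatorSid -StoredHex $wrongHex -UserForestSid $domainBUserSid

# Live values ('jdoe' and the host names are placeholders):
#   (Get-ADUser jdoe -Server dc.domainb.example).SID.Value
#   Get-ADUser jdoe -Server dc.domaina.example -Properties 'msRTCSIP-OriginatorSID'
```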

Have you created a forest trust between the 2 domains? When searching for users in B domain you will need to change the location.
  • Proposed as answer by Bulent Sahin Monday, March 23, 2015 9:01 PM
March 18th, 2015 6:28pm

Hi,

From your description above, the Lync topology should be Multiple Forests, Central Forest.

If it is the case, please check the configuration with the help of the link below:

https://technet.microsoft.com/en-us/library/gg670912%28v=ocs.14%29.aspx?f=255&MSPPError=-2147217396

Please check the Lync client log file, check if there are any 401/404 errors. If there is any 401 error, there may be an authentication issue. If there is any 404 error, there may be a replication issue.

You can troubleshoot the central forest topology with the help of the link below, the link is for Lync Server 2010 but similar for Lync Server 2013 as well:

https://technet.microsoft.com/en-us/library/gg670890(v=ocs.14).aspx

Best Regards,
Eason Huang

March 19th, 2015 3:11am

Ok here is what I did.  With the new account created in Domain A with the SID information matching Domain D in the Attributes, I created the user in control panel with Domain A's information.  I created Domain B's Exchange account as well to try to get the paper trail working.

I then RDP'd into a computer at Domain B and launched Domain B's user account.  When launching Lync I used the following:

DomainAusername@DomainA.local

DomainB\DomainBuseraccount

DomainBpassword

And it worked!  The only downside is, and it just may be a time thing, it won't communicate to Exchange to populate the conversation history in Outlook.

March 19th, 2015 1:15pm

Great job!  Exchange is a separate animal here.  It's using EWS for this on the backend: http://lyncuc.blogspot.com/2013/01/lync-and-exchange-web-services-ews-and.html

You'll need to ensure that the EWS information is populated when you ctrl-right click the Lync icon in the taskbar and choose Configuration Information.  You should also confirm on the DomainA account that at least the mail attribute is populated with the email address.  Where does the Exchange mailbox live?

March 19th, 2015 1:21pm

The Exchange server is in Domain A.

I think it's working now.  I did check the Domain A attributes and updated the mail attribute to point to the email setup for the Domain B user and after a minute or two I tested it and I do see the conversation history in Outlook on Domain B.  Looks like that's all working correctly now.  Weird process for it all.

Now to tackle mobile Lync lol

Thanks for your help, guys!

March 19th, 2015 1:34pm

Great to hear!  Great job!
March 19th, 2015 1:36pm

This topic is archived. No further replies will be accepted.