Configuring FIM in a Lync resource forest

As we have seen in the previous recipe, a Lync resource forest requires continuous synchronization between the accounts in the user forests and the disabled accounts that must exist in the forest where the Lync services are deployed. A directory synchronization product, such as Microsoft Forefront Identity Manager (FIM) 2010 R2, is a useful solution for propagating modifications from the user forests to the resource forest (for example, creating or deleting an account in the former will automatically create or delete the disabled account in the latter). In the following diagram, we can see a possible outline of a resource forest deployment with FIM (the Identity Manager server is drawn outside both the user forest and the resource forest to show that it does not need to be joined to either of them):


This section will be dedicated to the configuration of FIM in a resource forest scenario.

Getting ready

To install FIM 2010 R2, a SQL Server installation must be available. We can co-host the database on the FIM server or use a dedicated database server. In our scenario, we have a dedicated forest, FIMDomain.Lab. The server that will host both FIM and its SQL Server 2012 database is FIM.FIMDomain.Lab. In the following screenshot, we can see a high-level overview of the deployment:


FIM installation will require a service account, which we will call FIMService. It requires no special permissions.

Note

FIM is a complex product to deploy, and it has a heavy impact on Active Directory functionality. The information in this recipe is basic, so the recommended approach is to study and plan an FIM deployment in a test environment first.

How to do it...

  1. The first step is to install SQL Database Engine Services and Reporting Services – Native. The selection is shown in the following screenshot:

    We will not cover how to install SQL Server 2012; however, there are many dedicated resources, such as the TechNet post Installation How-to Topics at http://msdn.microsoft.com/en-us/library/cc281837(v=sql.110).aspx.

  2. We will install the Synchronization Service. We can launch the setup from the installation media (for example, D:) using D:\Synchronization Service\Synchronization Service.msi. The installer will open the Welcome page. Select Next.
  3. Then, select I accept the terms in the License Agreement and click on Next.
  4. We have to select an installation path and then click on Next.
  5. The Service Database Connection screen will ask for information about our SQL database. If we co-hosted SQL on the FIM server (installing it with the default settings), we will be able to just click on Next. If we have deployed a separate SQL server, we have to insert the connection information, as shown in the following screenshot:
  6. The FIM installation will require information about the service account (FIMService). We have to enter the username, password, and domain, and then click on Next.
  7. As we can see in the following screenshot, FIM will automatically create new security groups. We can just leave the defaults and click on Next:
  8. The next step will propose the creation of firewall rules to allow access from the clients to the FIM server. Depending on our server configuration, we can decide whether to select this option or not:
  9. Select Next and then Install in the following screen. During the installation, a backup of the encryption key file (with a .bin extension) will be created. We should keep it in a safe place outside of the server.
  10. At the end of the installation process, we have to select Finish. A logoff and logon will be required to activate the membership of the FIM security groups.
  11. We have to copy the contents of the LcsSync folder from a Lync 2013 Resource Kit installation to the FIM server. In our example, the path of the Resource Kit is C:\Program Files\Microsoft Lync Server 2013\ResKit. The path on the FIM server into which we have to copy the contents of that folder is C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions, as can be seen in the following screenshot:
  12. In our user forest, we have an OU named ActiveUsers (OU=ActiveUsers,DC=ForestB,DC=lab), which contains the accounts we will import into the resource forest.
  13. On the FIM server, we have to edit the lcscfg.xml file in the previously mentioned Extensions folder. The target-OU value must be equal to the distinguished name of the OU that contains the active accounts in the user forest (in our example, OU=ActiveUsers,DC=ForestB,DC=lab). The lcsa name parameter will be used during the configuration of the management agent. In the following screenshot, we can see the edited file:
  14. Launch the Synchronization Service Manager window, select Metaverse Designer, click on Actions, and select Import Metaverse Schema, as shown in the following screenshot:
  15. Select the Lcsmvschema.xml file from C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions, as we can see in the following screenshot:
  16. Select Tools, click on Options, and select the Enable metaverse rules extension checkbox. Click on Browse and select lcssync.dll. Click on OK, as shown in the following screenshot:
  17. In the Options screen, select the Enable Provisioning Rules Extension option and then click on OK. The option is shown in the following screenshot:
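Once the management agents have run, it is worth verifying that the resource forest actually contains one linked account per source user and that every linked account is still disabled. The following PowerShell script is an added example, not part of the book's recipe; it assumes placeholder domain controller names, the ActiveUsers OU from step 12, and that linked resource-forest accounts store the user-forest SID in the msRTCSIP-OriginatorSid attribute, as Lync resource-forest deployments do.

```powershell
# Added example (not from the book): audit a Lync resource forest after an FIM sync.
# Assumptions: DC names below are placeholders; linked accounts in the resource
# forest carry the source account's SID in msRTCSIP-OriginatorSid (binary SID).
Import-Module ActiveDirectory

$UserForestDC     = 'dc1.ForestB.lab'           # placeholder DC in the user forest
$UserSearchBase   = 'OU=ActiveUsers,DC=ForestB,DC=lab'  # OU from step 12
$ResourceForestDC = 'dc1.LyncForest.lab'        # placeholder DC in the resource forest

# 1. Source accounts that FIM should have projected into the resource forest
$sourceUsers = Get-ADUser -Server $UserForestDC -SearchBase $UserSearchBase -Filter *

# 2. Resource-forest objects that claim to be linked to an account in another forest
$linked = Get-ADUser -Server $ResourceForestDC -LDAPFilter '(msRTCSIP-OriginatorSid=*)' `
    -Properties 'msRTCSIP-OriginatorSid'

# Index linked objects by the source SID they reference (octet string -> SID text)
$bySid = @{}
foreach ($r in $linked) {
    $sid = (New-Object System.Security.Principal.SecurityIdentifier `
        ($r.'msRTCSIP-OriginatorSid', 0)).Value
    $bySid[$sid] = $r
}

$report = @(foreach ($u in $sourceUsers) {
    $match = $bySid[$u.SID.Value]
    if ($null -eq $match) {
        [pscustomobject]@{ User = $u.SamAccountName; Status = 'MISSING in resource forest' }
    } elseif ($match.Enabled) {
        # A linked account must stay disabled: if enabled, it is a logon path that
        # bypasses the user forest and should be investigated.
        [pscustomobject]@{ User = $u.SamAccountName; Status = 'ENABLED (must be disabled)' }
    } else {
        [pscustomobject]@{ User = $u.SamAccountName; Status = 'OK' }
    }
})

# 3. Orphans: linked objects whose source account no longer exists in ActiveUsers
$sourceSids = $sourceUsers | ForEach-Object { $_.SID.Value }
foreach ($sid in $bySid.Keys) {
    if ($sourceSids -notcontains $sid) {
        $report += [pscustomobject]@{ User = $bySid[$sid].SamAccountName; Status = 'ORPHAN (no source account)' }
    }
}

$report | Sort-Object Status, User | Format-Table -AutoSize
```

Run it with an account that has read access to both forests; any MISSING, ENABLED, or ORPHAN row points at a synchronization rule that is not doing what the recipe expects.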

How it works...

FIM is based on two core components: the metaverse and the connector space. The metaverse is a metadirectory (a system that collects, aggregates, and stores data from various directories and data sources, such as Active Directory). The metaverse is stored in five SQL tables where information is organized according to a schema (details about the FIM schema are available in Understanding Custom Resource and Attribute Management at http://technet.microsoft.com/en-us/library/ff519007(v=ws.10).aspx). FIM uses management agents to update data in the metaverse and in the data sources. The other component, the connector space, is a temporary storage area for entities (objects). Data is modified, deleted, or added in the connector space before flowing to the metaverse or to the data sources. A modified "shadow copy" of the data source is stored here by the management agents.
