SIDmapping.wsf in 2008 Active Directory

  • Question

  • We are implementing OCS in a resource forest with a 2008 AD as a top level forest. After creating forest trusts with the underlying forests we will have to map the user SIDs of the accounts in the user forests with the SIDs in the top level forest. To do this we need to apply SID mapping using the sidmapping.wsf script from the OCS resource kit. Unfortunately the script seems to only work with a 2003 AD. Has anyone got it running with a 2008 AD?

    According to my colleague the SID mapping script is not working in AD 2008. He is not able to run the script (there is no error either).

    Has anyone been successful in changing the script to let it run from a 2008 AD?

    Are there any security settings that need to be changed to make the script run? It has been run by the forest admin.
    Tuesday, September 29, 2009 12:51 PM

All replies

  • Hello Thomas,

    What is the error you are getting? Have you extended the 2008 AD schema for Exchange? In my test environment I am able to run the script on a Windows 2008 server without any change. Please elaborate more on your failure so that we are able to help out.

    Tuesday, October 13, 2009 8:22 AM
  • Hi Antenehe,

    We are not getting any errors. The script is just not running. But my colleague has informed me that he has not implemented the Exchange schema in the top level forest, so that explains why the script wouldn't run. It is missing the necessary AD attributes.

    So now my question is: can we do SID mapping without having the Exchange schema enrolled? In this case do we have to add the attributes manually in the top level forest?


    Tuesday, October 13, 2009 9:39 AM
  • Hi Thomas

    All you need to do is to add the user's SID (from the user domain) as msRTCSIP-OriginatorSid to the corresponding user object in the resource forest.

    Tuesday, October 13, 2009 10:06 AM
  • Hi Thomas,

    If the AD schema is not extended for Exchange then you can't run the sidmapping tool. What it does is copy the value of the attribute msExchMasterAccountSid to msRTCSIP-OriginatorSid. If you do not have Exchange then your scenario seems like a central forest topology, so why don't you follow the central forest steps in the Multi forest deployment guide. If you do not have the guide please look it at


    Wednesday, October 14, 2009 8:44 PM
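
Added example, not part of the thread and not code from the OCS resource kit: an offline check, run after the mapping has been applied by script or by hand, that each resource-forest object carries the binary SID of the matching user-forest account in msRTCSIP-OriginatorSid. It assumes both forests have been exported to Python dicts and that sAMAccountName is the same on both sides; the function names and all sample SIDs are constructed for illustration.

```python
import struct

def sid_to_string(raw):
    """Decode a binary SID (revision, count, 48-bit authority, LE sub-authorities)."""
    if len(raw) < 8 or raw[0] != 1 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)

def make_sid(*subs):
    """Build a binary SID under authority 5; used only for the constructed samples."""
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def audit_originator_sids(user_accounts, resource_objects):
    """Return (account, problem) pairs for every bad msRTCSIP-OriginatorSid."""
    findings, seen = [], {}
    for obj in resource_objects:
        name = obj["sAMAccountName"]          # assumed join key between forests
        raw = obj.get("msRTCSIP-OriginatorSid")
        if raw is None:
            findings.append((name, "missing"))
            continue
        try:
            sid = sid_to_string(raw)
        except ValueError:
            findings.append((name, "malformed"))
            continue
        if user_accounts.get(name) != raw:    # not the objectSid of the same user
            findings.append((name, "mismatch"))
        if sid in seen:                       # one user-forest SID on two objects
            findings.append((name, "duplicate of " + seen[sid]))
        seen.setdefault(sid, name)
    return findings

# Constructed sample exports: user forest objectSid values and resource forest objects.
USER_FOREST = {n: make_sid(21, 1111, 2222, 3333, rid)
               for n, rid in [("alice", 1104), ("bob", 1105), ("carol", 1106)]}
RESOURCE_FOREST = [
    {"sAMAccountName": "alice", "msRTCSIP-OriginatorSid": USER_FOREST["alice"]},
    {"sAMAccountName": "bob"},                                         # never mapped
    {"sAMAccountName": "carol", "msRTCSIP-OriginatorSid": USER_FOREST["alice"]},
    {"sAMAccountName": "dave", "msRTCSIP-OriginatorSid": b"\x01\x05\x00"},  # truncated
]

if __name__ == "__main__":
    for account, problem in audit_originator_sids(USER_FOREST, RESOURCE_FOREST):
        print(account, problem)
```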
  • Hi Antenehe,

    Yep. We have considered a central forest topology. The customer will not implement MIIS so we will have to use their current meta directory applications to do the trick.

    Friday, October 16, 2009 7:12 AM