Configuring OCS between two domains

  • Question

  • Hi,

    Does anyone know how I can install OCS 2007 in one domain and some clients in another domain without installing an edge server? Is this possible? I have to try both scenarios: two domains in the same forest and two domains in different forests, but with a trust between them...

    Tks.

    Monday, April 16, 2007 4:30 PM

Answers

  • You have at least a couple options.  It sounds like you want to keep the OCS server(s) in only one domain, which is generally preferred.  If it's a single forest all you have to do is schema/forest/domain prep and install OCS.  If the other domain is in the same forest then you just need to run domain prep and then you should be able to enable users in that domain for OCS.

     

    If you have two separate domains that are not in the same forest then it's a little more complex.  You'll need a second account in the domain/forest that contains OCS for the users that are not in that forest.  You can either leave the account enabled and provide the password to those users or you can disable the accounts and populate their MSRTCSIP-OriginatorSID attributes with the SIDs of the real login accounts for those users (you must have a trust in place for this to work).

     

    Obviously there are DNS and certificate considerations here as well, but hopefully this information is beneficial.

     

    Z

    Tuesday, April 17, 2007 8:39 PM
    Moderator

All replies

  • Hi! Thanks for your reply. I will test it and afterwards I will post here whether it works!
    Thursday, April 19, 2007 2:50 PM
  • This problem was happening in beta 3 and now in the public beta it is not happening. I can use OC in different domains without any additional configuration. Now I'm trying to join users that are located in another location in just a workgroup. Some problems are occurring, but if you have any ideas please let me know.

    Tks for your help.
    Friday, April 27, 2007 3:40 PM
  • Hi Iloureiro,

    Can you start a new thread with the issue in your last post? Can you elaborate on what the issue is and post any errors or logs you may have?

    Monday, April 30, 2007 11:22 PM
  • Hi, I'm having the same issue. I've set up a resource forest as outlined in the multiple forest documentation. The MSRTCSIP-OriginatorSID in the resource forest is populated from the user forest SIDs. I have users that are disabled in the resource forest with Exchange 2007 installed. I'm able to sign in to OCS 2007 using Communicator Web Access but it fails when I try using Communicator 2007 (fat client).

    When I sniff the network, I see a 401 Unauthorized error. I'm logging into my fat client as:

    sign-in address: Name1@resourcedomain.com
    username: userdomain\Name1

    Am I missing something? Thank you.

    -Trung
    Thursday, May 3, 2007 4:26 PM
  • Though I've never seen it documented anywhere, in my experience the e-mail address field must be populated on the disabled user account for this to function properly.  I just configured my OCS environment for this configuration, and I could logon as soon as I populated the e-mail address and restarted the OCS services.


    Z

    Thursday, May 3, 2007 8:29 PM
    Moderator
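As an added example (not from this thread, and not Microsoft's own tooling), the following PowerShell links a disabled resource-forest account to its user-forest login account the way the accepted answer describes, and also sets the mail attribute that Z found was needed before the fat client would sign in. It assumes the ActiveDirectory module (which post-dates this 2007 thread), a trust between the two forests, an account with read rights in the user forest and write rights in the resource forest, and that the DC names, domain names and account names below are placeholders.

```powershell
# Added example, not from the thread. All names are placeholders; adjust to your forests.
Import-Module ActiveDirectory

$UserForestDc     = 'dc01.userdomain.example'      # assumed: DC in the forest where users log on
$ResourceForestDc = 'dc01.resourcedomain.example'  # assumed: DC in the forest that hosts OCS
$SamAccountName   = 'Name1'                        # assumed: same sAMAccountName in both forests
$SipAddress       = 'Name1@resourcedomain.example' # assumed SIP URI, also written to mail

# 1. The real login account in the user forest. Its SID is what OCS compares
#    against the identity of the caller authenticated across the trust.
$loginUser = Get-ADUser -Identity $SamAccountName -Server $UserForestDc

# 2. The disabled shadow account in the resource forest (the one enabled for OCS).
#    msRTCSIP-OriginatorSid is the LDAP display name of the attribute the thread
#    calls MSRTCSIP-OriginatorSID.
$shadow = Get-ADUser -Identity $SamAccountName -Server $ResourceForestDc `
                     -Properties 'msRTCSIP-OriginatorSid', 'mail'
if ($shadow.Enabled) {
    throw "Shadow account $SamAccountName is enabled; disable it before linking."
}

# 3. The attribute has octet-string syntax, so store the binary form of the SID.
$sidBytes = New-Object byte[] $loginUser.SID.BinaryLength
$loginUser.SID.GetBinaryForm($sidBytes, 0)

Set-ADUser -Identity $shadow -Server $ResourceForestDc -Replace @{
    'msRTCSIP-OriginatorSid' = $sidBytes
    'mail'                   = $SipAddress   # Z's finding: an empty mail attribute broke fat-client sign-in
}

# 4. Read back and verify: the stored SID decodes to the login account's SID,
#    the shadow account is still disabled, and mail is populated.
$check = Get-ADUser -Identity $shadow -Server $ResourceForestDc `
                    -Properties 'msRTCSIP-OriginatorSid', 'mail'
$storedSid = New-Object System.Security.Principal.SecurityIdentifier `
                 -ArgumentList @($check.'msRTCSIP-OriginatorSid', 0)
[pscustomobject]@{
    Account    = $check.SamAccountName
    Disabled   = -not $check.Enabled
    MailSet    = -not [string]::IsNullOrEmpty($check.mail)
    SidMatches = ($storedSid -eq $loginUser.SID)
}
```

Run it once per linked user; a row with Disabled, MailSet and SidMatches all True means the shadow account is in the state the thread describes, and a False in SidMatches is the first thing to check when the fat client returns 401 Unauthorized.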
  • I did this too... but I had to configure a second DNS server in the client to point to the same DNS that OCS uses. On a client that is not part of the domain (workgroup) I had to import the certificate used, too.
    Friday, May 4, 2007 12:22 PM
  • It's easier to configure DNS forwarding on your existing DNS servers rather than reconfigure all your clients.  For example, my OCS domain is called ocs.local, so I configured forwarding for that domain only to point to the OCS environment.
    Friday, May 4, 2007 12:35 PM
    Moderator
  • Thanks everyone for your input. My disabled users already have their email address filled with the SIP URI. I also had DNS forwarders enabled in both directions just to be safe. I did have LCS 2005 installed in the domain previously as well, so I'm not sure if there is any residue. Do you have any other suggestions? Also, while sniffing the network (I'm using TCP communications so that I can read the data), I noticed there are TCP Checksum Incorrect errors from the client to the OCS server prior to the 401 Unauthorized.

    Also, I'm testing client connectivity by logging into communicator beta with a disabled account on the OCS domain.

    -Trung
    Monday, May 7, 2007 1:50 PM
  • I also see a 403 Forbidden error - "Credentials provided are not authorized to act as specified from URI"; source="ocs server".

    For example, my pool name is ocspool but the server name is ocs. Does the server name and the pool name have to be the same? I do have a DNS entry that points the ocspool and the ocs server to the same IP address.
    Monday, May 7, 2007 3:55 PM
  • Hi guys,

    I had the same problem with a multi-forest environment and a client from a different domain. When I changed the config to authenticate only with NTLM in OCS, the client successfully connected.

    Tuesday, May 29, 2007 6:58 PM
  • Thanks SG, but how do I go about configuring OCS to do NTLM authentication only? It usually says NTLM/Kerberos. I've looked for that setting but to no avail.

     

    Wednesday, May 30, 2007 11:35 AM
  • On the Front-End Properties at the Pool level, you should have an Authentication tab. Under Authentication Protocol choose NTLM only.

    I think that when you have a resource forest topology (using trusts to benefit from Integrated Authentication, through the MSRTCSIP-OriginatorSID) you can only use NTLM Authentication.

    Friday, June 1, 2007 10:27 AM
  • Hi,
    I'm also trying to configure OCS between 2 domains.

    On one side, I have a server with the first domain: mocs.local, containing the DNS server and MOCS 2007.
    On the other side, and on the same LAN, I have a server with a new domain: mocs2.local.

    I also have 2 client computers with 2 different users, one for the first domain and the other for the second one:
    user1 for mocs.local
    user3 for mocs2.local

    There is an approval between these 2 domains, but I'm only able to connect to Office Communicator using the 2nd client computer, which uses a user3 that I've created in the first domain but which has no link to the user3 in the 2nd domain.

    Well, this is quite useless I admit; I was just wondering if I could make a link between the user3 in the 2 domains so I can connect to Office Communicator using user3@mocs2.local even if the MOCS is configured on the 1st server.

    Tuesday, June 19, 2007 8:23 AM
  • Hey, I have the same scenario as just discussed above, but I am having some problems. Let me write it in detail, with a bit of background on how this OCS is functioning in my environment and where it's creating a problem!

    Well, I too have a single forest with two domains in two different trees (meaning there is no child relationship between our domains). I have deployed OCS 2007 Enterprise at my "DOMAIN A" and configured and tested it; it's working perfectly.

    I set a DNS Forwarder on my "DOMAIN B" DNS Server for the DNS Server of my "DOMAIN A".

    After completing the above steps I can successfully log in to OCS using Office Communicator 2007 on the automatic configuration setting by using a USER of "DOMAIN A".

    After that I enabled a user of "DOMAIN B" to use that same POOL created on "DOMAIN A" and this operation ended successfully, but when I tried to log in from the USER ACCOUNT of the "DOMAIN B" USER it says

    "CANNOT SIGN IN TO COMMUNICATOR, BECAUSE THE SIGN-IN ADDRESS WAS NOT FOUND. PLEASE VERIFY YOUR SIGN-IN ADDRESS AND TRY AGAIN."

    The same computer of "DOMAIN B" lets me LOG IN from an account of a USER belonging to "DOMAIN A" but does not allow me to LOG IN from a "DOMAIN B" account.

    Please, if anyone has a suggestion about it, kindly reply soon.

    Thank you.

    Kazim Raza

    Thursday, September 13, 2007 1:36 PM
  • Hi,

    I'll configure OCS 2007 in an environment with two domains in different forests. The problem is there isn't a trust relationship between them. Is this essential? Or can I configure it without this trust? How can I do this?

    Tks.

    Monday, October 15, 2007 6:28 PM