Multiple forests, resource topology: Cannot find the object "CrossRef" in Active Directory

    Question

  • Hi,

    I have two separate AD forests in my infrastructure (ABC.com & XYZ.local).

    ABC.com has just a single domain
    XYZ.local has a child domain; live.XYZ.local

    There is a two-way domain trust in place between all domains in both forests.

    Users exist in ABC.com and in live.XYZ.local, but not in the parent XYZ.local.

    I have chosen the "Multiple Forests, Resource" topology for my deployment. 

    I have installed Lync in XYZ.local, ran schema preparation, forest preparation and domain preparation without any issue. However, when I come to run only the domain preparation in ABC.com (where users are homed), the previous steps (schema, forest etc.) appear as incomplete, thus I am unable to proceed to prepare the domain.

    From my understanding of my topology (that being 'Multiple Forests, Resource...'), the Lync server must be installed in a Resource domain (i.e. XYZ.local), with schema prep and forest prep. Then, on my other forest, in the domain which contains users (ABC.com), upon launching the Lync 2010 Deployment Wizard, the task "Determining Active Directory state" should detect that my Resource domain has a schema prep and forest prep, thus allow me to jump straight to the domain prep in my user forest.

    However, this is not the case. 

    I tried running the domain prep with PowerShell but received an error;

    Error: Cannot find the object "CrossRef" in Active Directory

    Now, I have seen this error on some existing TechNet forums, but they relate to the prep of child domains in a single forest. This is not the same for me. I have two forests, with users in one but not the other.

    Can anyone think what I may be doing wrong, or if possibly there is an issue here I am unaware of?

    Regards,
    Christian

    Saturday, October 05, 2013 9:24 PM

Answers

  • Hi,

    In the resource forest model, you do not prep the user domain. The Lync server will be installed in the resource domain, and user objects will be replicated from the user domain and created in the resource domain with the relevant attributes.

    Below is the article from TechNet describing the topology. I have written a blog about creating users in a resource forest using PowerShell instead of FIM. It could be helpful for you.

    http://technet.microsoft.com/en-us/library/gg398173.aspx

    http://thamaraw.com/2012/08/15/substitution-for-fim-in-lync-server-resource-forrestdomain-deployment/

    Sunday, October 06, 2013 2:01 AM

All replies

  • Check the steps to deploy Lync Server 2010 in resource forest topology at

    http://technet.microsoft.com/en-us/library/gg670911(v=ocs.14).aspx


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Monday, October 07, 2013 8:25 AM
  • Hi Praveen,

    Many thanks for your prompt response. From my understanding, I should run the AD preparations (Schema, Forest, Domain) only in the Resource forest, thus no preps in my user forest. The only work I need to do to bring in my user objects from my user forest is with your PowerShell cmdlets or alternatively using FIM.

    As it stands for me, I have the following work complete;

    My Resource forest (XYZ.local) has been fully prepped (Schema, Forest, Domain)

    My User forest (ABC.com) has no prep complete.

    To wrap this up, I just need to create disabled users of ABC.com in XYZ.local.

    Is this all that I need to do now?

    Regards,
    Christian

    Monday, October 07, 2013 9:48 AM
  • That sounds right; check this article against your scenario.

    http://technet.microsoft.com/en-us/library/gg670911(v=ocs.14).aspx


    Praveen | MCSE Messaging 2003

    Monday, October 07, 2013 11:47 AM
  • Thanks again. So I am certain that my scenario is Case 2. Can you provide me with any help on creating these disabled user accounts using FIM?

    The article (http://technet.microsoft.com/en-us/library/gg670913(v=ocs.14).aspx) mentions I "...must create a custom management agent by using Microsoft Forefront Identity Manager 2010 or Microsoft Identity Lifecycle Manager 2007 FP1" to synchronize the user accounts from the different forests as disabled user accounts to the forest where Lync Server is deployed.

    Do you have any instructions on how I create a custom management agent?

    Monday, October 07, 2013 11:51 AM
  • Once the disabled account is created, run the SID mapping tool (sidmap.wsf) after you create the Lync account for the disabled users.

    The SID mapping tool is available in the resource kit.

    http://technet.microsoft.com/en-us/library/gg670903(v=ocs.14).aspx


    Praveen | MCSE Messaging 2003


    Monday, October 07, 2013 12:09 PM
  • How do I create the disabled account? I assume this is part of FIM that will create it for me, or am I to manually create them with ADUC?
    Monday, October 07, 2013 1:38 PM
  • Check the blog that I posted above. It can be done using PowerShell scripts or FIM. My blog explains how to do it using PowerShell.

    Monday, October 07, 2013 2:44 PM
  • What happens when a new user account is created in the user forest; do I need to manually re-run your PowerShell, or does it keep a consistent sync?
    Monday, October 07, 2013 2:47 PM
  • Hi Thamara,

    I ran your PS cmdlets up until the following:

    # Earlier steps of the guide must already have run: Import-Module ActiveDirectory,
    # and $domain, $DC and $ADSrcGrp (the source security group) must be set.
    Get-ADUser -SearchScope Subtree -SearchBase $domain `
        -Filter 'memberOf -RecursiveMatch $ADSrcGrp.DistinguishedName' -Server $DC `
        -Properties ObjectSID,name,samAccountName,displayName,givenName,surName,mail |
    ForEach-Object {
        # Create the matching disabled account in the resource forest, carrying the
        # source account's SID in msRTCSIP-OriginatorSid
        New-ADUser -Name $_.name -SamAccountName $_.samAccountName -DisplayName $_.displayName `
            -GivenName $_.givenName -SurName $_.surName -EmailAddress $_.mail `
            -OtherAttributes @{'msRTCSIP-OriginatorSid' = $_.ObjectSID} `
            -Path 'OU=AU,DC=fabrikam,DC=local' `
            -UserPrincipalName "$($_.samaccountname)@fabrikam.local" `
            -AccountPassword (ConvertTo-SecureString -AsPlainText 'P@ssw0rd' -Force) `
            -PasswordNeverExpires $true -Enabled $false
    }

    However, the users have not been created in my Resource forest. I of course amended the paths to my environment. There were no errors in PowerShell.

    Can you think of what may have gone wrong? 

    To clarify - I ran the above cmdlets on my Resource forest with a domain admin account.

    Regards,
    Christian

    Monday, October 07, 2013 8:42 PM
  • There is stuff that you missed above, like importing the AD module and referring to an AD group to get the user IDs in the resource forest. Those have to be there first. And post the error code that you get in here.

    Monday, October 07, 2013 11:19 PM
  • Dear Christian, please don't complicate yourself. Try to enable Lync for a single account first, then do it for all.

    Reply to me with the below queries and check whether these things are in place:

    1) Do you have Exchange in the org? If yes, where is it, in the resource forest or the user forest?

    2) You will have a disabled account where your Lync is installed; you'll enable Lync for the disabled account where Lync is installed.

    3) If Exchange is installed in the resource forest, then the disabled account will already be there.

    4) If there is no Exchange in the resource forest, then use the LcsSync tool to sync users as contact objects. Populate the required attribute, msRTCSIP-OriginatorSID.

    http://technet.microsoft.com/en-us/library/gg670906(v=ocs.14).aspx


    Praveen | MCSE Messaging 2003

    Tuesday, October 08, 2013 6:47 AM
  • I actually ran all your scripts, including the Import-Module. I realise that I was following your guide too closely, as I noticed you had a security group "lync_users", but you did not mention adding the users to it. Only when I looked back at what it was trying to do, I realised it was importing an empty sec. group. I simply added the users to the "lync_users" group and I can now see my users as disabled in my Resource.

    Also - there is a typo on "mcRTCSIP..." as it is "msRTC..." but still a great guide! If you could update the guide I think it will help people in future.

    Tuesday, October 08, 2013 1:05 PM
  • Hi Praveen,

    1) I do not have Exchange in my Resource forest. Exchange is still in the User forest. It will be moved at some point, so I don't already have disabled users.

    4) What is LcsSync tool? The page does not seem to want to load for me - http://technet.microsoft.com/en-us/library/gg670906(v=ocs.14).aspx. Can you explain a little on this?

    Regards,
    Christian

    Tuesday, October 08, 2013 1:06 PM
  • Good to know that you got it working using Thamara's script.

    The LcsSync tool is the same tool that was mentioned before for SID mapping. The link is working; just remove the dot at the end.

    http://technet.microsoft.com/en-us/library/gg670906(v=ocs.14).aspx

    http://technet.microsoft.com/en-us/library/gg670903(v=ocs.14).aspx


    Praveen | MCSE Messaging 2003

    Tuesday, October 08, 2013 1:15 PM
  • The LyncSync tool will only work if you have Exchange in the resource forest. Check the below thread. And thanks for pointing out the typo and user group configuration; I'll do the needful to fix it.

    http://technet.microsoft.com/en-us/library/gg670903(v=ocs.14).aspx

    Tuesday, October 08, 2013 2:40 PM
  • Thanks! Now that I have my disabled users in my Resource forest, I will see if they work with Lync this evening. Hopefully post back positive information tomorrow.
    Tuesday, October 08, 2013 4:38 PM
  • Hi Thamara,

    If I rerun the PowerShell, will it cause any harm to the users I have already copied over? I.e. when I rerun the PS, will it replace anything in ADSIEDIT that Lync will rely on?

    Can you see any issue if I had the PS running every 15 minutes, to pick up new user objects created in the User forest?

    Regards,
    Christian

    Tuesday, October 08, 2013 9:20 PM
  • It will skip over what has already been replicated to the resource end and will create any new objects found in the user forest.

    Tuesday, October 08, 2013 10:47 PM
  • Great, thanks!
    Friday, October 11, 2013 2:22 PM
  • Hi Thamara,

    In my test lab, where your PowerShell worked for me, my DCs were all Windows 2008 R2. However, in my live environment, the DC in my user forest is Windows 2003 native. When I run the commands, I receive the below PowerShell error:

    Get-ADGroup : Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running...

    I don't see AD web services on this DC. Does 2003 support this?

    Can you help?

    Regards,
    Christian

    Monday, October 21, 2013 5:07 PM
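Two points in this thread lend themselves to a worked script: the rerun question (whether copying users every 15 minutes is safe), and the closing error, where Get-ADGroup cannot reach the Windows Server 2003 DC because the Active Directory module talks to Active Directory Web Services, which 2003 does not ship (the separate Active Directory Management Gateway Service can add it to 2003 SP2 DCs; otherwise plain LDAP is the fallback). The script below is an added example written for this page; it is not Thamara's script and not taken from the linked TechNet articles. It reads the user-forest group over plain LDAP with System.DirectoryServices, so it works against a 2003 DC without ADWS; it creates disabled accounts in the resource forest only for source users that do not already have one, matched on msRTCSIP-OriginatorSid, so reruns are idempotent; and it reports resource accounts whose source user has left the group instead of deleting them. The server names, the base DN, the group DN, the target OU and the UPN suffix are placeholders, and the group name lync_users is borrowed from the thread.

```powershell
# Added example for this thread (not Thamara's script, not from the TechNet
# articles). Every name below is a placeholder for the ABC.com / XYZ.local forests.
Import-Module ActiveDirectory   # needed only for the resource-forest side (ADWS there)

$UserForestDC      = 'dc01.abc.com'                          # placeholder; may be a 2003 DC
$UserForestBaseDN  = 'DC=abc,DC=com'                         # placeholder
$SourceGroupDN     = 'CN=lync_users,OU=Groups,DC=abc,DC=com' # placeholder; group name from the thread
$ResourceDC        = 'dc01.xyz.local'                        # placeholder; must run ADWS
$TargetOU          = 'OU=LyncUsers,DC=xyz,DC=local'          # placeholder
$ResourceUpnSuffix = 'xyz.local'                             # placeholder

function ConvertTo-LdapFilterValue([string]$Value) {
    # Escape the characters RFC 4515 reserves inside a filter assertion value.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-Attr($Props, [string]$Name) {
    # Indexing an absent attribute in a ResultPropertyCollection throws; return $null instead.
    if ($Props.Contains($Name) -and $Props[$Name].Count -gt 0) { $Props[$Name][0] } else { $null }
}

function Get-SourceUsers {
    # Plain LDAP through System.DirectoryServices: no Active Directory Web Services
    # required, so this works where Get-ADUser against a 2003 DC does not.
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$UserForestDC/$UserForestBaseDN")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $groupDn  = ConvertTo-LdapFilterValue $SourceGroupDN
    # 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) resolves nested membership,
    # like -RecursiveMatch in the thread's filter; supported from Windows Server 2003 SP2.
    $searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$groupDn))"
    $searcher.PageSize = 500   # paged results, so groups larger than the server limit still come back whole
    foreach ($a in 'name', 'sAMAccountName', 'displayName', 'givenName', 'sn', 'mail', 'objectSid') {
        [void]$searcher.PropertiesToLoad.Add($a)
    }
    foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties
        $sidBytes = [byte[]](Get-Attr $p 'objectsid')
        [PSCustomObject]@{
            Name           = [string](Get-Attr $p 'name')
            SamAccountName = [string](Get-Attr $p 'samaccountname')
            DisplayName    = [string](Get-Attr $p 'displayname')
            GivenName      = [string](Get-Attr $p 'givenname')
            Surname        = [string](Get-Attr $p 'sn')
            Mail           = [string](Get-Attr $p 'mail')
            Sid            = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
        }
    }
}

function Get-ExistingResourceAccounts {
    # Index resource-forest accounts by the source SID held in msRTCSIP-OriginatorSid,
    # so a rerun recognises what an earlier run created instead of trying to recreate it.
    $index = @{}
    Get-ADUser -Server $ResourceDC -SearchBase $TargetOU -LDAPFilter '(msRTCSIP-OriginatorSid=*)' `
               -Properties 'msRTCSIP-OriginatorSid' | ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier(([byte[]]$_.'msRTCSIP-OriginatorSid'), 0)
        $index[$sid.Value] = $_
    }
    $index
}

function Sync-ResourceAccounts {
    param([switch]$WhatIf)
    $source   = @(Get-SourceUsers)
    $existing = Get-ExistingResourceAccounts
    $created = 0; $skipped = 0; $failed = @()
    foreach ($u in $source) {
        if ($existing.ContainsKey($u.Sid)) { $skipped++; continue }   # already copied: leave it untouched
        $sidObj   = New-Object System.Security.Principal.SecurityIdentifier($u.Sid)
        $sidBytes = New-Object byte[] $sidObj.BinaryLength
        $sidObj.GetBinaryForm($sidBytes, 0)
        # The account stays disabled; give it a throw-away random password rather than a shared one.
        $password = ConvertTo-SecureString -AsPlainText ("{0}{1}" -f [guid]::NewGuid(), [guid]::NewGuid()) -Force
        $params = @{
            Server = $ResourceDC; Path = $TargetOU; Name = $u.Name; SamAccountName = $u.SamAccountName
            UserPrincipalName = "$($u.SamAccountName)@$ResourceUpnSuffix"
            AccountPassword = $password; Enabled = $false
            OtherAttributes = @{ 'msRTCSIP-OriginatorSid' = $sidBytes }
        }
        foreach ($opt in @{ DisplayName = $u.DisplayName; GivenName = $u.GivenName; Surname = $u.Surname; EmailAddress = $u.Mail }.GetEnumerator()) {
            if ($opt.Value) { $params[$opt.Key] = $opt.Value }   # omit attributes the source left empty
        }
        try { New-ADUser @params -WhatIf:$WhatIf; $created++ }
        catch { $failed += "$($u.SamAccountName): $($_.Exception.Message)" }
    }
    # Resource accounts whose source user is no longer in the group: report them, never delete here.
    $sourceSids = @{}; foreach ($u in $source) { $sourceSids[$u.Sid] = $true }
    $orphaned = @($existing.Keys | Where-Object { -not $sourceSids.ContainsKey($_) } | ForEach-Object { $existing[$_].SamAccountName })
    [PSCustomObject]@{ Created = $created; Skipped = $skipped; Failed = $failed; Orphaned = $orphaned }
}

Sync-ResourceAccounts -WhatIf   # dry run first; drop -WhatIf to create the accounts
```

Run it once with -WhatIf to see what would be created, then schedule it without the switch; because existing accounts are matched on the source SID rather than on name, a rerun leaves earlier accounts (and whatever Lync has since written to them) alone, and the Orphaned list is what to review after someone leaves the source group.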