HowTo: Office Communicator 2007 R2 in Multiple Forests, Resource Forest Topology
Nov 13th 2009 | Desmond Lee | Communications Server 2010 (Wave 14) / LCS/OCS 2007 R2
The “Multiple Forests, Resource Forest”* topology is one of several supported topologies in Active Directory. It requires setting up a separate resource forest that hosts enterprise applications, such as Exchange 2007/2010 and OCS 2007 R2, with disabled user accounts or contacts matching the logon-enabled users in the user forests. Changes and impact to the latter are minimal, and account provisioning and management can be automated with tools such as Identity Lifecycle Manager 2007 FP1 (ILM).
If you deploy certificates on OCS 2007 R2 server roles (in the resource forest) from CAs that are not listed in the Trusted Root Certification Authorities store on the local machine (in the user forest), the now infamous message below is likely to surface, and it can remain unresolved even after the certificate has been added to the correct certificate store.
---------------------------
Office Communicator
---------------------------
There was a problem verifying the certificate from the server. Please contact your system administrator.
---------------------------
OK
---------------------------
The error may persist even after you specify the IP address of the user’s home (R2 front-end) server. The trick is to enable DNS resolution for the resource forest from the user forest, where the user is running MOC R2, via DNS forwarders or stub zones. This enables the sign-in address** (the user account/contact SIP domain) to correctly resolve to the account with matching FQDN in the resource forest. After that, it is business as usual: specify resource_forest\user_account and the password for a successful sign-in to OCS 2007 R2.
* multiple forests in a resource forest topology
** the user account in the resource forest does not necessarily have to be disabled (possible security risk)
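One way to carry out and verify the DNS step described above, as an added example that is not part of the original post. The zone name `resource.example`, the DNS server address `192.0.2.10`, the function name and the default port 5061 are placeholders or assumptions; `_sipinternaltls._tcp` is the SRV name Communicator queries for internal TLS automatic sign-in, which the post itself does not name.

```powershell
# Added example, not from the original post. All names and addresses are placeholders.
# Step 1, on a DNS server in the user forest: make the resource forest zone resolvable.
#   Conditional forwarder:  dnscmd /ZoneAdd resource.example /Forwarder 192.0.2.10
#   or stub zone:           dnscmd /ZoneAdd resource.example /Stub 192.0.2.10

# Step 2, on the workstation running MOC R2: check what the client will see.
function Test-OcsSignInPath {
    param([string]$SipDomain)   # domain part of the sign-in address

    # SRV record queried for internal TLS automatic sign-in.
    $srvName = "_sipinternaltls._tcp.$SipDomain"
    $out = nslookup -type=SRV $srvName 2>&1 | Out-String
    # Parses English nslookup output; adjust the patterns on localized systems.
    if ($out -notmatch 'svr hostname\s*=\s*(\S+)') {
        return "FAIL: $srvName does not resolve from this machine"
    }
    $target = $Matches[1]
    $port = 5061                # assumed default when no port is parsed
    if ($out -match 'port\s*=\s*(\d+)') { $port = [int]$Matches[1] }

    # The SRV target must itself resolve to an address.
    try   { $ip = [System.Net.Dns]::GetHostAddresses($target)[0] }
    catch { return "FAIL: SRV target $target has no address record" }

    # TLS handshake against the FQDN: .NET validates the chain against the local
    # trusted roots and the certificate name against $target.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($target, $port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream())
        $ssl.AuthenticateAsClient($target)
        return "OK: $target ($ip):$port presents a certificate trusted for that name"
    } catch {
        return "FAIL: TLS to ${target}:$port - $($_.Exception.Message)"
    } finally {
        $tcp.Close()
    }
}

Test-OcsSignInPath -SipDomain 'resource.example'
```

A failure at the first check means the forwarder or stub zone is not yet effective for the client's DNS server; a failure only at the TLS step points back to the trusted root store or to a certificate name that does not match the pool FQDN.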
Reference:
Office Communications Server Resource - User Forest Topology