Supported Active Directory Topologies
Topic Last Modified: 2011-02-23
Microsoft Lync Server 2010 communications software supports the same Active Directory Domain Services (AD DS) topologies as Microsoft Office Communications Server 2007 R2 and Microsoft Office Communications Server 2007. The following topologies are supported:
Single forest with single domain
Single forest with a single tree and multiple domains
Single forest with multiple trees and disjoint namespaces
Multiple forests in a central forest topology
Multiple forests in a resource forest topology
The following figure identifies the icons used in the illustrations in this section.
Key to topology illustrations
Single Forest, Single Domain
The simplest Active Directory topology supported by Lync Server 2010, a single domain forest, is a common topology.
The following figure illustrates a Lync Server deployment in a single domain Active Directory topology.
Single domain topology
Single Forest, Multiple Domains
Another Active Directory topology supported by Lync Server is a single forest that consists of a root domain and one or more child domains. In this type of Active Directory topology, the domain where you create users can be different from the domain where you deploy Lync Server. However, if you deploy a Front End pool, you must deploy all the Front End Servers in the pool within a single domain. Lync Server support for Windows universal administrator groups enables cross-domain administration.
The following figure illustrates a deployment in a single forest with multiple domains. In this figure, a user icon shows the domain where the user account is homed, and the arrow points to the domain where the Lync Server pool resides. User accounts include the following:
User accounts within the same domain as the Lync Server pool
User accounts in a different domain from the Lync Server pool
User accounts in a child domain of the domain with the Lync Server pool
Single forest with multiple domains
Single Forest, Multiple Trees
A multiple-tree forest topology consists of two or more domains that define independent tree structures and separate Active Directory namespaces.
The following figure illustrates a single forest with multiple trees. In this figure, a user icon shows the domain where the user account is homed, a solid line points to a Lync Server pool that resides in the same or a different domain, and a dashed line points to Lync Server pool that resides in a different tree. User accounts include the following:
User accounts within the same domain as the Lync Server pool
User accounts in a different domain from (but the same tree as) the Lync Server pool
User accounts in a different tree from the Lync Server pool
Single forest with multiple trees
Multiple Forests, Central Forest
Lync Server 2010 supports multiple forests that are configured in a central forest topology. Central forest topologies use contact objects in the central forest to represent users in the other forests. The central forest also hosts user accounts for any users in this forest. A directory synchronization product, such as Microsoft Identity Integration Server (MIIS), Microsoft Forefront Identity Manager (FIM) 2010, or Microsoft Identity Lifecycle Manager (ILM) 2007 Feature Pack 1 (FP1), manages the life cycle of user accounts within the organization: When a new user account is created in one of the forests or a user account is deleted from a forest, the directory synchronization product synchronizes the corresponding contact in the central forest.
A central forest has the following advantages:
Servers running Lync Server are centralized within a single forest.
Users can search for and communicate with other users in any forest.
Users can view presence of other users in any forest.
The directory synchronization product automates the addition and deletion of contact objects in the central forest as user accounts are created or removed.
The following figure illustrates a central forest topology. In this figure, there are two-way trust relationships between the domain that hosts Lync Server, which is in the central forest, and each user-only domain, which is in a separate forest. The schema in the separate user forests does not need to be extended.
Central forest topology
Multiple Forests, Resource Forest
In a resource forest topology, one forest is dedicated to running server applications, such as Microsoft Exchange Server and Lync Server. The resource forest hosts the server applications and a synchronized representation of the active user object, but it does not contain logon-enabled user accounts. The resource forest acts as a shared services environment for the other forests where user objects reside. The user forests have a forest-level trust relationship with the resource forest. When you deploy Lync Server in this type of topology, you create one disabled user object in the resource forest for every user account in the user forests. If Microsoft Exchange is already deployed in the resource forest, the disabled user accounts might already exist. A directory synchronization product, such as MIIS, Microsoft Forefront Identity Manager (FIM) 2010, or Microsoft Identity Lifecycle Manager (ILM) 2007 Feature Pack 1 (FP1), manages the life cycle of user accounts. When a new user account is created in one of the user forests or a user account is deleted from a forest, the directory synchronization product synchronizes the corresponding user representation in the resource forest.
This topology can be used to provide a shared infrastructure for services in organizations that manage multiple forests or to separate the administration of Active Directory objects from other administration. Companies that need to isolate Active Directory administration for security reasons often choose this topology.
This topology provides the benefit of limiting the need to extend the Active Directory schema to a single forest (that is, the resource forest).
The following diagram illustrates a resource forest topology.
Resource forest topology