Want to join Lync MVPs and speakers at an exclusive Pub Trivia Night tomorrow? Tweet a photo from a Lync session using the hashtag #LyncTEE for your.

Presentation transcript:

1

2

3 Lync MVP Pub Trivia Night – Invitation Only
TechEd Europe #LyncTEE
Want to join Lync MVPs and speakers at an exclusive Pub Trivia Night tomorrow? Tweet a photo from a Lync session using the hashtag #LyncTEE for your chance to attend! Two entries are randomly selected each day. Test your Lync knowledge with questions created by MVPs. Free food and drinks! Great prizes! *See official rules online.
If you don’t score an invite, you can compete on Twitter with @msftLync tomorrow at 7pm for your chance to win a Surface Pro 3!

4 www.microsoft.com/learning http://developer.microsoft.com http://microsoft.com/technet http://channel9.msdn.com/Events/TechEd

5

6 Motivation: Why Multi-Forest?
Partners: Partners are eager to offer fully functional managed Lync services
All Workloads: Want both Exchange and Lync online with all the features
Cloud First: Customers committing to the cloud
  1. Exclusively cloud
  2. Hybrid

7 Hybrid On-Premises and Cloud ❶: Lync and Exchange in different environments
[Diagram labels: Partner Hosted Private Cloud; Customer Premises (user Forest); MPLS; Internet]

8 Hybrid On-Premises and Cloud ❷: Some Lync users on premises, some Lync users online
[Diagram labels: Partner Hosted Private Cloud; Customer Premises (user Forest); PSTN; MPLS; Internet]

9 The Multi-Forest Architecture
For customers who want their online users to benefit from Enterprise Voice
[Diagram labels: Partner Hosted Private Cloud; Customer Premises; PSTN; MPLS; Internet; User Forest]

10 Key Components
❶ Exchange entirely Online
❷ Exchange is hybrid
[Diagram labels: Partner Hosted Private Cloud; Customer Premises; PSTN; MPLS; Internet; User Forest; Lync Services; Lync edge; CA; Domain Controller; Dirsync Services; Certificate Authority; Domain Controller; Exchange Edge; Exchange Server; Directory Services]
Reference: Deploying Lync in a Multi-Forest Architecture (Partner Hosted Lync with Exchange Hybrid) http://www.microsoft.com/en-us/download/details.aspx?id=44276

11 Deployment in Three Steps
  1. Build Trust
  2. Replicate user information
  3. Enable Exchange support for UM

12 Step 1: Build Trust
Two types of trust relationship are required: an AD forest trust for Lync and a federation trust for Exchange Online. In both cases, enabled user accounts reside in the Customer user forest and the Exchange Online resource forest, while disabled user accounts reside in the Lync resource forest.
Trust labels in the diagram: Forest Trust (Passthru); Federated Trust (token-based)
[Diagram labels: Exchange Online (Office 365); Customer Premises; Partner Hosted Private Cloud; MPLS; Internet; PSTN; Certificate Authority; Domain Controller; Exchange Edge; Lync Services; Lync edge; CA; Directory Services; Exchange Server; Domain Controller; DirSync Services]

13 Step 2: Replicate User Information
FIM, or an application with similar functionality, is used for Active Directory synchronization between the Customer user forest and the Lync resource forest.
O365 DirSync is used for Active Directory synchronization between the Customer user forest and the Exchange Online resource forest.
Synchronization options shown: FIM (Forefront Identity Manager) or 3rd-party solution; DirSync; AADsync
AADsync: http://msdn.microsoft.com/en-us/library/azure/dn800989.aspx
Blog: http://blogs.technet.com/b/ad/archive/2014/09/16/azure-active-directory-sync-is-now-ga.aspx
[Diagram labels: Exchange Online (Office 365); Customer Premises; Partner Hosted Private Cloud; MPLS; Internet; PSTN; Certificate Authority; Domain Controller; Exchange Edge; Lync Services; Lync edge; CA; Directory Services; Exchange Server; Domain Controller; Dirsync Services]

14 Step 3: Provision Mailbox Accounts for Exchange Online
Enable for UM support:

    # Route federated traffic by DNS SRV lookup and allow federated users
    Set-CsAccessEdgeConfiguration -UseDnsSrvRouting -AllowFederatedUsers $True -EnablePartnerDiscovery $False
    # Register Exchange Online UM as a hosting provider that shares the SIP address space
    New-CsHostingProvider -Identity UMOnline -Enabled $True -EnabledSharedAddressSpace $True -HostsOCSUsers $False -ProxyFQDN "xxxxx.um.outlook.com" -IsLocal $False -VerificationLevel UseSourceVerification
    # Point hosted voicemail at the Exchange Online UM destination for the organization
    Set-CsHostedVoicemailPolicy -Destination xxxxx.um.outlook.com -Organization "xxxxx.com"

  1. User Forest: Create enabled user accounts in the Exchange Online resource forest
  2. Lync Resource Forest: Configure the Exchange enabled user accounts
  3. Create an Exchange Mailbox
  4. Synchronize Exchange Online resource forest enabled user account with the corresponding enabled user account in the Customer user forest
  5. Enable Lync EUM routing
  6. Confirm Attribute Mapping (Customer user forest to Exchange Online resource forest)
  7. Confirm Attribute Mapping required for Exchange Rich Coexistence (Customer user forest)
The provisioning process for a new user must trigger a series of tasks that create corresponding disabled user accounts in the Lync resource forest and enabled user accounts in the Exchange Online resource forest, enable them for some or all of the Lync features, create Exchange mailboxes, push UM settings to the Lync disabled user account, and set the appropriate UM server values based on the UM dial plan they have.

15 Extract from Published Guidance
Two three-forest architectures described:
  Lync Server Dedicated with Exchange Online (Multi-tenant)
  Lync Server Dedicated with Exchange Hybrid (on-prem and Exchange Online Multi-tenant)

16 Implementation Details
Step 1: Changes to Global DNS
  1. Create/Modify internal DNS Records
  2. Create/Modify External DNS Records
Step 2: Configure customer User Forest
  1. Update Root CA (Certificate Authority)
  2. Configure the Customer user forest for SSO (single sign on) with Exchange Online
  3. Establish Directory Synchronization with the Lync Resource Forest Active Directory
  4. Automate Lync Identity Management Process
  5. Establish Directory Synchronization with the Exchange Online Resource forest Active Directory
  6. Automate Exchange Identity Management Process
  7. Order Certificates for Lync and Exchange
  8. Configure DNS to locate services in the Lync and Exchange Online resource forests
Step 3: Configure Lync Resource Forest
  1. Establish Trust
  2. Update Root CA
  3. Configure DNS to locate Services in the customer user forest and Exchange Online resource forest
  4. Prepare the Lync resource forest Active Directory for Lync
  5. Install and Configure Lync Server Using Microsoft Best Practices
  6. Install and Configure PSTN Connectivity
  7. Configure the Lync Resource Forest for Exchange Online UM
Step 4: Configure Exchange Online Resource Forest
  1. Choose your domain and set up user accounts
  2. Set up email
  3. Set up your team site and documents
  4. Set up mobile access
  5. Set up online communication tools
  6. Get everybody ready
  7. Meet compliance requirements
Ongoing ID Mgt.
Step 1: Create New AD Accounts
  1. Create New AD user accounts from an authoritative source
  2. Add attributes manually
  3. Add Exchange Online URL to IE Trusted Sites list
  4. Wait for AD replication to complete before moving to the next step
Step 2: Provision Accounts for Lync
  1. Create disabled user accounts in the Lync resource forest from the customer user forest
  2. Enable the Lync disabled user accounts from the Lync resource forest
  3. Configure disabled user accounts for Exchange Online UM
  4. Enable the disabled user accounts to receive UM messages
  5. Synchronize Lync resource forest disabled user account with Customer user forest account
  6. Optional: Enable OWA for IM integration
  7. Confirm Attribute Mapping (Customer user forest to Lync resource forest)
Step 3: Provision Mailbox Accounts for Exchange Online
  1. User Forest: Create enabled user accounts in the Exchange Online resource forest
  2. Lync Resource Forest: Configure the Exchange enabled user accounts
  3. Create an Exchange Mailbox
  4. Synchronize Exchange Online resource forest enabled user account with the corresponding enabled user account in the Customer user forest
  5. Enable Lync EUM routing
  6. Confirm Attribute Mapping (Customer user forest to Exchange Online resource forest)
  7. Confirm Attribute Mapping required for Exchange Rich Coexistence (Customer user forest)

17 Resources
Design Guide: Deploying Lync in a Multi-Forest Architecture (Partner Hosted Lync with Exchange Hybrid), Rick Varvel, Mohamad Saleem and Dave Howe http://www.microsoft.com/en-us/download/details.aspx?id=44276
AADsync: http://msdn.microsoft.com/en-us/library/azure/dn800989.aspx
Blog: http://blogs.technet.com/b/ad/archive/2014/09/16/azure-active-directory-sync-is-now-ga.aspx
Azure Active Directory Synchronization Services, or AAD Sync, is the new synchronization service that will allow customers to do the following:
  Synchronize multi-forest Active Directory environments without needing the full-blown features of Forefront Identity Manager 2010 R2.
  Advanced provisioning, mapping and filtering rules for objects and attributes, including support for syncing a very minimal set of user attributes (only 7!)
  Configuring multiple on-premises Exchange organizations to map to a single AAD tenant
Building upon MIIS, ILM, and FIM, the Azure Active Directory Sync Services provides the next platform for connecting to data sources, synchronizing data between data sources, as well as the provisioning and deprovisioning of identities.

18

19 Lync Server with Exchange Online (Multi-tenant)
Lync Server with Exchange Hybrid (Online Multitenant with on-premises)

20 Partner Hosted Private Cloud Customer Premises PSTN MPLS Internet User Forest Teched-Contoso.com Fabrikam.com Contoso.com

21

22
Record Type | Name | Points To …
A | autodiscover.contoso.com | IP of Reverse Proxy Server or CAS Array VIP in the Exchange resource forest Perimeter Network
A | owa.contoso.com | IP of Reverse Proxy Server or CAS Array VIP in the Exchange resource forest Perimeter Network
A | mail.contoso.com | IP of Reverse Proxy Server or CAS Array VIP in the Exchange resource forest Perimeter Network
MX | mail.contoso.com | IP of Exchange Edge server (SMTP transport) in the Exchange resource forest Perimeter Network
SRV | _autodiscover._tcp.contoso.com | mail.contoso.com A record, which in turn points to the IP of Reverse Proxy Server or CAS Array VIP in the Exchange resource forest Perimeter Network

23
Record Type | Name | Points To …
A | sip.contoso.com | IP of Access Edge Server / VIP in Lync resource forest Perimeter Network
A | meet.contoso.com | IP of Reverse Proxy Server / VIP in Lync resource forest Perimeter Network
A | autodiscover.contoso.com | IP of Reverse Proxy Server / VIP in Lync resource forest Perimeter Network
A | lyncdiscover.contoso.com | IP of Reverse Proxy Server / VIP in Lync resource forest Perimeter Network
SRV | _sip._tls.contoso.com (5061) | sip.contoso.com A record, which in turn points to the IP of Access Edge Server / VIP in Lync resource forest Perimeter Network
SRV | _sipfederationtls._tcp.contoso.com | sip.contoso.com A record, which in turn points to the IP of Access Edge Server / VIP in Lync resource forest Perimeter Network

24

25

26
Cn | lyncUser1
ObjectSID | SIDlyncUser1 | Not used
msRTCSIP-OriginatorSID | Not used | SIDlyncUser1
telephoneNumber | 1 425 555-1234
displayName | lyncUser1
givenName | lyncUser1
l (city) | Redmond
st (state) | WA
Country | U.S.A

27
Mail | lyncUser1@contoso.com
  This value originates from the disabled user account in the Exchange Online resource forest and must be populated manually or through DirSync. For example: lyncUser1@contoso.com
proxyAddresses |
  EUM:lyncUser1@contoso.com;phone-context=TESTDP01.contoso.com
  eum:51212;phone-context=TESTDP01.contoso.com
  SMTP:lyncUser1@contoso.com
  sip:lyncUser1@contoso.com
  SIP proxy address. For example:
  sip:lyncUser1@contoso.com
  EUM:lyncUser1@contoso.com;phone-context=TESTDP01.contoso.com
  eum:51212;phone-context=TESTDP01.contoso.com
  SMTP:lyncUser1@contoso.com
msExchUCVoicemailSettings | ExchangeHostedVoiceMail=1
  This value is only set for Lync users that have Online mailboxes.
  LyncHostedVoiceMail=1 (Enabled by Lync)
  LyncHostedVoiceMail=0 (Disabled by Lync)
  ExchangeHostedVoiceMail=1 (Enabled by Exchange)
  ExchangeHostedVoiceMail=0 (Disabled by Exchange)
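Added example (not part of the original presentation): a small audit of the attribute mapping shown on slides 26 and 27, run over exported account attributes. The dictionary layout, the function name check_mapping, the SID values, and the choice to read proxyAddresses and msExchUCVoicemailSettings from the Lync resource forest account are assumptions made for illustration.

```python
# Added example: audit one user's attribute mapping between the Customer user
# forest and the Lync resource forest. Record layout and SIDs are constructed.
ACCOUNTDISABLE = 0x0002  # userAccountControl bit that marks a disabled account


def check_mapping(user, resource, online_mailbox=True):
    """Return a list of findings; an empty list means the mapping is consistent."""
    findings = []
    # Accounts in the Lync resource forest must stay disabled.
    if not resource.get("userAccountControl", 0) & ACCOUNTDISABLE:
        findings.append("resource account is enabled")
    # msRTCSIP-OriginatorSID must carry the ObjectSID of the user-forest account.
    if resource.get("msRTCSIP-OriginatorSID") != user.get("objectSid"):
        findings.append("OriginatorSID does not match user-forest ObjectSID")
    mail = (user.get("mail") or "").lower()
    pairs = [p.split(":", 1) for p in resource.get("proxyAddresses", []) if ":" in p]
    have = {(k, v.lower()) for k, v in pairs}
    # SMTP and sip proxy addresses must match the Mail attribute.
    for prefix in ("SMTP", "sip"):
        if (prefix, mail) not in have:
            findings.append(f"missing {prefix}:{mail} in proxyAddresses")
    # At least one EUM address must name a UM dial plan via phone-context.
    if not any(k.upper() == "EUM" and ";phone-context=" in v for k, v in have):
        findings.append("no EUM proxy address with a phone-context")
    # Users with Online mailboxes need Exchange hosted voicemail enabled.
    if online_mailbox:
        if "ExchangeHostedVoiceMail=1" not in resource.get("msExchUCVoicemailSettings", []):
            findings.append("ExchangeHostedVoiceMail=1 not set")
    return findings


# Constructed sample records (SIDs are made up; addresses follow slide 27).
SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
USER = {"objectSid": SID, "mail": "lyncUser1@contoso.com"}
GOOD = {
    "userAccountControl": 514,  # NORMAL_ACCOUNT | ACCOUNTDISABLE
    "msRTCSIP-OriginatorSID": SID,
    "proxyAddresses": [
        "EUM:lyncUser1@contoso.com;phone-context=TESTDP01.contoso.com",
        "eum:51212;phone-context=TESTDP01.contoso.com",
        "SMTP:lyncUser1@contoso.com",
        "sip:lyncUser1@contoso.com",
    ],
    "msExchUCVoicemailSettings": ["ExchangeHostedVoiceMail=1"],
}
BAD = {**GOOD, "userAccountControl": 512,
       "msRTCSIP-OriginatorSID": "S-1-5-21-1111111111-2222222222-3333333333-9999"}

if __name__ == "__main__":
    for name, rec in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_mapping(USER, rec))
```

An enabled resource-forest account or a mismatched OriginatorSID is the finding to treat as urgent, since either one breaks the assumption that sign-in happens only through the user-forest identity.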

28

29

30
[Diagram roles: Domain Controller; Exchange 2013 Server; ADFS Server; DirSync Server; Domain Controller; Lync Reverse Proxy; Lync Edge Server; Lync SE Pool Server]
User Forest (Contoso.com): Con-DC.Contoso.com; Con-Ex.Contoso.com; Con-Dirsync-ADFS.Contoso.com; Con-FIM.Contoso.com; TMG.Contoso.com
Lync Hosted Forest: Fab-DC.Fabrikam.com; Fab-Lync.Fabrikam.com; Fab-Edge.Fabrikam.com
O365: TechEDContoso.onmicrosoft.com; TechED-Contoso.com (Vanity Domain)

31

32

33

34

35

36

