OCS 2007 R2 Cross/Multi Forest

Hi Experts,

Microsoft only officially supports 2 cross forest OCS 2007 models, resource forest and central forest but they essentially rely on having connectivity with a central node to be up at all times.

We have a multi forest topology running Server 2008 R2. It is a mesh satellite network and the nature of our network means we can't guarantee connectivity to a central site at all times. We have OCS 2007 R2 deployed in each forest so "internal" OCS works fine; we want to have cross forest OCS communication when the links are up. We have configured edge servers in each forest and have federation allowed, but the edge servers don't see each other.

Has anyone had two OCS environments talking to each other before, or has any ideas on how to achieve this?

npomeeAuthor Commented:
Two of our forests/pools were working fine, the third just refused to work, so we rebuilt it and it worked. There must have been a bad cert or configuration somewhere that we missed.

Thanks for the replies
BusbarSolutions ArchitectCommented:
Hi there.
This is not a cross forest implementation: as I understand it you have OCS in each forest and you just want the OCS servers to talk to each other.
If my understanding is correct then you will need an edge server and some extra accessories:
- a certificate at the edge server that is trusted by the other edges; you can use an internal CA but you will have to install the root CA certificate on each edge.
- you will need to configure the edge to federate either statically or using DNS records; if you choose the latter then you will need to create a _sipfederationtls._tcp record for each domain, and those records must be resolvable from each edge server.
Then you are fine.
npomeeAuthor Commented:
That's kinda what we have set up but we just can't seem to get them to connect to each other. Do you have any more info on how to do this?
BusbarSolutions ArchitectCommented:
You need to go through those steps for each edge and add each other edge.
I've set this up countless times, and the problems are typically either (1) firewall or routing configuration or (2) incorrect internal OCS configuration for Federation.

Are the Edge servers configured to handle incoming connections from both the Internet and other 'internal' OCS Edge Servers?  Have you configured the routes to go over the Internet or are you attempting to route traffic between the Edge server in each forest across an internal or perimeter network?
npomeeAuthor Commented:
Thanks for the reply on technet as well,

Our network is only a lab for now, so firewalls are disabled. The network is not connected to the internet; afaik all the internal routing is fine as our other network services are good. As for configuring the edge servers to handle incoming connections from other edge servers, we have allowed them to federate with other domains and allowed autodiscovery, and we have also manually added each domain and access edge server into the allow tab of the configuration. Is there anything else that is required?

BusbarSolutions ArchitectCommented:
Autodiscovery requires SRV DNS records; have you configured them?
npomeeAuthor Commented:
We have TCP SRV records for _sipfederationtls and _sipinternaltls, both pointing to our FE server.
npomeeAuthor Commented:
Ok, have been doing a lot of playing around and have made some progress. Doing a FE validation for SIP logons and testing connectivity between internal and federated users, the only error we get is:

Attempting to establish SIP dialog from admin2@domain2.com to sip:admin1@domain1.com using pool01.domain2.com Maximum hops: 2
Check two-party IM: Discovered a new SIP server in the path.
Maximum hops: 3
Received a failure SIP response: User sip:admin1@domain1.com @ Server pool01.domain2.com
Received a failure SIP response: [
SIP/2.0 504 Server time-out
FROM: "ADMIN2"<sip:admin2@domain2.com>;tag=a5dd85a9c6dfdf8449;epid=epid11
TO: <sip:admin1@domain1.com>;tag=78B49713A265CC7BAF26784B4B29373B
CALL-ID: e8ceb9fee98544a79c29ea1303a442c3
VIA: SIP/2.0/TLS;branch=z9hG4bKc9ff2da2;ms-received-port=55397;ms-received-cid=5C100
AUTHENTICATION-INFO: NTLM rspauth="010000000000000084D4FF0B9DB3E825", srand="2C1B48EE", snum="13", opaque="C3A00586", qop="auth", targetname="OCS01.domain2.com", realm="SIP Communications Service"
ms-edge-proxy-message-trust: ms-source-type=EdgeProxyGenerated;ms-ep-fqdn=ocs02.domain2.com;ms-source-verified-user=verified;ms-source-network=federation
ms-diagnostics: 1007;reason="Temporarily cannot route";source="edge.domain2.com";ErrorType="Connect Attempt Failure";WinsockFailureDescription="The peer did not respond to the connection attempt";WinsockFailureCode="10060(WSAETIMEDOUT)";Peer="edge.domain1.com"

OCS01 is the front end server
OCS02 is the internal interface for the edge server
EDGE is the external access interface for the edge server
admin1 and admin2 are SIP-enabled users in their respective pools; they have been configured to allow external access/federation etc.
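The useful part of the 504 above is the ms-diagnostics header: it names the source edge, the peer edge it tried to reach, and the Winsock error from the connect attempt. As an added example (not from this thread or from OCS itself), here is a small Python parser that pulls those fields out of a response like the one quoted and maps the Winsock code to the next thing to check; the sample text is the post's own response re-typed with the irrelevant headers dropped, and the code-to-hint mapping is my own, not an OCS table.

```python
import re
# Constructed sample: the 504 quoted above, re-typed with only the headers the diagnosis needs.
SAMPLE_504 = (
    'SIP/2.0 504 Server time-out\n'
    'ms-edge-proxy-message-trust: ms-source-type=EdgeProxyGenerated;'
    'ms-ep-fqdn=ocs02.domain2.com;ms-source-network=federation\n'
    'ms-diagnostics: 1007;reason="Temporarily cannot route";'
    'source="edge.domain2.com";ErrorType="Connect Attempt Failure";'
    'WinsockFailureDescription="The peer did not respond to the connection attempt";'
    'WinsockFailureCode="10060(WSAETIMEDOUT)";Peer="edge.domain1.com"\n'
)

# Hints keyed by Winsock error number: my own mapping, not an OCS table.
WINSOCK_HINTS = {
    "10060": "no TCP path from the source edge to the peer on the federation "
             "port (5061): check routing/firewall between edge external interfaces",
    "10061": "peer reachable but nothing listening on the federation port: "
             "check the peer's Access Edge service and federation port settings",
}

def parse_sip_response(text):
    """Split a SIP response into (status code, {lower-cased header: value})."""
    lines = text.strip().splitlines()
    status = int(re.match(r"SIP/2\.0 (\d{3})", lines[0]).group(1))
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def parse_ms_diagnostics(value):
    """ms-diagnostics is '<code>;key="val";key="val"...'; returns a dict."""
    if not value:
        return {}
    code, _, rest = value.partition(";")
    fields = {"code": int(code.strip())}
    fields.update(re.findall(r'([\w-]+)="([^"]*)"', rest))
    return fields

def diagnose(text):
    """Reduce a federation failure response to the fields that decide next steps."""
    status, headers = parse_sip_response(text)
    diag = parse_ms_diagnostics(headers.get("ms-diagnostics", ""))
    m = re.match(r"\d+", diag.get("WinsockFailureCode", ""))
    winsock = m.group(0) if m else None
    # ms-source-network=federation means the edge raised this on the federation leg.
    via_fed = "ms-source-network=federation" in headers.get("ms-edge-proxy-message-trust", "")
    return {"status": status, "via_federation": via_fed, "diag_code": diag.get("code"),
            "source": diag.get("source"), "peer": diag.get("Peer"), "winsock": winsock,
            "hint": WINSOCK_HINTS.get(winsock, diag.get("reason", "no ms-diagnostics"))}
```

For the quoted response this reports edge.domain2.com timing out against edge.domain1.com, i.e. the edges never complete a TCP connection, which points at routing between the external interfaces rather than certificates or SRV records.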
BusbarSolutions ArchitectCommented:
Have you configured the edge ports and settings to accept federated connections?