OCS 2007 R2 Cross/Multi Forest

Hi Experts,

Microsoft only officially supports 2 cross forest OCS 2007 models, resource forest and central forest but they essentially rely on having connectivity with a central node to be up at all times.

We have a multi forest topology running server 2008 r2. It is a mesh satelite network and the nature of our network means we cant gurantee connectivity to a central site at all times. We have OCS 2007 R2 deployed in each forest so "internal" ocs works fine, we want to have cross forest ocs communication when the links are up. We have configured edge servers in each forest and have federation allowed but the edge servers dont see each other.

Has anyone had two ocs enviroments talking to each other before, or has any ideas on how to achive this.


BusbarSolutions ArchitectCommented:
Hi there.
This is not a cross forest implementation; as far as I know you have OCS in each forest, so you just want the OCS servers to talk to each other.
If my understanding is correct then you will need an edge server and some extra accessories:
- a certificate at the edge server that is trusted by the other edges; you can use an internal CA but you will have to install the root CA certificate on each edge.
- you will need to configure the edge to federate either statically or using DNS records; if you choose the latter then you will need to create a _sipfederationtls._tcp record for each domain, and those records must be resolvable on each edge server.
Then you are fine.
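The two prerequisites in the answer above (a federation SRV record per SIP domain that points at that domain's Access Edge, and an edge certificate carrying that name and issued by a CA every edge trusts) can be checked offline before touching a wizard. The script below is an added example, not code from the thread or from Microsoft; the zone contents, certificate names and the CA name "LabRootCA" are constructed lab data, and it covers only the DNS autodiscovery variant (static routes are configured differently). The SRV name `_sipfederationtls._tcp.<sipdomain>` and the default Access Edge federation port 5061 are the standard OCS 2007 values.

```python
"""Offline consistency check for OCS federation prerequisites: SRV record present,
target is an Access Edge on the expected port, edge cert name matches and chains
to a trusted CA. Constructed lab data; not the thread's own environment."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str

@dataclass
class EdgeCert:
    subject: str
    sans: Tuple[str, ...]
    issuer: str

FEDERATION_PORT = 5061  # default Access Edge federation (SIP/MTLS) port

# Constructed zone data as each edge should be able to resolve it.
ZONE: Dict[str, List[SrvRecord]] = {
    "_sipfederationtls._tcp.domain1.com": [SrvRecord(0, 0, 5061, "edge.domain1.com")],
    "_sipfederationtls._tcp.domain2.com": [SrvRecord(0, 0, 5061, "edge.domain2.com")],
    # domain3 points its record at a front end by mistake (constructed fault)
    "_sipfederationtls._tcp.domain3.com": [SrvRecord(0, 0, 5061, "ocs01.domain3.com")],
}

# Constructed certificates as seen on each target host.
CERTS: Dict[str, EdgeCert] = {
    "edge.domain1.com": EdgeCert("edge.domain1.com", ("edge.domain1.com",), "LabRootCA"),
    "edge.domain2.com": EdgeCert("edge.domain2.com", ("edge.domain2.com",), "LabRootCA"),
    "ocs01.domain3.com": EdgeCert("ocs01.domain3.com", (), "SelfSigned"),
}

# Which hosts are actually Access Edge external interfaces, and which CAs
# have had their root installed on every edge (both constructed).
ACCESS_EDGES: Set[str] = {"edge.domain1.com", "edge.domain2.com", "edge.domain3.com"}
TRUSTED_ISSUERS: Set[str] = {"LabRootCA"}

def federation_srv_name(sip_domain: str) -> str:
    """DNS name an edge queries to autodiscover a federated partner."""
    return f"_sipfederationtls._tcp.{sip_domain}"

def check_federation_peer(sip_domain: str,
                          zone: Dict[str, List[SrvRecord]] = ZONE,
                          certs: Dict[str, EdgeCert] = CERTS,
                          trusted_issuers: Set[str] = TRUSTED_ISSUERS,
                          access_edges: Set[str] = ACCESS_EDGES) -> List[str]:
    """Return a list of findings for one partner domain; empty means it looks right."""
    findings: List[str] = []
    name = federation_srv_name(sip_domain)
    records = zone.get(name)
    if not records:
        return [f"{sip_domain}: no SRV record {name}; edges cannot autodiscover this peer"]
    # RFC 2782 selection: lowest priority first, then highest weight.
    rec = min(records, key=lambda r: (r.priority, -r.weight))
    if rec.port != FEDERATION_PORT:
        findings.append(f"{sip_domain}: SRV port {rec.port}, expected {FEDERATION_PORT}")
    if rec.target not in access_edges:
        findings.append(f"{sip_domain}: SRV target {rec.target} is not an Access Edge")
    cert = certs.get(rec.target)
    if cert is None:
        findings.append(f"{sip_domain}: no certificate known for {rec.target}")
    else:
        if rec.target != cert.subject and rec.target not in cert.sans:
            findings.append(f"{sip_domain}: cert on {rec.target} does not carry that name")
        if cert.issuer not in trusted_issuers:
            findings.append(f"{sip_domain}: cert issuer {cert.issuer} is not trusted by the "
                            "other edges; install its root CA on every edge")
    return findings

if __name__ == "__main__":
    for d in ("domain1.com", "domain2.com", "domain3.com", "domain4.com"):
        print(d, check_federation_peer(d) or ["ok"])
```

Run it against your own zone export and certificate inventory by replacing the constructed dictionaries; a clean result for every partner domain means the DNS and trust prerequisites are met, and what remains is reachability between the edges.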
npomeeAuthor Commented:
Thats kinda what we have setup but just cant seem to get them to connect to each other. Do you have any more info on how to do this??
BusbarSolutions ArchitectCommented:
you need to go through those steps for each edge and add each other edge

I've set this up countless times, and the problems are typically either (1) firewall or routing configuration or (2) incorrect internal OCS configuration for Federation.

Are the Edge servers configured to handle incoming connections from both the Internet and other 'internal' OCS Edge Servers?  Have you configured the routes to go over the Internet or are you attempting to route traffic between the Edge server in each forest across an internal or perimeter network?
npomeeAuthor Commented:
Thanks for the reply on TechNet as well.

Our network is only a lab for now, so firewalls are disabled. The network is not connected to the internet; afaik all the internal routing is fine as our other network services are good. As for configuring the edge servers to handle incoming connections from other edge servers, we have allowed them to federate with other domains and allowed autodiscovery, and we have also manually added each domain and access edge server into the allow tab of the configuration. Is there anything else that is required?

BusbarSolutions ArchitectCommented:
Autodiscovery requires SRV DNS records; have you configured them?
npomeeAuthor Commented:
We have TCP SRV records for _sipfederationtls and _sipinternaltls, both pointing to our FE server.
npomeeAuthor Commented:
OK, have been doing a lot of playing around and have made some progress. Doing a FE validation for SIP logons and testing connectivity between internal and federated users, the only error we get is:

Attempting to establish SIP dialog from admin2@domain2.com to sip:admin1@domain1.com using pool01.domain2.com Maximum hops: 2
Check two-party IM: Discovered a new SIP server in the path.
Maximum hops: 3
Received a failure SIP response: User sip:admin1@domain1.com @ Server pool01.domain2.com
Received a failure SIP response: [
SIP/2.0 504 Server time-out
FROM: "ADMIN2"<sip:admin2@domain2.com>;tag=a5dd85a9c6dfdf8449;epid=epid11
TO: <sip:admin1@domain1.com>;tag=78B49713A265CC7BAF26784B4B29373B
CALL-ID: e8ceb9fee98544a79c29ea1303a442c3
VIA: SIP/2.0/TLS;branch=z9hG4bKc9ff2da2;ms-received-port=55397;ms-received-cid=5C100
AUTHENTICATION-INFO: NTLM rspauth="010000000000000084D4FF0B9DB3E825", srand="2C1B48EE", snum="13", opaque="C3A00586", qop="auth", targetname="OCS01.domain2.com", realm="SIP Communications Service"
ms-edge-proxy-message-trust: ms-source-type=EdgeProxyGenerated;ms-ep-fqdn=ocs02.domain2.com;ms-source-verified-user=verified;ms-source-network=federation
ms-diagnostics: 1007;reason="Temporarily cannot route";source="edge.domain2.com";ErrorType="Connect Attempt Failure";WinsockFailureDescription="The peer did not respond to the connection attempt";WinsockFailureCode="10060(WSAETIMEDOUT)";Peer="edge.domain1.com"

OCS01 is the front end server
OCS02 is the internal interface for the edge servers
EDGE is the external access interface for the edge servers
admin1 and 2 are SIP enabled users in their respective pools; they have been configured to allow external/federation etc.
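The useful part of the 504 above is not the status line but the `ms-diagnostics` header, which names the edge that failed (`source`), the edge it was trying to reach (`Peer`) and the Winsock error from the connect attempt. The script below is an added example, not code from the thread or an OCS tool: it parses a copy of the response quoted above into its headers, breaks the `ms-diagnostics` and `ms-edge-proxy-message-trust` values into fields, and maps the Winsock code to what a network engineer should check. The Winsock code meanings are standard Windows values; the constructed message is the page's own trace reproduced for the example.

```python
"""Pull routing diagnostics out of an OCS SIP failure response. Added example;
the message below is a copy of the 504 quoted in the thread."""
import re
from dataclasses import dataclass, field
from typing import Dict

SIP_504 = """SIP/2.0 504 Server time-out
FROM: "ADMIN2"<sip:admin2@domain2.com>;tag=a5dd85a9c6dfdf8449;epid=epid11
TO: <sip:admin1@domain1.com>;tag=78B49713A265CC7BAF26784B4B29373B
CALL-ID: e8ceb9fee98544a79c29ea1303a442c3
VIA: SIP/2.0/TLS;branch=z9hG4bKc9ff2da2;ms-received-port=55397;ms-received-cid=5C100
ms-edge-proxy-message-trust: ms-source-type=EdgeProxyGenerated;ms-ep-fqdn=ocs02.domain2.com;ms-source-verified-user=verified;ms-source-network=federation
ms-diagnostics: 1007;reason="Temporarily cannot route";source="edge.domain2.com";ErrorType="Connect Attempt Failure";WinsockFailureDescription="The peer did not respond to the connection attempt";WinsockFailureCode="10060(WSAETIMEDOUT)";Peer="edge.domain1.com"
"""

# Standard Winsock error codes and what each one means for an edge-to-edge connect.
WINSOCK = {
    "10060": "connect timed out: no reply from the peer (routing, ACL, or peer down)",
    "10061": "connection refused: peer reachable but nothing listening on that port",
    "10065": "host unreachable: no route from the edge's external interface",
    "11001": "host not found: the peer FQDN did not resolve on the edge",
}

@dataclass
class SipResponse:
    status: int
    reason: str
    headers: Dict[str, str] = field(default_factory=dict)  # names lower-cased

def parse_sip_response(raw: str) -> SipResponse:
    """Split a SIP response into status line and header map (no body handling)."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    m = re.match(r"SIP/2\.0 (\d{3}) (.*)", lines[0])
    if not m:
        raise ValueError(f"not a SIP status line: {lines[0]!r}")
    resp = SipResponse(int(m.group(1)), m.group(2).strip())
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        resp.headers[name.strip().lower()] = value.strip()
    return resp

def parse_ms_diagnostics(value: str) -> Dict[str, str]:
    """'1007;reason="...";source="..."' -> {'code': '1007', 'reason': ..., ...}"""
    code, _, rest = value.partition(";")
    fields = {"code": code.strip()}
    for k, v in re.findall(r'(\w+)="([^"]*)"', rest):
        fields[k] = v
    return fields

def parse_edge_trust(value: str) -> Dict[str, str]:
    """Unquoted key=value pairs separated by ';'."""
    return dict(part.split("=", 1) for part in value.split(";") if "=" in part)

def diagnose(raw: str) -> Dict[str, str]:
    """Summarise which edge failed to reach which peer, and why."""
    resp = parse_sip_response(raw)
    diag = parse_ms_diagnostics(resp.headers.get("ms-diagnostics", ""))
    trust = parse_edge_trust(resp.headers.get("ms-edge-proxy-message-trust", ""))
    code = diag.get("WinsockFailureCode", "").split("(")[0]
    return {
        "status": f"{resp.status} {resp.reason}",
        "ms_code": diag.get("code", ""),
        "reason": diag.get("reason", ""),
        "failing_edge": diag.get("source", ""),
        "peer": diag.get("Peer", ""),
        "network": trust.get("ms-source-network", ""),
        "winsock": code,
        "meaning": WINSOCK.get(code, "unknown Winsock code"),
    }

if __name__ == "__main__":
    for k, v in diagnose(SIP_504).items():
        print(f"{k:13s} {v}")
```

For the trace in the thread the output points at a TCP connect from edge.domain2.com to edge.domain1.com that never got an answer, which matches the later finding that the third forest's edge was broken: the front end and the sending edge were fine, and the check to make from the failing edge is whether the peer's access interface is reachable on the federation port at all.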
BusbarSolutions ArchitectCommented:
have you configured the edge ports and settings to accept federated connections
npomeeAuthor Commented:
Two of our forests/pools were working fine, the third just refused to work, so we rebuilt it and it worked. There must have been a bad cert or configuration somewhere that we missed.

Thanks for the replies.
