We have a W2k8r2 forest: one root domain and 2 child domains.
About 400 Windows 7 clients. We are outsourcing our desktop environment. The other thing is that we are going to use Skype for Business, also hosted by another party.
We will now have 3 forests to consider: our forest, let's call it local.com; the forest for our VDI desktops, vdi.com; and the forest for Skype for Business, Skype.com.
Skype.com is going to be a resource forest. They only need to know where the user accounts reside, to host a synchronized representation of active user objects, but no logon-enabled user accounts. An authentication selective trust between Skype.com and the forest holding the active user accounts will be established.
OK.
Now vdi.com. They are going to host the VDI desktops and all the applications (e.g. Outlook 2010) on it. They want to set up a 1-way nontransitive selective external trust with us, local.com.
vdi.com is going to migrate our user accounts into their domain. Users will have a new UPN, @vdi.com. The Exchange 2010 server is in the local.com domain.
How do we make single sign-on work? How will, for example, steve@vdi.com connect to the mailbox of steve@local.com? And what about the delegate permissions on mailboxes and the add-ins that connect to several services in the local.com domain?
Thanks