Installing Lync 2013 into a domain with multiple child domains

Good Afternoon All

This post relates to the installation of Lync 2013 into a domain where there are multiple child domains. It goes through the schema, forest and domain preparation steps, as these are different when implementing into a child domain.
Following the 'step 1' preparation steps, the remaining installation steps are the normal ones, which you can find in one of my other blog posts.

Complete Lync 2013 Installation Guide including – Pre Reqs, Enterprise Edition Pool, SQL Mirroring and Witness, Archiving/Monitoring, Persistent Chat, Edge Setup and XMPP integration PART 1 of 6

In this lab scenario I will be preparing my child domain (named Child1) for Lync 2013. Along with child1 I also have an overarching root domain and another child domain called child2. In this scenario child2 has Lync 2010 installed.
This scenario is more common than you might expect: a company might have merged but, for one reason or another (maybe financial), the two companies, although joined in name, might operate in silos. So for clarity, below is my lab setup.

Root domain is called rootnorthernlync.local
child1 is called child1.northernlync.local (Lync 2013)
child2 is called child2.northernlync.local (Lync 2010)

It's also worth noting that in this scenario users of Lync 2010 aren't required to have access to the Lync 2013 deployment. By this I mean the two child domains don't require the ability to share the user contacts in AD.

OK, let's start with a screenshot of the root domain.


This shows something of importance. As you can see, I already have the member groups within the root domain from my Lync 2010 deployment in the child2 child domain.

So the first question, then: why are the member groups in the root domain and not in the child2 domain where Lync 2010 is installed?

Simply put, Lync shares the member groups across all domains, therefore it's an installation requirement for these to be prepared in the top-level root of your domain and not the child. Further into this lab I will attempt to install the member groups into the child domain so that you can see the error this produces, plus how to properly install these member groups without issues.

The next step, then, is to log in to a machine which is a member of the child1 domain so that I can start my Lync 2013 installation.


It's worth noting I stupidly named my Lync 2013 machine child1 in the VM build, so as you can see I have child1 in the child1.rootnorthernlync.local domain.

Also below are the AD member groups before the Lync 2013 preparation steps. (This should be the same after the prepare steps as well.)


Now let's run the Lync 2013 deployment wizard. (Of course at this stage you need .NET 4.5 and PowerShell 3.0 (restart required) if you are installing onto a Windows 2008 R2 server like in my lab.)


OK, so next we are going to select Prepare Active Directory. (Make sure you have the necessary rights to perform the preparation steps.)


Select Run on step 1, then select Next, and Next again on the prepare schema dialog.

***Depending on how big your organisation is, the schema prep can take a fair few minutes to complete.


Once your replication has completed as per step 2, move on to step 3.

The screenshot below shows the required prerequisites for step 3. Check the arrowed prereq! At this point, as you know, our Lync 2013 machine is attached to the child1 domain and not the root domain as the prereq states. Also, you might not have access to a machine on the root domain. So what are you to do? See below.

Firstly, I'm going to just select Run and leave the option for the local domain, to show you the error message it throws. This will also give you an idea of what you need to do next.


See the error? It doesn't really give us any idea what the issue is, does it? Hopefully the log file will tell us more.


So, to fix this: firstly, if you have access to a machine on the root domain and you want to go through the pain of installing the Lync 2013 deployment wizard, then you could run the preparation steps on that machine.

For this lab we are going to run the PowerShell command against the root from our child1 domain.

Enable-CsAdForest [-GroupDomain <FQDN of the domain in which to create the universal groups>]

In our lab's case, this is the PowerShell we will be running from the Lync Management Shell:

Enable-CsAdForest -GroupDomain rootnorthernlync.local

**Don't forget to run the management shell as administrator.



You will not get any confirmation that it's completed with the -verbose on the end of your command.

Anyhow, let's jump back to the deployment wizard now and see what the status says.



So let's continue on with the wizard for step 5. Note: this will just run without any special PowerShell command etc.

Once this is complete, jump back to the main wizard window.


As you can see our preparation steps are now complete, and we can continue on with a Standard or Enterprise deployment.

The last step, below, is a screenshot of the root member groups now that we have run the 2013 prereqs.


As you can see the new 2013 CS member groups are there..
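The same result can be checked from the child1 server without relying on the wizard's status or a screenshot. The script below is an added example, not part of the original post: it queries the schema, forest and domain preparation state and lists the universal groups that forest prep placed in the root domain, so their membership can be reviewed. It assumes the Lync Server Management Shell and the RSAT ActiveDirectory module are available, and that the groups use the usual CS and RTC name prefixes.

```powershell
# Added example: verify Lync 2013 AD preparation from a child-domain server.
# Assumptions: Lync Server Management Shell run as administrator, RSAT
# ActiveDirectory module installed, account can read the root domain.
Import-Module ActiveDirectory

$GroupDomain = 'rootnorthernlync.local'                       # root domain as used in the post
$ChildDomain = (Get-ADDomain -Current LocalComputer).DNSRoot  # domain this server is joined to

# Each Get-CsAd* cmdlet returns a state string; Expected is the "prepared" value.
$checks = @(
    [pscustomobject]@{ Step     = 'Schema'
                       Expected = 'SCHEMA_VERSION_STATE_CURRENT'
                       Actual   = "$(Get-CsAdServerSchema)" }
    [pscustomobject]@{ Step     = 'Forest'
                       Expected = 'LC_FORESTSETTINGS_STATE_READY'
                       Actual   = "$(Get-CsAdForest -GroupDomain $GroupDomain)" }
    [pscustomobject]@{ Step     = 'Domain'
                       Expected = 'LC_DOMAINSETTINGS_STATE_READY'
                       Actual   = "$(Get-CsAdDomain -Domain $ChildDomain)" }
)

$checks |
    Select-Object Step, Actual, @{ n = 'Ready'; e = { $_.Actual -eq $_.Expected } } |
    Format-Table -AutoSize

$notReady = $checks | Where-Object { $_.Actual -ne $_.Expected }
if ($notReady) {
    Write-Warning "Preparation incomplete for: $($notReady.Step -join ', ')"
}

# List the universal groups in the ROOT domain (not the child) with member
# counts, so newly created admin groups can be reviewed after forest prep.
Get-ADGroup -Server $GroupDomain -Properties Members `
        -Filter "GroupScope -eq 'Universal' -and (Name -like 'CS*' -or Name -like 'RTC*')" |
    Sort-Object Name |
    Select-Object Name, GroupScope,
                  @{ n = 'MemberCount'; e = { $_.Members.Count } },
                  DistinguishedName |
    Format-Table -AutoSize
```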

Well, that's it for this blog posting. If you've got to this stage and you're continuing on to deploy Lync 2013, check out my other deployment guides. (Part 1 is at the top of this blog posting.)

I hope this blog post has helped some of you out there.


Iain Smith

One thought on “Installing Lync 2013 into a domain with multiple child domains”

  1. Hi Iain,

    We have been trying to do something similar in a test environment to understand how Lync might work across multiple domains, but I am seeing the same error when preparing the Forest of Lync no matter how I run Enable-CsAdForest.

    I have a root domain with two child domains, just as you have in your scenario. I am trying to install Lync 2013 in one of the child domains onto a member server joined to the child domain.

    I can log into Lync Server using the credentials of the administrator of the root domain (hence a member of the “Enterprise Admins”), but by default, this admin is NOT a member of the child “Domain Admins” group. If I run the PS CmdLet on this server, I get the error as indicated above, i.e. “Error: Computer is not a member of the root domain. For security reasons, this action must be run on a root domain computer.”

    I have read other posts saying that the ONLY way to do this is to run this from a machine joined to the root domain, so how on earth did you manage to do this via the Lync Server which is joined to the child domain?

    Many thanks
