A computer that is running Lync Server 2010 may stop responding, with RtcSrv.exe consuming 100 percent of CPU resources, in a multi-forest deployment.
Scenario:
There are two AD forests, say Forest-A and Forest-B. Lync is deployed in Forest-B.
Users have AD accounts in both Forest-A and Forest-B. Users in Forest-A log in to their domain with integrated credentials as usual, but use their Forest-B AD user credentials to log in to Lync. Initially there is no trust relationship between the forests. A need then arises to establish a trust between the two forests. Once the trust is established, users notice that the Lync client keeps disconnecting. Upon troubleshooting, we found that RtcSrv.exe on the Forest-B Lync Front End server was using 100% of CPU resources.
Here is the call flow for a user logging in to the Lync client before the trust relationship is established:
· The Forest-A user logs in to his/her local PC with his/her Forest-A domain account. Lync starts up and tries to pass the user's integrated AD credentials to the Lync Server.
· The Lync Server does not authenticate with these credentials, since it does not know about Forest-A, and prompts for user credentials.
· The user provides Forest-B credentials, Lync accepts them, and sign-in succeeds.
Here is the call flow for a user logging in to the Lync client after the trust relationship is established between the AD forests:
· The Forest-A user logs in to his/her local PC with the Forest-A domain account. Lync starts up and tries to use the integrated user credentials with the Lync Server.
· Since the credentials come from a trusted forest, the Lync Server forwards the integrated account information to the Forest-B DC.
· The Forest-B DC knows its trusted partner and queries the Forest-A DC, which validates the identity.
· Even though it is a valid AD account, it is not authorized for Lync, because Lync is not enabled for this account.
· The user is prompted for credentials and enters Forest-B credentials to log in to Lync.
Because this authentication process puts a lot of load on the Front End server, RtcSrv.exe takes up all the CPU resources. Hence users keep getting disconnected from the Lync client.
Resolution:
Make users provide logon credentials to Lync rather than using integrated Windows credentials. You can configure this using the Lync ADM template.
“DisableNTCredentials”
"0 = Windows credentials are sent. Lync authenticates the user based on the same credentials used to log on to Windows. (Default).
1 = Windows credentials are not sent. User is required to provide logon credentials to Lync."
Lync ADM template download and documentation:
http://www.microsoft.com/download/en/details.aspx?id=27217
Please send an email to uc@ocspedia.com if you observe the problem differently or have any follow-up on this article.
By: Jit Reddy
04-July-2012