The resource forest hosts disabled user accounts (used to enable access to Lync services). It is required that the msRTCSIP-OriginatorSID attribute for the disabled accounts maps to the ObjectSID of the account in the user forest. The resource forest topology has a higher level of isolation between Lync and the users' forest, but the increased security also implies increased administrative complexity.
This can be summarized as follows:
We have to select a topology (central or resource forest)
We have to configure forest trusts to enable users' authentication into the resource forest
Also, if we have not talked about this aspect before, we have to add another point to the list.
We have to select a tool (automatic or manual) to create a match between the information required in the resource forest and the ones available in the user forest
If we have already deployed Exchange in our resource forest, we can take advantage of the attribute msExchMasterAccountSid
that works...