Microsoft Office Communications Server 2007 R2

Preparing Active Directory Domain Services for Office Communications Server 2007 R2

Published: May 2009

Updated: October 2009

Updated: April 2010

For the most up-to-date version of the Preparing Active Directory Domain Services for Office Communications Server 2007 R2 documentation and the complete set of the Microsoft® Office Communications Server 2007 R2 online documentation, see the Office Communications Server TechNet Library at

Note: In order to find topics that are referenced by this document but not contained within it, search for the topic title in the TechNet library at


This document is provided “as-is”. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it.

Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

Copyright © 2010 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Outlook, SQL Server, Visio, Visual C++, Windows, Windows Media, Windows PowerShell, Windows Server, and Windows Vista are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.


Contents

Preparing Active Directory Domain Services

Active Directory Infrastructure Requirements

Overview of Active Directory Domain Services Preparation

Changes for Office Communications Server 2007 R2

Forest Preparation Changes

Domain Preparation Changes

Schema Preparation

Forest Preparation

Domain Preparation

Preparing Active Directory Domain Services

Active Directory Preparation Tools

Running Active Directory Preparation Tasks on 32-bit Domain Controllers

Schema Batch Import Tool

Administrative Rights and Roles

Custom Container Permissions

Locked Down Active Directory Requirements

Deciding Where to Store Global Settings

Evaluating Global Settings Locations

Migrating Global Settings Container

1. Migrating the Tree Structure

2. Copying Global Settings Attributes

3. Setting Permissions

4. Updating DN References to the Global Settings Tree

5. Updating msRTCSIP-PrimaryHomeServer DN References

6. Verifying that Migration Is Successful

7. Removing Global Settings Tree from the System Container

Using the Global Settings Migration Tool to Move to Configuration Container

Using Setup to Run Schema Preparation

Using Setup to Run Forest Preparation

Using Setup to Run Domain Preparation

Using LcsCmd to Run Schema Preparation

Using LcsCmd to Run Forest Preparation

Using LcsCmd to Run Domain Preparation

Preparing a Locked Down Active Directory Domain Services

Authenticated User Permissions Are Removed

Permissions Inheritance Is Disabled on Computers, Users, or InetOrgPerson Containers

Set Permissions for User, InetOrgPerson, and Contact Objects after Running Domain Preparation

Set Permissions for Computer Objects after Running Domain Preparation

Active Directory Domain Services Reference

Changes Made by Forest Preparation

Active Directory Global Settings and Objects

Active Directory Universal Service and Administration Groups

Changes Made by Domain Preparation

Using WMI to Configure New Users

Working with Active Directory Attributes

Active Directory Attributes to WMI Properties Mapping

Active Directory Domain Services Classes and Descriptions

Active Directory Classes for Office Communications Server

Active Directory Domain Services Attributes and Descriptions

Active Directory Attributes for Office Communications Server

msRTCSIP-SchemaVersion

User Objects

Contact Objects

Computer Objects

Delegating Office Communications Server Setup and Administration

Delegating Setup

Delegating Server Administration

Delegating User Administration

Delegating Read-Only Server Administration

Appendix: Preparing Active Directory Domain Services

Active Directory Domain Services Requirements

Supported Active Directory Topologies

Single Forest, Single Domain

Single Forest, Multiple Domains

Single Forest, Multiple Trees

Multiple Forests, Central Forest

Multiple Forests, Resource Forest

Installing Administrative Tools

Installing Remote Server Administration Tools for Windows Server 2008

Accounts and Permissions Requirements

Administrative Credentials

Security Levels

Exchange UM Security Levels

Media Gateway Security

Preparing Active Directory Domain Services

Before you deploy and operate Microsoft Office Communications Server 2007 R2, you must prepare Active Directory Domain Services (AD DS) by extending the schema and then creating and configuring objects. The schema extensions add the Active Directory classes and attributes that are required by Office Communications Server.

The topics in this section describe how to prepare Active Directory Domain Services for deploying Office Communications Server 2007 R2, and for delegating setup and administration permissions. They also provide a reference of the Active Directory schema required by Office Communications Server 2007 R2.

Note:

For the most up-to-date version of this documentation, see “Preparing Active Directory Domain Services for Office Communications Server 2007 R2” in the Office Communications Server 2007 R2 TechNet Library. To find a topic that is referenced by this document, but not contained within it, search on the topic title in TechNet.

In This Document

Active Directory Infrastructure Requirements

Overview of Active Directory Domain Services Preparation

Preparing Active Directory Domain Services

Preparing a Locked Down Active Directory Domain Services

Delegating Office Communications Server Setup and Administration

Active Directory Domain Services Reference

Appendix: Preparing Active Directory Domain Services

Active Directory Infrastructure Requirements

Before you start the process of preparing Active Directory Domain Services (AD DS) for Office Communications Server 2007 R2, ensure that your Active Directory infrastructure meets the following prerequisites:

All domain controllers in the forest where you deploy Office Communications Server run Windows Server 2003 with SP1, Windows Server 2003 R2, or Windows Server 2008.

Note:

The operating system running on the domain controllers can be either 32-bit edition or 64-bit edition.

All global catalog servers in the forest where you deploy Office Communications Server run Windows Server 2003 with SP1, Windows Server 2003 R2, or Windows Server 2008.

All domains in which you deploy Office Communications Server are raised to a domain functional level of Windows Server 2003 or Windows Server 2008. You cannot deploy Office Communications Server 2007 R2 in a Microsoft Windows 2000 mixed, Windows 2000 native, or Windows 2003 interim domain.

The forest in which you deploy Office Communications Server is raised to a forest functional level of Windows Server 2003 or Windows Server 2008. You cannot deploy Office Communications Server 2007 R2 in a Windows 2000 mixed, Windows 2000 native, or Windows 2003 interim forest.

Note:

To change your domain or forest functional level, see “Raising domain and forest functional levels” at

Office Communications Server 2007 R2 supports the universal groups in the Windows Server 2003 and Windows Server 2008 operating systems. Members of universal groups can include other groups and accounts from any domain in the domain tree or forest and can be assigned permissions in any domain in the domain tree or forest. Universal group support, combined with administrator delegation, simplifies the management of an Office Communications Server deployment. For example, it is not necessary to add one domain to another to enable an administrator to manage both.
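
The prerequisites listed above can be checked read-only before any preparation step is run. The following script is an added example, not part of the original Microsoft documentation; it assumes the ActiveDirectory PowerShell module (Remote Server Administration Tools) is available, and the function name Test-OcsAdPrerequisite is hypothetical. It inspects every domain in the forest, although only the domains where Office Communications Server will be deployed have to meet the domain functional level requirement.

```powershell
# Added example: read-only prerequisite check before schema, forest and domain preparation.
# Assumes the ActiveDirectory module (RSAT) and read access to every domain in the forest.
Import-Module ActiveDirectory

# Functional levels the page rules out, as ADForestMode / ADDomainMode names.
# Windows2000Domain covers both Windows 2000 mixed and Windows 2000 native.
$blockedForestModes = 'Windows2000Forest', 'Windows2003InterimForest'
$blockedDomainModes = 'Windows2000Domain', 'Windows2003InterimDomain'

function Test-OcsAdPrerequisite {
    $findings = @()
    $forest   = Get-ADForest

    if ($blockedForestModes -contains "$($forest.ForestMode)") {
        $findings += "Forest $($forest.Name): functional level $($forest.ForestMode) is too low"
    }

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Server $domainName
        if ($blockedDomainModes -contains "$($domain.DomainMode)") {
            $findings += "Domain ${domainName}: functional level $($domain.DomainMode) is too low"
        }

        # Global catalog servers are domain controllers, so this loop covers both requirements.
        foreach ($dc in (Get-ADDomainController -Filter * -Server $domainName)) {
            $role = if ($dc.IsGlobalCatalog) { 'global catalog' } else { 'domain controller' }
            if ($dc.OperatingSystem -like '*2000*') {
                $findings += "$($dc.HostName) ($role): runs $($dc.OperatingSystem)"
            }
            elseif ($dc.OperatingSystem -like '*Server 2003*' -and -not $dc.OperatingSystemServicePack) {
                # The requirement is Windows Server 2003 with SP1 or later.
                $findings += "$($dc.HostName) ($role): Windows Server 2003 without a service pack"
            }
        }
    }
    return $findings
}

$result = @(Test-OcsAdPrerequisite)
if ($result.Count -eq 0) { 'No blocking findings.' } else { $result }
```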

Overview of Active Directory Domain Services Preparation

To prepare Active Directory Domain Services (AD DS) for your Office Communications Server deployment, you must perform three steps in sequence.

Important:

Before you begin the steps to prepare AD DS for your deployment, it is important to consider where you want to store the global settings for Office Communications Server, because the location can affect performance. You select the location for global settings in the forest preparation step. For details about making the selection, see Deciding Where to Store Global Settings.

The following table describes the steps required to prepare Active Directory Domain Services for Office Communications Server.

Active Directory Preparation Steps

Step / Description / Where run
1. Schema Preparation / Extends the Active Directory schema by adding new classes and attributes that are used by Office Communications Server / Against the schema master in the root domain of each forest where Office Communications Server will be deployed
Note: You do not need to run this step in the root domain if you have permissions on the schema master. In a resource forest topology, run this step only in the resource forest, not in any user forests. In a central forest topology, run this step only in the central forest, not in any user forests.
2. Forest Preparation / Creates global settings and universal groups that are used by Office Communications Server / In the root domain of each forest where Office Communications Server will be deployed
Note: You do not need to run this step in the root domain if you have the proper user rights. For details about the user rights required for this procedure, see Preparing Active Directory Domain Services. In a resource forest topology, run this step only in the resource forest, not in any user forests. In a central forest topology, run this step only in the central forest, not in any user forests.
3. Domain Preparation / Adds permissions on objects to be used by members of universal groups / On a member server in each domain where Office Communications Server will be deployed

Changes for Office Communications Server 2007 R2

In Office Communications Server 2007 R2, you run the same Active Directory preparation steps that you did for Live Communications Server 2005 with Service Pack 1 (SP1) and for Office Communications Server 2007. However, there are some changes in the steps. This section identifies the changes for Office Communications Server 2007 R2.

Forest Preparation Changes

The forest preparation step includes the following changes:

New containers are added under the RTC Service object:

Application Contacts

Location Contact Mappings

Conference Directories

New presence policies and settings are added to Global Settings:

Default Policy

Service: Medium

The default location for global settings is changed from the System container to the Configuration container.

The minimum supported forest functional level is changed from Windows 2000 native to Windows Server 2003.

Domain Preparation Changes

The domain preparation step includes the following changes:

Permissions are granted to the new resources added in the forest.

The minimum supported domain functional level is changed from Windows 2000 native to Windows Server 2003.

Schema Preparation

Schema preparation is the first step in preparing Active Directory Domain Services (AD DS) for Office Communications Server 2007 R2.

The schema preparation step extends the Active Directory schema to include classes and attributes that are specific to Office Communications Server. It is run once, against the schema master, for each Active Directory forest where you plan to deploy Office Communications Server.

Note:

In a resource forest topology, this step is run only in the resource forest, not in any user forests. In a central forest topology, this step is run only in the central forest, not in any user forests.

Office Communications Server 2007 R2 introduces some new Active Directory classes and attributes. For a description of all the classes and attributes specific to Office Communications Server, see Active Directory Domain Services Reference.

For the detailed steps and user rights required for this procedure, see Preparing Active Directory Domain Services.

Forest Preparation

Forest preparation is the second step in preparing Active Directory Domain Services (AD DS) for Office Communications Server.

The forest preparation step creates the following for use by Office Communications Server:

Active Directory global settings and objects

Active Directory universal groups

This step creates objects that contain global settings and information about your Office Communications Server deployment. Global settings are stored either in the Configuration container or in the System container of the forest root domain. This step also creates objects that contain property sets and display specifiers used by Office Communications Server, and stores them in the Configuration container.

Forest preparation must be performed once for each Active Directory forest where you plan to deploy Office Communications Server.

Note:

In a resource forest topology, run this step only in the resource forest, not in any user forests. In a central forest topology, run this step only in the central forest, not in any user forests.

Before you perform the forest preparation step, you must decide where to store global settings — in the root domain System container or in the Configuration container. For details about how to make this decision, see Deciding Where to Store Global Settings.

For the detailed steps and user rights required for this procedure, see Preparing Active Directory Domain Services.

For a description of the global settings and objects and the universal groups created by forest preparation, see Changes Made by Forest Preparation.

Domain Preparation

Domain preparation is the third step in preparing Active Directory Domain Services (AD DS) for Office Communications Server 2007 R2.

The domain preparation step adds to universal groups the necessary access control entries (ACEs) that grant permissions to host and manage users within the domain. Domain preparation creates ACEs on the domain root and three built-in containers: Users, Computers, and Domain Controllers. If your organization uses custom containers instead of these three built-in containers, see Preparing Active Directory Domain Services for details about how to grant the required permissions.

Domain preparation must be performed once in each domain where you plan to deploy Office Communications Servers and where your Office Communications Server users reside.

Note:

If permissions inheritance is disabled or authenticated user permissions must be disabled in your organization, you must perform additional steps during domain preparation. For details, see Preparing a Locked Down Active Directory Domain Services.

For detailed steps and user rights required to perform domain preparation, see Preparing Active Directory Domain Services.

For details about the ACEs created on the domain root and in the Users, Computers, and Domain Controllers containers, see Changes Made by Domain Preparation.
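
Because domain preparation writes ACEs to the domain root and to the Users, Computers, and Domain Controllers containers, recording the explicit ACEs on those four objects before and after the step shows exactly which permissions were granted. The following script is an added example, not part of the original Microsoft documentation; it assumes the ActiveDirectory PowerShell module, the function names and file names are hypothetical, and organizations that use custom containers would add their distinguished names to $targets.

```powershell
# Added example: snapshot explicit ACEs on the four objects that domain preparation modifies.
# Assumes the ActiveDirectory module (RSAT); reads the current logon domain only.
Import-Module ActiveDirectory

function Get-DomainPrepAclSnapshot {
    $domain  = Get-ADDomain
    $targets = @(
        $domain.DistinguishedName,            # domain root
        $domain.UsersContainer,
        $domain.ComputersContainer,
        $domain.DomainControllersContainer
    )
    foreach ($dn in $targets) {
        foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
            if ($ace.IsInherited) { continue }   # inherited ACEs are recorded on the parent
            # One line per ACE so two snapshots can be compared as text.
            '{0}|{1}|{2}|{3}|{4}|{5}|{6}' -f $dn, $ace.IdentityReference, $ace.AccessControlType,
                $ace.ActiveDirectoryRights, $ace.ObjectType, $ace.InheritedObjectType, $ace.InheritanceType
        }
    }
}

function Compare-DomainPrepAcl {
    param(
        [Parameter(Mandatory)] [string] $BeforePath,
        [Parameter(Mandatory)] [string] $AfterPath
    )
    # '=>' marks lines present only in the second (after) snapshot.
    Compare-Object (Get-Content $BeforePath) (Get-Content $AfterPath) |
        ForEach-Object {
            $change = if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
            "$change $($_.InputObject)"
        }
}

# Before domain preparation:  Get-DomainPrepAclSnapshot | Set-Content .\acl-before.txt
# After domain preparation:   Get-DomainPrepAclSnapshot | Set-Content .\acl-after.txt
# Review the difference:      Compare-DomainPrepAcl .\acl-before.txt .\acl-after.txt
```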

Preparing Active Directory Domain Services

The sections following this topic describe how to prepare Active Directory Domain Services (AD DS) for Office Communications Server.

Active Directory Preparation Tools

Important:

You must run Active Directory preparation tasks on a computer running Windows Server 2003 with Service Pack 2 (SP2), Windows Server 2003 R2 with SP2, or Windows Server 2008. You cannot run Active Directory preparation tasks on a computer running Microsoft Windows 2000 Server or earlier, or on a computer running any client version of the Windows operating system.

Active Directory can be prepared by using either of the following tools:

SetupEE.exe (for Enterprise Edition server consolidated configuration) or SetupSE.exe (for Standard Edition server) deployment tool

LcsCmd.exe command-line tool

These tools are provided on the Office Communications Server CD. The LcsCmd.exe command-line deployment tool is installed when you install Office Communications Server 2007 R2 administrative tools.

The SetupEE.exe or SetupSE.exe deployment tool provides wizards that guide you through each Active Directory preparation task: Prep Schema, Prep Forest, and Prep Domain. This tool is useful for environments with a single domain and single forest topology, or other similar topology. It is not available for deploying Enterprise Edition server expanded configurations.

The LcsCmd.exe command-line tool supports Active Directory preparation tasks with the SchemaPrep, ForestPrep, and DomainPrep actions. You can use this tool to run tasks remotely or for more complex environments.

Running Active Directory Preparation Tasks on 32-bit Domain Controllers

To run Active Directory preparation tasks on computers running 32-bit operating systems, you must use the 32-bit version of the LcsCmd.exe command-line tool, which is included in the 32-bit version of OCScore.msi. You can find the 32-bit version of OCScore.msi on the installation media in the \support\i386 folder. By default, LcsCmd.exe is installed in the Program Files\Common Files\Microsoft Office Communications Server 2007 R2 folder. For details about running LcsCmd.exe, see Running LCSCmd.

Note:

You must install the 32-bit version of LcsCmd.exe manually. Only the 64-bit version can be installed from the SetupEE.exe or SetupSE.exe wizard.

To use the 32-bit version of LcsCmd.exe, follow the same procedures that you would for the 64-bit version, which are described in the topics listed later in this section.

Schema Batch Import Tool

The Prep Schema wizard in the Setup deployment tool and the LcsCmd.exe command-line tool extend the Active Directory schema on domain controllers running a 64-bit operating system. If you need to extend the Active Directory schema on a domain controller running a 32-bit operating system, or if you need to run the schema preparation step on a domain controller that is not the schema master, you can use the Ldifde.exe tool to import the schema file. The Ldifde.exe tool comes with most versions of the Windows operating system.