Preparing Active Directory Domain Services (2007 R2 Beta)
[This is preliminary documentation and is subject to change. Blank topics are included as placeholders.]
The sections that follow describe how to perform the steps for preparing Active Directory Domain Services for Office Communications Server.
Active Directory Preparation Tools
Important
You must run Active Directory preparation tasks on a computer running Windows Server 2003 SP1 or later, Windows Server 2003 R2 or later, or Windows Server 2008. You cannot run Active Directory preparation tasks on a computer running Windows 2000 Server or earlier, or on a computer running any client version of the Windows operating system.
Active Directory can be prepared by using either of two tools:
- Setup.exe deployment tool
- LcsCmd.exe command-line tool
Both tools are provided on the Office Communications Server CD.
The Setup.exe deployment tool provides wizards that guide you through each Active Directory preparation task: Prep Schema, Prep Forest, and Prep Domain. This tool is useful for environments with a single domain and single forest topology, or other similar topology. This tool is not available for deploying Enterprise Edition expanded configurations.
The LcsCmd.exe command-line tool supports Active Directory preparation tasks with the SchemaPrep, ForestPrep, and DomainPrep actions. This tool is useful for running tasks remotely or for more complex environments. You must use this tool for Enterprise Edition expanded configuration deployments.
Administrative Rights and Roles
The following table shows the administrative rights and roles required for each Active Directory preparation task.
User rights required for Active Directory preparation
Procedure | Required administrative rights or roles |
---|---|
Schema preparation | Member of Schema Admins group and Administrator rights on the schema master |
Forest preparation | Member of EnterpriseAdmins or DomainAdmins group for the forest root domain |
Domain preparation | Member of EnterpriseAdmins or DomainAdmins group |
Custom Container Permissions
If your organization uses custom containers instead of the three built-in containers (Users, Computers, and Domain Controllers), the Authenticated Users group must have read access to the custom containers. If the Authenticated Users group does not have read access to the custom container, use LcsCmd.exe as illustrated below to run the CreateLcsOuPermissions command to grant read permissions for each custom container.
lcscmd /Domain:<Domain FQDN> /Action:CreateLcsOuPermissions /OU:<distinguished name> /ObjectType:<User | Contact | InetOrgPerson | Computer | AppContact>
where /OU specifies the distinguished name of the OU, excluding the domain root portion of the distinguished name.
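The /OU trimming described above, as an added PowerShell example that is not part of the original documentation: it strips the domain root portion from each container's full distinguished name and prints one lcscmd command line per object type for review, without running anything. The function names, the sample domain and containers, and the quoting of the /OU value are assumptions.

```powershell
# Added example: builds (does not run) lcscmd command lines for review.
function Split-DistinguishedName {
    param([string]$DistinguishedName)
    # Split on commas that separate RDNs; a backslash escapes the next character.
    $parts = @(); $current = ''; $escaped = $false
    foreach ($ch in $DistinguishedName.ToCharArray()) {
        if ($escaped)        { $current += $ch; $escaped = $false }
        elseif ($ch -eq '\') { $current += $ch; $escaped = $true }
        elseif ($ch -eq ',') { $parts += $current.Trim(); $current = '' }
        else                 { $current += $ch }
    }
    $parts += $current.Trim()
    return ,$parts
}

function Get-LcsOuCommand {
    param(
        [string]$DomainFqdn,
        [string]$ContainerDn,
        [ValidateSet('User','Contact','InetOrgPerson','Computer','AppContact')]
        [string[]]$ObjectTypes
    )
    $rdns   = Split-DistinguishedName $ContainerDn
    $ouRdns = @($rdns | Where-Object { $_ -notmatch '^DC=' })
    $dcRdns = @($rdns | Where-Object { $_ -match '^DC=' })
    # The DC= components, if present, must match the domain given to /Domain.
    $dnDomain = ($dcRdns | ForEach-Object { $_ -replace '^DC=', '' }) -join '.'
    if ($dcRdns.Count -gt 0 -and $dnDomain -ne $DomainFqdn) {
        throw "Container '$ContainerDn' is not in domain '$DomainFqdn'."
    }
    if ($ouRdns.Count -eq 0) { throw "No container portion in '$ContainerDn'." }
    # /OU takes the DN without the domain root portion.
    $ou = $ouRdns -join ','
    foreach ($type in $ObjectTypes) {
        "lcscmd /Domain:$DomainFqdn /Action:CreateLcsOuPermissions /OU:`"$ou`" /ObjectType:$type"
    }
}

# Constructed sample input; the domain and container names are placeholders.
$containers = @(
    'OU=Staff,OU=Branch Users,DC=corp,DC=example,DC=com',
    'OU=Sales\, EMEA,DC=corp,DC=example,DC=com'
)
foreach ($dn in $containers) {
    Get-LcsOuCommand -DomainFqdn 'corp.example.com' -ContainerDn $dn -ObjectTypes User, Contact
}
```

Passing only the object types that actually live in a container keeps the read permission granted to Authenticated Users no broader than the deployment needs.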
Locked Down Active Directory Requirements
If permissions inheritance is disabled or authenticated user permissions must be disabled in your organization, you must perform additional steps during domain preparation. For more information, see Preparing a Locked Down Active Directory Domain Services.
See Also
Setup.exe
Using Setup to Run Schema Preparation
Using Setup to Run Forest Preparation
Using Setup to Run Domain Preparation
LcsCmd.exe
Using LcsCmd to Run Schema Preparation