Prep Domain Overview

Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

The Prep Domain step adds the necessary ACEs to universal groups that grant permissions to host and manage users within the domain. Prep Domain is required in all domains where you want to deploy Office Communications Servers and any domains where your Office Communications Server users will reside. The task is run once in each domain.

Prep Domain creates ACEs on the domain root and three built-in containers: Users, Computers, and Domain Controllers. Table 2 and Table 3 list these ACEs. All ACEs are inherited, unless otherwise noted.

Table 2. ACEs added to Domain Root

| ACE | RTCUniversalUserReadOnlyGroup | RTCUniversalServerReadOnlyGroup | RTCUniversalUserAdmins | RTCHSUniversalServices | Authenticated Users |
|---|---|---|---|---|---|
| Read Container (not inherited) | X | X | | | |
| Read User PropertySet User-Account-Restrictions | X | | | | |
| Read User PropertySet Personal-Information | X | | | | |
| Read User PropertySet General-Information | X | | | | |
| Read User PropertySet Public-Information | X | | | | |
| Read User PropertySet RTCUserSearchProperty-Set | X | | | | X |
| Read User PropertySet RTCPropertySet | X | | | | |
| Write User Property Proxy-Addresses | | | X | | |
| Write User PropertySet RTCUserSearchProperty-Set | | | X | | |
| Write User PropertySet RTCPropertySet | | | X | | |
| Read PropertySet DS-Replication-Get-Changes of all Active Directory objects | | | | X | |

Table 3. ACEs added to the Users, Computers, and Domain Controllers containers

| ACE | RTCUniversalUserReadOnlyGroup | RTCUniversalServerReadOnlyGroup |
|---|---|---|
| Read Container (not inherited) | X | X |

If your organization is using custom containers instead of the three built-in containers, the Authenticated Users group must have read access to the custom containers. If the Authenticated Users group does not have read access to the custom container, use LcsCmd.exe to run the CreateLcsOUPermissions command to grant read permissions on any custom containers.

Run a command similar to the following for each custom container:

lcscmd        /Domain:<Domain FQDN> /Action:CreateLcsOuPermissions
              /OU:<distinguished name>
              /ObjectType:<User | Contact | InetOrgPerson | Computer>

The /OU switch specifies the distinguished name of the OU, excluding the domain root portion of the distinguished name.
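
The following PowerShell audit is an added example, not part of the original documentation or of the product's tooling. It lists the ACEs held by the principals in Table 2 and Table 3 on the domain root, the three built-in containers, and any custom containers you append, so the result of Prep Domain or CreateLcsOuPermissions can be checked. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and the session runs in the target domain; the function name Get-PrepDomainAce is hypothetical.

```powershell
# Added example: audit the ACEs held by the Prep Domain principals.
# Assumption: the RSAT ActiveDirectory module is available (it provides the AD: drive).
Import-Module ActiveDirectory

# Principals from Table 2 and Table 3.
$principals = 'RTCUniversalUserReadOnlyGroup', 'RTCUniversalServerReadOnlyGroup',
              'RTCUniversalUserAdmins', 'RTCHSUniversalServices', 'Authenticated Users'

# Well-known GUID of the DS-Replication-Get-Changes control access right.
$replGetChanges = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

function Get-PrepDomainAce {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string[]]$DistinguishedName)
    foreach ($dn in $DistinguishedName) {
        foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
            # IdentityReference looks like DOMAIN\name or NT AUTHORITY\name; match on the name.
            $name = ($ace.IdentityReference.Value -split '\\')[-1]
            if ($principals -notcontains $name) { continue }
            [pscustomobject]@{
                Object      = $dn
                Principal   = $name
                Type        = $ace.AccessControlType       # Allow or Deny
                Rights      = $ace.ActiveDirectoryRights
                ObjectType  = $ace.ObjectType              # property set, property, or right GUID
                AppliesTo   = $ace.InheritedObjectType     # object class the ACE applies to
                Inheritance = $ace.InheritanceType         # None = "not inherited" in the tables
                Replication = ($ace.ObjectType -eq $replGetChanges)
            }
        }
    }
}

# Domain root plus the three built-in containers (resolved, in case they were redirected).
$domain  = Get-ADDomain
$targets = @($domain.DistinguishedName, $domain.UsersContainer,
             $domain.ComputersContainer, $domain.DomainControllersContainer)
# Append custom containers here, for example: $targets += 'OU=<custom OU>,<domain DN>'

$aces = Get-PrepDomainAce -DistinguishedName $targets
$aces | Sort-Object Object, Principal | Format-Table -AutoSize

# Table 2 grants the replication right only to RTCHSUniversalServices.
# Any other listed principal holding it is a deviation worth investigating.
$aces | Where-Object { $_.Replication -and $_.Principal -ne 'RTCHSUniversalServices' }
```

A custom container with no Authenticated Users row in the output is one that still needs the CreateLcsOuPermissions step described above.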