Supported Active Directory Topologies (2007 R2 Beta)
Office Communications Server relies on Active Directory® Domain Services (AD DS) to store global settings and groups necessary for the deployment and management of Office Communications Server. Office Communications Server 2007 R2 supports the same Active Directory topologies as Office Communications Server 2007.
Office Communications Server can be deployed in a locked-down Active Directory environment. For details about the special considerations involved in deploying Office Communications Server in a locked-down environment, see Preparing a Locked Down Active Directory Domain Services.
This section describes the Active Directory topologies supported by Office Communications Server 2007 R2. For details about operating system and domain functional level requirements for Active Directory Domain Services, see Environmental Requirements. For details about preparing Active Directory Domain Services for Office Communications Server installation, see Preparing Active Directory Domain Services for Office Communications Server 2007 R2.
Office Communications Server supports single forest and multiple forest Active Directory environments. Larger organizations that have multiple business units may decide to deploy a separate Active Directory forest for each unit, thereby providing autonomy with respect to schemas and security. Each business unit can extend its schema without affecting other business units, and administrators in one business unit cannot be administrators in another business unit.
The Active Directory topologies supported by Office Communications Server are as follows:
- Single forest with single domain
- Single forest with a single tree and multiple domains
- Single forest with multiple trees and disjoint namespaces
- Multiple forests in a central forest topology
- Multiple forests in a resource forest topology
The following diagram identifies the icons used in the illustrations in this section.
The simplest Active Directory topology supported by Office Communications Server, a single domain in a single tree, is a common configuration in smaller organizations.
The following diagram illustrates an Office Communications Server deployment in a single domain Active Directory topology.
Another Active Directory topology supported by Office Communications Server is a single forest that consists of a root domain and one or more child domains. In this type of Active Directory topology, the domain where you create users can be different from the domain where you deploy Office Communications Server. However, an Enterprise pool must be deployed within a single domain. Office Communications Server support for Windows Universal administrator groups enables cross-domain administration.
The following diagram illustrates an Office Communications Server deployment in a single forest with multiple domains. This diagram illustrates user accounts within the same domain as the Office Communications Server pool, user accounts in a different domain from the Office Communications Server pool, and user accounts in a child domain of the domain with the Office Communications Server pool.
A multiple-tree forest topology consists of two or more root domains that define independent tree structures and separate DNS namespaces.
The following diagram illustrates a single forest with multiple trees. This diagram illustrates user accounts that are homed in the same domain as the Office Communications Server pool, user accounts that are homed in a different domain from the Office Communications Server pool, and user accounts that are homed in a different tree from the Office Communications Server pool. In this diagram, the heavy, dashed lines illustrate user accounts that are homed in a different tree from the Office Communications Server pool.
Office Communications Server 2007 R2 supports multiple forests that are configured in a central forest topology. Central forest topologies use Contact objects in the central forest to represent users in the other forests. Microsoft Identity Integration Server (MIIS) manages the lifecycle of user accounts within the organization: when a new user account is created in one of the forests or a user account is deleted from a forest, MIIS synchronizes the corresponding Contact representation in the central forest.
A central forest has the following advantages:
- Servers running Office Communications Server are centralized within a single forest.
- Users can search for and communicate with other users in any forest.
- Users can view other users’ presence in any forest.
- MIIS automates the addition and deletion of Contact objects in the central forest as user accounts are created and removed.
The following is a disadvantage of a central forest topology:
- Contact objects must be SIP enabled in the central forest.
The following diagram illustrates a central forest topology. In this diagram, there are two-way trust relationships between the domain that hosts Office Communications Server, which is in the central forest, and each of the user-only domains, which are in separate forests. The schema in the separate user forests does not need to be extended.
In a resource forest topology, one forest is dedicated to running server applications, such as Microsoft® Exchange Server and Office Communications Server. The resource forest hosts the server applications but no logon-enabled user accounts. The other forests are user forests: they host enabled user accounts but no servers. The user forests have a forest-level trust relationship with the resource forest. When you deploy Office Communications Server in this type of topology, you create one disabled user account in the resource forest for every user account in the user forests. If Exchange Server is already deployed in the resource forest, the disabled user accounts might already exist; for example, the accounts may already have been created in the resource forest and enabled for Exchange mailboxes. Before users can use Office Communications Server, the user accounts in the resource forest must be enabled for the Office Communications Server service.
This topology can be used to retain an existing Active Directory forest or to separate the administration of Active Directory objects from other administration. Companies that need to isolate Active Directory administration for security reasons often choose this topology.
This topology provides the benefit of limiting the need to extend the Active Directory schema to a single forest (the resource forest).
The following diagram illustrates a resource forest topology.
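A reconciliation check for the resource forest model described above, written here as an added example (it is not code from the original page or from the product). It assumes constructed directory data and a linking attribute that ties each disabled resource-forest account to the SID of its owning user-forest account (in OCS this is the msRTCSIP-OriginatorSid attribute, which the page itself does not name); the check flags accounts that are logon-enabled in the resource forest, resource accounts whose source user no longer exists, and user-forest accounts that have no counterpart.

```python
# Added example: reconcile a resource-forest deployment against its user forests.
# All data is constructed. The attribute linking a resource-forest account to its
# owner is an assumption (OCS uses msRTCSIP-OriginatorSid; simplified to originatorSid).

ACCOUNTDISABLE = 0x2  # userAccountControl bit that marks a disabled account

# Constructed sample: user forests hold the logon-enabled accounts, no servers.
USER_FORESTS = {
    "contoso.com": [{"sam": "alice", "sid": "S-1-5-21-1-1-1001"},
                    {"sam": "bob",   "sid": "S-1-5-21-1-1-1002"}],
    "fabrikam.com": [{"sam": "carol", "sid": "S-1-5-21-2-2-2001"}],
}

# Constructed sample: the resource forest should hold one disabled account per
# user-forest user. Here "bob" is wrongly enabled and "dave" has no source user.
RESOURCE_FOREST = [
    {"sam": "alice", "userAccountControl": 0x202, "originatorSid": "S-1-5-21-1-1-1001"},
    {"sam": "bob",   "userAccountControl": 0x200, "originatorSid": "S-1-5-21-1-1-1002"},
    {"sam": "dave",  "userAccountControl": 0x202, "originatorSid": "S-1-5-21-9-9-9001"},
]


def reconcile(user_forests, resource_forest):
    """Return (finding, account) pairs for accounts that break the resource-forest model."""
    findings = []
    source_sids = {u["sid"] for users in user_forests.values() for u in users}
    linked = set()
    for acct in resource_forest:
        sid = acct.get("originatorSid")
        if not acct["userAccountControl"] & ACCOUNTDISABLE:
            # A logon-enabled account in the resource forest defeats the isolation
            # the topology is chosen for; only the user forests should host logons.
            findings.append(("enabled_in_resource_forest", acct["sam"]))
        if sid not in source_sids:
            # Orphan: the owning user-forest account was deleted but the shadow stayed.
            findings.append(("orphaned_resource_account", acct["sam"]))
        else:
            linked.add(sid)
    for forest, users in user_forests.items():
        for u in users:
            if u["sid"] not in linked:
                # User exists in a user forest but cannot be enabled for OCS yet.
                findings.append(("missing_resource_account", f"{u['sam']}@{forest}"))
    return findings


if __name__ == "__main__":
    for finding, account in reconcile(USER_FORESTS, RESOURCE_FOREST):
        print(f"{finding}: {account}")
```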