Running Domain Preparation


Topic Last Modified: 2011-04-11

Domain preparation is the final step in preparing Active Directory Domain Services (AD DS) for Microsoft Lync Server 2010. The domain preparation step adds the necessary access control entries (ACEs) to universal groups that grant permissions to host and manage users within the domain. Domain preparation creates ACEs on the domain root and three built-in containers: User, Computers, and Domain Controllers.

If you are migrating from Office Communications Server 2007 R2 to Lync Server 2010, the Lync Server Deployment Wizard may indicate that domain preparation is already complete. You do not need to run domain preparation again. Permissions were not changed from Office Communications Server 2007 R2 to Lync Server 2010.

You can run domain preparation on any computer in the domain where you are deploying Lync Server. You must prepare every domain that will host Lync Server or users.

If permissions inheritance is disabled or authenticated user permissions are disabled in your organization, you must perform additional steps during domain preparation. For details, see Preparing a Locked-Down Active Directory Domain Services.

If your organization uses organizational units (OU) instead of the three built-in containers (that is, Users, Computers, and Domain Controllers), you must grant read access to the OUs for the Authenticated Users group. Read access to the containers is required for domain preparation. If the Authenticated Users group does not have read access to the OU, run the Grant-CsOuPermission cmdlet as illustrated in the following code examples to grant read permissions for each OU.

Grant-CsOuPermission -ObjectType <User | Computer | InetOrgPerson | Contact | AppContact | Device> -OU <DN of the OU > 
Grant-CsOuPermission -ObjectType "user","contact",inetOrgPerson" -OU "ou=Redmond,dc=contoso,dc=net"

For details about the Grant-CsOuPermission cmdlet, see the Lync Server Management Shell documentation.

For details about the ACEs created on the domain root and in the Users, Computers, and Domain Controllers containers, see Changes Made by Domain Preparation.