Active Directory Domain Services for Skype for Business Server 2015

Skype for Business Server 2015

Last modified: 2016-04-06

Active Directory Domain Services functions as the directory service for Windows Server 2003, Windows Server 2008, Windows Server 2012, and Windows Server 2012 R2 networks. Active Directory Domain Services also serves as the foundation on which the Skype for Business Server 2015 security infrastructure is built. The purpose of this section is to describe how Skype for Business Server 2015 uses Active Directory Domain Services to create a trustworthy environment for IM, Web conferencing, media, and voice. For details about preparing your environment for Active Directory Domain Services, see Install Skype for Business Server 2015 in the Deployment documentation. For details about the role of Active Directory Domain Services in Windows Server networks, see the documentation for the version of the operating system you are using.

Skype for Business Server 2015 uses Active Directory Domain Services to store:

  • Global settings that all servers running Skype for Business Server 2015 in a forest require.

  • Service information that identifies the roles of all servers running Skype for Business Server 2015 in a forest.

  • Some user settings.

Infrastructure requirements for Active Directory include the following:

  • Operating system requirements for domain controllers

  • Domain and forest functional level requirements

  • Global catalog domain requirements

For details, see Environmental requirements for Skype for Business Server 2015 in the Deployment documentation.

During preparation of the forest, Skype for Business Server 2015 creates various universal groups within Active Directory Domain Services that have permission to access and manage global settings and services. These universal groups include:

  • Administrative groups. These groups define the fundamental administrator roles for a Skype for Business Server network. During forest preparation, these administrator groups are added to Skype for Business Server infrastructure groups.

  • Service groups. These groups are service accounts that are required to access various services provided by Skype for Business Server.

  • Infrastructure groups. These groups provide permission to access specific areas of the Skype for Business Server infrastructure. They function as components of administrative groups, and you should not modify them or add users to them directly. During forest preparation, specific service and administration groups are added to the appropriate infrastructure groups.

For details about the specific universal groups created when preparing AD for Skype for Business Server, as well as the service and administration groups that get added to the infrastructure groups, see Changes made by forest preparation in Skype for Business Server in the Deployment documentation.

Skype for Business Server 2015 supports universal groups in the Windows Server 2012 and Windows Server 2003 operating systems for domain controllers. Members of universal groups can include other groups and accounts from any domain in the domain tree or forest and can be assigned permissions in any domain in the domain tree or forest. Universal group support, combined with administrator delegation, simplifies the management of a Skype for Business Server deployment. For example, it is not necessary to add one domain to another to enable an administrator to manage both.

In addition to creating universal service and administration groups and adding service and administration groups to the appropriate universal groups, forest preparation also creates Role-Based Access Control (RBAC) groups. For details about the specific RBAC groups created by forest preparation, see Changes made by forest preparation in Skype for Business Server in the Deployment documentation. For more information about RBAC groups, see Role-based access control (RBAC) for Skype for Business Server 2015.

Forest preparation creates both private and public ACEs, adding ACEs for the universal groups it creates. It creates specific private ACEs on the global settings container used by Skype for Business Server. This container is used only by Skype for Business Server and is located either in the Configuration container or the System container in the root domain, depending on where you store global settings.

The domain preparation step adds the necessary access control entries (ACEs) to universal groups that grant permissions to host and manage users within the domain. Domain preparation creates ACEs on the domain root and three built-in containers: User, Computers, and Domain Controllers.

For details about the public ACEs created and added by forest preparation and domain preparation, see Changes made by forest preparation in Skype for Business Server and Changes made by domain preparation in Skype for Business Server in the Deployment documentation.

Organizations often lock down Active Directory Domain Services (AD DS) to help mitigate security risks. However, a locked-down Active Directory environment can limit the permissions that Skype for Business Server 2015 requires. This can include removal of ACEs from containers and OUs and disabling of permissions inheritance on User, Contact, InetOrgPerson, or Computer objects. In a locked-down Active Directory environment, permissions must be set manually on containers and OUs that require them.
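One way to find the OUs that need manual permissions in a locked-down forest, as an added example that is not part of the original documentation. It assumes the Skype for Business Server Management Shell (for `Test-CsOUPermission`) and the ActiveDirectory RSAT module; the function name `Test-LockedDownOu` and the search base are hypothetical.

```powershell
# Added example, not Microsoft's code. Test-LockedDownOu is a hypothetical helper.
# Assumption: 'OU=Staff,DC=contoso,DC=example' is a placeholder for your own OU subtree.

Import-Module ActiveDirectory -ErrorAction Stop

function Test-LockedDownOu {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        # Object types named in the lock-down paragraph above.
        [string[]] $ObjectType = @('User', 'Computer', 'Contact', 'InetOrgPerson')
    )
    foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase) {
        $dn  = $ou.DistinguishedName
        # AD: drive comes from the ActiveDirectory module; the ACL shows whether
        # inheritance has been switched off on this OU.
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($type in $ObjectType) {
            [pscustomobject]@{
                OU                 = $dn
                ObjectType         = $type
                InheritanceBlocked = $acl.AreAccessRulesProtected
                # True when the ACEs the product needs are present on this OU.
                PermissionsPresent = [bool](Test-CsOUPermission -OU $dn -ObjectType $type)
            }
        }
    }
}

# Report only the OU / object-type pairs where the required ACEs are missing.
Test-LockedDownOu -SearchBase 'OU=Staff,DC=contoso,DC=example' |
    Where-Object { -not $_.PermissionsPresent } |
    Format-Table -AutoSize

# Remediate each reported row with: Grant-CsOUPermission -OU <dn> -ObjectType <type>
```

Rows where `InheritanceBlocked` is true and `PermissionsPresent` is false are the OUs on which the ACEs must be granted by hand.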

During activation, Skype for Business Server 2015 publishes server information to the following three locations in Active Directory Domain Services:

  • A service connection point (SCP) on each Active Directory computer object corresponding to a physical computer on which Skype for Business Server 2015 is installed.

  • Server objects created in the container of the msRTCSIP-Pools class.

  • Trusted servers specified in Topology Builder.

Each Skype for Business Server 2015 object in Active Directory Domain Services has an SCP called RTC Services, which in turn contains a number of attributes that identify each computer and specify the services that it provides. Among the more important SCP attributes are serviceDNSName, serviceDNSNameType, serviceClassname, and serviceBindingInformation. Third-party asset management applications can retrieve server information across a deployment by querying against these and other SCP attributes.
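The same SCP query can serve as an inventory check: list every RTC Services SCP and compare it with the servers you expect to exist. The following is an added example, not code from the original documentation; `Get-RtcScp`, `Find-ScpDrift` and the host names are hypothetical, and it assumes serviceDNSName holds the server's FQDN.

```powershell
# Added example, not Microsoft's code. Find-ScpDrift and all host names are hypothetical.
# Assumption: serviceDNSName on each SCP carries the FQDN of the server it describes.

function Get-RtcScp {
    # Live query; needs the ActiveDirectory (RSAT) module and a domain-joined session.
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADObject -LDAPFilter '(&(objectClass=serviceConnectionPoint)(cn=RTC Services))' `
        -Properties serviceDNSName, serviceDNSNameType, serviceClassName, serviceBindingInformation
}

function Find-ScpDrift {
    param(
        [Parameter(Mandatory)] [object[]] $Scp,          # Get-RtcScp output or sample data
        [Parameter(Mandatory)] [string[]] $ExpectedFqdn  # servers you deployed on purpose
    )
    $seen = @()
    foreach ($s in $Scp) {
        $fqdn = [string]$s.serviceDNSName
        $seen += $fqdn
        if ($ExpectedFqdn -notcontains $fqdn) {
            # An SCP advertises a server that is not on the expected list.
            [pscustomobject]@{
                Finding  = 'UnexpectedScp'
                Fqdn     = $fqdn
                # The SCP's parent is the computer object it was published on.
                Computer = ($s.DistinguishedName -split '(?<!\\),', 2)[1]
            }
        }
    }
    foreach ($e in $ExpectedFqdn) {
        if ($seen -notcontains $e) {
            # An expected server has no SCP: not activated, or the SCP was removed.
            [pscustomobject]@{ Finding = 'MissingScp'; Fqdn = $e; Computer = $null }
        }
    }
}

# Constructed sample standing in for Get-RtcScp output, so the check runs offline.
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'CN=RTC Services,CN=FE01,OU=SfB,DC=contoso,DC=example'
                       serviceDNSName    = 'fe01.contoso.example' }
    [pscustomobject]@{ DistinguishedName = 'CN=RTC Services,CN=LAB07,CN=Computers,DC=contoso,DC=example'
                       serviceDNSName    = 'lab07.contoso.example' }
)
Find-ScpDrift -Scp $sample -ExpectedFqdn 'fe01.contoso.example', 'med01.contoso.example'
```

Against a live domain, pass `(Get-RtcScp)` as `-Scp` instead of the sample.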

Each Skype for Business Server 2015 server role has a corresponding Active Directory object whose attributes define the services provided by that role. Also, when a Standard Edition server is activated, or when an Enterprise Edition pool is created, Skype for Business Server 2015 creates a new msRTCSIP-Pool object in the msRTCSIP-Pools container. The msRTCSIP-Pool class specifies the fully qualified domain name (FQDN) of the pool, along with the association between the front-end and back-end components of the pool. (A Standard Edition server is regarded as a logical pool whose front and back ends are collocated on a single computer.)

In Skype for Business Server 2015, trusted servers are the ones specified when you run Topology Builder and publish your topology. The published topology, including all the server information, is stored in the Central Management store. Only servers defined in the Central Management store are trusted. In Skype for Business Server 2015, a trusted server is one that meets the following criteria:

If either of these criteria is missing, the server is not trusted and connection with it is refused. This double requirement prevents a possible, if unlikely, attack in which a rogue server attempts to take over a valid server’s FQDN.

Additionally, to enable Microsoft Office Communications Server 2007 R2 and Microsoft Office Communications Server 2007 deployments to communicate with Skype for Business Server 2015 servers, Skype for Business Server 2015 creates containers during forest preparation for holding lists of trusted servers for previous releases. The following table describes the containers created to enable compatibility with previous deployments.

Trusted Server Lists and Their Active Directory Containers for Compatibility with Previous Releases

| Trusted server list | Active Directory container |
| --- | --- |
| Standard Edition servers and Enterprise pool Front End Servers | RTC Service/Global Settings |
| Conferencing Servers | RTC Service/Trusted MCUs |
| Web Components Servers | RTC Service/TrustedWebComponentsServers |
| Mediation Servers and Communicator Web Access Servers, Application Server, Registrar with QoE, A/V Conferencing Service (also 3rd-party SIP servers) | RTC Service/Trusted Services |
| Proxy Servers | Skype for Business Server 2015 does not support backward compatibility for proxy servers |