Active directory preparation was not showing from child domain

  • Question

  • Hello All,

    We are in the middle of an OCS deployment in a single forest. We have prepared the schema, forest and domain, but while deploying OCS, the forest is showing as unprepared from the child domain; however, it is showing as prepared from the root domain.

    Environment.

    We have a root domain with 10 different trees and we are deploying OCS in one of the trees, but the solution will be used by other domains in future. We have the Windows 2003 functional level at the root domain while it is 200 in the child domain where we are deploying the solution. Any early solution will be most appreciated.


    HCL OCS Team
    Monday, February 2, 2009 1:38 PM

All replies

  • Have you verified that AD replication (10 trees w/ 200 domains is very large) has successfully propagated all changes?  In an environment that size I'd easily wait a couple hours between Forest and Domain prep steps just for good measure.

    Do you perform the domain prep steps on a member of the child domain where you plan to have OCS installed, or were all 3 prep steps run against the root domain only?
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Monday, February 2, 2009 6:22 PM
    Moderator
  • Hello,

    We have already waited for a long time and are sure that this is not a replication problem. Also, we have done the Active Directory preparation on the child domain, so this is not the case either.

    One thing which is coming to my mind is that the child domain functional level is Windows 2000 native while the root domain's functional level is Windows 2003. Will this make any impact?

    Also, to check the delegation: we are part of the groups below
    RTCUniversalServerAdmins
    RTCUniversalUserReadOnlyGroup
    RTCUniversalServerReadOnlyGroup
    RTCUniversalGlobalWriteGroup
    RTCUniversalGlobalReadOnlyGroup

    Please let me know why we are still not able to see Active Directory as prepared; however, it is actually prepared at the root domain. Also, I need to inform you that we have a couple of Windows 2000 domain controllers.
    Tuesday, February 3, 2009 2:16 PM
  • Did you already run domain prep in all of the child domains? If I’m not misunderstanding, you ran the schema in one of your ten forests. Then you ran forest prep in the root domain and then you did the domain prep in the root domain; at this step you are OK. Then when you tried to run domain prep in one of the child domains, you can’t see the forest prep done anymore, am I right?

    Try to run the domain prep in all child domains. Have you ever validated the creation of objects by the forest prep once it is done from the root domain?
    Do you have any lock-down structure of AD in your child domains?

    Here are some extracts of OCS_ADGuide.doc; maybe they can help with something. Validate the infrastructure requirements.

    Greets!


    Prep Forest Overview

    The Prep Forest step creates Office Communications Server objects in the forest root domain Systems container, if the default option is selected, or in the configuration container, if you choose. These objects contain global settings and information about your Office Communications Server deployment. Prep Forest also creates Office Communications Server objects in the configuration container, which contain property sets and display specifiers used by Office Communications Server.

    Prep Forest must be run once in each Active Directory forest where you plan to deploy Office Communications Server. For the specific steps and credentials required to run this procedure, see the Active Directory Preparation section later in this guide.

    Creates Active Directory global settings and objects

    Creates Active Directory groups used by Office Communications Server

    Active Directory Global Settings and Objects

    Prep Forest creates global settings and objects used by Office Communications Server, as follows:

    Creates the global settings in the Active Directory objects in either the system container of the root domain or the configuration container, based on the choice you select.

    If you choose to store global settings in the System container in the root domain (recommended), adds a new Microsoft container under System of the root domain and adds a new RTC Service object under the System\Microsoft object. If you choose to store global settings in the Configuration container of the root domain, the existing Services container is used, but adds a new RTC Service object under the Configuration\Services object.

    Adds Global Settings object of type msRTCSIP-GlobalContainer under the RTC Service object. The Global Settings object holds all settings that apply through the Office Communications Server 2007 deployment.

    Adds a new msRTCSIP-Domain object for the root domain in which Prep Forest is run. The domain can be specified in either command-line or GUI deployment.

    Active Directory Universal Service and Administration Groups

    Prep Forest also creates universal groups based on the domain you specify to host universal groups and adds access control entries (ACE) for these groups. Prep Forest creates the following:

    Universal groups in the User containers of the domain you specify to host universal groups used by Office Communications Server, as follows:

    Service groups

    RTCHSUniversalServices

    RTCComponentUniversalServices

    RTCArchivingUniversalServices

    RTCProxyUniversalServices

    RTCUniversalGuestAccessGroup grants users access to meeting content for conferences. This group is used by internal users with Active Directory credentials who are connecting remotely, as well as anonymous users who do not have Active Directory credentials.

    Administration groups

    RTCUniversalServerAdmins allows members to manage server and pool settings.

    RTCUniversalUserAdmins allows members to manage user settings and move users from one server or pool to another

    RTCUniversalReadOnlyAdmins allows members to read server, pool, and user settings.

    Infrastructure groups

    RTCUniversalGlobalWriteGroup grants write access to global setting objects for Office Communications Server.

    RTCUniversalGlobalReadOnlyGroup grants read-only access to global setting objects for Office Communications Server.

    RTCUniversalUserReadOnlyGroup grants read-only access to Office Communications Server user settings.

    RTCUniversalServerReadOnlyGroup grants read-only access to Office Communications Server settings. This group does not have access to pool-level settings, only settings specific to an individual server.

    Adds the administrator groups to the correct infrastructure groups:

    RTCUniversalServerAdmins is added to RTCUniversalGlobalReadOnlyGroup, RTCUniversalGlobalWriteGroup, RTCUniversalServerReadOnlyGroup, and RTCUniversalUserReadOnlyGroup.

    RTCUniversalUserAdmins is added as a member of RTCUniversalGlobalReadOnlyGroup, RTCUniversalServerReadOnlyGroup, and RTCUniversalUserReadOnlyGroup.

    RTCHSUniversalServices, RTCComponentUniversalServices and RTCUniversalReadOnlyAdmins are added as members of RTCUniversalGlobalReadOnlyGroup, RTCUniversalServerReadOnlyGroup, and RTCUniversalUserReadOnlyGroup.

    Prep Forest creates private ACEs on the global settings container used by Office Communications Server 2007. This container is used by Office Communications Server only and is located in the System container in the root domain or the configuration container (depending on the options you specify). The public ACEs created by Prep Forest are listed in the following table:

    Table 1.   ACEs added by Prep Forest

    Permission | RTCUniversalGlobalReadOnlyGroup
    Read root domain System Container (not inherited)* | X
    Read Configuration’s DisplaySpecifiers container (not inherited) | X

     

    *ACEs that are not inherited do not grant access to child objects under these containers. ACEs that are inherited grant access to child objects under these containers.

    Prep Forest performs the following tasks on the configuration container, under the configuration naming context.

    Adds an entry {AB255F23-2DBD-4bb6-891D-38754AC280EF} for the RTC property page under the adminContextMenu and adminPropertyPages attributes of the language display specifier for users, contacts, and InetOrgPersons (for example, CN=user-Display,CN=409,CN=DisplaySpecifiers).

    Adds an RTCPropertySet object of type controlAccessRight under Extended-Rights that applies to the User and Contact classes.

    Adds an RTCUserSearchPropertySet object of type controlAccessRight under Extended-Rights that applies to User, Contact, OU, and DomainDNS classes.

    Adds msRTCSIP-PrimaryUserAddress under the extraColumns attribute of each language organizational unit display specifier (for example, CN=organizationalUnit-Display,CN=409,CN=DisplaySpecifiers) and copies the values of the extraColumns attribute of the default display (for example, CN=default-Display, CN=409,CN=DisplaySpecifiers).

    Adds msRTCSIP-PrimaryUserAddress, msRTCSIP-PrimaryHomeServer, and msRTCSIP-UserEnabled filtering attributes under the attributeDisplayNames attribute of each language display specifier for Users, Contacts, and InetOrgPerson objects (for example, in English: CN=user-Display,CN=409,CN=DisplaySpecifiers).

    Infrastructure Requirements

    Before you prepare Active Directory for Office Communications Server 2007, ensure that your Active Directory infrastructure meets the following prerequisites.

    Domain controllers run Microsoft Windows® 2000 Server SP4 (Service Pack 4), Microsoft Windows Server® 2003 SP1, or Windows Server 2003 R2 or later operating systems. (Windows Server 2003 R2 is recommended).

    Global catalog servers run Windows 2000 Server SP4, Windows Server 2003 SP1, or Windows Server 2003 R2 or later. (Windows Server 2003 R2 is recommended).

    All domains in which you deploy Office Communications Server use Windows 2000 Server native mode or later operating system. You cannot deploy Office Communications Server in a mixed mode domain.
    Office Communications Server 2007 supports the native mode universal groups in the Microsoft Windows Server 2003 and Windows 2000 Server operating systems. Members of universal groups can include other groups and accounts from any domain in the domain tree or forest and can be assigned permissions in any domain in the domain tree or forest. Universal group support, combined with administrator delegation, simplifies managing an Office Communications Server 2007 deployment. For example, it is no longer necessary to add one domain to another in order to enable an administrator to manage both. Eliminating the domain-add requirement also simplifies deployment.

    Tuesday, February 3, 2009 4:37 PM
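
A read-only check of the objects that the Prep Forest extract in the last reply describes, added here as an example (it is not part of the thread or of Microsoft's guide). It assumes the RSAT ActiveDirectory PowerShell module and an account with read access to the forest root; the two `CN=RTC Service` distinguished names are built from the guide's description of the storage locations.

```powershell
# Added example: verify what Prep Forest should have created. Read-only.
# Assumption: RSAT ActiveDirectory module is installed on the machine running this.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$root     = $forest.RootDomain                                   # forest root DNS name
$rootDN   = (Get-ADDomain -Identity $root -Server $root).DistinguishedName
$configDN = (Get-ADRootDSE -Server $root).configurationNamingContext
$gc       = "$($forest.GlobalCatalogs[0]):3268"                  # any global catalog

# 1. RTC Service object: the guide names two possible locations
#    (System\Microsoft in the root domain, or Configuration\Services).
$locations = "CN=RTC Service,CN=Microsoft,CN=System,$rootDN",
             "CN=RTC Service,CN=Services,$configDN"
foreach ($dn in $locations) {
    try {
        $null = Get-ADObject -Identity $dn -Server $root -ErrorAction Stop
        $gs = Get-ADObject -SearchBase $dn -Server $root `
                -LDAPFilter '(objectClass=msRTCSIP-GlobalContainer)'
        "FOUND   $dn (msRTCSIP-GlobalContainer objects: $(@($gs).Count))"
    } catch {
        "MISSING or unreadable: $dn"
    }
}

# 2. Universal groups: existence, plus the nesting the guide lists
#    for RTCUniversalServerAdmins. Queried on a GC because the groups
#    live in whichever domain was chosen to host them.
$expected = 'RTCUniversalGlobalReadOnlyGroup', 'RTCUniversalGlobalWriteGroup',
            'RTCUniversalServerReadOnlyGroup', 'RTCUniversalUserReadOnlyGroup'
foreach ($g in $expected) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'" -Server $gc)) { "MISSING group $g" }
}

$admins = Get-ADGroup -Filter "Name -eq 'RTCUniversalServerAdmins'" `
            -Server $gc -Properties memberOf
if (-not $admins) {
    'MISSING group RTCUniversalServerAdmins'
} else {
    # Reduce each parent DN to its CN for comparison with the expected names.
    $parents = $admins.memberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }
    foreach ($g in $expected) {
        if ($parents -contains $g) { "OK      RTCUniversalServerAdmins is in $g" }
        else                       { "MISSING RTCUniversalServerAdmins is not in $g" }
    }
}
```

Running it once from a machine in the root domain and once from a machine in the child domain shows whether both see the same objects.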