
Understanding Live Communications Server 2005 GPO Settings

Client management and meeting client management goals as set forth by the executive and managing sponsor(s) supporting the LCS investment are perhaps some of the more complex tasks that an administrator will have to perform. Through the Group Policy feature of Active Directory, and through the administrative template, rtcclient.adm, included in LCS 2005 with SP1, this process greatly reduces the need to go desktop to desktop to meet some of the requirements. Additionally, Microsoft Office Communicator comes with its own template, communicator.adm. In this section, the configuration settings of the default rtcclient.adm file are covered at a high level. This template can be applied either to the local system policy, through GPEdit.msc, or through an Active Directory Group Policy object. Because this chapter focuses on Active Directory, this section concentrates on using the Active Directory Group Policy Object Editor to make the administrative changes allowed through the administrative template and your organization's investment in Active Directory and Live Communications Server 2005 with Service Pack 1. If your organization has implemented the Group Policy Management Console, the steps to create a GPO are similar. At the end of the section, a brief example of this is included.

In instances where resource forests are used, the Group Policy object needs to be configured in the same domain in which the workstation and user account are located. If the workstation is not a member of a domain, Group Policy will not be applied for either the user configuration settings or the computer configuration settings.

Using the rtcclient.adm Administrative Template

The rtcclient.adm template reviewed in this section is included as part of LCS 2005 with Service Pack 1. This is the default template used for administering Windows Messenger 5.x clients within the Active Directory environment.
The rtcclient.adm administrative template is installed in the %windir%\inf directory when either LCS 2005 Enterprise or Standard Edition is installed on a server, and when the LCS 2005 administration tools are installed on a workstation or server. Generally this directory is C:\windows\inf or C:\winnt\inf. This section begins with a table listing the settings associated with this template. After a description of the settings, the section provides a brief description of what the template feature allows the administrator to perform.

The Computer Configuration Settings modify policy registry keys and registry values in the following path:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MessengerClient

Likewise, the User Configuration Settings modify policy registry keys and registry values in the following path:

HKEY_CURRENT_USER\Software\Policies\Microsoft\MessengerClient

82 Chapter 4



6. Scroll down to select Service Location (SRV).
7. Click the Create Record button.
8. The New Resource Record window will open, as shown in Figure 4-9.

Figure 4-9

9. In the Service field, type _SIPINTERNALTLS.
10. Leave the Protocol field as _TCP and enter the protocol port as 5061.
11. In the Host offering this service field, enter the name of the host.
12. Click OK.

Deploying LCS in Multiple Domains

While most LCS deployments for single domains are accomplished in labs and proof-of-concept environments, in the real world most organizations have multiple domain name spaces due to separation of entities, purpose of the domain (test, development, production, and so on), or security reasons. Using an LCS director, you can support multiple SIP URIs and multiple domains for automatic configuration using the certificate Subject Alternative Name. The Subject Alternative Name is a field property of the certificate that can be set when ordering your certificate and completing the certificate provisioning process. Figure 4-10 shows a sample certificate with the Subject Alternative Name.



Figure 4-10

You may already be familiar with the Common Name or Friendly Name of a certificate. If not, it's the primary name of the certificate. The client using a defined SIP URI such as user@company2.com with autoconfig is looking for a matching DNS record for company1.com. The same goes for user@company3.com and user@company4.com. However, suppose that the primary use of this LCS deployment is for user@company.com and this type of convoluted deployment is going to leverage one LCS environment for these multiple domains, SIP namespaces, and SIP URIs. In this case, you set the certificate for your LCS director's TLS listening address on port 5061. Apply the certificate with a Server Authentication EKU and a common/friendly name of lcs.company.com (which matches the DNS host record for this entry). Then, in the Subject Alternative Name field, re-enter the original name, lcs.company.com, and add your company2.com, company3.com, and company4.com entries. Then you are set and can enable multiple SIP URIs and namespaces for one entry, one port.

LCS DNS Best Practices

The following items highlight DNS best practices when deploying LCS:

- Deploy LCS within a central or resource forest if available. Having a solid, controlled, centrally managed infrastructure will speed up the deployment process.
- Choose a simple SIP URI. The SIP (Session Initiation Protocol) URI (Uniform Resource Identifier) is the ID that your users will use to log in to Communicator or Windows Messenger 5.1. Using the organization's e-mail address is the most common choice for the SIP URI and results in easier deployment of DNS host A records.
- Always verify your records before you install and deploy LCS. Make sure that you have the appropriate DNS host A records and SRV records applied.

81 Preparing Your Environment for Live Communications Server 2005



automatic configuration, you will need to create a DNS SRV record to enable the client to sign in to the LCS service using the TLS protocol. If you enable only TCP connectivity to your LCS environment, you will need to create a DNS SRV record for the TCP connection. The following table outlines the required DNS SRV records based upon the transport and client application used:

LCS Use     Protocol   Example of DNS SRV Record             Client Application Type
Internal    TCP        _SIPINTERNAL._TCP.COMPANY.COM         Communicator
Internal    TCP        _SIP._TCP.COMPANY.COM                 Windows Messenger 5.1
Internal    TLS        _SIPINTERNALTLS._TCP.COMPANY.COM      Communicator
Internal    TLS        _SIP._TLS.COMPANY.COM                 Windows Messenger 5.1
External    TLS        _SIP._TLS.COMPANY.COM                 Both
Federation  TLS        _SIPFEDERATIONTLS._TCP.COMPANY.COM    Communicator

The following steps demonstrate an example of creating a DNS SRV record for an internal TLS connection for Microsoft Office Communicator:

1. Log in to a server that has access to the DNS server that resides within your LCS infrastructure.
2. From the Windows Start menu, select All Programs > Administrative Tools, and click DNS (refer to Figure 4-6).
3. Expand the tree menu on the left to display the domain to which you are deploying LCS.
4. From the Actions menu, select Other New Records (refer to Figure 4-7).
5. The Resource Record Type window will open, as shown in Figure 4-8.

Figure 4-8
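The SRV table above and the multi-domain certificate guidance in this chapter (a Subject Alternative Name entry for each extra SIP domain served by one director) together describe the lookup an autoconfig client performs. The following Python script is an added example, not from the book, that checks a record set against those rules offline before deployment; its record sets, addresses and certificate names are constructed sample data, and the SAN rule it applies is an assumption modelled on the chapter's guidance.

```python
# Added example, not from the book: an offline pre-deployment check that walks the same
# lookup an LCS 2005 autoconfig client performs. Sample records and certificate names
# below are constructed; for a real zone, feed in resolver output instead.

# SRV name prefixes keyed by (use, transport, client), as listed in the chapter's table.
SRV_NAMES = {
    ("internal", "TCP", "Communicator"): "_sipinternal._tcp",
    ("internal", "TCP", "Windows Messenger 5.1"): "_sip._tcp",
    ("internal", "TLS", "Communicator"): "_sipinternaltls._tcp",
    ("internal", "TLS", "Windows Messenger 5.1"): "_sip._tls",
    ("external", "TLS", "Both"): "_sip._tls",
    ("federation", "TLS", "Communicator"): "_sipfederationtls._tcp",
}
TLS_PORT = 5061  # the director's TLS listening port, as the chapter configures it


def sip_domain(sip_uri):
    """The client queries the part of the sign-in name after the '@'."""
    if "@" not in sip_uri:
        raise ValueError(f"not a SIP URI: {sip_uri!r}")
    return sip_uri.rsplit("@", 1)[1].lower()


def required_srv_name(sip_uri, use, transport, client):
    """SRV owner name the client looks up, e.g. _sipinternaltls._tcp.company.com."""
    return f"{SRV_NAMES[(use, transport, client)]}.{sip_domain(sip_uri)}"


def verify_autoconfig(sip_uri, use, transport, client, srv_records, a_records, cert_names=()):
    """Return a list of problems (empty means autoconfig should succeed).
    srv_records: {owner name: [(priority, weight, port, target), ...]};
    a_records: {host FQDN: [IP, ...]}; cert_names: CN plus SAN entries of the listener cert."""
    problems = []
    domain = sip_domain(sip_uri)
    name = required_srv_name(sip_uri, use, transport, client)
    entries = srv_records.get(name, [])
    if not entries:
        return [f"no SRV record {name}"]
    names = {n.lower() for n in cert_names}
    for _priority, _weight, port, target in sorted(entries):
        target = target.lower()
        if not a_records.get(target):  # the SRV target must resolve via a host A record
            problems.append(f"SRV target {target} has no host A record")
        if transport != "TLS":
            continue
        if port != TLS_PORT:
            problems.append(f"{name} points at port {port}, TLS listener expected on {TLS_PORT}")
        if target not in names:
            problems.append(f"certificate does not name SRV target {target}")
        # A SIP domain served by another domain's director needs its own SAN entry
        # (assumption modelled on the chapter's Subject Alternative Name guidance).
        if domain not in names and not target.endswith("." + domain):
            problems.append(f"certificate lacks SAN entry for SIP domain {domain}")
    return problems


# Constructed sample data: one director, lcs.company.com, serving several SIP domains.
SAMPLE_SRV = {
    "_sipinternaltls._tcp.company.com": [(0, 0, 5061, "lcs.company.com")],
    "_sipinternal._tcp.company.com": [(0, 0, 5060, "lcs.company.com")],
    "_sipinternaltls._tcp.company2.com": [(0, 0, 5061, "lcs.company.com")],
    "_sipinternaltls._tcp.company3.com": [(0, 0, 5061, "lcs.company3.com")],  # no A record
}
SAMPLE_A = {"lcs.company.com": ["192.0.2.10"]}
SAMPLE_CERT = {"lcs.company.com", "company2.com"}  # CN re-entered in the SAN, plus company2.com
```

Running verify_autoconfig for user@company3.com against the sample data reports both the missing host A record for lcs.company3.com and the certificate that does not name it, which is the kind of gap the "verify your records first" best practice is meant to catch.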



3. Expand the tree menu on the left to display the domain in which you are deploying LCS.
4. From the Actions menu, select New Host (A), as shown in Figure 4-7.

Figure 4-7

5. The New Host window will open (refer to Figure 4-5).
6. In the Name field, enter the name of the LCS server or the LCS pool name. Enter just the name of the server or pool, not the FQDN of the pool or server. The grayed-out FQDN field will automatically create the FQDN for you.
7. In the IP address field, enter the address as follows:
   - If the DNS host A record is for a server, enter the IP address of the server.
   - If the DNS host A record is for a pool, enter the IP address of either the load balancer or an LCS pool server, depending on whether you have deployed only one pool server or a load-balanced pool.
8. Click the Add Host button.

DNS SRV Records

To complete the automatic configuration process, DNS SRV records must be applied within DNS. The purpose of a DNS SRV record is to assign a specific protocol for the connection. As an example, most of us know of Transmission Control Protocol (TCP). TCP is a specific protocol that is used to send data packets. Transport Layer Security (TLS) is another protocol used to send data packets over a secured connection. SRV records provide actual network service records to enable you to find network resources within a specific domain based on the connection or protocol type. LCS uses DNS SRV records for automatic configuration so that when the client performs its DNS query and finds the associated DNS host A record, the client will be connected to a DNS SRV record to identify the protocol that the client will use to communicate between users. If you enable TLS within your LCS infrastructure and you are using



Figure 4-5

To create a DNS host A record for your server or pool, complete the following steps:

1. Log in to a server that has access to the DNS server that resides within your LCS infrastructure.
2. From the Windows Start menu, select All Programs > Administrative Tools, and click DNS (see Figure 4-6).

Figure 4-6



Figure 4-3

When you create a DNS host A record, the key properties you fill out are the name and IP address of the record. When creating a DNS host A record for an LCS server, you create the record and give it the name of the server. The fully qualified domain name (FQDN) of the server should match the FQDN field of the record, as shown in Figure 4-4.

Figure 4-4

When creating a DNS host A record for an LCS pool, you create the record and give it the name of the pool. The fully qualified domain name (FQDN) of the pool should match the FQDN field of the record, as shown in Figure 4-5.

(Figure 4-3 diagram labels: LCS 2005 SP1 Environment; Active Directory; DNS; client is signed in; DNS service routes communication to LCS environment; performs DNS lookup for SIP URI alias @company.com)



An example of this is the RTCUserSearchPropertySet, which is located in the Extended Rights container. The Extended Rights container is a subordinate of the Configuration container for the forest. The RTCUserSearchPropertySet contains information about the user, including the user's name and SIP URI. This object is used by administrators and end users alike. The well-known security principal Authenticated Users has a default read ACL assigned to it. This is what allows users to search for other LCS-enabled users in the forest. The search methodology differs slightly where the Address Book Service has been deployed. In addition to allowing users to search for other SIP-enabled users, this key also allows the server to search for users and their SIP URI, enabling users to authenticate.

Because the domain global groups used to administer LCS implementations in the domain are not from a well-known GUID, do not rename the group or move it out of the Users container. If, for whatever reason, one of the global groups is deleted accidentally, insert the LCS 2005 with SP1 CD and rerun the Prep Domain command. If a group is missing, then the Prep Domain command will not have the checkmark. Instead, it will be blue and can be selected. Optionally, you can use the command-line tool:

<drive>:\Setup\I386>LcsCmd /domain /action:DomainPrep

This command will rerun the Prep Domain, creating the missing groups, and it will re-apply the domain ACLs and ACEs to that group. Local permissions may need to be changed.

Implementing Domain Add to Forest Root

Whenever a forest contains multiple domains, the Domain Add to Forest Root procedure needs to be performed. This function sets permissions for the child domain to enable access to objects in the forest root domain. This process grants permissions in the forest root to child domain administrators, child domain servers and Enterprise pools, and message queues so that they can access Live Communications Server information stored in the root.
To perform the Domain Add to Forest Root, you must have Domain Admins access in the child domain and Enterprise Admins access in the forest root domain. The Domain Add to Forest Root function is available through the deployment tool. Optionally, the command-line tool, LcsCmd.exe, can be used to perform the Domain Add to Forest Root. Note that in the following example, forest.local signifies the forest domain and domain.forest.local signifies the child domain:

<drive>:\Setup\I386>LcsCmd /domain:forest.local /action:DomainAdd /refdomain:domain.forest.local

Working with Resource Forest and Multi-Forest Scenarios

Some organizations maintain several forests used primarily for resources, with one of the forests being utilized for user accounts. Generally these are found in larger organizations. These forests are remnants of upgraded NT4 domains, and the domains have not been collapsed. Some organizations make the conscious choice to keep their applications and their user accounts separate. Either way, it works well for the organization, and Microsoft has recognized this.

While this is not relevant to the Prep Domain, it is important to mention that in some hosted LCS scenarios, or scenarios in which access to some domains in an enterprise forest is restricted, some papers may advise adding a Deny to the Authenticated Users ACL. Do not add a Deny to the ACL, as a Deny is explicit and could both prevent users from logging in and prevent administrators from making changes.



Tools such as Microsoft Identity Integration Server (MIIS) and the MIIS Active Directory Identity Integration Feature Pack (IIFP) may be utilized to synchronize a user account in one forest with a user account or contact object in another forest. Microsoft has put together a great document regarding this centralized, or resource forest, model. Within the LCS 2005 with SP1 Resource Kit is a directory, C:\Program Files\Microsoft LC 2005\ResKit\LcsSync, that contains documentation and example XML files for implementing the resource forest model utilizing MIIS. The resource kit contains a document that provides guidance for implementing this model. This document, Deploying_in_a_Multiple_Forest_Environment.doc, is also located in the LcsSync directory along with the example XML files mentioned.

Live Communications Server 2005 SP1 and DNS

LCS uses DNS to enable automatic connectivity to LCS Standard Edition or Enterprise Edition servers without manually configuring the client to communicate with a specific Internet Protocol (IP) address or fully qualified domain name (FQDN) of a server. LCS also uses DNS to enable federation and Public Instant Messaging Connectivity (PIC) to provide communication between LCS Access Proxy servers, as mentioned in Chapter 1. To enable automatic configuration of the Microsoft Office Communicator 2005 client, you need to create the appropriate DNS records to identify the servers and protocols used to connect the client to the specified LCS server. This section identifies the required DNS records used by LCS to ensure a successful deployment.

DNS Host A Records

When installing LCS, the initial steps to deploy the software include preparing your Active Directory for LCS. In doing so, you will update the Active Directory schema, create new LCS properties and accounts within the Active Directory domain and forest, and create an LCS pool (if using LCS Enterprise Edition).
When you create the LCS pool or install an LCS Standard Edition server, you need to have a DNS host A record for the pool available in DNS prior to this step, or you will receive a warning in your LCS installation log file. This does not prevent you from creating an LCS pool or server, but you will still need to create the record before Communicator 2005 automatic configuration will work. The client, when enabled with automatic configuration, will perform a DNS query, searching for the name of the server or pool in DNS. If the host A record is not present, the client will not be able to sign in to the service. The query is performed using a lookup of the data after the @ sign in the user's sign-in name. For example, if the user's sign-in name is john.doe@company.com, the client will look for a corresponding DNS host A record for company.com. Figure 4-3 displays the flow of the client querying DNS for the host A record of the LCS server or pool.

To enable automatic configuration and to create a DNS host A record for your LCS server or pool, you must create a record like the following:

Company Name = ConnectedInnovation.com
DNS A Host Record for a pool = LCS.ConnectedInnovation.com
DNS A Host Record for a Server = Server1.ConnectedInnovation.com



Implementing Prep Forest

The Prep Forest command, also referred to as ForestPrep, readies the Active Directory forest to support Live Communications Server with Service Pack 1. Like the Prep Schema command, the Prep Forest command only needs to be run once in the Active Directory forest. To prepare the Active Directory forest to support Live Communications Server with Service Pack 1, the account being used to prepare the forest must be a member of the Enterprise Admins group and should also be a member of the built-in local Administrators group for the forest root domain. As mentioned in the preceding section, there may be scenarios in which only a single domain exists within an enterprise environment.

During the Prep Forest, a new container named RTC Service, of the type msRTCSIP-Service, is added to the System\Microsoft container within Active Directory. If the Microsoft container does not already exist, it is created as part of the Prep Forest function. The RTC Service container will hold the LCS configuration information for the forest, SIP domains hosted in the forest, LCS pools, and LCS servers. To see this change, click View > Advanced Features within Active Directory Users and Computers. These changes can be seen in Figure 4-2.

Figure 4-2

Below the RTC Service container are two additional containers: a Global Settings container of the type msRTCSIP-GlobalContainer, and Pools, of the type msRTCSIP-Pools. Subordinate to the Global Settings container is a GUID of type msRTCSIP-Domain. While this might not make sense at first glance, this GUID actually references the forest root domain, and is the first SIP domain. You can see the domain that this represents by launching the LCS 2005 administration tools (Start > All Programs > Administration Tools > Live Communications Server 2005) and right-clicking on the forest. In addition, once your LCS servers and Enterprise pools have been configured, the msRTCSIP-TrustedServer objects will be stored there as well.
Other items, which may not be readily noticeable, are added to the Configuration container for the Active Directory. An example of this is the addition of a GUID, {AB255F23-2DBD-4bb6-891D-38754AC280EF}, to the User-Display properties located under the Configuration container. In this example, the Configuration