container is part of a single forest/domain structure named domain.forest.local. This specifier would be visible in the adminContextMenu property of the Display Specifiers container, which is located at CN=user-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=domain,DC=forest,DC=local. This property is generally viewed only through the ADSIEdit tool.

Additional items added to the Active Directory Configuration container include the following:

- An RTCPropertySet object of type controlAccessRight under Extended-Rights that applies to the User and Contact classes
- An RTCUserSearchPropertySet object of type controlAccessRight under Extended-Rights that applies to the User, Contact, OU, and DomainDNS classes
- msRTCSIP-PrimaryUserAddress under the extraColumns attribute of each language organizational unit display specifier (CN=organizationalUnit-Display,CN=409,CN=DisplaySpecifiers); the values of the extraColumns attribute of the default display (CN=organizationalUnit-Display,CN=409,CN=DisplaySpecifiers) are copied
- The msRTCSIP-PrimaryUserAddress, msRTCSIP-PrimaryHomeServer, and msRTCSIP-UserEnabled filtering attributes under the attributeDisplayNames attribute of each language display specifier for User, Contact, and InetOrgPerson objects (for example, in English: CN=user-Display,CN=409,CN=DisplaySpecifiers)

To run the Prep Forest command you need Enterprise Admins permissions. Insert the LCS 2005 with SP1 CD into your CD-ROM drive. The deployment tool should launch. When it does, click the Standard Edition Server menu item or the Enterprise Pool menu item. This brings up the part of the tool that performs the preparations. The tool launches and checks the deployment state. Once it completes, there should be a check mark next to Prep Schema. Here you click Prep Forest to prepare the Active Directory forest for LCS 2005 with SP1.
Once it has completed, a notification window will appear, notifying you of the success or failure of the installation. This notification window has a button that enables you to look at the log, which is particularly useful if the process failed. Optionally, you can use the command-line tool:

<CD drive>:\Setup\i386>LcsCmd.exe /forest /action:ForestPrep

Once this has completed, you are ready to prepare your child domains with the Prep Domain and Domain Add to Forest Root functions.

Implementing Prep Domain

The primary purpose of the Prep Domain step is to create the domain global security groups that were reviewed in the Active Directory Groups section earlier in this chapter. In addition to creating these groups, Prep Domain also creates access control lists (ACLs) for these groups so that they can be used to administer users. The account used to perform the Prep Domain function needs Domain Admins membership in the domain in which Prep Domain is being performed. Prep Domain should be performed for every domain that will host LCS 2005 with SP1 servers, as well as for the forest root domain. When Prep Domain is run in the forest root domain, it also extends ACLs to LCS server and user properties that exist only in the forest root domain.

73 Preparing Your Environment for Live Communications Server 2005

To extend the Active Directory schema to support Live Communications Server with Service Pack 1, the account used to extend the schema must be a member of the Schema Admins group and a member of the built-in local Administrators group for the domain in which the Schema Master FSMO role is located. In many large enterprise environments, this is likely the forest root domain. In SMB and midsize enterprise environments, there is likely only a single Active Directory domain. In either scenario, the Schema Master FSMO role holder and a Global Catalog server must be reachable from the machine running the preparation. Once these permissions have been granted, you are ready to prepare the schema. As mentioned earlier, once the LCS 2005 with SP1 CD is launched, click the Standard Edition Server menu item or the Enterprise Pool menu item. This brings up the part of the tool that performs the preparations. Here you click Prep Schema. Once it has completed, a notification window will appear, notifying you of success or failure. This notification window also has a button that enables you to look at the log, which is particularly useful if the process failed. Optionally, you can use the command-line tool:

<CD drive>:\Setup\i386>LcsCmd.exe /forest /action:SchemaPrep

Once the schema update has completed, the changes need to replicate to the other Active Directory domain controllers in the forest. The time needed for the changes to replicate depends largely on the Active Directory site hierarchy and the link speed between sites. While the deployment tool shows you the status of the Prep Schema function, the status may also be checked with the command-line utility LcsCmd.exe:

<CD drive>:\Setup\i386>LcsCmd.exe /forest /action:CheckSchemaPrepState /l:C:\LCSSchemaCheck.html

Once this tool has finished running, open the resulting log file, C:\LCSSchemaCheck.html, and review the Schema Prep state. It should report LCS 2005 with SP1 if the schema update has completed successfully.
At this point you have successfully extended the schema for LCS 2005 with SP1 and should be ready to perform the Prep Forest step. If the Schema Master FSMO role holder is not available, you may receive one of two generic messages during the Prep Schema step: Failure [0x8007203A] The server is not operational in the LCS 2005 deployment log, or the pop-up Action failed with error code 0x8007203A. The server is not operational. Likewise, if the Remote Registry service on the target domain controller is stopped or disabled, you will receive the error message Failure [0x80070035] The network path was not found in the deployment log, and the pop-up Action failed with error code 0x80070035. The network path was not found. These are two of the most common errors noted in the support newsgroups regarding the Active Directory schema preparations. It is much easier to add the account performing the Prep Schema, Prep Forest, and Prep Domain tasks for the forest root domain to the Schema Admins, Enterprise Admins, and Domain Admins groups, as well as to the built-in local Administrators group for the forest root domain in which these preps are performed. Because that one account then holds every high-privilege role in the forest, treat it as a temporary deployment account: use it only for the preparation steps and remove it from those groups as soon as the preparations are verified.

While several methods may be used to prepare Active Directory for the installation of the first LCS 2005 SP1 server, the GUI-based deployment tool is the easiest. However, it is also possible to use the command-line tool, LcsCmd.exe, or functions within the LCS 2005 administration tools to perform the Prep Forest and Prep Domain commands. To get to the Prep menu items, insert the LCS 2005 with SP1 CD. If Autolaunch is disabled, browse to <CD drive>:\Setup\i386 and launch Setup.exe. If your LCS 2005 with SP1 CD is the Standard Edition CD, click the Standard Edition Server menu item. If it is the Enterprise Edition CD, click the Enterprise Pool menu item. This brings up a screen like the one shown in Figure 4-1.

Figure 4-1

The process starts with a cursory review of the preparation state, followed by the Prep Schema command.

Implementing Prep Schema

The Active Directory schema is updated via a routine that imports an LDAP Data Interchange Format (LDIF) file into the directory. Some organizations have established change control procedures that require a review of the updates being made to the Active Directory environment before they are applied. The LDIF file, schema_lcs2005.ldf, is located in the Setup\i386 folder and may be viewed with any text viewer, such as notepad.exe. The LCS 2005 SP1 schema is the same for Live Communications Server 2005 with SP1 Standard Edition and Enterprise Edition.
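Because the LDIF file is plain text, the review that change control asks for can be scripted rather than done by eye. The following is an added example, not code from the book, from the LCS deployment tool, or from Microsoft: it parses an LDIF in the format that schema_lcs2005.ldf uses and summarizes what a reviewer cares about, namely which attributes and classes are new, which attributes are flagged for global catalog replication (these are the ones that add replication traffic to every site and become readable through any GC), which are indexed, and which existing classes, such as User, are being extended. The LDIF fragment embedded in it is constructed, with placeholder OIDs rather than the real msRTCSIP ones; to review the real file, call parse_ldif on its contents.

```python
"""Review an Active Directory schema LDIF before importing it.

Added example for this chapter, not code from the book, the deployment tool
or Microsoft. SAMPLE_LDIF is a constructed fragment in the shape of
schema_lcs2005.ldf; DC=X is the placeholder ldifde -c rewrites to the real
schema naming context, and the OIDs are placeholders, not the real ones.
"""
import re
from collections import defaultdict

SAMPLE_LDIF = """\
dn: CN=ms-RTC-SIP-PrimaryUserAddress,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
lDAPDisplayName: msRTCSIP-PrimaryUserAddress
attributeID: 1.2.3.4.5.1
isMemberOfPartialAttributeSet: TRUE
searchFlags: 1

dn: CN=ms-RTC-SIP-UserEnabled,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
lDAPDisplayName: msRTCSIP-UserEnabled
attributeID: 1.2.3.4.5.2
isMemberOfPartialAttributeSet: TRUE

dn: CN=ms-RTC-SIP-Pool,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
lDAPDisplayName: msRTCSIP-Pool
governsID: 1.2.3.4.6.1
mayContain: msRTCSIP-PoolDisplayName

dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: mayContain
mayContain: msRTCSIP-PrimaryUserAddress
mayContain: msRTCSIP-UserEnabled
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
"""


def parse_ldif(text):
    """Return one (dn, changetype, attrs) tuple per record; attrs maps an
    attribute name to its list of values. Folded continuation lines are
    joined, '-' separators and comments skipped, base64 values left as-is."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        dn, changetype, attrs = None, "add", defaultdict(list)
        for line in chunk.replace("\n ", "").split("\n"):
            if line == "-" or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if name == "dn":
                dn = value.strip()
            elif name == "changetype":
                changetype = value.strip()
            else:
                attrs[name].append(value.strip())
        records.append((dn, changetype, dict(attrs)))
    return records


def summarize_schema_changes(records):
    """What a change-control reviewer wants from the file: new attributes and
    classes, attributes replicated to every global catalog (more replication
    traffic, and readable via any GC), indexed attributes, existing classes
    that gain attributes, and whether the file forces an immediate reload."""
    summary = {"attributes_added": [], "classes_added": [], "gc_replicated": [],
               "indexed": [], "classes_modified": {}, "schema_update_now": False}
    for dn, changetype, attrs in records:
        name = attrs.get("lDAPDisplayName", [None])[0]
        kinds = {v.lower() for v in attrs.get("objectClass", [])}
        if changetype == "add" and "attributeschema" in kinds:
            summary["attributes_added"].append(name)
            if attrs.get("isMemberOfPartialAttributeSet", ["FALSE"])[0].upper() == "TRUE":
                summary["gc_replicated"].append(name)
            if int(attrs.get("searchFlags", ["0"])[0]) & 1:   # bit 0 = indexed
                summary["indexed"].append(name)
        elif changetype == "add" and "classschema" in kinds:
            summary["classes_added"].append(name)
        elif changetype == "modify" and dn == "" and "schemaUpdateNow" in attrs:
            summary["schema_update_now"] = True      # RootDSE reload request
        elif changetype == "modify" and dn:
            class_cn = dn.split(",")[0].split("=", 1)[1]   # 'CN=User' -> 'User'
            summary["classes_modified"][class_cn] = (
                attrs.get("mayContain", []) + attrs.get("mustContain", []))
    return summary


if __name__ == "__main__":
    for key, value in summarize_schema_changes(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{key}: {value}")
```

The gc_replicated list is the one to take to the replication planning discussed in this chapter: an attribute in the partial attribute set is copied to every global catalog in the forest, not just to the domain controllers of the domain that holds the object.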

These groups are used for administration of the local server, be it a home server, Access Proxy, back-end server, Archiving server, or Director. The relevance to Active Directory is that the domain groups created during the domain prep step are nested into these local groups on the server(s). These groups are RTC ABS Service Local Group, RTC Local Administrators, RTC Local User Administrators, RTC Server Applications, and RTC Server Local Group. The domain global group must be nested into the system's local group. The following table shows each local group and the domain global group that is a member of it.

Server local group                Domain group nested as a member
RTC ABS Service Local Group       DOMAIN\RTCABSDomainServices
RTC Archiving Agents              DOMAIN\RTCHSDomainServices, DOMAIN\RTCProxyDomainServices
RTC Archiving Services            DOMAIN\RTCArchivingDomainServices
RTC Local Administrators          DOMAIN\RTCDomainServerAdmins
RTC Local User Administrators     DOMAIN\RTCDomainUserAdmins
RTC Server Applications           No default domain group is nested.
RTC Server Local Group            DOMAIN\RTCHSDomainServices

User Authentication

Live Communications Server with SP1 uses two authentication protocols to authenticate domain users enabled for Live Communications: Kerberos and NT LAN Manager (NTLM). With Kerberos, the client connects to the Key Distribution Center (KDC), in this case a domain controller in its domain, to obtain a Kerberos ticket, which allows it to authenticate to the LCS server. With NTLM, the authentication traffic is wrapped in Session Initiation Protocol (SIP) messages, so the user can be authenticated even without access to a domain controller. Generally, NTLM is used when external or remote users do not have access to a domain controller.
These are generally users who access the LCS environment through an Access Proxy server connected to the Internet, from a customer's office via a direct link, or from a development lab that does not interface with the production Active Directory. This NTLM traffic is encrypted and sent, via the SIP protocol, to the LCS home server, which authenticates the user with the domain controller. Do not install an Access Proxy on a domain controller. Placing a domain controller on the Internet is dangerous, compromises security, and is definitely not advised. Doing so would negate any benefit that the Kerberos authentication protocol would provide.
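The choice between the two protocols described above, as an added example that is not code from the book, from Communicator, or from Microsoft: it parses a SIP 401 challenge carrying both a Kerberos and an NTLM WWW-Authenticate header and selects Kerberos only when a domain controller (the KDC) is reachable, falling back to NTLM for the remote user behind the Access Proxy. The 401 response is constructed; the header layout, the realm text, and the names lcs01.domain.forest.local and alice@domain.forest.local are assumptions, not captured traffic.

```python
"""Parse a SIP 401 challenge and choose Kerberos or NTLM.

Added example for this chapter; not code from the book, from Communicator
or from Microsoft. SAMPLE_401 is a constructed response written in the
shape of an LCS challenge (scheme, realm, targetname, version); the header
layout, realm text and host names are assumptions.
"""
import re

SAMPLE_401 = (
    "SIP/2.0 401 Unauthorized\r\n"
    "Via: SIP/2.0/TLS 10.0.0.25:2473\r\n"
    "From: <sip:alice@domain.forest.local>;tag=1a2b3c\r\n"
    "To: <sip:alice@domain.forest.local>\r\n"
    "Call-ID: 7f1c0b9e@client\r\n"
    "CSeq: 1 REGISTER\r\n"
    'WWW-Authenticate: Kerberos realm="SIP Communications Service", '
    'targetname="sip/lcs01.domain.forest.local", version=3\r\n'
    'WWW-Authenticate: NTLM realm="SIP Communications Service", '
    'targetname="lcs01.domain.forest.local", version=3\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

# key=value pairs, quoted or bare, separated by commas.
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_challenges(response):
    """Return one dict per WWW-Authenticate header: {'scheme': ..., params}.

    Raises ValueError if the message is not a SIP/2.0 401 response, so a
    caller never starts an authentication exchange against a message that
    is not a challenge."""
    head = response.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or status[0] != "SIP/2.0" or status[1] != "401":
        raise ValueError("not a SIP 401 challenge: %r" % lines[0])
    challenges = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        scheme, _, params = value.strip().partition(" ")
        challenge = {"scheme": scheme}
        for key, quoted, bare in _PARAM_RE.findall(params):
            challenge[key] = quoted if quoted else bare
        challenges.append(challenge)
    return challenges


def choose_mechanism(challenges, kdc_reachable):
    """Kerberos needs a ticket from the KDC (a domain controller), so it is
    only usable when one is reachable; a remote user coming in through the
    Access Proxy falls back to NTLM, whose exchange rides inside SIP.
    The Kerberos targetname is expected to be the server's sip/ SPN (an
    assumption about the SPN form); anything else is not accepted, so the
    client never requests a ticket for a service it did not connect to."""
    offered = {c["scheme"]: c for c in challenges}
    kerb = offered.get("Kerberos")
    if kdc_reachable and kerb and kerb.get("targetname", "").startswith("sip/"):
        return "Kerberos"
    if "NTLM" in offered:
        return "NTLM"
    return None


if __name__ == "__main__":
    chals = parse_challenges(SAMPLE_401)
    for c in chals:
        print(c)
    print("internal client:", choose_mechanism(chals, kdc_reachable=True))
    print("remote client:  ", choose_mechanism(chals, kdc_reachable=False))
```

The selection logic makes the operational point concrete: the server offers both mechanisms in one challenge, and it is the client's reachability of a domain controller, not server configuration, that decides whether the NTLM path is exercised.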

As long as we're on the topic of security and authentication, there is one caveat that folks working in environments with two-factor authentication, smart-card authentication, and random-token authentication will want to note: the LCS service account(s), generally LCService, and the service account for the SQL 2000 back-end server should not be enabled for smart cards. A smart-card authentication system changes the account password frequently and does not update the password stored in the service configuration on the servers. As a result, the LCService account and the SQL service account quickly fail to log on and become locked out, generally causing the associated services to fail to start or to stop functioning.

Preparing Active Directory for LCS 2005 SP1

Preparing Active Directory is a relatively simple process made possible through the new LCS 2005 deployment tools. The Active Directory domain controllers and global catalog servers require either Windows Server 2003 or Windows 2000 Server with Service Pack 4. Note that large enterprise environments, environments with multiple Active Directory sites, large Active Directory infrastructures, and environments with domain controllers located across slow links will have to plan for replication traffic, as the changes need to propagate across all Active Directory sites. If the schema has been extended for LCS 2005 previously, LCS 2005 with SP1 adds enhancements that require a further schema extension in order to enable and support those features, so a schema extension will have to be performed in any case.

Understanding Administration Tools

Prior to performing any of the preparations to the forest or the domain(s), it is recommended that the LCS 2005 administration tools be installed on a domain controller, administrative workstation, or administrative server, whichever is used by your support organization.
When installed, the LCS 2005 administration tools give designated administrators access to the Live Communications tab within the Active Directory Users and Computers application, once domain prep has been completed for that domain. The changes to Active Directory that create the tab and define the possible settings are added as part of the schema prep process. While you do not have to install the LCS 2005 administration tools in advance, you should do so on domain controllers and administrative workstations. This makes administration easier and reduces confusion once the Live Communications tab is available, advice based upon experience in the Microsoft support newsgroup microsoft.public.livecomm.general. Note that you can't install the server application on a target LCS server that already has the administration tools installed, so do not pre-install the tools there. In addition, the LCS 2005 server application should not be installed on a domain controller, as that is not a recommended configuration. To install the administration tools, insert the LCS 2005 with SP1 CD. If Autolaunch is disabled, browse to <CD drive>:\Setup\i386 and launch Setup.exe. Click the Administration Tools menu option to launch the LCS 2005 Administration Tools installer. As you go through the installer, you will notice that the administration tools default to C:\Program Files\Common Files\Microsoft LC 2005; it is not possible to change the installation path of these files. In addition to installing in that location, the tools also install an administrative template for Active Directory Group Policy. That template, rtcclient.adm, as well as a partner template that ships with Microsoft Office Communicator, communicator.adm, are covered later in this chapter.

Active Directory Groups

Live Communications Server 2005 with SP1 adds six domain global groups and two domain local groups within Active Directory. Two of the global groups, RTCDomainUserAdmins and RTCDomainServerAdmins, are used for day-to-day operations. The remaining four domain global groups, RTCABSDomainServices, RTCArchivingDomainServices, RTCHSDomainServices, and RTCProxyDomainServices, are used by LCS services. All six are global security groups. The two domain local security groups are RTC Local Administrators and RTC Local User Administrators. In addition to these six domain global groups and two domain local security groups, seven security groups local to the server are used to nest the domain security groups. Depending on the services that you install, you may not see all of the groups on your server or in Active Directory. The six domain global security groups are added during the domain prep process and are created in the Users container within Active Directory. Because they do not have a static well-known SID, as the Domain Admins and Schema Admins groups do, they are located by name; they should be left in the Users container and should not be renamed. This section describes the function of each of these groups:

- RTCABSDomainServices: This group provides access for the Address Book Service account(s). The Address Book Service is a new feature that provides an offline address book that Microsoft Office Communicator clients can use to search for other users enabled for LCS. The RTCABSDomainServices group is assigned permissions to the LCS user database and to Active Directory, allowing the offline address book to be built. Only the service account(s) assigned to the Address Book Service need to be added to this group.

Schema attributes (continued):

- msRTCSIP-EnableFederation
- msRTCSIP-SearchMaxResults
- msRTCSIP-SearchMaxRequests
- msRTCSIP-MaxNumOutstandingSearchPerServer
- msRTCSIP-DomainName
- msRTCSIP-DomainData
- msRTCSIP-TrustedServerFQDN
- msRTCSIP-TrustedServerData
- msRTCSIP-BackEndServer
- msRTCSIP-PoolType
- msRTCSIP-PoolDisplayName
- msRTCSIP-FrontEndServers
- msRTCSIP-PoolData
- msRTCSIP-EdgeProxyFQDN
- msRTCSIP-EdgeProxyData
- msRTCSIP-SchemaVersion
- msRTCSIP-ArchivingEnabled
- msRTCSIP-ArchiveDefault
- msRTCSIP-ArchiveFederationDefault
- msRTCSIP-ArchivingServerData
- msRTCSIP-TrustedServerVersion
- msRTCSIP-ArchiveDefaultFlags
- msRTCSIP-ArchiveFederationDefaultFlags
- msRTCSIP-OptionFlags
- msRTCSIP-Line
- msRTCSIP-LineServer
- msRTCSIP-PoolVersion

- RTCArchivingDomainServices: This group provides access for the LCS Archiving Service account(s). It is assigned database access permissions to the LCSIMArchive and LcsLog SQL databases when the Archiving Service is installed. The default account used for archiving in LCS is LCArchivingService, which is a member of this group. It is possible to add the LCService account to the RTCArchivingDomainServices group and use it for this role as well as for the RTCDomainServerAdmins group; keep in mind that one account holding all of these memberships means a compromise of that account yields archive, configuration, and administrative access at once, so separate accounts are the safer choice.

- RTCDomainServerAdmins: This group is one of two groups that administrators use for day-to-day management of the LCS environment. It provides access to implement and modify forestwide settings such as SIP domains, Access Proxies, federation, and archiving. Its members can install and administer Enterprise pools and Standard Edition servers. RTCDomainServerAdmins also has permissions to implement and maintain additional services and features, including Public IM Connectivity. In addition, the RTCDomainServerAdmins group has full permissions for managing users. This group is one of only two groups that have default access to the rtc and rtcconfig databases. If the server admins will be SIP-enabling user accounts, they will also need the RTCDomainUserAdmins group.

- RTCDomainUserAdmins: Much like the RTCDomainServerAdmins group, the RTCDomainUserAdmins group is commonly used for day-to-day administration of the LCS environment. In this case, RTCDomainUserAdmins membership will likely be assigned to the account management team or the help desk, as well as to the members of RTCDomainServerAdmins who will be tasked with SIP-enabling and managing user accounts.
A member of the RTCDomainUserAdmins group has the rights to enable a user for access to a Live Communications Server or Enterprise pool, to enable a user to federate with an outside partner, and to enable a user to access the environment remotely. The RTCDomainUserAdmins group also has the right to enable a user account for archiving, if the Archiving Service is implemented. Likewise, whatever the RTCDomainUserAdmins group can enable it can also disable or remove.

- RTCHSDomainServices: This group enables service accounts, such as the LCService account, to access information in Active Directory and in the LCS database. Specifically, the RTCHSDomainServices group is granted database access permissions to the rtc and rtcconfig databases. LCService is the default account name used for Live Communications services, and it is created when you activate an Enterprise Edition pool or a Standard Edition server. This account is made a member of the RTCHSDomainServices group. In addition, this group is granted rights to read from and write to the Microsoft Message Queue (MSMQ), which is used to archive IM conversations to the Archiving server. RTCProxyDomainServices is granted similar permissions.

- RTCProxyDomainServices: This group gives the accounts used by an LCS 2005 with SP1 Proxy server or Access Proxy server the access to submit messages to the MSMQ so that they can be written to an LCS 2005 with SP1 Archiving server within the forest.

Local Server Groups

While not part of the Active Directory groups that are created during domain prep, five groups are created locally on the LCS 2005 servers during product installation. Two additional local security groups are created when the Archiving Service is installed.

- msRTCSIP-Registrar: This class defines the attributes and settings used by the registrar service, which is used for presence, including client subscription to presence (adding a contact).
- msRTCSIP-Search: This class defines the attributes and settings used for search operations against Active Directory, including the number of results that may be returned by a directory search.
- msRTCSIP-Server: This class defines and holds the settings for each LCS server in the forest.
- msRTCSIP-Service: This class defines information related to the LCS service in the forest. It is responsible for the global settings and the msRTCSIP-Domain containers, which are described in the Implementing Prep Forest section of this chapter.
- msRTCSIP-TrustedServer: This class defines and holds attributes related to trusted servers, as well as the msRTCSIP-TrustedServerData attribute, which has been defined for later use.

There are 54 schema attributes associated with these 15 classes. These attributes enable enterprise settings to be stored in, read from, and written to Active Directory. This allows the information to be shared across an enterprise environment in a common system, rather than requiring a separate server to be configured just to store the Live Communications Server settings. The following new schema attributes are added:

- msRTCSIP-PrimaryUserAddress
- msRTCSIP-UserEnabled
- msRTCSIP-PrimaryHomeServer
- msRTCSIP-TargetHomeServer
- msRTCSIP-OriginatorSid
- msRTCSIP-UserExtension
- msRTCSIP-FederationEnabled
- msRTCSIP-InternetAccessEnabled
- msRTCSIP-EnterpriseServices
- msRTCSIP-PoolAddress
- msRTCSIP-ServerData
- msRTCSIP-MaxNumSubscriptionsPerUser
- msRTCSIP-MinRegistrationTimeout
- msRTCSIP-DefRegistrationTimeout
- msRTCSIP-MaxRegistrationTimeout
- msRTCSIP-MinPresenceSubscriptionTimeout
- msRTCSIP-DefPresenceSubscriptionTimeout
- msRTCSIP-MaxPresenceSubscriptionTimeout
- msRTCSIP-MinRoamingDataSubscriptionTimeout
- msRTCSIP-DefRoamingDataSubscriptionTimeout
- msRTCSIP-MaxRoamingDataSubscriptionTimeout
- msRTCSIP-NumDevicesPerUser
- msRTCSIP-EnableBestEffortNotify
- msRTCSIP-UserDomainList
- msRTCSIP-GlobalSettingsData
- msRTCSIP-DefaultRouteToEdgeProxy
- msRTCSIP-DefaultRouteToEdgeProxyPort

Active Directory Schema

As it applies to Live Communications Server 2005 with Service Pack 1, the Active Directory schema is extended to hold the 15 classes and 54 attributes associated with LCS. This section describes the changes made to the Active Directory schema. Later in the chapter, the methods by which those changes are applied and verified are reviewed. Generally, a service pack does not require a schema extension. However, in an effort to improve the product and add new features to LCS, a schema extension is included with Service Pack 1. The original LCS 2005 schema, as well as the schema additions for Service Pack 1, have been rolled up into a single schema update that is part of the LCS 2005 with SP1 installation CD. The schema preparation does not significantly increase the size of the Active Directory database, the ntds.dit file. However, once all users in a medium-size organization are enabled for Live Communications, expect to see an increase of approximately 12 to 15 percent.

The Active Directory schema is extended with new classes and attributes associated with LCS 2005 with SP1. A total of 15 classes are created in the Active Directory schema:

- msRTCSIP-Archive: This class defines and holds settings related to the LCS Archiving Service servers in the forest associated with your Live Communications Server with Service Pack 1 deployment.
- msRTCSIP-ArchivingServer: This class defines and holds settings specific to each LCS Archiving server.
- msRTCSIP-Domain: This class defines and holds settings for the domains that are configured as part of the forestwide LCS deployment.
- msRTCSIP-EdgeProxy: This class represents Access Proxy servers, which are part of the LCS deployment but are generally not domain members in Active Directory, because the LCS Access Proxy resides in the demilitarized zone (DMZ) or perimeter network and many organizations block Active Directory connectivity to the DMZ.
- msRTCSIP-EnterpriseServerSettings: This class defines settings for LCS servers within the LCS deployment, including whether a server hosts Enterprise Services or homes users.
- msRTCSIP-Federation: This class defines and holds settings related to federation. This includes relationships between organizations federating connections as well as federation to the Public IM Connectivity (PIC) providers.
- msRTCSIP-GlobalContainer: This class defines and holds settings related to the LCS deployment in a forest. Several of the classes listed in this section are subordinate to this class.
- msRTCSIP-Pool: This class represents an LCS 2005 Standard Edition server, which is also considered a single-server pool.
- msRTCSIP-Pools: This class defines and holds settings related to LCS 2005 Enterprise Edition pool deployments.
- msRTCSIP-PoolService: This class defines attributes and settings related to the pool to which a user is homed, specifying the service connection point of the pool.

and Davis present to the customer and Bailey responds to technical questions using the Live Meeting Question Manager feature. When the meeting is over, each customer agrees to trial the product. Davis ends the Communicator session, closing out the meeting. Within two hours, Davis has created a presentation with the collaborative assistance of his development team and presented it to his top customers without having to leave his home.

Summary

The integrated features of LCS, Communicator, and Live Meeting within the Microsoft Office system described in this chapter have given you an overview of what is available in terms of features and functionality. In addition, you have seen how these combined products increase productivity, reduce travel, and save time. Please note that for the integrated features described in this chapter to work correctly, you must install Microsoft Office 2003 with Service Pack 2. You also looked at a typical sample scenario, which highlighted the Better Together principle of Unified Communications within the Microsoft Office system. In the next chapter, you will learn how to plan your LCS deployment to enable this functionality within your own environment.