Enabling LCS When AD Permissions Inheritance Is Blocked

Companies often lock down their environment to control who can do what at the forest and/or domain level. Lockdown means that, for security reasons, an administrator does not rely on the settings and options that Microsoft specified during the forest and domain preparation steps. The administrator deletes a set of entries and stops the OU structure from replicating its settings from the top down. Active Directory permission inheritance can also be blocked when you are using tools that set the Active Directory permissions, such as NetIQ's Directory and Resource Administrator or bv-Control for Microsoft Active Directory. Both tools hold their information in a central database and apply it to Active Directory. The tools do that from the top down, so there is no need for those settings to be inherited automatically within Active Directory. The following sections cover deployment issues you may face and how to overcome them.

Authenticated Users ACE Removed

The Authenticated Users ACE is removed from a domain's default containers, such as System, Users, Computers, or Domain Controllers. Microsoft Office Live Communications Server 2005 Prep Domain adds direct ACEs on the relevant default containers in that domain to remove the reliance of Live Communications Server 2005 on these Authenticated Users ACEs. However, note that removing the Authenticated Users Read ACEs on the forest root domain's main containers blocks the deployment of Live Communications Server 2005 in a child domain. This scenario cannot be addressed by LCS in its default configuration. The workaround is to add Read ACEs on these root domain containers for the Domain Admins of the child domains that will be activating Live Communications Server.

Custom Organizational Unit

Custom organizational unit (OU) containers are created to hold user and computer objects with permission inheritance disabled.
Live Communications Server provides an optional CreateLcsOuPermissions procedure, available from the LcsCmd.exe command-line deployment tool. This procedure enables an administrator to add the remaining Live Communications Server ACEs to objects in specified OU containers on which inheritance is blocked. To accomplish this successfully, you must specify the type of objects in the OU container (for example, computer, user, or InetOrgPerson) so that the procedure adds only the ACEs relevant to that object type. There is also an option for selecting an OU type of contacts, which supports the central forest topology scenario. You have to run this procedure, CreateLcsOuPermissions, on every OU with users enabled for Live Communications Server 2005 and on every OU with computers hosting Live Communications Server 2005. This is required for the successful deployment, operation, and administration of Live Communications Server 2005. Figure 9-1 shows the Security tab of the Computers Properties dialog, which indicates the default permission set on that OU. To access the Security tab in Active Directory Users and Computers, select Advanced Settings from the View menu.

198 Chapter 9
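The following PowerShell script is an added example, not part of the book and not part of the LcsCmd.exe tool. It walks the OUs of a domain and reports those with inheritance blocked (the containers on which CreateLcsOuPermissions has to be run), counts the object types each one holds so that the right OU type can be chosen, and notes whether Authenticated Users still holds a Read ACE, which covers the default-container case described earlier. It assumes a domain-joined machine with read access to the directory; the $SearchBase parameter name is an assumption.

```powershell
# Added example; not from the book or from Microsoft's LcsCmd.exe.
# Reports OUs whose DACL has inheritance blocked, the object classes each
# holds, and whether Authenticated Users retains an Allow Read ACE on it.
# Assumes a domain-joined host with read access to the directory.
param(
    # Assumed parameter: defaults to the current domain's naming context.
    [string]$SearchBase = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
)

# Filters for the object types CreateLcsOuPermissions distinguishes.
# objectClass=user alone would also match computers, so narrow it.
$typeFilters = [ordered]@{
    user          = "(&(objectCategory=person)(objectClass=user)(!(objectClass=inetOrgPerson)))"
    inetOrgPerson = "(objectClass=inetOrgPerson)"
    computer      = "(objectCategory=computer)"
    contact       = "(objectClass=contact)"
}

function Get-ChildCount($Entry, [string]$Filter) {
    $s = New-Object System.DirectoryServices.DirectorySearcher($Entry, $Filter)
    $s.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    $s.PageSize = 500
    return $s.FindAll().Count
}

function Test-AuthenticatedUsersRead($Entry) {
    $rules = $Entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne 'NT AUTHORITY\Authenticated Users') { continue }
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        # GenericRead includes ReadProperty, so this test covers both forms of a Read grant.
        if ($rule.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) {
            return $true
        }
    }
    return $false
}

$root = [ADSI]("LDAP://" + $SearchBase)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root, "(objectCategory=organizationalUnit)")
$searcher.PageSize = 500

foreach ($result in $searcher.FindAll()) {
    $ou = $result.GetDirectoryEntry()
    # AreAccessRulesProtected is $true when "Allow inheritable permissions from the
    # parent to propagate to this object" has been cleared on the OU.
    if (-not $ou.psbase.ObjectSecurity.AreAccessRulesProtected) { continue }

    $counts = @{}
    foreach ($type in $typeFilters.Keys) { $counts[$type] = Get-ChildCount $ou $typeFilters[$type] }

    [pscustomobject]@{
        OU                     = $result.Properties['distinguishedname'][0]
        InheritanceBlocked     = $true
        AuthenticatedUsersRead = Test-AuthenticatedUsersRead $ou
        Users                  = $counts['user']
        InetOrgPersons         = $counts['inetOrgPerson']
        Computers              = $counts['computer']
        Contacts               = $counts['contact']
    }
}
```

Each reported OU with a non-zero count for a type is a candidate for one CreateLcsOuPermissions run with that object type; an OU showing AuthenticatedUsersRead = False is one where the default Read grant has also been removed.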
namespace that LCS is deployed within, you can create a listing of this alternate namespace within the LCS Forest Global Settings. If these are users from another domain altogether and they are trying to connect into a centrally deployed LCS environment, you can either use an LCS Director to route these users and/or deploy a new certificate on each LCS server and modify this new certificate's subject alternative name (SAN) to include the additional domains you are supporting. More information on the SAN field of a certificate can be found in Chapter 4.

- Why are users unable to communicate with their contacts that are hosted on another LCS server? This problem is usually related to TLS configuration. When you deploy more than one LCS server within an environment, you must enable an MTLS connection entry so that these servers can communicate with one another. MTLS, as described in Chapter 4, provides mutual authentication between servers. Ensure that you have created an MTLS connection, as described in Chapter 4, on each LCS server in your environment.

- Why can't I see the presence of my contacts when everyone is signed in? Usually this is attributed to network connectivity issues. Make sure that your Active Directory domain controller is functioning properly, that you can connect to your LCS servers without delayed responses, and that you have configured DNS correctly, as described in Chapter 4. If each of these settings has been correctly configured and you are using LCS Enterprise Edition with a hardware load balancer, ensure that the load balancer has been configured properly. Sometimes the load balancer is not set up correctly between LCS EE pool servers, which can cause SIP messages to disconnect, such as the BENOTIFY method, which is used for presence awareness.

- What should I do when the LCS service does not start after activation? First, verify that the LCS service is running.
Then, start looking for errors in the activation logs and the Windows Server Application event log. Try connecting to the database using the service account credentials and make sure no one has altered any of the permissions.

- I don't seem to have enough privileges in Active Directory. Make sure that your account is a member of RTCDomainServerAdmins; and if you just ran Domain Prep, log off and log on again. This is required in order for the permissions granted by Domain Prep to take effect.

- I am trying to deploy in a multi-forest environment and the trusts do not seem to work using Kerberos. In order for a Kerberos trust between forests to work correctly, both forests must be in Windows Server 2003 native mode. If one or both forests are running in Windows 2000 Server mixed mode, you must use NTLM as the authentication protocol.

- I can't sign in with Microsoft Office Communicator 2005 with automatic configuration. This is usually related to a missing DNS host A record for the LCS server or pool; a missing DNS SRV record, as mentioned in Chapter 4; or a misconfigured TLS certificate. Check DNS to ensure that you have a valid DNS host A record and SRV records matching what we outlined in Chapter 4, as well as a properly configured certificate infrastructure, also covered in Chapter 4.
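The PowerShell script below is an added example, not from the book. It checks the three automatic-configuration prerequisites named in the last question above (the SRV record for the SIP domain, an A record for the SRV target, and the TLS certificate the server presents), and it also reports whether the certificate's subject or SAN covers the SIP domain, which is the alternate-domain certificate point raised earlier. It assumes Resolve-DnsName is available (Windows 8 / Server 2012 or later), that _sipinternaltls._tcp.<domain> is the TLS record the client queries, and the $SipDomain parameter name.

```powershell
# Added example; not from the book. Checks the automatic-configuration
# prerequisites the FAQ lists: the SRV record for the SIP domain, an A record
# for the SRV target, and the names in the TLS certificate the server presents.
# Assumptions: Resolve-DnsName exists (Windows 8 / Server 2012 or later), the
# record _sipinternaltls._tcp.<domain> is the TLS record the client queries,
# and $SipDomain is an assumed parameter name.
param([Parameter(Mandatory = $true)][string]$SipDomain)

function Get-CertificateDnsNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Subject CN plus every DNS entry in the Subject Alternative Name extension (OID 2.5.29.17).
    $names = @($Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($true) yields one "DNS Name=host" line per entry.
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match '^DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    return $names
}

function Get-ServerCertificate([string]$HostName, [int]$Port) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept any certificate here: the goal is to inspect it, not to trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $client.Close() }
}

$srvName = "_sipinternaltls._tcp.$SipDomain"
$srv = @(Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'SRV' })
if ($srv.Count -eq 0) { Write-Warning "No SRV record found for $srvName"; return }

foreach ($rec in $srv) {
    $target = $rec.NameTarget
    $a = @(Resolve-DnsName -Name $target -Type A -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'A' })
    $report = [ordered]@{
        SrvTarget        = $target
        Port             = $rec.Port
        HasARecord       = ($a.Count -gt 0)
        CertNames        = $null
        CertMatchesHost  = $false
        CertCoversDomain = $false
    }
    if ($a.Count -gt 0) {
        try {
            $cert  = Get-ServerCertificate -HostName $target -Port $rec.Port
            $names = Get-CertificateDnsNames $cert
            $report.CertNames        = $names -join ', '
            $report.CertMatchesHost  = ($names -contains $target)
            # An additional SIP domain must appear in the SAN for its users to sign in.
            $report.CertCoversDomain = ($names -contains $SipDomain)
        }
        catch { Write-Warning ("TLS handshake with {0}:{1} failed: {2}" -f $target, $rec.Port, $_.Exception.Message) }
    }
    [pscustomobject]$report
}
```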
Microsoft has provided a Live Communications Server 2005 Enterprise and Standard Edition Quick Start Guide that provides comprehensive information to enable a timely install. In our experience, an LCS environment can be set up in several hours, assuming that all software, hardware, network, and security components are enabled and that an account with autonomous control is provided. Such an installation would encompass only 20,000 users or less.

Mobile Communications

Communicator Mobile, known by its nickname CoMo, gives mobile operatives and vehicle transports the power of unified communications on the go. As Microsoft has entered into automotive technology solutions, LCS client applications can be easily implemented within a mobile transport. This solution would coincide with the development of a mobile client, but would also include an integrated display panel to provide a user interface and input devices. Enabling LCS within a mobile transport provides secure Instant Messaging, audio, telephony, and video communications that are both monitored and archived. This provides a definitive solution for mobile and covert operations. Scenarios that include military raids, searches and rescues, target identifications, and other covert operations are greatly enhanced using Live Communications Server 2005. Enabling secured Instant Messaging, and audio and video communications, provides a better communications capability to both the base and field operators.

Summary

This chapter described several enterprise deployment lessons that have been learned from real-world scenarios. It also covered new ideas and concepts for implementing Live Communications Server 2005 SP1 in different environments, and various solutions were offered for challenging deployments. It also examined migrating from existing enterprise Instant Messaging platforms. In the next chapter, you will look at troubleshooting tasks within Live Communications Server 2005 SP1.
193 Enterprise Implementation Lessons Learned
Troubleshooting

This chapter provides useful troubleshooting information related to Microsoft Office Live Communications Server 2005 SP1 and Communicator 2005. It includes a series of commonly asked questions and material that I and my co-authors believe is necessary to understand in order to deploy LCS and Communicator in a real-world environment rather than a lab. Additional resource material is provided toward the end of this chapter, including a list of website links for obtaining support for LCS and Communicator online.

General Troubleshooting (FAQs)

Following are a few commonly asked questions specifically related to the configuration of Live Communications Server and Microsoft Office Communicator:

- The Create Pool process fails when I try to complete the command. Why? This is usually due to SQL Server connectivity. You should run Create Pool on the SQL Server itself or on an LCS server that has the SQL Server DMO files installed on it. Also make sure that you have appropriate permissions to create these databases on the SQL Server itself.

- Why can't I complete Prep Schema? This is usually due to Active Directory permissions. Prep Schema requires a user to have write permissions on the Active Directory schema to complete the task. Ensure that you have either Enterprise Administrator rights or write permissions to the schema. These are not commonly given out lightly in enterprise environments.

- How can users with alternate login IDs/SIP URIs connect to my LCS environment? You can allow users who have alternate SIP URIs to connect to an LCS environment in a couple of different ways. If they are users within the same Active Directory domain and they have an e-mail alias that they want to use as their SIP URI that differs from the SIP
Locate and Communicate: Mapping Solutions

In my professional opinion, a contact locator combined with the ability to provide IM and Voice over Internet Protocol (VoIP) is one of the most vital and utilized solutions for U.S. military and private sector agency use. Having the ability to track an asset or ops team located in a remote part of the world or only a few blocks away, using a myriad of connections including GSM, GPRS, and GPS communications, is simply awesome. This solution may sound complex, but combining the power of Microsoft Live Communications Server 2005 and Microsoft MapPoint 2005 provides a supported and moderately configurable solution to this scenario. Using the integration capability of LCS and MapPoint or Microsoft Virtual Earth, tracking an asset using location-based services and then communicating with the user via Live Communications Server 2005 SP1 using either secured VoIP or IM, while providing a monitored and archived service, can be accomplished with ease.

Protecting Communications

Live Communications Server provides a secure Instant Messaging platform by utilizing Transport Layer Security (TLS) and Session Initiation Protocol (SIP). SIP is the structured message itself, while TLS is the transport in which the communication is carried. For U.S. military and private sector agencies, this level of security is desperately needed, as tapped communications are common. TLS is the successor to SSL and provides a layer of encryption over the communication wire itself. For military and private sector agencies that require communication transmissions to be run on customized ports, LCS offers the functionality to modify the port used between LCS clients and servers.

Logging of Instant Messaging Conversations

Live Communications Server provides the ability to monitor and report Instant Messaging conversations through the LCS IM Archiving Service.
The IM Archiving Service requires an additional server to support it, and the actual IM messages are stored in a SQL Server database. The LCS IM Archiving Service works by implementing an MSMQ (Microsoft Message Queue) service within the environment to capture Instant Messaging communications and then store them in a SQL Server database for recording and reporting purposes. This feature can be turned on or off based on the required use of the service. Enabling the Live Communications Server 2005 IM Archiving Service causes all LCS client communications to be stored in a back-end SQL Server database or SAN environment for reporting and recording purposes. This service is critical when communicating secret-level information, as the IM Archiving Service provides accountability and control.

Deploying LCS for a Limited Duration

Live Communications Server 2005 deployments can be accomplished in limited implementation time frames. The ability to deploy quickly for special operations is critical, as is the ability to tear down an LCS environment.

192 Chapter 8
lcsimpac.wsf

Last but not least, this script is used to convert the users' Exchange IM permissions to their equivalent Live Communications Server presence permissions. It migrates the contacts to their respective LCS server. The Exchange IM access control lists (ACLs) are retrieved from Active Directory, and the users' contacts from the files generated earlier by lcsmon.wsf. To run the script you must be logged on with Domain Administrator rights or be in the RTCDomainUserAdmins group. The script must run on a Standard Edition Server or on the Enterprise Edition pool back-end database.

Further Information

For further details on how to migrate users from Exchange IM to Live Communications Server, and for a more detailed view of the scripts that can be used, refer to the Microsoft Office Live Communications Server 2005 SP1 Resource Kit, in the subfolder called Migration. The Live Communications Server 2005 SP1 Resource Kit can be found on the Microsoft LCS web site, at www.microsoft.com/lcs.

Implementing LCS for Military and Private Sector Environments

The purpose of this section is to provide guidance for the implementation of Live Communications Server for military and private sector use. The following topics are covered:

- Satellite connectivity
- Locate and communicate: mapping solutions
- Protecting communications
- Archiving communications
- Deploying LCS for a limited duration
- Mobile communications
- Mobile clients
- LCS within military transport
- LCS for covert operations

While policy will determine the ability to deploy LCS in the manner discussed in this section, this material provides an overview of how secured Instant Messaging can be a preferred communication tool for military and private sector operations. Deploying the appropriate devices and secured protocols will enable special forces and individual operations to be completed without compromising the security of the operation.
Scripts Provided by Microsoft

Microsoft provides four scripts to help the administrator perform certain steps described in the previous sections. Space does not permit a detailed description here, but the following offers a rough overview of how the scripts are used.

lcsish.wsf

lcsish.wsf has two uses. One is to generate a list of Exchange IM users in a specified Active Directory container. For this, the script must be run from the command line with the following parameters: /eimdn and /genuserfile. As the name indicates, this script goes to the specified Active Directory container and writes those users out to a specified file. The specified file is created in Unicode format. The output is also written directly to the command console, and you can redirect it to a file by using redirection. You can also use lcsish.wsf with these parameters: /userfile and /eimdn. This initializes the file share and creates the user files, including permissions on each file so that only the user is able to open his or her own text file.

lcsmon.wsf

This script must be placed in the share created with lcsish.wsf and can only run from there. This script is used by every user, either by sending a link to the script or by using a login script. The script exports the user's contacts from the registry to the file created earlier for the user. It uses the user's login credentials to run the script and to validate the user against the Exchange IM server. If the user is not logged on to the domain, the script can be used with the /user switch with the user's name and FQDN, in the form user@fqdn.

lcssipen.wsf

The next script performs the steps to acquire a list of users to be enabled. It uses the /homeserverdn switch to determine which Enterprise Pool or Standard Edition Server should be used for the user, as well as a SIP mapping switch to determine and change the mapping of Exchange IM SIP domains to Live Communications Server SIP domains. If /force is not specified, the user will be skipped.
The /onlysipenable switch can be used to only set the value in the msRTCSIP-UserEnabled attribute to TRUE. Another switch, /sipenable, is used to set the attribute msRTCSIP-UserEnabled to TRUE if provided, or FALSE if not. As with all the other scripts, everything is logged to the screen; to redirect the output, use the normal redirection option: lcssipen.wsf param1 param2 paramx > logfile.txt.
This approach consists of eight steps:

1. Capacity planning
2. Deploying the Live Communications Server client, Microsoft Office Communicator
3. Generating a list of Exchange IM users
4. Gathering and exporting user contact lists
5. Homing users
6. Importing user contact lists and permissions to Live Communications Server
7. Using dual contacts
8. Removing Exchange IM after a transition period

Gradual Migration Importing Users' Contacts and Permissions

This migration path is mostly designed for large organizations with a significant number of IM users. The idea is to migrate users in batches over a period of time (days, weeks, or even longer). The intention is to make the migration seamless for users and enable them to use IM regardless of whether they or their contacts have been migrated. There are many reasons for doing it this way, including deployment of a pilot population, the time involved to install client computers, and the learning curve needed for help desk and support teams as they are trained on the new software. The migration process is more or less identical to that described earlier in the two immediate migration scenarios. Organizations just carry out the process over a longer period of time.

Gradual Migration without Importing Users' Contacts and Permissions

As with the previous example, medium and large organizations with a significant base of Exchange IM users may find that a gradual migration is a more prudent and realistic path. The transition should be, as in the previous example, seamless and with nearly no user interaction. This approach provides two main benefits. One, users won't see dual contact entries, as they would when both Exchange IM and Live Communications Server services are enabled during the transition period. Two, IT administrators can confirm that everyone can log on to Live Communications Server services before actually needing to do so.
The concept behind this migration path is similar to the previous one; however, the contact lists are migrated after all users are enabled and migrated to Live Communications Server. After all the users are enabled for Live Communications Server, you need to verify that they can log on, that their contact lists and permissions have been migrated, and that the Exchange IM services have been disabled. In cases where a user's contact list is not properly migrated, the administrator can migrate it again, because a copy of the user's contact list was stored on the file server during the export process.
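The following PowerShell script is an added example, not from the book and not one of the Resource Kit scripts. It supports the verification step just described, and the lcssipen.wsf enabling step earlier: after users have been enabled it summarises, per container, how many users have msRTCSIP-UserEnabled set to TRUE and flags enabled users that are still missing a SIP URI or a home server, who would not be able to sign in. It assumes a domain-joined host with read access to the directory, the $SearchBase parameter name, and the LCS schema attributes msRTCSIP-PrimaryUserAddress and msRTCSIP-PrimaryHomeServer, which are not mentioned on this page.

```powershell
# Added example; not from the book or from the Resource Kit scripts.
# Summarises per container how many users are SIP-enabled and lists enabled
# users that lack a SIP URI or a home server. Assumes a domain-joined host
# with read access; $SearchBase is an assumed parameter name, and the two
# msRTCSIP-Primary* attributes are assumed from the LCS schema.
param(
    [string]$SearchBase = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
)

# objectCategory=person excludes computer accounts; objectClass=user still
# matches both user and inetOrgPerson objects, which lcssipen.wsf enables.
$root = [ADSI]("LDAP://" + $SearchBase)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root, "(&(objectCategory=person)(objectClass=user))")
$searcher.PageSize = 1000
foreach ($attr in 'distinguishedName', 'sAMAccountName', 'msRTCSIP-UserEnabled',
                  'msRTCSIP-PrimaryUserAddress', 'msRTCSIP-PrimaryHomeServer') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

function Get-Attr($Result, [string]$Name) {
    # SearchResult property names are lower-cased; absent attributes have no values.
    $values = $Result.Properties[$Name.ToLower()]
    if ($values -and $values.Count -gt 0) { return $values[0] }
    return $null
}

$summary  = @{}
$problems = @()
foreach ($r in $searcher.FindAll()) {
    $dn = Get-Attr $r 'distinguishedName'
    # Parent container: split on the first comma that is not escaped inside the RDN.
    $container = ($dn -split '(?<!\\),', 2)[1]
    $enabled = [bool](Get-Attr $r 'msRTCSIP-UserEnabled')
    $uri     = Get-Attr $r 'msRTCSIP-PrimaryUserAddress'
    $home    = Get-Attr $r 'msRTCSIP-PrimaryHomeServer'

    if (-not $summary.ContainsKey($container)) {
        $summary[$container] = @{ Total = 0; Enabled = 0; Incomplete = 0 }
    }
    $summary[$container].Total += 1
    if ($enabled) { $summary[$container].Enabled += 1 }

    # An enabled user with no SIP URI or no home server cannot sign in.
    if ($enabled -and (-not $uri -or -not $home)) {
        $summary[$container].Incomplete += 1
        $problems += [pscustomobject]@{
            User       = Get-Attr $r 'sAMAccountName'
            SipUri     = $uri
            HomeServer = $home
        }
    }
}

$summary.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{
        Container  = $_.Key
        Total      = $_.Value.Total
        Enabled    = $_.Value.Enabled
        Incomplete = $_.Value.Incomplete
    }
} | Sort-Object Container
$problems
```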
Keeping these differences in mind, we will split the migration into four scenarios:

- The section Immediate Migration without Importing Users' Contacts and Permissions explains how to migrate all users in a single phase without migrating users' contacts and permissions.
- The section Immediate Migration with Importing Users' Contacts and Permissions explains how to migrate all users in a single phase along with migrating users' contacts and permissions.
- The section Gradual Migration Importing Users' Contacts and Permissions explains how to gradually migrate users with their contacts and permissions.
- The section Gradual Migration without Importing Users' Contacts and Permissions explains how to gradually migrate users without their contacts and permissions until all users are deployed on LCS.

Generally, small organizations make use of an immediate migration strategy over the weekend. Mid-size and large organizations will probably use a gradual migration strategy.

Immediate Migration without Importing Users' Contacts and Permissions

An immediate migration has the advantage of moving all users to LCS at once. It is an aggressive path but has minimal risk, because the Exchange IM service is kept operational for a certain amount of time to allow users to switch back in case of unforeseen issues. With this approach, users have to migrate their contacts themselves. The period of time during which you have two IM environments could be very short. This approach consists of four steps:

1. Capacity planning
2. Deploying the Live Communications Server client, Microsoft Office Communicator
3. Homing users
4. Removing Exchange IM after a transition period

Immediate Migration with Importing Users' Contacts and Permissions

This migration path is most achievable in small or mid-size organizations, and as noted earlier it can typically be done during a weekend or overnight.
Although it is an aggressive migration path, it presents minimal risk because the Exchange IM service can, and should, be kept operational for a short period of time to resolve unforeseen issues. System administrators must help users automate the transfer of contact lists from Exchange IM to Live Communications Server.
Figure 8-6

IBM Sametime Migration

As mentioned in Chapter 2, LCS has entered the enterprise domain in which existing technologies such as IBM Sametime have dominated. This section demonstrates some of the tasks that are required for an enterprise customer who has decided to migrate from the IBM Sametime messaging environment to Microsoft Live Communications Server 2005. Within this scenario, we identify a customer who is currently using Microsoft Exchange as the enterprise e-mail solution and is decommissioning IBM Domino servers to migrate to Live Communications Server. The ability to migrate existing Sametime users as well as their respective Instant Messaging buddies/contacts is a critical requirement for this deployment.

Requirements

The following table outlines the requirements set forth by the customer within the scenario described in the overview of this section:

Feature                          Required Software
IBM Sametime to LCS Migration    Live Communications Server 2005 with Service Pack 1, Enterprise or Standard Edition
                                 Live Communications Server 2005 with Service Pack 1 Resource Kit