Prepare Schema, Prepare Forest & Prepare Domain Explained.

Prior to installation of Lync, Active directory need to be prepared for accepting this new application. There are three major pre-deployment process, which are performed in the active directory level.

Preparing the Schema

Will load four LDF files that can be found on the Installation Folder to your Schema. Schema partition holds the details of the attributes and its accepted values for the application we are going to install.

  1. ExternalSchema.ldf which is responsible for the interoperability between Lync Server and Exchange Server;
  2. ServerSchema.ldf which is Lync Server chema changes required;
  3. BackCompatSchema.ldf which provides compatibility with previous versions
  4. VersionSchema.ldf which only contains the Schema version update.

         Shell Cmd

Install-CsADServerSchema

Preparing the Forest

The forest preparation creates the global settings and all Universal Groups used by Lync Server, also the groups used by RBAC (all groups with CS prefix underneath Users).

Shell Command:

Enable-CsADForest

         Administrative Roles created during Forest Preparation

Role Tasks allowed Underlying Active Directory Group Exchange equivalent
CsAdministrator Can perform all administrative tasks and modify all settings, including creating roles and assigning users to roles. Can expand a deployment by adding new sites, pools, and services. CS Administrators Organization Management
CsUserAdministrator Can enable and disable users for Lync Server, move users and assign existing policies to users. Cannot modify policies. CS User Administrators Mail Recipients
CsVoiceAdministrator Can create, configure, and manage voice-related settings and policies. CS Voice Administrators Not applicable.
CsServerAdministrator Can manage, monitor, and troubleshoot servers and services. Can prevent new connections to servers, stop and start services, and apply software updates. Cannot make changes with global configuration impact. CS Server Administrators Server Management
CsViewOnlyAdministrator Can view the deployment, including user and server information, in order to monitor deployment health. CS View-Only Administrators View-Only Organization Management
CsHelpDesk Can view the deployment, including user’s properties and policies. Can run specific troubleshooting tasks. Cannot change user properties or policies, server configuration, or services. CS HelpDesk HelpDesk
CsArchivingAdministrator Can modify archiving configuration and policies. CS Archiving Administrators Retention Management, Legal Hold
CsResponseGroupAdministrator Can manage the configuration of the Response Group application within a site. CS Response Group Administrators Not applicable
CsLocationAdministrator Lowest level of rights for Enhanced 9-1-1 (E9-1-1) management, including creating E9-1-1 locations and network identifiers, and associating these with each other. This role is always assigned with a global scope. CS Location Administrators Not applicable

Administrative Groups Created During Forest Preparation

Administrative group Description
RTCUniversalServerAdmins Allows members to manage server and pool settings, including all server roles, global settings, and users.
RTCUniversalUserAdmins Allows members to manage user settings and move users from one server or pool to another.
RTCUniversalReadOnlyAdmins Allows members to read server, pool, and user settings.

Infrastructure Groups Created During Forest Preparation

Infrastructure group Description
RTCUniversalGlobalWriteGroup Grants write access to global setting objects for Lync Server.
RTCUniversalGlobalReadOnlyGroup Grants read-only access to global setting objects for Lync Server.
RTCUniversalUserReadOnlyGroup Grants read-only access to Lync Server user settings.
RTCUniversalServerReadOnlyGroup Grants read-only access to Lync Server settings. This group does not have access to pool level settings, only to settings specific to an individual server.
RTCUniversalSBATechnicians Grants read-only access to Lync Server configuration and are placed in the Local Administrators group of the survivable branch appliances during installation.

       

       Service Groups Created during Forest Preparation

Service group Description
RTCHSUniversalServices Includes service accounts used to run Front End Server and Standard Edition servers. This group allows servers read/write access to Lync Server global settings and Active Directory user objects.
RTCComponentUniversalServices Includes service accounts used to run A/V Conferencing Servers, Web Services, Mediation Server, Archiving Server, and Monitoring Server.
RTCProxyUniversalServices Includes service accounts used to run Lync Server Edge Servers.
RTCUniversalConfigReplicator Includes servers that can participate in Lync Server Central Management store replication.
RTCSBAUniversalServices Grants read-only access to Lync Server settings, but allows for configuration for the installation of a survivable branch server and survivable branch appliance deployment.

Forest preparation then adds service and administration groups to the appropriate infrastructure groups, as follows:

  • RTCUniversalServerAdmins is added to RTCUniversalGlobalReadOnlyGroup, RTCUniversalGlobalWriteGroup, RTCUniversalServerReadOnlyGroup, and RTCUniversalUserReadOnlyGroup.
  • RTCUniversalUserAdmins is added as a member of RTCUniversalGlobalReadOnlyGroup, RTCUniversalServerReadOnlyGroup, and RTCUniversalUserReadOnlyGroup.
  • RTCHSUniversalServices, RTCComponentUniversalServices and RTCUniversalReadOnlyAdmins are added as members of RTCUniversalGlobalReadOnlyGroup, RTCUniversalServerReadOnlyGroup, and RTCUniversalUserReadOnlyGroup.

           

 

               Preparing the Domain

The domain preparation will create additional permissions on the domain in three different places: Users, Computers, domain and root folder container. Bear in mind that the Domain must be prepared only if it will host Lync enabled users and/or Lync Servers.

In order to prepare using PowerShell, you can run the following cmdlet:

Shell Command:

Enable-CsADDomain

Note:

Domain can also be reversed, in order to do that we can use the Disable-CsADDomain cmdlet however it only works if there is not a Front-End or AV Conferencing Server active in the domain.

By Anoop Karikuzhiyil Babu

Started his career with Exchange 2003 as a Microsoft Support Engineer, later moved to Microsoft Enterprise Unified Communication Team as Premier Engineer. Post handling numerous Premier environments and deployments, currently settled as a Solution Architect for Messaging and Collaboration in United Arab Emirates largest Tier3 Datacenter.