Prepare Schema, Prepare Forest & Prepare Domain Explained.
Before Lync Server can be installed, Active Directory must be prepared to accept the new application. There are three major pre-deployment steps, all performed at the Active Directory level, and they must be run in this order: schema, then forest, then domain.
Preparing the Schema
Schema preparation imports four LDF files, found in the installation folder, into the forest's schema partition. The schema partition holds the definitions of the attributes (and their accepted values) that the application we are going to install will use. Because the schema is forest-wide, replicated to every domain controller and cannot be rolled back once the extensions are committed, this step requires membership in Schema Admins and should be run only after the LDF files have been reviewed.
- ExternalSchema.ldf, which provides the interoperability between Lync Server and Exchange Server;
- ServerSchema.ldf, which contains the schema changes Lync Server itself requires;
- BackCompatSchema.ldf, which provides compatibility with previous versions;
- VersionSchema.ldf, which only contains the schema version update.
Shell Command:
Install-CsADServerSchema
Preparing the Forest
Forest preparation creates the global settings object and all the universal groups used by Lync Server, including the groups that back the RBAC roles (the groups with the CS prefix, created in the Users container of the forest root domain). This step requires membership in Enterprise Admins (or Domain Admins in the forest root domain).
Shell Command:
Enable-CsADForest
Administrative Roles created during Forest Preparation
Role | Tasks allowed | Underlying Active Directory Group | Exchange equivalent |
CsAdministrator | Can perform all administrative tasks and modify all settings, including creating roles and assigning users to roles. Can expand a deployment by adding new sites, pools, and services. | CS Administrators | Organization Management |
CsUserAdministrator | Can enable and disable users for Lync Server, move users and assign existing policies to users. Cannot modify policies. | CS User Administrators | Mail Recipients |
CsVoiceAdministrator | Can create, configure, and manage voice-related settings and policies. | CS Voice Administrators | Not applicable. |
CsServerAdministrator | Can manage, monitor, and troubleshoot servers and services. Can prevent new connections to servers, stop and start services, and apply software updates. Cannot make changes with global configuration impact. | CS Server Administrators | Server Management |
CsViewOnlyAdministrator | Can view the deployment, including user and server information, in order to monitor deployment health. | CS View-Only Administrators | View-Only Organization Management |
CsHelpDesk | Can view the deployment, including user’s properties and policies. Can run specific troubleshooting tasks. Cannot change user properties or policies, server configuration, or services. | CS HelpDesk | HelpDesk |
CsArchivingAdministrator | Can modify archiving configuration and policies. | CS Archiving Administrators | Retention Management, Legal Hold |
CsResponseGroupAdministrator | Can manage the configuration of the Response Group application within a site. | CS Response Group Administrators | Not applicable |
CsLocationAdministrator | Lowest level of rights for Enhanced 9-1-1 (E9-1-1) management, including creating E9-1-1 locations and network identifiers, and associating these with each other. This role is always assigned with a global scope. | CS Location Administrators | Not applicable |
Administrative Groups Created During Forest Preparation
Administrative group | Description |
RTCUniversalServerAdmins | Allows members to manage server and pool settings, including all server roles, global settings, and users. |
RTCUniversalUserAdmins | Allows members to manage user settings and move users from one server or pool to another. |
RTCUniversalReadOnlyAdmins | Allows members to read server, pool, and user settings. |
Infrastructure Groups Created During Forest Preparation
Infrastructure group | Description |
RTCUniversalGlobalWriteGroup | Grants write access to global setting objects for Lync Server. |
RTCUniversalGlobalReadOnlyGroup | Grants read-only access to global setting objects for Lync Server. |
RTCUniversalUserReadOnlyGroup | Grants read-only access to Lync Server user settings. |
RTCUniversalServerReadOnlyGroup | Grants read-only access to Lync Server settings. This group does not have access to pool level settings, only to settings specific to an individual server. |
RTCUniversalSBATechnicians | Members have read-only access to the Lync Server configuration and are placed in the local Administrators group of each Survivable Branch Appliance during its installation. |
Service Groups Created during Forest Preparation
Service group | Description |
RTCHSUniversalServices | Includes service accounts used to run Front End Server and Standard Edition servers. This group allows servers read/write access to Lync Server global settings and Active Directory user objects. |
RTCComponentUniversalServices | Includes service accounts used to run A/V Conferencing Servers, Web Services, Mediation Server, Archiving Server, and Monitoring Server. |
RTCProxyUniversalServices | Includes service accounts used to run Lync Server Edge Servers. |
RTCUniversalConfigReplicator | Includes servers that can participate in Lync Server Central Management store replication. |
RTCSBAUniversalServices | Grants read-only access to Lync Server settings, plus the configuration rights needed to install a Survivable Branch Server or Survivable Branch Appliance. |
Forest preparation then adds service and administration groups to the appropriate infrastructure groups, as follows:
- RTCUniversalServerAdmins is added to RTCUniversalGlobalReadOnlyGroup, RTCUniversalGlobalWriteGroup, RTCUniversalServerReadOnlyGroup, and RTCUniversalUserReadOnlyGroup.
- RTCUniversalUserAdmins is added as a member of RTCUniversalGlobalReadOnlyGroup, RTCUniversalServerReadOnlyGroup, and RTCUniversalUserReadOnlyGroup.
- RTCHSUniversalServices, RTCComponentUniversalServices and RTCUniversalReadOnlyAdmins are added as members of RTCUniversalGlobalReadOnlyGroup, RTCUniversalServerReadOnlyGroup, and RTCUniversalUserReadOnlyGroup.
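Because membership in these groups (and, through nesting, in RTCUniversalGlobalWriteGroup) is what actually grants Lync administrative rights, it is worth auditing who holds it. The script below is an added example, not part of the original article or of the Lync product; it assumes the ActiveDirectory (RSAT) module and the Lync Server Management Shell (module name `Lync`) are installed on the host, and that the account running it can read group membership in the forest root domain. It expands nested membership so indirect members are not missed, and cross-checks the RBAC roles against the AD groups by SID.

```powershell
# Added example (not from the original article): audit effective membership of the
# privileged groups that forest preparation creates, and map RBAC roles to AD groups.
Import-Module ActiveDirectory
Import-Module Lync   # assumption: Lync Server Management Shell is installed here

# The CS* and RTC* groups are created in the forest root domain by forest preparation.
$forestRoot = (Get-ADForest).RootDomain

$privilegedGroups = @(
    'CS Administrators',            # backs the CsAdministrator role: full control of the deployment
    'CS Server Administrators',
    'CS User Administrators',
    'RTCUniversalServerAdmins',     # nested into RTCUniversalGlobalWriteGroup by forest prep
    'RTCUniversalUserAdmins',
    'RTCUniversalGlobalWriteGroup'  # write access to the global settings objects
)

$report = foreach ($g in $privilegedGroups) {
    $group = Get-ADGroup -Identity $g -Server $forestRoot -ErrorAction SilentlyContinue
    if (-not $group) { Write-Warning "Group '$g' not found in $forestRoot"; continue }

    # -Recursive expands nested groups, so users reached only through another group are listed too
    Get-ADGroupMember -Identity $group -Server $forestRoot -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName -Server $forestRoot
            [pscustomobject]@{
                Group   = $g
                Member  = $u.SamAccountName
                Enabled = $u.Enabled   # disabled accounts still count as members; review them too
            }
        }
}
$report | Sort-Object Group, Member | Format-Table -AutoSize

# Cross-check with the RBAC view: every standard role is backed by one AD group, linked by SID.
Get-CsAdminRole |
    Where-Object { $_.IsStandardRole } |
    Select-Object Identity, @{ n = 'ADGroup'; e = { (Get-ADGroup -Identity $_.SID -Server $forestRoot).Name } }

# Direct members of the global write group. Per the nesting forest preparation performs,
# the only expected direct member is RTCUniversalServerAdmins; anything else was added by hand.
Get-ADGroupMember -Identity 'RTCUniversalGlobalWriteGroup' -Server $forestRoot |
    Select-Object Name, objectClass
```

Run it periodically (or from a change-detection job) and treat any unexpected direct member of RTCUniversalGlobalWriteGroup or CS Administrators as a finding: those memberships are equivalent to full control of the Lync deployment.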
Preparing the Domain
Domain preparation adds permissions (ACEs) in three places in the domain: the domain root object, the Users container and the Computers container. Bear in mind that this step must be run in every domain that will host Lync-enabled users or Lync Servers, and need not be run in any other domain. It requires membership in Domain Admins for the domain being prepared.
In order to prepare using PowerShell, you can run the following cmdlet:
Shell Command:
Enable-CsADDomain
Note:
Domain preparation can also be reversed with the Disable-CsADDomain cmdlet. It only succeeds if no Front End Server or A/V Conferencing Server is still active in the domain, so decommission those servers first.
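The following script is an added example, not part of the original article or of the Lync product: it runs the three preparation steps in order and uses the corresponding Get-CsAd* cmdlets to check the state before and after each one, so a step that did not complete (or has not yet replicated) stops the run instead of letting the next step proceed. The paths `D:\Setup\amd64\Setup`, `C:\LyncPrep` and the domain name `corp.example.com` are assumptions. It also assumes the Lync Server Management Shell is installed and that the account running each step holds the rights that step needs (Schema Admins for the schema, Enterprise Admins for the forest, Domain Admins for the target domain); in practice use a separate account per step rather than one account holding all three.

```powershell
# Added example (not from the original article): ordered Lync AD preparation with state checks.
Import-Module Lync

$ldfPath      = 'D:\Setup\amd64\Setup'   # assumption: folder on the Lync media that holds the .ldf files
$reportDir    = 'C:\LyncPrep'            # assumption: where the HTML reports are written
$targetDomain = 'corp.example.com'       # assumption: a domain that will host Lync users or servers
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null

function Invoke-PrepStep {
    param(
        [string]$Name,
        [scriptblock]$Check,       # returns the state string from a Get-CsAd* cmdlet
        [string]$ReadyState,       # value the check returns once the step is complete
        [scriptblock]$Action       # the Install-/Enable- cmdlet for the step
    )
    $before = & $Check
    if ($before -eq $ReadyState) {
        Write-Host "${Name} already done ($before); skipping."
        return
    }
    Write-Host "${Name}: state is '$before', running step..."
    & $Action
    # Replication lag can leave the reported state stale for a while after the cmdlet returns;
    # re-run the script later rather than continuing on a failed check.
    $after = & $Check
    if ($after -ne $ReadyState) {
        throw "${Name} did not reach '$ReadyState' (got '$after'); inspect the report in $reportDir before continuing."
    }
    Write-Host "${Name} complete ($after)."
}

# 1. Schema: forest-wide and irreversible; needs Schema Admins.
Invoke-PrepStep -Name 'Schema prep' `
    -Check      { Get-CsAdServerSchema } `
    -ReadyState 'SCHEMA_VERSION_STATE_CURRENT' `
    -Action     { Install-CsAdServerSchema -Ldf $ldfPath -Report "$reportDir\SchemaPrep.html" }

# 2. Forest: creates the global settings and the universal/RBAC groups; needs Enterprise Admins.
Invoke-PrepStep -Name 'Forest prep' `
    -Check      { Get-CsAdForest } `
    -ReadyState 'LC_FORESTSETTINGS_STATE_READY' `
    -Action     { Enable-CsAdForest -Report "$reportDir\ForestPrep.html" }

# 3. Domain: adds the ACEs on the domain root, Users and Computers containers; needs Domain Admins.
#    Repeat this step for every domain that will host Lync users or servers.
Invoke-PrepStep -Name "Domain prep ($targetDomain)" `
    -Check      { Get-CsAdDomain -Domain $targetDomain } `
    -ReadyState 'LC_DOMAINSETTINGS_STATE_READY' `
    -Action     { Enable-CsAdDomain -Domain $targetDomain -Report "$reportDir\DomainPrep-$targetDomain.html" }
```

The `-Report` files are worth keeping with the change record: they list exactly which schema objects, groups and ACEs were created, which is what an auditor (or an incident responder looking at a later permission change) will want to compare against.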