Preparing Active Directory Domain Services
Topic Last Modified: 2009-06-05
The sections following this topic describe how to prepare Active Directory Domain Services (AD DS) for Office Communications Server.
Active Directory Preparation Tools
You must run Active Directory preparation tasks on a computer running Windows Server 2003 with Service Pack 2 (SP2), Windows Server 2003 R2 with SP2, or Windows Server 2008. You cannot run Active Directory preparation tasks on a computer running Microsoft Windows 2000 Server or earlier, or on a computer running any client version of the Windows operating system.
Active Directory can be prepared by using either of the following tools:
- SetupEE.exe (for Enterprise Edition server consolidated configuration) or SetupSE.exe (for Standard Edition server) deployment tool
- LcsCmd.exe command-line tool
These tools are provided on the Office Communications Server CD. The LcsCmd.exe command-line deployment tool is installed when you install Office Communications Server 2007 R2 administrative tools.
The SetupEE.exe or SetupSE.exe deployment tool provides wizards that guide you through each Active Directory preparation task: Prep Schema, Prep Forest, and Prep Domain. This tool is useful for environments with a single domain and single forest topology, or other similar topology. It is not available for deploying Enterprise Edition server expanded configurations.
The LcsCmd.exe command-line tool supports Active Directory preparation tasks with the SchemaPrep, ForestPrep, and DomainPrep actions. You can use this tool to run tasks remotely or for more complex environments.
Running Active Directory Preparation Tasks on 32-bit Domain Controllers
To run Active Directory preparation tasks on computers running 32-bit operating systems, you must use the 32-bit version of the LcsCmd.exe command-line tool, which is included in the 32-bit version of OCScore.msi. You can find the 32-bit version of OCScore.msi on the installation media in the \support\i386 folder. By default, LcsCmd.exe is installed in the Program Files\Common Files\Microsoft Office Communications Server 2007 R2 folder. For details about running LcsCmd.exe, see Running LCSCmd.
You must install the 32-bit version of LcsCmd.exe manually. Only the 64-bit version can be installed from the SetupEE.exe or SetupSE.exe wizard.
To use the 32-bit version of LcsCmd.exe, follow the same procedures that you would for the 64-bit version, which are described in the topics listed later in this section.
Schema Batch Import Tool
The Prep Schema wizard in the Setup deployment tool and the LcsCmd.exe command-line tool extend the Active Directory schema on domain controllers running a 64-bit operating system. If you need to extend the Active Directory schema on a domain controller running a 32-bit operating system, or if you need to run the schema preparation step on a domain controller that is not the schema master, you can use the Ldifde.exe tool to import the schema file. The Ldifde.exe tool comes with most versions of the Windows operating system.
Running the schema preparation step on the schema master is the preferred approach.
To use Ldifde.exe to import the schema.ldf file on a domain controller that is the schema master, use the following format:
ldifde -i -v -k -s <DCName> -f schema.ldf -c DC=X <defaultNamingContext> -b <administrator account> <login domain> <password>
ldifde -i -v -k -s DC1 -f schema.ldf -c DC=X "DC=contoso,DC=com" -b Administrator contoso password
Use the -b parameter only if you are logged on as a different user. For details about the required user rights, see Administrative Rights and Roles.
To use Ldifde.exe to import the schema.ldf file on a domain controller that is not the schema master, use the following format:
ldifde -i -v -k -s <SchemaMasterFQDN> -f schema.ldf -c DC=X <rootDomainNamingContext> -j "<drive>:\ocs" -b <administrator account> <domain> <password>
For details about using Ldifde, see Knowledge Base article 237677, "Using LDIFDE to import and export directory objects to Active Directory," at http://go.microsoft.com/fwlink/?LinkId=132204.
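The two ldifde forms above differ only in the target server, the naming context substituted for DC=X, and the -j log folder. The following added PowerShell script (not part of the Office Communications Server documentation) reads those values from RootDSE and the forest's schema role owner, then runs the form that matches whether the local domain controller is the schema master. It assumes schema.ldf is in C:\ocs and that the script runs under an account that already holds the required rights, so the -b switch is omitted.

```powershell
# Added example, not from the Office Communications Server documentation.
# Assumes: schema.ldf is in C:\ocs, the script runs on the domain controller
# that performs the import, and the current account already has the rights
# listed under Administrative Rights and Roles (so -b is not needed).
# Uses only .NET 2.0 / ADSI types available on Windows Server 2003 and 2008.

$ldfPath = "C:\ocs\schema.ldf"   # assumed location of the schema file
$logDir  = "C:\ocs"              # assumed folder for ldifde log files (-j)

# RootDSE exposes the naming contexts the placeholders in the page refer to.
$rootDse   = [ADSI]"LDAP://RootDSE"
$defaultNc = $rootDse.Properties["defaultNamingContext"].Value     # e.g. DC=contoso,DC=com
$rootNc    = $rootDse.Properties["rootDomainNamingContext"].Value
$localDc   = $rootDse.Properties["dnsHostName"].Value

# The forest object reports which domain controller holds the schema master role.
$forest       = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$schemaMaster = $forest.SchemaRoleOwner.Name   # FQDN of the schema master

if (-not (Test-Path $ldfPath)) { throw "schema.ldf not found at $ldfPath" }

if ($schemaMaster -ieq $localDc) {
    # Preferred case from the page: this DC is the schema master, so target it
    # directly and substitute the default naming context for DC=X.
    Write-Host "Importing $ldfPath on schema master $schemaMaster"
    & ldifde -i -v -k -s $schemaMaster -f $ldfPath -c "DC=X" $defaultNc
}
else {
    # Not the schema master: send the import to the schema master (-s),
    # substitute the root domain naming context, and keep the ldifde log
    # files in a local folder (-j), as in the second form on the page.
    Write-Host "$localDc is not the schema master; importing via $schemaMaster"
    & ldifde -i -v -k -s $schemaMaster -f $ldfPath -c "DC=X" $rootNc -j $logDir
}

# ldifde returns a nonzero exit code when the import fails; stop here so a
# partial schema extension is not silently treated as success.
if ($LASTEXITCODE -ne 0) {
    throw "ldifde returned exit code $LASTEXITCODE; review its verbose output and log files"
}
```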
Administrative Rights and Roles
The following table shows the administrative rights and roles required for each Active Directory preparation task.
User rights required for Active Directory preparation
Procedure | Required administrative rights or roles
Prep Schema | Member of Schema Admins group or sufficient delegated rights and permissions to modify the schema
Prep Forest | Member of Enterprise Admins group for the forest root domain
Prep Domain | Member of Enterprise Admins or Domain Admins group
Custom Container Permissions
If your organization uses custom containers instead of the three built-in containers (that is, Users, Computers, and Domain Controllers), the Authenticated Users group must have read access to the custom containers. If the Authenticated Users group does not have read access to the custom container, run LcsCmd.exe with the CreateLcsOuPermissions action as illustrated below to grant read permissions for each custom container.
lcscmd /Domain:<Domain FQDN> /Action:CreateLcsOuPermissions /OU:<distinguished name> /ObjectType:<User | Contact | InetOrgPerson | Computer | AppContact>
where /OU specifies the distinguished name (DN) of the OU, excluding the domain root portion of the DN.
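Before running the CreateLcsOuPermissions action, a practitioner usually wants to confirm whether Authenticated Users already has read access on a custom container. The following added PowerShell script (not from the Office Communications Server documentation) inspects the container's ACL for that and only then runs the lcscmd command shown above. The domain name, OU distinguished name, and object type are constructed placeholders.

```powershell
# Added example, not from the Office Communications Server documentation.
# Assumes: the ActiveDirectory ADSI provider is reachable and lcscmd.exe is
# on the path. Domain, OU and object type below are constructed placeholders.
$domainFqdn = "contoso.com"
$ouDn       = "OU=Sales Users,OU=Corp,DC=contoso,DC=com"   # assumed custom container
$objectType = "User"   # one of User, Contact, InetOrgPerson, Computer, AppContact

function Test-AuthenticatedUsersRead {
    param([string]$DistinguishedName)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    # Explicit and inherited ACEs, with identities resolved to NT account names.
    $rules   = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $needed  = [int]([System.DirectoryServices.ActiveDirectoryRights]"ListChildren, ReadProperty")
    $granted = 0
    foreach ($rule in $rules) {
        # Count only Allow ACEs for Authenticated Users that apply to all
        # properties (empty ObjectType GUID), so a grant limited to a single
        # attribute is not mistaken for general read access. Deny ACEs are
        # not evaluated here; this is a conservative pre-check, not a full
        # effective-permissions calculation.
        if ($rule.IdentityReference.Value -eq "NT AUTHORITY\Authenticated Users" -and
            $rule.AccessControlType -eq "Allow" -and
            $rule.ObjectType -eq [Guid]::Empty) {
            $granted = $granted -bor [int]$rule.ActiveDirectoryRights
        }
    }
    return (($granted -band $needed) -eq $needed)
}

if (Test-AuthenticatedUsersRead $ouDn) {
    Write-Host "Authenticated Users already has read access on $ouDn; nothing to do."
}
else {
    # Remedy from the page: grant read permissions with CreateLcsOuPermissions.
    # /OU takes the DN without the domain root portion, so strip the DC= part.
    $ouRelative = $ouDn -replace ",DC=.*$", ""
    Write-Host "Granting read access on '$ouRelative' for object type $objectType"
    & lcscmd /Domain:$domainFqdn /Action:CreateLcsOuPermissions /OU:$ouRelative /ObjectType:$objectType
    if ($LASTEXITCODE -ne 0) { throw "lcscmd failed with exit code $LASTEXITCODE" }
}
```

Run it once per custom container and object type that your organization uses in place of the built-in Users, Computers, and Domain Controllers containers.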
Locked Down Active Directory Requirements
If permissions inheritance is disabled or authenticated user permissions must be disabled in your organization, you must perform additional steps during domain preparation. For details, see Preparing a Locked Down Active Directory Domain Services.