Preparing Active Directory Domain Services

 

Topic Last Modified: 2012-10-14

In Microsoft Lync Server 2010 communications software, you can use the Lync Server Deployment Wizard to prepare Active Directory Domain Services (AD DS), or you can use Lync Server Management Shell cmdlets directly. You can also use the ldifde.exe command line tool directly on your domain controllers, as described later in this topic.

The Lync Server Deployment Wizard guides you through each Active Directory preparation task. The Deployment Wizard runs Lync Server Management Shell cmdlets. This tool is useful for environments with a single domain and single forest topology, or other similar topology.

Important

You can deploy Lync Server 2010 in a forest or domain where domain controllers run 32-bit versions of some operating systems (for details, see Active Directory Infrastructure Requirements). However, you cannot use the Lync Server Deployment Wizard to run schema, forest, and domain preparation in these environments because the Deployment Wizard and supporting files are 64-bit only. Instead, you can use ldifde.exe and the associated .ldf files on a 32-bit domain controller to prepare the schema, forest and domain. See the section “Using Cmdlets and Ldifde.exe” later in this topic.

You can use Lync Server Management Shell cmdlets to run tasks remotely or for more complex environments.

Active Directory Preparation Prerequisites

You must run Active Directory preparation steps on a computer running Windows Server 2008 R2 (64-bit) or Windows Server 2008 with SP2 (64-bit). Active Directory preparation requires Lync Server Management Shell and OCSCore, which are not supported on Windows Server 2003.

The following components are required to run Active Directory preparation tasks:

  • Lync Server Core components (OCScore.msi)

    Note

    If you plan to use Lync Server Management Shell for Active Directory preparation, you must run the Lync Server Deployment Wizard first to install Core components.

  • Microsoft .NET Framework 3.5 with Service Pack 1 (SP1) (64-bit)

    Note

    For Windows Server 2008 R2, .NET Framework 3.5 with Service Pack 1 (SP1) (64-bit) is installed as part of Server Manager. For Windows Server 2008, the file dotnetfx35.exe is supplied for you in the \Setup\AMD64 directory of the installation media or download.

  • Remote Server Administration Tools (RSAT)

    Note

    Some RSAT tools are required if you run Active Directory preparation steps on a member server rather than on a domain controller. For Windows Server 2008 R2 and Windows Server 2008, install the AD DS snap-ins and command-line tools and the Active Directory Module for Windows PowerShell from the AD DS and AD LDS Tools node.

  • Microsoft Visual C++ 2008 Redistributable package (64-bit)

    Note

    Setup prompts you to install this prerequisite if it is not already installed on the computer. The package is supplied for you, and you will not have to acquire it separately.

  • Windows PowerShell V2 (64-bit)

Administrator Rights and Roles

The following table shows the administrative rights and roles required for each Active Directory preparation task.

User Rights Required for Active Directory Preparation

| Procedure | Rights or roles |
|---|---|
| Schema preparation | Member of Schema Admins group for the forest root domain and administrator rights on the schema master |
| Forest preparation | Member of Enterprise Admins group for the forest |
| Domain preparation | Member of Enterprise Admins or Domain Admins group for the specified domain |

Active Directory Preparation Cmdlets

The following table compares the Lync Server Management Shell cmdlets used to prepare AD DS to the LcsCmd commands used to prepare AD DS in Microsoft Office Communications Server 2007 R2.

Cmdlets Compared to LcsCmd

| Cmdlets | LcsCmd |
|---|---|
| Install-CsAdServerSchema | Lcscmd /forest /action:SchemaPrep /SchemaType:Server |
| Get-CsAdServerSchema | Lcscmd /forest /action:CheckSchemaPrepState |
| Enable-CsAdForest | Lcscmd /forest /action:ForestPrep |
| Disable-CsAdForest | Lcscmd /forest /action:ForestUnprep |
| Get-CsAdForest | Lcscmd /forest /action:CheckForestPrepState |
| Enable-CsAdDomain | Lcscmd /domain /action:DomainPrep |
| Disable-CsAdDomain | Lcscmd /domain /action:DomainUnprep |
| Get-CsAdDomain | Lcscmd /domain /action:CheckDomainPrepState |

Locked Down Active Directory Requirements

If permissions inheritance is disabled or authenticated user permissions must be disabled in your organization, you must perform additional steps during domain preparation. For details, see Preparing a Locked-Down Active Directory Domain Services.

Custom Container Permissions

If your organization uses custom containers instead of the three built-in containers (that is, Users, Computers, and Domain Controllers), you must grant read access to the custom containers for the Authenticated Users group. Read access to the containers is required for domain preparation. For details, see Running Domain Preparation.

Using Cmdlets and Ldifde.exe

The Prepare Schema step in the Lync Server Deployment Wizard and the Install-CsAdServerSchema cmdlet extend the Active Directory schema on domain controllers running a 64-bit operating system. If you need to extend the Active Directory schema on a domain controller running a 32-bit operating system, you can run the Install-CsAdServerSchema cmdlet remotely from a member server (recommended approach). If you need to run schema preparation directly on the domain controller, however, you can use the Ldifde.exe tool to import the schema files. The Ldifde.exe tool comes with most versions of the Windows operating system.

If you use Ldifde.exe to import the schema files, you must import all four files, regardless of whether you are migrating from a previous version or performing a clean installation. You must import them in the following sequence:

  1. ExternalSchema.ldf

  2. ServerSchema.ldf

  3. BackCompatSchema.ldf

  4. VersionSchema.ldf

Note

The four .ldf files are located in the \Support\Schema directory of your installation media or download.

To use Ldifde.exe to import the four schema files on a domain controller that is the schema master, use the following format:

ldifde -i -v -k -s <DCName> -f <Schema filename> -c DC=X <defaultNamingContext> -j logFilePath -b <administrator account> <logon domain> <password>

For example:

ldifde -i -v -k -s DC1 -f ServerSchema.ldf -c DC=X "DC=contoso,DC=com" -j C:\BatchImportLogFile -b Administrator contoso password

Note

Use the -b parameter only if you are logged on as a different user. For details about the required user rights, see the "Administrator Rights and Roles" section earlier in this topic.

To use Ldifde.exe to import the four schema files on a domain controller that is not the schema master, use the following format:

ldifde -i -v -k -s <SchemaMasterFQDN> -f <Schema filename> -c DC=X <rootDomainNamingContext> -j logFilePath -b <administrator account> <domain> <password>
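The import sequence above as a script (an added example, not part of the original topic): it runs ldifde once per file in the required order, stops at the first failure so that a later file is never imported after an earlier one failed, and omits -b so the import runs as the logged-on account. The server name, naming context and paths are assumed values modeled on the example above.

```powershell
# Added example: import the four Lync Server 2010 schema files in the required order.
# Assumed values (not from the original topic): adjust all four for your environment.
$SchemaDir     = 'D:\Support\Schema'      # \Support\Schema on the installation media
$Server        = 'DC1'                    # schema master (use its FQDN when running elsewhere)
$NamingContext = 'DC=contoso,DC=com'      # naming context substituted for DC=X
$LogRoot       = 'C:\BatchImportLogFile'  # parent folder for the per-file logs

# Order matters: all four files, in exactly this sequence.
$SchemaFiles = 'ExternalSchema.ldf',
               'ServerSchema.ldf',
               'BackCompatSchema.ldf',
               'VersionSchema.ldf'

# Check that every file is present before changing anything in the schema.
foreach ($file in $SchemaFiles) {
    $path = Join-Path $SchemaDir $file
    if (-not (Test-Path -Path $path -PathType Leaf)) {
        throw "Schema file not found: $path"
    }
}

foreach ($file in $SchemaFiles) {
    # One log folder per file so a later import does not overwrite
    # the ldif.log / ldif.err written by an earlier one.
    $logDir = Join-Path $LogRoot ([IO.Path]::GetFileNameWithoutExtension($file))
    New-Item -ItemType Directory -Path $logDir -Force | Out-Null

    Write-Host "Importing $file ..."
    # No -b: the import runs under the logged-on account, so no password
    # appears on the command line.
    & ldifde.exe -i -v -k -s $Server -f (Join-Path $SchemaDir $file) `
        -c 'DC=X' $NamingContext -j $logDir

    # Treat any non-zero exit code as a failed import and stop the sequence.
    if ($LASTEXITCODE -ne 0) {
        throw "ldifde failed on $file (exit code $LASTEXITCODE). See $logDir."
    }
}

Write-Host 'All four schema files imported.'
```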

For details about using Ldifde, see Microsoft Knowledge Base article 237677, "Using LDIFDE to import and export directory objects to Active Directory," at https://go.microsoft.com/fwlink/p/?linkid=3052&kbid=237677.