After the schema has been updated, the
Deployment Wizard enables the remaining AD preparation steps. The next
step is to prepare the forest for the Lync Server installation, which
creates global configuration settings and universal security groups
required for the Lync deployment. The forest prep step must be
performed by a user who is currently a member of the Enterprise Admins
group. Continuing with the Deployment Wizard, the following steps are
used to prepare the forest:
Tip
Replication of the forest prep changes can be
verified by simply using the Active Directory Users and Computers
console to determine whether the Lync security groups have been
created. In the Users container at the root of the domain chosen in
step 2, 11 new groups named with the “CS” prefix should be present, for
example, CSAdministrator.
Domain Prep
After the forest is prepared, the final AD
preparation task is to prepare the domain for Lync Server. Unlike the
previous two steps, domain prep must be performed on every domain that
will host either Lync servers or Lync users. The domain prep step
configures the permissions required for the universal security groups
created in the previous step, and must be performed by a user who is
currently a member of the Domain Admins group for the domain that the
tool is run against. Continuing with the Deployment Wizard, the
following steps are used to prepare the domain:
1. Click Run on Step 5: Prepare Current Domain.
2. Click Next. This action will invoke the Install-CSAdDomain
PowerShell command, which creates the security group access control entries required by Lync.
3. When the command has finished executing, click View Log to review the log file and ensure that no errors or warnings were generated during domain preparation.
4. When finished, click Finish to complete the procedure and return to the Deployment Wizard.
5. Verify that the changes introduced during domain prep have replicated throughout the AD forest before installing the first Lync Server into the environment.
Tip
Replication of the domain prep changes can be verified from the Lync Server Management Shell by running the following command: Get-CsAdDomain. If the domain prep changes have replicated successfully, the cmdlet returns a value of LC_DOMAIN_SETTINGS_STATE_READY.
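The two replication tips above can be checked against every domain controller rather than only the one the console happens to bind to. The following is an added example, not part of the original text or of Microsoft's tooling; it assumes the ActiveDirectory module is available, that it is run from the Lync Server Management Shell, and that the universal groups were created in the current domain's Users container.

```powershell
# Added example: per-DC replication check after forest prep and domain prep.
# Requires the ActiveDirectory module and the Lync Server Management Shell
# (which provides Get-CsAdDomain).
Import-Module ActiveDirectory

# Assumption: the CS groups live in the current domain's Users container
# (the domain selected during forest prep).
$domain     = Get-ADDomain
$expectedCs = 11   # number of "CS" groups stated in the text above

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [ordered]@{
        DomainController = $dc.HostName
        CsGroupCount     = $null
        DomainPrepState  = $null
        Ready            = $false
        Error            = $null
    }
    try {
        # Forest prep: count the CS-prefixed groups as seen by this DC.
        $cs = @(Get-ADGroup -Filter 'Name -like "CS*"' `
                    -SearchBase $domain.UsersContainer -SearchScope OneLevel `
                    -Server $dc.HostName -ErrorAction Stop)
        $row.CsGroupCount = $cs.Count

        # Domain prep: ask this specific DC for the preparation state.
        $state = [string](Get-CsAdDomain -Domain $domain.DNSRoot `
                    -DomainController $dc.HostName -ErrorAction Stop)
        $row.DomainPrepState = $state

        # -ge tolerates unrelated groups that also start with "CS";
        # the suffix match treats any *_STATE_READY value as ready.
        $row.Ready = ($cs.Count -ge $expectedCs) -and ($state -match '_STATE_READY$')
    }
    catch {
        # An unreachable DC is reported as not ready rather than skipped.
        $row.Error = $_.Exception.Message
    }
    [pscustomobject]$row
}

$results | Format-Table -AutoSize
$lagging = @($results | Where-Object { -not $_.Ready })
if ($lagging.Count -gt 0) {
    Write-Warning ("{0} domain controller(s) do not show the Lync changes yet." -f $lagging.Count)
}
```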
Lync Server 2013 Security Groups
After the Active Directory preparation steps
previously described have been completed, a number of new AD security
groups are introduced. The groups can be divided into four primary
categories: service groups, administration groups, infrastructure
groups, and role-based access control (RBAC) groups. The purpose of
each security group is described next.
Lync Server 2013 service groups include the following:
• RTCHSUniversalServices—Includes service accounts that can be used to run the Front End services and grants Lync servers read/write access to Lync Server global settings and Active Directory user objects.
• RTCComponentUniversalServices—Includes service accounts that can be used to run Lync conferencing and web components services.
• RTCProxyUniversalServices—Includes service accounts that can be used to run a Lync proxy service.
• RTCSBAUniversalServices—Grants read access to the Lync deployment for survivable branch appliance installation.
Lync Server 2013 administration groups include the following:
• RTCUniversalServerAdmins—Allows members to manage server and pool settings.
• RTCUniversalUserAdmins—Allows members to manage user settings and move users from one server or pool to another.
• RTCUniversalReadOnlyAdmins—Allows members to read server, pool, and user settings.
• RTCUniversalSBATechnicians—Grants read access to the Lync deployment, as well as local administrative access to a survivable branch appliance during installation.
Lync Server 2013 infrastructure groups include the following:
• RTCUniversalConfigReplicator—Allows Lync servers to participate in replication of the Lync configuration.
• RTCUniversalGlobalWriteGroup—Grants write access to global settings for Lync Server.
• RTCUniversalGlobalReadOnlyGroup—Grants read-only access to global settings for Lync Server.
• RTCUniversalUserReadOnlyGroup—Grants read-only access to Lync Server user settings.
• RTCUniversalServerReadOnlyGroup—Grants read-only access to individual Lync Server settings.
Lync Server 2013 RBAC groups include the following:
• CSAdministrator—Grants full administrative access to the Lync Server 2013 environment.
• CSArchivingAdministrator—Grants access to the archiving-related Lync settings and policies.
• CSHelpDesk—Grants read-only access to Lync user properties and policies, along with access to specific troubleshooting functions.
• CSLocationAdministrator—Grants access to the E911 management functions of Lync.
• CSPersistentChatAdministrator—Grants access to the Lync Persistent Chat admin cmdlets.
• CSResponseGroupAdministrator—Grants access to configure the Response Group application within Lync.
• CSResponseGroupManager—Grants access to manage limited configuration of Lync Response Groups that have been assigned.
• CSServerAdministrator—Grants access to manage, monitor, and troubleshoot Lync servers and services.
• CSUserAdministrator—Grants access to enable, disable, and move Lync users, as well as assign existing policies.
• CSViewOnlyAdministrator—Grants read-only access to the Lync deployment for monitoring purposes.
• CSVoiceAdministrator—Grants access to create, configure, and manage voice-related Lync settings and policies.
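Because several of the groups listed above grant write or administrative access, their effective membership is worth reviewing against an approved list after deployment. The following is an added example, not part of the original text; it assumes the ActiveDirectory module, and the account names in the baseline are constructed placeholders to be replaced with the organization's own approved list.

```powershell
# Added example: least-privilege review of the Lync groups that grant write
# or administrative access. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Constructed baseline: accounts approved for each group (hypothetical names).
$approved = @{
    'CSAdministrator'              = @('lync-admin1')
    'CSServerAdministrator'        = @('lync-ops1', 'lync-ops2')
    'CSUserAdministrator'          = @('helpdesk-lead')
    'CSVoiceAdministrator'         = @()
    'RTCUniversalServerAdmins'     = @('lync-admin1')
    'RTCUniversalUserAdmins'       = @('lync-admin1')
    'RTCUniversalGlobalWriteGroup' = @()
}

function Get-UnexpectedLyncGroupMember {
    param([hashtable]$Baseline)
    foreach ($group in ($Baseline.Keys | Sort-Object)) {
        try {
            # -Recursive flattens nested groups so indirect members are reported.
            $members = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop)
        }
        catch {
            Write-Warning "Could not read group '$group': $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            # -notcontains is case-insensitive, matching AD account name semantics.
            if ($Baseline[$group] -notcontains $m.SamAccountName) {
                [pscustomobject]@{
                    Group       = $group
                    Member      = $m.SamAccountName
                    ObjectClass = $m.objectClass
                    DN          = $m.distinguishedName
                }
            }
        }
    }
}

$findings = @(Get-UnexpectedLyncGroupMember -Baseline $approved)
$findings | Sort-Object Group, Member | Format-Table -AutoSize
"{0} unapproved membership(s) found." -f $findings.Count
```

Service and computer accounts that the deployment itself adds to these groups will appear as findings until they are recorded in the baseline.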