Topic Last Modified: 2012-10-29

Domain preparation is the final step in preparing Active Directory Domain Services for Lync Server 2013. The domain preparation step adds the necessary access control entries (ACEs) to universal groups that grant permissions to host and manage users within the domain. Domain preparation creates ACEs on the domain root and three built-in containers: User, Computers, and Domain Controllers.

You can run domain preparation on any computer in the domain where you are deploying Lync Server. You must prepare every domain that will host Lync Server or users.

If permissions inheritance is disabled or authenticated user permissions are disabled in your organization, you must perform additional steps during domain preparation. For details, see Preparing a Locked-Down Active Directory Domain Services.

If your organization uses organizational units (OU) instead of the three built-in containers (that is, Users, Computers, and Domain Controllers), you must grant read access to the OUs for the Authenticated Users group. Read access to the containers is required for domain preparation. If the Authenticated Users group does not have read access to the OU, run the Grant-CsOuPermission cmdlet as illustrated in the following code examples to grant read permissions for each OU.

Copy Code
Grant-CsOuPermission -ObjectType <User | Computer | InetOrgPerson | Contact | AppContact | Device> -OU <DN of the OU > 
Copy Code
Grant-CsOuPermission -ObjectType "user","contact",inetOrgPerson" -OU "ou=Redmond,dc=contoso,dc=net"

For details about the Grant-CsOuPermission cmdlet, see the Lync Server Management Shell documentation.

For details about the ACEs created on the domain root and in the Users, Computers, and Domain Controllers containers, see Changes Made by Domain Preparation.

In This Section