This section describes the global settings and objects, and the universal service and administration groups that are created by the forest preparation step.

Active Directory Global Settings and Objects

If you decide to store global settings in the System container, forest preparation adds a new Microsoft container under the root domain System container and adds a new RTC Service object under the System\Microsoft object. If you decide to store global settings in the Configuration container, forest preparation uses the existing Services container and adds a new RTC Service object under the Configuration\Services object. Under the RTC Service object, forest preparation adds a global settings object of type msRTCSIP-GlobalContainer. The global settings object holds all the settings that apply to the Office Communications Server deployment.

Forest preparation also adds a new msRTCSIP-Domainobject for the root domain in which the procedure is run.

Active Directory Universal Service and Administration Groups

Forest preparation creates universal groups based on the domain that you specify and adds access control entries (ACEs) for these groups. This step creates the universal groups in the User containers of the domain that you specify. The following groups are added:

Service groups:

  • RTCHSUniversalServices — includes service accounts used to run Front-End Server and allows servers read/write access to Office Communications Server global settings and Active Directory user objects.

  • RTCComponentUniversalServices — includes service accounts used to run conferencing servers, Web Components Server, Mediation Server, Archiving Server, and Monitoring Server.

  • RTCProxyUniversalServices — includes service accounts used to run Office Communications Server Edge Servers.

  • RTCUniversalGuestAccessGroup — grants users access to meeting content for conferences. This group is used by internal users who have Active Directory credentials and are connecting remotely, as well as by anonymous users who do not have Active Directory credentials.

  • RTCArchivingUniversalServices — includes service accounts used to run Office Communications Server Archiving Servers.

Administration groups:

  • RTCUniversalServerAdmins — allows members to manage server and pool settings.

  • RTCUniversalUserAdmins — allows members to manage user settings and move users from one server or pool to another.

  • RTCUniversalReadOnlyAdmins — allows members to read server, pool, and user settings.

Infrastructure groups:

  • RTCUniversalGlobalWriteGroup — grants write access to global setting objects for Office Communications Server.

  • RTCUniversalGlobalReadOnlyGroup — grants read-only access to global setting objects for Office Communications Server.

  • RTCUniversalUserReadOnlyGroup — grants read-only access to Office Communications Server user settings.

  • RTCUniversalServerReadOnlyGroup — grants read-only access to Office Communications Server settings. This group does not have access to pool level settings, only to settings specific to an individual server.

Forest preparation then adds service and administration groups to the appropriate infrastructure groups, as follows:

  • RTCUniversalServerAdmins is added to RTCUniversalGlobalReadOnlyGroup, RTCUniversalGlobalWriteGroup, RTCUniversalServerReadOnlyGroup, and RTCUniversalUserReadOnlyGroup.

  • RTCUniversalUserAdmins is added as a member of RTCUniversalGlobalReadOnlyGroup, RTCUniversalServerReadOnlyGroup, and RTCUniversalUserReadOnlyGroup.

  • RTCHSUniversalServices, RTCComponentUniversalServices and RTCUniversalReadOnlyAdmins are added as members of RTCUniversalGlobalReadOnlyGroup, RTCUniversalServerReadOnlyGroup, and RTCUniversalUserReadOnlyGroup.

Forest preparation creates both private and public ACEs. It creates private ACEs on the global settings container used by Office Communications Server. This container is used only by Office Communications Server and is located either in the Configuration container or the System container in the root domain, depending on the options you specify. The public ACEs created by forest preparation are listed in the following table.

Public ACEs created by Forest Preparation

RTCUniversalGlobalReadOnlyGroup

Read root domain System Container (not inherited) *

X

Read Configuration’s DisplaySpecifiers container (not inherited)

X

Note:
*ACEs that are not inherited do not grant access to child objects under these containers. ACEs that are inherited grant access to child objects under these containers.

On the Configuration container, under the Configuration naming context, forest preparation performs the following tasks:

  • Adds an entry {AB255F23-2DBD-4bb6-891D-38754AC280EF}for the RTC propertypage under the adminContextMenu and adminPropertyPages attributes of the language display specifier for users, contacts, and InetOrgPersons (for example, CN=user-Display,CN=409,CN=DisplaySpecifiers).

  • Adds an RTCPropertySetobject of type controlAccessRightunder Extended-Rightsthat applies to the User and Contact classes.

  • Adds an RTCUserSearchPropertySetobject of type controlAccessRightunder Extended-Rightsthat applies to User, Contact, OU, and DomainDNS classes.

  • Adds msRTCSIP-PrimaryUserAddressunder the extraColumnsattribute of each language organizational unit display specifier (for example, CN=organizationalUnit-Display,CN=409,CN=DisplaySpecifiers) and copies the values of the extraColumnsattribute of the default display (for example, CN=default-Display, CN=409,CN=DisplaySpecifiers).

  • Adds msRTCSIP-PrimaryUserAddress, msRTCSIP-PrimaryHomeServer, and msRTCSIP-UserEnabledfiltering attributes under the attributeDisplayNamesattribute of each language display specifier for Users, Contacts, and InetOrgPerson objects (for example, in English: CN=user-Display,CN=409,CN=DisplaySpecifiers).