Active Directory Domain Services (known as Active Directory in
Windows Server 2003) functions as the directory service for Windows
Server 2003 and Windows Server 2008 networks. Active Directory
Domain Services also serves as the foundation on which the Office
Communications Server 2007 R2 security infrastructure is built. The
purpose of this section is to describe how Office Communications
Server uses Active Directory Domain Services to create a
trustworthy environment for IM, Web conferencing, media, and voice.
For details about Office Communications Server extensions to Active
Directory Domain Services and about preparing your environment for
Active Directory Domain Services, see
Office Communications Server 2007 R2 uses Active Directory Domain Services to store:
- Global settings that all Office Communications Server 2007 R2
servers in a forest require.
- Service information that identifies the roles of all Office
Communications Server 2007 R2 servers in a forest.
- User settings.
Active Directory Domain Services Preparation
Note: It is recommended that you deploy global settings to the Configuration container over the System container. If you are migrating from an earlier release and have used the System container but plan to use the Configuration container, you MUST move the settings in the System container BEFORE you do any upgrade preparations. To migrate your System container settings to the Configuration container, see Microsoft Office Communications Server 2007 Global Settings Migration Tool at
When deploying Office Communications Server, the first step is to prepare Active Directory Domain Services. Preparing Active Directory Domain Services for Office Communications Server consists of the following three steps:
- Prep Schema. This task extends the schema in Active Directory Domain Services to include classes and attributes specific to Office Communications Server 2007 R2. Prep Schema can be performed only by schema administrators or by a local administrator on the schema master.
- Prep Forest. This task creates global settings and objects in the forest root domain, along with the universal service and administrative groups that govern access to these settings and objects.
- Prep Domain. This task adds the necessary access control entries (ACEs) to universal groups that grant permissions to host and manage users within the domain. Prep Domain is required in all domains where you want to deploy Office Communications Servers and any domains where your Office Communications Server users reside.
For detailed information about each of these Active
Directory preparation steps, see
Universal Groups
During Prep Forest, Office Communications Server creates various universal groups within Active Directory Domain Services that have permission to access and manage global settings and services. These universal groups include:
- Administrative groups. These groups define the fundamental administrator roles for an Office Communications Server network. During Prep Forest, these administrator groups are added to Office Communications Server infrastructure groups.
- Infrastructure groups. These groups provide permission to access specific areas of the Office Communications Server infrastructure. They function as components of administrative groups, and you should not modify them or add users to them directly.
- Service groups. These groups are service accounts that are required to access various services provided by Office Communications Server.
The following table describes Office Communications Server universal groups and their privileges.
Table 1. Universal Groups Created by Office Communications Server 2007 R2
| Administrative group | Privileges |
|---|---|
| RTCUniversalServerAdmins | Manage all Office Communications Server objects and settings in a forest, including all server roles, global settings, and users. |
| RTCUniversalUserAdmins | Manage all users in a forest who are enabled for Office Communications Server. |
| RTCUniversalReadOnlyAdmins | Read-only access to all servers and users. |

| Infrastructure group | Privileges |
|---|---|
| RTCUniversalGlobalReadOnlyGroup | Read-only access to global settings. |
| RTCUniversalGlobalWriteGroup | Write access to global settings. |
| RTCUniversalUserReadOnlyGroup | Read-only access to user settings. |
| RTCUniversalServerReadOnlyGroup | Read-only access to server settings. |

| Service group | Privileges |
|---|---|
| RTCHSUniversalServices | The service account used to run the Office Communications Server 2007 R2 Standard Edition servers and Enterprise Edition front-end servers. This group authorizes these servers to read and write global settings and user objects. |
| RTCArchivingUniversalServices | The service account used to run the Office Communications Server 2007 R2 Archiving Servers and to access the services database. |
| RTCProxyUniversalServices | The service account used to run the Office Communications Server 2007 R2 Proxy Server. |
| RTCComponentsUniversalServices | The service account used to run the Office Communications Server 2007 R2 conferencing servers, Web Components Servers, and Mediation Servers. |
| RTCUniversalGuestAccessGroup | Read-only access to meeting content for conferences. This group is used by internal users with Active Directory credentials who are connecting remotely, as well as by external users who do not have Active Directory credentials. |
Server Information
During activation, Office Communications Server publishes server information to the following three locations in Active Directory Domain Services:
- A service connection point (SCP) on each Active Directory computer object corresponding to a physical computer on which Office Communications Server is installed.
- Server objects created in the container of the msRTCSIP-Pools class.
- Trusted server lists.
Service Connection Points
Each Office Communications Server object in Active Directory Domain Services has an SCP called RTC Services, which in turn contains a number of attributes that identify each computer and specify the services that it provides. Among the more important SCP attributes are serviceDNSName, serviceDNSNameType, serviceClassname, and serviceBindingInformation. Third-party asset management applications can retrieve server information across a deployment by querying against these and other SCP attributes.
Active Directory Server Objects
Each Office Communications Server role has a corresponding Active Directory object whose attributes define the services provided by that role. When a Standard Edition server is activated, or when an Enterprise Edition pool is created, Office Communications Server creates a new msRTCSIP-Pool object in the msRTCSIP-Pools container. The msRTCSIP-Pool class specifies the fully qualified domain name (FQDN) of the pool, along with the association between the front-end and back-end components of the pool. (A Standard Edition server is regarded as a logical pool whose front and back ends are collocated on a single computer.)
Trusted Server Lists
During Prep Forest, Office Communications Server creates containers for holding lists of trusted servers. During activation, Office Communications Server publishes the FQDN of every server to its appropriate container. A trusted server is one that meets the following criteria:
- The FQDN of the server occurs in one of the trusted server lists stored in Active Directory Domain Services, as described in the preceding section.
- The server presents a valid certificate from a trusted CA. The FQDN on this certificate matches the FQDN for that server in one of the trusted server lists. For details about how Office Communications Server uses certificates, see Public Key Infrastructure for Office Communications Server 2007 R2.
If either of these criteria is missing, the server is not trusted and connection with it is refused. This double requirement prevents a possible, if unlikely, attack in which a rogue server attempts to take over a valid server’s FQDN.
The use of multiple trusted server lists represents a departure from earlier versions of Live Communications Server, which maintained only a single trusted server list. Each server in the list is represented as a globally unique identifier (GUID) in the Global Settings container. With the addition of new server roles in Office Communications Server 2007 R2, new containers are defined to hold the GUIDs of different server roles. These new containers and their respective trusted server lists are shown in the following table.
Table 2. Trusted Server Lists and Their Active Directory Containers
| Trusted server list | Active Directory container |
|---|---|
| Standard Edition servers and Enterprise pool Front End Servers | RTC Service/Global Settings |
| Conferencing Servers | RTC Service/Trusted MCUs |
| Web Components Servers | RTC Service/TrustedWebComponentsServers |
| Mediation Servers and Communicator Web Access Servers (also 3rd-party SIP servers) | RTC Service/Trusted Services |
| Proxy Servers | RTC Service/Trusted Proxies |
Trusted server lists duplicate FQDN entries that are also found on individual Office Communications Server objects. The purpose of this redundancy is to prevent possible spoofing of trusted servers. This can conceivably occur because Active Directory Domain Services allows individual users to modify the attributes on the computer objects corresponding to their personal computers. Most organizations do not allow users to make such modifications on their work computers, but trusted server lists add an additional layer of security by making such modifications possible only for members of RTCUniversalServerAdmins.
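The following PowerShell script is an added example, not part of the original documentation, that applies the two preceding sections together: it inventories the RTC Services SCPs described under "Service Connection Points" (reading the attributes named there) and flags any SCP whose serviceDNSName does not appear in the trusted server lists, which is exactly the redundancy the paragraph above relies on. It assumes global settings were deployed to the Configuration container (path CN=RTC Service,CN=Services,<configurationNamingContext>) and that trusted-list objects hold the server FQDN in an attribute whose name ends in "FQDN"; both are assumptions, so adjust the container DN and attribute match for your deployment.

```powershell
# Added audit example (assumptions: Configuration-container deployment; trusted-list
# FQDN attributes end in "FQDN"). Run on a domain-joined machine with read access to AD.
$rootDse  = [ADSI]"LDAP://RootDSE"
$cfgNc    = [string]$rootDse.configurationNamingContext
$domainNc = [string]$rootDse.defaultNamingContext

# 1. Gather every FQDN stored under the RTC Service container (Global Settings,
#    Trusted MCUs, TrustedWebComponentsServers, Trusted Services, Trusted Proxies).
$trusted = New-Object 'System.Collections.Generic.HashSet[string]' ([StringComparer]::OrdinalIgnoreCase)
$listSearch = New-Object System.DirectoryServices.DirectorySearcher
$listSearch.SearchRoot = [ADSI]"LDAP://CN=RTC Service,CN=Services,$cfgNc"   # assumed path
$listSearch.Filter = "(objectClass=*)"
$listSearch.PageSize = 500
foreach ($obj in $listSearch.FindAll()) {
    foreach ($name in $obj.Properties.PropertyNames) {
        if ($name -like "*fqdn") {                 # assumption: FQDN attribute naming
            foreach ($v in $obj.Properties[$name]) { [void]$trusted.Add([string]$v) }
        }
    }
}

# 2. Locate each "RTC Services" SCP under a computer object and read the SCP
#    attributes the text names. A computer object's SCP that is not backed by a
#    trusted-list entry is the case the redundancy exists to catch.
$scpSearch = New-Object System.DirectoryServices.DirectorySearcher
$scpSearch.SearchRoot = [ADSI]"LDAP://$domainNc"
$scpSearch.Filter = "(&(objectClass=serviceConnectionPoint)(cn=RTC Services))"
$scpSearch.PageSize = 500
$null = $scpSearch.PropertiesToLoad.AddRange(@(
    "distinguishedName", "serviceDNSName", "serviceDNSNameType",
    "serviceClassName", "serviceBindingInformation"))

foreach ($scp in $scpSearch.FindAll()) {
    $fqdn = [string]$scp.Properties["servicednsname"][0]
    [pscustomobject]@{
        ScpDN         = [string]$scp.Properties["distinguishedname"][0]
        FQDN          = $fqdn
        DnsNameType   = [string]$scp.Properties["servicednsnametype"][0]
        ServiceClass  = [string]$scp.Properties["serviceclassname"][0]
        Binding       = ($scp.Properties["servicebindinginformation"] -join ";")
        InTrustedList = $trusted.Contains($fqdn)   # $false: SCP with no trusted-list entry, investigate
    }
}
```

Rows with InTrustedList set to $false deserve a look: either activation never completed for that computer or the SCP was written by someone who is not a member of RTCUniversalServerAdmins.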