Active Directory Domain Services (known as Active Directory in Windows Server 2003) functions as the directory service for Windows Server 2003 and Windows Server 2008 networks. Active Directory Domain Services also serves as the foundation on which the Office Communications Server 2007 R2 security infrastructure is built. The purpose of this section is to describe how Office Communications Server uses Active Directory Domain Services to create a trustworthy environment for IM, Web conferencing, media, and voice. For details about Office Communications Server extensions to Active Directory Domain Services and about preparing your environment for Active Directory Domain Services, see Preparing Active Directory Domain Services for Office Communications Server 2007 R2in the Deployment documentation. For details about the role of Active Directory Domain Services in Windows Server 2003 and Windows Server 2008 networks, see your Windows Server 2003 or Windows Server 2008 documentation.

Office Communications Server 2007 R2 uses Active Directory Domain Services to store:

Active Directory Domain Services Preparation

Note:
It is recommended that you deploy global settings to the Configuration container over the System container. If you are migrating from an earlier release and have used the System container but plan to use the Configuration container, you MUST move the settings in the System container BEFORE you do any upgrade preparations. To migrate your System container settings to the Configuration container, see Microsoft Office Communications Server 2007 Global Settings Migration Tool at http://go.microsoft.com/fwlink/?LinkId=145236 .

When deploying Office Communications Server, the first step is to prepare Active Directory Domain Services. Preparing Active Directory Domain Services for Office Communications Server consists of the following three steps:

  • Prep Schema. This task extends the schema in Active Directory Domain Services to include classes and attributes specific to Office Communications Server 2007 R2. Prep Schema can be performed only by schema administrators or by a local administrator on the schema master.

  • Prep ForestThis task creates global settings and objects in the forest root domain, along with the universal service and administrative groups that govern access to these settings and objects.

  • Prep Domain. This task adds the necessary access control entries (ACEs) to universal groups that grant permissions to host and manage users within the domain. Prep Domain is required in all domains where you want to deploy Office Communications Servers and any domains where your Office Communications Server users reside.

For detailed information about each of these Active Directory preparation steps, see Preparing Active Directory Domain Services for Office Communications Server 2007 R2in the Deployment documentation.

Universal Groups

During Prep Forest, Office Communications Server creates various universal groups within Active Directory Domain Services that have permission to access and manage global settings and services. These universal groups include:

  • Administrative groups. These groups define the fundamental administrator roles for an Office Communications Server network. During Prep Forest, these administrator groups are added to Office Communications Server infrastructure groups.

  • Infrastructure groups. These groups provide permission to access specific areas of the Office Communications Server infrastructure. They function as components of administrative groups, and you should not modify them or add users to them directly.

  • Service groups. These groups are service accounts that are required to access various services provided by Office Communications Server.

The following table describes Office Communications Server universal groups and their privileges.

Table 1. Universal Groups Created by Office Communications Server 2007 R2

Administrative group Privileges

RTCUniversalServerAdmins

Manage all Office Communications Server objects and settings in a forest, including all server roles, global settings, and users.

RTCUniversalUserAdmins

Manage all users in a forest who are enabled for Office Communications Server.

RTCUniversalReadOnlyAdmins

Read-only access to all servers and users.

Infrastructure group

Privileges

RTCUniversalGlobalReadOnlyGroup

Read-only access to global settings.

RTCUniversalGlobalWriteGroup

Write access to global settings.

RTCUniversalUserReadOnlyGroup

Read-only access to user settings.

RTCUniversalServerReadOnlyGroup

Read-only access to server settings.

Service group

Privileges

RTCHSUniversalServices

The service account used to run the Office Communications Server 2007 R2 Standard Edition servers and Enterprise Edition front-end servers. This group authorizes these servers to read and write global settings and user objects.

RTCArchivingUniversalServices

The service account used to run the Office Communications Server 2007 R2 Archiving Servers and to access the services database.

RTCProxyUniversalServices

The service account used to run the Office Communications Server 2007 R2 Proxy Server.

RTCComponentsUniversalServices

The service account used to run the Office Communications Server 2007 R2 conferencing servers, Web Components Servers, and Mediation Servers.

RTCUniversalGuestAccessGroup

Read-only access to meeting content for conferences. This group is used by internal users with Active Directory credentials who are connecting remotely, as well as by external users who do not have Active Directory credentials.

Server Information

During activation, Office Communications Server publishes server information to the three following locations in Active Directory Domain Services:

  • A service connection point (SCP) on each Active Directory computer object corresponding to a physical computer on which Office Communications Server is installed.

  • Server objects created in the container of the msRTCSIP-Poolsclass.

  • Trusted server lists.

Service Connection Points

Each Office Communications Server object in Active Directory Domain Services has an SCP called RTC Services, which in turn contains a number of attributes that identify each computer and specify the services that it provides. Among the more important SCP attributes are serviceDNSName, serviceDNSNameType, serviceClassname, and serviceBindingInformation. Third-party asset management applications can retrieve server information across a deployment by querying against these and other SCP attributes.

Active Directory Server Objects

Each Office Communications Server role has a corresponding Active Directory object whose attributes define the services provided by that role. When a Standard Edition server is activated, or when an Enterprise Edition pool is created, Office Communications Server creates a new msRTCSIP-Poolobject in the msRTCSIP-Poolscontainer. The msRTCSIP-Poolclass specifies the fully qualified domain name (FQDN) of the pool, along with the association between the front-end and back-end components of the pool. (A Standard Edition server is regarded as a logical pool whose front and back ends are collocated on a single computer.)

Trusted Server Lists

During Prep Forest, Office Communications Server creates containers for holding lists of trusted servers. During activation, Office Communications Server publishes the FQDN of every server to its appropriate container. A trusted server is one that meets the following criteria:

  • The FQDN of the server occurs in one of the trusted server lists stored in Active Directory Domain Services, as described in the preceding section.

  • The server presents a valid certificate from a trusted CA. The FQDN on this certificate matches the FQDN for that server in one of the trusted server lists. For details about how Office Communications Server uses certificates, see Public Key Infrastructure for Office Communications Server 2007 R2.

If either of these criteria is missing, the server is not trusted and connection with it is refused. This double requirement prevents a possible, if unlikely, attack in which a rogue server attempts to take over a valid server’s FQDN.

The use of multiple trusted server lists represents a departure from earlier versions of Live Communications Server, which maintained only a single trusted server list. Each server in the list is represented as a globally unique identifier (GUID) in the Global Settings container. With the addition of new server roles in Office Communications Server 2007 R2, new containers are defined to hold the GUIDs of different server roles. These new containers and their respective trusted server lists are shown in the following table.

Table 2. Trusted Server Lists and Their Active Directory Containers

Trusted server list Active Directory container

Standard Edition servers and Enterprise pool Front End Servers

RTC Service/Global Settings

Conferencing Servers

RTC Service/Trusted MCUs

Web Components Servers

RTC Service/TrustedWebComponentsServers

Mediation Servers and Communicator Web Access Servers (also 3rd-party SIP servers)

RTC Service/Trusted Services

Proxy Servers

RTC Service/Trusted Proxies

Trusted server lists duplicate FQDN entries that are also found on individual Office Communications Server objects. The purpose of this redundancy is to prevent possible spoofing of trusted servers. This can conceivably occur because Active Directory Domain Services allows individual users to modify the attributes on the computer objects corresponding to their personal computers. Most organizations do not allow users to make such modification on their work computers, but trusted server lists add an additional layer of security by making such modifications available only to members of RTCUniversalServerAdmins.