Some organizations do not want to grant membership in the Domain Admins group to users or groups who are deploying Office Communications Server. In this case, delegating setup provides a way for you to grant these users or groups the subset of permissions required to install and activate servers running Office Communications Server. You can grant permissions to deploy Office Communications Server by using either the Setup deployment tool (SetupEE.exe for Enterprise Edition server consolidated configuration, or SetupSE.exe for Standard Edition server) or the LcsCmd.exe command-line tool.

Note:
Although the process described in this topic grants setup permissions, any user in the trustee group must also be a member of the Administrators group on a computer to install and activate Office Communications Server on that computer. For Enterprise Edition server installation and activation scenarios, the trustee group must also be a member of the Administrators group on the computer running the Microsoft SQL Server back-end database.

Active Directory Service Interfaces (ADSI) Edit is a tool that you can use to find and copy the distinguished name that you need to supply in the wizard. For Windows Server 2003, ADSI Edit is included with the Support Tools. For Windows Server 2008, this tool is included with the Remote Server Administration Tools (RSAT).

For Windows Server 2003, Support Tools are available from the Windows Server 2003 CD in the \SUPPORT\TOOLS folder, or you can download them from Windows Server 2003 Service Pack 2 32-bit Support Tools at http://go.microsoft.com/fwlink/?LinkId=125770 . Instructions for installing the Support Tools from the product CD are available from Install Windows Support Tools at http://go.microsoft.com/fwlink/?LinkId=125771 . Adsiedit.dll is automatically registered when you install the support tools. If, however, you copied the files to your computer, you must run the regsvr32 command to register the adsiedit.dll file before you can run the tool.

For Windows Server 2008, the RSAT package is copied to the server by default when you install Windows, but it is not installed by default. You use Server Manager to install individual tools. ADSI Edit is included under Role Administration Tools, Active Directory Domain Services Tools, Active Directory Domain Controller Tools. For details about installing Remote Server Administration Tools, see Installing Remote Server Administration Tools for Windows Server 2008.

To use Setup.exe to grant setup permissions

  1. Log on to a computer in the domain where you want to grant permissions. Use an account that is a member of the Domain Admins group or that has equivalent user rights.

  2. From the Office Communications Server installation folder or CD, run SetupEE.exe (for Enterprise Edition server consolidated configuration) or SetupSE.exe (for Standard Edition server) to start the deployment tool.

  3. Click Prepare Environment.

  4. Click Prepare Active Directory.

  5. Click Delegate Setup and Administration.

  6. At Delegate Setup Tasks, click Run.

  7. On the Welcome page, click Next.

  8. On the Authorize Group page, in Select Trustee domain, specify the domain that contains the group to which you want to delegate permissions.

  9. In Name of existing group, type the name of the group to which you want to delegate permissions, and then click Next.

    Note:
    This group must be a universal group or a global group. It cannot be a domain local group.
  10. On the Location of Computer Objects for Deployment page, type the distinguished name (DN) of the organizational unit (OU) or container that hosts the computer objects on which Office Communications Server will be deployed.

    Note:
    You can use the ADSI Edit tool to navigate to the properties of the group, and then copy and paste the DN of the group into the wizard.
  11. On the Service Account page, type the Session Initiation Protocol (SIP) service account and component service account that will be used by Office Communications Server.

  12. On the Ready to Perform Setup Delegation page, verify your settings, and then click Next.

  13. When the wizard is complete, click Finish.

  14. Add the new trustee group to the Local Administrators group of each server where you want to install Office Communications Server and the computer running the SQL Server back-end database server for any Enterprise pools.

  15. If, in your organization, Authenticated Users security group permissions have been removed from Active Directory, you must either add the new trustee group for setup tasks to RTCUniversalServerAdmins or manually grant Read permissions to the trustee group for the following containers in the forest root:

    • Forest root domain

    • Forest root domain System container

    • Configuration container

    • Root of the domain where permissions are delegated

    • Parent containers of computer objects and service account objects

  16. Open a command prompt, and then type whoami.exe /all to verify that the user has appropriate permissions. The output should be similar to the following:

    Everyone										 Well-known group
    S-1-1-0  
    BUILTIN\Administrators							 Alias
    S-1-5-32-544	
    BUILTIN\Users									Alias
    S-1-5-32-545	
    NT AUTHORITY\INTERACTIVE						 Well-known group
    S-1-5-4  
    NT AUTHORITY\Authenticated Users				 Well-known group
    S-1-5-11
    NT AUTHORITY\This Organization					 Well-known group
    S-1-5-15 
    LOCAL											Well-known group
    S-1-2-0 
    CONTOSO\RTCUniversalUserReadOnlyGroup Group
    S-1-5-21-4264192570- 
    CONTOSO\RTCUniversalGlobalWriteGroup Group	 
    S-1-5-21-4264192570- 
    CONTOSO\RTCUniversalGlobalReadOnlyGroup	
    S-1-5-21-4264192570- 
    CONTOSO\RTCUniversalServerReadOnlyGroup	
    S-1-5-21-4264192570- 
    CONTOSO\RTCSetupDelegate						 
    S-1-5-21-4264192570- 
    CONTOSO\CERTSVC_DCOM_ACCESS Alias			
    S-1-5-21-4264192570-
    

To use LcsCmd.exe to grant permissions

  1. Log on to a computer running Office Communications Server in the domain where you want to grant permissions. Use an account that is a member of the Domain Admins group or that has equivalent credentials.

  2. Open a command prompt and then type the following command:

    LCSCmd.exe /Domain[:<domain FQDN>] 
    /Action:CreateDelegation /Delegation:SetupAdmin 
    /TrusteeGroup:<name of the universal group that you will
    delegate to> 
    /TrusteeDomain:<FQDN of the domain where the trustee group
    resides>
    /ServiceAccount:<RTC service account name>
    /ComponentServiceAccount:<RTC component service account name>
    /ComputerOU:<DN of the OU or container where the computer
    objects that will run Office Communications Server reside>
    

    Where:

    TrusteeGroup is the group to which you are granting permissions.

    TrusteeDomain is the domain in which the trustee group resides.

    ServiceAccount is the Real-time Communications (RTC) service account name.

    ComponentServiceAccount is the RTC component service account name.

    ComputerOU specifies the DN of the OU containing the computers on which the trustee group can run Office Communications Server setup tasks.

  3. Add the new trustee group to the Local Administrators group of each computer where you want to install Office Communications Server and the computer running the SQL Server back-end database server for any Enterprise pools.

  4. If, in your organization, Authenticated Users security group permissions have been removed from Active Directory Domain Services (AD DS), you must either add the new trustee group for setup tasks to RTCUniversalServerAdmins or manually grant Read permissions to the trustee group for the following containers in the forest root:

    • Forest root domain

    • Forest root domain System container

    • Configuration container

    • Root of the domain where permissions are delegated

    • Parent containers of computer objects and service account objects

  5. Open a command prompt and then type whoami.exe /all to verify the user has appropriate permissions. The output should be similar to the following:

      Everyone										 Well-known group
      S-1-1-0  
      BUILTIN\Administrators							 Alias
      S-1-5-32-544	
      BUILTIN\Users									Alias
      S-1-5-32-545	
      NT AUTHORITY\INTERACTIVE						 Well-known group
      S-1-5-4  
      NT AUTHORITY\Authenticated Users				 Well-known group
      S-1-5-11
      NT AUTHORITY\This Organization					 Well-known group
      S-1-5-15 
      LOCAL											Well-known group
      S-1-2-0 
      CONTOSO\RTCUniversalUserReadOnlyGroup Group
      S-1-5-21-4264192570- 
      CONTOSO\RTCUniversalGlobalWriteGroup Group	 
      S-1-5-21-4264192570- 
      CONTOSO\RTCUniversalGlobalReadOnlyGroup	
      S-1-5-21-4264192570- 
      CONTOSO\RTCUniversalServerReadOnlyGroup	
      S-1-5-21-4264192570- 
      CONTOSO\delegatedLSSetup Group				 
      S-1-5-21-4264192570- 
      CONTOSO\CERTSVC_DCOM_ACCESS Alias			
      S-1-5-21-4264192570-
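
The whoami check that closes both procedures can be scripted so that the two memberships this topic requires, the trustee group and local Administrators, are tested rather than read by eye. The following is an added example, not part of the original topic or of Office Communications Server; the function name Test-SetupDelegateToken, the -Live switch and the sample SIDs are assumptions, and it expects English whoami output and PowerShell 3.0 or later.

```powershell
# Added example: check a "whoami /groups" listing for the memberships that
# delegated Office Communications Server setup depends on.
param(
    # Trustee group name as shown in the sample output in this topic.
    [string]$TrusteeGroup = 'CONTOSO\RTCSetupDelegate',
    # Read the current logon token instead of the constructed sample below.
    [switch]$Live
)

# Constructed sample in "whoami /groups /fo csv /nh" column order:
# Group Name, Type, SID, Attributes. The domain SID values are made up.
$sample = @'
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"
"CONTOSO\RTCSetupDelegate","Group","S-1-5-21-1111111111-2222222222-3333333333-1601","Mandatory group, Enabled by default, Enabled group"
'@ -split "`r?`n"

function Test-SetupDelegateToken {
    param([string[]]$CsvLines, [string]$TrusteeGroup)

    $groups  = $CsvLines | ConvertFrom-Csv -Header Name, Type, SID, Attributes
    # Match Administrators by its well-known SID, not by its display name.
    $admins  = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $trustee = $groups | Where-Object { $_.Name -eq $TrusteeGroup }

    [pscustomobject]@{
        TrusteeGroupPresent    = [bool]$trustee
        # "Enabled group" means the membership is usable in this token.
        AdministratorsEnabled  = [bool]($admins -and
                                 $admins.Attributes -like '*Enabled group*')
        # A non-elevated prompt under User Account Control lists the
        # group as deny-only, and setup run from that prompt is not admin.
        AdministratorsDenyOnly = [bool]($admins -and
                                 $admins.Attributes -like '*deny only*')
    }
}

$lines = if ($Live) { whoami.exe /groups /fo csv /nh } else { $sample }
$result = Test-SetupDelegateToken -CsvLines $lines -TrusteeGroup $TrusteeGroup
$result | Format-List

if (-not ($result.TrusteeGroupPresent -and $result.AdministratorsEnabled)) {
    Write-Warning 'Token lacks the trustee group or an enabled Administrators membership.'
}
```

Run it with -Live on each server where the delegated user will install, and on the SQL Server back-end computer for Enterprise pools.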