Moving Lync Admin groups

  • Question

  • I am working with a customer that has one AD forest with a dedicated root domain, and then 8 separate trees/domains in the forest for different companies. One of the company units in Europe implemented Lync in one of the domains in Europe, putting the Lync AD admin groups in their local domain.

    The company now wants to deploy Lync 2010 throughout the organization. The issue is that company policy says that the administrators (from a North American domain) who will be the Lync admins in the future cannot be added to the Lync admin groups in the Europe domain. Not a technical issue, a policy issue. My thinking is that the best way to deal with this is to move the Lync admin groups to the forest root domain or into one of the other domains in North America.

    Is this the best solution, or is there another way to address this? Has anyone tried moving the Lync Admin groups using ADMT or a third party product?

    Thanks,


    Stan Reimer

    Tuesday, October 16, 2012 11:56 AM


All replies

  • Hi,

    I think RBAC would be the best option.

    Create security groups for each domain and delegate Lync admin permission based on the requirements. The following link may help you: http://technet.microsoft.com/en-us/library/gg425917(v=ocs.15).aspx

    Thanks

    Saleesh



    • Proposed as answer by Kent-Huang Monday, October 29, 2012 2:34 AM
    • Marked as answer by Kent-Huang Tuesday, October 30, 2012 8:49 AM
    Tuesday, October 16, 2012 12:39 PM
  • The problem is that I can't add the North American administrators or a group with these admins to the European group because of company policy. And the North American admins have to be members of the Lync Admin groups. So I have to get the default Lync Admin groups out of the European domain and into a North American domain.

    Stan Reimer

    Tuesday, October 16, 2012 12:45 PM
  • Hi,

    If you get the default Lync Admin groups out of the European domain, how will the European admins manage Lync in the European domain?

    If the two domains are not in the same Lync site, you can try to create a new RBAC role that only applies to the Lync NA site. In this case, the admin user in the new RBAC role will only be able to manage Lync users or Lync servers in the NA site. The management will not affect anything in the European domain.


    Regards,

    Kent Huang

    TechNet Community Support


    • Edited by Kent-Huang Wednesday, October 17, 2012 8:56 AM
    • Proposed as answer by Kent-Huang Monday, October 29, 2012 2:35 AM
    • Marked as answer by Kent-Huang Tuesday, October 30, 2012 8:50 AM
    Wednesday, October 17, 2012 8:56 AM
  • The company doesn't have any issue with adding European admins to the Lync admin groups in North America. So if we can get the Lync admin groups moved to the North American domain, then we can add European admins with permissions they need to manage Lync.

    I am thinking that the only option is to uninstall Lync in Europe, delete the admin groups, and start over with a new installation in North America and add the Europe site.

    Thanks,


    Stan Reimer

    Wednesday, October 17, 2012 11:00 AM
  • Hi,

    Sorry for the delayed response. I have not tried to move the Lync admin groups, so I am not sure if it causes any issues. The universal groups were created by Forest Preparation. So you would need to run reverse forest preparation on the root domain and run forest preparation on the other domain. However, it is not recommended to change it since it is related to Active Directory Domain Services.

    In addition, even if you can move the groups to the North American domain successfully, when you add an NA user to the Lync admin groups (for example, the RTCUniversalUserAdmins group) in the NA domain, this admin user will be able to enable or move European users in Lync Control Panel, as Lync is a forest-level server. So the best way is to create new RBAC roles that apply to different sites. In this case, the admin user will only be able to manage Lync users in the domain in which they themselves reside.

    If you still want to reinstall Lync Server, I hope the following information will help you:

    Backing up some settings in Lync Server 2010

    http://technet.microsoft.com/en-us/library/hh202194.aspx

    http://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-components-postattachments/00-03-41-38-31/Lync-Backup-Instructions.docx


    Regards,

    Kent Huang

    TechNet Community Support



    • Edited by Kent-Huang Thursday, October 25, 2012 3:08 AM
    Thursday, October 25, 2012 3:07 AM
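
The site-scoped RBAC role suggested in the replies above, sketched as an added example that is not part of the original thread. The role name, domain names, OU paths, site name and account name are placeholders (assumptions), and the last step audits the built-in RTCUniversalUserAdmins group mentioned in the thread so that the forest-wide group does not quietly grow.

```powershell
# Added example: run from the Lync Server Management Shell with rights to
# create AD groups. Every name below is a placeholder, not a value from the thread.
Import-Module ActiveDirectory

$roleName  = 'NA-LyncUserAdmins'                    # hypothetical role and group name
$naDomain  = 'na.example.com'                       # hypothetical North American domain
$euDomain  = 'eu.example.com'                       # hypothetical domain holding the RTC groups
$groupPath = 'OU=Groups,DC=na,DC=example,DC=com'    # hypothetical OU for the role group
$naSite    = 'site:NorthAmerica'                    # hypothetical Lync site name
$naUsersOu = 'OU:OU=Users,DC=na,DC=example,DC=com'  # hypothetical OU of NA Lync users
$naAdmin   = 'na-admin1'                            # hypothetical admin account

# 1. New-CsAdminRole needs a universal security group whose SamAccountName
#    matches the role Identity, so create it first if it is missing.
$group = Get-ADGroup -Filter "SamAccountName -eq '$roleName'" -Server $naDomain
if (-not $group) {
    New-ADGroup -Name $roleName -SamAccountName $roleName `
        -GroupScope Universal -GroupCategory Security `
        -Path $groupPath -Server $naDomain
}

# 2. Create the custom role from the built-in CsUserAdministrator template,
#    limited to the NA site (ConfigScopes) and the NA user OU (UserScopes).
New-CsAdminRole -Identity $roleName -Template 'CsUserAdministrator' `
    -ConfigScopes $naSite -UserScopes $naUsersOu

# 3. Grant the role by group membership, not by touching the RTC groups.
Add-ADGroupMember -Identity $roleName -Members $naAdmin -Server $naDomain

# 4. Verify the scopes and the effective assignment for the admin.
Get-CsAdminRole -Identity $roleName |
    Select-Object Identity, Template, ConfigScopes, UserScopes
Get-CsAdminRoleAssignment -Identity $naAdmin

# 5. Audit: list everyone who holds forest-wide user administration through
#    the default group, including nested members.
Get-ADGroupMember -Identity 'RTCUniversalUserAdmins' -Recursive -Server $euDomain |
    Select-Object SamAccountName, distinguishedName
```

RBAC scopes are enforced for Lync Server Control Panel and remote PowerShell sessions; what an administrator can do when running the Management Shell locally on a Lync server depends on AD group membership instead, so the audit in step 5 is worth repeating on a schedule.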