Cs-* related security groups

  • Question

  • Hi,

    Background

    1. Single forest and multiple child domains

    2. domain.com.sg (root domain) is empty.

    3. child1.domain.com.sg was installed with OCS2007R2. All RTC* security groups are in child1 domain.

    4. child2.domain.com.sg was installed with Lync2010. All CS* security  groups are in child2 domain.

    5. Prepare Lync2010 in child1 domain prior to S4B deployment/migration.

    All CS* related security groups are not created after executing

    Enable-CsAdForest -GroupDomain child1.domain.com.sg

    &

    Enable-CsAdDomain -Domain child1.domain.com.sg

    No errors found and looks fine when I executed Get-CsAdForest & Get-CsAdDomain.

    From the Lync Deployment Wizard, Step 3 - Prepare Current Forest (Run once per deployment. Creates Global settings and universal groups for Lync Server server complete)

    It seems like CsAdministrator and Cs related groups are allowed to be created once per deployment. Does it mean Cs related groups are created per domain? Is there no way to create Cs related groups in child2 domain?


    Please advise. Thanks.


    Kelvin Teang



    Monday, December 19, 2016 7:25 AM

All replies

  • Hi kelvin,

    Welcome to post in our forum.

    Based on my understanding, you need to run domain prep on every domain that will host a Lync server; Cs related groups are created per domain.

    The Enable-CsAdForest Lync Server command is designed to run from the Active Directory Domain Services forest root domain for security purposes. If the pre-existing RTC Universal security groups do not exist in the Active Directory Domain Services forest root domain, the Enable-CsAdForest Lync Server command will fail.

    In Lync Deployment Wizard, after you run Step 3 - Prepare Current Forest, you can’t run it again.

    The following document is for your reference
    http://blog.schertz.name/2013/03/lync-server-2013-deployment-part-1/

    Hope this reply is helpful to you.


    Regards,

    Alice Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, December 20, 2016 9:00 AM
    Moderator
  • Hi Alice,

    I think we could have some workaround by manually creating the Cs* universal group and performing New-CSAdminRole -ID CSAdministratorRBAC -Template CSAdministrator

    Add the LyncAdmin user account to the CSAdministratorRBAC universal group.

    By the way, should I use the current topology (with Lync2010 installed) and create a new pool, or a new topology?

    Tested using the current topology and published it; got errors as the file share was unauthorized from child2. The new Lync2010 in child1 has its file share configured in child1.

    In addition, I need to allow IM between child1 users and child2 users without federation. Is it possible?

    Please advise. Thanks.


    Kelvin Teang


    • Edited by Kelvin Teang Wednesday, December 21, 2016 6:51 AM
    Wednesday, December 21, 2016 3:26 AM
  • Hi Kelvin,

    Thanks for your response.

    I don’t think that you can create the CS universal groups manually, because these groups are created automatically during the deployment.

    You can’t use the current topology to create a new topology.

    For the file share, you need to make sure the user who publishes the topology has full access permission (read and write).

    If you want external users to be able to use Lync, you need to configure federation.


    Regards,

    Alice Wang



    Monday, December 26, 2016 9:43 AM
    Moderator
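
The question in this thread turns on which domain actually holds the CS* and RTC* security groups. The following is an added example, not part of any post above: it lists those groups in every domain of the forest with their scope and creation date. It assumes the ActiveDirectory (RSAT) module and read access to each domain; the function name Get-CsGroupLocation is hypothetical.

```powershell
# Added example: inventory of Lync/OCS security groups across all domains in the forest.
# Assumes the ActiveDirectory module (RSAT) and read access to every domain.
Import-Module ActiveDirectory

function Get-CsGroupLocation {
    param(
        # Name prefixes taken from the thread: CS* (Lync) and RTC* (OCS 2007 R2).
        # A prefix match can also return unrelated groups that share the prefix.
        [string[]]$Prefix = @('CS', 'RTC')
    )
    $forest = Get-ADForest
    foreach ($domain in $forest.Domains) {
        foreach ($p in $Prefix) {
            # Query a domain controller of each domain explicitly via -Server
            Get-ADGroup -Filter "Name -like '$p*'" -Server $domain -Properties whenCreated |
                Select-Object @{ n = 'Domain'; e = { $domain } },
                              Name, GroupScope, GroupCategory, whenCreated
        }
    }
}

$groups = @(Get-CsGroupLocation)

# Full list: which group lives in which domain, and whether it is Universal
$groups | Sort-Object Domain, Name | Format-Table -AutoSize

# Per-domain summary: a domain with zero CS* groups holds none of the Lync groups
$groups | Group-Object Domain | ForEach-Object {
    [pscustomobject]@{
        Domain    = $_.Name
        CsGroups  = @($_.Group | Where-Object Name -like 'CS*').Count
        RtcGroups = @($_.Group | Where-Object Name -like 'RTC*').Count
    }
} | Format-Table -AutoSize
```

Domains that return no matching groups do not appear in the summary table at all, so compare its rows against the output of (Get-ADForest).Domains.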