Office Communications Server 2007 R2 Resource Kit Tool: OCS Trust Entry

The Microsoft Office Communications Server 2007 R2 Resource Kit command-line tool, OCS Trust Entry, can be used to locate, edit, or remove Office Communications Server trusted server and trusted service entries from the Active Directory Domain Services real-time communications (RTC) Services container. You can download this tool and other Office Communications Server 2007 R2 Resource Kit tools from the Download Center.

Author: Mike Adkins

Publication date: March 2011

Product version: Microsoft Office Communications Server 2007 R2, Microsoft Communicator Web Access (2007 R2 release)

Introduction

The Office Communications Server 2007 R2 Resource Kit tool, OCS Trust Entry, is a command-line tool that can be used to view, add, or remove entries that are part of the trusted servers and trusted services containers that reside in the Active Directory Domain Services RTC Services container. As a preventive measure, use OCS Trust Entry to ensure that there are no residual trusted server or trusted service entries that will share the same Active Directory Domain Services attribute values as any of the new trusted server or trusted service entries that will be added with the installation of new Communications Server and service roles. If unwanted trusted server or trusted service entries are located in their respective containers, OCS Trust Entry can be used to remove them. OCS Trust Entry can also be used to add new trusted server or trusted service entries to the trusted server or trusted service container. After installing a new Communications Server or service role, use OCS Trust Entry to ensure that the new Communications Server or service roles have been entered correctly into their trusted server or service Active Directory Domain Services container. OCS Trust Entry is a reliable Office Communications Server 2007 R2 Resource Kit tool that can be used to perform an analysis of or updates to the Communications Server Active Directory Domain Services trusted server or trusted services list.

Description

OCS Trust Entry is designed to perform Lightweight Directory Access Protocol (LDAP) queries to locate and update the trusted server or trusted services entries in the Active Directory Domain Services forest that hosts the Communications Server installation. This requires permissions equivalent to those of a member of the Domain Admins group in the Active Directory Domain Services domain that is hosting the RTC Services container. OCS Trust Entry is a command-line tool that can be run from the folder that hosts the OcsTrustEntry.vbs file as follows:

C:\Program Files\Microsoft Office Communications Server 2007 R2\ResKit>cscript OcsTrustEntry.vbs /Type:TrustedService /Action:List

OCS Trust Entry gains its flexibility through its command-line parameters, which are required when performing specific operations, such as viewing, editing, or removing entries from the Communications Server trusted server or trusted services list. Following are the parameters:

  • /Action:<List | Add | Remove>
  • /Type:<TrustedServer | TrustedService>
  • /FQDN:<Machine FQDN>
  • /Service:<Service Name>
  • /Port:<Service Port>
  • [/Version:<Version>]
  • [/CN:<CN GUID>]
  • [/Routable:<TRUE | FALSE>]
  • [/Container:<Trust Entry Container DN>]
  • [/TlsTarget:<TLS Target FQDN>]
  • [/v:<Verbose Output>]

Output

OCS Trust Entry provides a complete list of the Active Directory Domain Services attributes for the trusted server entries or the trusted services entries. The output from this command is very useful, but it can be a little intimidating for the viewer. Figure 1 shows a sample of a Communications Server trusted server entry.

Figure 1. Communications Server trusted server entry

Figure 2 shows an example of the output of a Communications Server trusted service entry.

Figure 2. Output of a Communications Server trusted service entry

One of the caveats of OCS Trust Entry is that it only displays output for the msRTCSIP-TrustedServer entries in the trusted server entries list. The trusted server entries list contains other entries for Communications Server roles, such as the Edge Server role and additional SIP domain entries that will not be output by the command. Their attribute names are as follows:

  • msRTCSIP-EdgeProxy
  • msRTCSIP-Domain

The output of OCS Trust Entry can be redirected to a text file that opens in Notepad (notepad.exe) as a convenient way to store the command's output. Just use the following command to do so.

C:\Program Files\Microsoft Office Communications Server 2007 R2\ResKit>cscript OcsTrustEntry.vbs /Type:TrustedService /Action:List > c:\TrustedServiceList.txt

Storing your Communications Server trusted server list and trusted services list electronically could be a convenience in the following circumstances:

  • Making a point-in-time comparison of the current trusted server and trusted service entries is necessary
  • Restoring the trusted server and trusted service entries to their previous values is needed

Purpose

OCS Trust Entry can be used to perform the task of locating, editing, or removing trusted server or trusted service entries that are no longer needed and may provide unneeded information in regard to the current installation of Communications Server. By design, it allows the removal of Communications Server roles or services without the completion of a server role or service's deactivation process. The Communications Server service or role deactivation process ensures that the Active Directory Domain Services trusted server or trusted service information is completely removed for that Communications Server or service role. When the deactivation process fails or is not used prior to removing the server hardware that hosts a Communications Server role or service, the Active Directory Domain Services trusted server or trusted service information for that Communications Server or service role is not removed. This information is still associated with the msRTCSIP* attributes of a computer that's running Windows Server. This can cause the following issues during and after the installation of Communications Server or service roles:

  • The trusted server container entries will be checked for the msRTCSIP-TrustedServerFQDN value during the activation process of a new Communications Server role. If there is a residual msRTCSIP-TrustedServerFQDN value that matches that of the new Communications Server role, the installation will be halted with an error.
  • The trusted services container entries will not be checked for the msRTCSIP-TrustedServerFQDN value during the activation process of a new Communications Server service role. The activation of the new Communications Server trusted service role will succeed. This allows one functional Communications Server service role to be represented with more than one service role. In this case, you will have separate entries for the msRTCSIP-ServiceType that share the same value for the msRTCSIP-TrustedServerFQDN. This could lead to the representation of an unsupported collocation for Communications Server in the Active Directory Domain Services trusted service containers.

Requirements

The Communications Server Resource Kit tools are supported on the following Windows Server operating systems:

  • Windows Server 2003 Standard Edition operating system with Service Pack 2
  • Windows Server 2003 Enterprise Edition operating system with Service Pack 2
  • Windows Server 2008 operating system

OCS Trust Entry requires permissions equivalent to those of a member of the Domain Admins group in the Active Directory Domain Services domain that is hosting the RTC Services container.

Examples

A typical example of an unsupported Communications Server collocation could be described as the Microsoft Office Communicator Web Access (2007 R2 release) service installed on a Communications Server Front End Server. In actuality, this type of collocation should never occur and is described as unsupported in the Microsoft deployment documentation for Communications Server. However, this type of installation can exist in the Active Directory Domain Services trusted service containers. Let's say that the network's Communications Server consolidated Front End Server is shut down because of hardware failure. The only computer running Windows Server that is available as a replacement is the Communications Server network's Office Communicator Web Access (2007 R2 release) server. Because of this, the Communications Server network's support personnel performed the following steps:

  • Remove the Microsoft Office Communications Server 2007 R2 Standard Edition Front End Server from the Communications Server network.
  • In the process of uninstalling the Communicator Web Access (2007 R2 release) service from the server, the Communicator Web Access (2007 R2 release) service deactivation process fails because the Office Communications Server Standard Edition Front End Server has been removed from the network.
  • In haste, the Communications Server network's support engineers decide to re-image the Windows Server that has hosted the Communicator Web Access (2007 R2 release) service prior to re-installing the Communications Server Standard Edition Server Front End Server on it.
  • The re-imaged computer that's running Windows Server retains its original Domain Name System (DNS) fully qualified domain name (FQDN) after it is re-imaged and joined back to the Active Directory Domain Services domain.
  • The Communications Server Front End services are successfully installed on the re-imaged computer that's running Windows Server that had hosted the Communications Server network's Communicator Web Access (2007 R2 release) installation.

Now the new Communications Server Front End Server information is inadvertently hosted in the Active Directory Domain Services trusted services container in an unsupported configuration with the addition of the unintended service entry for the msRTCSIP-ServiceType of Communicator Web Access (2007 R2 release).

OCS Trust Entry can be used to detect this unsupported configuration. It can also be used to remove the unwanted trusted service entries that represent an unsupported installation of Communications Server service roles.
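The two checks this article describes (trusted service entries whose msRTCSIP-ServiceType differs while they share one msRTCSIP-TrustedServerFQDN, and a point-in-time comparison of saved entries) can be sketched in PowerShell as follows. This is an added example, not part of the Resource Kit or the original article; the records are constructed, the function names are hypothetical, and converting OcsTrustEntry.vbs output into such records is assumed to have been done already.

```powershell
# Added example (requires Windows PowerShell 3.0 or later for [pscustomobject]).
# Records are constructed: property names follow the attribute names used in this
# article; host names and service-type labels are placeholders.
function New-Entry($Fqdn, $Type) {
    [pscustomobject]@{ 'msRTCSIP-TrustedServerFQDN' = $Fqdn; 'msRTCSIP-ServiceType' = $Type }
}

$baseline = @(
    New-Entry 'cwa01.contoso.example' 'CWA-placeholder'
    New-Entry 'mcu01.contoso.example' 'MCU-placeholder'
)
$current = @(
    New-Entry 'cwa01.contoso.example' 'CWA-placeholder'       # residual entry
    New-Entry 'CWA01.contoso.example' 'FrontEnd-placeholder'  # new role, same FQDN
    New-Entry 'mcu01.contoso.example' 'MCU-placeholder'
)

# List every FQDN that appears with more than one distinct service type.
# FQDNs are compared case-insensitively. A hit is a candidate for review,
# not proof of an unsupported collocation.
function Find-SharedFqdn {
    param([object[]]$Entries)
    $Entries |
        Group-Object -Property { $_.'msRTCSIP-TrustedServerFQDN'.ToLowerInvariant() } |
        ForEach-Object {
            $types = @($_.Group |
                Select-Object -ExpandProperty 'msRTCSIP-ServiceType' |
                Sort-Object -Unique)
            if ($types.Count -gt 1) {
                [pscustomobject]@{ FQDN = $_.Name; ServiceTypes = $types -join ', ' }
            }
        }
}

# Report entries added to or removed from the container since the baseline.
function Compare-TrustSnapshot {
    param([object[]]$Baseline, [object[]]$Current)
    $props = 'msRTCSIP-TrustedServerFQDN', 'msRTCSIP-ServiceType'
    Compare-Object -ReferenceObject $Baseline -DifferenceObject $Current -Property $props |
        Select-Object @{ n = 'Change'; e = {
                if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' } } },
            'msRTCSIP-TrustedServerFQDN', 'msRTCSIP-ServiceType'
}

Find-SharedFqdn $current | Format-Table -AutoSize
Compare-TrustSnapshot $baseline $current | Format-Table -AutoSize
```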

Warning   OCS Trust Entry can be used to perform updates to entries in the Active Directory Domain Services trusted server and trusted services containers. These updates can result in a Communications Server service failure if they are not performed correctly. Make sure that the Active Directory Domain Services trusted server and trusted services containers are backed up prior to using OCS Trust Entry to perform updates to them.

Figure 3 shows the partial output for the OCS Trust Entry tool's TrustedService List command that displays the unwanted trusted service entry information that was previously mentioned in this article.

Figure 3. Partial output for the OCS Trust Entry tool's TrustedService List command

Figure 4 shows the TrustedService Remove command being used to remove the unwanted Communicator Web Access (2007 R2 release) trusted service entry.

Figure 4. The OCS Trust Entry tool's TrustedService Remove command

If the wrong trusted service entry was removed from the trusted services container, the OCS Trust Entry tool's Add feature allows you to restore the recently removed trusted service entry back into the trusted service container. Figure 5 shows the command used to add a trusted service entry to the trusted service container.

Figure 5. Command used to add a trusted service entry to the trusted service container

Summary

The Communications Server 2007 R2 Resource Kit tool, OCS Trust Entry, provides an efficient way to view or make point-in-time electronic back-ups of the Active Directory Domain Services trusted server and trusted service entries. With the proper administrative permission, OCS Trust Entry can be used to remove unwanted or add needed trusted server or service entries from a command line console on a computer that is running Windows Server that shares the same Active Directory Domain Services forest as the Communications Server pool. Proper use of OCS Trust Entry helps eliminate the issues that occur when incorrect information is stored in the trusted server and trusted services containers.

Additional Information

To learn more, check out the following:

Lync Server Resources


Keywords: trusted service, server, active, directory, installation, failure