Is there a way to separate OCS server administration between pools in the same domain? Can't we all just get along Part II

  • Article

I had this question today from a large University in the Midwest and after some digging I found the answer to this is yes:

Here are the steps to do this:

1) Create two Universal security admin groups in ADUC such as OCSserverPool1group and OCSserverPool2group

2) Add various pool administrators to the correct group

2) Create two OUs in ADUC such as Pool1Servers and Pool2servers

3) Move all Pool1 OCS servers to Pool1servers OU and all Pool2 OCS servers to Pool2servers OU

4) Log onto OCS server you would like to delegate with either Domain Admins or RTCUniversalServerAdmins rights

5) Run the following command from the command line like this sample:

"C:\Program Files\Common Files\Microsoft Office Communications Server 2007\LCSCmd.exe" /domain:ocstest.loc /action:createdelegation /delegation:useradmin /trusteegroup:OCSserverPool1group

/trusteedomain:ocstest.loc /serviceaccount:rtcservice /componentserviceaccount:rtccomponentservice

/computerOU:ou=ocspool1,dc=ocstest,dc=loc /userOU:ou=students,dc=ocstest,dc=loc /usertype:user

/poolname:ocssa.ocstest.loc

More info around the command syntax:

 

LcsCmd /Domain[:<domain FQDN>] /Action:CreateDelegation /Delegation:ServerAdmin /TrusteeGroup:<name of the universal group that you will delegate to>

/TrusteeDomain: <FQDN of the domain where the trustee group resides>

/ServiceAccount:<RTC service account name>

/ComponentServiceAccount:<RTC component service account name>

/ComputerOU:<DN of the OU or container where the computer objects that run Office Communications Server reside>

/PoolName:<Name of an Enterprise pool or Standard Edition server>

[/ExtraServers:<FQDN of server1, FQDN of server2>]

Where:

TrusteeGroup is the group to which you are granting permissions.

TrusteeDomain is the domain in which the trustee group resides.

ServiceAccount is the RTC service account name.

ComponentServiceAccount is the RTC component service account name.

ComputerOU specifies the DN of the organizational unit containing the computer running the server to which you are granting administrative permissions.

PoolName specifies the name of the Standard Edition server or Enterprise pool in which the trustee group can administer servers; adds the trustee group to the Local Administrators group of each computer in the pool to the AdminRole of the RTC database, and to the ReadWriteRole of the RTCConfig database on the SQL Server back-end database server.

ExtraServers specifies a comma separated list of FQDNs of computers that are not part of a pool to which the trustee group requires access. You can enter the FQDN of Archiving and CDR Servers, Mediation Servers, or the internal FQDN of edge servers.

 

For more information on OCS server delegation see the OCS Active Directory Guide here.