
Lesson 1: Preparing for Deployment

Tuesday, October 01, 2013 12:25 AM

In this lesson, you will review the necessary steps for preparing for a Lync Server 2010 deployment. This includes preparing the infrastructure, ensuring that the appropriate software and hardware components are in place, planning for certificates, and considering the client, device, and network requirements.

Objectives

After completing this lesson, you will be able to:
- Inspect the Active Directory infrastructure.
- Assess load-balancing options.
- Validate the required operating system and Microsoft Windows components.
- Consider an internal versus an external public key infrastructure (PKI) solution.
- Examine the client requirements.
- Examine the device requirements.
- Describe the physical network and file share requirements.

Active Directory Infrastructure Requirements

Lesson 1 Page 1

Lync Server 2010 communications software supports the same AD DS topologies as Microsoft Office Communications Server 2007 R2 and Microsoft Office Communications Server 2007. The following topologies are supported:
- Single forest with single domain. This is a common and simple topology.
- Single forest with multiple domains. In this topology, the domain where you create users can be different from the domain where you deploy Lync Server 2010. However, you must deploy an Enterprise pool within a single domain. Lync Server 2010 supports Windows universal administrator groups, which enables cross-domain administration.
- Single forest with multiple trees. This topology consists of two or more domains that define independent tree structures and separate Active Directory namespaces.
- Multiple forests in a central forest topology. This topology uses contact objects to represent users in other forests. The central forest hosts user accounts for any users in the forest. A directory synchronization product, such as Microsoft Identity Integration Server (MIIS), Microsoft Forefront Identity Manager (FIM) 2010, or Microsoft Identity Lifecycle Manager (ILM) 2007 Feature Pack 1 (FP1), is used to synchronize the creation or deletion of user accounts within the organization.
- Multiple forests in a resource forest topology. In this topology, one forest is dedicated to running server applications, such as Microsoft Exchange Server and Lync Server 2010. The resource forest hosts the server applications and a synchronized representation of the active user object, but it does not contain logon-enabled user accounts. When you deploy Lync Server 2010 in this type of topology, you create one disabled user object in the resource forest for every user account in the user forests. If Microsoft Exchange is already deployed in the resource forest, the disabled user accounts may already exist. A directory synchronization product manages the life cycle of user accounts.

Active Directory Requirements

Before you start the process of preparing AD DS for Lync Server 2010, you must ensure that all domain controllers (including global catalog servers) meet the following prerequisites:
- Microsoft Windows Server 2008 R2, Windows Server 2008, Windows Server 2003 R2, or Windows Server 2003 must be installed.
- All domains must be raised to the Windows Server 2003 domain functional level.
- The forest must be raised to the Windows Server 2003 forest functional level.
- Lync Server 2010 supports AD DS deployments that include read-only domain controllers or read-only global catalog servers, as long as writable domain controllers are available.
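The prerequisites above are easy to check from a script before anyone runs the Lync Server AD preparation steps. The following is an added example, not part of the course notes: it uses the ActiveDirectory module that ships with RSAT on Windows Server 2008 R2 and assumes the account running it can read the forest, domain, and domain controller objects. The function name Test-LyncAdPrerequisites is chosen here and is not a Lync cmdlet.

```powershell
# Added example, not from the course notes: checks the AD DS prerequisites listed
# above with the ActiveDirectory module (RSAT on Windows Server 2008 R2).
# Assumes the module is available and the account can read forest, domain and
# domain controller objects.
Import-Module ActiveDirectory

# Functional levels that satisfy the Windows Server 2003 requirement (2003 or newer).
$okDomainModes = 'Windows2003Domain', 'Windows2008Domain', 'Windows2008R2Domain'
$okForestModes = 'Windows2003Forest', 'Windows2008Forest', 'Windows2008R2Forest'
# Supported DC operating systems; the prefixes also match the R2 editions.
$okOsPrefixes  = 'Windows Server 2003', 'Windows Server 2008'

function Test-LyncAdPrerequisites {
    $problems = @()
    $forest = Get-ADForest
    if ($okForestModes -notcontains [string]$forest.ForestMode) {
        $problems += "Forest $($forest.Name) is at '$($forest.ForestMode)'; raise it to the Windows Server 2003 forest functional level."
    }

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        if ($okDomainModes -notcontains [string]$domain.DomainMode) {
            $problems += "Domain $domainName is at '$($domain.DomainMode)'; raise it to the Windows Server 2003 domain functional level."
        }

        # Every DC, including global catalog servers, must run a supported OS.
        $dcs = @(Get-ADDomainController -Filter * -Server $domainName)
        foreach ($dc in $dcs) {
            $osOk = $false
            foreach ($prefix in $okOsPrefixes) {
                if ($dc.OperatingSystem -like "$prefix*") { $osOk = $true }
            }
            if (-not $osOk) {
                $problems += "DC $($dc.HostName) runs '$($dc.OperatingSystem)', which is not in the supported list."
            }
        }

        # Read-only DCs and GCs are fine only while a writable DC is available.
        $writable = @($dcs | Where-Object { -not $_.IsReadOnly })
        if ($writable.Count -eq 0) {
            $problems += "Domain $domainName has no writable domain controller; AD preparation cannot proceed."
        }
    }
    return $problems
}

$issues = @(Test-LyncAdPrerequisites)
if ($issues.Count -eq 0) {
    Write-Host 'AD DS prerequisites for Lync Server 2010 are satisfied.'
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```

Run it once per forest from any domain-joined workstation with RSAT; each warning names the object to fix, and an empty result means the schema, forest, and domain preparation steps can start.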

Load Balancing Options

Lync Server 2010 supports Domain Name System (DNS) load balancing for many features of Front End pools, Edge server pools, Director pools, and stand-alone Mediation server pools.

DNS Load Balancing on Front End Pools and Director Pools

DNS load balancing is supported only by servers running Lync Server 2010 and Lync Server 2010 clients. You cannot achieve load balancing of connections from older clients and servers by implementing DNS round robin on the DNS server; a hardware load balancer is required. Additionally, if you are using Exchange Unified Messaging (UM), only Exchange Server 2010 SP1 interoperates with Lync Server 2010 DNS load balancing. To deploy DNS load balancing on Front End pools and Director pools, you must:
- Create two fully qualified domain names (FQDNs). A regular pool FQDN is required on the DNS server for resolving the physical Internet Protocol (IP) addresses of the servers in the pool, and another FQDN is required on the hardware load balancer for web services to resolve the virtual IP address of the pool. You create this extra FQDN for the pool's web services by using Topology Builder.
- Provision DNS. Provision the DNS server to resolve the pool FQDN to the IP addresses of all servers in the pool.

DNS Load Balancing on Edge Server Pools

We recommend that you deploy DNS load balancing on the external interface of your Edge servers. You can also deploy load balancing on the internal interface; however, when an Edge server has failed, failover is lost and some users might experience a denial of request. To deploy DNS load balancing on the external interface of your Edge server pool, you must create the following DNS entries:
- Lync Server Access Edge service. Create one entry for each server in the pool. Each entry must resolve the FQDN of the Lync Server Access Edge service to the IP address of the Lync Server Access Edge service on one of the Edge servers in the pool.
- Lync Server Web Conferencing Edge service. Create one entry for each server in the pool. Each entry must resolve the FQDN of the Lync Server Web Conferencing Edge service to the IP address of the Lync Server Web Conferencing Edge service on one of the Edge servers in the pool.
- Lync Server Audio/Video Edge service. Create one entry for each server in the pool. Each entry must resolve the FQDN of the Lync Server Audio/Video (A/V) Edge service to the IP address of the Lync Server A/V Edge service on one of the Edge servers in the pool.

Using DNS Load Balancing on Stand-Alone Mediation Server Pools

You can use DNS load balancing on stand-alone Mediation server pools without the need for a hardware load balancer. All Session Initiation Protocol (SIP) and media traffic is balanced by DNS load balancing. To deploy DNS load balancing on a Mediation server pool, you must provision DNS to resolve the pool FQDN to the IP addresses of all servers in the pool.
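DNS load balancing for a Front End pool and for the three Edge services comes down to the same thing: several A records under one name, one per pool member, and then a check that the name really answers with every member and nothing else. The script below is an added example, not from the course notes. The zone, pool FQDN, Edge service names, server addresses, and DNS server name are all constructed; it uses dnscmd.exe, the built-in Windows DNS management tool, and the web-services FQDN that points at the hardware load balancer VIP is created in Topology Builder and is not shown here.

```powershell
# Added example, not from the course notes. The zone, pool FQDN, server
# addresses and DNS server name are constructed: pool01.contoso.com is a
# two-server Front End pool, and sip/webconf/av are the external Edge service
# FQDNs for a two-server Edge pool. dnscmd.exe (the built-in Windows DNS tool)
# creates the records; the web-services FQDN that points at the load balancer
# VIP is created separately in Topology Builder and is not shown here.
$dnsServer = 'dc01.contoso.com'
$zone      = 'contoso.com'

function New-Rec([string]$Name, [string]$Ip, [string]$Role) {
    New-Object PSObject -Property @{ Name = $Name; Ip = $Ip; Role = $Role }
}
# One A record per pool member under the same name: the DNS server answers
# with all of them, and the Lync 2010 client or server picks a working one.
$records = @(
    (New-Rec 'pool01'  '10.0.1.11'     'Front End server 1'),
    (New-Rec 'pool01'  '10.0.1.12'     'Front End server 2'),
    (New-Rec 'sip'     '203.0.113.11'  'Access Edge, edge1'),
    (New-Rec 'sip'     '203.0.113.21'  'Access Edge, edge2'),
    (New-Rec 'webconf' '203.0.113.12'  'Web Conferencing Edge, edge1'),
    (New-Rec 'webconf' '203.0.113.22'  'Web Conferencing Edge, edge2'),
    (New-Rec 'av'      '203.0.113.13'  'A/V Edge, edge1'),
    (New-Rec 'av'      '203.0.113.23'  'A/V Edge, edge2')
)

foreach ($r in $records) {
    # dnscmd <server> /RecordAdd <zone> <node> A <address>
    & dnscmd.exe $dnsServer /RecordAdd $zone $r.Name A $r.Ip | Out-Null
}

# Resolve each FQDN and compare with the intended member list. A missing address
# is a member that will never receive new connections; an extra one is a stale
# record still steering clients at a retired server.
function Test-PoolDns([string]$Fqdn, [string[]]$Expected) {
    $resolved = @([System.Net.Dns]::GetHostAddresses($Fqdn) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.ToString() })
    New-Object PSObject -Property @{
        Fqdn     = $Fqdn
        Resolved = ($resolved -join ', ')
        Missing  = (@($Expected | Where-Object { $resolved -notcontains $_ }) -join ', ')
        Extra    = (@($resolved | Where-Object { $Expected -notcontains $_ }) -join ', ')
    }
}

$records | Group-Object Name | ForEach-Object {
    $expected = @($_.Group | ForEach-Object { $_.Ip })
    Test-PoolDns -Fqdn "$($_.Name).$zone" -Expected $expected
} | Format-Table Fqdn, Resolved, Missing, Extra -AutoSize
```

The verification half resolves through the local resolver, so run it from a second machine or after ipconfig /flushdns if the names were cached before the records were added. Remember that pre-Lync 2010 clients and servers ignore the multiple answers and keep using the first address, which is why they still need a hardware load balancer.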

Operating System and Windows Component Requirements

In addition to the hardware and operating system requirements for server platforms, Lync Server 2010 may require the installation of additional software on the servers that you deploy. Some of the software requirements apply only to specific server roles or components, so they may not be required for your particular deployment. The slide lists all of the software components that may be required for Lync Server 2010. However, this topic covers only those software components that you may need to download, enable, or install because they are not automatically installed during the Lync Server 2010 setup process. Before deploying Lync Server 2010, you must install the following operating system updates:
- Microsoft Knowledge Base article 968929, Windows Management Framework (Windows PowerShell 2.0, WinRM 2.0, and BITS 4.0), at http://go.microsoft.com/fwlink/?linkid=197390
- For each server that has Microsoft Internet Information Services (IIS) installed, you must install the following updates:
  o IIS URL Rewrite module at http://go.microsoft.com/fwlink/?linkid=197391
  o IIS Application Request Routing module at http://go.microsoft.com/fwlink/?linkid=197392

Windows PowerShell Version 2.0

Lync Server 2010 Management Shell requires Microsoft Windows PowerShell command-line interface version 2.0. You must remove previous versions of Windows PowerShell prior to installing Windows PowerShell version 2.0. For details about downloading Windows PowerShell version 2.0, see Knowledge Base article 968929, Windows Management Framework (Windows PowerShell 2.0, WinRM 2.0, and BITS 4.0), which is available at http://go.microsoft.com/fwlink/?linkid=197390.

Microsoft .NET Framework Requirements

The 64-bit edition of Microsoft .NET Framework 3.5 with SP1 is required for Lync Server 2010. The setup process of Lync Server 2010 prompts you to install this prerequisite, and it automatically installs it if it is not already installed on the computer. However, if you install Lync Server 2010 by using the command line, you need to manually install .NET Framework 3.5 SP1 on the server; it is available at http://go.microsoft.com/fwlink/?linkid=197398.

Microsoft Visual C++ 2008 Redistributable Package Requirements

The Microsoft Visual C++ 2008 redistributable package is required for Lync Server 2010. If you install Lync Server 2010 by using the Lync Server Deployment Wizard, setup prompts you to install this prerequisite. However, if you install Lync Server 2010 by using the command line, you need to manually install this prerequisite on the server; it is available at http://go.microsoft.com/fwlink/?linkid=197399.

Message Queuing

Lync Server 2010 uses the Microsoft Message Queuing (MSMQ) technology with the following server roles:
- Front End server
- Mediation server
- Archiving server
- Monitoring server
- A/V Conferencing server
The Message Queuing service must be enabled on all servers prior to deploying any of the above listed server roles. Message Queuing can be installed as an optional feature in Windows Server 2008.

Windows Installer Version 4.5

Lync Server 2010 uses Windows Installer technology to install, uninstall, and maintain various server roles. Windows Installer version 4.5 is available as a redistributable component for the Windows Server operating system at http://go.microsoft.com/fwlink/?linkid=197395.

Windows Media Format Runtime Requirements

To use the Call Park, Announcement, and Response Group applications, you must install Windows Media Format Runtime on Front End servers. We recommend that you install Windows Media Format Runtime before installing Lync Server 2010. If Lync Server 2010 does not find this software on the server, it will prompt you to install it; you must then restart the server to complete the installation.
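Because several of these components are only prompted for by the Deployment Wizard and not by a command-line install, it helps to check for all of them in one pass on each server. The script below is an added example, not from the course notes. It assumes Windows Server 2008 R2 with the ServerManager module; the registry values and product display names it looks for are the ones the respective installers write, and Test-LyncServerPrerequisites and New-Check are names chosen here, not Lync cmdlets.

```powershell
# Added example, not from the course notes: reports, on the local server, the
# prerequisites this section says setup does not install for you. Assumes
# Windows Server 2008 R2 with the ServerManager module; the registry paths and
# product display names used for detection are the ones those installers write.
Import-Module ServerManager

function New-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    New-Object PSObject -Property @{ Check = $Name; OK = $Ok; Detail = $Detail }
}

function Test-LyncServerPrerequisites {
    # Windows PowerShell 2.0 (Windows Management Framework, KB 968929).
    # $PSVersionTable does not exist on 1.0, so a null here also means "too old".
    $psVer = $PSVersionTable.PSVersion
    New-Check 'Windows PowerShell 2.0' ($psVer -ne $null -and $psVer.Major -ge 2) "running $psVer"

    # Windows Installer 4.5: the file version of msi.dll is the installer version.
    $msiVer = [version](Get-Item "$env:windir\System32\msi.dll").VersionInfo.ProductVersion
    New-Check 'Windows Installer 4.5' ($msiVer -ge [version]'4.5') "msi.dll $msiVer"

    # .NET Framework 3.5 SP1: setup writes Install=1 and SP=1 under NDP\v3.5.
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' -ErrorAction SilentlyContinue
    New-Check '.NET Framework 3.5 SP1' ($ndp -ne $null -and $ndp.Install -eq 1 -and $ndp.SP -ge 1) "Install=$($ndp.Install) SP=$($ndp.SP)"

    # Installed products from both registry views, for the redistributables.
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $products = @(Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
        ForEach-Object { $_.DisplayName } | Where-Object { $_ })
    $vc = @($products | Where-Object { $_ -like 'Microsoft Visual C++ 2008*' })
    New-Check 'Visual C++ 2008 Redistributable' ($vc.Count -gt 0) ($vc -join '; ')

    # Message Queuing is a Windows feature; the roles listed above need it.
    $msmq = Get-WindowsFeature -Name MSMQ-Server
    New-Check 'Message Queuing (MSMQ-Server feature)' $msmq.Installed ''

    # The two IIS modules matter only where IIS (Web-Server role) is installed.
    $iis = Get-WindowsFeature -Name Web-Server
    if ($iis.Installed) {
        $rewrite = @($products | Where-Object { $_ -like 'IIS URL Rewrite Module*' })
        $arr     = @($products | Where-Object { $_ -like '*Application Request Routing*' })
        New-Check 'IIS URL Rewrite module'          ($rewrite.Count -gt 0) ($rewrite -join '; ')
        New-Check 'IIS Application Request Routing' ($arr.Count -gt 0)     ($arr -join '; ')
    }

    # Windows Media Format Runtime (Call Park, Announcement, Response Group on
    # Front End servers). wmvcore.dll is its core library; on Windows Server
    # 2008 R2 it arrives with the Desktop Experience feature.
    $wmf = Test-Path "$env:windir\System32\wmvcore.dll"
    New-Check 'Windows Media Format Runtime' $wmf ''
}

$results = @(Test-LyncServerPrerequisites)
$results | Format-Table Check, OK, Detail -AutoSize
$missing = @($results | Where-Object { -not $_.OK })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) prerequisite(s) missing; install them before running Lync Server setup."
}
```

Run it in an elevated shell on every server before setup; the Windows Media Format Runtime row only matters on Front End servers, and a missing item there means a restart after installation, which is cheaper to schedule before Lync Server is on the box.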

Certificate Infrastructure Requirements

Lync Server 2010 requires a PKI to support Transport Layer Security (TLS) and mutual TLS (MTLS) connections, as well as other services. If you are allowing external access, a PKI infrastructure must be in place. We recommend that you use certificates issued from a public certification authority (CA). Additional requirements for certificates include:
- All server certificates must support server authentication (Server EKU).
- Auto-enrollment is supported for internally facing servers, but it is not supported for Edge servers.

Internally Facing Servers

The internal servers that require certificates include:
- Standard Edition server
- Enterprise Edition Front End server
- Stand-alone A/V Conferencing server
- Mediation server
- Director server

You can use the Lync Server 2010 Certificate Wizard to request these certificates. Although using certificates from an internal CA is recommended for internal servers, you can also obtain certificates for internal servers from a public CA.

External User Access

Lync Server 2010 supports the use of a single certificate for the Access and Web Conferencing Edge external interfaces, and the internal interface of the A/V Edge. The Edge internal interface can use either a private or a public certificate. Requirements for the private (or public) certificate used for the Edge internal interface are as follows:
- The certificate must be issued by an internal CA or an approved public CA that supports subject alternative name. For details, see Knowledge Base article 929395, Unified Communications Certificate Partners for Exchange Server and for Communications Server, at http://go.microsoft.com/fwlink/?LinkId=140898.
- If the certificate will be used on an Edge pool, it must be created as exportable, with the same certificate used on each Edge server in the Edge pool.
- The subject name of the certificate is the Edge internal interface FQDN or hardware load balancer virtual IP (VIP) address (for example, csedge.contoso.com). No subject alternative name list is required.
- If you are deploying multiple, load-balanced Edge servers at a site, the A/V authentication certificate that is installed on each Edge server must be from the same CA and must use the same private key. In other words, the certificate must be exportable if it is to be used on more than one server.

Note: Microsoft recommends that both NTLM and Kerberos be enabled as authentication options if you plan to support remote users.

Group Chat

To install Lync Server 2010 Group Chat, you must have a certificate issued by the same CA as the one used by Lync Server 2010 internal servers for each server running the Lookup service, Channel service, and Web service. Ensure that you have the required certificate(s) before you start the Group Chat installation, especially if you are using an external CA.
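The three properties this section keeps returning to (Server Authentication EKU, an exportable private key when one certificate is shared across an Edge pool, and a subject or subject alternative name that matches the interface FQDN) can all be read from the certificate store before the Certificate Wizard is asked to assign anything. The script below is an added example, not from the course notes; the FQDN is a constructed placeholder, and Test-LyncCertificate and Get-SanDnsNames are names chosen here, not Lync cmdlets.

```powershell
# Added example, not from the course notes: audits the certificates in the local
# computer store against the requirements above (Server Authentication EKU, a
# private key that is exportable where one certificate must be shared across an
# Edge pool, and a subject or subject alternative name matching the interface
# FQDN). The FQDN is a constructed placeholder.
$expectedFqdn  = 'csedge.contoso.com'   # assumed Edge internal interface FQDN
$serverAuthOid = '1.3.6.1.5.5.7.3.1'    # id-kp-serverAuth

function Get-SanDnsNames($Cert) {
    # Subject Alternative Name extension (OID 2.5.29.17). Format($true) prints
    # one entry per line, e.g. "DNS Name=csedge.contoso.com".
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($ext -eq $null) { return @() }
    $ext.Format($true) -split "`r?`n" | ForEach-Object {
        if ($_ -match '^DNS Name=(.+)$') { $matches[1].Trim() }
    }
}

function Test-LyncCertificate($Cert, [string]$Fqdn, [bool]$RequireExportable) {
    $cn = @($Cert.Subject -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -like 'CN=*' })
    $cn = if ($cn.Count -gt 0) { $cn[0].Substring(3) } else { '' }
    $sans = @(Get-SanDnsNames $Cert)
    $nameMatches = ($cn -eq $Fqdn) -or ($sans -contains $Fqdn)

    # Server EKU: look inside the Enhanced Key Usage extension for the OID.
    $ekuOids = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    $hasServerEku = $ekuOids -contains $serverAuthOid

    # Exportability is a property of the CSP key container, not of the certificate.
    $exportable = $false
    if ($Cert.HasPrivateKey) {
        try { $exportable = [bool]$Cert.PrivateKey.CspKeyContainerInfo.Exportable } catch { }
    }

    $suitable = $hasServerEku -and $Cert.HasPrivateKey -and $nameMatches -and
                ($exportable -or -not $RequireExportable) -and ($Cert.NotAfter -gt (Get-Date))
    New-Object PSObject -Property @{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $cn
        NameMatches   = $nameMatches
        ServerAuthEKU = $hasServerEku
        Exportable    = $exportable
        NotAfter      = $Cert.NotAfter
        Suitable      = $suitable
    }
}

# An Edge pool shares one certificate across its members, so the key must be exportable.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-LyncCertificate -Cert $_ -Fqdn $expectedFqdn -RequireExportable $true } |
    Sort-Object Suitable -Descending |
    Format-Table Thumbprint, Subject, NameMatches, ServerAuthEKU, Exportable, NotAfter, Suitable -AutoSize
```

For an internal Front End or Director certificate, pass -RequireExportable $false, since those servers can use auto-enrollment and do not need to share a key. A certificate that fails only the Exportable column cannot be fixed after the fact; it has to be re-requested with an exportable private key.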
Client Requirements

Before deploying Lync 2010 clients, you must configure several essential policies and settings. These include client bootstrapping policies, client version policy, and key in-band provisioning settings.

Client Bootstrapping Policies

Client bootstrapping policies specify, for example, the default servers and security mode that the client should use until sign-in is complete. Because client bootstrapping policies take effect before the client signs in and begins receiving in-band provisioning settings from the server, you use Group Policy to configure them.

Client Version Policy

The default Client Version Policy requires that all clients are running a minimum of Microsoft Office Communicator 2007 R2. If clients in your environment are running earlier versions of Communicator, you might need to reconfigure the Client Version rules to prevent clients and devices from being unexpectedly blocked or updated when connecting to Lync Server 2010. You can modify the default rule, or you can add a rule higher in the Client Version Policy list to override the default rule. Additionally, as cumulative updates are released, you should configure the Client Version Policy to require the latest updates. The following options are available when editing the client version policy:
- Allow the client to log on.
- Allow the client to log on and receive updates from Windows Server Update Service or Microsoft Update.
- Allow the client to log on and display a message about where to download another client version.
- Block the client from logging on.
- Block the client from logging on and allow the client to receive updates from Windows Server Update Service or Microsoft Update.
- Block the client from logging on and display a message about where to download another client version.

Key In-Band Settings

Most of the Group Policy settings in Lync Server 2010 are controlled by server-based client policies, also known as in-band provisioning. In-band provisioning settings can significantly impact the user experience and therefore should be configured before client deployment. In Lync Server 2010, client policies (except for those required for bootstrapping) are configured by using the Windows PowerShell cmdlets New-CsClientPolicy and Set-CsClientPolicy.
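The six client version actions above map one-to-one onto the Action values of the client version policy rule cmdlets, and the in-band settings onto New-CsClientPolicy and Grant-CsClientPolicy. The following is an added example for the Lync Server Management Shell, not from the course notes: the site, user, version numbers, and download URL are constructed, and the cmdlet parameter names are given as I recall them from Lync Server 2010 (confirm with Get-Help before running).

```powershell
# Added example, not from the course notes, for the Lync Server Management Shell.
# Adds two Client Version Policy rules ahead of the default rules and one client
# policy delivered through in-band provisioning. The user, version numbers and
# download URL are constructed; parameter names are as recalled for Lync 2010.
Import-Module Lync

# 1. Client Version Policy. A rule is addressed as "<parent policy>/<GUID>";
#    lower Priority values are evaluated first, so Priority 0 overrides the defaults.
#    Block Office Communicator 2007 (major version 2) and show a download URL.
New-CsClientVersionPolicyRule -Parent 'Global' -RuleId ([Guid]::NewGuid().ToString()) `
    -MajorVersion 2 -UserAgent OC -CompareOp EQL `
    -Action BlockWithUrl -ActionUrl 'http://intranet.contoso.com/lync' `
    -Priority 0 -Description 'Block Communicator 2007; direct users to the Lync 2010 download'

#    Lync 2010 (major version 4) below a required cumulative update: let the user
#    sign in, then push the update through WSUS or Microsoft Update. The build and
#    QFE numbers are placeholders for the update you standardize on.
New-CsClientVersionPolicyRule -Parent 'Global' -RuleId ([Guid]::NewGuid().ToString()) `
    -MajorVersion 4 -MinorVersion 0 -BuildNumber 7577 -QfeNumber 4000 -UserAgent OC -CompareOp LSS `
    -Action AllowAndUpgrade -Priority 1 `
    -Description 'Lync 2010 older than the approved CU: allow sign-in and update'

# Review the resulting rule order; the first matching rule wins.
Get-CsClientVersionPolicy -Identity 'Global' |
    Select-Object -ExpandProperty Rules |
    Format-Table Priority, UserAgent, MajorVersion, MinorVersion, BuildNumber, QfeNumber, CompareOp, Action -AutoSize

# 2. In-band provisioning: a client policy that keeps IM to plain text and
#    disables local saving of conversations, granted to a pilot user before
#    the broad client rollout.
New-CsClientPolicy -Identity 'PilotUsers' -DisableHtmlIm $true -DisableRTFIM $true -DisableSavingIM $true
Grant-CsClientPolicy -Identity 'sip:alice@contoso.com' -PolicyName 'PilotUsers'
Get-CsClientPolicy -Identity 'PilotUsers' | Format-List Identity, DisableHtmlIm, DisableRTFIM, DisableSavingIM
```

The bootstrapping settings are deliberately absent from this script: the server cannot deliver them because they govern how the client reaches the server in the first place, which is why they stay in Group Policy.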

Device Requirements

Lync Server 2010 expands the line of available unified communications (UC) devices to include a new line of IP phones. Before you deploy UC phones, ensure that the following recommended Lync Server 2010 communications software components are in place.

Device Update Service

The Device Update service, which is an automated way to update your IP phones, is installed with web services on the Front End server.

NOTE: In Lync Server 2010 Enterprise Edition, you may have multiple servers in the pool. For each instance of web services running on servers in a pool, there is a separate instance of the Device Update service running in the pool. When you make a configuration change to the Device Update service, the changes are propagated to all servers in that pool, but not to servers in any other pool.

Enterprise Voice

Enterprise Voice is the voice over Internet Protocol (VoIP) solution in Lync Server 2010 that allows users to make calls and use rich communication and collaboration features, such as viewing enhanced presence information or location information for contacts in your organization's address book. Enterprise Voice must be enabled for each device user. To check whether Enterprise Voice is enabled for a user, in Lync Server Control Panel, find the user and then view the user's details. If the user is enabled for Enterprise Voice, the check box Enabled for Lync Server will be selected, and the Telephony drop-down list will show Enterprise Voice as selected.

Contact Objects for Common Area Phones and Analog Devices

You must associate all phones with a specific user or an Active Directory contact object. With contact objects, as with user accounts, you can assign policies and voice plans for managing the device.

NOTE: When you create a contact object for an analog device (for example, by using the New-CsAnalogDevice cmdlet), you must specify the correct categorization of the analog device as either a fax machine (such as a fax, modem, or Teletype-33 (TTY)) or a voice device. The designation of fax affects how the call will be routed.

Dial Plans, Voice Policies, and Outbound Call Routes

Before deploying Lync Server 2010, you must set up the following rules for users:
- Dial plans. Dial plans are sets of normalization rules that translate phone numbers for a given location, user, or contact object into a single standard (E.164) format. This allows UC device users to make calls to the public switched telephone network (PSTN).
- Voice policies. Voice policies are records that define call permissions for users, sites, or an entire organization, and include various calling features that can be enabled or disabled as appropriate. Voice policies must be set up for device users.
- Call routes. Call routes are rules that specify how Lync Server 2010 handles outbound calls from UC devices. Lync Server 2010 uses routes to associate a target phone number with one or more media gateways or SIP trunks and one or more PSTN usage records.

Least-Cost Routing

Lync Server 2010 enables you to specify the PSTN gateways through which you want to route numbers. The recommended best practice is to select routes that incur the lowest costs and implement them accordingly. When selecting a gateway, choose the one closest to the destination location to minimize long-distance charges. For example, if you are in New York and calling a number in Rome, you should carry the call over the IP network to the gateway in your Rome office, thereby incurring a charge only for a local call.

You use Lync Server Control Panel to verify whether dial plans, voice policies, and call routes are set up for users, and to set up or modify these user policies.

Note: If your organization has Microsoft Exchange Server deployed, you can also configure Exchange UM and Lync Server 2010 to work together.

PIN Authentication and Policy

If you are deploying the new line of IP phones (Aastra 6721ip, Polycom CX600, Polycom CX500, or Polycom CX3000), you must enable personal identification number (PIN) authentication on Lync Server 2010, and set the appropriate PIN policy. This allows automatic authentication when a user signs in. You set the PIN policy on the PIN Policy page of the Security group in Lync Server Control Panel. Also in Security, you should click Web Service and verify that PIN authentication is enabled in the Global policy.
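Everything this section asks you to verify in Lync Server Control Panel (Enterprise Voice status, contact objects for analog devices and common area phones, dial plan normalization, voice policy and route, and PIN authentication) has a Management Shell equivalent, which is easier to repeat across sites. The script below is an added example, not from the course notes; all user names, numbers, and OU paths are constructed, the pool and gateway FQDNs are assumed to exist in the topology, and 'LocalRoute' is assumed to be the name of the default voice route.

```powershell
# Added example, not from the course notes, for the Lync Server Management Shell.
# Walks the device prerequisites of this section. Names, numbers and OU paths are
# constructed; the pool and gateway FQDNs are assumed to exist in the topology.
Import-Module Lync

$pool    = 'pool01.contoso.com'
$gateway = 'pstngw01.contoso.com'
$ou      = 'OU=Devices,DC=contoso,DC=com'

# 1. Enterprise Voice must be enabled for every device user. List enabled users
#    who are not yet voice-enabled, then enable one with an E.164 line URI.
Get-CsUser -Filter { EnterpriseVoiceEnabled -eq $False } |
    Where-Object { $_.Enabled } |
    Select-Object DisplayName, SipAddress, LineUri |
    Format-Table -AutoSize
Set-CsUser -Identity 'sip:alice@contoso.com' -EnterpriseVoiceEnabled $true -LineUri 'tel:+14255550100'

# 2. Contact objects. The fax designation changes how calls are routed, so set
#    -AnalogFax correctly; a common area phone gets a contact object with no
#    logon-enabled user behind it.
New-CsAnalogDevice -LineUri 'tel:+14255550199' -DisplayName 'Lobby Fax' -DisplayNumber '+1 (425) 555-0199' `
    -RegistrarPool $pool -Gateway $gateway -AnalogFax $true -OU $ou
New-CsCommonAreaPhone -LineUri 'tel:+14255550150' -DisplayName 'Lobby Phone' -DisplayNumber '+1 (425) 555-0150' `
    -RegistrarPool $pool -OU $ou

# 3. Dial plan: a normalization rule that turns a four-digit extension into
#    E.164, then a test of what the Global dial plan produces for a dialed string.
New-CsVoiceNormalizationRule -Parent 'Global' -Name 'Ext4ToE164' `
    -Pattern '^(\d{4})$' -Translation '+1425555$1' `
    -Description 'Four-digit extensions to +1 425 555 xxxx'
Test-CsDialPlan -DialedNumber '0100' -DialPlan (Get-CsDialPlan -Identity 'Global')

# 4. Voice policy and route: confirm the PSTN usages the Global policy carries and
#    which gateway the route would pick for a Rome number (least-cost routing means
#    this should be the Rome gateway once a Rome route exists).
Get-CsVoicePolicy -Identity 'Global' | Format-List Identity, PstnUsages, AllowCallForwarding
Test-CsVoiceRoute -TargetNumber '+390655550123' -VoiceRoute (Get-CsVoiceRoute -Identity 'LocalRoute')

# 5. PIN authentication for the IP phones: set the PIN policy and confirm that
#    the Web Service configuration has PIN authentication on.
Set-CsPinPolicy -Identity 'Global' -MinPasswordLength 6 -PINLifetime 90 `
    -AllowCommonPatterns $false -MaximumLogonAttempts 10
Set-CsWebServiceConfiguration -Identity 'Global' -UsePinAuth $true
Get-CsWebServiceConfiguration -Identity 'Global' | Format-List Identity, UsePinAuth
```

The PIN policy values are deliberately on the strict side: a phone PIN is a credential that is typed on a keypad in a public area, so rejecting common patterns and capping logon attempts matters more there than for a desktop password.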

Physical Network and File Share Requirements

The proper network infrastructure for your Lync Server 2010 deployment is vital to both user adoption and the overall success of your communication system. Inadequate network throughput increases response times and can result in a solution that fails to achieve the goals of enhanced collaboration and connectivity. The network adapter card of each server in the Lync Server 2010 topology must support at least 1 gigabit per second (Gbps). In general, you should connect all server roles by using a low-latency and high-bandwidth local area network (LAN). The size of the LAN depends on the size of the topology:
- Standard Edition topologies. Servers should be in a network that supports 1 Gbps Ethernet or equivalent.
- Front End pool topologies. Most servers should be in a network that supports more than 1 Gbps, especially when supporting A/V conferencing and application sharing.
PSTN integration can be achieved with a supported PSTN Gateway, IP-PBX, or SIP trunk.

Media Requirements

Follow these recommendations for optimized A/V in a Lync Server 2010 deployment:
- Configure the external firewall as a NAT (whether the site has only a single Edge server or multiple Edge servers deployed).
- Deploy the media subsystem within an existing Quality of Service (QoS) infrastructure that prioritizes capacity for PSTN data flows.
- Disable Internet Protocol security (IPsec) over the port ranges used for A/V traffic.

Ensuring Media Quality

For optimal media quality, you must ensure that proper network provisioning and capacity planning have been performed:
- Lync Server 2010 media endpoints can adapt to varying network conditions. However, in an underprovisioned network, the ability of the Lync Server 2010 media endpoints to dynamically deal with varying network conditions (for example, temporary high packet loss) is reduced.
- Networks must be provisioned to support throughput of 45 kilobits per second (Kbps) per audio stream and 300 Kbps per video stream, if enabled, during peak usage periods.
- For network links where provisioning is extremely costly and difficult, you might need to consider provisioning for a lower volume of traffic. In this scenario, you let the elasticity of the Lync Server 2010 media endpoints absorb the difference between that traffic volume and the peak traffic level, at the cost of some reduction in quality. However, in this case, there is a decrease in the system's ability to absorb sudden peaks in traffic.
- For links that cannot be correctly provisioned in the short term (for example, a site with very poor wide area network [WAN] links), consider disabling video for certain users.
- Provision your network to ensure a maximum end-to-end delay (latency) of 150 milliseconds (ms) under peak load. Latency is the one network impairment that Lync Server 2010 media components cannot reduce, and it is important to find and eliminate the weak points.
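Three of the numbers in this section are measurable or computable before deployment: the 1 Gbps adapter minimum, the 150 ms end-to-end latency ceiling, and the per-stream figures that size a site's peak media throughput. The script below is an added example, not from the course notes; the peer server names and the per-site stream counts are constructed, and Get-MediaBandwidthKbps is a name chosen here.

```powershell
# Added example, not from the course notes: checks adapter link speed against the
# 1 Gbps minimum, measures round-trip latency to other server roles against the
# 150 ms end-to-end budget, and sizes peak throughput from the per-stream figures
# above (45 Kbps per audio stream, 300 Kbps per video stream). Peer names and
# stream counts are constructed.
$peers = 'fe01.contoso.com', 'mediation01.contoso.com'   # assumed server roles

# 1. Adapter speed. Win32_NetworkAdapter.Speed is bits per second; status 2 = connected.
Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionStatus=2 AND PhysicalAdapter=TRUE" |
    ForEach-Object {
        New-Object PSObject -Property @{
            Adapter  = $_.Name
            Gbps     = [math]::Round($_.Speed / 1e9, 2)
            MeetsMin = ($_.Speed -ge 1e9)
        }
    } | Format-Table Adapter, Gbps, MeetsMin -AutoSize

# 2. Latency. Lync cannot compensate for delay, so the worst sample matters more
#    than the average: a peak near 150 ms needs a network-side fix.
foreach ($peer in $peers) {
    $replies = @(Test-Connection -ComputerName $peer -Count 10 -ErrorAction SilentlyContinue)
    if ($replies.Count -gt 0) {
        $avg = ($replies | Measure-Object ResponseTime -Average).Average
        $max = ($replies | Measure-Object ResponseTime -Maximum).Maximum
        $verdict = if ($max -le 150) { 'OK' } else { 'EXCEEDS 150 ms budget' }
        '{0,-28} avg {1,6:N1} ms  max {2,6:N1} ms  {3}' -f $peer, $avg, $max, $verdict
    } else {
        '{0,-28} unreachable' -f $peer
    }
}

# 3. Capacity. Count each direction of a call as one stream; the result is the
#    throughput the link must carry at peak, before any headroom you add.
function Get-MediaBandwidthKbps([int]$AudioStreams, [int]$VideoStreams) {
    return ($AudioStreams * 45) + ($VideoStreams * 300)
}
$sites = @(
    @{ Site = 'Seattle HQ'; Audio = 800; Video = 120 },
    @{ Site = 'Rome';       Audio = 80;  Video = 0 }     # video disabled over a poor WAN link
)
foreach ($s in $sites) {
    $kbps = Get-MediaBandwidthKbps -AudioStreams $s.Audio -VideoStreams $s.Video
    '{0,-12} {1,5} audio + {2,4} video streams at peak = {3,8:N0} Kbps ({4:N1} Mbps)' -f `
        $s.Site, $s.Audio, $s.Video, $kbps, ($kbps / 1000)
}
```

The capacity figure is a floor, not a target: a link provisioned exactly to it has no room for the sudden peaks the section warns about, and on a link you cannot upgrade the lever that actually changes the number is the video column.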
