
Migrating to Microsoft® Office Communications Server 2007
Published: July 2007
Updated: October 2007

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise
noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples
herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or
event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the
rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any
form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written
permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this
document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give
you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2007 Microsoft Corporation. All rights reserved.

Microsoft, Windows, Windows Server, Active Directory, SQL Server, and MSN are either registered trademarks or trademarks of
Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.



Contents
Introduction
Terminology
Before You Begin
Planning Your Migration
Third-Party Applications
Coexistence with Live Communications Server 2005 with SP1
Phase 1: Upgrade Your Perimeter Network and Director
Overview of Steps
Step 1 Configure DNS Records for Your Edge Servers
Step 2 Configure a Reverse Proxy
Step 3 Deploy a New Edge Server
Step 4 Configure Certificates on the Internal Interface of Your Edge Servers
Step 5 Configure Certificates on the External Interface of Your Access Edge Server
Step 6 Start Services
Step 7 Configure Federation on Your Access Edge Server
Step 8 Configure Your Internal Environment to Use the New Edge Server
Step 9 Change Your Firewall Settings or DNS Settings to Use the IP Address of Your New Access Edge Server
Step 10 Validate the Configuration of Your Access Edge Server
Step 11 Test Connectivity Between Remote Users, Federated Users and Public IM Connectivity
Step 12 Deploy an Office Communications Server 2007 Director (optional)
Step 13 Remove Your Live Communications Server 2005 SP1 Director and Access Proxy
User Experience in Phase 1
Phase 2: Deploy Internal Office Communications Servers and Migrate Users
Step 2.1 Deploy Standard Edition Server or Enterprise Pool
Step 2.2 Deploy Archiving and CDR Server If Required
Step 2.3 Verify that User Replication Completed
Step 2.4 Back Up User Data on the Existing Live Communications Server 2005 with SP1
Step 2.5 Export User Data from Live Communications Server 2005 with SP1
Step 2.6 Move Users to Office Communications Server 2007
Step 2.7 Configure Users
Step 2.8 Transfer Remote Call Control Settings As Necessary
Step 2.9 Validate the Configuration and Connectivity of the Server or Pool
User Experience in Phase 2
Phase 3: Enable Pilot Users for Enhanced Presence and New Features and Deploy New Clients
Step 3.1 Enable Enhanced Presence for Your Pilot Users
Step 3.2 Deploy Office Communicator 2007 to Your Pilot Users
Step 3.3 Deploy the Live Meeting 2007 Client to Your Pilot Users
User Experience in Phase 3
Phase 4: Introduce New Edge Server Roles
User Experience in Phase 4
Phase 5: Continue Phased Migration for Additional User Groups
Phase 6: Deprecate Your Live Communications Server 2005 SP1 Servers
Remove Live Communications Server 2005 SP1 Standard Edition
Remove Live Communications Server 2005 with SP1 Enterprise Edition

Introduction
Migrating to Microsoft Office Communications Server 2007 guides you through the process of
upgrading from Microsoft® Office Live Communications Server 2005 with Service Pack 1 to
Microsoft Office Communications Server 2007 and of deploying Office Communications Server
2007 in an existing Live Communications Server 2005 SP1 deployment. If you intend for your
Office Communications Server 2007 deployment to coexist with a Live Communications Server
2005 SP1 deployment, this guide includes some essential information for operating such a mixed
environment.

This guide provides information specific to upgrading your existing deployment. It does not
explain how to change your existing topology. Because most of the detailed planning and
deployment information and procedures are provided in other Office Communications Server
2007 documentation, that information is not duplicated in this guide. When a detailed procedure
is documented elsewhere, this guide directs you to the appropriate document.
In addition to this guide, you need the following documentation:
• Microsoft Office Communications Server 2007 Planning Guide
• Microsoft Office Communications Server 2007 Edge Server Deployment Guide
• Microsoft Office Communications Server 2007 Active Directory Guide
• Microsoft Office Communications Server 2007 Enterprise Edition Deployment Guide
• Microsoft Office Communications Server 2007 Standard Edition Deployment Guide
• Microsoft Office Communications Server 2007 Archiving and CDR Server
Deployment Guide
• Microsoft Office Communicator 2007 Deployment Guide
• Deploying the Microsoft Office Live Meeting 2007 Client with Office
Communications Server 2007

Terminology
Anonymous user: An external user who does not have credentials in the Active Directory®
Domain Services.
A/V: Audio/video.
Direct federation: In Live Communications Server 2005, a form of federation in which two
organizations explicitly designate each other as trusted federated partners. In Office
Communications Server 2007, this term is not used; you achieve the same functionality by not
configuring your Access Edge Server to automatically discover federated partners by using DNS.
Edge server: An Office Communications Server 2007 server that resides in the perimeter
network and provides connectivity for external users, federated partners, and public IM
connections. Each edge server has one or more of the following roles: Access Edge Server, Web
Conferencing Edge Server, or A/V Edge Server.
Enhanced federation: In Live Communications Server 2005, an organization-to-organization
federation that uses DNS-SRV resolution to identify the Access Proxy for each partner. In Office
Communications Server 2007, this term is not used. You can achieve this functionality by
configuring your Access Edge Server to use DNS to automatically discover federated partners.
External user: A user who connects from outside the organization’s firewall. External users
include anonymous users, federated users, and remote users.
External IP address: An IP address that is accessible from the Internet or from another network
that is outside the organization.
Federated user: An external user who possesses valid credentials with a federated partner and
who is therefore treated as authenticated by Office Communications Server.
Internal IP address: An IP address that is accessible from the internal network of an
organization.
PSOM: Persistent Shared Object Model. A custom protocol for transporting Web conferencing
content.
Remote user: An external user with a persistent Active Directory identity within the
organization.
Side-by-side migration: Deploying an upgraded software version on a separate computer from
the one that is running the original version, transferring essential data to the new computer,
making the new computer operational, and then taking the legacy computer offline. Note:
Side-by-side migration is not supported for Access Proxy and an Office Communications Server 2007
Access Edge Server.
SIP: Session Initiation Protocol, a signaling protocol for Internet telephony.
Web farm: A collection of server computers that host a single Web site.

Before You Begin


Ensure that Live Communications Server 2005 with SP1 servers have the following QFEs
installed in the following order:
1. QFE available from Microsoft Web site: http://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=kb911996.
2. QFE available from Microsoft Web site: http://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=kb921543.
These QFEs are required for coexistence with Office Communications Server 2007. They must
be installed on all Live Communications Server 2005 with SP1 servers, with the exception of the
back-end database server for an Enterprise pool.

Planning Your Migration


The only migration path, when you have Live Communications Server 2005 with SP1 Access
Proxies deployed, is to migrate your environment from the outside in. You must first replace
your Access Proxies with Office Communications Server 2007 Access Edge Servers before you
can migrate to Office Communications Server 2007 in your internal environment.
If you are running Live Communications Server 2003, you must first migrate to Live
Communications Server 2005 with SP1, and then you can migrate to Office Communications
Server 2007.
To minimize service downtime, we recommend a phased approach in which you upgrade all the
servers of a particular type at one time. The supported order is as follows:
1. QFE available from Microsoft Web site: http://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=kb911996.
2. Replace Access Proxies in the perimeter network with Access Edge Servers.
3. Replace Directors.
4. Install Enterprise pools and Standard Edition servers.
5. Install Archiving and CDR Servers as necessary.
At this point, you can move some pilot users to the new deployment to test the behavior of IM
and presence.
After you have ensured that IM and presence are working correctly in your environment, you can
deploy Web Conferencing Edge Servers and A/V Edge Servers in your perimeter network. After
you have ensured that Web conferencing and A/V conferencing work properly, you can move the
rest of your users to the new deployment and take the Live Communications Server offline.
Planning your upgrade to Office Communications Server 2007 should include the following:
• Understanding the basic migration process
• Understanding coexistence issues
• Planning user migration
• Determining your requirements for additional hardware
Table 1 summarizes the phases of the migration as they are presented in this guide. The table also
notes changes to the user experience as the migration proceeds.
Table 1 Migration Phases and User Experience

Phase 1: Upgrade your perimeter network and Director
Description: Introducing new Office Communications Server 2007 Access Edge Servers and Directors into your Live Communications Server 2005 SP1 environment.
User Experience: No changes. Users continue to use the Microsoft Office Communicator 2005 client and have the same IM and presence functionality.

Phase 2: Deploy internal Office Communications Servers
Description: Deploying a new Office Communications Server 2007 Enterprise pool or Standard Edition server and an Archiving and CDR Server, if required, and moving users to the new server or pool
User Experience: No changes. Users continue to use Office Communicator 2005 and have the same IM and presence functionality.

Phase 3: Enable pilot users for enhanced presence and roll out new clients
Description: Enabling selected users for enhanced presence and rolling out Microsoft Office Communicator 2007 and the Microsoft Office Live Meeting 2007 client to the pilot users
User Experience: Pilot users are able to use the full functionality of Office Communicator 2007 when they communicate with other pilot users internally. After they are enabled for enhanced presence, these users can no longer sign in to an Office Communicator 2005 client or to previous versions of Communicator Web Access or of the Communicator Mobile clients. When communicating with Office Communicator 2005 users, pilot users are able to use new features in Office Communications Server 2007. After the Live Meeting 2007 client is rolled out to your pilot users, they can participate in internal Web conferences that are hosted on your Office Communications Servers.

Phase 4: Introduce new edge server roles
Description: Deploying Web Conferencing Edge Servers and A/V Edge Servers in your perimeter network
User Experience: Pilot users are able to use the new Web conferencing and audio/video capabilities when connecting remotely.

Phase 5: Continue phased migration of additional users
Description: Enabling users for enhanced presence and rolling out Office Communicator 2007 and the Live Meeting 2007 client to the other users
User Experience: Office Communicator 2007 users are able to use the full functionality of Office Communicator 2007 when communicating with other Office Communicator 2007 users. When communicating with Office Communicator 2005 users, users of the upgraded client are not able to use new features in Office Communications Server 2007. After the Live Meeting 2007 client is rolled out, users can participate in Web conferences that are hosted on your Office Communications Server whether they are signed in internally or remotely.

Third-Party Applications
If you are running third-party applications on your Live Communications Server 2005 SP1
servers, be aware that changes have been made to the server and protocol infrastructure that
might affect these programs. You still need to test these applications to ensure that they work
properly with Office Communications Server 2007. For more information, contact the vendor of
your applications.
If you are running applications that are based on code examples from the Live Communication
2005 with SP1 Software Development Kit, the applications must be updated before they will
work with Office Communications Server 2007. For more information, see the Office
Communications Server 2007 SDK documentation.
The Live Communications Server 2005 with SP1 Network of Origination Icon sample is not
supported on Office Communications Server 2007. In Office Communications Server 2007, for
federated users on a user’s Contacts list, the user sees the same icon for all contacts that are
outside the organization instead of seeing the icon for the network of origin. If the user moves the
pointer over the contact in Office Communicator, the SIP URI for the federated user appears.

Coexistence with Live Communications Server 2005 with SP1
Both the Standard Edition and Enterprise Edition of Office Communications Server 2007 are
designed to coexist with Live Communications Server 2005 with SP1 Standard Edition servers
and Enterprise pools. Preparing the Active Directory for Office Communications Server also
provides backward compatibility with Live Communications Server 2005 with SP1.
If you are planning to deploy Office Communications Server 2007 in a mixed environment with
Live Communications Server 2005 with SP1, there are other issues you need to be aware of:
• Every domain that contains Live Communications Server 2005 SP1 users or servers
must be prepared for Office Communications Server 2007.
• Archiving services for each version are compatible only with servers of the same
version.
• All servers in a pool or in an edge server array must be of the same version, but
servers or pools of different versions can be connected to the same load balancer.
• Users who are enabled for enhanced presence and who sign in by using Office
Communicator 2007 can no longer use Microsoft Office Communicator 2005 or the
2005 releases of Communicator Web Access and Communicator Mobile.
Additionally, such users cannot access specific components of Live Communications
Server 2005 with SP1.
• The A/V conferencing features of Office Communications Server 2007 are not
available to users who are hosted on Live Communications Server 2005 with SP1 or
to any users who are using Office Communicator 2005.
• For Web conferencing, only users hosted on Office Communications Server 2007 can
organize Web conference meetings. However, any user can attend, provided they
have the ability to install the Live Meeting 2007 client. For more information about
deploying Live Meeting 2007, see Deploying the Microsoft Office Live Meeting 2007
Client with Office Communications Server 2007.
• The administrative snap-ins for Live Communications Server 2005 with SP1 and
Office Communications Server 2007 are not mutually compatible. Each can be used
to administer only servers of the corresponding version.
• All external users, including federated users, can connect through Office
Communications Server 2007 Access Edge Servers and Directors, even if they are
hosted on Live Communications Server 2005 with SP1.
The following sections explain the implications of these issues.

Archiving Interoperability
You must archive all traffic on Office Communications Server 2007 servers by using an Office
Communications Server 2007 Archiving and CDR Server. Similarly, you must archive all traffic
on Live Communications Server 2005 SP1 servers by using the Live Communications Server
2005 with SP1 Archiving Service.
The default behavior differs between the two versions. In Office Communications Server
2007, both global archiving and individual user archiving are disabled by default, but Live
Communications Servers retain their existing global settings. This means that if archiving is
enabled in global settings on all your Live Communications Servers, this setting is retained on all
your Live Communications Server 2005 with SP1 servers.
In a coexistence scenario, conversations initiated by a user hosted on a Live Communications
Server 2005 with SP1 server use the forest-level settings enabled in the Live Communications
Server 2005 SP1 environment. Conversations initiated by a user hosted on Office
Communications Server 2007 use the global settings configured in Office Communications
Server 2007.

Note
To access the global archiving settings, right-click the forest
node, point to Properties, click Global Properties, and then
click the Archiving tab. For more information, see the
Microsoft Office Communications Server 2007 Administration
Guide.
Using Load Balancers
Servers of different versions cannot coexist in a single pool or an edge server array. You can,
however, connect a Live Communications Server 2005 with SP1 pool and an Office
Communications Server 2007 pool to the same load balancer. For example, if you have an array
of Live Communications Server 2005 with SP1 Access Proxies attached to a load balancer, you
can also simultaneously attach an Office Communications Server 2007 edge server array to the
same load balancer.

Adding Live Communications Server 2005 SP1 Servers During Coexistence
Because Active Directory preparation is backwards compatible with the Live Communications
Server 2005 SP1 Active Directory schema, you can add new Live Communications Server 2005
with SP1 servers to any domain where domain preparation for Live Communications Server was
run before Office Communications Server 2007 Active Directory preparation.
During coexistence, if you do not run Live Communications Server 2005 Active Directory
domain preparation steps in a domain (a new domain for example) before the Office
Communications Server 2007 Active Directory preparation, you cannot install any Live
Communications Server 2005 SP1 servers.

Microsoft Office Communicator


By default, users who are homed on Office Communications Server 2007 can be enabled for
enhanced presence, but Office Communicator 2007 is required for users to take advantage of this
feature. Users who are moved from a Live Communications Server 2005 SP1 server to an Office
Communications Server 2007 can use the Microsoft Office Communicator 2005 client. Such a
user cannot, however, take advantage of the enhanced presence and A/V conferencing features of
Office Communications Server 2007.
After a user who is enabled for enhanced presence has signed in by using Office Communicator
2007, that user can no longer use Office Communicator 2005 or sign in to Live Communications
Server 2005 with SP1. Additionally, such a user can no longer sign in to Communicator Web
Access (2005 release) or to Communicator Mobile (2005 release).
If you plan to deploy in a mixed environment, you must make the appropriate clients available to
all your users. For details about migrating to the 2007 release of Communicator Web Access, see
the Microsoft Office Communicator Web Access (2007 release) Planning and Deployment
Guide.

Administrative Snap-Ins
In general, you must use the administrative snap-in that corresponds to the server version that
you want to manage. The only exception is that you use the Office Communications Server 2007
snap-in to move users from Live Communications Server 2005 with SP1 to Office
Communications Server 2007.
Use the 2005 Administrative Snap-In
• To manage Live Communications Server 2005 SP1 users and servers. You can also
use Active Directory Users and Computers on Live Communications Server 2005
SP1 or on a computer with the Live Communications Server 2005 SP1 administrative
snap-in installed.
• Although Office Communications Server pools are available from Live
Communications Server 2005 SP1, you should use only Office Communications
Server to move users hosted on Office Communications Server. Moving Office
Communications Server users from the 2005 administrative snap-in is not supported.
Use the 2007 Administrative Snap-In
• To move Live Communications Server 2005 SP1 users to Office Communications
Server 2007.
• To manage users on Office Communications Server 2007 after moving them from
Live Communications Server 2005 SP1.
• To manage all Office Communications Server 2007 servers.
The Live Communications Server 2005 SP1 administrative snap-in and the Office
Communications Server 2007 administrative snap-in cannot be installed on the same computer.

External User Access


External users, such as remote users, who are hosted on Live Communications Server 2005 with
SP1 and users of Office Communicator 2005, regardless of where they are hosted, can sign in by
using the Office Communications Server 2007 Edge Servers and Directors for functionality that
is supported by Live Communications Server 2005 with SP1. These users cannot, however, take
advantage of the additional features that are offered by Office Communications Server 2007.

Phase 1: Upgrade Your Perimeter Network and Director
In the initial phase of migration, if you have deployed public IM connectivity, remote user access
or federation in your Live Communications Server 2005 SP1 environment, you begin by
deploying an Office Communications Server 2007 Edge Server. This server replaces your
existing Live Communications Server 2005 SP1 Access Proxy.

Overview of Steps
Upgrading your perimeter network involves the following steps:
1. Configure the necessary DNS records for your new edge server.
2. Deploy your Office Communications Server 2007 Access Edge Server before any
internal servers. The single site edge topology or scaled single-site edge topology is
recommended for your initial edge deployment. This topology allows you to add a
load balancer later for growth.
Deploy the new edge server topology alongside your existing Live Communications Server
2005 SP1 Access Proxy, but do not change your firewall setting to point to the new IP
address used by the Office Communications Server 2007 edge servers until you have
completed the following steps. You must use an internal and external IP address that is
different from your existing Access Proxy.
It is strongly recommended that you use the same external FQDN for your new Access Edge
Server as you did for your Live Communications Server 2005 SP1 Access Proxy. If you do
this, you can use the same certificate. If you have purchased a license for public IM
connectivity, you do not need to go through the provisioning process again. If you use a
different FQDN, you must obtain new certificates and re-provision public IM connectivity.
Additionally, you must notify any federated partners of the change to your external FQDN.
These partners can then change their configurations to point to your new FQDN to federate
with your organization. If they are using enhanced federation, or an Office
Communications Server 2007 Access Edge Server with automatic DNS discovery, they can
simply add your domain on the Allow tab. Also, if you use manual configuration for your
Office Communicator clients, you must update this configuration to point to the new Access
Edge Server FQDN.
3. Configure certificates on your new Office Communications Server 2007 edge server.
This process varies depending on the following conditions:
• Internal certificate configuration.
o If your organization has a firewall between the Live Communications
Server 2005 SP1 Access Proxy and your internal servers, you can use
the same certificate on the internal interface of your new Access Edge
Server as you used on the internal interface of your existing Access
Proxy.
o If your organization does not have an internal firewall, the Director or
your internal Standard Edition server or Enterprise pool that is used for
the global federation route needs to differentiate the new Access Edge
Server from the 2005 Access Proxy so you can either use a new
certificate on the Access Edge Server or update DNS settings.
o If you use a different internal FQDN on your new edge server, you must
obtain a new certificate from the certificate authority you use for
internal certificates.
• External certificate configuration.
o If you use the same external FQDN for your Access Edge Server, and
do not want your Access Edge Server to be discoverable through DNS
SRV records for multiple SIP domains in your organization, you can
use the same certificate on the external interface of your Access Edge
Server as you did on your Live Communications Server 2005 Access
Proxy.

Note
If your Access Edge Server is not discoverable through DNS
SRV records, organizations federating with your organization
must manually add your SIP domains and your Access Edge
Server FQDN in the Allow List on their Access Edge Servers.
o If you plan to enable automatic discovery of federated domains, and you
have multiple SIP domains, you must re-issue your external certificate
with each supported SIP domain configured as sip.<domain> in the
subject alternate name.
o If you use a different external FQDN for your Access Edge Server, you
must configure a new external certificate.
4. If you plan to enable external access to on-premise Web conferences, configure an
HTTP reverse proxy for use with the Web Components. (Because this step is
independent of other configuration steps it can be performed independently of the
other steps involved.)
5. Configure your internal servers to communicate with your new Access Edge Server.
Depending on whether you have a Director deployed, you make configuration
changes in one of two ways:
• If you have a Live Communications Server 2005 SP1 Director deployed, after
you deploy your Access Edge Server you can simply update your Director
settings to route external traffic to and from the new Access Edge Server.
• If you do not have a Live Communications Server 2005 SP1 Director deployed,
all your internal servers and pools are routing external traffic directly to and from
the Access Proxy. After you deploy your Access Edge Server, you must
configure your internal servers and pools to route directly to the new Access
Edge Server.
6. Configure your external firewall to point to the new external IP address of the Office
Communications Server 2007 edge servers and update any required DNS settings. At
this point, all federation, remote user access, and public IM connectivity traffic
passes through the new Office Communications Server Edge Server.
These changes are transparent to your users. If problems occur, you can simply:
• Point your Director or your internal servers and pools back to the existing Live
Communications Server 2005 SP1 Access Proxy.
• Point your firewall back to the external IP address of your Live Communications
Server 2005 SP1 Access Proxy.
Figure 1 New Access Edge Server in Your Existing Topology

7. Test your new topology by signing in as an Office Communicator 2005 user and
testing communications scenarios between internal users, remote users, federated
users, and users on a public IM network (if you use public IM connectivity).
8. If you do not use a Director, skip this step. If you use a Director, after confirming
that external traffic is flowing correctly from the new Access Edge Server to the
Live Communications Server 2005 SP1 Director, install and configure an Office
Communications Server 2007 Director so that it communicates with your new Edge
Server and configure your new Edge Server to route to the 2007 Director. Although
a Director is not required, it is strongly recommended. If problems occur, you can
simply point your Access Edge Server back to your existing Live Communications
Server 2005 SP1 Director.
At this point, your topology should now look similar to the following:
Figure 2 New Access Edge Server and Director in Your Existing Topology

Step 1 Configure DNS Records for Your Edge Servers
Before you deploy your edge server topology, you must configure the required DNS records. The
default port for external user access has changed from port 5061 to port 443. We recommend port
443 to ensure that connectivity from Office Communicator and the Live Meeting 2007 client to
the server is not blocked by any external HTTP proxy servers or firewalls that do not allow
connectivity to 5061.
To change the remote access port from 443 to 5061, you might need to make the following
changes to your existing DNS records:
• For external clients that allow Office Communications Server to configure their
connection automatically, change your DNS SRV record for _sip._tls.<domain> that
points to the external interface of the Access Edge Server to use port 443.
• If your external clients are manually configured, you might need to change the
external server name using the Group Policy object. For more information, see the
Microsoft Office Communicator 2007 Deployment Guide.
Table 2 describes the DNS records that you must configure for the external interface and the
internal interface of edge servers in the single-site edge topology and the scaled single-site edge
topology. If you are deploying a different topology, see the Microsoft Office Communications
Server 2007 Edge Server Deployment Guide. For information about configuring these DNS
records, see the documentation for your DNS server.
The following table describes the DNS records that must be configured for the external interface
and the internal interface of edge servers in the single-site edge topology.
Table 2 DNS Records for the Single-Site Edge Topology
Interface: External
Server: Collocated Access Edge Server
DNS settings:
• An external SRV record for all Access Edge Servers for
_sipfederationtls._tcp.<domain>, over port 5061 (where <domain> is the name of the
SIP domain of your organization). This SRV should point to an A record with the
external FQDN of the Access Edge Server. If you have multiple SIP domains, you need
a DNS SRV record for each domain. This SRV record supports federation and public IM
connectivity.
• A DNS SRV (service location) record for _sip._tls.<domain>, over port 443, where
<domain> is the name of your organization’s SIP domain. This SRV record must point
to the A record of the Access Edge Server. If you have multiple SIP domains, you need
a DNS SRV record for each domain. This SRV record supports external user access
through Office Communicator and the Live Meeting client.
Note: Configuring multiple SRV records for the same SIP domain is not supported. If
multiple DNS records are returned to a DNS SRV query, the Access Edge Server always
picks the DNS SRV record with the lowest numerical priority and highest numerical
weight.
• For each supported SIP domain in your organization, an external DNS A record for
sip.<domain> that points to the external interface of the Access Edge Server and
resolves to the external IP address on the firewall. If you have multiple SIP domains,
you need a DNS A record for each. If a client cannot perform an SRV record lookup to
connect to the Access Edge server, it uses this A record as a fallback.
• An external DNS A record that resolves the external FQDN of the Web Conferencing
Edge Server to its external IP address.

Server: Reverse proxy
DNS settings:
• An external DNS A record that resolves the external Web farm FQDN to the external
IP address of the reverse proxy. The client uses this record to connect to the reverse
proxy.

Interface: Internal
Server: Access Edge Server
DNS settings:
• An internal DNS A record that resolves the internal FQDN of the Access Edge Server
to its internal IP address.

The following table describes the DNS records that must be configured for the external interface
and the internal interface of edge servers in the scaled single-site edge topology.

Table 3 DNS Records for the Scaled Single-Site Edge Topology


Interface: External
Server: Access Edge Server
DNS settings:
• An external SRV record for all Access Edge Servers for
_sipfederationtls._tcp.<domain>, over port 5061 (where <domain> is the name of the
SIP domain of your organization). This SRV should point to an A record that resolves
the external FQDN of the Access Edge Server array to the VIP address used by the
Access Edge Server array on the external load balancer. If you have multiple SIP
domains, you need a DNS SRV record for each domain. This SRV record supports
federation and public IM connectivity.
• A DNS SRV (service location) record for _sip._tls.<domain>, over port 443, where
<domain> is the name of your organization’s SIP domain. This SRV record must point
to the A record of the Access Edge Server. If you have multiple SIP domains, you need
a DNS SRV record for each domain. This SRV record supports external user access
through Office Communicator and the Live Meeting client.
Note: Configuring multiple SRV records for the same SIP domain is not supported. If
multiple DNS records are returned to a DNS SRV query, the Access Edge Server always
picks the DNS SRV record with the lowest numerical priority and highest numerical
weight.
• For each supported SIP domain in your organization, an external DNS A record for
sip.<domain> that points to the external interface of the Access Edge Server and
resolves to the external IP address on the firewall. If you have multiple SIP domains,
you need a DNS A record for each. If a client cannot perform an SRV record lookup to
connect to the Access Edge server, it uses this A record as a fallback.
• An external DNS A record that resolves the external FQDN of the Web Conferencing
Edge Server array to the VIP address used by the Web Conferencing Edge Server array
on the external load balancer.

Server: Reverse proxy
DNS settings:
• An external DNS A record that resolves the external Web farm FQDN to the external
IP address of the reverse proxy. The client uses this record to connect to the reverse
proxy.

Interface: Internal
Server: Access Edge Server
DNS settings:
• An internal DNS A record that resolves the internal FQDN of the Access Edge Server
array to the virtual IP address used by the Access Edge Servers on the internal load
balancer.
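
The external record requirements in Tables 2 and 3 can be checked against a planned record set before the firewall is repointed. The following script is an added example, not part of the original guide or of Office Communications Server; the record layout, function names, and the example.com and example.net data are constructed for illustration.

```python
from collections import defaultdict

# Service labels and ports taken from the DNS tables above.
EXPECTED_PORT = {
    "_sipfederationtls._tcp": 5061,  # federation and public IM connectivity
    "_sip._tls": 443,                # external user access (Communicator, Live Meeting)
}


def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def pick_srv(records):
    """Selection rule stated in the table note: lowest priority, then highest weight."""
    return min(records, key=lambda r: (r["priority"], -r["weight"]))


def audit_domain(domain, srv_records, a_records):
    """Return the findings for one SIP domain; an empty list means compliant."""
    domain = norm(domain)
    a_names = {norm(n) for n in a_records}
    by_owner = defaultdict(list)
    for rec in srv_records:
        by_owner[norm(rec["name"])].append(rec)

    findings = []
    for service, port in EXPECTED_PORT.items():
        owner = f"{service}.{domain}"
        found = by_owner.get(owner, [])
        if not found:
            findings.append(f"{owner}: SRV record missing")
            continue
        if len(found) > 1:
            findings.append(f"{owner}: {len(found)} SRV records (not supported)")
        chosen = pick_srv(found)  # evaluate the record that would actually be used
        if chosen["port"] != port:
            findings.append(
                f"{owner}: selected SRV uses port {chosen['port']}, expected {port}")
        target = norm(chosen["target"])
        if target not in a_names:
            findings.append(f"{owner}: SRV target {target} has no A record")
    # Clients that cannot perform an SRV lookup fall back to sip.<domain>.
    if f"sip.{domain}" not in a_names:
        findings.append(f"sip.{domain}: fallback A record missing")
    return findings


def audit_zone(sip_domains, srv_records, a_records):
    """Audit every supported SIP domain; one SRV pair and one A record per domain."""
    return {norm(d): audit_domain(d, srv_records, a_records) for d in sip_domains}


# Constructed sample data: example.com is compliant, example.net still carries a
# leftover record that points at a retired host on the old port.
SAMPLE_A = {
    "sip.example.com": "192.0.2.10",
    "edge.example.com": "192.0.2.10",
}
SAMPLE_SRV = [
    {"name": "_sipfederationtls._tcp.example.com.", "priority": 0, "weight": 0,
     "port": 5061, "target": "edge.example.com."},
    {"name": "_sip._tls.example.com.", "priority": 0, "weight": 0,
     "port": 443, "target": "edge.example.com."},
    {"name": "_sipfederationtls._tcp.example.net.", "priority": 0, "weight": 0,
     "port": 5061, "target": "edge.example.com."},
    {"name": "_sip._tls.example.net.", "priority": 10, "weight": 5,
     "port": 443, "target": "edge.example.com."},
    {"name": "_sip._tls.example.net.", "priority": 10, "weight": 20,
     "port": 5061, "target": "oldproxy.example.net."},
]

if __name__ == "__main__":
    for dom, issues in audit_zone(["example.com", "example.net"],
                                  SAMPLE_SRV, SAMPLE_A).items():
        print(dom, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```
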

Step 2 Configure a Reverse Proxy


For Office Communications Server 2007, a reverse proxy, such as that provided by Microsoft
Internet Security and Acceleration (ISA) Server, is used to enable:
• External users to download meeting content for your Web conference meetings.
• Remote users to expand distribution groups.
• Remote users to download files from the Address Book Service.
This task can be performed independently of other steps in this section. For details about
deploying and configuring a reverse proxy, see the Microsoft Office Communications Server
2007 Edge Server Deployment Guide.

Step 3 Deploy a New Edge Server


If you have Live Communications Server 2005 SP1 Access Proxies deployed, you must upgrade
your edge topology first in the migration process. Deploy a new Access Edge Server and a
Director (if you used one) before migrating your server or pool. After your internal migration is
completed, you can add A/V Edge Servers and Web Conferencing Edge Servers.
If you do not have an existing Access Proxy, skip this section and proceed to Phase 2.
Before you deploy, read the Microsoft Office Communications Server 2007 Edge Server
Deployment Guide to understand the supported topologies and which one is right for your
organization. The single-site topology and the scaled single-site topology are recommended.
To deploy an edge server
1. For each Live Communications Server 2005 with SP1 Access Proxy in your
perimeter network, install and activate an Office Communications Server 2007
Access Edge Server as described in the Microsoft Office Communications Server
2007 Edge Server Deployment Guide. Configure each Access Edge Server with the
settings that are already configured on the corresponding Live Communications
Server 2005 with SP1 Access Proxy.
2. As you run the Configuration Wizard, follow the instructions in the Edge Server
Deployment Guide until you reach the Enable Features on Access Edge Server
page.
3. On the Enable Features on Access Edge Server page, select the features that you
want to enable:
• To make it possible for remote users to use this Access Edge Server to view
presence information and exchange instant messages, select the Allow remote
user to access your network check box.
• To enable federation or public IM connectivity through this Access Edge Server,
select the Enable federation check box.
4. If you selected the Enable federation check box, do one of the following:
• To use DNS to automatically locate the Access Edge Servers of your federated
partners, select the Allow discovery of federation partners using DNS check
box. This configuration is recommended. Select this setting if you used what was
called open enhanced federation in Live Communications Server 2005 with SP1.
• To enable public IM connectivity through this Access Edge Server, select the
Federation with selected public IM providers check box, and then select the
IM providers that you want to use with federated partners.
5. When you are finished, click Next.
6. On the FQDN of the Internal Next Hop Server page, if you are using a Live
Communications Server 2005 SP1 Director, enter the FQDN of the Director. If you
are not using a Director, enter the Live Communications Server 2005 SP1 server or
pool that is used as the next hop server.
7. On the Authorized Internal SIP Domains page, for each SIP domain that your
organization supports, type the name of the supported SIP domain, and then click
Add. When you have entered all the supported SIP domains, click Next.
8. On the Authorized Internal Servers page, specify each internal server that can
connect to your Access Edge Server. If you are routing all outbound traffic through a
Director, the next hop server that you specified earlier in this procedure is
automatically authorized to connect to your Access Edge Server. If you are not using
a Director, type the FQDN of each Enterprise pool and Standard Edition server in
your organization except the next hop server, clicking Add after each.
9. Click Next.
10. On the summary page, review the settings that you selected. If they are as you want
them, click Next.
11. On the wizard completion page, select the View the log when you click ‘Finish’
check box.
12. If you want to export the server settings to a configuration file so they can be
imported to another edge server (to streamline the setup of that server), click
Export, and then specify a location and name for the XML file to which you want to
save the server settings. Configure the export settings as you want them, and then
click Save.
13. Click Finish.
14. If you chose the option to view the log immediately, when the Office
Communications Server 2007 Deployment Log opens in a Web browser window,
verify that Success appears under Execution Result in the action column on the far
right side of the screen. Optionally, expand each individual task and verify that the
Execution Result shows Success for the task. When you finish, close the log
window.

Step 4 Configure Certificates on the Internal Interface of Your Edge Servers
After you have installed, activated, and configured your new Access Edge Server, you must
configure certificates on it. How you configure your certificates depends on whether your Access
Edge Server is part of an array:
• For a single-site edge topology, which has a single Access Edge Server, you need a
certificate configured on the internal interface with a subject name that matches the
internal FQDN of the edge server computer.
• For a scaled single-site edge topology, which has a load-balanced array of Access
Edge Servers, you need a certificate configured on the internal interface with a
subject name that matches the internal FQDN of the VIP address that is used by the
Access Edge Server on the internal load balancer. This certificate must be marked as
exportable on the first computer where you configure the certificate and must then be
imported on each additional computer in the Access Edge Server array.
The certificate on your internal interface of your Access Edge Server must match the DNS A
record that resolves to the internal IP address of the Access Edge Server. As explained earlier,
how you configured your new Access Edge Server determines the process you use to assign
certificates to your new edge server:
• If you used the same internal FQDN on your new Access Edge Server, you can
configure the same certificate that you used on your existing Live Communications
Server 2005 with SP1 Access Proxy. Export the certificate from your Access Proxy,
and then use the Certificate Wizard to import the certificate and assign it to the
internal interface of the edge server.
• If you used a different internal FQDN on your new Access Edge Server, you must
request a new certificate and assign it to the internal interface of the Access Edge
Server.
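
The rules above (subject name per topology, the matching internal DNS A record, one shared certificate across an array, and the choice between reusing and requesting a certificate) can be checked against an inventory before certificates are assigned. This is an added example, not part of the original guide; the inventory layout, the function names, and all host names, addresses, and thumbprint strings are constructed, and the first entry in the server list is assumed to be the computer where the certificate is first configured.

```python
def norm_fqdn(name):
    """Lower-case an FQDN and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def plan_internal_certificate(topology, internal_fqdn, old_proxy_fqdn,
                              servers, internal_a_records):
    """Return (option, findings) for the internal interface certificate.

    topology           "single" or "array"
    internal_fqdn      edge server FQDN (single) or FQDN of the VIP on the
                       internal load balancer (array)
    old_proxy_fqdn     internal FQDN of the existing Access Proxy, or None
    servers            list of dicts: name, cert_subject, thumbprint, exportable
    internal_a_records dict of internal DNS A records, name -> IP address
    """
    if topology not in ("single", "array"):
        raise ValueError("topology must be 'single' or 'array'")

    expected = norm_fqdn(internal_fqdn)
    # Same internal FQDN as the Access Proxy: reuse its certificate (Option 4.1).
    # Different internal FQDN: request a new certificate (Option 4.2).
    reuse = old_proxy_fqdn is not None and norm_fqdn(old_proxy_fqdn) == expected
    option = "4.1" if reuse else "4.2"

    findings = []
    if topology == "single" and len(servers) != 1:
        findings.append("single-site edge topology has a single Access Edge Server")
    if expected not in {norm_fqdn(n) for n in internal_a_records}:
        findings.append(f"no internal DNS A record for {expected}")

    for srv in servers:
        subject = norm_fqdn(srv["cert_subject"])
        if subject != expected:
            findings.append(f"{srv['name']}: subject {subject} does not match {expected}")

    if topology == "array":
        # Every array member must hold the same imported certificate.
        if len({srv["thumbprint"] for srv in servers}) > 1:
            findings.append("array members hold different certificates")
        # A newly requested certificate must be exportable on the first computer
        # so that it can be imported on the remaining array members.
        if not reuse and not servers[0]["exportable"]:
            findings.append(f"{servers[0]['name']}: certificate is not marked exportable")
    return option, findings


# Constructed inventories.
SINGLE = dict(
    topology="single",
    internal_fqdn="Edge-Int.example.com.",
    old_proxy_fqdn="edge-int.example.com",
    servers=[{"name": "edge01", "cert_subject": "edge-int.example.com",
              "thumbprint": "CONSTRUCTED-THUMBPRINT-A", "exportable": False}],
    internal_a_records={"edge-int.example.com": "10.0.0.5"},
)
ARRAY = dict(
    topology="array",
    internal_fqdn="edgevip.example.com",
    old_proxy_fqdn="proxy-int.example.com",
    servers=[{"name": "edge01", "cert_subject": "edgevip.example.com",
              "thumbprint": "CONSTRUCTED-THUMBPRINT-A", "exportable": True},
             {"name": "edge02", "cert_subject": "edge02.example.com",
              "thumbprint": "CONSTRUCTED-THUMBPRINT-B", "exportable": False}],
    internal_a_records={"edgevip.example.com": "10.0.0.20"},
)

if __name__ == "__main__":
    for label, inventory in (("single", SINGLE), ("array", ARRAY)):
        option, issues = plan_internal_certificate(**inventory)
        print(f"{label}: follow Option {option}; findings: {issues or 'none'}")
```
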

Option 4.1 Configuring the Certificate with the Same Internal FQDN as the Existing Access Proxy
If you are using the same internal FQDN for your Office Communications Server 2007 Access
Edge Server as the one that you used on your Live Communications Server 2005 with SP1
Access Proxy, use the following steps to set up a certificate on the internal interface for your
Office Communications Server 2007 Access Edge Server. These steps are explained in detail in
the following sections:
1. Export the certificate from your Live Communications Server 2005 SP1 Access
Proxy.
2. Import the certificate for the internal interface on the first edge server.
3. Verify that the CA (certification authority) is on the list of trusted root CAs for each
Access Edge Server.
4. If the edge server is part of an array, import the certificate on the other edge servers
in the array.
5. Assign the certificate to the internal interface of each edge server.
After you export the certificate from your Live Communications Server 2005 SP1 Access Proxy,
use the Certificate Wizard to complete most of the certificate setup procedures for the internal
interface. You can start this wizard from the Office Communications Server 2007 installation
media, as described in the following procedures, or by using the Computer Management snap-in
on your Access Edge Server.

Note
The procedures in this section are based on a Microsoft
Windows Server® 2003 Enterprise CA or a Windows Server
2003 R2 CA. For step-by-step guidance for any other CA, see
the documentation that is provided by the CA. By default, all
authenticated users have the necessary user rights to request
certificates.

Step 4.1.1 Export the certificate from your Live Communications Server 2005 SP1 Access Proxy
Use the following procedure to export the certificate from your Live Communications Server
2005 SP1 Access Proxy.
To export the certificate from your Live Communications Server 2005
SP1 Access Proxy
1. Log on to your Access Proxy as a member of the Administrators group.
2. Click Start, and then click Run. In the Open box, type mmc, and then click OK.
3. On the File menu, click Add/Remove Snap-in.
4. In the Add/Remove Snap-in dialog box, click Add.
5. In the Available Standalone Snap-ins list, select Certificates.
6. Click Add.
7. Click Computer account, and then click Next.
8. In the Select Computer dialog box, ensure that Local computer: (the computer this
console is running on) is selected, and then click Finish.
9. Click Close, and then click OK.
10. In the console tree of the Certificates console, expand Certificates (Local
Computer).
11. Expand Personal.
12. Click Certificates, and then in the result pane, right-click the certificate that is to be
used on the internal interface, point to All Tasks, and then click Export.
13. In the Export Wizard, click Next.
14. Click Yes, export the private key, and then click Next.

15. On the Export file format page, click Personal Information Exchange – PKCS
#12 (.PFX).
16. Select the Include all certificates in the certification path if possible check box.
17. Clear the Enable strong protection check box, and then click Next.
18. Complete the wizard by accepting all remaining default values and by indicating the
disk or network share where you want to save the certificate.
Step 4.1.2 Import the certificate for the internal interface on the
first edge server
Use the following procedure to import the certificate to the internal interface of your Access
Edge Server or of the first Access Edge Server in an array.

To import the certificate for the internal interface


1. Log on to your Office Communications Server 2007 Access Edge Server as a
member of the Administrators group and the RTC Local Administrators group.
2. On the Access Edge Server, insert the Office Communications Server 2007 CD, and
then click Setup.exe.
3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4:
Configure Certificates for the Edge Server, click Run to start the Certificate
Wizard.
4. On the Welcome page, click Next.
5. On the Available Certificate Tasks page, click Import a certificate from a .pfx file,
and then click Next.
6. On the Import Certificate page, type the full path and file name of the certificate
that you exported from the Access Proxy in the Path and file name box (or click
Browse to locate and select the certificate), clear the Mark cert as exportable
check box, and then click Next.
7. On the Import Certificate password page, type the password that you used when
you exported the certificate from the Access Proxy in the Password box, and then
click Next.
8. On the wizard completion page, verify successful completion, and then click Finish.
Step 4.1.3 Verify that the CA is on the list of trusted root CAs
For each Access Edge Server that you deploy, use the following procedure to verify that the CA
for the edge server is on the list of trusted root CAs.
To verify that your CA is on the list of trusted root CAs
1. On the Access Edge Server, open an MMC console: Click Start, and then click
Run. In the Open box, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in, and then click Add.
3. In the Add Standalone Snap-ins box, click Certificates, and then click Add.
4. In the Certificate snap-in dialog box, click Computer account, and then click
Next.
5. In the Select Computer dialog box, ensure that the Local computer: (the computer
this console is running on) check box is selected, and then click Finish.
6. Click Close, and then click OK.
7. In the console tree, expand Certificates (Local Computer), expand Trusted Root
Certification Authorities, and then click Certificates.
8. In the details pane, verify that your CA is on the list of trusted CAs.
Step 4.1.4 Import the certificate on subsequent Access Edge
Servers (if you are deploying an Access Edge Server array)
For each Access Edge Server that you deploy, use the following procedure to import the
certificate for an additional Access Edge Server if you are using an Access Edge Server array.
To import the certificate for the internal interface
1. Log on to your Office Communications Server 2007 Access Edge Server as a
member of the local Administrators group and the RTC Local Administrators
group.
2. Insert the Office Communications Server 2007 CD, and then click Setup.exe.
3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4:
Configure Certificates for the Edge Server, click Run to start the Certificate
Wizard.
4. On the Welcome page, click Next.
5. On the Available Certificate Tasks page, click Import a certificate from a .pfx
file, and then click Next.
6. On the Import Certificate page, type the full path and file name of the certificate
that you exported from the Access Proxy in the Path and file name box (or click
Browse to locate and select the certificate), clear the Mark cert as exportable
check box, and then click Next.
7. On the Import Certificate Password page, type the password that you used when
you exported the certificate from the Access Proxy in the Password box, and then
click Next.
8. On the wizard completion page, verify successful completion, and then click Finish.
Step 4.1.5 Assign the certificate on the Access Edge Server
For each Access Edge Server that you deploy, use the following procedure to assign the
certificate to the internal interface.
To assign the certificate to the internal interface of the edge server
1. Log on to your Office Communications Server 2007 Access Edge Server as a
member of the Administrators group and the RTC Local Administrators group.
2. On the Access Edge Server, insert the Office Communications Server 2007 CD, and
then click Setup.exe.
3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4:
Configure Certificates for the Edge Server, click Run to start the Certificate
Wizard.
4. On the Welcome page, click Next.
5. On the Available Certificate Tasks page, click Assign an existing certificate, and
then click Next.
6. On the Available Certificates page, click the certificate that you requested for the
internal interface of this edge server, and then click Next.
7. On the Available Certificate Assignments page, select the Access Edge Server
Private Interface check box (the server interface on which you want to install the
certificate), and then click Next.
8. On the Configure the Certificate(s) of Your Server page, review your settings, and
then click Next to assign the certificates.
9. On the wizard completion page, click Finish.
Option 4.2 Configuring the Certificates with a Different Internal
FQDN
If you are using a different internal FQDN for your Office Communications Server 2007 Access
Edge Server than the one that you used on your Live Communications Server 2005 SP1 Access
Proxy, use the following steps to set up a certificate on the internal interface for your Office
Communications Server 2007 Access Edge Server. These steps are explained in detail in the
following sections:
1. Download the CA certification path for the internal interface.
2. Install the CA certification path for the internal interface.
3. Verify that the CA is on the list of trusted root CAs.
4. Create the certificate request for the internal interface.
5. Import the certificate for the internal interface on the first edge server.
6. Export the certificate.
7. Import the certificate on other edge servers.
8. Assign the certificate for the internal interface to each edge server.
For most of these steps, you can use the Office Communications Server Certificate Wizard. You
can start this wizard from the Office Communications Server 2007 installation media, as
described in the following procedures, or from the Computer Management snap-in on your
Access Edge Server.

Note
The procedures in this section are based on using a Windows
Server 2003 Enterprise CA or a Windows Server 2003 R2 CA.
For step-by-step guidance for any other CA, see the
documentation that is provided by the CA. By default, all
authenticated users have the necessary user rights to request
certificates.

Step 4.2.1 Download the CA certification path for the internal interface
Use the following procedure to download the CA certification path on the internal interface of
your Access Edge Server.
To download the CA certification path for the internal interface
1. With your Enterprise root CA offline and your Enterprise subordinate (issuing) CA
Server online, log on to a server in the internal network (not the Access Edge Server)
as a member of the Administrators group.
2. Click Start, click Run, type http://<name of your Issuing CA Server>/certsrv, and
then click OK. If prompted, enter your user name and password.
3. Under Select a task, click Download a CA certificate, certificate chain, or CRL.
4. Under Download a CA Certificate, Certificate Chain, or CRL, click Download
CA certificate chain.
5. In the File Download dialog box, click Save.
6. Save the .p7b file to the hard disk on the server, and then copy it to a folder on each
Access Edge Server. Verify that the file contains all the certificates that are in the
certification path. To view the certification path, open the server certificate, and then
click the certification path.
Step 4.2.2 Import the CA certification path for the internal
interface
Use the following procedure to import the CA certification path on the internal interface of your
Access Edge Server.
To import the CA certification path for the internal interface
1. Log on to your Office Communications Server 2007 Access Edge Server as a
member of the Administrators group and the RTC Local Administrators group.
2. On the Access Edge Server, insert the Office Communications Server 2007
CD, and then click Setup.exe.
3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4:
Configure Certificates for the Edge Server, click Run to start the Certificate
Wizard.
4. On the Welcome page, click Next.
5. On the Available Certificate Tasks page, click Import a certificate chain from
a .p7b file, and then click Next.
6. On the Import Certificate Chain page, type the full path and file name of the .p7b file
in the Path and file name box (or click Browse to locate and select the file), and then
click Next.
7. Click Finish.
8. Repeat this procedure on each edge server.
Step 4.2.3 Verify that the CA is on the list of trusted root CAs
For each Access Edge Server that you deploy, use the following procedure to verify that the CA
for the edge server is on the list of trusted root CAs.
To verify that your CA is on the list of trusted root CAs
1. On the Access Edge Server, open an MMC console: Click Start, and then click
Run. In the Open box, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in, and then click Add.
3. In the Add Standalone Snap-ins box, click Certificates, and then click Add.
4. In the Certificate snap-in dialog box, click Computer account, and then click
Next.
5. In the Select Computer dialog box, ensure that the Local computer: (the
computer this console is running on) check box is selected, and then click Finish.
6. Click Close, and then click OK.
7. In the console tree, expand Certificates (Local Computer), expand Trusted Root
Certification Authorities, and then click Certificates.
8. In the details pane, verify that your CA is on the list of trusted CAs.
Step 4.2.4 Create the certificate request for the internal interface
For each Access Edge Server that you deploy, use the following procedure to create the
certificate request for the internal interface.
To create the certificate request for the internal interface
1. Log on to your Office Communications Server 2007 Access Edge Server as a
member of the local Administrators group and the RTC Local Administrators
group.
2. On the Access Edge Server, insert the Office Communications Server 2007 CD, and
then click Setup.exe.
3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4:
Configure Certificates for the Edge Server, click Run to start the Certificate
Wizard.
4. On the Welcome page, click Next.
5. On the Available Certificate Tasks page, click Create a new certificate, and then
click Next.
6. On the Select a component page, select the Edge Server Private Interface check
box, and then click Next.
7. On the Delayed or Immediate Request page, select the Prepare the request now,
but send it later check box, and then click Next.

Note
If the Enterprise CA is reachable from the edge server, you can
use the Send the request immediately to an online
certification authority option. Because this is usually not the
case, this procedure and other certificate request procedures in
this guide do not cover the use of that option.

8. On the Name and Security Settings page, type a friendly name for the certificate,
and then specify the bit length (typically, the default of 1024). Select the Mark cert
as exportable check box, and then click Next.
9. On the Organization Information page, enter the name for the organization and the
organizational unit (such as a division or department, if appropriate), and then click
Next.
10. On the Your Server’s Subject Name page, type or select the subject name and
subject alternate name of the edge server. The subject name should match the FQDN
of the edge server that is published by the internal firewall for the internal interface
on which you are configuring the certificate:
• For the internal interface of the edge server, the subject name should match the
name that your internal servers use to connect to the edge server (typically, the
FQDN of the internal interface for the edge server).
• If you are using a load balancer, the edge server traffic still uses the FQDN of the
internal edge of the server (server name). If you are using a virtual IP address for
the edge server, the certificate should match the FQDN of the virtual IP address
that is used by this server role on the internal load balancer. For the internal
interface, this is typically the published DNS name for the perimeter network
that maps to the edge server.
11. Click Next.
12. On the Geographical Information page, type the location information, and then
click Next.
13. On the Certificate Request File Name page, type the full path and name of the file
to which the request is to be saved in the File name box (or click Browse to locate
and select the file), and then click Next. A typical path and file name is
C:\certrequest_AccessEdge.txt.
14. On the Request Summary page, click Next.
15. On the wizard completion page, verify successful completion, and then click Finish.
16. Submit this file to your CA by e-mail or another method that is supported by your
organization for your Enterprise CA. When you receive the response file, copy the
new certificate to this computer so that it is available for import.
Step 4.2.5 Import the certificate on the internal interface
For each Access Edge Server that you deploy, use the following procedure to import the
certificate on the internal interface of the Access Edge Server.
To import the certificate for the internal interface
1. On the Access Edge Server on which you created the certificate request, log on as a
member of the Administrators group and the RTC Local Administrators group.
2. Insert the Office Communications Server 2007 CD, and then click Setup.exe.
3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4:
Configure Certificates for the Edge Server, click Run to start the Certificate
Wizard.
4. On the Welcome page, click Next.
5. On the Available certificate tasks page, click Process the pending request and
import the certificate, and then click Next.
6. Type the full path and file name of the certificate that you requested for the internal
interface of the edge server (or click Browse to locate and select the certificate), and
then click Next.
7. Click Finish.
Step 4.2.6 Export the certificate (if you have an Access Edge
Server array)
If you are using an Access Edge Server array, use the following procedure to export the
certificate from your Access Edge Server so that you can import it to other Access Edge Servers
in your array.
To export the certificate for the internal interface for importing to
other edge servers
1. On the edge server on which you requested and imported the certificate, log on as a
member of the Administrators group and the RTC Local Administrators group.
2. Insert the Office Communications Server 2007 CD, and then click Setup.exe.
3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4:
Configure Certificates for the Edge Server, click Run to start the Certificate
Wizard.
4. On the Welcome page, click Next.
5. On the Available Certificate Tasks page, click Export a certificate to a .pfx file,
and then click Next.
6. On the Available Certificates page, click the certificate that you imported to this
edge server in the Select a certificate list as described in the previous procedure, and
then click Next.
7. On the Export Certificate page, type the full path and file name to which you want
to export the certificate in the Path and file name box (or click Browse to locate
and specify a location and file), and then click Next.
8. On the Export Certificate Password page, type the password to be used to import the
certificate on the other edge servers in the Password box, and then click Next.
9. On the wizard completion page, verify successful completion, and then click Finish.
10. Copy the exported file to a location or media that is accessible by the other edge
servers.
Step 4.2.7 Import the certificate for additional Access Edge
Servers (if you have an Access Edge Server array)
If you are using an Access Edge Server array, use the following procedure to import the
certificate to each Access Edge Server in the array.
To import the certificate for the internal interface of each Access Edge
Server
1. On the other Access Edge Servers where you will import the certificate, log on as a
member of the Administrators group and the RTC Local Administrators group.
2. Insert the Office Communications Server 2007 CD, and then click Setup.exe.
3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4:
Configure Certificates for the Edge Server, click Run to start the Certificate
Wizard.
4. On the Welcome page, click Next.
5. On the Available Certificate Tasks page, click Import a certificate from a .pfx
file, and then click Next.
6. On the Import Certificate page, type the full path and file name of the certificate
that you exported from the first edge server in the Path and file name box (or click
Browse to locate and select the certificate), clear the Mark cert as exportable
check box, and then click Next.
7. On the Import Certificate Password page, type the password that you typed when
you exported the certificate from the first server in the Password box, and then click
Next.
8. On the wizard completion page, verify successful completion, and then click Finish.
Step 4.2.8 Assign the certificate on the internal interface of each
Access Edge Server
Use the following procedure to assign the certificate to the internal interface of each Access Edge
Server in the array.
To assign the certificate to the internal interface of the edge server
1. Log on to your Office Communications Server 2007 Access Edge Server as a
member of the Administrators group and the RTC Local Administrators group.
2. Insert the Office Communications Server 2007 CD, and then click Setup.exe.
3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4:
Configure Certificates for the Edge Server, click Run to start the Certificate
Wizard.
4. On the Welcome page, click Next.
5. On the Available Certificate Tasks page, click Assign an existing certificate, and
then click Next.
6. On the Available Certificates page, select the certificate that you requested for the
internal interface of this edge server, and then click Next.
7. On the Available Certificate Assignments page, select the Edge Server private
interface check box (the server interface on which you want to install the
certificate), and then click Next.
8. On the Configure the Certificate(s) of Your Server page, review your settings, and
then click Next to assign the certificates.
9. On the wizard completion page, click Finish.

Step 5 Configure Certificates on the External Interface of Your Access Edge Server
If you are supporting public IM connectivity, the certificate that you configure on the external
interface of your Access Edge Server must be from a public CA (certification authority). AOL®
requires the certificate for both client and server authorization. The MSN® network of Internet
services and Yahoo!® also require a certificate from a public CA, but a Web certificate is
sufficient. The CA must be on the default list of trusted root CAs that is installed on the Access
Edge Server.
Although a certificate from a public CA is not required for federation, it is strongly
recommended.

Note
It is possible to use your Enterprise subordinate CA for direct
federation, as well as for testing or trial purposes, as long as all
partners agree to trust the CA or to cross-sign the certificate.

How you configure the certificate on the external interface depends on whether you are
deploying in a single-site edge topology or a scaled single-site edge topology:
• Single-site edge topology. The subject name of the certificate must match the
external FQDN of the Access Edge Server computer. If you have multiple SIP
domains, each supported SIP domain must be entered as sip.<domain> in the Subject
Alternate Name box of the certificate. For example, if your organization supports
two domains, a.contoso.com and b.contoso.com, and the external FQDN of the
computer is sip.a.contoso.com, configure your certificate as follows:
SN=sip.a.contoso.com
SAN=sip.a.contoso.com, sip.b.contoso.com
• Scaled single-site edge topology. The subject name must match the external FQDN
of the VIP (virtual IP) address of the external load balancer that is used by the Access
Edge Server. This certificate must be marked as exportable on the first computer
where you configure the certificate, and it must then be imported onto each additional
computer in the Access Edge Server array.

Determining Whether You Need a New Certificate for the Access Edge Server
Whether you can reuse the certificate from your existing Access Proxy or obtain a new certificate
depends on how you have configured your new Access Edge Server:
• If you use the same external FQDN for your Access Edge Server that you used for
the Access Proxy that it replaces, you can use the same certificate on the external
interface of your Access Edge Server that you used on the Access Proxy.

Note
If your Access Edge Server is not discoverable through DNS SRV
records, organizations federating with your organization must
manually add your SIP domains and your Access Edge Server
FQDN in the Allow List on their Access Edge Servers.
If you enable automatic discovery and want to add additional
SIP domains to those supported in your Live Communications
Server 2005 SP1 environment, you must get a new certificate
with all the supported SIP domains in the SAN.

• If you use a different external FQDN for your Access Edge Server, you must
configure a new certificate for the external interface.
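
The naming rules for the external interface and the reuse decision above can be checked before a certificate is assigned. The following is an added example, not part of the Microsoft guide: the function names are hypothetical, the name lists are supplied by the caller (for example, read from the certificate's Subject and Subject Alternative Name fields), and the SAN rule is applied whether or not automatic discovery is enabled.

```python
# Added example (not from the Microsoft guide). Function and parameter names
# are hypothetical; the sample values are the guide's own contoso.com example.


def norm(name):
    """DNS names compare case-insensitively; drop spaces and a trailing root dot."""
    return name.strip().rstrip(".").lower()


def check_external_cert(subject_name, san, external_fqdn, sip_domains):
    """Return a list of findings; an empty list means the names satisfy the rules.

    external_fqdn is the external FQDN of the Access Edge Server, or of the
    external load balancer VIP in a scaled single-site edge topology.
    """
    findings = []
    subject = norm(subject_name)
    san_set = {norm(n) for n in san}

    # Rule 1: the subject name must match the external FQDN.
    if subject != norm(external_fqdn):
        findings.append(
            "subject name %r does not match external FQDN %r"
            % (subject_name, external_fqdn)
        )

    # Rule 2: each supported SIP domain appears as sip.<domain>.
    required = ["sip." + norm(d) for d in sip_domains]
    if len(required) > 1:
        # Multiple SIP domains: every sip.<domain> must be listed in the SAN.
        missing = [n for n in required if n not in san_set]
    else:
        # Assumption: with a single SIP domain the subject name may carry it alone.
        missing = [n for n in required if n not in san_set and n != subject]
    for name in missing:
        findings.append("SAN is missing %s" % name)
    return findings


def can_reuse_access_proxy_cert(proxy_fqdn, edge_fqdn, subject_name, san, sip_domains):
    """Decide between reusing the Access Proxy certificate and requesting a new one.

    Returns (reuse_ok, reasons). A changed external FQDN always requires a new
    certificate; an unchanged FQDN still requires one if the SAN no longer
    covers every supported SIP domain.
    """
    if norm(proxy_fqdn) != norm(edge_fqdn):
        return False, [
            "external FQDN changed from %s to %s" % (proxy_fqdn, edge_fqdn)
        ]
    findings = check_external_cert(subject_name, san, edge_fqdn, sip_domains)
    return (not findings), findings


# Constructed sample: the certificate described in the guide's example.
SUBJECT = "sip.a.contoso.com"
SAN = ["sip.a.contoso.com", "sip.b.contoso.com"]

if __name__ == "__main__":
    scenarios = [
        ("same FQDN, same domains", "sip.a.contoso.com",
         ["a.contoso.com", "b.contoso.com"]),
        ("same FQDN, c.contoso.com added", "sip.a.contoso.com",
         ["a.contoso.com", "b.contoso.com", "c.contoso.com"]),
        ("new external FQDN", "edge.a.contoso.com",
         ["a.contoso.com", "b.contoso.com"]),
    ]
    for label, edge_fqdn, domains in scenarios:
        ok, reasons = can_reuse_access_proxy_cert(
            "sip.a.contoso.com", edge_fqdn, SUBJECT, SAN, domains
        )
        print("%-32s reuse=%s %s" % (label, ok, "; ".join(reasons)))
```
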

Option 5.1 Configuring the Certificate with the Same External FQDN as the Existing Access Proxy
If you are using the same external FQDN for your Office Communications Server 2007 Access
Edge Server as the one that you used on your Live Communications Server 2005 with SP1
Access Proxy, use the following steps to set up a certificate on the external interface for your
Office Communications Server 2007 Access Edge Server. These steps are explained in detail in
the following sections.
1. Export the certificate from your Live Communications Server 2005 SP1 Access
Proxy.
2. Import the certificate for the external interface on each Access Edge Server.
3. Verify that the CA is on the list of trusted root CAs for each Access Edge Server.
4. Assign the certificate for the external interface to each edge server.
After you export the certificate from your Live Communications Server 2005 SP1 Access Proxy,
use the Certificate Wizard to complete most of the certificate setup procedures for the external
interface. You can start this wizard from the Office Communications Server 2007 installation
media, as described in the following procedures, or by using the Computer Management snap-in
on your Access Edge Server.

Note
The procedures in this section are based on a Microsoft
Windows Server 2003 Enterprise CA or a Windows Server 2003
R2 CA. For step-by-step guidance for any other CA, see the
documentation that is provided by the CA. By default, all
authenticated users have the necessary user rights to request
certificates.

Step 5.1.1 Export the certificate from your Live Communications Server 2005 SP1 Access Proxy
Use the following procedure to export the certificate from your Live Communications Server
2005 SP1 Access Proxy.

To export the certificate from your Live Communications Server 2005 SP1 Access Proxy
1. Log on to your Access Proxy as a member of the Administrators group.
2. Click Start, and then click Run. In the Open box, type mmc, and then click OK.
3. On the File menu, click Add/Remove Snap-in.
4. In the Add/Remove Snap-in dialog box, click Add.
5. In the Available Standalone Snap-ins list, select Certificates.
6. Click Add.
7. Click Computer account, and then click Next.
8. In the Select Computer dialog box, ensure that Local computer: (the computer this
console is running on) is selected, and then click Finish.
9. Click Close, and then click OK.
10. In the console tree of the Certificates console, expand Certificates (Local
Computer).
11. Expand Personal.
12. Click Certificates, right-click the certificate that is to be used on the external
interface in the result pane, point to All Tasks, and then click Export.
13. In the Export Wizard, click Next.
14. Click Yes, export the private key, and then click Next.
15. On the Export File Format page, click Personal Information Exchange – PKCS
#12 (.PFX).
16. Select the Include all certificates in the certification path if possible check box.
17. Clear the Enable strong protection check box, and then click Next.
18. Complete the wizard by accepting all remaining default values and by indicating the
disk or network share where you want to save the certificate.
Step 5.1.2 Import the certificate for the external interface of
each Access Edge Server
Use the following procedure to import the certificate to the external interface of your Access
Edge Server or of each Access Edge Server in an array.
To import the certificate for the external interface
1. Log on to your Office Communications Server 2007 Access Edge Server as a
member of the Administrators group and the RTC Local Administrators group.
2. On the Access Edge Server, insert the Office Communications Server 2007 CD, and
then click Setup.exe.
3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4:
Configure Certificates for the Edge Server, click Run to start the Certificate
Wizard.
4. On the Welcome page, click Next.
5. On the Available Certificate Tasks page, click Import a certificate from a .pfx file,
and then click Next.
6. On the Import Certificate page, type the full path and file name of the certificate
that you exported from the Access Proxy in the Path and file name box (or click
Browse to locate and select the certificate), clear the Mark cert as exportable
check box, and then click Next.
7. On the Import Certificate Password page, type the password that you used when
you exported the certificate from the Access Proxy in the Password box, and then
click Next.
8. On the wizard completion page, verify successful completion, and then click Finish.
Step 5.1.3 Verify that the CA is on the list of trusted root CAs
For each Access Edge Server that you deploy, use the following procedure to verify that the CA
for the edge server is on the list of trusted root CAs.
To verify that your CA is on the list of trusted root CAs
1. On the Access Edge Server, open an MMC console: Click Start, and then click
Run. In the Open box, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in, and then click Add.
3. In the Add Standalone Snap-ins box, click Certificates, and then click Add.
4. In the Certificate snap-in dialog box, click Computer account, and then click
Next.
5. In the Select Computer dialog box, ensure that the Local computer: (the
computer this console is running on) check box is selected, and then click Finish.
6. Click Close, and then click OK.
7. In the console tree, expand Certificates (Local Computer), expand Trusted Root
Certification Authorities, and then click Certificates.
8. In the details pane, verify that your CA is on the list of trusted CAs.
Step 5.1.4 Assign the certificate on the Access Edge Server
For each Access Edge Server that you deploy, use the following procedure to assign the
certificate to the external interface.
To assign the certificate to the external interface of the edge server
1. Log on to your Office Communications Server 2007 Access Edge Server as a
member of the Administrators group and the RTC Local Administrators group.
2. On the Access Edge Server, insert the Office Communications Server 2007 CD, and
then click Setup.exe.
3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4:
Configure Certificates for the Edge Server, click Run to start the Certificate
Wizard.
4. On the Welcome page, click Next.
5. On the Available Certificate Tasks page, click Assign an existing certificate, and
then click Next.
6. On the Available Certificates page, select the certificate that you requested for the
external interface of this edge server, and then click Next.
7. On the Available Certificate Assignments page, select the Access Edge Server
Public Interface check box (the server interface on which you want to install the
certificate), and then click Next.
8. On the Configure the Certificate(s) of Your Server page, review your settings, and
then click Next to assign the certificates.
9. On the wizard completion page, click Finish.

Option 5.2 Configuring the Certificates on the Access Edge Server External Interfaces When New Certificates Are Required
To set up a certificate for the external interface of an Access Edge Server, complete the following
steps. These steps are explained in detail in the following sections.
1. Create the certificate request for the external interface of the edge server.
2. Submit the request to your public CA.
3. Import the certificate for the external interface of each edge server.
4. Assign the certificate for the external interface of each edge server.
Step 5.2.1 Create the certificate request
For each Access Edge Server that you deploy, use the following procedure to create a certificate
request for the external interface.
To create the certificate request for the external interface
1. Log on to your Office Communications Server 2007 Access Edge Server as a
member of the Administrators group and the RTC Local Administrators group.
2. On the Access Edge Server, insert the Office Communications Server 2007 CD, and
then click Setup.exe.
3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4:
Configure Certificates for the Edge Server, click Run to start the Certificate
Wizard.
4. On the Welcome page, click Next.
5. On the Available Certificate Tasks page, click Create a new certificate, and then
click Next.
6. On the Select a component page, select the Access Edge Server Public Interface
check box, and then click Next.
7. On the Delayed or Immediate Request page, select the Prepare the request now,
but send it later check box, and then click Next.

Note
If the Enterprise CA is reachable from the edge server, you can
use the Send the request immediately to an online
certification authority option. Because this is usually not the
case, this procedure and other certificate request procedures in
this guide do not cover the use of that option.
8. On the Name and Security Settings page, type a friendly name for the certificate,
specify the bit length (typically, the default of 1024), select the Mark cert as
exportable check box, and then click Next.
9. On the Organization Information page, type the name for the organization and the
organizational unit (such as a division or department, if appropriate), and then click
Next.
10. On the Your Server’s Subject Name page, type or select the subject name and
subject alternate name of the edge server:
• The subject name should match the FQDN of the server that is published by the
external firewall for the external interface on which you are configuring the
certificate. For the external interface of the Access Edge Server, this certificate
subject name should be sip.<domain>.
• If multiple SIP domain names exist and they do not appear in the Subject
alternate name box, type the name of each additional SIP domain as
sip.<domain>, separating names with a comma. Domains entered during
configuration of the Access Edge Server are automatically added to this box.
11. Click Next.
12. On the Geographical Information page, type the location information, and then
click Next.
13. On the Certificate Request File Name page, type the full path and name of the file
to which the request is to be saved in the File name box (or click Browse to locate
and select the file), and then click Next. A typical path and file name is
C:\certrequest_AccessEdge.txt.
14. On the Request Summary page, click Next.
15. On the wizard completion page, verify successful completion, and then click Finish.
16. Submit this file to your CA by e-mail or another method that is supported by your
organization for your Enterprise CA. When you receive the response file, copy the
new certificate to this computer so that it is available for import.
Step 5.2.2 Submit the request to your public CA
Use the following procedure to submit a request to your public CA.
To submit a request to a public certification authority
1. Open the output file.
2. Copy and paste the contents of the certificate signing request (CSR) into the
appropriate text box, beginning with:
-----BEGIN NEW CERTIFICATE REQUEST-----
and ending with:
-----END NEW CERTIFICATE REQUEST-----
3. If you are prompted, select the following options:
• Microsoft as the server platform
• IIS as the version
• Web Server as the usage type
• PKCS7 as the response format
4. When the public CA has verified your information, you receive an e-mail message
containing text that is required for your certificate.
5. Copy the text from the e-mail message to a text file (.txt) on your local computer and
note the file name and location for later.
6. Download the root CA chain of the public CA, and then install it on the local
computer store of each edge server.
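
An added example (not part of the Microsoft guide) of a check to run on the request text before pasting it in step 2: it confirms that both markers are intact and that the Base64 body decodes to one complete DER SEQUENCE, which catches a truncated or mangled copy. The function names are hypothetical, and the sample is a constructed placeholder structure, not a real certificate request; the check does not verify the request's signature or contents.

```python
# Added example (not from the Microsoft guide). Names are hypothetical.
import base64

BEGIN = "-----BEGIN NEW CERTIFICATE REQUEST-----"
END = "-----END NEW CERTIFICATE REQUEST-----"


def der_total_length(der):
    """Return the encoded size announced by the outer DER SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("body does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:
        # Short form: the length fits in one byte.
        return 2 + first
    count = first & 0x7F
    if count == 0 or count > 4 or len(der) < 2 + count:
        raise ValueError("unsupported or truncated DER length field")
    # Long form: the next `count` bytes hold the content length.
    return 2 + count + int.from_bytes(der[2:2 + count], "big")


def extract_csr(text):
    """Return the DER bytes of the request found in text, or raise ValueError.

    Text before BEGIN and after END (for example, an e-mail body) is ignored.
    """
    start = text.find(BEGIN)
    end = text.find(END)
    if start == -1 or end == -1 or end < start:
        raise ValueError("BEGIN or END marker is missing or damaged")
    body = "".join(text[start + len(BEGIN):end].split())
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("request body is not valid Base64: %s" % exc)
    announced = der_total_length(der)
    if announced != len(der):
        raise ValueError(
            "request is truncated or padded: header says %d bytes, got %d"
            % (announced, len(der))
        )
    return der


def constructed_request():
    """Build a placeholder request: a DER SEQUENCE wrapping 200 filler bytes."""
    der = b"\x30\x81\xc8" + bytes(range(200))
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN] + lines + [END]) + "\n"


SAMPLE = constructed_request()

if __name__ == "__main__":
    print("complete request: %d DER bytes" % len(extract_csr(SAMPLE)))
    rows = SAMPLE.splitlines()
    truncated = "\n".join(rows[:-2] + rows[-1:])  # last Base64 line lost in copying
    try:
        extract_csr(truncated)
    except ValueError as exc:
        print("truncated request rejected: %s" % exc)
```
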

Note
Appendix B provides an example of a certificate request and a
sample procedure for requesting a certificate from a public CA.

Step 5.2.3 Import the certificate on the external interface


For each Access Edge Server that you deploy, use the following procedure to import the
certificate on the external interface of your Access Edge Server.

To import the certificate for the external interface


1. Log on to your Office Communications Server 2007 Access Edge Server as a
member of the Administrators group and the RTC Local Administrators group.
2. Insert the Office Communications Server 2007 CD, and then click Setup.exe.
3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4:
Configure Certificates for the Edge Server, click Run to start the Certificate
Wizard.
4. On the Welcome page, click Next.
5. On the Available certificate tasks page, click Process the pending request and
import the certificate, and then click Next.
6. Type the full path and file name of the certificate that you requested for the external
interface of the edge server (or click Browse to locate and select the certificate), and
then click Next.
7. Click Finish.
Step 5.2.4 Assign the certificate to the external interface of
your Access Edge Server
For each Access Edge Server that you deploy, use the following procedure to assign the
certificate to the external interface.
To assign the certificate to the external interface of the edge server
1. Log on to your Office Communications Server 2007 Access Edge Server as a
member of the Administrators group and the RTC Local Administrators group.
2. Insert the Office Communications Server 2007 CD, and then click Setup.exe.
3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4:
Configure Certificates for the Edge Server, click Run to start the Certificate
Wizard.
4. On the Welcome page, click Next.
5. On the Available Certificate Tasks page, click Assign an existing certificate, and
then click Next.
6. On the Available Certificates page, select the certificate that you requested for the
external interface of this edge server, and then click Next.
7. On the Available Certificate Assignments page, select the external interface where
you want to install the certificate, and then click Next.
8. Review your settings, and then click Next to assign the certificates.
9. On the wizard completion page, click Finish.

Step 6 Start Services


After you have set up the edge servers and load balancers, you need to start the Office
Communications Server 2007 services on each edge server.

Note
The following steps detail how to start services by using the
Deployment Wizard, but you can also start services from the
Office Communications Server 2007 administrative snap-in. For
details, see the Microsoft Office Communications Server 2007
Administration Guide.

To start the services


1. Log on to your Office Communications Server 2007 Access Edge Server as a
member of the Administrators group.
2. Insert the Office Communications Server 2007 CD, and then click Setup.exe.
3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 6: Start
Services, click Run.
4. On the Welcome page, click Next.
5. On the Ready to Start Office Communications Server 2007 Services page, review
the list of services, and then click Next to start the services.
6. When the services have started and the wizard has completed, verify that the View
the log when you click ‘Finish’ check box is selected, and then click Finish.
7. When the Office Communications Server 2007 Deployment Log opens in a Web
browser window, verify for each task that Success appears under Execution Result
in the action column. Optionally, expand each individual task and verify that the
Execution Result shows Success for the task. When you finish, close the log
window.

Step 7 Configure Federation on Your Access Edge Server
If you intend for your Office Communications Server deployment to support federation, you
must configure federation support on your Access Edge Server. How you configure federation
depends on the type of federation you want to support. For step-by-step instructions about
configuring federation, see the Microsoft Office Communications Server 2007 Administration
Guide.
• If you want to support what was called direct federation in Live Communications
Server 2005 with SP1, then for each federated partner you must add the federated
domain and the FQDN of your federated partner’s 2007 Access Edge Server or 2005
Access Proxy to the Allow tab on your Access Edge Server.
• If you want to support what was called open enhanced federation in Live
Communications Server 2005 SP1, this configuration is set up automatically when
you select Allow discovery of federation partners.
• If you want to support what was called restricted enhanced federation, you need to
add any legitimate federated partner domains to the Allow tab on your Access Edge
Server.

Note
In Office Communications Server 2007, any federated
connection that is not configured on the Allow tab is actively
monitored for higher than average activity. Any partners that
are not explicitly configured on the Allow tab are subject to
connection throttling if their federated activity with your
organization exceeds some preset limits. It is recommended
that you always add trusted federated partners to your Allow
tab. For more information about how connection throttling
works, see the Microsoft Office Communications Server 2007
Administration Guide.

To configure trusted federated partners


1. Log on to your Office Communications Server 2007 Access Edge Server as a
member of the Administrators group and the RTC Local Administrators group.
2. Open Computer Management. Right-click My Computer, and then click Manage.
3. In the console tree, expand Services and Applications, right-click Microsoft Office
Communications Server 2007, and then click Properties.
4. On the Access Methods tab, select the Federate with other domains check box and
the Allow discovery of federation partners check box.
5. To add trusted partners, click the Allow tab, and then click Add.
6. In the Add Federated Partner dialog box, do one of the following:
• To add a trusted partner domain if you are using DNS-based discovery, type the
name of the federated partner domain in the Federated partner domain name
box.
• To configure the equivalent of a direct federation partner, type the name of the
federated partner domain in the Federated partner domain name box. In the
Federated partner Access Edge Server box, type the FQDN of the federated
partner’s Access Edge Server.
7. Repeat steps 5 and 6 for each federated partner that you want to add to your Allow
list.

Step 8 Configure Your Internal Environment to Use the New Edge Server
If your Access Edge Server uses a different FQDN than the Live Communications Server 2005
with SP1 Access Proxy that it replaces, you must configure your internal environment for the
new FQDN. If you are using the same internal FQDN for your Edge Server as the one that you
used for your previous Live Communications Server 2005 SP1 Access Proxy, skip to “Step 9:
Change Your Firewall Settings or DNS Settings to Use the IP Address of Your New Access
Edge Server.” To configure your internal environment for the new FQDN, complete the following steps:
1. Add the Access Edge Server to the list of trusted servers in the global settings of the
Active Directory.
2. Identify the Access Edge Server as the next hop server for outbound traffic from
your Director or from internal servers.

Step 8.1 Add the Access Edge Server to the Trusted Server List
or Update Your Internal Firewall Setting
If you use an internal firewall between your internal servers and your Access Edge Server, the
global properties in Active Directory route traffic to your internal firewall. In that case, you
simply change the internal firewall setting to point to the internal IP address of your new Access
Edge Server; you do not need to update global properties.
For specific firewall procedures, see your firewall documentation.
If you use a different FQDN on the internal interface of your Office Communications Server
2007 Access Edge Server, you must add this server to the Trusted Access Proxy list in Active
Directory so that Live Communications Servers within your forest accept messages from the
Access Edge Server.
To add the Access Edge Server to the trusted server list
1. Log on to an internal Live Communications Server 2005 with SP1 that is joined to
an Active Directory domain or log on to a computer that has the Live
Communications Server 2005 SP1 Administrative Tools installed, as a member of
the RTCDomainServerAdmin group.
2. Click Start, point to All Programs, point to Administrative Tools, and then click
Live Communications Server 2005.
3. Expand Microsoft Live Communications Server 2005.
4. Right-click the forest node, and then click Properties.
5. On the Access Proxy tab, click Add.
6. In the Access Proxy address box, type the FQDN (fully qualified domain name) of
your Access Edge Server, and then click OK.

Step 8.2 Identify Your Access Edge Server as the Next Hop
Server for Your Director or Internal Servers
How you identify your Access Edge Server as the next hop for external traffic depends on
whether your environment includes a Director. Use the appropriate option for your environment:
• Option 1: If you are using a Director to route all external traffic to and from the
Access Edge Server, you must update the next hop server on the Director.
• Option 2: If you are not using a Director, use the procedure immediately following
this one to configure the Access Edge Server as the FQDN to which all internal
servers route external traffic.
Option 1: To configure the Director to route to the Access Edge Server
1. Log on to an internal Live Communications Server 2005 SP1 server that is a member
of an Active Directory domain, or log on to a computer that has the Live
Communications Server 2005 with SP1 Administrative Tools installed, as a member
of the RTCDomainServerAdmin and RTCUniversalServerAdmins groups.
2. Click Start, point to All Programs, point to Administrative Tools, and then click
Live Communications Server 2005.
3. In the console tree, expand Microsoft Office Live Communications Server 2005.
4. Expand the forest node.
5. Expand subsequent nodes under the Domains node until you reach the domain in
which your Director resides.
6. Expand the Live Communications servers and pools node.
7. Right-click the Director, and then click Properties.
8. On the Federation tab, type the FQDN of the Access Edge Server in the Network
address box.
9. In the Port number box, accept the default port of 5061 unless you are using a
different port number for the Access Edge Server. (It is recommended that you use
port 5061.)
Option 2: To configure your internal servers to route to the Access
Edge Server
1. Log on to an internal Live Communications Server 2005 SP1 server that is a member
of an Active Directory domain, or log on to a computer that has the Live
Communications Server 2005 with SP1 Administrative Tools installed, as a member
of the RTCDomainServerAdmin and RTCUniversalServerAdmins groups.
2. Click Start, point to All Programs, point to Administrative Tools, and then click
Live Communications Server 2005.
3. Right-click the forest node, and then click Properties.
4. Click the Federation tab.
5. In the Network address box, enter the FQDN of the new Access Edge Server.

Step 9 Change Your Firewall Settings or DNS Settings to Use the IP Address of Your New Access Edge Server
After you have configured your internal Live Communications Server 2005 SP1 topology to use
the new Access Edge Server, change your external firewall settings to point to the new Access
Edge Server.

Important
During this step, there are service interruptions to your users.

Changing Your Firewall Settings


Update your firewall settings as follows:
1. Change the external firewall setting to point to the external IP address of your new
Access Edge Server.
2. Do one of the following:
• If you used the same internal FQDN as your Live Communications Server 2005
SP1 Access Proxy on your new Access Edge Server, change the internal firewall
setting to point to the internal IP address of the Access Edge Server.
• If you used a different internal FQDN from the Live Communications Server
2005 SP1 Access Proxy on your new Access Edge Server, update your firewall
rules to point to the new FQDN of your Access Edge Server.
For details about changing firewall settings, see the documentation for your firewall.

Changing DNS Settings


If your organization has a firewall between the internal interface of the Access Edge Server and
your internal servers and you used the same internal FQDN for your Access Edge Server as you
did for your Access Proxy, you do not need to update DNS records.
If your organization does not have an internal firewall or you used a different internal FQDN for
your Access Edge Server than you used for the existing Access Proxy, the Director or the next
hop server used by the Access Edge Server needs to distinguish the new Access Edge Server
from the Access Proxy. To enable this behavior, you must:
1. Modify or create a DNS A record for the internal FQDN of the Access Proxy so that
it resolves to the internal IP address of the new Access Edge Server.
2. Do one of the following:
• If you are using a Director, flush the DNS cache on the Director by running
ipconfig /flushdns from a command line and then restart the Live
Communication service (rtcsrv) on your Director.
• If you are not using a Director, flush the DNS cache on each internal Live
Communications Server by running ipconfig /flushdns from a command line
and then restart the Live Communication service (rtcsrv) on all your internal
Live Communications Servers.

Step 10 Validate the Configuration of Your Access Edge Server
Office Communications Server 2007 includes the Validation Wizard, which you can run on each
individual Access Edge Server to verify its configuration and connectivity. Later, you can run the
Validation Wizard on a new Standard Edition server or Enterprise Edition pool to verify that it
can communicate with your Access Edge Server.

Note
If you change the external DNS A record for your Access Edge
Server and you have enabled public IM connectivity, you must
update your provisioning information as described at
http://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=provision.

To validate the configuration of your Access Edge Server


1. Log on to the Office Communications Server 2007 Access Edge Server as a member
of the Administrators group and the RTC Local Administrators group.
2. Open Computer Management: Right-click My Computer, and then click Manage.
3. In the console tree, expand Services and Applications.
4. Click Microsoft Office Communications Server 2007.
5. In the details pane, expand Validation, and then click Edge Server.
6. On the Welcome page of the Validation Wizard, click Next.
7. On the Validation steps page, select the options to validate local configuration and
connectivity, and then clear the option to validate SIP logon.
8. To validate that the server on which you are running is configured correctly, select
the Validate Local Server Configuration check box.
9. To verify that the server has connectivity to your internal servers, select the
Validate Connectivity check box.
10. Clear the Validate SIP Logon (1-Party) and IM (2-Party) check boxes.
11. Click Next.
12. On the Federation and Public IM Connectivity page, select the Test connectivity
of internal and federated users check box, click SIP accounts for federated
users, type the name of a federated user account to use as a test case, and then click
Next.
13. On the wizard completion page, verify that the View the log file results when you
click ‘Finish’ check box is selected, and then click Finish to exit.
14. When the Office Communications Server 2007 Deployment Log opens in a Web
browser window, verify that Success appears under Execution Result in the action
column. Optionally, expand each individual task and verify that the Execution
Result shows Success for the task. When you finish, close the log window.

Step 11 Test Connectivity Between Remote Users, Federated Users and Public IM Connectivity
Test your new topology by signing in remotely as an Office Communicator 2005 user and
confirming that you can communicate with:
• An internal user.
• A federated user.
• Another remote user.
• A user on a public IM network (if you use public IM connectivity).

Note
If you change the external DNS A record for your Access Edge
Server and have enabled public IM connectivity, you must
update your provisioning information as described at
http://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=provision.

If there is a problem with connectivity, you can simply redirect your firewall to your existing
Live Communications Server 2005 SP1 Access Proxy to avoid an extended outage. To do so,
follow the procedure outlined in Step 9 Change Your Firewall Settings or DNS Settings to Use
the IP Address of Your New Access Edge Server, but point to the Live Communications Server
2005 with SP1 Access Proxy.

Step 12 Deploy an Office Communications Server 2007 Director (optional)
Even if your current deployment does not use a Director, you can install one as part of the
migration process. To enhance security, it is highly recommended that you use a Director if you
are supporting any remote users, whether from your own organization or from federated partners.
If you do not use a Director, skip to Step 13 Remove Your Live Communications Server 2005
SP1 Director and Access Proxy.
To introduce an Office Communications Server 2007 Director into your topology, use the
following steps. These steps are explained in detail in the following sections.
1. Prepare Active Directory for Office Communications Server. If you are planning on
a period of coexistence, remember that you must prepare each domain hosting Live
Communications Server 2005 SP1 servers and users for Office Communications
Server 2007.
2. Deploy a new Office Communications Server 2007 Enterprise pool or Standard
Edition server.
3. Deactivate the unnecessary roles on the Director for a Standard Edition Director.
4. Deactivate the Address Book Server.
5. Verify that User Replicator completes successfully.
6. Configure Office Communications Server as a new Director.
7. Configure your Access Edge Server to use the new Director.
8. Test connectivity between your Access Edge Server and new Director.
9. Test connectivity between remote users, federated users, and public IM connectivity.

Step 12.1 Prepare Active Directory for Office Communications Server 2007
For information about preparing the Active Directory Domain Services for Office
Communications Server 2007, see the Microsoft Office Communications Server 2007 Active
Directory Guide. Every domain that contains Live Communications Server 2005 SP1 users or
servers must be prepared for Office Communications Server 2007.

Step 12.2 Deploy an Office Communications Server 2007 Enterprise Pool or Standard Edition Server
To add an Office Communications Server 2007 Director, deploy a new Office Communications
Server 2007 Enterprise pool or Standard Edition server that you will later manually configure as
a Director.
To deploy an Office Communications Server 2007 Enterprise pool or
Standard Edition server that will be used as a Director
1. Deploy an Office Communications Server 2007 Enterprise pool or Standard Edition
server as described in the Microsoft Office Communications Server 2007 Enterprise
Edition Deployment Guide or the Microsoft Office Communications Server 2007
Standard Edition Deployment Guide. When you run the Configure Pool or Server
Wizard as part of the deployment, do the following:
• On the Client Logon Settings page, ensure that the Use this server or pool to
authenticate and redirect automatic client logon requests check box is
cleared. This is the default setting. Manually configure this server or pool as the
Director later.
• On the External User Access Configuration page, click Do not configure for
external user access now. Manually configure this server or pool to connect to
your Edge Server later.
2. Continue with the deployment as follows:
• For a Standard Edition server Director, continue with deployment by running all
subsequent procedures as documented in the Microsoft Office Communications
Server 2007 Standard Edition Deployment Guide.
• For an Enterprise pool Director, continue the instructions for deploying a pool in
the expanded configuration in the Microsoft Office Communications Server 2007
Enterprise Edition Deployment Guide, but add only Front End Servers to the
pool. You must still run all other deployment steps.

Step 12.3 Deactivate the Unnecessary Roles on the Director on Standard Edition Director
Use the following procedure to deactivate the unnecessary roles for a Director on your Standard
Edition Server.
To deactivate the roles that are not required for a Standard Edition
server Director
1. Log on to the Director as a member of the Administrators group and of the
RTCUniversalServerAdmins group.
2. Open the Office Communications Server 2007 Administration tools: Click Start,
point to All Programs, point to Administrative Tools, and then click Office
Communications Server 2007.
3. Do one of the following:
• For a Standard Edition server, expand Standard Edition Servers, and then
expand the Standard Edition that you just deployed:
1. Right-click the FQDN of the server, point to Deactivate, click Web
Conferencing Server, and then complete the wizard.
2. Right-click the FQDN of the server, point to Deactivate, click A/V
Conferencing Server, and then complete the wizard.
3. Right-click the FQDN of the server, point to Deactivate, click Web
Components Server, and then complete the wizard.
• For an Enterprise pool, expand Enterprise pools, and then expand the pool that
you just deployed:
1. Expand Web Conferencing, right-click the FQDN of the server, point to
Deactivate, click Web Conferencing Server, and then complete the wizard.
2. Expand A/V Conferencing, right-click the FQDN of the server, point to
Deactivate, click A/V Conferencing Server, and then complete the wizard.
3. Expand Web Components, right-click the FQDN of the server, point to
Deactivate, click Web Components Server, and then complete the wizard.

Step 12.4 Deactivate Address Book Server


On both Standard Edition server and Enterprise pool Directors, deactivate the Address Book
Server.
To deactivate the Address Book Server
1. For a Standard Edition Director, log on to a Standard Edition server; for an
Enterprise pool Director, log on to one of the Enterprise Edition servers in the pool.
Log on as a member of the RTCUniversalServerAdmins group or of a group that
has equivalent privileges.
2. Open a command prompt window: Click Start, and then point to Run. In the Open
box, type cmd, and then click OK.
3. At the command prompt, type wbemtest.
4. Click Connect.
5. In the Namespace box, type root\cimv2, and then click Connect.
6. Click Enum Classes, and then click OK.
7. Double-click MSFT_SIPAddressBookSetting.
8. Click Instances.
9. Double-click your SQL Server™ database instance.
10. Double-click the OutputLocation property.
11. In the Value field, click Null.
12. Click Save Property.
13. Click Save Object.
14. Click Close.
15. Click Close again, and then click Exit to close wbemtest.

Step 12.5 Verify that User Replicator Completed Successfully


If you deployed a new Office Communications Server 2007 Director, User Replicator must
complete successfully to synchronize the latest user data so that the Director can route
communications to the appropriate server or pool where users are hosted. Before you use the
Office Communications Server 2007 that you deployed as a Director, you must verify that User
Replicator has completed the first replication cycle on the server for all the domains in your
environment.
In an Enterprise pool, only one server in the pool is assigned the role of User Replicator. To
determine which server in the pool runs User Replicator, use the Dbanalyze tool as described in
the following procedures. Dbanalyze is available in the Office Communications Server 2007
Resource Kit, which you can install by using the Office Communications Server 2007
Deployment Wizard.
To verify that User Replicator completed on an Office Communications
Server 2007 Standard Edition server Director
1. Log on to the server as a member of the Administrators group.
2. Open Event Viewer: Click Start, point to All Programs, point to Administrative
Tools, and then click Event Viewer.
3. In the console tree, click Office Communications Server.
4. In the details pane, look for an event with OCS User Replicator as the source and
the event ID 30024. The event should display the following text:
User Replicator has completed initial synchronization of domain <domain
name> (DN: <distinguished name>) and the database. Future synchronization
for this domain will occur as changes are made in Active Directory.
Check this event for all the domains that have users enabled for Office Communications
Server 2007. If you do not find event ID 30024, check for error events that have Office
Communications Server User Replicator as the source to help identify any failure to
synchronize the users in the domain in which Live Communications Server is deployed.
To verify that User Replicator completed in an Office Communications
Server Enterprise pool Director
1. Log on to Office Communications Server 2007 Back-End Database as a member of
the Administrators group for the Office Communications Server Back-End
Database.
2. Use the Dbanalyze tool in the Office Communications Server 2007 Resource Kit
Tools to determine which server in the pool is assigned as the User Replicator. Open
a command window: Click Start, and then click Run. In the Open box, type cmd,
and then click OK. At the command prompt, type the following:
Dbanalyze.exe /report:diag /sqlserver:<the SQL server instance>
The report that is generated shows which server within the pool is assigned as the User
Replicator. In the following example report, server03 is assigned the user replication task:
TaskName                  Fqdn
-----------------         -------
Endpoint Expiration       server01.contoso.com
Subscription Expiration   server02.contoso.com
User Replication          server03.contoso.com
Nightly Maintenance       server04.contoso.com


3. Log on to the server that is assigned as the User Replicator as a member of the
Administrators group.
4. Open Event Viewer: Click Start, point to All Programs, point to Administrative
Tools, and then click Event Viewer.
5. In the console tree, click Office Communications Server.
6. In the details pane, look for an event with OCS User Replicator as the source and
the event ID 30024. The event should display the following text:
User Replicator has completed initial synchronization of domain <domain
name> (DN: <distinguished name>) and the database. Future synchronization
for this domain will occur as changes are made in Active Directory.
7. Verify that this event is logged for all the domains that have users enabled for Office
Communications Server 2007. If you do not find event ID 30024, check for error
events that have OCS User Replicator as the source to help identify any failure to
synchronize the users in the domain in which Live Communications Server is
deployed. If User Replicator fails, an event is posted to the log.
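The checks in these two procedures (and in the matching procedures of Step 2.3) can be run over a saved Dbanalyze report and exported event records. The following Python code is an added example, not part of the original guide or of the Resource Kit; the function names, the record fields (source, event_id, type, message) and all sample data are constructed assumptions.

```python
import re

# Message template quoted in the guide for event ID 30024:
# "... completed initial synchronization of domain <domain name>
#  (DN: <distinguished name>) and the database."
SYNC_DONE = re.compile(
    r"completed initial synchronization of domain\s+(?P<domain>\S+)\s+"
    r"\(DN:\s*(?P<dn>[^)]*)\)",
    re.IGNORECASE,
)
# The guide names the event source in both of these forms.
UR_SOURCES = {"ocs user replicator", "office communications server user replicator"}


def user_replicator_host(report_text):
    """Return the FQDN listed for the User Replication task, or None."""
    for line in report_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        # Task names contain spaces; the FQDN is the last column.
        task, fqdn = " ".join(parts[:-1]), parts[-1]
        if task.lower().startswith("user replication"):
            return fqdn
    return None


def replication_status(events, expected_domains):
    """Report which expected domains have logged event 30024."""
    synchronized, errors = {}, []
    for ev in events:
        if ev["source"].strip().lower() not in UR_SOURCES:
            continue  # ignore events from any other source
        if ev["event_id"] == 30024:
            # Event text wraps in exports, so collapse whitespace first.
            match = SYNC_DONE.search(" ".join(ev["message"].split()))
            if match:
                domain = match.group("domain").lower().rstrip(".")
                synchronized[domain] = match.group("dn").strip()
        elif ev["type"].lower() == "error":
            errors.append(ev)
    missing = sorted(
        d.lower() for d in expected_domains if d.lower() not in synchronized
    )
    return {"synchronized": synchronized, "missing": missing,
            "errors": errors, "ready": not missing}


# Constructed sample input, modelled on the example report in the guide.
SAMPLE_REPORT = """\
TaskName                                 Fqdn
-----------------                        -------
Endpoint Expiration                      server01.contoso.com
Subscription Expiration                  server02.contoso.com
User Replication / Address Book Server   server03.contoso.com
Focus Maintenance                        server04.contoso.com
"""

# Constructed event records; event_id 0 is a placeholder, not a real OCS event ID.
SAMPLE_EVENTS = [
    {"source": "OCS User Replicator", "event_id": 30024, "type": "Information",
     "message": "User Replicator has completed initial synchronization of domain "
                "contoso.com\n(DN: DC=contoso,DC=com) and the database. Future "
                "synchronization\nfor this domain will occur as changes are made "
                "in Active Directory."},
    {"source": "OCS User Replicator", "event_id": 0, "type": "Error",
     "message": "Constructed error text for domain emea.contoso.com."},
    {"source": "Constructed Other Source", "event_id": 30024, "type": "Information",
     "message": "User Replicator has completed initial synchronization of domain "
                "emea.contoso.com (DN: DC=emea,DC=contoso,DC=com) and the database."},
]

if __name__ == "__main__":
    print("User Replicator runs on:", user_replicator_host(SAMPLE_REPORT))
    status = replication_status(SAMPLE_EVENTS, ["contoso.com", "emea.contoso.com"])
    print("Ready to use as Director:", status["ready"])
    print("Domains without event 30024:", status["missing"])
    print("User Replicator error events:", len(status["errors"]))
```

A domain listed under missing has no event ID 30024 yet, which is the condition under which the guide tells you to look at the error events from the same source.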

Step 12.6 Configure Office Communications Server as a New Director
Now you are ready to configure the Director. After deactivating the roles not required on the new
Director, you must configure the Director in two ways:
• Configure the Director to route traffic to the new Access Edge Server.
• Configure the Director as the next hop server used by your internal servers to route
traffic to the Access Edge Server in Global Properties.

Important
Your users experience an interruption in service when you
perform this step.

To configure Office Communications Server as a Director


1. Log on to the Director as a member of the Administrators group and the
RTCUniversalServerAdmins group.
2. Open the Office Communications Server 2007 administration snap-in: Click Start,
point to All Programs, point to Administrative Tools, and then click Office
Communications Server 2007.
3. Do one of the following:
• For a Standard Edition Server, expand Standard Edition Servers, right-click
your Standard Edition server, point to Properties, and then click Front End
Properties.
• For an Enterprise pool, expand Enterprise pools, right-click your pool, point to
Properties, and then click Front End Properties.
4. Click the Federation tab.
5. In the FQDN box, type the FQDN of your Office Communications Server 2007
Access Edge Server, click Apply, and then click OK.
6. Right-click the Forest node, point to Properties, and then click Global Properties.
7. Click the Federation tab.
8. In the FQDN box, type the FQDN of your Office Communications Server 2007
Director, click Apply, and then click OK.

Step 12.7 Configure Your Access Edge Server to Use the New
Director
Your deployment continues to use the existing Live Communications Server 2005 with SP1
Director until you configure the Access Edge Server to use the new Director.
To switch to the new Director
1. Log on to your Office Communications Server 2007 Access Edge Server as a
member of the Administrators group and the RTC Local Administrators group.
2. Open Computer Management: Right-click My Computer, and then click Manage.
3. In the console tree, expand Services and Applications.
4. Right-click Microsoft Office Communications Server 2007, and then click
Properties.
5. Click the Internal tab.
6. In the Next hop network address box, type the FQDN of the Office
Communications Server 2007 Director.
7. Under Internal servers authorized to connect to this server, click Add Server.
8. In the Office Communications Server box, type the FQDN of your Office
Communications Server 2007 Director.

Step 12.8 Test Connectivity Between Your Access Edge Server and New Director
Run the Validation Wizard on each Access Edge Server and Director and select options to
validate local server configuration and to validate connectivity.
To validate the server configuration on your Access Edge Server
1. Log on to the edge server as a member of the RTCLocalServerAdmins group or a
group with equivalent user rights.
2. Open Computer Management: Right-click My Computer, and then click Manage.
3. In the console tree, expand Services and Applications.
4. Click Microsoft Office Communications Server 2007.
5. In the details pane, expand Validation, and then click Edge Server.
6. On the Welcome page, click Next.
7. On the Select Validation Steps page, select the options that you want to validate:
• Select the Validate Local Server Configuration check box to validate that the
server on which you are running is configured correctly.
• Select the Validate Connectivity check box to verify that the server is connected
to the internal servers.
8. Click Next.
9. On the wizard completion page, select the View the log files results when you click
‘Finish’ check box, and then click Finish to exit.
10. When the Office Communications Server 2007 Deployment Log opens in a Web
browser window, verify that Success appears under Execution Result in the action
column. Optionally, expand each individual task and verify that the Execution
Result shows Success for the task. When you finish, close the log window.
To validate your Director configuration
1. Log on to a server in your domain as a member of the
RTCUniversalServerAdmins group.
2. Insert the Microsoft Office Communications Server 2007 CD. The deployment tool
starts automatically. If you are installing from a network share, go to the \Setup\I386
folder, and then double-click Setup.exe.
3. Do one of the following:
• For an Enterprise pool Director, click Deploy Pools in an Expanded Topology,
and then click Add Front End Server.
• For a Standard Edition server Director, click Deploy Standard Edition Server.
4. At Validate Server and Pool Functionality or Validate Server Functionality,
click Run.
5. On the Welcome to the Office Communications Server 2007 Validation wizard
page, click Next.
6. On the Select validation steps page, select the Validate Local Server
Configuration check box. This option verifies that the federation routes are
correctly configured on your Director.
7. When you are finished, click Next.
8. When the wizard completes, select the View log files when you click Finish check
box, and then click Finish to exit.
9. In the log file, verify that <Success> appears under the Execution Result column.
Look for <Success> Execution Result at the end of each task to verify that the server
was added successfully to the pool.
10. Close the log window when you finish.

Step 12.9 Test Connectivity Between Remote Users, Federated Users, and Public IM Connectivity
Test your new topology by signing in with Office Communicator 2005 as a remote user and
confirming that you can communicate with an internal user. Next, verify that you can
communicate from inside your intranet with a federated user and, if you are supporting public IM
connectivity, a user on a public IM service provider.
If there is a problem with connectivity, you can avoid an extended outage by reverting to
your existing Live Communications Server 2005 SP1 Director. When you have resolved any
connectivity problems and are using the Office Communications Server 2007 Director, go to Step
13.

Step 13 Remove Your Live Communications Server 2005 SP1 Director and Access Proxy
After communications with remote users, federated users, and users of public IM services are
working correctly, remove your Live Communications Server 2005 SP1 Director and Access
Proxy from your environment and use those computers for another purpose. If you choose to
retain the Live Communications Server Director as a safeguard, skip this step.
To remove your Live Communications Server 2005 SP1 Director and Access Proxy,
complete the following steps:
1. Disconnect the Director from the Access Edge Server.
2. Deactivate and remove Live Communications Server 2005 with SP1 from the
computer where the Director is installed.
3. Deactivate and remove Live Communications Server 2005 with SP1 from the
computer where the Access Proxy is installed.

Disconnect the Live Communications Server 2005 SP1 Director from the Access Edge Server
Before you remove the Live Communications Server 2005 with SP1 Director, you must remove
it from the list of servers that are authorized to connect to your Access Edge Server.
To remove the Director from the servers authorized to connect to the
Access Edge Server
1. Log on to your Access Edge Server as a member of the Administrators group and
the RTC Local Administrators group.
2. Open Computer Management: Right-click My Computer, and then click Manage.
3. In the console tree, expand Services and Applications.
4. Right-click Microsoft Office Communications Server 2007, and then click
Properties.
5. Click the Internal tab.
6. Under Internal servers authorized to connect to this server, click the FQDN of
your Live Communications Server 2005 SP1 Director, and then click Remove.

Deactivate and Uninstall Live Communications Server 2005 SP1 on the Director
If you want to repurpose the hardware that was used by your Live Communications Server 2005
with SP1 Director, you can deactivate Live Communications Server 2005 with SP1 and then
remove the software by using the procedures in Phase 6: Deprecate Your Live Communications
Server 2005 SP1 Servers later in this guide.
Deactivate and Uninstall Live Communications Server 2005 on
the Access Proxy
If you want to repurpose the hardware that was used by your Live Communications Server 2005
with SP1 Access Proxy, you can deactivate this server and remove the software by using the
procedures in Phase 6: Deprecate Your Live Communications Server 2005 SP1 Servers later in
this guide.

User Experience in Phase 1


Aside from a brief service outage, all the changes in Phase 1 are transparent to your users. Your
users are still running Office Communicator 2005 and continue to have the same IM and
presence functionality that they did in a pure Live Communications Server 2005 SP1
environment.

Note
Do not deploy Office Communicator 2007 during Phase 1. The
Office Communicator 2007 client does not work until you deploy
new internal computers running Office Communications Server
2007 Standard Edition or Enterprise pools and move users to
these servers or pools (as described in Phase 2).

Phase 2: Deploy Internal Office Communications Servers and Migrate Users
After you have upgraded your perimeter network and your Director (if you use one), deploy
Office Communications Server 2007 in your internal environment by completing the following
steps:
1. Deploy an Office Communications Server 2007 Standard Edition server or
Enterprise Pool. This pool or server uses the Office Communications Server 2007
Edge Server for remote user access and for external access to meetings.
2. If archiving is required for your new server or pool, install and configure the new
Office Communications Server 2007 Archiving and CDR (Call Detail Recording)
Service. Your existing Live Communications Server 2005 with SP1 Archiving
Service does not work with your new server or pool. When you are finished
upgrading your internal servers, your new topology should resemble that shown in
Figure 3.
Figure 3 Mixed Topology with Office Communications Server 2007 Internal
Servers

3. Verify that User Replication completed successfully on the new server or pool.
4. Back up user data on the existing Live Communications Server 2005 with SP1.
5. Export user data from Live Communications Server 2005 with SP1.
6. Move users to Office Communications Server 2007. You might want to transfer a
small number of users at first to test the configuration.
7. Configure users on Office Communications Server 2007.
8. Transfer remote call control settings as necessary.
9. Validate the configuration and connectivity of the server or pool.
At this point, the users who were moved to Office Communications Server 2007 are still using
Office Communicator 2005 as their client. They are able to use the following features as if they
are still using Live Communications Server SP1:
• Internal IM and presence
• Remote user access
• Federation
• Public IM connectivity

Step 2.1 Deploy Standard Edition Server or Enterprise Pool
If you have already installed a Director, you have prepared Active Directory as part of this
process. If you did not deploy a Director, you must prepare Active Directory as the initial step in
deploying an Office Communications Server 2007 Standard Edition server or Enterprise pool.
For step-by-step instructions, see the Microsoft Office Communications Server 2007 Active
Directory Guide. If you plan to support a period of coexistence between Live Communications
Server 2005 SP1 and Office Communications Server 2007, you must prepare each domain
hosting Live Communications Server SP1 servers and users for Office Communications Server
2007.
After the necessary Active Directory objects are in place, you are ready to deploy an Office
Communications Server 2007 Standard Edition server or Enterprise Edition pool. For details, see
the Microsoft Office Communications Server 2007 Standard Edition Deployment Guide or the
Microsoft Office Communications Server 2007 Enterprise Edition Deployment Guide.

Supporting a Pool with a Single Enterprise Edition Server


If you deploy Office Communications Server 2007 Enterprise pool with a single Enterprise
Edition server without a load balancer, to support coexistence you must use a separate IP address
for the Enterprise server and the Enterprise pool.

Note
If you are using a pool with a single Enterprise Edition Server,
you still must use a separate computer for the SQL database.
Installing the back-end database on a computer with Enterprise
Edition Server installed is not supported.

To do so, the following steps are required:


• Add a second IP address on the Enterprise Edition server
• Point the DNS record for the Enterprise pool to the second IP address
This requirement exists because Live Communications Server 2005 SP1 servers cannot
successfully communicate if the Enterprise Edition server and the Enterprise pool have the same
IP address.
After your deployment is moved completely to Office Communications Server, you can remove
the new IP and use a single IP address for the pool (and the pool’s DNS record) and the
Enterprise Edition server.

Step 2.2 Deploy Archiving and CDR Server If Required
If your organization needs to preserve IM conversations or other data about communications that
use Office Communications Server, you must install an Archiving and CDR Server to perform
compliance functions for any users that will be hosted on Office Communications Server 2007.
For step-by-step instructions, see the Microsoft Office Communications Server 2007 Archiving
and CDR Deployment Guide.

Note
If your organization has compliance-related applications
currently running on Live Communications Server 2005 with
SP1, be aware of the following changes to the way instant
messages are formatted and archived:
• Office Communicator 2007 sends instant messages in rich-text format (RTF). These
messages are archived by Office Communications Server in the same format in the
Office Communications Server 2007 archiving database.
• Office Communicator 2007 includes the first IM message as a base 64 encoded
parameter “ms-body” within the “ms-text-format” header.
Any applications that are based on the Live Communications
Server 2005 Management API and that intercept IM messages
for compliance purposes might need to be updated for these
changes.
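An archiving or compliance application that has to capture the first IM message described in the note above needs to decode the ms-body parameter of the ms-text-format header. The following Python code is an added example, not part of the original guide or of any Microsoft API; it assumes the header value is a media type followed by semicolon-separated name=value parameters (including an optional charset), and the function names and the SIP request are constructed for illustration.

```python
import base64


def parse_ms_text_format(value):
    """Split an ms-text-format header value into (media_type, params)."""
    pieces = [p.strip() for p in value.split(";")]
    media_type = pieces[0].lower()
    params = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        # Split on the first '=' only: base64 data can itself end in '='.
        name, sep, val = piece.partition("=")
        params[name.strip().lower()] = val.strip().strip('"') if sep else ""
    return media_type, params


def decode_ms_body(params):
    """Decode the base64 ms-body parameter to text, or return None."""
    raw = "".join(params.get("ms-body", "").split())
    if not raw:
        return None
    # Tolerate values whose trailing '=' padding was dropped.
    padded = raw + "=" * (-len(raw) % 4)
    try:
        data = base64.b64decode(padded, validate=True)
    except ValueError:
        return None  # not valid base64; leave it for manual review
    try:
        return data.decode(params.get("charset", "utf-8"))
    except (LookupError, UnicodeDecodeError):
        return data.decode("utf-8", errors="replace")


def first_im_from_sip(message):
    """Return (media_type, text) carried in ms-text-format, or None."""
    head = message.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = []
    for line in head.split("\n"):
        # A header line starting with whitespace continues the previous one.
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    for line in lines[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "ms-text-format":
            media_type, params = parse_ms_text_format(value)
            text = decode_ms_body(params)
            return (media_type, text) if text is not None else None
    return None


# Constructed sample: a minimal SIP request carrying the header.
FIRST_IM = "Can you send me the Q3 figures?"
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@contoso.com SIP/2.0",
    "From: <sip:alice@contoso.com>;tag=constructed",
    "To: <sip:bob@contoso.com>",
    "Call-ID: constructed-call-id",
    "CSeq: 1 INVITE",
    "Ms-Text-Format: text/plain; charset=UTF-8;ms-body="
    + base64.b64encode(FIRST_IM.encode("utf-8")).decode("ascii"),
    "Content-Length: 0",
]) + "\r\n\r\n"

if __name__ == "__main__":
    print(first_im_from_sip(SAMPLE_INVITE))
```

For a message sent as RTF the decoded text is the RTF source, which matches the format the note says is written to the archiving database.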

Step 2.3 Verify that User Replication Completed


The User Replicator component of Office Communications Server 2007 updates the user
database to synchronize with the User objects in Active Directory. Before you move users from
Live Communications Server 2005 with SP1, you need to verify that User Replicator has
completed the first replication cycle on the new server or pool for all the domains in which users
are enabled for Office Communications Server 2007.
In an Enterprise pool, only one server in the pool is assigned the role of User Replicator. To
determine which server in the pool runs User Replicator, use the Dbanalyze tool, as described in
the following procedures. Dbanalyze is available in the Office Communications Server 2007
Resource Kit, which you can install by using the Office Communications Server 2007
Deployment Wizard.
To verify that User Replicator completed on an Office Communications
Server 2007 Standard Edition server
1. Log on to the server as a member of the Administrators group.
2. Open Event Viewer. Click Start, point to All Programs, point to Administrative
Tools, and then click Event Viewer.
3. In the console tree, click Office Communications Server.
4. In the details pane, look for an event with OCS User Replicator as the source and the
event ID 30024. The event should display the following text:
User Replicator has completed initial synchronization of domain <domain
name> (DN: <distinguished name>) and the database. Future synchronization
for this domain will occur as changes are made in Active Directory.
Check this event for all the domains that have users enabled for Office Communications
Server 2007. If you do not find event ID 30024, check for error events that have Office
Communications Server User Replicator as the source to help identify any failure to
synchronize the users in the domain in which Live Communications Server is deployed.
To verify that User Replicator completed in an Office Communications
Server Enterprise Edition pool
1. Log on to the Office Communications Server 2007 Back-End Database as a member
of the System Administrators group.
2. Use the Dbanalyze tool from the Office Communications Server 2007 Resource Kit
to determine which server in the pool is assigned as the User Replicator. Open a
command window: Click Start, and then click Run. In the Open box, type cmd, and
then click OK. At the command prompt, type the following:
Dbanalyze.exe /report:diag /sqlserver:<SQL Server\instance>
The report that is generated shows which server within the pool is assigned as the User
Replicator. In the following example report, server03 is assigned the user replication task:
TaskName                                Fqdn
--------------------------------------  --------------------
Endpoint Expiration                     server01.contoso.com
Subscription Expiration                 server02.contoso.com
User Replication / Address Book Server  server03.contoso.com
Focus Maintenance                       server04.contoso.com
TimeBound Publication Maintenance       server05.contoso.com

3. Log on to the server that is assigned to the User Replicator task as a member of the
Administrators group.
4. Open Event Viewer. Click Start, point to All Programs, point to Administrative
Tools, and then click Event Viewer.
5. In the console tree, click Office Communications Server.
6. In the details pane, look for an event with OCS User Replicator as the source and the
event ID 30024. The event should display the following text:
User Replicator has completed initial synchronization of domain <domain
name> (DN: <distinguished name>) and the database. Future synchronization
for this domain will occur as changes are made in Active Directory.
7. Verify that this event is logged for all the domains that have users enabled for Office
Communications Server 2007. If you do not find event ID 30024, check for error
events that have OCS User Replicator as the source to help identify any failure to
synchronize the users in the domain in which Live Communications Server is
deployed. If User Replicator fails, an event will be posted to the log.
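The checks in the two procedures above can be scripted once the report and the events are exported. This is an added example, not part of the guide or the Resource Kit; it assumes the events are available as records with source, event_id, type and message fields, the sample events are constructed, and the report text is the example report shown above.

```python
import re

UR_SOURCE = "OCS User Replicator"
UR_DONE_EVENT_ID = 30024
# Message text quoted in the procedure; the domain name is the captured group.
DONE_RE = re.compile(
    r"completed initial synchronization of domain\s+(\S+)\s+\(DN:", re.IGNORECASE
)

# Example Dbanalyze report from the procedure (blank lines between rows kept).
SAMPLE_REPORT = """TaskName Fqdn
----------------- -------
Endpoint Expiration server01.contoso.com

Subscription Expiration server02.contoso.com

User Replication / Address Book Server server03.contoso.com

Focus Maintenance server04.contoso.com
"""

# Constructed events; the record layout is an assumption about the export format.
SAMPLE_EVENTS = [
    {"source": UR_SOURCE, "event_id": UR_DONE_EVENT_ID, "type": "Information",
     "message": "User Replicator has completed initial synchronization of domain "
                "contoso.com (DN: DC=contoso,DC=com) and the database. Future "
                "synchronization for this domain will occur as changes are made "
                "in Active Directory."},
    # event_id 0 is a placeholder, not a real Office Communications Server event ID.
    {"source": UR_SOURCE, "event_id": 0, "type": "Error",
     "message": "Constructed error text for emea.contoso.com"},
    {"source": "OCS User Services", "event_id": 0, "type": "Information",
     "message": "Constructed event from another source; ignored by the check"},
]


def find_user_replicator(report_text):
    """Return the FQDN of the server that is assigned the User Replication task."""
    for line in report_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and line.strip().lower().startswith("user replication"):
            return fields[-1]                     # the FQDN is the last column
    return None


def check_initial_sync(events, expected_domains):
    """Report which expected domains have logged event 30024 and which have not."""
    done, errors = set(), []
    for ev in events:
        if ev["source"] != UR_SOURCE:
            continue
        if ev["event_id"] == UR_DONE_EVENT_ID:
            match = DONE_RE.search(ev["message"])
            if match:
                done.add(match.group(1).lower())
        elif ev.get("type", "").lower() == "error":
            errors.append(ev)                     # kept for troubleshooting
    expected = {d.lower() for d in expected_domains}
    missing = expected - done
    return {
        "synchronized": sorted(expected & done),
        "missing": sorted(missing),
        "errors": errors,
        "ready_to_move_users": not missing,
    }


if __name__ == "__main__":
    print(find_user_replicator(SAMPLE_REPORT))
    print(check_initial_sync(SAMPLE_EVENTS, ["contoso.com", "emea.contoso.com"]))
```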

Step 2.4 Back Up User Data on the Existing Live Communications Server 2005 with SP1

As a precaution, you should back up the existing user data on the Live Communications Server
2005 with SP1 Standard Edition server or Enterprise pool before the users are moved to Office
Communications Server 2007. If a problem occurs with an Office Communications Server 2007
deployment, you can restore your user data on Live Communications Server 2005 with SP1.
To back up data, ensure that the MSDE database (for Live Communications Server 2005 with SP1
Standard Edition) or the Back-End Database (for Live Communications Server 2005 with SP1
Enterprise Edition) is available and then back up the RTC database by doing the following:
• For the Back-End Database server in an Enterprise pool, use your SQL Server
database backup program.
• For a Standard Edition server, use the following procedure, which uses the tool
(Dbbackup.exe) that is provided with Live Communications Server 2005 with SP1 to
back up the RTC database. The tool is available in the support folder of the Live
Communications Server 2005 SP1 installation CD and is installed in the <drive
letter>:\Program Files\Microsoft LC 2005\Server\Support folder on a server with
Live Communications Server 2005 with SP1.
To back up user data from your Live Communications Server 2005
with SP1 Standard Edition server
1. Log on to the Live Communications Server 2005 with SP1 Standard Edition server
as a member of the Administrators group. For more information about the
credentials required to back up data, see Dbbackup-readme.htm on the Live
Communications Server 2005 with SP1 installation CD.
2. Insert the Live Communications Server 2005 with SP1 CD.
3. Open a command window: click Start, and then click Run. In the Open box, type
cmd, and then click OK. Go to the \Support folder on the installation CD.
4. At the command prompt, type the following command to back up the RTC database
on the local server:
dbbackup.exe /backupfile:filename
For example:
dbbackup.exe /backupfile:backup2005

Step 2.5 Export User Data from Live Communications Server 2005 with SP1

To preserve a copy of the latest user data on Live Communications Server 2005 with SP1,
including contacts, groups, and ACEs (access control entries) for each user, use the Office
Communications Server 2007 Dbimpexp.exe tool. If there are problems with the migration
process, use this data to restore users on Live Communications Server 2005 with SP1 with their
contacts, groups, and ACEs intact. This procedure works well when there are many users to be
rolled back.

Notes
The new Office Communications Server 2007 Dbimpexp.exe
tool is required for this operation. Do not use the Live
Communications Server 2005 with SP1 version of this tool.
The Office Communications Server 2007 User Services database
(the RTC database) must be available when you perform this
procedure, but users should not sign in while you are running
the DBimpexp tool. To prevent users from signing in, stop rtcsrv
services on both servers (the Live Communications Server
service on the Live Communications Server 2005 SP1 server
and the Communications Server service on the Office
Communications Server 2007 server).
Running this tool on a Microsoft SQL Server cluster is not
supported.

To export user data from Live Communications Server


1. Log on to the appropriate server:
• For a Standard Edition server, log on to the server that is running Live
Communications Server 2005 with SP1 as a member of the Administrators
group.
• For an Enterprise pool, log on to the server that is running the Live
Communications Server 2005 SP1 Back-End Database with an account that has
read-only access to the database.
2. Insert the Office Communications Server 2007 CD.
3. Open a command window: Click Start, and then click Run. In the Open box, type
cmd, and then click OK. Go to the \Support folder of the installation CD.
4. At the command prompt, type one of the following:
• For a Standard Edition server:
Dbimpexp.exe /hrxmlfile:"<XML file path for the exported user data>"
• For an Enterprise pool:
dbimpexp.exe /hrxmlfile:"c:\SavedUserData.xml" /sqlserver:<sql server instance>
If you want to export data for only a specific user, add the /user:Username parameter to the
command line. The user name is a fully qualified SIP address.
For example, to export data for a single user on a Standard Edition server:
Dbimpexp.exe /hrxmlfile:"c:\SavedUserData.xml" /user:johna@contoso.com

Note
If the users are currently homed on multiple Live
Communications Server 2005 with SP1 pools or servers, you
must export the user data that is stored on each Enterprise pool
or Standard Edition server. To do this, repeat steps 1 through 4
on each server or pool on which users are homed.

Step 2.6 Move Users to Office Communications Server 2007

After you have backed up existing user data, it is safe to move user data from Live
Communications Server 2005 with SP1 to Office Communications Server 2007. All the user
contact data is preserved during the move, but any notes that users added to their Office
Communicator status need to be recreated after the user is moved to Office Communications
Server.

Note
The following procedure uses the Office Communications Server
2007 administrative snap-in to move users. You can run the
snap-in from any computer that is running Office
Communications Server 2007. You can also move users by
using Active Directory Users and Computers on any server in
the domain on which the Office Communications Server 2007
administrative snap-in is installed.

To move users to Office Communications Server 2007


1. Log on to a computer that is running Office Communications Server 2007 Standard
Edition or Enterprise Edition or a computer on which the Office Communications
Server 2007 administrative snap-in is installed. Use an account that is a member of the
RTCUniversalUserAdmins group on the Office Communications Server 2007
Standard Edition server or Enterprise pool and is a member of one of the following
groups or has equivalent permissions:
• RTCDomainUserAdmins on the Live Communications Server 2005 with SP1
Standard Edition server or Enterprise pool
• RTCDomainServerAdmins on the Live Communications Server 2005 with SP1
Standard Edition server or pool.
2. Verify that the RtcSrv service is running on both the Office Communications Server
2007 server and Live Communications Server 2005 with SP1 server. (The service
display name is Office Communications Server Front End service on Office
Communications Server 2007 and is Live Communications Server service on the
Live Communications Server 2005 with SP1 server.)
3. Open the Office Communications Server administrative snap-in. Click Start, point
to All Programs, point to Administrative Tools, and then click Office
Communications Server 2007.
4. In the console tree, expand Live Communications Server 2005.
5. Expand the server or pool node from which you want to move your users.
6. Click Users.
7. Do one of the following:
• To move all users, right-click Users, and then click Move users.
• To move specific users, select the users that you want to move in the details
pane, right-click the selection, and then click Move users.
8. If a message indicates that Office Communications Server cannot manage users until
they have been moved, click OK.
9. On the Welcome page of the Move Users Wizard, click Next.
10. On the Select an Office Communications Server or Pool page, select an Office
Communications Server 2007 Standard Edition server or Enterprise pool in the
Move users to the following Office Communications Server or Pool list.
11. On the Select Move Option page, ensure that the Force the user move if the server
or pool is unavailable check box is cleared. This option should not be used for a
side-by-side migration.
12. If you are prompted to check log files and allow Active Directory replication to
finish, click OK.
13. On the Move Operation Status page, verify that the wizard completed successfully.
To verify that the move succeeded, leave the wizard open while you perform the
other procedures in this section.
14. After you have completed the verification procedures, do one of the following:
• If the move succeeded, click Finish.
• If the move failed, you need to create a log file to locate the problem. Click
Export to create a log file to use to help locate the problem. In the Save As
dialog box, specify the path and file name to which the log file is to be exported,
click Save, and then click Finish.
15. If the move failed, view the log file to see whether any users were successfully
moved. The move operation moves Active Directory settings and user data for each
user, one by one, so several users might have been moved successfully before a
transaction failed. If the Move Users operation failed, run the procedure again from
the Office Communications Server 2007 administrative snap-in. Begin with the user
directly after the last user that was successfully moved.

Note
Running the Move Users Wizard twice can clean up Active
Directory attributes in instances where a move was
unsuccessful. If a user is having problems, run the Move Users
Wizard again after Active Directory replication is completed.

To use Event Viewer to verify that Move Users succeeded


1. Open Event Viewer: Click Start, point to All Programs, point to Administrative
Tools, and then click Event Viewer.
2. In the console tree, click Application.
3. Look for events that have OCS User Services as the source and verify that no errors
occurred. If User Replicator fails, an event is posted to the log.
To use the Office Communications Server snap-in to verify that the
move users operations succeeded
1. On a server with the Office Communications Server administrative snap-in, click
Start, point to All Programs, point to Administrative Tools, and then click Office
Communications Server 2007.
2. In the console tree, do one of the following:
• For a Standard Edition deployment, expand Standard Edition Servers.
• For an Enterprise pool, expand Enterprise pools.
3. Expand the server or pool where you moved your users, and then click Users.
4. In the details pane, verify that your users appear.

Note
If the Move Users operation succeeded but the users do not
appear under the Users node for the Enterprise pool or
Standard Edition server, force Active Directory replication or
wait for replication to complete and then refresh the data.

Step 2.7 Configure Users


After you have moved your users to Office Communications Server 2007, you need to configure
any additional features that you want your users to have access to. With Office Communications
Server 2007, you can configure your users for Web conferencing, which they can use after you
deploy the Microsoft Office Live Meeting 2007 client. Users’ IM and presence experience is
similar to that in Live Communications Server 2005 SP1 until you have enabled the users for
enhanced presence and deployed Office Communicator 2007 to their desktops.
To configure users for Office Communications Server 2007
1. Click Start, click Control Panel, click Administrative Tools, and then click Office
Communications Server 2007.
2. Expand the Forest node and the Pool node, and then click Users.
3. Right-click the users that you want to configure, and then click Configure users.
4. On the Welcome to the Configure Users Wizard page, click Next.
5. Select the check boxes for the features that you want to configure for the selected
users: Federation, Remote user access, Public IM connectivity, Enhanced
Presence, Archive internal messages, and Archive federated messages.
6. Select the options that indicate whether you want to enable that feature for the users
that you want to configure: Enable or Disable. Do not enable enhanced presence for
these users yet.
7. When you are finished, click Next.
8. Do one of the following:
• If, when you configured Web conferencing during your Standard Edition
deployment, you set a global property to allow or disallow anonymous
participation in meetings on the Meeting tab in Global Properties, click Next.
• If, when you configured Web conferencing during your Standard Edition
deployment, you chose to allow or disallow anonymous participation in
meetings on a per-user basis on the Meeting tab in Global Properties, select the
Organize meetings with anonymous participants check box, and then click
Allow or Disallow. When you are finished, click Next.

Note
If you enable anonymous participation in meetings, your
internal users can invite people from outside your organization
to participate in your on-premise Web conference meetings. By
default, all users are allowed to organize meetings that include
anonymous participants.

9. Do one of the following:


• If, when you configured Web conferencing during your Standard Edition
deployment, you set a global policy for meetings, click Next.
• If, when you configured Web conferencing during your Standard Edition
deployment, you chose to set meeting policy on a per-user basis, select the
Change meeting policy check box. In the Select a meeting policy for the users
list, click the name of the policy you want to apply to the selected users. When you
are finished, click Next.
10. Do one or more of the following:
• To enable Enterprise Voice and configure the voice policy that is applied to the
selected users, select the Change Voice Settings check box, and then select the
Enable Voice check box. In the Select a Voice policy for the users list, click
the name of the policy you want to apply to the selected users. If you want to
view the voice features that are enabled by a policy before you accept it, click
View. Click OK to close the Add or Edit Policy dialog box. When you have
selected the policy that you want, click Next.
• If the global setting for voice policy is not set to Use per user policy, you cannot
change the policy for the selected users. Click Next to continue.
For more information about Enterprise Voice policies, see the Microsoft Office
Communications Server 2007 Enterprise Voice Planning and Deployment Guide.

Note
To configure a particular voice setting for a specific user, the
corresponding setting under the forest’s Voice properties must
be configured to allow enforcement on a per-user basis.

11. Verify the status of each user configuration operation, and then click Finish.

Step 2.8 Transfer Remote Call Control Settings As Necessary

If your organization used remote call control in Live Communications Server 2005 SP1, the
information in this section helps ensure that the correct settings are preserved in your Office
Communications Server deployment.
This section does the following:
• Explains the differences between remote call control Group Policy object settings in
Office Communicator 2005 and Office Communicator 2007.
• Explains how to retain these settings in the two following scenarios:
• If you enabled users for remote call control by using default settings, you can use
either the Office Communicator 2007 administrative snap-in or the Group Policy
object settings in Office Communicator to retain these settings.
• If you enabled users for remote call control and also disabled PC-to-PC audio
and PC-to-Phone calling, you must configure this setting by using the Group
Policy object or out-of-band provisioning, such as manually setting the registry
keys.
The following table shows the differences between Office Communicator 2005 and Office
Communicator 2007 Group Policy object settings.
Table 4 Transferring Group Policy Object Settings

| Office Communicator 2005 Setting | Office Communicator 2007 Setting | Description |
|---|---|---|
| EnablePhoneControl=0 | TelephonyMode=0 | This setting allows only PC-to-PC communications (the default). |
| EnablePhoneControl=1 | TelephonyMode=2 | This setting maintains remote call control for your Office Communicator 2007 users. If you make this setting through server in-band provisioning, you can simply configure the user settings in the Office Communications Server 2007 administrative snap-in. If you make this setting through Group Policy object or an out-of-band policy that contradicts the in-band provisioning server settings, your users must manually configure the Phone SIP URI or the TEL URI of the phone that the user controls and the SIP URI of the CSTA-SIP gateway server in Office Communicator 2007. These two settings are stored in the ManualConfigPhURI and ManualConfigSIPURI registry key settings on each client. |
| EnablePhoneControl=1, DisablePC2PCAudio=1, EnablePC2Phone=1 | Telephonymode=4 | This setting maintains remote call control for your Office Communicator 2007 users. It also enables calls from the user’s PC to a telephone and disables PC-to-PC audio communication. This setting can be provisioned only through Group Policy object settings or by manually setting registry keys. It is not available through in-band provisioning on the server side. |
| NA | Telephonymode=3 | This setting enables Enterprise Voice with PBX integration. |
| NA | Telephonymode=1 | This setting enables Enterprise Voice. |

Transferring Default RCC Settings


If your user’s Group Policy object used the default settings for remote call control (you did not
disable remote call control, PC-to-PC audio, or PC-to-phone connections), you can retain these
settings by configuring individual user account properties or by configuring a Group Policy
object or registry key.
To configure individual user account properties
1. Click Start, click Control Panel, click Administrative Tools, and then click
Office Communications Server 2007.
2. In the console tree, expand the forest node, and then navigate to the Standard
Edition server or Enterprise pool that contains the user account that you want to configure.
3. Expand the pool name for the Enterprise pool or Standard Edition server.
4. In the details pane, right-click the user account name, and then click Properties.
5. On the Communications tab, click Configure.
6. Click Enable Remote Call Control.
If you configured your users for remote call control using Group Policy object settings or another
out-of-band provisioning method, you need to do the following for each client:
• Set the Group Policy object setting Telephonymode=2
• Each user must manually configure telephony settings in Office Communicator 2007.

Note
If you want to manually configure your clients, you need to
perform this step when you deploy Office Communicator to your
users.

To manually configure a client
1. On the user’s computer, open Office Communicator 2007.
2. In the title bar, click the Menu button, point to Tools, and then click Options.
3. Click the Phones tab.
4. Click Advanced.

5. Under Advanced Phone Integration Configuration, click Manual configuration.


6. In the Remote call control URI (sip) box, type the URI of the CSTA-SIP gateway
server in Office Communicator 2007 in the following format:
sip:<URI of the CSTA-SIP gateway server>
7. In the Phone URI (tel) box, type the SIP URI or the TEL URI of the phone that you
control in one of the following formats:
sip:<URI of the user phone>
or
tel:<URI of the user phone>

Transferring Remote Call Control Settings When PC-to-Phone Connection and PC-to-PC Audio Are Disabled

If your users were enabled for remote call control but disabled from using PC-to-PC audio and
PC-to-phone connections, you can retain these settings only by using a Group Policy object or by
provisioning the setting out of band.
If you configured your users for remote call control by using Group Policy object settings or
another out-of-band provisioning method, you need to manually set the Telephonymode
property of the Group Policy object to 4 and then manually configure telephony settings in the
client.

Note
If you want to manually configure your clients, you need to
perform this step when you deploy Office Communicator to your
users.

To manually configure a client
1. Open Communicator 2007.
2. In the title bar, click the Menu button, point to Tools, and then click Options.
3. Click the Phones tab.
4. Click Advanced.

5. In the Advanced Phone Integration Configuration dialog box, click Manual
configuration.
6. In the Remote call control URI (sip) box, type the URI of the CSTA-SIP gateway
server in Office Communicator 2007 by using the following format:
sip:<URI of the CSTA-SIP gateway server>
7. In the Phone URI (tel) box, type the SIP URI or the TEL URI of the phone that you
control in one of the following formats:
sip:<URI of the user phone>
or
tel:<URI of the user phone>

Step 2.9 Validate the Configuration and Connectivity of the Server or Pool

Run the Validation Wizard on each individual Access Edge Server to verify that it can
communicate with the new Office Communications Server. Run the Validation Wizard on your
new Standard Edition server or pool to verify that it can communicate with your Access Edge
Server.
To verify that the Access Edge Server can communicate with Office
Communications Server
1. Log on to your Office Communications Server 2007 Access Edge Server as a
member of the Administrators group and the RTC Local Administrators group.
2. Open Computer Management: Right-click My Computer, and then click Manage.
3. In the console tree, expand Services and Applications.
4. Click Office Communications Server 2007.
5. In the details pane, click Edge Server under Validation.
6. In the Deployment Wizard, click Run beside Validate Server Functionality to start
the Validation Wizard.
7. On the Welcome page, click Next.
8. On the Select Validation Steps page, select the Validate Local Server
Configuration check box to validate that the server on which you are running is
configured correctly.
9. Click Next.
10. On the wizard completion page, verify that the Check this box to view log files
results check box is selected, and then click Finish to exit.
11. When the Office Communications Server 2007 Deployment Log opens in a Web
browser window, verify that Success appears under Execution Result in the action
column. Optionally, expand each individual task and verify that the Execution
Result shows Success for the task. When you finish, close the log window.
To verify that your internal server can communicate with the Access
Edge Server
1. Log on to an Office Communications Server 2007 Standard or Enterprise Edition
Front-End Server as a member of the RTCUniversalServerAdmins group or a
group with equivalent user rights.
2. Insert the Office Communications Server 2007 CD. If you are deploying from a
network share, go to the installation path, and then click Setup.exe.
3. Select one of the following:
• For Standard Edition server, click Deploy Standard Edition Server, and then
click Validate.
• For a pool in the expanded configuration, click Deploy Pools in an Expanded
Topology, and then click Add Front End Server.
4. At Validate Server and Pool Functionality, click Run.
5. In the details pane, under Validations, beside Validate Server Functionality or
Validate Pool Functionality, click Run to start the Validation Wizard.
6. On the Welcome page, click Next.
7. On the Select Validation Steps page, select the Validate SIP Logon (1-Party) and
IM (2-Party) check box to verify that the user accounts that you created and enabled
can be used to sign in and connect.
8. On the User Account page, type the account name, user sign-in name, and password
of a test user who is enabled for SIP.

Important
Because this user account will be converted to use enhanced
presence, ensure that you use a test account.

9. In the Server or Pool list, click the name of the server or Enterprise pool on which
the user account is hosted.
10. Click Next.
11. On the Second user account page, type the account name, user sign-in name, and
password of a second test user who is enabled for SIP. This account will be used
with the first account that you specified to test IM functionality between two users.

Important
Because this user account will be converted to use enhanced
presence, ensure that you use a test account.

12. In the Server or Pool list, click the name of the server or Enterprise pool on which
the user account is hosted, and then click Next.
13. If you have configured federation or public IM connectivity, select the Test
between internal user and federated users check box on the Federation and
Public IM Connectivity page. In the Enter SIP User Accounts for federated use
box, type the SIP URI of one or more federated user accounts (separated by
semicolons) that you want to use to test this functionality. If you have not configured
federation or public IM connectivity, go to the next step.
14. Click Next.
15. On the wizard completion page, verify that the View the log when you click Finish
check box is selected, and then click Finish.
16. When the Office Communications Server 2007 Deployment Log opens in a Web
browser window, verify that Success appears under Execution Result in the action
column. Optionally, expand each individual task and verify that the Execution
Result shows Success for the task. When you finish, close the log window.

User Experience in Phase 2


At this point, your Office Communications Server 2007 users still have only the IM and presence
features that are available in Office Communicator 2005. These users can now organize Web
conference meetings.
After you deploy the Live Meeting 2007 client to these users, they are able to use the Web
conferencing features. Users hosted on Live Communications Server 2005 SP1 are able to attend
Web conferences, provided they can install the Live Meeting 2007 client, but are not able to
organize Web conference meetings until they are moved to an Office Communications Server
2007 server or pool.

Phase 3: Enable Pilot Users for Enhanced Presence and New Features and Deploy New Clients

After your users are successfully transferred to the new Office Communications Server 2007
client and presence and IM are working correctly between your pilot users and others, you can
enable these users for enhanced presence and deploy Office Communicator 2007 to them. The
upgrade to enhanced presence and Office Communicator 2007 is supported on a per-user, not a
per-client, basis. After you enable a user for enhanced presence and that user signs in by using
Office Communicator 2007, the user can no longer sign in to the previous version of Office
Communicator, Communicator Web Access, or Communicator Mobile. Users with clients in
multiple locations are not able to sign in from clients that have not been upgraded. You can
mitigate this inconvenience if you deploy Communicator Web Access (2007 release). On clients
where Office Communicator 2007 is not yet deployed, your pilot users can then use
Communicator Web Access for IM and presence. For details about deploying Communicator
Web Access (2007 release), see the Microsoft Office Communicator Web Access (2007 release)
Planning and Deployment Guide.
To enable your users for the full functionality of Office Communications Server 2007, perform
the following steps:
1. Enable enhanced presence for your pilot Office Communications Server 2007 users.

Important
If you enable enhanced presence for a user and the user signs
in to Office Communications Server 2007 using the
Communicator 2007 client, the user account is converted to use
enhanced presence. The user is then no longer able to sign in to
Live Communications Server 2005 SP1 and cannot use any
previous version of Office Communicator, Communicator Web
Access, or Communicator Mobile to sign in.

2. Deploy Office Communicator 2007 to all client computers for these users.
3. Deploy the Microsoft Office Live Meeting 2007 client to all client computers for
these users.

Step 3.1 Enable Enhanced Presence for Your Pilot Users

You can enable enhanced presence for an individual user or multiple users, as described in the
following procedures.
To enable enhanced presence for a single user
1. Log on as a member of the RTCUniversalUserAdmins group to a computer that is
running Office Communications Server 2007 Standard Edition or Enterprise Edition
or to a computer on which the Office Communications Server 2007 administrative
tools are installed.
2. Open the Office Communications Server administrative snap-in: Click Start, point
to All Programs, point to Administrative Tools, and then click Office
Communications Server 2007.
3. In the console tree, do one of the following:
• For a Standard Edition deployment, expand Standard Edition Servers.
• For an Enterprise pool, expand Enterprise pools.
4. Expand the server or pool node where you moved your users, and then click Users.
5. In the details pane, right-click the user for whom you want to enable enhanced
presence, and then click Properties.
6. In the Properties dialog box, click Configure.
7. In the User Options dialog box, select the Enable enhanced presence check box.
8. When a message is displayed that indicates that Office Communications Server is
enabling enhanced presence, read the information, and then click Yes to complete
the enabling of enhanced presence for the user.
To enable enhanced presence for multiple users
1. On a computer with the Office Communications Server 2007 administrative snap-in,
click Start, point to All Programs, point to Administrative Tools, and then click
Office Communications Server 2007.
2. In the console tree, do one of the following:
• For a Standard Edition deployment, expand Standard Edition Servers.
• For an Enterprise pool, expand Enterprise pools.
3. Expand the server or pool where you moved your users, and then click Users.
4. In the details pane, select the users for whom you want to enable rich presence,
right-click the selection, and then click Configure users.
5. In the Configure Users Wizard, on the Configure User Settings page, select the
Enhanced presence check box, and then click Next.

Note
You can also access the Configure Users Wizard from the Active
Directory Users and Computers snap-in by right-clicking users in
an OU (organizational unit) and then clicking Configure User
Settings.

6. On the Configure Operations Status page, review the settings, and then click Finish.

Step 3.2 Deploy Office Communicator 2007 to Your Pilot Users
After you have enabled your users for enhanced presence, deploy Office Communicator 2007 to
all client computers for these users. After a user is enabled for enhanced presence, the user can
no longer sign in to previous versions of Office Communicator, Communicator Web Access, or
Communicator Mobile.
If you cannot deploy Office Communicator 2007 to all of a user’s client computers
simultaneously, you can mitigate the impact for users with multiple clients by deploying
Communicator Web Access (2007 release). The pilot users can use Communicator Web Access
on any client computer that does not have Office Communicator 2007 deployed. For details
about deploying Communicator Web Access (2007 release), see the Microsoft Office
Communicator Web Access (2007 release) Planning and Deployment Guide.

Step 3.3 Deploy the Live Meeting 2007 Client to Your Pilot Users
You can deploy the Microsoft Live Meeting 2007 client at any time during the migration process.
Your users need the Live Meeting client to use the Web conferencing features that are available
in Office Communications Server. For details about deploying the Live Meeting client, see
Deploying the Microsoft Office Live Meeting Client with Office Communications Server 2007.

User Experience in Phase 3


At the end of phase 3, your Office Communications Server 2007 users are able to use all of the
new features in Office Communications Server 2007 and its clients for which they are enabled
when they communicate internally with other pilot users with Office Communicator 2007. They
can also take advantage of the new IM and presence features when they connect from outside the
intranet. As stated earlier, only users hosted on Office Communications Server 2007 can organize
Web conferencing meetings, but users hosted on Live Communications Server 2005 can attend
these conferences, if they have the Live Meeting client installed or have a way to install it.
When your Office Communicator 2007 users communicate with Office Communicator 2005
users, only the legacy presence and IM functionality is available.

Phase 4: Introduce New Edge Server Roles
After IM and presence are working correctly in your environment, you can introduce the Web
Conferencing Edge Servers and A/V Edge Servers in your perimeter network. For details about
deploying and activating these edge servers, see the Microsoft Office Communications Server
2007 Edge Server Deployment Guide.

User Experience in Phase 4


At this point, your Office Communications Server 2007 users are able to use all of the new
features in Office Communications Server 2007 and Office Communicator 2007 for which they
are enabled when they communicate internally and externally with other pilot users who are
using Office Communicator 2007. Your pilot users are able to take advantage of your Web
conferencing and A/V features when they connect from outside the intranet. As stated earlier,
only users hosted on Office Communications Server 2007 can organize Web conferencing
meetings, but users hosted on Live Communications Server 2005 can attend these conferences, if
they have the Live Meeting client installed or have a way to install it.
When your Office Communicator 2007 users communicate with Office Communicator 2005
users, only the legacy presence and IM functionality is available.

Phase 5: Continue Phased Migration for Additional User Groups
Continue the phased migration of your users as described in Phase 3: Enable Pilot Users for
Enhanced Presence and New Features and Deploy New Clients.

Phase 6: Deprecate Your Live Communications Server 2005 SP1 Servers
When you have moved all your users to Office Communications Server 2007 Standard Edition
servers and Enterprise pools, you can deactivate and uninstall Live Communications Server 2005
with SP1 and use those computers for another purpose.

Remove Live Communications Server 2005 SP1 Standard Edition
By default, when you deactivate and remove a Standard Edition server, the database and any
associated logs are detached, but they are preserved on the server. During the removal procedure,
you can choose to drop the databases and delete Live Communications Server data and logs. It is
recommended that you retain the database and save the data in the event that you need them later.
To remove Live Communications Server 2005 with SP1 Standard Edition, do the following:
1. Deactivate Live Communications Server 2005 with SP1 Standard Edition
2. Delete the Live Communications Server 2005 with SP1 Standard Edition files
To deactivate Live Communications Server 2005 with SP1 Standard Edition
1. Log on as a member of the DomainAdmins group to a Standard Edition server that
is a member of the same domain as the Live Communications Server 2005 with SP1
Standard Edition that you are deactivating. If the domain is a child domain, you must
also be logged on as a member of the RTCDomainServerAdmins group. The
Standard Edition server can be anywhere in the enterprise, as long as it is joined to a
domain and the user has the necessary group memberships. You can also perform
this task from a domain member server that has the Live Communications Server
2005 with SP1 administrative snap-in installed.
2. Open the Live Communications Server 2005 with SP1 snap-in: Click Start, point to
All Programs, point to Administrative Tools, and then click Live
Communications Server 2005.
3. In the console tree, select the <FQDN> node for the Standard Edition server that you
want to deactivate.
4. In the details pane, click Deactivate, and then complete the Deactivate Wizard.
To remove files for Live Communications Server 2005 with SP1
1. Log on to the Live Communications Server 2005 with SP1 server as a member of the
Administrators group.
2. Click Start, point to Control Panel, and then click Add or Remove Programs.
3. In the Add or Remove Programs dialog box, click Microsoft Office Live
Communications Server 2005 with SP1, and then click Change to start the Live
Communications Server 2005 Setup Wizard.
4. On the Welcome page, click Next.
5. On the Remove the Program page, if you want to retain the Users Servers database
data files, which is recommended, accept the default. Otherwise, clear the Keep the
user database check box. Click Next.
6. Click Remove.

Note
If you do not retain the user database (retaining it is the default
setting), user data for this server is lost.

Remove Live Communications Server 2005 with SP1 Enterprise Edition
For each server in the pool, deactivate and then remove the files.

Important
Before you begin this process, verify that no users are still
assigned to the pool.
Use the following procedures to uninstall Live Communications Server 2005 with SP1 Enterprise
Edition. This involves the following tasks:
1. Deactivating each server in the Enterprise pool.
2. Removing the files on all but the last server in the pool.
3. Removing the Enterprise pool.
To deactivate a server in the Enterprise pool
1. Log on as a member of the DomainAdmins group to a Live Communications Server
that is a member of the same domain as the Live Communications Server 2005 with
SP1 Enterprise Edition server that you are deactivating. If the domain is a child
domain, you must also be logged on as a member of the
RTCDomainServerAdmins group. The server that you log on to can be anywhere in
the enterprise, as long as it is joined to a domain and the user has the necessary
group memberships. You can also perform this task from a domain member server
that has the Live Communications Server 2005 with SP1 administrative snap-in
installed.
2. Open the Live Communications Server 2005 with SP1 snap-in: Click Start, point to
All Programs, point to Administrative Tools, and then click Live
Communications Server 2005.
3. In the console tree, expand Live Communications Server 2005 with SP1.
4. Expand subsequent nodes under the Domains node until you reach the domain in
which the server or pool resides.
5. Expand Live Communications servers and pools.
6. Right-click the FQDN of the server, and then click Deactivate.
To remove the Live Communications Server files on all but the last server in the pool
1. Log on to the Live Communications Server 2005 with SP1 server as a member of the
Administrators group.
2. Click Start, point to Control Panel, and then click Add or Remove Programs.
3. In Add or Remove Programs, click Live Communications Server 2005 with SP1, and
then click Change.
4. In the Setup Wizard, click Next.
5. On the Program Maintenance page, confirm that the action is set to Remove, and
then click Next.
Remove the Enterprise pool only after you have deactivated and removed the files from all but
one server in the pool. Do not remove a pool unless you are certain that the pool is no longer
used by any servers or users. After you remove this pool, you must delete its configuration from
the load balancer.
To remove a pool
1. Log on as a member of the RTCDomainServerAdmins group to a Live
Communications Server that is a member of the same domain as the Enterprise pool
that you are removing. The computer can be anywhere in the enterprise, as long as it
is joined to a domain and the user account has the necessary group membership.
2. Click Start, point to All Programs, point to Administrative Tools, and then click
Live Communications Server 2005.
3. In the console tree, expand Live Communications Server 2005 with SP1.
4. Expand nodes under the Domains node until you reach the domain in which the
server or pool resides.
5. Expand Live Communications servers and pools.
6. Right-click the pool, and then click Remove pool.
7. Deactivate and remove Live Communications Server 2005 with SP1 from this server
as described earlier in this section.
