Deploying Lync 2010 - Lesson 1


How to deploy Lync 2010

Transcript of Deploying Lync 2010 - Lesson 1

Page 1: Deploying Lync 2010 - Lesson 1

Lesson 1: Preparing for Deployment
Tuesday, October 01, 2013 12:25 AM

In this lesson, you will review the necessary steps for preparing for a Lync Server 2010 deployment. This includes preparing the infrastructure, ensuring that the appropriate software and hardware components are in place, planning for certificates, and considering the client, device, and network requirements.

Objectives

After completing this lesson, you will be able to:

• Inspect the Active Directory infrastructure.
• Assess load-balancing options.
• Validate the required operating system and Microsoft Windows® components.
• Consider an internal versus an external public key infrastructure (PKI) solution.
• Examine the client requirements.
• Examine the device requirements.
• Describe the physical network and file share requirements.

Lesson 1 Page 1

Active Directory Infrastructure Requirements

Lync Server 2010 communications software supports the same AD DS topologies as Microsoft Office Communications Server 2007 R2 and Microsoft Office Communications Server 2007. The following topologies are supported:

• Single forest with single domain. This is a common and simple topology.
• Single forest with multiple domains. In this topology, the domain where you create users can be different from the domain where you deploy Lync Server 2010. However, you must deploy an Enterprise pool within a single domain. Lync Server 2010 contains support for Windows universal administrator groups, which enables cross-domain administration.
• Single forest with multiple trees. This topology consists of two or more domains that define independent tree structures and separate Active Directory namespaces.
• Multiple forests in a central forest topology. This topology uses contact objects to represent users in other forests. The central forest hosts user accounts for any users in the forest. A directory synchronization product, such as Microsoft Identity Integration Server (MIIS), Microsoft Forefront® Identity Manager (FIM) 2010, or Microsoft Identity Lifecycle Manager (ILM) 2007 Feature Pack 1 (FP1) is used to synchronize the creation or deletion of user accounts within the organization.
• Multiple forests in a resource forest topology. In this topology, one forest is dedicated to running server applications, such as Microsoft Exchange Server and Lync Server 2010. The resource forest hosts the server applications and a synchronized representation of the active user object, but it does not contain logon-enabled user accounts. When you deploy Lync Server 2010 in this type of topology, you create one disabled user object in the resource forest for every user account in the user forests. If Microsoft Exchange is already deployed in the resource forest, the disabled user accounts may already exist. A directory synchronization product manages the life cycle of user accounts.

Active Directory Requirements

Before you start the process of preparing AD DS for Lync Server 2010, you must ensure that all domain controllers (including global catalog servers) meet the following prerequisites:

• Microsoft Windows Server® 2008 R2, Windows Server 2008, Windows Server 2003 R2, or Windows Server 2003 must be installed.
• All domains must be raised to Windows Server 2003 domain functional level.
• The forest must be raised to a Windows Server 2003 forest functional level.

Lync Server 2010 supports AD DS deployments that include read-only domain controllers or read-only global catalog servers, as long as there are writable domain controllers available.

Load Balancing Options

Lync Server 2010 supports Domain Name System (DNS) load balancing for many features of Front End pools, Edge server pools, Director pools, and stand-alone Mediation server pools.

DNS Load Balancing on Front End Pools and Director Pools

DNS load balancing is supported only by servers running Lync Server 2010 and Lync Server 2010 clients. You cannot achieve load balancing of connections from older clients and servers by implementing DNS round robin on the DNS server—a hardware load balancer is required. Additionally, if you are using Exchange Unified Messaging (UM), only Exchange Server 2010 SP1 interoperates with Lync Server 2010 DNS load balancing.

To deploy DNS load balancing on Front End pools and Director pools, you must:

• Create two fully qualified domain names (FQDNs). A regular pool FQDN is required on the DNS server for resolving the physical Internet Protocol (IP) addresses of the servers in the pool, and another FQDN is required on the hardware load balancer for web services to resolve the virtual IP address of the pool. You create this extra FQDN for the pool’s web services by using Topology Builder.
• Provision DNS. Provision the DNS server to resolve the pool FQDN to the IP addresses of all servers in the pool.

DNS Load Balancing on Edge Server Pools

We recommend that you deploy DNS load balancing on the external interface of your Edge servers. You can also deploy load balancing on the internal interface; however, when an Edge server has failed, failover is lost and some users might experience a denial of request.

To deploy DNS load balancing on the external interface of your Edge server pool, you must create the following DNS entries:

• Lync Server Access Edge service. Create one entry for each server in the pool. Each entry must resolve the FQDN of the Lync Server Access Edge service to the IP address of the Lync Server Access Edge service on one of the Edge servers in the pool.
• Lync Server Web Conferencing Edge service. Create one entry for each server in the pool. Each entry must resolve the FQDN of the Lync Server Web Conferencing Edge service to the IP address of the Lync Server Web Conferencing Edge service on one of the Edge servers in the pool.
• Lync Server Audio/Video Edge service. Create one entry for each server in the pool. Each entry must resolve the FQDN of the Lync Server Audio/Video (A/V) Edge service to the IP address of the Lync Server A/V Conferencing Edge service on one of the Edge servers in the pool.

Using DNS Load Balancing on Stand-Alone Mediation Server Pools

You can use DNS load balancing on stand-alone Mediation server pools without the need for a hardware load balancer. All Session Initiation Protocol (SIP) and media traffic is balanced by DNS load balancing.

To deploy DNS load balancing on a Mediation server pool, you must provision DNS to resolve the pool FQDN to the IP addresses of all servers in the pool.
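
The DNS provisioning rules above for Front End, Director, Edge, and stand-alone Mediation server pools can be checked against a zone export before deployment. The Python script below is an added example, not part of the original lesson or of Lync Server; the contoso.test names, the addresses, and the TOPOLOGY and ZONE structures are constructed sample values.

```python
import ipaddress
from collections import defaultdict

# Constructed topology: every name and address is a hypothetical sample value.
TOPOLOGY = {
    "dns_balanced_pools": [
        {"fqdn": "pool01.contoso.test",  # Front End pool
         "servers": ["10.0.0.11", "10.0.0.12", "10.0.0.13"],
         "web_fqdn": "web-pool01.contoso.test", "hlb_vip": "10.0.0.50"},
        {"fqdn": "medpool.contoso.test",  # stand-alone Mediation server pool
         "servers": ["10.0.0.21", "10.0.0.22"]},
    ],
    "edge_services": {"access": "sip.contoso.test", "av": "av.contoso.test",
                      "webconf": "webconf.contoso.test"},
    "edge_servers": [  # external address of each service on each Edge server
        {"access": "192.0.2.11", "webconf": "192.0.2.21", "av": "192.0.2.31"},
        {"access": "192.0.2.12", "webconf": "192.0.2.22", "av": "192.0.2.32"},
    ],
}

# Constructed zone data with four deliberate mistakes (see the comments).
ZONE = """
pool01.contoso.test.      3600 IN A 10.0.0.11
pool01.contoso.test.      3600 IN A 10.0.0.12   ; 10.0.0.13 was never added
web-pool01.contoso.test.  3600 IN A 10.0.0.11   ; a server address, not the VIP
medpool.contoso.test.     IN A 10.0.0.21
medpool.contoso.test.     IN A 10.0.0.22
sip.contoso.test.         IN A 192.0.2.11
sip.contoso.test.         IN A 192.0.2.12
webconf.contoso.test.     IN A 192.0.2.21       ; second Edge server missing
av.contoso.test.          IN A 192.0.2.31
av.contoso.test.          IN A 192.0.2.32
av.contoso.test.          IN A 192.0.2.99       ; decommissioned Edge server
"""

def parse_a_records(zone_text):
    """Return {fqdn: {IPv4, ...}} from 'name [ttl] [IN] A address' lines."""
    records = defaultdict(set)
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()  # drop comments, tokenize
        if len(fields) < 3 or fields[-2].upper() != "A":
            continue  # blank line or not an A record
        name = fields[0].rstrip(".").lower()
        records[name].add(str(ipaddress.IPv4Address(fields[-1])))  # raises if malformed
    return dict(records)

def expected_records(topology):
    """Derive the A records the topology requires under the rules above."""
    want = {}
    for pool in topology["dns_balanced_pools"]:
        want[pool["fqdn"]] = set(pool["servers"])  # pool FQDN -> every server
        if "web_fqdn" in pool:  # web services FQDN -> load balancer VIP only
            want[pool["web_fqdn"]] = {pool["hlb_vip"]}
    for service, fqdn in topology["edge_services"].items():
        # one entry per Edge server, each pointing at that server's service address
        want[fqdn] = {server[service] for server in topology["edge_servers"]}
    return want

def audit(records, expected):
    """Return sorted (fqdn, finding, address) tuples: 'missing' means a required
    address is not published, 'stale' means a published address is not in the
    topology (an old server or a wrong target)."""
    findings = []
    for fqdn, want in expected.items():
        have = records.get(fqdn.lower(), set())
        findings += [(fqdn, "missing", ip) for ip in want - have]
        findings += [(fqdn, "stale", ip) for ip in have - want]
    return sorted(findings)

if __name__ == "__main__":
    for fqdn, finding, ip in audit(parse_a_records(ZONE), expected_records(TOPOLOGY)):
        print(f"{finding:8} {fqdn:26} {ip}")
```

A "stale" finding on an externally published Edge name deserves priority, because clients keep connecting to an address the pool no longer controls.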

Operating System and Windows Component Requirements

In addition to the hardware and operating system requirements for server platforms, Lync Server 2010 may require the installation of additional software on the servers that you deploy. Some of the software requirements only apply to specific server roles or components, so they may not be required for your particular deployment. The slide lists all of the software components that may be required for Lync Server 2010. However, this topic covers only those software components that you may need to download, enable, or install that are not automatically installed during the Lync Server 2010 setup process.

Before deploying Lync Server 2010, you must install the following operating system updates:

• Microsoft Knowledge Base article 968929, “Windows Management Framework (Windows PowerShell™ 2.0, WinRM 2.0, and BITS 4.0),” at http://go.microsoft.com/fwlink/?linkid=197390
• For each server that has Microsoft Internet Information Services (IIS) installed, you must install the following updates:
  o IIS URL Rewrite module at http://go.microsoft.com/fwlink/?linkid=197391
  o IIS Application Request Routing module at http://go.microsoft.com/fwlink/?linkid=197392

Windows PowerShell Version 2.0

Lync Server 2010 Management Shell requires Microsoft Windows PowerShell command-line interface version 2.0. You must remove previous versions of Windows PowerShell prior to installing Windows PowerShell version 2.0.

For details about downloading Windows PowerShell version 2.0, see Knowledge Base article 968929, “Windows Management Framework (Windows PowerShell 2.0, WinRM 2.0, and BITS 4.0),” which is available at http://go.microsoft.com/fwlink/?linkid=197390.

Microsoft .NET Framework Requirements

The 64-bit edition of Microsoft .NET Framework 3.5 with SP1 is required for Lync Server 2010. The setup process of Lync Server 2010 prompts you to install this prerequisite, and it automatically installs it if it is not already installed on the computer. However, if you install Lync Server 2010 by using the command line, you need to manually install .NET Framework 3.5 SP1 on the server, which is available at http://go.microsoft.com/fwlink/?linkid=197398.

Microsoft Visual C++ 2008 Redistributable Package Requirements

The Microsoft Visual C++® 2008 redistributable package is required for Lync Server 2010. If you install Lync Server 2010 by using the Lync Server Deployment Wizard, setup prompts you to install this prerequisite. However, if you install Lync Server 2010 by using the command line, you need to manually install this prerequisite on the server, which is available at http://go.microsoft.com/fwlink/?linkid=197399.

Message Queuing

Lync Server 2010 uses the Microsoft Message Queuing (MSMQ) technology with the following server roles:

• Front End server
• Mediation server
• Archiving server
• Monitoring server
• A/V Conferencing server

The Message Queuing service must be enabled on all servers prior to deploying any of the above listed server roles. Message Queuing can be installed as an optional feature in Windows Server 2008.

Windows Installer Version 4.5

Lync Server 2010 uses Windows Installer technology to install, uninstall, and maintain various server roles. Windows Installer version 4.5 is available as a redistributable component for the Windows Server operating system, which is available at http://go.microsoft.com/fwlink/?linkid=197395.

Windows Media Format Runtime Requirements

To use the Call Park, Announcement, and Response Group applications, you must install Windows Media Format Runtime on Front End servers. We recommend that you install Windows Media Format Runtime before installing Lync Server 2010. If Lync Server 2010 does not find this software on the server, it will prompt you to install it; you must then restart the server to complete the installation.

Certificate Infrastructure Requirements

Lync Server 2010 requires a PKI to support Transport Layer Security (TLS) and mutual TLS (MTLS) connections, as well as other services. If you are allowing external access, a PKI infrastructure must be in place. We recommend that you use certificates issued from a public certification authority (CA).

Additional requirements for certificates include:

• All server certificates must support server authentication (Server EKU).
• Auto-enrollment is supported for internally facing servers, but it is not supported for Edge servers.

Internally Facing Servers

The internal servers that require certificates include:

• Standard Edition server
• Enterprise Edition Front End server
• Stand-alone A/V Conferencing server
• Mediation server
• Director server

You can use the Lync Server 2010 Certificate Wizard to request these certificates. Although using certificates from an internal CA is recommended for internal servers, you can also obtain certificates for internal servers from a public CA.

External User Access

Lync Server 2010 supports the use of a single certificate for Access and Web Conferencing Edge external interfaces, and the internal interface of the A/V Edge. The Edge internal interface can use either a private or a public certificate.

Requirements for the private (or public) certificate used for the Edge internal interface are as follows:

• The certificate must be issued by an internal CA or an approved public CA that supports subject alternative name. For details, see Knowledge Base article 929395, “Unified Communications Certificate Partners for Exchange Server and for Communications Server,” at http://go.microsoft.com/fwlink/?LinkId=140898.
• If the certificate will be used on an Edge pool, it must be created as exportable, with the same certificate used on each Edge server in the Edge pool.
• The subject name of the certificate is the Edge internal interface FQDN or hardware load balancer virtual IP (VIP) address (for example, csedge.contoso.com).
• No subject alternative name list is required.

If you are deploying multiple, load-balanced Edge servers at a site, the A/V authentication certificate that is installed on each Edge server must be from the same CA and must use the same private key. In other words, the certificate must be exportable if it is to be used on more than one server.

Note: Microsoft recommends that both NTLM and Kerberos be enabled as authentication options if you plan to support remote users.

Group Chat

To install Lync Server 2010 Group Chat, you must have a certificate issued by the same CA as the one used by Lync Server 2010 internal servers for each server running the Lookup service, Channel service, and Web service. Ensure that you have the required certificate(s) before you start the Group Chat installation, especially if you are using an external CA.

Client Requirements

Before deploying Lync 2010 clients, you must configure several essential policies and settings. These include client bootstrapping policies, client version policy, and key in-band provisioning settings.

Client Bootstrapping Policies

Client bootstrapping policies specify, for example, the default servers and security mode that the client should use until sign-in is complete. Because client bootstrapping policies take effect before the client signs in and begins receiving in-band provisioning settings from the server, you use Group Policy to configure them.

Client Version Policy

The default Client Version Policy requires that all clients are running a minimum of Microsoft Office Communicator 2007 R2. If clients in your environment are running earlier versions of Communicator, you might need to reconfigure the Client Version rules to prevent clients and devices from being unexpectedly blocked or updated when connecting to Lync Server 2010. You can modify the default rule, or you can add a rule higher in the Client Version Policy list to override the default rule. Additionally, as cumulative updates are released, you should configure the Client Version Policy to require the latest updates. The following options are available when editing the client version policy:

• Allow the client to log on.
• Allow the client to log on and receive updates from Windows Server Update Service or Microsoft Update.
• Allow the client to log on and display a message about where to download another client version.
• Block the client from logging on.
• Block the client from logging on and allow the client to receive updates from Windows Server Update Service or Microsoft Update.
• Block the client from logging on and display a message about where to download another client version.

Key In-Band Settings

Most of the Group Policy settings in Lync Server 2010 are controlled by server-based client policies, also known as in-band provisioning. In-band provisioning settings can significantly impact the user experience and therefore should be configured before client deployment. In Lync Server 2010, client policies (except for those required for bootstrapping) are configured by using the Windows PowerShell cmdlets New-CsClientPolicy or Set-CsClientPolicy.

Device Requirements

Lync Server 2010 expands the line of available unified communications (UC) devices to include a new line of IP phones. Before you deploy UC phones, ensure that the following recommended Lync Server 2010 communications software components are in place.

Device Update Service

The Device Update service, which is an automated way to update your IP phones, is installed with web services on the Front End server.

NOTE: In Lync Server 2010 Enterprise Edition, you may have multiple servers in the pool. For each instance of web services running on servers in a pool, there is a separate instance of the Device Update service running in the pool. When you make a configuration change to the Device Update service, the changes are propagated to all servers in that pool, but not to servers in any other pool.

Enterprise Voice

Enterprise Voice is the voice over Internet Protocol (VoIP) solution in Lync Server 2010 that allows users to make calls and use rich communication and collaboration features, such as viewing enhanced presence information or location information for contacts in your organization’s address book.

Enterprise Voice must be enabled for each device user. To check whether Enterprise Voice is enabled for a user, in Lync Server Control Panel, find the user and then view the user’s details. If the user is enabled for Enterprise Voice, the check box Enabled for Lync Server will be selected, and the Telephony drop-down list will show Enterprise Voice as selected.

Contact Objects for Common Area Phones and Analog Devices

You must associate all phones with a specific user or an Active Directory contact object. With contact objects, as with user accounts, you can assign policies and voice plans for managing the device.

NOTE: When you create a contact object for an analog device (for example, by using the New-CSAnalogDevice command), you must specify the correct categorization of the analog device as either a fax machine (such as fax, modem, Teletype-33 (TTY)) or a voice device. The designation of fax affects how the call will be routed.

Dial Plans, Voice Policies, and Outbound Call Routes

Before deploying Lync Server 2010, you must set up the following rules for users:

• Dial plans. Dial plans are sets of normalization rules that translate phone numbers for a given location, user, or contact object into a single standard (E.164) format. This allows UC device users to make calls to the public switched telephone network (PSTN).
• Voice policies. Voice policies are records that define call permissions for users, sites, or an entire organization, and include various calling features that can be enabled or disabled as appropriate. Voice policies must be set up for device users.
• Call routes. Call routes are rules that specify how Lync Server 2010 handles outbound calls from UC devices. Lync Server 2010 uses routes to associate a target phone number with one or more media gateways or SIP trunks and one or more PSTN usage records.

Least-Cost Routing

Lync Server 2010 enables you to specify the PSTN gateways through which you want to route numbers. The recommended best practice is to select routes that incur the lowest costs and implement them accordingly. When selecting a gateway, choose the one closest to the destination location to minimize long-distance charges. For example, if you are in New York and calling a number in Rome, you should carry the call over the IP network to the gateway in your Rome office, thereby incurring a charge only for a local call.

You use Lync Server Control Panel to verify whether dial plans, voice policies, and call routes are set up for users, and to set up or modify these user policies.

Note: If your organization has Microsoft Exchange Server deployed, you can also configure Exchange UM and Lync Server 2010 to work together.

PIN Authentication and Policy

If you are deploying the new line of IP phones—Aastra 6721ip, Polycom CX600, Polycom CX500, or Polycom CX3000—you must enable personal identification number (PIN) authentication on Lync Server 2010, and set the appropriate PIN policy. This allows automatic authentication when a user signs in. You set the PIN policy on the PIN Policy page of the Security group in Lync Server Control Panel. Also in Security, you should click Web Service and verify that PIN authentication is enabled in the Global policy.

Physical Network and File Share Requirements

The proper network infrastructure for your Lync Server 2010 deployment is vital to both user adoption and the overall success of your communication system. Inadequate network throughput increases response times and can result in a solution that fails to achieve the goals of enhanced collaboration and connectivity. The network adapter card of each server in the Lync Server 2010 topology must support at least 1 gigabit per second (Gbps). In general, you should connect all server roles by using a low-latency and high-bandwidth local area network (LAN). The size of the LAN is dependent on the size of the topology:

• Standard Edition topologies. Servers should be in a network that supports 1 Gbps Ethernet or equivalent.
• Front End pool topologies. Most servers should be in a network that supports more than 1 Gbps, especially when supporting A/V conferencing and application sharing.

PSTN integration can be achieved with a supported PSTN Gateway, IP-PBX, or SIP trunk.

Media Requirements

Follow these recommendations for optimized A/V in a Lync Server 2010 deployment:

• Configure the external firewall as a NAT (whether the site has only a single Edge server or multiple Edge servers deployed).
• Deploy the media subsystem within an existing Quality of Service (QoS) infrastructure that prioritizes capacity for PSTN data flows.
• Disable Internet Protocol security (IPsec) over the port ranges used for A/V traffic.

Ensuring Media Quality

For optimal media quality, you must ensure that proper network provisioning and capacity planning has been performed:

• Lync Server 2010 media endpoints can adapt to varying network conditions. However, in an under-provisioned network, the ability of the Lync Server 2010 media endpoints to dynamically deal with varying network conditions (for example, temporary high packet loss) is reduced.
• Networks must be provisioned to support throughput of 45 kilobits per second (Kbps) per audio stream and 300 Kbps per video stream, if enabled, during peak usage periods.
• For network links where provisioning is extremely costly and difficult, you might need to consider provisioning for a lower volume of traffic. In this scenario, you let the elasticity of the Lync Server 2010 media endpoints absorb the difference between that traffic volume and the peak traffic level, at the cost of some reduction in quality. However, in this case, there is a decrease in the system’s ability to absorb sudden peaks in traffic.
• For links that cannot be correctly provisioned in the short term (for example, a site with very poor wide area network [WAN] links), consider disabling video for certain users.
• Provision your network to ensure a maximum end-to-end delay (latency) of 150 milliseconds (ms) under peak load. Latency is the one network impairment that Lync Server 2010 media components cannot reduce, and it is important to find and eliminate the weak points.