On Consulting

John | Consulting,IT Design | Monday, June 23rd, 2008

I have a habit of tearing out interesting articles from newspapers.  I rip them out, fold them, and stuff them into the breast pocket of my suit.

This has the interesting side effect of letting interesting nuggets of information surface when I least expect it.  Today I found a fragment of an article that I tore out ages ago, and it could not have appeared at a better time, as I was contemplating how to tackle a rather large engagement that we’ve started.

I have no idea what the source of this is other than it’s from a British newspaper sometime between 2006 and 2007.

There are two dangers in consultation. On the one hand, it can simply be lip service, or window dressing, at one extreme; and at the other extreme it can be the experts almost abandoning their responsibilities, saying to people – "What do you want? We will then build it." If experts are worth anything, they know about pre-risk experience, about how things have been done differently elsewhere. They can look after the longer term and, to my mind, "longer term" sums up the nature but also the problems and the opportunities [in this type of work].

Sunand Prasad

President of the Royal Institute of British Architects

Why do people hire consultants?  I think there are two main reasons:

First, if you’re having a lot of pain, you may want to hire someone to take the pain away.  By and large, this reason applies to contract consulting (we need 1,000 pages of documentation in order to meet a regulatory requirement – let’s hire some unsuspecting consultant to do it), or to outsourcing companies (we’re still running Windows 98 in the accounting department – anyone want to migrate our users’ data to our new systems?  Anyone?).

The second reason is exemplified by Mr. Prasad’s quote.  Consultants tend to focus on a particular area and then do lots of projects in that area.  We’ve not done something once, but dozens or even hundreds of times.  The experience and insight developed from these activities means that we can build risk mitigation into the design and into the system.  It also means that we understand how things have been done elsewhere.  We constantly refine our approach, picking up best practices and lessons learned.  We build flexibility into the system when possible so that it can be changed or amended later.

An equally smart but novice designer will spend too much time trying to figure out what to do, essentially because of the fear that an action taken now could cause an irreversible problem in the future.  They will spend too much time and still not get it quite right.

When used correctly, consultants can save companies immeasurable amounts of time and resources by eliminating future problems before they happen.

This also requires a responsible consultant: one who is aware of her practice as craftsmanship, who does not pay lip service, and who does not go in too far over her head in doing "whatever the client wants."

-John Lamb, Modality Systems


Tanjay Update Server Blues

John | Office Communications Server,Office Communicator,tanjay | Wednesday, June 4th, 2008

There are two kinds of people in this world:  Those who have tried to install and configure the "Microsoft Office Communicator, Phone Edition Software Update Service" (aka, the Tanjay Update Server)… and those who haven’t.

If you have, you’re probably smirking because you know what I’m talking about.  If you haven’t yet, I might suggest you let sleeping monsters lie. 

Though if you’re a brave knight and want to test your luck, help is available.  I’ve been working with Microsoft and we’re documenting solutions to the most common problems. 

TomL (LCSKid) has posted our work over on his blog: http://blogs.technet.com/toml/archive/2008/06/02/update-server-problems-with-configupdateserver-vbs.aspx

Thomas Lee (from Global Knowledge) also has an excellent post on his blog that covers the infrastructure requirements: http://cacorner.blogspot.com/2008/05/getting-tanjay-working.html

If you have any questions or issues not covered in these blog posts, please post a comment or email me.  We’re tracking the problems and will post updates with solutions.  Thanks!

-John Lamb, Modality Systems

What does the OCS Setup Delegation Wizard do, exactly?

John | Office Communications Server | Wednesday, June 4th, 2008

We’ve just been through the exercise that every IT consultant / engineer / analyst goes through at some point: the reverse engineering of permissions applied to Active Directory objects.

Hopefully this post will spare you the tedious task.

In this particular case, we needed to give a non-Domain Administrator the ability to install and activate an OCS 2007 server. 

The OCS installation wizard (setup.exe) and the command-line configuration tool (LCSCmd.exe) both give you a simple way to delegate installation and activation of OCS Servers.  The challenge, however, was that our client wanted to know “what, exactly” was being delegated.  It’s a fair question: what would be the point of having a Domain Admin delegate permissions to a user if the user received 90% of the privileges of the Domain Admin as a result of the delegation?

Presumably, the OCS delegation wizard only delegates the minimum permissions required to do the job.  That is what we set out to prove.

OCS Installer Group Required

First, you must pre-create an AD security group that will receive the delegated permissions.  Let’s call this “OCSInstallersGroup” for the purposes of the example.

Any user who will perform installation and activation of OCS servers will become a member of this group.   The delegation wizard delegates permissions to this group, not to an individual user.

OCS Service Accounts Required

Before running the delegation wizard (or LCSCmd) you will also need to know the names of the OCS SIP Service and OCS Component Service accounts.  These are AD user accounts that are used to run the various OCS Server services.  If this will be the first OCS Server in the domain, you will need to pre-create these user accounts.

  • OCS SIP Service Account (default: RTCService)
  • OCS Component Service Account (default: RTCComponentService)

Delegation Wizard Inputs

The delegation wizard must be run by a user who is a member of the Domain Admins group in the domain where the OCS Servers are being installed.

The wizard requires five inputs:

  1. TrusteeGroup:  The name of the OCS Installer Group, e.g., OCSInstallersGroup
  2. TrusteeDomain:  The domain where the group exists, e.g., europe.yourcompany.com
  3. SIPServiceAccount:  The name of the OCS SIP Service account, e.g., RTCService
  4. ComponentServiceAccount:  The name of the OCS Component Service Account, e.g., RTCComponentService
  5. ComputerOU:  The DN of the OU where the OCS Servers are located, e.g., OU=OCS2007,OU=Servers,DC=europe,DC=yourcompany,DC=com

Delegation Wizard Outputs

The wizard performs the following tasks:

1.  The TrusteeGroup is added to the following groups:

  • RTCUniversalGlobalWriteGroup – Members have write access to RTC global settings
  • RTCUniversalGlobalReadOnlyGroup – Members have read access to RTC global settings

(The OCS Global Settings are AD objects typically stored in the configuration partition at: CN=Global Settings,CN=RTC Service,CN=Services,CN=Configuration,DC=yourcompany,DC=com.   In some cases, the Global Settings may be stored in the Root Domain Partition instead.)

2.  The TrusteeGroup is granted Read and Write permissions* to the ComputerOU (the OU containing the OCS Servers).

3.  The TrusteeGroup is granted Read/Write Service Principal Name (SPN) permissions* on the OCS SIP Service Account object.

4.  The TrusteeGroup is granted Read/Write Service Principal Name (SPN) permissions* on the OCS Component Service Account object.

*  If you would like to see a list of the specific Access Control Entries (ACEs) that are applied in Steps 2 – 4, we’ve documented them here.
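To confirm what the wizard actually granted rather than taking it on faith, here is an added PowerShell audit script (not from the original post, and not a Microsoft tool) that checks the four outputs above for the example names used in this post; it assumes the RSAT ActiveDirectory module is installed and that the RTC universal groups live in the forest root domain.

```powershell
# Added audit script (not from the post): verify the four things the OCS
# delegation wizard is said to do, using the example names from the post.
# Assumptions: RSAT ActiveDirectory module; RTC universal groups in the forest root domain.
Import-Module ActiveDirectory

$TrusteeGroup    = 'OCSInstallersGroup'
$ComputerOU      = 'OU=OCS2007,OU=Servers,DC=europe,DC=yourcompany,DC=com'
$ServiceAccounts = 'RTCService', 'RTCComponentService'

$domain    = Get-ADDomain
$trustee   = Get-ADGroup -Identity $TrusteeGroup
$trusteeNt = "$($domain.NetBIOSName)\$($trustee.SamAccountName)"
$rootDc    = (Get-ADForest).RootDomain

# schemaIDGUID of servicePrincipalName: an ACE scoped to only that attribute
# carries this value in ObjectType; any other write ACE is broader than "SPN write".
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$spnAttr  = Get-ADObject -Identity "CN=Service-Principal-Name,$schemaNc" -Properties schemaIDGUID
$spnGuid  = New-Object System.Guid (,[byte[]]$spnAttr.schemaIDGUID)
# Step 1: membership in the two RTC universal groups.
foreach ($g in 'RTCUniversalGlobalWriteGroup', 'RTCUniversalGlobalReadOnlyGroup') {
    $members  = Get-ADGroupMember -Identity $g -Server $rootDc
    $isMember = [bool]($members | Where-Object { $_.SID -eq $trustee.SID })
    '{0,-34} contains {1}: {2}' -f $g, $TrusteeGroup, $isMember
}

# Explicit (non-inherited) ACEs on one object that name the trustee group.
function Get-TrusteeAces([string]$DistinguishedName) {
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -in $trusteeNt, $trustee.SID.Value } |
        Select-Object @{n='Object'; e={ $DistinguishedName }}, AccessControlType,
            ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}

# Step 2: rights on the OU that holds the OCS servers.
Get-TrusteeAces $ComputerOU | Format-Table -AutoSize
# Steps 3 and 4: rights on the service accounts. Read plus SPN-scoped write is
# what the post describes; any write right with a different ObjectType is wider.
$writeRights = 'WriteProperty|Self|GenericWrite|GenericAll|WriteDacl|WriteOwner'
foreach ($sam in $ServiceAccounts) {
    $dn   = (Get-ADUser -Identity $sam).DistinguishedName
    $aces = Get-TrusteeAces $dn
    $aces | Format-Table -AutoSize
    $wide = $aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        "$($_.ActiveDirectoryRights)" -match $writeRights -and $_.ObjectType -ne $spnGuid }
    if ($wide) { Write-Warning "$sam : trustee has write rights not scoped to servicePrincipalName" }
}
```

Anything the final loop warns about is a grant wider than the post describes and worth reviewing before the group is handed to an installer.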

Analysis

Our findings were pretty much what we expected.  The person installing OCS needs to be able to create the Pool and Server objects in the Global Settings, and they need to be able to register new Service Principal Names in AD (use a utility like SetSPN.exe to see what these are).

We were happy with this… and more importantly, our client was happy with this. 

John Lamb, Modality Systems


© 2007–2008 Modality Systems Limited