1. Microsoft Lync Server 2010: Management and Admin Experience (Module 05), Microsoft Corporation
2. Session Objectives and Takeaways
Session Objectives:
Describe the implications of our investments in PowerShell and delegation (Role Based Access Control (RBAC)) for Lync Server 2010
Navigate the Lync Server 2010 Control Panel, the graphical administrative tool for this release
Takeaways:
Understand our management experience investments in Lync Server 2010
Describe the Lync Server 2010 management experience
Slide Objective: To set expectations for student learning in this section
Notes: Read the objectives listed on the slide.
3. Agenda
Experience: Lync Server Control Panel and PowerShell
Demos: Management Experience
Experience: RBAC
Demo: RBAC
Slide Objective: Explain the agenda for this presentation
Notes:
The majority of this presentation will focus on the demos. Each section will have a few slides followed by demos to show the functionality.
4. Management Experience Investments
PowerShell Foundation for Administration
All management functions run in PowerShell
Full PowerShell 2.0 capabilities leveraged for Lync Server 2010
New Silverlight-based Graphical User Interface (GUI) tool
Lync Server Control Panel
Addresses key pain points from OCS 2007 R2
No Microsoft Management Console (MMC) for Lync Server 2010
RBAC
Supported throughout Lync Server Control Panel and PowerShell
Built-in and customer-defined roles available
Slide Objective: Explain the major investments for manageability
Notes:
Each of these topics will be covered in detail in further slides. Talk at a high level about the three areas of focus for the Lync Server 2010 management experience.
PowerShell
The investment in PowerShell gives Lync Server 2010 the same management interface as other Microsoft technologies such as Exchange, Active Directory, and SQL.
All management functions will be available in PowerShell. This will replace WMI as the supported management interface for scripting technologies.
Full PowerShell 2.0 capabilities
Most notably PowerShell Remoting, which allows you to execute cmdlets on the Lync Server 2010 server from a remote machine running PowerShell 2.0
Lync Server Control Panel
Replaces the MMC experience. No more multiple management layers and right-click menus.
Role Based Access Control (RBAC)
Allows administrators to assign management roles to user groups (e.g. telephony admin)
RBAC roles will limit the viewable management scope in Lync Server Control Panel and when using PowerShell remoting
5. Manageability Experience: Lync Server Control Panel
Slide Objective: This is a section break slide for introducing the Lync Server Control Panel
Notes:
Introduce Lync Server Control Panel
6. Lync Server Control Panel: What Is It?
A Web-based, scenario-driven management GUI for Lync Server 2010
Based on Silverlight 4 and PowerShell
Targeted to expose the most relevant PowerShell-delivered features and settings
GUI tool includes
Discoverable dialogs
Easy and fast searches
Effective policy view
Voice dial-plan support built-in
No cascading property sheets
And more
Replaces MMC-based snap-in used in previous OCS releases
Slide Objective: Explain what the Lync Server Control Panel is
Notes:
Lync Server Control Panel is the GUI management tool for Lync Server 2010
It is a web-based Silverlight application used to manage the key administrative tasks
There are features like E-911 and bandwidth management that are not exposed in Lync Server Control Panel and must be managed via PowerShell
Includes Route Helper functionality
Can be scoped to specific admin scenarios using RBAC
Reduces the confusion between objects (Routes, Policies, and Phone Usages)
The web-based approach removes the limitations of the MMC used in previous releases
No need to deploy admin tools to multiple machines
Easier navigation experience
Better search capability
7. Why Lync Server Control Panel?
Usability studies and customer feedback:
MMC UI in OCS 2007 R2 is difficult to navigate/deploy/manage
Multiple places/levels to configure the same thing
Risk of out-of-sync configurations/validation prior to changes not adequate
Management tasks spread across different tools (Active Directory Administrative Center (ADAC), OCS, MMC, etc.)
Slide Objective: Explain the rationale behind the new Lync Server Control Panel approach
Notes:
Lync Server Control Panel was designed to address the pain points from managing previous versions
The MMC UI limited the ways in which settings could be shown and configured
It was difficult to determine what an end user's experience would be with multiple configuration locations (e.g. meeting policies and GPOs or local registry settings)
Tools like Route Helper could introduce multiple versions of data with the risk of out-of-sync configurations
There was no single management tool. Servers and users had to be managed with separate tools.
8. Lync Server Control Panel Addresses Key Customer Feedback
No need for multiple tools
Response Group management integrated
Route Helper Tool (OCS 2007, OCS 2007 R2) integrated
External access management consolidated
All policies are reflected in single tool
Easy to see and understand a user's effective policy
Navigation cleaner and easier
Bread crumbing provides context on task
Queries can be saved and re-used
Consistent tools, look, and feel throughout UI
Slide Objective: Discuss how Lync Server Control Panel addresses key customer feedback
Notes:
Lync Server Control Panel replaces multiple administrative tools from previous releases
OCS management MMC
Active Directory Users and Computers
Response Group Tools (rsgcot.exe, MMC, web workflow configuration)
WMI
GPOs
Local registry settings
Control more client settings via in-band provisioning
This allows you to easily see what features a user is allowed to use in a single place
Multiple policy settings and scopes
New policy settings include
Call forwarding
Delegation
Call transfer
Call park
Simultaneous ring options
Team Call
PSTN reroute
Bandwidth policies
Malicious call tracing
Navigation makes it easier to identify the proper location for setting configuration
No more is this a global, pool, or server setting?
9. Topology Model
Global Microsoft Lync Server 2010 Deployment is a collection of Sites
Sites are made up of Pools
Pools host:
Services (such as Instant Messaging (IM), Conferencing, Voice over Internet Protocol (VoIP))
Users
Slide Objective: Describe the topology model and terms used with Lync Server 2010 scopes
Notes:
The topology model is important when considering the scope for which policies will take effect.
Global: There is only one global level. Setting at this level would affect all users
Sites: Sites relate to the sites defined in Topology Builder
NOTE: The term should not be confused with Active Directory Sites
Pools: Pools relate to Enterprise or Standard edition pools deployed within sites
User: User is the fourth scope, which is not shown. Policies can be assigned at the user level.
10. Policy Scopes and Resolution
Configuration:
Data/settings needed by a component/service. Applies to all requests equally
Policy:
Data needed to process a request. Implies lookup and resolution
Policy Scopes:
Global
Site
Pool (or service)
User
Policy Resolution Order:
Closest policy to the user wins
User > Pool > Site > Global
Slide Objective: Describe the role of policies and how they relate to scopes
Notes:
Configurations are applied to components/services. These should not be confused with policies, which are applied at topology levels and affect user experience.
Policies allow you to define the features/functionality that a user or set of users is allowed to use
Policies can be applied at each of the four levels (Global, Site, Pool, User)
Policies are always applied in the same order, with the closest policy to the user taking precedence
A global policy will apply to all users unless the user has another policy set at the site, pool, or user level.
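The resolution order above (User > Pool > Site > Global), modeled as an added PowerShell example that is not part of the original deck. The policy store, users, pool names, the AllowCallForwarding setting and the "tag:", "pool:" and "site:" key prefixes are constructed for illustration; no Lync cmdlets are called.

```powershell
# Added example, not from the deck. All data below is constructed.
$policies = @{
    'Global'                  = @{ AllowCallForwarding = $false }
    'site:Redmond'            = @{ AllowCallForwarding = $false }
    'pool:pool01.contoso.com' = @{ AllowCallForwarding = $false }
    'tag:ExecVoice'           = @{ AllowCallForwarding = $true }
}

$users = @(
    @{ Name = 'alice'; Site = 'Redmond'; Pool = 'pool01.contoso.com'; PolicyTag = 'ExecVoice' },
    @{ Name = 'bob';   Site = 'Redmond'; Pool = 'pool02.contoso.com'; PolicyTag = $null },
    @{ Name = 'carol'; Site = 'Dublin';  Pool = 'pool03.contoso.com'; PolicyTag = $null }
)

function Resolve-EffectivePolicy {
    param([hashtable]$User, [hashtable]$Policies)

    # Ordered from closest to the user to farthest: User > Pool > Site > Global.
    $lookups = @(
        @('User',   "tag:$($User.PolicyTag)"),
        @('Pool',   "pool:$($User.Pool)"),
        @('Site',   "site:$($User.Site)"),
        @('Global', 'Global')
    )

    foreach ($lookup in $lookups) {
        $scope, $key = $lookup
        # The first scope that has a policy wins; farther scopes are not consulted.
        if ($Policies.ContainsKey($key)) {
            return New-Object PSObject -Property @{
                User                = $User.Name
                Scope               = $scope
                Policy              = $key
                AllowCallForwarding = $Policies[$key].AllowCallForwarding
            }
        }
    }
    throw "No policy found for $($User.Name): a Global policy must exist."
}

$effective = $users | ForEach-Object { Resolve-EffectivePolicy -User $_ -Policies $policies }
$effective | Format-Table User, Scope, Policy, AllowCallForwarding -AutoSize

# Review point: because the closest policy wins, a restrictive Global, Site or
# Pool policy does not constrain a user who has a closer policy assigned.
# List users whose effective setting differs from the Global baseline.
$effective | Where-Object {
    $_.Scope -ne 'Global' -and
    $_.AllowCallForwarding -ne $policies['Global'].AllowCallForwarding
} | Format-Table User, Scope, Policy, AllowCallForwarding -AutoSize
```

With this data alice resolves at the User scope, bob falls through to the Site policy because his pool has none, and carol gets the Global policy; only alice is listed by the final check.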
11. Task Success Comparison
Slide Objective: Explain the task success improvements between Lync Server 2010 and OCS 2007 R2
Notes:
Usability studies conducted by Microsoft show that, with Lync Server 2010, administrators were better able to find the appropriate way to carry out the listed tasks.
12. Manageability Experience: PowerShell
Slide Objective: This is a section break slide introducing PowerShell
Notes:
Introduce Lync Server PowerShell
13. Microsoft Lync Server 2010 PowerShell
Key pain point:
Difficult to automate tasks such as managing user policies and entitlements in a consistent way
Solution:
PowerShell foundation for Administration
PowerShell eases automation for administrative tasks
Consistent PowerShell administration experience
Consistency with Exchange administration
Slide Objective: Discuss the management pain point that is addressed with PowerShell
Notes:
In previous versions of OCS, the supported automation API was WMI. WMI can be difficult and complex.
PowerShell has become the common foundation for administration in Microsoft products (e.g. Exchange, Active Directory, SQL)
PowerShell allows administrators to accomplish administrative tasks using either simple one-liner commands or complex scripts.
14. Microsoft Lync Server 2010 PowerShell (Cont.)
Slide Objective: Describe the management functions of Lync Server 2010 PowerShell cmdlets
Notes:
Lync Server 2010 cmdlets encompass the full scope of management functions and allow you to configure every piece of the environment.
The functions listed are a subset of cmdlets available
Each area listed encompasses multiple cmdlets (get, new, modify)
Synthetic Transactions allow you to test the system functionality in an end-to-end manner
Many of the features are going to be shown in the upcoming demo
15. Demo: Lync Server Control Panel and PowerShell
Slide Objective: This is a section break introducing the Lync Server Control Panel and PowerShell demos
Notes:
The demonstrations are the main purpose of this presentation. Please consult the demo guide for the features/functions/scripts that should be shown.
The main features highlighted should be:
BigFin
User management
Resulting set of policies in the user context
Voice Configuration + integrated route helper
PowerShell
Automation
Bulk enablement on users (from a csv file)
Mailbox Enablement/OCS Enablement from the same PowerShell console
16. Manageability Experience: RBAC
Slide Objective: This is a section break slide for introducing RBAC
Notes:
Introduce Role Based Access Control
17. Why Role Based Access Control?
Security best practice
Enables least-privilege access for admin roles
Greater administrative productivity
Focus each organizational role on right tasks
Assigning right task to right person drives total cost of ownership (TCO) improvements across organization
Consistent with Exchange administration approach
Slide Objective: Describe Role Based Access Control
Notes:
RBAC enables administrators to delegate control of specific management tasks for Lync Server 2010. For example, instead of granting help desk and support personnel full administrator privileges, you can give these employees very specific rights: the right to manage user accounts, and only user accounts; the right to manage Enterprise Voice components, and only Enterprise Voice components; the right to manage archiving and Archiving Server, and only archiving and Archiving Server. In addition, these rights can be limited in scope: someone can be given the right to manage Enterprise Voice, but only in the Redmond site; while someone else can be given the right to manage users, but only if those user accounts are in the Finance OU.
Security best practice is to give role administrators the least amount of administrative access necessary
RBAC introduces granular administrative roles that will allow administrators access to only the roles necessary based upon their function
Example: Will allow telephone admins to configure the telephony functions and users of Lync Server 2010 without being given access to the telephone features.
Role administrators will not have to learn the entire management interface and functions. They can focus on their areas of administration.
RBAC will only show the functions available to that specific administrative role.
Although this is like the Exchange implementation of RBAC there are some differences:
Lync Server 2010 includes pre-defined roles
These roles can be combined to create new superset roles
However, you cannot configure RBAC to allow administration at the cmdlet level
18. How is RBAC Implemented?
User/Group from Active Directory Domain Services (AD DS)
Role: List of Cmdlets and scripts
Scope: Set of objects upon which Cmdlets in Role can operate
Role Assignment: Defines who can run what and where
Who: User or Group
What: Set of tasks in the Role definition
Where: Scope
Slide Objective: Describe how RBAC is implemented
Notes:
The Lync Server 2010 implementation of RBAC is based on two key elements: Active Directory security groups and Windows PowerShell cmdlets. When you install Lync Server 2010, a number of universal security groups (CsAdministrator, CsArchivingAdministrator, CsBranchOfficeTechnician, etc.) are created for you. These universal security groups have a one-to-one correspondence with RBAC roles; that simply means that any user who is in the CsArchivingAdministrator security group has all the rights granted to the aptly named CsArchivingAdministrator RBAC role. In turn, the rights granted to an RBAC role are based on the cmdlets assigned to that role (cmdlets can be assigned to multiple RBAC roles).
Role: There are predefined roles (details on the next slide) that can be assigned to the Active Directory security group
Scope: The scope will define the set of objects on which a cmdlet can be run.
Role Assignment: The role assignment is the combination of the role and scope that is assigned to the Active Directory security group.
19. Built-in Roles
Slide Objective: Describe the built-in RBAC roles that are available
Notes:
Custom RBAC roles can be created by combining one or more of these roles to create a superset role.
To create a new role, you must first create a universal security group in Active Directory that shares a name with the role; for example, to create a new role named DialInConferencingAdministrator you must create a security group with the SamAccountName DialInConferencingAdministrator. New-CsAdminRole will not create this group for you; if DialInConferencingAdministrator does not already exist then your command will fail. Note that the Identity you assign to your new role must be the SamAccountName of the corresponding Active Directory group.
After creating the Active Directory security group, you must then select a built-in RBAC role to serve as the template for your new custom role. You cannot create a "blank" RBAC role using New-CsAdminRole. Instead, all custom roles must be based on one of the built-in RBAC roles. For the most part, this means that a custom role must, initially, have the same assigned cmdlets as one of the built-in roles. However, after the role has been created you can use the Set-CsAdminRole cmdlet to add or remove cmdlets from your custom role.
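The who/what/where role assignment from slide 18 and the creation steps in the notes above, as an added PowerShell example that is not part of the original deck or the demo guide. The contoso.com domain, the "Lync Roles" OU and both role names are assumptions; the Redmond site and Finance OU scopes mirror the example in the slide 17 notes.

```powershell
# Added example, not from the deck. Hypothetical names: contoso.com domain,
# the "Lync Roles" OU, RedmondVoiceAdministrators, FinanceUserAdministrators.
Import-Module ActiveDirectory
Import-Module Lync

$groupOu = 'OU=Lync Roles,DC=contoso,DC=com'   # hypothetical OU holding role groups

# What (Template) and Where (scope) for each delegated role.
# Who = members of the AD group that shares the role's name.
$roles = @(
    @{ Identity     = 'RedmondVoiceAdministrators'
       Template     = 'CsVoiceAdministrator'
       ConfigScopes = 'site:Redmond' },
    @{ Identity     = 'FinanceUserAdministrators'
       Template     = 'CsUserAdministrator'
       UserScopes   = 'OU:ou=Finance,dc=contoso,dc=com' }
)

foreach ($role in $roles) {
    $name = $role.Identity

    # Step 1: the universal security group must exist before the role is
    # created; New-CsAdminRole does not create it and fails if it is missing.
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$name'")) {
        New-ADGroup -Name $name -SamAccountName $name `
            -GroupCategory Security -GroupScope Universal -Path $groupOu
    }

    # Step 2: create the role from a built-in template, narrowed by scope.
    # Skip roles that already exist so the script can be re-run safely.
    if (-not (Get-CsAdminRole -Filter $name)) {
        New-CsAdminRole @role
    }
}

# Step 3: review every custom role and where it applies.
$custom = Get-CsAdminRole | Where-Object { -not $_.IsStandardRole }
$custom | Format-List Identity, Template, ConfigScopes, UserScopes

# Least-privilege check: custom roles left at global scope for both the
# configuration and the user side grant the template's rights everywhere.
$custom | Where-Object {
    ($_.ConfigScopes -contains 'Global') -and ($_.UserScopes -contains 'Global')
} | Select-Object Identity, Template

# Rights follow group membership, so audit the groups themselves, starting
# with the full-rights CsAdministrator group (nested members included).
foreach ($group in @('CsAdministrator') + ($roles | ForEach-Object { $_.Identity })) {
    Get-ADGroupMember -Identity $group -Recursive |
        Select-Object @{ Name = 'Role'; Expression = { $group } }, SamAccountName, objectClass
}
```

Because role rights are inherited through Active Directory group membership, changes to these groups are the events to monitor for unexpected privilege grants.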
20. Demo: RBAC in PowerShell and Lync Server Control Panel
Slide Objective: Demonstrate how RBAC works and how it will affect the admin experience.
Notes: Consult the demonstration manual for the demonstration tasks.
The highlighted features should be:
Delegation of administration
User management role
Voice administration role
How the UI changes depending on the roles you are a member of
21. Delivering a Leading Communications Management Experience Summary
Administration is a major investment for Lync Server 2010
Lync Server Control Panel streamlines and eases administration
PowerShell enables automation across entire infrastructure
RBAC supports security best practices and organizational efficiency
Slide Objective: Summarize the new management experience in Lync Server 2010