Deployment Automation features in the HMC 3.5 deployment tool

Introduction

The HMC 3.5 deployment tool carries out a lot of automated tasks with somewhat mysterious names like "Initialize Active Directory for Hosting".  Many customers have asked me what it is actually doing to their Active Directory configuration!  This information is buried in the HMC 3.5 documentation (in the Deployment Automation Appendix), so I have created a simple listing of what each step actually does.

Following is an overview of what each deployment automation feature does.

1.1.1  Initialize Service Account Security

Steps Performed:

1.  Ensure the Windows-based Hosting Service Accounts group exists in the Users container.  If it does not exist, create it.

2.  Reference the DN of this group in an OtherWellKnownObject entry on the domain OU.

3.  Remove the Authenticated Users group from the Pre-Windows 2000 Compatible Access group.

4.  Add the Domain Computers group to the Pre-Windows 2000 Compatible Access group.

5.  Apply a read ACL to the domain root, giving the Windows-based Hosting Service Accounts group read access to the directory tree.
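As an added check that is not part of the HMC tool or its documentation, the following PowerShell audits whether the five steps above actually landed, using the RSAT ActiveDirectory module. The well-known SIDs (Authenticated Users is S-1-5-11, Domain Computers is the domain SID plus RID 515) are standard; treating "read access" as a GenericRead allow ACE on the domain root is my assumption.

```powershell
# Added example: audit the outcome of "Initialize Service Account Security".
# Assumes the RSAT ActiveDirectory module and a domain-joined administrative session.
Import-Module ActiveDirectory

$groupName = 'Windows-based Hosting Service Accounts'
$domain    = Get-ADDomain
$domainDN  = $domain.DistinguishedName
$results   = [ordered]@{}

# 1. The group must exist, and it must live in the Users container.
$group = Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
$results['Group exists in CN=Users'] = ($null -ne $group) -and
    ($group.DistinguishedName -like "*,CN=Users,$domainDN")

# 2. The domain object must reference the group's DN in otherWellKnownObjects
#    (values are DN-Binary strings of the form B:32:<guid>:<DN>).
$owko = (Get-ADObject -Identity $domainDN -Properties otherWellKnownObjects).otherWellKnownObjects
$results['Referenced in otherWellKnownObjects'] = ($null -ne $group) -and
    [bool]($owko | Where-Object { $_ -like "*:$($group.DistinguishedName)" })

# 3/4. Pre-Windows 2000 Compatible Access: Authenticated Users (S-1-5-11) must be gone,
#      Domain Computers (<domain SID>-515) must be present.
$memberSids = Get-ADGroupMember -Identity 'Pre-Windows 2000 Compatible Access' |
              ForEach-Object { $_.SID.Value }
$results['Authenticated Users removed from Pre-Win2000 group'] = $memberSids -notcontains 'S-1-5-11'
$results['Domain Computers present in Pre-Win2000 group']      = $memberSids -contains "$($domain.DomainSID)-515"

# 5. An Allow ACE carrying GenericRead for the group on the domain root (via the AD: drive).
$acl = Get-Acl -Path "AD:\$domainDN"
$results['Group has read ACE on domain root'] = [bool]($acl.Access | Where-Object {
    $_.IdentityReference.Value -like "*\$groupName" -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericRead) -ne 0)
})

$results.GetEnumerator() | ForEach-Object {
    '{0,-55} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
```

A "MISSING" on check 3 is the one to chase first: leaving Authenticated Users in Pre-Windows 2000 Compatible Access lets every authenticated principal read attributes the hosting design expects to be hidden between customers.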

1.1.2   Create Servers OU

Steps Performed:

1.  Creates the Servers OU hierarchy in Active Directory.

1.1.3   Configure MPS SQL Service Account

Steps Performed:

1.  Add the MPSSQLService account to the Windows-based Hosting Service Accounts group.

1.1.4   Configure MPS Cluster Admin

Steps Performed:

1.  Add the MPSClusterAdmin account to the Windows-based Hosting Service Accounts group.

1.1.5   Configure MPF Service Account

Steps Performed:

1.  Add the MPFServiceAccts group to the Windows-based Hosting Service Accounts group.

2.  Query the registry to discover the name of the MPF Configuration Server.

3.  Query WMI to determine whether the configuration server is a cluster.

4.  If the configuration server is a cluster, enumerate the nodes of the cluster.

5.  Query WMI to determine the names of any MPF engine servers.

6.  For each MPF engine server, configuration server, or configuration server node, add the MPFServiceAccts group to the local Administrators group on that machine.

1.1.6  Initialize Namespace Security

Steps Performed:

1.  Configures the security context under which the various provisioning namespace procedures run.

1.1.7  Initialize Active Directory for Hosting

Steps Performed:

1.  Creates the Hosting OU.

2.  Removes the Authenticated Users group's permissions on the Hosting OU.

1.1.8   Configure MOM Service Account

Steps Performed:

1.  Add the MOMService account to the Windows-based Hosting Service Accounts group.

2.  Grant the following user rights to the MOMService account on the MOM servers specified in <serverName>:

    a.  Act as part of the operating system

    b.  Create a token object

    c.  Log on as a batch job

    d.  Log on as a service
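The four rights above map to the constants secedit uses (SeTcbPrivilege, SeCreateTokenPrivilege, SeBatchLogonRight, SeServiceLogonRight). As an added example that is not part of the HMC tool, this PowerShell exports the local user-rights policy from each MOM server and reports whether the account holds each one; the account name and server names are placeholders you substitute.

```powershell
# Added example: verify the MOMService user rights on each MOM server.
# Assumes PowerShell remoting to the servers; account and server names are assumed.
$account    = 'DOMAIN\MOMService'        # assumed; substitute the real service account
$momServers = @('mom01', 'mom02')        # assumed; the <serverName> list

# Display names from the page mapped to the constants secedit writes.
$required = [ordered]@{
    'Act as part of the operating system' = 'SeTcbPrivilege'
    'Create a token object'               = 'SeCreateTokenPrivilege'
    'Log on as a batch job'               = 'SeBatchLogonRight'
    'Log on as a service'                 = 'SeServiceLogonRight'
}
$sid = ([System.Security.Principal.NTAccount]$account).Translate(
          [System.Security.Principal.SecurityIdentifier]).Value

foreach ($server in $momServers) {
    # Export only the user-rights area of the local policy and read the [Privilege Rights] lines.
    $lines = Invoke-Command -ComputerName $server -ScriptBlock {
        $cfg = Join-Path $env:TEMP 'rights.inf'
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        Get-Content $cfg
        Remove-Item $cfg
    }
    foreach ($entry in $required.GetEnumerator()) {
        $line = $lines | Where-Object { $_ -like "$($entry.Value) = *" }
        # Each value is a comma-separated list of *SID (or account name) holders;
        # a missing line means nobody holds that right on the machine.
        $holders = if ($line) {
            ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
        } else { @() }
        $state = if ($holders -contains $sid -or $holders -contains $account) { 'OK' } else { 'MISSING' }
        '{0,-10} {1,-38} {2}' -f $server, $entry.Key, $state
    }
}
```

The first two rights are equivalent to full control of the machine, so the same export is also worth reviewing for any holder other than MOMService and the built-in entries.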

 

1.1.9  Configure MOM Action Account

Steps Performed:

1.  Add the MOMAction account to the Windows-based Hosting Service Accounts group.

1.1.10  Configure Reporting Services

Configures service startup behavior on the MOM SQL Server.

Steps Performed:

1.  Set the Distributed Transaction Coordinator (DTC) service to Automatic startup.

2.  Set the SQLSERVERAGENT service to Automatic startup.

3.  Set the Microsoft Search Agent service to Disabled.

4.  Start the DTC service.

5.  Start SQLSERVERAGENT.

6.  Stop the Microsoft Search Agent service.

1.1.11  Disable Domain RUS

Disables the domain Recipient Update Service.

Steps Performed:

1.  Disables the Domain Recipient Update Service in Exchange.

1.1.12  Native Mode

Sets Microsoft Exchange to Native Mode.

Steps Performed:

1.  Sets Microsoft Exchange to Native Mode.

1.1.13  Prepare Address List Security

Configures security on the All Address Lists container so that users of one customer cannot resolve the names of another customer's users in Outlook.

Steps Performed:

1.  Secures the "All Address Lists" container in Exchange:

    a.  Disable inheritable permissions from propagating from the parent.

    b.  Remove the Authenticated Users group.

    c.  Remove the Everyone group.

1.1.14  Configure Exchange Address List Security

Steps Performed:

1.  Delete the default address lists:

    a.  Delete the All Users default address list.

    b.  Delete the All Groups default address list.

    c.  Delete the All Contacts default address list.

    d.  Delete the Public Folders default address list.

2.  Secure the Global Address List:

    a.  Disable inheritable permissions from propagating from the parent.

    b.  Remove the Authenticated Users group.

    c.  Remove the Everyone group.
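The Hosting OU step (1.1.7), the All Address Lists step (1.1.13) and the Global Address List step above all come down to the same condition: no ACE for Authenticated Users (S-1-5-11) or Everyone (S-1-1-0), and on the Exchange objects, inheritance blocked. This added audit, which is not part of the HMC tool, checks that condition on all three; it assumes the RSAT ActiveDirectory module, that the Hosting OU sits directly under the domain root, and that the two Exchange objects can be located by their CN under the configuration partition.

```powershell
# Added example: confirm that Authenticated Users (S-1-5-11) and Everyone (S-1-1-0)
# hold no Allow ACE on the objects these steps secure, and that inheritance is blocked
# on the Exchange address list objects. Assumes the RSAT ActiveDirectory module; the
# Hosting OU location (OU=Hosting directly under the domain root) is an assumption.
Import-Module ActiveDirectory

$configNC  = (Get-ADRootDSE).configurationNamingContext
$domainDN  = (Get-ADDomain).DistinguishedName
$broadSids = @('S-1-5-11', 'S-1-1-0')

function Test-ObjectSecurity {
    param([string]$DistinguishedName, [bool]$ExpectInheritanceBlocked)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    # Resolve each ACE identity to a SID so a renamed or localised group cannot hide it.
    $offending = $acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' } | Where-Object {
        $id = $_.IdentityReference
        try   { $sid = $id.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $id.Value }   # already a raw SID string that did not resolve
        $broadSids -contains $sid
    }
    [pscustomobject]@{
        Object             = $DistinguishedName
        BroadAccessAces    = @($offending).Count
        InheritanceBlocked = $acl.AreAccessRulesProtected
        Compliant          = (@($offending).Count -eq 0) -and
                             ((-not $ExpectInheritanceBlocked) -or $acl.AreAccessRulesProtected)
    }
}

$targets = @()
# 1.1.7: the Hosting OU (inheritance is not required to be blocked there).
$targets += [pscustomobject]@{ DN = "OU=Hosting,$domainDN"; Blocked = $false }
# 1.1.13 / 1.1.14: the "All Address Lists" container and the default GAL, located by CN
# under the Exchange organisation in the configuration partition.
Get-ADObject -SearchBase $configNC -LDAPFilter '(|(cn=All Address Lists)(cn=Default Global Address List))' |
    ForEach-Object { $targets += [pscustomobject]@{ DN = $_.DistinguishedName; Blocked = $true } }

$targets | ForEach-Object { Test-ObjectSecurity -DistinguishedName $_.DN -ExpectInheritanceBlocked $_.Blocked } |
    Format-Table -AutoSize
```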

 

1.1.15  Configure Exchange Front End Servers

Automates configuration of an Exchange Front End Server.

Steps Performed:

1.  Disable the Microsoft Exchange Information Store.

2.  Enable services:

    a.  POP3

    b.  IMAP

3.  Configure virtual directories:

    a.  Exchange

    b.  Public

    c.  RPC

1.1.16  Configure MPS Exchange Security

Configures the MPSExchangeAccts group.

Steps Performed:

1.  Ensure the MPSExchangeAccts group exists.

2.  Add the MPSExchangeAccts group to the local Administrators group on the MPS server.

3.  Ensure MPSPrivAcct-xxxx is a member of the MPSExchangeAccts group.

1.1.17  Create OAB Lifetime Registry Keys

Creates registry values that configure automatic generation of Offline Address Books in the hosting environment.  The OAB Lifetime registry value is required on all back-end servers, OAB Exchange servers, and front-end servers.

Steps Performed:

1.  Enumerate all Exchange servers.

2.  Create the following registry values on each server:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters]
    "OAL Folder Lifetime (days)"=dword:00000000

    Note: setting OAL Folder Lifetime to zero prevents Exchange from letting Offline Address Books expire.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters]
    "Disable OABScanTask"=dword:00000001

    Note: disabling the OAB scan task prevents Exchange from scanning all of the OABs during nightly online maintenance.
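Because both values have to be identical on every Exchange server, drift on a single box is easy to miss. The following PowerShell is an added example, not the tool's own code: it enumerates the servers from their msExchExchangeServer objects in the configuration partition and reports (or, with -Fix, corrects) each value; it assumes the RSAT ActiveDirectory module and PowerShell remoting to the servers.

```powershell
# Added example: audit (and optionally fix) the two OAB registry values on every
# Exchange server. Servers are discovered from msExchExchangeServer objects in the
# configuration partition (assumes the RSAT ActiveDirectory module and remoting).
param([switch]$Fix)
Import-Module ActiveDirectory

$keyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters'
$expected = @{
    'OAL Folder Lifetime (days)' = 0   # 0 = OABs never expire
    'Disable OABScanTask'        = 1   # 1 = skip the nightly OAB scan
}
$configNC = (Get-ADRootDSE).configurationNamingContext
$servers  = Get-ADObject -SearchBase $configNC -LDAPFilter '(objectClass=msExchExchangeServer)' |
            Select-Object -ExpandProperty Name

foreach ($server in $servers) {
    $drift = Invoke-Command -ComputerName $server -ArgumentList $keyPath, $expected, $Fix.IsPresent -ScriptBlock {
        param($path, $want, $fix)
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        $report = @()
        foreach ($name in $want.Keys) {
            # A missing value reads as $null, which also counts as drift.
            $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
            if ($current -ne $want[$name]) {
                $report += "{0} is '{1}', expected {2}" -f $name, $current, $want[$name]
                if ($fix) { Set-ItemProperty -Path $path -Name $name -Value $want[$name] -Type DWord }
            }
        }
        $report
    }
    if ($drift) { $drift | ForEach-Object { "$server : $_" } } else { "$server : OK" }
}
```

Run it without -Fix first: the report tells you which servers the deployment tool never reached, which is the usual cause when OABs on one server keep expiring.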

 

1.1.18  Configure Sharepoint Services Security

Required Input:

1.  <serverName>

2.  <username> -- The domain logon name of the domain account created for SharePoint services (e.g. Sharepoint_AppID), in the format Domain\UserName.

Steps Performed:

1.  Ensure the account exists.

2.  Create a new SQL login for the supplied user name.

3.  Add the SQL login to the following server roles:

    a.  Security Administrators

    b.  Process Administrators

    c.  Database Creators
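The three role names above are the display names of the fixed server roles securityadmin, processadmin and dbcreator. As an added verification that is not part of the HMC tool, this PowerShell confirms the login exists and holds exactly those roles, flagging any extra ones; it assumes SQL Server 2005 or later (the sys.server_* catalog views), a Windows-authenticated admin session, and placeholder server and account names.

```powershell
# Added example: verify the SharePoint service account's SQL login and server roles
# with .NET SqlClient (no SQL module required). Assumes SQL Server 2005+ catalog views.
$sqlServer = 'SQL01'                    # assumed; the <serverName> input
$login     = 'DOMAIN\Sharepoint_AppID'  # assumed; the <username> input
$required  = @('securityadmin', 'processadmin', 'dbcreator')

$roleQuery = @"
SELECT r.name AS RoleName
FROM sys.server_role_members m
JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals l ON l.principal_id = m.member_principal_id
WHERE l.name = @login;
"@

$conn = New-Object System.Data.SqlClient.SqlConnection "Server=$sqlServer;Integrated Security=SSPI"
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT COUNT(*) FROM sys.server_principals WHERE name = @login'
    [void]$cmd.Parameters.AddWithValue('@login', $login)   # parameterised, never string-built
    $exists = ([int]$cmd.ExecuteScalar()) -gt 0
    "Login exists: $exists"
    if ($exists) {
        $cmd.CommandText = $roleQuery
        $reader = $cmd.ExecuteReader()
        $roles = @()
        while ($reader.Read()) { $roles += $reader.GetString(0) }
        $reader.Close()
        foreach ($role in $required) {
            '{0,-15} {1}' -f $role, $(if ($roles -contains $role) { 'OK' } else { 'MISSING' })
        }
        # Anything beyond the three required roles (sysadmin in particular) is over-privilege to review.
        $extra = $roles | Where-Object { $required -notcontains $_ }
        if ($extra) { "Additional server roles held: $($extra -join ', ')" }
    }
} finally { $conn.Close() }
```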
