From 78c7cbd1aab994301626d4c4f46f18851ef5eefb Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Fri, 27 Jan 2017 09:36:51 -0800 Subject: [PATCH 1/3] add multi-forest --- devices/surface-hub/TOC.md | 3 +- .../surface-hub/change-history-surface-hub.md | 1 + ...e-and-test-a-device-account-surface-hub.md | 3 +- ...-deployment-surface-hub-device-accounts.md | 6 +- ...ses-deployment-surface-hub-multi-forest.md | 106 ++++++++++++++++++ 5 files changed, 114 insertions(+), 5 deletions(-) create mode 100644 devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md index 3c1ef3bcb3..a08087ffa9 100644 --- a/devices/surface-hub/TOC.md +++ b/devices/surface-hub/TOC.md @@ -5,7 +5,8 @@ #### [Physically install Microsoft Surface Hub](physically-install-your-surface-hub-device.md) #### [Create and test a device account](create-and-test-a-device-account-surface-hub.md) ##### [Online deployment](online-deployment-surface-hub-device-accounts.md) -##### [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md) +##### [On-premises deployment (single forest)](on-premises-deployment-surface-hub-device-accounts.md) +##### [On-premises deployment (multiple forests)](on-premises-deployment-surface-hub-multi-forest.md) ##### [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md) ##### [Create a device account using UI](create-a-device-account-using-office-365.md) ##### [Microsoft Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md index dbf6b92769..a58c51ec66 100644 --- a/devices/surface-hub/change-history-surface-hub.md +++ b/devices/surface-hub/change-history-surface-hub.md 
@@ -19,6 +19,7 @@ This topic lists new and updated topics in the [Surface Hub Admin Guide]( surfac | New or changed topic | Description | | --- | --- | | [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) | New | +| [On-premises deployment (multiple forests)](on-premises-deployment-surface-hub-multi-forest.md) | New | | [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md) | Added graphics cards verified to work with 84" Surface Hubs and added information about the lengths of cables. | | [Online deployment](online-deployment-surface-hub-device-accounts.md) | Updated procedures for adding a device account for your Microsoft Surface Hub when you have a pure, online deployment. | diff --git a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md index ec7e16757b..9930a748e3 100644 --- a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md +++ b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md 
@@ -46,7 +46,8 @@ For detailed steps using PowerShell to provision a device account, choose an opt | Organization deployment | Description | |---------------------------------|--------------------------------------| | [Online deployment (Office 365)](online-deployment-surface-hub-device-accounts.md) | Your organization's environment is deployed entirely on Office 365. | -| [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md) | Your organization has servers that it controls and uses to host Active Directory, Exchange, and Skype for Business (or Lync). | +| [On-premises deployment (single-forest)](on-premises-deployment-surface-hub-device-accounts.md) | Your organization has servers that it controls and uses to host Active Directory, Exchange, and Skype for Business (or Lync) in a single-forest environment. | +| [On-premises deployment (multiple forests)](on-premises-deployment-surface-hub-multi-forest.md) | Your organization has servers that it controls and uses to host Active Directory, Exchange, and Skype for Business (or Lync) in a multi-forest environment. | | [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md) | Your organization has a mix of services, with some hosted on-premises and some hosted online through Office 365. | If you prefer to use a graphical user interface, some steps can be done using UI instead of PowerShell. diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md index cb9d732585..8914899056 100644 --- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md 
@@ -1,5 +1,5 @@ --- -title: On-premises deployment (Surface Hub) +title: On-premises deployment single forest (Surface Hub) description: This topic explains how you add a device account for your Microsoft Surface Hub when you have a single-forest, on-premises deployment. ms.assetid: 80E12195-A65B-42D1-8B84-ECC3FCBAAFC6 keywords: single forest deployment, on prem deployment, device account, Surface Hub @@ -11,12 +11,12 @@ author: TrudyHa localizationpriority: medium --- -# On-premises deployment (Surface Hub) +# On-premises deployment for Surface Hub in a single-forest environment This topic explains how you add a device account for your Microsoft Surface Hub when you have a single-forest, on-premises deployment. -If you have a single-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If you’re using a multi-forest deployment, you can use equivalent cmdlets that will produce the same results. Those cmdlets are described in this section. +If you have a single-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If you’re using a multi-forest deployment, see [On-premises deployment for Surface Hub in a multi-forest environment](on-premises-deployment-surface-hub-multi-forest.md). 1. Start a remote PowerShell session from a PC and connect to Exchange. diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md new file mode 100644 index 0000000000..bfabf99e17 --- /dev/null +++ b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md 
@@ -0,0 +1,106 @@ +--- +title: On-premises deployment multi-forest (Surface Hub) +description: This topic explains how you add a device account for your Microsoft Surface Hub when you have a multi-forest, on-premises deployment. +ms.assetid: 80E12195-A65B-42D1-8B84-ECC3FCBAAFC6 +keywords: single forest deployment, on prem deployment, device account, Surface Hub +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: surfacehub +author: TrudyHa +localizationpriority: medium +--- + +# On-premises deployment for Surface Hub in a multi-forest environment + + +This topic explains how you add a device account for your Microsoft Surface Hub when you have a multi-forest, on-premises deployment. + +If you have a multi-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If you’re using a single-forest deployment, see [On-premises deployment for Surface Hub in a single-forest environment](on-premises-deployment-surface-hub-device-accounts.md). + +1. Start a remote PowerShell session from a PC and connect to Exchange. + + Be sure you have the right permissions set to run the associated cmdlets. + + Note here that `$strExchangeServer` is the fully qualified domain name (FQDN) of your Exchange server, and `$strLyncFQDN` is the FQDN of your Skype for Business server. 
+ + ```PowerShell + Set-ExecutionPolicy Unrestricted + $org='contoso.microsoft.com' + $cred=Get-Credential $admin@$org + $sessExchange = New-PSSession -ConfigurationName microsoft.exchange -Credential $cred -AllowRedirection -Authentication Kerberos -ConnectionUri "http://$strExchangeServer/powershell" -WarningAction SilentlyContinue + $sessLync = New-PSSession -Credential $cred -ConnectionURI "https://$strLyncFQDN/OcsPowershell" -AllowRedirection -WarningAction SilentlyContinue + Import-PSSession $sessExchange + Import-PSSession $sessLync + ``` + +2. After establishing a session, create a new mailbox in the Resource Forest. This will allow the account to authenticate into the Surface Hub. + + If you're changing an existing resource mailbox: + + ```PowerShell + New-Mailbox -UserPrincipalName HUB01@contoso.com -Alias HUB01 -Name "Hub-01" + ``` + +3. After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy, or use a compatible existing policy. + +Surface Hubs are only compatible with device accounts that have an ActiveSync policy where the PasswordEnabled property is set to False. If this isn’t set properly, then Exchange services on the Surface Hub (mail, calendar, and joining meetings), will not be enabled. + +If you haven’t created a compatible policy yet, use the following cmdlet-—this one creates a policy called "Surface Hubs". Once it’s created, you can apply the same policy to other device accounts. + + + ```PowerShell + $easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false + ``` + + Once you have a compatible policy, then you will need to apply the policy to the device account. + + ```PowerShell + Set-CASMailbox $acctUpn -ActiveSyncMailboxPolicy $easPolicy -ActiveSyncEnabled $true + Set-Mailbox $acctUpn -Type Room + ``` + +4. Various Exchange properties can be set on the device account to improve the meeting experience for people. 
You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section. + + ```PowerShell + Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false + Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!" + ``` + +5. If you decide to have the password not expire, you can set that with PowerShell cmdlets too. See [Password management](password-management-for-surface-hub-device-accounts.md) for more information. This should be set in the User Forest. + + ```PowerShell + Set-AdUser $acctUpn -PasswordNeverExpires $true + ``` + +6. Enable the account in Active Directory so it will authenticate to the Surface Hub. This should be set in the User Forest. + + ```PowerShell + Set-AdUser $acctUpn -Enabled $true + ``` + +6. You now need to change the room mailbox to a linked mailbox: + + ```PowerShell + $cred=Get-Credential AuthForest\LinkedRoomTest1 + Set-mailbox -Alias LinkedRoomTest1 -LinkedMasterAccount AuthForest\LinkedRoomTest1 -LinkedDomainController AuthForest-4939.AuthForest.extest.contoso.com -Name LinkedRoomTest1 -LinkedCredential $cred -Identity LinkedRoomTest1 + ``` + +7. Enable the device account with Skype for Business by enabling your Surface Hub AD account on a Skype for Business Server pool: + + ```PowerShell + Enable-CsMeetingRoom -SipAddress "sip:HUB01@contoso.com" + -DomainController DC-ND-001.contoso.com -RegistrarPool LYNCPool15.contoso.com + -Identity HUB01 + ``` + + You'll need to use the Session Initiation Protocol (SIP) address and domain controller for the Surface Hub, along with your own Skype for Business Server pool identifier and user identity. + + + +  + + + + + From 6070d5a68434545e12162159fcb07b722ccf83ad Mon Sep 17 00:00:00 2001 
From: jdeckerMS Date: Fri, 27 Jan 2017 11:16:25 -0800 Subject: [PATCH 2/3] format --- .../on-premises-deployment-surface-hub-multi-forest.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md index bfabf99e17..8d66041c90 100644 --- a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md @@ -44,10 +44,9 @@ If you have a multi-forest on-premises deployment with Microsoft Exchange 2013 o 3. After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy, or use a compatible existing policy. -Surface Hubs are only compatible with device accounts that have an ActiveSync policy where the PasswordEnabled property is set to False. If this isn’t set properly, then Exchange services on the Surface Hub (mail, calendar, and joining meetings), will not be enabled. - -If you haven’t created a compatible policy yet, use the following cmdlet-—this one creates a policy called "Surface Hubs". Once it’s created, you can apply the same policy to other device accounts. + Surface Hubs are only compatible with device accounts that have an ActiveSync policy where the **PasswordEnabled** property is set to **False**. If this isn’t set properly, then Exchange services on the Surface Hub (mail, calendar, and joining meetings), will not be enabled. + If you haven’t created a compatible policy yet, use the following cmdlet-—this one creates a policy called "Surface Hubs". Once it’s created, you can apply the same policy to other device accounts. ```PowerShell $easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false From 9f6a9895474eb6fb19c32b6762812fa6b3a5dded Mon Sep 17 00:00:00 2001 
From: jdeckerMS Date: Fri, 27 Jan 2017 11:20:41 -0800 Subject: [PATCH 3/3] metadata --- .../on-premises-deployment-surface-hub-multi-forest.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md index 8d66041c90..08688230d6 100644 --- a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md @@ -2,12 +2,12 @@ title: On-premises deployment multi-forest (Surface Hub) description: This topic explains how you add a device account for your Microsoft Surface Hub when you have a multi-forest, on-premises deployment. ms.assetid: 80E12195-A65B-42D1-8B84-ECC3FCBAAFC6 -keywords: single forest deployment, on prem deployment, device account, Surface Hub +keywords: multi forest deployment, on prem deployment, device account, Surface Hub ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium ---
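Review bot: The link labels for the single-forest page are spelled three different ways in patch 1/3: `(single forest)` in TOC.md, `(single-forest)` in the table in create-and-test-a-device-account-surface-hub.md, and `single forest` with no parentheses in the new `title:` of on-premises-deployment-surface-hub-device-accounts.md. Pick one form and use it in all three places so search and cross-references match; the multi-forest entries already use `(multiple forests)` consistently in the TOC, change history and table.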
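Review bot: In the new file on-premises-deployment-surface-hub-multi-forest.md (patch 1/3), the `Enable-CsMeetingRoom` command in step 7 is broken across three lines with no backtick continuation, so pasted as written PowerShell would treat `-DomainController DC-ND-001.contoso.com -RegistrarPool LYNCPool15.contoso.com` and `-Identity HUB01` as separate statements; put the command on one line or end the first two lines with a backtick. In step 1, `Set-ExecutionPolicy Unrestricted` is given without a scope, which changes the policy for the whole machine and leaves it that way after the procedure; suggest limiting it with `-Scope Process` and a narrower policy such as RemoteSigned. Steps 3 through 6 use `$acctUpn` and step 1 uses `$admin`, but neither is assigned anywhere in the file, while step 2 hard-codes `HUB01@contoso.com`; define the variables up front or use them consistently. The lead-in "If you're changing an existing resource mailbox:" in step 2 sits above `New-Mailbox`, which creates a mailbox rather than changing one. There are two steps numbered 6, and the linked-mailbox step uses `LinkedRoomTest1` and `AuthForest` names that do not match the `HUB01` account used in steps 2 and 7, so a reader cannot tell they refer to the same device account. The introduction also says the provided PowerShell scripts can be used for a multi-forest deployment, whereas the sentence removed from the single-forest page said multi-forest deployments use equivalent cmdlets; please confirm which is intended.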
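Review bot: The two paragraphs re-indented in patch 2/3 still say the cmdlet creates a policy called "Surface Hubs", but the command in the context line below names it `SurfaceHubs` (no space), and the sentence keeps the doubled dash after "cmdlet". Since these lines are being touched anyway, align the policy name in the text with the `-Name` value, fix the dash, and replace the curly quotes around `SurfaceHubs` with straight quotes so the sample matches the other code blocks. Because this policy sets `-PasswordEnabled $false`, it would also help to state here that it is meant for Surface Hub device accounts only, which is what "apply the same policy to other device accounts" implies.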
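Review bot: Patch 3/3 corrects `keywords` and `author` in the front matter but leaves `ms.assetid: 80E12195-A65B-42D1-8B84-ECC3FCBAAFC6` unchanged, and that is the same value shown in the front matter of on-premises-deployment-surface-hub-device-accounts.md in patch 1/3. The new multi-forest topic should get its own asset ID rather than share one with the single-forest topic it was copied from.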