Unable to install Lync Server due to a "domain not ready" error, or Prepare Active Directory shows "Partial"

Symptoms

=========

 

Get-CsAdDomain reports "The domain is not ready" after a successful domain prep. Prepare Active Directory in the Deployment Wizard also shows "Partial" after a successful domain prep.

 

Cause

======

 

Run OCS Logger with the "Powershell" and "Deployment" components selected (Level->All, Flags->All) and check for the following trace statements:

 

4361 TL_INFO(TF_COMPONENT) [1]0FC8.123C::02/22/2011-20:28:40.091.000022ce (Deployment,DeploymentContext.CreateCustomizedSession:deploymentenvironment.cs(411))(000000000283D742)Using default network credentials for AD session.
 
4392 TL_WARN(TF_STACKTRACE) [0]0FC8.123C::02/22/2011-20:28:40.107.000022ed (Deployment,DirectoryCommon.FindAces:directorycommon.cs(341))Unable to find the requested ace: contoso\RTCUniversalUserReadOnlyGroup; Allow; ReadProperty; ContainerInherit; Descendents; bf967aba-0de6-11d0-a285-00aa003049e2; e2d6986b-2c7f-4cda-9851-d5b5f3fb6706

Concentrate on the "Applies To:" setting of the ACL "RTCUserSearchPropertySet" for "RTCUniversalUserReadOnlyGroup". The issue is caused by the ACL "RTCUserSearchPropertySet" for "contoso\RTCUniversalUserReadOnlyGroup" being applied to "This object and all descendant objects".

 

Resolution

=========

 

Concentrate on the "Applies To:" setting of the ACL "RTCUserSearchPropertySet" for "RTCUniversalUserReadOnlyGroup". Changing the ACL "RTCUserSearchPropertySet" for "contoso\RTCUniversalUserReadOnlyGroup" so that it applies ONLY to "Descendant User Objects" instead of "This object and all descendant objects" will resolve this issue.

 

OK, so how did I actually find the problem? :-) The interesting part

========================================================

 

I requested the output of the following command from the customer: dsacls "CN=RTCUniversalUserReadOnlyGroup,CN=Users,DC=contoso,DC=com" and compared it with the dsacls output from a working environment: dsacls "CN=RTCUniversalUserReadOnlyGroup,CN=Users,DC=contoso,DC=com"

 

The delta showed up:

 

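contoso.com                                            | nwtraders.com
-------------------------------------------------------+--------------------------------------------------
414 Permissions inherited to subobjects are:           | Missing here
415 Inherited to all subobjects                        |
510 Allow contoso\RTCUniversalUserReadOnlyGroup        |
511       SPECIAL ACCESS for RTCUserSearchPropertySet  |
512       READ PROPERTY                                |
-------------------------------------------------------+--------------------------------------------------
163 Allow contoso\RTCUniversalUserReadOnlyGroup        | Missing here
164       SPECIAL ACCESS for RTCUserSearchPropertySet  |
165       READ PROPERTY                                |
-------------------------------------------------------+--------------------------------------------------
804 Inherited to user                                  | 226 Inherited to user
Missing here                                           | 246 Allow NWTRADERS\RTCUniversalUserReadOnlyGroup
                                                       |     SPECIAL ACCESS for RTCUserSearchPropertySet
                                                       | 247 READ PROPERTY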

 

 

After this, it was just a matter of using "dsa.msc" to locate the ACL "RTCUserSearchPropertySet" for "contoso\RTCUniversalUserReadOnlyGroup" and making sure the delta was handled.
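
The dsacls comparison described above can be done mechanically on saved output files. The following is an added example, not part of the original post or of any Lync tooling: the function name ace_scopes, the sample texts and the trustee "ExampleGroup" are constructed for illustration, and the parser assumes only the line shapes quoted in this post.

```python
import re

SCOPE_RE = re.compile(r"^Inherited to (.+)$")
ACE_RE = re.compile(r"^(Allow|Deny)\s+(\S+)\s*(.*)$")

def ace_scopes(dsacls_text, group, target):
    """Scopes in which `group` holds an ACE whose rights mention `target`."""
    scope, trustee, found = "this object", None, set()
    for line in (raw.strip() for raw in dsacls_text.splitlines()):
        if not line:
            continue
        scope_match = SCOPE_RE.match(line)
        if scope_match or line.endswith(":"):
            # Section header: a new scope starts and the previous ACE ends.
            if scope_match:
                scope = "inherited to " + scope_match.group(1)
            trustee = None
            continue
        ace = ACE_RE.match(line)
        if ace:
            # Trustees with spaces are cut short; the group searched for has none.
            trustee, detail = ace.group(2), ace.group(3)
        else:
            detail = line  # continuation line of the current ACE
        if (trustee and trustee.split("\\")[-1].lower() == group.lower()
                and target.lower() in detail.lower()):
            found.add(scope)
    return sorted(found)

# Constructed sample outputs, shaped like the excerpts compared in this post.
FAILING = r"""
Allow contoso\RTCUniversalUserReadOnlyGroup
                                      SPECIAL ACCESS for RTCUserSearchPropertySet
                                      READ PROPERTY
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow contoso\RTCUniversalUserReadOnlyGroup
                                      SPECIAL ACCESS for RTCUserSearchPropertySet
                                      READ PROPERTY
"""
WORKING = r"""
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow NWTRADERS\ExampleGroup      READ PROPERTY
Inherited to user
Allow NWTRADERS\RTCUniversalUserReadOnlyGroup      SPECIAL ACCESS for RTCUserSearchPropertySet
                                                   READ PROPERTY
"""
```

A result other than ["inherited to user"] for RTCUniversalUserReadOnlyGroup and RTCUserSearchPropertySet points at the scope mismatch described in the Cause section.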