Unable to with install Lync Server, due to "domain not ready error." or Prepare Active Directory shows "Partial"

Get-CsAdDomain generates "The domain is not ready" after successful domain prep. Also Prepare Active Directory on Deployment Wizard shows "Partial" after a successful domain prep.

Check the following Trace statement, when you run OCS Logger "Powershell" and "Deployment" Components selected at Level->All, Flags->All
4361 TL_INFO(TF_COMPONENT) [1]0FC8.123C::02/22/2011-20:28:40.091.000022ce (Deployment,DeploymentContext.CreateCustomizedSession:deploymentenvironment.cs(411))(000000000283D742)Using default network credentials for AD session.
4392 TL_WARN(TF_STACKTRACE) [0]0FC8.123C::02/22/2011-20:28:40.107.000022ed (Deployment,DirectoryCommon.FindAces:directorycommon.cs(341))Unable to find the requested ace: contoso\RTCUniversalUserReadOnlyGroup; Allow; ReadProperty; ContainerInherit; Descendents; bf967aba-0de6-11d0-a285-00aa003049e2; e2d6986b-2c7f-4cda-9851-d5b5f3fb6706

Concentrate on the "Applies To: " for the ACL "RTCUserSearchPropertySet" for the User "RTCUniversalUserReadOnlyGroup". The ACL "RTCUserSearchPropertySet" for "contoso\RTCUniversalUserReadOnlyGroup" is applied to "This object and all descendant objects" is the cause of this issue.


Concentrate on the "Applies To: " for the ACL "RTCUserSearchPropertySet" for the User "RTCUniversalUserReadOnlyGroup". Changing the ACL "RTCUserSearchPropertySet" for "contoso\RTCUniversalUserReadOnlyGroup" to apply to ONLY  "Descendant User Objects" instead of  "This object and all descendant objects" will resolve this issue.

OK so adding, how did I actually find the problem :-), the interesting part
Requested the output of the following from the customer: dsacls "CN=RTCUniversalUserReadOnlyGroup,CN=Users,DC=contoso,DC=com" , compared this with
the dsacls from a working environment: dsacls "CN=RTCUniversalUserReadOnlyGroup,CN=Users,DC=contoso,DC=com"
The delta showed up:




414 Permissions inherited to subobjects are:

415 Inherited to all subobjects


510 Allow  contoso\RTCUniversalUserReadOnlyGroup

511                                       SPECIAL ACCESS for RTCUserSearchPropertySet

512                                       READ PROPERTY


Missing here





163 Allow contoso\RTCUniversalUserReadOnlyGroup

164                                       SPECIAL ACCESS for RTCUserSearchPropertySet

165                                       READ PROPERTY


Missing here

804 Inherited to user


Missing here

226 Inherited to user


246 Allow NWTRADERS\RTCUniversalUserReadOnlyGroup      SPECIAL ACCESS for RTCUserSearchPropertySet

247                                                    READ PROPERTY


 After this it was just about using "dsa.msc" to locate the ACL "RTCUserSearchPropertySet" for "contoso\RTCUniversalUserReadOnlyGroup", and making sure the delta is handled.
Comments (0)

Skip to main content