Montag, 23. April 2012 18:53
We have a customer who had their Lync Server 2010 Edge role on a machine in their domain. They have since removed the machine from the domain following best practices, but they now get this every hour:
Log Name: Lync Server
Source: LS Server
Date: 4/23/2012 1:21:55 PM
Event ID: 12295
Task Category: (1000)
Active Directory operation failed while verifying validity of service account password
Active Directory operation failed with error code: 0x80070005 (Access is denied.
Cause: The service account may not have required privileges to access Active Directory.
Check domain controller/global catalog server connectivity and whether the service account has sufficient privileges to access the Active Directory. If the problem persists, contact Product Support Services.
<Provider Name="LS Server" />
<TimeCreated SystemTime="2012-04-23T17:21:55.000000000Z" />
<Data>Access is denied.
What service account it is trying to check - everything is Network Service.
The machine is production do we really don't want to completely tear down and put back the installation.
Mittwoch, 25. April 2012 06:49Moderator
Please refer the following article about this problem, hope it can help you:
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Mittwoch, 25. April 2012 12:06
Thank you for your answer. However, that KB does not apply for two important reasons:
- It refers to the "service accounts LCS 2003 runs under" but as I said in my question Lync runs under Network Service so I don't know what accounts it is looking for.
- It refers to the password policy in the domain, but this machine is no longer in the domain.
I have since done a Network Monitor trace and the machine is indeed trying to go against the old domain to look up something, but I can't see what because it doesn't get far enough to do the actual query. So I'm still at my original question of what is account is Lync checking and why is it doing it?
Freitag, 27. April 2012 22:30I'm having the same exact issue. I even tried the solution proposed in the KB article to no avail.
Donnerstag, 10. Mai 2012 13:16
Just as a follow-up, we ate the production downtime, tore down the Edge server by removing all of the Lync components (via bootstrapper /scorch), and put everything back, and we STILL have the problem.
Montag, 21. Mai 2012 16:42
I opened a case with Microsoft PSS on this (112052153849537) and we found fairly quickly that AD still had a computer account for the Edge server that was enabled and had child objects. We deleted the computer object, and the warnings stopped.
We (myself or the engineer) can't explain what the code path must be like for this to matter, but it did. He's going to look into it some on his end and see if we can get a root cause answer, and if that happens I'll add an update, but I'm not holding my breath as break/fix doesn't officially offer root cause analysis.
My personal guess is that the Edge server is doing an LDAP query for a machine with its own name, then tries to check for something against the query result. The query is allowed anonymously but nothing after that is. Just a guess.
- Als Antwort markiert MikeBaz-BA Montag, 21. Mai 2012 16:42
Dienstag, 22. Mai 2012 12:26Thank you very much for taking the time to come back and update this case. Our Edge server, while not being a domain member, still had a computer account in AD (no child objects). I removed that object and the hourly alerts ceased.