Lync Server EE: cannot see enabled users in control panel (Get-CsAdDomain gives 4 warnings)
-
Thursday, March 22, 2012 5:38 PM
I am installing a Lync Server EE in a domain contoso.com
forest preparation ..OK
domain preparation ...OK
Get-CsAdDomain fails (5 warnings)
"
Warning: The access control entries (ACEs) on the object "domain root" are not ready. 22/03/2012 17:31:35 Warning
└ Action: Check Permission settings of users container 22/03/2012 17:31:35
└ Action: Check Permission settings of computers container 22/03/2012 17:31:35
└ Action: Check Permission settings of domain controllers container 22/03/2012 17:31:35
└ Warning: The access control entries (ACEs) on the object "" are not ready. 22/03/2012 17:31:35 Warning
└ Domain state: LC_DOMAINSETTINGS_STATE_DISCOVERED, LC_DOMAINSETTINGS_STATE_ACCOUNTS_READY 22/03/2012 17:31:35
└ Warning: The domain is not ready. "
Note: when I check CsAdministrator on a given user, I notice that it does not have enough permissions.
It seems like permission inheritance doesn't work!
Any help will be appreciated.
All Replies
-
Thursday, March 22, 2012 6:33 PM
Mefteh,
I think that this looks like you're running the schema prep - right?
So - you need to be logged onto the Lync server with SCHEMA ADMIN/Enterprise Admin rights to do this. It looks as if you have not done this.
Can you confirm? If you have these rights, then the prep should work pretty flawlessly.
____________________________________ if my post is helpful - please click on the green arrow. (please excuse, in advance, any perceived sarcasm/humor - as I often forget it does not translate through text) :)
-
Friday, March 23, 2012 4:32 AM
Hi,
I suggest referring to the following tips to check the issue:
1. Please try to manually verify schema replication first:
http://technet.microsoft.com/en-us/library/gg412822.aspx
To run schema preparation, you must be a member of the Schema Admins group in the root domain and a member of the Enterprise Admins group on the schema master.
2. Verify that forest preparation was successful.
http://technet.microsoft.com/en-us/library/gg398825.aspx
To run Forest Preparation, you must be a member of the Enterprise Admins group.
After running Get-CsAdForest, LC_FORESTSETTINGS_STATE_READY should be returned.
3. If the above steps are successful, please try to run domain preparation and verify it again:
http://technet.microsoft.com/en-us/library/gg425868.aspx
To run this step, you must be a member of the Domain Admins group.
After running Get-CsAdDomain, LC_DOMAINSETTINGS_STATE_READY should be returned.
Please feel free to let us know the exact result.
Best Regards,
Kent
-
Friday, March 23, 2012 9:45 AM
Hi Kent,
Thank you for your reply.
I have done as we described (steps 1 and 2 passed fine) but still have 4 warnings when executing Get-CsAdDomain, with the message I mentioned in my initial post.
I tried to explicitly give permission to CsAdministrator on a given user (edit its security settings) and I was able to enable it; it can also connect to Lync.
The problem is permission inheritance.
Should I use Grant-CsOuPermission to give permission to all OUs in my domain? How can I "force" permission propagation in all AD user objects?
http://technet.microsoft.com/en-us/library/gg412970.aspx
How can I check if my AD is locked down or not?
Thanks in advance
- Edited by Mefteh_Werghemmi Friday, March 23, 2012 10:38 AM
-
Friday, March 23, 2012 3:28 PM
Just another update.
I was trying to disable the AD forest (Disable-CsAdForest and Disable-CsAdDomain)
but I received one warning when executing Disable-CsAdForest:
Group security identifier (SID): S-1-5-21-917253991-808314923-4276756315-512 23/03/2012 15:46:46
└ HasToken: True 23/03/2012 15:46:46
└ Domain: dev.active 23/03/2012 15:46:46
└ Action: Check Groups 23/03/2012 15:46:46
└ Warning: The universal group "" is not ready. 23/03/2012 15:46:47 Warning
└ Action: Remove Groups 23/03/2012 15:46:47
└ Command Status: Command processing is complete. 23/03/2012 15:46:47
└ Command Status: Command run is complete.
I am not able to find that group to delete it manually perhaps. My idea was to have a clean domain, then to enable forest and domain.
Regards,
-
Monday, March 26, 2012 5:29 AM Moderator
Hi, Meftech_W
Would you please give more details about your Active Directory service and Lync topology?
Is your Lync deployment in a locked-down Active Directory environment? If so, you must run the Grant-CsOuPermission cmdlet on each container or OU that has User or InetOrgPerson objects for which permissions inheritance is disabled. Details you can check: http://technet.microsoft.com/en-us/library/gg412970.aspx
If you would like to remove the Lync reference in AD and start from scratch, you can refer to the following article, which was posted by a Microsoft MVP, Randy Wintle.
Hope this is useful!
B/R
Sharon
Sharon Shen
TechNet Community Support
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question.
- Edited by Sharon.ShenMicrosoft Contingent Staff, Moderator Monday, March 26, 2012 5:30 AM
-
Monday, March 26, 2012 3:57 PM
Hello Sharon,
Thank you for your help :)
I tested the Grant-OuPermission cmdlet but that doesn't give any positive results; Test-CsOuPermission returned a true answer but I am still not able to see activated users or activate new Lync users.
I am reading about AdminSDHolder, which can be a possible reason since permissions are not inherited on user objects.
Any help or advice around this topic?
Thanks in advance
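
The check the thread is circling (which user objects have permission inheritance disabled, and which of those are covered by AdminSDHolder), as an added example that is not part of any post above. It assumes the Lync Server Management Shell, an account allowed to read ACLs in the domain, and uses ADSI so it also works against a Windows Server 2003 domain:

```powershell
# Added example (not from the thread). Lists users with inheritance disabled,
# then tests the Lync ACEs on the containers that hold them.
$domainDn = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
$searcher.Filter     = "(&(objectCategory=person)(objectClass=user))"
$searcher.PageSize   = 500   # page results so large domains are not truncated
[void]$searcher.PropertiesToLoad.Add("distinguishedname")
[void]$searcher.PropertiesToLoad.Add("admincount")

# A protected DACL means "include inheritable permissions" is switched off
$blocked = foreach ($hit in $searcher.FindAll()) {
    $entry = $hit.GetDirectoryEntry()
    if ($entry.psbase.ObjectSecurity.AreAccessRulesProtected) {
        New-Object PSObject -Property @{
            User          = [string]$hit.Properties["distinguishedname"][0]
            Container     = [string]$entry.psbase.Parent.distinguishedName
            # adminCount = 1 marks accounts whose ACL is stamped from AdminSDHolder
            AdminSDHolder = (@($hit.Properties["admincount"]) -contains 1)
        }
    }
    $entry.psbase.Dispose()
}

if ($blocked) {
    $blocked | Sort-Object Container |
        Format-Table User, Container, AdminSDHolder -AutoSize

    # Test-CsOuPermission returns True when the Lync ACEs exist on the container
    $blocked | Select-Object -ExpandProperty Container -Unique | ForEach-Object {
        New-Object PSObject -Property @{
            Container  = $_
            LyncAcesOk = Test-CsOuPermission -ObjectType "User" -OU $_
        }
    } | Format-Table Container, LyncAcesOk -AutoSize
} else {
    "No user objects with inheritance disabled were found."
}
```

Rows with AdminSDHolder set to True are accounts whose ACL is periodically rewritten from the AdminSDHolder object, so permissions granted on their container do not reach them.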
-
Wednesday, March 28, 2012 10:11 AM
Hi,
1. Have you tried to give users read-access permissions on containers in the forest root domain?
http://technet.microsoft.com/en-us/library/gg398425.aspx
2. The command is Grant-CsOuPermission not Grant-OuPermission. Would you try it again? Please check if all required steps have been performed.
http://technet.microsoft.com/en-us/library/gg412970.aspx
3. Would you please tell us details about your AD topology and Lync topology?
Regards,
Kent
-
Wednesday, March 28, 2012 2:10 PM
Hi,
I am installing an EE Lync with one front end pool and a back end.
Active Directory is a 2003; I have an Exchange 1003 and an Exchange 2010 installed.
I used the Grant-CsOuPermission described in the link you mentioned. That does not give a result.
I also followed this blog to give permission to some RTC groups, but no result :(
Sorry, it is in French!
Am I missing something?
thanks again.
-
Thursday, March 29, 2012 9:24 AM
Hi,
1. Have you deployed OCS before on this forest?
2. Please check the requirements for AD infrastructure carefully:
http://technet.microsoft.com/en-us/library/gg398760.aspx
3. If the issue persists, I recommend referring to the link Sharon provided to remove the Lync reference in AD and start from scratch.
Regards,
Kent
-
Monday, April 02, 2012 9:35 AM Moderator
Hi, there,
Do you have multiple domain controllers or AD sites? If so, please make sure the replication between different DCs and sites has completed. You can use DCDiag to analyze replication and sync issues; you can also check the Active Directory Service log in Event Viewer to see if there are any sync or replication issues.
B/R
Sharon
Sharon Shen
TechNet Community Support
-
Monday, April 02, 2012 12:13 PM
Hi,
Thanks again for your reply.
We have one DC and there are no warnings/errors in Event Viewer.
As he recommends, I checked the AD requirements and all is OK.
We have no previous version of Lync installed.
I used Sharon's link to restart from scratch.
I am always blocked at the same stage...
-
Monday, April 02, 2012 7:15 PM
Hi,
Is your forest in 2003 mode and also your domain?
1. Get-CsAdForest Results?
2. Get-CsAdDomain Results
3. Try Enable-CsAdDomain -Domain domain1.contoso.net
3. Check the permissions set by domainprep from this link http://technet.microsoft.com/en-us/library/gg398742.aspx
regards Holger Technical Specialist UC
-
Tuesday, April 03, 2012 12:04 PM
Hi,
1 Forest mode and domain are both 2003.
2 Get-CsAdForest Results
LC_FORESTSETTINGS_STATE_READY
3 Get-CsAdDomain Results
LC_FORESTSETTINGS_STATE_READY
4 After trying Enable-CsAdDomain -Domain ourdomain.active,
permissions are not as described in the link you mention.
What do you suggest now? Do I have to add them manually? Is there any other method?
regards,
-
Tuesday, April 03, 2012 12:17 PM
Can you try to enable the CS domain again with
Enable-CSAdDomain -Verbose -Report "C:\Users\Administrator\AppData\Local\Temp\1\Enable-CSAdDomain-[2012_04_03][21_09_31].xml"
And open the new log file C:\Users\Administrator\AppData\Local\Temp\1\Enable-CSAdDomain-[2012_04_03][21_09_31].xml
to see what happened, or do you have the old log file from the Enable-CsAdDomain?
regards Holger Technical Specialist UC
-
Tuesday, April 03, 2012 1:26 PM
Thank you Holger,
This is the output of the Enable-CsAdDomain:
regards,
-
Thursday, April 05, 2012 9:14 AM
Hello,
Any idea around this topic?
-
Friday, April 06, 2012 10:00 AM
Hi,
Would you please let me know your AD topology? Is it single forest, single domain or single forest, multiple domains?
If you are trying to deploy Lync in sub domain, please try the following command to test the issue.
Enable-CsAdDomain -Domain SubDomainName
If the issue persists, I suggest you refer to the video to deploy Lync.
http://www.trainsignal.com/blog/videos/install-lync-server-2010
Regards,
Kent
-
Tuesday, April 17, 2012 1:42 PM
Hello,
Thank you all for your help. I solved my problem; it was related to some AD attribute that was copied manually before schema extension.
Regards,
Mefteh
- Marked As Answer by Sharon.ShenMicrosoft Contingent Staff, Moderator Wednesday, April 18, 2012 1:14 AM

