Lync doesn't work for OCS 2007 R2 enabled users

  • Question

  • Hi,

    We were briefly testing OCS 2007 R2 before deciding to wait for Lync – only 3 users in the IT dept. were OCS enabled. Before the Lync installation OCS was removed, but some components weren't unregistered from AD; anyway, the users were disabled successfully. The OCS 2007 R2 test server was removed from AD and deleted.

    Now, after the Lync installation, everything works for other users except these three. If I want to enable them, I receive an error message: Active Directory operation failed on "DC.test.local". "You cannot retry this operation: Insufficient access rights to perform the operation". Even though I have all admin roles.

    I managed to enable them via the command line, and all settings look ok, but when the Lync client connects I get the message: "limited functionality is available due to outage" and the errors below are generated into the Windows log. The other users, previously not enabled, work perfectly without problems. I tried to manually reset all OCS attributes in AD for these three but no luck.

    Any help appreciated. Thanks, j.

    Log Name:      Lync Server
    Source:        LS UserPin Service
    Date:          9/22/2010 8:21:20 PM
    Event ID:      47052
    Task Category: (1044)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      LYNC.TEST.local
    Description:
    Failed to process the Publish Cert stored procedure.

    User:user@test.com
    Exception Details:
    System.Data.SqlClient.SqlException: ###63005:ReppMasterOnResourceUpdated:Unable to find primary and backup registrar clusters for resource.
    ###50001:CertStorePublishCert:Propagation
       at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
       at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
       at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
       at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)
       at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async)
       at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result)
       at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(DbAsyncResult result, String methodName, Boolean sendToPipe)
       at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()
       at Microsoft.Rtc.Common.Data.DBCore.Execute(SprocContext sprocContext, SqlConnection sqlConnection, SqlTransaction sqlTransaction)
    Cause: The connection to the database might be broken.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="LS UserPin Service" />
        <EventID Qualifiers="50196">47052</EventID>
        <Level>2</Level>
        <Task>1044</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2010-09-22T18:21:20.000000000Z" />
        <EventRecordID>2845</EventRecordID>
        <Channel>Lync Server</Channel>
        <Computer>LYNC.TEST.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data>user@test.com</Data>
        <Data>System.Data.SqlClient.SqlException: ###63005:ReppMasterOnResourceUpdated:Unable to find primary and backup registrar clusters for resource.
    ###50001:CertStorePublishCert:Propagation
       at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
       at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
       at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
       at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)
       at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async)
       at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result)
       at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(DbAsyncResult result, String methodName, Boolean sendToPipe)
       at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()
       at Microsoft.Rtc.Common.Data.DBCore.Execute(SprocContext sprocContext, SqlConnection sqlConnection, SqlTransaction sqlTransaction)</Data>
      </EventData>
    </Event>


    Log Name:      Lync Server
    Source:        LS UserPin Service
    Date:          9/22/2010 8:21:20 PM
    Event ID:      47068
    Task Category: (1044)
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      LYNC.TEST.local
    Description:
    GetAndPublish web service failed.

    Certificate could not be published in the database associated with User Services Cluster [LYNC.TEST.local]. Request Details - Entity: [user@test.com], Device Id: [{F1255897-F36A-5574-BBE0-BA4314D86120}], Authenticated User: [sip:user@test.com].
    Cause: This could be due to network connectivity issues with the remote server, or because the database is down.
    Resolution:
    Please ensure that the user services is reachable and the database is up and running.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="LS UserPin Service" />
        <EventID Qualifiers="33812">47068</EventID>
        <Level>3</Level>
        <Task>1044</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2010-09-22T18:21:20.000000000Z" />
        <EventRecordID>2846</EventRecordID>
        <Channel>Lync Server</Channel>
        <Computer>LYNC.TEST.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data>LYNC.TEST.local</Data>
        <Data>user@test.com</Data>
        <Data>{F1255897-F36A-5574-BBE0-BA4314D86120}</Data>
        <Data>sip:user@test.com</Data>
      </EventData>
    </Event>

    Wednesday, September 22, 2010 7:56 PM

Answers

  • Causes of "Active Directory Operation failed on "<DOMAIN CONTROLLER NAME>". You cannot retry this operation. Insufficient access rights to perform the operation."

    1. The user to be enabled has greater rights than the user trying to do the enabling. For example, the user being enabled is in the Domain Admins group and the Control Panel user is not.
    2. The user to be enabled is in an OU that does not have the appropriate Lync permissions inherited. Open Active Directory Users and Computers, View -> Advanced Features. Then right-click on the OU, go to the Security tab, click Advanced, and be sure that "Include inheritable permissions from this object's parent" is checked.

    Essentially, what it boils down to is that the user doing the enabling does not have rights to modify the Active Directory attributes of that particular user.

    • Marked as answer by Ben-Shun Zhu Friday, October 1, 2010 8:32 AM
    Wednesday, September 22, 2010 8:19 PM
  • Please try the command below and let us know of any updates.

    Move-CsUser -Identity "Pilar Ackerman" -Target "sip.domain.com" -Force


    Best regards,
    • Marked as answer by Ben-Shun Zhu Friday, October 1, 2010 8:32 AM
    Thursday, September 23, 2010 9:35 AM
  • Hi,

    Solved, the problem was as suggested:

    2. The user to be enabled is in an OU that does not have the appropriate Lync permissions inherited. Open Active Directory Users and Computers, View -> Advanced Features. Then right-click on the OU, go to the Security tab, click Advanced, and be sure that "Include inheritable permissions from this object's parent" is checked.

    thanks

    • Marked as answer by jmcz Sunday, October 3, 2010 9:52 PM
    Sunday, October 3, 2010 9:52 PM

All replies

  • Hi Jmcz, do the above approaches work out for you?
    Best regards,
    Thursday, September 30, 2010 8:50 AM

  • Causes of "Active Directory Operation failed on "<DOMAIN CONTROLLER NAME>". You cannot retry this operation. Insufficient access rights to perform the operation."

    1. The user to be enabled has greater rights than the user trying to do the enabling. For example, the user being enabled is in the Domain Admins group and the Control Panel user is not.
    2. The user to be enabled is in an OU that does not have the appropriate Lync permissions inherited. Open Active Directory Users and Computers, View -> Advanced Features. Then right-click on the OU, go to the Security tab, click Advanced, and be sure that "Include inheritable permissions from this object's parent" is checked.

    Essentially, what it boils down to is that the user doing the enabling does not have rights to modify the Active Directory attributes of that particular user.

    Please try the command below and let us know of any updates.

    Move-CsUser -Identity "Pilar Ackerman" -Target "sip.domain.com" -Force


    Best regards,

    The two solutions numbered 1 and 2 above seemed "just on target" for our situation. After an uninstallation of OCS 2007 R2 (but obviously with parts missing, similar to the thread starter) and an installation of Lync (for our lab environment), only two out of the Lync-enabled users were movable to the Registrar pool. Moving the four others was unsuccessful, and trying to disable or delete them from Lync gave an "Insufficient Access Rights" result. The two users in the pool could log in to the Lync client and the communication was working.

    What is common for the four users, including me, is that we are the four administrators. But I tried running it both logged in to my own domain account (trying to remove myself) and logged in as the domain administrator account. So it doesn't seem to be suggestion #1.

    Suggestion #2 was equally plausible; we four are alone in an R&D sub-group. But I could find no breaks in the inheritance chain: "Include inheritable permissions from this object's parent" was checked both for our group and for the groups above it in the chain. So not that either.

    Then I tried the Move-CsUser command and it worked! Now all users are in the pool and can log in to Lync :) However, I'm still wondering what the cause of our problem could be and why this third solution worked?

    Friday, October 15, 2010 11:48 AM
  • Please try the command below and let us know of any updates.

    Move-CsUser -Identity "Pilar Ackerman" -Target "sip.domain.com" -Force


    Best regards,

    Moving the user went well, but how can I get the buddy list with me as well?
    Friday, February 11, 2011 1:34 PM
  • Please try the command below and let us know of any updates.

    Move-CsUser -Identity "Pilar Ackerman" -Target "sip.domain.com" -Force


    Best regards,

    Moving the user went well, but how can I get the buddy list with me as well?

    The initial problem seemed to be the adminSDHolder issue. It is well documented by Microsoft. You'll need to re-create your user contacts; they are gone and not recoverable.

    Never use the -Force switch for this reason unless the user just won't migrate. Once you've used the -Force command your address book is pretty much gone for good and will need to be re-created. I ran into the same issue in the beginning when migrating a few legacy users who hold elevated privileges, before I figured that out.

    To move legacy users (admins) from OCS 2007 R2 and keep the address book intact, use this command:

    Command: Move-CsLegacyUser -Identity "Username" -Target "sip.domain.com"


    Billy Patterson - MCSE + Security
    Friday, February 11, 2011 4:11 PM
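The first answer (missing inherited Lync permissions on the user object) and the adminSDHolder explanation just above describe the same signature: a protected account carries adminCount=1 and has DACL inheritance blocked, so the RTC groups never receive their inherited rights on it, and SDProp re-applies that protected ACL from the PDC emulator about every hour, which is why re-ticking the inheritance box by hand does not stick. The PowerShell below is an added diagnostic, not code from this thread or from Microsoft; it assumes the ActiveDirectory (RSAT) module on a domain-joined admin workstation, and the account names are placeholders.

```powershell
# Added example: report which accounts are AdminSDHolder-protected before
# attempting Enable-CsUser / Move-CsLegacyUser on them.
# Assumes the ActiveDirectory module (RSAT) and rights to read the objects.
Import-Module ActiveDirectory

function Get-AdminSdHolderStatus {
    param(
        [Parameter(Mandatory = $true)][string[]]$SamAccountName
    )
    foreach ($sam in $SamAccountName) {
        $u = Get-ADUser -Identity $sam -Properties adminCount, memberOf
        # The AD: provider exposes the object's DACL through Get-Acl
        $acl = Get-Acl -Path ("AD:\" + $u.DistinguishedName)
        # adminCount is absent ($null) on unprotected accounts; treat as 0
        $adminCount = [int]$u.adminCount
        # Short group names only, for readability of the report
        $groups = $u.memberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }

        [pscustomobject]@{
            SamAccountName           = $u.SamAccountName
            AdminCount               = $adminCount
            InheritanceBlocked       = $acl.AreAccessRulesProtected
            # adminCount=1 plus blocked inheritance is the AdminSDHolder signature;
            # SDProp will keep re-blocking inheritance while the account stays in
            # a protected group, so re-enabling it manually is only temporary.
            ProtectedByAdminSDHolder = ($adminCount -eq 1 -and $acl.AreAccessRulesProtected)
            MemberOf                 = ($groups -join ';')
        }
    }
}

# Placeholder account names standing in for the admins that fail to enable/move.
Get-AdminSdHolderStatus -SamAccountName 'admin1', 'admin2', 'admin3' | Format-Table -AutoSize
```

Accounts reported as ProtectedByAdminSDHolder should be moved with Move-CsLegacyUser (without -Force) as the thread advises, and the durable fix for the permission error is to stop using protected accounts for day-to-day Lync sign-in rather than to repeatedly re-enable inheritance.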
  • Yes, with the command: Move-CsLegacyUser -Identity "Username" -Target "sip.domain.com"

    It did the trick, thanks a lot :-)

    However, I did encounter another problem: after migrating a user from OCS to Lync I get one person in the "Frequent Contact" list with me at all times, even if the user never talked to the person before?

    Monday, February 14, 2011 1:19 PM