LCS Services Fail to Start After Running the Global Settings Migration Tool

I ran into this problem recently. I was doing a migration from LCS 2005 SP1 to OCS 2007 R2 and as part of the R2 prep we were moving the global settings to the Configuration Partition. We followed the steps outlined in this TechNet article (http://technet.microsoft.com/en-us/library/dd819962(office.13).aspx), and while trying to complete Step #7, we ran into a small issue. When trying to start the LCS service, so that we could test, we got the error listed below:

Windows could not start the Live Communications Server on Local Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code -2147016694.

Looking in the Application Event Log, we got Event IDs 16417 and 12299.

Checking the System Event Log, we got Event ID 7024.

The service can't start up because the rights aren't being applied to the new container structure in the Configuration Partition. If you check the Security tab for the RTC Service container in ADSI Edit, you see the following:

The RTC groups that need rights aren't being added. There are 2 ways to fix this issue. The first options is to grant the RTCDomainUserAdmins, RTCDomainServerAdmins, and RTCHSDomainServices groups permissions to the Services (or RTC Service) container. I've included a report of the permission both before moving the global settings as well as after moving the global settings to the Configuration Partition. A copy of the permissions is also attached to this post, since some of the report is cut off the screen. The second option is a little more risky. In my lab I was able to successfully get the permissions to apply if I re-ran the DomainPrep step AFTER completing Step #8, which is removing the RTC Service container in the System container. This is risky because you could switch back to using the System container if you absolutely had to. You can mitigate this risk by making sure that you have a recent backup of Active Directory. You should also be able to get the services started by using Option #1, but you will more than likely be granting more permissions than necessary. After re-running DomainPrep, the permissions were applied to the Services container in the Configuration Partition and I could start the LCS service.

Before Moving the Global Settings (CN=Microsoft,CN=System,DC=test,DC=domain,DC=com)

Access list:
Effective Permissions on this object are:
Allow TEST\Domain Admins                          FULL CONTROL
Allow NT AUTHORITY\SYSTEM                         FULL CONTROL
Allow NT AUTHORITY\Authenticated Users            SPECIAL ACCESS
                                                  READ PERMISSONS
                                                  LIST CONTENTS
                                                  READ PROPERTY
                                                  LIST OBJECT
Allow BUILTIN\Administrators                      SPECIAL ACCESS   <Inherited from parent>
                                                  DELETE
                                                  READ PERMISSONS
                                                  WRITE PERMISSIONS
                                                  CHANGE OWNERSHIP
                                                  CREATE CHILD
                                                  LIST CONTENTS
                                                  WRITE SELF
                                                  WRITE PROPERTY
                                                  READ PROPERTY
                                                  LIST OBJECT
                                                  CONTROL ACCESS
Allow TEST\Enterprise Admins                      FULL CONTROL   <Inherited from parent>
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS   <Inherited from parent>
                                                  LIST CONTENTS

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow NT AUTHORITY\Authenticated Users            SPECIAL ACCESS
                                                  READ PERMISSONS
                                                  LIST CONTENTS
                                                  READ PROPERTY
                                                  LIST OBJECT
Allow BUILTIN\Administrators                      SPECIAL ACCESS   <Inherited from parent>
                                                  DELETE
                                                  READ PERMISSONS
                                                  WRITE PERMISSIONS
                                                  CHANGE OWNERSHIP
                                                  CREATE CHILD
                                                  LIST CONTENTS
                                                  WRITE SELF
                                                  WRITE PROPERTY
                                                  READ PROPERTY
                                                  LIST OBJECT
                                                  CONTROL ACCESS
Allow TEST\Enterprise Admins                      FULL CONTROL   <Inherited from parent>
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS   <Inherited from parent>
                                                  LIST CONTENTS

Inherited to computer
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS SPECIAL ACCESS for tokenGroups   <Inherited from parent>
                                                  READ PROPERTY
Inherited to group
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS SPECIAL ACCESS for tokenGroups   <Inherited from parent>
                                                  READ PROPERTY
Inherited to user
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS SPECIAL ACCESS for tokenGroups   <Inherited from parent>
                                                  READ PROPERTY
Inherited to inetOrgPerson
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS   <Inherited from parent>
                                                  READ PERMISSONS
                                                  LIST CONTENTS
                                                  READ PROPERTY
                                                  LIST OBJECT
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Logon Information   <Inherited from parent>
                                                  READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Account Restrictions   <Inherited from parent>
                                                  READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Group Membership   <Inherited from parent>
                                                  READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for General Information   <Inherited from parent>
                                                  READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Remote Access Information   <Inherited from parent>
                                                  READ PROPERTY
Inherited to user
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS   <Inherited from parent>
                                                  READ PERMISSONS
                                                  LIST CONTENTS
                                                  READ PROPERTY
                                                  LIST OBJECT
Inherited to group
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS   <Inherited from parent>
                                                  READ PERMISSONS
                                                  LIST CONTENTS
                                                  READ PROPERTY
                                                  LIST OBJECT
Inherited to user
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Logon Information   <Inherited from parent>
                                                  READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Account Restrictions   <Inherited from parent>
                                                  READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Group Membership   <Inherited from parent>
                                                  READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for General Information   <Inherited from parent>
                                                  READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Remote Access Information   <Inherited from parent>
                                                  READ PROPERTY
Allow NT AUTHORITY\Authenticated Users            SPECIAL ACCESS for RTCUserSearchPropertySet   <Inherited from parent>
                                                  READ PROPERTY
Allow TEST\RTCDomainUserAdmins                    SPECIAL ACCESS for Public Information   <Inherited from parent>
                                                  DELETE
                                                  WRITE PROPERTY
                                                  READ PROPERTY
Allow TEST\RTCDomainUserAdmins                    SPECIAL ACCESS for RTCUserSearchPropertySet   <Inherited from parent>
                                                  DELETE
                                                  WRITE PROPERTY
                                                  READ PROPERTY
Allow TEST\RTCDomainUserAdmins                    SPECIAL ACCESS for RTCPropertySet   <Inherited from parent>
                                                  DELETE
                                                  WRITE PROPERTY
                                                  READ PROPERTY
Allow TEST\RTCDomainServerAdmins                  SPECIAL ACCESS for RTCPropertySet   <Inherited from parent>
                                                  DELETE
                                                  WRITE PROPERTY
                                                  READ PROPERTY
Allow TEST\RTCHSDomainServices                    SPECIAL ACCESS for RTCUserSearchPropertySet   <Inherited from parent>
                                                  READ PROPERTY
Allow TEST\RTCHSDomainServices                    SPECIAL ACCESS for RTCPropertySet   <Inherited from parent>
                                                  READ PROPERTY
Inherited to msRTCSIP-GlobalContainer
Allow TEST\RTCDomainUserAdmins                    SPECIAL ACCESS
                                                  LIST CONTENTS
                                                  READ PROPERTY
Inherited to msRTCSIP-PoolService
Allow TEST\RTCDomainUserAdmins                    SPECIAL ACCESS
                                                  READ PROPERTY
Inherited to msRTCSIP-Pools
Allow TEST\RTCDomainUserAdmins                    SPECIAL ACCESS
                                                  LIST CONTENTS
                                                  READ PROPERTY
Inherited to container
Allow TEST\RTCDomainUserAdmins                    SPECIAL ACCESS
                                                  LIST CONTENTS
                                                  READ PROPERTY
Inherited to msRTCSIP-Pool
Allow TEST\RTCDomainUserAdmins                    SPECIAL ACCESS
                                                  LIST CONTENTS
                                                  READ PROPERTY
Inherited to msRTCSIP-Service
Allow TEST\RTCDomainUserAdmins                    SPECIAL ACCESS
                                                  LIST CONTENTS
                                                  READ PROPERTY
Inherited to msRTCSIP-ArchivingServer
Allow TEST\RTCDomainServerAdmins                  SPECIAL ACCESS
                                                  WRITE PROPERTY
                                                  READ PROPERTY
                                                  DELETE TREE
Inherited to msRTCSIP-EdgeProxy
Allow TEST\RTCDomainServerAdmins                  SPECIAL ACCESS
                                                  WRITE PROPERTY
                                                  READ PROPERTY
                                                  DELETE TREE
Inherited to msRTCSIP-PoolService
Allow TEST\RTCDomainServerAdmins                  SPECIAL ACCESS
                                                  LIST CONTENTS
                                                  WRITE PROPERTY
                                                  READ PROPERTY
Inherited to container
Allow TEST\RTCDomainServerAdmins                  SPECIAL ACCESS
                                                  CREATE CHILD
                                                  DELETE CHILD
                                                  LIST CONTENTS
                                                  WRITE PROPERTY
                                                  READ PROPERTY
                                                  DELETE TREE
Inherited to msRTCSIP-Pool
Allow TEST\RTCDomainServerAdmins                  SPECIAL ACCESS
                                                  CREATE CHILD
                                                  DELETE CHILD
                                                  LIST CONTENTS
                                                  WRITE PROPERTY
                                                  READ PROPERTY
                                                  DELETE TREE
Inherited to msRTCSIP-Pools
Allow TEST\RTCDomainServerAdmins                  SPECIAL ACCESS
                                                  CREATE CHILD
                                                  DELETE CHILD
                                                  LIST CONTENTS
                                                  WRITE PROPERTY
                                                  READ PROPERTY
                                                  DELETE TREE
Inherited to msRTCSIP-TrustedServer
Allow TEST\RTCDomainServerAdmins                  SPECIAL ACCESS
                                                  WRITE PROPERTY
                                                  READ PROPERTY
                                                  DELETE TREE
Inherited to msRTCSIP-Domain
Allow TEST\RTCDomainServerAdmins                  SPECIAL ACCESS
                                                  WRITE PROPERTY
                                                  READ PROPERTY
                                                  DELETE TREE
Inherited to msRTCSIP-GlobalContainer
Allow TEST\RTCDomainServerAdmins                  SPECIAL ACCESS
                                                  CREATE CHILD
                                                  DELETE CHILD
                                                  LIST CONTENTS
                                                  WRITE PROPERTY
                                                  READ PROPERTY
Inherited to msRTCSIP-Service
Allow TEST\RTCDomainServerAdmins                  SPECIAL ACCESS
                                                  LIST CONTENTS
                                                  READ PROPERTY
Inherited to msRTCSIP-ArchivingServer
Allow TEST\RTCHSDomainServices                    SPECIAL ACCESS
                                                  READ PROPERTY
Inherited to msRTCSIP-EdgeProxy
Allow TEST\RTCHSDomainServices                    SPECIAL ACCESS
                                                  READ PROPERTY
Inherited to msRTCSIP-PoolService
Allow TEST\RTCHSDomainServices                    SPECIAL ACCESS
                                                  READ PROPERTY
Inherited to container
Allow TEST\RTCHSDomainServices                    SPECIAL ACCESS
                                                  LIST CONTENTS
                                                  READ PROPERTY
Inherited to msRTCSIP-Pool
Allow TEST\RTCHSDomainServices                    SPECIAL ACCESS
                                                  LIST CONTENTS
                                                  READ PROPERTY
Inherited to msRTCSIP-Pools
Allow TEST\RTCHSDomainServices                    SPECIAL ACCESS
                                                  LIST CONTENTS
                                                  READ PROPERTY
Inherited to msRTCSIP-TrustedServer
Allow TEST\RTCHSDomainServices                    SPECIAL ACCESS
                                                  READ PROPERTY
Inherited to msRTCSIP-Domain
Allow TEST\RTCHSDomainServices                    SPECIAL ACCESS
                                                  READ PROPERTY
Inherited to msRTCSIP-GlobalContainer
Allow TEST\RTCHSDomainServices                    SPECIAL ACCESS
                                                  LIST CONTENTS
                                                  READ PROPERTY
Inherited to msRTCSIP-Service
Allow TEST\RTCHSDomainServices                    SPECIAL ACCESS
                                                  LIST CONTENTS
                                                  READ PROPERTY

After Moving the Global Settings (CN=Services,CN=Configuration,DC=test,DC=domain,DC=com)

Access list:
Effective Permissions on this object are:
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS
                                        READ PERMISSONS
                                        LIST CONTENTS
                                        READ PROPERTY
                                        LIST OBJECT
Allow TEST\Enterprise Admins            SPECIAL ACCESS
                                        READ PERMISSONS
                                        WRITE PERMISSIONS
                                        CHANGE OWNERSHIP
                                        CREATE CHILD
                                        LIST CONTENTS
                                        WRITE SELF
                                        WRITE PROPERTY
                                        READ PROPERTY
                                        LIST OBJECT
                                        CONTROL ACCESS
Allow NT AUTHORITY\SYSTEM               FULL CONTROL
Allow TEST\Enterprise Admins            FULL CONTROL   <Inherited from parent>
Allow TEST\Domain Admins                SPECIAL ACCESS   <Inherited from parent>
                                        DELETE
                                        READ PERMISSONS
                                        WRITE PERMISSIONS
                                        CHANGE OWNERSHIP
                                        CREATE CHILD
                                        LIST CONTENTS
                                        WRITE SELF
                                        WRITE PROPERTY
                                        READ PROPERTY
                                        LIST OBJECT
                                        CONTROL ACCESS

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS
                                        READ PERMISSONS
                                        LIST CONTENTS
                                        READ PROPERTY
                                        LIST OBJECT
Allow TEST\Enterprise Admins            FULL CONTROL   <Inherited from parent>
Allow TEST\Domain Admins                SPECIAL ACCESS   <Inherited from parent>
                                        DELETE
                                        READ PERMISSONS
                                        WRITE PERMISSIONS
                                        CHANGE OWNERSHIP
                                        CREATE CHILD
                                        LIST CONTENTS
                                        WRITE SELF
                                        WRITE PROPERTY
                                        READ PROPERTY
                                        LIST OBJECT
                                        CONTROL ACCESS

Inherited to msRTCSIP-GlobalContainer
Allow TEST\RTCDomainUserAdmins          SPECIAL ACCESS
                                        LIST CONTENTS
                                        READ PROPERTY
Inherited to msRTCSIP-PoolService
Allow TEST\RTCDomainUserAdmins          SPECIAL ACCESS
                                        READ PROPERTY
Inherited to msRTCSIP-Pools
Allow TEST\RTCDomainUserAdmins          SPECIAL ACCESS
                                        LIST CONTENTS
                                        READ PROPERTY
Inherited to container
Allow TEST\RTCDomainUserAdmins          SPECIAL ACCESS
                                        LIST CONTENTS
                                        READ PROPERTY
Inherited to msRTCSIP-Pool
Allow TEST\RTCDomainUserAdmins          SPECIAL ACCESS
                                        LIST CONTENTS
                                        READ PROPERTY
Inherited to msRTCSIP-Service
Allow TEST\RTCDomainUserAdmins          SPECIAL ACCESS
                                        LIST CONTENTS
                                        READ PROPERTY
Inherited to msRTCSIP-ArchivingServer
Allow TEST\RTCDomainServerAdmins        SPECIAL ACCESS
                                        WRITE PROPERTY
                                        READ PROPERTY
                                        DELETE TREE
Inherited to msRTCSIP-EdgeProxy
Allow TEST\RTCDomainServerAdmins        SPECIAL ACCESS
                                        WRITE PROPERTY
                                        READ PROPERTY
                                        DELETE TREE
Inherited to msRTCSIP-PoolService
Allow TEST\RTCDomainServerAdmins        SPECIAL ACCESS
                                        LIST CONTENTS
                                        WRITE PROPERTY
                                        READ PROPERTY
Inherited to container
Allow TEST\RTCDomainServerAdmins        SPECIAL ACCESS
                                        CREATE CHILD
                                        DELETE CHILD
                                        LIST CONTENTS
                                        WRITE PROPERTY
                                        READ PROPERTY
                                        DELETE TREE
Inherited to msRTCSIP-Pool
Allow TEST\RTCDomainServerAdmins        SPECIAL ACCESS
                                        CREATE CHILD
                                        DELETE CHILD
                                        LIST CONTENTS
                                        WRITE PROPERTY
                                        READ PROPERTY
                                        DELETE TREE
Inherited to msRTCSIP-Pools
Allow TEST\RTCDomainServerAdmins        SPECIAL ACCESS
                                        CREATE CHILD
                                        DELETE CHILD
                                        LIST CONTENTS
                                        WRITE PROPERTY
                                        READ PROPERTY
                                        DELETE TREE
Inherited to msRTCSIP-TrustedServer
Allow TEST\RTCDomainServerAdmins        SPECIAL ACCESS
                                        WRITE PROPERTY
                                        READ PROPERTY
                                        DELETE TREE
Inherited to msRTCSIP-Domain
Allow TEST\RTCDomainServerAdmins        SPECIAL ACCESS
                                        WRITE PROPERTY
                                        READ PROPERTY
                                        DELETE TREE
Inherited to msRTCSIP-GlobalContainer
Allow TEST\RTCDomainServerAdmins        SPECIAL ACCESS
                                        CREATE CHILD
                                        DELETE CHILD
                                        LIST CONTENTS
                                        WRITE PROPERTY
                                        READ PROPERTY
Inherited to msRTCSIP-Service
Allow TEST\RTCDomainServerAdmins        SPECIAL ACCESS
                                        LIST CONTENTS
                                        READ PROPERTY
Inherited to msRTCSIP-ArchivingServer
Allow TEST\RTCHSDomainServices          SPECIAL ACCESS
                                        READ PROPERTY
Inherited to msRTCSIP-EdgeProxy
Allow TEST\RTCHSDomainServices          SPECIAL ACCESS
                                        READ PROPERTY
Inherited to msRTCSIP-PoolService
Allow TEST\RTCHSDomainServices          SPECIAL ACCESS
                                        READ PROPERTY
Inherited to container
Allow TEST\RTCHSDomainServices          SPECIAL ACCESS
                                        LIST CONTENTS
                                        READ PROPERTY
Inherited to msRTCSIP-Pool
Allow TEST\RTCHSDomainServices          SPECIAL ACCESS
                                        LIST CONTENTS
                                        READ PROPERTY
Inherited to msRTCSIP-Pools
Allow TEST\RTCHSDomainServices          SPECIAL ACCESS
                                        LIST CONTENTS
                                        READ PROPERTY
Inherited to msRTCSIP-TrustedServer
Allow TEST\RTCHSDomainServices          SPECIAL ACCESS
                                        READ PROPERTY
Inherited to msRTCSIP-Domain
Allow TEST\RTCHSDomainServices          SPECIAL ACCESS
                                        READ PROPERTY
Inherited to msRTCSIP-GlobalContainer
Allow TEST\RTCHSDomainServices          SPECIAL ACCESS
                                        LIST CONTENTS
                                        READ PROPERTY
Inherited to msRTCSIP-Service
Allow TEST\RTCHSDomainServices          SPECIAL ACCESS
                                        LIST CONTENTS
                                        READ PROPERTY