Doug Deitterick's Blog

Information about Microsoft Lync, OCS, and Exchange UM.

LCS Services Fail to Start After Running the Global Settings Migration Tool


I ran into this problem recently.  I was doing a migration from LCS 2005 SP1 to OCS 2007 R2 and as part of the R2 prep we were moving the global settings to the Configuration Partition.  We followed the steps outlined in this TechNet article (http://technet.microsoft.com/en-us/library/dd819962(office.13).aspx), and while trying to complete Step #7, we ran into a small issue.  When trying to start the LCS service, so that we could test, we got the error listed below:

Windows could not start the Live Communications Server on Local Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code -2147016694.

Looking in the Application Event Log, we got Event IDs 16417 and 12299.

 

Checking the System Event Log, we got Event ID 7024.

The service can't start up because the rights aren't being applied to the new container structure in the Configuration Partition.  If you check the Security tab for the RTC Service container in ADSI Edit, you see the following:

The RTC groups that need rights aren't being added.  There are 2 ways to fix this issue.

The first option is to grant the RTCDomainUserAdmins, RTCDomainServerAdmins, and RTCHSDomainServices groups permissions to the Services (or RTC Service) container.  I've included a report of the permissions both before moving the global settings and after moving the global settings to the Configuration Partition.  A copy of the permissions is also attached to this post, since some of the report is cut off the screen.

The second option is a little more risky.  In my lab I was able to successfully get the permissions to apply if I re-ran the DomainPrep step AFTER completing Step #8, which is removing the RTC Service container in the System container.  This is risky because you couldn't switch back to using the System container if you absolutely had to.  You can mitigate this risk by making sure that you have a recent backup of Active Directory.  You should also be able to get the services started by using Option #1, but you will more than likely be granting more permissions than necessary.  After re-running DomainPrep, the permissions were applied to the Services container in the Configuration Partition and I could start the LCS service.

 

Before Moving the Global Settings (CN=Microsoft,CN=System,DC=test,DC=domain,DC=com)

Access list:
Effective Permissions on this object are:
Allow TEST\Domain Admins                          FULL CONTROL
Allow NT AUTHORITY\SYSTEM                         FULL CONTROL
Allow NT AUTHORITY\Authenticated Users            SPECIAL ACCESS
                                                  READ PERMISSONS
                                                  LIST CONTENTS
                                                  READ PROPERTY
                                                  LIST OBJECT
Allow BUILTIN\Administrators                      SPECIAL ACCESS   <Inherited from parent>
                                                  DELETE
                                                  READ PERMISSONS
                                                  WRITE PERMISSIONS
                                                  CHANGE OWNERSHIP
                                                  CREATE CHILD
                                                  LIST CONTENTS
                                                  WRITE SELF
                                                  WRITE PROPERTY
                                                  READ PROPERTY
                                                  LIST OBJECT
                                                  CONTROL ACCESS
Allow TEST\Enterprise Admins                      FULL CONTROL   <Inherited from parent>
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS   <Inherited from parent>
                                                  LIST CONTENTS

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow NT AUTHORITY\Authenticated Users            SPECIAL ACCESS
                                                  READ PERMISSONS
                                                  LIST CONTENTS
                                                  READ PROPERTY
                                                  LIST OBJECT
Allow BUILTIN\Administrators                      SPECIAL ACCESS   <Inherited from parent>
                                                  DELETE
                                                  READ PERMISSONS
                                                  WRITE PERMISSIONS
                                                  CHANGE OWNERSHIP
                                                  CREATE CHILD
                                                  LIST CONTENTS
                                                  WRITE SELF
                                                  WRITE PROPERTY
                                                  READ PROPERTY
                                                  LIST OBJECT
                                                  CONTROL ACCESS
Allow TEST\Enterprise Admins                      FULL CONTROL   <Inherited from parent>
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS   <Inherited from parent>
                                                  LIST CONTENTS

Inherited to computer
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS  SPECIAL ACCESS for tokenGroups   <Inherited from parent>
                                                  READ PROPERTY
Inherited to group
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS  SPECIAL ACCESS for tokenGroups   <Inherited from parent>
                                                  READ PROPERTY
Inherited to user
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS  SPECIAL ACCESS for tokenGroups   <Inherited from parent>
                                                  READ PROPERTY
Inherited to inetOrgPerson
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS   <Inherited from parent>
                                                  READ PERMISSONS
                                                  LIST CONTENTS
                                                  READ PROPERTY
                                                  LIST OBJECT
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Logon Information   <Inherited from parent>
                                                  READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Account Restrictions   <Inherited from parent>
                                                  READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Group Membership   <Inherited from parent>
                                                  READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for General Information   <Inherited from parent>
                                                  READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Remote Access Information   <Inherited from parent>
                                                  READ PROPERTY
Inherited to user
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS   <Inherited from parent>
                                                  READ PERMISSONS
                                                  LIST CONTENTS
                                                  READ PROPERTY
                                                  LIST OBJECT
Inherited to group
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS   <Inherited from parent>
                                                  READ PERMISSONS
                                                  LIST CONTENTS
                                                  READ PROPERTY
                                                  LIST OBJECT
Inherited to user
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Logon Information   <Inherited from parent>
                                                  READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Account Restrictions   <Inherited from parent>
                                                  READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Group Membership   <Inherited from parent>
                                                  READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for General Information   <Inherited from parent>
                                                  READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Remote Access Information   <Inherited from parent>
                                                  READ PROPERTY
Allow NT AUTHORITY\Authenticated Users            SPECIAL ACCESS for RTCUserSearchPropertySet   <Inherited from parent>
                                                  READ PROPERTY
Allow TEST\RTCDomainUserAdmins                    SPECIAL ACCESS for Public Information   <Inherited from parent>
                                                  DELETE
                                                  WRITE PROPERTY
                                                  READ PROPERTY
Allow TEST\RTCDomainUserAdmins                    SPECIAL ACCESS for RTCUserSearchPropertySet   <Inherited from parent>
                                                  DELETE
                                                  WRITE PROPERTY
                                                  READ PROPERTY
Allow TEST\RTCDomainUserAdmins                    SPECIAL ACCESS for RTCPropertySet   <Inherited from parent>
                                                  DELETE
                                                  WRITE PROPERTY
                                                  READ PROPERTY
Allow TEST\RTCDomainServerAdmins                  SPECIAL ACCESS for RTCPropertySet   <Inherited from parent>
                                                  DELETE
                                                  WRITE PROPERTY
                                                  READ PROPERTY
Allow TEST\RTCHSDomainServices                    SPECIAL ACCESS for RTCUserSearchPropertySet   <Inherited from parent>
                                                  READ PROPERTY
Allow TEST\RTCHSDomainServices                    SPECIAL ACCESS for RTCPropertySet   <Inherited from parent>
                                                  READ PROPERTY
Inherited to msRTCSIP-GlobalContainer
Allow TEST\RTCDomainUserAdmins                    SPECIAL ACCESS
                                                  LIST CONTENTS
                                                  READ PROPERTY
Inherited to msRTCSIP-PoolService
Allow TEST\RTCDomainUserAdmins                    SPECIAL ACCESS
                                                  READ PROPERTY
Inherited to msRTCSIP-Pools
Allow TEST\RTCDomainUserAdmins                    SPECIAL ACCESS
                                                  LIST CONTENTS
                                                  READ PROPERTY
Inherited to container
Allow TEST\RTCDomainUserAdmins                    SPECIAL ACCESS
                                                  LIST CONTENTS
                                                  READ PROPERTY
Inherited to msRTCSIP-Pool
Allow TEST\RTCDomainUserAdmins                    SPECIAL ACCESS
                                                  LIST CONTENTS
                                                  READ PROPERTY
Inherited to msRTCSIP-Service
Allow TEST\RTCDomainUserAdmins                    SPECIAL ACCESS
                                                  LIST CONTENTS
                                                  READ PROPERTY
Inherited to msRTCSIP-ArchivingServer
Allow TEST\RTCDomainServerAdmins                  SPECIAL ACCESS
                                                  WRITE PROPERTY
                                                  READ PROPERTY
                                                  DELETE TREE
Inherited to msRTCSIP-EdgeProxy
Allow TEST\RTCDomainServerAdmins                  SPECIAL ACCESS
                                                  WRITE PROPERTY
                                                  READ PROPERTY
                                                  DELETE TREE
Inherited to msRTCSIP-PoolService
Allow TEST\RTCDomainServerAdmins                  SPECIAL ACCESS
                                                  LIST CONTENTS
                                                  WRITE PROPERTY
                                                  READ PROPERTY
Inherited to container
Allow TEST\RTCDomainServerAdmins                  SPECIAL ACCESS
                                                  CREATE CHILD
                                                  DELETE CHILD
                                                  LIST CONTENTS
                                                  WRITE PROPERTY
                                                  READ PROPERTY
                                                  DELETE TREE
Inherited to msRTCSIP-Pool
Allow TEST\RTCDomainServerAdmins                  SPECIAL ACCESS
                                                  CREATE CHILD
                                                  DELETE CHILD
                                                  LIST CONTENTS
                                                  WRITE PROPERTY
                                                  READ PROPERTY
                                                  DELETE TREE
Inherited to msRTCSIP-Pools
Allow TEST\RTCDomainServerAdmins                  SPECIAL ACCESS
                                                  CREATE CHILD
                                                  DELETE CHILD
                                                  LIST CONTENTS
                                                  WRITE PROPERTY
                                                  READ PROPERTY
                                                  DELETE TREE
Inherited to msRTCSIP-TrustedServer
Allow TEST\RTCDomainServerAdmins                  SPECIAL ACCESS
                                                  WRITE PROPERTY
                                                  READ PROPERTY
                                                  DELETE TREE
Inherited to msRTCSIP-Domain
Allow TEST\RTCDomainServerAdmins                  SPECIAL ACCESS
                                                  WRITE PROPERTY
                                                  READ PROPERTY
                                                  DELETE TREE
Inherited to msRTCSIP-GlobalContainer
Allow TEST\RTCDomainServerAdmins                  SPECIAL ACCESS
                                                  CREATE CHILD
                                                  DELETE CHILD
                                                  LIST CONTENTS
                                                  WRITE PROPERTY
                                                  READ PROPERTY
Inherited to msRTCSIP-Service
Allow TEST\RTCDomainServerAdmins                  SPECIAL ACCESS
                                                  LIST CONTENTS
                                                  READ PROPERTY
Inherited to msRTCSIP-ArchivingServer
Allow TEST\RTCHSDomainServices                    SPECIAL ACCESS
                                                  READ PROPERTY
Inherited to msRTCSIP-EdgeProxy
Allow TEST\RTCHSDomainServices                    SPECIAL ACCESS
                                                  READ PROPERTY
Inherited to msRTCSIP-PoolService
Allow TEST\RTCHSDomainServices                    SPECIAL ACCESS
                                                  READ PROPERTY
Inherited to container
Allow TEST\RTCHSDomainServices                    SPECIAL ACCESS
                                                  LIST CONTENTS
                                                  READ PROPERTY
Inherited to msRTCSIP-Pool
Allow TEST\RTCHSDomainServices                    SPECIAL ACCESS
                                                  LIST CONTENTS
                                                  READ PROPERTY
Inherited to msRTCSIP-Pools
Allow TEST\RTCHSDomainServices                    SPECIAL ACCESS
                                                  LIST CONTENTS
                                                  READ PROPERTY
Inherited to msRTCSIP-TrustedServer
Allow TEST\RTCHSDomainServices                    SPECIAL ACCESS
                                                  READ PROPERTY
Inherited to msRTCSIP-Domain
Allow TEST\RTCHSDomainServices                    SPECIAL ACCESS
                                                  READ PROPERTY
Inherited to msRTCSIP-GlobalContainer
Allow TEST\RTCHSDomainServices                    SPECIAL ACCESS
                                                  LIST CONTENTS
                                                  READ PROPERTY
Inherited to msRTCSIP-Service
Allow TEST\RTCHSDomainServices                    SPECIAL ACCESS
                                                  LIST CONTENTS
                                                  READ PROPERTY

 

After Moving the Global Settings (CN=Services,CN=Configuration,DC=test,DC=domain,DC=com)

Access list:
Effective Permissions on this object are:
Allow NT AUTHORITY\Authenticated Users  SPECIAL ACCESS
                                        READ PERMISSONS
                                        LIST CONTENTS
                                        READ PROPERTY
                                        LIST OBJECT
Allow TEST\Enterprise Admins            SPECIAL ACCESS
                                        READ PERMISSONS
                                        WRITE PERMISSIONS
                                        CHANGE OWNERSHIP
                                        CREATE CHILD
                                        LIST CONTENTS
                                        WRITE SELF
                                        WRITE PROPERTY
                                        READ PROPERTY
                                        LIST OBJECT
                                        CONTROL ACCESS
Allow NT AUTHORITY\SYSTEM               FULL CONTROL
Allow TEST\Enterprise Admins            FULL CONTROL   <Inherited from parent>
Allow TEST\Domain Admins                SPECIAL ACCESS   <Inherited from parent>
                                        DELETE
                                        READ PERMISSONS
                                        WRITE PERMISSIONS
                                        CHANGE OWNERSHIP
                                        CREATE CHILD
                                        LIST CONTENTS
                                        WRITE SELF
                                        WRITE PROPERTY
                                        READ PROPERTY
                                        LIST OBJECT
                                        CONTROL ACCESS

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow NT AUTHORITY\Authenticated Users  SPECIAL ACCESS
                                        READ PERMISSONS
                                        LIST CONTENTS
                                        READ PROPERTY
                                        LIST OBJECT
Allow TEST\Enterprise Admins            FULL CONTROL   <Inherited from parent>
Allow TEST\Domain Admins                SPECIAL ACCESS   <Inherited from parent>
                                        DELETE
                                        READ PERMISSONS
                                        WRITE PERMISSIONS
                                        CHANGE OWNERSHIP
                                        CREATE CHILD
                                        LIST CONTENTS
                                        WRITE SELF
                                        WRITE PROPERTY
                                        READ PROPERTY
                                        LIST OBJECT
                                        CONTROL ACCESS

Inherited to msRTCSIP-GlobalContainer
Allow TEST\RTCDomainUserAdmins          SPECIAL ACCESS
                                        LIST CONTENTS
                                        READ PROPERTY
Inherited to msRTCSIP-PoolService
Allow TEST\RTCDomainUserAdmins          SPECIAL ACCESS
                                        READ PROPERTY
Inherited to msRTCSIP-Pools
Allow TEST\RTCDomainUserAdmins          SPECIAL ACCESS
                                        LIST CONTENTS
                                        READ PROPERTY
Inherited to container
Allow TEST\RTCDomainUserAdmins          SPECIAL ACCESS
                                        LIST CONTENTS
                                        READ PROPERTY
Inherited to msRTCSIP-Pool
Allow TEST\RTCDomainUserAdmins          SPECIAL ACCESS
                                        LIST CONTENTS
                                        READ PROPERTY
Inherited to msRTCSIP-Service
Allow TEST\RTCDomainUserAdmins          SPECIAL ACCESS
                                        LIST CONTENTS
                                        READ PROPERTY
Inherited to msRTCSIP-ArchivingServer
Allow TEST\RTCDomainServerAdmins        SPECIAL ACCESS
                                        WRITE PROPERTY
                                        READ PROPERTY
                                        DELETE TREE
Inherited to msRTCSIP-EdgeProxy
Allow TEST\RTCDomainServerAdmins        SPECIAL ACCESS
                                        WRITE PROPERTY
                                        READ PROPERTY
                                        DELETE TREE
Inherited to msRTCSIP-PoolService
Allow TEST\RTCDomainServerAdmins        SPECIAL ACCESS
                                        LIST CONTENTS
                                        WRITE PROPERTY
                                        READ PROPERTY
Inherited to container
Allow TEST\RTCDomainServerAdmins        SPECIAL ACCESS
                                        CREATE CHILD
                                        DELETE CHILD
                                        LIST CONTENTS
                                        WRITE PROPERTY
                                        READ PROPERTY
                                        DELETE TREE
Inherited to msRTCSIP-Pool
Allow TEST\RTCDomainServerAdmins        SPECIAL ACCESS
                                        CREATE CHILD
                                        DELETE CHILD
                                        LIST CONTENTS
                                        WRITE PROPERTY
                                        READ PROPERTY
                                        DELETE TREE
Inherited to msRTCSIP-Pools
Allow TEST\RTCDomainServerAdmins        SPECIAL ACCESS
                                        CREATE CHILD
                                        DELETE CHILD
                                        LIST CONTENTS
                                        WRITE PROPERTY
                                        READ PROPERTY
                                        DELETE TREE
Inherited to msRTCSIP-TrustedServer
Allow TEST\RTCDomainServerAdmins        SPECIAL ACCESS
                                        WRITE PROPERTY
                                        READ PROPERTY
                                        DELETE TREE
Inherited to msRTCSIP-Domain
Allow TEST\RTCDomainServerAdmins        SPECIAL ACCESS
                                        WRITE PROPERTY
                                        READ PROPERTY
                                        DELETE TREE
Inherited to msRTCSIP-GlobalContainer
Allow TEST\RTCDomainServerAdmins        SPECIAL ACCESS
                                        CREATE CHILD
                                        DELETE CHILD
                                        LIST CONTENTS
                                        WRITE PROPERTY
                                        READ PROPERTY
Inherited to msRTCSIP-Service
Allow TEST\RTCDomainServerAdmins        SPECIAL ACCESS
                                        LIST CONTENTS
                                        READ PROPERTY
Inherited to msRTCSIP-ArchivingServer
Allow TEST\RTCHSDomainServices          SPECIAL ACCESS
                                        READ PROPERTY
Inherited to msRTCSIP-EdgeProxy
Allow TEST\RTCHSDomainServices          SPECIAL ACCESS
                                        READ PROPERTY
Inherited to msRTCSIP-PoolService
Allow TEST\RTCHSDomainServices          SPECIAL ACCESS
                                        READ PROPERTY
Inherited to container
Allow TEST\RTCHSDomainServices          SPECIAL ACCESS
                                        LIST CONTENTS
                                        READ PROPERTY
Inherited to msRTCSIP-Pool
Allow TEST\RTCHSDomainServices          SPECIAL ACCESS
                                        LIST CONTENTS
                                        READ PROPERTY
Inherited to msRTCSIP-Pools
Allow TEST\RTCHSDomainServices          SPECIAL ACCESS
                                        LIST CONTENTS
                                        READ PROPERTY
Inherited to msRTCSIP-TrustedServer
Allow TEST\RTCHSDomainServices          SPECIAL ACCESS
                                        READ PROPERTY
Inherited to msRTCSIP-Domain
Allow TEST\RTCHSDomainServices          SPECIAL ACCESS
                                        READ PROPERTY
Inherited to msRTCSIP-GlobalContainer
Allow TEST\RTCHSDomainServices          SPECIAL ACCESS
                                        LIST CONTENTS
                                        READ PROPERTY
Inherited to msRTCSIP-Service
Allow TEST\RTCHSDomainServices          SPECIAL ACCESS
                                        LIST CONTENTS
                                        READ PROPERTY
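
Added example, not part of the original post: a small parser for permission reports in the layout shown above. It lists which of the three RTC groups have no ACE at all after the move and which specific grants were lost, so Option #1 can be applied narrowly instead of over-granting. The two sample reports are constructed in the page's format (the second models a container where the rights were not applied); the function names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Groups the post says need rights on the RTC Service container.
REQUIRED_GROUPS = ("RTCDomainUserAdmins", "RTCDomainServerAdmins", "RTCHSDomainServices")

ACE_RE = re.compile(
    r"^(?P<kind>Allow|Deny) (?P<trustee>.+?)\s+(?P<access>FULL CONTROL|SPECIAL ACCESS)"
    r"(?: for (?P<objtype>.+?))?(?P<inh>\s+<Inherited from parent>)?\s*$")

@dataclass
class Ace:
    scope: str          # "this object" or the class named after "Inherited to"
    kind: str           # Allow / Deny
    trustee: str
    access: str
    object_type: str    # property set or attribute after "for", else None
    inherited: bool
    rights: list = field(default_factory=list)

def parse_report(text):
    """Turn a permissions report in the layout shown on this page into Ace records."""
    aces, scope, current = [], None, None
    for raw in text.splitlines():
        if raw.startswith("Effective Permissions on this object"):
            scope, current = "this object", None
        elif raw.startswith("Inherited to "):
            scope, current = raw[len("Inherited to "):].strip(), None
        elif (m := ACE_RE.match(raw)):
            current = Ace(scope, m["kind"], m["trustee"], m["access"],
                          m["objtype"], bool(m["inh"]))
            aces.append(current)
        elif raw[:1].isspace() and raw.strip() and current is not None:
            current.rights.append(raw.strip())   # continuation line: one right
    return aces

def account(trustee):
    return trustee.rsplit("\\", 1)[-1].lower()   # drop the DOMAIN\ prefix

def missing_groups(aces, required=REQUIRED_GROUPS):
    """Required groups that hold no Allow ACE anywhere in the report."""
    present = {account(a.trustee) for a in aces if a.kind == "Allow"}
    return [g for g in required if g.lower() not in present]

def _key(a):
    return (a.scope, account(a.trustee), a.object_type, tuple(sorted(a.rights)))

def lost_grants(before, after, required=REQUIRED_GROUPS):
    """ACEs the required groups held before the move with no exact match after it."""
    have = {_key(a) for a in after}
    wanted = {g.lower() for g in required}
    return [a for a in before if account(a.trustee) in wanted and _key(a) not in have]

# Constructed samples in the page's report layout (not the author's attachment).
BEFORE = r"""Access list:
Effective Permissions on this object are:
Allow NT AUTHORITY\SYSTEM                         FULL CONTROL
Allow TEST\Enterprise Admins                      FULL CONTROL   <Inherited from parent>
Permissions inherited to subobjects are:
Inherited to msRTCSIP-GlobalContainer
Allow TEST\RTCDomainUserAdmins                    SPECIAL ACCESS
                                                  LIST CONTENTS
                                                  READ PROPERTY
Inherited to msRTCSIP-TrustedServer
Allow TEST\RTCDomainServerAdmins                  SPECIAL ACCESS
                                                  WRITE PROPERTY
                                                  READ PROPERTY
                                                  DELETE TREE
Inherited to msRTCSIP-Service
Allow TEST\RTCHSDomainServices                    SPECIAL ACCESS
                                                  LIST CONTENTS
                                                  READ PROPERTY
"""

AFTER = r"""Access list:
Effective Permissions on this object are:
Allow NT AUTHORITY\SYSTEM               FULL CONTROL
Permissions inherited to subobjects are:
Inherited to msRTCSIP-Service
Allow TEST\RTCHSDomainServices          SPECIAL ACCESS
                                        READ PROPERTY
"""

if __name__ == "__main__":
    before, after = parse_report(BEFORE), parse_report(AFTER)
    print("groups with no ACE after the move:", missing_groups(after))
    for a in lost_grants(before, after):
        print(f"re-grant {a.trustee} on {a.scope}: {', '.join(a.rights)}")
```

A group that is present but with fewer rights (RTCHSDomainServices in the constructed AFTER sample) is not reported by `missing_groups` but does show up in `lost_grants`.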

Attachment: permissions.txt
Comments
  • Hi Doug, I have a mixed LCS 2005 SP1 and OCS R1 environment, and I am currently performing the system container to configuration container migration.  When I ran forest prep and domain prep I ran the LCS 2005 version of the commands, and encountered the same problem as yourself (No rights applied to the hierarchy).  I corrected the issue by following your advice to grant the RTCDomainUserAdmins, RTCDomainServerAdmins, and RTCHSDomainServices groups permissions to the RTC Service configuration container hierarchy.  I also added the everyone group (Read and List rights) as well.  LCS and OCS are now working fine.  

    In reading your post am I correct to infer that in production you fixed the problem by adding the RTC groups, but performed option 2 in the testlab?

     - If this is the case did you have any issues running the OCS R2 forest prep or domain prep?  

    - Do the OCS R2 forest prep and domain prep reconfigure access to the RTC Service container and apply the RTCUniversalGlobalReadOnlyGroup, RTCUniversalGlobalWriteGroup, RTCUniversalServerAdmins if the manually added groups are in place?

    I cannot find any documentation on what the domainprep actually does.  Do you have any links you could refer me to?

    We still have not deleted the system container (with the MigrateOCS script), and at this point we are contemplating if we should leave the manual rights in place and proceed with the OCS R2 prep, or run the OCS R1 forest prep and domain prep before proceeding.

    Thanks in advance,

    Cliff

  • Thanks Doug...This article helped me fix the error !!

  • Hi Guys,

    I am running LCS 2005 Service Pack 1. A few weeks ago this computer was deleted from AD (OU). I logged in as local administrator on that PC and rejoined the domain, but I cannot restart the LCS services. It showed the error below.

    "Windows could not start the Live Communication server on local computer. For more information, review the system event log. If this is a non-Microsoft service, contact service vendor and refer to specific error code -1008054264"

    Please do let me know any solution.

    Thanks

    ifti

  • Nice work.  This was a big help.  

    We ran into this at a client today.  Running LcsCmd /Domain /Action:DomainPrep solved the issue.  I used the 2007 version of the command because someone had already run it using the 2007 version before, so the 2005 version would not work.  I also ran "LcsCmd /Forest /Action:ForestPrep /global:configuration", but that was probably not necessary.

    Thanks again,

    Wade

  • From what I've read, using the 2007 R2 version of the LcsCmd might be bad if you're trying to coexist with 2005.  I used the non-R2 version of the 2007 LcsCmd.exe.
