A problem that all Office Communicator 2007 users may face from time to time is the Office Communicator 2007 notification “cannot synchronize address book”. This notification usually stems from logical or physical network connectivity design issues that exist between the Office Communicator 2007 client and the Office Communications Server 2007 Web Components server. However, this Office Communicator 2007 notification could be a symptom that indicates an Office Communications Server 2007 services failure that is caused by the Server 2003 default Active Directory service account administration.

Office Communications Server 2007 RTCComponentService account

Office Communications Server 2007 requires the use of proprietary service accounts that are created during the installation phase of the product. This blog will describe the proprietary service account that is used to support the authentication process for the new features that Office Communication Server 2007 brings into our workplace. This service account is the RTCComponentService account. The RTCComponentService account can be created during the Office Communications Server 2007 activation process for the Web Component services. By default it is a member of the RTCComponentUniversalServices group which is created during the Office Communications Server 2007 ForestPrep operations. The RTCComponentService account is the default service account for the Office Communications Server 2007 Web Conferencing service, Audio \ Video service, and the Identity account for the LsGroupExpAppPool IIS application pool that hosts the Office Communications Server 2007 Web Components virtual applications. When this service account cannot complete the authentication process for the services it supports the Office Communications Server 2007 installation will not be able to provide Web Conferencing services, Audio \ Video services and Web Component services to Unified Communication clients on its network.

Server 2003 Default Domain account policies and the RTCComponentService account

When the RTCComponentService service account is created during the Office Communications Server 2007 activation process, it is added to the "log on as a service" policy for the User Rights Assignment of the Local Policies under the Security Settings for the Local Machine Policy on the Office Communications Server 2007 server. As a service account it will need to have a password assigned to it which is created by the Office Communications Server 2007 administrator during the Office Communications Server 2007 activation process. Since the RTComponentService is a domain account, its assigned password is kept in compliance by the Default Domain group policies for password administration. These default password policies apply their limitations on all domain accounts’ password specifications, one such limitation is the "Maximum password age" password policy which has a default lifetime of 42 days. This policy sets the time limitation for the expiration of a domain account password. The most common way to thwart the expiration of a domain account password is for a domain administrator to set the option of "Password never expires" on the domain user account object in Server 2003 Active Directory Users and Computers. However, when the RTCComponentService account is created during the activation process, the “password never expires” domain user / service account option is not enabled and the RTCComponentService account is subject to the expiration of its password as per the Default Domain group policies for password administration.



If the RTCComponentService password expiration should occur then the Web Conferencing and the Audio/Video services will not be able to start on the Office Communications Server 2007 servers that are hosting them. Also the LsGroupExpAppPool which is hosted locally in IIS 6.0 on the Web Components Server will become disabled resulting in the failure to provide Office Communicator 2007 users with their Address Book information and Group Expansion services. The most noticeable symptom in this scenario is that the Office Communicator 2007 clients will display the notification "Cannot Synchronize Address Book". The Web Conferencing and Audio \ Video services on the Office Communications Server 2007 server will log similar events in the system event log:

Event Type:      Error
Event Source:   Service Control Manager
Event Category:            None
Event ID:          7038
Date:                4/26/2008
Time:                10:40:21 AM
User:                N/A
Computer:         WEBDATA8
Description:
The RTCDATAMCU service was unable to log on as PLATNETWORK\RTCComponentService with the currently configured password due to the following error:
Logon failure: the specified account password has expired.
To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


The LsGroupExpAppPool application pool that is located in the application pools container on the Office Communications Server 2007 Web Components server IIS 6.0 MMC will add the following W3SVC events to the local System log in Event viewer.
Event Type:      Warning
Event Source:   W3SVC
Event Category:            None
Event ID:          1057
Date:                4/23/2008
Time:                7:48:27 AM
User:                N/A
Computer:         WEBDATA8
Description:
The identity of application pool 'LSGroupExpAppPool' is invalid, so the World Wide Web Publishing Service cannot create a worker process to serve the application pool.  Therefore, the application pool has been disabled. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:   W3SVC
Event Category:            None
Event ID:          1059
Date:                4/23/2008
Time:                7:48:27 AM
User:                N/A
Computer:         WEBDATA8
Description:
A failure was encountered while launching the process serving application pool 'LSGroupExpAppPool'. The application pool has been disabled. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The Identity authentication issue with the LsGroupExpAppPool application pool does not become apparent until a request is made to one of the Office Communications Server 2007 Web Component services on the Office Communications Server 2007 server. Then events like the ones listed above will be logged in the local System Event log. The LsGroupExpAppPool application may not show up as visibly disabled until you select it in the IIS 6.0 application pools container and perform a refresh on it. Then it will display a red X on its icons lower left corner as listed below.

To get the RTCComponentService account to provide authentication for its services again is a simple task, but the procedure does require the permissions of a local domain administrator for the Active Directory domain that is hosting the RTCComponentService account.

  1. Open the Active Directory Users and Computers dialog on a Server 2003 server in the same domain that is hosting the Office Communications Server 2007 servers
  2. Browse to the Users container and highlight it
  3. In the details pane on the right side of the window locate the RTCComponentService account and access its properties dialog. Then browse to the Account tab.
  4. Place a check in the "Password never expires" option to enable it. Then click on the OK button and close the Active Directory Users and Computers dialog.

  5. Go to the Office Communications Server 2007 server that is hosting the Audio \ Video services or the Web Conferencing services. Open the Office Communications Server 2007 Administration MMC and locate the respective servers. Right click on each and choose Start from the pop-up menu. The Audio \ Video and Web Conferencing servers should start now.
  6. Open up the IIS 6.0 manager on the Office Communications Server 2007 that is hosting the Web Components server. Expand the application pools node and then select and right click on the LsGroupExpAppPool application pool node and choose the refresh option. Next right click on the LsGroupExpAppPool application pool and choose start.
  7. You should be back in business now with the availability of Office Communicator Address Book synchronization and the Office Communications Server 2007 Audio \ Video and Web Conferencing will be available for your network's Unified Communication clients.


RTCComponentSevice password mismatch

Should the RTCComponentService service account password be reset by a domain administrator in the Users container of the Server 2003 Active Directory Users and Computers dialog then the services that run under it on the Office Communications Server 2007 server will continue to run until either the Office Communications Server 2007 server is restarted, the Audio \ Video or Web Conferencing services are restarted singly, or the IIS 6.0 services that host the Office Communications Server 2007 Web Components services are restarted.

A good practice is to make sure that the password for the RTCComponentService account is updated on all the services that are dependent for it as a login account, whenever you have to reset its password in the Users container of Active Directory Users and Computers.

  1. To do this, open the services.msc on the Office Communications Server 2007 server and locate the following services:
    • Office Communications Server Audio \ Video Conferencing
    • Office Communications Server Web Conferencing
  2. Access the properties dialog of each and choose the Login tab. Here you can enter the updated password for the RTCComponentService account and apply the changes. Then just re-start the services.

  1. Open up the IIS 6.0 manager on the Office Communications Server 2007 that is hosting the Web Components server.
  2. Expand the application pools node and then select and right click on the LsGroupExpAppPool application pool node and open the properties dialog. Next select the Identity tab and re-enter the updated password for the RTCComponentService account.
  3. Click on OK and enter the password confirmation then click on OK to close the properties dialog. Next right click on the LSGroupExpAppPool application pool object and choose the Start option.


User defined RTCComponentService account

You can use any pre-defined service account or service account schema as a substitute for the RTCComponentService account. For instance if your organization has a naming convention for its service accounts and you cannot use a service account named RTCComponentService, but requires a service account like "Service2301'. As you are going through the beginning of the Office Communications Server 2007 Activation or Web Components Activation wizard then you will have the choice to create an account or use an existing account, Either way that you choose to implement the service account it will be added to the RTCComponentUniversalServices group where it will inherit the proper Access Control Entries and be added to the "log on as a service" policy under the User Rights Assignment of the Local policies under Security Settings of the Local Machine Policy on the Office Communications Server 2007.

Mike Adkins
Support Escalation Engineer

Published Monday, May 12, 2008 10:33 AM by octeam
Filed Under: Setup & Administration