A problem that all Office Communicator 2007 users may face from time to time is the Office Communicator 2007 notification “cannot synchronize address book”. This notification usually stems from logical or physical network connectivity design issues that exist between the Office Communicator 2007 client and the Office Communications Server 2007 Web Components server. However, this Office Communicator 2007 notification could be a symptom that indicates an Office Communications Server 2007 services failure that is caused by the Server 2003 default Active Directory service account administration.
Office Communications Server 2007 requires the use of proprietary service accounts that are created during the installation phase of the product. This blog will describe the proprietary service account that is used to support the authentication process for the new features that Office Communications Server 2007 brings into our workplace. This service account is the RTCComponentService account. The RTCComponentService account can be created during the Office Communications Server 2007 activation process for the Web Component services. By default it is a member of the RTCComponentUniversalServices group, which is created during the Office Communications Server 2007 ForestPrep operations. The RTCComponentService account is the default service account for the Office Communications Server 2007 Web Conferencing service and Audio/Video service, and it is the Identity account for the LsGroupExpAppPool IIS application pool that hosts the Office Communications Server 2007 Web Components virtual applications. When this service account cannot complete the authentication process for the services it supports, the Office Communications Server 2007 installation will not be able to provide Web Conferencing services, Audio/Video services and Web Component services to Unified Communication clients on its network.
When the RTCComponentService service account is created during the Office Communications Server 2007 activation process, it is added to the "log on as a service" policy for the User Rights Assignment of the Local Policies under the Security Settings for the Local Machine Policy on the Office Communications Server 2007 server. As a service account it needs a password, which the Office Communications Server 2007 administrator creates during the Office Communications Server 2007 activation process. Since the RTCComponentService account is a domain account, its assigned password is kept in compliance by the Default Domain group policies for password administration. These default password policies apply their limitations to all domain accounts' password specifications. One such limitation is the "Maximum password age" password policy, which has a default lifetime of 42 days. This policy sets the time limit for the expiration of a domain account password. The most common way to thwart the expiration of a domain account password is for a domain administrator to set the option of "Password never expires" on the domain user account object in Server 2003 Active Directory Users and Computers. However, when the RTCComponentService account is created during the activation process, the "Password never expires" domain user / service account option is not enabled, and the RTCComponentService account is subject to the expiration of its password as per the Default Domain group policies for password administration.
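The expiry rule described above can be checked ahead of time from the directory attributes involved. The following is an added example, not code from the original post or from Microsoft: it takes account records that are assumed to have been exported already (the attribute names userAccountControl, pwdLastSet and maxPwdAge are the real Active Directory attributes; the sample values and the second account name are constructed) and reports service accounts whose password has expired or is about to.

```python
from datetime import datetime, timedelta, timezone

ADS_UF_DONT_EXPIRE_PASSWD = 0x10000        # the "Password never expires" bit
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 86_400 * 10_000_000        # 100-nanosecond intervals per day


def to_filetime(dt):
    """Convert an aware datetime to the tick count stored in pwdLastSet."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000


def password_expiry(account, max_pwd_age):
    """Return the expiry datetime, or None when the password never expires."""
    if account["userAccountControl"] & ADS_UF_DONT_EXPIRE_PASSWD or max_pwd_age == 0:
        return None
    # maxPwdAge is stored on the domain object as a negative interval.
    ticks = account["pwdLastSet"] + abs(max_pwd_age)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def audit(accounts, max_pwd_age, now, warn_days=14):
    """List (name, state, expiry date) for accounts expired or expiring soon."""
    findings = []
    for account in accounts:
        expiry = password_expiry(account, max_pwd_age)
        if expiry is None:
            continue
        if (expiry - now).days < warn_days:
            state = "EXPIRED" if expiry <= now else "EXPIRING"
            findings.append((account["sAMAccountName"], state, expiry.date().isoformat()))
    return findings


# Constructed sample data: the default 42-day policy and two service accounts.
MAX_PWD_AGE = -42 * TICKS_PER_DAY
PWD_SET = to_filetime(datetime(2008, 3, 15, 10, 0, tzinfo=timezone.utc))
ACCOUNTS = [
    {"sAMAccountName": "RTCComponentService", "userAccountControl": 0x200,
     "pwdLastSet": PWD_SET},
    {"sAMAccountName": "Service2301", "userAccountControl": 0x10200,
     "pwdLastSet": PWD_SET},               # never-expires bit set, so skipped
]
NOW = datetime(2008, 4, 20, 10, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, state, date in audit(ACCOUNTS, MAX_PWD_AGE, NOW):
        print(f"{name}: {state} (password expires {date})")
```

A pwdLastSet value of 0 ("user must change password at next logon") resolves to a date in 1601 and is therefore reported as EXPIRED.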
If the RTCComponentService password expires, the Web Conferencing and Audio/Video services will not be able to start on the Office Communications Server 2007 servers that host them. The LsGroupExpAppPool, which is hosted locally in IIS 6.0 on the Web Components server, will also become disabled, resulting in the failure to provide Office Communicator 2007 users with their Address Book information and Group Expansion services. The most noticeable symptom in this scenario is that the Office Communicator 2007 clients will display the notification "Cannot Synchronize Address Book". The Web Conferencing and Audio/Video services on the Office Communications Server 2007 server will log events similar to the following in the System event log:

    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7038
    Date: 4/26/2008
    Time: 10:40:21 AM
    User: N/A
    Computer: WEBDATA8
    Description:
    The RTCDATAMCU service was unable to log on as PLATNETWORK\RTCComponentService with the currently configured password due to the following error:
    Logon failure: the specified account password has expired.
    To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The LsGroupExpAppPool application pool, which is located in the application pools container of the IIS 6.0 MMC on the Office Communications Server 2007 Web Components server, will add the following W3SVC events to the local System log in Event Viewer:

    Event Type: Warning
    Event Source: W3SVC
    Event Category: None
    Event ID: 1057
    Date: 4/23/2008
    Time: 7:48:27 AM
    User: N/A
    Computer: WEBDATA8
    Description:
    The identity of application pool 'LSGroupExpAppPool' is invalid, so the World Wide Web Publishing Service cannot create a worker process to serve the application pool. Therefore, the application pool has been disabled.
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Event Type: Error
    Event Source: W3SVC
    Event Category: None
    Event ID: 1059
    Date: 4/23/2008
    Time: 7:48:27 AM
    User: N/A
    Computer: WEBDATA8
    Description:
    A failure was encountered while launching the process serving application pool 'LSGroupExpAppPool'. The application pool has been disabled.
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The Identity authentication issue with the LsGroupExpAppPool application pool does not become apparent until a request is made to one of the Office Communications Server 2007 Web Component services on the Office Communications Server 2007 server. Then events like the ones listed above will be logged in the local System event log. The LsGroupExpAppPool application pool may not show up as visibly disabled until you select it in the IIS 6.0 application pools container and perform a refresh on it. Then it will display a red X on the lower left corner of its icon.
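The events quoted above can be triaged together to confirm that one expired service account is behind both the service start failures and the disabled application pool. The following is an added example, not part of the original post: it assumes the System log has been exported as text in the Event Viewer layout quoted above, and the embedded sample is abridged from those events.

```python
import re
from collections import defaultdict

# Sample export, abridged from the events quoted in this post.
SAMPLE_EXPORT = """\
Event Type: Error
Event Source: Service Control Manager
Event ID: 7038
Computer: WEBDATA8
Description:
The RTCDATAMCU service was unable to log on as PLATNETWORK\\RTCComponentService with the currently configured password due to the following error:
Logon failure: the specified account password has expired.

Event Type: Warning
Event Source: W3SVC
Event ID: 1057
Computer: WEBDATA8
Description:
The identity of application pool 'LSGroupExpAppPool' is invalid, so the World Wide Web Publishing Service cannot create a worker process to serve the application pool. Therefore, the application pool has been disabled.
"""

LOGON_FAIL = re.compile(r"The (\S+) service was unable to log on as (\S+) with the currently configured password")
POOL = re.compile(r"application pool '([^']+)'")


def parse_events(text):
    """Split an export into records: header fields plus a flattened Description."""
    events = []
    for block in re.split(r"\n(?=Event Type:)", text.strip()):
        head, _, desc = block.partition("Description:")
        fields = dict(line.split(": ", 1) for line in head.splitlines() if ": " in line)
        fields["Description"] = " ".join(desc.split())
        events.append(fields)
    return events


def triage(events):
    """Group expired-password logon failures by account; collect disabled pools."""
    report = {"expired_logons": defaultdict(set), "disabled_pools": set()}
    for ev in events:
        src, eid, desc = ev.get("Event Source"), ev.get("Event ID"), ev["Description"]
        if src == "Service Control Manager" and eid == "7038":
            m = LOGON_FAIL.search(desc)
            if m and "password has expired" in desc:
                report["expired_logons"][m.group(2)].add(m.group(1))
        elif src == "W3SVC" and eid in ("1057", "1059"):
            m = POOL.search(desc)
            if m:
                report["disabled_pools"].add(m.group(1))
    return report
```

An account that appears under expired_logons on the same server where disabled_pools is non-empty points to the password expiry described here rather than to a network connectivity problem.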
Getting the RTCComponentService account to provide authentication for its services again is a simple task, but the procedure does require the permissions of a local domain administrator for the Active Directory domain that is hosting the RTCComponentService account.
Should the RTCComponentService service account password be reset by a domain administrator in the Users container of the Server 2003 Active Directory Users and Computers dialog, then the services that run under it on the Office Communications Server 2007 server will continue to run until either the Office Communications Server 2007 server is restarted, the Audio/Video or Web Conferencing services are restarted singly, or the IIS 6.0 services that host the Office Communications Server 2007 Web Components services are restarted. A good practice is to make sure that the password for the RTCComponentService account is updated on all the services that depend on it as a login account whenever you have to reset its password in the Users container of Active Directory Users and Computers.
You can use any pre-defined service account or service account schema as a substitute for the RTCComponentService account. For instance, your organization may have a naming convention for its service accounts under which you cannot use a service account named RTCComponentService and instead require a service account like "Service2301". As you go through the beginning of the Office Communications Server 2007 Activation or Web Components Activation wizard, you will have the choice to create an account or use an existing account. Whichever way you choose to implement the service account, it will be added to the RTCComponentUniversalServices group, where it will inherit the proper Access Control Entries, and it will be added to the "log on as a service" policy under the User Rights Assignment of the Local Policies under Security Settings of the Local Machine Policy on the Office Communications Server 2007 server.

Mike Adkins
Support Escalation Engineer

Published Monday, May 12, 2008 10:33 AM by octeam
Filed Under: Setup & Administration