Monthly Archives: April 2013

Remove Lync from Active Directory

8 Replies

Stories from the Lync Test Bench: Cleaning up Active Directory

As with any new, non-trivial, upgrade, we spend a lot of time performing test installs on our test bench. (Yes, sometimes the test bench is production… but we do try to avoid testing in production… usually). There are times were we need to clean Lync from the Active Directory. Normally, we would restore the domain controller from ice, but there are occasions where restoring / rebuilding the test domain is not practical.

This document covers the steps for “cleaning” your Active Directory of Lync “stuff” in order to allow for a brand new install.

Step#1: Remove permissions
This step removes the original Lync permissions from the active director.

  1. Open Active Directory Users and Computers
  2. Right click on your top level domain being cleaned and select Properties
  3. From the Properties windows, select the Security tab.
  4. Remove all security users titled RTC*
    These are usually
    – RTCUniversalServerReadOnlyGroup
    – RTCUniversalUserReadOnlyGroup
    – RTCUniversalUniversalServices
    – RTCUniversalUserAdmins
    clip_image001[4]
  5. Repeat the same steps for each of the following AD Folders and OUs
    NOTE: Not all RTC permissions will exist in each AD Folder or OU, but these three OUs do:
    – Domain Controllers
    – System
    – Users

Step#2: Remove the RTC Services branch

  1. Open ADSI Edit
    New to ADSI? See this link: http://technet.microsoft.com/en-us/library/cc773354
  2. Open the Naming Context Configuration for the domain being cleaned
    clip_image002
  3. Drill down to the following path:
    CN=Configuration[ your domain] CN=Services
  4. Delete the CN=RTC Service entry
    clip_image003

 

Step#3: Additional AD cleanup

  1. Open Active Directory Users and Computers
  2. Drill down as follows
    [Your Domain] Program Data Distributed KeyMan
  3. Delete LyncCertificates
    NOTE: This may not exist in all scenarios.
  4. Drill down as follows
    [Your Domain] Users
  5. Delete all RTC* and CS* users created by Lync
    I.E. CSAdministrator, CSHelpDesk, RTCComponentUniversalServices, Etc.

 

Step#4: Cleanup existing users
This steps resets Lync attributes for any domain users and contacts.

Manual Method

  1. Open Active Directory Users and Computers
  2. Click View from the menu and activate Advanced Features
  3. Right click on your domain and select Find
  4. Set the Find: option to Custom Search
  5. Select the Advance Tab
  6. Enter the following LDAP Query: (msRTCSIP-PrimaryHomeServer=*)
    clip_image004
  7. Click Find Now
  8. Note each returned user or object
  9. Close Find
  10. Right click on each user or object found in the search
  11. Select Properties
  12. Select the Attribute Editor tab
  13. Find and reset all msRTCSIP* attributes for the user/object
    clip_image005

Automatic Method
For those who love PowerShell:
Important: Remember to launch PowerShell as an Administrator

Import-Module ActiveDirectory ; Get-ADObject -LDAPFilter “(msRTCSIP-PrimaryHomeServer=*)” | ForEach-Object {Set-ADObject -Identity $_.DistinguishedName -Clear “msRTCSIP-DeploymentLocator”, “msRTCSIP-FederationEnabled”, “msRTCSIP-InternetAccessEnabled”, “msRTCSIP-OptionFlags”, “msRTCSIP-PrimaryUserAddress”, “msRTCSIP-UserEnabled”, “msRTCSIP-UserPolicies”, “msRTCSIP-UserRoutingGroupId”, “msRTCSIP-PrimaryHomeServer”; “Cleaned $($_)”}

Final “user cleanup” considerations:

· The scripts and methods are current as of Lync 2013 (March 2013). Review your particular implementation to determine if more or less attributes needs to be cleaned.

· If you have integrated with Exchange Unified Messaging (UM), you will have two contacts specifically setup for the Unified Messaging. Consider deleting these contacts as they will most likely be recreated during the next Lync server installation and setup.

 

Step#5: Prepare Current Forest Impacts

Manually cleaning Lync from your Active Directory will result in some issues when preparing the Active Directory during Lync install. If you receive the following error on Step 3: Prepare Current Forest under the Prepare Active Directory for Lync Server wizard:

Command execution failed: Active Directory operation failed on “[your Lync Server]”. You cannot retry this operation: “Directory object not found [domain specific text]”

-OR-

Result: Create permissions for Configuration delete objects container
TaskFailed: Task execution failed

Use the following steps to manually prepare the forest:

  1. Launch Lync Server Management Shell from the start menu
    Important: Remember to run as an administrator
  2. Enter the following PowerShell command
    Enable-CSAdForest -GlobalCatalog [fully qualified domain server name] -Force
    Example:
    Enable-CSAdForest -GlobalCatalog DC.YourDomain.COM –Force
  3. Refresh the wizard. The green checkbox should now be displayed on Step 3.
  4. Continue the wizard as normal.

Installing Lync: HostLocalActivateTask execution failed on an unrecoverable error

4 Replies

In our test labs (and occasionally, at a customer’s site), we will encounter an error running the Install or Update Lync Server System wizard at Step2 : Setup or Remove Lync Server Components.  The error looks something like:

This step will configure services, apply permissions, create firewall rules, etc.Executing PowerShell command: Enable-CSComputer -Confirm:$false -Verbose -Report “C:UsersadministratorAppDataLocalTempEnable-CSComputer-[2013_04_07][11_40_53].html”
HostLocalActivateTask execution failed on an unrecoverable error.

Root Cause

We have seen two primary root causes for this error:

  1. A failed installation of Lync that is being recovered
  2. Installing a fresh copy of Lync on a server which previously had Lync installed

Either way, the error is a PIA as the server has services installed which are causing the wizard all sorts of grief.

Validation of the error

  1. Open Lync Server Management Shell
    Important: Remember to run as administrator
  2. Execute the command Enable-CSComputer
  3. When the command fails, note the location of the detailed results.  This will read something like:
    WARNING: Detailed results can be found at “C:UsersadministratorAppDataLocalTempEnable-CSComputer-d7c83064-2a82-4db9.html
  4. Locate and open the html file.  Review the error It will read something along the lines of
    Error: The service name “RTCnnnn” is already in use

Solution

The solution is to delete the services which already exist on the server.

  1. Open a command prompt (CMD)
    Important: Remember to run as administrator
  2. Enter the following command
    sc delete RTCnnnn
    Where RTCnnnn is the name of the service from the log file
  3. Rerun the steps listed in Validation of the error above
  4. Repeat as necessary as there may be more than one service causing problems on your install
  5. Restarting the server is strongly recommended

 

Lync 2013 Specific Solution

For Lync 2013, we have identified 6 services which consistently cause the HostLocalActivateTask error.  For Lync 2013, we recommend you perform the following solution:

    1. Open a command prompt (CMD)
      Important: Remember to run as administrator
    2. Enter the following commands (execute each separately)
      sc delete RTCCAS
      sc delete RTCCAA
      sc delete RTCCPS
      sc delete RTCRGS
      sc delete RTCPDPAUTH
      sc delete RTCPDPCORE
      sc delete RTCATS
    3. Restarting the server is strongly recommended

“Existing universal groups were found” error during Prepare Current Forest during Lync 2013 install

Leave a reply

We have seen several installs of Lync 2013 receive the following error during Step#3: Prepare Current Forest of the “Prepare Active Directory for Lync Server” wizard:

Prepare Forest Active Directory settings execution failed on an unrecoverable error.  ForestPrepareTask execution failed on an unrecoverable error.

Reviewing the log shows the following error details:

Error: Existing universal groups were found in “[your AD OU group]”.  Specify where to create new Lync Server universal groups explicitly at the command line with the GroupDomain parameter

Root Cause

This occurs during migration of Lync from an earlier version to Lync 2013.  The Lync wizard requires any existing RTC* and CS* Security Groups be within the Users OU in Active Directory.  Many larger organizations tend to organize such groups into custom OUs.  This breaks the Lync 2013 Prepare Active Directory for Lync Server wizard.

 

Solution

  1. Move all existing RTC* and CS* security groups to the users OU
    (See image below)
  2. Complete the Lync 2013 installation
  3. Move the RTC* and CS* security groups back to their original location

 

image