Stories from the Lync Test Bench: Cleaning up Active Directory
As with any new, non-trivial upgrade, we spend a lot of time performing test installs on our test bench. (Yes, sometimes the test bench is production… but we do try to avoid testing in production… usually). There are times where we need to clean Lync from the Active Directory. Normally, we would restore the domain controller from ice, but there are occasions where restoring / rebuilding the test domain is not practical.
This document covers the steps for “cleaning” your Active Directory of Lync “stuff” in order to allow for a brand new install.
Step#1: Remove permissions
This step removes the original Lync permissions from the Active Directory.
- Open Active Directory Users and Computers
- Right click on your top level domain being cleaned and select Properties
- From the Properties windows, select the Security tab.
- Remove all security users titled RTC*. These are usually:
– RTCUniversalServerReadOnlyGroup
– RTCUniversalUserReadOnlyGroup
– RTCUniversalUniversalServices
– RTCUniversalUserAdmins
- Repeat the same steps for each of the following AD Folders and OUs.
NOTE: Not all RTC permissions will exist in each AD Folder or OU, but these three OUs do:
– Domain Controllers
– System
– Users
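The same ACE review can be scripted. The following is an added example, not part of the original post: it lists every non-inherited ACE granted to an RTC* group on the domain root and the three containers named above, and strips them only when run with -Remove. It assumes the ActiveDirectory module and the AD: PSDrive it provides; the -Remove switch is this script's own parameter.

```powershell
# Added example (not from the original post): report, and optionally remove, ACEs held by RTC* groups
# on the domain root and the three containers named in Step 1. Default is report-only.
param(
    [switch]$Remove   # hypothetical switch: only strip the ACEs when explicitly asked to
)
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
# Domain root plus the three containers the post names. System and Users are containers (CN),
# Domain Controllers is an OU.
$targets = @(
    $domainDn,
    "OU=Domain Controllers,$domainDn",
    "CN=System,$domainDn",
    "CN=Users,$domainDn"
)

foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    # Match on the resolved group name (DOMAIN\RTCUniversal...). Inherited ACEs are skipped:
    # they cannot be removed here and are handled when their parent is cleaned.
    $rtcAces = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -like '*\RTC*' -and -not $_.IsInherited
    })
    foreach ($ace in $rtcAces) {
        "$dn : $($ace.IdentityReference) $($ace.AccessControlType) $($ace.ActiveDirectoryRights)"
        if ($Remove) { [void]$acl.RemoveAccessRule($ace) }
    }
    if ($Remove -and $rtcAces.Count -gt 0) {
        Set-Acl -Path "AD:\$dn" -AclObject $acl
        "Removed $($rtcAces.Count) RTC* ACE(s) from $dn"
    }
}
```

Run it once without -Remove and compare the output with the Security tab; ACEs that show up as unresolved SIDs (group already deleted) will not match the name filter and still need the manual step.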
Step#2: Remove the RTC Services branch
- Open ADSI Edit
New to ADSI? See this link: http://technet.microsoft.com/en-us/library/cc773354
- Open the Naming Context Configuration for the domain being cleaned
- Drill down to the following path:
CN=Configuration,[your domain] > CN=Services
- Delete the CN=RTC Service entry
Step#3: Additional AD cleanup
- Open Active Directory Users and Computers
- Drill down as follows:
[Your Domain] > Program Data > Distributed KeyMan
- Delete LyncCertificates
NOTE: This may not exist in all scenarios.
- Drill down as follows:
[Your Domain] > Users
- Delete all RTC* and CS* users created by Lync, i.e. CSAdministrator, CSHelpDesk, RTCComponentUniversalServices, etc.
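Before moving on to the users, it is worth confirming that the objects from Steps 2 and 3 are actually gone. The script below is an added example, not part of the original post: it searches the Configuration partition for the RTC Service container, the domain's Program Data subtree for LyncCertificates, and the Users container for RTC* / CS* groups, and reports whatever is left. It assumes the ActiveDirectory module and the default container names.

```powershell
# Added example (not from the original post): verify that the Step 2 and Step 3 objects no longer exist.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$configDn = (Get-ADRootDSE).configurationNamingContext

# One check per object the post has you delete; search bases follow the paths given above.
$checks = @(
    @{ Name = 'RTC Service container (Step 2)'
       Base = "CN=Services,$configDn";     Filter = '(cn=RTC Service)' },
    @{ Name = 'LyncCertificates (Step 3)'
       Base = "CN=Program Data,$domainDn"; Filter = '(cn=LyncCertificates)' },
    @{ Name = 'RTC* / CS* groups (Step 3)'
       Base = "CN=Users,$domainDn";        Filter = '(&(objectClass=group)(|(cn=RTC*)(cn=CS*)))' }
)

foreach ($c in $checks) {
    # A missing search base (e.g. Distributed KeyMan never existed) is not an error for our purposes.
    $found = @(Get-ADObject -LDAPFilter $c.Filter -SearchBase $c.Base -SearchScope Subtree `
                            -ErrorAction SilentlyContinue)
    if ($found.Count -eq 0) {
        "OK     : $($c.Name) - nothing left"
    } else {
        "REMAIN : $($c.Name) - $($found.DistinguishedName -join ', ')"
    }
}
```

Anything reported as REMAIN should be deleted through ADSI Edit or Active Directory Users and Computers before the fresh install, otherwise the Prepare Active Directory wizard will find stale objects it did not create.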
Step#4: Cleanup existing users
This step resets the Lync attributes for any domain users and contacts.
Manual Method
- Open Active Directory Users and Computers
- Click View from the menu and activate Advanced Features
- Right click on your domain and select Find
- Set the Find: option to Custom Search
- Select the Advance Tab
- Enter the following LDAP Query: (msRTCSIP-PrimaryHomeServer=*)
- Click Find Now
- Note each returned user or object
- Close Find
- Right click on each user or object found in the search
- Select Properties
- Select the Attribute Editor tab
- Find and reset all msRTCSIP* attributes for the user/object
Automatic Method
For those who love PowerShell:
Important: Remember to launch PowerShell as an Administrator
Import-Module ActiveDirectory
# Every object Lync has homed on a pool carries msRTCSIP-PrimaryHomeServer; clear the Lync attributes on each one
Get-ADObject -LDAPFilter "(msRTCSIP-PrimaryHomeServer=*)" | ForEach-Object {
    Set-ADObject -Identity $_.DistinguishedName -Clear "msRTCSIP-DeploymentLocator", "msRTCSIP-FederationEnabled", "msRTCSIP-InternetAccessEnabled", "msRTCSIP-OptionFlags", "msRTCSIP-PrimaryUserAddress", "msRTCSIP-UserEnabled", "msRTCSIP-UserPolicies", "msRTCSIP-UserRoutingGroupId", "msRTCSIP-PrimaryHomeServer"
    "Cleaned $($_)"
}
Final “user cleanup” considerations:
· The scripts and methods are current as of Lync 2013 (March 2013). Review your particular implementation to determine if more or fewer attributes need to be cleaned.
· If you have integrated with Exchange Unified Messaging (UM), you will have two contacts specifically set up for the Unified Messaging. Consider deleting these contacts as they will most likely be recreated during the next Lync server installation and setup.
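Because the set of populated msRTCSIP-* attributes varies between deployments, a fixed list of attributes can leave residue behind. The script below is an added example, not part of the original post: instead of hard-coding the attribute names it discovers every populated msRTCSIP-* attribute on each homed object, writes them to a CSV so the values can be restored if needed, and clears them only when run with -Clear. It assumes the ActiveDirectory module; the backup path and the -Clear switch are this script's own choices.

```powershell
# Added example (not from the original post): back up and clear every populated msRTCSIP-* attribute
# on each object Lync has homed. Default is report + backup only; pass -Clear to actually reset them.
param(
    [string]$BackupCsv = "C:\Temp\lync-attribute-backup.csv",   # placeholder path, change to suit
    [switch]$Clear                                              # hypothetical switch: clear only on request
)
Import-Module ActiveDirectory

# Same filter as the post: users and contacts (including Exchange UM contacts) that Lync has homed.
$homed = @(Get-ADObject -LDAPFilter '(msRTCSIP-PrimaryHomeServer=*)' -Properties *)

# Returns the names of the msRTCSIP-* attributes that actually hold a value on this object.
function Get-PopulatedLyncAttributes($obj) {
    @($obj.PropertyNames | Where-Object { $_ -like 'msRTCSIP-*' -and $null -ne $obj.$_ })
}

# One CSV row per attribute value so that multi-valued attributes survive the round trip.
$rows = foreach ($obj in $homed) {
    foreach ($a in (Get-PopulatedLyncAttributes $obj)) {
        [pscustomobject]@{
            DistinguishedName = $obj.DistinguishedName
            ObjectClass       = $obj.ObjectClass
            Attribute         = $a
            Value             = (@($obj.$a) -join ';')
        }
    }
}
$rows | Export-Csv -Path $BackupCsv -NoTypeInformation
"Backed up $(@($rows).Count) attribute value(s) from $($homed.Count) object(s) to $BackupCsv"

if ($Clear) {
    foreach ($obj in $homed) {
        $attrs = Get-PopulatedLyncAttributes $obj
        if ($attrs.Count -gt 0) {
            Set-ADObject -Identity $obj.DistinguishedName -Clear $attrs
            "Cleared $($attrs.Count) attribute(s) on $($obj.DistinguishedName)"
        }
    }
}
```

Run it without -Clear first and read the CSV: the Attribute column tells you exactly which msRTCSIP-* attributes your deployment populated, which answers the "more or fewer attributes" question above before anything is changed.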
Step#5: Prepare Current Forest Impacts
Manually cleaning Lync from your Active Directory will result in some issues when preparing the Active Directory during Lync install. If you receive the following error on Step 3: Prepare Current Forest under the Prepare Active Directory for Lync Server wizard:
Command execution failed: Active Directory operation failed on “[your Lync Server]”. You cannot retry this operation: “Directory object not found [domain specific text]”
-OR-
Result: Create permissions for Configuration delete objects container
TaskFailed: Task execution failed
Use the following steps to manually prepare the forest:
- Launch Lync Server Management Shell from the start menu
Important: Remember to run as an administrator
- Enter the following PowerShell command:
Enable-CSAdForest -GlobalCatalog [fully qualified domain server name] -Force
Example:
Enable-CSAdForest -GlobalCatalog DC.YourDomain.COM -Force
- Refresh the wizard. The green checkbox should now be displayed on Step 3.
- Continue the wizard as normal.