Stories from the Lync Test Bench: Cleaning up Active Directory
As with any new, non-trivial upgrade, we spend a lot of time performing test installs on our test bench. (Yes, sometimes the test bench is production… but we do try to avoid testing in production… usually). There are times where we need to clean Lync from Active Directory. Normally, we would restore the domain controller from ice, but there are occasions where restoring / rebuilding the test domain is not practical.
This document covers the steps for “cleaning” your Active Directory of Lync “stuff” in order to allow for a brand new install.
Step#1: Remove permissions
This step removes the original Lync permissions from Active Directory.
- Open Active Directory Users and Computers
- Right click on your top level domain being cleaned and select Properties
- From the Properties windows, select the Security tab.
- Remove all security users titled RTC*. These are usually:
– RTCUniversalServerReadOnlyGroup
– RTCUniversalUserReadOnlyGroup
– RTCUniversalUniversalServices
– RTCUniversalUserAdmins
- Repeat the same steps for each of the following AD folders and OUs.
NOTE: Not all RTC permissions will exist in each AD folder or OU, but these three do:
– Domain Controllers
– System
– Users
Step#2: Remove the RTC Services branch
- Open ADSI Edit
New to ADSI? See this link: http://technet.microsoft.com/en-us/library/cc773354
- Open the Configuration naming context for the domain being cleaned
- Drill down to the following path:
CN=Configuration,[your domain] > CN=Services
- Delete the CN=RTC Service entry
Step#3: Additional AD cleanup
- Open Active Directory Users and Computers
- Drill down as follows: [Your Domain] > Program Data > Distributed KeyMan
- Delete LyncCertificates
NOTE: This may not exist in all scenarios.
- Drill down as follows: [Your Domain] > Users
- Delete all RTC* and CS* users created by Lync, i.e. CSAdministrator, CSHelpDesk, RTCComponentUniversalServices, etc.
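Before starting a fresh install it is worth confirming that Steps 1 to 3 (and Step 4 below) actually removed everything. The following read-only audit script is an added example, not part of the original post; it assumes the ActiveDirectory module (RSAT) is installed and that it runs as a domain administrator. It changes nothing, it only reports what is still there.

```powershell
# Added example, not from the original post: read-only audit of Lync residue in AD.
# Assumes the ActiveDirectory module (RSAT) and domain-admin rights.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$configNc = (Get-ADRootDSE).configurationNamingContext
$findings = New-Object System.Collections.Generic.List[string]

# Step 1 and 3 residue: RTC* and CS* groups anywhere in the domain.
# Review the CS* hits by hand; the prefix can match groups unrelated to Lync.
foreach ($g in (Get-ADGroup -LDAPFilter '(|(cn=RTC*)(cn=CS*))' -SearchBase $domainDn)) {
    $findings.Add("Group still present: $($g.DistinguishedName)")
}

# Step 1 residue: ACEs on the domain root and the three containers the post names.
# Once an RTC group has been deleted, its ACEs show up as unresolved SIDs, so flag those too.
$containers = @(
    $domainDn,
    "OU=Domain Controllers,$domainDn",
    "CN=System,$domainDn",
    "CN=Users,$domainDn"
)
foreach ($dn in $containers) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($who -like '*\RTC*') {
            $findings.Add("ACE for $who still on $dn")
        } elseif ($who -like 'S-1-5-21-*') {
            $findings.Add("ACE for unresolved SID $who on $dn (possibly a deleted RTC group)")
        }
    }
}

# Step 2 residue: CN=RTC Service under CN=Services in the Configuration partition.
foreach ($o in (Get-ADObject -LDAPFilter '(cn=RTC Service)' -SearchBase "CN=Services,$configNc")) {
    $findings.Add("CN=RTC Service still present: $($o.DistinguishedName)")
}

# Step 3 residue: the LyncCertificates object under Program Data\Distributed KeyMan.
foreach ($o in (Get-ADObject -LDAPFilter '(cn=LyncCertificates)' -SearchBase $domainDn)) {
    $findings.Add("LyncCertificates still present: $($o.DistinguishedName)")
}

# Step 4 residue: users and contacts still homed on a Lync server.
foreach ($o in (Get-ADObject -LDAPFilter '(msRTCSIP-PrimaryHomeServer=*)' -SearchBase $domainDn)) {
    $findings.Add("Still homed on Lync: $($o.DistinguishedName)")
}

if ($findings.Count -eq 0) { 'No Lync residue found.' } else { $findings }
```

Run it once before you start and again after Step 4; an empty result is what you want to see before launching the Prepare Active Directory wizard.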
Step#4: Cleanup existing users
This step resets Lync attributes for any domain users and contacts.
Manual Method
- Open Active Directory Users and Computers
- Click View from the menu and activate Advanced Features
- Right click on your domain and select Find
- Set the Find: option to Custom Search
- Select the Advance Tab
- Enter the following LDAP Query: (msRTCSIP-PrimaryHomeServer=*)
- Click Find Now
- Note each returned user or object
- Close Find
- Right click on each user or object found in the search
- Select Properties
- Select the Attribute Editor tab
- Find and reset all msRTCSIP* attributes for the user/object
Automatic Method
For those who love PowerShell:
Important: Remember to launch PowerShell as an Administrator
Import-Module ActiveDirectory
Get-ADObject -LDAPFilter "(msRTCSIP-PrimaryHomeServer=*)" |
    ForEach-Object {
        Set-ADObject -Identity $_.DistinguishedName -Clear "msRTCSIP-DeploymentLocator", "msRTCSIP-FederationEnabled", "msRTCSIP-InternetAccessEnabled", "msRTCSIP-OptionFlags", "msRTCSIP-PrimaryUserAddress", "msRTCSIP-UserEnabled", "msRTCSIP-UserPolicies", "msRTCSIP-UserRoutingGroupId", "msRTCSIP-PrimaryHomeServer"
        "Cleaned $($_)"
    }
Final “user cleanup” considerations:
· The scripts and methods are current as of Lync 2013 (March 2013). Review your particular implementation to determine if more or fewer attributes need to be cleaned.
· If you have integrated with Exchange Unified Messaging (UM), you will have two contacts specifically setup for the Unified Messaging. Consider deleting these contacts as they will most likely be recreated during the next Lync server installation and setup.
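The one-liner above clears the attributes immediately and keeps no record of what was there. The script below is an added example, not the post's own code: it does the same cleanup but first writes every object's current msRTCSIP values to a CSV and honours -WhatIf / -Confirm, so a run on the wrong domain (or on production) can be previewed and, if needed, reversed by hand from the backup. It assumes the ActiveDirectory module and administrative rights; the backup path is an assumed default.

```powershell
# Added example, not from the original post: back up, then clear, the msRTCSIP attributes.
# Save as Clear-LyncAttributes.ps1 and run ".\Clear-LyncAttributes.ps1 -WhatIf" first.
# Assumes the ActiveDirectory module and admin rights; $BackupPath is an assumed default.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$BackupPath = "$env:TEMP\lync-attribute-backup.csv"
)
Import-Module ActiveDirectory

# Same attribute list as the one-liner in the post; extend it if your deployment set more.
$attrs = @(
    'msRTCSIP-DeploymentLocator', 'msRTCSIP-FederationEnabled',
    'msRTCSIP-InternetAccessEnabled', 'msRTCSIP-OptionFlags',
    'msRTCSIP-PrimaryUserAddress', 'msRTCSIP-UserEnabled',
    'msRTCSIP-UserPolicies', 'msRTCSIP-UserRoutingGroupId',
    'msRTCSIP-PrimaryHomeServer'
)

$objects = @(Get-ADObject -LDAPFilter '(msRTCSIP-PrimaryHomeServer=*)' -Properties $attrs)
if ($objects.Count -eq 0) { 'Nothing to clean.'; return }

# 1. Back up: one CSV row per object, multi-valued attributes joined with ';'.
$rows = foreach ($obj in $objects) {
    $row = [ordered]@{ DistinguishedName = $obj.DistinguishedName }
    foreach ($a in $attrs) { $row[$a] = ($obj.$a -join ';') }
    [pscustomobject]$row
}
$rows | Export-Csv -Path $BackupPath -NoTypeInformation -Encoding UTF8
Write-Verbose "Backed up $($objects.Count) object(s) to $BackupPath"

# 2. Clear. ShouldProcess makes -WhatIf print the plan instead of touching AD.
foreach ($obj in $objects) {
    if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, "Clear $($attrs.Count) msRTCSIP attributes")) {
        Set-ADObject -Identity $obj.DistinguishedName -Clear $attrs
        "Cleaned $($obj.DistinguishedName)"
    }
}
```

Keep the CSV with your change record for the test bench; it is the only evidence of the pre-cleanup state once the attributes are gone.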
Step#5: Prepare Current Forest Impacts
Manually cleaning Lync from your Active Directory will result in some issues when preparing the Active Directory during Lync install. If you receive the following error on Step 3: Prepare Current Forest under the Prepare Active Directory for Lync Server wizard:
Command execution failed: Active Directory operation failed on “[your Lync Server]”. You cannot retry this operation: “Directory object not found [domain specific text]”
-OR-
Result: Create permissions for Configuration delete objects container
TaskFailed: Task execution failed
Use the following steps to manually prepare the forest:
- Launch Lync Server Management Shell from the Start menu
Important: Remember to run as an administrator
- Enter the following PowerShell command:
Enable-CSAdForest -GlobalCatalog [fully qualified domain server name] -Force
Example:
Enable-CSAdForest -GlobalCatalog DC.YourDomain.COM -Force
- Refresh the wizard. The green checkbox should now be displayed on Step 3.
- Continue the wizard as normal.
Hello,
What is the best way to Query AD for all users who have been enabled for PIC, aka the msRTCSIP-optionflags set to 256 I believe (I think it could also be above 256 if they had other options enabled)?
Thanks!
Jason,
Without knowing exactly what you are doing (and what you are using), this is a difficult question to answer.
I would recommend starting with this URL: http://technet.microsoft.com/en-us/library/cc776693(v=ws.10).aspx. This will give you several options (and it covers the basics) for performing a query against AD.
Thank you so much for your help, my problem is solved now! I executed this process exactly as described and it was a success.
Best answer I found on removing Lync from AD.
The below needs to be added before step 1 or you will not see the security tab to delete the security users:
Open Active Directory Users and Computers
Click View from the menu and activate Advanced Features
Otherwise great document.
Thank you so much! I’ve been racking my brain for the last week trying to figure out how to do this properly.
Also, it solved a lot of other issues I was experiencing post Lync removal.
Hello,
Very nice information, but can anyone help me with the query below? How can I filter users from only a specific group, for example the security group “HeadOffice”?
(msRTCSIP-PrimaryHomeServer=*)
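Two of the comments above ask for read-only queries: users whose msRTCSIP-OptionFlags has the 256 bit set (the PIC flag, as the earlier comment states; verify that value against your deployment's documentation), and Lync-enabled users restricted to one security group. The script below is an added example and is not part of any reply on this page. It assumes the ActiveDirectory module; the group name “HeadOffice” and the 256 value are taken from the comments. It uses the LDAP bitwise-AND matching rule, so values above 256 that still include that bit are matched too, and the in-chain matching rule, so nested group membership is covered, not just direct members.

```powershell
# Added example, not from the original post or its replies: read-only Lync user queries.
# Assumes the ActiveDirectory module; "HeadOffice" and 256 come from the comments above.
Import-Module ActiveDirectory

# LDAP matching rules: bitwise AND (true when attribute -band bit is non-zero)
# and "in chain" (true for direct or nested group membership).
$BitAnd  = '1.2.840.113556.1.4.803'
$InChain = '1.2.840.113556.1.4.1941'

function Get-LyncUserByOptionFlag {
    # Objects homed on Lync whose msRTCSIP-OptionFlags includes $Bit (default 256, assumed PIC).
    param([int]$Bit = 256)
    $filter = "(&(msRTCSIP-PrimaryHomeServer=*)(msRTCSIP-OptionFlags:${BitAnd}:=$Bit))"
    Get-ADObject -LDAPFilter $filter -Properties 'msRTCSIP-PrimaryUserAddress', 'msRTCSIP-OptionFlags' |
        Select-Object Name, 'msRTCSIP-PrimaryUserAddress', 'msRTCSIP-OptionFlags'
}

function Get-LyncUserInGroup {
    # Objects homed on Lync that are direct or nested members of $GroupName.
    # Group DNs containing '(' ')' '*' or '\' must be LDAP-escaped before use in a filter.
    param([Parameter(Mandatory = $true)][string]$GroupName)
    $groupDn = (Get-ADGroup -Identity $GroupName).DistinguishedName
    $filter  = "(&(msRTCSIP-PrimaryHomeServer=*)(memberOf:${InChain}:=$groupDn))"
    Get-ADObject -LDAPFilter $filter -Properties 'msRTCSIP-PrimaryUserAddress' |
        Select-Object Name, 'msRTCSIP-PrimaryUserAddress'
}

Get-LyncUserByOptionFlag -Bit 256
Get-LyncUserInGroup -GroupName 'HeadOffice'
```

Both functions only read the directory, so they are safe to run against production to scope a cleanup before any of the destructive steps above.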
Do you know what to do when receiving this error: “Length of the access control list exceed the allowed maximum”
I have completely cleared all RTC and CS groups from my AD, CN=RTC has been deleted, and I have tried the Enable-CSAdForest command above and still continue to receive this error.
I am unsure how else to completely get rid of Skype for Business 2019 to be able to reinstall it with the same DC1.