LCS Services Fail to Start After Running the Global Settings Migration Tool
I ran into this problem recently. I was doing a migration from LCS 2005 SP1 to OCS 2007 R2 and as part of the R2 prep we were moving the global settings to the Configuration Partition. We followed the steps outlined in this TechNet article (https://technet.microsoft.com/en-us/library/dd819962(office.13).aspx), and while trying to complete Step #7, we ran into a small issue. When trying to start the LCS service, so that we could test, we got the error listed below:
Windows could not start the Live Communications Server on Local Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code -2147016694.
Looking in the Application Event Log, we got Event IDs 16417 and 12299.
Checking the System Event Log, we got Event ID 7024.
The service can't start up because the rights aren't being applied to the new container structure in the Configuration Partition. If you check the Security tab for the RTC Service container in ADSI Edit, you see the following:
The RTC groups that need rights aren't being added. There are 2 ways to fix this issue.
The first option is to grant the RTCDomainUserAdmins, RTCDomainServerAdmins, and RTCHSDomainServices groups permissions to the Services (or RTC Service) container. I've included a report of the permissions both before moving the global settings and after moving the global settings to the Configuration Partition. A copy of the permissions is also attached to this post, since some of the report is cut off the screen.
The second option is a little more risky. In my lab I was able to successfully get the permissions to apply if I re-ran the DomainPrep step AFTER completing Step #8, which is removing the RTC Service container in the System container. This is risky because you couldn't switch back to using the System container if you absolutely had to. You can mitigate this risk by making sure that you have a recent backup of Active Directory. You should also be able to get the services started by using Option #1, but you will more than likely be granting more permissions than necessary. After re-running DomainPrep, the permissions were applied to the Services container in the Configuration Partition and I could start the LCS service.
Before Moving the Global Settings (CN=Microsoft,CN=System,DC=test,DC=domain,DC=com)
Access list:
Effective Permissions on this object are:
Allow TEST\Domain Admins FULL CONTROL
Allow NT AUTHORITY\SYSTEM FULL CONTROL
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow BUILTIN\Administrators SPECIAL ACCESS <Inherited from parent>
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Allow TEST\Enterprise Admins FULL CONTROL <Inherited from parent>
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS <Inherited from parent>
LIST CONTENTS
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow BUILTIN\Administrators SPECIAL ACCESS <Inherited from parent>
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Allow TEST\Enterprise Admins FULL CONTROL <Inherited from parent>
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS <Inherited from parent>
LIST CONTENTS
Inherited to computer
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS SPECIAL ACCESS for tokenGroups <Inherited from parent>
READ PROPERTY
Inherited to group
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS SPECIAL ACCESS for tokenGroups <Inherited from parent>
READ PROPERTY
Inherited to user
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS SPECIAL ACCESS for tokenGroups <Inherited from parent>
READ PROPERTY
Inherited to inetOrgPerson
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Logon Information <Inherited from parent>
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Account Restrictions <Inherited from parent>
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Group Membership <Inherited from parent>
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for General Information <Inherited from parent>
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Remote Access Information <Inherited from parent>
READ PROPERTY
Inherited to user
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Inherited to group
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Inherited to user
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Logon Information <Inherited from parent>
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Account Restrictions <Inherited from parent>
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Group Membership <Inherited from parent>
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for General Information <Inherited from parent>
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Remote Access Information <Inherited from parent>
READ PROPERTY
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS for RTCUserSearchPropertySet <Inherited from parent>
READ PROPERTY
Allow TEST\RTCDomainUserAdmins SPECIAL ACCESS for Public Information <Inherited from parent>
DELETE
WRITE PROPERTY
READ PROPERTY
Allow TEST\RTCDomainUserAdmins SPECIAL ACCESS for RTCUserSearchPropertySet <Inherited from parent>
DELETE
WRITE PROPERTY
READ PROPERTY
Allow TEST\RTCDomainUserAdmins SPECIAL ACCESS for RTCPropertySet <Inherited from parent>
DELETE
WRITE PROPERTY
READ PROPERTY
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS for RTCPropertySet <Inherited from parent>
DELETE
WRITE PROPERTY
READ PROPERTY
Allow TEST\RTCHSDomainServices SPECIAL ACCESS for RTCUserSearchPropertySet <Inherited from parent>
READ PROPERTY
Allow TEST\RTCHSDomainServices SPECIAL ACCESS for RTCPropertySet <Inherited from parent>
READ PROPERTY
Inherited to msRTCSIP-GlobalContainer
Allow TEST\RTCDomainUserAdmins SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-PoolService
Allow TEST\RTCDomainUserAdmins SPECIAL ACCESS
READ PROPERTY
Inherited to msRTCSIP-Pools
Allow TEST\RTCDomainUserAdmins SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to container
Allow TEST\RTCDomainUserAdmins SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-Pool
Allow TEST\RTCDomainUserAdmins SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-Service
Allow TEST\RTCDomainUserAdmins SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-ArchivingServer
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
WRITE PROPERTY
READ PROPERTY
DELETE TREE
Inherited to msRTCSIP-EdgeProxy
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
WRITE PROPERTY
READ PROPERTY
DELETE TREE
Inherited to msRTCSIP-PoolService
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
Inherited to container
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
CREATE CHILD
DELETE CHILD
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
DELETE TREE
Inherited to msRTCSIP-Pool
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
CREATE CHILD
DELETE CHILD
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
DELETE TREE
Inherited to msRTCSIP-Pools
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
CREATE CHILD
DELETE CHILD
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
DELETE TREE
Inherited to msRTCSIP-TrustedServer
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
WRITE PROPERTY
READ PROPERTY
DELETE TREE
Inherited to msRTCSIP-Domain
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
WRITE PROPERTY
READ PROPERTY
DELETE TREE
Inherited to msRTCSIP-GlobalContainer
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
CREATE CHILD
DELETE CHILD
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
Inherited to msRTCSIP-Service
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-ArchivingServer
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
READ PROPERTY
Inherited to msRTCSIP-EdgeProxy
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
READ PROPERTY
Inherited to msRTCSIP-PoolService
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
READ PROPERTY
Inherited to container
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-Pool
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-Pools
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-TrustedServer
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
READ PROPERTY
Inherited to msRTCSIP-Domain
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
READ PROPERTY
Inherited to msRTCSIP-GlobalContainer
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-Service
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
After Moving the Global Settings (CN=Services,CN=Configuration,DC=test,DC=domain,DC=com)
Access list:
Effective Permissions on this object are:
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow TEST\Enterprise Admins SPECIAL ACCESS
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Allow NT AUTHORITY\SYSTEM FULL CONTROL
Allow TEST\Enterprise Admins FULL CONTROL <Inherited from parent>
Allow TEST\Domain Admins SPECIAL ACCESS <Inherited from parent>
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow TEST\Enterprise Admins FULL CONTROL <Inherited from parent>
Allow TEST\Domain Admins SPECIAL ACCESS <Inherited from parent>
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Inherited to msRTCSIP-GlobalContainer
Allow TEST\RTCDomainUserAdmins SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-PoolService
Allow TEST\RTCDomainUserAdmins SPECIAL ACCESS
READ PROPERTY
Inherited to msRTCSIP-Pools
Allow TEST\RTCDomainUserAdmins SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to container
Allow TEST\RTCDomainUserAdmins SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-Pool
Allow TEST\RTCDomainUserAdmins SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-Service
Allow TEST\RTCDomainUserAdmins SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-ArchivingServer
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
WRITE PROPERTY
READ PROPERTY
DELETE TREE
Inherited to msRTCSIP-EdgeProxy
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
WRITE PROPERTY
READ PROPERTY
DELETE TREE
Inherited to msRTCSIP-PoolService
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
Inherited to container
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
CREATE CHILD
DELETE CHILD
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
DELETE TREE
Inherited to msRTCSIP-Pool
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
CREATE CHILD
DELETE CHILD
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
DELETE TREE
Inherited to msRTCSIP-Pools
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
CREATE CHILD
DELETE CHILD
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
DELETE TREE
Inherited to msRTCSIP-TrustedServer
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
WRITE PROPERTY
READ PROPERTY
DELETE TREE
Inherited to msRTCSIP-Domain
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
WRITE PROPERTY
READ PROPERTY
DELETE TREE
Inherited to msRTCSIP-GlobalContainer
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
CREATE CHILD
DELETE CHILD
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
Inherited to msRTCSIP-Service
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-ArchivingServer
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
READ PROPERTY
Inherited to msRTCSIP-EdgeProxy
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
READ PROPERTY
Inherited to msRTCSIP-PoolService
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
READ PROPERTY
Inherited to container
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-Pool
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-Pools
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-TrustedServer
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
READ PROPERTY
Inherited to msRTCSIP-Domain
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
READ PROPERTY
Inherited to msRTCSIP-GlobalContainer
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-Service
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
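Comparing two long permission reports by eye is error-prone, so here is an added example (not part of the original post) that parses reports in the format shown above and lists the rights the RTC groups hold in the first report but not in the second. The two sample reports are constructed and shortened, and the function names are hypothetical.

```python
import re

# ACE header lines in the report format above, e.g.
# "Allow TEST\RTCDomainUserAdmins SPECIAL ACCESS for RTCPropertySet <Inherited from parent>"
ACE_RE = re.compile(r"^Allow (.+?) (FULL CONTROL|SPECIAL ACCESS)"
                    r"(?: for (.+?))?(?: <Inherited from parent>)?$")
RTC_GROUPS = {"RTCDomainUserAdmins", "RTCDomainServerAdmins", "RTCHSDomainServices"}

def parse_acl_report(text):
    """Return a set of (scope, trustee, property_set, right) tuples."""
    aces, scope, current = set(), "this object", None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.endswith(":"):                 # "Access list:" and section headers
            scope, current = "this object", None
        elif line.startswith("Inherited to "):  # object class the ACEs below apply to
            scope, current = line[len("Inherited to "):], None
        elif (m := ACE_RE.match(line)):
            trustee, kind, prop_set = m.groups()
            current = (scope, trustee, prop_set or "")
            if kind == "FULL CONTROL":          # no individual rights follow
                aces.add(current + ("FULL CONTROL",))
        elif current:                           # one right under SPECIAL ACCESS
            aces.add(current + (line,))
    return aces

def missing_after_move(before, after, groups):
    """ACEs held by `groups` in the `before` report but absent from `after`."""
    lost = parse_acl_report(before) - parse_acl_report(after)
    return sorted(a for a in lost if a[1].split("\\")[-1] in groups)

# Constructed sample reports (not the reports from the post).
BEFORE = r"""Effective Permissions on this object are:
Allow NT AUTHORITY\SYSTEM FULL CONTROL
Permissions inherited to subobjects are:
Inherited to msRTCSIP-Pool
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
CREATE CHILD
READ PROPERTY
Inherited to msRTCSIP-Service
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
LIST CONTENTS"""
AFTER = r"""Effective Permissions on this object are:
Allow NT AUTHORITY\SYSTEM FULL CONTROL
Permissions inherited to subobjects are:
Inherited to msRTCSIP-Pool
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
READ PROPERTY"""

if __name__ == "__main__":
    for ace in missing_after_move(BEFORE, AFTER, RTC_GROUPS):
        print(ace)
```

Running the same comparison in the other direction (swap the two arguments) shows rights that exist only on the new container, which is the check to make after choosing Option #1, where more permissions than necessary may have been granted.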
Comments
- Anonymous
January 01, 2003
Hi Doug, I have a mixed LCS 2005 SP1 and OCS R1 environment, and I am currently performing the system container to configuration container migration. When I ran forest prep and domain prep I ran the LCS 2005 version of the commands, and encountered the same problem as yourself (No rights applied to the hierarchy). I corrected the issue by following your advice to grant the RTCDomainUserAdmins, RTCDomainServerAdmins, and RTCHSDomainServices groups permissions to the RTC Service configuration container hierarchy. I also added the everyone group (Read and List rights) as well. LCS and OCS are now working fine. In reading your post am I correct to infer that in production you fixed the problem by adding the RTC groups, but performed option 2 in the testlab?
- If this is the case did you have any issues running the OCS R2 forest prep or domain prep?
- Does the OCS R2 forest prep and domain prep reconfigure access to the RTC Service container and apply the RTCUniversalGlobalReadOnlyGroup, RTCUniversalGlobalWriteGroup, RTCUniversalServerAdmins if the manually added groups are in place? I cannot find any documentation on what the domainprep actually does. Do you have any links you could refer me to?
We still have not deleted the system container (with the MigrateOCS script), and at this point we are contemplating if we should leave the manual rights in place and proceed with the OCS R2 prep, or run the OCS R1 forest prep and domain prep before proceeding. Thanks in advance, Cliff
Anonymous
December 07, 2010
Thanks Doug... This article helped me fix the error!!
Anonymous
February 15, 2011
Hi guys, I am running LCS 2005 Service Pack 1. A few weeks ago this computer was deleted from AD (OU). I logged in as local administrator to that PC and rejoined the domain, but I cannot restart the LCS services. It showed the error below: "Windows could not start the Live Communication server on local computer. For more information, review the system event log. If this is a non-Microsoft service, contact service vendor and refer to specific error code -1008054264". Please do let me know any solution. Thanks, ifti
Anonymous
September 21, 2012
Nice work. This was a big help. We ran into this at a client today. Running LcsCmd /Domain /Action:DomainPrep solved the issue. I used the 2007 version of the command because someone had already run it using the 2007 version before, so the 2005 version would not work. I also ran "LcsCmd /Forest /Action:ForestPrep /global:configuration", but that was probably not necessary. Thanks again, Wade
Anonymous
September 21, 2012
From what I've read, using the 2007 R2 version of the LcsCmd might be bad if you're trying to coexist with 2005. I used the non-R2 version of the 2007 LcsCmd.exe.