Tuesday, July 10, 2012

ACL Problem in AD

Besides the known requirements and prerequisites for Lync, there is additional confusion about how to bring up servers in sub-level domains.
At one customer we ran into a problem deploying Lync in their sub-domain.

What happened?
With all the proper rights assigned to the installation account, we were setting up the first Lync Server in their sub-domain. Simply put, it didn't work. We could see the additional Lync attributes written to the AD Configuration partition, and saw the additional sub-configuration under the Lync Server.


But the services just didn't start.
The problem was reading the information stored in the Configuration partition, even though writing to AD worked well.



Solution:
After digging through the AD structure, validating the topology and more, the solution we found was: for installation in a sub-level domain, you must have Enterprise Admin rights too. Weird, isn't it?! This is normally nothing special, and it applies even from the point after Schema, Forest, AD Prep, …
Doing so ensures that, during the installation of the topology and server objects, the ACL in the Configuration partition is updated properly and will be readable for later installations too.
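
A preflight check for the situation described above, as an added example that is not part of the original post. It assumes the default layout in which Lync keeps its forest-wide settings under `CN=RTC Service,CN=Services` in the Configuration partition, and that the Lync universal groups have names starting with `RTC`; adjust the path if your deployment stores the settings elsewhere.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the child-domain server, as the account that will install Lync.
$ErrorActionPreference = 'Stop'

# 1. Enterprise Admins is RID 519 of the forest ROOT domain, so build the SID
#    from the root domain's SID, not from the child domain's.
$forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$rootDe  = $forest.RootDomain.GetDirectoryEntry()
$rootSid = New-Object System.Security.Principal.SecurityIdentifier ([byte[]]$rootDe.objectSid.Value, 0)
$eaSid   = New-Object System.Security.Principal.SecurityIdentifier (
               [System.Security.Principal.WellKnownSidType]::AccountEnterpriseAdminsSid, $rootSid)

# Groups only lists enabled groups, so a non-elevated (UAC-filtered) token
# reports False here even for a real Enterprise Admin.
$token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$isEA  = @($token.Groups | Where-Object { $_.Value -eq $eaSid.Value }).Count -gt 0

# 2. Can this account read the Lync container in the Configuration partition?
#    The container DN is an assumption (default Lync layout), see the lead-in.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
$rtcPath  = "LDAP://CN=RTC Service,CN=Services,$configNC"
try   { $readable = [System.DirectoryServices.DirectoryEntry]::Exists($rtcPath) }
catch { $readable = $false; Write-Warning "Bind to $rtcPath failed: $($_.Exception.Message)" }

# 3. List the ACEs on that container that are granted to RTC* groups, so a
#    working forest and a failing one can be compared side by side.
$rtcAces = @()
if ($readable) {
    $acl = ([ADSI]$rtcPath).psbase.ObjectSecurity
    $rtcAces = @($acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
                 Where-Object { $_.IdentityReference.Value -like '*\RTC*' })
}

"Account               : $($token.Name)"
"Enterprise Admins     : $isEA  ($($eaSid.Value))"
"RTC Service readable  : $readable"
"RTC* ACEs on container: $($rtcAces.Count)"
$rtcAces | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

if (-not $isEA) {
    Write-Warning 'Installing account is not in Enterprise Admins; ACL updates in the Configuration partition may be incomplete.'
}
```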
