Wednesday, August 12, 2015

Skype for Business File Share: Failed to save permissions during Topology publishing

While you are installing and publishing a Skype for Business Server 2015 Topology, you have to create a File Share for all important services.

In this example the File Share is located on the same server that will later host the Skype for Business Standard Server. But in larger or other setups, where the File Share is located on a SAN, DFS or file cluster, you might experience the same issue.


File Share and Folder Prerequisites:



The share can be either a normal share or an administrative share (share$).

Share Permission:

EVERYONE: READ
ADMINISTRATORS: FULL CONTROL, CHANGE, READ


Folder (Security Settings):

SYSTEM and CREATOR: must be Windows Server default
Installing user: FULL CONTROL
Local Server Administrators: FULL CONTROL


Skype for Business Topology Builder:

Must be started with: "Run as administrator"



Example and problem description:


This example applies to Windows Server 2012 R2, where we are installing in a single-domain forest with a Domain Admin account. The Domain Administrator group was placed in the member server's local Administrators group.

The next step I personally take is setting the User Access Control (UAC) to NEVER, meaning switching it off entirely.


 
 
The next step after defining the Topology is to publish it, either with the PoC's Standard Server or with the SQL Backend Store associated with the Primary Pool.
 
 
Doing so resulted in the issue described below:


Role: FileStore:1
Acl: "Accesswrite" permission for "RTCHSUniversialServices" on \\fileshareServer\SkypeShare$
Acl: Committed permission changes for \\fileshareServer\SkypeShare$\WinFabDumpFiles.
ACLError: Access permission error.
Error: Failed to save permissions on \\fileshareServer\SkypeShare$

 
The funny part is that most of the directories were created successfully up to this point.
 
 
 
The next important check, as with Lync 2013, is the share permission: EVERYONE is READ, and the local ADMINISTRATORS have FULL CONTROL, CHANGE and READ.
 
 
 
 
Besides the share permissions, we also have to check the file/folder permissions. The admin we logged on with can normally stay in the permissions for files/folders; just as a test, we removed the administrator from the tab.
 
 
This resulted in the normal issue with Windows Server 2012 and 2012 R2, where the Access Control prevents the user/ admin accessing this folder. Once you click the Continue button, the admin will be part of the permissions again.
 
Therefore I DID NOT ADD the ADMIN to the permissions!
 
 
Then we executed the Topology publishing task again and ran into a very interesting issue:
 
Role: FileStore:1
InvalidFolder: Invalid Share.
Error: Caller does not have required permission to create directory \\fileshareServer\SkypeShare$\WinFabTraceFiles. Verify that your user account has administrative privileges and that you selected "Run as administrator" when your started Windows PowerShell.

 

This is a very good hint, but remember we were Domain Admin, local Server Admin and had switched off the UAC.

 
 
Finally, due to the hint, I started the Topology Builder with the option "Run as administrator".


 
 
 
As expected the Wizard finished without any issue or error.
 
Once I tried to access the folder for the Skype for Business File Share, the same warning popped up again and I granted access myself.
In the last picture, you can see that the correct permissions and the correct groups were finally set on the file share and folders.
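
A pre-flight check for the prerequisites above, as an added example that is not part of the original post: it reports whether the current session is elevated, the EnableLUA value mentioned in the comments below, and the share and folder permissions. The share name follows the post's log output; `$FolderPath` is a hypothetical local path behind the share.

```powershell
# Added example (not from the original post). Run on the server hosting the share.
param(
    [string]$ShareName  = 'SkypeShare$',     # share name as shown in the post's log output
    [string]$FolderPath = 'D:\SkypeShare'    # hypothetical local path behind the share
)

# 1. Elevation: being a member of Administrators is not enough. While UAC is
#    active, a non-elevated session carries a filtered token and IsInRole
#    returns False for the Administrators role.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. UAC policy value (1 = UAC active, 0 = UAC off), independent of the
#    "Never notify" slider position in the GUI.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$enableLua = (Get-ItemProperty -Path $policyKey -Name EnableLUA).EnableLUA

Write-Output ("User: {0}  Elevated: {1}  EnableLUA: {2}" -f $identity.Name, $elevated, $enableLua)

# 3. Share permissions: compare with EVERYONE = Read, ADMINISTRATORS = Full.
try {
    Get-SmbShareAccess -Name $ShareName -ErrorAction Stop |
        Format-Table AccountName, AccessControlType, AccessRight -AutoSize
} catch {
    Write-Warning "Cannot read share permissions for ${ShareName}: $($_.Exception.Message)"
}

# 4. Folder (NTFS) permissions. From a non-elevated session this can fail with
#    access denied, the same condition behind the "Continue" prompt in Explorer.
try {
    (Get-Acl -Path $FolderPath -ErrorAction Stop).Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
} catch {
    Write-Warning "Cannot read folder ACL on ${FolderPath}: $($_.Exception.Message)"
}

if (-not $elevated) {
    Write-Warning 'Session is not elevated: use "Run as administrator" before publishing the topology.'
}
```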
 
 
 

6 comments:

  1. Hello Thomas,
    Nice writeup on the issue. I think basically the OS grants Local Admins permissions only to the elevated sessions. It's interesting how disabling UAC does not change this, though.

    I'm new to the OCS\Lync\SFB, and I'm currently doing a PoC deployment in a lab, and I have a question. There are localized Server versions available - like Spanish, German, etc.
    I've yet to find much difference between those, except for the admin panel interface, obviously.
    My server OS's are localized. My clients will be international - different languages.
    I kinda prefer the English, since almost all SFB\Lync documentation is in English anyway, however I don't want any issues due to the localized underlying OS (and AD domain).

    Any advice on which SFB Server version (English/Localized) I should go with?

    1. Hi Vasily,
      tnx for the flowers.

      Back to your question:
      Please use the English Version.

      Reason is, Skype for Business is developed based on Lync 2013 Server and even here we have massive issues with mixed languages. Some Event entries are mixed with English and a local language. I have tested it with Skype for Business actually, but I would wonder if this has changed.

      The PowerShell issue is solved and you don't need to localize the PS any longer.

      But you are right, most of the important articles are all in English, since we MVPs share everything mostly in English. This also makes it better and makes your life easier if you have an English installation. For users the language on the server doesn't matter, since all user-relevant information is localized and properly translated, and there is no need to care about it.

    2. Great, thank you so much!
      Just the kind of real-world experience I needed.
      I'll stay away from the localized version then.

  2. Hi Thomas, if you want to REALLY deactivate UAC in Windows Server 2012-2012R2, you have to change the DWORD "EnableLUA" from 1 to 0 in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system".
    If you simply select "Never notify" in the GUI, UAC is still active and you have this kind of issue.
    Best Regards
    Luca

    1. Hi Luca,
      thanks for your support.
      If you would also like to post a solution where, e.g., a program or a "cmd" window/PowerShell will always be started in the administrator context, it would be much appreciated.

  3. Thank you so much for this information.
